
fortios-handbook-40-mr2.pdf

Fortigate 50B – configuring external access to a WWW server via NAT and routing

Sorry about that, and that it took so long, but I am still looking for some datasheet... Added after 42 [minutes]: I found a datasheet for the software on this router, if needed:



FortiOS™ Handbook
FortiOS 4.0 MR2

Visit http://support.fortinet.com to register your FortiOS™ Handbook product. By registering
you can receive product updates, technical support, and FortiGuard services.

FortiOS™ Handbook
FortiOS 4.0 MR2
14 July 2010
01-420-99686-20100714
© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.

Contents Quick Look

Introduction . . . 77

Chapter 1  What’s New . . . 87
  Upgrading to FortiOS 4.0 MR2 . . . 91
  Web-based manager . . . 97
  CLI . . . 103
  FortiOS software enhancements . . . 107
  System . . . 117
  High availability . . . 123
  Firewall . . . 129
  User . . . 133
  UTM . . . 135
  VPN . . . 141
  Endpoint . . . 143
  WAN Opt. & Cache . . . 147
  FortiOS Carrier . . . 149
  Logging and reporting . . . 155

Chapter 2  FortiGate Fundamentals . . . 163
  The Purpose of a Firewall . . . 165
  Life of a Packet . . . 175
  Firewall components . . . 185
  Firewall Policies . . . 215
  Multicast forwarding . . . 235
  Advanced concepts and examples . . . 265
  Troubleshooting . . . 279
  Concept Example: Small Office Network Protection . . . 289
  Concept Example: Library Network Protection . . . 325

Chapter 3  System Administration . . . 359
  Basic setup . . . 361
  Using the CLI . . . 387
  Tightening security . . . 407
  Best Practices . . . 413
  Wireless . . . 419
  Monitoring . . . 427
  Advanced concepts . . . 441

Chapter 4  Logging and Reporting . . . 455
  Logging practices in FortiOS 4.0 . . . 457
  Configuring log devices . . . 463
  Logging in FortiOS 4.0 . . . 475
  FortiGate SQL log databases . . . 489
  Configuring reports in FortiOS 4.0 . . . 495
  FortiGate log messages . . . 519

Chapter 5  UTM Guide . . . 535
  UTM overview . . . 537
  Network defense . . . 547
  AntiVirus . . . 559
  Email filter . . . 577
  Intrusion protection . . . 593
  Web filter . . . 623
  FortiGuard Web Filter . . . 639
  Data leak prevention . . . 653
  Application control . . . 667
  DoS policy . . . 677
  Sniffer policy . . . 683

Chapter 6  User Authentication . . . 691
  Introduction to authentication . . . 693
  Authentication servers . . . 701
  Users and user groups . . . 711
  Configuring authenticated access . . . 719
  Certificate-based authentication . . . 729
  Monitoring authenticated users . . . 757
  Example . . . 769
  FSAE for integration with Windows AD or Novell . . . 771

Chapter 7  IPsec VPNs . . . 779
  IPsec VPN concepts . . . 781
  FortiGate IPsec VPN Overview . . . 789
  Gateway-to-gateway configurations . . . 793
  Hub-and-spoke configurations . . . 807
  Dynamic DNS configurations . . . 821
  FortiClient dialup-client configurations . . . 827
  FortiGate dialup-client configurations . . . 843
  Supporting IKE Mode config clients . . . 851
  Internet-browsing configuration . . . 855
  Redundant VPN configurations . . . 859
  Transparent mode VPNs . . . 881
  Manual-key configurations . . . 887
  IPv6 IPsec VPNs . . . 889
  L2TP and IPsec (Microsoft VPN) configurations . . . 901
  GRE over IPsec (Cisco VPN) configurations . . . 913
  Protecting OSPF with IPsec . . . 921
  Auto Key phase 1 parameters . . . 929
  Phase 2 parameters . . . 945
  Defining firewall policies . . . 951
  Hardware offloading and acceleration . . . 957
  Monitoring and troubleshooting VPNs . . . 963

Chapter 8  SSL VPNs . . . 969
  Introduction to SSL VPN . . . 971
  Setting up the FortiGate unit . . . 979
  Working with the web portal . . . 1019
  Using the SSL VPN tunnel client . . . 1033
  Examples . . . 1043

Chapter 9  Dynamic Routing . . . 1059
  Dynamic Routing Overview . . . 1061
  Routing Information Protocol (RIP) . . . 1095
  Border Gateway Protocol (BGP) . . . 1131
  Open Shortest Path First (OSPF) . . . 1169

Chapter 10  Advanced System Settings . . . 1207
  Advanced Static routing . . . 1209
  Virtual LANs . . . 1235
  IPv6 . . . 1269
  PPTP and L2TP . . . 1293
  Session helpers . . . 1307

Chapter 11  Virtual Domains . . . 1317
  Virtual Domains . . . 1319
  Virtual Domains in NAT/Route mode . . . 1347
  Virtual Domains in Transparent mode . . . 1365
  Inter-VDOM routing . . . 1385
  Troubleshooting Virtual Domains . . . 1421

Chapter 12  High Availability . . . 1427
  Solving the High Availability problem . . . 1431
  An introduction to the FortiGate Clustering Protocol (FGCP) . . . 1437
  Configuring and connecting HA clusters . . . 1461
  Configuring and connecting virtual clusters . . . 1523
  Configuring and operating FortiGate full mesh HA . . . 1545
  Operating a cluster . . . 1557
  HA and failover protection . . . 1595
  HA and load balancing . . . 1643
  HA with third-party products . . . 1657
  Standalone session synchronization . . . 1661

Chapter 13  Endpoint . . . 1667
  Network Access Control and monitoring . . . 1669
  Network Vulnerability Scan . . . 1685

Chapter 14  Traffic Shaping . . . 1693
  The purpose of traffic shaping . . . 1695
  Traffic shaping methods . . . 1705
  Examples . . . 1717
  Troubleshooting . . . 1725

Chapter 15  FortiOS Carrier . . . 1729
  Overview of FortiOS Carrier features . . . 1733
  Dynamic profiles and profile groups . . . 1755
  MMS Carrier End Point features . . . 1775
  MMS UTM features . . . 1783
  Message flood protection . . . 1803
  Duplicate message protection . . . 1817
  MMS Replacement messages . . . 1825
  Configuring GTP on FortiOS Carrier . . . 1833
  GTP message type filtering . . . 1843
  GTP identity filtering . . . 1849
  Troubleshooting . . . 1855

Chapter 16  Deploying Wireless Networks . . . 1863
  Introduction to wireless networking . . . 1865
  Configuring a wireless LAN . . . 1875
  Access point deployment . . . 1885
  Wireless network monitoring . . . 1891

Chapter 17  VoIP Solutions: SIP . . . 1895
  FortiGate VoIP solutions: SIP . . . 1897

Chapter 18  WAN Optimization, Web Cache, Explicit Proxy, and WCCP . . . 1979
  WAN optimization, web cache, and web proxy concepts . . . 1981
  WAN optimization and Web cache storage . . . 1995
  WAN optimization peers and authentication groups . . . 1997
  Configuring WAN optimization rules . . . 2003
  WAN optimization configuration examples . . . 2013
  Web caching . . . 2031
  Advanced configuration example . . . 2047
  SSL offloading for WAN optimization and web caching . . . 2069
  FortiClient WAN optimization . . . 2077
  The FortiGate explicit web proxy . . . 2079
  FortiGate WCCP . . . 2097
  WAN optimization, web cache and WCCP get and diagnose commands . . . 2103

Chapter 19  Load Balancing . . . 2109
  Configuring load balancing . . . 2111
  Load balancing configuration examples . . . 2133

Chapter 20  Hardware Acceleration . . . 2147
  FortiGate hardware accelerated processing . . . 2149
  Examples . . . 2167

Index . . . 2171

FortiOS™ Handbook FortiOS 4.0 MR2
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Detailed Contents

Introduction . . . 77
  How this Handbook is organized . . . 77
  Document conventions . . . 79
    IP addresses . . . 79
    Example Network configuration . . . 81
    Cautions, Notes and Tips . . . 82
    Typographical conventions . . . 83
    CLI command syntax conventions . . . 83
  Registering your Fortinet product . . . 85
  Fortinet products End User License Agreement . . . 85
  Training . . . 85
  Documentation . . . 85
    Fortinet Tools and Documentation CD . . . 86
    Fortinet Knowledge Base . . . 86
    Comments on Fortinet technical documentation . . . 86
  Customer service and technical support . . . 86
Chapter 1  What’s New . . . 87
  Top ten features . . . 87
  Upgrading issues for FortiOS 4.0 MR2 . . . 87
    Endpoint (previously Endpoint NAC) . . . 88
    Topology viewer . . . 88
    Customizing the GUI . . . 88
    Basic traffic reports (system memory only) . . . 88
    PPTP VPNs . . . 88
    VoIP settings . . . 88
    NNTP DLP archive . . . 88
    Email filter banned word setting . . . 88
    HTTPS invalid certificate setting . . . 89
    HTTPS AV scanning . . . 89
  Upgrading issues for FortiOS Carrier . . . 89

Upgrading to FortiOS 4.0 MR2 . . . 91
  Upgrading from earlier firmware to FortiOS 4.0 MR2 . . . 91
    Upgrading from FortiOS 3.0 MR7 to 4.0 MR2 . . . 91
    Upgrading from FortiOS 4.0 . . . 91
    Upgrading from FortiOS 4.0 MR1 . . . 92
  Upgrading to FortiOS 4.0 MR2 . . . 93
    Backing up your configuration . . . 93
    Installing FortiOS 4.0 MR2 . . . 94
    Verifying the upgrade . . . 95

Web-based manager . . . 97
  The redesigned web-based manager . . . 97
    Navigating in the web-based manager . . . 97
    Modifying settings within a feature . . . 98
    Switching VDOMs in the web-based manager . . . 98
  Adding dashboards . . . 99
  Widgets . . . 99
    Per-IP Bandwidth Usage . . . 100
    P2P Usage . . . 100
    IM Usage . . . 100
    VoIP Usage . . . 101
    Storage . . . 101
    Alert Message Console enhancement . . . 101
  FSAE enhancements . . . 102
  Dynamic proxy allocation . . . 102

CLI . . . 103
  grep . . . 103
    Example . . . 103
  IS-IS routing support . . . 104
    IS-IS CLI commands . . . 104
  Trouble-shooting command updates . . . 105

FortiOS software enhancements . . . 107
  Disk management . . . 107
    Disk I/O scalability . . . 108
    Storage Health Monitor . . . 108
  ELBC blade configuration . . . 108
  Support for AMC modules . . . 109
  Storing configuration history and templates on local hard disk . . . 109

  SIP features available on all FortiGate models . . . 110
    SIP header conformance check . . . 110
    SIP message per method rate limitation . . . 110
    SIP NAT IP address conservation . . . 111
    Support for multiple RTP endpoint . . . 111
    SIP HA failover . . . 111
    Deep SIP message inspection . . . 111
    Stateful SCTP firewall . . . 112
    SIP Hosted NAT Traversal (HNT) . . . 114
    Logging and statistics . . . 115

System . . . 117
  Concurrent username restriction . . . 117
  MD5 hash for log transfers . . . 117
  Limiting the number of concurrent explicit proxy users . . . 117
  sFlow client support . . . 118
  WCCP client mode . . . 119
    WCCP router mode configuration . . . 119
    WCCP client mode configuration . . . 120
  Client certificate handling for SSL inspection . . . 121
  Controlling the source interface IP address for self-originating traffic . . . 121
  Web Proxy replacement messages . . . 121
  Maintenance . . . 122

High availability . . . 123
  Configurable Ethernet types for HA heartbeat packets . . . 123
  HA subsecond failover . . . 124
  HA reserved management interface . . . 124
    Configuring the reserved management interface and SNMP remote management of individual cluster units . . . 125

Firewall . . . 129
  Protection profile re-organization and enhancement . . . 129
    VoIP profile . . . 130
  Explicit Proxy improvements (including Citrix/TS support) . . . 130
  Central NAT Table . . . 131

User . . . 133
  LDAP/RADIUS password renewal . . . 133
  BGP support for four-byte AS Path . . . 133
  IM users . . . 133

UTM . . . 135
  FortiGuard Web Filtering quotas . . . 135
    Viewing FortiGuard quota usage . . . 136
  Skype control improvements . . . 136
  Flow-based antivirus database . . . 136
  Extreme antivirus database . . . 137
  SSL proxy exemption by FortiGuard Web Filter category . . . 137
  Application control enhancements . . . 137
    Monitoring application control traffic . . . 138
    Applying traffic shaping settings to an application control list . . . 139

VPN . . . 141
  FortiMobile SSL-VPN app . . . 141
  L2TP and IPSec support . . . 141

Endpoint . . . 143
  Endpoint menu enhancements . . . 143
  Endpoint application enforcement . . . 143
  Network Vulnerability Scan . . . 144
    Configuring assets . . . 144
    Scheduling a scan . . . 146

WAN Opt. & Cache . . . 147
  Web Cache exempt . . . 147

FortiOS Carrier . . . 149
  Opera Mini Browser support . . . 149
  MMS filtering enhancements . . . 150
  Carrier menu in UTM . . . 151

  Profile Group . . . 152
    Configuring a profile group . . . 152

Logging and reporting . . . 155
  Archiving support for local hard drives . . . 155
  Log viewing enhancement . . . 155
  Report enhancements . . . 156
    Configuring a theme . . . 156
    Importing images . . . 157
    Configuring a chart . . . 158
    Configuring a report layout . . . 159
    Viewing generated FortiOS reports . . . 160

Chapter 2  FortiGate Fundamentals . . . 163

The Purpose of a Firewall . . . 165
  Firewall features . . . 165
    Antivirus . . . 165
    Web Filtering . . . 166
    Antispam/Email Filter . . . 168
    Intrusion Protection . . . 169
    Traffic Shaping . . . 170
  NAT vs. Transparent Mode . . . 171
    NAT mode . . . 171
    Transparent mode . . . 173
    Operating mode differences . . . 174

Life of a Packet . . . 175
  Stateful inspection . . . 175
  Flow inspection . . . 175
  Proxy inspection . . . 176
  FortiOS functions and security layers . . . 176

  Packet flow . . . 177
    Packet inspection . . . 177
    Interface . . . 178
    DoS attack protection . . . 178
    IP integrity . . . 178
    IPsec . . . 179
    Destination NAT . . . 179
    Routing . . . 179
    Local delivery . . . 179
    Policy lookup . . . 179
    Flow-based inspection . . . 180
    Proxy-based inspection . . . 180
    IPsec . . . 180
    Source NAT . . . 180
    Routing . . . 180
    Exit . . . 180
  Example 1: client/server connection . . . 180
  Example 2: Routing table update . . . 182
  Example 3: Dialup IPsec with application control . . . 183

Firewall components . . . 185
  Interfaces . . . 185
    Physical . . . 185
    Administrative access . . . 187
    Wireless . . . 188
    Aggregate . . . 188
    Virtual domains . . . 189
    Virtual LANs . . . 191
    Zones . . . 192
  Addressing . . . 193
    Fully Qualified Domain Name addresses . . . 195
    Virtual IPs . . . 195
    Address groups . . . 200
    DHCP . . . 200
    IP pools . . . 202
    IP pools and dynamic NAT . . . 203
    IP Pools for firewall policies that use fixed ports . . . 203
    Source IP address and IP pool address matching . . . 204
    IPv6 . . . 205
  Ports . . . 206
    Originating traffic . . . 206
    Receiving traffic . . . 207
    Closing specific ports to traffic . . . 208

  Services . . . 208
    Custom service . . . 209
  Schedules . . . 209
    Schedule groups . . . 211
  UTM profiles . . . 212
    Profiles and sensors . . . 212

Firewall Policies . . . 215
  Policy order . . . 216
    Denial of Service policies . . . 217
    Rearranging policies . . . 217
    Firewall policy 0 . . . 218
    Firewall policy list details . . . 218
  Creating basic policies . . . 219
    Basic accept policy example . . . 219
    Basic deny policy example . . . 220
    Basic VPN policy example . . . 220
  DoS Policies . . . 221
    Basic DoS policy example . . . 222
  Sniffer Policies . . . 222
    Basic one-armed sniffer policy example . . . 223
  Identity-based Policies . . . 224
    Identity-based policy positioning . . . 226
    Identity-based sub-policies . . . 226
  ICMP packet processing . . . 227
  Firewall policy examples . . . 227
    Blocking an IP address . . . 227
    Scheduled access policies . . . 228

Multicast forwarding . . . 235
  Multicast IP addresses . . . 235
  Multicast forwarding and FortiGate units . . . 236
    Multicast forwarding and RIPv2 . . . 236
  Configuring FortiGate multicast forwarding . . . 237
    Adding multicast firewall policies . . . 238
    Enabling multicast forwarding . . . 238

  Multicast routing examples . . . 240
    Example FortiGate PIM-SM configuration using a static RP . . . 241
    FortiGate PIM-SM debugging examples . . . 246
    Example multicast destination NAT (DNAT) configuration . . . 252
    Example PIM configuration that uses BSR to find the RP . . . 254

Advanced concepts and examples . . . 265
  Adding NAT firewall policies in transparent mode . . . 265
  Adding a static NAT virtual IP for a single IP address and port . . . 267
  Double NAT: combining IP pool with virtual IP . . . 269
    Server load balancing and HTTP cookie persistence fields . . . 271
  Using VIP range for Source NAT (SNAT) and static 1-to-1 mapping . . . 272
  Stateful inspection of SCTP traffic . . . 275
    Configuring FortiGate SCTP filtering . . . 275
    Adding an SCTP custom service . . . 276
    Adding an SCTP policy route . . . 276
    Changing the session time to live for SCTP traffic . . . 277
    Adding an SCTP port forwarding virtual IP . . . 277

Troubleshooting . . . 279
  Basic policy checking . . . 279
  Verifying traffic . . . 279
  Using log messages to view violation traffic . . . 280
  Traffic trace . . . 281
    Session table . . . 281
    Finding object dependencies . . . 283
    Flow trace . . . 283
    Flow trace output example - HTTP . . . 284
  Packet sniffer . . . 286
    Simple trace example . . . 286
    Simple trace example . . . 286
    Trace with filters example . . . 287

Concept Example: Small Office Network Protection . . . 289
  Example small office network . . . 289
    Network management and protection requirements . . . 290
    Topology . . . 290
    Features used in this example . . . 291

First steps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Configuring FortiGate network interfaces . . . . . . . . . . . . . . . . . . . . . . . 292
Adding the default route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Removing the default firewall policy . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Configuring DNS forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Setting the time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Registering the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Scheduling automatic antivirus and attack definition updates . . . . . . . . . . . . . 295
Configuring administrative access and passwords . . . . . . . . . . . . . . . . . . . 296

Configuring settings for Finance and Engineering departments . . . . . . . . . . . . 297
Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Adding the Finance and Engineering department addresses . . . . . . . . . . . . . . 297
Configuring web category block settings . . . . . . . . . . . . . . . . . . . . . . . . 298
Configuring FortiGuard spam filter settings . . . . . . . . . . . . . . . . . . . . . . 299
Configuring antivirus grayware settings . . . . . . . . . . . . . . . . . . . . . . . . 299
Configuring a corporate set of UTM profiles . . . . . . . . . . . . . . . . . . . . . . 300
Configuring firewall policies for Finance and Engineering . . . . . . . . . . . . . . . 301

Configuring settings for the Help Desk department . . . . . . . . . . . . . . . . . . 303
Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Adding the Help Desk department address . . . . . . . . . . . . . . . . . . . . . . . 303
Creating and Configuring URL filters . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Creating a recurring schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Configuring firewall policies for help desk . . . . . . . . . . . . . . . . . . . . . . . 307

Configuring remote access VPN tunnels . . . . . . . . . . . . . . . . . . . . . . . . 309
Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Adding addresses for home-based workers . . . . . . . . . . . . . . . . . . . . . . . 310
Configuring the FortiGate end of the IPSec VPN tunnels . . . . . . . . . . . . . . . . 310
Configuring firewall policies for the VPN tunnels . . . . . . . . . . . . . . . . . . . . 312
Configuring the FortiClient end of the IPSec VPN tunnels . . . . . . . . . . . . . . . 314

Configuring the web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Configuring the FortiGate unit with a virtual IP . . . . . . . . . . . . . . . . . . . . 315
Adding the web server address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Configuring firewall policies for the web server . . . . . . . . . . . . . . . . . . . . 316

Configuring the email server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Configuring the FortiGate unit with a virtual IP . . . . . . . . . . . . . . . . . . . 319
Adding the email server address . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Configuring firewall policies for the email server . . . . . . . . . . . . . . . . . . 320
ISP web site and email hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
The Example Corporation internal network configuration . . . . . . . . . . . . . . . 323
Other features and products for SOHO. . . . . . . . . . . . . . . . . . . . . . . . . 323


Concept Example: Library Network Protection . . . . . . . . . . . . . . . . . . . . . 325

Current topology and security concerns . . . . . . . . . . . . . . . . . . . . . . . . 325
Library requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
The library’s decision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Proposed topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Features used in this example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Network addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

Configuring the main office . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
High Availability (HA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
FortiGuard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
IPSEC VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Configuring IPSEC VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
IP Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
User Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Protection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Staff access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Catalog terminals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Public access terminals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Wireless access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Mail and web servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
The FortiWiFi-80CM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Configuring branch offices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Staff access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Catalog terminals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Wireless/public access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Mail and web servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
IPSEC VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Branch Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
The future. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Decentralization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Staff WiFi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Further redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357


Chapter 3 System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Basic setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

Connecting to the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Connecting to the web-based manager . . . . . . . . . . . . . . . . . . . . . . 361
Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Configuring NAT mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Configure the interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Configure a DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Add a default route and gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Add firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Configuring transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Switching to transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Verifying the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Additional configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Setting the time and date. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Configuring FortiGuard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Password considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Password policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Forgotten password? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Trusted hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Backing up the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Download a configuration file using SCP. . . . . . . . . . . . . . . . . . . . . . 374
Restoring a configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Downloading firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Upgrading the firmware - web-based manager . . . . . . . . . . . . . . . . . . . . . 378
Upgrading the firmware - CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Testing new firmware before installing . . . . . . . . . . . . . . . . . . . . . . . . . 384

Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Connecting to the CLI using a local console . . . . . . . . . . . . . . . . . . . . . . 387
Enabling access to the CLI through the network (SSH or Telnet) . . . . . . . . . . . 388
Connecting to the CLI using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Connecting to the CLI using Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

Command syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Sub-commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Shortcuts and key commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Command abbreviation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Environment variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Special characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Using grep to filter get and show command output . . . . . . . . . . . . . . . . . . . 401
Language support and regular expressions . . . . . . . . . . . . . . . . . . . . . . . 401
Screen paging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Baud rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Editing the configuration file on an external host . . . . . . . . . . . . . . . . . . . . 404
Using Perl regular expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Tightening security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Idle time-out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Administrator lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Change the admin username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Disable admin services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Segregated administrative roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Administrative ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Interface settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Rejecting PING requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Opening TCP 113 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Obfuscate HTTP headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Environmental specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Grounding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Rack mount instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Shutting down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Intrusion protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Web filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Antispam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416


Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

Setting up a wireless network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Positioning an access point . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Radio Frequency interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Using multiple access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
FortiWiFi operation modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Access point mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Client mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Wireless Equivalent Privacy (WEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Wi-Fi Protected Access (WPA, WPA2) . . . . . . . . . . . . . . . . . . . . . . . . . 423
MAC address filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Service Set Identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
A tiered approach to security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427

Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Widgets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
SNMP agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
SNMP community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Enabling on the interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Fortinet MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Fortinet and FortiGate traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Fortinet and FortiGate MIB fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
FortiGate memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
FortiGate hard disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Syslog server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
FortiGuard Analysis and Management service . . . . . . . . . . . . . . . . . . . . . 439
FortiAnalyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Alert email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Advanced concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

Central NAT table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
DHCP servers and relays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Reserving IP addresses for specific clients . . . . . . . . . . . . . . . . . . . . 442


FortiGate DNS services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Split DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Configuring the FortiGate DNS database . . . . . . . . . . . . . . . . . . . . . 445
Administration for schools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
UTM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Blocking port 25 to email server traffic . . . . . . . . . . . . . . . . . . . . . . . . . 450
Dedicated traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Restricting traffic on port 25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Blocking HTTP access by IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Assigning IP address by MAC address. . . . . . . . . . . . . . . . . . . . . . . . . 453

Chapter 4 Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

Logging practices in FortiOS 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

About logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Logging FortiGate features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Log devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
System memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Local disk or AMC disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
FortiAnalyzer unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
FortiGuard Analysis server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Syslog server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
NetIQ WebTrends server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460

Backup solutions for logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Configuring log devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463

Logging to the FortiGate unit’s system memory . . . . . . . . . . . . . . . . . . . . 463
Logging to the FortiGate unit’s hard disk . . . . . . . . . . . . . . . . . . . . . . . . 464
Logging to a FortiAnalyzer unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Testing the FortiAnalyzer configuration . . . . . . . . . . . . . . . . . . . . . . 466
Connecting to a FortiAnalyzer unit using Automatic Discovery . . . . . . . . . . 466
Logging to a FortiGuard Analysis server . . . . . . . . . . . . . . . . . . . . . . . . 467
Logging to a Syslog server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Enabling reliable syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Logging to a WebTrends server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469


Logging to multiple FortiAnalyzer units or Syslog servers . . . . . . . . . . . . . . . 469
Configuring multiple FortiAnalyzer units . . . . . . . . . . . . . . . . . . . . . . 470
Configuring multiple Syslog servers . . . . . . . . . . . . . . . . . . . . . . . . 471
Example of configuring multiple FortiAnalyzer units . . . . . . . . . . . . . . . . 472

Logging in FortiOS 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

FortiGate log types and subtypes . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Log severity levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Enabling logging of FortiGate features . . . . . . . . . . . . . . . . . . . . . . . . . 478
Firewall policy traffic logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Event logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Data Leak Prevention logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Application control logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Antivirus logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Web Filter logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
IPS packet logging and archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Attack logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Email filter logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Netscan logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
DLP archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

Filtering and customizing the display of log messages in the web-based manager . . 483
Filtering and customizing application control log messages . . . . . . . . . . . . 484
Alert email messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Configuring an alert email message . . . . . . . . . . . . . . . . . . . . . . . . 485
Configuring an alert email for notification of FortiGuard license expiry . . . . . . 486
Viewing quarantined files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

FortiGate SQL log databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489

SQL overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
SQL tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
SQL statement examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Distribution of Applications by Type in the last 24 hours . . . . . . . . . . . . . . . . 490
Top 10 Application Bandwidth Usage Per Hour Summary . . . . . . . . . . . . . . . 490
Top 10 Attacks Over The Last 24 Hours . . . . . . . . . . . . . . . . . . . . . . . . 491
Wan Optimization Application in LAN Composition over Last 24 Hours . . . . . . . . 491

Troubleshooting SQL statements. . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
SQL statement syntax errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Connection problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493


FortiGate log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

Explanation of log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Viewing log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Examples of log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Example 1: Alert email test configuration . . . . . . . . . . . . . . . . . . . . . 496
Example 2: Verifying to see if a network scan was performed . . . . . . . . . . . 497
Example 3: License expiry log message . . . . . . . . . . . . . . . . . . . . . . 497
Traffic log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Event log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
DLP Archive logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Antivirus log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
WebFilter log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Attack log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Email Filter log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
DLP log message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Application control log message . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Network Vulnerability Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Configuring reports in FortiOS 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Report overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
FortiOS reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Creating datasets for charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Configuring the charts for the report . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Configuring a theme for the report . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Customizing and creating styles for a theme . . . . . . . . . . . . . . . . . . . . . . 523
Importing images for the report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Configuring the layout for the report . . . . . . . . . . . . . . . . . . . . . . . . . . 525

FortiAnalyzer reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Configuring a FortiAnalyzer report schedule . . . . . . . . . . . . . . . . . . . . 526
Executive Summary reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Viewing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Report examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Report for analyzing traffic on the network . . . . . . . . . . . . . . . . . . . . . 528
Report for application usage on the network . . . . . . . . . . . . . . . . . . . . 529


Chapter 5 UTM Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535

UTM overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

UTM components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
AntiVirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Intrusion Protection System (IPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Anomaly protection (DoS policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
One-armed IDS (sniffer policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Web filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Email filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Data Leak Prevention (DLP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Application Control (for example, IM and P2P) . . . . . . . . . . . . . . . . . . . . . 538

UTM profiles/lists/sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
UTM and Virtual domains (VDOMs) . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Conserve mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
The AV proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Entering and exiting conserve mode . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Conserve mode effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Configuring the av-failopen command . . . . . . . . . . . . . . . . . . . . . . . . . . 541

SSL content scanning and inspection . . . . . . . . . . . . . . . . . . . . . . . . . 541
Setting up certificates to avoid client warnings . . . . . . . . . . . . . . . . . . . 542
SSL content scanning and inspection settings . . . . . . . . . . . . . . . . . . . 543
Viewing and saving logged packets . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Configuring packet logging options. . . . . . . . . . . . . . . . . . . . . . . . . 545

Network defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547

Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Blocking external probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Address sweeps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Port scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Probes using IP traffic options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Evasion techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550

Defending against DoS attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
The “three-way handshake” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
SYN flood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
SYN spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
DDoS SYN flood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Configuring the SYN threshold to prevent SYN floods . . . . . . . . . . . . . . . . . 554
SYN proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Other flood types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555

Traffic inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
IPS signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Suspicious traffic attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
DoS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Application control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556

Content inspection and filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
AntiVirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
FortiGuard Web Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Email filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
DLP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

AntiVirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559

Antivirus concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
How antivirus scanning works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Antivirus scanning order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Antivirus databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Antivirus techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
FortiGuard Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564

Enable antivirus scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Viewing antivirus database information . . . . . . . . . . . . . . . . . . . . . . . . . 564
Changing the default antivirus database . . . . . . . . . . . . . . . . . . . . . . . . 565
Overriding the default antivirus database . . . . . . . . . . . . . . . . . . . . . . . . 565
Adding the antivirus profile to a firewall policy . . . . . . . . . . . . . . . . . . . . . 566
Configuring the scan buffer size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Configuring archive scan depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Configuring a maximum allowed file size . . . . . . . . . . . . . . . . . . . . . . . . 567
Configuring client comforting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568

Enable the file quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Configuring the file quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Viewing quarantined files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Downloading quarantined files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570

Enable file filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Creating a file filter list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Creating a file pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Creating a file type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Enable file filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572

Enable grayware scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Testing your antivirus configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 573

26

FortiOS™ Handbook FortiOS 4.0 MR2
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Detailed Contents

AntiVirus examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Configuring simple antivirus protection. . . . . . . . . . . . . . . . . . . . . . . 573
Protecting your network against malicious email attachments . . . . . . . . . . . 574

Email filter

577

Email filter concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Email filter techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Order of spam filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Enable email filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Enabling FortiGuard IP address checking . . . . . . . . . . . . . . . . . . . . . . . . 580
Enabling FortiGuard URL checking . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Enabling FortiGuard email checksum checking . . . . . . . . . . . . . . . . . . . . . . 580
Enabling FortiGuard spam submission . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Enabling IP address black/white list checking . . . . . . . . . . . . . . . . . . . . . 581
Enabling HELO DNS lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Enabling email address black/white list checking . . . . . . . . . . . . . . . . . . . 583
Enabling return email DNS checking . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Enabling banned word checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
How content is evaluated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585

Configure the spam action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Configure the tag location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Configure the tag format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Email filter examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Configuring simple antispam protection . . . . . . . . . . . . . . . . . . . . . . 589
Blocking email from a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590

Intrusion protection

593

IPS concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Anomaly-based defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Signature-based defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Enable IPS scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Creating an IPS sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Creating an IPS filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Updating predefined IPS signatures . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Creating an IPS signature override . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Creating a custom IPS signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Custom signature syntax and keywords . . . . . . . . . . . . . . . . . . . . . . . . . 597
IPS processing in an HA cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606

Configure IPS options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Configuring the IPS engine algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 607
Configuring the IPS engine-count . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Configuring fail-open . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Configuring the session count accuracy . . . . . . . . . . . . . . . . . . . . . . . . 608
Configuring the IPS buffer size . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Configuring protocol decoders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Configuring security processing modules . . . . . . . . . . . . . . . . . . . . . . . . 609

Enable IPS packet logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
IPS examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Configuring basic IPS protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Using IPS to protect your web server . . . . . . . . . . . . . . . . . . . . . . . . . 611
Create and test a packet logging IPS sensor . . . . . . . . . . . . . . . . . . . . . . 613
Creating a custom signature to block access to example.com . . . . . . . . . . . . . . 615
Creating a custom signature to block the SMTP “vrfy” command . . . . . . . . . . . . . 616
Configuring a Fortinet Security Processing module . . . . . . . . . . . . . . . . . . . 618

Web filter

623

Web filter concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Different ways of controlling access . . . . . . . . . . . . . . . . . . . . . . . . 625
Order of web filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Web content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Creating a web filter content list . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Configuring a web content filter list . . . . . . . . . . . . . . . . . . . . . . . . . 626
How content is evaluated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Enabling the web content filter and setting the content threshold . . . . . . . . . . . 628

URL filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
URL filter actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Creating a URL filter list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Configuring a URL filter list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632

SafeSearch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Advanced web filter configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
ActiveX filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Cookie filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Java applet filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Web resume download block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Block Invalid URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
HTTP POST action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

Web filtering example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
School district . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

FortiGuard Web Filter

639

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
FortiGuard Web Filter and your FortiGate unit . . . . . . . . . . . . . . . . . . . . . 640
Order of web filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Enable FortiGuard Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
Configuring FortiGuard Web Filter settings . . . . . . . . . . . . . . . . . . . . . . 642
Configuring FortiGuard Web Filter categories . . . . . . . . . . . . . . . . . . . . . 642
Configuring FortiGuard Web Filter classifications . . . . . . . . . . . . . . . . . . . 643
Configuring FortiGuard Web Filter usage quotas . . . . . . . . . . . . . . . . . . . . 644
Checking quota usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646

Advanced FortiGuard Web Filter configuration . . . . . . . . . . . . . . . . . . . . . 646
Provide Details for Blocked HTTP 4xx and 5xx Errors . . . . . . . . . . . . . . . . . . 646
Rate Images by URL (blocked images will be replaced with blanks) . . . . . . . . . . . 646
Allow Websites When a Rating Error Occurs . . . . . . . . . . . . . . . . . . . . . . . 646
Strict Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Rate URLs by Domain and IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Block HTTP Redirects by Rating . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Daily log of remaining quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

Add or change FortiGuard Web Filter ratings . . . . . . . . . . . . . . . . . . . . . 647
Create FortiGuard Web Filter overrides . . . . . . . . . . . . . . . . . . . . . . . . 648
Understanding administrative and user overrides . . . . . . . . . . . . . . . . . 648
Customize categories and ratings . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Creating local categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Customizing site ratings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
FortiGuard Web Filter examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Configuring simple FortiGuard Web Filter protection. . . . . . . . . . . . . . . . 650
School district . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651

Data leak prevention

653

Data leak prevention concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
DLP sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
DLP rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
DLP compound rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654

Enable data leak prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Creating a DLP rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Understanding the default DLP rules . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Creating a compound DLP rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Creating a DLP sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Adding rules to a DLP sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Understanding default DLP sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . 662

DLP archiving. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
DLP examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Configuring DLP content archiving . . . . . . . . . . . . . . . . . . . . . . . . . 664
Blocking sensitive email messages . . . . . . . . . . . . . . . . . . . . . . . . 664

Application control

667

Application control concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Enable application control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Creating an application control list . . . . . . . . . . . . . . . . . . . . . . . . . 668
Adding applications to an application control list . . . . . . . . . . . . . . . . . . 668
Understanding the default application control lists . . . . . . . . . . . . . . . . . . 670

Application traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Enabling application control traffic shaping . . . . . . . . . . . . . . . . . . . . 670
Reverse direction traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Shaper re-use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Application control monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Enabling application control monitor . . . . . . . . . . . . . . . . . . . . . . . . 672
Application control packet logging . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Application considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
IM applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Skype. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Application control examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Blocking all instant messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Allowing only software updates . . . . . . . . . . . . . . . . . . . . . . . . . . 675

DoS policy

677

DoS policy concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Enable DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Creating and configuring a DoS sensor . . . . . . . . . . . . . . . . . . . . . . 677
Creating a DoS policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Apply an IPS sensor to a DoS policy . . . . . . . . . . . . . . . . . . . . . . . . 680

DoS example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680

Sniffer policy

683

Sniffer policy concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
The sniffer policy list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Enable one-arm sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Designating a sniffer interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Creating a sniffer policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Sniffer example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
An IDS sniffer configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687

Chapter 6

User Authentication

691

Introduction to authentication

693

What is authentication?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Means of authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Local password authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Server-based password authentication . . . . . . . . . . . . . . . . . . . . . . . . . 693
Certificate-based authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
Two-factor authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695

Types of authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Firewall authentication (Identity-based policies) . . . . . . . . . . . . . . . . . . 695
VPN authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
User’s view of authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Web-based user authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 697
VPN client-based authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 698
FortiGate administrator’s view of authentication . . . . . . . . . . . . . . . . . . . . 698

Authentication servers

701

RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Configuring the FortiGate unit to use a RADIUS server . . . . . . . . . . . . . . 702
LDAP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Configuring the FortiGate unit to use an LDAP server . . . . . . . . . . . . . . . 705
TACACS+ servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Configuring the FortiGate unit to use a TACACS+ authentication server . . . . . 708
Directory Service servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709

RSA/ACE (SecurID) servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Using the SecurID user group for authentication. . . . . . . . . . . . . . . . . . 710

Users and user groups

711

Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Creating local users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
Creating PKI or peer users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
User groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Firewall user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Directory Service user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Configuring Peer user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 717

Configuring authenticated access

719

Authentication timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Password policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Authentication protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
Authentication in firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Configuring authentication for a firewall policy . . . . . . . . . . . . . . . . . . . 721
Configuring authenticated access to the Internet . . . . . . . . . . . . . . . . . 723
VPN authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Configuring authentication of SSL VPN users . . . . . . . . . . . . . . . . . . . . . . 723
Configuring authentication of remote IPsec VPN users . . . . . . . . . . . . . . . . . 724
Configuring authentication of PPTP VPN users/user groups . . . . . . . . . . . . . . . 726
Configuring authentication of L2TP VPN users/user groups . . . . . . . . . . . . . . . 727

FSAE for integration with Windows AD or Novell

729

Introduction to FSAE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Using FSAE in a Windows AD environment . . . . . . . . . . . . . . . . . . . . 729
Using FSAE in a Novell eDirectory environment . . . . . . . . . . . . . . . . . . 733
Operating system requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Installing FSAE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
FSAE components for Windows AD . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
FSAE components for Novell eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . 733
Installing FSAE for Windows AD . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
Installing FSAE for Novell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735

Configuring FSAE on Windows AD. . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Configuring Windows AD server user groups . . . . . . . . . . . . . . . . . . . . . . . 736
Configuring collector agent settings . . . . . . . . . . . . . . . . . . . . . . . . . 737
Configuring Directory Access settings . . . . . . . . . . . . . . . . . . . . . . . . . 739
Configuring the Ignore User List . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Configuring FortiGate group filters . . . . . . . . . . . . . . . . . . . . . . . . . . 740
Configuring TCP ports for FSAE on client computers . . . . . . . . . . . . . . . . . . 742
Configuring ports on the collector agent computer . . . . . . . . . . . . . . . . . . . 742
Configuring alternate user IP address tracking . . . . . . . . . . . . . . . . . . . . 742
Viewing collector agent status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
Viewing DC agent status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
Selecting Domain Controllers and working mode for monitoring . . . . . . . . . . . . . 744

Configuring FSAE on Novell networks . . . . . . . . . . . . . . . . . . . . . . . . . 745
Configuring a group filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
Configuring FSAE on FortiGate units. . . . . . . . . . . . . . . . . . . . . . . . . . 748
Configuring LDAP server access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Specifying your collector agents or Novell eDirectory agents . . . . . . . . . . . . . 750
Selecting Windows user groups (LDAP only) . . . . . . . . . . . . . . . . . . . . . . . 751
Viewing information imported from the Windows AD server . . . . . . . . . . . . . . . . 751
Creating Directory Service user groups . . . . . . . . . . . . . . . . . . . . . . . . 753
Creating firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
Enabling guests to access FSAE policies . . . . . . . . . . . . . . . . . . . . . . . . 754

Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755

Certificate-based authentication

757

Certificates overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
SSL, HTTPS, and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
IPsec VPNs and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
Managing X.509 certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
Generating a certificate signing request . . . . . . . . . . . . . . . . . . . . . . . 758
Generating certificates with CA software . . . . . . . . . . . . . . . . . . . . . . . 760
Obtaining a signed server certificate from an external CA . . . . . . . . . . . . . . . 761
Installing a CA root certificate and CRL to authenticate remote clients . . . . . . . . 761
Online updates to certificates and CRLs . . . . . . . . . . . . . . . . . . . . . . . . 762
Backing up and restoring local certificates . . . . . . . . . . . . . . . . . . . . . . 764

Configuring certificate-based authentication . . . . . . . . . . . . . . . . . . . . . . 766
Authenticating administrators with security certificates . . . . . . . . . . . . . . 766
Authenticating SSL VPN users with security certificates . . . . . . . . . . . . . 766
Authenticating IPsec VPN users with security certificates . . . . . . . . . . . . . 767

Monitoring authenticated users

769

Monitoring firewall users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
Monitoring SSL VPN users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
Monitoring IPsec VPN users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770

Example

771

Firewall authentication example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Creating a locally-authenticated user account . . . . . . . . . . . . . . . . . . . . . 772
Creating a RADIUS-authenticated user account . . . . . . . . . . . . . . . . . . . . . 772
Creating user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Defining firewall addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
Creating firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775

Chapter 7

IPsec VPNs

779

IPsec VPN concepts

781

IP packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
VPN tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
VPN gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
Clients, servers, and peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
Phase 1 and Phase 2 settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
Phase 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
Phase 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
Security Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787

FortiGate IPsec VPN Overview

789

About FortiGate VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Planning your VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Network topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790

Choosing policy-based or route-based VPNs . . . . . . . . . . . . . . . . . . . . . 790
General preparation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
How to use this guide to configure an IPsec VPN . . . . . . . . . . . . . . . . . . . 791

Gateway-to-gateway configurations

793

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Gateway-to-gateway infrastructure requirements . . . . . . . . . . . . . . . . . 794
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Configure the VPN peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Configuration example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Define the phase 1 parameters on FortiGate_1 . . . . . . . . . . . . . . . . . . . . . 797
Define the phase 2 parameters on FortiGate_1 . . . . . . . . . . . . . . . . . . . . . 798
Define the firewall policy on FortiGate_1 . . . . . . . . . . . . . . . . . . . . . . . 798
Configure FortiGate_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800

How to work with overlapping subnets . . . . . . . . . . . . . . . . . . . . . . . . . 802
Solution for route-based VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
Solution for policy-based VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . 804

Hub-and-spoke configurations

807

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Hub-and-spoke infrastructure requirements . . . . . . . . . . . . . . . . . . . . . . . 808
Spoke gateway addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Protected networks addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809

Configure the hub. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Define the hub-spoke VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Define the hub-spoke firewall policies . . . . . . . . . . . . . . . . . . . . . . . . 810
Configuring communication between spokes (policy-based VPN) . . . . . . . . . . . . . . 811
Configuring communication between spokes (route-based VPN) . . . . . . . . . . . . . . 812
Configure the spokes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813

Configuring firewall policies for hub-to-spoke communication . . . . . . . . . . . 813
Configuring firewall policies for spoke-to-spoke communication . . . . . . . . . . 814
Dynamic spokes configuration example . . . . . . . . . . . . . . . . . . . . . . . . 816
Configure the hub (FortiGate_1) . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Configure the spokes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818

Dynamic DNS configurations

821

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
Dynamic DNS infrastructure requirements . . . . . . . . . . . . . . . . . . . . . . . . 822

General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
Configure the dynamically-addressed VPN peer . . . . . . . . . . . . . . . . . . . . 822
Configure the fixed-address VPN peer . . . . . . . . . . . . . . . . . . . . . . . . . . 824

FortiClient dialup-client configurations

827

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Peer identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Automatic configuration of FortiClient dialup clients . . . . . . . . . . . . . . . . . 828
Using virtual IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
FortiClient dialup-client infrastructure requirements . . . . . . . . . . . . . . . . . 831

FortiClient-to-FortiGate VPN configuration steps . . . . . . . . . . . . . . . . . . . 831
Configure the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
Configuring FortiGate unit VPN settings . . . . . . . . . . . . . . . . . . . . . . 832
Configuring the FortiGate unit as a VPN policy server . . . . . . . . . . . . . . . 834
Configuring DHCP service on the FortiGate unit . . . . . . . . . . . . . . . . . . 834
Configure the FortiClient Endpoint Security application . . . . . . . . . . . . . . . . 836
Configuring FortiClient to work with VPN policy distribution . . . . . . . . . . . . 836
Configuring FortiClient manually . . . . . . . . . . . . . . . . . . . . . . . . . . 836
Adding XAuth authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
FortiClient dialup-client configuration example . . . . . . . . . . . . . . . . . . . . . 838
Configuring FortiGate_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Configuring the FortiClient Endpoint Security application . . . . . . . . . . . . . 841

FortiGate dialup-client configurations

843

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
FortiGate dialup-client infrastructure requirements . . . . . . . . . . . . . . . . 845
FortiGate dialup-client configuration steps . . . . . . . . . . . . . . . . . . . . . . . 846
Configure the server to accept FortiGate dialup-client connections . . . . . . . . . . 846
Configure the FortiGate dialup client . . . . . . . . . . . . . . . . . . . . . . . . . . 848

Supporting IKE Mode config clients    851

Automatic configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
IKE Mode Config overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Configuring IKE Mode Config. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Configuring an IKE Mode Config client. . . . . . . . . . . . . . . . . . . . . . . 852
Configuring an IKE Mode Config server . . . . . . . . . . . . . . . . . . . . . . 852
Example: FortiGate unit as IKE Mode Config server . . . . . . . . . . . . . . . . . . 853
Example: FortiGate unit as IKE Mode Config client . . . . . . . . . . . . . . . . . . 854

FortiOS™ Handbook FortiOS 4.0 MR2
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Detailed Contents

Internet-browsing configuration    855

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 855
Creating an Internet browsing firewall policy . . . . . . . . . . . . . . . . . . . . . . 856
Routing all remote traffic through the VPN tunnel . . . . . . . . . . . . . . . . . . . 857
Configuring a FortiGate remote peer to support Internet browsing . . . . . . . . 857
Configuring a FortiClient application to support Internet browsing . . . . . . . . . 858

Redundant VPN configurations    859

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860
Configure the VPN peers - route-based VPN . . . . . . . . . . . . . . . . . . . . . 861
Redundant route-based VPN configuration example. . . . . . . . . . . . . . . . . . 862
Configuring FortiGate_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
Configuring FortiGate_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 868
Partially-redundant route-based VPN example. . . . . . . . . . . . . . . . . . . . . 873
Configuring FortiGate_1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874
Configuring FortiGate_2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876
Creating a backup IPsec interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 879

Transparent mode VPNs    881

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Transparent VPN infrastructure requirements . . . . . . . . . . . . . . . . . . . 884
Configure the VPN peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885

For more information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886

Manual-key configurations    887

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 887
Specify the manual keys for creating a tunnel . . . . . . . . . . . . . . . . . . . . . 887

IPv6 IPsec VPNs    889

Overview of IPv6 IPsec support . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889

Configuring IPv6 IPsec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Phase 1 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Phase 2 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890

Site-to-site IPv6 over IPv6 VPN example. . . . . . . . . . . . . . . . . . . . . . . . 891
Configure FortiGate A interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 891
Configure FortiGate A IPsec settings . . . . . . . . . . . . . . . . . . . . . . . . 892
Configure FortiGate A firewall policies . . . . . . . . . . . . . . . . . . . . . . . 892
Configure FortiGate A routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893
Configure FortiGate B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893

Site-to-site IPv4 over IPv6 VPN example. . . . . . . . . . . . . . . . . . . . . . . . 894
Configure FortiGate A interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 894
Configure FortiGate A IPsec settings . . . . . . . . . . . . . . . . . . . . . . . . 895
Configure FortiGate A firewall policies . . . . . . . . . . . . . . . . . . . . . . . 895
Configure FortiGate A routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 895
Configure FortiGate B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896

Site-to-site IPv6 over IPv4 VPN example. . . . . . . . . . . . . . . . . . . . . . . . 897
Configure FortiGate A interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 897
Configure FortiGate A IPsec settings . . . . . . . . . . . . . . . . . . . . . . . . 897
Configure FortiGate A firewall policies . . . . . . . . . . . . . . . . . . . . . . . 898
Configure FortiGate A routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 898
Configure FortiGate B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 899

L2TP and IPsec (Microsoft VPN) configurations    901

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
Configuring the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
Configuring users and user group . . . . . . . . . . . . . . . . . . . . . . . . . . 902
Configuring L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Configuring IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Configuring firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905

Configuring the Windows PC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
Quick checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
Setting up logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
Understanding the log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
Using the FortiGate unit debug commands . . . . . . . . . . . . . . . . . . . . . . . 909

GRE over IPsec (Cisco VPN) configurations    913

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Configuring the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Enabling overlapping subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914
Configuring the IPsec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914
Configuring the GRE tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 916
Configuring firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 916
Configuring routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918

Configuring the Cisco router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
Quick checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
Setting up logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
Understanding the log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 920
Using diagnostic commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 920

Protecting OSPF with IPsec    921

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 921
OSPF over IPsec configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922
Configuring the IPsec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922
Configuring static routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Configuring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Creating a redundant configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . 927
Adding the second IPsec tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . 927
Adding the OSPF interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927

Auto Key phase 1 parameters    929

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929
Defining the tunnel ends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
Choosing main mode or aggressive mode . . . . . . . . . . . . . . . . . . . . . . . 930
Choosing the IKE version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
Authenticating the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
Authenticating the FortiGate unit with digital certificates . . . . . . . . . . . . . . 931
Authenticating the FortiGate unit with a pre-shared key . . . . . . . . . . . . . . 932
Authenticating remote peers and clients . . . . . . . . . . . . . . . . . . . . . . . . 933
Enabling VPN access for specific certificate holders . . . . . . . . . . . . . . . 934
Enabling VPN access by peer identifier . . . . . . . . . . . . . . . . . . . . . . 936
Enabling VPN access using user accounts and pre-shared keys . . . . . . . . . 937

Defining IKE negotiation parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 938
Generating keys to authenticate an exchange . . . . . . . . . . . . . . . . . . 939
Defining IKE negotiation parameters . . . . . . . . . . . . . . . . . . . . . . . . 939
Defining the remaining phase 1 options . . . . . . . . . . . . . . . . . . . . . . . . 940
NAT traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
NAT keepalive frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
Dead peer detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
Using XAuth authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 942
Using the FortiGate unit as an XAuth server . . . . . . . . . . . . . . . . . . . . 942
Authenticating the FortiGate unit as a client with XAuth . . . . . . . . . . . . . . 943

Phase 2 parameters    945

Basic phase 2 settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945
Advanced phase 2 settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945
P2 Proposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Replay detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Perfect forward secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Keylife . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Auto-negotiate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Autokey Keep Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
DHCP-IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
Quick mode selectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947

Configure the phase 2 parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 948
Specifying the phase 2 parameters . . . . . . . . . . . . . . . . . . . . . . . . 948

Defining firewall policies    951

Defining firewall addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
Defining firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 952
Defining an IPsec firewall policy for a policy-based VPN . . . . . . . . . . . . . 952
Defining firewall policies for a route-based VPN . . . . . . . . . . . . . . . . . . 955

Hardware offloading and acceleration    957

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
IPsec session offloading requirements . . . . . . . . . . . . . . . . . . . . . . . . 957
Packet requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958
IPsec encryption offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958
HMAC check offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958

IPsec offloading configuration examples . . . . . . . . . . . . . . . . . . . . . . . . 959
Accelerated route-based VPN configuration . . . . . . . . . . . . . . . . . . . . 959
Accelerated policy-based VPN configuration. . . . . . . . . . . . . . . . . . . . 960

Monitoring and troubleshooting VPNs    963

Monitoring VPN connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
Monitoring connections to remote peers . . . . . . . . . . . . . . . . . . . . . . 963
Monitoring dialup IPsec connections . . . . . . . . . . . . . . . . . . . . . . . . 963
Monitoring IKE sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
Testing VPN connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
Logging VPN events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
VPN troubleshooting tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967
A word about NAT devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 968

Chapter 8  SSL VPNs    969

Introduction to SSL VPN    971

History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971
What is a VPN?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
What is SSL? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
Goals of SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
SSL certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
Choosing the level of security for your SSL VPN tunnel . . . . . . . . . . . . . . 974
Choosing between SSL and IPsec VPN . . . . . . . . . . . . . . . . . . . . . . . . 974
Legacy versus web-enabled applications . . . . . . . . . . . . . . . . . . . . . . . 974
Authentication differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975
Connectivity considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975
Relative ease of use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975
Client software requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975
Access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975
Session failover support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975

General topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 976
SSL VPN modes of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 976
Web-only mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 977
Tunnel mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 977
Single Sign-on (SSO). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 978

Setting up the FortiGate unit    979

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 980

Configuring SSL VPN settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 980
Enabling SSL VPN operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
Specifying an IP address range for tunnel-mode clients . . . . . . . . . . . . . . . 981
Adding WINS and DNS services for clients . . . . . . . . . . . . . . . . . . . . . . 982
Setting the idle timeout setting . . . . . . . . . . . . . . . . . . . . . . . . . . 983
Setting the client authentication timeout . . . . . . . . . . . . . . . . . . . . . . 983
Specifying the cipher suite for SSL negotiations . . . . . . . . . . . . . . . . . . 983
Enabling strong authentication through X.509 security certificates . . . . . . . . . 984
Changing the port number for web portal connections . . . . . . . . . . . . . . . . . 985
Customizing the web portal login page . . . . . . . . . . . . . . . . . . . . . . . . 986

Configuring SSL VPN web portals . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
Configuring basic web portal settings . . . . . . . . . . . . . . . . . . . . . . . . 990
Configuring tunnel mode settings . . . . . . . . . . . . . . . . . . . . . . . . . . 993
Configuring the Session Information widget . . . . . . . . . . . . . . . . . . . . . 995
Configuring the Bookmarks widget . . . . . . . . . . . . . . . . . . . . . . . . . . 996
Configuring the Connection Tool widget . . . . . . . . . . . . . . . . . . . . . . . 999
Configuring host checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
Configuring cache cleaning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
Configuring virtual desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
Configuring client OS Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1004

Configuring user accounts and user groups for SSL VPN . . . . . . . . . . . . . . 1005
Creating user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005
Creating a user group for SSL VPN users . . . . . . . . . . . . . . . . . . . . 1006
Configuring firewall policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1007
Configuring firewall addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 1008
Configuring the SSL VPN firewall policy . . . . . . . . . . . . . . . . . . . . . . 1009
Configuring the tunnel mode firewall policy . . . . . . . . . . . . . . . . . . . . 1011
Adding an Internet browsing policy . . . . . . . . . . . . . . . . . . . . . . . . 1013
Enabling connection to an IPsec VPN . . . . . . . . . . . . . . . . . . . . . . . . 1014

Viewing SSL VPN logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1015
Monitoring active SSL VPN sessions. . . . . . . . . . . . . . . . . . . . . . . . . 1017
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1018

Working with the web portal    1019

Connecting to the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . 1019
Web portal overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1020
Applications available in the web portal . . . . . . . . . . . . . . . . . . . . . 1021
Using the Bookmarks widget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
Adding bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1022
Using the Connection Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1023
Tunnel-mode features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030

Using the SSL VPN Virtual Desktop . . . . . . . . . . . . . . . . . . . . . . . . . 1031

Using the SSL VPN tunnel client    1033

Client configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
Web mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
Tunnel mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
Virtual desktop application . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1034
Downloading the SSL VPN tunnel mode client . . . . . . . . . . . . . . . . . . . . 1034
Installing the tunnel mode client . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
MAC OS client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
Using the tunnel mode client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
Windows client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
Linux client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1038
MAC OS X client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1040
Uninstalling the tunnel mode client . . . . . . . . . . . . . . . . . . . . . . . . . . 1042

Examples    1043

Basic SSL VPN example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1044
Creating the firewall addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 1044
Enabling SSL VPN and setting the tunnel user IP address range . . . . . . . . . . . 1045
Creating the web portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
Creating the user account and user group . . . . . . . . . . . . . . . . . . . . . 1046
Creating the firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
Add routing to tunnel mode clients . . . . . . . . . . . . . . . . . . . . . . . . 1048

Multiple user groups with different access permissions example . . . . . . . . . . 1049
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1049
Creating the firewall addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 1050
Creating the web portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1051
Creating the user accounts and user groups . . . . . . . . . . . . . . . . . . . . 1052
Creating the firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . 1053
Create the static route to tunnel mode clients . . . . . . . . . . . . . . . . . . 1056
Enabling SSL VPN operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056

OS patch check example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1057

Chapter 9  Dynamic Routing    1059

Dynamic Routing Overview    1061

Routing concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1061
Routing in VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1061
The default route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1062
The routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1062
Building the routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1068
Reverse path lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1068
Multipath routing and determining the best route . . . . . . . . . . . . . . . . . 1068
Route priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1070

What is dynamic routing?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1070
Comparing static and dynamic routing . . . . . . . . . . . . . . . . . . . . . . 1071
Dynamic routing protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
Minimum configuration for dynamic routing . . . . . . . . . . . . . . . . . . . 1073
Comparison of dynamic routing protocols . . . . . . . . . . . . . . . . . . . . . . 1073
Features of dynamic routing protocols . . . . . . . . . . . . . . . . . . . . . . 1073
When to adopt dynamic routing . . . . . . . . . . . . . . . . . . . . . . . . . 1076
Choosing a routing protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
Dynamic routing terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1079
IPv6 in dynamic routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1085
Verify the contents of the routing table (in NAT mode) . . . . . . . . . . . . . . 1085
Perform a sniffer trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1086
Debug the packet flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1087
Examine the firewall session list . . . . . . . . . . . . . . . . . . . . . . . . . 1088
Run ping and traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089
Common diagnose commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1092

Routing Information Protocol (RIP)    1095

RIP background and concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1095
Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1095
Parts and terminology of RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . 1096
How RIP works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
Troubleshooting RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1106
Routing Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1106
Split horizon and Poison reverse updates . . . . . . . . . . . . . . . . . . . . 1109
Debugging IPv6 on RIPng . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1109
RIP routing examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1110

Simple RIP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1110
Network layout and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 1110
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1112
Configuring the FortiGate units system information . . . . . . . . . . . . . . . . 1112
Configuring FortiGate unit RIP router information . . . . . . . . . . . . . . . . . 1120
Configuring other networking devices . . . . . . . . . . . . . . . . . . . . . . . 1123
Testing network configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 1124

RIPng — RIP and IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1124
Network layout and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 1124
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1126
Configuring the FortiGate units system information . . . . . . . . . . . . . . . . 1126
Configuring RIPng on FortiGate units . . . . . . . . . . . . . . . . . . . . . . . 1128
Configuring other network devices . . . . . . . . . . . . . . . . . . . . . . . . . 1129
Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1129

Border Gateway Protocol (BGP)    1131

BGP background and concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . 1131
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1131
Parts and terminology of BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1131
BGP and IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132
Roles of routers in BGP networks . . . . . . . . . . . . . . . . . . . . . . . . . 1133
Confederations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136
Network Layer Reachability Information (NLRI) . . . . . . . . . . . . . . . . . . . 1137
BGP attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1138

How BGP works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1141
IBGP versus EBGP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1141
BGP path determination — which route to use. . . . . . . . . . . . . . . . . . 1141
Troubleshooting BGP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144
Clearing routing table entries. . . . . . . . . . . . . . . . . . . . . . . . . . . 1144
Route flap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144
BGP routing examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1148
Dual-homed BGP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1148
Network layout and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 1150
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1151
Configuring the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . 1152
Configuring other networking devices . . . . . . . . . . . . . . . . . . . . . . . 1160
Testing this configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1160

Redistributing and blocking routes in BGP . . . . . . . . . . . . . . . . . . . . . . 1162
Network layout and assumptions. . . . . . . . . . . . . . . . . . . . . . . . . 1162

Open Shortest Path First (OSPF)    1169

OSPF Background and concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . 1169
Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1169
The parts and terminology of OSPF . . . . . . . . . . . . . . . . . . . . . . . 1169
How OSPF works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1175
Troubleshooting OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1180
Clearing OSPF routes from the routing table . . . . . . . . . . . . . . . . . . . . 1180
Checking the state of OSPF neighbors . . . . . . . . . . . . . . . . . . . . . . . 1180
Passive interface problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1180
Timer problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1181
Bi-directional Forwarding Detection (BFD) . . . . . . . . . . . . . . . . . . . . . 1181
Authentication issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1181
DR and BDR election issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182

OSPF routing examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182
Basic OSPF example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182
Network layout and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 1183
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184
Configuring the FortiGate units . . . . . . . . . . . . . . . . . . . . . . . . . . 1185
Configuring OSPF on the FortiGate units . . . . . . . . . . . . . . . . . . . . . . 1187
Configuring other networking devices . . . . . . . . . . . . . . . . . . . . . . . 1194
Testing network configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194

Advanced inter-area OSPF example . . . . . . . . . . . . . . . . . . . . . . . . . 1195
Network layout and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 1195
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1197
Configuring the FortiGate units . . . . . . . . . . . . . . . . . . . . . . . . . . 1197
Configuring OSPF on the FortiGate units . . . . . . . . . . . . . . . . . . . . . . 1201
Configuring other networking devices . . . . . . . . . . . . . . . . . . . . . . . 1205
Testing network configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205

Chapter 10  Advanced System Settings    1207

Advanced Static routing    1209

Static routing concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1209
Routing and VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1209
The default route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1210
Routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1210
Static routing security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1215
Multipath routing and determining the best route . . . . . . . . . . . . . . . . . . 1217
Troubleshooting static routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1219
Static routing tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1223

46

FortiOS™ Handbook FortiOS 4.0 MR2
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Detailed Contents

ECMP route failover and load balancing . . . . . . . . . . . . . . . . . . . . . . . 1224
Route priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1224
Equal-Cost Multi-Path (ECMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1224
Configuring spill-over or usage-based ECMP . . . . . . . . . . . . . . . . . . . . . 1226
Configuring weighted static route load balancing . . . . . . . . . . . . . . . . . . 1228

Policy Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1229
Adding a policy route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1229
Moving a policy route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1231
Transparent mode static routing . . . . . . . . . . . . . . . . . . . . . . . . . . . 1232
Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1232
Creating or editing a zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1233
Blocking intra-zone traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1233
IP pools and zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1234
Zones in VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1234
Zones in transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1234

Virtual LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1235

VLAN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1235
What are VLANs? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1235
How VLANs work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1236
VLAN ID rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1236
VLAN switching and routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1237

VLANs in NAT/Route mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1241
Configuring your FortiGate unit. . . . . . . . . . . . . . . . . . . . . . . . . . 1242
Adding VLAN subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 1242
Configuring firewall policies and routing . . . . . . . . . . . . . . . . . . . . . 1245
Example VLAN configuration in NAT/Route mode . . . . . . . . . . . . . . . . . . 1246
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 1246
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1247
Configuring the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1247
Configuring the VLAN switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1252
Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1253

VLANs in Transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1253
VLANs and Transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . . 1254
Example of VLANs in Transparent mode . . . . . . . . . . . . . . . . . . . . 1256
Troubleshooting VLAN problems . . . . . . . . . . . . . . . . . . . . . . . . . . . 1262
Asymmetric routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1263
Layer-2 and ARP traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1263
Forward-domain solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1265
NetBIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1266
STP forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1267
Too many VLAN interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1267

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269

IPv6 overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269
Differences between IPv6 and IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . 1269
IPv6 MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1270
IPv6 address format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1271
IP address notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1271
Netmasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1272
Address scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1272
Address types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1272
IPv6 neighbor discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1274

FortiGate IPv6 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1275
Configuring IPv6 interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1276
Configuring IPv6 routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1277
Configuring IPv6 firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . 1278
Configuring IPv6 over IPv4 tunneling . . . . . . . . . . . . . . . . . . . . . . . . . 1279
Configuring IPv6 IPSec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1280

Transition from IPv4 to IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1282
Configuring FortiOS to connect to an IPv6 tunnel provider. . . . . . . . . . . . . . 1282
Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1283
Create a SIT-Tunnel Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1283
Create a static IPv6 Route into the Tunnel-Interface . . . . . . . . . . . . . . . . . 1284
Assign your IPv6 Network to your FortiGate . . . . . . . . . . . . . . . . . . . . . 1284
Create a Firewall-Policy to allow Traffic from port1 to the Tunnel-Interface . . . . 1285
Test the connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1285

IPv6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1285
ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1285
diag sniffer packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1288
diag debug flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1289
IPv6 specific diag commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1289

Additional IPv6 resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1290

PPTP and L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1293

About FortiOS PPTP VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1293
How PPTP VPNs work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1293
FortiGate PPTP topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1295
Infrastructure requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 1295
FortiGate unit as a PPTP server . . . . . . . . . . . . . . . . . . . . . . . . . 1295
FortiGate unit forwards traffic to a PPTP server . . . . . . . . . . . . . . . . . 1295


Configuring the FortiGate unit for PPTP VPN . . . . . . . . . . . . . . . . . . . . 1296
PPTP server configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . 1296
PPTP pass through configuration overview . . . . . . . . . . . . . . . . . . . . . . 1296
Configuring user authentication for PPTP clients . . . . . . . . . . . . . . . . . . 1296
Enabling PPTP and specifying the PPTP IP address range . . . . . . . . . . . . . . 1297
Adding the firewall policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1298

Configuring the FortiGate unit for PPTP pass through . . . . . . . . . . . . . . . . 1299
Defining a virtual port-forwarding address . . . . . . . . . . . . . . . . . . . . 1299
Configuring a port-forwarding firewall policy . . . . . . . . . . . . . . . . . . . 1299
Adding the firewall policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1300
Monitoring PPTP sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1300
Testing PPTP VPN connections . . . . . . . . . . . . . . . . . . . . . . . . . 1300
Logging VPN events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1300
Configuring L2TP VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1301
Network topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1302
L2TP configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1303
Authenticating L2TP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 1303
Enabling L2TP and specifying an address range . . . . . . . . . . . . . . . . 1303
Defining firewall source and destination addresses . . . . . . . . . . . . . . . 1304
Adding the firewall policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1304
Configuring a Linux client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1305
Monitoring L2TP sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1305
Testing L2TP VPN connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1306
Logging L2TP VPN events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1306

Session helpers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1307

Viewing the session helper configuration. . . . . . . . . . . . . . . . . . . . . . . 1307
Changing the session helper configuration . . . . . . . . . . . . . . . . . . . . . . 1308
Changing the protocol or port that a session helper listens on. . . . . . . . . . 1308
Disabling a session helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1310
DCE-RPC session helper (dcerpc) . . . . . . . . . . . . . . . . . . . . . . . . . . 1311
DNS session helpers (dns-tcp and dns-udp) . . . . . . . . . . . . . . . . . . . . . 1311
File transfer protocol (FTP) session helper (ftp) . . . . . . . . . . . . . . . . . . . 1311
H.245 session helpers (h245I and h245O) . . . . . . . . . . . . . . . . . . . . . . 1312
H.323 and RAS session helpers (h323 and ras) . . . . . . . . . . . . . . . . . . . 1312
Alternate H.323 gatekeepers . . . . . . . . . . . . . . . . . . . . . . . . . . . 1312
Media Gateway Controller Protocol (MGCP) session helper (mgcp) . . . . . . . . . 1312
ONC-RPC portmapper session helper (pmap) . . . . . . . . . . . . . . . . . . . . 1313
PPTP session helper for PPTP traffic (pptp) . . . . . . . . . . . . . . . . . . . . . 1313
Remote shell session helper (rsh) . . . . . . . . . . . . . . . . . . . . . . . . . . 1314

Real-Time Streaming Protocol (RTSP) session helper (rtsp) . . . . . . . . . . . . 1315
Session Initiation Protocol (SIP) session helper (sip) . . . . . . . . . . . . . . . . 1315
Trivial File Transfer Protocol (TFTP) session helper (tftp) . . . . . . . . . . . . . . 1316
Oracle TNS listener session helper (tns) . . . . . . . . . . . . . . . . . . . . . . . 1316

Chapter 11 Virtual Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1317

Virtual Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1319

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1319
Benefits of Virtual Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1319
Improving Transparent mode configuration . . . . . . . . . . . . . . . . . . . . . . 1320
Easier administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1320
Continued security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1320
Savings in physical space and power . . . . . . . . . . . . . . . . . . . . . . . . . 1321
More flexible MSSP configurations . . . . . . . . . . . . . . . . . . . . . . . . . . 1321

Enabling and accessing Virtual Domains. . . . . . . . . . . . . . . . . . . . . . . 1321
Enabling Virtual Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1322
Viewing the VDOM list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1324
Global and per-VDOM settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1325
Resource settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1333
Virtual Domain Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1336
Logging in to VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1338

Configuring Virtual Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1340
Creating a Virtual Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1340
Disabling a Virtual Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1341
Deleting a VDOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1342
Removing references to a VDOM . . . . . . . . . . . . . . . . . . . . . . . . . . . 1342
Administrators in Virtual Domains . . . . . . . . . . . . . . . . . . . . . . . . . . 1343

Virtual Domains in NAT/Route mode . . . . . . . . . . . . . . . . . . . . . . . . . 1347

Virtual domains in NAT/Route mode . . . . . . . . . . . . . . . . . . . . . . . . . 1347
Changing the management virtual domain . . . . . . . . . . . . . . . . . . . . . . 1347
Configuring interfaces in a NAT/Route VDOM . . . . . . . . . . . . . . . . . . . . 1348
Configuring VDOM routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1351
Configuring firewall policies for NAT/Route VDOMs . . . . . . . . . . . . . . . . . 1353
Configuring UTM profiles for NAT/Route VDOMs . . . . . . . . . . . . . . . . . . . 1354

WAN Optimization using VDOMs. . . . . . . . . . . . . . . . . . . . . . . . . . . 1354


Example NAT/Route VDOM configuration . . . . . . . . . . . . . . . . . . . . . . 1355
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 1355
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1356
Creating the VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1356
Configuring the FortiGate interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 1357
Configuring the vdomA VDOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1359
Configuring the vdomB VDOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1361
Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1364

Virtual Domains in Transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . 1365

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1365
Transparent operation mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1365
Broadcast domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1366
Forwarding domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1366
Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1367
Differences between NAT/Route and Transparent mode . . . . . . . . . . . . . . . . 1367

Operation mode differences in VDOMs . . . . . . . . . . . . . . . . . . . . . . . 1368
Configuring VDOMs in Transparent mode . . . . . . . . . . . . . . . . . . . . . . 1369
Switching to Transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . 1369
Adding VLAN subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 1370
Creating firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1370
Example of VDOMs in Transparent mode . . . . . . . . . . . . . . . . . . . . . . 1370
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 1371
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1371
Configuring common items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1372
Creating virtual domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1372
Configuring the Company_A VDOM . . . . . . . . . . . . . . . . . . . . . . . . . . 1373
Configuring the Company_B VDOM . . . . . . . . . . . . . . . . . . . . . . . . . . 1377
Configuring the VLAN switch and router . . . . . . . . . . . . . . . . . . . . . . . 1381
Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1382

Inter-VDOM routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1385

Benefits of inter-VDOM routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1385
Freed-up physical interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1385
More speed than physical interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 1386
Continued support for secure firewall policies . . . . . . . . . . . . . . . . . . . . 1386
Configuration flexibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1386

Getting started with VDOM links . . . . . . . . . . . . . . . . . . . . . . . . . . . 1387
Viewing VDOM links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1387
Creating VDOM links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1388
Deleting VDOM links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1390


Inter-VDOM configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1390
Standalone VDOM configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 1391
Independent VDOMs configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 1391
Management VDOM configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 1392
Meshed VDOM configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1393

Dynamic routing over inter-VDOM links . . . . . . . . . . . . . . . . . . . . . . . 1394
HA virtual clusters and VDOM links . . . . . . . . . . . . . . . . . . . . . . . . . 1395
What is virtual clustering? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1395
Example of inter-VDOM routing . . . . . . . . . . . . . . . . . . . . . . . . . . . 1396
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 1397
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1398
Creating the VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1398
Configuring the physical interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 1399
Configuring the VDOM links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1400
Configuring the firewall and UTM settings . . . . . . . . . . . . . . . . . . . . . . 1402
Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1419

Troubleshooting Virtual Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . 1421

VDOM admin having problems gaining access . . . . . . . . . . . . . . . . . . . 1421
Confirm the admin’s VDOM . . . . . . . . . . . . . . . . . . . . . . . . . . . 1421
Confirm the VDOM’s interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 1421
Confirm the VDOMs admin access. . . . . . . . . . . . . . . . . . . . . . . . 1421
FortiGate unit running very slowly . . . . . . . . . . . . . . . . . . . . . . . . . . 1421
Too many VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1422
One or more VDOMs are consuming all the resources . . . . . . . . . . . . . 1422
Too many UTM features in use . . . . . . . . . . . . . . . . . . . . . . . . . 1422
General VDOM tips and troubleshooting . . . . . . . . . . . . . . . . . . . . . . . 1422
Perform a sniffer trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1422
Debug the packet flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1424

Chapter 12 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1427

Solving the High Availability problem . . . . . . . . . . . . . . . . . . . . . . . . . 1431

FortiGate Cluster Protocol (FGCP) . . . . . . . . . . . . . . . . . . . . . . . . . . 1431
TCP session synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1431
VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1432


More about the FGCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1432
FGCP failover protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1433
Session Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1433
Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1434
Virtual Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1434
Full Mesh HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1434
Cluster Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1434

An introduction to the FortiGate Clustering Protocol (FGCP) . . . . . . . . . . . . . 1437

Configuring a FortiGate unit for HA operation . . . . . . . . . . . . . . . . . . . . 1437
Connecting a FortiGate HA cluster . . . . . . . . . . . . . . . . . . . . . . . . 1439
Active-passive and active-active HA . . . . . . . . . . . . . . . . . . . . . . . . . 1440
Active-passive HA (failover protection). . . . . . . . . . . . . . . . . . . . . . 1440
Active-active HA (load balancing and failover protection) . . . . . . . . . . . . 1441
Identifying the cluster and cluster units . . . . . . . . . . . . . . . . . . . . . . . . 1441
Group name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1442
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1442
Group ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1442
Device failover, link failover, and session failover . . . . . . . . . . . . . . . . . . 1442
Primary unit selection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1443
Primary unit selection and monitored interfaces . . . . . . . . . . . . . . . . . . . 1444
Primary unit selection and age . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1445
Primary unit selection and device priority . . . . . . . . . . . . . . . . . . . . . . 1447
Primary unit selection and FortiGate unit serial number . . . . . . . . . . . . . . . 1449
Points to remember about primary unit selection . . . . . . . . . . . . . . . . . . 1449

HA override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1449
Override and primary unit selection . . . . . . . . . . . . . . . . . . . . . . . . . 1450
Controlling primary unit selection using device priority and override . . . . . . . . 1451
Points to remember about primary unit selection when override is enabled . . . . . 1452
Configuration changes can be lost if override is enabled . . . . . . . . . . . . . . 1452
Override and disconnecting a unit from a cluster . . . . . . . . . . . . . . . . . . 1453

FortiGate HA compatibility with PPPoE and DHCP . . . . . . . . . . . . . . . . . 1453
Hard disk configuration and HA . . . . . . . . . . . . . . . . . . . . . . . . . . . 1453
Recommended practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1454
Heartbeat interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1454
Interface monitoring (port monitoring) . . . . . . . . . . . . . . . . . . . . . . 1455
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1455
FGCP HA terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1455


Configuring and connecting HA clusters . . . . . . . . . . . . . . . . . . . . . . . 1461

About the procedures in this chapter . . . . . . . . . . . . . . . . . . . . . . . . . 1461
Example: NAT/Route mode active-passive HA configuration . . . . . . . . . . . . 1461
Example NAT/Route mode HA network topology . . . . . . . . . . . . . . . . 1462
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 1462
Configuring a NAT/Route mode active-passive cluster of two FortiGate-620B units - web-based manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1463
Configuring a NAT/Route mode active-passive cluster of two FortiGate-620B units - CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1467
Example: Transparent mode active-active HA configuration . . . . . . . . . . . . . 1473
Example Transparent mode HA network topology . . . . . . . . . . . . . . . . 1473
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 1473
Configuring a Transparent mode active-active cluster of two FortiGate-620B units - web-based manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1474
Configuring a Transparent mode active-active cluster of two FortiGate-620B units - CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1479
Example: advanced Transparent mode active-active HA configuration . . . . . . . 1485
Example Transparent mode HA network topology . . . . . . . . . . . . . . . . 1485
Configuring a Transparent mode active-active cluster of three FortiGate-5005FA2 units - web-based manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1485
Configuring a Transparent mode active-active cluster of three FortiGate-5005FA2 units - CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1488
Example: converting a standalone FortiGate unit to a cluster . . . . . . . . . . . . 1492
Example: adding a new unit to an operating cluster . . . . . . . . . . . . . . . . . 1494
Example: replacing a failed cluster unit. . . . . . . . . . . . . . . . . . . . . . . . 1495
Example: HA and 802.3ad aggregated interfaces . . . . . . . . . . . . . . . . . . 1496
HA interface monitoring, link failover, and 802.3ad aggregation . . . . . . . . . 1496
HA MAC addresses and 802.3ad aggregation . . . . . . . . . . . . . . . . . . 1496
Link aggregation, HA failover performance, and HA mode . . . . . . . . . . . 1497
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 1498
Configuring active-passive HA cluster that includes aggregated interfaces - web-based manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1498
Configuring active-passive HA cluster that includes aggregate interfaces - CLI . 1502


Example: HA and redundant interfaces . . . . . . . . . . . . . . . . . . . . . . . 1507
HA interface monitoring, link failover, and redundant interfaces . . . . . . . . . . 1508
HA MAC addresses and redundant interfaces . . . . . . . . . . . . . . . . . . . . . 1508
Connecting multiple redundant interfaces to one switch while operating in active-passive HA mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1508
Connecting multiple redundant interfaces to one switch while operating in active-active HA mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1508
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1509
Configuring active-passive HA cluster that includes redundant interfaces - web-based manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1509
Configuring active-passive HA cluster that includes redundant interfaces - CLI . . . 1513

Troubleshooting HA clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1518
Before you set up a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1518
Troubleshooting the initial cluster configuration . . . . . . . . . . . . . . . . . 1518
More troubleshooting information . . . . . . . . . . . . . . . . . . . . . . . . 1520

Configuring and connecting virtual clusters . . . . . . . . . . . . . . . . . . . . . 1523

Virtual clustering overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1523
Virtual clustering and failover protection . . . . . . . . . . . . . . . . . . . . . . 1523
Virtual clustering and heartbeat interfaces . . . . . . . . . . . . . . . . . . . . . . 1524
Virtual clustering and HA override . . . . . . . . . . . . . . . . . . . . . . . . . . 1524
Virtual clustering and load balancing or VDOM partitioning . . . . . . . . . . . . . 1525

Configuring HA for virtual clustering . . . . . . . . . . . . . . . . . . . . . . . . . 1525
Example: virtual clustering with two VDOMs and VDOM partitioning . . . . . . . . 1527
Example virtual clustering network topology . . . . . . . . . . . . . . . . . . . . . 1527
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1528
Configuring virtual clustering with two VDOMs and VDOM partitioning - web-based manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1529
Configuring virtual clustering with two VDOMs and VDOM partitioning - CLI . . . . . 1533

Example: inter-VDOM links in a virtual clustering configuration . . . . . . . . . . . 1540
Configuring inter-VDOM links in a virtual clustering configuration . . . . . . . . 1541
Troubleshooting virtual clustering . . . . . . . . . . . . . . . . . . . . . . . . . . 1542

Configuring and operating FortiGate full mesh HA . . . . . . . . . . . . . . . . . . 1545

Full mesh HA overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1545
Full mesh HA and redundant heartbeat interfaces . . . . . . . . . . . . . . . . 1546
Full mesh HA, redundant interfaces and 802.3ad aggregate interfaces . . . . . 1546


Example: full mesh HA configuration . . . . . . . . . . . . . . . . . . . . . . . . . 1547
FortiGate-620B full mesh HA configuration . . . . . . . . . . . . . . . . . . . . . . 1547
Full mesh switch configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1548
Full mesh network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1548
How packets travel from the internal network through the full mesh cluster and to the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1548
Configuring FortiGate-620B units for HA operation - web-based manager . . . . . . 1548
Configuring FortiGate-620B units for HA operation - CLI . . . . . . . . . . . . . . . 1552

Operating a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1557

Operating a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1557
Operating a virtual cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1558
Managing individual cluster units using a reserved management interface . . . . . 1559
Configuring the reserved management interface and SNMP remote management of individual cluster units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1560
The primary unit acts as a router for subordinate unit management traffic. . . . . . 1564
Cluster communication with RADIUS and LDAP servers . . . . . . . . . . . . 1565
Clusters and FortiGuard services. . . . . . . . . . . . . . . . . . . . . . . . . . . 1565
FortiGuard and active-passive clusters . . . . . . . . . . . . . . . . . . . . . 1565
FortiGuard and active-active clusters . . . . . . . . . . . . . . . . . . . . . . 1565
FortiGuard and virtual clustering . . . . . . . . . . . . . . . . . . . . . . . . . 1565
Clusters and logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1566
Viewing and managing log messages for individual cluster units . . . . . . . . . . 1566
HA log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1567
Example log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1567
FortiGate HA message "HA master heartbeat interface <intf_name> lost neighbor information" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1571

Clusters and SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1573
SNMP get command syntax for the primary unit . . . . . . . . . . . . . . . . . . 1573
SNMP get command syntax for any cluster unit . . . . . . . . . . . . . . . . . . 1574
Getting serial numbers for all the units in a cluster . . . . . . . . . . . . . . . 1575
SNMP get command syntax - reserved management interface enabled . . . . . . . 1575

Clusters and file quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1575
Cluster members list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1576
Virtual cluster members list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1577
Viewing HA statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1578
Changing the HA configuration of an operating cluster. . . . . . . . . . . . . . . . 1579
Changing the HA configuration of an operating virtual cluster . . . . . . . . . . . . 1579
Changing the subordinate unit host name and device priority . . . . . . . . . . . . 1580


Upgrading cluster firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1580
Changing how the cluster processes firmware upgrades . . . . . . . . . . . . 1581
Synchronizing the firmware build running on a new cluster unit . . . . . . . . . 1581
Downgrading cluster firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1582
Backing up and restoring the cluster configuration . . . . . . . . . . . . . . . . . . 1583
Monitoring cluster units for failover . . . . . . . . . . . . . . . . . . . . . . . . . . 1583
Viewing cluster status from the CLI. . . . . . . . . . . . . . . . . . . . . . . . . . 1584
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1585
About the HA cluster index and the execute ha manage command . . . . . . . 1588
Managing individual cluster units. . . . . . . . . . . . . . . . . . . . . . . . . 1590
Disconnecting a cluster unit from a cluster . . . . . . . . . . . . . . . . . . . . . . 1591
Adding a disconnected FortiGate unit back to its cluster . . . . . . . . . . . . . . . 1592

HA and failover protection 1595

About active-passive failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596
Device failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596
Link failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596
Session failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596
Primary unit recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1597

About active-active failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1597
Device failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1597
HA heartbeat and communication between cluster units . . . . . . . . . . . . . . . 1598
Heartbeat interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1599
Connecting HA heartbeat interfaces . . . . . . . . . . . . . . . . . . . . . . . . 1600
Heartbeat interfaces and FortiGate switch interfaces . . . . . . . . . . . . . . . 1600
Heartbeat packets and heartbeat interface selection . . . . . . . . . . . . . . . . 1600
Interface index and display order . . . . . . . . . . . . . . . . . . . . . . . . . 1601
HA heartbeat interface IP addresses . . . . . . . . . . . . . . . . . . . . . . . . 1601
Heartbeat packet Ethertypes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1602
Modifying heartbeat timing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1603
Enabling or disabling HA heartbeat encryption and authentication . . . . . . . . . 1605

Cluster virtual MAC addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1605
Changing how the primary unit sends gratuitous ARP packets after a failover . . . 1606
How the virtual MAC address is determined . . . . . . . . . . . . . . . . . . . . 1607
Displaying the virtual MAC address . . . . . . . . . . . . . . . . . . . . . . . . 1608
Diagnosing packet loss with two FortiGate HA clusters in the same broadcast domain . . . . 1610

Synchronizing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 1611
Disabling automatic configuration synchronization . . . . . . . . . . . . . . . . . 1611
Incremental synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1612
Periodic synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1613
Console messages when configuration synchronization succeeds . . . . . . . . . . 1613
Console messages when configuration synchronization fails . . . . . . . . . . . . 1614
Comparing checksums of cluster units . . . . . . . . . . . . . . . . . . . . . . . 1615
How to diagnose HA out of sync messages . . . . . . . . . . . . . . . . . . . . . 1616

Synchronizing routing table updates . . . . . . . . . . . . . . . . . . . . . . . . . 1618
Configuring graceful restart for dynamic routing failover . . . . . . . . . . . . . 1618
Controlling how the FGCP synchronizes routing updates . . . . . . . . . . . . 1619
Synchronizing IPsec VPN SAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1620
Link failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1621
If a monitored interface on the primary unit fails . . . . . . . . . . . . . . . . . 1623
If a monitored interface on a subordinate unit fails . . . . . . . . . . . . . . . . 1623
How link failover maintains traffic flow . . . . . . . . . . . . . . . . . . . . . . 1623
Recovery after a link failover . . . . . . . . . . . . . . . . . . . . . . . . . . . 1625
Testing link failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1625
Updating MAC forwarding tables when a link failover occurs . . . . . . . . . . . . 1625
Multiple link failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1625
Example link failover scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 1625

Remote link failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1626
Ping server priority and the failover threshold . . . . . . . . . . . . . . . . . . 1629
Flip timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1629
Detecting HA remote IP monitoring failovers. . . . . . . . . . . . . . . . . . . 1630
Session failover (session pick-up) . . . . . . . . . . . . . . . . . . . . . . . . . . 1630
Session failover not supported for all sessions . . . . . . . . . . . . . . . . . . 1631
SIP session failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1632
Session failover and explicit web proxy, WCCP, and WAN optimization sessions . . . 1632
Session failover and SSL offloading and HTTP multiplexing . . . . . . . . . . . . . 1632
IPsec VPN and SSL VPN sessions . . . . . . . . . . . . . . . . . . . . . . . . . . 1632
PPTP and L2TP VPN sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1632
Session failover and UDP, ICMP, multicast and broadcast packets . . . . . . . . . 1632
FortiOS Carrier GTP session failover . . . . . . . . . . . . . . . . . . . . . . . . 1633
Active-active HA subordinate units sessions can resume after a failover . . . . . . 1633

Subsecond failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1634
Subsecond failover and cluster firmware upgrades . . . . . . . . . . . . . . . 1634
WAN optimization and HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1634
Failover and attached network equipment . . . . . . . . . . . . . . . . . . . . . . 1635
Monitoring cluster units for failover . . . . . . . . . . . . . . . . . . . . . . . . . . 1635


NAT/Route mode active-passive cluster packet flow . . . . . . . . . . . . . . . . . 1635
Packet flow from client to web server . . . . . . . . . . . . . . . . . . . . . . 1636
Packet flow from web server to client . . . . . . . . . . . . . . . . . . . . . . 1636
When a failover occurs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1637
Transparent mode active-passive cluster packet flow . . . . . . . . . . . . . . . . 1637
Packet flow from client to mail server . . . . . . . . . . . . . . . . . . . . . . 1638
Packet flow from mail server to client . . . . . . . . . . . . . . . . . . . . . . 1638
When a failover occurs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1639
Failover performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1640
Device failover performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 1640
Link failover performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1640
Reducing failover times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1640

HA and load balancing 1643

Load balancing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1643
Load balancing schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1644
Selecting which packets are load balanced . . . . . . . . . . . . . . . . . . . . . 1645
More about active-active failover . . . . . . . . . . . . . . . . . . . . . . . . . . 1645
HTTPS sessions, active-active load balancing, and proxy servers . . . . . . . . . . 1645
Using FortiGate network processor interfaces to accelerate active-active HA performance . . . . 1646

Configuring load balancing settings . . . . . . . . . . . . . . . . . . . . . . . . . 1646
Selecting a load balancing schedule . . . . . . . . . . . . . . . . . . . . . . . 1647
Load balancing UTM sessions and TCP sessions . . . . . . . . . . . . . . . . 1647
Configuring weighted-round-robin weights . . . . . . . . . . . . . . . . . . . . 1647
NAT/Route mode active-active cluster packet flow. . . . . . . . . . . . . . . . . . 1649
Packet flow from client to web server . . . . . . . . . . . . . . . . . . . . . . 1650
Packet flow from web server to client . . . . . . . . . . . . . . . . . . . . . . 1651
When a failover occurs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1652
Transparent mode active-active cluster packet flow . . . . . . . . . . . . . . . . . 1652
Packet flow from client to mail server . . . . . . . . . . . . . . . . . . . . . . 1653
Packet flow from mail server to client . . . . . . . . . . . . . . . . . . . . . . 1654
When a failover occurs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1654

HA with third-party products 1657

Troubleshooting layer-2 switches. . . . . . . . . . . . . . . . . . . . . . . . . . . 1657
Forwarding delay on layer 2 switches . . . . . . . . . . . . . . . . . . . . . . 1658
Failover issues with layer-3 switches . . . . . . . . . . . . . . . . . . . . . . . . . 1658
Changing spanning tree protocol settings for some switches . . . . . . . . . . . . 1658
Spanning Tree protocol (STP) . . . . . . . . . . . . . . . . . . . . . . . . . . 1659
Bridge Protocol Data Unit (BPDU) . . . . . . . . . . . . . . . . . . . . . . . . 1659


Failover and attached network equipment . . . . . . . . . . . . . . . . . . . . . . 1659
Ethertype conflicts with third-party switches . . . . . . . . . . . . . . . . . . . . . 1659
LACP, 802.3ad aggregation and third-party switches . . . . . . . . . . . . . . . . 1660

Standalone session synchronization 1661

Notes and limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1662
Configuring session synchronization . . . . . . . . . . . . . . . . . . . . . . . . . 1663
Configuring the session synchronization link . . . . . . . . . . . . . . . . . . . . . 1664
Basic example configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1664

Chapter 13 Endpoint 1667

Network Access Control and monitoring 1669

NAC overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1669
User experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1669
Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1671
Configuring FortiClient required version and download location . . . . . . . . . . . 1672
Configuring application detection and control . . . . . . . . . . . . . . . . . . . . 1673
Configuring application sensors . . . . . . . . . . . . . . . . . . . . . . . . . 1673
Viewing the application database . . . . . . . . . . . . . . . . . . . . . . . . 1675
Configuring Endpoint profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1676
Enabling Endpoint NAC in firewall policies . . . . . . . . . . . . . . . . . . . . . . 1677
Monitoring endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1678
Viewing details about the endpoint . . . . . . . . . . . . . . . . . . . . . . . . 1679
Modifying Endpoint NAC replacement pages . . . . . . . . . . . . . . . . . . . . 1679
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1680
Configuring FortiClient download source and required version . . . . . . . . . . . 1680
Configuring an application sensor . . . . . . . . . . . . . . . . . . . . . . . . . 1680
Configuring an endpoint profile . . . . . . . . . . . . . . . . . . . . . . . . . . 1682
Configuring the firewall policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 1682

Network Vulnerability Scan 1685

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1685
Selecting assets to scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1685
Discovering assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1685
Adding assets manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1687
Configuring scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1688


Viewing scan results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1690
Viewing scan logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1690
Viewing Executive Summary graphs . . . . . . . . . . . . . . . . . . . . . . . . . 1691
Creating reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1691
Viewing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1692

Chapter 14 Traffic Shaping 1693

The purpose of traffic shaping 1695

Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1695
Traffic policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1696
Bandwidth guarantee, limit, and priority interactions . . . . . . . . . . . . . . . . . 1697
FortiGate traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1698
Through traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1698
Important considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1702

Traffic shaping methods 1705

Traffic shaping options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1705
Shared policy shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1705
Per policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1706
All policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1706
Maximum and guaranteed bandwidth . . . . . . . . . . . . . . . . . . . . . . . . 1706
Traffic priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1706
VLAN, VDOM and virtual interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 1707

Per-IP shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1707
Application control shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1708
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1708
Shaping order of operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1709
Enabling in the firewall policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1709
Reverse direction traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . 1710
Application control shaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1710
Type of Service priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1710
TOS in FortiOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1711
Differentiated Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1711
DSCP examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1712
Tos and DSCP mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1716


Examples 1717

QoS using priority from firewall policies . . . . . . . . . . . . . . . . . . . . . . . 1717
Sample configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1718
QoS using priority from ToS or differentiated services . . . . . . . . . . . . . . . . 1719
Sample configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1720
Example setup for VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1720
Creating the traffic shapers. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1721
Creating firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1722

Troubleshooting 1725

Interface diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1725
Shaper diagnose commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1725
TOS command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1725
Shared shaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1726
Per-IP shaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1726
Packet loss with statistics on shapers . . . . . . . . . . . . . . . . . . . . . . . 1727

Packet lost with the debug flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1727
Session list details with dual traffic shaper . . . . . . . . . . . . . . . . . . . . . . 1727
Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1728

Chapter 15 FortiOS Carrier 1729

Overview of FortiOS Carrier features 1733

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1733
Dynamic profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1733
MMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1733
GTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1734
MMS background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1734
MMS content interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1734
How MMS content interfaces are applied . . . . . . . . . . . . . . . . . . . . 1735
How FortiOS Carrier processes MMS messages . . . . . . . . . . . . . . . . . . 1737
FortiOS Carrier and MMS content scanning . . . . . . . . . . . . . . . . . . . 1737
FortiOS Carrier and MMS duplicate message and message floods . . . . . . . 1742
MMS protection profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1744
Bypassing MMS protection profile filtering based on user’s carrier end points . . . . 1745
Applying MMS protection profiles to MMS traffic . . . . . . . . . . . . . . . . . . . 1745
GTP basic concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1745
GPRS security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1746


Parts of a GPRS network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1746
Radio access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1747
Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1747
Billing and records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1748
PDP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1749

GPRS network common interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 1751
Packet flow through the GPRS network . . . . . . . . . . . . . . . . . . . . . . . 1752

Dynamic profiles and profile groups 1755

Dynamic profile and RADIUS-based accounting systems . . . . . . . . . . . . . . 1755
About carrier end points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1756
Dynamic profiles and firewall policies . . . . . . . . . . . . . . . . . . . . . . . 1756
Accounting system RADIUS configuration . . . . . . . . . . . . . . . . . . . . . . 1756
About the user context list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1757
Accepting sessions from dynamic profile users only . . . . . . . . . . . . . . . . . 1758
Configuring the dynamic profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 1759
Example: Parental control dynamic profile group configuration . . . . . . . . . . . 1763

HTTP header options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1767
How FortiOS Carrier applies HTTP header options . . . . . . . . . . . . . . . 1768
Configuring carrier end point HTTP header options . . . . . . . . . . . . . . . 1769
Example: How FortiOS Carrier applies carrier end point prefix options . . . . . 1770
Cookie Override configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1771
Cookie override commands - CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . 1772

MMS Carrier End Point features 1775

Controlling access to MMS services based on a user’s carrier end point . . . . . . 1775
Configuring carrier end point filtering. . . . . . . . . . . . . . . . . . . . . . . 1775
Blocking network access for IP addresses based on carrier end points . . . . . . . 1777
Configuring end point IP filtering . . . . . . . . . . . . . . . . . . . . . . . . . 1778
Extracting carrier end points for user and administrative notifications . . . . . . . . 1780
Configuring MMS address translation . . . . . . . . . . . . . . . . . . . . . . 1780


MMS UTM features 1783

MMS virus scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1783
Why scan MMS messages? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1783
MMS virus monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1784
MMS virus scanning blocks messages (not just attachments) . . . . . . . . . . . . 1784
Removing or replacing blocked messages . . . . . . . . . . . . . . . . . . . . . . 1784
Scanning MM1 retrieval messages . . . . . . . . . . . . . . . . . . . . . . . . . . 1785
Passing or blocking fragmented messages . . . . . . . . . . . . . . . . . . . . . . 1785
Client comforting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1785
Server comforting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1786
Handling oversized MMS messages . . . . . . . . . . . . . . . . . . . . . . . . . . 1786
MM1 sample messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1786
Configuring MMS virus scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . 1787

MMS file filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1789
Built-in patterns and supported file types . . . . . . . . . . . . . . . . . . . . . 1790
MMS file filtering blocks messages (not just attachments) . . . . . . . . . . . . . 1792
Configuring MMS file filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . 1792
Configuring sender notifications . . . . . . . . . . . . . . . . . . . . . . . . . . 1793

MMS content-based Antispam protection . . . . . . . . . . . . . . . . . . . . . . 1795
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1795
Scores and thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1796
Configuring content-based antispam protection . . . . . . . . . . . . . . . . . . . 1797
Configuring sender notifications . . . . . . . . . . . . . . . . . . . . . . . . . . 1797
Using wildcards and Perl regular expressions . . . . . . . . . . . . . . . . . . . . 1798

MMS DLP archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1800
Configuring MMS DLP archiving . . . . . . . . . . . . . . . . . . . . . . . . . 1800
Viewing DLP archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1801

Message flood protection 1803

Setting message flood thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . 1804
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1804
Flood actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1806
Notifying administrators of floods . . . . . . . . . . . . . . . . . . . . . . . . . . . 1806
Example of using three flood threshold levels and different sets of actions for each threshold . . . . 1807
Notifying message flood senders and receivers . . . . . . . . . . . . . . . . . . . 1809
Responses to MM1 senders and receivers . . . . . . . . . . . . . . . . . . . 1809
Forward responses for MM4 message floods . . . . . . . . . . . . . . . . . . 1810
Viewing DLP archived messages. . . . . . . . . . . . . . . . . . . . . . . . . . . 1810
Order of operations: flood checking before duplicate checking . . . . . . . . . . . 1811


Bypassing message flood protection based on user’s carrier end points . . . . . . 1811
Configuring message flood detection. . . . . . . . . . . . . . . . . . . . . . . . . 1811
Sending administrator alert notifications . . . . . . . . . . . . . . . . . . . . . . . 1812
Configuring how and when to send alert notifications . . . . . . . . . . . . . . 1812
Configuring who to send alert notifications to . . . . . . . . . . . . . . . . . . 1814

Duplicate message protection 1817

Using message fingerprints to identify duplicate messages . . . . . . . . . . . . . 1818
Messages from any sender to any recipient . . . . . . . . . . . . . . . . . . . . . 1818
Setting duplicate message thresholds . . . . . . . . . . . . . . . . . . . . . . . . 1818
Duplicate message actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1818
Notifying duplicate message senders and receivers . . . . . . . . . . . . . . . . . 1819
Responses to MM1 senders and receivers . . . . . . . . . . . . . . . . . . . 1819
Forward responses for duplicate MM4 messages . . . . . . . . . . . . . . . . 1820
Viewing DLP archived messages. . . . . . . . . . . . . . . . . . . . . . . . . . . 1820
Order of operations: flood checking before duplicate checking . . . . . . . . . . . 1821
Bypassing duplicate message detection based on user’s carrier end points. . . . . 1821
Configuring duplicate message detection . . . . . . . . . . . . . . . . . . . . . . 1821
Sending administrator alert notifications . . . . . . . . . . . . . . . . . . . . . . . 1822
Configuring how and when to send alert notifications . . . . . . . . . . . . . . 1822
Configuring who to send alert notifications to . . . . . . . . . . . . . . . . . . 1823

MMS Replacement messages 1825

Changing replacement messages . . . . . . . . . . . . . . . . . . . . . . . . . . 1825
Multimedia content for MMS replacement messages . . . . . . . . . . . . . . . . 1826
MMS replacement message types . . . . . . . . . . . . . . . . . . . . . . . . . . 1828
Replacement message tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1828
Replacement message groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1829

Configuring GTP on FortiOS Carrier 1833

GTP support on the FortiOS Carrier unit . . . . . . . . . . . . . . . . . . . . . . . 1833
Packet sanity checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1833
GTP stateful inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1834
Protocol anomaly detection and prevention . . . . . . . . . . . . . . . . . . . . . 1834
HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1834

Configuring General Settings on the FortiOS Carrier unit . . . . . . . . . . . . . . 1834


Configuring Encapsulated Filtering on the FortiOS Carrier unit . . . . . . . . . . . 1836
Configuring Encapsulated IP Traffic Filtering . . . . . . . . . . . . . . . . . . 1836
Configuring Encapsulated Non-IP End User Address Filtering . . . . . . . . . 1837
Configuring Protocol Anomaly on the FortiOS Carrier unit . . . . . . . . . . . . . . 1838
Configuring Anti-overbilling in FortiOS Carrier . . . . . . . . . . . . . . . . . . . . 1838
Overbilling in GPRS networks . . . . . . . . . . . . . . . . . . . . . . . . . . 1838
Anti-overbilling with FortiOS Carrier . . . . . . . . . . . . . . . . . . . . . . . 1839
Configuring anti-overbilling with FortiOS Carrier . . . . . . . . . . . . . . . . . 1839
Logging events on the FortiOS Carrier unit. . . . . . . . . . . . . . . . . . . . . . 1839
Configuring FortiOS Carrier logging events . . . . . . . . . . . . . . . . . . . 1839

GTP message type filtering 1843

Common message types on carrier networks . . . . . . . . . . . . . . . . . . . . 1843
GTP-C messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1843
GTP-U messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1844
Unknown Action messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 1845
Configuring message type filtering in FortiOS Carrier . . . . . . . . . . . . . . . . 1845
Message Type Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1845

GTP identity filtering 1849

IMSI on carrier networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1849
Other identity and location based information elements . . . . . . . . . . . . . . . 1849
When to use APN, IMSI, or advanced filtering . . . . . . . . . . . . . . . . . . 1851
Configuring APN filtering in FortiOS Carrier . . . . . . . . . . . . . . . . . . . . . 1852
Configuring IMSI filtering in FortiOS Carrier . . . . . . . . . . . . . . . . . . . . . 1852
Configuring advanced filtering in FortiOS Carrier . . . . . . . . . . . . . . . . . . 1853

Troubleshooting 1855

FortiOS Carrier diagnose commands. . . . . . . . . . . . . . . . . . . . . . . . . 1855
Dynamic Profile diagnose commands . . . . . . . . . . . . . . . . . . . . . . 1855
GTP related diagnose commands . . . . . . . . . . . . . . . . . . . . . . . . 1856
Applying Intrusion and Prevention System (IPS) signatures to IP packets
within GTP-U tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1856


GTP packets are not moving along your network . . . . . . . . . . . . . . . . . . 1857
Attempt to identify the section of your network with the problem . . . . . . . 1857
Ensure you have an APN configured . . . . . . . . . . . . . . . . . . . . . . . 1858
Check the logs and adjust their settings if required . . . . . . . . . . . . . . 1858
Check the routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1858
Perform a sniffer trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1859
Generate specific packets to test the network . . . . . . . . . . . . . . . . . 1861

Chapter 16 Deploying Wireless Networks . . . . . . . . . . . . . . . . . . . . . 1863

Introduction to wireless networking . . . . . . . . . . . . . . . . . . . . . . . 1865

Wireless concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1865
Bands and channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1865
Power. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1868
Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1868
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1869
Whether to broadcast SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1869
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1869
Separate access for employees and guests . . . . . . . . . . . . . . . . . . . 1869
Captive portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1869
Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1869

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1870
Wireless networking equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . 1870
FortiWiFi units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1870
FortiAP units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1871
Third-party WAPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1871
Deployment considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1871
Types of wireless deployment . . . . . . . . . . . . . . . . . . . . . . . . . . 1871
Deployment methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1871
Single access point networks . . . . . . . . . . . . . . . . . . . . . . . . . . 1872
Multiple access point networks . . . . . . . . . . . . . . . . . . . . . . . . . 1872

Configuring a wireless LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1875

Overview of wireless controller configuration. . . . . . . . . . . . . . . . . . . . . 1875
Creating a virtual access point (wireless controller) . . . . . . . . . . . . . . . . . 1876
Creating an AP Profile (wireless controller) . . . . . . . . . . . . . . . . . . . . . 1877
Configuring a WLAN interface (standalone FortiWiFi unit) . . . . . . . . . . . . . . 1878
Configuring the WLAN interface (wireless controller) . . . . . . . . . . . . . . . . 1879
Configuring DHCP on the WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . 1880
Creating a wireless user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1880

Configuring firewall policies for the WLAN . . . . . . . . . . . . . . . . . . . . . . 1881
Adding a disclaimer page to the captive portal . . . . . . . . . . . . . . . . . . . . 1882
Modifying the Disclaimer page . . . . . . . . . . . . . . . . . . . . . . . . . . 1882
Modifying the Declined Disclaimer page . . . . . . . . . . . . . . . . . . . . . 1883
Enabling the disclaimer page. . . . . . . . . . . . . . . . . . . . . . . . . . . 1884

Access point deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1885

Network topology for managing APs . . . . . . . . . . . . . . . . . . . . . . . . . 1885
Attaching an AP unit as a WAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1886
Controller discovery methods . . . . . . . . . . . . . . . . . . . . . . . . . . 1887
Connecting to the FortiAP CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 1888
Configuring a FortiWiFi unit as a WAP . . . . . . . . . . . . . . . . . . . . . . 1888
Discovering and adding APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1888

Wireless network monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1891

Monitoring wireless clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1891
Monitoring rogue APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1892
Monitoring with a FortiWiFi unit . . . . . . . . . . . . . . . . . . . . . . . . . 1892
Monitoring with a FortiGate wireless controller. . . . . . . . . . . . . . . . . . 1892

Chapter 17 VoIP Solutions: SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 1895

FortiGate VoIP solutions: SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 1897

SIP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1897
Common SIP VoIP configurations . . . . . . . . . . . . . . . . . . . . . . . . . . 1898
Peer to peer configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 1898
SIP proxy server configuration . . . . . . . . . . . . . . . . . . . . . . . . . 1899
SIP redirect server configuration . . . . . . . . . . . . . . . . . . . . . . . 1899
SIP registrar configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 1900
SIP with a FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1901

SIP messages and media protocols . . . . . . . . . . . . . . . . . . . . . . . . . 1903
SIP request messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1905
SIP response messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1905
SIP message start line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1907
SIP headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1907
The SIP message body and SDP session profiles . . . . . . . . . . . . . . . . 1909
Example SIP messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1910


The SIP session helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1912
SIP session helper configuration overview . . . . . . . . . . . . . . . . . . . . 1912
Configuration example: SIP session helper in Transparent Mode . . . . . . . . 1914
SIP session helper diagnose commands. . . . . . . . . . . . . . . . . . . . . 1916
The SIP ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1917
SIP ALG configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . 1919
Conflicts between the SIP ALG and the session helper . . . . . . . . . . . . . 1921
Stateful SIP tracking, call termination, and session inactivity timeout . . . 1922
SIP and RTP/RTCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1924
How the SIP ALG creates RTP pinholes . . . . . . . . . . . . . . . . . . . . . . 1924
Configuration example: SIP in Transparent Mode . . . . . . . . . . . . . . . . 1926
RTP enable/disable (RTP bypass) . . . . . . . . . . . . . . . . . . . . . . . . 1929
Opening and closing SIP register and non-register pinholes . . . . . . . . . . 1929
Accepting SIP register responses . . . . . . . . . . . . . . . . . . . . . . . . 1930

How the SIP ALG performs NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . 1930
Source address translation . . . . . . . . . . . . . . . . . . . . . . . . . . . 1931
Destination address translation . . . . . . . . . . . . . . . . . . . . . . . . 1932
Call Re-invite messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1932
How the SIP ALG translates IP addresses in SIP headers . . . . . . . . . . . . 1932
How the SIP ALG translates IP addresses in the SIP body . . . . . . . . . . . . 1934
SIP NAT scenario: source address translation (source NAT) . . . . . . . . . . 1935
SIP NAT scenario: destination address translation (destination NAT) . . . . . 1937
SIP NAT configuration example: source address translation (source NAT) . . . 1939
SIP NAT configuration example: destination address translation
(destination NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1942
Additional SIP NAT scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 1945
NAT with IP address conservation . . . . . . . . . . . . . . . . . . . . . . . . 1947
Controlling how the SIP ALG NATs SIP contact header line addresses . . . . . . 1948
Controlling NAT for addresses in SDP lines . . . . . . . . . . . . . . . . . . . 1949
Translating SIP session destination ports . . . . . . . . . . . . . . . . . . . 1949
Translating SIP sessions to multiple destination ports . . . . . . . . . . . . 1951
Server load balancing with multiple SIP ports . . . . . . . . . . . . . . . . . 1952

Hosted NAT traversal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1957
Configuration example: Hosted NAT traversal for calls between SIP
Phone A and SIP Phone B . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1958
Restricting the RTP source IP . . . . . . . . . . . . . . . . . . . . . . . . . . 1960
SIP over IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1960
Deep SIP message inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1961
Actions taken when a malformed message line is found . . . . . . . . . . . . . 1962
Logging and statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1962
Recommended configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . 1963
Configuring deep SIP message inspection . . . . . . . . . . . . . . . . . . . . 1963

Blocking SIP request messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 1965


SIP rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1967
Limiting the number of SIP dialogs accepted by a firewall policy . . . . . . . . 1968
SIP logging and DLP archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1969
SIP and HA: session failover and geographic redundancy . . . . . . . . . . . . . . 1969
SIP geographic redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . 1970
Support for RFC 2543-compliant branch parameters . . . . . . . . . . . . . . 1971
SIP debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1974
SIP debug log format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1974
SIP-proxy filter per VDOM . . . . . . . . . . . . . . . . . . . . . . . . . . . 1975
SIP-proxy filter command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1975
SIP debug log filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1976
SIP debug setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1976
SIP test commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1977
Display SIP rate-limit data . . . . . . . . . . . . . . . . . . . . . . . . . . 1977

Chapter 18 WAN Optimization, Web Cache, Explicit Proxy, and WCCP . . . . . . . . 1979

WAN optimization, web cache, and web proxy concepts . . . . . . . . . . . . . . . 1981

WAN optimization topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1981
Basic WAN optimization topologies . . . . . . . . . . . . . . . . . . . . . . . 1982
Out-of-path topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1982
Topology for multiple networks . . . . . . . . . . . . . . . . . . . . . . . . . 1983
Web-cache-only WAN optimization . . . . . . . . . . . . . . . . . . . . . . . . 1984
WAN optimization with web caching . . . . . . . . . . . . . . . . . . . . . . . 1985
WAN optimization and web caching with FortiClient peers . . . . . . . . . . . 1986

Explicit Web proxy topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1986
WCCP topology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1987
WAN optimization client/server architecture . . . . . . . . . . . . . . . . . . . . . 1987
WAN optimization peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1988
Peer-to-peer and active-passive WAN optimization . . . . . . . . . . . . . . . 1989
WAN optimization and the FortiClient application . . . . . . . . . . . . . . . 1989
Operating modes and VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . 1989

WAN optimization tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1989
Tunnel sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1990
Protocol optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1990
Byte caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1991
WAN optimization and HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1991
Monitoring WAN optimization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1992


WAN optimization and Web cache storage . . . . . . . . . . . . . . . . . . . . . . 1995

Formatting the hard disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1995
Configuring WAN optimization and Web cache storage . . . . . . . . . . . . . . . 1996
Changing the amount of space allocated for WAN optimization and
Web cache storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1996

WAN optimization peers and authentication groups . . . . . . . . . . . . . . . . . 1997

Basic WAN optimization peer authentication requirements . . . . . . . . . . . . . 1997
Accepting any peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1997
How FortiGate units process tunnel requests for peer authentication . . . . . . . . 1998
Configuring peers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1999
Configuring authentication groups . . . . . . . . . . . . . . . . . . . . . . . . . . 2000
Secure tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2002

Configuring WAN optimization rules . . . . . . . . . . . . . . . . . . . . . . . . . 2003

WAN optimization rules, firewall policies, and UTM protection . . . . . . . . . . . . 2003
WAN optimization transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . 2004
WAN optimization rule list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2004
How list order affects rule matching . . . . . . . . . . . . . . . . . . . . . . . 2006
Moving a rule to a different position in the rule list . . . . . . . . . . . . . . . . 2007
WAN optimization address formats. . . . . . . . . . . . . . . . . . . . . . . . . . 2007
Configuring WAN optimization rules . . . . . . . . . . . . . . . . . . . . . . . . . 2008
Processing non-HTTP sessions accepted by an HTTP rule . . . . . . . . . . . 2010
Processing unknown HTTP sessions . . . . . . . . . . . . . . . . . . . . . . 2011

WAN optimization configuration examples . . . . . . . . . . . . . . . . . . . . . . 2013

Example: Basic peer-to-peer WAN optimization configuration . . . . . . . . . . . . 2013
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . 2013
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 2014
Configuring basic peer-to-peer WAN optimization - web-based manager . . . . . 2014
Configuring basic peer-to-peer WAN optimization - CLI . . . . . . . . . . . . . 2015
Testing and troubleshooting the configuration . . . . . . . . . . . . . . . . . 2017

Example: Active-passive WAN optimization . . . . . . . . . . . . . . . . . . . . . 2019
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . 2019
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 2020
Configuring basic active-passive WAN optimization - web-based manager . . . . 2020
Configuring basic active-passive WAN optimization - CLI . . . . . . . . . . . . 2022
Testing and troubleshooting the configuration . . . . . . . . . . . . . . . . . 2024

Example: Adding secure tunneling to an active-passive WAN optimization
configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2026
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . 2026
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 2026
Configuring WAN optimization with secure tunneling - web-based manager . . . . 2027
Configuring WAN optimization with secure tunneling - CLI . . . . . . . . . . . 2029

Web caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2031

Configuring Web Cache Only WAN optimization . . . . . . . . . . . . . . . . . . . 2032
Exempting web sites from web caching . . . . . . . . . . . . . . . . . . . . . . . 2032
Example: Web Cache Only WAN optimization . . . . . . . . . . . . . . . . . . . . 2033
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . 2033
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 2034
Configuring Web Cache Only WAN optimization - web-based manager . . . . . . . 2034
Configuring Web Cache Only WAN optimization - CLI . . . . . . . . . . . . . . . 2035
Testing and troubleshooting the configuration . . . . . . . . . . . . . . . . . 2036

Configuring active-passive web caching . . . . . . . . . . . . . . . . . . . . . . . 2037
Example: Active-passive Web Caching . . . . . . . . . . . . . . . . . . . . . . . 2037
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . 2038
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 2038
Configuring active-passive web caching - web-based manager . . . . . . . . . . 2038
Configuring active-passive web caching - CLI . . . . . . . . . . . . . . . . . . 2040

Configuring peer-to-peer web caching . . . . . . . . . . . . . . . . . . . . . . . . 2041
Example: Peer-to-peer web caching . . . . . . . . . . . . . . . . . . . . . . . . . 2042
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . 2042
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 2042
Configuring peer-to-peer web caching - web-based manager . . . . . . . . . . . 2042
Configuring peer-to-peer web caching - CLI . . . . . . . . . . . . . . . . . . . 2044

Changing web cache settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2045

Advanced configuration example . . . . . . . . . . . . . . . . . . . . . . . . . . . 2047

Out-of-path WAN optimization with inter-VDOM routing . . . . . . . . . . . . . . . 2047
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . 2047
Configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2048
Client-side configuration steps - web-based manager . . . . . . . . . . . . . . 2049
Server-side configuration steps - web-based manager . . . . . . . . . . . . . . 2056
Client-side configuration steps - CLI . . . . . . . . . . . . . . . . . . . . . . 2059
Server-side configuration steps - CLI . . . . . . . . . . . . . . . . . . . . . . 2066

SSL offloading for WAN optimization and web caching . . . . . . . . . . . . . . . . 2069

Example: SSL offloading for a WAN optimization tunnel . . . . . . . . . . . . . . . 2069
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . 2069
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 2070
Client-side configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . 2071
Server-side configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . 2072

Example: SSL offloading and reverse proxy web caching for an Internet
web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2073
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . 2073
Configuration steps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2074

FortiClient WAN optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2077

Configuring FortiClient WAN optimization . . . . . . . . . . . . . . . . . . . . . . 2077
FortiClient configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . 2077
FortiGate unit configuration steps . . . . . . . . . . . . . . . . . . . . . . . . 2078

The FortiGate explicit web proxy . . . . . . . . . . . . . . . . . . . . . . . . . . 2079

Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2080
Proxy auto-config (PAC) configuration . . . . . . . . . . . . . . . . . . . . . . 2083
Authentication realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2083
Global explicit web proxy options . . . . . . . . . . . . . . . . . . . . . . . . 2084
Explicit web proxy authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 2084
IP Based authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2084
Per session authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2085
UTM features and the explicit web proxy . . . . . . . . . . . . . . . . . . . . . . . 2086
Explicit proxy sessions and protocol options . . . . . . . . . . . . . . . . . . . 2086
Explicit proxy sessions web filtering and FortiGuard web filtering . . . . . . . . 2087
Explicit proxy sessions and antivirus . . . . . . . . . . . . . . . . . . . . . . . 2088
Example: users on an internal network browsing the Internet through the
explicit proxy with web caching, RADIUS authentication, web filtering and
virus scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2088
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 2088
Configuring the explicit web proxy - web-based manager . . . . . . . . . . . . 2089
Configuring the explicit web proxy - CLI . . . . . . . . . . . . . . . . . . . . 2090
Testing and troubleshooting the configuration . . . . . . . . . . . . . . . . . 2092

Explicit web proxy sessions and user limits . . . . . . . . . . . . . . . . . . . . . 2093


FortiGate WCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2097

How WCCP works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2097
Example: WCCP router and client configuration . . . . . . . . . . . . . . . . . . . 2098
WCCP router configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . 2098
Configuring the forward and return methods and adding authentication . . . . . . . 2100
WCCP Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2101
Troubleshooting WCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2101
Real time debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2101
Application debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2101

WAN optimization, web cache and WCCP get and diagnose commands . . . . . . . . . . 2103
get test {wa_cs | wa_dbd | wad | wad_diskd | wccpd} <test_level> . . . . . . . . . . 2103
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2103
diagnose wad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2106
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2106
diagnose wacs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2108
diagnose wadbd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2108
diagnose debug application {wa_cs | wa_dbd | wad | wad_diskd | wccpd}
[<debug_level>] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2108

Chapter 19 Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2109

Configuring load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2111

Load balancing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2111
Configuring load balancing virtual servers . . . . . . . . . . . . . . . . . . . . 2112
Load balancing method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2112
Session persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2113
Real servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2114
Health check monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2115
Monitoring load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2116
Load balancing get command . . . . . . . . . . . . . . . . . . . . . . . . . . . 2116
Load balancing diagnose commands . . . . . . . . . . . . . . . . . . . . . . . . 2117
Real server diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2118

Basic load balancing configuration example . . . . . . . . . . . . . . . . . . . . . 2118
HTTP and HTTPS load balancing, multiplexing, and persistence . . . . . . . . . . 2122
HTTP and HTTPS multiplexing. . . . . . . . . . . . . . . . . . . . . . . . . . 2122
HTTP and HTTPS persistence . . . . . . . . . . . . . . . . . . . . . . . . . . 2123


SSL/TLS load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2124
SSL offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2124
IP, TCP, and UDP load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . 2132

Load balancing configuration examples . . . . . . . . . . . . . . . . . . . . . . . 2133

Example: HTTP load balancing to three real web servers . . . . . . . . . . . . . . 2133
Web-based manager configuration. . . . . . . . . . . . . . . . . . . . . . . . 2133
CLI configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2136
Example: Basic IP load balancing configuration . . . . . . . . . . . . . . . . . . . 2137
Example: Adding a server load balance port forwarding virtual IP . . . . . . . . . . 2138
Example: Weighted load balancing configuration . . . . . . . . . . . . . . . . . . 2139
Web-based manager configuration. . . . . . . . . . . . . . . . . . . . . . . . 2139
CLI configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2141
Example: HTTP and HTTPS persistence configuration . . . . . . . . . . . . . . . 2142
CLI configuration: adding persistence for a specific domain . . . . . . . . . . . 2145

Chapter 20 Hardware Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . 2147

FortiGate hardware accelerated processing . . . . . . . . . . . . . . . . . . . . . 2149

How hardware acceleration alters packet flow . . . . . . . . . . . . . . . . . . . . 2149
Network processors overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2151
Network processor models . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2151
Determining the network processors installed on your FortiGate unit . . . . . . 2152
Content processors overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2152
Determining the content processor in your FortiGate unit . . . . . . . . . . . . 2153
Security processing modules overview . . . . . . . . . . . . . . . . . . . . . . . . 2153
Security processor module models. . . . . . . . . . . . . . . . . . . . . . . . 2153
Displaying information about security processing modules . . . . . . . . . . . 2154
Setting switch-mode mapping on the ADM-XD4 . . . . . . . . . . . . . . . . . 2155
Configuring overall security priorities . . . . . . . . . . . . . . . . . . . . . . . . . 2155
Configuring traffic offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2156
Session fast path requirements . . . . . . . . . . . . . . . . . . . . . . . . . 2156
Packet fast path requirements . . . . . . . . . . . . . . . . . . . . . . . . . 2156
Session offloading in HA active-active configuration . . . . . . . . . . . . . 2157
Configuring traffic shaping offloading . . . . . . . . . . . . . . . . . . . . . 2157
Checking that traffic is offloaded . . . . . . . . . . . . . . . . . . . . . . . 2158
Disabling offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2158
Multicast offloading / acceleration . . . . . . . . . . . . . . . . . . . . . . 2159

Configuring IPsec VPN offloading . . . . . . . . . . . . . . . . . . . . . . . . . . 2160
IPsec offloading requirements . . . . . . . . . . . . . . . . . . . . . . . . . 2160
Configuring HMAC check offloading . . . . . . . . . . . . . . . . . . . . . . . 2161
Configuring VPN encryption/decryption offloading . . . . . . . . . . . . . . . 2161
Examples of ASM-FB4 accelerated VPNs . . . . . . . . . . . . . . . . . . . . . . 2161

Configuring IPS offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2165
Configuring pre-IPS anomaly detection . . . . . . . . . . . . . . . . . . . . . 2165
Configuring policy-based IPS on SP modules . . . . . . . . . . . . . . . . . . 2166
Configuring interface-based IPS on SP modules . . . . . . . . . . . . . . . . 2166

Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2167

Accelerated tunnel mode IPsec . . . . . . . . . . . . . . . . . . . . . . . . . 2168
Accelerated interface mode IPsec . . . . . . . . . . . . . . . . . . . . . . . . 2169

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2171

Introduction
This FortiOS™ Handbook is meant to be the definitive guide to configuring and operating
FortiOS 4.0 MR2. It contains concept and feature descriptions, as well as configuration
examples worked out in detail for the web-based manager and the CLI. This document
also contains operating and troubleshooting information.
This is the first version of this handbook. Our hope is that this initial version, while flawed
and incomplete, still contains enough information to answer most of your questions about
FortiOS. Future versions of this document will include more features, concepts and
examples. If you notice problems with this document or have suggestions for
improvements, you are invited to send an email about them to Fortinet Technical
Documentation at techdoc@fortinet.com.
This introduction describes the following topics:
How this Handbook is organized
Document conventions
Registering your Fortinet product
Fortinet products End User License Agreement
Training
Documentation
Customer service and technical support

How this Handbook is organized
This handbook contains the following chapters:

Chapter 1, What’s New describes the new features in FortiOS 4.0 MR2 and includes
some general upgrading information.

Chapter 2, FortiGate Fundamentals describes FortiOS firewall functionality on all
FortiGate units. It includes the purpose of the firewall, how traffic moves through the
FortiGate unit, the components involved in the firewall and its policies. This chapter
also describes how to configure the basics and some more involved examples.

Chapter 3, System Administration describes a number of administrative tasks to
configure and set up the FortiGate unit for the first time. It also describes the best
practices and sample configuration tips to secure your network and the FortiGate unit
itself.

Chapter 4, Logging and Reporting describes how to begin choosing a log device for
your logging requirements, the types of log files, and how to configure your chosen log
device, including detailed explanations of each type of log message.

Chapter 6, User Authentication defines authentication and describes the FortiOS
options for configuring authentication for FortiOS.

Chapter 7, IPsec VPNs provides a general introduction to IPsec VPN technology,
explains the features available with IPsec VPN and gives guidelines to decide what
features you need to use, and how the FortiGate unit is configured to implement the
features.

Chapter 8, SSL VPNs provides a general introduction to SSL VPN technology, explains
the features available with SSL VPN and gives guidelines to decide what features you
need to use, and how the FortiGate unit is configured to implement the features.

Chapter 9, Dynamic Routing provides detailed information about FortiGate dynamic
routing including common dynamic routing features, troubleshooting, and each of the
protocols including RIP, BGP, and OSPF.

Chapter 10, Advanced System Settings describes advanced static routing, PPTP and
L2TP VPN, VLANs, IPv6, and session helpers.

Chapter 11, Virtual Domains describes FortiGate Virtual Domains (VDOMs) and is
intended for administrators who need guidance on solutions to suit different network
needs and information on basic and advanced configuration of VDOMs. Virtual
Domains (VDOMs) multiply the capabilities of your FortiGate unit by using virtualization
to partition your resources.

Chapter 12, High Availability describes FortiGate HA, the FortiGate Clustering Protocol
(FGCP), and FortiGate standalone TCP session synchronization.

Chapter 13, Endpoint describes how to use the Endpoint features of FortiOS: endpoint
Network Access Control (NAC), endpoint application detection, endpoint monitoring,
and network vulnerability scanning.

Chapter 14, Traffic Shaping describes how to configure FortiOS traffic shaping.

Chapter 15, FortiOS Carrier describes FortiOS Carrier dynamic profiles and groups,
Multimedia messaging service (MMS) protection, and GPRS Tunneling Protocol (GTP)
protection.



Chapter 16, Deploying Wireless Networks describes how to configure wireless
networks with FortiWiFi, FortiGate, and FortiAP units.



Chapter 17, VoIP Solutions: SIP describes FortiOS SIP support.



Chapter 18, WAN Optimization, Web Cache, Explicit Proxy, and WCCP describes how
FortiGate WAN optimization, web caching, and web proxy work and also describes
how to configure these features.



Chapter 19, Load Balancing describes firewall HTTP, HTTPS, SSL or generic
TCP/UDP or IP server load balancing.



78

Chapter 5, UTM Guide describes the Unified Threat Management (UTM) features
available on your FortiGate unit, including antivirus, intrusion prevention system (IPS),
anomaly protection (DoS), one-armed IPS (sniffer policies), web filtering, email
filtering, data leak prevention, (DLP) and application control. The chapter includes
step-by-step instructions showing how to configure each feature. Example scenarios
are included, with suggested configurations.

Chapter 20, Hardware Acceleration describes how to use and configure FortiASIC
network acceleration hardware.

Document conventions
Fortinet technical documentation uses the conventions described below.

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Most of the examples in this document use the following IP addressing. IP addresses are
made up of A.B.C.D:
• A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
• B - 168, or the branch / device / virtual device number.
  - Device or virtual device - allows multiple FortiGate units in this address space
    (VDOMs).
  - Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
  - Devices can be from x01 to x99.
• C - interface - FortiGate units can have up to 40 interfaces, potentially more than one
  on the same subnet.
  - 001 - 099 - physical ports and non-virtual interfaces
  - 100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
• D - usage based addresses; this part is determined by what the device is doing. The
  following gives 16 reserved, 140 users, and 100 servers in the subnet.
  - 001 - 009 - reserved for networking hardware, like routers, gateways, etc.
  - 010 - 099 - DHCP range - users
  - 100 - 109 - FortiGate devices - typically only use 100
  - 110 - 199 - servers in general (see below for details)
  - 200 - 249 - static range - users
  - 250 - 255 - reserved (255 is broadcast, 000 not used)
The D segment servers can be further broken down into:
  - 110 - 119 - Email servers
  - 120 - 129 - Web servers
  - 130 - 139 - Syslog servers
  - 140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc.)
  - 150 - 159 - VoIP / SIP servers / managers
  - 160 - 169 - FortiAnalyzers
  - 170 - 179 - FortiManagers
  - 180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
  - 190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
Fortinet products, non-FortiGate, are found from 160 - 189.

The following table shows some examples of how to choose an IP number for a device
based on the information given. For internal and dmz, it is assumed in this case there is
only one interface being used. The leading zeros in the B octet (10.011.101.100) are only
there to line up the branch and device digits; enter the address without them
(10.11.101.100), because some address parsers treat a zero-prefixed octet as octal.
Table 1: Examples of the IP numbering
Location and device                                 Internal         Dmz              External
Head Office, one FortiGate                          10.011.101.100   10.011.201.100   172.20.120.191
Head Office, second FortiGate                       10.012.101.100   10.012.201.100   172.20.120.192
Branch Office, one FortiGate                        10.021.101.100   10.021.201.100   172.20.120.193
Office 7, one FortiGate with 9 VDOMs                10.079.101.100   10.079.101.100   172.20.120.194
Office 3, one FortiGate, web server                 n/a              10.031.201.110   n/a
Bob in accounting on the corporate user network     10.011.101.200   n/a              n/a
(dhcp) at Head Office, one FortiGate
Router outside the FortiGate                        n/a              n/a              172.20.120.195

Example Network configuration
The network configuration shown in Figure 1 or variations on it is used for many of the
examples in this document. In this example, the 172.20.120.0 network is equivalent to the
Internet. The network consists of a head office and two branch offices.
Figure 1: Example network configuration (diagram not reproduced; its labels are listed
below in the order they appear)
Head office: WLAN: 10.12.101.100, SSID: example.com, Password: supermarine, DHCP range:
10.12.101.200-249; FortiMail-100C Port1: 10.11.101.110; Internal Network;
FortiAnalyzer-100B; Windows PC; FortiWiFi-80CM; 10.11.101.10; INT: 10.11.101.101; Port2:
10.11.101.130; Linux PC 10.11.101.20; FortiGate-82C Port2: 10.11.101.102; Port2:
10.11.101.100; FortiGate-620B Cluster; Port1: 172.20.120.130 (sniffer mode); Port1:
172.20.120.141; Port2 and Port3; Linksys SRW2008; Port8; Old Lab; Port5 (mirror of Port2
and Port3); Port1.
Branch office: WAN1: 172.20.120.122; Internet; FortiGate-51B; Internal: 10.31.101.100;
Windows PC 10.31.101.10; WAN1: 172.20.120.131.
Branch office: FortiGate-111C Switch: 10.21.101.100, Port1: 10.21.101.101; Cluster;
Engineering Network; Port1: 10.21.101.102; FortiGate-5005FA2 Port1: 10.21.101.102;
FortiGate-3810A; FortiGate-5005FA2; Port1: 10.21.101.160; Port4: 10.22.101.100; Port1:
10.21.101.103; FortiSwitch-5003A Port1: 10.21.101.161; FortiGate-5050SM;
FortiManager-3000B; Port1: 10.21.101.104; Linux PC; FortiSwitch-5003A Port1:
10.22.101.161; 10.22.101.0; FortiGate-5050SM Port1: 10.22.101.104; 10.21.101.10.

Cautions, Notes and Tips
Fortinet technical documentation uses the following guidance and styles for cautions,
notes and tips.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.

Note: Presents useful information, but usually focused on an alternative, optional method,
such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 2: Typographical conventions in Fortinet technical documentation
Convention                          Example
Button, menu, text box, field,      From Minimum log level, select Notification.
or check box label
CLI input                           config system dns
                                        set primary <address_ipv4>
                                    end
CLI output                          FGT-602803030703 # get system settings
                                    comments    : (null)
                                    opmode      : nat
Emphasis                            HTTP connections are not secure and can be intercepted
                                    by a third party.
File content                        <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                                    <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink                           Visit the Fortinet Technical Support web site,
                                    https://support.fortinet.com.
Keyboard entry                      Type a name for the remote VPN peer or client, such as
                                    Central_Office_1.
Navigation                          Go to VPN > IPSEC > Auto Key (IKE).
Publication                         For details, see the FortiOS Handbook.

CLI command syntax conventions
This guide uses the following conventions to describe the syntax to use when entering
commands in the Command Line Interface (CLI).
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.
Table 3: Command syntax notation
Square brackets [ ]
  A non-required word or series of words. For example:
    [verbose {1 | 2 | 3}]
  indicates that you may either omit or type both the verbose word and its
  accompanying option, such as:
    verbose 3
Angle brackets < >
  A word constrained by data type. To define acceptable input, the angle brackets
  contain a descriptive name followed by an underscore ( _ ) and a suffix that indicates
  the valid data type. For example:
    <retries_int>
  indicates that you should enter a number of retries, such as 5.
  Data types include:
  • <xxx_name>: A name referring to another part of the configuration, such as policy_A.
  • <xxx_index>: An index number referring to another part of the configuration, such
    as 0 for the first static route.
  • <xxx_pattern>: A regular expression or word with wild cards that matches possible
    variations, such as *@example.com to match all email addresses ending in
    @example.com.
  • <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
  • <xxx_email>: An email address, such as admin@mail.example.com.
  • <xxx_url>: A uniform resource locator (URL) and its associated protocol and host
    name prefix, which together form a uniform resource identifier (URI), such as
    http://www.fortinet.com/.
  • <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
  • <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
  • <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space,
    such as 192.168.1.99 255.255.255.0.
  • <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask
    separated by a slash, such as 192.168.1.99/24.
  • <xxx_ipv6>: A colon ( : )-delimited hexadecimal IPv6 address, such as
    3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
  • <xxx_v6mask>: An IPv6 netmask, such as /96.
  • <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
  • <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd.
    Strings containing spaces or special characters must be surrounded in quotes or use
    escape sequences.
  • <xxx_int>: An integer number that is not another data type, such as 15 for the
    number of minutes.
Curly braces { }
  A word or series of words that is constrained to a set of options delimited by either
  vertical bars or spaces. You must enter at least one of the options, unless the set of
  options is surrounded by square brackets [ ].
  Options delimited by vertical bars |: mutually exclusive options. For example:
    {enable | disable}
  indicates that you must enter either enable or disable, but must not enter both.
  Options delimited by spaces: non-mutually exclusive options. For example:
    {http https ping snmp ssh telnet}
  indicates that you may enter all or a subset of those options, in any order, in a
  space-delimited list, such as:
    ping https ssh
  Note: To change the options, you must re-type the entire list. For example, to add
  snmp to the previous example, you would type:
    ping https snmp ssh
  If the option adds to or subtracts from the existing list of options, instead of
  replacing it, or if the list is comma-delimited, the exception will be noted.
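The notation in Table 3 is precise enough to check commands against before they are pasted into a unit, which matters most for the space-delimited sets: because re-typing the list replaces it rather than appending to it, an administrative-access list is where http or telnet gets re-enabled by a typo. The following is an added example, not code from the handbook or from Fortinet: a small Python matcher for the notation as the table defines it. The function names (parse, matches) and the per-suffix validators are my own; the patterns used in the test are the table's own examples.

```python
"""Checker for the CLI syntax notation of Table 3 (added example, not Fortinet code).

Pattern grammar, exactly as the table defines it:
  [ ... ]        optional word or series of words
  {a | b}        exactly one of the alternatives
  {a b c}        one or more of the words, any order, no repeats
  <name_type>    one word (two for _ipv4mask) constrained by the suffix
"""
import re
import shlex
from typing import FrozenSet, List, Set, Tuple

Node = Tuple  # ("lit", w) | ("type", suffix) | ("opt", seq) | ("oneof", alts) | ("anyof", words)

_TOKEN_RE = re.compile(r"[\[\]{}|]|<[^>]+>|[^\s\[\]{}|<>]+")
_OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4_RE = re.compile(_OCTET + r"(\." + _OCTET + r"){3}")


def _is_ipv4(word: str) -> bool:
    return _IPV4_RE.fullmatch(word) is not None


def _is_cidr(word: str) -> bool:
    addr, sep, bits = word.partition("/")
    return sep == "/" and _is_ipv4(addr) and bits.isdigit() and int(bits) <= 32


# type suffix -> (CLI words consumed, predicate over those words)
_TYPES = {
    "int": (1, lambda w: w[0].isdigit()),
    "ipv4": (1, lambda w: _is_ipv4(w[0])),
    "v4mask": (1, lambda w: _is_ipv4(w[0])),
    "ipv4mask": (2, lambda w: _is_ipv4(w[0]) and _is_ipv4(w[1])),
    "ipv4/mask": (1, lambda w: _is_cidr(w[0])),
    "fqdn": (1, lambda w: re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", w[0]) is not None),
    "email": (1, lambda w: re.fullmatch(r"[^@\s]+@[A-Za-z0-9.-]+", w[0]) is not None),
    "name": (1, lambda w: re.fullmatch(r"[A-Za-z0-9_.-]+", w[0]) is not None),
    "str": (1, lambda w: True),  # any one word; shlex keeps a quoted phrase as one word
}


def _parse_seq(toks: List[str], i: int, closers: FrozenSet[str]) -> Tuple[List[Node], int]:
    """Parse nodes until a closer; return (nodes, index of that closer or len(toks))."""
    nodes: List[Node] = []
    while i < len(toks) and toks[i] not in closers:
        t = toks[i]
        if t == "[":
            inner, i = _parse_seq(toks, i + 1, frozenset("]"))
            nodes.append(("opt", inner))
        elif t == "{":
            alts = []
            inner, i = _parse_seq(toks, i + 1, frozenset("|}"))
            alts.append(inner)
            while toks[i] == "|":
                inner, i = _parse_seq(toks, i + 1, frozenset("|}"))
                alts.append(inner)
            if len(alts) > 1:  # vertical bars: mutually exclusive
                nodes.append(("oneof", alts))
            else:              # spaces only: any non-empty subset of plain words
                if any(n[0] != "lit" for n in inner):
                    raise ValueError("a space-delimited set must contain plain words")
                nodes.append(("anyof", [n[1] for n in inner]))
        elif t in ("]", "}", "|"):
            raise ValueError(f"unexpected {t!r} in pattern")
        elif t.startswith("<"):
            nodes.append(("type", t[1:-1].rsplit("_", 1)[-1]))
        else:
            nodes.append(("lit", t))
        i += 1
    if closers and i >= len(toks):
        raise ValueError("unbalanced brackets in pattern")
    return nodes, i


def parse(pattern: str) -> List[Node]:
    return _parse_seq(_TOKEN_RE.findall(pattern), 0, frozenset())[0]


def _match(nodes: List[Node], args: List[str], i: int) -> Set[int]:
    """Every position in args reachable after matching nodes in order, starting at i."""
    ends = {i}
    for node in nodes:
        ends = set().union(*(_match_node(node, args, p) for p in ends))
        if not ends:
            break
    return ends


def _match_node(node: Node, args: List[str], i: int) -> Set[int]:
    kind = node[0]
    if kind == "lit":
        return {i + 1} if i < len(args) and args[i] == node[1] else set()
    if kind == "type":
        n, ok = _TYPES.get(node[1], _TYPES["str"])  # unknown suffix: free-form word
        return {i + n} if i + n <= len(args) and ok(args[i:i + n]) else set()
    if kind == "opt":
        return {i} | _match(node[1], args, i)
    if kind == "oneof":
        return set().union(*(_match(alt, args, i) for alt in node[1]))
    # "anyof": consume one or more distinct words from the set, in any order
    words, seen, out, p = set(node[1]), set(), set(), i
    while p < len(args) and args[p] in words and args[p] not in seen:
        seen.add(args[p])
        p += 1
        out.add(p)
    return out


def matches(pattern: str, command: str) -> bool:
    """True if command is a complete, valid instance of pattern."""
    args = shlex.split(command)
    return len(args) in _match(parse(pattern), args, 0)
```

The matcher rejects a repeated word in a space-delimited set and an empty one, which is the table's "at least one" rule, but it cannot tell you that a word you left out of the re-typed list has just been removed; that check has to be a diff against the running configuration.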

Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently
Asked Questions.

Fortinet products End User License Agreement
See the Fortinet products End User License Agreement.

Training
Fortinet Training Services provides courses that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.
Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such
as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and
more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this or any Fortinet technical
document to techdoc@fortinet.com.

Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet
products install quickly, configure easily, and operate reliably in your network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Base article FortiGate
Troubleshooting Guide - Technical Support Requirements.

Chapter 1 What’s New
This section explains general upgrading issues for both FortiOS and FortiOS Carrier that
may affect your configuration. This section also includes a top ten features topic that
describes the ten most interesting features in FortiOS 4.0 MR2. For more information about
upgrading to FortiOS 4.0 MR2, see “Upgrading to FortiOS 4.0 MR2” on page 93.
This section contains the following topics:
• Top ten features
• Upgrading issues for FortiOS 4.0 MR2
• Upgrading issues for FortiOS Carrier

Top ten features
In FortiOS 4.0 MR2, there are many interesting new features, as well as changes to
existing features. The following list contains the top ten most interesting features:
• Limiting the number of concurrent explicit proxy users
• Flow-based antivirus database and Extreme antivirus database
• Report enhancements and Log viewing enhancement
• sFlow client support
• Monitoring application control traffic
• FortiGuard Web Filtering quotas
• Network Vulnerability Scan
• FSAE support Polling Domain Controllers (PDC)
• SSL proxy exemption by FortiGuard Web Filter category
• The redesigned web-based manager

Upgrading issues for FortiOS 4.0 MR2
When you are ready to upgrade to FortiOS 4.0 MR2, it is important to understand what
configuration settings may not carry forward during the upgrade process. This topic
explains what issues may occur during the upgrade process from FortiOS 4.0 MR1 to
FortiOS 4.0 MR2.
Fortinet recommends always backing up your current configuration before installing a new
firmware image, such as FortiOS 4.0 MR2, so that you always have a current version of
your configuration settings in the event those configuration settings do not carry forward.

Endpoint (previously Endpoint NAC)
The endpoint NAC feature is not working properly in FortiOS 4.0 MR2 GA. If you have
configured endpoint NAC settings previously in FortiOS 4.0 MR1 or earlier, you should
upgrade to FortiOS 4.0 MR2 Patch Release 1. This patch release resolves the issues.

Topology viewer
The Topology viewer is not supported in FortiOS 4.0 MR2 and, therefore, the settings that
you configured for this feature are not carried forward.

Customizing the GUI
Previously, you could assign to an administrator the read and write privileges of
customizing the web-based manager. However, in this release, this feature is no longer
supported and the customized settings configured previously are not carried forward.

Basic traffic reports (system memory only)
Previously, if you enabled memory logging on your FortiGate unit, you could view basic
traffic reports from Log & Report > Report Access > Memory. In FortiOS 4.0 MR2, this
feature is not supported.

PPTP VPNs
PPTP VPN configuration was previously available in both the web-based manager and
the CLI; however, now PPTP VPNs are configured only in the CLI. The following
commands are used when configuring PPTP VPNs:
config vpn pptp
    set status {enable | disable}
    set ip-mode {range | usrgrp}
    set sip <start_ip_address>
    set eip <end_ip_address>
    set usrgrp <user_group>
end

VoIP settings
When you upgrade to FortiOS 4.0 MR2, VoIP settings that were implemented in the
following scenario are not moved to the DLP archive feature:
• A FortiOS 4.0 Patch Release 4 configuration has two protection profiles, PP1 and PP2.
• PP1 contains a DLP sensor (DLP1) and application control list (APP1); APP1
archives SIP messages.
• PP2 contains a DLP sensor (DLP1) and application control list (APP2); APP2
has content-summary enabled for SIMPLE.

NNTP DLP archive
NNTP log archives are not carried forward when upgrading to FortiOS 4.0 MR2.

Email filter banned word setting
The set spam-bword-table x setting under config firewall profile is not
carried forward after upgrading from FortiOS 4.0 Patch Release 4 to FortiOS 4.0 MR2.

HTTPS invalid certificate setting
The HTTPS allow-invalid-server-cert setting under config firewall
profile is not carried forward when upgrading from FortiOS 4.0 Patch Release 4 to
FortiOS 4.0 MR2.

HTTPS AV scanning
In FortiOS 4.0 MR2, if the FortiGate unit is configured to perform deep inspection of
HTTPS through the explicit web proxy, it does not work properly. There is currently no
workaround.

Upgrading issues for FortiOS Carrier
When you are ready to upgrade to FortiOS Carrier 4.0 MR2, it is important to understand
what configuration settings may not carry forward during the upgrade process. This topic
explains what issues may occur during the upgrade process from FortiOS Carrier 4.0 MR1
to FortiOS Carrier 4.0 MR2.
Fortinet recommends always backing up your current configuration before installing a new
firmware image, such as FortiOS Carrier 4.0 MR2, so that you always have a current
version of your configuration settings in the event those configuration settings do not carry
forward.
The following are issues that occur when upgrading to FortiOS Carrier 4.0 MR2:
• The source IP address and MSISDN number are mismatched in the traffic log packet
that is sent to FortiAnalyzer.
• MMS traffic may cause scanunitd to crash.
• MMS remove blocked feature does not work for MM3 and MM4 single part messages.
• Profile-group name is missing in the event log.
• When the file type is set to allow for MMS file transfers, no log entry is added to the log
file.

Upgrading to FortiOS 4.0 MR2
This section explains how to properly upgrade the current firmware running on your
FortiGate unit to FortiOS 4.0 MR2.
The following topics are included in this section:
• Upgrading from earlier firmware to FortiOS 4.0 MR2
• Upgrading to FortiOS 4.0 MR2

Upgrading from earlier firmware to FortiOS 4.0 MR2
Before upgrading to FortiOS 4.0 MR2, you need to know if you can directly upgrade to
FortiOS 4.0 MR2 from the current firmware that is running on your FortiGate unit. Directly
upgrading from one firmware image to another is not always supported, so you must find
out if you need to first upgrade to a patch release and then upgrade to the new firmware
image.
The following describes how to upgrade from FortiOS 3.0 MR7, 4.0 and 4.0 MR1, because
a direct upgrade from these earlier firmware images is not always supported.
The following is included:
• Upgrading from FortiOS 3.0 MR7 to 4.0 MR2
• Upgrading from FortiOS 4.0
• Upgrading from FortiOS 4.0 MR1

Upgrading from FortiOS 3.0 MR7 to 4.0 MR2
If you are upgrading from FortiOS 3.0 MR7 Patch Release 9 to 4.0 MR2, this direct
upgrade will not be successful. Fortinet recommends the following when upgrading from
FortiOS 3.0 MR7 Patch Release 9:
1 FortiOS 3.0 MR7 Patch Release 9 (or later)
2 FortiOS 4.0.4 build-0113 (or later)
3 FortiOS 4.0 MR2 GA
After upgrading, verify that the build number and branch point match the firmware image.

Upgrading from FortiOS 4.0
FortiOS 4.0 MR2 supports upgrading from FortiOS 4.0 Patch Release 4 or later. If you
currently have an earlier version of FortiOS 4.0, you need to upgrade to FortiOS 4.0 Patch
Release 4 before you can upgrade to FortiOS 4.0 MR2.
Fortinet recommends the following when upgrading from FortiOS 4.0 Patch Release 4
(build-0113):
1 FortiOS 4.0.4 build-0113 (or later)
2 FortiOS 4.0 MR2 build-0272 GA
After upgrading, verify that the build number and branch point match the firmware image.
The following are upgrading issues specific to upgrading from FortiOS 4.0 Patch Release
4 or later.

Network Interface Configuration
If a network interface has ips-sniffer-mode option set to enable, and that interface is
being used by a firewall policy, then after upgrading from FortiOS 4.0 (as well as later
patch releases), the setting is changed to disable.

Web Filter banned word and exempt word list
FortiOS 4.0 MR1 merged the web filter banned and exempt word lists into one list under
config webfilter content. In FortiOS 4.0 MR2, only the banned word list is carried
forward.
When you are ready to upgrade to FortiOS 4.0 MR2, back up the configuration, parse the
web filter exempt list entries out of the backup, and then upgrade. After the upgrade
process is finished, merge the parsed web filter exempt list entries back into the web filter
content list, giving each exempt word the action exempt and each banned word the action
block. The following is an example.
config webfilter content
    edit 1
        set name BannedWordList
        config entries
            edit "goodword1"
                set action exempt
                set status enable
            next
            edit "goodword2"
                set action exempt
                set status enable
            next
            edit "badword1"
                set action block
                set status enable
            next
        end
    next
end

Upgrading from FortiOS 4.0 MR1
FortiOS 4.0 MR2 supports upgrading from FortiOS 4.0 MR1 Patch Release 4 or later. If
you currently have an earlier FortiOS 4.0 MR1 patch release, you need to upgrade to
FortiOS 4.0 MR1 Patch Release 4 before you can upgrade to FortiOS 4.0 MR2.
Fortinet recommends the following when upgrading from FortiOS 4.0 MR1 Patch Release
4 (build-0196):
1 FortiOS 4.0 MR1 Patch Release 4 build-0196 (or later)
2 FortiOS 4.0 MR2 build-0272 GA
After upgrading, verify that the build number and branch point match the firmware image.
The following are upgrading issues specific to upgrading from FortiOS 4.0 MR1 Patch
Release 4 or later:
• If you enabled the alert email setting local-disk-usage-warning in
config alertemail setting, it is reset to disable after the upgrade.
• If you have configured a DLP rule with the subprotocol setting set to sip simple sccp,
it is not carried forward.
• If you configured settings in config system autoupdate schedule, these
settings are reset to default values after upgrading to FortiOS 4.0 MR2.

Upgrading to FortiOS 4.0 MR2
When you are ready to update your firmware, for either FortiOS or FortiOS Carrier, you
must install the new firmware using the following general procedure. This general
procedure applies to patch releases as well.
General procedure for upgrading current firmware:
1 Download the new firmware and verify the image's checksum against the value
published with the download.
2 Back up your existing configuration file.
3 Install the firmware during a low-traffic time period (for example, at night).
4 Clear your browser’s cache after the installation process is finished.
The following procedures do not include how to test a firmware image before installing it
onto the FortiGate unit.
Note: The following procedures for backing up configuration and installing new firmware
can also be used when upgrading your FortiOS Carrier firmware.

The following are included:
• Backing up your configuration
• Installing FortiOS 4.0 MR2
• Verifying the upgrade

Backing up your configuration
Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.

You can back up configuration settings to a local PC, a FortiManager unit, a FortiGuard
Management server (if you have the FortiGuard Analysis and Management Service
enabled), or a USB key.
Fortinet recommends backing up all configuration settings from your FortiGate unit before
upgrading to FortiOS 4.0 MR2. This ensures all configuration settings are still available if
you need to downgrade to FortiOS 4.0 MR1 (or lower) and want to restore those
configuration settings. Treat the backup file as sensitive wherever you store it: it contains
the complete configuration, including administrator accounts and VPN credentials.
To back up your configuration file - web-based manager
1 Go to System > Dashboard > Status.
2 In the System Information widget, select Backup in the System Configuration line.
You are automatically redirected to the Backup page.
3 Select the location where the configuration file will be stored.
4 To encrypt the configuration file, which is required for the backup to include your VPN
certificates, select the Encrypt configuration file check box, enter a password, and then
enter it again to confirm.
5 Select Backup.
6 Save the file.
To back up your configuration to the USB key - web-based manager
1 Go to System > Dashboard > Status.
2 In the System Information widget, select Backup in the System Configuration line.
You are automatically redirected to the Backup page.
3 Select USB Disk.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file check box, enter a password, and then enter it again to
confirm.
4 Select Backup.
5 Save the file.
To back up your configuration file - CLI
1 Enter the following to back up the configuration file to a USB key:
execute backup config usb <backup_filename> <encrypt_passwd>
2 Enter the following to back up the configuration file to a TFTP or FTP server:
execute backup config {tftp | ftp} <backup_filename>
<tftp_server_ipaddress | ftp_server[:ftp_port]> <ftp_username> <ftp_passwd>
<encrypt_passwd>
TFTP and FTP carry the file, and the FTP credentials, in cleartext, so use them only over
a trusted management network and always supply <encrypt_passwd>.
3 Enter the following to back up the configuration to a FortiGuard Management server:
execute backup config management-station <comment>
To back up the entire configuration file - CLI
Enter the following to back up the entire configuration file:
execute backup full-config {tftp | ftp | usb} <backup_filename>
<tftp_server_ipaddress | ftp_server[:ftp_port]> <ftp_username> <ftp_passwd>
<encrypt_passwd>

Installing FortiOS 4.0 MR2
Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.

You should verify that you can directly install and upgrade from your current firmware
image to the FortiOS 4.0 MR2 using the FortiOS Release Notes. If you want to test the
firmware before installing it, see the FortiGate Administration Guide for more information.
The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade
procedure reverts all current firewall configurations to factory default settings. This
provides a clean base for the new firmware image.
For additional information about upgrading firmware in the CLI, see the Fortinet
Knowledge Base article, Loading FortiGate firmware image using TFTP.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
To upgrade to FortiOS 4.0 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.

FortiOS 4.0 MR2 What’s New
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image.out 192.168.1.168
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:
get system status
9 To update antivirus and attack definitions from the CLI, enter the following:
execute update-now
If you want to update antivirus and attack definitions from the web-based manager
instead, log in to the web-based manager and go to System > Maintenance >
FortiGuard.

Verifying the upgrade
After logging back in to the web-based manager, most of your FortiOS 4.0 MR1
configuration settings have been carried forward. For example, if you go to System >
Network > Options you can see your DNS settings carried forward from your FortiOS
4.0 MR1 configuration settings.
You should verify what configuration settings carried forward. You should also verify that
administrative access settings carried forward as well. Verifying your configuration
settings allows you to familiarize yourself with the new features and changes in FortiOS
4.0 MR2.
You can verify your configuration settings by:
• going through each menu and tab in the web-based manager
• using the show shell command in the CLI.

Web-based manager
This section explains general information about what is new or changed for the web-based
manager in FortiOS 4.0 MR2.
The following topics are included in this section:
• The redesigned web-based manager
• Widgets
• FSAE enhancements
• Dynamic proxy allocation

The redesigned web-based manager
The web-based manager has been redesigned for FortiOS 4.0 MR2. This new design
includes a fresh new look and new navigation while maintaining the same functionality and
familiar structure of FortiOS. Configuration of many features stays the same, unless
changes to existing features have occurred in FortiOS 4.0 MR2.
When logging into the web-based manager, you will notice the new design also includes
the log-in screen, which is shown in Figure 1.
Figure 2: New web-based manager login

Navigating in the web-based manager
After logging in to the web-based manager, you will notice that even though the main
menus are still located in the left-hand column, how you access the menus and submenus (previously these were tabs) is quite different.
When you select a menu, for example System, all menus below System move down, and
then the sub-menus for System appear. You can then access the tabs by selecting the
plus sign (+) beside the name of the sub-menu that you want to access. This path location
is still the same as before, for example System > Network > Interface, but how you access
that tab is different.

Modifying settings within a feature
Within the menus, there is a column that contains check boxes for each row and this
column is referred to as the check box column. When you select a check box within that
column, the row is immediately highlighted and certain icons, such as the Edit icon, at the
top of the page are accessible. If you select the check box in the column name area, all
check boxes within that column are selected. These check boxes are for highlighting a row
within a list on a page, which you then decide to remove, modify, or other available options
such as moving an item in the list above another item.
Figure 3: Modifying settings within the VDOM list in System > VDOM > VDOM (callouts: the
check box column; a selected check box for modifying settings, which highlights the entire row)

Use the following procedure whenever you need to make modifications to any feature’s
settings. This procedure assumes that you are already at the location where you need to
make modifications in, such as in Figure 2.
To access icons for modifications to items within a list
1 In the Check box column, within the row of the setting you want to change, select the
check box to highlight the row.
The grayed icons are now accessible, similar to that in Figure 2. On some pages, all
icons may not be accessible when you highlight the row.
2 With the icon or icons now accessible, select the icon that you want to use to make
modifications with (such as the Edit icon).
Tip: You can edit a row by simply double-clicking your mouse in that row. You are
automatically redirected to the page where you can modify the settings of that item. This
applies only to editing an item.

After the modifications are made, and you are back to the list on the page, the check box
is unselected and the row unhighlighted.

Switching VDOMs in the web-based manager
When VDOMs are enabled in the web-based manager, you may need to switch from
VDOM to VDOM. In this new re-design, how you switch between VDOMs is very simple
and easy. After VDOMs are enabled, a new menu appears at the bottom of the left
column, called Current VDOM. Beside the menu is a drop-down list where you select the
VDOM you want, and are then redirected to that VDOM. You can verify that you have
switched to a specific VDOM by viewing which main menus appear, and by the name that
appears in the Current VDOM’s drop-down list.
The Current VDOM main menu appears only when VDOMs are enabled. Creation and
configuring of VDOMs still remains the same and in System > VDOM > VDOM.

Adding dashboards
You can add multiple dashboards within the Dashboard menu. The dashboards are added
as menus within the Dashboard menu. For example, branchoffice is added below Usage,
within the Dashboard menu (System > Dashboard > branchoffice).
You must add the first dashboard from within the Status page. The dashboards that you
add to the Dashboard menu appear below the first two menus, Status and Usage. You can
add any type of widget that you want, to the dashboard that you created.
To add a dashboard to the dashboard menu
1 Go to Dashboard & gt; Status.
2 Select the Dashboard icon.
A drop-down list appears with the following options:
Add Dashboard: Add a new dashboard to the Dashboard menu.
Rename Dashboard: Rename the current dashboard. You can rename the existing default
menus Status and Usage.
Delete Dashboard: Removes the current dashboard that you are viewing from the Dashboard
menu.
Reset Dashboards: Resets the entire Dashboard menu back to its default settings.
3 Select Add Dashboard.
4 Enter a name for the dashboard in the Name field in the Add Dashboard window.
5 Select OK.
You are automatically redirected to the new dashboard. You can start adding widgets to
the dashboard.

Widgets
The existing IM/P2P/VoIP widgets from UTM > Application Control > Statistics are now
available as widgets and can be customized.
These dashboard widgets are customized using either the web-based manager or CLI;
however, Fortinet encourages administrators to customize dashboard widgets within the
web-based manager, because you can see the customized settings immediately after
applying them.
This topic contains the following:
• Per-IP Bandwidth Usage
• P2P Usage
• IM Usage
• VoIP Usage
• Storage
• Alert Message Console enhancement

Per-IP Bandwidth Usage
The Per-IP Bandwidth Usage widget provides per-IP address session data. This data,
which displays each IP address that initiated the traffic, and its current bandwidth
consumption (in kbps), appears as a default widget in System > Dashboard > Usage. The
widget, similar to the top session widget, allows you to change the refresh interval, display
the user name instead of the IP address, and choose whether the information displays as a
chart or a table.
The following procedure assumes that the Per-IP Bandwidth Usage widget has already
been added to the dashboard of your choice, and that you are already on that dashboard’s
page.
To customize the per-IP bandwidth traffic shaping widget
1 Select the Edit icon in the title bar area.
The Custom Per-IP Bandwidth Usage Display window appears.
2 Modify the following to customize the widget:
• To rename the widget, enter the new name in the Custom Widget Name field.
• To display host names by a recognizable name instead of IP addresses, select the
check box beside Resolve Host Name.
• To change the display from chart to table, select Table in the Display Format row.
• To show top entries, select a number from the drop-down list in Top Entries to Show;
you can display up to the top 20 entries.
• To refresh the information at a set interval, enter a number (10-240) in seconds in
the Refresh Interval field.
3 Select OK.

P2P Usage
The P2P Usage widget displays the total bytes and total bandwidth for each supported
P2P client. These clients are WinNY, BitTorrent, eDonkey, Gnutella, and
KaZaa. The P2P Usage widget can be displayed on either the Status or Usage page. You
can add it to either page by selecting +Widget, which is located at the bottom of the page.
Widgets can be customized to suit your needs; however, the P2P Usage widget can only
be renamed.
To change the name, select the Edit icon in the title bar area and then enter a new name in
the Custom Widget Name field. Select OK to save the change.
Note: The information displayed in this widget comes from the new application control
monitoring feature. You must enable this feature within the application control so that the
information is displayed in the widget.

IM Usage
The IM Usage widget provides detailed information about instant messaging client activity
that is occurring on your network. In the IM Usage widget, you can view information
regarding users, chats, messages, file transfers between clients, and any voice chats that
occurred as well. IM Usage provides this detailed information for IM, Yahoo!, AIM, and
ICQ.
Widgets can be customized to suit your needs; however, the IM Usage widget can only
be renamed.

To change the name, select the Edit icon in the title bar area and then enter a new name in
the Custom Widget Name field. Select OK to save the change.

VoIP Usage
The VoIP Usage widget displays information about VoIP calls that use the SIP and SCCP
protocols. You can view the number of calls that were dropped, failed or went
unanswered. You can easily and quickly view how many calls succeeded in getting
through, and how many calls there were in total from when you last cleared the
information in the widget.
Widgets can be customized to suit your needs; however, the VoIP Usage widget can only
be renamed.
To change the name, select the Edit icon in the title bar area and then enter a new name in
the Custom Widget Name field. Select OK to save the change.

Storage
The Storage widget provides detailed information about the amount of space available and
used on your local hard disk. This widget also shows the interface that is primarily using
the space as well as the total capacity (in GB) of the local disk.
Widgets can be customized to suit your needs; however, the Storage widget can only be
renamed.
To change the name, select the Edit icon in the title bar area and then enter a new name in
the Custom Widget Name field. Select OK to save the change.

Alert Message Console enhancement
You can now configure a separate Alert Message Console widget that displays only
FortiGuard alert information that is received from the FortiGuard Center. The Alert
Message Console is available by default from System > Dashboard > Status. You can
rename the newly created Alert Message Console widget and select the option FortiGuard
security alerts so that alerts are received and displayed in the widget.
The following procedure assumes that you have already added the Alert Message
Console to a dashboard of your choice, and that you are already on that dashboard’s
page.
To configure FortiGuard alert information and the widget
1 Select the Edit icon in the title bar area.
The Custom Alert Display window appears.
2 Enter the name, FortiGuard alerts, in the Custom Widget Name field.
By entering this name, you can easily distinguish it from the Alert Message Console
widget.
3 Select the check box beside FortiGuard security alerts.
4 To display a specific number of alerts in the widget, select a number from the dropdown list beside Number of alerts to display on the dashboard.
5 Select OK.
The following CLI command syntax supports this new option for the Alert Message
Console widget:
config system global
set fgd-alert-subscription [advisory | latest-threat | latest-virus | latest-attack | new-virus-db | new-attack-db]
set advisory {enable | disable}
set latest-threat {enable | disable}
set latest-virus {enable | disable}
set latest-attack {enable | disable}
set new-virus-db {enable | disable}
set new-attack-db {enable | disable}
end


FSAE enhancements
The Fortinet Server Authentication Extension (FSAE) has two enhancements, support for
polling domain controllers and DC agent distribution. FSAE provides authentication
information to the FortiGate unit so that users automatically gain access to permitted
resources on a Microsoft Windows or Novell network without having to input login
information twice.
You can now install FSAE on a separate Windows server where it will poll the Domain
Controller (DC) periodically for log on and log off events. These events will then be sent
directly to the FortiGate unit.
The FSAE DC agent distribution feature provides a way to automate software distribution
on the FSAE DC agent itself. An MSI file is created which is then installed on the DC
agent. A simple GUI program is created to configure the DC agent setting. The installation
then installs a file (dcagent.dll) and the simple configuration utility to the Windows server.

Dynamic proxy allocation
FortiOS 4.0 MR2 allocates resources dynamically for the virus scanning, web filtering,
email filtering, and DLP UTM processing. The result is more efficient use of FortiGate
memory, CPU and FortiASIC resources.
On FortiGate models with more than one CPU you can use the following CLI commands
to change the number of proxy workers and scan units. These commands are for
advanced users only.
config system global
set proxy-worker-count <integer>
set scanunit-count <integer>
end

CLI
This section explains specific CLI commands for FortiOS 4.0 MR2. This section does not
include all CLI commands that were changed or new ones added. For more information
about what CLI commands are new and what commands changed, see the FortiGate CLI
Reference.
The following topics are included in this section:
• grep
• IS-IS routing support
• Trouble-shooting command updates

grep
The grep command allows users to search the CLI using the show, get and diag
commands. A grep command is a type of command line text search utility that searches
files or standard input globally for lines that match a given regular expression. The grep
command is based on the standard UNIX grep command.
The grep command supports:
• ignore case distinctions
• print line number with output line
• select non-matching lines
• only print count of matching lines
• print NUM lines of trailing context
• print NUM lines of leading context
• print NUM lines of output context

The grep command is used in the following way:
show <config_command> <subcommand> | grep regex_expression
diag <config_command> <subcommand> | grep regex_expression
get <config_command> <subcommand> | grep regex_expression

Example
The following is an example of how to use the grep command to display all TCP sessions
in the session list, including the session list line number.
get system session list | grep -n tcp
2:tcp    47     172.16.120.110:1132 -    10.10.20.5:80 -
3:tcp    3355   172.16.120.110:1156 -    10.10.20.5:80 -
4:tcp    3352   172.16.120.110:1157 -    10.10.20.5:80 -
5:tcp    3354   172.16.120.110:1155 -    10.10.20.5:80 -
11:tcp   3599   172.16.120.110:115 -     192.168.110.220 -

IS-IS routing support
FortiOS 4.0 MR2 includes support for the Intermediate system to intermediate system
(IS-IS) routing protocol. IS-IS is described in RFC 1142. You can enable and configure
IS-IS on your FortiGate unit if this routing protocol is in use on your network. You configure
IS-IS and view information about IS-IS from the CLI using the following
commands:
Note: For each routing protocol, you can also use a redistribute command to
redistribute IS-IS routes with the other protocol. For example, to redistribute IS-IS routes
over OSPF enter:
config router ospf
  config redistribute isis
    set status enable
  end
end

IS-IS CLI commands
config router isis
  set adjacency-check {disable | enable}
  set auth-mode-l1 {md5 | password}
  set auth-mode-l2 {md5 | password}
  set auth-password-l1 <password>
  set auth-password-l2 <password>
  set auth-sendonly-l1 {disable | enable}
  set auth-sendonly-l2 {disable | enable}
  set default-originate {disable | enable}
  set dynamic-hostname {disable | enable}
  set ignore-lsp-errors {disable | enable}
  set is-type {level-1 | level-1-2 | level-2-only}
  set lsp-gen-interval-l1 <interval_int>
  set lsp-gen-interval-l2 <interval_int>
  set lsp-refresh-interval <interval_int>
  set max-lsp-lifetime <lifetime_int>
  set metric-style {narrow | narrow-transition | narrow-transition-l1 |
    narrow-transition-l2 | transition | transition-l1 | transition-l2 |
    wide | wide-l1 | wide-l2 | wide-transition | wide-transition-l1 |
    wide-transition-l2}
  set overload-bit {disable | enable}
  set overload-bit-on-startup <5-864000_seconds>
  set overload-bit-suppress {external | interlevel}
  set redistribute-l1 {disable | enable}
  set redistribute-l1-list <access_list_str>
  set redistribute-l2 {disable | enable}
  set redistribute-l2-list <access_list_str>
  set spf-interval-exp-l1 <min_delay_int>
  set spf-interval-exp-l2 <min_delay_int> <max_delay_int>
  config isis-interface
    edit <interface_str>
      set auth-mode-l1 {md5 | password}
      set auth-mode-l2 {md5 | password}
      set auth-password-l1 <password>
      set auth-password-l2 <password>
      set auth-send-only-l1 {disable | enable}
      set auth-send-only-l2 {disable | enable}
      set circuit-type {level-1 | level-1-2 | level2-only}
      set csnp-interval-l1 <interval_int>
      set csnp-interval-l2 <interval_int>
      set hello-interval-l1 <interval_int>
      set hello-interval-l2 <interval_int>
      set hello-multiplier-l1 <multiplier_int>
      set hello-multiplier-l2 <multiplier_int>
      set hello-padding {disable | enable}
      set lsp-interval <interval_int>
      set lsp-retransmit-interval <interval_int>
      set mesh-group {disable | enable}
      set mesh-group-id <id_int>
      set metric-l1 <metric_int>
      set metric-l2 <metric_int>
      set network-type {broadcast | point-to-point}
      set priority-l1 <priority_int>
      set priority-l2 <priority_int>
      set status {disable | enable}
      set wide-metric-l1 <metric_int>
      set wide-metric-l2 <metric_int>
  config isis-net
    edit <id>
      set net <user_defined>
  config redistribute {bgp | connected | ospf | rip | static}
    set status {disable | enable}
    set metric <metric_int>
    set metric-type {external | internal}
    set level {level-1 | level-1-2 | level-2}
    set routemap <routemap_name>
  config summary-address
    edit <id>
      set level {level-1 | level-1-2 | level-2}
      set prefix <prefix_ipv4> <prefix_mask>
  end
end

Trouble-shooting command updates
In FortiOS 4.0 MR2, there are new get commands that provide trouble-shooting
information. These new get commands are similar to previous diag commands, because
of the information they can retrieve.
Here are the get commands that you can use for trouble-shooting:
get system auto-update status
    Retrieves update status information for scheduled updates, push update, virus
    definitions, IPS definitions, server override, push address override, and web proxy
    tunneling. The information also indicates whether FDN is available.
get system auto-update version
    Retrieves information about updates for FortiGuard services, such as antivirus.
get system startup-error-log
    Retrieves any errors that occurred during start up.
get webfilter status <refresh-rate>
    The refresh-rate variable provides how often to refresh the server lists in minutes.
exec tac report
    A debug report is generated.
get system performance firewall packet-distribution
    Retrieves packet distribution statistics.
get system performance firewall statistics
    Retrieves traffic statistics. These statistics retrieve how many packets were created
    during sessions such as IM, web browsing and generic UDP.
get system session-helper-info
    Retrieves the session’s protocol amount and port number used.
get system session-ttl
    Retrieves the session’s TTL configuration information.
get system performance top
    Retrieves detailed information about the top performance protocols.
get router info kernel
    Retrieves information about the routing kernel.
get hardware npu {legacy | npux …} {list | session | setting}
    Retrieves information about hardware NPU. When you enter the command, it must be in
    the following order:
    get hardware npu {legacy | npu1 | npu2 | npu3} {list | session | setting}
    Note: For get hardware npu there are additional settings within the NPU device list. For
    example, under npu2, the following is available: performance.

FortiOS software enhancements
This section explains software enhancements that have been implemented, such as
storage management or blade topology enhancements. This section also includes the SIP
features that are now available across all FortiGate models.
The following topics are included in this section:
• Disk management
• ELBC blade configuration
• Support for AMC modules
• Storing configuration history and templates on local hard disk
• SIP features available on all FortiGate models

Disk management
This new feature allows you to manage disk storage for log files as well as WAN Opt
storage. The data that you can store on the disk also includes firmware images,
configuration files, Antivirus databases and IPS databases, and much more.
Partitions are sections or databases within the drive itself. Partitions provide a more
manageable storage location because data is accessed more quickly and efficiently.
The following table explains the data types and where they are located on a drive on a
FortiGate unit. The partitions themselves are represented as numbers, for example,
section 1 of the hard disk contains primary and secondary firmware, section 2 contains
only archives, and section 3 contains only firmware images. The table also explains the
new data types (identified by the asterisk symbol) and their location on the disk.
Table 4: The data types and where they are located on the drive (new data types are
marked with an asterisk)
Primary and Secondary firmware, and configuration
    Description: FortiOS supports two sets of firmware images and configuration which are
    always stored on the disk
    Location: Flash partitions 1 and 2
*Firmware image
    Description: Extended firmware storage
    Location: Flash partition 3 only
*Revision History and Templates
    Description: On-the-box revision history or template storage
    Location: Flash partition 3 only
Disk Log
    Description: Local logging feature
    Location: Flash partition 2 or 3
Archive
    Description: Local archiving feature
    Location: Flash partition 2 or 3
Quarantine
    Description: Local quarantine feature
    Location: Flash partition 2 or 3
WAN Opt and Web Cache
    Description: Disk allocation for WAN Opt and Web Cache features
    Location: Flash partition 2 or 3
Extended AV Database
    Description: Extended antivirus database, which is currently supported in the third
    partition.
    Location: Flash partition 2 or 3
*Extreme AV Database
    Description: Complete antivirus database.
    Location: Flash partition 2 or 3
*Extreme IPS Database
    Description: IPS Database extensions to include malware and malicious URL entries
    Location: Flash partition 2 or 3
*Vulnerability Database
    Description: Vulnerability Database
    Location: Flash partition 2 or 3

If your FortiGate unit has a fixed disk, or if there is only a single disk on the unit, the
configuration is determined by the size of the partitions. Platforms that are affected by this
are ones that use one system partition, and two user partitions.
If your FortiGate unit has multiple disks, Fortinet recommends choosing one disk to store
log and system data on, and then choose which disk to use for which data types. For
example, disk 1 is used for log and system data storage, while disk 2 is used for firmware
image storage, disk 3 is used for databases (all databases, such as Vulnerability), and
disk 4 is used for quarantined files. The FortiGate unit will automatically make the decision
on how to load balance WAN Opt and Web Cache storage issues among the multiple
disks.
Configuration options may vary widely with removable disks, since there could be up to
ten removable disks. If the user inserts extra disks into a multiple-disk FortiGate model,
the administrator will have the option to assign the disks for WAN Opt and Web Cache.
Note: RAID is not included in this release of the Disk Management feature.

Disk I/O scalability
The new Disk I/O scalability allows FortiGate units with multiple disks and high capacity
disk access to be configured to do a type of “load-balance” with WAN Opt and Web Cache
deployments.
With this feature, you can:
• configure an optimal partitioning scheme
• maximize parallel reads/writes based on optimizing either total throughput for WAN Opt
and Web Cache deployments or total number of sessions.

Storage Health Monitor
An extension to disk management, the Storage Health Monitor provides you with the
ability to bypass disk access when the disk becomes a bottleneck for traffic.
When the disk I/O spikes and becomes a bottleneck for traffic, specific settings that you
enable allow the traffic to flow properly again. These settings automatically bypass the
web-cache and WAN optimization features.

ELBC blade configuration
This enhancement to the ELBC blade deployment topology allows FortiGate blades to
synchronize their configuration, similar to the HA primary and subordinate unit scenario.
This enhancement is available on FortiGate models with an ELBC blade deployment
topology. These models must be running FortiOS 4.0 MR2 to use this synchronization
feature.

Support for AMC modules
FortiOS 4.0 MR2 now supports the following AMC modules.
• ASM-CD4
• ADM-XE2
• ADM-XD4
• RTM-XD2

Storing configuration history and templates on local hard disk
Multiple configuration files, revisions and templates can now be stored on a FortiGate
unit’s flash disk, if that flash disk is 1G or larger. The configuration files can be stored on a
third partition.
The configuration files are uploaded to the third partition, and then listed under the section
Config File. Firmware images will also be listed, located under the OS images section. If
you try to upload a file that is not recognized by the FortiGate unit, that file is deleted.
The following table explains how many revisions, templates and configuration files can
be stored on a flash drive.
Table 5: The maximum number of revisions, templates and firmware images for each flash
drive
Compact Flash Size   Number of Revisions   Number of Templates   Number of Firmware Images
1 GB                 20                    20                    5
2 GB                 40                    20                    5
4 GB                 100                   40                    10
8 GB                 200                   40                    10

Firmware images and templates must be deleted when the limit is reached and for
revision history, when the maximum number of files is reached, the FortiGate replaces the
oldest files with the new ones. This behavior is similar to how logs are rolled, since you
can configure the FortiGate unit to roll a log when the maximum log size is reached.
The following is a CLI command syntax that you can use to find the flash size on your
FortiGate unit.
get hardware status
An example of what may display after entering the above CLI command syntax (from a
FortiGate-51B unit):
Model name: Fortigate-51B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Geode(TM) Integrated Processor by AMD PCS
RAM: 502 MB
Compact Flash: 981 MB /dev/hda
Hard disk: 30711 MB /dev/hde
USB Flash: not available
Network Card chipset: ip175c-vdev (rev.)
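As an added example that is not part of the handbook and not Fortinet code, the following Python parses the get hardware status output shown above, maps the reported Compact Flash size to the Table 5 limits, and models the storage rules just described (revision history rolls over, firmware images must be deleted first). The sample output constant and the 90% size tolerance used to match a card to its nominal tier are assumptions.

```python
import re

# Table 5 from the handbook: nominal compact flash size in GB ->
# (max revisions, max templates, max firmware images)
FLASH_LIMITS = {1: (20, 20, 5), 2: (40, 20, 5), 4: (100, 40, 10), 8: (200, 40, 10)}

# Constructed sample: the FortiGate-51B `get hardware status` output quoted above.
SAMPLE_STATUS = """\
Model name: Fortigate-51B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Geode(TM) Integrated Processor by AMD PCS
RAM: 502 MB
Compact Flash: 981 MB /dev/hda
Hard disk: 30711 MB /dev/hde
USB Flash: not available
Network Card chipset: ip175c-vdev (rev.)
"""


def parse_hardware_status(text):
    """Split 'Field: value' lines into a dict; lines without a colon are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def compact_flash_mb(text):
    """Return the Compact Flash size in MB, or None if the field is absent or unparsable."""
    value = parse_hardware_status(text).get("Compact Flash", "")
    match = re.match(r"(\d+)\s*MB\b", value)
    return int(match.group(1)) if match else None


def flash_tier_gb(size_mb):
    """Map a reported size to its nominal Table 5 tier.

    Assumption (not from the handbook): a card reports somewhat less than its
    nominal size (the 1 GB card above reports 981 MB), so a tier matches when the
    reported size is at least 90% of the nominal size. Returns None when the card
    is below the 1 GB minimum the feature requires.
    """
    if size_mb is None:
        return None
    tier = None
    for nominal_gb in sorted(FLASH_LIMITS):
        if size_mb >= nominal_gb * 1024 * 0.9:
            tier = nominal_gb
    return tier


def storage_limits(text):
    """(revisions, templates, firmware_images) for the unit whose status output is given,
    or None when revision storage is unavailable."""
    tier = flash_tier_gb(compact_flash_mb(text))
    return FLASH_LIMITS.get(tier)


def add_revision(history, new_revision, max_revisions):
    """Revision history rolls over: at the limit the oldest revisions are replaced by
    the new one. `history` is ordered oldest first and is not modified."""
    updated = list(history)
    if len(updated) >= max_revisions:
        updated = updated[len(updated) - max_revisions + 1:]
    updated.append(new_revision)
    return updated


def add_firmware_image(images, new_image, max_images):
    """Firmware images (and templates) do not roll over: at the limit the new file is
    refused until an existing one is deleted. Returns (accepted, images)."""
    if len(images) >= max_images:
        return False, list(images)
    return True, list(images) + [new_image]
```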

SIP features available on all FortiGate models
Previously, SIP features were found only on FortiOS Carrier. In FortiOS 4.0 MR2, they are
now available on all FortiGate models that are running FortiOS 4.0 MR2.
These SIP features are available only in the CLI, under the voip profile command.
The following are the SIP features that are available in FortiOS 4.0 MR2.


SIP header conformance check



SIP message per method rate limitation



SIP NAT IP address conservation



Support for multiple RTP endpoint



SIP HA failover



Deep SIP message inspection



Stateful SCTP firewall



SIP Hosted NAT Traversal (HNT)



Logging and statistics

SIP header conformance check
The SIP header conformance check detects malformed, and possibly malicious, SIP
messages. You can enable this check with the unknown-header [discard | pass | respond]
variable under the config voip profile command. The following is an example.
config voip profile
edit voip_1
config sip
set unknown-header respond
end
next
end

SIP message per method rate limitation
The SIP message per method rate limitation lets you limit message rates per SIP method.
Previously, FortiOS rate limited only two methods, INVITE and REGISTER, while FortiOS
Carrier provided additional request methods. This feature can also rate limit, in particular,
non-dialog SIP services such as presence services.
The following variables configure this feature in the CLI:
set message-rate <per second_per policy>
set bye-rate <per second_per policy>
set cancel-rate <per second_per policy>
set publish-rate <per second_per policy>
set options-rate <per second_per policy>
set notify-rate <per second_per policy>
set subscribe-rate <per second_per policy>
set prack-rate <per second_per policy>
set ack-rate <per second_per policy>
set update-rate <per second_per policy>
set info-rate <per second_per policy>
set register-rate <per second_per policy>
set invite-rate <per second_per policy>
set provisional-invite-expiry-time <seconds> (between 10-3600)
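The per-method variables above behave as independent rate counters per firewall policy. The following Python token-bucket limiter is an added illustration of that model and is not FortiOS code: the limits dictionary (equivalent to invite-rate 2 and register-rate 1), the rule that a method with no entry or a limit of 0 is unlimited, and the replayed burst of requests are all constructed for this example.

```python
import time
from collections import defaultdict


class SipMethodRateLimiter:
    """Token-bucket limiter keyed by (policy id, SIP method).

    `limits` maps a SIP method to its allowed messages per second per policy,
    mirroring the page's invite-rate, register-rate, ... variables. A method
    without an entry, or with a limit of 0, is not limited (an assumption of
    this example). The clock is injectable so a burst can be replayed exactly.
    """

    def __init__(self, limits, clock=time.monotonic):
        self.limits = {m.upper(): float(r) for m, r in limits.items()}
        self.clock = clock
        self.buckets = {}                # (policy, method) -> (tokens, last refill time)
        self.dropped = defaultdict(int)  # (policy, method) -> messages rate limited so far

    @staticmethod
    def method_of(request_line):
        """The SIP method is the first token of the request line ('INVITE sip:... SIP/2.0')."""
        return request_line.split(" ", 1)[0].upper()

    def allow(self, policy_id, request_line, now=None):
        """True if the message may pass, False if it exceeds the method's per-policy rate."""
        method = self.method_of(request_line)
        rate = self.limits.get(method, 0.0)
        if rate <= 0:
            return True
        now = self.clock() if now is None else now
        key = (policy_id, method)
        tokens, last = self.buckets.get(key, (rate, now))
        tokens = min(rate, tokens + (now - last) * rate)  # refill, capped at one second's worth
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        self.dropped[key] += 1
        return False


def replay(limiter, events):
    """Replay (timestamp, policy_id, request_line) events; return one verdict per event."""
    return [limiter.allow(policy, line, now=ts) for ts, policy, line in events]


# Constructed burst: three INVITEs and two REGISTERs within 0.3 s on policy 1,
# one OPTIONS, one INVITE on policy 2, then another INVITE on policy 1 a second later.
SAMPLE_EVENTS = [
    (0.0, 1, "INVITE sip:bob@example.com SIP/2.0"),
    (0.1, 1, "INVITE sip:bob@example.com SIP/2.0"),
    (0.2, 1, "INVITE sip:bob@example.com SIP/2.0"),
    (0.2, 1, "REGISTER sip:example.com SIP/2.0"),
    (0.3, 1, "REGISTER sip:example.com SIP/2.0"),
    (0.3, 1, "OPTIONS sip:bob@example.com SIP/2.0"),
    (0.3, 2, "INVITE sip:bob@example.com SIP/2.0"),
    (1.2, 1, "INVITE sip:bob@example.com SIP/2.0"),
]


def sample_run():
    """Limits equivalent to 'set invite-rate 2' and 'set register-rate 1' (constructed)."""
    limiter = SipMethodRateLimiter({"invite": 2, "register": 1})
    return replay(limiter, SAMPLE_EVENTS), dict(limiter.dropped)
```

The third INVITE and the second REGISTER on policy 1 are dropped while the INVITE on policy 2 passes, which is the per-policy behaviour the variables describe; the counters in `dropped` are what a log-violations style record would be built from.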

SIP NAT IP address conservation
SIP NAT IP address conservation stores the external IP address and port information
that a SIP NAPT overwrites in the SDP i-line (information line). This information is
particularly useful to the operator for debugging.
The following CLI variable is used to configure SIP NAT IP address conservation:
set preserve-override [enable | disable]

Support for multiple RTP endpoint
This feature, previously available only in FortiOS Carrier, allows you to configure a large
number of RTP endpoints in an RTP NAT configuration. Previously, this required a VIP
configuration in which the IP addresses of the RTP endpoints had to be configured. With a
larger number of RTP endpoints (for example, more than 64), this becomes an issue, for
example in enterprise IP PABX networks.
The following CLI variable is used to configure RTP endpoint support:
set rtp [enable | disable]

RTP bypass option
The RTP Bypass Option allows the RTP stream to bypass the SIP signaling firewall.

SIP HA failover
The SIP HA failover supports a low outage configuration for carrier grade networks to
reduce the downtime to a minimum. This applies to planned outages, such as software or
hardware upgrades, or an unplanned outage, such as a hardware failure. In large
enterprise configurations, SIP HA failover has become a requirement for high-end IP
PABX and high capacity SIP trunking applications for the same reason.

Deep SIP message inspection
Deep SIP message syntax inspection (also called Deep SIP header inspection or SIP
fuzzing protection) provides protection against malicious SIP messages by applying SIP
header and SDP profile syntax checking. SIP Fuzzing attacks can be used by attackers to
discover and exploit vulnerabilities of a SIP entity (for example, a SIP proxy server). These
attacks could often crash or compromise the SIP entity. The SIP Firewall in FortiOS 4.0
MR2 helps detect these types of malicious messages and drop or reject them.
The SIP stateful firewall checks the syntax and semantics of all messages against the SIP
standards. If a malformed header (one that violates the standard) is detected, one of the
following options can be configured so that the FortiGate unit takes the appropriate action:
• pass – passes the message along
• discard – discards the message altogether
• respond – responds with a SIP 4xx, 5xx, or 6xx message (hard-coded message)
The above options are configurable in the CLI. These types of actions can be logged, if
required. The following information is logged by the FortiGate unit when a message is
detected as malformed:
• Malformed SIP message
• Header field – indicates which header field is malformed
• Line – the header content, as long as it fits into the maximum length of the log
message; it is truncated if it is too long
• Column – helps the analyst locate the point where the FortiGate unit believes the
header is malformed.

The following table outlines each SIP header field with the CLI option associated with it.
Table 6: SIP header fields and their associated CLI variable

SIP Header field          CLI variable options
SIP Request Line          malformed-request-line {discard | pass}
SIP VIA                   malformed-header-via {discard | pass}
SIP FROM                  malformed-header-from {discard | pass}
SIP TO                    malformed-header-to {discard | pass}
SIP CALL-ID               malformed-header-call-id {discard | pass}
SIP CSEQ                  malformed-header-cseq {discard | pass}
SIP RACK                  malformed-header-rack {discard | pass}
SIP RSEQ                  malformed-header-rseq {discard | pass}
SIP CONTACT               malformed-header-contact {discard | pass}
SIP RECORD-ROUTE          malformed-header-record-route {discard | pass}
SIP EXPIRES               malformed-header-expires {discard | pass}
SIP CONTENT-TYPE          malformed-header-content-type {discard | pass}
SIP CONTENT-LENGTH        malformed-header-content-length {discard | pass}
SIP MAX-FORWARDS          malformed-header-max-forwards {discard | pass}
SIP ALLOW                 malformed-header-allow {discard | pass}
SIP P-ASSERTED-IDENTITY   malformed-p-asserted-identity {discard | pass}

If the FortiGate unit detects a new or unknown SIP header field, you can configure the
FortiGate unit to take an action in that case. This may mean the message is passed or
discarded.
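The header conformance check described earlier and the deep SIP inspection in this section amount to a per-header syntax check that yields an action and a log record (header field, line, column). The following Python checker is an added example of that logic, not FortiOS code: its header grammar is a deliberate simplification of RFC 3261, the profile dictionary stands in for the malformed-header-* and unknown-header variables, the "malformed-line" field is the example's own name for a header line with no "Name: value" shape, and the two INVITE messages are constructed samples.

```python
import re
from dataclasses import dataclass

# Actions the page lists for a malformed or unknown SIP header.
PASS, DISCARD, RESPOND = "pass", "discard", "respond"

# Constructed profile modelled on the malformed-header-* and unknown-header
# variables: field name -> action. Fields not listed here are passed.
DEFAULT_PROFILE = {
    "request-line": DISCARD, "via": DISCARD, "from": DISCARD, "to": DISCARD,
    "call-id": DISCARD, "cseq": DISCARD, "max-forwards": DISCARD,
    "content-length": DISCARD, "unknown-header": RESPOND,
    "malformed-line": DISCARD,  # example's own field: a line with no "Name: value" shape
}
# Fields from Table 6 plus a few common RFC 3261 fields (constructed list);
# anything else is reported as an unknown header.
KNOWN_HEADERS = {
    "via", "from", "to", "call-id", "cseq", "contact", "record-route", "expires",
    "content-type", "content-length", "max-forwards", "allow", "rack", "rseq",
    "p-asserted-identity", "user-agent", "supported", "route", "accept",
}
# Syntax checks as ordered token patterns; the first token that fails to match
# gives the column reported in the log. Simplified grammar, not the full ABNF.
NAME_ADDR = [r'(?:"[^"]*"\s*|[^<;:]*(?=<))?', r"<sips?:[^>]+>|sips?:[^;]+", r"(?:;[^;]+)*"]
CHECKS = {
    "request-line": [r"[A-Z]+", r" ", r"\S+", r" ", r"SIP/2\.0"],
    "via": [r"SIP/2\.0/(?:UDP|TCP|TLS|SCTP)", r" ", r"[A-Za-z0-9.\-:\[\]]+", r"(?:;[^;]+)*"],
    "from": NAME_ADDR, "to": NAME_ADDR, "call-id": [r"\S+"],
    "cseq": [r"\d+", r" ", r"[A-Z]+"], "max-forwards": [r"\d+"], "content-length": [r"\d+"],
}


@dataclass
class Finding:
    action: str   # pass / discard / respond, taken from the profile
    header: str   # which header field is malformed
    line: str     # header content, truncated to the log message limit
    column: int   # offset at which the parser stopped accepting the header


def first_bad_column(tokens, value):
    """None if value matches the tokens end to end, else the offset of the first failure."""
    pos = 0
    for tok in tokens:
        m = re.compile(tok).match(value, pos)
        if m is None:
            return pos
        pos = m.end()
    return None if pos == len(value) else pos


def inspect_sip(raw, profile=DEFAULT_PROFILE, max_log_line=80):
    """Check one SIP request's request line, headers and Content-Length; return Findings."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines, findings = head.split("\n"), []

    def record(field, line, column):
        findings.append(Finding(profile.get(field, PASS), field, line[:max_log_line], column))

    col = first_bad_column(CHECKS["request-line"], lines[0])
    if col is not None:
        record("request-line", lines[0], col)
    for line in lines[1:]:
        name, sep, rest = line.partition(":")
        if not sep or not name.strip():
            record("malformed-line", line, 0)
            continue
        field, value = name.strip().lower(), rest.strip()
        value_off = len(name) + 1 + (len(rest) - len(rest.lstrip()))  # column where the value starts
        if field not in KNOWN_HEADERS:
            record("unknown-header", line, 0)
            continue
        col = first_bad_column(CHECKS[field], value) if field in CHECKS else None
        if col is not None:
            record(field, line, value_off + col)
        elif field == "content-length" and int(value) != len(body):
            record(field, line, value_off)  # semantic check: declared vs. actual body length
    return findings


def decide(findings):
    """Verdict for the whole message: discard beats respond, which beats pass."""
    actions = {f.action for f in findings}
    return DISCARD if DISCARD in actions else RESPOND if RESPOND in actions else PASS


# Constructed sample requests (not captured traffic).
GOOD_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928\r\nTo: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\nCSeq: 314159 INVITE\r\nMax-Forwards: 70\r\n"
    "Content-Length: 0\r\n\r\n"
)
BAD_INVITE = (  # non-numeric CSeq and Max-Forwards, unknown header, Content-Length too large
    "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: sip:alice@example.com;tag=1928\r\nTo: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\nCSeq: abc INVITE\r\nMax-Forwards: seventy\r\n"
    "X-Fuzz: AAAA\r\nContent-Length: 10\r\n\r\nv=0\r\n"
)
```

Running `inspect_sip(BAD_INVITE)` yields four findings: the non-numeric CSeq at column 6, the non-numeric Max-Forwards, the unknown X-Fuzz header (respond, per the profile) and a Content-Length that does not match the body, which is the semantic part of the check; `decide` then returns discard. The column values mirror the "Column" log field above and are what an analyst would use to find the offending byte in a fuzzed message.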

Stateful SCTP firewall
The FortiGate firewall can now apply firewall policies to SCTP sessions in the same way
as TCP and UDP sessions. You can create firewall policies that accept or deny SCTP
traffic by setting the service to ANY. FortiOS does not include pre-defined SCTP
services. When configuring firewall policies for traffic with specific SCTP source or
destination ports, you must create custom firewall services for SCTP.
FortiGate units route SCTP traffic in the same way as TCP and UDP traffic. You can
configure policy routes specifically for routing SCTP traffic by setting the protocol number
to 132. SCTP policy routes can route SCTP traffic according to the destination port of the
traffic if you add a port range to the policy route.
You can configure a FortiGate unit to perform stateful inspection of different types of SCTP
traffic by creating custom SCTP services and defining the port numbers or port ranges
used by those services. FortiGate units support SCTP over IPv4.
The stateful SCTP firewall supports the following:
• IPSec VPN transport (SCTP over IPSec)
• IPv4 networks, as well as IPv6 and NAT
• configure and view status of the SCTP firewall from remote devices, such as FortiManager
and an SNMP agent, along with the web-based manager, CLI and SNMP
• log events and alarms of stateful firewall events
• SNMP MIB for stateful SCTP firewall
• CLI commands that allow for debugging and displaying of SCTP content and statistics

Adding an SCTP custom service
Use the following command to create a custom SCTP service that accepts SCTP traffic
using destination port 2905. SCTP port number 2905 is used for SS7 Message Transfer
Part 3 (MTP3) User Adaptation Layer (M3UA) over IP.
The following example uses these CLI commands and variables:
config firewall service custom
edit M3UA_service
set protocol TCP/UDP/SCTP
set sctp-portrange 2905
end
To add the same custom service from the web-based manager, go to Firewall > Service >
Custom and select Create New. Use the following example when configuring the custom
service.
New Custom Service page
Name                      M3UA_service
Protocol Type             TCP/UDP/SCTP
Protocol                  SCTP
Source Port (Low)         1
Source Port (High)        65535
Destination Port (Low)    2905
Destination Port (High)   2905

Adding an SCTP policy route
You can add policy routes that route SCTP traffic based on the SCTP source and
destination port as well as other policy route criteria. The SCTP protocol number is 132.
Use the following commands to direct all SCTP traffic with SCTP destination port 2905 to
the next hop gateway at IP address 1.1.1.1.
config router policy
edit 1
set input-device internal
set src 0.0.0.0 0.0.0.0
set dst 0.0.0.0 0.0.0.0
set output-device external
set gateway 1.1.1.1
set protocol 132
set start-port 2905
set end-port 2905
end
To add the same policy route example configuration from the web-based manager, go to
Router > Static > Policy Route and select Create New. Use the following to configure the
policy route and then select OK.
New Policy Route page
If incoming traffic matches:
Protocol                    132
Incoming interface          internal
Source address/mask         0.0.0.0 0.0.0.0
Destination address/mask    0.0.0.0 0.0.0.0
Destination Ports           From 2905 to 2905
Type of Service             00 and 00
Force traffic to:
Outgoing interface          external
Gateway address             1.1.1.1
Changing the session time to live for SCTP traffic
You can change the session timeout for SCTP traffic in the CLI. Use the following example
to help you change the session timeout for SCTP traffic. It sets the session timeout for
M3UA (SCTP port 2905) to 3600 seconds.
config system session-ttl
config port
edit 1
set protocol 132
set start-port 2905
set end-port 2905
set timeout 3600
end
end

Adding an SCTP port forwarding virtual IP
The following example shows how to add a static NAT port forwarding virtual IP that uses
port address translation to allow external access to a server on a private network. In this
example, the external IP address of the server is 172.20.120.11 and the real IP address of
the web server on the internal network is 10.21.101.11. Use the example to help you add
an SCTP port forwarding virtual IP of your own.
config firewall vip
edit web_Server
set portforward enable
set extintf port1
set extip 172.20.120.11
set extport 2905
set mappedip 10.31.101.11
set mappedport 2905
set protocol sctp
end

SIP Hosted NAT Traversal (HNT)
Hosted NAT Traversal (HNT) for SIP is now supported in FortiOS. You can configure this
new feature so that a UAC behind a NAT firewall that is not SIP aware can still have its
RTP flow through the FortiGate unit.
The following is an example of the CLI command syntax used to configure this feature.
config voip profile
edit voip_1
config sip
set hosted-NAT-traversal enable
set hnt-restrict-source-IP enable
end
next
end

Logging and statistics
With this enhancement, improvements to log, statistical and debug information for the
FortiOS Carrier SIP implementation are provided. These improvements are as follows:
• Logging – logs discarded SIP messages when they are detected as invalid.
• Statistics – more information is included within the log to help explain what occurred
and why the log was recorded.
• Debugging – the information shown is more readable and easier to understand.
Logging command variables:
log-violations
log-call-summary
Debugging variable:
call-keepalive (continue tracking calls with no RTP for this many minutes)

System
This section explains the new features and changes to existing features that concern the
System menu in the web-based manager.
The following topics are included in this section:
• Concurrent username restriction
• MD5 hash for log transfers
• Limiting the number of concurrent explicit proxy users
• sFlow client support
• WCCP client mode
• Client certificate handling for SSL inspection
• Controlling the source interface IP address for self-originating traffic
• Web Proxy replacement messages
• Maintenance

Concurrent username restriction
There are now options for restricting concurrent user sessions, either per user or per
administrator. This is an extension to administrator and firewall user session enforcement.
You can configure this restriction in the CLI. The following is the CLI syntax to use when
configuring concurrent user restrictions:
config system global
set admin-concurrent {enable | disable}
set policy-auth-concurrent {enable | disable}
end

MD5 hash for log transfers
The MD5 hash for log transfers feature helps maintain the integrity of log files in transfer,
ensuring that the log information is not altered in transit to the FortiAnalyzer unit or
during backup.
config system central-management
set fmg-source-ip 172.16.122.154
end

Limiting the number of concurrent explicit proxy users
In FortiOS 4.0 MR2, you can now place a limit on how many users there should be for
explicit proxy. You can configure this limit either in the CLI or the web-based manager.

Example
When vdom-admin is enabled, the following CLI command syntaxes are available:
config global
config system resource-limits
set webproxy <max global user>
end
config system vdom-property
edit <vdom_name>
set webproxy <vdom_max_user>
next
end
To limit the number of concurrent explicit proxy users
1 Go to System > VDOM > VDOM.
2 Edit the VDOM for which you want to limit concurrent explicit proxy users.
3 On the Edit Virtual Domain page, under Resource Usage, enter the guaranteed MB
amount in the Guaranteed field of the Concurrent web proxy users row.
4 Select OK.

sFlow client support
sFlow is a network monitoring protocol defined in RFC 3176 and described in
http://www.sflow.org. You can configure one or more FortiGate interfaces as sFlow agents
that monitor network traffic and send sFlow datagrams containing information about traffic
flow to an sFlow collector. You can add sFlow agents to any FortiGate interface, including
physical interfaces, VLAN interfaces, and aggregate interfaces.
sFlow is normally used to provide an overall traffic flow picture of your network. You would
usually operate sFlow agents on the switches, routers, and firewalls on your network, collect
traffic data from all of them and use a collector to show traffic flows and patterns.
Using this data you can determine normal traffic flow patterns for your network and then
monitor for traffic flow problems. As these problems are found you can attempt to correct
them and continue to use the sFlow agents and collectors to view the results of your
corrective action.
The FortiGate sFlow agent functions like any sFlow agent, combining interface counters
and flow samples into sFlow datagrams that are immediately sent to an sFlow collector.
Because the sFlow datagrams are sent immediately without processing the data and
without collecting large amounts of data, running the sFlow agent has almost no effect on
system performance.
You can configure sFlow only from the CLI. To begin using sFlow, you must add the IP
address of your sFlow collector to the FortiGate configuration and then configure sFlow
agents on FortiGate interfaces.

Example configuration
The following example helps to explain how to configure your FortiGate unit to send sFlow
datagrams to an sFlow collector. This example configuration also includes how to
configure sFlow with multiple VDOMs.
To configure the FortiGate unit to send sFlow datagrams to an sFlow collector
1 Enter the following command syntax to set the IP address of your sFlow collector to
172.20.120.11:
config system sflow
set collector-ip 172.20.120.11
end

2 If required you can also change the UDP port number that the sFlow agent uses. You
should only change this port if required by your network configuration or sFlow
collector. The default sFlow port is 6343. The following command changes the sFlow
agent port to 5345.
config system sflow
set collector-port 5345
end
3 Use the following command to enable sFlow for the port1 interface:
config system interface
edit port1
set sflow-sample enable
end
4 Repeat step 3 to add sFlow agents to other FortiGate interfaces.
5 You can also change the sampling rate, polling interval, and sample direction for each
sFlow agent:
config system interface
edit port1
set sample-rate <rate_number>
set polling-interval <frequency>
set sample-direction {both | rx | tx}
end

sFlow with multiple VDOMs
For a FortiGate unit operating with multiple VDOMs, you can add different sFlow collector
IP addresses and port numbers to each non-management VDOM. Use the following
command syntax to customize the sFlow configuration for a VDOM named VDOM_1:
config vdom
edit VDOM_1
config system vdom-sflow
set vdom-sflow enable
set collector-ip 172.20.120.11
end
The management VDOM and all VDOMs that you have not configured a VDOM-specific
configuration for use the global sFlow configuration.
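On the collector side, the datagrams that the agents configured above emit have the fixed sFlow v5 layout, and the sampling rate set per interface in step 5 is carried inside every flow sample, which is how a collector scales one sampled packet up to an estimate of real traffic. The following Python parser is an added example and is not FortiGate or sflow.org code; the agent address 172.20.120.1, the ifIndex values, sequence numbers and the sampled Ethernet frame in `build_sample_datagram` are constructed test data, and `estimate_packets` applies the simple 1-in-N model in which each sampled packet stands for `sampling_rate` packets.

```python
import socket
import struct
from dataclasses import dataclass, field

SFLOW_VERSION = 5
FLOW_SAMPLE, COUNTER_SAMPLE = 1, 2   # sample_data formats (enterprise 0)
RAW_PACKET_HEADER = 1                # flow_data format carrying a sampled packet header


@dataclass
class SflowDatagram:
    agent_ip: str
    sub_agent_id: int
    sequence: int
    uptime_ms: int
    samples: list = field(default_factory=list)


def _records(body, off, count):
    """Parse `count` (format, length, data) flow records starting at `off` in `body`."""
    out = []
    for _ in range(count):
        fmt, length = struct.unpack_from("!II", body, off)
        data = body[off + 8: off + 8 + length]
        rec = {"enterprise": fmt >> 12, "format": fmt & 0xFFF, "length": length}
        if rec["enterprise"] == 0 and rec["format"] == RAW_PACKET_HEADER:
            proto, frame_len, stripped, hdr_len = struct.unpack_from("!IIII", data, 0)
            rec.update(header_protocol=proto, frame_length=frame_len,
                       stripped=stripped, header=data[16:16 + hdr_len])
        out.append(rec)
        off += 8 + length
    return out, off


def parse_datagram(data):
    """Parse an sFlow v5 datagram: its header, every sample header, and flow records."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != SFLOW_VERSION:
        raise ValueError(f"unsupported sFlow version {version}")
    if addr_type == 1:
        agent, off = socket.inet_ntoa(data[8:12]), 12
    elif addr_type == 2:
        agent, off = socket.inet_ntop(socket.AF_INET6, data[8:24]), 24
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    sub_agent, seq, uptime, nsamples = struct.unpack_from("!IIII", data, off)
    off += 16
    dgram = SflowDatagram(agent, sub_agent, seq, uptime)
    for _ in range(nsamples):
        fmt, length = struct.unpack_from("!II", data, off)
        body, off = data[off + 8: off + 8 + length], off + 8 + length
        sample = {"enterprise": fmt >> 12, "format": fmt & 0xFFF, "length": length}
        if sample["enterprise"] == 0 and sample["format"] == FLOW_SAMPLE:
            (sample["sequence"], sample["source_id"], sample["sampling_rate"],
             sample["sample_pool"], sample["drops"], sample["input_if"],
             sample["output_if"], nrec) = struct.unpack_from("!8I", body, 0)
            sample["records"], _ = _records(body, 32, nrec)
        dgram.samples.append(sample)
    if off != len(data):
        raise ValueError("trailing bytes after the last sample")
    return dgram


def estimate_packets(dgram):
    """1-in-N model: each sampled packet stands for `sampling_rate` packets on the wire."""
    return sum(s.get("sampling_rate", 0) for s in dgram.samples)


def build_sample_datagram():
    """Constructed datagram as an agent at 172.20.120.1 might emit it (not captured data)."""
    # Sampled frame: Ethernet II header (dst, src, type 0x0800) plus the first two IPv4
    # bytes, 16 bytes in total so the record stays 4-byte aligned.
    hdr = bytes.fromhex("ffffffffffff0050568a00010800") + b"\x45\x00"
    rec = struct.pack("!IIII", 1, 1514, 4, len(hdr)) + hdr        # header_protocol 1 = Ethernet
    rec = struct.pack("!II", RAW_PACKET_HEADER, len(rec)) + rec
    flow = struct.pack("!8I", 7, 3, 1000, 25000, 0, 3, 5, 1) + rec  # 1-in-1000 sampling, ifIndex 3 -> 5
    counter = struct.pack("!III", 9, 3, 0)                          # counter sample with no records
    samples = (struct.pack("!II", FLOW_SAMPLE, len(flow)) + flow
               + struct.pack("!II", COUNTER_SAMPLE, len(counter)) + counter)
    return (struct.pack("!II", SFLOW_VERSION, 1) + socket.inet_aton("172.20.120.1")
            + struct.pack("!IIII", 0, 42, 123456, 2) + samples)
```

The parser stops at the sample and record boundaries given by the length fields rather than trusting the inner structure, and rejects trailing bytes, which is the safe way to consume a UDP feed from many agents. Pointing it at a real collector port (6343 by default, or the port set with collector-port) only needs a UDP socket loop around `parse_datagram`.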

WCCP client mode
You can configure a FortiGate unit to operate as a WCCP router or client. The WCCP
client configuration is new for FortiOS 4.2.
• A FortiGate unit operating as a WCCP router can intercept HTTP and HTTPS sessions
and forward them to a web caching engine that caches web pages and returns cached
content to the web browser.
• A FortiGate unit operating as a WCCP client can accept and forward WCCP sessions
and use firewall policies to apply NAT, UTM, and other FortiGate security features to
them. A FortiGate unit operates as a WCCP client only in NAT/Route mode (and not in
Transparent mode).

WCCP router mode configuration
Enter the following command to configure a FortiGate unit to operate as a WCCP router
(this is the default FortiGate WCCP configuration).
config system settings
set wccp-cache-engine disable
end
Use the following command to configure WCCP router mode:
config system wccp
edit <service-id>
set router-id <interface_ipv4>
set group-address <multicast_ipv4>
set server-list <router_ipv4>
set authentication {disable | enable}
set forward-method {GRE | L2 | any}
set return-method {GRE | L2 | any}
set assignment-method {HASH | MASK | any}
set password <password_str>
next
end

WCCP client mode configuration
Enter the following command to configure a FortiGate unit to operate as a WCCP cache
engine:
config system settings
set wccp-cache-engine enable
end
When you enter this command an interface named w.<vdom_name> is added to the
FortiGate configuration (for example w.root). All WCCP traffic received by a FortiGate unit
operating as a WCCP client is considered to be received at this interface and you can
enter firewall policies for the WCCP traffic. For example, the following firewall policy
accepts WCCP traffic routed from the w.root interface to the wan1 interface. This firewall
policy applies NAT and an antivirus UTM profile named scan to the WCCP traffic.
config firewall policy
edit 4
set srcintf w.root
set dstintf wan1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service any
set nat enable
set utm-status enable
set av-profile scan
next
end
You can also use the following commands to configure how a FortiGate unit in WCCP
client mode communicates with WCCP routers:
config system wccp
edit <service-id>
set cache-id <cache_engine_ip4>
set group-address <multicast_ipv4>
set router-list <server_ipv4mask>
set authentication {disable | enable}
set service-type {auto | dynamic | standard}
set assignment-weight <weight_int>
set assignment-bucket-format {cisco-implementation | wccp-v2}
set password <password_str>
next
end

Client certificate handling for SSL inspection
SSL sessions that use client-certificates now bypass the SSL inspection. For this
enhancement to work properly, an SSL server should be set up that requires client-side
certificates; these certificates are then uploaded to the client, making a connection
through the FortiGate unit with the SSL Inspection feature enabled on the FortiGate unit.

Controlling the source interface IP address for self-originating
traffic
This new feature is an extension to the general system operation, allowing you to specify
the source IP address of self-originated traffic. The following are supported for this feature:
• SNMP
• Syslog servers
• FortiAnalyzer units
• Alert Email
• FortiManager connection
This feature is available only in the CLI. The following is an example of the CLI command
syntax used to configure a source IP address for self-originating traffic.
config system central-management
set fmg-source-ip 172.16.122.154
end

Web Proxy replacement messages
Web proxy replacement messages were included in the Replacement Messages menu for
web proxy. These messages are specifically for triggers that are associated with web
proxy, such as web proxy access, login, authorization, and HTTP errors.
These web proxy replacement messages are:
Table 7: Web Proxy replacement messages

Message name                     Description
Web proxy access denied          If no web proxy policy is defined, and the default action is set to Deny,
                                 this message displays. This message also displays when both of the
                                 following are true:
                                 • no web proxy policy is defined OR no existing policy matches the
                                   incoming request
                                 • default action is set to Deny (System > Network > Web Proxy)
                                 Note: The default action is ignored when there is at least one web
                                 policy defined.
Web proxy login challenge        This replacement message is triggered by a log in, and is always sent to
                                 the client’s browser when it is triggered; however, some browsers
                                 (Internet Explorer and Firefox) are unable to display this replacement
                                 message.
Web proxy login fail             If a user name and password authentication combination is entered and
                                 is rejected as incorrect, this replacement message appears.
Web proxy authorization fail     This replacement message appears when a username and password are
                                 entered and are correct, but the user is not allowed to view the
                                 requested resources (for example, in an FSAE setup where authentication
                                 passes and the username and password combination is correct, but the
                                 user group does not match a user group defined in the firewall policy).
Web proxy HTTP error             This replacement message is triggered whenever there is a web proxy HTTP
                                 error. This message forwards the actual server’s error message and a
                                 web proxy internal error message, for example, error 404: web page is
                                 not found.
Web proxy user-limit (CLI only)  If you have enabled user-limit within config system replacemsg webproxy,
                                 this message is triggered when a web proxy user has met the threshold
                                 that is defined in global resources or vdom resources.

Maintenance
The Maintenance menu has been redesigned for FortiOS 4.0 MR2. This new redesign
incorporates the disk management enhancements introduced in this release. The new
redesign moves the Backup and Restore menu’s settings to the System Information
widget.
The System Information widget displays the date and time of when the configuration was
previously backed up, as well as the options to backup (select Backup to back up the
configuration) or restore a configuration (select Restore to restore a previously backed up
configuration). When you select Backup, you are automatically redirected to the Backup
page which contains the same options that were previously found in the Backup and
Restore menu. When you select Restore, you are automatically redirected to the Restore
page, which contains the same options that were previously found in the Backup and
Restore menu.
The Maintenance menu now contains the following menus:
• FortiGuard – allows you to view FortiGuard subscriptions as well as configure
settings for the FortiGuard Analysis server
• Advanced – allows you to upload scripts, configure an automatic install of a firmware
image and configuration file from a USB key, and download a debug log file for use in
debugging the FortiGate unit.
• License – has not changed; still allows you to include a VDOM license to extend the
number of VDOMs on your FortiGate unit.
• Firmware – allows you to upgrade firmware; if you have partitioned the hard drive, you
can also upload or upgrade the firmware on that partition
• Disk – provides information about the amount of space being used or that is free on the
hard drive; also includes detailed information about the data that is being stored, for
example disk logging has 5 MB allocated, 1 MB that is being used, and 100 percent of
quota usage.


High availability
This section explains all new features and changes to existing features that concern High
Availability in the web-based manager.
The following topics are included in this section:
• Configurable Ethernet types for HA heartbeat packets
• HA subsecond failover
• HA reserved management interface

Configurable Ethernet types for HA heartbeat packets
Normal IP packets are 802.3 packets that have an Ethernet type (Ethertype) field value of
0x0800. Ethertype values other than 0x0800 are understood as level2 frames rather than
IP packets.
By default, HA heartbeat packets use the following Ethertypes:
• HA heartbeat packets for NAT/Route mode clusters use Ethertype 0x8890. These
packets are used by cluster units to find other cluster units and to verify the status of
other cluster units while the cluster is operating.
• HA heartbeat packets for Transparent mode clusters use Ethertype 0x8891. These
packets are used by cluster units to find other cluster units and to verify the status of
other cluster units while the cluster is operating.
• HA synchronization packets use Ethertype 0x8893. These packets are used to
synchronize the cluster units.
Since heartbeat packets are recognized as level2 frames, the switches and routers on
your heartbeat network that connect to heartbeat interfaces must be configured to allow
them. If level2 frames are dropped by these network devices, heartbeat traffic will not be
allowed between the cluster units.
Some third-party network equipment may use packets with these Ethertypes for other
purposes. For example, Cisco N5K/Nexus switches use Ethertype 0x8890 for some
functions. When one of these switches receives Ethertype 0x8890 packets from an
attached cluster unit, the switch generates CRC errors and the packets are not forwarded.
As a result, FortiGate units connected with these switches cannot form a cluster.
In some cases, if the heartbeat interfaces are connected and configured so regular traffic
flows but heartbeat traffic is not forwarded, you can change the configuration of the
switches that connect the HA heartbeat interfaces to allow level2 frames with Ethertypes
0x8890, 0x8893, and 0x8891 to pass.
For FortiOS 4.0 MR2, you can use the following CLI command syntax on each cluster unit
to change the Ethertypes of the HA heartbeat packets:
config system ha
set ha-eth-type <ha_ethertype_4-digit_hex>      (default: 8890)
set hc-eth-type <hc_ethertype_4-digit_hex>      (default: 8891)
set l2ep-eth-type <l2ep_ethertype_4-digit_hex>  (default: 8893)
end
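A direct way to confirm that the switches between the heartbeat interfaces pass these Ethertypes is to count frames by Ethertype on a capture taken from the heartbeat link (a mirror port, or the peer unit's side): if IPv4 frames arrive but the heartbeat Ethertype never does, the switch is dropping level2 frames as described above. The following Python check is an added example and not FortiOS code; the frames and MAC addresses are constructed, the "nat" and "transparent" mode names are the example's own, and the hex strings are read in the form the config system ha variables above use.

```python
import struct
from collections import Counter

ETHERTYPE_NAMES = {
    0x0800: "IPv4",
    0x8890: "HA heartbeat (NAT/Route mode)",
    0x8891: "HA heartbeat (Transparent mode)",
    0x8893: "HA synchronization",
}
VLAN_TAG = 0x8100


def expected_ethertypes(ha_config, mode):
    """Ethertypes a cluster in `mode` ('nat' or 'transparent') needs its heartbeat switches to pass.

    `ha_config` holds the 4-digit hex strings from the config system ha variables
    (ha-eth-type, hc-eth-type, l2ep-eth-type); the mode names are this example's own.
    """
    heartbeat = ha_config["ha-eth-type"] if mode == "nat" else ha_config["hc-eth-type"]
    return {int(heartbeat, 16), int(ha_config["l2ep-eth-type"], 16)}


def ethertype_of(frame):
    """Ethertype of an Ethernet II frame, looking past a single 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype == VLAN_TAG:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        etype = struct.unpack_from("!H", frame, 16)[0]
    return etype


def heartbeat_report(frames, expected):
    """Count frames per Ethertype and list the expected HA Ethertypes that never appeared."""
    counts = Counter(ethertype_of(f) for f in frames)
    return {
        "counts": {ETHERTYPE_NAMES.get(t, f"0x{t:04x}"): n for t, n in counts.items()},
        "missing": sorted(t for t in expected if t not in counts),
        "ipv4_seen": counts[0x0800] > 0,
    }


def build_frame(etype, payload=b"\x00" * 46, vlan=None):
    """Constructed frame with locally administered test MACs, optionally 802.1Q tagged (VID only)."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    tag = struct.pack("!HH", VLAN_TAG, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + payload


# Constructed capture from the heartbeat link of a NAT/Route mode cluster (not real traffic).
SAMPLE_FRAMES = [
    build_frame(0x0800),
    build_frame(0x8890),
    build_frame(0x8890, vlan=10),
    build_frame(0x8893),
]
DEFAULT_HA_CONFIG = {"ha-eth-type": "8890", "hc-eth-type": "8891", "l2ep-eth-type": "8893"}
```

Against `SAMPLE_FRAMES`, `heartbeat_report` with the NAT/Route expectation reports nothing missing, while the Transparent mode expectation reports 0x8891 missing; a capture that contains only IPv4 frames reports both the heartbeat and synchronization Ethertypes missing, which is the symptom the Nexus case above produces. If you have changed the Ethertypes with the CLI variables, pass the new hex strings in `ha_config` so the check looks for the values the cluster actually sends.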

HA subsecond failover
HA subsecond failover is an extension of the HA failover mechanism. This new feature
allows you to configure subsecond failover for your HA configuration. This feature applies
to interfaces (or ports) with NP2 or newer network processors. FortiGate-310B units and
above support this feature.
The following is an example of the CLI command syntax used to configure subsecond
failover for HA:
config system ha
set subsecond enable
end

HA reserved management interface
You can provide direct management access to all cluster units by reserving a
management interface as part of the HA configuration. Once this management interface is
reserved, you can configure a different IP address and administrative access settings for
this interface for each cluster unit. Then, by connecting this interface of each cluster unit to
your network, you can be manage each cluster unit separately from a different IP address.
The reserved management interface provides direct management access to each cluster
unit and gives each cluster unit a different identity on your network. This simplifies using
external services, such as SNMP, to monitor and manage each cluster unit.
If you enable SNMP administrative access for the reserved management interface, you
can use SNMP to monitor each cluster unit using the reserved management interface IP
address. You can monitor each cluster unit using SNMP by adding the IP address of each
cluster unit’s reserved management interface to the SNMP server configuration. You must
also enable direct management of cluster members in the cluster SNMP configuration.
If you enable HTTPS or HTTP administrative access for the reserved management
interfaces, you can connect to the web-based manager of each cluster unit. Any
configuration changes made on any cluster unit are automatically synchronized to all
cluster units. From a subordinate unit, the web-based manager has the same features
as on the primary unit, except that unit-specific information is displayed for the
subordinate unit. For example:
• The System Information widget displays the subordinate unit serial number but
  otherwise displays the same information about the cluster as the primary unit.
• On the Cluster members list (go to System > Config > HA), you can change the HA
  configuration of the subordinate unit that you are logged into. For the primary unit and
  other subordinate units, you can change only the host name and device priority.
• Log Access displays the logs of the subordinate unit that you are logged into first. Use
  the HA Cluster list to view the log messages of other cluster units, including the
  primary unit.

If you enable SSH or TELNET administrative access for the reserved management
interfaces, you can connect to the CLI of each cluster unit. The CLI prompt contains the
host name of the cluster unit that you have connected to. Any configuration changes made
on any cluster unit are automatically synchronized to all cluster units. You can also
use the execute ha manage command to connect to other cluster unit CLIs.

FortiOS™ Handbook FortiOS 4.0 MR2 What’s New
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Configuring the reserved management interface and SNMP remote management
of individual cluster units
This example describes how to configure SNMP remote management of individual cluster
units using the HA reserved management interface. The configuration consists of two
FortiGate-620B units already operating as a cluster. In the example, the port8 interface of
each cluster unit is connected to the internal network using the switch and configured as
the reserved management interface.
Figure 4: SNMP remote management of individual cluster units
[Figure: the SNMP server (10.11.101.20) and the cluster's port2 (10.11.101.100) are on
the internal network switch. Port8 of the primary unit is 10.11.101.101 and port8 of the
subordinate unit is 10.11.101.102. Port1 (172.20.120.141) connects the FortiGate-620B
cluster to the Internet.]

To configure the reserved management interface - web-based manager
1 Go to System > Config > HA.
2 Edit the primary unit.
3 Select Reserve Management Port for Cluster Member and select port8.
4 Select OK.
From the CLI, you can also configure a default route that is only used by the reserved
management interface.
To configure the reserved management interface - CLI
1 Log in to the CLI of any cluster unit.
2 Enter the following command to enable the reserved management interface, set port8
as the reserved interface, and add a default route of 10.11.101.100 for the reserved
management interface.
config system ha
set ha-mgmt-status enable
set ha-mgmt-interface port8
set ha-mgmt-interface-gateway 10.11.101.100
end

You can change the IP address of the primary unit reserved management interface from
the primary unit web-based manager. Configuration changes to the reserved
management interface are not synchronized to other cluster units.
To change the primary unit reserved management interface configuration - web-based manager
1 From a PC on the internal network, browse to http://10.11.101.100 and log in to the
cluster web-based manager.
This logs you in to the primary unit web-based manager.
You can identify the primary unit from its serial number or host name that appear on the
System Information dashboard widget.
2 Go to System > Network > Interface and edit the port8 interface as follows:
Alias: primary_reserved
IP/Netmask: 10.11.101.101
Administrative Access: Ping, SSH, HTTPS, SNMP

3 Select OK.
You can now log into the primary unit web-based manager by browsing to
https://10.11.101.101 and the primary unit CLI by using an SSH client to connect to
10.11.101.101.
At this point, you cannot connect to the subordinate unit’s reserved management interface
because it does not have an IP address. Instead, the following procedure describes
connecting to the primary unit’s CLI and using the execute ha manage command to
connect to that subordinate unit’s CLI to change the port8 interface. You can also use a
serial connection to connect to the cluster unit’s CLI. Configuration changes to the
reserved management interface are not synchronized to other cluster units.
To change subordinate unit reserved management interface configuration - CLI
1 Connect to the primary unit CLI and use the execute ha manage command to
connect to a subordinate unit CLI.
You can identify the subordinate unit from its serial number or host name. The host
name appears in the CLI prompt.
2 Enter the following command to change the port8 IP address to 10.11.101.102 and
set management access to https, ping, ssh, and snmp.
config system interface
edit port8
set ip 10.11.101.102/24
set allowaccess https ping ssh snmp
end
You can now log in to the subordinate unit web-based manager by browsing to
https://10.11.101.102 and the subordinate unit CLI by using an SSH client to connect to
10.11.101.102.

The following procedure describes how to configure the cluster to allow the SNMP server
to get status information from the primary unit and the subordinate unit. The SNMP
configuration is synchronized to all cluster units. To support SNMP access through the
reserved management interfaces, you must add at least one HA direct management host to
an SNMP community. If your SNMP configuration includes SNMP users with user names and
passwords, you must also enable HA direct management for SNMP users.
To configure the cluster for SNMP management using the reserved management
interfaces - CLI
1 Enter the following command syntax to add an SNMP community called Community
and add a host to the community for the reserved management interface of each
cluster unit. The host includes the IP address of the SNMP server (10.11.101.20).
config system snmp community
edit 1
set name Community
config hosts
edit 1
set ha-direct enable
set ip 10.11.101.20
end
end
2 Enter the following command syntax to add an SNMP user for the reserved
management interface.
config system snmp user
edit 1
set ha-direct enable
set notify-hosts 10.11.101.20
end
3 Configure other settings as required.
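The procedures above split the work into a synchronized part (config system ha and the
SNMP settings, entered once on any unit) and a per-unit part (the port8 address and
allowaccess, entered on every unit because it is not synchronized). The following Python
script is added here as a worked example; it is not part of the handbook and not Fortinet
code. It generates both parts for the section's cluster and checks the addressing plan
before anything is pasted into a CLI. The unit host names, the function names and the
rules in check_plan are assumptions.

```python
"""Generate FortiOS CLI for an HA reserved management interface plus SNMP
polling of each cluster unit, and check the plan for common mistakes.

Added example for this handbook section; not Fortinet code. Interface,
gateway and SNMP server addresses are those of the section's example;
host names are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class ClusterUnit:
    hostname: str
    mgmt_ip: str   # reserved interface address with prefix, e.g. "10.11.101.101/24"


# Constructed to match the section's cluster (host names assumed).
EXAMPLE_UNITS = (
    ClusterUnit("FG620B-primary", "10.11.101.101/24"),
    ClusterUnit("FG620B-subordinate", "10.11.101.102/24"),
)
EXAMPLE_IFACE, EXAMPLE_GATEWAY, EXAMPLE_SNMP_SERVER = "port8", "10.11.101.100", "10.11.101.20"


def ha_config(iface: str, gateway: str) -> str:
    """Cluster-wide part: 'config system ha' is synchronized, so it is
    entered once, on any unit."""
    return "\n".join([
        "config system ha",
        "set ha-mgmt-status enable",
        f"set ha-mgmt-interface {iface}",
        f"set ha-mgmt-interface-gateway {gateway}",
        "end",
    ])


def unit_interface_config(iface: str, unit: ClusterUnit,
                          access: Sequence[str] = ("https", "ping", "ssh", "snmp")) -> str:
    """Per-unit part: the reserved interface's address and admin access are
    NOT synchronized, so this is applied on each unit separately (on a
    subordinate via 'execute ha manage' from the primary, or the console)."""
    return "\n".join([
        "config system interface",
        f"edit {iface}",
        f"set ip {unit.mgmt_ip}",
        f"set allowaccess {' '.join(access)}",
        "end",
    ])


def snmp_config(community: str, server_ip: str) -> str:
    """Synchronized SNMP settings. 'set ha-direct enable' on the host entry
    is what lets the server poll each unit at its own reserved address."""
    return "\n".join([
        "config system snmp community",
        "edit 1",
        f"set name {community}",
        "config hosts",
        "edit 1",
        "set ha-direct enable",
        f"set ip {server_ip}",
        "end",
        "end",
    ])


def check_plan(units: Sequence[ClusterUnit], gateway: str, server_ip: str) -> List[str]:
    """Return a list of problems with the addressing plan (empty if consistent)."""
    problems = []
    gw = ipaddress.ip_address(gateway)
    seen: Dict[object, str] = {}
    for u in units:
        iface = ipaddress.ip_interface(u.mgmt_ip)
        if gw not in iface.network:
            problems.append(f"{u.hostname}: gateway {gateway} is outside {iface.network}")
        if iface.ip == gw:
            problems.append(f"{u.hostname}: reserved address collides with the gateway")
        if iface.ip in seen:
            # Each unit needs its own identity on the network; a duplicate would
            # make the SNMP server poll the same box twice.
            problems.append(f"{u.hostname}: address {iface.ip} already used by {seen[iface.ip]}")
        seen[iface.ip] = u.hostname
    if ipaddress.ip_address(server_ip) in seen:
        problems.append(f"SNMP server {server_ip} collides with a reserved address")
    return problems


def plan(units: Sequence[ClusterUnit], iface: str, gateway: str,
         community: str, server_ip: str) -> Dict[str, str]:
    """CLI to paste, keyed by where it is entered: 'cluster' (once, on any
    unit) and one entry per unit host name."""
    problems = check_plan(units, gateway, server_ip)
    if problems:
        raise ValueError("; ".join(problems))
    out = {"cluster": ha_config(iface, gateway) + "\n" + snmp_config(community, server_ip)}
    for u in units:
        out[u.hostname] = unit_interface_config(iface, u)
    return out


if __name__ == "__main__":
    for where, cli in plan(EXAMPLE_UNITS, EXAMPLE_IFACE, EXAMPLE_GATEWAY,
                           "Community", EXAMPLE_SNMP_SERVER).items():
        print(f"--- enter on: {where}\n{cli}\n")
```

The split into a "cluster" entry and one entry per host name is the point: pasting the
per-unit block on the wrong unit, or on only one unit, leaves a member without its own
management identity, which is exactly the case the text warns about.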

Firewall
This section explains the new features and changes to existing features that concern the
Firewall menu.
The following topics are included in this section:
• Protection profile re-organization and enhancement
• Explicit Proxy improvements (including Citrix/TS support)
• Central NAT Table

Protection profile re-organization and enhancement
The way to configure UTM features in a firewall policy has dramatically changed in
FortiOS 4.0 MR2. This new re-organization allows you to select options individually, which
simplifies the configuration procedure for applying UTM features to a firewall policy.
The changes are:
• Profiles are configured within each of the UTM submenus, such as UTM > Antivirus. The
  path is UTM > Antivirus > Profile.
• Profiles are available only in Antivirus, Email Filtering, Web Filtering, and VoIP.
• A VoIP profile is introduced, which allows you to configure a profile containing settings
  for the VoIP protocols SIP and SCCP that can then be applied to a firewall policy.

The protection profile menu in Firewall (previously Firewall > Protection Profile) is no
longer available because of this re-organization. When upgrading to FortiOS 4.0 MR2, the
protection profiles that you previously created are carried forward and automatically
reorganized into the new arrangement.

Example
The following is an example of how to configure a profile in the UTM menu and then how
to apply it to a firewall policy. All profiles are applied to a firewall policy the same way as in
this example, even DLP sensors and protocol options.
To create an antivirus profile
1 Go to UTM > Antivirus > Profile.
2 Enter av_email in the Name field.
3 In the Virus row of the table, select the check box for POP3.
4 In the HTTP row of the table, select the check box for POP3, and in the Option column
of that row, select email_only from the drop-down list.
5 In the Method row, select Virus’s Incoming Interface from the drop-down list.
6 Select OK.
To apply the antivirus profile to a firewall policy
1 Go to Firewall > Policy > Policy.
2 Edit the wan1 -> internal row.
3 Select the check box beside UTM.
4 Select the check box beside Antivirus, and then select av_email from the drop-down
list.
5 Select OK.

VoIP profile
The VoIP menu in UTM contains configuration settings for creating multiple profiles for
applying SIP and SCCP protocols to firewall policies. The VoIP menu allows you to
configure specific SIP or SCCP settings that will monitor and examine these protocols
when applied to a firewall policy. For example, you create a profile that is only for SIP calls
and enable logging which includes logging of violation traffic.
When configuring a VoIP profile, you can enable logging of SIP and/or SCCP traffic,
including traffic that violates the profile. These logs appear in the Log Access menu of the
Log & Report menu.

Explicit Proxy improvements (including Citrix/TS support)
The explicit proxy improvements include Citrix/TS support. This provides support for
setting a web proxy address on the Citrix server that points to a FortiGate unit. The
behaviors of the FortiGate unit and the Citrix server are as follows:
FortiGate unit
• web-proxy is a special source interface that can be used in a firewall policy. Traffic that
  arrives at the explicit web proxy is treated as having web-proxy as its source interface
  when the firewall policy is matched.
• A firewall policy is added from web-proxy to any other interface or zone for the secured
  explicit web proxy. The source addresses are the client IP addresses and the destination
  addresses are the targeted server IP addresses, as in any other firewall policy.
  Authentication and protection profiles are supported for the services that the explicit
  web proxy supports.
Citrix
• An administrator on a Citrix server can set an explicit web proxy address that points to
  a FortiGate unit so that the system uses the FortiGate unit as an explicit proxy. The
  Citrix server can then send the authentication information to the FortiGate unit.
• Using the authentication information, the FortiGate unit can block or inspect the Citrix
  user traffic based on individual user names rather than source IP addresses. The
  FortiGate unit correlates the user information from the Citrix server with the user group
  information in its policy, and then applies the profile that is associated with each user
  group.
• If logging is enabled for web filtering, the FortiGate unit generates logs with the user
  information for each block action and for each URL category violation.

In each VDOM, a read-only zone named web-proxy is created by default when an explicit
web proxy is configured. This zone can only be used as the source interface of a firewall
policy. A firewall policy that uses web-proxy as srcintf defines the security policy for the
secured explicit web proxy. The command syntax is as follows:
config firewall policy
edit 1
set status {enable | disable}
set srcintf web-proxy
set dstintf <destination_interface_or_zone>
set srcaddr <source_address>
set dstaddr <destination_address>
set action {allow | deny}
end

Central NAT Table
In the Policy menu, a new menu is available for configuring NAT rules called Central NAT
Table. NAT rules can be applied to a firewall policy.
The Central NAT Table allows you to create NAT rules and to view the NAT mappings
that are set up by the global firewall table. You apply these NAT rules to a firewall policy
by selecting the Use Central NAT Table option within the policy.
Configure central NAT rule sets in Firewall > Policy > Central NAT Table using the
following table.
Central NAT Table page
Lists all the NAT rule sets that you have configured. On this page, you can edit, delete,
move, or create a new NAT rule set. You can also organize NAT rule sets within the list in
the order that you want.

Create New      Creates a new NAT rule set. When you select Create New, you are
                redirected to the New Nat page where you can configure a NAT rule set.
Edit            Modifies settings within the NAT rule set. When you select Edit, you are
                redirected to the Edit Nat page where you can modify the settings of the
                NAT rule set.
Delete          Removes a NAT rule set from the list on the Central NAT Table page. You
                can also remove several NAT rule sets at once, or all the sets in the list.
                To remove several NAT rule sets, select the check box in the row of each
                set you want removed, and then select Delete.
                To remove all NAT rule sets, select the check box in the check box column
                header, and then select Delete.
Enable          Enables the NAT rule set so that it can be used. When the set is enabled,
                the Status column displays a check mark in the check box.
Disable         Disables the NAT rule set so that it cannot be used. When the set is
                disabled, the Status column does not display a check mark, and the NAT
                rule set's row is grayed.
Insert          Inserts a new NAT rule set above the selected NAT rule set. When you
                select Insert, you are redirected to the New Nat page.
Move To         Moves a NAT rule set before or after another NAT rule set in the list.
                When you select Move To, you are redirected to the Move Policy page.
                When you move NAT rule sets within the list, their NAT ID numbers do not
                change. For example, if the NAT rule set with ID 1 is moved to the tenth
                row in the list, it still keeps its original ID number, 1.
Status          Indicates whether the NAT rule set is enabled or disabled. A check mark in
                the check box indicates that it is enabled. If the row is grayed and there
                is no check mark, the NAT rule set is disabled.
NAT ID          The NAT identification number. This number is used when indicating where
                to move the NAT rule set within the list.
Original        The source IP address. You can add multiple IP addresses to the source
Address         address by selecting Multiple. When you select Multiple, the Choose
                Multiple Addresses window appears. To choose multiple addresses, select
                the address in Available Addresses, and then select the down arrow to
                move it to Members.
Original Port   The original source port number range.
Translated      The translated IP address range.
Address
Translated      The translated port number range.
Port

Move Policy page
Policy ID       The NAT ID of the rule set that is highlighted and will be moved. For
                example, if Policy ID is 1 and 10 is entered in the Move To field, NAT rule
                set 1 is moved to the tenth row in the list.
Move To         Select Before to move the NAT rule set before another set, and then enter
                the ID of the other set; the ID is the number from the NAT ID column. For
                example, if Policy ID is 1 and 2 is entered, set 1 is placed before set 2.
                Select After to move the NAT rule set after another set, and then enter
                the ID of the other set. For example, if Policy ID is 4 and 3 is entered,
                set 4 is placed after set 3, so that 3 comes before 4.

New Nat page
Provides settings for configuring the NAT rule set.
Source Address  Select the source IP address from the drop-down list. You can optionally
                create a group of source IP addresses by selecting Multiple in the
                drop-down list, or create a new source IP address by selecting Create
                New.
Translated      Select the dynamic IP pool from the drop-down list.
Address
Original Port   Enter the port range that the traffic originates from.
Translated      Enter the translated port number range. The number in the Original Port
Port            field must be greater than the port number that is entered in this field.

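The list controls described above (Create New, Insert, Move To, Enable and Disable)
decide which rule a packet actually hits, because the table is evaluated in list order and
the first enabled match wins. The following Python model is added here as an example; it
is not FortiOS code. It implements that first-match semantics and the rule that a NAT ID
survives a move. Two details are assumptions made to keep the model small: ports are
translated 1:1 by their offset within the configured range, and the first address of the IP
pool is used.

```python
"""Model of the central NAT table's ordering semantics: rules are matched
from the top of the list, the first enabled match is applied, and Insert
and Move To change a rule's position but never its NAT ID.

Added example for this section; not FortiOS code. Port-offset mapping and
use of the first pool address are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    nat_id: int
    original_addresses: Tuple[str, ...]    # source hosts/networks, e.g. "10.1.1.0/24"
    original_ports: Tuple[int, int]        # inclusive range
    translated_addresses: Tuple[str, ...]  # the dynamic IP pool
    translated_ports: Tuple[int, int]
    enabled: bool = True

    def matches(self, src_ip: str, src_port: int) -> bool:
        ip = ip_address(src_ip)
        lo, hi = self.original_ports
        return lo <= src_port <= hi and any(
            ip in ip_network(a, strict=False) for a in self.original_addresses)

    def translate(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        # Assumption: 1:1 mapping by offset, so the translated range must be
        # at least as wide as the original range.
        olo, ohi = self.original_ports
        tlo, thi = self.translated_ports
        if thi - tlo < ohi - olo:
            raise ValueError(f"NAT ID {self.nat_id}: translated port range too narrow")
        return self.translated_addresses[0], tlo + (src_port - olo)


class CentralNatTable:
    def __init__(self) -> None:
        self._rules: List[NatRule] = []
        self._next_id = 1

    def _new(self, **fields) -> NatRule:
        rule = NatRule(nat_id=self._next_id, **fields)
        self._next_id += 1          # IDs are never reused or renumbered
        return rule

    def _index(self, nat_id: int) -> int:
        for i, r in enumerate(self._rules):
            if r.nat_id == nat_id:
                return i
        raise KeyError(f"no NAT rule set with ID {nat_id}")

    def create(self, **fields) -> NatRule:
        """Create New: appended at the bottom of the list."""
        rule = self._new(**fields)
        self._rules.append(rule)
        return rule

    def insert_above(self, nat_id: int, **fields) -> NatRule:
        """Insert: new rule placed directly above the given one."""
        rule = self._new(**fields)
        self._rules.insert(self._index(nat_id), rule)
        return rule

    def move(self, nat_id: int, before: Optional[int] = None,
             after: Optional[int] = None) -> None:
        """Move To: reposition a rule before or after another; ID unchanged."""
        if (before is None) == (after is None):
            raise ValueError("give exactly one of before= or after=")
        rule = self._rules.pop(self._index(nat_id))
        if before is not None:
            self._rules.insert(self._index(before), rule)
        else:
            self._rules.insert(self._index(after) + 1, rule)

    def set_enabled(self, nat_id: int, enabled: bool) -> None:
        self._rules[self._index(nat_id)].enabled = enabled

    def order(self) -> List[int]:
        """NAT IDs in list order, as the Central NAT Table page shows them."""
        return [r.nat_id for r in self._rules]

    def lookup(self, src_ip: str, src_port: int):
        """First enabled matching rule as (nat_id, (ip, port)), or None."""
        for r in self._rules:
            if r.enabled and r.matches(src_ip, src_port):
                return r.nat_id, r.translate(src_ip, src_port)
        return None
```

The usage in the test below shows the classic shadowing mistake: a broad 10.0.0.0/8 rule
created first hides a more specific 10.1.1.0/24 rule until the specific rule is moved above
it, and the moved rule keeps NAT ID 2 throughout.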
User
This section explains the new features and changes to existing features that concern the
User menu.
The following topics are included in this section:
• LDAP/RADIUS password renewal
• BGP support for four-byte AS Path
• IM users

LDAP/RADIUS password renewal
You can now configure settings for password renewal and notice of expiry for LDAP
servers. You can also enable support for UTF-8 encoded logins for RADIUS
servers.
Configuration of these settings is available in the CLI.
For RADIUS:
config vpn ssl settings
set force-utf8-login {enable | disable}
end
For LDAP password renewal:
config user ldap
edit <name>
set password-expiry-warning {enable | disable}
set password-renewal {enable | disable}
end

BGP support for four-byte AS Path
FortiGate models now support four-byte AS numbers in the AS path. With this BGP
capability, an autonomous system number is four octets (32 bits) long instead of two
octets (16 bits). For more information about this capability, see RFC 4893.

IM users
Previously, the IM tabs in User > IM and User > Monitor > IM appeared by default. The
new menu arrangement in the User menu in FortiOS 4.0 MR2 hides these menus until you
create an IM user in the CLI.
The menus for IM users appear in User > User and User > Monitor in the web-based
manager after you configure an IM user using the config imp2p command.

UTM
This section explains the new features and changes to existing features that concern the
UTM menu.
The following topics are included in this section:
• FortiGuard Web Filtering quotas
• Skype control improvements
• Flow-based antivirus database
• Extreme antivirus database
• SSL proxy exemption by FortiGuard Web Filter category
• Monitoring application control traffic
• Applying traffic shaping settings to an application control list

FortiGuard Web Filtering quotas
FortiGuard Web Filtering quotas allow administrators to set time limits for authenticated
users when those users access web sites that fall under the FortiGuard Web Filtering
categories, category groups and classifications.
The administrator, who must have read and write privileges, defines each user group’s
time limits for the category, category group and classification. Quotas are calculated
separately for each user and the daily quota amounts used are reset at midnight. The
quota is applied to each user individually so the FortiGate unit must be able to identify
each user. Quotas are ignored if applied to a firewall policy that does not require user
authentication.
When a user first attempts to access a URL, they are prompted to authenticate with the
FortiGate unit. When they provide their username and password, the FortiGate unit
recognizes them, determines their quota allowances, and monitors their web use. The
category and classification of each page they visit is checked, and the FortiGate unit
adjusts the user’s remaining available quota for the category or classification.
The following procedure explains how to configure FortiGuard Web Filtering quotas in an
existing web filter profile.
To configure FortiGuard Web Filtering quotas
1 Go to UTM > Web Filter > Profile.
2 Edit an existing web profile.
3 In the FortiGuard Web Filtering row, select the check box for HTTP to enable
FortiGuard Web Filtering.
If you require FortiGuard Web Filtering for HTTPS, select that check box.
4 Expand FortiGuard Web Filtering.

5 In the table under FortiGuard Web Filtering, in the FortiGuard Quota area, use the
following to configure the settings you want for each category, category group and
classification:
Disable   By default, quotas are disabled for all categories, category groups and
          classifications. Select Enable to allow configuration of quota settings.
Enable    Select to allow access to configuring the quota settings.
Exempt    The quota checking sequence occurs for every URL that the user accesses, and
          this can cause unexpected behavior. Select Exempt to ignore the category,
          category group, or classification entirely. Use this when accessed web pages
          load elements from other sites that have different category ratings, for
          example pages that load ads from advertising sites.
          This action does not stop quota timers that are already running.
Quota     Enter a number for the time, which can be in hours, minutes or seconds. Select
          the unit of time from the drop-down list: Minute(s), Hour(s) or Second(s).

6 Select OK.

Viewing FortiGuard quota usage
You can view current web quota usage from UTM > Web Filter > FortiGuard Quota. This
list displays all of the users, sorted by user name, who have used up some of their quota
time, and how much time each has used. You can view an individual user's quota by
selecting the View icon in the row of the user.

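The following Python class is added here as a worked example (it is not FortiOS code) and
models the quota accounting described above: per-user, per-category daily counters that
reset at midnight, exempt categories that are never counted, categories with quotas
disabled that are never counted, and unauthenticated sessions that are never charged
because the policy cannot identify the user. The class name, the per-visit charging model
and the category names used in the checks are assumptions.

```python
"""Per-user daily FortiGuard Web Filtering quota accounting, modelled on the
behaviour described in this section. Added example, not FortiOS code; the
per-visit charging model and category names are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Optional, Union


class WebFilterQuota:
    EXEMPT = "exempt"   # marker value: category is ignored entirely

    def __init__(self, quotas: Dict[str, Union[int, str]]) -> None:
        # quotas maps category -> seconds per day, or -> EXEMPT.
        # Categories absent from the mapping have quotas disabled (no accounting).
        self.quotas = dict(quotas)
        self.used: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.day: Dict[str, object] = {}   # user -> date currently being counted

    def _roll_over(self, user: str, when: datetime) -> None:
        """Daily amounts are reset at midnight: a new date clears the user's counters."""
        if self.day.get(user) != when.date():
            self.used[user].clear()
            self.day[user] = when.date()

    def check(self, user: Optional[str], category: str, when: datetime,
              seconds: int) -> bool:
        """Return True if the page may be viewed. `seconds` is the time this
        visit will consume; it is charged to the user only when allowed."""
        if user is None:
            return True   # policy without authentication: quotas are ignored
        limit = self.quotas.get(category)
        if limit is None or limit == self.EXEMPT:
            return True   # disabled or exempt: no accounting at all
        self._roll_over(user, when)
        if self.used[user][category] >= limit:
            return False  # quota for today exhausted
        self.used[user][category] += seconds
        return True

    def remaining(self, user: str, category: str, when: datetime) -> Optional[int]:
        """What the FortiGuard Quota page would show; None if not quota-managed."""
        limit = self.quotas.get(category)
        if limit is None or limit == self.EXEMPT:
            return None
        self._roll_over(user, when)
        return max(0, int(limit) - self.used[user][category])
```

The exempt check deliberately happens before any accounting, which is the behaviour the
Exempt column describes: a page that pulls in advertising elements never touches the
user's counters for the advertising category. Note that a visit that starts with quota left
is allowed in full, so the counter can overshoot the limit; only the next visit is blocked.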
Skype control improvements
The FortiGate unit can now learn the IP addresses and ports that are used by Skype. This
provides a much better way for the FortiGate unit to detect Skype users, because previously
Skype detection was based on packet patterns. Because the traffic is encrypted, some
connections eventually got through, and the Skype client connected regardless of whether
the connection was blocked or not.
The way the FortiGate unit learns IP addresses and ports used by Skype is an internal
change, so there is no configuration required in the CLI or in the web-based manager.

Flow-based antivirus database
The flow-based antivirus database, located in UTM > Antivirus > Virus Database, uses the
FortiGate IPS engine to examine network traffic for viruses, worms, trojans, and malware
without the need to buffer the file being checked.
Flow-based scanning is fast and has no maximum file size limit, because the file does not
have to be buffered during the scan as it passes through the FortiGate unit packet by
packet. The client receiving the file data therefore receives it immediately.
The trade-off for these advantages is that flow-based scans detect a smaller number of
infections. Viruses in documents, packed files, and some archives are less likely to be
detected because the scanner can only examine a small portion of the file at any moment.

Extreme antivirus database
The extreme antivirus database contains both “In the wild” viruses and all available “zoo”
viruses. The “zoo” viruses are viruses that are no longer seen in recent virus studies, and
are largely dormant today. Some zoo viruses may rely on operating systems and
hardware that are no longer widely used.
The extreme antivirus database is located in UTM > Antivirus > Virus Database. This
database provides more flexibility, allowing you to have maximum protection against both
current and older viruses without sacrificing performance, for example when testing
whether the FortiGate unit catches all viruses.
The extreme antivirus database is supported on FortiGate models with large storage
space.

SSL proxy exemption by FortiGuard Web Filter category
Administrators can now exempt a FortiGuard Web Filter category from SSL content
inspection on higher-end FortiGate models. This is configured in the CLI using the
following command syntax:
config webfilter profile
edit <profile_name>
config ftgd-wf
set ssl-exempt {all | <category_str>}
end
Use the get command to view all available category codes with descriptions. For
example, g01 Potentially Liable.
When the exemption is configured, the SSL proxy avoids decrypting sessions to the
specified FortiGuard Web Filter categories by behaving this way:
• Reads the client hello but does not complete the handshake.
• Connects to the server.
• Passes the client hello to the server and reads the server hello.
• Extracts the common name from the server hello and checks it, together with the server
  IP address, against the FortiGuard Web Filtering lists.
• If the traffic is not exempt, the handshakes with the client and the server are completed
  and the clear-text traffic is passed through the HTTP proxy to handle all scanning
  options that are in place. If the traffic is exempt, the session is passed through without
  being decrypted.

Application control enhancements
In this release, you can configure three new settings within an application control list:
monitor application traffic, apply traffic shaping settings, and enable packet logging. The
following explains how to monitor application control traffic and apply traffic shaping
settings to an application control list.
Packet logging can also be enabled in an application control list; it can be used for false
positive analysis or forensic analysis.

Monitoring application control traffic
The application control monitoring feature provides the ability to monitor application
control traffic on your network. When this feature is enabled in an application control list
entry and the list is selected in a firewall policy, all the detected traffic required to populate
the selected charts is logged to the SQL database on the FortiGate unit hard drive.
The charts are available for display in Log & Report > Report Access > Executive
Summary. The advantage of these charts is that the information is stored on the hard
drive, so it is not affected if you need to restart the system. The monitor widgets in the
Dashboard menu, such as Top Application Usage, are reset whenever the system is
restarted. The charts within the Executive Summary page also provide more detail than
those widgets do.
The application control monitoring feature is available only on FortiGate units that have
internal hard drives.
You enable application control monitoring within the application control list (UTM >
Application Control > Application Control List) by selecting the check box beside Enable
Monitoring. The application control list must then be applied to the firewall policy. Use
the following procedure to enable monitoring.
To configure application control monitoring
1 Go to UTM > Application Control > Application Control List.
2 Edit the application control list that you want to enable monitoring on.
If you have not created an application control list for monitoring, create a new one
before proceeding, for example an application control list that contains only P2P
applications.
3 On the Edit Application Control List page, select the check box beside Enable
Monitoring.
4 Go to Firewall > Policy > Policy.
5 Edit the firewall policy that you want to apply monitoring on.
6 In the UTM section, select the check box beside Enable Application Control.
When you enable application control, three check boxes appear: Top 10 Applications,
Top 10 P2P Users and Top 10 Media Users.
7 Select the application control item that has monitoring enabled on it from the
drop-down list.
8 Select the check boxes beside Top 10 Applications, Top 10 P2P Users and Top 10
Media Users.
9 Go to Log & Report > Report Access > Executive Summary.
There are three charts within the Executive Summary page that will display the
application control monitoring information, one for top 10 applications, media users and
P2P users.
10 Add the following widgets to the Executive Summary page:
• appcrtl.Count.Bandwidth.Top10.Apps.last24h(Graph)
• appcrtl.Count.Bandwidth.Top10.MediaUser.last24h(Graph)
• appcrtl.Count.Bandwidth.Top10.P2Puser.last24h(Graph)
When application control logs begin recording, you will see information about the top 10
applications, media users and P2P users in the charts. You can edit these charts if you
want by select the Edit icon in the title bar area.

Applying traffic shaping settings to an application control list
You can apply traffic shaping settings to an application control list to better control the
application traffic on your network. When you apply traffic shaping to an application control
list, it allows you to limit or guarantee the bandwidth available to the application or
applications specified in the application control list. You can also prioritize the traffic by
using traffic shaping. You can apply traffic shaping only to application lists that have Action
set to Pass. When Action is set to Pass, the traffic shaping settings are displayed. They
are disabled by default.
You must have a traffic shaper configured before enabling this option because you cannot
configure a traffic shaper from within the application control entry.
Note: You cannot edit the existing Implicit 1 or Implicit 2 application entries to include traffic
shaping.

The following procedure assumes that you have already configured a traffic shaper and an
application control list.
To apply traffic shaping to an application entry
1 Go to UTM > Application Control > Application Control List.
2 Edit the application control list that you want to apply the traffic shaper to.
3 Within the application control list, edit an application control entry.
If you want to, you can create a new entry by selecting Create New.
4 Select Pass from the Action drop-down list.
Traffic Shaping and Reverse Direction Traffic Shaping options appear.
5 Select the check box beside Traffic Shaping, and then select the traffic shaper from the
drop-down list.
If you want to include reverse direction traffic shaping, select the check box beside
Reverse Direction Traffic Shaping, and then select the traffic shaper from the
drop-down list.
6 Select OK.

VPN
This section explains the new features and changes to existing features that concern the
VPN menu.
The following topics are included in this section:
• FortiMobile SSL-VPN app
• L2TP and IPSec support

FortiMobile SSL-VPN app
The FortiMobile SSL-VPN app allows you to remotely connect to your FortiGate unit
without a browser or computer. The app uses only SSL-VPN web mode. SSL VPN web
mode provides remote users with a fast and efficient way to access server applications
from any client computer that is equipped with a web browser. Configuring the SSL VPN
web mode on the FortiGate unit involves enabling the SSL VPN feature and selecting the
appropriate web portal configuration in the user group setting.
The FortiMobile SSL-VPN app is found on Apple’s iTunes app store, and is available for
free; however, you must have an iTunes account to access the app and download it from
the store. The Fortinet SSL-VPN app supports iPhone and iPod touch hardware running
OS 3.0 and above, and can communicate with a FortiGate unit running FortiOS 4.0 MR2
or higher.
The FortiMobile SSL-VPN app includes configuration for:
• gateway (FortiGate IP address)
• user name
• password

When using the FortiMobile SSL-VPN app, the following occurs:
• The app acts as a browser that connects to the web mode to retrieve the bookmarks.
• When you tap a bookmark, the app starts Mobile Safari and shows the bookmark’s content page.
• Only HTTP/HTTPS type bookmarks are supported; other types are hidden.
• You can add, edit, or delete user-defined bookmarks.
• Tunnel mode is not supported.
Note: You must have an iTunes account to access the FortiMobile SSL-VPN web access
app.

L2TP and IPSec support
L2TP over IPSec is supported for the native Windows XP, Windows Vista, and Mac OSX
VPN clients. However, with Mac OSX (OSX 10.6.3, including patch releases) the L2TP
feature does not work properly on the Mac OS side: the L2TP-IPSec connection between the
FortiGate unit and the Mac OSX native client fails during L2TP negotiation. This negotiation
failure is caused by a bug in the Mac OSX L2TP client.
The negotiation failure can be seen clearly in the log message: the hostname field contains
no information at all.


Endpoint
This section explains the new features and changes to existing features that concern the
Endpoint menu on the web-based manager.
In FortiOS 4.0 MR2, this menu was renamed from Endpoint NAC to Endpoint.
The following topics are included in this section:
• Endpoint menu enhancements
• Endpoint application enforcement
• Network Vulnerability Scan

Endpoint menu enhancements
In FortiOS 4.0 MR2, several enhancements were made to the Endpoint NAC menu,
including changing its name to Endpoint. The enhancements provide a network scanning
feature that was previously only available on FortiAnalyzer units, as well as configuration
of application sensors, which were previously application detection lists.
The Endpoint menu contains the following menus:
• NAC
  • Application Sensor
  • Application Database
  • Profile
  • FortiClient
• Network Vulnerability Scan
  • Asset
  • Scan
• Monitor
  • Endpoint Monitor

The Network Vulnerability Scan provides a way to scan network hosts for vulnerabilities
from the FortiGate unit. A schedule for a scan is configured on the Network Scan page. An
asset provides information about what type of scan will occur, as well as the IP address of
the host or the IP address range.

Endpoint application enforcement
Endpoint application enforcement is an extension of the Endpoint Application Detection
feature. This new enforcement allows you to quarantine hosts that are not running
software required by your company or organization’s policy. Previously, when defining an
application profile, you specified violating applications only. This extension allows you
to toggle between violating and required applications. It is available in
Endpoint > NAC > Application Sensor.
The following is an example of the CLI command syntax to configure endpoint application
enforcement:
config endpoint-control app-detect rule-list
  edit rule-list
    config entries
      edit 1
        set application 379
        set category 0
        set vendor 446
        set action allow
        set status installed
      next
    end
    set comment "for branch office use only"
    set other-application-action deny
  next
end

Network Vulnerability Scan
Caution: In FortiOS 4.0 MR2 GA build-272, the network vulnerability scan feature does not
work properly. Fortinet recommends upgrading to FortiOS 4.0 MR2 Patch 1 release
(build-279). This patch release resolves the issues as well as adds the Discovery Assets,
Start Scan, and Last Scan icons to the Asset page. These are explained in this topic.

The Network Vulnerability Scan feature, previously found only on FortiAnalyzer units and
FortiScan, allows you to analyze information as well as ensure and enforce PCI
compliance. This feature is intended for larger enterprises.
Network Vulnerability Scan options and settings are found in Endpoint > Network
Vulnerability Scan. Before you configure network vulnerability scan options, you must
ensure that an asset is configured; you can then schedule a scan. An asset must be
configured because the FortiGate unit uses it as instructions on what to scan and on
whether Windows authentication or Unix authentication is required.
When the scan is performed, it automatically applies all assets or asset groups that are
enabled. The scan behaves as follows:
• all Host assets are discovered as specified in the host definition
• all discovered hosts are scanned for the configured sensors, port scan, and so on
• all IP Range assets are discovered as specified in the range definition
• scanning is run for each unique IP in the list, up to the maximum number of IPs
  supported per platform
• results from the scan are stored either on the FortiAnalyzer unit or in the SQL database

In FortiOS 4.0 MR2 Patch 1 release, you can discover assets or start a scan from the
Asset page. You can also view when the last scan was performed, which is displayed
beside Last scan:. For example, if a scan was performed over the weekend, it displays
Last scan: 2010-06-05 13:15:50.
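The scan behaviour listed above, worked through as an added example that is not part of the handbook and not Fortinet’s code: the Python below expands the enabled Host and Range assets into the unique set of IPs a scan would cover, drops duplicates (as the Assets Found import does) and stops at a per-platform maximum, reporting how many targets fell beyond it. The asset records, the addresses and the maximum of 64 are constructed for the example; the page does not state the real per-platform limits.

```python
"""Expand Network Vulnerability Scan assets into a deduplicated, capped target list.
Added example; the Asset and per-platform maximum values below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    type: str               # "Host" or "Range", the two types on the Asset Settings page
    ip: str                 # "192.0.2.10" for Host, "192.0.2.1-192.0.2.16" for Range
    enabled: bool = True    # the Enable column on the Asset page


def expand_asset(asset):
    """Return the IPs an asset definition covers; a disabled asset covers none."""
    if not asset.enabled:
        return []
    if asset.type == "Host":
        return [ipaddress.IPv4Address(asset.ip)]
    if asset.type == "Range":
        first, last = (ipaddress.IPv4Address(p.strip()) for p in asset.ip.split("-"))
        if last < first:
            raise ValueError(f"{asset.name}: range end precedes range start")
        return [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]
    raise ValueError(f"{asset.name}: unknown asset type {asset.type!r}")


def build_scan_list(assets, max_ips):
    """Unique target IPs in asset order, capped at max_ips.

    Returns (targets, skipped): skipped counts IPs that were unique but fell
    beyond the cap, so an operator can see that the scan was truncated rather
    than assume every asset was covered.
    """
    seen = set()
    targets = []
    skipped = 0
    for asset in assets:
        for ip in expand_asset(asset):
            if ip in seen:
                continue            # duplicates are removed, as on the Asset page
            seen.add(ip)
            if len(targets) < max_ips:
                targets.append(ip)
            else:
                skipped += 1
    return targets, skipped


# Constructed sample asset list: one host lies inside the range, one asset is disabled.
SAMPLE_ASSETS = [
    Asset("web-server", "Host", "192.0.2.10"),
    Asset("dmz", "Range", "192.0.2.1-192.0.2.16"),
    Asset("old-lab", "Range", "198.51.100.1-198.51.100.4", enabled=False),
    Asset("printer", "Host", "192.0.2.40"),
]

if __name__ == "__main__":
    targets, skipped = build_scan_list(SAMPLE_ASSETS, max_ips=64)
    print(f"{len(targets)} unique IPs to scan, {skipped} beyond the platform limit")
```

With the constructed list and a cap of 64 the scan covers 17 unique addresses; with a cap of 10 it covers the first ten and reports seven skipped, which is the figure worth alerting on when a large range is added.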

Configuring assets
Assets must be configured so that the unit knows what to scan.
Configure an asset in Endpoint > Network Vulnerability Scan > Asset using the following
table. The information in the following table is based on the FortiOS 4.0 MR2 Patch 1 release
because it resolves issues in the GA release.

Asset page
Lists each individual asset that you created. On this page, you can edit, delete or create a new
asset.

Create New
  Creates a new asset. When you select Create New, you are automatically redirected to the
  new asset page, called Asset in the web-based manager.
Edit
  Modifies settings in an asset. When you select Edit, you are automatically redirected to the
  edit asset page, called Asset in the web-based manager.
Delete
  Removes an asset from the list on the Asset page. You can also remove multiple assets from
  the list, or remove all assets from the list.
  To remove multiple assets from the list, on the Asset page, select the check box in each of
  the rows of the assets you want removed, and then select Delete.
  To remove all assets from the list, on the Asset page, select the check box in the check box
  column, and then select Delete.
Last scan: [yyyy-mm-dd hh:mm:ss]
  Displays when the last scan occurred. The time format is year, month, day, and then the
  time in 24-hour format. For example, for a scan performed at 1 pm, the time displays
  2010-06-04 13:00:00.
Start Running. Started: [yyyy-mm-dd hh:mm:ss]
  Appears when a user selects Start Scan and the FortiGate unit begins scanning the network.
  Displays the time when the scan began.
Stop
  Appears when a user selects Start Scan. Select it whenever you want to immediately stop
  scanning the network.
Assets Found (n)
  Displays how many assets were found. If any were found, you can select Assets Found and
  view the Assets window, which allows you to import the assets to the FortiGate unit. Any
  duplicates that are found during the importing process are removed.
Discover Assets
  Select to find out whether there are any assets on the network. The FortiGate unit uses the
  asset list that you created to perform the scan.
Start Scan
  Select to start scanning the configured assets.
Name
  The name of the asset.
IP Address/Range
  The IP address and/or range entered for that asset. If Host was chosen as the type for the
  asset, the IP address of the host displays. If Range was chosen as the type for the asset, the
  IP address range appears.
Enable
  Displays whether or not the asset is enabled for scanning.
Last Discovery
  The last discovery that was performed for the asset.

Asset Settings page
Provides settings for configuring an asset.

Name
  Enter a name for the asset that you are creating.
Type
  Select Host to configure the host’s IP address. Select Range to configure the IP address
  range.
IP Address
  Enter the IP address of the host, or the IP address range, depending on what you selected
  in Type.
Scan Type
  Select Asset Discovery Only to discover the asset without scanning it for vulnerabilities.
  Select Vulnerability Scan to scan for various vulnerabilities.
Windows Authentication
  Select to use authentication on a Windows operating system. Enter the username and
  password in the fields provided. The fields appear after selecting Windows Authentication.
Unix Authentication
  Select to use authentication on a Unix operating system. Enter the username and password
  in the fields provided. The fields appear after selecting Unix Authentication.

Scheduling a scan
You can configure settings to schedule when a scan is performed by the FortiGate unit.
Configure a schedule in Endpoint > Network Vulnerability Scan > Scan using the following
table.

Network Scan page
Provides settings for configuring a schedule and what type of scanning you want the FortiGate unit
to perform.

Scan Mode
  Select the mode the FortiGate unit will use to scan for vulnerabilities.
  • Quick – checks only the most commonly used ports
  • Standard – checks only the ports used by the most known applications
  • Full – checks all TCP and UDP ports
Schedule
  Select whether the vulnerability scan runs on request or on a schedule.
  • Manually – performs a scan only on request
  • Schedule – performs the scan according to the schedule configured in the fields below
Recurrence
  Select to have the schedule occur on a daily, weekly, or monthly basis. If you select
  Weekly, the Day of Week drop-down list appears. If you select Monthly, the Day of Month
  drop-down list appears.
Time
  Select the time to start the schedule, in the format HH:MM.
Day of Week
  Select the day of the week from the drop-down list on which you want to schedule the
  scan.
Day of Month
  Select the day of the month from the drop-down list on which you want to schedule the
  scan.

WAN Opt. & Cache
This section explains the Web Cache list, a new feature for FortiOS 4.0 MR2, which
concerns the WAN Opt. & Cache menu.

Web Cache exempt
A new exempt list is now available for the Web Cache feature. This new list allows users
to exempt URLs from being cached. You can configure the list either in the CLI or the
web-based manager.
To configure the exempt list - web-based manager
1 Go to WAN Opt. & Cache > Cache > Exempt List.
2 Select Create New.
3 Enter the URL address in the URL Pattern field.
4 If you do not want the URL address to be considered, clear the check box beside
Enable to disable the entry.
5 Select OK.
The following is an example of a configured Web Cache exempt list when configured
using the CLI.
config wanopt webcache
  set explicit enable
  set cache-exempt enable
  config cache-exemption-list
    edit 1
      set url-pattern 192.168.1.99
      set status disable
    next
    edit 2
      set url-pattern example.com/pic123/321
    next
    edit 3
      set url-pattern 10.10.10.1
    next
  end
end

FortiOS Carrier
This section explains the new features and changes to existing features for FortiOS
Carrier in FortiOS Carrier 4.0 MR2.
FortiOS Carrier 4.0 MR2 also contains the same redesign of the web-based manager as in
FortiOS. For more information about the changes, see “The redesigned web-based
manager” on page 97.
The following topics are included in this section:
• Opera Mini Browser support
• MMS filtering enhancements
• Carrier menu in UTM
• Profile Group

Opera Mini Browser support
Opera Mini is a service that lets end users browse web pages from MIDP 1 and MIDP 2
compliant handsets. This new feature allows the FortiGate unit to extract URLs from Opera
Mini client requests, and to update the HTTP header if a block page is returned.
The following CLI command syntax is used when configuring support for handling Opera
Mini browser traffic with VDOMs configured:
config vdom
  edit <vdom_name>
    edit <name>
      config url-extraction
        set status {enable | disable}
        set server-fqdn <fqdn_name>
        set redirect-header <x-redirect>
        set redirect-url <url_address>
        set redirect-no-content {enable | disable}
      end
    next
  end
When you have configured Opera Mini browser support, you also need to configure the
special requests that the client generates, which must be passed directly through to the
Opera Mini servers; for example, End-User License Agreement requests to eula.* .
The following CLI command syntax example is used when configuring the special
requests for the Opera Mini servers.
config webfilter urlfilter
  edit 0
    config entries
      edit "*/server:test"
        set action pass
        set type wildcard
      next
      edit "*/server:t0"
        set action pass
        set type wildcard
      next
      edit "*/eula:*"
        set action pass
        set type wildcard
      next
      edit "*/b:*"
        set action pass
        set type wildcard
      next
      edit "*/search:*"
        set action pass
        set type wildcard
      next
      edit "*/news:*"
        set action pass
        set type wildcard
      next
      edit "*/feeds:*"
        set action pass
        set type wildcard
      next
      edit "*/opera:"
        set action pass
        set type wildcard
      next
      edit "*/operaette:"
        set action pass
        set type wildcard
      next
      edit "*/javascript:"
        set action pass
        set type wildcard
      next
    end
    set name "opera-mini-special-requests"
  next
end
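Both ordered pattern lists on this page, the Web Cache exempt list in the WAN Opt. & Cache section and the Opera Mini urlfilter entries just above, share one shape: entries with a pattern, an action and a status, evaluated top to bottom. The Python below is an added example, not Fortinet’s code, that models that evaluation over both lists as data. The matching rules are assumptions for the example only: a wildcard entry is an anchored glob (fnmatch), a simple entry is a substring match, comparison is case-insensitive, and the first matching enabled entry wins. FortiOS’s real matching semantics are not given on the page.

```python
"""Evaluate FortiOS-style URL pattern lists (added example; matching rules assumed)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Entry:
    pattern: str
    action: str             # "pass", "block" or, for the cache list, "exempt"
    type: str = "wildcard"  # "wildcard": anchored glob; "simple": substring (both assumed)
    status: str = "enable"  # "disable" entries stay in the list but never match


def entry_matches(entry, url):
    """Does one list entry match the URL? Disabled entries never match."""
    if entry.status != "enable":
        return False
    target = url.lower()
    if entry.type == "wildcard":
        return fnmatchcase(target, entry.pattern.lower())
    return entry.pattern.lower() in target


def evaluate(entries, url, default):
    """First matching entry wins, as in an ordered filter list; else the default."""
    for entry in entries:
        if entry_matches(entry, url):
            return entry.action
    return default


# The Opera Mini special-request entries from the urlfilter above, as data.
OPERA_MINI_ENTRIES = [
    Entry(p, "pass") for p in (
        "*/server:test", "*/server:t0", "*/eula:*", "*/b:*", "*/search:*",
        "*/news:*", "*/feeds:*", "*/opera:", "*/operaette:", "*/javascript:",
    )
]

# The Web Cache exempt list from the earlier section, as data (entry 1 is disabled).
CACHE_EXEMPT_ENTRIES = [
    Entry("192.168.1.99", "exempt", type="simple", status="disable"),
    Entry("example.com/pic123/321", "exempt", type="simple"),
    Entry("10.10.10.1", "exempt", type="simple"),
]


def opera_mini_action(url):
    """'pass' for a special request; 'inspect' (constructed default) otherwise."""
    return evaluate(OPERA_MINI_ENTRIES, url, default="inspect")


def is_cache_exempt(url):
    return evaluate(CACHE_EXEMPT_ENTRIES, url, default="cache") == "exempt"


if __name__ == "__main__":
    for url in ("http://mini.opera.com/eula:en", "http://mini.opera.com/opera:abc"):
        print(url, "->", opera_mini_action(url))
    for url in ("http://192.168.1.99/index.html", "http://example.com/pic123/321/a.jpg"):
        print(url, "cache exempt:", is_cache_exempt(url))
```

Under the anchored-glob assumption the three entries written without a trailing `*` (`*/opera:`, `*/operaette:`, `*/javascript:`) match only a URL that ends at the colon, so `/opera:abc` falls through to the default; when auditing a pass list, checking what each pattern actually matches is the point of running it over sample URLs like this.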

MMS filtering enhancements
In FortiOS 4.0 MR2, you can now block MMS messages by a checksum value computed
against the attachment, and by the image file types within the message.
You can configure the checksum value for blocking MMS messages against the
attachment by going to UTM > Carrier > MMS Content Checksum, and then apply it to the
MMS Profile in UTM > Carrier > MMS Profile.
In the MMS Scanning section of the New MMS Profile page (or, if you are editing an
existing MMS Profile, the Edit MMS Profile page), you select the checksum from the
drop-down list in the MMS Content Checksum line. You can select the checksum for each of
the available MMS protocols within the MMS Content Checksum line.
When the checksum is enabled, the content is verified for a match, and if it matches the
attachment is blocked.

The image file types that can be blocked in MMS messages are:
• JPG
• GIF
• TIFF
• PNG
• BMP

You must first configure a file filter that contains the file types that you want blocked when
MMS messages are scanned. The file filter is then applied to the MMS profile.

Example of blocking images for MMS messages
This example shows how to configure the file filter that contains the file types that you
want blocked when the FortiGate unit is scanning MMS messages. This example includes
how to apply that file filter to an MMS profile which is then applied to a firewall policy.
To configure a file filter
1 Go to UTM > Antivirus > File Filter.
2 Select Create New.
3 Enter MMS_filter in the Name field on the New List page and then select OK.
4 Select Create New on the File Filter Settings page.
5 Select File Type in the drop-down Filter Type list.
6 In the File Type drop-down list, select JPEG.
7 In the Action drop-down list, select Block.
8 Make sure Enable is selected and then select OK.
9 Repeat steps 4-8 to include GIF and TIFF file types in the list.
To apply the file filter to the MMS profile
1 Go to UTM > Carrier > MMS Profile.
2 On the Profile page, edit the MMS_filter_profile profile.
3 On the Edit MMS Profile page, expand the MMS Scanning section to reveal the
options.
4 In the File Filter line, select the MM1, MM4 and MM7 check boxes.
5 In the File Filter line, select the file filter in the Options drop-down list.
6 Select OK to save the changes.
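The two attachment checks described in this section, the MMS content checksum and the file filter built in the procedure above, as an added example that is not Fortinet’s code. It models an MMS profile that blocks an attachment when its content checksum is on a list or when its file type is one of JPEG, GIF or TIFF, the three types the MMS_filter list contains. Two assumptions are made for the example, since the page does not state them: the file type is identified from the attachment’s leading bytes rather than from the name the sender chose, and SHA-256 stands in for whatever checksum the FortiGate unit computes. The attachment bytes and the known-bad body are constructed.

```python
"""Model of MMS attachment filtering by file type and content checksum (added example)."""
import hashlib

# Leading bytes of the image formats the page lists (public magic numbers).
MAGIC = {
    "JPEG": (b"\xff\xd8\xff",),
    "GIF": (b"GIF87a", b"GIF89a"),
    "TIFF": (b"II*\x00", b"MM\x00*"),
    "PNG": (b"\x89PNG\r\n\x1a\n",),
    "BMP": (b"BM",),
}


def detect_type(data):
    """Identify the file type from content, not from the name the sender supplied."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return "UNKNOWN"


def content_checksum(data):
    # Assumption: SHA-256 stands in for the checksum the FortiGate unit computes.
    return hashlib.sha256(data).hexdigest()


class MmsAttachmentFilter:
    """Models an MMS profile with a file filter and a content checksum list attached."""

    def __init__(self, blocked_types, blocked_checksums):
        self.blocked_types = set(blocked_types)
        self.blocked_checksums = set(blocked_checksums)

    def inspect(self, filename, data):
        """Return (verdict, reason) for one attachment; the checksum list is checked first."""
        digest = content_checksum(data)
        if digest in self.blocked_checksums:
            return "block", f"content checksum {digest[:12]} is on the checksum list"
        kind = detect_type(data)
        if kind in self.blocked_types:
            return "block", f"file type {kind} is blocked (sent as {filename!r})"
        return "pass", f"file type {kind}"


# Constructed sample data: a known-bad body and the MMS_filter types from the procedure.
KNOWN_BAD_BODY = b"constructed sample of a previously blocked attachment"
MMS_FILTER = MmsAttachmentFilter(
    blocked_types={"JPEG", "GIF", "TIFF"},
    blocked_checksums={content_checksum(KNOWN_BAD_BODY)},
)

SAMPLES = {
    # a JPEG header sent under a harmless-looking name: blocked by type, not by name
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8,
    # PNG is not in the MMS_filter list above, so it passes
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    # matches the checksum list regardless of its type
    "offer.txt": KNOWN_BAD_BODY,
}


def run_samples():
    """Verdict per constructed attachment, keyed by the name it was sent under."""
    return {name: MMS_FILTER.inspect(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *MMS_FILTER.inspect(name, data))
```

Because the type check reads the bytes, renaming `photo.jpg` to `notes.txt` does not get it past the filter; a checksum list catches a specific known attachment whatever its type, but any change to the bytes produces a new checksum, which is why the two checks are applied together rather than relying on either alone.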

Carrier menu in UTM
In the UTM menu, a new menu called Carrier is included. It contains all MMS and GTP
features previously found in a protection profile. This new menu provides a central location
for configuring Carrier UTM features. From the Carrier menu, you can configure an MMS
profile or a GTP profile and then apply it to firewall policies.

The Carrier menu also provides configuration of MMS content checksum lists, notification
lists, carrier endpoint filter lists, and IP filter lists. You can view message floods, or a
volume of messages that have been sent by one subscriber, from the Message Flood
menu. This menu also provides filtering capabilities so that you can view specific
messages. You can also view duplicate messages that were sent by senders from the
Duplicate Message menu. For more information about the features available in UTM >
Carrier, see the FortiOS Carrier MMS Protection chapter.

Profile Group
A profile group is a group of UTM features, including replacement message groups, that
can be applied to a firewall policy. A profile group allows you to group individual profiles for
each UTM function that you would otherwise apply individually to the firewall policy. These
UTM features include the following:
• Protocol options
• antivirus profiles
• IPS sensors
• web filter profiles
• email filter profiles
• DLP sensors
• application control lists
• VoIP profiles
• MMS profiles
• replacement message groups

If you want to include a replacement message group in a profile group, you must first
configure a replacement message group in System > Config > Replacement Message
Group. For more information about the features available in UTM > Carrier, see the
FortiOS Carrier MMS Protection chapter.
The FortiOS Carrier Dynamic Profile feature now dynamically assigns profile groups to
traffic.

Configuring a profile group
The following procedures explain how to configure a profile group and then apply that
profile group to a firewall policy. If you are including a replacement message group in the
profile group, you must configure the replacement message group first.
To configure a profile group
1 Go to UTM > Profile Group > Profile Group.
2 Select Create New.
3 On the New Profile Group page, enter a name for the profile group and then select the
check box beside one or more of the UTM features that are listed.
4 After selecting a check box, make sure to select the profile, sensor or group in each of
the UTM features drop-down lists.
5 Select OK.

To apply the profile group to a firewall policy
1 Go to Firewall > Policy > Policy.
2 Edit the firewall policy that you want to apply the profile group to.
3 On the Edit Policy page, select Group in the Profile Type row.
4 Select the check box beside Profile Group and then select the profile group from the
drop-down list.
5 Select OK.

Logging and reporting
This section includes all new features and changes to existing features that concern the
Log & Report menu on the web-based manager.
The following topics are included in this section:
• Archiving support for local hard drives
• Log viewing enhancement
• Report enhancements
Note: The basic traffic reports that were available in Log & Report > Report Access >
Memory are not supported.

Archiving support for local hard drives
FortiGate units with local hard drives can now archive logs, which includes IPS packet
logs. This feature is supported only on FortiGate models that contain a new generation
HDD, an ASM-S08 or ASM-SAS hard disk, or FMC or FSM module storage.
There are now settings for rolling logs, as well as archives, and deleting logs on the local
hard disk. You can configure archiving to the local hard disk by using the following
command syntax in the CLI:
config log disk filter
  set dlp-archive {enable | disable}
end

Log viewing enhancement
When accessing log messages, you can now view them from a table within the page. The
table, which appears on the right side of the page that contains log messages, provides a
clearer view of each of the fields within a log message. The table provides next and
previous arrows, allowing you to step through the log messages from the table.
This table appears when you select a row within the log messages page and remains
available until you close the table.
To view log messages using the log table
1 Go to Log & Report > Log Access.
2 Select the menu that you want to access logs from.
For example, the DLP menu.
3 From within the page, select inside the row of the log message that you want to view.
The log message row is highlighted and the log table appears, located on the right side
of the page.

Report enhancements
You can now configure reports that are based on logs stored on your FortiGate unit. These
new reports are called FortiOS reports. The Report Config menu provides settings for
configuring the report’s layout and schedule. This enhancement allows you to create and
generate reports directly on the FortiGate unit itself, without having to use a FortiAnalyzer
unit.
The Report Config menu contains only the menus that apply to the configured logging
destination. For example, a FortiGate unit with an SQL database (configured to store logs)
contains the menus Theme, Layout, Chart, and Image. However, on another FortiGate unit
that has been configured to store logs on a FortiAnalyzer unit, only the FortiAnalyzer menu
appears.
Both menus, Report Config and Report Access, may not appear after upgrading to
FortiOS 4.0 MR2. You must use the following command syntax to enable them on the
web-based manager.
config log fortianalyzer setting
  set gui-display enable
end
The Report Config menu contains the following menus:
• Theme – create a simple page layout with a report title, which you can then apply to a
  report layout
• Layout – create a report that includes a theme, chart, image and schedule for when the
  report will be generated
• Chart – create different charts that gather specific log information to display within
  the chart
• Image – import your company’s logo to include it within the report

A report is generated similarly to how a report is generated on a FortiAnalyzer unit.
These new reports are available only on FortiGate units with hard drives on which an SQL
database has been configured.
Note: Sending out a report as an email attachment, or uploading report files to a specific
server, is not supported in FortiOS 4.0 MR2.

This topic contains the following:
• Configuring a theme
• Importing images
• Configuring a chart
• Configuring a report layout
• Viewing generated FortiOS reports

Configuring a theme
A theme allows you to configure how the information displays on the page, as well as the
type of font, page orientation, and if there will be multiple columns. After a theme is
configured, you can then apply it to the report’s layout. Themes are configured only in the
CLI.
If you want, you can apply the two default themes that are available in the Add Report
Layout page.

For more information about the theme commands, see the FortiGate CLI Reference.
To configure a theme for a report, log in to the CLI and then enter the following commands.
config report theme
  edit <theme_name>
    set column-count [1 | 2 | 3]
    set default-html-style <string>
    set default-pdf-style <string>
    set graph-chart-style <string>
    set heading1-style <string>
    set heading2-style <string>
    set heading3-style <string>
    set heading4-style <string>
    set hline-style <string>
    set image-style <string>
    set normal-text-style <string>
    set page-footer-style <string>
    set page-header-style <string>
    set page-orient {landscape | portrait}
    set page-style <string>
    set report-subtitle-style <string>
    set report-title-style <string>
    set table-chart-caption-style <string>
    set table-chart-even-row-style <string>
    set table-chart-head-style <string>
    set table-chart-odd-row-style <string>
    set table-chart-style <string>
    set toc-heading1-style <string>
    set toc-heading2-style <string>
    set toc-heading3-style <string>
    set toc-heading4-style <string>
    set toc-title-style <string>
  end
When you are choosing a setting for any of the above commands (except for column-count),
enter ? to view the choices that are available.
You can configure a specific style that is then applied to the theme using the config
report style command syntax. You must first select the settings in the options
variable before you can configure the styles for each.

Importing images
You can import an image to use for a report. The image formats that are supported are
JPEG, JPG and PNG.
Import images from Log & Report > Report Config > Image using the following table.

Image page
Lists all the images that you have imported. On this page, you can delete an image, import an image
from your local PC, or view an image.

Delete
  Removes an image from the list on the page. You can remove multiple images, or all images
  at once.
  To remove multiple images from the list, on the Image page, select the check box in each of
  the rows of the images you want to remove, and then select Delete.
  To remove all images from the list, on the Image page, select the check box in the check box
  column, and then select Delete.
Import
  Imports an image from your local PC.
View
  Displays the image. When you select View, you are automatically redirected to the View
  Image page where the image displays. Select Return to go back to the Image page.
Image Name
  The file name of the image.
Thumbnail
  A thumbnail of the image you imported.

Import Image File page
Provides settings for importing images.

File to Import
  Enter the location of the image on the local PC or select Browse to locate the image file.
  Select OK to start importing the image file.

Configuring a chart
There are default charts available when configuring a report layout; however, you can
configure your own charts for report layouts. When configuring charts, you must also
configure datasets because datasets are used to gather specific data from the SQL
database. You should configure the datasets you need for a report layout first, and then
configure the chart.
You must have prior knowledge about Structured Query Language (SQL) before
configuring datasets because datasets require SQL statements. Datasets are configured
only in the CLI.
Configure charts in Log & Report > Report Config > Chart using the following table.

Chart page
Lists all the charts, both default and the ones that you created. On this page, you can edit, delete
and create new charts.

Create New
  Creates a new chart. When you select Create New, you are automatically redirected to the
  Add Graph Report Chart page.
Edit
  Modifies settings of an existing chart. When you select Edit, you are automatically
  redirected to the Edit Graph Report Chart page.
Delete
  Removes a chart from the list on the Chart page. You can also remove multiple charts, or
  all charts within the list.
  To remove multiple charts from the list, on the Chart page, select the check box in each of
  the rows of the charts you want to remove, and then select Delete.
  To remove all charts from the list, on the Chart page, select the check box in the check box
  column, and then select Delete.
Name
  The name of the chart.
Type
  The type of information that will display within the chart. For example, a bar chart
  displays attack log information in the Attacks_February chart.
Dataset
  The dataset that will be used for the chart.
Comments
  The description of the chart.

Add Graph Report Chart page
Provides settings for configuring charts for report layouts.

Name
  Enter a name for the chart.
Dataset
  Select a configured dataset for the chart.
Category
  Select a log category for the chart.
Comments
  Enter a comment to describe the chart. This is optional.
Graph Type
  Select the type of graph that will display the information within the chart. If you select
  Pie, only Category Series and Value Series appear.
Category Series
  Enter the fields for the category in the Databind field.
  The databind is a combination of the fields derived from the SQL statement or named
  fields in the CLI. For example, field(3).
Value Series
  Enter the fields for the value in the Databind field.
  The databind is a combination of the fields derived from the SQL statement or named
  fields in the CLI. For example, field(3).
X-series
  The settings for the x axis of the line, bar or flow chart.
  Databind
    Enter an SQL databind value expression for binding data to the series being
    configured. For example, field(3).
  Category Axis
    Select to have the axis show the type of log category. By default, no log category
    appears on the axis.
  Scale
    Sets the type of format used to display the date and time on the x axis.
  Format
    Choose the type of time format that displays on the x axis.
  Number of Step
    Choose the number of steps on the horizontal axis of the graph.
  Step
    Enter the number of scale units in each x axis scale step.
  Unit
    Select the unit of the scale step on the x axis.
Y-series
  The Y-series settings configure the y part of the line, bar or flow chart.
  Databind
    Enter the fields for the y-series.
    The databind is a combination of the fields derived from the SQL statement or named
    fields in the CLI. For example, field(3).
  Group
    Enter a group in the field.

Configuring a report layout
After configuring a theme, charts, and importing the images you want to use in the report,
you can then configure the report in the Layout menu.
This layout, similar to the layout that you must configure for a FortiAnalyzer report,
contains settings for including charts, sections, adding images and scheduling when the
layout will be generated.
The Report Components section on the Add Report Layout page provides a place where
you can view what charts, sections, and images you have chosen for that report. This
section also allows you to move the parts, such as charts, to where you want them in the
report.
Configure a report layout in Log & Report > Report Config > Layout using the following
table.
Layout page
Lists all the report layouts that you configured, as well as default layouts. On this page, you can edit,
delete, clone a report, or create a new report.
Create New

Creates a new layout. When you select Create New, you are automatically
redirected to the Add Report Layout page.

Edit

Modifies the settings within a layout. When you select Edit, you are
automatically redirected to the Edit Report Layout page.

Delete

Removes the layout from the list on the Layout page. You can remove multiple
layouts from the list, or all layouts from the list.
To remove multiple layouts from the list, on the Layout page, select the check
box in each of the rows of the layouts you want to remove, and then select
Delete.
To remove all layouts from the list, on the Layout page, select the check box in
the check box column, and then select Delete.

Clone

Use to base a new report layout on an existing one. For example, layout_1 is
used as a base (cloned using the Clone icon) for the new layout, layout_april,
which is a report on application control logs that were recorded in the month of
April.

Run

Immediately generates a report.

Report Layout

The name of the report layout.

Title

The name of the title that appears on the generated report.

Format

The type of format that the report is in, either PDF or HTML.

Schedule

The time that the report is generated on.

Description

A description about the report.

Add Report Layout page
Provides settings for configuring a report layout.
Name

Enter a name of the report layout. This is not the name that will be the report’s
title.

Report Theme

Select a theme from the drop-down list.

Description

Enter a description, if you want, to explain what the report is about. This does
not appear within the report.

Output Format

The type of format the report will be generated in. You can choose PDF to
have the report generated as a PDF.

Schedule

Select what type of schedule you want the report generated on. The type of
schedule can be on a daily basis, weekly, on demand (whenever you want), or
only once.
If you select On Demand, the report can be generated whenever you want it. If
you select Once, the report is generated as soon as the report is saved.

Title

Enter a name for the title of the report.

Sub Title

Enter a name that will be the sub title of the report.

Option

Select to include all or some of the following report options:
• Table of Contents – includes a table of contents in the report
• Auto Heading Number – automatically provides a heading number for
each heading, in numerical format.
• HTML navigation bar – provides a navigational bar to help you navigate in a
report whose format is HTML
• Chart Name as Heading – allows for a chart’s name to be the heading

Report Components

Select Add to add the type of information that you want in the report.
These components are required since they contain what log information needs
to be included in the report, and how that information will be displayed and
formatted in the report.
This section provides a preview in the sense that it allows you to edit each part
of the report, such as a chart or an image. You can move each part to be in the
order that you want it within the generated report.

Add Component page
Text

Select the type of format the heading will have. For example, if you select
Heading 1, the headings will be in the Heading 1 format.
When you select Normal, you will be providing a comment for a section within
the report.

Chart

Select a category from the Categories drop-down list. Each category contains
different charts that are specific to that category.

Image

Select an image to include within the report.

Misc

Select a page break, column break, or horizontal line to include in the report.

Viewing generated FortiOS reports
After creating a report layout, you can go to Report Access > Disk to view your
generated report. When you choose to generate a report only once, the report is
generated right away.

Disk page
Lists all the reports that are generated by the FortiGate unit. You can also remove reports from the
list.
Delete

Select to remove a report from the list.

Report File

The report name that the FortiGate unit gave the report. This name is in the
format <scheduletype>-<report_title>-<yyyy-mm-dd>-<start_time>. For
example, Once-examplereport_1-2010-02-12-083054, which indicates that the
report titled examplereport_1 was scheduled to generate only once and did so on
February 12, 2010 at 8:30 am. The hour format is in hh:mm:ss format.

Started

The time when the report began generating. The format is in yyyy-mm-dd
hh:mm:ss.

Finished

The time when the report finished generating. The format is in yyyy-mm-dd
hh:mm:ss.

Size

The size of the report after it was generated. The size is in bytes.

Other Formats

The other type of format you choose the report to be in, for example, PDF. When
you select PDF in this column, the PDF opens up within the Disk page. You can
save the PDF to your local PC when it is opened on the Disk page as well.

Chapter 2 FortiGate Fundamentals
This document describes firewall components, and how to implement firewall policies on
FortiGate units operating in both NAT/Route and Transparent mode.
This FortiOS Handbook chapter contains the following sections:
• The Purpose of a Firewall provides an overview of the FortiGate firewall and its traffic
controlling options.
• Life of a Packet describes how a FortiGate unit processes incoming and outgoing
network traffic through its interfaces and firewall policies.
• Firewall components describes the FortiGate interfaces, addressing, services and user
configuration that goes into creating a firewall policy.
• Firewall Policies describes what policies are, the types of firewall policies and how to
configure and arrange them to ensure proper traffic management.
• Multicast forwarding describes configuring FortiGate units to forward multicast traffic.
• Troubleshooting describes some common problems and solutions when setting up
firewall policies to manage network traffic.
• Concept Example: Small Office Network Protection walks through a small office
configuration of firewall policies.
• Concept Example: Library Network Protection walks through an enterprise network
configuration of firewall policies.

The Purpose of a Firewall
Ranging from the FortiGate-30B series for small offices to the FortiGate-5000 series for
large enterprises, service providers and carriers, the FortiGate line combines the
FortiOS™ security operating system and latest hardware technologies to provide a
comprehensive and high-performance array of security and networking functions.
FortiGate platforms incorporate sophisticated networking features, such as high
availability for maximum network uptime, and virtual domain (VDOM) capabilities to
separate various networks requiring different security policies.
At the heart of these network security functions are the firewall policies. Firewall policies
control all traffic attempting to pass through the FortiGate unit, between FortiGate
interfaces, zones, and VLAN subinterfaces. They are instructions the FortiGate unit uses
to decide connection acceptance and packet processing for traffic attempting to pass
through. When the firewall receives a connection packet, it analyzes the packet’s source
address, destination address, and service (by port number), and attempts to locate a
firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional. It is through these policies that the FortiGate unit grants or
denies the packets and information in or out of the network, who gets priority (bandwidth)
over other users, and when the packets can come through.
This chapter describes the features of the FortiGate firewall that help to protect your
network, and the firewall policies that are the instructions for the FortiGate unit. The
following topics are included in this section:
• Firewall features
• NAT vs. Transparent Mode

Firewall features
The FortiGate unit includes a rich feature set to protect your network from unwanted
attacks. This section provides an overview of what the FortiGate unit can protect against.
Each of these elements is configured and added to firewall policies as a means of
instructing the FortiGate unit what to do when encountering a security threat.

Antivirus
Antivirus is a group of features that are designed to prevent unwanted and potentially
malicious files from entering your network. These features all work in different ways,
whether by checking for a file size, name, type, or the presence of a virus or grayware
signature.
The antivirus scanning routines used are designed to share access to the network traffic.
This way, each individual feature does not have to examine the network traffic as a
separate operation, reducing overhead significantly. For example, if you enable file
filtering and virus scanning, the resources used to complete these tasks are only slightly
greater than enabling virus scanning alone. Two features do not require twice the
resources.

The antivirus scanning function includes various modules and engines that perform separate
tasks. The FortiGate unit performs antivirus processing in the following order:
• File size
• File pattern
• File type
• Virus scan
• Grayware
• Heuristics

If a file fails any of the tasks of the antivirus scan, no further scans are performed. For
example, if the file “fakefile.exe” is recognized as a blocked pattern, the FortiGate unit will
send the recipient a message informing them that the original message had a virus, and
the file will be deleted or quarantined. The virus scan, grayware, heuristics, and file type
scans will not be performed, as the file has already been determined to be a threat and has
been dealt with.
For more information on FortiGate antivirus processes, features and configuration, see the
UTM chapter.

Web Filtering
Web filtering is a means of controlling the content that an Internet user is able to view.
With the popularity of web applications, the need to monitor and control web access is
becoming a key component of Secure Content Management systems that employ
antivirus, web filtering, and messaging security. Important reasons for controlling web
content include:
• Lost productivity because employees are accessing the web for non-business reasons.
• Network congestion - valuable bandwidth is being used for non-business purposes
and legitimate business applications suffer.
• Loss or exposure of confidential information through chat sites, non-approved email
systems, instant messaging, and peer-to-peer file sharing.
• Increased exposure to web-based threats as employees surf non-business related web
sites.
• Legal liability when employees access/download inappropriate and offensive material.
• Copyright infringement caused by employees downloading and/or distributing
copyrighted material.

As the number and severity of threats increase on the web, the risk potential is increasing
within a company's network as well. Casual non-business related web surfing has caused
many businesses countless hours of legal litigation as hostile environments have been
created by employees who download and view offensive content. Web-based attacks and
threats are also becoming increasingly sophisticated. New threats and web-based
applications that are causing additional problems for corporations include:
• Phishing
• Instant Messaging
• Peer-to-Peer File Sharing
• Streaming Media
• Spyware/Grayware
• Blended Network Attacks

Spyware/Grayware
Spyware is also known as Grayware. Spyware is a type of computer program that
attaches itself to a user’s operating system. It does this without the user’s consent or
knowledge. It usually ends up on a computer because of something the user does such as
clicking on a button in a popup window. Spyware can do a number of things such as track
the user’s Internet usage, cause unwanted popup windows, and even direct the user to a
host web site. It is estimated that 80% of all personal computers are infected with
spyware. For further information, visit the FortiGuard Center.
Some of the most common ways of grayware infection include:
• Downloading shareware, freeware or other forms of file-sharing services
• Clicking on pop-up advertising
• Visiting legitimate web sites infected with grayware

Phishing
Phishing is the term used to describe social engineering attacks that use web technology
to trick users into revealing personal or financial information. Phishing attacks use web
sites and emails that claim to be from legitimate financial institutions to trick the viewer into
believing that they are legitimate. Although phishing is initiated by spam email, getting the
user to access the attacker’s web site is always the next step.

Pharming
Pharming is a next generation threat that is designed to identify, and extract financial, and
other key pieces of information for identity theft. Pharming is much more dangerous than
Phishing because it is designed to be completely hidden from the end user. Unlike
phishing attacks that send out spam email requiring the user to click to a fraudulent URL,
Pharming attacks require no action from the user outside of their regular web surfing
activities. Pharming attacks succeed by redirecting users from legitimate web sites to
similar fraudulent web sites that have been created to look and feel like the authentic web
site.

Instant messaging
Instant Messaging presents a number of problems. Instant Messaging can be used to
infect computers with spyware and viruses. Phishing attacks can be made using Instant
Messaging. There is also a danger that employees may use instant messaging to release
sensitive information to an outsider.

Peer-to-peer
Peer-to-Peer networks are used for file sharing. Such files may contain viruses.
Peer-to-Peer applications take up valuable network resources and lower employee
productivity, and also have legal implications with the downloading of copyrighted material.
Peer-to-Peer file sharing and applications can also be used to expose company secrets.

Streaming media
Streaming media is a method of delivering multimedia, usually in the form of audio or
video to Internet users. The viewing of streaming media has increased greatly in the past
few years. The problem with this is the way it impacts legitimate business.

Blended network attacks
Blended network threats are rising and the sophistication of network threats is increasing
with each new attack. Attackers are learning from each previous successful attack and are
enhancing and updating attack code to become more dangerous and fast spreading.
Blended attacks use a combination of methods to spread and cause damage. Using virus
or network worm techniques combined with known system vulnerabilities, blended threats
can quickly spread through email, web sites, and Trojan applications. Blended attacks can
be designed to perform different types of attacks - from disrupting network services to
destroying or stealing information to installing stealthy back door applications to grant
remote access.
For more information on FortiGate web filter processes, features and configuration, see
the UTM chapter.

Antispam/Email Filter
The FortiGate unit performs email filtering (formerly called antispam) for IMAP, POP3, and
SMTP email. Email filtering includes both spam filtering and filtering for any words or files
you want to disallow in email messages. If your FortiGate unit supports SSL content
scanning and inspection you can also configure spam filtering for IMAPS, POP3S, and
SMTPS email traffic.
You can configure the FortiGate unit to manage unsolicited commercial email by detecting
and identifying spam messages from known or suspected spam servers. The FortiGuard
Antispam Service uses both a sender IP reputation database and a spam signature
database, along with sophisticated spam filtering tools, to detect and block a wide range of
spam messages. Using FortiGuard Antispam protection profile settings you can enable IP
address checking, URL checking, E-mail checksum check, and Spam submission.
Updates to the IP reputation and spam signature databases are provided continuously via
the global FortiGuard distribution network.
From the FortiGuard Antispam Service page in the FortiGuard center you can use IP and
signature lookup to check whether an IP address is blacklisted in the FortiGuard antispam
IP reputation database, or whether a URL or email address is in the signature database.

Email filter techniques
The FortiGate unit has a number of techniques available to help detect spam. Some use
the FortiGuard AntiSpam service, requiring a subscription. The remainder use your DNS
servers, or lists you must maintain.
The FortiGate unit queries the FortiGuard Antispam service to determine if the IP address
of the client delivering the email is blacklisted. A match will have the FortiGate unit treat
delivered messages as spam. If enabled, the FortiGate unit will check all the IP addresses
in the header of SMTP email against the FortiGuard Antispam service.
The FortiGate unit queries the FortiGuard Antispam service to determine if any URL in the
message body is associated with spam. If any URL is blacklisted, the FortiGate unit
determines that the email message is spam.
The FortiGate unit sends a hash of an email to the FortiGuard Antispam server which
compares the hash to hashes of known spam messages stored in the FortiGuard
Antispam database. If the hash results match, the email is flagged as spam.
The FortiGate unit compares the IP address of the client delivering the email to the
addresses in the IP address black/white list specified in the protection profile. If a match is
found, the FortiGate unit will take the action configured for the matching black/white list
entry against all delivered email.

The FortiGate unit takes the domain name specified by the client in the HELO greeting
sent when starting the SMTP session, and does a DNS lookup to determine if the domain
exists. If the lookup fails, the FortiGate unit determines that any messages delivered
during the SMTP session are spam.
The FortiGate unit compares the sender email address, as shown in the message
envelope MAIL FROM, to the addresses in the email address black/white list specified in
the protection profile. If a match is found, the FortiGate unit will take the action configured
for the matching black/white list entry.
The FortiGate unit performs a DNS lookup on the reply-to domain to see if there is an A or
MX record. If no such record exists, the message is treated as spam.
The FortiGate unit will block email messages based on matching the content of the
message with the words or patterns in the selected spam filter banned word list.
For more information on FortiGate antispam processes, features and configuration, see
the UTM chapter.
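The following Python sketch is an added example and not FortiGate code. It runs the non-subscription checks listed above (the IP and email black/white lists, the HELO and reply-to DNS lookups, the banned word list) against a constructed SMTP session and stops at the first check that yields a verdict, the same first-match-ends-processing behaviour the antivirus scan order above describes. The check order, the in-memory DNS stand-in and every address and list entry are assumptions; the FortiGuard queries are left out.

```python
"""Spam-check pipeline modelled on the email filter techniques described above.
Added example, not FortiGate code: the lists, the DNS data and the order of the
checks are constructed assumptions so that the example runs offline."""
from dataclasses import dataclass
import re


@dataclass
class SmtpSession:
    """What the filter sees for one delivery: client IP, HELO name, envelope
    sender (MAIL FROM), the reply-to address of the message and its body."""
    client_ip: str
    helo_domain: str
    mail_from: str
    reply_to: str
    body: str


# Constructed stand-in for DNS: domain -> record types that exist for it.
FAKE_DNS = {
    "mail.example-partner.test": {"A"},
    "example-partner.test": {"A", "MX"},
    "corp.example.test": {"A", "MX"},
}

# Constructed black/white lists as a protection profile would hold them.
IP_LIST = {"198.51.100.7": "reject", "203.0.113.10": "accept"}
EMAIL_LIST = {"promo@bulk-mailer.test": "reject",
              "billing@example-partner.test": "accept"}
BANNED_WORDS = ["free money", "act now"]


def domain_has_record(domain, record_types, dns):
    """True if any of record_types exists for the domain in the DNS stand-in."""
    return bool(dns.get(domain.lower().rstrip("."), set()) & set(record_types))


def check_session(session, dns=FAKE_DNS):
    """Evaluate the checks in a fixed order and stop at the first verdict.
    Returns (verdict, reason) with verdict 'spam', 'accept' or 'clean':
    a white-list hit accepts, a black-list hit or a failed lookup rejects."""
    # 1. Client IP against the IP black/white list.
    action = IP_LIST.get(session.client_ip)
    if action == "reject":
        return "spam", "client IP is black-listed"
    if action == "accept":
        return "accept", "client IP is white-listed"

    # 2. The HELO domain must exist in DNS.
    if not domain_has_record(session.helo_domain, {"A", "AAAA", "MX"}, dns):
        return "spam", "HELO domain does not resolve"

    # 3. Envelope MAIL FROM against the email black/white list.
    action = EMAIL_LIST.get(session.mail_from.lower())
    if action == "reject":
        return "spam", "sender address is black-listed"
    if action == "accept":
        return "accept", "sender address is white-listed"

    # 4. The reply-to domain must have an A or MX record.
    reply_domain = session.reply_to.rsplit("@", 1)[-1]
    if not domain_has_record(reply_domain, {"A", "MX"}, dns):
        return "spam", "reply-to domain has no A or MX record"

    # 5. Banned word list against the message body (whole words, any case).
    for word in BANNED_WORDS:
        if re.search(r"\b" + re.escape(word) + r"\b", session.body, re.IGNORECASE):
            return "spam", f"banned word: {word!r}"

    return "clean", "no rule matched"


if __name__ == "__main__":
    legit = SmtpSession("192.0.2.5", "mail.example-partner.test",
                        "alice@example-partner.test", "alice@example-partner.test",
                        "Quarterly figures attached.")
    print(check_session(legit))   # ('clean', 'no rule matched')
```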

Intrusion Protection
The FortiGate Intrusion Protection system combines signature detection and prevention
with low latency and excellent reliability. With Intrusion Protection, you can create multiple
IPS sensors, each containing a complete configuration based on signatures. Then, you
can apply any IPS sensor to each protection profile. The FortiGate intrusion protection
system protects your network from outside attacks. Your FortiGate unit has two techniques
to deal with these attacks.
Anomaly-based defense is used when network traffic itself is used as a weapon. A host
can be flooded with far more traffic than it can handle, making the host inaccessible. The
most common example is the denial of service attack, in which an attacker directs a large
number of computers to attempt normal access of the target system. If enough access
attempts are made, the target is overwhelmed and unable to service genuine users. The
attacker does not gain access to the target system, but it is not accessible to anyone else.
The FortiGate unit DoS feature will block traffic over a certain threshold from the attacker,
allowing connections from other legitimate users.
Signature-based defense is used against known attacks or vulnerability exploits. These
often involve an attacker attempting to gain access to your network. The attacker must
communicate with the host in an attempt to gain access, and this communication will
include particular commands or sequences of commands and variables. The IPS
signatures include these command sequences, allowing the FortiGate unit to detect and
stop the attack.
The basis of signature-based intrusion protection is the IPS signatures themselves.
Every attack can be reduced to a particular string of commands or a sequence of
commands and variables. Signatures include this information so your FortiGate unit
knows what to look for in network traffic.
Signatures also include characteristics about the attack they describe. These characteristics
include the network protocol in which it will appear, the vulnerable operating system, and
the vulnerable application.
Before examining network traffic for attacks, the FortiGate unit will identify each protocol
appearing in the traffic. Attacks are protocol-specific so your FortiGate unit conserves
resources by looking for attacks only in the protocols used to transmit them. For example,
the FortiGate unit will only examine HTTP traffic for the presence of a signature describing
an HTTP attack.
Once the protocol decoders separate the network traffic by protocol, the IPS engine
examines the network traffic for the attack signatures.

The IPS engine does not examine network traffic for all signatures, however. You must
first create an IPS sensor and specify which signatures are included. You do not have to
choose each signature you want to include individually, however. Instead, filters are used
to define the included signatures.
IPS sensors contain one or more IPS filters. A filter is simply a collection of signature
attributes you specify. The signatures that have all of the attributes specified in a filter are
included in the IPS sensor.
For example, if your FortiGate unit protects a Linux server running the Apache web server
software, you could create a new filter to protect it. Set OS to Linux, and Application to
Apache and the filter will include only the signatures applicable to both Linux and Apache.
If you wanted to scan for all the Linux signatures and all the Apache signatures, you would
create two filters, one for each.
For more information on FortiGate IPS processes, features and configuration, see the
UTM chapter.

Traffic Shaping
Traffic shaping, when included in a firewall policy, controls the bandwidth available to, and
sets the priority of the traffic processed by, the policy. Traffic shaping makes it possible to
control which policies have the highest priority when large amounts of data are moving
through the FortiGate unit. For example, the policy for the corporate web server might be
given higher priority than the policies for most employees’ computers. An employee who
needs extra high speed Internet access could have a special outgoing policy set up with
higher bandwidth.
Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or
SSLVPN. It is also available for all supported services, including H.323, TCP, UDP, ICMP,
and ESP.
Traffic shaping cannot increase the total amount of bandwidth available, but you can use it
to improve the quality of bandwidth-intensive and sensitive traffic.
The bandwidth available for traffic set in a traffic shaper is used to control data sessions
for traffic in both directions. For example, if guaranteed bandwidth is applied to an internal
and an external FTP policy, and a user on an internal network uses FTP to put and get
files, both the put and get sessions share the bandwidth available to the traffic controlled
by the policy.
Once included in a firewall policy, the guaranteed and maximum bandwidth is the total
bandwidth available to all traffic controlled by the policy. If multiple users start multiple
communication sessions using the same policy, all of these communication sessions
must share the bandwidth available for the policy.
However, bandwidth availability is not shared between multiple instances of using the
same service if these multiple instances are controlled by different policies. For example,
you can create one FTP policy to limit the amount of bandwidth available for FTP for one
network address and create another FTP policy with a different bandwidth availability for
another network address.
Traffic shaping attempts to “normalize” traffic peaks/bursts to prioritize certain flows over
others. But there is a physical limitation to the amount of data which can be buffered and
to the length of time. Once these thresholds have been surpassed, frames and packets
will be dropped, and sessions will be affected in other ways. For example, incorrect traffic
shaping configurations may actually further degrade certain network flows, since the
excessive discarding of packets can create additional overhead at the upper layers that
may be attempting to recover from these errors.

A basic traffic shaping approach is to prioritize certain traffic flows over other traffic whose
potential discarding is less advantageous. This would mean that you accept sacrificing
certain performance and stability on low-priority traffic, in order to increase or guarantee
performance and stability to high-priority traffic.
If, for example, you are applying bandwidth limitations to certain flows, you must accept
the fact that these sessions can be limited and therefore negatively impacted. Traffic
shaping applied to a firewall policy is enforced for traffic which may flow in either direction.
Therefore a session which may be set up by an internal host to an external one, through
an Internal-to-External policy, will have traffic shaping applied even if the data stream
flows external to internal. One example may be an FTP “get”, or an SMTP server connecting
to an external one in order to retrieve email.
Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic
shaping is not effective during periods when traffic exceeds the capacity of the FortiGate
unit. Since packets must be received by the FortiGate unit before they are subject to traffic
shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped
packets, delays, and latency are likely to occur.
For more information on traffic shaping, see the Traffic Shaping chapter.
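As an added example, not FortiGate code, this Python simulation of one scheduling tick shows the rules just described: sessions under one policy share that policy's guaranteed and maximum bandwidth, different policies do not share, and shaping cannot create bandwidth, so whatever does not fit in the link is dropped. The two-pass scheduler, the equal split among sessions, the absence of buffering and the numbers used are assumptions.

```python
"""One scheduling tick of a policy-based traffic shaper, written to illustrate
the sharing rules described above. Added example, not FortiGate code: the
two-pass scheduler, the fair split and all figures are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Shaper:
    """Traffic shaping settings attached to one firewall policy."""
    name: str
    guaranteed: int   # bytes per tick the policy always gets when it has demand
    maximum: int      # bytes per tick the policy can never exceed
    priority: int     # lower value = served first for bandwidth above the guarantee


def fair_split(allocation, demands):
    """Share one policy's grant among its sessions: each session gets what it
    asks for or an equal share of what is left, smallest demands served first."""
    sent = {}
    remaining = allocation
    pending = sorted(demands.items(), key=lambda item: item[1])
    for index, (session, wanted) in enumerate(pending):
        share = remaining // (len(pending) - index)
        sent[session] = min(wanted, share)
        remaining -= sent[session]
    return sent


def schedule_tick(link_capacity, demand):
    """demand maps each Shaper to {session_id: bytes offered this tick}.
    Returns ({Shaper: {session_id: bytes sent}}, bytes_dropped). No buffering
    is modelled, so everything not sent within the tick counts as dropped."""
    offered = {shaper: sum(sessions.values()) for shaper, sessions in demand.items()}
    granted = {shaper: 0 for shaper in demand}
    capacity = link_capacity

    # Pass 1: every policy with demand receives up to its guaranteed bandwidth.
    for shaper in demand:
        give = min(offered[shaper], shaper.guaranteed, capacity)
        granted[shaper] += give
        capacity -= give

    # Pass 2: leftover capacity goes to policies in priority order, never past
    # each policy's maximum. Once the link is full, lower priorities get nothing.
    for shaper in sorted(demand, key=lambda s: s.priority):
        give = min(offered[shaper] - granted[shaper],
                   shaper.maximum - granted[shaper], capacity)
        granted[shaper] += give
        capacity -= give

    # Sessions under one policy share that policy's grant; policies do not share.
    result = {shaper: fair_split(granted[shaper], demand[shaper]) for shaper in demand}
    sent_total = sum(sum(sessions.values()) for sessions in result.values())
    return result, sum(offered.values()) - sent_total


if __name__ == "__main__":
    web = Shaper("web-server", guaranteed=400, maximum=800, priority=1)
    bulk = Shaper("bulk-ftp", guaranteed=200, maximum=1000, priority=2)
    sent, dropped = schedule_tick(1000, {web: {"a": 500, "b": 500}, bulk: {"c": 900}})
    print(sent, dropped)   # web sessions get 400 each, bulk gets 200, 900 bytes dropped
```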

NAT vs. Transparent Mode
The FortiGate unit can run in two modes: Network Address Translation (NAT) mode and
Transparent mode. Generally speaking, both modes function the same, with some minor
differences in feature availability due to the nature of the mode. With both modes,
however, firewall policies define how traffic moves, or is prevented, from moving within the
local network or to an external network or the Internet.

NAT mode
In NAT mode, the FortiGate unit is visible to the network that it is connected to. All of its
interfaces are on different subnets. Each interface that is connected to a network must be
configured with an IP address that is valid for that subnetwork.
You would typically use NAT mode when the FortiGate unit is deployed as a gateway
between private and public networks. In its default NAT mode configuration, the FortiGate
unit functions as a firewall. Firewall policies control communications through the FortiGate
unit to both the Internet and between internal networks. In NAT mode, the FortiGate unit
performs network address translation before IP packets are sent to the destination
network. For example, a company has a FortiGate unit as their interface to the Internet.
The FortiGate unit also acts as a router to multiple sub-networks within the company.
Figure 5: FortiGate unit in NAT mode
Diagram labels: wan1 (172.20.120.129) faces the Internet, with NAT policies controlling
traffic between the internal and external networks; port1 (192.168.1.1) serves internal
network 192.168.1.0/24 and port2 (10.10.10.1) serves internal network 10.10.10.0/24,
with policies controlling traffic between the internal networks.

In this situation, as shown in Figure 5, the FortiGate unit is set to NAT mode. Using this
mode, the FortiGate unit can have a designated port for the Internet, in this example,
wan1 with an address of 172.20.120.129, which is the public IP address. The internal
network segments are behind the FortiGate unit and invisible to public access, for
example port2 with an address of 10.10.10.1. The FortiGate unit translates IP addresses
passing through it to route the traffic to the correct subnet or the Internet.

How address translation works
In NAT mode, firewall policies perform the address translation between the internal and
external interfaces. When a user accesses a web site, for example, the web site only
knows the request by the external interface of the FortiGate unit, in this example, wan1.
For example, a user surfs to a web server (IP address 172.50.20.20). The user’s PC has
an IP address of 10.10.10.2 on the Internal interface. The FortiGate unit receives the
request from the user to go to the web server. The external interface for the FortiGate unit
to send and receive information is wan1 (172.20.120.129). The FortiGate unit looks at
the firewall policies to determine where the request should go, in this case, out the
external interface.
The FortiGate unit changes the packet information of the return address to its external
interface, while keeping track of the originating user request, and the originating PC
address. Once modified, the FortiGate unit sends the packet information to the web
server.
Figure 6: Sender’s IP internal address translated to the FortiGate unit’s external address
Diagram labels: Client PC 10.10.10.2 sends a packet (Destination: 172.50.20.20,
Source: 10.10.10.2) to the Internal interface; the firewall policy with NAT enabled
rewrites it (Destination: 172.50.20.20, Source: 172.20.120.129) and sends it out wan1
to the Web Server 172.50.20.20.

When the web server sends the response, it sends it to what it believes to be the
originating address, which is the FortiGate wan1 address, 172.20.120.129. When the
FortiGate unit receives the packet, it determines where it should go by looking at its
stored session information. Using the firewall policies and the session table, it determines
that the packet belongs to the originating user at 10.10.10.2. The FortiGate unit changes
the destination IP to that user's address and delivers the packet.
Figure 7 (diagram not reproduced): Web server sends to the FortiGate external address and the packet is translated to the internal address. The web server 172.50.20.20 sends its reply with Destination 172.20.120.129 and Source 172.50.20.20 to wan1; through the NAT-enabled firewall policy the FortiGate unit forwards it out the Internal interface with Destination 10.10.10.2 and Source 172.50.20.20 to the client PC 10.10.10.2.

Throughout this exchange, which takes only a fraction of a second, the web server never
sees the originating address 10.10.10.2: because of network address translation it only
ever sees 172.20.120.129.
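The translation described above, as an added example that is not part of the handbook or of FortiOS: a Python model of a source NAT session table using the addresses from the example (client 10.10.10.2, wan1 172.20.120.129, web server 172.50.20.20). The 5-tuple keys, the translated port pool starting at 30000 and the packet class are assumptions made for the illustration.

```python
"""Source NAT session table, modelled on the wan1 example in the text above.

Added illustration only; this is not FortiOS code. The addresses come from the
handbook example; the port pool and the 5-tuple layout are assumptions.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional

WAN1_IP = "172.20.120.129"      # FortiGate external (public) address


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Rewrites the source of outbound packets to the external address and
    reverses the rewrite for replies, using a per-session translation table."""

    def __init__(self, external_ip: str, first_port: int = 30000):
        self.external_ip = external_ip
        self._next_port = count(first_port)        # assumed translated-port pool
        # outbound key: original 5-tuple -> translated source port
        self._out = {}
        # inbound key: (proto, translated port, remote ip, remote port)
        #              -> (original src ip, original src port)
        self._in = {}

    def egress(self, pkt: Packet) -> Packet:
        """Internal -> wan1: allocate (or reuse) a translated port and record
        both directions so the reply can be mapped back to the client."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self._out.get(key)
        if nat_port is None:
            nat_port = next(self._next_port)
            self._out[key] = nat_port
            self._in[(pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.external_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """wan1 -> internal: only packets that match a recorded session are
        translated; anything else has no session and is dropped (None)."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        orig_ip, orig_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, orig_ip, orig_port)


def handbook_exchange():
    """Client 10.10.10.2 browses web server 172.50.20.20. Returns the packet as
    seen on wan1, the reply as delivered to the client, and the fate of an
    unsolicited packet from the web server (None = dropped)."""
    nat = SourceNat(WAN1_IP)
    request = Packet("tcp", "10.10.10.2", 40000, "172.50.20.20", 80)
    on_wire = nat.egress(request)
    reply = Packet("tcp", "172.50.20.20", 80, on_wire.src_ip, on_wire.src_port)
    delivered = nat.ingress(reply)
    # A packet aimed at a port no internal host opened has no session entry.
    stray = nat.ingress(Packet("tcp", "172.50.20.20", 80, WAN1_IP, 31000))
    return on_wire, delivered, stray


if __name__ == "__main__":
    sent, back, stray = handbook_exchange()
    print("on wan1:    ", sent)
    print("to client:  ", back)
    print("unsolicited:", stray)
```

The point the two figures make is visible in the session table: the reply is delivered only because the outbound request created an entry, and an inbound packet with no matching entry has nowhere to go and is dropped. That is why a host behind NAT is unreachable from the Internet until a policy with a virtual IP is added for it.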

Transparent mode
In Transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are
on the same subnet and share the same IP address. You only have to configure a
management IP address so that you can make configuration changes.
You would typically use the FortiGate unit in Transparent mode on a private network
behind an existing firewall or behind a router. In Transparent mode, the FortiGate unit also
functions as a firewall. Firewall policies control communications through the FortiGate unit
to the Internet and internal network. No traffic can pass through the FortiGate unit until you
add firewall policies.
For example, a company already has a router or other firewall in place. The network is
simple enough that all users are on the same internal network. They need the FortiGate
unit to perform antispam, antivirus and intrusion protection and similar traffic scanning. In
this situation, as shown in Figure 8, the FortiGate unit is set to Transparent mode. The
traffic passing through the FortiGate unit keeps the same addressing from the router to
the internal network. Firewall policies and protection profiles define the type of scanning
the FortiGate unit performs on traffic entering the network.
Figure 8 (diagram not reproduced): FortiGate unit in transparent mode. Internet, gateway to public network (204.23.1.5), wan1, FortiGate unit, Internal interface, internal network (10.10.10.2); policies control traffic between the internal and external networks.
By default, the FortiGate unit ships in NAT mode. To use the FortiGate unit in
Transparent mode, you need to switch its operation mode. The FortiGate unit does not
need to be restarted when the mode is switched; the change takes effect immediately.
In the following example, the steps change the FortiGate unit to Transparent mode with a
management IP of 10.11.101.10, a netmask of 255.255.255.0 and a default gateway of
10.11.101.1.
To enable Transparent mode - web-based manager
1 Go to System > Config > Operation.
2 Select Transparent for the Operation Mode from the list box.
3 Enter the Management IP address and netmask 10.11.101.10 255.255.255.0.
4 Enter the Default Gateway address of 10.11.101.1.
5 Select Apply.
To enable Transparent mode - CLI
config system settings
set opmode transparent
set manageip 10.11.101.10 255.255.255.0
set gateway 10.11.101.1
end
For information on unique Transparent mode firewall configurations, see “Adding NAT
firewall policies in transparent mode” on page 265 and “Enabling multicast forwarding” on
page 238.

Note: This guide and its examples are constructed with the FortiGate unit running in NAT
mode, unless otherwise noted.

Operating mode differences
The FortiGate unit, running in either NAT or Transparent mode, has essentially the same
feature set. Due to the differences between the modes, however, some features are not
available in Transparent mode. The list below outlines the key features not available in
Transparent mode:
• DHCP
• Router (basic routing is available by going to Network > Routing Table)
• Virtual IP
• Load Balance
• IPSec Concentrator (Transparent mode supports policy-based configurations)
• SSL VPN
• Network > DNS Databases
• WCCP cache engine

Life of a Packet
Directed by firewall policies, FortiGate units screen network traffic from the IP layer up
through the application layer of the TCP/IP stack. This chapter provides a general,
high-level description of what happens to a packet as it travels through a FortiGate
security system.
The FortiGate unit passes network traffic across three layers of security inspection:
• stateful inspection, which provides individual packet-based security within a basic
session state
• flow-based inspection, which relies on reconstruction of TCP and application data before
inspection of the data
• proxy-based inspection, which provides inspection before relaying traffic between client
and server.
Each inspection component plays a role in the processing of a packet as it traverses the
FortiGate unit en route to its destination. Understanding these inspections is the first step
to understanding the flow of the packet.

Stateful inspection
With stateful inspection, the FortiGate unit looks at each individual packet to make a
security decision. Common fields inspected include the TCP SYN and FIN flags, to identify
the start and end of a session, the source/destination IP addresses, the source/destination
ports and the protocol. Other checks are also performed on the packet payload and
sequence numbers to verify it as a valid communication and that the data is not corrupted
or malformed. The FortiGate unit makes the decision to drop, pass or log the traffic based
on what is found in each packet.
Figure 9 (diagram not reproduced): Stateful inspection of packets through the FortiGate unit. Each packet (SYN, IP, TCP headers) is examined individually as it is sent and received.
Flow inspection
With flow inspection, the FortiGate unit passes all the packets between the source and
destination and keeps a copy of the packets in its memory. It then uses a reconstruction
engine to build the content of the original traffic. The security inspection occurs after the
data has passed from its source to its destination.


Figure 10 (diagram not reproduced): Flow inspection of packets through the FortiGate unit (IPS, flow-based antivirus, application control). Packets are forwarded as they are sent and received while copies are reassembled for inspection.
Flow-based inspections typically require less processing, and therefore the performance
can be better. However, if a particular threat can only be detected when a complete copy
of the payload is obtained, it means the threat has already reached its destination. Also,
some application protocols are very complex, so an offline reconstruction may not be able
to analyze the payload sufficiently to make a decision.

Proxy inspection
With proxy inspection, the FortiGate unit will download the entire payload first and after a
satisfactory inspection, the FortiGate unit will pass the content on to the client. If the proxy
detects some undesirable content in this traffic flow, it will be able to stop it before the
traffic reaches its destination. Proxy inspection is the most thorough inspection of all,
although it requires more processing power, and this may result in lower performance.
Figure 11 (diagram not reproduced): Proxy inspection of packets through the FortiGate unit (email filter, web filter, DLP, antivirus). The full payload is received and inspected before any of it is sent on to the client.

FortiOS functions and security layers
Within these security inspection layers, FortiOS functions map to different inspections.
The table below outlines when actions are taken as a packet progresses through its life
within a FortiGate unit.
Table 8: FortiOS security functions and security layers

Security Function            Stateful   Flow   Proxy
Firewall                     X
IPsec VPN                    X
Traffic Shaping              X
User Authentication          X
Management Traffic           X
SSL VPN                      X
Intrusion Prevention                    X
Flow-based Antivirus                    X
Application Control                     X
Proxy Antivirus                                X
Email Filtering (Antispam)                     X
Web Filtering                                  X
Data Leak Prevention                           X
Packet flow
After the FortiGate unit's external interface receives a packet, the packet proceeds
through a number of steps on its way to the internal interface, traversing each of the
inspection types depending on the policy and profile configuration. The diagram below is
a high-level view of the packet's journey.
The description that follows is a high-level description of these steps as a packet enters
the FortiGate unit towards its destination on the internal network. Similar steps occur for
outbound traffic.

Packet inspection
In the diagram in Figure 12 on page 178, in the first set of steps, a number of header
checks take place to ensure the packet is valid and contains the necessary information to
reach its destination. This includes:
• packet verification - during the IP integrity stage, verification is performed to ensure
that the layer 4 protocol header is the correct length. If not, the packet is dropped.
• session creation - the FortiGate unit attempts to create a session for the incoming data.
• IP stack validation for routing - the firewall performs IP header length, version and
checksum verifications in preparation for routing the packet.
• verification of IP options - the FortiGate unit validates the routing information.
• application of firewall policies.


Figure 12 (diagram not reproduced): Packet routing through inspection engines. The packet enters at the ingress interface (link layer) and passes, in order, the DoS sensor, IP integrity header checking, and the stateful policy engine (session helpers, management traffic, IPsec, NAT, user authentication, SSL VPN, routing, traffic shaping, session tracking). If UTM is enabled it continues to the flow inspection engine (IPS, flow-based antivirus, application control, VoIP) and then, when proxy features are configured, to the proxy inspection engine (antivirus for HTTP(S), SMTP(S), POP3(S), IMAP(S), FTP, NNTP and IM; web filter for HTTP and HTTPS; email filter; data leak prevention). On the way out it passes IPsec, NAT and routing before leaving on the egress interface.
Interface
The packet is received at the FortiGate unit's external interface connected to the Internet.
The packet enters the system, and the interface network device driver passes it to the
Denial of Service (DoS) sensors, if enabled, to determine whether it is a valid request or
not.

DoS attack protection
DoS scans are handled at the flow level, although by a different module than the IPS. This
scan occurs very early in the life of the packet to determine whether the traffic is valid or a
deliberate attack, and processes it accordingly. Unlike the signature-based IPS, which
inspects all the packets within a certain traffic flow, this module inspects all traffic flows
but only tracks certain types of traffic, for example TCP SYN, to ensure they stay within
the permitted parameters.

IP integrity
The FortiGate unit reads the packet headers to verify that the packet is a valid TCP, UDP,
ICMP or GRE packet. The only verification done at this step is to ensure that the protocol
header is the correct length. If it is, the packet is allowed to carry on to the next step. If
not, the packet is dropped.
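The IP integrity and DoS sensor stages above, as an added example that is not part of the handbook or of FortiOS: a Python ingress check that parses a raw IPv4 header (version, header length, total length, checksum) and enforces a minimum layer 4 header length for TCP, UDP, ICMP and GRE, followed by a SYN-rate sensor that, as the text says, tracks only TCP SYNs. The packets are constructed inside the block; the SYN threshold, the window and the minimum header lengths are assumptions made for the illustration, not FortiOS values.

```python
"""Ingress checks from the packet-flow description: IP integrity (version,
header length, checksum, layer 4 header length) and a SYN-rate DoS sensor.

Added illustration, not FortiOS code. Thresholds, window and the packet
builders are assumptions for the demo.
"""
import struct
from collections import deque

TCP, UDP, ICMP, GRE = 6, 17, 1, 47
MIN_L4_HEADER = {TCP: 20, UDP: 8, ICMP: 8, GRE: 4}   # assumed minimum lengths
SYN, ACK = 0x02, 0x10


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a header whose checksum field is
    already correct the result is 0, which is how validity is tested below."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_integrity(pkt: bytes):
    """Return (True, 'ok') or (False, reason); a False result means drop."""
    if len(pkt) < 20:
        return False, "truncated IP header"
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        return False, "not IPv4"
    if ihl < 20 or ihl > len(pkt):
        return False, "bad header length"
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        return False, "bad total length"
    if ipv4_checksum(pkt[:ihl]) != 0:
        return False, "bad header checksum"
    proto = pkt[9]
    if proto not in MIN_L4_HEADER:
        return False, "unsupported protocol"
    l4 = pkt[ihl:total_len]
    need = MIN_L4_HEADER[proto]
    if proto == TCP and len(l4) >= 13:
        need = max(need, (l4[12] >> 4) * 4)   # honour the TCP data offset
    if len(l4) < need:
        return False, "short layer 4 header"
    return True, "ok"


class SynFloodSensor:
    """Counts SYNs (SYN set, ACK clear) per destination in a sliding window;
    once the count exceeds the threshold the packet is reported as an attack."""

    def __init__(self, threshold: int = 100, window: float = 1.0):
        self.threshold, self.window = threshold, window
        self._seen = {}           # destination ip -> deque of SYN timestamps

    def observe(self, pkt: bytes, now: float) -> str:
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != TCP or (pkt[ihl + 13] & (SYN | ACK)) != SYN:
            return "pass"        # only SYNs are tracked, as the text says
        dst = ".".join(str(b) for b in pkt[16:20])
        q = self._seen.setdefault(dst, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return "block" if len(q) > self.threshold else "pass"


# --- constructed test packets (not captured traffic) -----------------------
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def corrupt_checksum(pkt: bytes) -> bytes:
    raw = bytearray(pkt)
    raw[10] ^= 0xFF             # flip bits in the checksum field
    return bytes(raw)


if __name__ == "__main__":
    syn = build_ipv4(TCP, "172.50.20.20", "172.20.120.129", tcp_header(1234, 80, SYN))
    print(ip_integrity(syn), ip_integrity(corrupt_checksum(syn)))
    sensor = SynFloodSensor(threshold=100, window=1.0)
    print([sensor.observe(syn, t / 1000) for t in range(101)][-1])
```

Two details worth noticing: a valid header checksums to zero when the checksum field is included in the sum, so no separate comparison is needed, and the sensor keys on the destination address, which is what a SYN flood against one server looks like regardless of how many spoofed sources it uses.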


IPsec
If the packet is an IPsec packet, the IPsec engine decrypts it. The IPsec engine applies
the correct keys to the IPsec packet so that the inner packet is decrypted and sent to the
next step. IPsec is bypassed for non-IPsec traffic and for IPsec traffic that the FortiGate
unit cannot decrypt.

Destination NAT
The FortiGate unit checks the NAT table and determines the destination IP address for the
traffic. This step establishes the real destination so that the routing step can determine
whether a route to that address actually exists.
For example, if a user's browser on the internal network at IP address 192.168.1.1 visited
the web site www.example.com using NAT, after passing through the FortiGate unit the
source IP address becomes NATed to the FortiGate unit external interface IP address.
The destination address of the reply back from www.example.com is therefore the IP
address of the FortiGate unit external interface. For this reply packet to be returned to the
user, the destination IP address must be destination NATed to 192.168.1.1.
For more information on network address translation, see "How address translation works"
on page 172.
DNAT must take place before routing so that the FortiGate unit can determine whether a
route to the destination address exists.

Routing
The routing step determines the outgoing interface to be used by the packet as it leaves
the FortiGate unit. In the previous step, the FortiGate unit determined the real destination
address, so it can now refer to its routing table and decide where the packet must go next.
Routing also distinguishes between local traffic and forwarded traffic.

Local delivery
Local delivery relates to traffic destined for the FortiGate unit itself. Typically, there are two
types of traffic; management traffic and tunneled SSL-VPN traffic.

Management traffic
This traffic is delivered to the FortiGate unit TCP/IP stack and is processed by applications
such as the web server that serves the FortiOS web-based manager, the SSH server for
the CLI, or the FortiGuard update service that handles local database updates. After
processing, the packets are sent to flow-based inspection and then out the outgoing
interface.

SSL-VPN traffic
For SSL-VPN traffic, the internal packets are decrypted and are routed to a special
interface. This interface is typically called ssl.root for decryption. Once decrypted, it goes
to policy lookup.

Policy lookup
The policy look up is where the FortiGate unit reviews the list of firewall policies which
govern the flow of network traffic, from the first entry to the last, to find a match for the
source and destination IP addresses and port numbers. The decision to accept or deny a
packet, after being verified as a valid request within the stateful inspection, occurs here. A
denied packet is discarded. An accepted packet will have further actions taken. If IPS is
enabled, the packet will go to Flow-based inspection, otherwise it will go to the
Proxy-based inspection.


If no other UTM options are enabled, then the session was only subject to stateful
inspection. If the action is accept, the packet will go to Source NAT to be ready to leave
the FortiGate unit.
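The policy lookup just described, as an added example that is not part of the handbook or of FortiOS: a Python first-match policy walk with a session table, so that the first packet of a session consults the policies top to bottom, later packets and replies are accepted from the session entry without a policy walk, and a packet that matches nothing hits the implicit deny. The policy fields follow the firewall components named in this chapter (interfaces, addresses, service, action); the data model and the sample policies are constructed for the illustration.

```python
"""First-match policy lookup with session tracking, modelling the 'Policy
lookup' step. Added illustration, not FortiOS code; the data model and the
sample policies are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    srcintf: str          # ingress interface
    dstintf: str          # egress interface, already decided by routing
    proto: str            # "tcp" / "udp" / "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str          # CIDR; "0.0.0.0/0" means all
    dstaddr: str
    service: str          # "tcp/80", "udp/53", "icmp" or "all"
    action: str           # "accept" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if (pkt.srcintf, pkt.dstintf) != (self.srcintf, self.dstintf):
            return False
        if ip_address(pkt.src_ip) not in ip_network(self.srcaddr):
            return False
        if ip_address(pkt.dst_ip) not in ip_network(self.dstaddr):
            return False
        if self.service == "all":
            return True
        proto, _, port = self.service.partition("/")
        return pkt.proto == proto and (port == "" or int(port) == pkt.dst_port)


class StatefulPolicyEngine:
    """Walks the policy list top to bottom for the first packet of a session.
    Later packets of that session, including replies in the opposite
    direction, match the session entry and never re-enter the policy walk.
    No match at all is the implicit deny (policy id 0)."""

    IMPLICIT_DENY = 0

    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions = {}        # 5-tuple -> id of the policy that accepted it

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def lookup(self, pkt: Packet):
        """Return (verdict, policy id)."""
        for key in (self._key(pkt), self._reverse(pkt)):
            if key in self.sessions:
                return "accept", self.sessions[key]
        for policy in self.policies:
            if policy.matches(pkt):
                if policy.action == "accept":
                    self.sessions[self._key(pkt)] = policy.policy_id
                return policy.action, policy.policy_id
        return "deny", self.IMPLICIT_DENY


def sample_policies():
    """Constructed sample: block telnet from one host, allow everything else
    from the internal network out wan1. Order matters (see the note below)."""
    return [
        Policy(1, "internal", "wan1", "10.10.10.50/32", "0.0.0.0/0", "tcp/23", "deny"),
        Policy(2, "internal", "wan1", "10.10.10.0/24", "0.0.0.0/0", "all", "accept"),
    ]


if __name__ == "__main__":
    engine = StatefulPolicyEngine(sample_policies())
    http = Packet("internal", "wan1", "tcp", "10.10.10.2", 40000, "172.50.20.20", 80)
    reply = Packet("wan1", "internal", "tcp", "172.50.20.20", 80, "10.10.10.2", 40000)
    print(engine.lookup(http), engine.lookup(reply))
    print(engine.lookup(Packet("wan1", "internal", "tcp", "172.50.20.20", 80, "10.10.10.2", 41000)))
```

Because the walk stops at the first match, ordering matters: with the deny for 10.10.10.50 placed below the accept-all policy it can never match, and the host gets telnet out. Checking a new policy against the ones above it, and checking that replies are admitted by the session rather than by an unnecessarily broad wan1-to-internal policy, is the review worth doing before the change goes live.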

Flow-based inspection
Flow-based inspection is responsible for IPS, application control and flow-based antivirus
scanning. All three are performed at the same time, with application control providing a
different set of traffic patterns to match.
Note: Flow-based antivirus scanning is only available on some FortiGate models.

Once the packet has passed the flow-based engine, it is sent to the proxy inspection
engine if the firewall policy is configured for web filtering, email filtering (antispam),
data leak prevention or proxy-based antivirus checking.

Proxy-based inspection
The proxy inspection engine is responsible for carrying out antivirus protection, email
filtering (antispam), web filtering and data leak prevention. The proxy engine will process
multiple packets to generate content before it is able to make a decision for a specific
packet.

IPsec
If the packet is to be transmitted through an IPsec tunnel, it is at this stage that the
encryption and required encapsulation are performed. For non-IPsec traffic this step is
bypassed.

Source NAT
When preparing the packet to leave the FortiGate unit, the unit translates the source
address of the packet, typically to the external interface IP address of the FortiGate unit.
For example, a packet from a user at 192.168.1.1 accessing www.example.com now
carries a valid external IP address as its source address.

Routing
The final routing step determines the outgoing interface to be used by the packet as it
leaves the FortiGate unit.

Exit
Upon completion of the scanning at the IP level, the packet exits the FortiGate unit.

Example 1: client/server connection
The following example illustrates the flow of a packet of a client/web server connection
with authentication and FortiGuard URL and antivirus filtering.


This example includes the following steps:
Initiating connection from client to web server
1 Client sends packet to web server.
2 Packet intercepted by FortiGate unit interface
2.1 Link level CRC and packet size checking. If the size is correct, the packet
continues, otherwise it is dropped.
3 DoS sensor - checks are done to ensure the sender is valid and not attempting a denial
of service attack.
4 IP integrity header checking, verifying the IP header length, version and checksums.
5 Next hop route
6 User authentication
7 Proxy inspection
7.1 Web Filtering
7.2 FortiGuard Web Filtering URL lookup
7.3 Antivirus scanning
8 Source NAT
9 Routing
10 Interface transmission to network
11 Packet forwarded to web server
Response from web server
1 Web server sends response packet to client.
2 Packet intercepted by FortiGate unit interface
2.1 Link level CRC and packet size checking.
3 IP integrity header checking.
4 DoS sensor
5 Proxy inspection
5.1 Antivirus scanning
6 Next hop route
7 Interface transmission to network
8 Packet returns to client


Figure 13 (diagram not reproduced): Client/server connection. Outbound, the client sends a packet to the web server: interface (link layer), DoS sensor, IP integrity header checking, stateful policy engine (session tracking, NAT, user authentication, routing), proxy inspection engine (web filter with FortiGuard web filtering lookup, antivirus), source NAT, routing, interface (link layer), packet exits to the Internet and the web server. Return: packet enters, interface (link layer), IP integrity header checking, DoS sensor, proxy inspection engine (antivirus), stateful policy engine (session tracking, source NAT, routing), interface (link layer), packet exits and returns to the client.

Example 2: Routing table update
This example includes the following steps:
1 FortiGate unit receives routing update packet
2 Packet intercepted by FortiGate unit interface
2.1 Link level CRC and packet size checking. If the size is correct, the packet
continues, otherwise it is dropped.
3 DoS sensor - checks are done to ensure the sender is valid and not attempting a denial
of service attack.
4 IP integrity header checking, verifying the IP header length, version and checksums.
5 Stateful policy engine
5.1 Management traffic (local traffic)
6 Routing module
6.1 Update routing table


Figure 14 (diagram not reproduced): Routing table update. The routing update packet passes the interface (link layer), the DoS sensor, IP integrity header checking and the stateful policy engine (management traffic), then reaches the routing module, which updates the routing table.

Example 3: Dialup IPsec with application control
This example includes the following steps:
1 FortiGate unit receives IPsec packet from Internet
2 Packet intercepted by FortiGate unit interface
2.1 Link level CRC and packet size checking. If the size is correct, the packet
continues, otherwise it is dropped.
3 DoS sensor - checks are done to ensure the sender is valid and not attempting a denial
of service attack.
4 IP integrity header checking, verifying the IP header length, version and checksums.
5 IPsec
5.1 Determines that the packet matches an IPsec phase 1 configuration
5.2 Decrypts packet
6 Next hop route
7 Stateful policy engine
7.1 Session tracking
8 Flow inspection engine
8.1 IPS
8.2 Application control
9 Source NAT
10 Routing
11 Interface transmission to network
12 Packet forwarded to internal server
Response from server
1 Server sends response packet
2 Packet intercepted by FortiGate unit interface
2.1 Link level CRC and packet size checking
3 IP integrity header checking.
4 DoS sensor


5 Flow inspection engine
5.1 IPS
5.2 Application control
6 Stateful policy engine
6.1 Session tracking
7 Next hop route
8 IPsec
8.1 Encrypts packet
9 Routing
10 Interface transmission to network
11 Encrypted Packet returns to internet
Figure 15 (diagram not reproduced): Dialup IPsec with application control. Inbound, an encrypted or encapsulated IPsec packet is received from the Internet: interface (link layer), DoS sensor, IP integrity header checking, IPsec (packet decryption), stateful policy engine (session tracking, NAT, next hop route), flow inspection engine (IPS, application control), source NAT, routing, interface (link layer), packet exits to the internal server. Return, the response packet from the internal server: interface (link layer), DoS sensor, IP integrity header checking, destination NAT, flow inspection engine (IPS, application control), stateful policy engine (session tracking, next hop route), routing, IPsec (packet encryption), interface (link layer), encrypted or encapsulated packet exits and returns to the source.


Firewall components
The FortiGate unit’s primary purpose is to act as a firewall to protect your networks from
unwanted attacks and to control the flow of network traffic. The FortiGate unit does this
through the use of firewall policies. The policies you create review the traffic passing
through the device to determine if the traffic is allowed into or out of the network, if it is
normal network traffic or encrypted VPN or SSL VPN traffic, where it is going and how it
should be handled.
Every firewall policy uses similar components. This chapter briefly describes these
components.
The following topics are included in this section:
• Interfaces
• Addressing
• Ports
• Services
• Schedules
• UTM profiles

Interfaces
Interfaces, both physical and virtual, enable traffic to flow to and from the internal network,
and the Internet and between internal networks. The FortiGate unit has a number of
options for setting up interfaces and groupings of subnetworks that can scale to a
company’s growing requirements.

Physical
FortiGate units have a number of physical ports where you connect Ethernet or optical
cables. Depending on the model they can have anywhere from four to 40 physical ports.
Some units have a grouping of ports labelled as internal, providing a built-in switch
functionality.
In FortiOS, the port names as labeled on the FortiGate unit appear in the web-based
manager, in the System Information widget on the Dashboard. They also appear when
you are configuring the interfaces, by going to System > Network > Interface. As shown
below, the FortiGate-100A has eight interfaces.
Figure 16 (diagram not reproduced): FortiGate-100A physical interfaces. Front panel labels: DC+12V, Console, USB, Internal 1 to 4, DMZ 1, DMZ 2, WAN 1, WAN 2.

Figure 17: FortiGate-100A interfaces on the Dashboard

Figure 18: Configuring the FortiGate-100A ports

Normally the internal interface is configured as a single interface shared by all physical
interface connections - a switch. The switch mode feature has two states - switch mode
and interface mode. Switch mode is the default mode with only one interface and one
address for the entire internal switch. Interface mode allows you to configure each of the
internal switch physical interface connections separately. This enables you to assign
different subnets and netmasks to each of the internal physical interface connections.
The larger FortiGate units can also include Advanced Mezzanine Cards (AMC), which
provide additional interfaces (Ethernet or optical) with throughput enhancements for more
efficient handling of specialized traffic. These interfaces appear in FortiOS as ports
amc/sw1, amc/sw2 and so on. In the following illustration, the FortiGate-3810A has three
AMC cards installed: two single-width (amc/sw1, amc/sw2) and one double-width
(amc/dw).
Figure 19: FortiGate-3810A AMC card port naming


For more information on configuring physical ports, see “Addressing” on page 193.

Administrative access
Interfaces, especially public-facing ports, can potentially be reached by people who
should not have access to the FortiGate unit. When setting up the FortiGate unit, you can
set the protocols an administrator may use to access the FortiGate unit through each
interface. The options include:
• HTTPS
• HTTP
• SSH
• TELNET
• PING
• SNMP
You can select as many, or as few, even none, of these for an interface. HTTP and
TELNET carry administrator credentials in clear text, so on a public-facing interface limit
access to HTTPS and SSH, or allow none at all.

Example
This example adds an IPv4 address 172.20.120.100 to the WAN1 interface as well as the
administrative access to HTTPS and SSH. As a good practice, set the administrative
access when you are setting the IP address for the port.
To add an IP address on the WAN1 interface - web-based manager
1 Go to System > Network > Interface.
2 Select the WAN1 interface row and select Edit.
3 Select the Addressing Mode of Manual.
4 Enter the IP address for the port of 172.20.120.100/24.
5 For Administrative Access select HTTPS and SSH.
6 Select OK.
To create IP address on the WAN1 interface - CLI
config system interface
edit wan1
set ip 172.20.120.100/24
set allowaccess https ssh
end
Note: When adding to, or removing a protocol, you must type the entire list again. For
example, if you have an access list of HTTPS and SSH, and you want to add PING, typing:
set allowaccess ping
...only PING will be set. In this case, you must type...
set allowaccess https ssh ping


Wireless
A wireless interface is like a physical interface except that it has no physical connection.
FortiWiFi units let you add multiple wireless interfaces that are available at the same time
(the FortiWiFi-30B can only have one wireless interface). On FortiWiFi units, you can
configure the device to be either an access point or a wireless client. As an access point,
the FortiWiFi unit can have up to four separate SSIDs, each on its own subnet for wireless
access. In client mode, the FortiWiFi has only one SSID and acts as a receiver, enabling
remote users to connect to the existing network over wireless.
Wireless interfaces also require additional security measures to ensure the signal is not
hijacked and data is not tampered with or stolen.

Aggregate
Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces
together to form an aggregated (combined) link. This new link has the bandwidth of all the
links combined. If a link in the group fails, traffic is transferred automatically to the
remaining interfaces with the only noticeable effect being a reduced bandwidth.
This is similar to redundant interfaces with the major difference being that a redundant
interface group only uses one link at a time, where an aggregate link group uses the total
bandwidth of the functioning links in the group.
Support of the IEEE standard 802.3ad for link aggregation is available on some models.
An interface is available to be an aggregate interface if:
• it is a physical interface, not a VLAN interface or subinterface
• it is not already part of an aggregate or redundant interface
• it is in the same VDOM as the aggregated interface
• it does not have an IP address and is not configured for DHCP or PPPoE
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not an HA heartbeat interface
• it is not one of the FortiGate-5000 series backplane interfaces
When an interface is included in an aggregate interface, it is not listed on the System >
Network > Interface screen. You cannot configure the interface individually and it is not
available for inclusion in firewall policies, VIPs, IP pools, or routing.
You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you will
lose the acceleration. For example, if you aggregate two accelerated interfaces you will
get slower throughput than if the two interfaces were separate.

Example
This example creates an aggregate interface on a FortiGate-3810A using ports 4-6 with
an internal IP address of 10.13.101.100, as well as the administrative access to HTTPS
and SSH.
To create an aggregate interface - web-based manager
1 Go to System > Network > Interface and select Create New.
2 Enter the Name as Aggregate.
3 For the Type, select 802.3ad Aggregate.
4 In the Available Interfaces list, select port 4, 5 and 6 and move it to the Selected
Interfaces list.


5 Select the Addressing Mode of Manual.
6 Enter the IP address for the port of 10.13.101.100/24.
7 For Administrative Access select HTTPS and SSH.
8 Select OK.
To create aggregate interface - CLI
config system interface
edit Aggregate
set type aggregate
set member port4 port5 port6
set vdom root
set ip 10.13.101.100/24
set allowaccess https ssh
end

Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual
units that function as multiple independent units. A single FortiGate unit is then flexible
enough to serve multiple departments of an organization, separate organizations, or to act
as the basis for a service provider’s managed security service.
Note: Some smaller FortiGate units do not support virtual domains.

VDOMs provide separate security domains that allow separate zones, user authentication,
firewall policies, routing, and VPN configurations. By default, each FortiGate unit has a
VDOM named root. This VDOM includes all of the FortiGate physical interfaces, modem,
VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.
Management systems such as SNMP, logging, alert email, FDN-based updates and
NTP-based time setting use addresses and routing in the management VDOM to
communicate with the network. They can connect only to network resources that
communicate with the management virtual domain.
When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create
firewall policies for connections between Virtual LAN (VLAN) subinterfaces or zones in the
VDOM. Packets do not cross the virtual domain border internally. To travel between
VDOMs, a packet must pass through a firewall on a physical interface. The packet then
arrives at another VDOM on a different interface, but it must pass through another firewall
before entering the VDOM. Both VDOMs are on the same FortiGate unit. Inter-VDOM
links change this behavior in that they are internal interfaces; however, packets crossing
them go through all the same security measures as on physical interfaces.
The remainder of the FortiGate unit’s functionality is global—it applies to all VDOMs on the
unit. This means there is one intrusion prevention configuration, one antivirus
configuration, one web filter configuration, one protection profile configuration, and so on.
Increasing VDOMs involves no extra hardware, no shipping, and very few changes to
existing networking. They take no extra physical space—you are limited only by the size of
the license you buy for your VDOMs.
All FortiGate units, except the 30B series, support 10 VDOMs by default. High-end
FortiGate models support the purchase of a VDOM license key from customer service to
increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500. Configuring 250 or
more VDOMs will result in reduced system performance.

Table 9: VDOM support by FortiGate model
FortiGate model            Support VDOMs   Default VDOM maximum   Maximum VDOM license
30B series                 no              0                      0
Low and mid-range models   yes             10                     10
High-end models            yes             10                     500

Note: Your FortiGate unit has limited resources that are divided amongst all configured
VDOMs. These resources include system memory, and CPU. When running 250 or more
VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web
filtering, or antivirus—your FortiGate unit can only provide basic firewall functionality.

Example
This example shows how to enable VDOMs on the FortiGate unit, create a VDOM named
accounting on the DMZ2 port, and assign an administrator to maintain the VDOM.
First enable Virtual Domains on the FortiGate unit. When you enable VDOMs, the
FortiGate unit logs you out.
To enable VDOMs - web-based manager
1 Go to System > Dashboard > Status.
2 In the System Information widget, select Enable for Virtual Domain.
The FortiGate unit logs you out. Enter your user name and password to log back in. You
will notice that the menu structure has changed. This reflects the global settings for all
Virtual Domains.
To enable VDOMs - CLI
config system global
set vdom-admin enable
end
Next, add the VDOM called accounting.
To add a VDOM - web-based manager
1 Go to System > VDOM > VDOM, and select Create New.
2 Enter the VDOM name accounting.
3 Select OK.
To add a VDOM - CLI
config vdom
edit accounting
end
With the Virtual Domain created, you can assign a physical interface to it, and assign it an
IP address.
To assign a physical interface to the accounting Virtual Domain - web-based manager
1 Go to System > Network > Interface.
2 Select the DMZ2 port row and select Edit.
3 For the Virtual Domain drop-down list, select accounting.
4 Select the Addressing Mode of Manual.


5 Enter the IP address for the port of 10.13.101.100/24.
6 Set the Administrative Access to HTTPS and SSH.
7 Select OK.
To assign a physical interface to the accounting Virtual Domain - CLI
config global
config system interface
edit dmz2
set vdom accounting
set ip 10.13.101.100/24
set allowaccess https ssh
next
end
end

Virtual LANs
The term VLAN subinterface correctly implies the VLAN interface is not a complete
interface by itself. You add a VLAN subinterface to the physical interface that receives
VLAN-tagged packets. The physical interface can belong to a different VDOM than the
VLAN, but it must be connected to a network route that is configured for this VLAN.
Without that route, the VLAN will not be connected to the network, and VLAN traffic will not
be able to access this interface. The traffic on the VLAN is separate from any other traffic
on the physical interface.
FortiGate unit interfaces cannot have overlapping IP addresses—the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces and to
virtual interfaces such as VLAN subinterfaces. Each VLAN subinterface must be
configured with its own IP address and netmask. This rule helps prevent a broadcast
storm or other similar network problems.
Any FortiGate unit (without VDOMs enabled) or VDOM can have a maximum of 255
interfaces in Transparent operating mode. In NAT/Route operating mode, the number can
range from 255 to 8192 interfaces per VDOM, depending on the FortiGate model. These
numbers include VLANs, other virtual interfaces, and physical interfaces. To have more
than 255 interfaces configured in Transparent operating mode, you need to configure
multiple VDOMs with many interfaces on each VDOM.

Example
This example shows how to add a VLAN, vlan_accounting on the FortiGate unit internal
interface with an IP address of 10.13.101.101.
To add a VLAN - web-based manager
1 Go to System > Network > Interface and select Create New.
The Type is by default set to VLAN.
2 Enter the name vlan_accounting for the VLAN.
3 Select the Internal interface.
4 Enter the VLAN ID.
The VLAN ID is a number between 1 and 4094 that allows groups of IP addresses with
the same VLAN ID to be associated together.
5 Select the Addressing Mode of Manual.
6 Enter the IP address for the port of 10.13.101.101/24.


7 Set the Administrative Access to HTTPS and SSH.
8 Select OK.
To add a VLAN - CLI
config system interface
edit VLAN_1
set interface internal
set type vlan
set vlanid 100
set ip 10.13.101.101/24
set allowaccess https ssh
next
end

Zones
Zones are a group of one or more FortiGate interfaces, both physical and virtual, that you
can apply firewall policies to control inbound and outbound traffic. Grouping interfaces and
VLAN subinterfaces into zones simplifies the creation of firewall policies where a number
of network segments can use the same policy settings and protection profiles. When you
add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the
zone.
For example, in the illustration below, the network includes three separate groups of users
representing different entities on the company network. While each group has its own set
of ports and VLANs, they can all use the same firewall policy and protection profiles to
access the Internet. Rather than the administrator making nine separate firewall policies,
he can add the required interfaces to a zone and create three policies, making
administration simpler.
Figure 20: Network zones
[Figure: Zone 1 (WAN1, DMZ1, VLAN 1, 2, 4) with Zone 1 policies; Zone 2 (Internal ports
1, 2, 3) with Zone 2 policies; Zone 3 (WAN2, DMZ2, VLAN 3) with Zone 3 policies; each
zone's policies connect it to the Internet]


You can configure policies for connections to and from a zone, but not between interfaces
in a zone. Using the above example, you can create a firewall policy to go between zone 1
and zone 3, but not between WAN2 and WAN1, or WAN1 and DMZ1.


Example
This example explains how to set up a zone on the FortiGate unit to include the Internal
interface and a VLAN.
To create a zone - web-based manager
1 Go to System > Network > Zone, and select Create New.
2 Enter a zone name of Zone_1.
3 Select the Internal interface and the virtual LAN interface vlan_accounting from the
previous section.
4 Select OK.
To create a zone - CLI
config system zone
edit Zone_1
set interface internal VLAN_1
end

Addressing
Firewall addresses and address groups define network addresses that you can use when
configuring a firewall policy's source and destination address fields. The FortiGate unit
compares the IP addresses contained in packet headers with firewall policy source and
destination addresses to determine if the firewall policy matches the traffic. Addressing in
firewall policies can be IPv4 addresses and address ranges, IPv6 addresses, and fully
qualified domain names (FQDNs).
A firewall address can contain one or more network addresses. Network addresses can
be represented by an IP address with a netmask, an IP address range, or a fully qualified
domain name (FQDN).
When representing hosts by an IP address with a netmask, the IP address can represent
one or more hosts. For example, a firewall address can be:
• a single computer, such as 192.45.46.45
• a subnetwork, such as 192.168.1.0 for a class C subnet
• 0.0.0.0, which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be
represented in either dotted decimal or CIDR format. The FortiGate unit automatically
converts CIDR formatted netmasks to dotted decimal format. Example formats:
• netmask for a single computer: 255.255.255.255, or /32
• netmask for a class A subnet: 255.0.0.0, or /8
• netmask for a class B subnet: 255.255.0.0, or /16
• netmask for a class C subnet: 255.255.255.0, or /24
• netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:
• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24


Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid firewall
address.

When representing hosts by an IP Range, the range indicates hosts with contiguous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the
complete range of hosts on that subnet. Valid IP Range formats include:
• x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
• x.x.x.[x-x], such as 192.168.110.[100-120]
• x.x.x.*, such as 192.168.110.*

When representing hosts by a FQDN, the domain name can be a subdomain, such as
mail.example.com. A single FQDN firewall address may be used to apply a firewall policy
to multiple hosts, as in load balancing and high availability (HA) configurations. FortiGate
units automatically resolve and maintain a record of all addresses to which the FQDN
resolves. Valid FQDN formats include:
• <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as
mail.example.com
• <host_name>.<top_level_domain_name>
Caution: Be cautious when employing FQDN firewall addresses. Using a fully qualified
domain name in a firewall policy, while convenient, does present some security risks,
because policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.
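The address formats above, worked through in code. This is an added example, not FortiOS code: it parses each firewall address form the handbook lists (IP with dotted or CIDR netmask, the three IP range notations, a bare host address, an FQDN), compares a packet's header address against it the way a policy lookup would, and rejects the one combination the note calls invalid, 0.0.0.0 with netmask 255.255.255.255. The DNS table is constructed for the example; a real unit resolves FQDN addresses through its configured DNS servers, which is exactly the dependency the caution above is about.

```python
"""Firewall address parsing and matching, modelled on the formats above.

Added example (not FortiOS code).  SAMPLE_DNS stands in for the DNS
lookups a FortiGate makes for an FQDN address.
"""
import ipaddress
import re

# Constructed DNS answers for the FQDN example.
SAMPLE_DNS = {"mail.example.com": ["192.0.2.10", "192.0.2.11"]}

_OCTET = r"\d{1,3}"
_PREFIX3 = r"\.".join([_OCTET] * 3)            # x.x.x
_DOTTED = _PREFIX3 + r"\." + _OCTET            # x.x.x.x
_HOST_RE = re.compile(_DOTTED)
_RANGE_RE = re.compile("(" + _DOTTED + ")-(" + _DOTTED + ")")                  # x.x.x.x-x.x.x.x
_BRACKET_RE = re.compile("(" + _PREFIX3 + r")\.\[(" + _OCTET + ")-(" + _OCTET + r")\]")  # x.x.x.[x-x]
_STAR_RE = re.compile("(" + _PREFIX3 + r")\.\*")                                # x.x.x.*


def _int(ip):
    return int(ipaddress.IPv4Address(ip))


def _checked_range(spec, lo, hi):
    if lo > hi:
        raise ValueError(f"range is reversed: {spec}")
    return "iprange", lo, hi


def parse_address(spec):
    """Return (type, first, last): type is 'ipmask', 'iprange' or 'fqdn';
    first/last are inclusive integer bounds (None for an FQDN, resolved at match time)."""
    if spec == "0.0.0.0":                      # bare 0.0.0.0 matches any IP address
        return "ipmask", 0, 2 ** 32 - 1
    if "/" in spec:                            # x.x.x.x/x or x.x.x.x/x.x.x.x
        ip, mask = spec.split("/", 1)
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        if ip == "0.0.0.0" and net.prefixlen == 32:
            raise ValueError("0.0.0.0 with netmask 255.255.255.255 is not a valid firewall address")
        return "ipmask", int(net.network_address), int(net.broadcast_address)
    if _HOST_RE.fullmatch(spec):               # bare address: a single host (/32)
        return "ipmask", _int(spec), _int(spec)
    m = _RANGE_RE.fullmatch(spec)
    if m:
        return _checked_range(spec, _int(m.group(1)), _int(m.group(2)))
    m = _BRACKET_RE.fullmatch(spec)
    if m:
        base, lo, hi = m.groups()
        return _checked_range(spec, _int(f"{base}.{lo}"), _int(f"{base}.{hi}"))
    m = _STAR_RE.fullmatch(spec)               # every host on that /24
    if m:
        return _checked_range(spec, _int(m.group(1) + ".0"), _int(m.group(1) + ".255"))
    return "fqdn", None, None                  # anything else is treated as a domain name


def is_valid_spec(spec):
    try:
        parse_address(spec)
        return True
    except ValueError:                         # AddressValueError/NetmaskValueError included
        return False


class FirewallAddress:
    def __init__(self, name, spec, resolver=SAMPLE_DNS.get):
        self.name, self.spec = name, spec
        self.type, self.first, self.last = parse_address(spec)
        self._resolve = resolver

    def matches(self, packet_ip):
        """True when the packet's address falls inside this firewall address."""
        ip = _int(packet_ip)
        if self.type == "fqdn":
            # The unit keeps every address the name resolves to; any of them matches.
            return ip in {_int(a) for a in (self._resolve(self.spec) or [])}
        return self.first <= ip <= self.last


def first_match(addresses, packet_ip):
    """Name of the first address (in list order) matching packet_ip, or None."""
    return next((a.name for a in addresses if a.matches(packet_ip)), None)


# Constructed address list, ordered most specific first as a policy list would be.
SAMPLE_ADDRESSES = [
    FirewallAddress("Mail_Server", "mail.example.com"),
    FirewallAddress("Guest_Range", "192.168.110.[100-120]"),
    FirewallAddress("Lab_Subnet", "192.168.1.0/255.255.255.0"),
    FirewallAddress("All", "0.0.0.0/0.0.0.0"),
]
```

`first_match` stops at the first hit, so, as with a real policy list, the all-matching `0.0.0.0` entry only catches what nothing above it claimed.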

Example
This example adds an IPv4 firewall address named Guest for guest users, with the
address 10.13.101.100/24, bound to the port1 interface.
To add a firewall IP address to the port1 interface - web-based manager
1 Go to Firewall > Address > Address and select Create New.
2 For the Address Name, enter Guest.
3 Leave the Type as Subnet/IP Range.
4 Enter the IP address of 10.13.101.100/24.
5 For the Interface, select port1.
6 Select OK.
To add a firewall IP address to the port1 interface- CLI
config firewall address
edit Guest
set type ipmask
set subnet 10.13.101.100/24
set associated-interface port1
end


Example
This example adds an IPv4 firewall address range for guest users with the range of
10.13.101.100 to 10.13.101.110 addresses on any interface. By setting the interface to
Any, the address range is not bound to a specific interface on the FortiGate unit.
To add a firewall IP address range on any interface - web-based manager
1 Go to Firewall > Address > Address and select Create New.
2 For the Address Name, enter Guest.
3 Leave the Type as Subnet/IP Range.
4 Enter the IP address range of 10.13.101.[100-110].
5 For the Interface, select Any.
6 Select OK.
To add a firewall IP address range on any interface - CLI
config firewall address
edit Guest
set type iprange
set start-ip 10.13.101.100
set end-ip 10.13.101.110
end

Fully Qualified Domain Name addresses
Using Fully Qualified Domain Name (FQDN) addresses in firewall policies has the
advantage of causing the FortiGate unit to keep track of DNS TTLs and adapt as records
change. As long as the FQDN address is used in a firewall policy, it stores the address in
the DNS cache. The FortiGate unit will query the DNS for an amount of time specified, in
seconds, and update the cache as required. This feature can reduce maintenance
requirements for changing firewall addresses for dynamic IP addresses. This also means
that you can create firewall policies for networks configured with dynamic addresses using
DHCP.
You specify the TTL time in the CLI. For example, to set the TTL to 30 minutes on an
FQDN of www.example.com on port1, enter the following commands:
config firewall address
edit FQDN_example
set type fqdn
set associated-interface port1
set fqdn www.example.com
set cache-ttl 1800
end

Virtual IPs
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP
addresses and ports of packets received by a network interface. When the FortiGate unit
receives inbound packets matching a firewall policy whose Destination Address field is a
virtual IP, the FortiGate unit applies NAT, replacing packets’ IP addresses with the virtual
IP’s mapped IP address.


IP pools, similarly to virtual IPs, can be used to configure aspects of NAT; however, IP
pools configure dynamic translation of packets’ IP addresses based on the Destination
Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packets’ IP
addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy.
Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies
that include Virtual IPs and IP pools. See “Adding NAT firewall policies in transparent mode”
on page 265.

Virtual IPs can specify translations of packets’ port numbers and/or IP addresses for both
inbound and outbound connections. In Transparent mode, virtual IPs are available from
the FortiGate CLI.

Example
This example adds a virtual IP of 10.13.100.1 that allows users on the Internet to connect
to a web server on the DMZ IP address of 192.168.1.1. In the example, the wan1 interface
of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to
the DMZ network.
To add a static NAT virtual IP for a single IP address - web-based manager
1 Go to Firewall > Virtual IP > Virtual IP and select Create New.
2 For the Name, enter Static_NAT.
3 Select the External interface of wan1.
4 Enter the External IP Address of 10.13.100.1.
5 Enter the Mapped IP Address of 192.168.1.1.
6 Select OK.
To add a static NAT virtual IP for a single IP address - CLI
config firewall vip
edit Static_NAT
set extintf wan1
set extip 10.13.100.1
set mappedip 192.168.1.1
end

Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to
apply bidirectional NAT, also known as inbound NAT.
When comparing packets with the firewall policy list to locate a matching policy, if a firewall
policy's Destination Address is a virtual IP, the FortiGate unit compares the packets'
destination address to the virtual IP's external IP address. If they match, the FortiGate unit
applies the virtual IP's inbound NAT mapping, which specifies how the FortiGate unit
translates network addresses and/or port numbers of packets from the receiving (external)
network interface to the network interface connected to the destination (mapped) IP
address or IP address range.


In addition to specifying IP address and port mappings between interfaces, virtual IP
configurations can optionally bind an additional IP address or IP address range to the
receiving network interface. By binding an additional IP address, you can configure a
separate set of mappings that the FortiGate unit can apply to packets whose destination
matches that bound IP address, rather than the IP address already configured for the
network interface.
Depending on your configuration of the virtual IP, its mapping may involve port address
translation (PAT), also known as port forwarding or network address port translation
(NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your
selection of:
• static vs. dynamic NAT mapping
• the dynamic NAT's load balancing style, if using dynamic NAT mapping
• full NAT vs. destination NAT (DNAT)

The following table describes combinations of PAT and/or NAT that are possible when
configuring a firewall policy with a virtual IP.
Static NAT
Static, one-to-one NAT mapping: an external IP address is always translated to
the same mapped IP address.
If using IP address ranges, the external IP address range corresponds to a
mapped IP address range containing an equal number of IP addresses, and
each IP address in the external range is always translated to the same IP
address in the mapped range.

Static NAT with Port Forwarding
Static, one-to-one NAT mapping with port forwarding: an external IP address is
always translated to the same mapped IP address, and an external port number
is always translated to the same mapped port number.
If using IP address ranges, the external IP address range corresponds to a
mapped IP address range containing an equal number of IP addresses, and
each IP address in the external range is always translated to the same IP
address in the mapped range. If using port number ranges, the external port
number range corresponds to a mapped port number range containing an equal
number of port numbers, and each port number in the external range is always
translated to the same port number in the mapped range.

Server Load Balancing
Dynamic, one-to-many NAT mapping: an external IP address is translated to one
of the mapped IP addresses, as determined by the selected load balancing
algorithm for more even traffic distribution. The external IP address is not always
translated to the same mapped IP address.
Server load balancing requires that you configure at least one “real” server, but
can use up to eight. Real servers can be configured with health check monitors.
Health check monitors can be used to gauge server responsiveness before
forwarding packets.

Server Load Balancing with Port Forwarding
Dynamic, one-to-many NAT mapping with port forwarding: an external IP
address is translated to one of the mapped IP addresses, as determined by the
selected load balancing algorithm for more even traffic distribution. The external
IP address is not always translated to the same mapped IP address.
Server load balancing requires that you configure at least one “real” server, but
can use up to eight. Real servers can be configured with health check monitors.
Health check monitors can be used to gauge server responsiveness before
forwarding packets.

Note: If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full (source and destination) NAT; instead, it performs destination
network address translation (DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP
address, but does not translate the source address. The private network is aware of the
source’s public IP address. For reply traffic, the FortiGate unit translates packets’ private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.


A typical example of static NAT is to allow client access from a public network to a web
server on a private network that is protected by a FortiGate unit. Reduced to its essence,
this example involves only three hosts, as shown in Figure 21: the web server on a private
network, the client computer on another network, such as the Internet, and the FortiGate
unit connecting the two networks.
When a client computer attempts to contact the web server, it uses the virtual IP on the
FortiGate unit’s external interface. The FortiGate unit receives the packets. The addresses
in the packets are translated to private network IP addresses, and the packet is forwarded
to the web server on the private network.
Figure 21: A simple static NAT virtual IP example

The packets sent from the client computer have a source IP of 192.168.37.55 and a
destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external
interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings
map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets’ addresses.
The source address is changed to 10.10.10.2 and the destination is changed to
10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session
table it maintains internally. The packets are then sent on to the web server.
Figure 22: Example of packet address remapping during NAT from client to server

Note that the client computer’s address does not appear in the packets the server
receives. After the FortiGate unit translates the network addresses, there is no reference
to the client computer’s IP address, except in its session table. The web server has no
indication that another network exists. As far as the server can tell, all packets are sent by
the FortiGate unit.
When the web server replies to the client computer, address translation works similarly,
but in the opposite direction. The web server sends its response packets having a source
IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit
receives these packets on its internal interface. This time, however, the session table is
used to recall the client computer’s IP address as the destination address for the address
translation. In the reply packets, the source address is changed to 192.168.37.4 and the
destination is changed to 192.168.37.55. The packets are then sent on to the client
computer.
The web server’s private IP address does not appear in the packets the client receives.
After the FortiGate unit translates the network addresses, there is no reference to the web
server’s network. The client has no indication that the web server’s IP address is not the
virtual IP. As far as the client is concerned, the FortiGate unit’s virtual IP is the web server.


Figure 23: Example of packet address remapping during NAT from server to client

In the previous example, the NAT check box is checked when configuring the firewall
policy. If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full NAT; instead, it performs destination network address
translation (DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP
address, but does not translate the source address. The web server would be aware of
the client’s IP address. For reply traffic, the FortiGate unit translates packets’ private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.

Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an
outbound firewall policy. If no virtual IPs are configured, FortiGate units apply traditional
outbound NAT to connections outbound from private network IP addresses to public
network IP addresses. However, if virtual IP configurations exist, FortiGate units use
virtual IPs’ inbound NAT mappings in reverse to apply outbound NAT, causing IP address
mappings for both inbound and outbound traffic to be symmetric.
For example, if a network interface's IP address is 10.10.10.1, and its bound virtual IP's
external IP is 10.10.10.2, mapping inbound traffic to the private network IP address
192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not
10.10.10.1.
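The static NAT walkthrough of Figures 21 to 23 and the outbound reverse mapping just described, replayed as an added example that is not FortiOS code. It models a FortiGate unit with one static NAT virtual IP and the session table it keeps: with the policy's NAT check box selected the client's source address is rewritten to the internal interface address 10.10.10.2 (full NAT), and with it cleared only the destination is rewritten (DNAT), so the web server sees the client's real address. The outbound function shows the mapped host leaving as the VIP's external IP rather than the interface IP. The external interface's own address 192.168.37.1 and the outbound destination 203.0.113.5 are assumptions the handbook does not give; Packet, VirtualIP and FortiGateNAT are names chosen for this example.

```python
"""Static NAT virtual IP packet flow with a session table (added example,
not FortiOS code).  Addresses follow Figures 21-23 and the outbound
example above; the wan1 interface IP 192.168.37.1 is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class VirtualIP:
    name: str
    extintf: str   # interface the external IP is bound to
    extip: str     # external (public-facing) address
    mappedip: str  # private address it maps to


class FortiGateNAT:
    def __init__(self, interfaces, vips, policy_nat):
        self.interfaces = interfaces   # interface name -> its own IP address
        self.vips = vips
        self.policy_nat = policy_nat   # True: NAT box checked (full NAT); False: DNAT
        # (server ip, translated client ip) -> (real client ip, VIP external ip)
        self.sessions = {}

    def inbound(self, pkt, in_intf, out_intf):
        """Client -> server: match the destination against the VIP's external IP."""
        vip = next((v for v in self.vips
                    if v.extintf == in_intf and v.extip == pkt.dst), None)
        if vip is None:
            return pkt                  # no VIP policy matched; left untouched here
        new_src = self.interfaces[out_intf] if self.policy_nat else pkt.src
        out = Packet(src=new_src, dst=vip.mappedip)
        # Only the session table still knows the client's real address.
        self.sessions[(out.dst, out.src)] = (pkt.src, vip.extip)
        return out

    def reply(self, pkt):
        """Server -> client: recall the original client from the session table."""
        try:
            client_ip, vip_ext = self.sessions[(pkt.src, pkt.dst)]
        except KeyError:
            raise LookupError("no session matches this reply; it would be dropped") from None
        return Packet(src=vip_ext, dst=client_ip)

    def outbound(self, pkt, out_intf):
        """Private host initiating outbound: the VIP mapping is applied in reverse,
        so the host appears as the VIP's external IP, not the interface IP."""
        vip = next((v for v in self.vips
                    if v.extintf == out_intf and v.mappedip == pkt.src), None)
        return Packet(src=vip.extip if vip else self.interfaces[out_intf], dst=pkt.dst)


def inbound_walkthrough(policy_nat):
    """Replay the client/server exchange of Figures 22 and 23."""
    fg = FortiGateNAT(
        interfaces={"wan1": "192.168.37.1", "internal": "10.10.10.2"},  # wan1 IP assumed
        vips=[VirtualIP("Static_NAT", "wan1", "192.168.37.4", "10.10.10.42")],
        policy_nat=policy_nat,
    )
    request = fg.inbound(Packet("192.168.37.55", "192.168.37.4"), "wan1", "internal")
    # The web server answers the addresses it saw, swapped.
    response = fg.reply(Packet(request.dst, request.src))
    return {"to_server": request, "to_client": response}


def outbound_walkthrough():
    """The outbound example: interface 10.10.10.1, VIP 10.10.10.2 -> 192.168.2.1."""
    fg = FortiGateNAT(
        interfaces={"wan1": "10.10.10.1"},
        vips=[VirtualIP("Web_VIP", "wan1", "10.10.10.2", "192.168.2.1")],
        policy_nat=True,
    )
    mapped_host = fg.outbound(Packet("192.168.2.1", "203.0.113.5"), "wan1")   # dst constructed
    other_host = fg.outbound(Packet("192.168.2.50", "203.0.113.5"), "wan1")
    return {"mapped_host": mapped_host, "other_host": other_host}


if __name__ == "__main__":
    for nat in (True, False):
        print("full NAT" if nat else "DNAT", inbound_walkthrough(nat))
    print("outbound", outbound_walkthrough())
```

Running the two inbound cases side by side makes the operational difference visible: under full NAT the server's logs show only 10.10.10.2 for every client, so correlating a server-side event back to an Internet source requires the FortiGate session table or its traffic logs, whereas under DNAT the server records the real client address.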

Virtual IP, load balance virtual server / real server limitations
The following limitations apply when adding virtual IPs, load balancing virtual servers, and
load balancing real servers. Load balancing virtual servers are actually server load
balancing virtual IPs. You can add server load balance virtual IPs from the CLI.
• Virtual IP External IP Address/Range entries or ranges cannot overlap with each
other or with load balancing virtual server Virtual Server IP entries.
• A virtual IP Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
• A real server IP cannot be 0.0.0.0 or 255.255.255.255.
• If a static NAT virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP
Address/Range must be a single IP address.
• If a load balance virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP
Address/Range can be an address range.
• When port forwarding, the count of mapped port numbers and external port
numbers must be the same. The web-based manager does this automatically but
the CLI does not.
• Virtual IP and virtual server names must be different from firewall address or address
group names.
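Because the CLI does not enforce the port-count rule for you, the limitations above are worth checking before a configuration is pushed. The following is an added example, not FortiOS code or its own validation: it applies each listed rule to VIP and virtual-server definitions written as dicts whose keys mirror the CLI keywords (extintf, extip, mappedip, extport, mappedport). Treating two external ranges as overlapping only when they share an external interface is this example's assumption; the handbook states the rule without that qualification. The sample definitions are constructed.

```python
"""Pre-push check of the virtual IP limitations listed above (added example,
not FortiOS code).  Per-interface overlap checking is this example's assumption.
"""
import ipaddress

ANY_IP = "0.0.0.0"
BROADCAST = 2 ** 32 - 1


def ip_range(spec):
    """'a.b.c.d' or 'a.b.c.d-w.x.y.z' -> inclusive (first, last) as integers."""
    first, _, last = spec.partition("-")
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last)) if last else lo
    if hi < lo:
        raise ValueError(f"reversed range: {spec}")
    return lo, hi


def port_count(spec):
    """'80' or '8000-8010' -> number of ports covered; None when not set."""
    if not spec:
        return None
    first, _, last = spec.partition("-")
    return int(last or first) - int(first) + 1


def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def validate_vips(vips, virtual_servers=(), address_names=()):
    """Apply the listed limitations; return the violations found (empty = acceptable)."""
    problems = []
    # External ranges already claimed, as (interface, lo, hi, owner).
    claimed = [(vs["extintf"], *ip_range(vs["ip"]), vs["name"]) for vs in virtual_servers]

    for vs in virtual_servers:
        for rs in vs.get("realservers", []):
            if rs in (ANY_IP, "255.255.255.255"):
                problems.append(f"{vs['name']}: real server IP {rs} is not allowed")
        if vs["name"] in address_names:
            problems.append(f"{vs['name']}: name collides with a firewall address or group")

    for vip in vips:
        name = vip["name"]
        kind = vip.get("type", "static-nat")          # or "load-balance"
        ext, mapped = ip_range(vip["extip"]), ip_range(vip["mappedip"])

        for intf, lo, hi, owner in claimed:
            if intf == vip["extintf"] and ranges_overlap(ext, (lo, hi)):
                problems.append(f"{name}: external range overlaps {owner}")
        claimed.append((vip["extintf"], *ext, name))

        if mapped[0] == 0 or mapped[1] == BROADCAST:
            problems.append(f"{name}: mapped IP cannot be 0.0.0.0 or 255.255.255.255")
        if vip["extip"] == ANY_IP and kind == "static-nat" and mapped[0] != mapped[1]:
            problems.append(f"{name}: external 0.0.0.0 on a static NAT VIP needs a single mapped IP")
        if vip.get("portforward") and port_count(vip.get("extport")) != port_count(vip.get("mappedport")):
            problems.append(f"{name}: external and mapped port counts differ")
        if name in address_names:
            problems.append(f"{name}: name collides with a firewall address or group")
    return problems


# Constructed samples.  Address names come from the Guest / accounting examples above.
SAMPLE_ADDRESS_NAMES = ["Guest", "accounting"]

GOOD_VIPS = [
    {"name": "Static_NAT", "extintf": "wan1", "extip": "10.13.100.1", "mappedip": "192.168.1.1"},
    {"name": "Web_PF", "extintf": "wan1", "extip": "10.13.100.2", "mappedip": "192.168.1.2",
     "portforward": True, "extport": "8080-8081", "mappedport": "80-81"},
]

BAD_VIPS = [
    {"name": "Static_NAT", "extintf": "wan1", "extip": "10.13.100.1", "mappedip": "192.168.1.1"},
    {"name": "Overlap", "extintf": "wan1", "extip": "10.13.100.1-10.13.100.5",
     "mappedip": "192.168.1.10-192.168.1.14"},
    {"name": "Guest", "extintf": "wan1", "extip": "10.13.100.9", "mappedip": "0.0.0.0"},
    {"name": "IfaceIP", "extintf": "wan2", "extip": "0.0.0.0", "mappedip": "192.168.1.20-192.168.1.21"},
    {"name": "Ports", "extintf": "wan2", "extip": "10.13.100.30", "mappedip": "192.168.1.30",
     "portforward": True, "extport": "80", "mappedport": "8080-8081"},
]
BAD_VSERVERS = [
    {"name": "LB_Web", "extintf": "wan1", "ip": "10.13.100.50",
     "realservers": ["192.168.1.51", "255.255.255.255"]},
]
```

`validate_vips(BAD_VIPS, BAD_VSERVERS, SAMPLE_ADDRESS_NAMES)` reports six violations, one per broken rule plus the name collision on Guest, while the GOOD_VIPS set passes cleanly.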


Address groups
Similar to zones, if you have a number of addresses or address ranges that require the
same firewall policies, you can put them into address groups, rather than creating multiple
similar policies. Because firewall policies require addresses with homogenous network
interfaces, address groups should contain only addresses bound to the same network
interface, or to Any — addresses whose selected interface is Any are bound to a network
interface during creation of a firewall policy, rather than during creation of the firewall
address.
For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated
with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are
configured with an interface of Any, they can be grouped, even if the addresses involve
different networks.
You cannot mix IPv4 firewall addresses and IPv6 firewall addresses in the same address
group.
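The two membership rules above (same bound interface or Any; no IPv4/IPv6 mixing) as a check on a candidate group, added here as an example that is not FortiOS code. Each member carries the fields a firewall address has (name, subnet, IP version, associated interface); the sample addresses are constructed and follow the 1.1.1.1/2.2.2.2 illustration. Treating a member bound to Any as compatible with members bound to one specific interface is this example's reading of the rule, since the handbook only gives the port1/port2 and Any/Any cases.

```python
"""Address group membership check (added example, not FortiOS code)."""


def validate_address_group(name, members):
    """Return the reasons the group is invalid (empty list when it is allowed)."""
    problems = []
    versions = {m["version"] for m in members}
    if len(versions) > 1:
        problems.append(f"{name}: mixes IPv4 and IPv6 firewall addresses")
    # Every interface binding other than Any must be the same interface;
    # Any members are bound later, when the policy is created (assumption: they
    # may sit alongside members bound to one specific interface).
    bound = {m["interface"] for m in members if m["interface"].lower() != "any"}
    if len(bound) > 1:
        problems.append(f"{name}: members bound to different interfaces: {sorted(bound)}")
    return problems


# Constructed sample addresses.
HOST_A = {"name": "Host_A", "subnet": "1.1.1.1/32", "version": 4, "interface": "port1"}
HOST_B = {"name": "Host_B", "subnet": "2.2.2.2/32", "version": 4, "interface": "port2"}
USER_1 = {"name": "User_1", "subnet": "1.1.1.1/32", "version": 4, "interface": "any"}
USER_2 = {"name": "User_2", "subnet": "2.2.2.2/32", "version": 4, "interface": "any"}
USER_V6 = {"name": "User_v6", "subnet": "2001:db8::10/128", "version": 6, "interface": "any"}
```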

Example
This example creates an address group named accounting, whose member addresses
User_1 and User_2 are associated with the interface Any.
Note that it is recommended to create the addresses you want in the group before
setting up the address group.

Setup
To create an address group - web-based manager
1 Go to Firewall > Address > Group, and select Create New.
2 Enter the Group Name of accounting.
3 From the Available Addresses list, select an address and select the down-arrow button
to move the address name to the Members list.
4 Repeat step three as many times as required. You can also hold the SHIFT key to
select a range of address names from the list.
5 Select OK.
To create an address group - CLI
config firewall addrgrp
edit accounting
set member User_1 User_2
end

DHCP
The Dynamic Host Configuration Protocol (DHCP) enables hosts to automatically obtain
an IP address from a DHCP server. Optionally, hosts can also obtain default gateway and
DNS server settings.
Note: DHCP is not available when the FortiGate unit is operating in Transparent mode.


On FortiGate 30B, 50 and 60 series units, a DHCP server is configured, by default, on the
Internal interface, as follows:
IP Range          192.168.1.110 to 192.168.1.210
Netmask           255.255.255.0
Default gateway   192.168.1.99
Lease time        7 days
DNS Server 1      192.168.1.99

A FortiGate interface can provide the following DHCP services:
• Basic DHCP servers
• IPSec DHCP servers for IPSec (VPN) connections
• DHCP relay for regular Ethernet or IPSec (VPN) connections

An interface cannot provide both a server and a relay for connections of the same type.
You can configure one or more DHCP servers on any FortiGate interface. A DHCP server
dynamically assigns IP addresses to hosts on the network connected to the interface. The
host computers must be configured to obtain their IP addresses using DHCP. The IP
range of each DHCP server must match the network address range. The routers must be
configured for DHCP relay.

Example
This example sets up a DHCP server on the Internal interface for guests with an IP range
of 10.13.101.100 to 10.13.101.110, a default gateway of 10.13.101.2 and address lease of
5 days.
To configure a DHCP server on the internal interface - web-based manager
1 Go to System > DHCP Server > Service.
2 For the internal interface, select the ‘plus’ sign for Servers and complete the following:
Name              Guest DHCP
Type              Regular
IP Range          10.13.101.100 to 10.13.101.110
Netmask           255.255.255.0
Default Gateway   10.13.101.2
Lease             5 days
3 Select OK.
To configure a DHCP server on the internal interface - CLI
config system dhcp server
edit guest_dhcp
set server-type regular
set interface internal
set start-ip 10.13.101.100
set end-ip 10.13.101.110
set netmask 255.255.255.0
set default-gateway 10.13.101.2
set lease-time 432000
end


A FortiGate interface can also be configured as a DHCP relay. The interface forwards
DHCP requests from DHCP clients to an external DHCP server and returns the responses
to the DHCP clients. The DHCP server must have appropriate routing so that its response
packets to the DHCP clients arrive at the FortiGate unit.

Example
This example sets up a DHCP relay on the internal interface to the DHCP server
located at 172.20.120.55. The FortiGate unit forwards each client's request for an IP
address to the defined DHCP server and returns the server's response to the requesting
client.
To configure a DHCP relay on the internal interface - web-based manager
1 Go to System > DHCP Server > Service.
2 For the internal interface, select the Edit icon for the Relay option.
3 Select Enable for the DHCP Relay Agent.
4 Select the Type of Regular.
5 Enter the DHCP Server IP address of 172.20.120.55.
6 Select OK.
To configure a DHCP relay on the internal interface - CLI
config system interface
edit internal
set dhcp-relay-service enable
set dhcp-relay-type regular
set dhcp-relay-ip 172.20.120.55
end

IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly
selected from the IP pool, rather than the IP address assigned to that FortiGate interface.
An IP pool defines a single IP address or a range of IP addresses. A single IP address in
an IP pool becomes a range of one IP address. For example, if you enter an IP pool as
1.1.1.1 the IP pool is actually the address range 1.1.1.1 to 1.1.1.1.
If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the
interface responds to ARP requests for all of the IP addresses in the overlapping IP pools.
For example, consider a FortiGate unit with the following IP addresses for the port1 and
port2 interfaces:
• port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
• port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)
And the following IP pools:
• IP_pool_1: 1.1.1.10-1.1.1.20
• IP_pool_2: 2.2.2.10-2.2.2.20
• IP_pool_3: 2.2.2.30-2.2.2.40
The port1 interface overlap IP range with IP_pool_1 is:
(1.1.1.0-1.1.1.255) & (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20
The port2 interface overlap IP range with IP_pool_2 is:
(2.2.2.0-2.2.2.255) & (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20
The port2 interface overlap IP range with IP_pool_3 is:
(2.2.2.0-2.2.2.255) & (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40
And the result is:
• The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
• The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40

Select NAT in a firewall policy and then select Dynamic IP Pool and select an IP pool to
translate the source address of packets leaving the FortiGate unit to an address randomly
selected from the IP pool.
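As an added illustration that is not part of the handbook, the following Python script applies the overlap rule above to the handbook's own port1/port2 and IP_pool_1 to IP_pool_3 figures and reports which pool addresses each interface answers ARP for; it also flags pools that fall inside no interface subnet, which is worth checking before using such a pool in a NAT policy.

```python
"""Added example, not Fortinet's code: compute the interface / IP pool
overlaps described above and hence the ARP ranges each interface answers.
Interface and pool values are the handbook's example figures."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPRange = Tuple[int, int]  # inclusive (first, last) as integers

# The handbook's example interfaces, written as IP/netmask.
INTERFACES = {
    "port1": "1.1.1.1/255.255.255.0",
    "port2": "2.2.2.2/255.255.255.0",
}

# The handbook's example IP pools as (start, end).
IP_POOLS = {
    "IP_pool_1": ("1.1.1.10", "1.1.1.20"),
    "IP_pool_2": ("2.2.2.10", "2.2.2.20"),
    "IP_pool_3": ("2.2.2.30", "2.2.2.40"),
}


def interface_range(ip_with_mask: str) -> IPRange:
    """Subnet range of an interface address; strict=False keeps the host bits."""
    net = ipaddress.IPv4Network(ip_with_mask, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def pool_range(start: str, end: str) -> IPRange:
    """A one-address pool is a range of one address (start == end)."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError(f"pool end {end} precedes start {start}")
    return lo, hi


def overlap(a: IPRange, b: IPRange) -> Optional[IPRange]:
    """Intersection of two inclusive ranges, or None when they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def fmt(r: IPRange) -> str:
    return f"{ipaddress.IPv4Address(r[0])}-{ipaddress.IPv4Address(r[1])}"


def arp_ranges(interfaces: Dict[str, str],
               pools: Dict[str, Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each interface to the (pool name, 'first-last') ranges it answers ARP for."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for ifname, addr in interfaces.items():
        ifr = interface_range(addr)
        hits = []
        for pname, (s, e) in pools.items():
            ov = overlap(ifr, pool_range(s, e))
            if ov is not None:
                hits.append((pname, fmt(ov)))
        result[ifname] = hits
    return result


def unanswered_pools(interfaces: Dict[str, str],
                     pools: Dict[str, Tuple[str, str]]) -> List[str]:
    """Pools that overlap no interface subnet: no interface will answer ARP
    requests for them. The handbook example has none."""
    ifranges = [interface_range(a) for a in interfaces.values()]
    return [p for p, (s, e) in pools.items()
            if all(overlap(r, pool_range(s, e)) is None for r in ifranges)]


if __name__ == "__main__":
    for ifname, hits in arp_ranges(INTERFACES, IP_POOLS).items():
        for pname, rng in hits:
            print(f"{ifname} answers ARP requests for {rng} ({pname})")
    print("pools no interface answers for:", unanswered_pools(INTERFACES, IP_POOLS))
```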

Example
This example sets up an IP Pool with an address range of 10.13.101.100 to 10.13.101.110
for guest accounts on the network.
To configure an IP Pool - web-based manager
1 Go to Firewall > Virtual IP > IP Pool.
2 Enter the Name of Guest.
3 Enter the IP Range/Subnet of 10.13.101.100-10.13.101.110.
4 Select OK.
To configure an IP Pool - CLI
config firewall ippool
edit Guest
set startip 10.13.101.100
set endip 10.13.101.110
end

IP pools and dynamic NAT
Use IP pools for dynamic NAT. For example, an organization might have purchased a
range of Internet addresses but has only one Internet connection on the external interface
of the FortiGate unit.
Assign one of the organization’s Internet IP addresses to the external interface of the
FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from
the organization’s network to the Internet appear to come from this IP address.
For connections to originate from all the Internet IP addresses, add this address range to
an IP pool. Then select Dynamic IP Pool for all policies with the external interface as the
destination. For each connection, the firewall dynamically selects an IP address from the
IP pool to be the source address for the connection. As a result, connections to the
Internet appear to be originating from any of the IP addresses in the IP pool.

IP Pools for firewall policies that use fixed ports
Some network configurations do not operate correctly if a NAT policy translates the source
port of packets used by the connection. NAT translates source ports to keep track of
connections for a particular service.
From the CLI, you can enable fixedport when configuring a NAT firewall policy to
prevent source port translation:
config firewall policy
edit policy_name
...
set fixedport enable
...
end
However, enabling fixedport means that only one connection can be supported
through the firewall for this service. To be able to support multiple connections, add an IP
pool, and then select Dynamic IP pool in the policy. The firewall randomly selects an IP
address from the IP pool and assigns it to each connection. In this case the number of
connections that the firewall can support is limited by the number of IP addresses in the IP
pool.

Source IP address and IP pool address matching
When the source addresses are translated to the IP pool addresses, one of the following
three cases may occur:
Scenario 1: The number of source addresses equals that of IP pool addresses
In this case, the FortiGate unit always matches the IP addresses one to one.
If you enable fixedport in such a case, the FortiGate unit preserves the original source
port. This may cause conflicts if more than one firewall policy uses the same IP pool, or
the same IP addresses are used in more than one IP pool.
Original address    Change to
192.168.1.1         172.16.30.1
192.168.1.2         172.16.30.2
......              ......
192.168.1.254       172.16.30.254
Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism.
If you enable fixedport in such a case, the FortiGate unit preserves the original source
port. But conflicts may occur since users may have different sessions using the same TCP
5-tuples.
Original address    Change to
192.168.1.1         172.16.30.10
192.168.1.2         172.16.30.11
......              ......
192.168.1.10        172.16.30.19
192.168.1.11        172.16.30.10
192.168.1.12        172.16.30.11
192.168.1.13        172.16.30.12
......              ......
Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses are used and the rest of them are not used.
Original address           Change to
192.168.1.1                172.16.30.10
192.168.1.2                172.16.30.11
192.168.1.3                172.16.30.12
No more source addresses   172.16.30.13 and other addresses are not used
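The three scenarios above, and the fixedport conflict warned about in scenario 2, modelled in Python as an added example that is not the handbook's or Fortinet's code; the addresses follow the handbook's tables and the sessions are constructed.

```python
"""Added example, not Fortinet's code: model the three source-to-pool
matching scenarios above, and show why fixedport can produce conflicting
TCP 5-tuples when the pool wraps around. Addresses follow the handbook's
tables; the sessions are constructed."""
import ipaddress
from collections import Counter
from typing import Callable, Dict, List, Tuple

Session = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


def addr_list(start: str, end: str) -> List[str]:
    """Expand an inclusive start-end range into individual addresses."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def map_sources_to_pool(sources: List[str], pool: List[str]) -> Dict[str, str]:
    """Scenario 1: equal counts give a one-to-one mapping.
    Scenario 2: more sources than pool addresses wrap around (modulo).
    Scenario 3: fewer sources leave the tail of the pool unused."""
    if not pool:
        raise ValueError("IP pool is empty")
    return {src: pool[i % len(pool)] for i, src in enumerate(sources)}


def unused_pool_addresses(mapping: Dict[str, str], pool: List[str]) -> List[str]:
    used = set(mapping.values())
    return [p for p in pool if p not in used]


def port_allocator(start: int = 1024) -> Callable[[], int]:
    """Sequential source-port allocator standing in for normal PAT behaviour."""
    state = {"next": start}

    def alloc() -> int:
        p = state["next"]
        state["next"] = p + 1 if p < 65535 else start
        return p
    return alloc


def translate(sessions: List[Session], mapping: Dict[str, str],
              fixedport: bool, alloc: Callable[[], int]) -> List[Session]:
    """Rewrite each session's source; fixedport keeps the original source port."""
    out = []
    for src, sport, dst, dport, proto in sessions:
        out.append((mapping[src], sport if fixedport else alloc(), dst, dport, proto))
    return out


def find_conflicts(translated: List[Session]) -> List[Session]:
    """Translated 5-tuples that occur more than once cannot be told apart by
    the far end or by the firewall's session table."""
    return [t for t, n in Counter(translated).items() if n > 1]


# Scenario 2 figures from the handbook: 13 sources onto a 10-address pool.
POOL = addr_list("172.16.30.10", "172.16.30.19")
SOURCES = addr_list("192.168.1.1", "192.168.1.13")
MAPPING = map_sources_to_pool(SOURCES, POOL)

# Constructed sessions: 192.168.1.1 and 192.168.1.11 both land on 172.16.30.10
# and both happen to use source port 40000 towards the same server.
SESSIONS: List[Session] = [
    ("192.168.1.1", 40000, "203.0.113.5", 443, "tcp"),
    ("192.168.1.11", 40000, "203.0.113.5", 443, "tcp"),
    ("192.168.1.2", 40000, "203.0.113.5", 443, "tcp"),
]


def fixedport_conflicts() -> List[Session]:
    return find_conflicts(translate(SESSIONS, MAPPING, True, port_allocator()))


def pat_conflicts() -> List[Session]:
    return find_conflicts(translate(SESSIONS, MAPPING, False, port_allocator()))


if __name__ == "__main__":
    print("192.168.1.10 ->", MAPPING["192.168.1.10"],
          "| 192.168.1.11 ->", MAPPING["192.168.1.11"])
    print("fixedport conflicts:", fixedport_conflicts())
    print("conflicts with port translation:", pat_conflicts())
```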

IPv6
Internet Protocol version 6 (IPv6) is the next-generation version of IP addressing, intended
to eventually replace IPv4. IPv6 was developed because of the concern that in the near
future the available addresses for the IPv4 infrastructure will be exhausted. The IPv6
infrastructure will supplement, and eventually replace, the IPv4 standard.
Where IPv4 uses 32-bit addressing, IPv6 uses 128-bit addressing, effectively providing
trillions upon trillions of unique addresses, whereas IPv4 can have a little over 4 billion.
With this larger address space, allocating addresses and routing traffic becomes easier,
and network address translation (NAT) becomes virtually unnecessary.
Where IPv4 addresses are written as numerals separated by a period, the IPv6 address is
written with hexadecimal digits separated by a colon. For example,
fe80:218:8bff:fe84:4223.
By default, the FortiGate unit is not enabled to use IPv6 addressing. To enable this
feature, go to System > Admin > Settings and select IPv6 Support on GUI. When enabled,
you can use IPv6 addressing on any of the address-dependent components of the
FortiGate unit, including firewall policies, interface addressing and DNS servers. IPv6
addressing can be configured in the web-based manager and in the CLI.

Example
This example adds an IPv6 address 2001:db8:0:1234:0:567:1:1 for the WAN1 interface as
well as the administrative access to HTTPS and SSH. As a good practice, set the
administrative access when you are setting the IP address for the port.
To add an IP address for the WAN1 interface - web-based manager
1 Go to System > Network > Interface.
2 Select the WAN1 row and select Edit.
3 Select the Addressing Mode of Manual.
4 Enter the IPv6 Address for the port of 2001:db8:0:1234:0:567:1:1.
5 For Administrative Access select HTTPS and SSH.
6 Select OK.
To create an IP address for the WAN1 interface - CLI
config system interface
edit wan1
config ipv6
set ip6-address 2001:db8:0:1234:0:567:1:1
set ip6-allowaccess https ssh
end
end


Example
This example adds an IPv6 firewall address for guest users of 2001:db8:0:1234:0:567:1:1.
To add a firewall IPv6 address - web-based manager
1 Go to Firewall > Address > Address.
2 On the Create New button, click the down arrow on the right.
If there is no arrow, ensure you have enabled IPv6 by going to System > Admin >
Settings and selecting IPv6 Support on GUI.
3 Select IPv6 Address.
4 For the Address Name, enter Guest.
5 Enter the IP address of 2001:db8:0:1234:0:567:1:1/128.
6 Select OK.
To add a firewall IPv6 address - CLI
config firewall address6
edit Guest
set ip6 2001:db8:0:1234:0:567:1:1/128
end

Ports
A port is a type of address used by specific applications and processes. The FortiGate unit
uses a number of port assignments to send and receive information for basic system
operation and communication by default.

Originating traffic
Function                                                        Port(s)
DNS lookup; RBL lookup                                          UDP 53
FortiGuard Antispam or Web Filtering rating lookup             UDP 53 or UDP 8888
FDN server list                                                 UDP 53 (default) or UDP 8888,
  Source and destination port numbers vary by originating or     and UDP 1027 or UDP 1031
  reply traffic.
NTP synchronization                                             UDP 123
SNMP traps                                                      UDP 162
Syslog                                                          UDP 514
  All FortiOS versions can use syslog to send log messages to remote syslog
  servers.
  Note: If a secure connection has been configured between a FortiGate and a
  FortiAnalyzer, syslog traffic will be sent into an IPSec tunnel. Data will be
  exchanged over UDP 500/4500, Protocol IP/50.
Configuration backup to FortiManager unit or FortiGuard         TCP 22
  Analysis and Management Service
SMTP alert email; encrypted virus sample auto-submit           TCP 25
LDAP or PKI authentication                                      TCP 389 or TCP 636
FortiGuard Antivirus or IPS update                              TCP 443
  When requesting updates from a FortiManager unit instead of directly from the
  FDN, this port must be reconfigured as TCP 8890.
FortiGuard Analysis and Management Service                      TCP 443
FortiGuard Analysis and Management Service log transmission     TCP 514
  (OFTP)
SSL management tunnel to FortiGuard Analysis and Management     TCP 541
  Service
FortiGuard Analysis and Management Service contract validation  TCP 10151
Quarantine, remote access to logs & reports on a FortiAnalyzer  TCP 514
  unit, device registration with FortiAnalyzer units (OFTP)
RADIUS authentication                                           TCP 1812

Receiving traffic
When operating in the default configuration, FortiGate units do not accept TCP or UDP
connections on any port except the default internal interface, which accepts HTTPS
connections on TCP port 443.
Function                                                        Port(s)
FortiGuard Antivirus and IPS update push                        UDP 9443
  The FDN sends notice that an update is available. Update downloads then
  occur on standard originating ports for updates.
SSH administrative access to the CLI; remote management from    TCP 22
  a FortiManager unit
Telnet administrative access to the CLI; HA synchronization     TCP 23
  (FGCP L2)
  Changing the telnet administrative access port number also changes the HA
  synchronization port number.
HTTP administrative access to the web-based manager             TCP 80
HTTPS administrative access to the web-based manager; remote    TCP 443
  management from a FortiManager unit; user authentication for
  policy override
SSL management tunnel from FortiGuard Analysis and Management   TCP 541
  Service (FortiOS v3.0 MR6 or later)
HA heartbeat (FGCP L2)                                          TCP 703
User authentication keepalive and logout for policy override    TCP 1000
  (default value of port for HTTP traffic)
  This port is closed until enabled by the auth-keepalive command.
User authentication keepalive and logout for policy override    TCP 1003
  (default value of port for HTTPS traffic)
  This port is closed until enabled by the auth-keepalive command.
Windows Active Directory (AD) Collector Agent                   TCP 8000
User authentication for policy override of HTTP traffic         TCP 8008
FortiClient download portal                                     TCP 8009
  This feature is available on FortiGate-1000A, FortiGate-3600A, and
  FortiGate-5005FA2.
User authentication for policy override of HTTPS traffic        TCP 8010
VPN settings distribution to authenticated FortiClient          TCP 8900
  installations
SSL VPN                                                         TCP 10443
HA                                                              ETH 8890 (Layer 2)

Closing specific ports to traffic
By default, FortiGate units do not accept remote administrative access except by HTTPS
connections on TCP port 443 to the default internal network interface, for some FortiGate
models. Restricting administrative access by default ensures that only you can change your
firewall policies and security configuration. It also improves the security of the FortiGate
unit itself by reducing the number of ports that potential attackers can discover by network
probes and port scans, a common method of discovering open ports for denial of service
(DoS) attacks.

Port 113
TCP port 113 (Ident/Auth) is an exception to the above rule. By default, FortiGate units
receiving an IDENT request on this port respond with a TCP RST, which resets the
connection. This prevents delay that would normally occur if the requesting host were to
wait for the connection attempt to time out.
This port is less commonly used today. If you do not use this service, you can make your
FortiGate unit less visible to probes. You can disable TCP RST responses to ident
requests and subject those requests to firewall policies, and thereby close this port.
For each network interface that should not respond to ident requests on TCP port 113,
enter the following CLI commands:
config system interface
edit <port_name>
set ident-accept enable
end
For example, to disable ident responses on a network interface named port1, enter the
following commands:
config system interface
edit port1
set ident-accept enable
end

Port 541
By default, FortiGate units use this port to initiate an SSL-secured management tunnel
connection to centralized device managers such as the FortiGuard Analysis and
Management Service.
If you do not use centralized management, you can make your FortiGate unit less
visible to probes by disabling the management tunnel feature, thereby closing this
port, with the following CLI command:
config sys central-management
set status disable
end

Services
Services represent typical traffic types and application packets that pass through the
FortiGate unit. Firewall services define one or more protocols and port numbers
associated with each service. Firewall policies use service definitions to match session
types. You can organize related services into service groups to simplify your firewall
policy list.

Many well-known traffic types have been predefined in firewall services and protocols on
the FortiGate unit. These predefined services and protocols are defaults, and cannot be
edited or removed. However, if you require different services, you can create custom
services.
To view the predefined services, go to Firewall > Service > Predefined.

Custom service
Should there be a service that does not appear on the list, or you have a unique service or
situation, you can create your own custom service. You need to know the port(s), IP
addresses or protocols the particular service or application uses to create the custom
service.

Example
This example creates a custom service for the “Widget” application, which communicates
on TCP port 9620 for source traffic and between ports 4545 and 4550 for destination
traffic.
To create a custom service - web-based manager
1 Go to Firewall > Service > Custom and select Create New.
2 Enter the following and select Add:
Name              Widget
Protocol Type     TCP/UDP
Source Port       Low 9620    High 9620
Destination Port  Low 4545    High 4550
3 Select OK.
To create a custom service - CLI
config firewall service custom
edit Widget
set protocol TCP/UDP
set tcp-portrange 4545-4550:9620
end

Schedules
When you add firewall policies on a FortiGate unit, those policies are always on, policing
the traffic through the device. Firewall schedules control when policies are in effect, that is,
when they are on. You can create one-time schedules which are schedules that are in
effect only once for the period of time specified in the schedule. You can also create
recurring schedules that are in effect repeatedly at specified times of specified days of the
week.
You can create a recurring schedule that activates a policy during a specified period of
time. For example, you might prevent game playing during office hours by creating a
recurring schedule that covers office hours.


Note: If a recurring schedule has a stop time that is earlier than the start time, the schedule
will take effect at the start time but end at the stop time on the next day. You can use this
technique to create recurring schedules that run from one day to the next. For example, to
prevent game playing except at lunchtime, you might set the start time for a recurring
schedule at 1:00 p.m. and the stop time at 12:00 noon. To create a recurring schedule that
runs for 24 hours, set the start and stop times to 00.
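The rule in the note above (a stop time earlier than the start time ends on the next day; start and stop of 00 means 24 hours) is easy to get wrong when reading a policy list, so here is an added Python checker that is not the handbook's code; the day selection for the games example and the ISO timestamps are constructed.

```python
"""Added example, not Fortinet's code: evaluate whether a recurring firewall
schedule is in effect at a given moment, applying the handbook rule that a
stop time earlier than the start time ends on the next day and that
start = stop = 00 means 24 hours. Moments are passed as ISO strings."""
from datetime import datetime
from typing import Sequence

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
WEEKDAYS = DAYS[:5]


def parse_hhmm(value: str) -> int:
    """'13:00' -> minutes after midnight; a bare '00' (as in the handbook) is 00:00."""
    parts = value.split(":")
    hour = int(parts[0])
    minute = int(parts[1]) if len(parts) > 1 else 0
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"bad time {value!r}")
    return hour * 60 + minute


def in_effect(days: Sequence[str], start: str, stop: str, when_iso: str) -> bool:
    """True when the schedule covers the moment when_iso (e.g. '2010-07-13T12:30')."""
    when = datetime.fromisoformat(when_iso)
    s, e = parse_hhmm(start), parse_hhmm(stop)
    now = when.hour * 60 + when.minute
    today = DAYS[when.weekday()]
    yesterday = DAYS[(when.weekday() - 1) % 7]
    if s == e:                       # 00 to 00: the whole listed day
        return today in days
    if s < e:                        # ordinary same-day window
        return today in days and s <= now < e
    # stop earlier than start: runs from start today until stop tomorrow
    started_today = today in days and now >= s
    carried_over = yesterday in days and now < e
    return started_today or carried_over


# Handbook example: block games except at lunch with a 1:00 p.m. to 12:00 noon
# schedule; Monday to Friday is a constructed choice of days.
GAMES_BLOCKED = (WEEKDAYS, "13:00", "12:00")


def games_blocked_at(when_iso: str) -> bool:
    days, start, stop = GAMES_BLOCKED
    return in_effect(days, start, stop, when_iso)


if __name__ == "__main__":
    # 2010-07-12 is a Monday, 2010-07-13 a Tuesday.
    for t in ("2010-07-13T12:30", "2010-07-13T09:00", "2010-07-12T09:00"):
        print(t, "blocked" if games_blocked_at(t) else "allowed")
```

With this rule a window entered as 12:00 to 01:00 runs from noon until one o'clock the following morning; a one-hour lunch window needs a stop time of 13:00.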

Example
This example creates a schedule for surfing the Internet at lunch time. The company
restricts the amount of surfing on company time, but over lunch, the restrictions are lifted.
For this schedule, a firewall policy would be created to enable all services for a limited
amount of time. This example sets up the time frame.
To create a recurring firewall schedule - web-based manager
1 Go to Firewall > Schedule > Recurring, and select Create New.
2 Enter the schedule Name of Lunch-Surfing.
3 Select the days of the week this schedule is employed.
In this case, Monday through Friday.
4 Select the Start Hour of 12.
5 Select the Stop Hour of 01.
6 Select OK.
To create a recurring firewall schedule - CLI
config firewall schedule recurring
edit Lunch-Surfing
set day monday tuesday wednesday thursday friday
set start 12:00
set end 01:00
end

Example
This example creates a one-time schedule for a firewall policy. In this example, a company
is shut down over the Christmas holidays. To prevent employees from coming to work to
use the internet connection, the company sets up a one-time firewall policy to block most
internet traffic during this time period. A schedule needs to be created to limit internet
traffic between December 25 and January 1.
To create a one-time firewall schedule - web-based manager
1 Go to Firewall > Schedule > One-time, and select Create New.
2 Enter the schedule Name of Xmas-Shutdown.
3 Enter the following and select OK.
Start   Year 2009   Month 12   Day 25   Hour 00   Minute 00
Stop    Year 2010   Month 01   Day 01   Hour 23   Minute 00
To create a one-time firewall schedule - CLI
config firewall schedule onetime
edit Xmas-Shutdown
set start 00:00 2009/12/25
set end 23:00 2010/01/01
end

Schedule groups
You can organize multiple firewall schedules into a schedule group to simplify your firewall
policy list. For example, instead of having five identical policies for five different but related
firewall schedules, you might combine the five schedules into a single schedule group that
is used by a single firewall policy.
Schedule groups can contain both recurring and one-time schedules. Schedule groups
cannot contain other schedule groups.

Example
This example creates a schedule group for the schedules created in the previous
schedule examples. The schedule group enables you to have one firewall policy that
covers both schedules, rather than creating two separate policies.
To create a firewall schedule group - web-based manager
1 Go to Firewall > Schedule > Group, and select Create New.
2 Enter the group Name of Schedules.
3 From the Available Schedules list, select the Lunch-Surfing schedule and select the
down-arrow button to move the schedule name to the Members list.
4 From the Available Schedules list, select the Xmas-Shutdown schedule and select the
down-arrow button to move the schedule name to the Members list.
5 Select OK.
To create a firewall schedule group - CLI
config firewall schedule group
edit Schedules
set member Lunch-Surfing Xmas-Shutdown
end


UTM profiles
Where firewall policies provide the instructions to the FortiGate unit as to what traffic is
allowed through the device, the Unified Threat Management (UTM) profiles provide the
screening that filters the content coming and going on the network. The UTM profiles
enable you to instruct the FortiGate unit what to look for in the traffic that you don’t want, or
want to monitor, as it passes through the device.
A UTM profile is a group of options and filters that you can apply to one or more firewall
policies. Because UTM profiles can be used by more than one firewall policy, you can
configure sets of UTM profiles for the traffic types handled by a set of firewall policies
requiring identical protection levels and types, rather than repeatedly configuring those
same UTM profile settings for each individual firewall policy.
For example, while traffic between trusted and untrusted networks might need strict
antivirus protection, traffic between trusted internal addresses might need moderate
antivirus protection. To provide the different levels of protection, you might configure two
separate protection profiles: one for traffic between trusted networks, and one for traffic
between trusted and untrusted networks.
UTM profiles are available for various kinds of unwanted traffic and network threats. Each
is configured separately and can be used in different groupings as needed. You configure
UTM profiles in the UTM menu and apply them when creating a firewall policy by selecting
the UTM profile type.

Profiles and sensors
The UTM profiles can be identified by two categories: profiles (antivirus, web filter and
email filter) and sensors (intrusion prevention and data leak prevention). Profiles are a
group of identifiers to filter unwanted email such as spam, web content and provide virus
detection. Sensors are a grouping of common or custom signature information that the
FortiGate unit uses to identify, or sense, an intrusion or data leak and prevent it from
occurring.
For both categories, you create a unique set of criteria for the profile or sensor and select
it for the firewall policy. When traffic passes through the FortiGate unit, the FortiGate unit
compares the traffic information to see if the policy is valid. If it is, it then applies the
profiles and sensors to the traffic to determine if the traffic is an attack, virus, spam or
unwanted web content and either blocks or allows the traffic through depending on how
the sensor or policy was configured.
FortiOS includes a selection of default UTM profiles and sensors. The defaults provide
varying levels of security, from very strict (monitoring or blocking everything) to very light
(allowing most traffic through). You can use these default protection profiles as they are to
quickly configure your network security, or as the basis for creating your own.

Example
This example creates an antivirus profile that will scan all email traffic for viruses. The new
profile will be called email_scan.
To create an antivirus profile for email - web-based manager
1 Go to UTM > AntiVirus > Profile and select Create New.
2 Enter the profile Name of email_scan.
3 For the Virus Scan row, select IMAP, POP3 and SMTP.
4 Select OK.

To create an antivirus profile for email - CLI
config antivirus profile
edit email_scan
config imap
set options scan
end
config smtp
set options scan
end
config pop3
set options scan
end
end

Example
This example creates a web filter profile that prevents ActiveX and Java applets from
being downloaded in a web browser when a user visits a web site with these elements on
the page. The new profile will be called activex_java.
To create a web filter profile - web-based manager
1 Go to UTM > Web Filter > Profile and select Create New.
2 Enter the profile Name of activex_java.
3 Select the blue arrow for the Advanced Filter to expand the options.
4 Select the check boxes for ActiveX Filter and Java Applet Filter.
5 Select OK.
To create a web filter profile - CLI
config webfilter profile
edit activex_java
config http
set options activexfilter javafilter
end
end


Firewall Policies
Firewall policies control all traffic attempting to pass through the FortiGate unit, between
FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance
and packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet’s source address, destination address, and
service (by port number), and attempts to locate a firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional.
Policy instructions may include network address translation (NAT), or port address
translation (PAT), by using virtual IPs or IP pools to translate source and destination IP
addresses and port numbers.
Policy instructions may also include UTM profiles, which can specify application-layer
inspection and other protocol-specific protection and logging.
This chapter describes what firewall policies are and how they affect all traffic to and from
your network. It also describes how to configure some key policies; these are basic
policies you can use as building blocks for more complex policies, but they enable you to
get the FortiGate unit running on the network quickly.
This chapter contains the following topics:
• Policy order
• Creating basic policies
• DoS Policies
• Sniffer Policies
• Identity-based Policies
• ICMP packet processing
• Firewall policy examples

You configure firewall policies to define which sessions will match the policy and what
actions the FortiGate unit will perform with packets from matching sessions.
Sessions are matched to a firewall policy by considering these features of both the packet
and policy:
• Source Interface/Zone
• Source Address
• Destination Interface/Zone
• Destination Address
• schedule and time of the session’s initiation
• service and the packet’s port numbers.

If the initial packet matches the firewall policy, the FortiGate unit performs the configured
Action and any other configured options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.
• ACCEPT policy actions permit communication sessions, and may optionally include
  other packet processing instructions, such as requiring authentication to use the policy,
  or specifying a protection profile to apply features such as virus scanning to packets in
  the session. An ACCEPT policy can also apply interface-mode IPSec VPN traffic if
  either the selected source or destination interface is an IPSec virtual interface.
• DENY policy actions block communication sessions, and you can optionally log the
  denied traffic. If no firewall policy is matching the traffic, the packets are dropped,
  therefore it is not required to configure a DENY firewall policy in the last position to
  block the unauthorized traffic. A DENY firewall policy is needed when it is required to
  log the denied traffic, also called “violation traffic”.
• IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN
  tunnel, respectively, and may optionally apply NAT and allow traffic for one or both
  directions. If permitted by the firewall encryption policy, a tunnel may be initiated
  automatically whenever a packet matching the policy arrives on the specified network
  interface, destined for the local private network.

Create firewall policies based on traffic flow. For example, for a POP3 policy where the
email server is outside of the internal network, traffic should be from an internal interface
to an external interface rather than the other way around. It is typically the user on the
network requesting email content from the email server, and thus the originator of the
connection is on the internal port, not the external one of the email server. This is also
important to remember when viewing log messages, where the source and destination
of the packets can seem backwards.

Policy order
Each time a FortiGate unit receives a connection attempting to pass through one of its
interfaces, the unit searches its firewall policy list for a matching firewall policy.
The search begins at the top of the policy list and progresses in order towards the bottom.
The FortiGate unit evaluates each policy in the firewall policy list for a match until a match
is found. When the FortiGate unit finds the first matching policy, it applies the matching
policy’s specified actions to the packet, and disregards subsequent firewall policies.
Matching firewall policies are determined by comparing the firewall policy and the
packet’s:
• source and destination interfaces
• source and destination firewall addresses
• services
• time/schedule.

If no policy matches, the connection is dropped.
As a general rule, you should order the firewall policy list from most specific to most
general because of the order in which policies are evaluated for a match, and because
only the first matching firewall policy is applied to a connection. Subsequent possible
matches are not considered or applied. Ordering policies from most specific to most
general prevents policies that match a wide range of traffic from superseding and
effectively masking policies that match exceptions.
Note: One slight variation on this is identity-based policies. For more information
see “Identity-based Policies” on page 224.


For example, you might have a general policy that allows all connections from the internal
network to the Internet, but want to make an exception that blocks FTP. In this case, you
would add a policy that denies FTP connections above the general policy.
Figure 24: Example: Blocking FTP — Correct policy order
[Figure: policy list with the FTP deny policy (Exception) listed above the allow-all policy (General)]

FTP connections would immediately match the deny policy, blocking the connection.
Other kinds of services do not match the FTP policy, and so policy evaluation would
continue until reaching the matching general policy. This policy order has the intended
effect. But if you reversed the order of the two policies, positioning the general policy
before the policy to block FTP, all connections, including FTP, would immediately match
the general policy, and the policy to block FTP would never be applied. This policy order
would not have the intended effect.
Figure 25: Example: Blocking FTP — Incorrect policy order
[Figure: policy list with the allow-all policy (General) listed above the FTP deny policy (Exception)]

Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would
position those policies above other potential matches in the policy list. Otherwise, the
other matching policies could always take precedence, and the required authentication,
IPSec VPN, or SSL VPN might never occur.
Note: A default firewall policy may exist which accepts all connections. You can move,
disable or delete it. If you move the default policy to the bottom of the firewall policy list and
no other policy matches the packet, the connection will be accepted. If you disable or delete
the default policy and no other policy matches the packet, the connection will be dropped.

You can arrange the firewall policy list to influence the order in which policies are
evaluated for matches with incoming traffic. When more than one policy has been defined
for the same interface pair, the first matching firewall policy will be applied to the traffic
session.

Denial of Service policies
An exception to the above description is denial of service (DoS) and sniffer firewall
policies. These policies are created in a separate location in the Firewall menu, and are
processed first, before any other policy, in their own respective order. This is done to
determine early in traffic processing whether the traffic is valid or an unwanted attack,
so that an attack can be shut down before the more resource-intensive anti-spam and
anti-virus processing. For more information on DoS policies, see “DoS Policies” on page 221.

Rearranging policies
Moving a policy in the firewall policy list does not change its ID, which only indicates the
order in which the policy was created.


To move a policy in the policy list
1 Go to Firewall > Policy > Policy.
2 In the firewall policy list, note the ID of a firewall policy that is before or after your
intended destination.
3 Select the row corresponding to the firewall policy you want to move and select Move.
4 Select Before or After, and enter the ID of the firewall policy that is before or after your
intended destination. This specifies the policy’s new position in the firewall policy list.
5 Select OK.

Firewall policy 0
FortiGate units create a firewall policy of 0 (zero) which can appear in the logs, but will
never appear in the firewall policy list, and therefore can never be repositioned in the list.
When viewing the FortiGate logs, you may find an entry indicating policyid="0".
For example:
2008-10-06 00:13:49 log_id=0022013001 type=traffic
subtype=violation pri=warning vd=root SN=179089 duration=0
user=N/A group=N/A rule=0 policyid=0 proto=17 service=137/udp
app_type=N/A status=deny src=10.181.77.73 srcname=10.181.77.73
dst=10.128.1.161 dstname=10.128.1.161 src_int=N/A
dst_int="Internal" sent=0 rcvd=0 src_port=137 dst_port=137 vpn=N/A
tran_ip=0.0.0.0 tran_port=0
Any firewall policy that is automatically added by the FortiGate unit has a policy ID number
of 0. The most common reasons the FortiGate unit creates this policy are:
• The IPsec policy for FortiAnalyzer (and FortiManager version 3.0) is automatically
added when an IPsec connection to the FortiAnalyzer unit or FortiManager is enabled.
• The policy to allow FortiGuard servers to be automatically added has a policy ID
number of 0.
• The (default) drop rule that is the last rule in the policy list and that is automatically added
has a policy ID number of 0.
• When a network zone is defined within a VDOM, the intra-zone traffic set to allow or
block is managed by policy 0 if it is not processed by a configured firewall policy.
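A parser for the key=value traffic log format shown above, added here as an example (not Fortinet code), that picks out the entries handled by policy 0. The sample lines are constructed: the first reproduces the entry above, the second is an invented accept on a configured policy for contrast.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample log: the policy-0 entry from this section, plus one
# constructed entry that matched a configured policy (policyid=3) for contrast.
SAMPLE_LOG = "\n".join([
    "2008-10-06 00:13:49 log_id=0022013001 type=traffic subtype=violation pri=warning "
    "vd=root SN=179089 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=17 "
    "service=137/udp app_type=N/A status=deny src=10.181.77.73 srcname=10.181.77.73 "
    "dst=10.128.1.161 dstname=10.128.1.161 src_int=N/A dst_int=\"Internal\" sent=0 "
    "rcvd=0 src_port=137 dst_port=137 vpn=N/A tran_ip=0.0.0.0 tran_port=0",
    "2008-10-06 00:14:02 log_id=0022013002 type=traffic subtype=allowed pri=notice "
    "vd=root SN=179090 duration=12 user=N/A group=N/A rule=3 policyid=3 proto=6 "
    "service=80/tcp app_type=N/A status=accept src=10.13.20.22 srcname=10.13.20.22 "
    "dst=172.20.120.141 dstname=172.20.120.141 src_int=\"internal\" dst_int=\"wan1\" "
    "sent=512 rcvd=2048 src_port=3311 dst_port=80 vpn=N/A tran_ip=0.0.0.0 tran_port=0",
])


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one key=value traffic log line into a dict.

    The leading date and time carry no keys and are stored as 'date' and
    'time'; shlex handles quoted values such as dst_int="Internal".
    """
    tokens = shlex.split(line)
    record = {"date": tokens[0], "time": tokens[1]}
    for token in tokens[2:]:
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def policy0_hits(log_text: str) -> List[Tuple[str, str, str, str]]:
    """(src, dst, dst_port, dst_int) of every entry handled by policy 0.

    These sessions matched no configured policy (or only one the unit added
    itself), so a review of the policy list alone never explains them.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec.get("policyid") == "0":
            hits.append((rec["src"], rec["dst"], rec["dst_port"], rec["dst_int"]))
    return hits
```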

Firewall policy list details
The firewall policy table includes by default a number of columns to display information
about the policy, for example, source, destination, service, and so on. You can add a
number of additional columns to the table to view more information about the policies and
what is in their configuration. By going to Firewall > Policy > Policy and selecting the
Column Settings link, you can add or remove a number of different columns of information
to the policy list, and arrange their placement within the table.

Figure 26: Firewall policy column selection

Creating basic policies
This section describes how to configure basic firewall policies based on the selectable
actions described above. The following criteria will be used for each policy for
internal/source and external/destination information:
Source interface/Zone: Internal
Source address: 10.13.20.22
Destination interface/Zone: WAN1
Destination address: 172.20.120.141

Basic accept policy example
With this basic accept policy example, the firewall policy will accept all HTTP traffic
passing from the external interface (WAN1) to the internal interface (Internal) at all times.
This enables users to surf the internet using HTTP (port 80). Using this policy alone, no
other traffic (email, FTP and so on) is allowed to pass through the FortiGate unit.
To create a basic accept policy for HTTP - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following and select OK:
Source interface/Zone: WAN1
Source address: 172.20.120.141
Destination interface/Zone: Internal
Destination address: 10.13.20.22
Schedule: always
Service: HTTP
Action: ACCEPT


To create a basic accept policy for HTTP - CLI
config firewall policy
edit 1
set srcintf wan1
set srcaddr 172.20.120.141
set dstintf internal
set dstaddr 10.13.20.22
set action accept
set schedule always
set service HTTP
end

Basic deny policy example
With this basic deny policy example, the firewall policy will deny all FTP traffic passing
from the internal interface (Internal) to the external interface (WAN1) at all times. This
prevents users from uploading files to an FTP site. Ideally, this would not be the only policy
on the FortiGate unit.
To create a basic deny policy for FTP - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following and select OK:
Source interface/Zone: Internal
Source address: 10.13.20.22
Destination interface/Zone: WAN1
Destination address: 172.20.120.141
Schedule: always
Service: FTP
Action: DENY

To create a basic deny policy for FTP - CLI
config firewall policy
edit 1
set srcintf internal
set srcaddr 10.13.20.22
set dstintf wan1
set dstaddr 172.20.120.141
set action deny
set schedule always
set service FTP
end

Basic VPN policy example
With this basic VPN policy example, the firewall policy will allow VPN traffic between the
FortiGate unit in the branch office and the head office. For simplicity, the VPN
configuration has been completed. The Phase 1 name is Head_Office. This firewall policy
would be configured on the Branch office FortiGate unit.


To create a basic VPN policy - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following and select OK:
Source interface/Zone: Internal
Source address: 10.13.20.22
Destination interface/Zone: WAN1
Destination address: 172.20.120.141
Schedule: always
Service: FTP
Action: IPSEC
VPN Tunnel: Select Head_Office from the configured list of VPN tunnels.

To create a basic VPN policy - CLI
config firewall policy
edit 1
set srcintf internal
set srcaddr 10.13.20.22
set dstintf wan1
set dstaddr 172.20.120.141
set action ipsec
set schedule always
set service FTP
set vpntunnel Head_Office
end

DoS Policies
Denial of Service (DoS) policies are primarily used to apply DoS sensors to network traffic
based on the FortiGate interface it is leaving or entering as well as the source and
destination addresses. DoS sensors are a traffic anomaly detection feature to identify
network traffic that does not fit known or common traffic patterns and behavior. A denial of
service attack occurs when an attacking system starts an abnormally large number of
sessions with a target system. The large number of sessions slows down or disables the
target system so legitimate users can no longer use it.
DoS policies examine network traffic very early in the sequence of protective measures
the FortiGate unit deploys to protect your network. Because of this, DoS policies are a
very efficient defence, using few resources. The previously mentioned denial of service
would be detected and its packets dropped before requiring firewall policy look-ups,
antivirus scans, and other protective but resource-intensive operations.
You can create DoS sensors to protect a variety of different attack patterns. By default, the
FortiGate unit includes two sensors; one to pass all traffic and one to block the more
common DoS attack patterns. To create your own DoS sensor, go to UTM > Intrusion
Protection > DoS Sensor and select Create New.
For more information on DoS sensor configuration, see the UTM chapter.


DoS sensor policies are stored separately in the FortiGate web-based manager and do
not appear in the firewall policy list. As traffic passes through the FortiGate interface, the
DoS policy is applied first to determine whether the traffic is genuine or an attack. If it is
genuine, the packets are forwarded to the normal firewall policies and applied as required.
If the FortiGate unit determines the traffic is a DoS attack, the policy is applied as
configured in the DoS sensor.

Basic DoS policy example
This example demonstrates setting up a simple DoS policy using the default sensor
block_flood to monitor HTTP traffic on the WAN1 port for any addresses through that port.
The block_flood sensor monitors for flood attacks.
To create the DoS firewall policy - web-based manager
1 Go to Firewall > Policy > DoS Policy and select Create New.
2 Set the Source Interface/Zone to WAN1.
3 Set the Source Address to All.
4 Set the Destination Address to All.
5 Set the Service to HTTP.
6 Select the check box for DoS Sensor, and select block_flood from the list.
7 Select OK.
To create the DoS firewall policy - CLI
config firewall interface-policy
edit 1
set interface wan1
set srcaddr all
set dstaddr all
set service HTTP
set ips-DoS-status enable
set ips-DoS block_flood
end

Sniffer Policies
Sniffer policies are used to configure a physical interface on the FortiGate unit as a
one-arm intrusion detection system (IDS). Traffic sent to the interface is examined for
matches to the configured IPS sensor and application control list. Matches are logged and
then all received traffic is dropped. Sniffing only reports on attacks. It does not deny or
otherwise influence traffic.
Sniffer policies are applied to sniffer interfaces. Traffic entering a sniffer interface is
checked against the sniffer policies for matching source and destination addresses and for
service. This check against the policies occurs in listed order, from top to bottom. The first
sniffer policy matching all three attributes then examines the traffic. Once a policy matches
the attributes, checks for policy matches stop. If no sniffer policies match, the traffic is
dropped without being examined.
Once a policy match is detected, the matching policy compares the traffic to the contents
of the DoS sensor, IPS sensor, and application control list specified in the policy. If any
matches are detected, the FortiGate unit creates an entry in the log of the matching
sensor/list. If the same traffic matches multiple sensors/lists, it is logged for each match.


Before creating the sniffer policy, you must set up the FortiGate unit on the network and
configure a port as a dedicated sniffer port. The easiest way to do this is to either use a hub
or a switch with a SPAN port. A SPAN port is a special-purpose interface that mirrors all
the traffic the switch receives. Traffic is handled normally on every other switch interface,
but the SPAN port sends a copy of everything. If you connect your FortiGate unit sniffer
interface to the switch SPAN port, all the network traffic will be examined without any being
lost because of the examination.
The FortiGate interface needs to be enabled for sniffing. In the example below, the WAN1
port is configured for one-armed sniffing.
To configure a FortiGate interface as a one-arm sniffer - web-based manager
1 Go to System > Network > Interface.
2 Select the WAN1 interface row and select Edit.
3 Select the check box for Enable one-arm sniffer.
4 Note that the port that is set up in sniffer mode will not require an IP address.
5 Select OK.
To configure a FortiGate interface as a one-arm sniffer - CLI
config system interface
edit wan1
set ips-sniffer-mode enable
end

Basic one-armed sniffer policy example
This example demonstrates setting up a simple one-armed sniffer policy using the default
DoS sensor block_flood and IPS sensor protect_email_server to monitor SMTP traffic on the
WAN1 port for any addresses through that port. Note that the WAN1 port was enabled in
the previous steps to be used as a sniffer port.
To create the one-armed sniffer firewall policy - web-based manager
1 Go to Firewall > Policy > Sniffer Policy and select Create New.
2 Set the Source Interface/Zone to WAN1.
3 Set the Source Address to All.
4 Set the Destination Address to All.
5 Set the Service to SMTP.
6 Select the check box for DoS Sensor, and select block_flood from the list.
7 Select the check box for IPS Sensor and select protect_email_server from the list.
8 Select OK.
To create the one-armed sniffer firewall policy - CLI
config firewall interface-policy
edit 1
set interface wan1
set srcaddr all
set dstaddr all
set service SMTP
set ips-sensor-status enable
set ips-sensor protect_email_server
set ips-DoS-status enable
set ips-DoS block_flood
end

Identity-based Policies
If you enable Enable Identity Based Policy in a firewall policy, network users must send
traffic involving a supported firewall authentication protocol to trigger the firewall
authentication challenge, and successfully authenticate, before the FortiGate
unit will allow any other traffic matching the firewall policy.
User authentication can occur through any of the following supported protocols:
• HTTP
• HTTPS
• FTP
• Telnet

Authentication can also occur through automatic login using NTLM and FSAE, to bypass
user intervention.
The authentication style depends on which of these supported protocols you have
included in the selected firewall services group and which of those enabled protocols the
network user applies to trigger the authentication challenge. The authentication style will
be one of two types. For certificate-based (HTTPS or HTTP redirected to HTTPS only)
authentication, you must install customized certificates on the FortiGate unit and on the
browsers of network users, which the FortiGate unit matches. For user name and
password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts
network users to input their firewall user name and password.
For example, if you want to require HTTPS certificate-based authentication before
allowing SMTP and POP3 traffic, you must select a firewall service (in the firewall policy)
that includes SMTP, POP3 and HTTPS services. Prior to using either POP3 or SMTP, the
network user would send traffic using the HTTPS service, which the FortiGate unit would
use to verify the network user’s certificate; upon successful certificate-based
authentication, the network user would then be able to access his or her email.
In most cases, you should ensure that users can use DNS through the FortiGate unit
without authentication. If DNS is not available, users will not be able to use a domain
name when using a supported authentication protocol to trigger the FortiGate unit’s
authentication challenge.
Note: If you do not install certificates on the network user’s web browser, the network users
may see an SSL certificate warning message and have to manually accept the default
FortiGate certificate, which the network users’ web browsers may then deem as invalid.
Note: When you use certificate authentication, if you do not specify any certificate when
you create a firewall policy, the default certificate from the global settings will be used. If
you specify a certificate, the per-policy setting will override the global setting.

Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create
users, assign them to a firewall user group, and assign a protection profile to that user
group.


Identity-based policy example
With this basic identity-based policy example, the firewall policy will allow HTTPS traffic
passing from the external interface (WAN1) to the internal interface (Internal) at all times,
as soon as the network user enters their username and password. For simplicity, the
policy will request the firewall authentication. This authentication can be set up for users
by going to User > Local and their groupings by going to User > Groups. For this example,
the group “accounting” is used. When a user attempts to browse to a secure site, they will
be prompted for their login credentials.
To create an identity-based policy - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following:
Source interface/Zone: WAN1
Source address: 172.20.120.141
Destination interface/Zone: Internal
Destination address: 10.13.20.22
Schedule: always
Action: ACCEPT
3 Select Enable Identity Based Policy.
4 Firewall authentication is enabled by default.
5 Select Add.
6 From the Available User Groups list, select the Accounting user group and select the
right arrow to move it to the Selected User Groups area.
7 From the Available Services list, select HTTPS and select the right arrow to move it
to the Selected Services area.
8 For the Schedule, select Always.
9 Select OK.
To create an identity-based policy - CLI
config firewall policy

edit 1
set srcintf wan1
set srcaddr 172.20.120.141
set dstintf internal
set dstaddr 10.13.20.22
set action accept
set schedule always
set identity-based enable
config identity-based-policy
edit 1
set group accounting
set service HTTPS
set schedule always
end
end


Identity-based policy positioning
With identity-based firewall policies, positioning is extremely important. For a typical
firewall policy, the FortiGate unit matches the source, destination and service of the policy.
If matched, it acts on that policy. If not, the FortiGate unit moves to the next policy.
With identity-based policies, once the FortiGate unit matches the source and destination
addresses, it processes the identity sub-rules for the user groups and services. That is, it
acts on the authentication and completes the remainder of that policy and goes no further
in the policy list.
The way identity based policies work is that once src/dest are matched, it will process the
identity based sub-rules (for lack of a better term) around the user groups and services. It
will never process the rest of your rulebase. For this reason, unique firewall policies
should be placed before an identity-based policy.
For example, consider the following policies:

DNS traffic goes through successfully, as does any HTTP traffic after being authenticated.
However, if there was FTP traffic, it would not get through. As the FortiGate unit processes
FTP traffic, it skips rule one, since that rule matches on source, destination and service
and the service does not match. When it moves to rule two, it matches the source and
destination, determines there is a match, processes the group/service sub-rules, which
require authentication, and acts on those rules. Once satisfied, the FortiGate unit will
never go to rule three.
In this situation, where you would want FTP traffic to traverse the FortiGate unit, create a
firewall policy specific to the services you require and place it above the authentication
policy.
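The first-match evaluation described in this chapter, together with the identity-based positioning case above, as an added example that is not Fortinet code: a small Python simulator of the policy-list semantics. Interface, address and policy names are constructed for illustration, reusing the addresses from this chapter's examples.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "ANY"  # stands in for the predefined service that matches everything


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str        # "all" or one address object name/IP
    dstaddr: str
    service: str        # ANY or one service name such as "FTP"
    action: str         # "accept" or "deny"
    identity_based: bool = False
    # identity sub-rules as (user_group, service, action), checked top-down
    sub_rules: List[Tuple[str, str, str]] = field(default_factory=list)


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: str
    user_group: Optional[str] = None  # group the user authenticated into, if any


def _addr_match(policy_addr: str, packet_addr: str) -> bool:
    return policy_addr == "all" or policy_addr == packet_addr


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matched-by) for the first matching policy, top-down.

    A normal policy must match interfaces, addresses and service.  An
    identity-based policy matches on interfaces and addresses only; its
    sub-rules then decide and nothing further down the list is consulted.
    No match at all is the implicit deny that logs as policy 0.
    """
    for pol in policies:
        if (pol.srcintf, pol.dstintf) != (pkt.srcintf, pkt.dstintf):
            continue
        if not (_addr_match(pol.srcaddr, pkt.srcaddr)
                and _addr_match(pol.dstaddr, pkt.dstaddr)):
            continue
        if pol.identity_based:
            for group, service, action in pol.sub_rules:
                if group == pkt.user_group and service in (ANY, pkt.service):
                    return action, f"{pol.name}/{group}"
            return "deny", f"{pol.name}/no sub-rule matched"
        if pol.service in (ANY, pkt.service):
            return pol.action, pol.name
    return "deny", "policy 0 (implicit deny)"


# Constructed hosts, reusing the addresses this chapter's examples use.
HOST, SERVER = "10.13.20.22", "172.20.120.141"


def ftp_ordering_demo() -> dict:
    """Figures 24/25: the FTP deny exception above versus below the general accept."""
    block_ftp = Policy("block-ftp", "internal", "wan1", "all", "all", "FTP", "deny")
    allow_all = Policy("allow-all", "internal", "wan1", "all", "all", ANY, "accept")
    ftp = Packet("internal", "wan1", HOST, SERVER, "FTP")
    http = Packet("internal", "wan1", HOST, SERVER, "HTTP")
    return {
        "correct/ftp": evaluate([block_ftp, allow_all], ftp)[0],    # deny
        "correct/http": evaluate([block_ftp, allow_all], http)[0],  # accept
        "reversed/ftp": evaluate([allow_all, block_ftp], ftp)[0],   # accept: exception masked
    }


def identity_positioning_demo() -> dict:
    """Rule 1 DNS, rule 2 identity-based (accounting, HTTP), rule 3 FTP."""
    rule1 = Policy("rule1-dns", "internal", "wan1", "all", "all", "DNS", "accept")
    rule2 = Policy("rule2-auth", "internal", "wan1", "all", "all", ANY, "accept",
                   identity_based=True, sub_rules=[("accounting", "HTTP", "accept")])
    rule3 = Policy("rule3-ftp", "internal", "wan1", "all", "all", "FTP", "accept")
    user = dict(srcaddr=HOST, dstaddr=SERVER, user_group="accounting")
    dns = Packet("internal", "wan1", service="DNS", **user)
    http = Packet("internal", "wan1", service="HTTP", **user)
    ftp = Packet("internal", "wan1", service="FTP", **user)
    return {
        "dns": evaluate([rule1, rule2, rule3], dns),
        "http": evaluate([rule1, rule2, rule3], http),
        # FTP reaches rule 2, whose sub-rules do not allow it; rule 3 is never seen
        "ftp_below_auth": evaluate([rule1, rule2, rule3], ftp),
        # the fix from the text: the FTP-specific policy goes above the identity policy
        "ftp_above_auth": evaluate([rule1, rule3, rule2], ftp),
    }
```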

Identity-based sub-policies
When adding authentication to a firewall policy, you can add multiple authentication rules,
or sub-policies. Within these policies you can include additional UTM profiles, traffic
shaping and so on, to take effect on the selected services.
Figure 27: Authentication sub-policies


These sub-policies work on the same principle as normal firewall policies, that is, top
down until the criteria has been met (see “Policy order” on page 216). As such, if there is
no matching policy within the list, the packet can still be dropped even after authentication
is successful.

ICMP packet processing
ICMP messages are used to relay feedback to the traffic source that the destination IP is
not reachable. ICMP message types are:
• ICMP_ECHO
• ICMP_TIMESTAMP
• ICMP_INFO_REQUEST
• ICMP_ADDRESS
For ICMP error messages, only those reporting an error for an existing session can pass
through the firewall. The firewall policy will allow traffic to be routed, forwarded or denied.
If allowed, the ICMP packets will start a new session. Only ICMP error messages for which a
corresponding firewall policy is available will be sent back to the source. Otherwise, the
packet is dropped. That is, only ICMP packets for a corresponding firewall policy can
traverse the FortiGate unit.
Common error messages include:
• destination unreachable messages
• time exceeded messages
• redirect messages
For example, consider a firewall policy that allows TFTP traffic through the FortiGate unit.
User1 (192.168.21.12) attempts to connect to the TFTP server (10.11.100.1); however, UDP
port 69 has not been opened on the server. The corresponding sniffer trace occurs:
diagnose sniffer packet any "host 10.11.100.1 or icmp" 4
3.677808 internal in 192.168.21.12.1262 -> 10.11.100.1.69: udp 20
3.677960 wan1 out 192.168.21.12.1262 -> 10.11.100.1.69: udp 20
3.678465 wan1 in 10.11.100.1.132 -> 192.168.21.12: icmp: 10.11.100.1
udp port 69 unreachable
3.678519 internal out 10.11.100.1 -> 192.168.21.12: icmp:
192.168.182.132 udp port 69 unreachable

Firewall policy examples
This section provides some simple, real-world examples of firewall policies you can use
as a starting point when creating policies for your network.

Blocking an IP address
This example describes how to create a firewall policy to block a specific IP address. Any
traffic from the configured IP address will be dropped at the point of hitting the FortiGate
unit. To block an IP address, you need an additional step of creating an address entry
before creating a firewall policy to block the address.

Add an Address
First create the address which the FortiGate will identify to be blocked. In this example, the
address will be 172.20.120.29 for the address name of Blocked_IP.


To add an address entry - web-based manager
1 Go to Firewall > Address > Address and select Create New.
2 Enter a Name of Blocked_IP.
3 Enter the IP address and subnet of 172.20.120.29/255.255.255.255.
The subnet is set to 255.255.255.255 to block the specific address. If you wanted to
block the entire subnet enter 172.20.120.0/255.255.255.0.
To add an address entry - CLI
config firewall address
edit Blocked_IP
set subnet 172.20.120.29/32
end

Add a Firewall Policy
With the address added, you can now create the DENY firewall policy which will prevent
any traffic from this IP address from traversing the network. In this policy, the traffic will be
restricted from the IP of an outside source through the external interface, WAN1.
To add a firewall policy - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Complete the following and select OK:
Source Interface/Zone: WAN1
Source Address: Blocked_IP
Destination Interface/Zone: Internal
Destination Address: All
Schedule: Always
Service: ALL
Action: DENY
3 Move the firewall policy to the top of the policy list.
To add a firewall policy - CLI
config firewall policy
edit 1
set srcintf wan1
set srcaddr Blocked_IP
set dstintf internal
set dstaddr all
set action deny
set schedule always
set service ANY
end

Scheduled access policies
Firewall schedules control when policies are in effect, that is, when they are on. You can
create one-time schedules which are schedules that are in effect only once for the period
of time specified in the schedule. You can also create recurring schedules that are in effect
repeatedly at specified times of specified days of the week. For more information on
schedules, see “Services” on page 208.


This example describes firewall policy rules that:
• On weekdays, allow all users to fully access the Internet during lunchtime and after
business hours
• Allow full access to the Internet without any restriction for users from a specific IP
range, called Admin_PCs
• During business hours, allow only access to www.example.com and
www.example2.com for the other users
• No restriction during the weekend
It should be noted that a Firewall Policy is inactive outside of its schedule and that the
schedule relies upon the date/time that is configured on the FortiGate unit.
In this example all users are connected to the Internal interface and the Internet
access is connected to WAN1.

Configuring the schedules
Begin by adding the schedule times when the firewall policies take effect.
Note: If the stop time is set earlier than the start time, the stop time will be
considered as the next day. If the start time is equal to the stop time, the schedule
will run for 24 hours.
To configure schedules - web-based manager
1 Go to Firewall > Schedule > Recurring, and select Create New.
2 Enter the schedule Name of week-end.
3 Select the days of the week this schedule is employed. In this case, Saturday and
Sunday.
4 Select OK.
5 Select Create New.
6 Enter the schedule Name of lunch-time.
7 Select the days of the week this schedule is employed. In this case, Monday through
Friday.
8 Select the Start Hour of 12.
9 Select the Stop Hour of 14.
10 Select OK.
11 Select Create New.
12 Enter the schedule Name of late evening to early morning.
13 Select the days of the week this schedule is employed. In this case, Monday through
Friday.
14 Select the Start Hour of 18.
15 Select the Stop Hour of 08.
16 Select OK.
To configure schedules - CLI
config firewall schedule recurring
edit week-end
set day sunday saturday
next
edit lunch-time
set day monday tuesday wednesday thursday friday
set end 14:00
set start 12:00
next
edit "late evening to early morning"
set day monday tuesday wednesday thursday friday
set end 08:00
set start 18:00
next
end
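The wrap-around rules from the note above (a stop time before the start time means the stop is on the next day; start equal to stop means 24 hours), as an added example that is not Fortinet code: a Python model of the three recurring schedules just configured that reports which are in effect at a given local time. The 24-hour case is modelled as the whole listed day, which is this example's reading of the note.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, List

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: FrozenSet[str]        # days on which a window of this schedule starts
    start: time = time(0, 0)
    end: time = time(0, 0)

    def _wraps(self) -> bool:
        # stop earlier than start: the stop time is on the next day
        return self.end < self.start

    def _starts_today(self, t: time) -> bool:
        if self.start == self.end:  # equal times: runs for 24 hours (whole listed day here)
            return True
        if self._wraps():
            return t >= self.start  # from start until midnight on the listed day
        return self.start <= t < self.end

    def is_active(self, when: datetime) -> bool:
        """True if `when` (the unit's local clock) lies in one of this schedule's windows."""
        today = DAYS[when.weekday()]
        if today in self.days and self._starts_today(when.time()):
            return True
        # the tail of a wrapping window that began on the previous listed day
        yesterday = DAYS[(when - timedelta(days=1)).weekday()]
        return yesterday in self.days and self._wraps() and when.time() < self.end


WEEKDAYS = frozenset(DAYS[:5])
# The three schedules from the CLI above, in the same order.
SCHEDULES = [
    RecurringSchedule("week-end", frozenset({"saturday", "sunday"})),
    RecurringSchedule("lunch-time", WEEKDAYS, time(12, 0), time(14, 0)),
    RecurringSchedule("late evening to early morning", WEEKDAYS, time(18, 0), time(8, 0)),
]


def active_schedules(when: datetime, schedules=SCHEDULES) -> List[str]:
    """Names of the schedules in effect at `when`, in configuration order."""
    return [s.name for s in schedules if s.is_active(when)]


def active_at(year: int, month: int, day: int, hour: int, minute: int) -> List[str]:
    """Convenience wrapper over active_schedules for a local date and time."""
    return active_schedules(datetime(year, month, day, hour, minute))
```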

Configuring the IP addresses
Configure the addresses for the administrator computers and the web sites that can be
accessible during the scheduled times.
To configure addresses and web sites - web-based manager
1 Go to Firewall > Address > Address and select Create New.
2 Enter a Name of Admin_PCs.
3 Enter the Subnet/IP Range of 192.168.1.200-192.168.1.254.
4 Select OK.
5 Select Create New.
6 Enter the Name of example.com.
7 Select the Type of FQDN.
8 Enter the FQDN of www.example.com.
9 Select OK.
10 Select Create New.
11 Enter the Name of example2.com.
12 Select the Type of FQDN.
13 Enter the FQDN of www.example2.com.
14 Select OK.
To configure addresses and web sites - CLI
config firewall address
edit Admin_PCs
set type iprange
set end-ip 192.168.1.254
set start-ip 192.168.1.200
next
edit example.com
set type fqdn
set fqdn www.example.com
next
edit example2.com
set type fqdn
set fqdn www.example2.com
next
end


Configuring the firewall policies
With the key components, the schedules and addresses, create the firewall policies to
employ these components and set the schedules to drive what users can view during the
day. There are a total of five required for this example.
To create the firewall policies - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Complete the following for the weekend access policy and select OK:
Source Interface/Zone: Internal
Source Address: All
Destination Interface/Zone: WAN1
Destination Address: All
Schedule: week-end
Service: ALL
Action: Accept
NAT: Select to Enable.
Comments: Week-end policy.
3 Select Create New.
4 Complete the following for the administrator access policy and select OK:
Source Interface/Zone: Internal
Source Address: Admin_PCs
Destination Interface/Zone: WAN1
Destination Address: All
Schedule: Always
Service: ALL
Action: Accept
NAT: Select to Enable.
Comments: Admin PCs no restriction.
5 Select Create New.
6 Complete the following for the lunch-time surfing policy and select OK:
Source Interface/Zone: Internal
Source Address: All
Destination Interface/Zone: WAN1
Destination Address: All
Schedule: lunch-time
Service: ALL
Action: Accept
NAT: Select to Enable.
Comments: Lunch-time policy.
7 Select Create New.


8 Complete the following for the overnight policy and select OK:
Source Interface/Zone: Internal
Source Address: All
Destination Interface/Zone: WAN1
Destination Address: All
Schedule: late evening to early morning
Service: ALL
Action: Accept
NAT: Select to Enable.
Comments: Late evening to early morning policy.
9 Select Create New.
10 Complete the following for the web site access policy and select OK:
Source Interface/Zone: Internal
Source Address: All
Destination Interface/Zone: WAN1
Destination Address: example.com and example2.com
Schedule: Always
Service: ALL
Action: Accept
NAT: Select to Enable.
Comments: Access to the example.com websites policy.

To create the firewall policies - CLI
config firewall policy
edit 1
set srcintf internal
set dstintf wan1
set srcaddr all
set dstaddr all
set action accept
set comments "week-end policy"
set schedule week-end
set service ANY
set nat enable
next
edit 2
set srcintf internal
set dstintf wan1
set srcaddr Admin_PCs
set dstaddr all
set action accept
set comments "Admin PCs no restriction"
set schedule always
set service ANY
set nat enable
next
edit 3
set srcintf internal
set dstintf wan1
set srcaddr all
set dstaddr all
set action accept
set comments "lunch time policy"
set schedule lunch-time
set service ANY
set nat enable
next
edit 4
set srcintf internal
set dstintf wan1
set srcaddr all
set dstaddr all
set action accept
set comments "late evening to early morning policy"
set schedule "late evening to early morning"
set service ANY
set nat enable
next
edit 5
set srcintf internal
set dstintf wan1
set srcaddr all
set dstaddr example.com example2.com
set action accept
set schedule always
set service ANY
set nat enable
next
end

Multicast forwarding
Multicasting (also called IP multicasting) consists of using a single multicast source to
send data to many receivers. Multicasting can be used to send data to many receivers
simultaneously while conserving bandwidth and reducing network traffic. Multicasting can
be used for one-way delivery of media streams to multiple receivers and for one-way data
transmission for news feeds, financial information, and so on. Also RIPv2 uses
multicasting to share routing table information.
A multicast network typically consists of one or more multicast sources and one or more
multicast receivers. Multicast sources send multicast packets and multicast receivers
receive multicast packets. Usually there are various network components in between the
sources and the receivers. These network components may just forward multicast packets
or they may route multicast packets. Network components that route multicast packets are
multicast routers.
Using a multicast router means that the source only needs to transmit a single stream of
data to the multicast router. The multicast router routes the data to the receivers. The
receivers can be single receivers or can be part of a multicast group. The multicast router
makes decisions about how to route the packets to receivers and multicast groups.
Typically the multicast router makes routing decisions based on the source and
destination addresses of the multicast packets. The multicast router can also apply
network address translation (NAT) to multicast packets.
This chapter describes configuring FortiGate units to forward multicast traffic and contains
the following sections:
• Multicast IP addresses
• Multicast forwarding and FortiGate units
• Configuring FortiGate multicast forwarding

FortiGate units operating in NAT/Route mode can also be configured as multicast routers.
You can configure a FortiGate unit to be a Protocol Independent Multicast (PIM) router
operating in Sparse Mode (SM) or Dense Mode (DM).

Multicast IP addresses
Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address
range is reserved for multicast groups. The multicast address range applies to multicast
groups, not to the originators of multicast packets. Table 10 lists reserved multicast
address ranges and describes what they are reserved for:

Table 10: Reserved Multicast address ranges

Reserved Address Range: 224.0.0.0 to 224.0.0.255
Use: Used for network protocols on local networks. For more information, see RFC 1700.
Notes: In this range, packets are not forwarded by the router but remain on the local network. They have a Time to Live (TTL) of 1. These addresses are used for communicating routing information.

Reserved Address Range: 224.0.1.0 to 238.255.255.255
Use: Global addresses used for multicasting data between organizations and across the Internet. For more information, see RFC 1700.
Notes: Some of these addresses are reserved, for example, 224.0.1.1 is used for Network Time Protocol (NTP).

Reserved Address Range: 239.0.0.0 to 239.255.255.255
Use: Limited scope addresses used for local groups and organizations. For more information, see RFC 2365.
Notes: Routers are configured with filters to prevent multicasts to these addresses from leaving the local system.

Multicast forwarding and FortiGate units
In both Transparent mode and NAT/Route mode you can configure FortiGate units to
forward multicast traffic.
For a FortiGate unit to forward multicast traffic you must add FortiGate multicast firewall
policies. Basic multicast firewall policies accept any multicast packets at one FortiGate
interface and forward the packets out another FortiGate interface. You can also use
multicast firewall policies to be selective about the multicast traffic that is accepted based
on source and destination address, and to perform NAT on multicast packets.
In the example shown in Figure 28, a multicast source on the Marketing network with IP
address 192.168.5.18 sends multicast packets to the members of network 239.168.4.0. At
the FortiGate unit, the source IP address for multicast packets originating from workstation
192.168.5.18 is translated to 192.168.18.10. In this example, the FortiGate unit is not
acting as a multicast router.

Multicast forwarding and RIPv2
RIPv2 uses multicast to share routing table information. If your FortiGate unit is installed
on a network that includes RIPv2 routers, you must configure the FortiGate unit to forward
multicast packets so that RIPv2 devices can share routing data through the FortiGate unit.
No special FortiGate configuration is required to share RIPv2 data; you can simply use the
information in the following sections to configure the FortiGate unit to forward multicast
packets.
Note: RIPv1 uses broadcasting to share routing table information. To allow RIPv1 packets
through a FortiGate unit you can add standard firewall policies. Firewall policies to accept
RIPv1 packets can use the ANY predefined firewall service or the RIP predefined firewall
service.

Figure 28: Example multicast network including a FortiGate unit that forwards multicast
packets

[Figure: a FortiGate-800 (internal IP 192.168.5.1, external IP 172.20.20.10, DMZ IP 192.168.6.1) sits between the Marketing network 192.168.5.0/24, the Development network 192.168.6.0/24 and the Internet. Multicast forwarding is enabled with source address 192.168.5.18, source interface internal, destination address 239.168.4.0, destination interface external and NAT IP 192.168.18.10. The sender on the Marketing network at IP address 192.168.5.18 multicasts to IP address 239.168.4.0; Receiver_1 to Receiver_4 on the Internet side are members of multicast group 239.168.4.0.]

Configuring FortiGate multicast forwarding
You configure FortiGate multicast forwarding from the Command Line Interface (CLI). Two
steps are required:
• Adding multicast firewall policies
• Enabling multicast forwarding
This second step is only required if your FortiGate unit is operating in NAT mode. If
your FortiGate unit is operating in Transparent mode, adding a multicast policy enables
multicast forwarding.

Adding multicast firewall policies
You need to add firewall policies to allow packets to pass from one interface to another.
Multicast packets require multicast firewall policies. You add multicast firewall policies
from the CLI using the config firewall multicast-policy command. As with
unicast firewall policies, you specify the source and destination interfaces and optionally
the allowed address ranges for the source and destination addresses of the packets.
You can also use multicast firewall policies to configure source NAT and destination NAT
for multicast packets. For full details on the config firewall multicast-policy command, see
the FortiGate CLI Reference.
Keep the following in mind when configuring multicast firewall policies:
• When source NAT is configured, the source IP address of matched forwarded (outgoing) multicast packets is changed to the configured IP address.
• Source and Destination interfaces are optional. If left blank, the multicast will be forwarded to ALL interfaces.
• Source and Destination addresses are optional. If left unset, ALL addresses match.
• The nat keyword is optional. Use it when source address translation is needed.

Enabling multicast forwarding
Multicast forwarding is disabled by default. In NAT mode you must use the multicast-forward keyword of the system settings CLI command to enable multicast
forwarding. When multicast-forward is enabled, the FortiGate unit forwards any
multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces
except the receiving interface. The TTL in the IP header will be reduced by 1. Even though
the multicast packets are forwarded to all interfaces, you must add firewall policies to
actually allow multicast packets through the FortiGate. In our example, the firewall policy
allows multicast packets received by the internal interface to exit to the external interface.
Note: Enabling multicast forwarding is only required if your FortiGate unit is operating in
NAT mode. If your FortiGate unit is operating in Transparent mode, adding a multicast
policy enables multicast forwarding.

Enter the following CLI command to enable multicast forwarding:
config system settings
set multicast-forward enable
end
If multicast forwarding is disabled, the FortiGate unit drops packets that have multicast
source or destination addresses.
You can also use the multicast-ttl-notchange keyword of the system settings
command so that the FortiGate unit does not change the TTL value of forwarded
multicast packets. You should use this option only if packets are expiring before reaching
the multicast router.
config system settings
set multicast-ttl-notchange enable
end
In Transparent mode, the FortiGate unit does not forward frames with multicast
destination addresses unless a multicast policy is added. Multicast traffic such as that used by routing protocols or
streaming media may need to traverse the FortiGate unit, and the unit should not interfere with
that communication. To avoid any issues during transmission, you can set up multicast
firewall policies. These types of firewall policies can only be enabled using the CLI.

Note: The CLI parameter multicast-skip-policy must be disabled when using multicast
firewall policies. To disable enter the command
config system settings
set multicast-skip-policy disable
end

In this simple example, no check is performed on the source or destination interfaces. A
multicast packet received on an interface is flooded unconditionally to all interfaces on the
forwarding domain, except the incoming interface.
To enable the multicast policy
config firewall multicast-policy
edit 1
set action accept
end
In this example, the multicast policy only applies to the source interface WAN1 and the
destination interface Internal.
To enable the restrictive multicast policy
config firewall multicast-policy
edit 1
set srcintf wan1
set dstintf internal
set action accept
end
In this example, packets are allowed to flow from WAN1 to Internal only when sourced by the
address 172.20.120.129.
To enable the more restrictive multicast policy
config firewall multicast-policy
edit 1
set srcintf wan1
set srcaddr 172.20.120.129 255.255.255.255
set dstintf internal
set action accept
end
This example shows how to configure the multicast firewall policy required for the
configuration shown in Figure 28 on page 237. This policy accepts multicast packets that
are sent from a PC with IP address 192.168.5.18 to destination address range
239.168.4.0. The policy allows the multicast packets to enter the internal interface and
then exit the external interface. When the packets leave the external interface their source
address is translated to 192.168.18.10.
config firewall multicast-policy
edit 5
set srcaddr 192.168.5.18 255.255.255.255
set srcintf internal
set dstaddr 239.168.4.0 255.255.255.0
set dstintf external
set nat 192.168.18.10
end

This example shows how to configure a multicast firewall policy so that the FortiGate unit
forwards multicast packets from a multicast server with IP address 10.10.10.10 that is sending
to group address 225.1.1.1. This server is on the network connected to the FortiGate DMZ
interface. The second entry, which has no match criteria, denies all other multicast traffic.
config firewall multicast-policy
edit 1
set srcintf dmz
set srcaddr 10.10.10.10 255.255.255.255
set dstintf internal
set dstaddr 225.1.1.1 255.255.255.255
set action accept
next
edit 2
set action deny
next
end

Multicast routing examples
This section contains the following multicast routing configuration examples and
information:
• Example FortiGate PIM-SM configuration using a static RP
• FortiGate PIM-SM debugging examples
• Example multicast destination NAT (DNAT) configuration
• Example PIM configuration that uses BSR to find the RP

Figure 29: Example FortiGate PIM-SM topology

[Figure labels: Multicast Source 169.254.82.1 sending to 233.254.200.1 on network 169.254.82.0/24. Cisco_3750_1 router, RP for group 233.234.200.x (169.254.100.1 loopback0), FE0/23 (.250), FE0/24 (.1). Cisco_3750_2 router, FE0/23 (.250), on 10.31.138.0/24, VLAN 138. FortiGate-800 external (.253), internal (.1), on 10.31.130.0/24, VLAN 130. Cisco_3750_3 router, FE0/24 (.250), FE0/23 (.130), on 10.31.128.128/30. Receiver (.129), Group 233.254.200.1.]

Example FortiGate PIM-SM configuration using a static RP
The example Protocol Independent Multicast Sparse Mode (PIM-SM) configuration shown
in Figure 29 has been tested for multicast interoperability using PIM-SM between Cisco
3750 switches running 12.2 and a FortiGate-800 running FortiOS v3.0 MR5 patch 1. In
this configuration, the receiver receives the multicast stream when it joins the group
233.254.200.1.
The configuration uses a statically configured rendezvous point (RP) which resides on the
Cisco_3750_1. Using a bootstrap router (BSR) was not tested in this example. See
“Example PIM configuration that uses BSR to find the RP” on page 254 for an example
that uses a BSR.

Configuration steps
The following procedures show how to configure the multicast configuration settings for
the devices in the example configuration.
• Cisco_3750_1 router configuration
• Cisco_3750_2 router configuration
• To configure the FortiGate-800 unit
• Cisco_3750_3 router configuration

Cisco_3750_1 router configuration
version 12.2
!
hostname Cisco-3750-1
!
switch 1 provision ws-c3750-24ts
ip subnet-zero
ip routing
!
ip multicast-routing distributed
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface Loopback0
ip address 169.254.100.1 255.255.255.255
!
interface FastEthernet1/0/23
switchport access vlan 182
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 172
switchport mode access
!
interface Vlan172
ip address 10.31.138.1 255.255.255.0
ip pim sparse-mode
ip igmp query-interval 125
ip mroute-cache distributed
!
interface Vlan182
ip address 169.254.82.250 255.255.255.0
ip pim sparse-mode
ip mroute-cache distributed
!
ip classless
ip route 0.0.0.0 0.0.0.0 169.254.82.1
ip http server
ip pim rp-address 169.254.100.1 Source-RP
!
ip access-list standard Source-RP
permit 233.254.200.0 0.0.0.255

Cisco_3750_2 router configuration
version 12.2
!
hostname Cisco-3750-2
!
switch 1 provision ws-c3750-24ts
ip subnet-zero
ip routing
!
ip multicast-routing distributed
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet1/0/23
switchport access vlan 138
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 182
switchport mode access
!
interface Vlan138
ip address 10.31.138.250 255.255.255.0
ip pim sparse-mode
ip mroute-cache distributed
!
interface Vlan182
ip address 169.254.82.1 255.255.255.0
ip pim sparse-mode
ip mroute-cache distributed
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.138.253
ip route 169.254.100.1 255.255.255.255 169.254.82.250
ip http server
ip pim rp-address 169.254.100.1 Source-RP
!
!
ip access-list standard Source-RP
permit 233.254.200.0 0.0.0.255
To configure the FortiGate-800 unit
1 Configure the internal and external interfaces.
config system interface
edit internal
set vdom root
set ip 10.31.130.1 255.255.255.0
set allowaccess ping https
set type physical
next
edit external
set vdom root
set ip 10.31.138.253 255.255.255.0
set allowaccess ping
set type physical
end
2 Add a firewall address for the RP.
config firewall address
edit RP
set subnet 169.254.100.1/32
end
3 Add standard firewall policies to allow traffic to reach the RP.
config firewall policy
edit 1
set srcintf internal
set dstintf external
set srcaddr all
set dstaddr RP
set action accept
set schedule always
set service ANY
next
edit 2
set srcintf external
set dstintf internal
set srcaddr RP
set dstaddr all
set action accept
set schedule always
set service ANY
end
4 Add the multicast firewall policy.
config firewall multicast-policy
edit 1
set dstaddr 233.254.200.0 255.255.255.0
set dstintf internal
set srcaddr 169.254.82.0 255.255.255.0
set srcintf external
end
5 Add an access list.
config router access-list
edit Source-RP
config rule
edit 1
set prefix 233.254.200.0 255.255.255.0
set exact-match disable
next
end
end

6 Add some static routes.
config router static
edit 1
set device internal
set gateway 10.31.130.250
next
edit 2
set device external
set dst 169.254.0.0 255.255.0.0
set gateway 10.31.138.250
next
end
7 Configure multicast routing.
config router multicast
config interface
edit internal
set pim-mode sparse-mode
config igmp
set version 2
end
next
edit external
set pim-mode sparse-mode
config igmp
set version 2
end
next
end
set multicast-routing enable
config pim-sm-global
config rp-address
edit 1
set ip-address 169.254.100.1
set group Source-RP
next
end
end
end
Cisco_3750_3 router configuration
version 12.2
!
hostname Cisco-3750-3
!
switch 1 provision ws-c3750-24ts
ip subnet-zero
ip routing
!
ip multicast-routing distributed
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet1/0/23
switchport access vlan 128
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 130
switchport mode access
!
interface Vlan128
ip address 10.31.128.130 255.255.255.252
ip pim sparse-mode
ip mroute-cache distributed
!
interface Vlan130
ip address 10.31.130.250 255.255.255.0
ip pim sparse-mode
ip mroute-cache distributed
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.130.1
ip http server
ip pim rp-address 169.254.100.1 Source-RP
!
!
ip access-list standard Source-RP
permit 233.254.200.0 0.0.0.255

FortiGate PIM-SM debugging examples
Using the example topology shown in Figure 30 you can trace the multicast streams and
states within the three FortiGate units (FGT-1, FGT-2, and FGT-3) using the debug
commands described in this section. The command output in this section is taken from a
FortiGate unit running FortiOS v3.0 MR5 patch 1 when the multicast stream is flowing
correctly from source to receiver.

Figure 30: PIM-SM debugging topology

[Figure: the Multicast Source (.11), sending to 239.255.255.1, is on 10.166.0.0/24 behind the internal interface of FGT-1 (.237). FGT-1 external connects over 10.130.0.0/24 to FGT-2 (.156) internal; FGT-2 holds the RP 192.168.1.1/32 on a loopback interface. FGT-2 external connects over 10.132.0.0/24 to port2 of FGT-3 (.226), whose port3 is on 10.167.0.0/24 with the Receiver (.62).]

Checking that the receiver has joined the required group
From the last hop router, FGT-3, you can use the following command to check that the
receiver has correctly joined the required group.
FGT-3 # get router info multicast igmp groups
IGMP Connected Group Membership
Group Address    Interface  Uptime    Expires   Last Reporter
239.255.255.1    port3      00:31:15  00:04:02  10.167.0.62
Only one receiver is displayed for a particular group: this is the device that responded to the
IGMP query request from FGT-3. If a receiver is active, the expire time should drop to
approximately 2 minutes before being refreshed.

Checking the PIM-SM neighbors
Next the PIM-SM neighbors should be checked. A PIM router becomes a neighbor when
the PIM router receives a PIM hello. Use the following command to display the PIM-SM
neighbors of FGT-3.
FGT-3 # get router info multicast pim sparse-mode neighbour
Neighbor Address  Interface  Uptime/Expires     Ver  DR Priority/Mode
10.132.0.156      port2      01:57:12/00:01:33  v2   1 /

Checking that the PIM router can reach the RP
The rendezvous point (RP) must be reachable for the PIM router (FGT-3) to be able to
send the *,G join to request the stream. This can be checked for FGT-3 using the
following command:
FGT-3 # get router info multicast pim sparse-mode rp-mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 192.168.1.1
Uptime: 07:23:00

Viewing the multicast routing table (FGT-3)
The FGT-3 unicast routing table can be used to determine the path taken to reach the RP
at 192.168.1.1. You can then check the stream state entries using the following
commands:
FGT-3 # get router info multicast pim sparse-mode table
IP Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0
(*,*,RP) Entries   This state may be reached by general joins for all groups served by a specified RP.
(*,G) Entries      State that maintains the RP tree for a given group.
(S,G) Entries      State that maintains a source-specific tree for source S and group G.
(S,G,rpt) Entries  State that maintains source-specific information about source S on the RP tree for G. For example, if a source is being received on the source-specific tree, it will normally have been pruned off the RP tree.
FCR                The FCR state entries are for tracking the sources in the <*,G> when <S,G> is not available for any reason; the stream would typically be flowing when this state exists.

Breaking down each entry in detail:
(*, 239.255.255.1)
RP: 192.168.1.1
RPF nbr: 10.132.0.156
RPF idx: port2
Upstream State: JOINED

248

FortiOS 4.0 MR2 FortiGate Fundamentals
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Multicast forwarding

Multicast routing examples

Local:
port3
Joined:
Asserted:
FCR:
The RP will always be listed in a *,G entry; the RPF neighbor and interface index will also
be shown. In this topology these are the same in all downstream PIM routers. The state is
active so the upstream state is joined.
In this case FGT-3 is the last hop router, so the IGMP join is received locally on port3.
There is no PIM outgoing interface listed for this entry as it is used for the upstream PIM
join.
(10.166.0.11, 239.255.255.1)
RPF nbr: 10.132.0.156
RPF idx: port2
SPT bit: 1
Upstream State: JOINED
Local:
Joined:
Asserted:
Outgoing:
port3
This is the entry for the SPT; no RP is listed. The S,G stream will be forwarded out of the
stated outgoing interface.
(10.166.0.11, 239.255.255.1, rpt)
RP: 192.168.1.1
RPF nbr: 10.132.0.156
RPF idx: port2
Upstream State: NOT PRUNED
Local:
Pruned:
Outgoing:
The above S,G,RPT state is created for all streams that have both a S,G and a *,G entry
on the router. It is not pruned in this case because of the topology: the RP and source
are reachable over the same interface.
Although not seen in this scenario, assert states may be seen when multiple PIM routers
exist on the same LAN which can lead to more than one upstream router having a valid
forwarding state. Assert messages are used to elect a single forwarder from the upstream
devices.

Viewing the PIM next-hop table
The PIM next-hop table is also very useful for checking the various states; it can be used
to quickly identify the states of multiple multicast streams.
FGT-3 # get router info multicast pim sparse-mode next-hop
Flags: N = New, R = RP, S = Source, U = Unreachable
Destination   Type  Nexthop  Nexthop       Nexthop  Metric  Pref  Refcnt
                    Num      Addr          Ifindex
_________________________________________________________________
10.166.0.11   ..S.  1        10.132.0.156  9        21      110   3
192.168.1.1   .R..  1        10.132.0.156  9        111     110   2

Viewing the PIM multicast forwarding table
Also you can check the multicast forwarding table showing the ingress and egress ports of
the multicast stream.
FGT-3 # get router info multicast table
IP Multicast Routing Table
Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)
(10.166.0.11, 239.255.255.1), uptime 04:02:55, stat expires
00:02:25
Owner PIM-SM, Flags: TF
Incoming interface: port2
Outgoing interface list:
port3 (TTL threshold 1)

Viewing the kernel forwarding table
The kernel forwarding table can also be verified; it should give similar
information to the above command:
FGT-3 # diag ip multicast mroute
grp=239.255.255.1 src=10.166.0.11 intf=9 flags=(0x10000000)[ ]
status=resolved
last_assert=2615136 bytes=1192116 pkt=14538 wrong_if=0
num_ifs=1
index(ttl)=[6(1),]

Viewing the multicast routing table (FGT-2)
If you check the output on FGT-2 there are some small differences:
FGT-2 # get router info multicast pim sparse-mode table
IP Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0
(*, 239.255.255.1)
RP: 192.168.1.1
RPF nbr: 0.0.0.0
RPF idx: None
Upstream State: JOINED
Local:
Joined:
external
Asserted:
FCR:
The *,G entry now has a joined interface rather than local because it has received a PIM
join from FGT-3 rather than a local IGMP join.

(10.166.0.11, 239.255.255.1)
RPF nbr: 10.130.0.237
RPF idx: internal
SPT bit: 1
Upstream State: JOINED
Local:
Joined:
external
Asserted:
Outgoing:
external
The S,G entry shows that we have received a join on the external interface and the stream
is being forwarded out of this interface.
(10.166.0.11, 239.255.255.1, rpt)
RP: 192.168.1.1
RPF nbr: 0.0.0.0
RPF idx: None
Upstream State: PRUNED
Local:
Pruned:
Outgoing:
External
The S,G,RPT is different from FGT-3 because FGT-2 is the RP: it has pruned back the
SPT for the RP to the first hop router.

Viewing the multicast routing table (FGT-1)
FGT-1 again has some differences with regard to the PIM-SM states: there is no *,G entry
because it is not in the path between a receiver and the RP.
FGT-1_master # get router info multicast pim sparse-mode table
IP Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 0
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0
Below, the S,G is the SPT termination because this FortiGate unit is the first hop router;
the RPF neighbor always shows as 0.0.0.0 because the source is local to this device. Both
the joined and outgoing fields show as external because the PIM join and the stream are
egressing on this interface.
(10.166.0.11, 239.255.255.1)
RPF nbr: 0.0.0.0
RPF idx: None
SPT bit: 1
Upstream State: JOINED
Local:
Joined:
external
Asserted:
Outgoing:
external

The stream has been pruned back from the RP because the end-to-end SPT is flowing;
there is no requirement for the stream to be sent to the RP in this case.
(10.166.0.11, 239.255.255.1, rpt)
RP: 0.0.0.0
RPF nbr: 10.130.0.156
RPF idx: external
Upstream State: RPT NOT JOINED
Local:
Pruned:
Outgoing:
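As an added example (not FortiOS code and not part of this handbook), the parser below turns the get router info multicast pim sparse-mode table output quoted in this section into structured entries and runs the last-hop sanity checks the FGT-3 walkthrough describes: a JOINED *,G entry with the receiver interface under Local, and each S,G entry forwarding out that interface. The FGT-3 output is embedded as a constructed sample; parse_pim_table, check_last_hop and PimEntry are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the FGT-3 'get router info multicast pim sparse-mode table'
# output quoted in this section, embedded so the parser runs offline.
FGT3_TABLE = """\
IP Multicast Routing Table
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
(*, 239.255.255.1)
RP: 192.168.1.1
RPF nbr: 10.132.0.156
RPF idx: port2
Upstream State: JOINED
Local:
port3
Joined:
Asserted:
FCR:
(10.166.0.11, 239.255.255.1)
RPF nbr: 10.132.0.156
RPF idx: port2
SPT bit: 1
Upstream State: JOINED
Local:
Joined:
Asserted:
Outgoing:
port3
(10.166.0.11, 239.255.255.1, rpt)
RP: 192.168.1.1
RPF nbr: 10.132.0.156
RPF idx: port2
Upstream State: NOT PRUNED
Local:
Pruned:
Outgoing:
"""

# Entry headers look like "(*, G)", "(S, G)" or "(S, G, rpt)"; the named
# list fields are followed by zero or more interface names, one per line.
ENTRY_RE = re.compile(r"^\((\*|\d+(?:\.\d+){3}), (\d+(?:\.\d+){3})(, rpt)?\)$")
LIST_FIELDS = ("Local", "Joined", "Asserted", "Outgoing", "Pruned", "FCR")


@dataclass
class PimEntry:
    kind: str                    # "*,G", "S,G" or "S,G,rpt"
    group: str
    source: Optional[str]        # None for a (*,G) entry
    scalars: Dict[str, str] = field(default_factory=dict)      # RP, RPF nbr, ...
    lists: Dict[str, List[str]] = field(default_factory=dict)  # Local, Joined, ...


def parse_pim_table(text: str) -> List[PimEntry]:
    """Parse the table dump into one PimEntry per (*,G), (S,G) and (S,G,rpt)."""
    entries: List[PimEntry] = []
    current: Optional[PimEntry] = None
    current_list: Optional[str] = None
    for line in filter(None, map(str.strip, text.splitlines())):
        match = ENTRY_RE.match(line)
        if match:
            src, grp, rpt = match.groups()
            kind = "*,G" if src == "*" else ("S,G,rpt" if rpt else "S,G")
            current = PimEntry(kind, grp, None if src == "*" else src)
            entries.append(current)
            current_list = None
        elif current is None:
            continue                          # title and counters above the first entry
        elif line.endswith(":") and line[:-1] in LIST_FIELDS:
            current_list = line[:-1]          # "Local:", "Outgoing:", ... header
            current.lists.setdefault(current_list, [])
        elif ": " in line:
            key, value = line.split(": ", 1)  # "Upstream State: JOINED" and the like
            current.scalars[key] = value
            current_list = None
        elif current_list is not None:
            current.lists[current_list].append(line)   # an interface under a list field
    return entries


def check_last_hop(entries: List[PimEntry], group: str, receiver_intf: str) -> List[str]:
    """Problems a last-hop router such as FGT-3 should not show for a joined group."""
    problems: List[str] = []
    star_g = [e for e in entries if e.kind == "*,G" and e.group == group]
    if not star_g:
        problems.append("no (*,G) entry: no IGMP join received or RP unreachable")
    else:
        state = star_g[0].scalars.get("Upstream State")
        if state != "JOINED":
            problems.append("(*,G) upstream state is %s, not JOINED" % state)
        if receiver_intf not in star_g[0].lists.get("Local", []):
            problems.append("(*,G) shows no local IGMP join on " + receiver_intf)
    for e in [e for e in entries if e.kind == "S,G" and e.group == group]:
        if receiver_intf not in e.lists.get("Outgoing", []):
            problems.append("(S,G) from %s is not forwarded out %s" % (e.source, receiver_intf))
    return problems
```

Feeding the FGT-2 or FGT-1 output through parse_pim_table works the same way; check_last_hop only makes sense on the last hop router, where the receiver's IGMP join arrives.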

Example multicast destination NAT (DNAT) configuration
The example topology shown in Figure 31 and described below shows how to configure
destination NAT (DNAT) for two multicast streams. Both of these streams originate from
the same source IP address, which is 10.166.0.11. The example configuration keeps the
streams separate by creating 2 multicast NAT policies.
In this example the FortiGate units in Figure 31 have the following roles:
• FGT-1 is the RP for dirty networks, 233.0.0.0/8.
• FGT-2 performs all firewall and DNAT translations.
• FGT-3 is the RP for the clean networks, 239.254.0.0/16.
• FGT-1 and FGT-3 are functioning as PIM enabled routers and could be replaced by any PIM enabled router.

This example only describes the configuration of FGT-2.
FGT-2 performs NAT so that the receivers connected to FGT-3 receive the following
translated multicast streams.
• If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.2.2.1, FGT-3 translates the source and destination IPs to 192.168.20.1 and 239.254.1.1.
• If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.3.3.1, FGT-3 translates the source and destination IPs to 192.168.20.10 and 239.254.3.1.

Figure 31: Example multicast DNAT topology

[Figure: the Multicast Source, IP 10.166.0.11/24, sends groups 233.2.2.1 and 233.3.3.1 on 10.166.0.0/24 to FGT-1 (RP for groups 233.0.0.0/8). FGT-1 connects over 10.125.0.0/24 to port6 of FGT-2 (FW), which has a loopback interface 192.168.20.1/24 with a static join configured for group 233.2.2.1. FGT-2 NATs source 10.166.0.11 / destination 233.2.2.1 to source 192.168.20.1 / destination 239.254.1.1, and source 10.166.0.11 / destination 233.3.3.1 to source 192.168.20.10 / destination 239.254.3.1, then sends the streams out port7 over 10.126.0.0/24 to FGT-3 (BSR and RP for group 239.254.0.0/16). FGT-3 connects over 10.127.0.0/24 to the Multicast Receiver, IP 10.127.0.62/24, which joins groups 239.254.1.1 and 239.254.3.1.]

To configure FGT-2 for DNAT multicast
1 Add a loopback interface. In the example, the loopback interface is named loopback.
config system interface
edit loopback
set vdom root
set ip 192.168.20.1 255.255.255.0
set type loopback
next
end
2 Add PIM and add a unicast routing protocol to the loopback interface as if it was a
normal routed interface. Also add static joins to the loopback interface for any groups
to be translated.
config router multicast
config interface
edit loopback
set pim-mode sparse-mode
config join-group
edit 233.2.2.1
next
edit 233.3.3.1
next
end
next
end
end

3 In this example, to add firewall multicast policies, different source IP addresses are
required so you must first add an IP pool:
config firewall ippool
edit Multicast_source
set endip 192.168.20.20
set interface port6
set startip 192.168.20.10
next
end
4 Add the translation firewall policies.
Policy 2, which is the source NAT policy, uses the actual IP address of port6. Policy 1,
the DNAT policy, uses an address from the IP pool.
config firewall multicast-policy
edit 1
set dnat 239.254.3.1
set dstaddr 233.3.3.1 255.255.255.255
set dstintf loopback
set nat 192.168.20.10
set srcaddr 10.166.0.11 255.255.255.255
set srcintf port6
next
edit 2
set dnat 239.254.1.1
set dstaddr 233.2.2.1 255.255.255.255
set dstintf loopback
set nat 192.168.20.1
set srcaddr 10.166.0.11 255.255.255.255
set srcintf port6
next
end
5 Add a firewall multicast policy to forward the stream from the loopback interface to the
physical outbound interface.
This example is an any/any policy that makes sure traffic accepted by the other
multicast policies can exit the FortiGate unit.
config firewall multicast-policy
edit 3
set dstintf port7
set srcintf loopback
next
end
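As an added illustration, not taken from the handbook or from FortiOS: a small Python model of how the three FGT-2 multicast policies above rewrite a packet on its way from port6 through the loopback interface to port7. Interface names, addresses and the nat/dnat values are the page's; the first-match evaluation and the "any" defaults are a simplified model of the documented behaviour, not FortiOS code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _network(addr_mask: str) -> ipaddress.IPv4Network:
    """Accept the CLI form 'ip mask' (e.g. '10.166.0.11 255.255.255.255') or 'any'."""
    if addr_mask == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    ip, mask = addr_mask.split()
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


@dataclass
class MulticastPolicy:
    """One 'config firewall multicast-policy' entry, modelled as on the page."""
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str = "any"          # unset srcaddr matches any source (model assumption)
    dstaddr: str = "any"          # unset dstaddr matches any group (model assumption)
    nat: Optional[str] = None     # translated source IP, if set
    dnat: Optional[str] = None    # translated destination group, if set

    def matches(self, srcintf: str, dstintf: str, src: str, dst: str) -> bool:
        return (self.srcintf == srcintf and self.dstintf == dstintf
                and ipaddress.IPv4Address(src) in _network(self.srcaddr)
                and ipaddress.IPv4Address(dst) in _network(self.dstaddr))


# The FGT-2 policies from steps 4 and 5, in policy-id order.
FGT2_POLICIES: List[MulticastPolicy] = [
    MulticastPolicy(1, "port6", "loopback", "10.166.0.11 255.255.255.255",
                    "233.3.3.1 255.255.255.255", nat="192.168.20.10", dnat="239.254.3.1"),
    MulticastPolicy(2, "port6", "loopback", "10.166.0.11 255.255.255.255",
                    "233.2.2.1 255.255.255.255", nat="192.168.20.1", dnat="239.254.1.1"),
    MulticastPolicy(3, "loopback", "port7"),   # any/any egress policy
]


def apply_policies(policies: List[MulticastPolicy], srcintf: str, dstintf: str,
                   src: str, dst: str) -> Optional[Tuple[int, str, str]]:
    """Return (policy_id, new_src, new_dst) for the first matching policy, else None."""
    for p in policies:
        if p.matches(srcintf, dstintf, src, dst):
            return p.policy_id, p.nat or src, p.dnat or dst
    return None


def forward_through_fgt2(src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Two hops: port6 -> loopback (translation), then loopback -> port7 (egress).

    Returns the (source, group) pair seen on port7, or None if a hop has no policy."""
    hop1 = apply_policies(FGT2_POLICIES, "port6", "loopback", src, dst)
    if hop1 is None:
        return None
    _, src2, dst2 = hop1
    hop2 = apply_policies(FGT2_POLICIES, "loopback", "port7", src2, dst2)
    if hop2 is None:
        return None
    return src2, dst2
```

A packet from a source other than 10.166.0.11, or to a group with no translation policy, is dropped by the model rather than forwarded untranslated, which is the point of using /32 matches in policies 1 and 2.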

Example PIM configuration that uses BSR to find the RP
This example shows how to configure a multicast routing network for a network consisting
of four FortiGate-500A units (FortiGate-500A_1 to FortiGate-500A_4, see Figure 32). A
multicast sender is connected to FortiGate-500A_2. FortiGate-500A_2 forwards multicast
packets in two directions to reach Receiver 1 and Receiver 2.
The configuration uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs)
instead of using static RPs. Under interface configuration, the loopback interface lo0
must join the 236.1.1.1 group (source).

This example describes:
• Commands used in this example
• Configuration steps
• Example debug commands

Figure 32: PIM network topology using BSR to find the RP (Sender attached to FortiGate-500A_2; FortiGate-500A_1, RP for 237.1.1.1, with groups 237.1.1.1 and 238.1.1.1; a Cisco 3640 router, a Cisco 2611 router and a Cisco 3550 switch in the path; Receiver 1; FortiGate-500A_3, RP for others, priority 256; FortiGate-500A_4, RP for others, priority 1; Receiver 2)

Commands used in this example
This example uses CLI commands for the following configuration settings:
• Adding a loopback interface (lo0)
• Defining the multicast routing
• Adding the NAT multicast policy

Adding a loopback interface (lo0)
Where required, the following command is used to define a loopback interface named
lo0.
config system interface
edit lo0
set vdom root
set ip 1.4.50.4 255.255.255.255
set allowaccess ping https ssh snmp http telnet
set type loopback
next
end

Defining the multicast routing
In this example, the following command syntax is used to define multicast routing. The
example uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs) instead
of using static RPs. Under interface configuration, the loopback interface lo0 must join
the 236.1.1.1 group (source).
config router multicast
config interface
edit port6
set pim-mode sparse-mode
next
edit port1
set pim-mode sparse-mode
next
edit lo0
set pim-mode sparse-mode
set rp-candidate enable
config join-group
edit 236.1.1.1
next
end
set rp-candidate-priority 1
next
end
set multicast-routing enable
config pim-sm-global
set bsr-allow-quick-refresh enable
set bsr-candidate enable
set bsr-interface lo0
set bsr-priority 200
end
end

Adding the NAT multicast policy
In this example, the incoming multicast policy does the address translation. The NAT
address should be the same as the IP address of the loopback interface. The DNAT
address is the translated address, which should be a new group.
config firewall multicast-policy
edit 1
set dstintf port6
set srcintf lo0
next
edit 2
set dnat 238.1.1.1
set dstintf lo0
set nat 1.4.50.4
set srcintf port1
next
end

Configuration steps
In this sample, FortiGate-500A_1 is the RP for the groups 228.1.1.1, 237.1.1.1 and 238.1.1.1,
and FortiGate-500A_4 is the RP for the other groups, with a priority of 1. OSPF is used
in this example to distribute routes, including the loopback interface. All firewalls have full
mesh firewall policies to allow any to any.
• In the FortiGate-500A_1 configuration, the NAT policy translates source address
236.1.1.1 to 237.1.1.1.
• In the FortiGate-500A_4 configuration, the NAT policy translates source 236.1.1.1 to
238.1.1.1.
• Source 236.1.1.1 is injected into the network as well.

The following procedures include the CLI commands for configuring each of the FortiGate
units in the example configuration.
To configure FortiGate-500A_1
1 Configure multicast routing.
config router multicast
config interface
edit port5
set pim-mode sparse-mode
next
edit port4
set pim-mode sparse-mode
next
edit lan
set pim-mode sparse-mode
next
edit port1
set pim-mode sparse-mode
next
edit lo999
set pim-mode sparse-mode
next
edit lo0
set pim-mode sparse-mode
set rp-candidate enable
set rp-candidate-group 1
next
end
set multicast-routing enable
config pim-sm-global
set bsr-candidate enable
set bsr-interface lo0
end
end
2 Add multicast firewall policies.
config firewall multicast-policy
edit 1
set dstintf port5
set srcintf port4
next
edit 2
set dstintf port4
set srcintf port5
next
edit 3
next
end
3 Add router access lists.
config router access-list
edit 1
config rule
edit 1
set prefix 228.1.1.1 255.255.255.255
set exact-match enable
next
edit 2
set prefix 237.1.1.1 255.255.255.255
set exact-match enable
next
edit 3
set prefix 238.1.1.1 255.255.255.255
set exact-match enable
next
end
next
end
To configure FortiGate-500A_2
1 Configure multicast routing.
config router multicast
config interface
edit "lan"
set pim-mode sparse-mode
next
edit "port5"
set pim-mode sparse-mode
next
edit "port2"
set pim-mode sparse-mode
next
edit "port4"
set pim-mode sparse-mode
next
edit "lo_5"
set pim-mode sparse-mode
config join-group
edit 236.1.1.1
next
end
next
end
set multicast-routing enable
end

2 Add multicast firewall policies.
config firewall multicast-policy
edit 1
set dstintf lan
set srcintf port5
next
edit 2
set dstintf port5
set srcintf lan
next
edit 4
set dstintf lan
set srcintf port2
next
edit 5
set dstintf port2
set srcintf lan
next
edit 7
set dstintf port1
set srcintf port2
next
edit 8
set dstintf port2
set srcintf port1
next
edit 9
set dstintf port5
set srcintf port2
next
edit 10
set dstintf port2
set srcintf port5
next
edit 11
set dnat 237.1.1.1
set dstintf lo_5
set nat 5.5.5.5
set srcintf port2
next
edit 12
set dstintf lan
set srcintf lo_5
next
edit 13
set dstintf port1
set srcintf lo_5
next
edit 14
set dstintf port5
set srcintf lo_5
next

edit 15
set dstintf port2
set srcintf lo_5
next
edit 16
next
end
To configure FortiGate-500A_3
1 Configure multicast routing.
config router multicast
config interface
edit port5
set pim-mode sparse-mode
next
edit port6
set pim-mode sparse-mode
next
edit lo0
set pim-mode sparse-mode
set rp-candidate enable
set rp-candidate-priority 255
next
edit lan
set pim-mode sparse-mode
next
end
set multicast-routing enable
config pim-sm-global
set bsr-candidate enable
set bsr-interface lo0
end
end
2 Add multicast firewall policies.
config firewall multicast-policy
edit 1
set dstintf port5
set srcintf port6
next
edit 2
set dstintf port6
set srcintf port5
next
edit 3
set dstintf port6
set srcintf lan
next
edit 4
set dstintf lan
set srcintf port6
next

edit 5
set dstintf port5
set srcintf lan
next
edit 6
set dstintf lan
set srcintf port5
next
end

To configure FortiGate-500A_4
1 Configure multicast routing.
config router multicast
config interface
edit port6
set pim-mode sparse-mode
next
edit lan
set pim-mode sparse-mode
next
edit port1
set pim-mode sparse-mode
next
edit lo0
set pim-mode sparse-mode
set rp-candidate enable
config join-group
edit 236.1.1.1
next
end
set rp-candidate-priority 1
next
end
set multicast-routing enable
config pim-sm-global
set bsr-allow-quick-refresh enable
set bsr-candidate enable
set bsr-interface lo0
set bsr-priority 1
end
end
2 Add multicast firewall policies.
config firewall policy
edit 1
set srcintf lan
set dstintf port6
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 2
set srcintf port6
set dstintf lan
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 3
set srcintf port1
set dstintf port6
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 4
set srcintf port6
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 5
set srcintf port1
set dstintf lan
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 6
set srcintf lan
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 7
set srcintf port1
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next

edit 8
set srcintf port6
set dstintf lo0
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 9
set srcintf port1
set dstintf lo0
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 10
set srcintf lan
set dstintf lo0
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
end

Example debug commands
You can use the following CLI commands to view information about and status of the
multicast configuration. This section includes get and diagnose commands and some
sample output.
get router info multicast pim sparse-mode table 236.1.1.1
get router info multicast pim sparse-mode neighbour
Neighbor     Interface  Uptime/Expires     Ver  DR
Address                                         Priority/Mode
83.97.1.2    port6      02:22:01/00:01:44  v2   1 / DR
diagnose ip multicast mroute
grp=236.1.1.1 src=19.2.1.1 intf=7 flags=(0x10000000)[ ]
status=resolved
last_assert=171963 bytes=1766104 pkt=1718 wrong_if=1
num_ifs=2
index(ttl)=[6(1),10(1),]
grp=236.1.1.1 src=1.4.50.4 intf=10 flags=(0x10000000)[ ]
status=resolved
last_assert=834864 bytes=4416 pkt=138 wrong_if=0 num_ifs=2
index(ttl)=[7(1),6(1),]
grp=238.1.1.1 src=1.4.50.4 intf=10 flags=(0x10000000)[ ]
status=resolved
last_assert=834864 bytes=1765076 pkt=1717 wrong_if=0
num_ifs=1
index(ttl)=[7(1),]
get router info multicast igmp groups
IGMP Connected Group Membership
Group Address  Interface  Uptime    Expires   Last Reporter
236.1.1.1      lan        00:45:48  00:03:21  10.4.1.1
236.1.1.1      lo0        02:19:31  00:03:23  1.4.50.4
get router info multicast pim sparse-mode interface
Address    Interface  VIFindex  Ver/Mode  Nbr Count  DR Prior  DR
10.4.1.2   lan        2         v2/S      0          1         10.4.1.2
83.97.1.1  port6      0         v2/S      1          1         83.97.1.2
1.4.50.4   lo0        3         v2/S      0          1         1.4.50.4
get router info multicast pim sparse-mode rp-mapping
PIM Group-to-RP Mappings
This system is the Bootstrap Router (v2)
Group(s): 224.0.0.0/4
RP: 1.4.50.4
Info source: 1.4.50.4, via bootstrap, priority 1
Uptime: 02:20:32, expires: 00:01:58
RP: 1.4.50.3
Info source: 1.4.50.3, via bootstrap, priority 255
Uptime: 02:20:07, expires: 00:02:24
Group(s): 228.1.1.1/32
RP: 1.4.50.1
Info source: 1.4.50.1, via bootstrap, priority 192
Uptime: 02:18:24, expires: 00:02:06
Group(s): 237.1.1.1/32
RP: 1.4.50.1
Info source: 1.4.50.1, via bootstrap, priority 192
Uptime: 02:18:24, expires: 00:02:06
Group(s): 238.1.1.1/32
RP: 1.4.50.1
Info source: 1.4.50.1, via bootstrap, priority 192
Uptime: 02:18:24, expires: 00:02:06
get router info multicast pim sparse-mode bsr-info
PIMv2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 1.4.50.4
Uptime: 02:23:08, BSR Priority: 1, Hash mask length: 10
Next bootstrap message in 00:00:18
Role: Candidate BSR
State: Elected BSR
Candidate RP: 1.4.50.4(lo0)
Advertisement interval 60 seconds
Next Cand_RP_advertisement in 00:00:54

Advanced concepts and examples
This section delves into more detailed firewall information and examples.
This chapter includes the following sections:
• Adding NAT firewall policies in transparent mode
• Adding a static NAT virtual IP for a single IP address and port
• Double NAT: combining IP pool with virtual IP
• Using VIP range for Source NAT (SNAT) and static 1-to-1 mapping
• Stateful inspection of SCTP traffic

Adding NAT firewall policies in transparent mode
Similar to operating in NAT mode, when operating a FortiGate unit in Transparent mode
you can add firewall policies and:
• Enable NAT to translate the source addresses of packets as they pass through the
FortiGate unit.
• Add virtual IPs to translate destination addresses of packets as they pass through the
FortiGate unit.
• Add IP pools as required for source address translation.

For NAT firewall policies to work in NAT mode you must have two interfaces on two
different networks with two different subnet addresses. Then you can create firewall
policies to translate source or destination addresses for packets as they are relayed by the
FortiGate unit from one interface to the other.
A FortiGate unit operating in Transparent mode normally has only one IP address, the
management IP. To support NAT in Transparent mode you can add a second
management IP. These two management IPs must be on different subnets. When you add
two management IP addresses, all FortiGate unit network interfaces will respond to
connections to both of these IP addresses.
In the example shown in Figure 33, all of the PCs on the internal network (subnet address
192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the
management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in
a typical NAT mode firewall. When a PC on the internal network attempts to connect to the
Internet, the PC's default route sends packets destined for the Internet to the FortiGate
unit internal interface. Similarly on the DMZ network (subnet address 10.1.1.0/24) all of
the PCs have a default route of 10.1.1.99.
This example describes adding an internal to WAN1 firewall policy to relay these packets
from the internal interface out the WAN1 interface to the Internet. Because the WAN1
interface does not have an IP address of its own, you must add an IP pool to the WAN1
interface that translates the source addresses of the outgoing packets to an IP address on
the network connected to the wan1 interface.

The example describes adding an IP pool with a single IP address of 10.1.1.201. So all
packets sent by a PC on the internal network that are accepted by the Internal to WAN1
policy leave the WAN1 interface with their source address translated to 10.1.1.201. These
packets can now travel across the Internet to their destination. Reply packets return to the
WAN1 interface because they have a destination address of 10.1.1.201. The Internal to
WAN1 NAT policy translates the destination address of these return packets to the IP
address of the originating PC and sends them out the internal interface to the
originating PC.
Use the following steps to configure NAT in Transparent mode:
• Add two management IPs
• Add an IP pool to the WAN1 interface
• Add an Internal to WAN1 firewall policy
Note: You can add the firewall policy from the web-based manager and then use the CLI to
enable NAT and add the IP Pool.

Figure 33: Example NAT in Transparent mode configuration (Transparent mode management IPs 10.1.1.99 and 192.168.1.99; the Internal interface faces the internal network 192.168.1.0/24, the DMZ interface faces the DMZ network 10.1.1.0/24, and WAN 1 connects through the Internet router to the Internet)

To add a source address translation NAT policy in Transparent mode
1 Enter the following command to add two management IPs.
The second management IP is the default gateway for the internal network.
config system settings
set manageip 10.1.1.99/24 192.168.1.99/24
end
2 Enter the following command to add an IP pool to the WAN1 interface:
config firewall ippool
edit nat-out
set interface "wan1"
set startip 10.1.1.201
set endip 10.1.1.201
end
3 Enter the following command to add an Internal to WAN1 firewall policy with NAT
enabled that also includes an IP pool:
config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
set ippool enable
set poolname nat-out
end

Adding a static NAT virtual IP for a single IP address and port
In this example, the wan1 interface of the FortiGate unit is connected to the Internet and
the DMZ1 interface is connected to the DMZ network. The IP address 192.168.37.4 on
port 80 on the Internet is mapped to 10.10.10.42 on port 8000 on the private network.
Attempts to communicate with 192.168.37.4 from the Internet are translated and sent to
10.10.10.42 by the FortiGate unit. The computers on the Internet are unaware of this
translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a
private network behind it.
Figure 34: Static NAT virtual IP for a single IP address example (client 172.20.120.129 sends to WAN1/VIP 192.168.37.4 with Source IP 172.20.120.129 and Destination IP 192.168.37.4; after NAT with the virtual IP the FortiGate unit forwards from its Internal IP 10.10.10.2 to the server 10.10.10.42 with Source IP 10.10.10.2 and Destination IP 10.10.10.42)

To add a static NAT virtual IP for a single IP address and port - web-based manager
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Complete the following and select OK.
Name                        static_NAT
External Interface          wan1
Type                        Static NAT
External IP Address/Range   192.168.37.4
Mapped IP Address/Range     10.10.10.42
Port Forwarding             Selected
Protocol                    TCP
External Service Port       80
Map to Port                 8000

To add a static NAT virtual IP for a single IP address and port - CLI
config firewall vip
edit static_NAT
set extintf wan1
set type static-nat
set extip 192.168.37.4
set mappedip 10.10.10.42
set portforward enable
set extport 80
set mappedport 8000
end
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP address, packets pass through the
FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates
the destination address of these packets from the external IP to the DMZ network IP
address of the web server.
To add a static NAT virtual IP for a single IP address to a firewall policy - web-based
manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Complete the following:
Source Interface/Zone       wan1
Source Address              All
Destination Interface/Zone  dmz1
Destination Address         static_nat
Schedule                    always
Service                     HTTP
Action                      ACCEPT

3 Select NAT.
4 Select OK.
To add a static NAT virtual IP for a single IP address to a firewall policy - CLI
config firewall policy
edit 1
set srcintf wan1
set dstintf dmz1
set srcaddr all
set dstaddr static_nat
set action accept
set schedule always
set service ANY
set nat enable
end

Double NAT: combining IP pool with virtual IP
In this example, a combination of virtual IPs, IP pools and firewall policies will allow the
local users to access the servers on the DMZ. The example uses a fixed port and IP pool
to allow more than one user connection while using virtual IP to translate the destination
port from 8080 to 80. The firewall policy uses both the IP pool and the virtual IP for double
IP and/or port translation.
For this example:
• Users in the 10.1.1.0/24 subnet use port 8080 to access server 172.16.1.1.
• The server's listening port is 80.
• Fixed ports must be used.

Figure 35: Double NAT (Internal network 10.1.1.0/24 behind the Internal interface 10.1.3.0/16; WAN1 to the Internet through a router without NAT; DMZ interface 172.20.120.2 to the Web Server 172.20.120.1)

To create an IP pool - web-based manager
1 Go to Firewall > Virtual IP > IP Pool.
2 Select Create New.
3 Enter the Name pool-1.
4 Enter the IP Range/Subnet 10.1.2.1-10.1.3.254.
5 Select OK.
To create an IP pool - CLI
config firewall ippool
edit pool-1
set startip 10.1.3.1
set endip 10.1.3.254
end

Next, create the virtual IP with port translation to translate the user internal IP used by the
network users to the DMZ port and IP address of the server.
To create a Virtual IP with port translation - web-based manager
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information and select OK.
Name                        server-1
External Interface          Internal
Type                        Static NAT
External IP Address/Range   172.20.120.1 (note that this address is the same as the server address)
Mapped IP Address/Range     172.20.120.1
Port Forwarding             Enable
Protocol                    TCP
External Service Port       8080
Map to Port                 80

To create a Virtual IP with port translation - CLI
config firewall vip
edit server-1
set extintf internal
set type static-nat
set extip 172.20.120.1
set mappedip 172.20.120.1
set portforward enable
set extport 8080
set mappedport 80
end
Add an internal to DMZ firewall policy that uses the virtual IP to translate the destination
port number and the IP pool to translate the source addresses.
To create the firewall policy - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Complete the following and select OK:
Source Interface/Zone       internal
Source Address              all
Destination Interface/Zone  dmz
Destination Address         server-1
Schedule                    always
Service                     HTTP
Action                      ACCEPT
NAT                         Select
Dynamic IP Pool             Select, and select the pool-1 IP pool.

To create the firewall policy - CLI
config firewall policy
edit 1
set srcintf internal
set dstintf dmz1
set srcaddr all
set dstaddr server-1
set action accept
set schedule always
set service HTTP
set nat enable
set ippool enable
set poolname pool-1
end

Server load balancing and HTTP cookie persistence fields
The following options are available for the config firewall vip command when
type is set to server-load-balance, server-type is set to http or https and
persistence is set to http-cookie:
http-cookie-domain
http-cookie-path
http-cookie-generation
http-cookie-age
http-cookie-share
https-cookie-share (appears when server-type is set to https)
When HTTP cookie persistence is enabled the FortiGate unit inserts a header of the
following form into each HTTP response unless the corresponding HTTP request already
contains a FGTServer cookie:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Max-Age=3600
The value of the FGTServer cookie encodes the server that traffic should be directed to.
The value is encoded so as to not leak information about the internal network.
Use http-cookie-domain to restrict the domain that the cookie should apply to. For
example, to restrict the cookie to .server.com, enter:
set http-cookie-domain .server.com
All generated cookies will have the following form:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Domain=.server.com; Max-Age=3600
Use http-cookie-path to limit the cookies to a particular path. For example, to limit
cookies to the path /sales, enter:
set http-cookie-path /sales
All generated cookies will have the following form:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Domain=.server.com; Path=/sales; Max-Age=3600
Use http-cookie-age to change how long the browser caches the cookie. You can
enter an age in minutes or set the age to 0 to make the browser keep the cookie
indefinitely:
set http-cookie-age 0
All generated cookies will have the following form:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Domain=.server.com; Path=/sales

Use http-cookie-generation to invalidate all cookies that have already been
generated. The exact value of the generation is not important, only that it is different from
any generation that has already been used for cookies in this domain. The simplest
approach is to increment the generation by one each time invalidation is required. Since
the default is 0, enter the following to invalidate all existing cookies:
set http-cookie-generation 1
Use http-cookie-share {disable | same-ip} to control the sharing of cookies
across virtual servers in the same virtual domain. The default setting same-ip means that
any FGTServer cookie generated by one virtual server can be used by another virtual
server in the same virtual domain. For example, if you have an application that starts on
HTTP and then changes to HTTPS and you want to make sure that the same server is
used for the HTTP and HTTPS traffic then you can create two virtual servers, one for port
80 (for HTTP) and one for port 443 (for HTTPS). As long as you add the same real servers
to both of these virtual servers (and as long as both virtual servers have the same number
of real servers with the same IP addresses), then cookies generated by accessing the
HTTP server are reused when the application changes to the HTTPS server.
If for any reason you do not want this sharing to occur then select disable to make sure
that a cookie generated for a virtual server cannot be used by other virtual servers.
Use https-cookie-secure to enable or disable using secure cookies. Secure cookies
are disabled by default because secure cookies can interfere with cookie sharing across
HTTP and HTTPS virtual servers. If enabled, then the Secure tag is added to the cookie
inserted by the FortiGate unit:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Max-Age=3600; Secure
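Added example, not from the handbook or from FortiOS: Python that renders the FGTServer Set-Cookie header for a given combination of the cookie options above and audits a captured header against the intended settings, so a reviewer can confirm the domain, path, age and Secure flag actually sent match the configuration. The cookie value is the page's sample; the code assumes the default http-cookie-age is 60 minutes, consistent with the Max-Age=3600 shown above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The encoded server id shown in the page's examples.
SAMPLE_VALUE = "E7D01637C4B08E89A6714213A9D85D9C7E4D8158"


@dataclass
class CookieConfig:
    """The VIP cookie options described above; defaults mirror the page's first header."""
    domain: str = ""        # http-cookie-domain ("" = not set)
    path: str = ""          # http-cookie-path ("" = not set)
    age_minutes: int = 60   # http-cookie-age in minutes; 0 = browser keeps it indefinitely
    secure: bool = False    # https-cookie-secure


def build_set_cookie(value: str, cfg: CookieConfig) -> str:
    """Render the Set-Cookie header in the attribute order the page shows."""
    parts = [f"FGTServer={value}", "Version=1"]
    if cfg.domain:
        parts.append(f"Domain={cfg.domain}")
    if cfg.path:
        parts.append(f"Path={cfg.path}")
    if cfg.age_minutes > 0:
        parts.append(f"Max-Age={cfg.age_minutes * 60}")   # minutes -> seconds
    if cfg.secure:
        parts.append("Secure")
    return "Set-Cookie: " + "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split 'Set-Cookie: name=value; Attr=val; Flag' into a dict; flags map to None."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    attrs: Dict[str, Optional[str]] = {}
    for piece in body.split(";"):
        piece = piece.strip()
        if piece:
            name, sep, val = piece.partition("=")
            attrs[name] = val if sep else None
    return attrs


def audit_cookie(header: str, cfg: CookieConfig) -> List[str]:
    """Return a list of deviations between a captured header and the intended config."""
    attrs = parse_set_cookie(header)
    if "FGTServer" not in attrs:
        return ["no FGTServer cookie present"]
    findings: List[str] = []
    expected = {
        "Domain": cfg.domain or None,
        "Path": cfg.path or None,
        "Max-Age": str(cfg.age_minutes * 60) if cfg.age_minutes > 0 else None,
    }
    for name, want in expected.items():
        got = attrs.get(name)
        if got != want:
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    if cfg.secure and "Secure" not in attrs:
        findings.append("Secure flag missing although https-cookie-secure is enabled")
    if not cfg.secure and "Secure" in attrs:
        findings.append("Secure flag present although https-cookie-secure is disabled")
    return findings
```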

Using VIP range for Source NAT (SNAT) and static 1-to-1 mapping
A VIP address is typically used to map an external (public) IP address to an internal (private)
IP address for Destination NAT (DNAT).
This example shows how to use VIP ranges to perform Source NAT (SNAT) with a static
1-to-1 mapping from internal to external IP addresses. This is similar to using an IP pool
with the advantage of having predictable and static 1-to-1 address mapping.

Figure 36: Network diagram

This example will associate each internal IP address to one external IP address for the
Source NAT (SNAT) translation.
Using the diagram above, the translations will look like the following:
Traffic from Source IP    Translated to Source IP (SNAT)
10.10.10.42               192.168.37.4
10.10.10.43               192.168.37.5
...                       ...
10.10.10.46               192.168.37.8

First, configure the virtual IP.
To configure the virtual IP - web-based manager
1 Go to Firewall > Virtual IP > Virtual IP and select Create New.
2 Enter the Name of Static_NAT_1to1.
3 Select the External Interface of port 1 from the drop-down list.
4 Enter the External IP Address of 192.168.37.4.
5 Enter the Mapped IP Address range of 10.10.10.42 to 10.10.10.46.
6 Select OK.
To configure the virtual IP - CLI
config firewall vip
edit "Static_NAT_1to1"
set extip 192.168.37.4
set extintf "port1"
set mappedip 10.10.10.42-10.10.10.46
next
end
Next, configure the firewall policies. Even if no connection needs to be initiated from external to
internal, a second firewall policy is required to activate the VIP range. Otherwise the IP
address of the physical interface is used for NAT. In this example it is set as a "DENY" firewall policy
for security purposes.

To configure the firewall policies - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Complete the following and select OK:
Source Interface/Zone       port2
Source Address              all
Destination Interface/Zone  port1
Destination Address         all
Schedule                    always
Service                     ANY
Action                      ACCEPT
NAT                         Select
3 Complete the following and select OK:
Source Interface/Zone       port1
Source Address              all
Destination Interface/Zone  port2
Destination Address         Static_NAT_1to1
Schedule                    always
Service                     ALL
Action                      deny
Comments                    Used to activate static Source NAT 1-to-1

To configure the firewall policies - CLI
config firewall policy
edit 1
set srcintf port2
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set nat enable
next
edit 2
set srcintf port1
set dstintf port2
set srcaddr all
set dstaddr Static_NAT_1to1
set schedule always
set service ANY
set action deny
set comments "Used to activate static Source NAT 1-to-1"
next
end
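Added example, not from the handbook or from FortiOS: a Python model of the static 1-to-1 mapping the Static_NAT_1to1 VIP range above produces, in both the outbound (SNAT) and inbound (reply/DNAT) directions. Addresses are the page's; the model assumes the external range starts at extip and runs parallel to the mapped range, which is what the translation table above shows.

```python
import ipaddress
from typing import Dict, Optional


def vip_range_map(extip_start: str, mappedip_range: str) -> Dict[str, str]:
    """Map each mapped (internal) address to its external address, offset for offset.

    mappedip_range uses the CLI form 'a.b.c.d-a.b.c.e'. The external range is taken
    to start at extip_start and to have the same size (model assumption)."""
    first_s, last_s = mappedip_range.split("-")
    first, last = ipaddress.IPv4Address(first_s), ipaddress.IPv4Address(last_s)
    if last < first:
        raise ValueError("mapped range end precedes its start")
    ext_first = ipaddress.IPv4Address(extip_start)
    size = int(last) - int(first) + 1
    if int(ext_first) + size - 1 > int(ipaddress.IPv4Address("255.255.255.255")):
        raise ValueError("external range would overflow the IPv4 address space")
    return {str(first + i): str(ext_first + i) for i in range(size)}


# The page's VIP: extip 192.168.37.4, mappedip 10.10.10.42-10.10.10.46.
STATIC_NAT_1TO1 = vip_range_map("192.168.37.4", "10.10.10.42-10.10.10.46")
_REVERSE = {ext: internal for internal, ext in STATIC_NAT_1TO1.items()}


def snat_outbound(src_ip: str) -> Optional[str]:
    """port2 -> port1 with NAT enabled: an internal source becomes its fixed external address.

    Returns None for a host outside the VIP range (no 1-to-1 mapping exists for it)."""
    return STATIC_NAT_1TO1.get(src_ip)


def dnat_inbound(dst_ip: str) -> Optional[str]:
    """port1 -> port2: an external address maps back to exactly one internal host."""
    return _REVERSE.get(dst_ip)


def mapping_is_one_to_one(mapping: Dict[str, str]) -> bool:
    """Sanity check a practitioner would run: no two internal hosts share an external IP."""
    return len(set(mapping.values())) == len(mapping)
```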

Stateful inspection of SCTP traffic
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol similar to
TCP and UDP. SCTP is designed to provide reliable, in-sequence transport of messages
with congestion control. SCTP is defined in RFC 4960.
Some common applications of SCTP include supporting transmission of the following
protocols over IP networks:
• SCTP is important in 3G and 4G/LTE networks (for example, HomeNodeB = FemtoCells)
• SS7 over IP (for example, for 3G mobile networks)
• SCTP is also defined and used for SIP over SCTP and H.248 over SCTP
• Transport of Public Switched Telephone Network (PSTN) signaling messages over IP
networks.

SCTP is a reliable transport protocol that runs on top of a connectionless packet network
(IP). SCTP provides the following services:


Acknowledged error-free non-duplicated transfer of user data



Data fragmentation to conform to discovered path MTU size



Sequenced delivery of user messages within multiple streams, with an option for orderof-arrival delivery of individual user messages



Optional bundling of multiple user messages into a single SCTP packet



network-level fault tolerance through supporting of multi-homing at either or both ends
of an association



Congestion avoidance behavior and resistance to flooding and masquerade attacks

SCTP is effective as the transport protocol for applications that require monitoring and
session-loss detection. For such applications, the SCTP path and session failuredetection mechanisms actively monitor the connectivity of the session. SCTP differs from
TCP in having multi-homing capabilities at either or both ends and several streams within
a connection, typically referred to as an association. A TCP stream represents a sequence
of bytes; an SCTP stream represents a sequence of messages.

Configuring FortiGate SCTP filtering
The FortiGate firewall can apply firewall policies to SCTP sessions in the same way as
TCP and UDP sessions. You can create firewall policies that accept or deny SCTP traffic
by setting the service to ANY. FortiOS does not include pre-defined SCTP services. To
configure firewall policies for traffic with specific SCTP source or destination ports you
must create custom firewall services for SCTP.
FortiGate units route SCTP traffic in the same way as TCP and UDP traffic. You can
configure policy routes specifically for routing SCTP traffic by setting the protocol number
to 132. SCTP policy routes can route SCTP traffic according to the destination port of the
traffic if you add a port range to the policy route.


You can configure a FortiGate unit to perform stateful inspection of different types of SCTP
traffic by creating custom SCTP services and defining the port numbers or port ranges
used by those services. FortiGate units support SCTP over IPv4. The FortiGate unit
performs the following checks on SCTP packets:
• Source and destination port and verification tag
• Chunk type, chunk flags and chunk length
• Verify that the association exists
• Sequence of chunk types (INIT, INIT ACK, etc.)
• Timer checking
• Four-way handshake checking
• Heartbeat mechanism
• Protection against INIT/ACK flood DoS attacks, and long-INIT flooding
• Protection against association hijacking

FortiOS also supports SCTP sessions over IPsec VPN tunnels.
FortiOS also supports full traffic and event logging for SCTP sessions.
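The checks listed above are easier to reason about with a small model in hand. The following is an added example, not FortiOS code: a toy stateful inspector that parses the SCTP common header and chunk headers, requires an INIT to carry verification tag 0, learns each side's Initiate Tag from INIT and INIT ACK, enforces the INIT, INIT ACK, COOKIE ECHO, COOKIE ACK order, and drops any other chunk until the association is established. Hosts, ports and tags in the demo are constructed; the CRC32c checksum is not verified, and only the first chunk of a packet decides the verdict.

```python
"""Toy stateful SCTP inspector (added example, not FortiOS code).

Models a subset of the checks listed above: the verification tag, the chunk
header (type, flags, length), whether an association exists, and the order of
the four-way handshake (INIT, INIT ACK, COOKIE ECHO, COOKIE ACK). The CRC32c
checksum in the common header is not verified, and only the first chunk of a
packet decides the verdict (bundled chunks are not evaluated separately).
"""
import struct

# Chunk type values from RFC 4960, section 3.2
DATA, INIT, INIT_ACK, SACK, HEARTBEAT = 0, 1, 2, 3, 4
COOKIE_ECHO, COOKIE_ACK = 10, 11
NAMES = {0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
         5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 10: "COOKIE ECHO",
         11: "COOKIE ACK"}

# (current state, direction of this packet, chunk type) -> next state
HANDSHAKE = {
    ("INIT_SENT", "reply", INIT_ACK): "COOKIE_WAIT",
    ("COOKIE_WAIT", "orig", COOKIE_ECHO): "COOKIE_ECHOED",
    ("COOKIE_ECHOED", "reply", COOKIE_ACK): "ESTABLISHED",
}
HANDSHAKE_TYPES = {INIT_ACK, COOKIE_ECHO, COOKIE_ACK}


def parse_sctp(payload):
    """Return (src_port, dst_port, verification_tag, [(type, flags, body), ...])."""
    if len(payload) < 12:
        raise ValueError("short SCTP common header")
    sport, dport, vtag, _crc = struct.unpack("!HHII", payload[:12])
    chunks, off = [], 12
    while off + 4 <= len(payload):
        ctype, flags, length = struct.unpack("!BBH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):
            raise ValueError("bad chunk length")
        chunks.append((ctype, flags, payload[off + 4:off + length]))
        off += (length + 3) & ~3          # chunks are padded to a 4-byte boundary
    return sport, dport, vtag, chunks


def build(sport, dport, vtag, ctype, body=b""):
    """Construct a one-chunk SCTP packet for the demo (checksum field left as 0)."""
    length = 4 + len(body)
    chunk = struct.pack("!BBH", ctype, 0, length) + body + b"\0" * (-length % 4)
    return struct.pack("!HHII", sport, dport, vtag, 0) + chunk


class SctpInspector:
    """Associations keyed by (src, sport, dst, dport) as seen from the INIT sender."""

    def __init__(self):
        self.assoc = {}

    def inspect(self, src, dst, payload):
        sport, dport, vtag, chunks = parse_sctp(payload)
        if not chunks:
            return "drop: packet carries no chunk"
        fwd = (src, sport, dst, dport)    # packet sent by the initiator
        rev = (dst, dport, src, sport)    # packet sent by the responder
        if fwd in self.assoc:
            a, direction = self.assoc[fwd], "orig"
        else:
            a, direction = self.assoc.get(rev), "reply"
        ctype, _flags, body = chunks[0]
        if ctype == INIT:
            if vtag != 0 or len(body) < 4:   # RFC 4960 3.3.2: INIT carries tag 0
                return "drop: INIT must carry verification tag 0"
            (init_tag,) = struct.unpack("!I", body[:4])
            self.assoc[fwd] = {"state": "INIT_SENT", "init_tag": init_tag, "ack_tag": None}
            return "accept: INIT"
        if a is None:
            return "drop: no association"
        # Each side stamps its packets with the peer's Initiate Tag (RFC 4960 5.1).
        expected = a["ack_tag"] if direction == "orig" else a["init_tag"]
        if vtag != expected:
            return "drop: verification tag mismatch"
        nxt = HANDSHAKE.get((a["state"], direction, ctype))
        if nxt:
            if ctype == INIT_ACK:            # learn the responder's Initiate Tag
                if len(body) < 4:
                    return "drop: short INIT ACK"
                (a["ack_tag"],) = struct.unpack("!I", body[:4])
            a["state"] = nxt
            return "accept: " + NAMES[ctype]
        if ctype in HANDSHAKE_TYPES:
            return "drop: handshake chunk out of sequence"
        if a["state"] != "ESTABLISHED":
            return "drop: association not yet established"
        return "accept: " + NAMES.get(ctype, "chunk type %d" % ctype)


def demo():
    """Walk a constructed M3UA (port 2905) association through the inspector."""
    insp = SctpInspector()
    client, server = "10.31.101.11", "172.20.120.11"   # constructed hosts
    t_client, t_server = 0x11111111, 0x22222222         # constructed Initiate Tags
    init_body = lambda tag: struct.pack("!I", tag) + b"\0" * 12   # tag, a_rwnd, streams, TSN
    return [
        insp.inspect(client, server, build(5000, 2905, 0, INIT, init_body(t_client))),
        insp.inspect(server, client, build(2905, 5000, t_client, INIT_ACK, init_body(t_server))),
        insp.inspect(client, server, build(5000, 2905, t_server, COOKIE_ECHO, b"cookie")),
        insp.inspect(server, client, build(2905, 5000, t_client, COOKIE_ACK)),
        insp.inspect(client, server, build(5000, 2905, t_server, DATA, b"\0" * 16)),
        # a COOKIE ECHO from a host with no association is dropped
        insp.inspect("10.0.0.99", server, build(5000, 2905, t_server, COOKIE_ECHO, b"x")),
        # an INIT with a non-zero verification tag is dropped
        insp.inspect(client, server, build(5001, 2905, 7, INIT, init_body(t_client))),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Each verdict string names the check that fired, which is the same information a firewall would log as the drop reason; a real inspector would additionally run the timer and heartbeat checks and verify the checksum.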

Adding an SCTP custom service
This example creates a custom SCTP service that accepts SCTP traffic using destination
port 2905. SCTP port number 2905 is used for SS7 Message Transfer Part 3 (MTP3) User
Adaptation Layer (M3UA) over IP.
To add the SCTP custom service - web-based manager
1 Go to Firewall > Service > Custom and select Create New.
2 Enter the following and select OK.
Name                       M3UA_service
Protocol Type              TCP/UDP/SCTP
Protocol                   SCTP
Source Port (Low)          1
Source Port (High)         65535
Destination Port (Low)     2905
Destination Port (High)    2905

To add the SCTP custom service - CLI
config firewall service custom
edit M3UA_service
set protocol TCP/UDP/SCTP
set sctp-portrange 2905
end

Adding an SCTP policy route
You can add policy routes that route SCTP traffic based on the SCTP source and
destination port as well as other policy route criteria. The SCTP protocol number is 132.
The following example directs all SCTP traffic with SCTP destination port number 2905 to
the next hop gateway at IP address 1.1.1.1.

276

FortiOS 4.0 MR2 FortiGate Fundamentals
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Advanced concepts and examples

Stateful inspection of SCTP traffic

To add the policy route - web-based manager
1 Go to Router > Static > Policy Route.
2 Select Create New.
3 Enter the following policy route information and select OK.
Protocol                       132
Incoming interface             internal
Source address / mask          0.0.0.0 0.0.0.0
Destination address / mask     0.0.0.0 0.0.0.0
Destination Ports              From 2905 to 2905
Force traffic to:
Outgoing interface             external
Gateway Address                1.1.1.1

To add the policy route - CLI
config router policy
edit 1
set input-device internal
set src 0.0.0.0 0.0.0.0
set dst 0.0.0.0 0.0.0.0
set output-device external
set gateway 1.1.1.1
set protocol 132
set start-port 2905
set end-port 2905
end

Changing the session time to live for SCTP traffic
Use the following command to change the session timeout for SCTP protocol M3UA on
port 2905 to 3600 seconds.
config system session-ttl
config port
edit 1
set protocol 132
set start-port 2905
set end-port 2905
set timeout 3600
end
end

Adding an SCTP port forwarding virtual IP
This example shows how to add a static NAT port forwarding virtual IP that uses port
address translation to allow external access to a server on a private network. In this
example, the external IP address of the server is 172.20.120.11 and the real IP address of
the server on the internal network is 10.31.101.11.
config firewall vip
edit web_Server
set portforward enable
set extintf port1
set extip 172.20.120.11
set extport 2905
set mappedip 10.31.101.11
set mappedport 2905
set protocol sctp
end

Troubleshooting
When the firewall policies are in place and traffic is not flowing, or is flowing more than it
should, there may be an issue with one or more firewall policies. This chapter outlines
some troubleshooting tips and steps to diagnose where the traffic is not getting through, or
where too much traffic is being let through.
This chapter includes the topics:
• Basic policy checking
• Verifying traffic
• Using log messages to view violation traffic
• Traffic trace
• Packet sniffer

Basic policy checking
Before going into a deep troubleshooting session, first verify a few simple settings in the
firewall policy configuration to ensure everything is set up correctly.
For example:
• Verify the policy position. The FortiGate unit evaluates each policy in the firewall policy
list for a match until a match is found. When the FortiGate unit finds the first matching
policy, it applies the matching policy’s specified actions to the packet, and disregards
subsequent firewall policies. Is the order of the policies affecting traffic flow? For more
information see “Policy order” on page 216.
• Verify that the source and destination ports and their addresses (IP Pools and virtual
IPs) are selected correctly for the correct subdomain.
• Ensure that the NAT check box is selected in the policy. If you selected a virtual IP as
the destination address, but did not select the NAT option, the FortiGate unit performs
destination NAT rather than full NAT.
• Verify that the UTM profiles you selected are properly configured, and that any URLs or
IP addresses are entered correctly.
• Verify that the policy is enabled. In the firewall policy list (Firewall > Policy > Policy), the
Status column indicates whether a firewall policy is enabled or not. To be enabled, the
check box must be selected.
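The first check above (policy position) is the one most often missed, because a policy that is shadowed by an earlier, broader one silently never matches. The following is an added example, not FortiOS code, that models first-match evaluation over a constructed policy list and reports which later policies can never be reached; interface names, addresses and policy IDs are constructed, and the `Policy` class, `first_match`, `covers` and `shadowed` are this example's own names.

```python
"""First-match policy evaluation and shadowed-policy detection (added example,
not FortiOS code). The FortiGate walks the policy list top to bottom and the
first match decides, so a later, more specific policy may never be reached.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: str          # CIDR; "0.0.0.0/0" stands for the "all" address
    dstaddr: str
    service: frozenset    # {(proto, port), ...} or {"ANY"}
    action: str           # "accept" or "deny"
    enabled: bool = True

    def matches(self, srcintf, dstintf, src, dst, proto, port):
        """Does this policy match a packet described by the six fields?"""
        if not self.enabled or srcintf != self.srcintf or dstintf != self.dstintf:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.srcaddr):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dstaddr):
            return False
        return "ANY" in self.service or (proto, port) in self.service


def first_match(policies, *packet):
    """Return the policy that decides this packet, or None for the implicit drop."""
    for p in policies:
        if p.matches(*packet):
            return p
    return None


def covers(a, b):
    """True if every packet that policy b matches is also matched by policy a."""
    return (a.enabled and a.srcintf == b.srcintf and a.dstintf == b.dstintf
            and ipaddress.ip_network(b.srcaddr).subnet_of(ipaddress.ip_network(a.srcaddr))
            and ipaddress.ip_network(b.dstaddr).subnet_of(ipaddress.ip_network(a.dstaddr))
            and ("ANY" in a.service or b.service <= a.service))


def shadowed(policies):
    """IDs of policies that can never match because an earlier policy covers them."""
    return [p.policyid for i, p in enumerate(policies)
            if any(covers(q, p) for q in policies[:i])]


# Constructed policy list: a broad accept above a specific deny, the usual
# outcome when a DENY-and-log policy is appended after the fact.
POLICIES = [
    Policy(1, "internal", "wan1", "0.0.0.0/0", "0.0.0.0/0", frozenset({"ANY"}), "accept"),
    Policy(2, "internal", "wan1", "10.13.20.22/32", "172.20.120.141/32",
           frozenset({("tcp", 80)}), "deny"),
]


def check_order(policies, packet):
    """Report the deciding policy for one packet and any shadowed policies."""
    hit = first_match(policies, *packet)
    return {"decided_by": hit.policyid if hit else None,
            "action": hit.action if hit else "implicit drop",
            "shadowed": shadowed(policies)}


if __name__ == "__main__":
    http = ("internal", "wan1", "10.13.20.22", "172.20.120.141", "tcp", 80)
    print(check_order(POLICIES, http))            # policy 1 accepts; policy 2 is shadowed
    print(check_order(POLICIES[::-1], http))      # deny moved up: policy 2 decides
```

The `covers` test is deliberately conservative: it only flags a policy when the earlier one is a strict superset on interfaces, addresses and services, so every policy it reports is genuinely unreachable. Schedules and the NAT flag are left out of the model; a policy whose only difference is the schedule is not shadowed but is still worth checking by hand.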

Verifying traffic
With many firewall policies in place, you may want to verify that traffic is being affected by
the policy. There is a simple way to get a quick visual confirmation within the web-based
manager. This is done by adding a counter column to the firewall policy table. These steps
are only available in the web-based manager.


To view the traffic count on firewall policies
1 Go to Firewall > Policy > Policy.
2 Select Column Settings in the upper right of the window.
3 From the Available fields list, select Count.
4 Select the right-facing arrow to add it to the Show these fields column.
5 Select OK.
As packets hit this policy, the count will appear in the column in kilobytes.
Note: For accelerated traffic (NP2 ports), the count does not reflect the real traffic count.
Only the first packet of a session will be counted. For non-accelerated traffic, all packets
are counted.

Using log messages to view violation traffic
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance
and packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet’s source address, destination address, and
service (by port number), and attempts to locate a firewall policy matching the packet. If no
firewall policy matches the traffic, the packets are dropped. Because of this, you do not
need to configure a DENY firewall policy in the last position to block the unauthorized
traffic.
However, you may want to see what type of traffic is attempting to access the network. By
adding a DENY firewall policy, you can log the dropped traffic for analysis. Note that
storing and viewing the log for denied traffic requires a FortiAnalyzer, or a Syslog server,
or a FortiGate unit with a local hard disk.
To configure logging of denied traffic you need to create the DENY firewall policy and enable
logging. In this example, the firewall policy will deny all HTTP traffic passing from the
internal interface (Internal) to the external interface (WAN1) at all times.
To configure the logging of violation traffic - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following:
Source interface/Zone          Internal
Source address                 10.13.20.22
Destination interface/Zone     WAN1
Destination address            172.20.120.141
Schedule                       always
Service                        HTTP
Action                         DENY

3 Select Log Violation Traffic.
4 Select OK.


To configure the logging of violation traffic - CLI
config firewall policy
edit 1
set srcintf internal
set srcaddr 10.13.20.22
set dstintf wan1
set dstaddr 172.20.120.141
set action deny
set schedule always
set service HTTP
set logtraffic enable
end
The following is a sample syslog message from a logged traffic violation.
Warning   10.160.0.110
date=2009-09-14 time=10:16:25
devname=FG300A3906550380 device_id=FG300A3906550380 log_id=0022000003
type=traffic subtype=violation pri=warning fwver=040000 status=deny
vd="root" src=10.160.1.10 srcname=10.160.1.10 src_port=0 dst=4.2.2.1
dstname=10.2.2.1 dst_port=0 service=8/icmp proto=1 app_type=N/A
duration=0 rule=3 policyid=1 sent=0 rcvd=0 vpn="N/A" src_int="port2"
dst_int="port1" SN=12215 user="N/A" group="N/A" carrier_ep="N/A"
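Once violation logging is on, the useful work is in reading the key=value messages back. The following is an added example, not Fortinet code: a parser for the message format shown above (double-quoted values, bare values, `service=8/icmp` style tokens), with the sample violation line from the text and one constructed accepted-session line, and a helper that extracts the deny events and counts the sources behind them.

```python
"""Parse FortiGate key=value traffic logs and pull out the deny events
(added example, not Fortinet code). The first sample line is the violation
message shown above with its quoting restored; the second is a constructed
accepted-session line for contrast.
"""
import re
from collections import Counter

LOG_LINES = [
    'date=2009-09-14 time=10:16:25 devname=FG300A3906550380 device_id=FG300A3906550380 '
    'log_id=0022000003 type=traffic subtype=violation pri=warning fwver=040000 status=deny '
    'vd="root" src=10.160.1.10 srcname=10.160.1.10 src_port=0 dst=4.2.2.1 dstname=10.2.2.1 '
    'dst_port=0 service=8/icmp proto=1 app_type=N/A duration=0 rule=3 policyid=1 sent=0 '
    'rcvd=0 vpn="N/A" src_int="port2" dst_int="port1" SN=12215 user="N/A" group="N/A" '
    'carrier_ep="N/A"',
    # constructed: an accepted HTTP session logged by another policy
    'date=2009-09-14 time=10:17:02 devname=FG300A3906550380 type=traffic subtype=allowed '
    'pri=notice fwver=040000 status=accept vd="root" src=10.160.1.10 src_port=1187 '
    'dst=172.20.120.141 dst_port=80 service=http proto=6 policyid=2 sent=1320 rcvd=5810 '
    'src_int="port2" dst_int="port1"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-blanks
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Return the message as a dict, with surrounding quotes stripped from values."""
    fields = {}
    for key, value in KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def denied_events(lines):
    """(src, dst, service, policyid) for every traffic log with status=deny."""
    out = []
    for line in lines:
        f = parse_log(line)
        if f.get("type") == "traffic" and f.get("status") == "deny":
            out.append((f["src"], f["dst"], f["service"], int(f["policyid"])))
    return out


def top_denied_sources(lines, n=5):
    """Most frequent source addresses among the deny events."""
    return Counter(src for src, _dst, _svc, _pid in denied_events(lines)).most_common(n)


if __name__ == "__main__":
    for event in denied_events(LOG_LINES):
        print("denied:", event)
    print(top_denied_sources(LOG_LINES))
```

Filtering on `status=deny` rather than on `subtype` keeps the helper usable for messages from other log types that carry the same field; `policyid` tells you which DENY policy produced the record, which is what you need when several logging policies are stacked.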

Traffic trace
Traffic tracing enables you to follow a specific packet stream. View the characteristics of a
traffic session through specific firewall policies using the CLI command diagnose
system session, trace per-packet operations for flow tracing using diagnose debug
flow, and trace per-Ethernet frame using diagnose sniffer packet.

Session table
The FortiGate session table can be viewed from the web-based manager or the CLI. The
most useful troubleshooting data comes from the CLI. The session table in web-based
manager also provides some useful summary information, particularly the current policy
number that the session is using.
To view the session table in the web-based manager
1 Go to System > Dashboard > Status.
2 Select Add Content > Top Sessions.
3 In the Top Sessions pane, select Details.
The Policy ID displays which firewall policy matches the session. The sessions that do not
have a Policy ID entry originate from the FortiGate unit.
To view the session table in the CLI
diagnose sys session list
The session table output using the CLI is very verbose. You can use filters to display only
the session data of interest. An entry is placed in the session table for each traffic session
passing through a firewall policy.


Sample output
session info: proto=6 proto_state=05 expire=89 timeout=3600
flags=00000000 av_idx=0 use=3
bandwidth=204800/sec
guaranteed_bandwidth=102400/sec
traffic=332/sec prio=0 logtype=session ha_id=0 hakey=4450
tunnel=/
state=log shape may_dirty
statistic(bytes/packets/err): org=3408/38/0 reply=3888/31/0
tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/5
gwy=192.168.11.254/10.0.5.100
hook=post dir=org act=snat 10.0.5.100:1251->192.168.11.254:22(192.168.11.105:1251)
hook=pre dir=reply act=dnat 192.168.11.254:22->192.168.11.105:1251(10.0.5.100:1251)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 domain_info=0 auth_info=0 ftgd_info=0 ids=0x0 vd=0
serial=00007c33 tos=ff/ff
Filter options enable you to view specific information from this command:
diagnose sys session filter <option>
The <option> values available include the following:
clear     clear session filter
dport     dest port
dst       destination IP address
negate    inverse filter
policy    policy ID
proto     protocol number
sport     source port
src       source IP address
vd        index of virtual domain. -1 matches all

Even though UDP is a sessionless protocol, the FortiGate unit still keeps track of the
following two different states:
• UDP reply not seen, with a value of 0
• UDP reply seen, with a value of 1

The table below shows the firewall session states from the session table:
State       Meaning
log         Session is being logged.
local       Session is originated from or destined for local stack.
ext         Session is created by a firewall session helper.
may_dirty   Session is created by a policy. For example, the session for ftp control
            channel will have this state but ftp data channel will not. This is also seen
            when NAT is enabled.
ndr         Session will be checked by IPS signature.
nds         Session will be checked by IPS anomaly.
br          Session is being bridged (TP) mode.


Finding object dependencies
An administrator may not be permitted to delete a configuration object if there are other
configuration objects that depend on it. For example, you may not be able to delete a user
group because that user group is connected with a firewall policy. This command identifies
other objects which depend on or make reference to the configuration object in question. If
a message appears that an object is in use and cannot be deleted, this command can help
identify where this is occurring.
When running multiple VDOMs, this command is run in the Global configuration only and it
searches for the named object both in the Global and VDOM configuration most recently
used:
diagnose sys checkused <path.object.mkey>
For example, to verify which objects are referred to in a firewall policy with an ID of 1, enter
the command:
diagnose sys checkused firewall.policy.policyid 1
To verify what is referred to by port1 interface, enter the command:
diagnose sys checkused system.interface.name port1
To show all the dependencies for the WAN1 interface, enter the command:
diag sys checkused system.interface.name wan1

Sample output
entry used by table firewall.address:name '10.98.23.23_host'
entry used by table firewall.address:name 'NAS'
entry used by table firewall.address:name 'all'
entry used by table firewall.address:name 'fortinet.com'
entry used by table firewall.vip:name 'TORRENT_10.0.0.70:6883'
entry used by table firewall.policy:policyid '21'
entry used by table firewall.policy:policyid '14'
entry used by table firewall.policy:policyid '19'

In this example, the interface has dependent objects, including four address objects, one
VIP, and three firewall policies.

Flow trace
To trace the flow of packets through the FortiGate unit, use the command:
diagnose debug flow trace start
Follow the packet flow by setting a flow filter using the command:
diagnose debug flow filter <option>
Filtering options include:
addr      IP address
clear     clear filter
daddr     destination IP address
dport     destination port
negate    inverse filter
port      port
proto     protocol number
saddr     source IP address
sport     source port
vd        index of virtual domain, -1 matches all
Enable output to the console:
diagnose debug flow show console enable
Start flow monitoring with a specific number of packets using the command:
diagnose debug flow trace start <N>
Stop flow tracing at any time using:
diagnose debug flow trace stop

Sample output
This example shows the flow trace for the device at the IP address 203.160.224.97.
diag debug enable
diag debug flow filter addr 203.160.224.97
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 100

Flow trace output example - HTTP
Connect to the web site at the following address to observe the debug flow trace. The
display may vary slightly:
http://www.fortinet.com
Comment: SYN packet received:
id=20085 trace_id=209 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."
SYN sent and a new session is allocated:
id=20085 trace_id=209 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000e90"
Lookup for next-hop gateway address:
id=20085 trace_id=209 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.11.254 via port6"
Source NAT, lookup next available port:
id=20085 trace_id=209 func=get_new_addr line=1219 msg="find SNAT: IP-192.168.11.59, port-31925"
Matched firewall policy. Check to see which policy this session matches:
id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"
Apply source NAT:
id=20085 trace_id=209 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"
SYN ACK received:
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."
Found existing session ID. Identified as the reply direction:
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"
Apply destination NAT to inverse source NAT action:
id=20085 trace_id=210 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"
Lookup for next-hop gateway address for reply traffic:
id=20085 trace_id=210 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.3.221 via port5"
ACK received:
id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."
Match existing session in the original direction:
id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"
Apply source NAT:
id=20085 trace_id=211 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"
Receive data from client:
id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."
Match existing session in the original direction:
id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"
Apply source NAT:
id=20085 trace_id=212 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"
Receive data from server:
id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."
Match existing session in reply direction:
id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"
Apply destination NAT to inverse source NAT action:
id=20085 trace_id=213 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"


Packet sniffer
The packet sniffer in the FortiGate unit can sniff traffic on a specific interface or on all
interfaces. There are three levels of information, also called verbose levels 1 to 3, where
verbose 1 shows the least information and verbose 3 shows the most information.
Verbose levels in detail:
• 1: Print header of packets
• 2: Print header and data from the IP header of the packets
• 3: Print header and data from the Ethernet header of the packets
• 4: Print header of packets with interface name
• 5: Print header and data from IP of packets with interface name
• 6: Print header and data from Ethernet of packets with interface name

All packet sniffing commands are in the format:
diagnose sniffer packet <interface> <'filter'> <verbose> <count>

... where...
<interface>    can be an interface name or “any” for all interfaces. An interface can be
               physical, VLAN, IPsec interface, link aggregated or redundant.
<verbose>      the level of verbosity as described above.
<count>        the number of packets the sniffer reads before stopping.
<'filter'>     is a very powerful filter functionality which will be described below.

Simple trace example
In this example, the packet sniffer sniffs three packets of all traffic with verbose level 1 on
the internal interface:
diagnose sniffer packet internal "none" 1 3

The none variable means no filter applies, 1 means verbose level 1 and 3 means catch 3
packets and stop. The resulting output is:
192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261
192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918816 ack 1949135261
192.168.0.30.1144 -> 192.168.0.1.22: ack 2859918884

The sniffer has caught some packets in the middle of a communication. Because the
192.168.0.1 IP address uses port 22 (192.168.0.1.22) this particular sniff is from an SSH
session.

Simple trace example
In this example, the packet sniffer sniffs three packets of all traffic with verbose level 1 on
the internal interface:
diagnose sniffer packet internal "none" 1 3
The none variable means no filter applies, 1 means verbose level 1 and 3 means catch 3
packets and stop. The resulting output is:
192.168.0.30.1156 -> 192.168.0.1.80: syn 2164883624
192.168.0.1.80 -> 192.168.0.30.1156: syn 3792179542 ack 2164883625
192.168.0.30.1156 -> 192.168.0.1.80: ack 3792179543

In this example, the sniffer captures a TCP session being set up. 192.168.0.30 is
attempting to connect to 192.168.0.1 on port 80 with a SYN and gets a SYN ACK
returned. The session is acknowledged and established after the 3-way TCP handshake.


With the information level set to verbose 1, the source and destination IP addresses are visible, as
well as the source and destination ports. The corresponding sequence numbers are also visible.
Note: If you do not enter a <count> value (3 in the example above), the sniffer will
continue to run until you stop it.

Verbose levels 2 and 3
Verbose level 2 contains much more information; the IP header as with verbose level 1
and the payload of the IP packet itself.
The output of verbose 2 is:
diagnose sniffer packet internal "none" 2 1
192.168.0.1.22 -> 192.168.0.30.1144: psh 2867817048 ack 1951061933
0x0000 4510 005c 8eb1 4000 4006 2a6b c0a8 0001 E..\..@.@.*k....
0x0010 c0a8 001e 0016 0478 aaef 6a58 744a d7ad .......x..jXtJ..
0x0020 5018 0b5c 8ab9 0000 9819 880b f465 62a8 P..\.........eb.
0x0030 3eaf 3804 3fee 2555 8deb 24da dd0d c684 >.8.?.%U..$.....
0x0040 08a9 7907 202d 5898 a85c facb 8c0a f9e5 ..y..-X..\......
0x0050 bd9c b649 5318 7fc5 c415 5a59 ...IS.....ZY

Verbose level 3 includes the previous information as well as Ethernet frame
information. This is the format that technical support will usually request when attempting
to analyze a problem.
A script is available on the Fortinet Knowledge Base (fgt2eth.pl) which converts a
captured verbose 3 output into a file that can be read and decoded by Ethereal.
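When fgt2eth.pl and a protocol analyzer are not at hand, the verbose-2 hex columns can be decoded directly. The following is an added example, not Fortinet's script: it rebuilds the raw bytes from the dump shown above (the hex dump in the block is the one from the text), parses the IPv4 and TCP headers, verifies the IP header checksum, and reconstructs the verbose-1 summary line from the decoded fields. The helper names `dump_to_bytes`, `decode_ipv4_tcp` and `summary` are this example's own.

```python
"""Decode the verbose-2 sniffer dump shown above into IP and TCP header fields
(added example, not Fortinet's fgt2eth.pl). The hex dump below is the one from
the text; the decoder reproduces the verbose-1 summary line from it.
"""
import ipaddress
import re
import struct

VERBOSE2_DUMP = r"""
0x0000 4510 005c 8eb1 4000 4006 2a6b c0a8 0001 E..\..@.@.*k....
0x0010 c0a8 001e 0016 0478 aaef 6a58 744a d7ad .......x..jXtJ..
0x0020 5018 0b5c 8ab9 0000 9819 880b f465 62a8 P..\.........eb.
0x0030 3eaf 3804 3fee 2555 8deb 24da dd0d c684 >.8.?.%U..$.....
0x0040 08a9 7907 202d 5898 a85c facb 8c0a f9e5 ..y..-X..\......
0x0050 bd9c b649 5318 7fc5 c415 5a59 ...IS.....ZY
"""

# offset, then up to eight 4-hex-digit groups; the ASCII column is ignored
HEX_LINE = re.compile(r"^0x[0-9a-f]+((?:\s+[0-9a-f]{4}){1,8})")
TCP_FLAGS = [("fin", 0x01), ("syn", 0x02), ("rst", 0x04),
             ("psh", 0x08), ("ack", 0x10), ("urg", 0x20)]


def dump_to_bytes(dump):
    """Turn the hex columns of a verbose-2 dump back into the raw packet bytes."""
    data = bytearray()
    for line in dump.strip().splitlines():
        m = HEX_LINE.match(line)
        if not m:
            raise ValueError("not a dump line: %r" % line)
        data += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(data)


def ip_checksum_ok(header):
    """Ones-complement sum of a complete IPv4 header must fold to 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff


def decode_ipv4_tcp(pkt):
    """Parse the IPv4 header and, for protocol 6, the TCP header that follows."""
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0f) * 4
    info = {"version": ver_ihl >> 4, "total_length": total_len, "ttl": ttl,
            "protocol": proto, "dont_fragment": bool(flags_frag & 0x4000),
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ip_checksum_ok": ip_checksum_ok(pkt[:ihl])}
    if proto == 6:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
        data_off = (off_flags >> 12) * 4
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, window=window,
                    flags=[name for name, bit in TCP_FLAGS if off_flags & bit],
                    payload_len=total_len - ihl - data_off)
    return info


def summary(info):
    """Rebuild the verbose-1 style line: 'src.port -> dst.port: psh SEQ ack ACK'."""
    lead = [f for f in info["flags"] if f in ("syn", "fin", "rst", "psh")]
    parts = [" ".join(lead), str(info["seq"])] if lead else []
    if "ack" in info["flags"]:
        parts += ["ack", str(info["ack"])]
    return "%s.%d -> %s.%d: %s" % (info["src"], info["sport"],
                                    info["dst"], info["dport"], " ".join(parts))


if __name__ == "__main__":
    packet = dump_to_bytes(VERBOSE2_DUMP)
    fields = decode_ipv4_tcp(packet)
    print(summary(fields))
    print(fields)
```

Decoding the dump this way shows where the numbers in the verbose-1 line come from: the sequence number 2867817048 is the 32-bit word `aaef6a58` at offset 0x18, the acknowledgement 1951061933 is `744ad7ad`, and the `psh` label is the 0x18 flag byte in the `5018` word. The IP checksum check is a quick sanity test that the hex columns were copied intact.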

Trace with filters example
In this example, use the filter option of the sniffer to see the traffic information between two
PCs or a PC and a FortiGate unit. Using the following command:
diagnose sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1' 1
The resulting output is:
192.168.0.130.3426 -> 192.168.0.1.80: syn 1325244087
192.168.0.1.80 -> 192.168.0.130.3426: syn 3483111189 ack 1325244088
192.168.0.130.3426 -> 192.168.0.1.80: ack 3483111190
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244088 ack 3483111190
192.168.0.1.80 -> 192.168.0.130.3426: ack 1325244686
192.168.0.130.1035 -> 192.168.0.1.53: udp 26
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130 -> 192.168.0.1: icmp: echo request
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244686 ack 3483111190
192.168.0.1.80 -> 192.168.0.130.3426: ack 1325244735
192.168.0.130 -> 192.168.0.1: icmp: echo request

Assuming there is a lot of traffic, this filter command will only display traffic (but all traffic)
from the source IP 192.168.0.130 to the destination IP 192.168.0.1. It will not show traffic
to 192.168.0.130 (for example the ICMP reply) because the command included:
'src host 192.168.0.130 and dst host 192.168.0.1'
Additional information such as ICMP or DNS queries from a PC are included. If you only
require a specific type of traffic, for example, TCP traffic only, you need to change the filter
command as below:


diagnose sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1 and tcp' 1

The resulting output would be:
192.168.0.130.3569 -> 192.168.0.1.23: syn 1802541497
192.168.0.1.23 -> 192.168.0.130.3569: syn 4238146022 ack 1802541498
192.168.0.130.3569 -> 192.168.0.1.23: ack 4238146023

Though ICMP (ping) was also running, the trace only shows the TCP part. The destination
is 192.168.0.1.23, which is IP 192.168.0.1 on port 23 - a Telnet session.


Concept Example: Small Office
Network Protection
This document describes an example network and firewall configuration for a
small office-home office (SOHO) or a small- to medium-sized business (SMB).
SOHO and SMB networks, in this case, refer to
• small offices
• home offices
• broadband telecommuter sites or large remote access populations
• branch offices (small- to medium-sized)
• retail stores
Note: IP addresses and domain names used in this document are examples and are not valid
outside of this example.

This document includes
• Example small office network
• First steps
• Configuring settings for Finance and Engineering departments
• Configuring settings for the Help Desk department
• Configuring remote access VPN tunnels
• Configuring the web server
• Configuring the email server
• ISP web site and email hosting
• Other features and products for SOHO

Example small office network
The Example Corporation is a small software company performing development and
providing customer support. In addition to their internal network of 15 computers, they also
have several employees that work from home all or some of the time.
The Example Corporation requires secure connections for home-based workers. Like
many companies, they rely heavily on email and Internet access to conduct business.
They want a comprehensive security solution to detect and prevent network attacks, block
viruses, and decrease spam. They want to apply different protection settings for different
departments. They also want to integrate web and email servers into the security solution.
The Example Corporation network provides limited functionality for their needs, including:
• a very basic router to manage the network traffic
• an email server hosted by the Internet Service Provider (ISP)
• a web server hosted by the ISP
• client-based antivirus software with no reliable central distribution of updates
• no secure method of providing remote connections for home-based workers

Network management and protection requirements
The Example Corporation established several goals for planning a network security
solution. Table 11 describes the company’s goals and the FortiGate options that meet
them.
Table 11: Company security goals and FortiGate solutions

Security Policy/Goal: Protect the internal network from attacks, intrusions, viruses, and spam.
FortiGate solution: Enable IPS, antivirus, and spam filters.

Security Policy/Goal: Automate network protection as much as possible to make management simpler.
FortiGate solution: There are several features to make maintenance simpler:
• enable automatic daily updates of antivirus and attack definitions
• enable automatic “push” updates so that Fortinet updates the virus list when new threats occur
• enable FortiGuard web filtering so that web requests are automatically filtered based on configured policies, with no required maintenance
• enable FortiGuard Antispam, an IP address black list and spam filter service that keeps track of known or suspected spammers, to automatically block spam with no required maintenance

Security Policy/Goal: Provide secure access for remote workers with static or dynamic IP addresses. Use a secure VPN client solution.
FortiGate solution: Configure secure IPSec VPN tunnels for remote access employees. Use Dynamic Domain Name Server (DDNS) VPN for users with dynamic IP addresses. Use the FortiClient software to establish a secure connection between the FortiGate unit and the home-based worker. See “Configuring remote access VPN tunnels” on page 309.

Security Policy/Goal: Serve the web site and email from a DMZ to further protect internal data.
FortiGate solution: Place the web and email servers on the DMZ network and create appropriate policies. See “Configuring the web server” on page 315.

Security Policy/Goal: Block access by all employees to potentially offensive web content.
FortiGate solution: Enable the FortiGuard web content filtering solution. See “Configuring web category block settings” on page 298.

Security Policy/Goal: Severely limit web access for certain employees (help desk) during work hours.
FortiGate solution: Create a schedule that covers business hours, create a custom web access solution, and include these in a firewall policy for specific addresses. See “Configuring settings for the Help Desk department” on page 303.

Topology
Figure 37 shows the Example Corporation network configuration after installation of
the FortiGate-100A.

290

FortiOS 4.0 MR2 FortiGate Fundamentals
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Figure 37: SOHO network topology with FortiGate-100A

[Figure 37 is a network diagram; the labels it carries are: Internet; VPN Tunnel (two tunnels); Home User 1 192.168.90.12; Home User 2 192.168.21.12; External 172.20.120.141; DMZ 10.20.10.1; Internal 10.11.10.1; Finance Users 10.11.101.10 to 10.11.101.20; Help Desk Users 10.11.101.21 to 10.11.101.50; Engineering Users 10.11.101.51 to 10.11.101.100; Email Server 10.20.10.2; Web Server 10.20.10.3.]

Features used in this example
The following table lists the FortiGate features implemented in the Example Corporation
example network.
System
• “Configuring FortiGate network interfaces” on page 292
• “Configuring DNS forwarding” on page 294
• “Scheduling automatic antivirus and attack definition updates” on page 295
• “Setting the time and date” on page 294
• “Configuring administrative access and passwords” on page 296
• “Registering the FortiGate unit” on page 295

Router
• “Adding the default route” on page 293

Firewall
• “Removing the default firewall policy” on page 293
• Adding firewall policies for different addresses and address groups, see “Configuring firewall policies for Finance and Engineering” on page 301, “Configuring firewall policies for help desk” on page 307, and “Configuring firewall policies for the VPN tunnels” on page 312
• Adding addresses and address groups, see “Adding the Finance and Engineering department addresses” on page 297, “Adding the Help Desk department address” on page 303, “Adding addresses for home-based workers” on page 310, “Adding the web server address” on page 316, and “Adding the email server address” on page 319
• “Creating a recurring schedule” on page 307

VPN
• “Configuring remote access VPN tunnels” on page 309 (IPSec)

IPS
• “Scheduling automatic antivirus and attack definition updates” on page 295

Antivirus
• “Configuring antivirus grayware settings” on page 299
• enabling virus scanning (see Configuring protection profiles)
• “Scheduling automatic antivirus and attack definition updates” on page 295

Web Filter
• “Configuring web category block settings” on page 298 (FortiGuard)
• “Creating and Configuring URL filters” on page 304

Spam Filter
• “Configuring FortiGuard spam filter settings” on page 299



First steps
First steps includes creating a network plan and configuring the basic FortiGate settings.


• Configuring FortiGate network interfaces
• Adding the default route
• Removing the default firewall policy
• Configuring DNS forwarding
• Setting the time and date
• Registering the FortiGate unit
• Scheduling automatic antivirus and attack definition updates
• Configuring administrative access and passwords

Configuring FortiGate network interfaces
The Example Corporation assigns IP addresses to the three FortiGate interfaces to
identify them on their respective networks. It is important to limit administrative access to
maintain security. The Example Corporation configures administrative access for each
interface as follows:
Interface: internal
Administrative access: HTTPS for web-based manager access from the internal network, PING for connectivity troubleshooting, and SSH for secure access to the command line interface (CLI) from the internal network.

Interface: wan1
Administrative access: HTTPS for remote access to the web-based manager from the Internet.

Interface: dmz1
Administrative access: PING access for troubleshooting.

To configure FortiGate network interfaces - web-based manager
1 Go to System > Network > Interface.
2 Select the Internal interface row and select Edit:
Addressing mode: Manual
IP/Netmask: 10.11.101.1/255.255.255.0
Administrative access: HTTPS, PING, SSH
3 Select OK.
4 Select the wan1 interface row and select Edit:
Addressing mode: Manual
IP/Netmask: 172.20.120.141/255.255.255.0
Administrative access: HTTPS
5 Select OK.
6 Select the dmz1 interface row and select Edit:
Addressing mode: Manual
IP/Netmask: 10.20.10.1/255.255.255.0
Administrative access: PING
7 Select OK.


To configure the FortiGate network interfaces - CLI
config system interface
edit internal
# same internal address as in the web-based manager procedure above
set ip 10.11.101.1 255.255.255.0
set allowaccess ping https ssh
next
edit wan1
set ip 172.20.120.141 255.255.255.0
set allowaccess https
next
edit dmz1
set ip 10.20.10.1 255.255.255.0
set allowaccess ping
end

Adding the default route
The Example Corporation gets the default gateway address from their ISP.
To add the default route - web-based manager
1 Go to Router > Static > Static Route.
2 Select Create New and enter the following information:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: wan1
Gateway: 172.20.120.39
Distance: 10
3 Select OK.
Note: Entering 0.0.0.0 as the IP and mask represents any IP address.

To add the default route - CLI
config router static
edit 1
set device wan1
set gateway 172.20.120.39
set distance 10
end

Removing the default firewall policy
The FortiGate-100A comes preconfigured with a default internal -> wan1 firewall policy
which allows any type of traffic from any internal source to connect to the Internet at any
time. Remove this policy to simplify policy configuration and increase security. By deleting
this policy you ensure that any traffic which does not match a configured policy is rejected,
rather than possibly matching the default policy and passing through the FortiGate unit.


To remove the default firewall policy
1 Go to Firewall > Policy > Policy.
2 Expand the internal -> wan1 entry.
3 Select policy 1 (Source: All, Dest: All) and select Delete.
To remove the default firewall policy using the CLI
config firewall policy
delete 1
end

Configuring DNS forwarding
After deleting the default firewall policy, configure DNS forwarding from the internal
interface to allow DNS requests and replies to pass through the firewall. DNS server
addresses are usually provided by the ISP.
To configure DNS forwarding - web-based manager
1 Go to System > Network > Options.
2 For DNS Settings, enter the primary and secondary DNS server addresses:
Primary DNS Server: 239.120.20.1
Secondary DNS Server: 239.10.30.31
3 Select OK.
4 Go to Network > Interface.
5 Select the Internal interface row and select Edit.
6 Select Enable DNS Query and set it to Recursive.
7 Select OK.
To configure DNS forwarding - CLI
config system dns
set autosvr disable
set primary 239.120.20.1
set secondary 239.10.30.31
end
config system interface
edit internal
set dns-query recursive
end

Setting the time and date
Time can be set manually or updated automatically using an NTP server. The Example
Corporation sets the time manually.
To set the time and date - web-based manager
1 Go to System > Status and select the Change link for the System Time.
2 Select the correct time zone for your location.
3 Select Set Time and set the current time and date.
4 Select OK.


To configure the time zone - CLI
config system global
set timezone 04
end
To configure the time and date - CLI
execute date 2010-03-31
execute time 21:12:00

Registering the FortiGate unit
The FortiGate-100A must be registered with Fortinet to receive automatic scheduled
updates and push updates. Enter the support contract number during the registration
process.
Begin by logging in to the web-based manager.
To register the FortiGate unit - web-based manager
1 Go to System > Status and get the product serial number from the Unit Information
section or check the label on the bottom of the FortiGate unit.
2 Go to http://support.fortinet.com and click Product Registration.
3 Fill in all the required fields including the product model and serial number.
4 Select Finish.

Scheduling automatic antivirus and attack definition updates
The Example Corporation schedules daily antivirus and attack definition updates at 5:30
am. They also enable push updates so that critical antivirus or attack definitions are
automatically delivered to the FortiGate-100A whenever a threat is imminent.
FortiProtect Distribution Network (FDN) services provide all antivirus and attack updates
and information. A virus encyclopedia and an attack encyclopedia with useful protection
suggestions, as well as a daily newsletter, are available on the web site at
http://www.fortiguard.com.
To check server access and enable daily and push updates - web-based manager
1 Go to System > Maintenance > FortiGuard.
2 Expand the Antivirus and IPS Options blue arrow.
3 Select Allow Push Update.
4 Select Scheduled Update.
5 Select Daily and select 5 for the hour.
6 Select Apply.
Note: If you want to set the update time to something other than the top of the hour, you
must use the CLI command.

To check server access and enable daily and push updates - CLI
config system autoupdate push-update
set status enable
end
config system autoupdate schedule
set frequency daily
set status enable
set time 05:30
end

Configuring administrative access and passwords
The Example Corporation adds an administrator account and password using a new read-only
access profile. This read-only administrator monitors network activity and views
settings. They can notify the admin administrator if changes are required or a critical
situation occurs. The read-only administrator can only access the FortiGate web-based
manager from their own computer or the lab computer.
The admin administrator gets a new password (default is a blank password).
To configure a new access profile and administrator account - web-based manager
1 Go to System > Admin > Admin Profile.
2 Select Create New.
3 Enter admin_monitor as the Profile Name.
4 Select Read Only.
5 Select OK.
6 Go to System > Admin > Administrators.
7 Select Create New and enter or select the following settings:
Administrator: admin_2
Password: <psswrd>
Confirm Password: <psswrd>
Trusted Host #1: 10.11.101.60 / 255.255.255.255 (administrator’s computer)
Trusted Host #2: 10.11.101.51 / 255.255.255.255 (lab computer)
Access Profile: admin_monitor
8 Select OK.
To configure a new access profile and administrator account - CLI
config system accprofile
edit admin_monitor
set admingrp read
set authgrp read
set avgrp read
set fwgrp read
set ipsgrp read
set loggrp read
set mntgrp read
set netgrp read
set routegrp read
set spamgrp read
set sysgrp read
set updategrp read
set vpngrp read
set webgrp read
end


config system admin
edit admin_2
set accprofile admin_monitor
set password <psswrd>
# trusted hosts are the administrator's computer and the lab computer, as in the web-based manager procedure
set trusthost1 10.11.101.60 255.255.255.255
set trusthost2 10.11.101.51 255.255.255.255
end
To change the admin password - web-based manager
1 Go to System > Admin > Administrators.
2 Select the admin name and select Change Password.
3 Enter the new password and enter it again to confirm.
4 Select OK.
To change the admin password - CLI
config system admin
edit admin
set password <psswrd>
end
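The interface and administrator settings above are exactly the values that drift over time: a service added to wan1 "temporarily", an account created without trusted hosts. As an added example, not from the FortiOS Handbook or Fortinet, the following Python script parses a constructed show-style configuration dump written in the same config / edit / set / next / end form as the CLI blocks on this page and reports which management services each interface exposes and which administrator accounts have no trusted-host restriction. The sample configuration, the set of services counted as management services, and the choice of wan1 as the Internet-facing interface are assumptions of the example.

```python
"""Audit administrative access in a FortiOS-style configuration dump.

Added example (not Fortinet code). It parses the nested
config / edit / set / next / end structure used by the FortiOS CLI and
reports management-service exposure per interface and administrators
without trusted-host restrictions.
"""
import re
from typing import Dict, List

# Constructed sample mirroring the Example Corporation settings on this page.
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set ip 10.11.101.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "wan1"
        set ip 172.20.120.141 255.255.255.0
        set allowaccess https
    next
    edit "dmz1"
        set ip 10.20.10.1 255.255.255.0
        set allowaccess ping
    next
end
config system admin
    edit "admin"
        set accprofile super_admin
    next
    edit "admin_2"
        set accprofile admin_monitor
        set trusthost1 10.11.101.60 255.255.255.255
        set trusthost2 10.11.101.51 255.255.255.255
    next
end
"""

# Services that grant management access (assumption: the set worth auditing).
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp"}
CLEARTEXT_SERVICES = {"http", "telnet"}
# Interfaces assumed to face the Internet in this topology.
EXTERNAL_IFACES = {"wan1"}

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios(text: str) -> Config:
    """Return {table: {entry: {key: [values]}}} for one level of config/edit nesting."""
    tables: Config = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keep quoted names as single tokens, then drop the quotes.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif cmd == "edit" and table is not None:
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set" and table is not None and entry is not None:
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = entry = None
    return tables


def audit_admin_access(text: str) -> List[str]:
    """List the findings a reviewer would raise about management exposure."""
    cfg = parse_fortios(text)
    findings: List[str] = []
    for name, attrs in cfg.get("system interface", {}).items():
        services = set(attrs.get("allowaccess", []))
        exposed = sorted(services & MGMT_SERVICES)
        if name in EXTERNAL_IFACES and exposed:
            findings.append(f"{name}: management service(s) {', '.join(exposed)} reachable from the Internet")
        cleartext = sorted(services & CLEARTEXT_SERVICES)
        if cleartext:
            findings.append(f"{name}: cleartext management protocol(s) {', '.join(cleartext)} enabled")
    for name, attrs in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin {name}: no trusted hosts, so logins are accepted from any source address")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_access(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports two findings: HTTPS management on wan1 (which the Example Corporation accepts deliberately, so the finding is a reminder to restrict it with trusted hosts) and the built-in admin account having no trusted hosts even after its password is changed.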

Configuring settings for Finance and Engineering departments
Goals
• Provide control of web access. Tasks include:
  • Adding the Finance and Engineering department addresses
  • Configuring web category block settings
• Protect the network from spam and outside threats. Tasks include:
  • Configuring FortiGuard spam filter settings
  • Configuring a corporate set of UTM profiles
• Control traffic and maintain security. Tasks include:
  • Configuring firewall policies for Finance and Engineering

Adding the Finance and Engineering department addresses
Firewall addresses and address groups are used to configure connections to and through
the FortiGate-100A. Each address represents a component of the network that requires
configuration with policies.
The Example Corporation adds address ranges to the firewall for Finance and
Engineering so they can be included in firewall policies. The two address ranges are
included in an address group to further simplify policy configuration.
To add address ranges for Finance and Engineering - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New and enter or select the following settings:
Address Name: Finance
Type: Subnet / IP Range
Subnet / IP Range: 10.11.101.10 - 10.11.101.20
Interface: Internal
3 Select OK.
4 Repeat to add an address called Eng with the IP Range 10.11.101.51–10.11.101.99.
To add address ranges for Finance and Engineering - CLI
config firewall address
edit Finance
set type iprange
# same ranges and interface as in the web-based manager procedure above
set start-ip 10.11.101.10
set end-ip 10.11.101.20
set associated-interface internal
next
edit Eng
set type iprange
set start-ip 10.11.101.51
set end-ip 10.11.101.99
set associated-interface internal
end
To include the Finance and Eng addresses in an address group - web-based
manager
1 Go to Firewall > Address > Group.
2 Select Create New.
3 Enter FinEng as the Group Name.
4 Use the down arrow button to move the Finance and Eng addresses into the Members
box.
5 Select OK.
To include the Finance and Eng addresses in an address group - CLI
config firewall addrgrp
edit FinEng
set member Finance Eng
end

Configuring web category block settings
The Example Corporation employs the FortiGuard web filtering service to block access by
all employees to offensive web sites. After ordering the FortiGuard service, licensing
information is automatically obtained from the server.
To enable the FortiGuard web filtering service - web-based manager
1 Go to System > Maintenance > FortiGuard.
2 Expand Web Filtering and Email Filtering Options.
3 Select Test Availability to ensure the FortiGate unit can access the FortiGuard server.
After a moment, the FDN Status should change from a red/yellow flashing indicator to a
solid green.
4 Select Enable CacheTTL and enter 3600 in the field.
5 Select Apply.


Note: Enabling cache means web site ratings are stored in memory so that the FortiGuard
server need not be contacted each time an often-accessed site is requested.

To enable FortiGuard web filtering - CLI
config system fortiguard
set webfilter-cache enable
set webfilter-cache-ttl 3600
end

Configuring FortiGuard spam filter settings
The Example Corporation configures spam blocking using FortiGuard, the IP address
black list and spam filtering service from Fortinet. FortiGuard works much the same as
real-time blackhole lists (RBLs). The FortiGate unit accesses the FortiGuard server,
compares addresses against the black list, applies proprietary filters for spam and tags,
passes or blocks potential spam messages.
To enable the FortiGuard spam filtering service - web-based manager
1 Go to System > Maintenance > FortiGuard.
2 Expand Web Filtering and Email Filtering Options.
3 Select Enable CacheTTL and enter 3600 in the field.
4 Select Apply.
Note: Marking email as spam allows end-users to create custom filters to block tagged
spam using the keyword.

To configure the FortiGuard RBL spam filter settings - CLI
config system fortiguard
set antispam-cache enable
set antispam-cache-ttl 3600
end

Configuring antivirus grayware settings
The Example Corporation blocks known grayware programs from being downloaded by
employees. Grayware programs are unsolicited commercial software programs that get
installed on computers, often without the user’s consent or knowledge. The grayware
category list and contents are added and updated whenever the FortiGate unit receives a
virus update.
To enable grayware blocking - web-based manager
1 Go to UTM > Antivirus > Virus Database.
2 Select Enable Grayware Detection.
3 Select Apply.
To enable grayware blocking - CLI
config antivirus settings
set grayware enable
end


Configuring a corporate set of UTM profiles
The Example Corporation configures a set of firewall UTM profiles called standard_profile
to apply to the Finance and Engineering departments as well as the home-based workers.
For detailed information on creating and configuring UTM profiles, see the FortiGate UTM
Guide.
With UTM profiles, the Example Corporation configures each UTM profile for antivirus,
web filtering, email filtering and IPS protection.

Antivirus UTM profile
To create and configure an antivirus profile - web-based manager
1 Go to UTM > Antivirus > Profile.
2 Select Create New.
3 Enter standard_profile as the Profile Name.
4 For Virus Scan select HTTP, FTP, IMAP, POP3, and SMTP.
5 Select OK.
To create and configure an antivirus profile - CLI
config antivirus profile
edit standard_profile
config http
set options scan
end
config ftp
set options scan
end
config imap
set options scan
end
config pop3
set options scan
end
config smtp
set options scan
end
end

Web filter UTM profile
The Example Corporation orders FortiGuard for web filtering. FortiGuard gives
administrators the option of allowing, blocking, or monitoring web sites in 77 categories.
Categories are divided into groups to make configuration easier. By default, all categories
are set to allow. The Example Corporation configures selected categories as follows:
To create and configure a web filter profile - web-based manager
1 Go to UTM > Web Filter > Profile.
2 Select Create New.
3 Enter standard_profile as the Profile Name.
4 Select the HTTP option.
5 Select the following and select OK.


Potentially Liable: Block
Controversial
  Adult Materials: Block
  Extremist Groups: Block
  Pornography: Block
Potentially Non-productive
  Games: Block
Potential Bandwidth Consuming: Block
Potentially Security Violating: Block
General Interest
  Job Search: Block
  Social Networking: Block
  Shopping and Auction: Block

To create and configure a web filter profile - CLI
config webfilter profile
edit standard_profile
config ftgd-wf
set deny g01 8 12 14 20 g04 g05 34 37 42
end
config http
set options fortiguard-wf
end
end

Email filter UTM profile
To create and configure an email filter profile - web-based manager
1 Go to UTM > Antivirus > Profile.
2 Select Create New.
3 Enter standard_profile as the Profile Name.
4 For the IP Address BWL select the SMTP check box.
5 For the Email Address BWL Check, select the SMTP check box.
6 Select OK.
To create and configure an email filter profile - CLI
config spamfilter profile
edit standard_profile
config smtp
# both options on one line: a second "set options" would replace the first
set options spamemailbwl spamipbwl
end
end

Configuring firewall policies for Finance and Engineering
By configuring firewall policies for specific users you can grant different levels of access to
different groups as required.

Important points for firewall policy configuration
• Policies are organized according to the direction of traffic from the originator of a request to the receiver of the request. For example, even though viruses may come from the external interface, the request for email or a web page comes from the internal interface. Therefore the policy protecting the network would be an internal -> wan1 policy.
• Policies are matched to traffic in the order they appear in the policy list (not by ID number).
• Policies should go from most exclusive to most inclusive so that the proper policies are matched. As a simple example, a policy blocking internal to external HTTP access for some employees should come before a policy that allows HTTP access for everyone.
• Each interface can benefit from layered security created through multiple policies.
Note: The following policy is an internal to wan1 policy which uses the standard_profile
protection profile to provide antivirus, web category blocking, and FortiGuard spam
filtering.

To configure the Finance and Engineering firewall policy - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter or select the following settings:
Source Interface / Zone: internal
Source Address: FinEng
Destination Interface / Zone: wan1
Destination Address: All
Schedule: Always
Service: ANY
Action: ACCEPT
4 Select Enable NAT.
5 Select UTM and select the Protocol Options of default.
6 Select Enable Antivirus and select standard_profile.
7 Select Enable IPS and select all_default.
8 Select Enable Web Filter and select standard_profile.
9 Select Enable Email Filter and select standard_profile.
10 Select OK.
To configure the Finance and Engineering firewall policy - CLI
config firewall policy
edit 1
set action accept
set dstaddr all
set dstintf wan1
set schedule always
set service ANY
set srcaddr FinEng
set srcintf internal
set nat enable
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
end

Configuring settings for the Help Desk department
Because of a high turnover rate and a need for increased productivity in the Help Desk
department, The Example Corporation implements very strict web access settings. Help
desk employees can only access four web sites that they require for their work. During
lunch hours, help desk employees have greater access to the web but are still blocked
from using Instant Messaging and Peer-to-Peer programs and accessing objectionable
web sites.

Goals
• Provide complete control of web access. Tasks include:
  • Adding the Help Desk department address
  • Creating and Configuring URL filters
• Enable greater access at certain times. Tasks include:
  • Creating a recurring schedule
• Control traffic and maintain security. Tasks include:
  • Configuring firewall policies for help desk

Adding the Help Desk department address
The Example Corporation adds an address range for the Help Desk department so it can
be included in a separate firewall policy.
To add the help desk department address - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New and enter or select the following settings:
Address Name: Help_Desk
Type: Subnet / IP Range
Subnet / IP Range: 10.11.101.21 - 10.11.101.50
Interface: Any
3 Select OK.
To add the help desk department address - CLI
config firewall address
edit Help_Desk
set type iprange
set start-ip 10.11.101.21
set end-ip 10.11.101.50
end

Creating and Configuring URL filters
Antivirus, spam filter, and web filter are global settings previously configured for the
Finance and Engineering set up. In this step The Example Corporation adds additional
web filter settings to block web access with the exception of four required web sites. Web
URL filters are then enabled in the web URL policy for help desk employees.
Before you can configure filters, you must first create a list to place the filters in.
To create a filter list for blocked URLs - web-based manager
1 Go to UTM > Web Filter > URL Filter.
2 Select Create New.
3 Enter Example_URL_Filter as the name.
4 Select OK.
To create a filter list for blocked URLs - CLI
config webfilter urlfilter
edit # (select any unused number)
set name Example_URL_Filter
end
To configure a URL block - web-based manager
1 Go to UTM > Web Filter > URL Filter.
2 Select Example_URL_Filter and select Edit.
3 Select Create New.
4 Enter the following settings:
URL: .*
Type: Regex
Action: Block
5 Select Enable.
6 Select OK.
This pattern blocks all web sites.
To configure URL block - CLI
config webfilter urlfilter
edit # (the number of the Example_URL_Filter list)
config entries
edit 1
# the pattern must be set on the entry itself; ".*" matches every URL
set url ".*"
set action block
set type regex
set status enable
end
end
Note: The edit command will only accept a number. Type edit ? for a list of URL filter
lists and their corresponding number.


To configure a filter to exempt URLs - web-based manager
1 Go to UTM > Web Filter > URL Filter.
2 Select Example_URL_Filter and select Edit.
3 Select Create New.
4 Enter the following settings:
URL: www.example.com
Type: Simple
Action: Exempt
5 Select Enable.
6 Select OK.
7 Repeat for each of the following URLs:
• intranet.example.com
• www.dictionary.com
• www.ExampleReferenceSite.com
To configure URL exempt - CLI
config webfilter urlfilter
edit # (the number of the Example_URL_Filter list)
config entries
# entries are keyed by number; the URL itself goes in "set url"
edit 2
set url www.example.com
set action exempt
set type simple
set status enable
next
edit 3
set url intranet.example.com
set action exempt
set type simple
set status enable
next
edit 4
set url www.dictionary.com
set action exempt
set type simple
set status enable
next
edit 5
set url www.ExampleReferenceSite.com
set action exempt
set type simple
set status enable
end
end

Web filter UTM profile
With the URL filter defined, add a web filter profile to be used in the firewall policies.
To create and configure a web filter profile - web-based manager
1 Go to UTM > Web Filter > Profile.
2 Select Create New.
3 Enter help_desk_work as the Profile Name.

4 For Web URL Filter, select the HTTP option, and select the help_desk_work.
5 Select OK.
To create and configure a web filter profile - CLI
config webfilter profile
edit help_desk_work
config http
set options urlfilter
end
config web
# the number of the Example_URL_Filter list
set urlfilter-table 1
end
end

Ordering the filtered URLs
While the list includes all the exempt URLs the help desk needs with a global block filter,
there is a problem. Since the URL Filter list is parsed from top to bottom, and the block
filter appears first, every URL will match the block filter and parsing will stop. The exempt
URL statements that follow will never be referenced. To fix this problem, reorder the list to
put the global block filter at the end.
To order the filter URLs - web-based manager
1 Select the Move To icon for the “.*” URL.
2 Select After and type www.ExampleReferenceSite.com into the URL field.
3 Select OK.
To order the filtered URLs - CLI
config webfilter urlfilter
edit # (the number of the Example_URL_Filter list)
config entries
move # after #
end
end
Note: The move command will only accept a number. Type move ? for a list of the entries
in the list and their corresponding numbers.
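The shadowing problem described above is easy to reproduce outside the unit. As an added example, not from the handbook, the Python below models a URL filter list evaluated top to bottom with the first matching entry deciding the action, using the help-desk entries from this section; move_after mirrors the Move To step and shadowed_entries reports exempt entries that can never be reached. The matching rules are a simplifying assumption (a simple entry matches the host name or any sub-domain of it, a regex entry is applied with re.search), not a statement of how FortiOS matches.

```python
"""First-match URL filter list evaluation, as an added example.

Not FortiOS code: a model of a URL filter list parsed top to bottom,
showing why a global ".*" block entry placed first shadows the exempt
entries that follow it, and that moving it to the end fixes the list.
"""
import re
from typing import List, NamedTuple, Optional


class UrlEntry(NamedTuple):
    url: str
    type: str        # "simple" or "regex"
    action: str      # "block" or "exempt"
    status: str = "enable"


def entry_matches(entry: UrlEntry, host: str) -> bool:
    """Assumed semantics: simple = host or sub-domain match, regex = re.search."""
    if entry.status != "enable":
        return False
    host = host.lower()
    if entry.type == "regex":
        return re.search(entry.url, host) is not None
    pattern = entry.url.lower()
    return host == pattern or host.endswith("." + pattern)


def evaluate(entries: List[UrlEntry], host: str) -> Optional[str]:
    """Return the action of the first enabled entry that matches, or None."""
    for entry in entries:
        if entry_matches(entry, host):
            return entry.action
    return None


def move_after(entries: List[UrlEntry], url: str, anchor: str) -> List[UrlEntry]:
    """Return a copy with the entry for `url` placed right after the entry for `anchor`."""
    moving = next(e for e in entries if e.url == url)
    rest = [e for e in entries if e.url != url]
    idx = next(i for i, e in enumerate(rest) if e.url == anchor)
    return rest[: idx + 1] + [moving] + rest[idx + 1:]


def shadowed_entries(entries: List[UrlEntry]) -> List[str]:
    """URLs of enabled simple entries that an earlier entry already matches,
    so they can never be reached."""
    result = []
    for i, entry in enumerate(entries):
        if entry.type != "simple" or entry.status != "enable":
            continue
        if evaluate(entries[:i], entry.url) is not None:
            result.append(entry.url)
    return result


# Entries in the order the page creates them: block first, then the exemptions.
PAGE_ORDER = [
    UrlEntry(".*", "regex", "block"),
    UrlEntry("www.example.com", "simple", "exempt"),
    UrlEntry("intranet.example.com", "simple", "exempt"),
    UrlEntry("www.dictionary.com", "simple", "exempt"),
    UrlEntry("www.ExampleReferenceSite.com", "simple", "exempt"),
]

# The "Move To ... After www.ExampleReferenceSite.com" step from the page.
FIXED_ORDER = move_after(PAGE_ORDER, ".*", "www.ExampleReferenceSite.com")


if __name__ == "__main__":
    for host in ("www.example.com", "www.dictionary.com", "news.example.org"):
        print(f"{host}: page order -> {evaluate(PAGE_ORDER, host)}, "
              f"fixed order -> {evaluate(FIXED_ORDER, host)}")
    print("shadowed in page order:", shadowed_entries(PAGE_ORDER))
    print("shadowed in fixed order:", shadowed_entries(FIXED_ORDER))
```

In the page order every one of the four exempt entries is shadowed, so the help desk would be unable to reach even its required sites; after the move the exemptions are matched first and only unlisted hosts fall through to the block entry.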

Application control or IM and P2P
By creating an application control profile, you can include the IM/P2P applications that
need to be blocked from the help desk users.
To configure the application control profile - web-based manager
1 Go to UTM > Application Control > Profile.
2 Select Create New.
3 Enter the profile name of IM_P2P.
4 Select OK.
5 Select the new group name and select Edit.
6 Select Create New.
7 In the Category list, select IM.
8 Set the Action to Block and Select OK.
9 Repeat the above steps to add an entry for P2P.


To configure the application control profile - CLI
config application list
edit IM_P2P
config entries
edit 1
set category 1
next
edit 2
set category 2
end
end

Creating a recurring schedule
The Example Corporation uses this schedule in a firewall policy for help desk employees
to allow greater web access during lunch hours. The schedule is in effect Monday through
Saturday from 11:45am to 2pm.
To create a recurring schedule - web-based manager
1 Go to Firewall > Schedule > Recurring.
2 Select Create New.
3 Enter lunch as the name for the schedule.
4 Select the days Mon through Fri.
5 Set the Start time as 11:45 and set the Stop time as 14:00.
6 Select OK.
To create a recurring schedule - CLI
config firewall schedule recurring
edit lunch
set day monday tuesday wednesday thursday friday
set start 11:45
set end 14:00
end

Configuring firewall policies for help desk
The Example Corporation configures two firewall policies for the help desk employees, to
implement the web block settings and use the schedule for lunch hour web access
created above. For tips on firewall policies see “Important points for firewall policy
configuration” on page 302.
The first policy is an internal -> wan1 policy which uses the help_desk protection profile to
block most web access during working hours. The second policy goes above the first
policy and uses the lunch schedule and the help_desk_lunch protection profile to allow
web access at lunch.
To create and insert a policy for the help desk - web-based manager
1 Go to Firewall > Policy > Policy.
2 Expand the internal -> wan1 entry and select the Insert Policy before icon beside
policy 1.
3 Enter or select the following settings:


Source Interface / Zone: internal
Source Address: Help_Desk
Destination Interface / Zone: wan1
Destination Address: All
Schedule: Always
Service: ANY
Action: ACCEPT

4 Select Enable NAT.
5 Select UTM and select the Protocol Options of default.
6 Select Enable Antivirus and select standard_profile.
7 Select Enable IPS and select all_default.
8 Select Enable Web Filter and select standard_profile.
9 Select Enable Email Filter and select standard_profile.
10 Select Enable Application Control and select IM_P2P.
11 Select OK.
12 Select the policy and select Move.
13 Select Before and enter Policy ID 2.
Note: The FortiGate unit checks for matching policies in the order they appear in the list
(not by policy ID number). For the ‘lunch’ policy to work, it must go before the policy using
the help-desk protection profile (above).

14 Select Create New.
15 Enter or select the following settings:
Source Interface / Zone: internal
Source Address: Help_Desk
Destination Interface / Zone: wan1
Destination Address: All
Schedule: lunch
Service: ANY
Action: ACCEPT

16 Select Enable NAT.
17 Select UTM and select the Protocol Options of default.
18 Select Enable Antivirus and select standard_profile.
19 Select Enable IPS and select all_default.
20 Select Enable Web Filter and select standard_profile.
21 Select Enable Email Filter and select standard_profile.
22 Select OK.

Configuring firewall policies for help desk - CLI
config firewall policy
edit 2
set action accept
set dstaddr all
set dstintf wan1
set profile-status enable
set schedule always
set service ANY
set srcaddr Help_Desk
set srcintf internal
set nat enable
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
set application-list IM_P2P
next
edit 3
set action accept
set dstaddr all
set dstintf wan1
set profile-status enable
set schedule lunch
set service ANY
set srcaddr Help_Desk
set srcintf internal
set nat enable
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
next
move 2 before 1
move 3 before 2
end
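The ordering rule in the note above (policies are matched top-down in list order, not by policy ID) is easy to get wrong, so here is an added, constructed simulator that is not FortiOS or Fortinet code: it reproduces the two `move` commands and shows which protection profile a help-desk web request receives depending on the order. The Help_Desk subnet, the lunch window, the sample packet and the stand-in policy 1 are assumptions.

```python
"""Added example (constructed, not FortiOS/Fortinet code): a minimal first-match
simulator showing why the 'lunch' policy must sit above the always-on help-desk
policy, and how the CLI 'move' commands reorder the list."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Firewall address objects. The Help_Desk subnet is an assumption; this
# section of the handbook does not give its value.
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "Help_Desk": ipaddress.ip_network("10.11.101.128/25"),
}

# Recurring schedules as (weekdays, start, end); 'always' has no window.
# The lunch window (weekdays 12:00-13:00) is an assumption.
SCHEDULES = {
    "always": None,
    "lunch": ({0, 1, 2, 3, 4}, time(12, 0), time(13, 0)),
}

# Service objects: destination TCP port, or None for ANY.
SERVICES = {"ANY": None, "HTTP": 80, "FTP": 21, "SMTP": 25, "POP3": 110}


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    schedule: str
    service: str
    action: str
    profile: str  # protection profile applied when this policy matches


def schedule_active(name: str, when: datetime) -> bool:
    window = SCHEDULES[name]
    if window is None:
        return True
    days, start, end = window
    return when.weekday() in days and start <= when.time() < end


def first_match(policies, pkt, when):
    """Walk the list top-down (list order, not policy ID order) and return
    the first policy matching the packet, or None for the implicit deny."""
    for p in policies:
        if (p.srcintf, p.dstintf) != (pkt["srcintf"], pkt["dstintf"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in ADDRESSES[p.srcaddr]:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in ADDRESSES[p.dstaddr]:
            continue
        port = SERVICES[p.service]
        if port is not None and port != pkt["dport"]:
            continue
        if not schedule_active(p.schedule, when):
            continue
        return p
    return None


def move_before(policies, policy_id, before_id):
    """Reorder the list like the CLI 'move <id> before <id>'; IDs stay fixed."""
    moving = next(p for p in policies if p.policy_id == policy_id)
    rest = [p for p in policies if p.policy_id != policy_id]
    idx = next(i for i, p in enumerate(rest) if p.policy_id == before_id)
    return rest[:idx] + [moving] + rest[idx:]


def help_desk_policies():
    """Policies 1-3 in ID order. Policy 1 is a constructed stand-in for the
    pre-existing internal -> wan1 policy covering the rest of the office."""
    return [
        Policy(1, "internal", "wan1", "all", "all", "always", "ANY", "accept", "standard"),
        Policy(2, "internal", "wan1", "Help_Desk", "all", "always", "ANY", "accept", "help_desk"),
        Policy(3, "internal", "wan1", "Help_Desk", "all", "lunch", "ANY", "accept", "help_desk_lunch"),
    ]


def ordered_help_desk_policies():
    """Apply 'move 2 before 1' and then 'move 3 before 2' from the CLI example."""
    return move_before(move_before(help_desk_policies(), 2, 1), 3, 2)


def profile_for(policies, when, src="10.11.101.130"):
    """Protection profile a web request from host 'src' receives at 'when'."""
    pkt = {"srcintf": "internal", "dstintf": "wan1", "src": src,
           "dst": "198.51.100.10", "dport": 80}  # constructed sample packet
    match = first_match(policies, pkt, when)
    return match.profile if match else "implicit-deny"


def ordering_results():
    """Outcomes for the constructed scenarios: correct order, ID order, and
    a list where 'move 3 before 2' was forgotten."""
    wed_lunch = datetime(2010, 7, 14, 12, 30)   # a Wednesday
    wed_morning = datetime(2010, 7, 14, 10, 0)
    sat_lunch = datetime(2010, 7, 17, 12, 30)   # a Saturday
    good = ordered_help_desk_policies()
    half_moved = move_before(help_desk_policies(), 2, 1)  # order 2, 1, 3
    return {
        "order": [p.policy_id for p in good],                      # [3, 2, 1]
        "lunch": profile_for(good, wed_lunch),                     # help_desk_lunch
        "morning": profile_for(good, wed_morning),                 # help_desk
        "saturday_lunch": profile_for(good, sat_lunch),            # help_desk
        "id_order_lunch": profile_for(help_desk_policies(), wed_lunch),  # standard
        "half_moved_lunch": profile_for(half_moved, wed_lunch),    # help_desk
        "other_host": profile_for(good, wed_lunch, src="10.11.101.5"),  # standard
    }


if __name__ == "__main__":
    for name, value in ordering_results().items():
        print(f"{name}: {value}")
```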

Configuring remote access VPN tunnels
Goals
• Configure a secure connection for home-based workers. Tasks include:
  • Adding addresses for home-based workers
  • Configuring the FortiGate end of the IPSec VPN tunnels
• Control traffic and maintain security. Tasks include:
  • Configuring firewall policies for the VPN tunnels

Adding addresses for home-based workers
To support VPN connections to the internal network, add a firewall address for The
Example Corporation internal network.
To support a VPN connection for a home-based employee with a static IP address, add a
firewall address for this employee.
The Example Corporation uses a Dynamic Domain Name Server (DDNS) VPN
configuration for a home-based employee with a dynamic IP address. The DDNS VPN
uses the All firewall address.
To add addresses for home-based workers - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New and enter or select the following settings:
Address Name         Example_Network
Type                 Subnet / IP Range
Subnet / IP Range    192.168.100.0
Interface            Any

3 Select OK.
4 Select Create New and enter or select the following settings:
Address Name         Home_User_1
Type                 Subnet / IP Range
Subnet / IP Range    220.100.65.98
Interface            Any

5 Select OK.
To add addresses for home-based workers - CLI
config firewall address
edit Example_Network
set subnet 192.168.100.0 255.255.255.0
next
edit Home_User_1
set subnet 220.100.65.98 255.255.255.0
end

Configuring the FortiGate end of the IPSec VPN tunnels
The Example Corporation uses AutoIKE preshared keys to establish IPSec VPN tunnels
between the internal network and the remote workers.
Home_User_1 has a static IP address with a straightforward configuration.
Home_User_2 has a dynamic IP address and therefore some preparation is required. The
Example Corporation will register this home-based worker with a domain name. The
DDNS servers remap the IP address to the domain name whenever Home_User_2 gets a
new IP address assigned by their ISP.
The Example Corporation home-based workers use FortiClient software for VPN
configuration.

To configure IPSec phase 1 - web-based manager
1 Go to VPN > IPSEC > Auto Key (IKE).
2 Select Create Phase 1.
3 Enter or select the following settings for Home_User_1:
Name                    Home1 (The name for the peer that connects to The Example
                        Corporation network.)
Remote Gateway          Static IP Address
IP Address              220.100.65.98
Local Interface         wan1
Mode                    Main (ID protection)
                        Note: The VPN peers must use the same mode.
Authentication Method   Preshared Key
Pre-shared Key          ke8S5hOqpG73Lz4
                        Note: The key must contain at least 6 printable characters and
                        should only be known by network administrators. For optimum
                        protection against currently known attacks, the key should consist
                        of a minimum of 16 randomly chosen alphanumeric characters. The
                        VPN peers must use the same preshared key.
Peer options            Accept any peer ID

4 Select OK.
5 Select Create Phase 1.
6 Enter or select the following settings for Home_User_2:
Name                    Home2 (The name for the peer that connects to The Example
                        Corporation network.)
Remote Gateway          Dynamic DNS
Dynamic DNS             example.net
Local Interface         wan1
Mode                    Main (ID protection)
                        Note: The VPN peers must use the same mode.
Authentication Method   Preshared Key
Pre-shared Key          GT3wlf76FKN5f43U
                        Note: The key must contain at least 6 printable characters and
                        should only be known by network administrators. For optimum
                        protection against currently known attacks, the key should consist
                        of a minimum of 16 randomly chosen alphanumeric characters. The
                        VPN peers must use the same preshared key.
Peer options            Accept any peer ID

7 Select OK.
Note: Both ends (peers) of the VPN tunnel must use the same mode and authentication
method.

To configure IPSec phase 1 - CLI
config vpn ipsec phase1
edit Home1
set type static
set interface wan1
set authmethod psk
set psksecret ke8S5hOqpG73Lz4
set remote-gw 220.100.65.98
set peertype any
next
edit Home2
set type ddns
set interface wan1
set authmethod psk
set psksecret GT3wlf76FKN5f43U
set remotegw-ddns example.net
set peertype any
end
To configure IPSec phase 2 - web-based manager
1 Go to VPN > IPSEC > Auto Key (IKE).
2 Select Create Phase 2.
3 Enter or select the following settings:
Name       Home1_Tunnel
Phase 1    Home1

4 Select OK.
5 Select Create Phase 2.
6 Enter or select the following settings:
Name       Home2_Tunnel
Phase 1    Home2

7 Select OK.
To configure IPSec phase 2 - CLI
config vpn ipsec phase2
edit Home1_Tunnel
set phase1name Home1
next
edit Home2_Tunnel
set phase1name Home2
end

Configuring firewall policies for the VPN tunnels
The Example Corporation configures specific policies for each home-based worker to
ensure secure communication between the home-based worker and the internal network.

To configure firewall policies for the VPN tunnels - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New and enter or select the following settings for Home_User_1:
Source Interface / Zone        internal
Source Address                 Example_Network
Destination Interface / Zone   wan1
Destination Address            Home_User_1
Schedule                       Always
Service                        ANY
Action                         IPSEC
VPN Tunnel                     Home1
Allow Inbound                  yes
Allow outbound                 yes
Inbound NAT                    yes
Outbound NAT                   no

3 Select UTM and select the Protocol Options of default.
4 Select Enable Antivirus and select standard_profile.
5 Select Enable IPS and select all_default.
6 Select Enable Web Filter and select standard_profile.
7 Select Enable Email Filter and select standard_profile.
8 Select OK.
9 Select Create New and enter or select the following settings for Home_User_2:
Source Interface / Zone        internal
Source Address                 Example_Network
Destination Interface / Zone   wan1
Destination Address            All
Schedule                       Always
Service                        ANY
Action                         IPSEC
VPN Tunnel                     Home2_Tunnel
Allow Inbound                  yes
Allow outbound                 yes
Inbound NAT                    yes
Outbound NAT                   no

10 Select UTM and select the Protocol Options of default.
11 Select Enable Antivirus and select standard_profile.
12 Select Enable IPS and select all_default.
13 Select Enable Web Filter and select standard_profile.
14 Select Enable Email Filter and select standard_profile.
15 Select OK.

To configure firewall policies for the VPN tunnels - CLI
config firewall policy
edit 5
set srcintf internal
set dstintf wan1
set srcaddr Example_Network
set dstaddr Home_User_1
set action ipsec
set schedule always
set service ANY
set inbound enable
set outbound enable
set natinbound enable
set vpntunnel Home1
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
next
edit 6
set srcintf internal
set dstintf wan1
set srcaddr Example_Network
set dstaddr all
set action ipsec
set schedule always
set service ANY
set inbound enable
set outbound enable
set natinbound enable
set vpntunnel Home2
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
end

Configuring the FortiClient end of the IPSec VPN tunnels
Fortinet has a complete range of network security products. FortiClient software is a
secure remote access client for Windows computers. Home-based workers can use
FortiClient to establish VPN connections with remote networks. For more information
about installing and configuring FortiClient please see the FortiClient Installation Guide.
Note: The specific configuration given in this example will only function with licensed copies
of the FortiClient software. The default encryption and authentication types on the FortiGate
unit are not available on the FortiClient Demo software.

To configure FortiClient for Home_User_1 and Home_User_2 - web-based manager
1 Open the FortiClient software on Home_User_1’s computer.
2 Go to VPN > Connections.
3 Select Add.
4 Enter the following information:
Connection Name         Home1_home (A descriptive name for the connection.)
VPN Type                Manual IPSec
Remote Gateway          172.10.120.141 (The FortiGate external interface IP address.)
Remote Network          10.11.101.0 / 255.255.255.0 (The Example Corporation internal
                        network address and netmask.)
Authentication method   Preshared Key
Preshared key           ke8S5hOqpG73Lz4 (The preshared key entered in phase 1.)

5 Select OK.
6 Repeat on Home_User_2’s computer for Home_User_2.

Configuring the web server
Goals
• Host the web server on a separate but secure DMZ network
• Hide the internal IP address of the web server. Tasks include:
  • Configuring the FortiGate unit with a virtual IP
• Control traffic and maintain security. Tasks include:
  • Adding the web server address
  • Configuring firewall policies for the web server

Alternately, The Example Corporation could have their web server hosted by an ISP. See
“ISP web site and email hosting” on page 323.

Configuring the FortiGate unit with a virtual IP
With the web server located on the DMZ interface, The Example Corporation configures a
virtual IP (VIP) address so that incoming requests for the web site are routed correctly.
The virtual IP can be included later in wan1 -> dmz1 firewall policies.
To configure the FortiGate unit with a virtual IP - web-based manager
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New and enter or select the following settings:
Name                          Web_Server_VIP
External Interface            wan1
Type                          Static NAT
External IP Address/ Range    172.20.120.141
Mapped IP Address/ Range      10.20.10.3

3 Select OK.

To configure a virtual IP - CLI
config firewall vip
edit Web_Server_VIP
set extintf wan1
set extip 172.20.120.141
set mappedip 10.20.10.3
end

Adding the web server address
The Example Corporation adds the web server address to the firewall so it can be
included later in firewall policies.
To add the web server address - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New and enter or select the following settings:
Address Name        Web_Server
Type                Subnet/ IP Range
Subnet/ IP Range    10.20.10.3/255.255.255.0
Interface           Any

3 Select OK.
To add the web server address - CLI
config firewall address
edit Web_Server
set subnet 10.20.10.3 255.255.255.0
end

Configuring firewall policies for the web server
wan1 -> dmz1 policies
Add a policy for users on the Internet (wan1) to access The Example Corporation web
site on the DMZ network.
To add a policy for web server access - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New and enter or select the following settings:
Source Interface / Zone        wan1
Source Address                 All
Destination Interface / Zone   dmz1
Destination Address            Web_Server_VIP
Schedule                       Always
Service                        HTTP
Action                         ACCEPT

3 Select UTM and select the Protocol Options of default.
4 Select Enable Antivirus and select standard_profile.
5 Select Enable IPS and select all_default.

6 Select Enable Web Filter and select standard_profile.
7 Select Enable Email Filter and select standard_profile.
8 Select OK.
To add a policy for web server access - CLI
config firewall policy
edit 7
set action accept
set schedule always
set service HTTP
set srcaddr all
set srcintf wan1
set dstaddr Web_Server_VIP
set dstintf dmz1
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
end

dmz1 -> wan1 policies
The Example Corporation does not require any dmz1 -> wan1 policies since there is no
reason for the server to initiate requests to the external interface.

dmz1 -> internal policies
The Example Corporation does not require any dmz1 -> internal policies since there is no
reason for the server to initiate requests to the internal interface.

internal -> dmz1 policies
Add a policy for the web developer to upload web site updates to the web server using
FTP.
To add the web master address to the firewall - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New and enter or select the following settings:
Address Name        Web_Master_J
Type                Subnet/ IP Range
Subnet/ IP Range    10.11.101.63/255.255.255.0
Interface           Any

3 Select OK.
To add the web master address to the firewall - CLI
config firewall address
edit Web_Master_J
set subnet 10.11.101.63 255.255.255.0
end

To add a policy for web master access to the web server - web-based manager
1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings:
Source Interface / Zone        internal
Source Address                 Web_Master_J
Destination Interface / Zone   dmz1
Destination Address            Web_Server
Schedule                       Always
Service                        FTP
Action                         ACCEPT

3 Select UTM and select the Protocol Options of default.
4 Select Enable Antivirus and select standard_profile.
5 Select Enable IPS and select all_default.
6 Select Enable Web Filter and select standard_profile.
7 Select Enable Email Filter and select standard_profile.
8 Select OK.
To add a policy for web master access to the web server - CLI
config firewall policy
edit 8
set action accept
set dstaddr Web_Server
set dstintf dmz1
set schedule always
set service FTP
set srcaddr Web_Master_J
set srcintf internal
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
end

Configuring the email server
Goals
• Host the email server on a separate but secure network
• Hide the internal IP addresses of the servers. Tasks include:
  • Configuring the FortiGate unit with a virtual IP
• Control traffic and maintain security. Tasks include:
  • Adding the email server address
  • Configuring firewall policies for the email server

Alternately, The Example Corporation could have their email server hosted by an ISP. See
“ISP web site and email hosting” on page 323.

Configuring the FortiGate unit with a virtual IP
With the email server on the DMZ network, The Example Corporation uses a virtual IP
(VIP) address so that incoming email requests are routed correctly. The Example
Corporation uses the IP address of the FortiGate wan1 interface for email and any SMTP
or POP3 traffic is forwarded to the email server on the DMZ. The virtual IP can be included
later in wan1 -> dmz1 firewall policies.
To configure a virtual IP - web-based manager
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New and enter or select the following settings:
Name                          Email_Server_VIP
External Interface            wan1
Type                          Static NAT
External IP Address/ Range    172.20.120.141
Mapped IP address/ Range      10.20.10.2

3 Select OK.
To configure a virtual IP - CLI
config firewall vip
edit Email_Server_VIP
set extintf wan1
set extip 172.20.120.141
set mappedip 10.20.10.2
end

Adding the email server address
The Example Corporation adds the email server address to the firewall so it can be
included later in firewall policies.
To add the email server address to the firewall - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New and enter or select the following settings:
Address Name        Email_Server
Type                Subnet/ IP Range
Subnet/ IP Range    10.10.10.3/255.255.255.0
Interface           Any

3 Select OK.
To add the email server address to the firewall - CLI
config firewall address
edit Email_Server
set subnet 10.20.10.3 255.255.255.0
end

Configuring firewall policies for the email server
Add and configure firewall policies to allow the email servers to properly handle emails.

dmz1 -> wan1 policies
Add a firewall policy to allow the email server to forward messages to external mail
servers.
To add a dmz1 -> wan1 firewall policy - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New and enter or select the following settings:
Source Interface / Zone        dmz1
Source Address                 Email_Server
Destination Interface / Zone   wan1
Destination Address            All
Schedule                       Always
Service                        SMTP
Action                         ACCEPT

3 Select UTM and select the Protocol Options of default.
4 Select Enable Antivirus and select standard_profile.
5 Select Enable IPS and select all_default.
6 Select Enable Web Filter and select standard_profile.
7 Select Enable Email Filter and select standard_profile.
8 Select OK.
To add a dmz1 -> wan1 firewall policy - CLI
config firewall policy
edit 9
set action accept
set dstaddr all
set dstintf wan1
set schedule always
set service SMTP
set srcaddr Email_Server
set srcintf dmz1
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
end

wan1 -> dmz1 policies
Add a policy to allow Internet email servers to forward messages to the email server.
To add a wan1 -> dmz1 firewall policy - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New and enter or select the following settings:
Source Interface / Zone        wan1
Source Address                 All
Destination Interface / Zone   dmz1
Destination Address            Email_Server_VIP
Schedule                       Always
Service                        SMTP
Action                         ACCEPT

3 Select UTM and select the Protocol Options of default.
4 Select Enable Antivirus and select standard_profile.
5 Select Enable IPS and select all_default.
6 Select Enable Web Filter and select standard_profile.
7 Select Enable Email Filter and select standard_profile.
8 Select OK.
To add a wan1 -> dmz1 firewall policy - CLI
config firewall policy
edit 10
set action accept
set srcintf wan1
set srcaddr all
set dstintf dmz1
set dstaddr Email_Server_VIP
set schedule always
set service SMTP
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
end

dmz1 -> internal policies
The Example Corporation does not require any dmz1 -> internal policies since there is no
reason for the server to initiate requests to the internal network.

internal -> dmz1 policies
The Example Corporation needs to add two internal -> dmz1 policies: one policy for
internal users to send outgoing messages to the server (SMTP) and a second policy for
internal users to read incoming mail (POP3).

To add internal -> dmz1 firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New and enter or select the following settings:
Source Interface / Zone        internal
Source Address                 All
Destination Interface / Zone   dmz1
Destination Address            Email_Server
Schedule                       Always
Service                        SMTP
Action                         ACCEPT

3 Select UTM and select the Protocol Options of default.
4 Select Enable Antivirus and select standard_profile.
5 Select Enable IPS and select all_default.
6 Select Enable Web Filter and select standard_profile.
7 Select Enable Email Filter and select standard_profile.
8 Select OK.
9 Select Create New and enter or select the following settings:
Source Interface / Zone        internal
Source Address                 All
Destination Interface / Zone   dmz1
Destination Address            Email_Server
Schedule                       Always
Service                        POP3
Action                         ACCEPT

10 Select UTM and select the Protocol Options of default.
11 Select Enable Antivirus and select standard_profile.
12 Select Enable IPS and select all_default.
13 Select Enable Web Filter and select standard_profile.
14 Select Enable Email Filter and select standard_profile.
15 Select OK.
To add internal -> dmz1 firewall policies - CLI
config firewall policy
edit 11
set action accept
set dstaddr Email_Server
set dstintf dmz1
set schedule always
set service SMTP
set srcaddr all
set srcintf internal

set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
next
edit 12
set action accept
set dstaddr Email_Server
set dstintf dmz1
set schedule always
set service POP3
set srcaddr all
set srcintf internal
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
end

ISP web site and email hosting
Small companies such as The Example Corporation often find it more convenient and less
costly to have their email and web servers hosted by an ISP. This scenario would change
The Example Corporation example in the following ways:
• no need to set up a separate DMZ network
• no need to create policies for external access to the web or email servers
• add an internal -> wan1 firewall policy for the web master to upload web site updates
  via FTP
• add an internal -> wan1 POP3 firewall policy so that users can use POP3 to download
  email
• add an internal -> wan1 SMTP firewall policy so that users can use SMTP to send
  email

The Example Corporation internal network configuration
The Example Corporation internal network only requires a few changes to individual
computers to route all traffic correctly through the FortiGate-100A.


• set the IP addresses within the prescribed ranges for each computer on the network
  (see Figure 37 on page 291)
• set the default gateway to the IP address of the FortiGate internal interface for each
  computer on the network
• set the DNS server to the IP address of the FortiGate internal interface for each
  computer on the network

Other features and products for SOHO
Small or branch offices can use the FortiGate unit to provide a secure connection between
the branch and the main office.
Other tasks or products to consider:
• Backing up the FortiGate configuration
• Enabling Internet browsing for the home users through the VPN tunnel to ensure no
  unencrypted information enters or leaves the remote site
• Configuring logging and alert email for critical events
• VoIP communications between branches

Concept Example: Library Network Protection
Located in a large city, the library system is anchored by a main downtown location
serving most of the population, with a dozen branches spread throughout the city. Each
branch is wired to the Internet but none are linked with each other by dedicated
connections.

Current topology and security concerns
Each office connects to the Internet with no standard access policy or centralized
management and monitoring.
The library system does not log Internet traffic and does not have the means to do so on a
system-wide basis. In the event of legal action involving network activity, the library
system will need this information to protect itself.
The branches currently communicate with the main office through the Internet with no
encryption. This is of particular concern because all staff members access the central
email server in the main office. Email sent to or from branch office staff could be
intercepted.
Both the main and branch offices are protected from the Internet by firewalls. This
protection is limited to defending against unauthorized intrusion. No virus, worm, phishing,
or spyware defences protect the network, resulting in computer downtime when an
infection strikes.
Like the branches, the main office is protected by a single firewall device connected to the
Internet. Should this device fail, connectivity will be lost. The library system’s web page
and catalog are mission critical applications and access would be better protected by
redundant hardware.
The internal network at each location has staff computers and public access terminals
connected together. Concerns have been raised over possible vulnerabilities involving
staff computers and public terminals sharing the same network.
Budgetary constraints limit the number of public access terminals the library can provide.
With the popularity of wifi enabled laptops, the addition of a wireless access point is an
economical way to allow library patrons to access the Internet using their own equipment.
Efficient use of the library’s limited public access terminals and bandwidth can be
compromised by the installation and use of instant messaging and peer to peer file sharing
applications.
Use of library resources to browse inappropriate content is a problem. These activities are
prohibited by library policies, but there is no technical means of enforcement, leaving it to
the staff to monitor usage as best they can.

Figure 38: The library system’s current network topology
[Diagram. Branch configuration (only one branch shown): branch staff, public terminals and
catalog access terminals behind a single firewall connected to the Internet. Main office
configuration: main office staff, public terminals and catalog access terminals behind a
single firewall, with the mail server, web server and catalog server on a DMZ.]

Library requirements
• Public wireless Internet access for mobile clients.
• Strict separation of public access terminals from staff computers.
• An automatically maintained and updated system for stopping viruses and intrusions at
  the firewall.
• Instant messaging is blocked for public Internet terminals and public wireless access,
  but not for staff. Peer-to-peer downloads are blocked network-wide.
• VPN to secure all traffic between main and branch offices.
• All Internet traffic from branch offices travels securely to the main office and then out
  onto the Internet. Inbound traffic follows the reverse route. This allows a single point at
  which all protection profiles and policies may be applied for simplified and consistent
  management.
• The ability to block specific web sites and whole categories of sites from those using
  the public terminals and public wireless access if deemed necessary. Users granted
  special permission should be allowed to bypass the restrictions.
• Public access traffic originates from a different address than staff and server traffic.
• DMZ for web and email server hosting in main office.
• The library catalog is available on the library’s web page allowing public access from
  anywhere.
• Redundant hardware for main office firewall.

The library’s decision
Every model of the FortiGate Dynamic Threat Prevention System offers real time network
protection to detect and eliminate the most damaging, content-based threats from email
and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more
in real time — without degrading network performance.
The library decided to standardize on the FortiGate-800 and the FortiWiFi-80CM:
• Two FortiGate-800 units for main office. These enterprise-level devices have the
  processing power and speed to handle the amount of traffic expected of a large busy
  library system with public catalog searches, normal staff use, and on-site research
  using the Internet as a resource. The two units are interconnected in HA (high
  availability) mode to ensure uninterrupted service in the case of failure. A
  FortiWiFi-80CM is also used to provide wireless access for patrons in main office.
• A FortiWiFi-80CM for each branch office. In addition to being able to handle the
  amount of traffic expected of a branch office, the FortiWiFi-80CM provides wireless
  access for library patrons.

Proposed topology
Figure 39 shows the proposed network topology utilizing the FortiGate units. Only one
branch office is shown in the diagram although more than a dozen are configured in the
same way, including the VPN connection to the main office.
The VPN connections between the branch offices and the main office are a critical feature
securing communication between locations.
The two FortiGate-800 units in HA mode serve as the only point through which traffic flows
between the Internet and the library’s network, including the branch offices. VPN
connections between the main and branch offices provide the means to securely send
data in either direction.
Branch Internet browsing traffic is routed to the main office through the VPN by the
branch’s FortiWiFi-80CM. After reaching the FortiGate-800 at the main office, the traffic
continues out to the Internet. Inbound traffic follows the same path back to the branch
office.
With two FortiGate-800 units in HA mode serving as a single point of contact to the
Internet, only two FortiGuard subscriptions are required to protect the entire network.
Otherwise each branch would also need separate FortiGuard subscription. The
FortiGuard web filtering service can also be configured on the FortiGate-800 units,
ensuring consistent web filtering policies for all locations.
No provision is made for direct communication between branches.


Figure 39: Proposed library system network topology
[Figure: network diagram. Branch configuration (branch 1 addresses shown): the branch unit (labelled WiFi-60) has Internal 10.1.2.1 serving branch staff 10.1.2.[2-254], WAN2 10.1.3.1 serving catalog access terminals 10.1.3.[2-254], DMZ 10.1.4.1 serving public terminals 10.1.4.[2-254], and WAN1 192.168.23.89 carrying the VPN tunnel across the Internet. Main location configuration: the FGT-800 HA cluster has External 192.168.147.30 (VPN tunnels and Internet), DMZ 10.100.1.1 with the web, mail and catalog servers at 10.100.1.10, 10.100.1.11 and 10.100.1.12, Internal 10.100.2.1 (main office staff 10.100.2.[2-254]), Port2 10.100.3.1 (catalog access terminals 10.100.3.[2-254]), Port3 10.100.4.1 (public terminals 10.100.4.[2-254]) and Port4 10.100.5.1 (WiFi-60); the label 10.100.1.3 also appears in the diagram.]

Table 12 on page 329 details the allowed connectivity between different parts of the
network.


Table 12: Access permission between various parts of the network (rows: connecting from; columns: connecting to)

| Connecting from | Branch Staff | Branch Public Access | Branch Catalog access | Main Staff | Main Public Access | Main Catalog | Web Server | Mail Server | Catalog Server | Internet |
|---|---|---|---|---|---|---|---|---|---|---|
| Branch Staff | No | No | No | No | No | No | Yes | Yes | Yes* | Yes |
| Branch Public Access | No | No | No | No | No | No | Yes | No | Yes* | Yes |
| Branch Catalog access | No | No | No | No | No | No | Yes | No | Yes* | No |
| Main Staff | No | No | No | No | No | No | Yes | Yes | Yes* | Yes |
| Main Public Access | No | No | No | No | No | No | Yes | No | Yes* | Yes |
| Main Catalog | No | No | No | No | No | No | Yes | No | Yes* | No |
| Web Server | No | No | No | No | No | No | No | No | Yes | No |
| Mail Server | No | No | No | No | No | No | No | No | No | Yes |
| Catalog Server | No | No | No | No | No | No | No | No | No | No |
| Internet | No | No | No | No | No | No | Yes | Yes† | Yes* | No |

†Only SMTP connections are permitted from the Internet to the mail server.
* An indirect connection. Access to the catalog is through the library web page. Direct connections to the catalog server are not permitted.

Features used in this example
Table 13: Features used to fulfil requirements

| Feature requirement | Location in this example | Description |
|---|---|---|
| Secure communication between each branch and the main office. | “IPSEC VPN” on page 334 | Traffic between each branch and the main office is encrypted. |
| WiFi access for mobile clients. | “Wireless access” on page 345 | The FortiWiFi-80CM provides WiFi access. |
| Strict separation of public access terminals from staff computers. | “Topology” on page 331 | Traffic is permitted between network interfaces only when policies explicitly allow it. |
| An automatically maintained and updated system for stopping viruses and intrusions at the firewall. | “FortiGuard” on page 334 | The FortiGuard Subscription service keeps antivirus and intrusion prevention signatures up to date. Also included is a spam blacklist and a web filtering service. |
| Instant messaging blocked for public access, and P2P blocked systemwide. | “Protection profiles, Application Control” on page 341 | Since staff user traffic and public access user traffic is controlled by separate policies, different protection profiles can be created for each. |
| The ability to block specific sites and whole categories of sites from the public access terminals and public WiFi. | “Protection profiles, FortiGuard Web Filtering/Advanced Filter” on page 339 | The FortiGuard Web Filtering service breaks down web sites into 56 categories. Each can be allowed or blocked. |
| Public access traffic originates from a different address than staff and server traffic in case of abuse. | “IP Pools” on page 336 | IP pools can have traffic controlled by one policy originate from an IP address different than the physical network interface. |
| Mail and web server have their own IP addresses, but share the same connection to the Internet as the rest of the main branch. | “Mail and web servers” on page 348 | Virtual IP addresses allow a single physical interface to share additional IP addresses and route traffic according to destination address. |
| Before they’re allowed access, public access users must agree that the library takes no responsibility for what they might see on the Internet. | “User Disclaimer” on page 337 | Each policy can be set to require authentication and/or agreement to a disclaimer before access is permitted. |
| Redundant hardware to ensure availability. | “High Availability (HA)” on page 332 | Two FortiGate-800 units operate together to ensure a minimum interruption should a hardware failure occur. |

Network addressing
The IP addresses used on the library’s internal network follow a 10.x.y.z structure with a 255.255.255.0 subnet mask, where:
• x is the branch number. The main office uses 100 while the branches are assigned numbers starting with 1.
• y indicates the purpose of the attached devices in this range:
  • 1 - servers and other infrastructure
  • 2 - staff computers
  • 3 - catalog terminals
  • 4 - public access terminals
  • 5 - public WiFi access
• z is a range of individual machines.
For example, 10.3.2.15 and 10.3.2.27 are two staff members' computers in the third library branch.
Assigning IP addresses by location and purpose allows network administrators to define
addresses and address ranges to descriptive names on the FortiGate unit. These address
names then can also be incorporated into address groups for easy policy maintenance.
For example, the address range 10.1.2.[2-254] is assigned the name Branch_1_Staff on
the FortiGate-800 unit. Anytime a policy is required for traffic from the staff in branch 1,
this address name can be selected. Further, once an address name is specified for the
staff of each branch, all of those names can be combined into an address group named
Branch_Staff so all the branch staff can be referenced as a single entity.


Figure 40: IP address ranges are assigned names, and the names combined into address groups.
[Figure: the IP address ranges 10.1.2.[2-254], 10.2.2.[2-254] and 10.3.2.[2-254] are given the address names Branch 1 Staff, Branch 2 Staff and Branch 3 Staff, which are combined into the address group Branch Staff; 10.100.2.[2-254] is given the address name Main Staff.]

The address names defined on the FortiGate-800 for Branch 1 traffic are Branch_1_Staff
(10.1.2.2-10.1.2.254), Branch_1_Catalog (10.1.3.2-10.1.3.254), Branch_1_Public
(10.1.4.2-10.1.4.254), and Branch_1_WiFi (10.1.5.2-10.1.5.254). Four address groups will
be created incorporating each type of address name from all the branches: Branch_Staff,
Branch_Catalog, Branch_Public, and Branch_WiFi.
At the main office, additional address names are configured for the web server
(Web_Server) and for the web and email servers combined (Servers).
Address names are configured in Firewall > Address > Address.
Address groups are configured in Firewall > Address > Group.

Configuring the main office
The FortiGate-800 cluster forms the hub of virtually all network communication, whether
within the main office, from the branch offices to the main branch, or from anywhere in the
library network to the Internet. This way, all virus scanning, spam and web filtering, as well
as access restrictions can be centralized and maintained in this one place.

Topology
The main office network layout is designed to keep the various parts of the network
separate. Computers on different segments of the network cannot contact each other
unless a FortiGate policy is created to allow the connection. Public terminals can access
the library’s web server for example, but they cannot access any machines belonging to
staff members. See Table 12 on page 329 for details on permitted access between
different parts of the library network.
Staff computers, email and web servers, public access terminals, and WiFi connected
systems are all protected by the FortiGuard service on the FortiGate-800 cluster. Push
updates ensure the FortiGate unit is up to date and prepared to block viruses, worms,
spyware, and attacks.


Figure 41: Main branch network topology
[Figure: the main location configuration. The FGT-800 HA cluster has External 192.168.147.30 (VPN tunnels and Internet), DMZ 10.100.1.1 with the web, mail and catalog servers at 10.100.1.10, 10.100.1.11 and 10.100.1.12, Internal 10.100.2.1 (main office staff 10.100.2.[2-254]), Port2 10.100.3.1 (catalog access terminals 10.100.3.[2-254]), Port3 10.100.4.1 (public terminals 10.100.4.[2-254]) and Port4 10.100.5.1 (WiFi-60); the label 10.100.1.3 also appears in the diagram.]

High Availability (HA)
The two FortiGate-800 units will be connected in a high-availability (HA) cluster in active-active mode. This is a redundant configuration ensuring network traffic will be virtually
uninterrupted should one unit fail. If only a single unit were present and experienced
problems, the main branch would be cut-off from the Internet and the branch offices.
Because the branches route their traffic through the main office, they’d also be isolated.
Active-active mode has the advantage of using the processing power of the subordinate
unit to increase the efficiency of antivirus scanning. The two FortiGate-800 units fulfil a
mission-critical role.

Configuring HA
Connect the cluster units to each other and to your network. You must connect all
matching interfaces in the cluster to the same hub or switch. Then you must connect these
interfaces to their networks using the same hub or switch.
To connect the cluster units
1 Connect the internal interfaces of each FortiGate-800 unit to a switch or hub connected
to your internal network.
2 Connect port2, port3, port4, external, and DMZ interfaces as described in step 1. See
Figure 42.
3 Connect the heartbeat interface of the both FortiGate-800 units using a crossover
cable, or normal cables connected to a switch.


Figure 42: HA Cluster Configuration with switches connecting redundant interfaces
[Figure: two FortiGate-800 units with their HA (heartbeat) interfaces connected to each other. Each matching pair of interfaces is connected through a switch to its network: External 192.168.147.30, DMZ 10.100.1.1, Internal 10.100.2.1, Port2 10.100.3.1, Port3 10.100.4.1 and Port4 10.100.5.1.]

To configure the primary unit - web-based manager
1 Power on one of the cluster units and log in to its web based interface.
2 Go to System > Config > HA and set the mode to Active-Active.
3 For the Group Name enter Library.
4 Enter a cluster password.
5 Select ha as the heartbeat interface.
6 Select OK.
7 Go to System > Network > Interface and set the interface IP addresses as indicated in
Figure 42 on page 333.
To configure the primary unit - CLI
config system ha
    set mode a-a
    set group-name library
    set password #####
    set hbdev ha
end

To configure the subordinate unit - web-based manager
1 Power on the subordinate cluster unit and log in to its web based interface.
2 Go to System > Config > HA and set the mode to Active-Active.
3 Change the device priority from the default 128 to 64. The FortiGate unit with the
highest device priority in a cluster becomes the primary unit.
4 For the Group Name enter Library.
5 Enter the cluster password.
6 Select ha as the heartbeat interface.
7 Select OK.


To configure the subordinate unit - CLI
config system ha
    set mode a-a
    set priority 64
    set group-name library
    set password #####
    set hbdev ha
end

The two cluster units will then connect and begin communicating to determine which will
become the primary. The primary will then transfer its own configuration data to the
subordinate. In the few minutes required for this process, traffic will be interrupted. Once
completed, the two clustered units will appear as a single FortiGate unit to the network.
You can now configure the cluster as if it were a single FortiGate unit.
Note: All the FortiGate units in a cluster must have unique host names. Default host names
are the device serial numbers so unique names are automatic unless changed. If any
FortiGate device host names have been changed, confirm that there is no duplication in
those to be clustered.

HA is configured in System > Config > HA. For more information about HA, see the
FortiGate HA Overview on the Fortinet Technical Documentation web page.

FortiGuard
Four FortiGate features take advantage of the FortiGuard Service. They are Antivirus,
Intrusion Prevention, Web Filtering, and Antispam
Antivirus and intrusion prevention (IPS) signatures are updated automatically to detect
new attacks and viruses with FortiGuard updates. Virus scanning and IPS are configured
in protection profiles.
FortiGuard Web filtering is enabled and configured in each protection profile. When a web
page is requested, the URL is sent to the FortiGuard service and the category it belongs to
is returned. The FortiGate unit checks the FortiGuard Web Filtering settings and allows or
blocks the web page. The FortiGuard Web Filtering is configured in protection profiles.
FortiGuard Antispam is also enabled or disabled in each protection profile. The FortiGuard
service is consulted on whether each message in question is spam, and the FortiGate acts
accordingly. There are a number of ways to check a message, and each method can be
enabled or disabled in the protection profile. The Antispam is configured in protection
profiles.
The library network is configured with the FortiGate-800 cluster performing all virus
scanning, spam filtering, and FortiGuard web filtering. The settings defining how the
FortiGuard Distribution Network is contacted are configured in System > Maintenance >
FortiGuard.

IPSEC VPN
The main office serves as a hub for the VPN connections from the branch offices. To make
the generation and maintenance of the required policies simpler, interface-mode VPNs will
be used. Interface-mode VPNs are configured largely the same as tunnel-mode VPNs, but
the way they’re used differs significantly. Interface-mode VPNs appear as network
interfaces, like the DMZ, port2, and external network interfaces.


Network topology is easier to visualize because you no longer have a single interface
sending and receiving both encrypted VPN traffic and unencrypted regular traffic. Instead,
the physical interface handles the regular traffic, and the VPN interface handles the
encrypted traffic. Further, policies no longer need to specify whether traffic is IPsec
encrypted. If traffic is directed to a VPN interface, the FortiGate unit knows it is to be
encrypted.
Interface-mode VPNs are used in this configuration because they will require far fewer
policies. Policies for tunnel-mode VPNs require selection of a tunnel in the policy. Many
tunnels can connect to a single physical interface, so the policy needs to know what traffic
it is responsible for.
Since interface-mode VPNs are used as any other network interface, they can be
collected into a zone and treated as a single entity. Addressing names and groups
differentiate what type of user is generating the traffic, so what tunnel it comes out of isn’t
important in the library’s configuration. All branch offices are treated the same.
For example, using tunnel-mode VPNs, 12 branches would require twelve policies to allow
employees to connect directly to the email and web servers. The branch 1 policy would
allow the IP range defined for staff coming from the branch 1 tunnel access to the DMZ. A
second policy would allow the IP range defined for staff coming from the branch 2 tunnel
access to the DMZ, and so on. Since the tunnel must be specified, there must be one
policy for each tunnel, and this is just for branch staff to DMZ traffic. In the library’s network
configuration, there are nine traffic type/destination combinations using the VPN. This
would require 108 policies for 12 branches.
To simplify things we instead give names to the address ranges based on use and
location. IP address range 10.1.2.[2-255] is named Branch 1 Staff and 10.2.2.[2-255] is
named Branch 2 Staff. The same procedure is followed for the remainder of the branches
and all the resulting branch staff names are put into an address group called Branch Staff.
All branch staff computers can be referenced with a single name. Similarly, after all the
branch VPNs are created and named Branch 1, Branch 2, etc., they can be combined into
a single zone named Branches.
From here, it’s a simple matter to configure a single policy to handle staff traffic from all
branches to the email and web servers located on the main office DMZ rather than a policy
for each branch office. Should any branch require special treatment, its VPN interface can
be removed from the zone and separate policies tailored to it.
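The addressing plan from the Network addressing section and the zone-based policy simplification described above, as an added Python illustration (not code from the handbook or from Fortinet): the script encodes the 10.x.y.z convention, generates the per-branch address names and Branch_* address groups for any number of branches, collects the interface-mode VPN interfaces Branch1..BranchN into a Branches zone, and renders the single branch-staff-to-DMZ policy that replaces one policy per tunnel. The FortiOS CLI keywords it emits (config firewall address, addrgrp, system zone and firewall policy with their set options) are the editor's rendering of the FortiOS 4.0 CLI and are an assumption; the policy id 1, the dmz interface name and the address name Servers are taken from the example text.

```python
"""Address plan and zone helper for the library example.

Added illustration, not code from the handbook or from Fortinet. It encodes
the 10.x.y.z addressing convention from "Network addressing" and renders the
address names, Branch_* address groups, a Branches zone of interface-mode VPN
interfaces, and the single branch-staff-to-DMZ policy that the zone makes
possible. The FortiOS CLI keywords emitted below are the editor's rendering
of the FortiOS 4.0 CLI (an assumption); policy id 1 and the address name
"Servers" follow the example text.
"""
import ipaddress

MAIN_OFFICE = 100          # x octet of the main office
PURPOSES = {               # y octet -> purpose of the attached devices
    1: "Infrastructure",
    2: "Staff",
    3: "Catalog",
    4: "Public",
    5: "WiFi",
}
NAMED_RANGES = ("Staff", "Catalog", "Public", "WiFi")   # ranges the handbook names per branch


def classify(ip):
    """Return (location, purpose) for a host address in the 10.x.y.z plan.

    location is "Main" for x == 100, otherwise the branch number.
    Raises ValueError for addresses outside the plan.
    """
    first, x, y, z = ipaddress.IPv4Address(ip).packed
    if first != 10 or y not in PURPOSES or z in (0, 255):
        raise ValueError(f"{ip} is not a host address in the library plan")
    return ("Main" if x == MAIN_OFFICE else x), PURPOSES[y]


def branch_address_objects(branch_count):
    """Branch_<n>_<Purpose> -> (start-ip, end-ip) for every branch and named range."""
    objects = {}
    for n in range(1, branch_count + 1):
        for y, purpose in PURPOSES.items():
            if purpose in NAMED_RANGES:
                objects[f"Branch_{n}_{purpose}"] = (f"10.{n}.{y}.2", f"10.{n}.{y}.254")
    return objects


def branch_address_groups(branch_count):
    """Branch_<Purpose> -> member address names from all branches."""
    return {f"Branch_{p}": [f"Branch_{n}_{p}" for n in range(1, branch_count + 1)]
            for p in NAMED_RANGES}


def policy_count(branch_count, traffic_types=9):
    """Policies needed for branch traffic: one per tunnel and traffic type in
    tunnel mode, one per traffic type when the tunnels are collected in a zone."""
    return {"tunnel_mode": branch_count * traffic_types, "zone": traffic_types}


def render_cli(branch_count):
    """Render the address objects, groups, Branches zone and one staff-to-DMZ policy."""
    out = ["config firewall address"]
    for name, (start, end) in branch_address_objects(branch_count).items():
        out += [f'    edit "{name}"', "        set type iprange",
                f"        set start-ip {start}", f"        set end-ip {end}", "    next"]
    out.append("end")
    out.append("config firewall addrgrp")
    for name, members in branch_address_groups(branch_count).items():
        out += [f'    edit "{name}"',
                "        set member " + " ".join(f'"{m}"' for m in members), "    next"]
    out.append("end")
    # Interface-mode tunnels Branch1..BranchN collected into a single zone.
    tunnels = " ".join(f'"Branch{n}"' for n in range(1, branch_count + 1))
    out += ["config system zone", '    edit "Branches"',
            f"        set interface {tunnels}", "    next", "end"]
    # One policy covers staff from every branch to the DMZ servers.
    out += ["config firewall policy", "    edit 1",
            '        set srcintf "Branches"', '        set dstintf "dmz"',
            '        set srcaddr "Branch_Staff"', '        set dstaddr "Servers"',
            "        set action accept", "        set schedule always",
            "        set service ANY", "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_cli(2))
    print(policy_count(12))
```

Running the script prints the generated objects for two branches and the policy count for twelve (108 policies in tunnel mode against 9 with the zone). Removing a branch from the zone for special treatment, as the text describes, is then a matter of editing the set interface line and adding policies for that one tunnel.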

Configuring IPSEC VPNs
The VPNs secure data exchanged between each branch and the main office.
To create the main office VPN connection to branch 1 - web-based manager
1 Go to VPN > IPSEC > Auto Key (IKE).
2 Select Create Phase 1.
3 Enter Branch 1 for the Name.
4 Select Static IP Address for Remote Gateway.
5 Enter 192.168.23.89 for the IP Address.
6 Select External for the Local Interface.
7 Select Main (ID Protection) for the Mode.
8 Select Preshared Key as the Authentication Method and enter the preshared key.
9 Select advanced and select Enable IPsec Interface Mode.
10 Select OK.


To create the main office VPN connection to branch 1 - CLI
config vpn ipsec phase1-interface
    edit Branch1
        set remote-gw 192.168.23.89
        set interface external
        set mode main
        set psksecret ########
    next
end
Note: The preshared key is a string of alphanumeric characters and should be unique for
each branch. The preshared key entered at each end of the VPN connection must be
identical.

To configure the Phase 2 portion of the VPN connection to Branch 1 - web-based
manager
1 Go to VPN > IPSEC > Auto Key (IKE).
2 Select Create Phase 2.
3 Enter Main to Branch1 for the Name.
4 Select Branch 1 from the Phase 1 drop down list.
5 Select OK.
The advanced options can be left to their default values.
To configure the Phase 2 portion of the VPN connection to Branch 1 - CLI
config vpn ipsec phase2-interface
    edit Branch1
        set phase1name Branch1
    next
end
The configuration steps to create the VPN tunnel have to be repeated for each branch
office to be connected in this way. Additional branches use the same Phase 1 settings
except for Name, IP Address, and Preshared Key.

IP Pools
IP Pools allow the traffic leaving an interface to use an IP address different than the one
assigned to the interface itself. One use of IP pools is for users who receive a type of traffic
that cannot be mapped to different ports. Without IP pools, only one user at a time could
send and receive these traffic types.
In the library’s case, a single IP address will be put into an IP pool named
Public_Access_Address. All of the policies that allow traffic from the public access
terminals (including the WiFi access point) will be configured to use this IP pool. The result
is that any traffic from the public access terminals will appear to be coming from the IP
pool address rather than the external interface’s IP address. This is true even though the
public access traffic will flow out of the external interface.
The purpose is to separate the public access users from the library staff from the point of
view of the Internet at large. Should a library patron abuse the Internet connection by
sending spam or attempting to unlawfully access a system out on the Internet, any
action taken against the source IP will not inconvenience staff. The library can continue to
function normally while the problem is dealt with.


Configuring IP pools
To add a new IP pool for public access users - web-based manager
1 Go to Firewall > Virtual IP > IP Pool and select Create New.
2 Enter Public_Access_Address for the Name.
3 In the IP Range/Subnet field, enter 192.168.230.64. This address was obtained
from the library’s Internet service provider.
4 Select OK.
To add a new IP pool for public access users - CLI
config firewall ippool
edit Public_Access_Address
set startip 192.168.230.64
set endip 192.168.230.64
end
Note: Although IP pools are usually created with a range of addresses, an IP pool with a
single address is valid.
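The effect of the Public_Access_Address pool on what the Internet sees, as an added Python model (not code from the handbook or from Fortinet): traffic from public access terminals and public WiFi (y octet 4 or 5 in the 10.x.y.z plan) is given the pool address, everything else keeps the external interface address, and a helper checks whether a remote block against one of those addresses would also affect staff traffic. The addresses 192.168.230.64 and 192.168.147.30 are the ones the example uses; the host addresses in sample_log() are constructed, and the spreading of sources over a multi-address pool is an assumption for illustration only.

```python
"""Model of the public-access source NAT in the library example.

Added illustration, not code from the handbook or from Fortinet. Traffic from
public access terminals and public WiFi (y octet 4 or 5 in the 10.x.y.z plan)
leaves the external interface with the IP pool address; all other traffic
keeps the external interface address. The two public addresses are the ones
the handbook uses; the host addresses in sample_log() are constructed.
"""
import ipaddress

EXTERNAL_IP = ipaddress.IPv4Address("192.168.147.30")
# Public_Access_Address pool: start and end are the same, a one-address pool.
PUBLIC_ACCESS_POOL = (ipaddress.IPv4Address("192.168.230.64"),
                      ipaddress.IPv4Address("192.168.230.64"))


def is_public_access(src):
    """True for public terminals (y == 4) or public WiFi (y == 5) at any location."""
    first, _x, y, _z = ipaddress.IPv4Address(src).packed
    return first == 10 and y in (4, 5)


def pool_address(pool, src):
    """Address taken from the pool for src. A one-address pool always yields that
    address; for a range, sources are spread by host address (an assumption for
    illustration, not the FortiGate allocation algorithm)."""
    start, end = pool
    size = int(end) - int(start) + 1
    return start + (int(ipaddress.IPv4Address(src)) % size)


def translated_source(src):
    """Source address the Internet sees for a packet from src."""
    return pool_address(PUBLIC_ACCESS_POOL, src) if is_public_access(src) else EXTERNAL_IP


def staff_affected_by_block(blocked_ip, staff_src="10.100.2.15"):
    """Would a remote site blocking blocked_ip also cut off staff traffic?"""
    return translated_source(staff_src) == ipaddress.IPv4Address(blocked_ip)


def sample_log():
    """Constructed mapping of internal sources to the address seen on the Internet."""
    hosts = ["10.100.2.15", "10.100.4.20", "10.100.5.33", "10.1.4.9", "10.1.2.40"]
    return {h: str(translated_source(h)) for h in hosts}


if __name__ == "__main__":
    for src, seen in sample_log().items():
        print(f"{src:>12} -> {seen}")
```

Branch public traffic (10.1.4.9 above) gets the pool address too, because it reaches the Internet through the main office policies that reference the Branch_Public group; a block placed on 192.168.230.64 by a remote site therefore leaves staff traffic on 192.168.147.30 untouched.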

User Disclaimer
When using the public terminals or wireless access, the first time a web page external to
the library’s network is requested, a disclaimer will pop up. This is configured in policies
controlling access to the Internet. The user must agree to the stated conditions before they
can continue.

Configuring the user disclaimer
The disclaimer message is set in System > Config > Replacement Message >
Authentication > Disclaimer page. The default message is changed to reference the library
instead of the generic ‘network access provider’ as shown here:
You are about to access Internet content that is not under the control of the library. The
library is therefore not responsible for any of these sites, their content, or their privacy
policies. The library and its staff do not endorse or make any representations about these
sites, or any information, software, or other products or materials found there, or any
results that may be obtained from using them. If you decide to access any Internet
content, you do this entirely at your own risk and you are responsible for ensuring that any
accessed material does not infringe the laws governing, but not exhaustively covering,
copyright, trademarks, pornography, or any other material which is slanderous,
defamatory or might cause offence in any other way.
Do you agree to the above terms?
If the user decides not to agree to the disclaimer, a second message appears and they are
not allowed to communicate with any systems out on the Internet. This second disclaimer
message is set in System > Config > Replacement Message > Authentication > Declined
disclaimer page. The default text of this declined disclaimer is acceptable:
Sorry, network access cannot be granted unless you agree to the disclaimer.
Enabling this feature is detailed in the policy configuration steps.


Protection Profiles
Policies control whether traffic flowing through a FortiGate unit from a given source is
allowed to travel to a given destination. UTM profiles are selected in each policy and define
how the traffic is examined and what action may be taken based on the results of the
examination. But before they can be selected in a policy, UTM profiles have to be defined.
A brief overview is given for a typical protection profile, and the information required for all
protection profiles, in this example, follows in table form. For complete policy construction
steps, see the FortiGate Administration Guide.
UTM profiles are grouped based on the type of network threat, and added as needed to a
given firewall policy. UTM profiles include:


• AntiVirus
• Protocol Options
• Intrusion Protection
• Web Filter
• Email Filter (antispam)
• Data Leak Prevention
• Application Control
• VoIP

The following tables provide all the settings of all four UTM profiles used in the library
network example. Each table focuses on one section of the specific UTM profile settings.
Note: The settings in the tables listed below are for the library example only. For complete
UTM profile information see the FortiGate Administration Guide.
In this example, if a setting is to be left in the default setting, it is not expanded in the tables
below.

Table 14: UTM profiles, Name and Comments

| Profile Name | Comment (optional) |
|---|---|
| Staff | Use with all policies for traffic from staff computers. |
| Public | Use with all policies for traffic from the public access or WiFi. |
| Servers | Use for policies allowing the public access to the library web server from the Internet, or email server communication. |
| Web_Internal | Use for policies allowing access to the library web server from catalog terminals. |

The comment field is optional, but recommended. With many profiles, the comment can
be invaluable in quickly identifying profiles.


Table 15: UTM profiles, Antivirus settings

| Setting | Staff | Public | Servers | Web_Internal |
|---|---|---|---|---|
| Virus Scan | Enable for HTTP, FTP, IMAP, POP3, SMTP, IM and NNTP; Logging | Enable for HTTP, FTP, IMAP, POP3, SMTP, IM and NNTP; Logging | Enable for HTTP, FTP, IMAP, POP3, SMTP, IM and NNTP; Logging | Disable |
| File Filter | Disable | Disable | Disable | Disable |
| Quarantine | Enable for HTTP, FTP, IMAP, POP3, SMTP, IM and NNTP | Enable for HTTP, FTP, IMAP, POP3, SMTP, IM and NNTP | Enable for HTTP, FTP, IMAP, POP3, SMTP, IM and NNTP | Disable |

Note: The FortiGate unit must have either an internal hard drive or a configured
FortiAnalyzer unit for the Quarantine option to appear.

Table 16: UTM profiles, Protocol Options settings

| Setting | Staff | Public | Servers | Web_Internal |
|---|---|---|---|---|
| Pass Fragmented Emails | Enable for IMAP, POP3, and SMTP | Enable for IMAP, POP3, and SMTP | Enable for IMAP, POP3, and SMTP | Disable |
| Comfort Clients | Enable for HTTP and FTP | Enable for HTTP and FTP | Disable | Disable |
| Interval | 10 | 10 | 10 | 10 |
| Amount | 1 | 1 | 1 | 1 |
| Oversized File/Email | Pass | Pass | Pass | Pass |
| Threshold | Default | Default | Default | Default |
| Append Signature | Disable | Disable | Disable | Disable |

Table 17: Protection profiles, FortiGuard Web Filtering/Advanced Filter

| Setting | Staff | Public | Servers | Web_Internal |
|---|---|---|---|---|
| Enable FortiGuard Web Filtering | Disable | Enable HTTP* | Disable | Disable |
| Enable FortiGuard Web Filtering Overrides | Disable | Disable | Disable | Disable |
| Provide details for blocked HTTP 4xx and 5xx errors | Disable | Enable HTTP | Disable | Disable |
| Rate images by URL (blocked images will be replaced with blanks) | Disable | Enable HTTP | Disable | Disable |
| Allow websites when a rating error occurs | Disable | Disable | Disable | Disable |
| Strict Blocking | Enable HTTP | Enable HTTP | Enable HTTP | Enable HTTP |
| Rate URLs by domain and IP address | Disable | Enable HTTP | Disable | Disable |

*The Public protection profile has FortiGuard web filtering enabled and set to block
advertising, malware, and spyware categories. Additional categories can be blocked if
required by library policy.
Table 18: Protection profiles, Email Filtering

| Setting | Staff | Public | Servers | Web_Internal |
|---|---|---|---|---|
| IP address check | Enable for IMAP, POP3 and SMTP | Disable | Enable for IMAP, POP3 and SMTP | Disable |
| URL check | Enable for IMAP, POP3 and SMTP | Disable | Enable for IMAP, POP3 and SMTP | Disable |
| E-mail checksum check | Enable for IMAP, POP3 and SMTP | Disable | Enable for IMAP, POP3 and SMTP | Disable |
| Spam submission | Enable for IMAP, POP3 and SMTP | Disable | Enable for IMAP, POP3 and SMTP | Disable |
| IP address BWL check | Disable | Disable | Disable | Disable |
| HELO DNS lookup | Disable | Disable | Disable | Disable |
| E-mail address BWL check | Enable for IMAP, POP3 and SMTP | Disable | Enable for IMAP, POP3 and SMTP | Disable |
| Return e-mail DNS check | Enable for IMAP, POP3 and SMTP | Disable | Enable for IMAP, POP3 and SMTP | Disable |
| Banned word check | Disable | Disable | Disable | Disable |
| Spam Action | Tagged | Disable | Tagged | Disable |
| Tag Location | Subject | Subject | Subject | Subject |
| Tag Format | [spam] | | [spam] | |

Email is not scanned for spam using the Public protection profile. Users of the public
access terminals will use their own webmail accounts if checking mail, and WiFi
connected users will have their own spam solutions, if desired.
Table 19: Protection profiles, Intrusion Protection

| Setting | Staff | Public | Servers | Web_Internal |
|---|---|---|---|---|
| IPS sensor | Select all_default | Select all_default | Select all_default | Disable |

You can create your own IPS sensors by going to Intrusion Protection > Signature > IPS
Sensor. The IPS option does not select denial of service (DoS) sensors. For more
information, see the FortiGate Administration Guide.


Table 20: Protection profiles, Application Control

| Setting | Staff | Public | Servers | Web_Internal |
|---|---|---|---|---|
| Block IM | Disable for all IM protocols | Enable for all IM protocols | Disable for all IM protocols | Disable for all IM protocols |
| Block P2P | Block for all P2P protocols | Block for all P2P protocols | Block for all P2P protocols | Block for all P2P protocols |

Staff employees are permitted to use instant messaging while public access users are not.
All users have peer to peer clients blocked.

Staff access
Staff members can access the Internet as well as directly connect to the library web and
email servers.
Since the network uses private addresses and has no internal DNS server, connections to
the web and email servers must be specified by IP address. The private network address
will keep all communication between the server and email client on the local network and
secure against interception on the Internet.
If a staff member attempts to open the library web page or connect to the email server
using either server’s virtual IP or fully qualified domain name, their request goes out over
the Internet, and returns through the FortiGate unit. This method will make their
transmission vulnerable to interception.
The web browsers on staff computers will be configured with the library web page as the
default start page. Staff members’ email software should be configured to use the email
server’s private network IP address rather than the virtual IP or fully qualified domain
name. These two steps will prevent staff from having to remember the servers’ IP
addresses.

Creating firewall policy for staff members
The first firewall policy for main office staff members allows full access to the Internet at all
times. A second policy allows main office staff direct access to the DMZ. A second pair of
policies is required to give branch staff members the same access.
The staff firewall policies will all use a protection profile configured specifically for staff
access. Enabled features include virus scanning, spam filtering, IPS, and blocking of all
P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and
spyware sites.
A few users may need special web and catalog server access to update information on
those servers, depending on how they’re configured. Special access can be allowed
based on IP address or user.
A brief overview procedure is given for a typical policy, and the information required for all
staff policies follows in table form. For more detailed information see the FortiGate
Administration Guide.
Step-by-step policy creation example - web-based manager
1 To create a policy to allow main office staff to connect to the Internet, go to Firewall >
Policy > Policy and select Create New.

2 Fill in the following fields:
Source interface/Zone
Source address
Destination interface/Zone
Schedule
Service
Action
Enable NAT
UTM Profile - enable all Staff profiles.
Log allowed traffic
Traffic shaping
User authentication disclaimer
Comments (optional)

3 Select OK.
The settings required for all staff policies are provided in Table 21.
Table 21: Library staff policies
Setting | Main office staff connect to the Internet | Main office staff connect to library servers | Branch office staff connect to the Internet | Branch office staff connect to library servers
Source Interface/Zone | Internal | Internal | Branches | Branches
Source Address | All | All | Branch_Staff | Branch_Staff
Destination Interface/Zone | External | DMZ | External | DMZ
Destination Address | All | Servers | All | Servers
Schedule | Always | Always | Always | Always
Service | All | All | All | All
Action | Accept | Accept | Accept | Accept
NAT | Enable | Enable | Enable | Enable
UTM Profiles | Enable and select (all configured) Staff | Enable and select Staff | Enable and select Staff | Enable and select Staff
Log Allowed Traffic | Enable | Enable | Enable | Enable
Authentication | Disable | Disable | Disable | Disable
Traffic Shaping | Disable | Disable | Disable | Disable
User Authentication Disclaimer | Disable | Disable | Disable | Disable
Comment (optional) | Main office: staff computers connecting to the Internet. | Main office: staff computers connecting to the library servers. | Branch offices: staff computers connecting to the Internet. | Branch offices: staff computers connecting to the library servers.

Catalog terminals
Dedicated computers are provided for the public to search the library catalog. The only
application available on the catalog terminals is a web browser, and the only site the
catalog terminal web browser can access is the library web page, which includes access
to the catalog. The browser is configured to use the library web server’s private network
address as the start page.

Creating firewall policies for catalog terminals
The policy used for the catalog access terminals only allows communication with the DMZ.
Create two new policies, one for main office access and another to allow access from the
branch offices.
The settings required for all catalog terminal policies in this example are provided in
Table 22 on page 343.
For complete policy construction steps, see the FortiGate Administration Guide.
Table 22: Catalog terminal policies
Setting | Main office catalog terminals connect to web server | Branch office catalog terminals connect to web server
Source Interface/Zone | port2 | Branches
Source Address | All | Branch_Catalog
Destination Interface/Zone | DMZ | DMZ
Destination Address | Web_Server | Web_Server
Schedule | Always | Always
Service | HTTP | HTTP
Action | Accept | Accept
NAT | Enable | Enable
UTM Profiles | Disable | Disable
Log Allowed Traffic | Enable | Enable
Authentication | Disable | Disable
Traffic Shaping | Disable | Disable
User Authentication Disclaimer | Disable | Disable
Comments (optional) | Main office: catalog terminals connecting to the web server. | Branch offices: catalog terminals connecting to the web server.

Public access terminals
Terminals are provided for library patrons to access the Internet. Protection profile settings
block all instant messaging and peer to peer connections. In addition, library staff can
block individual sites and entire site categories as deemed necessary. Site categories are
blocked using FortiGuard web filtering configured in the protection profile.

Creating firewall policies for public access terminals
Library users can access the Internet from the public terminals. The public terminal
machines have the library’s web page as the web browser’s default start page. The
address is the web server’s private network IP so the traffic between the terminal and the
web server remains on the library’s network.
The settings required for all public access terminal policies in this example are provided in
Table 23 on page 344.
For complete policy construction steps, see the FortiGate Administration Guide.
Table 23: Public access terminal policies
Setting | Main office public access users connect to Internet | Main office public access users connect to web server | Branch offices public access users connect to Internet | Branch offices public access users connect to web server
Source Interface/Zone | Port3 | Port3 | Branches | Branches
Source Address | Main_Public | Main_Public | Branch_Public | Branch_Public
Destination Interface/Zone | External | DMZ | External | DMZ
Destination Address | All | Web_Server | All | Web_Server
Schedule | Always | Always | Always | Always
Service | All | HTTP | All | HTTP
Action | Accept | Accept | Accept | Accept
NAT | Enable NAT, enable Dynamic IP Pool and select Public_Access_Address | Enable NAT. | Enable NAT, enable Dynamic IP Pool and select Public_Access_Address | Enable NAT.
UTM Profiles | Enable and select Public for each type. | Enable and select Web_Internal for each type. | Enable and select Public for each type. | Enable and select Web_Internal for each type.
Log Allowed Traffic | Enable | Enable | Enable | Enable
Authentication | Disable | Disable | Disable | Disable
Traffic Shaping | Disable | Disable | Disable | Disable
User Authentication Disclaimer | Enable User Authentication Disclaimer and leave Redirect URL field blank. | Disable | Enable User Authentication Disclaimer and leave Redirect URL field blank. | Disable
Comments (optional) | Main office: public access terminals connecting to the Internet. | Main office: public access terminals connecting to the library web server. | Branch offices: public access terminals connecting to the Internet. | Branch offices: public access terminals connecting to the library web server.

Wireless access
Wireless access allows library visitors to browse the Internet from their own WiFi-enabled
laptops. The same protection profile is applied to WiFi access as is used for the Public
terminals, so IM and P2P are blocked and the same FortiGuard web blocking is applied.

Security considerations
The wireless interface of the FortiWiFi-80CM will have its DHCP server assign IP
addresses to users wanting to connect to the Internet. The FortiWiFi-80CM will also
broadcast its SSID, set to 'library' or something similarly identifiable. Stricter wireless
security would be of limited value because anyone could request and receive access, and
library staff would spend significant time serving as technical support to patrons not
entirely familiar with their own equipment. Instead, the firewall policy applied to wireless
access limits Internet connectivity to the main office's business hours. This decision will be
reviewed periodically, especially if public access is abused.
Wireless security is configured in System > Wireless > Settings.
The number of concurrent wireless users can be adjusted by reducing or expanding the
range of addresses the DHCP server on the WiFi port has available to assign. Limiting
users this way is only partially effective on its own, because a user can set a static
address in the same subnet and gain access. To prevent this, configure the address object
used in the policy with the same IP range the DHCP server assigns. Users can still set a
static IP, but the policy will not allow them any access.
The wireless DHCP server is configured in System > Network > Interface. Select the edit
icon for the wlan interface.

Creating schedules for wireless access
Library users can access the Internet from the WiFi connection. The policies used for WiFi
incorporate a schedule that limits Internet access to the hours when the library is open to
the public.
The protection profile used for library users enables virus scanning, IPS, and blocking of
all P2P traffic and IM logins. Spam filtering is not enabled. FortiGuard web filtering is used
to block malware and spyware sites. Additional categories can be blocked if required by
library policy.
The library hours are:
Mon-Thurs 10am - 9pm
Fri-Sat 10am - 6pm
Sun 1pm - 5pm

Because of the varying library hours through the week, three separate schedules are
required.
To create Monday to Thursday business hours schedule - web-based manager
1 Go to Firewall > Schedule > Recurring and select Create New.
2 Enter Mon-Thurs for the schedule name.
3 Select the check boxes for Monday, Tuesday, Wednesday, and Thursday.
4 Select 10 for the start hour and 00 for the start minute.
5 Select 21 for the end hour and 00 for the end minute.
6 Select OK.

To create Monday to Thursday business hours schedule - CLI
config firewall schedule recurring
edit Mon-Thurs
set day monday tuesday wednesday thursday
set start 10:00
set end 21:00
end

To create Friday and Saturday business hours schedule - web-based manager
1 Go to Firewall > Schedule > Recurring and select Create New.
2 Enter Fri-Sat for the schedule name.
3 Select the check boxes for Friday and Saturday.
4 Select 10 for the start hour and 00 for the start minute.
5 Select 18 for the end hour and 00 for the end minute.
6 Select OK.
To create Friday and Saturday business hours schedule - CLI
config firewall schedule recurring
edit Fri-Sat
set day friday saturday
set start 10:00
set end 18:00
end

To create Sunday business hours schedule - web-based manager
1 Go to Firewall > Schedule > Recurring and select Create New.
2 Enter Sun for the schedule name.
3 Select the check box for Sunday.
4 Select 13 for the start hour and 00 for the start minute.
5 Select 17 for the end hour and 00 for the end minute.
6 Select OK.
To create Sunday business hours schedule - CLI
config firewall schedule recurring
edit Sun
set day sunday
set start 13:00
set end 17:00
end

For holidays, special one-time schedules can be created. These schedules specify the
year, month, and day in addition to the hour and minute. Duplicate policies can be created
with one-time schedules to cover holidays. Policies are matched from top to bottom, so
position these special holiday policies above the regular recurring-schedule policies;
otherwise the holiday policies will never come into effect.
One-time schedules are configured in Firewall > Schedule > One-time in the web-based
manager and with config firewall schedule onetime in the CLI.
Grouping schedules

To simplify firewall policy creation for WiFi, the three schedules created above can be
added to a schedule group, so that a single policy using the schedule group replaces three
separate policies.
To create a schedule group - web-based manager
1 Go to Firewall > Schedule > Group.
2 Select Create New.
3 Enter WiFi_Schedule for the Name.
4 Select the schedules from the Available Schedules list.
5 Select the Down-arrow to add them to the Members list.
6 Select OK.
To create a schedule group - CLI
config firewall schedule group
edit WiFi_Schedule
set member Mon-Thurs Fri-Sat Sun
end
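The three recurring schedules, the WiFi_Schedule group, the top-to-bottom rule for one-time holiday policies, and the advice under Security considerations to give the policy's address object the same range as the WiFi DHCP pool, worked through in a small Python model of FortiGate first-match policy evaluation. This is an added example, not handbook or FortiOS code; the Main_WiFi range 10.100.4.0/24 and the holiday date are constructed assumptions.

```python
"""Added illustration (not FortiOS or handbook code): a minimal model of how a
FortiGate walks its policy list top to bottom and evaluates recurring, one-time
and grouped schedules, applied to the library's main office WiFi policies."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Recurring:
    """Firewall > Schedule > Recurring: weekdays (0 = Monday) and a daily window."""
    name: str
    days: Set[int]
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() < self.end


@dataclass
class OneTime:
    """Firewall > Schedule > One-time: absolute start and end (date and time)."""
    name: str
    start: datetime
    end: datetime

    def active(self, at: datetime) -> bool:
        return self.start <= at < self.end


@dataclass
class Group:
    """Firewall > Schedule > Group: active while any member schedule is active."""
    name: str
    members: list

    def active(self, at: datetime) -> bool:
        return any(m.active(at) for m in self.members)


class Always:
    def active(self, at: datetime) -> bool:  # the built-in 'Always' schedule
        return True


@dataclass
class Policy:
    name: str
    srcintf: str
    srcaddr: object     # the address object used in the policy (an ip_network)
    dstintf: str
    schedule: object
    action: str         # "accept" or "deny"


def first_match(policies: List[Policy], srcintf: str, src_ip: str,
                dstintf: str, at: datetime) -> Optional[Policy]:
    """First policy, top to bottom, whose interfaces, source address and
    schedule all match; None is the implicit deny at the end of the list."""
    ip = ip_address(src_ip)
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and ip in p.srcaddr and p.schedule.active(at)):
            return p
    return None


# The library hours from the example: Mon-Thurs 10-21, Fri-Sat 10-18, Sun 13-17.
MON_THURS = Recurring("Mon-Thurs", {0, 1, 2, 3}, time(10, 0), time(21, 0))
FRI_SAT = Recurring("Fri-Sat", {4, 5}, time(10, 0), time(18, 0))
SUN = Recurring("Sun", {6}, time(13, 0), time(17, 0))
WIFI_SCHEDULE = Group("WiFi_Schedule", [MON_THURS, FRI_SAT, SUN])

# Assumed values: the handbook gives no range for Main_WiFi, so this stands in
# for the WiFi DHCP pool that the Main_WiFi address object is set to match; the
# holiday date is constructed for the illustration.
MAIN_WIFI = ip_network("10.100.4.0/24")
HOLIDAY = OneTime("Holiday_Closed", datetime(2010, 7, 1), datetime(2010, 7, 2))

WIFI_INTERNET = Policy("Main office WiFi to Internet", "Port4", MAIN_WIFI,
                       "External", WIFI_SCHEDULE, "accept")
WIFI_WEB = Policy("Main office WiFi to web server", "Port4", MAIN_WIFI,
                  "DMZ", Always(), "accept")
HOLIDAY_BLOCK = Policy("WiFi closed on holiday", "Port4", MAIN_WIFI,
                       "External", HOLIDAY, "deny")


def decision(policies: List[Policy], src_ip: str, dstintf: str, when: str) -> str:
    """Outcome for a WiFi client on Port4 heading for `dstintf` at ISO time `when`."""
    p = first_match(policies, "Port4", src_ip, dstintf, datetime.fromisoformat(when))
    return p.action if p else "deny (no matching policy)"


if __name__ == "__main__":
    # 1 July 2010 was a Thursday. A holiday policy placed below the recurring
    # policy never takes effect; placed above it, it wins.
    print(decision([WIFI_INTERNET, HOLIDAY_BLOCK], "10.100.4.50", "External", "2010-07-01T12:00"))
    print(decision([HOLIDAY_BLOCK, WIFI_INTERNET], "10.100.4.50", "External", "2010-07-01T12:00"))
    # A static IP outside the Main_WiFi range matches no policy at all.
    print(decision([WIFI_INTERNET, WIFI_WEB], "10.100.5.9", "External", "2010-07-01T12:00"))
```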

Creating firewall policies for WiFi access
Two main office WiFi access policies are required. One incorporates the schedules to
cover the entire week and only allows access while the library is open to the public. The
other policy allows access to the library web server.
For complete policy construction steps, see the FortiGate Administration Guide.
Table 24: Main office WiFi terminal policies
Setting | Main office WiFi users connect to Internet | Main office WiFi users connect to web library server
Source Interface/Zone | Port4 | Port4
Source Address | Main_WiFi | Main_WiFi
Destination Interface/Zone | External | DMZ
Destination Address | All | Web_Server
Schedule | Mon-Thurs | Always
Service | All | HTTP
Action | Accept | Accept
NAT | Enable NAT, enable Dynamic IP Pool and select Public_Access_Address | Enable NAT.
UTM Profile | Enable and select Public for each type. | Enable and select Web_Internal for each type.
Log Allowed Traffic | Enable | Enable
Authentication | Disable | Disable
Traffic Shaping | Disable | Disable
User Authentication Disclaimer | Enable User Authentication Disclaimer and leave Redirect URL field blank. | Disable
Comments (optional) | Main office: WiFi connecting to the Internet (Mon-Thurs). | Main office: WiFi connecting to the library web server.

Two branch office WiFi access policies are required. One incorporates the schedules to
cover the entire week and only allows access while the library is open to the public. The
other policy allows access to the library web server.
The settings required for all branch office WiFi terminal policies in this example are
provided in Table 25 on page 348.
Table 25: Branch office WiFi terminal policies
Setting | Branch office WiFi users connect to Internet | Branch office WiFi users connect to web library server
Source Interface/Zone | Branches | Branches
Source Address | Branch_WiFi | Branch_WiFi
Destination Interface/Zone | External | DMZ
Destination Address | All | Web_Server
Schedule | Mon-Thurs | Always
Service | All | HTTP
Action | Accept | Accept
NAT | Enable NAT, enable Dynamic IP Pool and select Public_Access_Address | Enable NAT.
UTM Profile | Enable and select Public for each type. | Enable and select Web_Internal for each type.
Log Allowed Traffic | Enable | Enable
Authentication | Disable | Disable
Traffic Shaping | Disable | Disable
User Authentication Disclaimer | Enable User Authentication Disclaimer and leave Redirect URL field blank. | Disable
Comments (optional) | Branch offices: WiFi connecting to the Internet (Fri-Sat). | Branch offices: WiFi connecting to the library web server.

Mail and web servers
Since the branch offices do not have their own email servers, all library staff email is sent
or received using the main office email server. Users in branch offices connect through
their VPN to the main office. Maintaining a single server is more convenient and cost
effective than each branch office having its own email server.
Staff email software will be set up with the email server's private network IP address.
Specifying the virtual IP address or domain name would cause the email traffic to loop out
to the Internet and return, exposing it to interception. Similarly, staff computers will be
pre-configured with the library web server's internal network IP address as the start page
address.

Creating a virtual IP for the web server
The library has arranged for another external IP address which will be used for the
library’s Internet web presence. A virtual IP configured on the FortiGate will take any traffic
directed to 172.20.16.192 on the Internet and remap it to the web server at 10.100.1.10 on
the library’s network. The 172.20.16.192 address can be registered with the library’s
domain name so anyone on the Internet entering the URL will bring up the library’s page.

To create a virtual IP for the web server - web-based manager
1 Go to Firewall > Virtual IP > Virtual IP and select Create New.
2 Enter Web_Server_VIP for the Name.
3 Select External from the External Interface drop down.
4 Select Static NAT as the Type.
5 Enter 172.20.16.192 as the External IP Address.
6 Enter 10.100.1.10 as the Mapped IP Address.
7 Disable Port Forwarding.
8 Select OK.
To create a virtual IP for the web server - CLI
config firewall vip
edit Web_Server_VIP
set extintf external
set nat-source-vip enable
set extip 172.20.16.192
set mappedip 10.100.1.10
set portforward disable
end

Creating a virtual IP for the email server
Similar to the web server, the library has another external IP address reserved for the
email server. A virtual IP configured on the FortiGate will take any traffic directed to
172.20.16.120 and remap it transparently to the email server at 10.100.1.11.
To create a virtual IP for the email server - web-based manager
1 Go to Firewall > Virtual IP > Virtual IP and select Create New.
2 Enter Email_Server_VIP for the Name.
3 Select External from the External Interface drop down.
4 Select Static NAT as the Type.
5 Enter 172.20.16.120 as the External IP Address.
6 Enter 10.100.1.11 as the Mapped IP Address.
7 Disable Port Forwarding.
8 Select OK.
To create a virtual IP for the email server - CLI
config firewall vip
edit Email_Server_VIP
set extintf external
set nat-source-vip enable
set extip 172.20.16.120
set mappedip 10.100.1.11
set portforward disable
end

Creating a server service group
Access to and from the web and email servers can be combined into a single policy. The
only difficulty is that email servers exchange mail using the SMTP protocol on port 25,
while contact is made with a web server using HTTP on port 80. If the policy is to restrict
traffic to only the required ports, a service group is required.
To create a server service group - web-based manager
1 Go to Firewall > Service > Group and select Create New.
2 Enter Servers in the Group Name field.
3 From the Available Services list, select HTTP.
4 Select the right-pointing arrow icon to move HTTP to the Members list.
5 From the Available Services list, select SMTP.
6 Select the right-pointing arrow icon to move SMTP to the Members list.
7 Select OK.
To create a server service group - CLI
config firewall service group
edit Servers
set member HTTP SMTP
end

Creating firewall policies to protect email and web servers
An External to DMZ policy is required for access to the web and email servers. Only ports
80 (HTTP) and 25 (SMTP) need to be open.
A DMZ to External policy opening port 25 is required for the library email server to deliver
messages sent to addresses outside the library system.
The settings required for all server policies in this example are provided in Table 26 on
page 350.
For complete policy construction steps, see the FortiGate Administration Guide.
Table 26: Server policies
Setting | Inbound to web and email servers | Outbound from email server
Source Interface/Zone | External | DMZ
Source Address | All | Servers
Destination Interface/Zone | DMZ | External
Destination Address | Servers | All
Schedule | Always | Always
Service | Servers | SMTP
Action | Accept | Accept
NAT | Enable | Enable
UTM Profiles | Enable and select Servers for each type. | Enable and select Servers for each type.
Log Allowed Traffic | Enable | Enable
Authentication | Disable | Disable
Traffic Shaping | Disable | Disable
User Authentication Disclaimer | Disable | Disable
Comments (optional) | Incoming web connections and incoming email delivery from other mail servers. | Outbound email server connections.
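The two virtual IPs, the Servers service group and the server policies of Table 26, worked through in a small Python model of which inbound and outbound connections they admit. This is an added example, not handbook or FortiOS code; it assumes the Servers address object contains the two server addresses 10.100.1.10 and 10.100.1.11.

```python
"""Added illustration (not FortiOS or handbook code): a plain Python model of the
two static-NAT virtual IPs and the Servers service group, showing which
connections the Table 26 server policies admit and how the VIPs translate."""
from typing import List, Optional, Tuple

# Static NAT VIPs with port forwarding disabled (as configured above): the whole
# external address maps to the whole internal address, every port included.
VIPS = {
    "Web_Server_VIP": ("172.20.16.192", "10.100.1.10"),
    "Email_Server_VIP": ("172.20.16.120", "10.100.1.11"),
}
# The two predefined services the example uses, and the Servers service group.
SERVICES = {"HTTP": ("tcp", 80), "SMTP": ("tcp", 25)}
SERVERS_GROUP = ["HTTP", "SMTP"]
# Assumption: the Servers address object holds both server addresses.
SERVERS_ADDR = {"10.100.1.10", "10.100.1.11"}


def translate_vip(dst_ip: str) -> Optional[Tuple[str, str]]:
    """(VIP name, mapped IP) for an inbound destination, None if no VIP owns it."""
    for name, (ext, mapped) in VIPS.items():
        if dst_ip == ext:
            return name, mapped
    return None


def in_service_group(group: List[str], proto: str, port: int) -> bool:
    """True when any service in the group matches the protocol and port."""
    return any(SERVICES[s] == (proto, port) for s in group)


def inbound_decision(dst_ip: str, proto: str, dport: int) -> str:
    """External -> DMZ, destination Servers, service Servers (Table 26, inbound).
    The VIP is resolved first; the policy then matches on the service group."""
    hit = translate_vip(dst_ip)
    if hit is None:
        return "deny: no VIP for destination"
    name, mapped = hit
    if not in_service_group(SERVERS_GROUP, proto, dport):
        return f"deny: {proto}/{dport} not in Servers ({name})"
    return f"accept -> {mapped}:{dport}"


def outbound_decision(src_ip: str, proto: str, dport: int) -> str:
    """DMZ -> External, source Servers, service SMTP, NAT enabled (Table 26,
    outbound). With nat-source-vip enabled, a server's own traffic leaves with
    its VIP address as source instead of the External interface address."""
    if src_ip not in SERVERS_ADDR:
        return "deny: source not in Servers"
    if not in_service_group(["SMTP"], proto, dport):
        return f"deny: {proto}/{dport} is not SMTP"
    for name, (ext, mapped) in VIPS.items():
        if mapped == src_ip:
            return f"accept, source NAT to {ext} ({name})"
    return "accept, source NAT to External interface address"


if __name__ == "__main__":
    print(inbound_decision("172.20.16.192", "tcp", 80))   # accept -> 10.100.1.10:80
    print(inbound_decision("172.20.16.192", "tcp", 22))   # denied by the service group
    # Static NAT plus one shared service group also admits HTTP to the mail VIP.
    print(inbound_decision("172.20.16.120", "tcp", 80))   # accept -> 10.100.1.11:80
    print(outbound_decision("10.100.1.11", "tcp", 25))
```

Because both VIPs are static NAT with port forwarding disabled and share one service group, HTTP to the email VIP and SMTP to the web VIP are admitted as well; one policy per VIP, or port-forwarding VIPs, narrows inbound access to the port each server actually serves.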

The FortiWiFi-80CM
In the main office network, the FortiWiFi-80CM is used to provide WiFi access to main
library patrons with their own WiFi-capable laptops, and as a connection point to all the
main office public access terminals. Since all the policies and protection profiles are
configured on the FortiGate-800 cluster, the FortiWiFi-80CM only has to pass the traffic
along. For this reason, the FortiWiFi-80CM configuration is not complex.

Configuring the main office FortiWiFi-80CM
The FortiWiFi-80CM is connected as shown in the main branch network topology diagram,
Figure 41 on page 332.
To configure the operation mode - web-based manager
1 Go to System > Config > Operation and set the unit to Transparent Mode.
Since the FortiWiFi-80CM is within the library's network, no address translation is
required.
2 Enter 10.100.1.99/255.255.255.0 as the Management IP/Netmask and
10.100.1.3 as the Default Gateway.
3 Select Apply.
You will be disconnected and will have to log in to the FortiWiFi-80CM using the
management IP address.
To configure the operation mode - CLI
config system settings
set opmode transparent
set manageip 10.100.1.99 255.255.255.0
set gateway 10.100.1.3
end
Since the FortiWiFi-80CM will not be examining the traffic for content, only a single simple
policy is required.
The settings required for all main office WiFi-80CM policies in this example are provided in
Table 27 on page 352.
For complete policy construction steps, see the FortiGate Administration Guide.

Table 27: Main office FortiWiFi-80CM policies
Setting | WiFi
Source Interface/Zone | Wlan
Source Address | All
Destination Interface/Zone | Wan1
Destination Address | All
Schedule | Always
Service | All
Action | Accept
UTM Profiles | Disable
Log Allowed Traffic | Disable
Authentication | Disable
Traffic Shaping | Disable
User Authentication Disclaimer | Disable
Comments (optional) | WiFi users connected to the main office FortiWiFi-80CM

Although the WiFi policy allows access at all times, the policies on the FortiGate-800
cluster restrict Internet access to library business hours.

Configuring branch offices
The three sections of each branch's network (staff computers, catalog terminals, and
public access terminals) are wired separately to different interfaces on the FortiWiFi-80CM
and cannot access each other.
All external communication is sent to the main office through the VPN by the
FortiWiFi-80CM. After reaching the FortiGate-800, the traffic continues out to the Internet.
Inbound traffic follows the same course back.
Unless they use the email and web server private IP addresses, the computers accessing
the library web page and email server have their connections sent out to the Internet, then
back to the servers.

Topology
The branch network layout is designed to keep the various parts of the network separate.
The staff computers and public terminals are connected to different network interfaces on
the FortiGate, and those interfaces are configured to not allow direct connections between
them. See Table 12 on page 329 for details on permitted access between different
network areas.
Staff computers, email and web servers, public access terminals, WiFi connected systems
are all protected by the FortiGuard service subscription on the FortiGate-800 cluster at the
main branch.

Figure 43: Branch office network topology
[Figure not reproduced. Branch configuration (branch 1 addresses shown): Branch Staff; Public terminals; WiFi-60; Internal 10.1.2.1; DMZ 10.1.4.1; WAN2 10.1.3.1; WAN1 192.168.23.89; VPN Tunnel to the Internet; Catalog access terminals 10.1.3.[2-254]; address ranges 10.1.2.[2-254] and 10.1.4.[2-254].]

Staff access
All staff traffic is routed through the VPN to the main branch. Requests for the email or
web servers are routed to the main office DMZ while general Internet traffic is sent to the
main office then out of the library network to the Internet.

Catalog terminals
Dedicated computers are provided for library patrons to search for books and periodicals
in the library’s catalog. The catalog computers are configured so the only application
available is a web browser, and the only site it can access is the library web page which
includes access to the catalog. Requests are routed through the VPN to the web server in
the library’s main office.

Wireless/public access
Public access terminals and wireless access allow library patrons to access the Internet.
Profile settings deny all instant messaging and peer to peer connections. Also, main
branch library staff can block individual sites and entire site categories as deemed
necessary using FortiGuard web filtering.

Mail and web servers
Branch offices do not have their own email servers. When staff members send or receive
email, their email software connects to the email server in the main library location. This
connection is made through the VPN between the main and branch office. Email server
access is not available from the Internet at large.

IPSEC VPN
Each branch will have a VPN connection to the main office.
To create the Phase 1 portion of the VPN to the main office - web-based manager
1 Go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 1.
2 In the Name field, enter Main_Office.
3 Select Static IP for Remote Gateway.
4 Enter 192.168.147.30 in the IP Address field.
5 Select WAN1 for the Local Interface.
6 Select Main (ID Protection) for the Mode.
7 Select Preshared Key as the Authentication Method and enter the key in the Preshared
Key field.
8 Select Advanced and select Enable IPsec Interface Mode.
9 Select OK.
To create the Phase 1 portion of the VPN to the main office - CLI
config vpn ipsec phase1
edit Main_Office
set remote-gw 192.168.147.30
set interface WAN1
set mode main
set psksecret ########
end
Note: The preshared key is a string of alphanumeric characters and should be unique for
each branch. The preshared key entered at each end of the VPN connection must be
identical.

To create the Phase 2 portion of the VPN to the main office - web-based manager
1 Select Create Phase 2.
2 Enter Branch 1 to Main_Office in the Name field.
3 Select Main_Office from the Phase 1 drop down.
4 Select OK.
To create the Phase 2 portion of the VPN to the main office - CLI
config vpn ipsec phase2
edit Main_Office
set phase1name Main_Office
end
The configuration steps to create the VPN tunnel have to be repeated for each branch
office to be connected in this way. Additional branches use the same Phase 1 settings
except for Name, IP Address, and Preshared Key.

Branch Firewall Policy
All traffic leaving the branch, whether destined for the main office or the Internet, is
controlled by a single policy. Additional policies and routing configured on the
FortiGate-800 cluster at the main office direct the traffic once it arrives there.

Creating firewall policy for the branch office
A single firewall policy sends all traffic leaving the branch through the VPN to the main
office. For simplicity, the four network interfaces used for the internal network (internal,
DMZ, WLAN, and WAN2) are collected into a zone called Inside_Zone. This allows a
single policy to control all the traffic leaving the branch.
Policies are configured in Firewall > Policy > Policy. Interface zones are defined in System
> Network > Zone.
The settings required for the branch office FortiWiFi-80CM policy in this example are
provided in Table 28 on page 355.
For complete policy construction steps, see the FortiGate Administration Guide.
Table 28: Branch office FortiWiFi-80CM policies
Setting | Branch policy
Source Interface/Zone | Inside_Zone
Source Address | All
Destination Interface/Zone | Main_Office
Destination Address | All
Schedule | Always
Service | All
Action | Accept
UTM Profiles | Disable
Log Allowed Traffic | Disable
Authentication | Disable
Traffic Shaping | Disable
User Authentication Disclaimer | Disable
Comments (optional) | Policy to allow branch traffic to main office.

Traffic shaping
Traffic shaping regulates and prioritizes traffic flow. Guaranteed bandwidth reserves a
minimum bandwidth for traffic controlled by a policy. Similarly, maximum bandwidth caps
the rate of traffic controlled by the policy. Finally, the traffic controlled by a policy can be
assigned a high, medium or low priority. If there is not enough bandwidth to transmit all
traffic, high priority traffic is processed before medium priority traffic, and medium before
low priority traffic.
Traffic shaping limits apply only to traffic controlled by the policy they are applied to. If you
do not apply any traffic shaping rules to a policy, the policy is set to high priority by default.
Because of this, traffic shaping is of extremely limited use if applied to some policies and
not others. Enable traffic shaping on all firewall policies.
Because guaranteed bandwidth and maximum bandwidth settings are entirely dependent
on the maximum bandwidth available, the current traffic, and the relative priority of each
type of traffic, defining exact values for each policy is beyond the scope of this document,
and traffic shaping is therefore disabled in the example policies.

Priorities
Traffic can be assigned high, medium, or low priority depending on importance. Ideally,
traffic will be spread across all three priorities. If all traffic is assigned the same setting,
prioritizing traffic is effectively disabled.
On the library system’s network, there are four types of users accessing two services.
Table 29: Priority of traffic based on source and destination
                                 To servers    To Internet
From catalog terminals*          high          -
From Internet†                   high          -
From public terminals/WiFi*      high          low
From staff*                      high          medium
* includes both branch and main office traffic
† includes both inbound and outbound mail server connections

On the library system’s network, the most important traffic is to and from the web and mail
servers. Locating research materials in the library’s collection is extremely difficult without
a working catalog. Email is important to staff members because they maintain important
communication using it.
Staff access to the Internet is of medium priority. Although staff members do need Internet
access, it is rarely as time-critical as catalog access and email.
Public access to the Internet (both from provided terminals and WiFi connections) is of
the lowest priority.
Although most traffic appears to be of high importance, the most bandwidth is consumed
by Internet access, partly by staff but mostly by the public terminals/WiFi.
With this in mind, a maximum bandwidth value can also be set to limit the bandwidth
consumed by traffic controlled by the public policies. Since the rate entered for maximum
bandwidth applies only to the traffic the policy controls, care has to be taken because
public access traffic is controlled by four policies at any given time: there are branch and
main office policies for public terminals and for WiFi connections. The maximum bandwidth
specified in each policy does not take into account any of the others. If you wanted to limit
all public access to the Internet to no more than 200KB/s, you would have to divide this value
among the four active policies.

The future
In the design of the example library network detailed in this document, decisions were
made about how it should function when initially installed. Assumptions on how the
network will be used may be incorrect, or usage may change over time. The network can
be modified to facilitate changing usage or new requirements. For example:

Logging
Should the library require detailed logging, a FortiAnalyzer unit can be added to the main
office network. The FortiGate-800 cluster could then be configured to send traffic and
event data to the FortiAnalyzer. Detailed reports can be generated to chart network
utilization, Internet use, and attack activity.
Should the library switch to a VoIP telephone system, reports can also be generated on
telephone usage.


Decentralization
If a more decentralized approach is required, Internet access from branch offices could
bypass the main office entirely. Branch FortiGate units would still maintain VPN-encrypted
communication for secure access to the library servers. A FortiManager device would
minimize the administrative effort required to deploy, configure, monitor, and maintain the
security policies across all branch office FortiGate units.

Staff WiFi
The FortiWiFi-80CM supports the creation of virtual WiFi interfaces. If staff members
require WiFi connectivity, a virtual WiFi interface could be created to allow them full
access to staff network resources while maintaining the current limited access provided to
public access users.

Further redundancy
Although the FortiGate-800 cluster ensures minimal downtime with hardware redundancy,
adding another Internet connection from a different ISP can provide connection
redundancy to the main office.
The FortiWiFi-80CM used in the branch offices supports the same High-Availability
clustering as the FortiGate-800 so if needed, the branch offices could enjoy the same HA
protection as the main office without having to upgrade to higher models.


Chapter 3 System Administration
This FortiOS Handbook chapter contains the following sections:
• Basic setup describes the simple setup requirements an Administrator should do to get
  the FortiGate unit on the network and enable the flow of traffic.
• Using the CLI provides an overview of the command line interface (CLI) for FortiOS. If
  you are new to the FortiOS CLI, this chapter provides a high level overview of how to
  use this method of administration.
• Tightening security discusses additional steps to take to further secure your network
  from intruders and malicious users.
• Best Practices discusses methods to make the various components of FortiOS more
  efficient, and offers suggestions on ways to configure the FortiGate unit.
• Wireless discusses ways to make your wireless network more secure.
• Advanced concepts describes more involved administrative topics to enhance network
  security and traffic efficiency.


Basic setup
The FortiGate unit requires some basic configuration to add it to your network. These
basic steps include assigning IP addresses, and adding routing and firewall policies. Until the
administrator completes these steps, internetwork and Internet traffic will not flow through
the device.
There are two methods of configuring the FortiGate unit: the web-based manager or
the command line interface (CLI). This chapter steps through both methods to complete
the basic configuration that puts the device on your network. Use whichever you are most
comfortable with.
This chapter also provides guidelines for password and administrator best practices as
well as how to upgrade the firmware.
This section includes the following topics:
• Connecting to the FortiGate unit
• Configuring NAT mode
• Configuring transparent mode
• Verifying the configuration
• Additional configuration
• Passwords
• Administrators
• Backing up the configuration
• Firmware

Connecting to the FortiGate unit
To configure, maintain and administer the FortiGate unit, you need to connect to it from a
management computer. There are two ways to do this:
• using the web-based manager: a GUI interface that you connect to using a current web
  browser such as Firefox or Internet Explorer.
• using the command line interface (CLI): a command line interface similar to DOS or
  UNIX commands that you connect to using SSH or a Telnet terminal.

Connecting to the web-based manager
To connect to the web-based manager, you require:
• a computer with an Ethernet connection
• Microsoft Internet Explorer version 6.0 or higher or any recent version of a common
  web browser
• an Ethernet cable.


To connect to the web-based manager
1 Set the IP address of the management computer to the static IP address
192.168.1.2 with a netmask of 255.255.255.0.
2 Using the Ethernet cable, connect the internal or port 1 interface of the FortiGate unit to
the computer Ethernet connection.
3 Start your browser and enter the address https://192.168.1.99 (remember to
include the “s” in https://).
To support a secure HTTPS authentication method, the FortiGate unit ships with a
self-signed security certificate, which is offered to remote clients whenever they initiate
an HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit
displays two security warnings in the browser.
The first warning prompts you to accept and optionally install the FortiGate unit’s
self-signed security certificate. If you do not accept the certificate, the FortiGate unit
refuses the connection. If you accept the certificate, the FortiGate login page appears.
The credentials entered are encrypted before they are sent to the FortiGate unit. If you
choose to accept the certificate permanently, the warning is not displayed again.
Just before the FortiGate login page is displayed, a second warning informs you that
the FortiGate certificate distinguished name differs from the original request. This
warning occurs because the FortiGate unit redirects the connection. This is an
informational message. Select OK to continue logging in.
4 Type admin in the Name field and select Login.

Connecting to the CLI
The command line interface (CLI) is an alternative method of configuring the FortiGate
unit. The CLI complements the web-based manager in that it not only has the same
configuration options, but also additional settings not available through the web-based
manager.
If you are new to FortiOS or to a command line configuration tool, see “Using the
CLI” on page 387 for an overview of the CLI, how to connect to it, and how to use it.

Configuring NAT mode
When configuring NAT mode, you need to define interface addresses and default routes,
and simple firewall policies. You can use the web-based manager or the CLI to configure
the FortiGate unit in NAT mode.

Configure the interfaces
When shipped, the FortiGate unit has a default address of 192.168.1.99 and a netmask of
255.255.255.0 for either the Port 1 or Internal interface. You need to configure this and
other ports for use on your network.
Note: If you change the IP address of the interface you are connecting to, you must
connect through a web browser again using the new address. Browse to https:// followed by
the new IP address of the interface. If the new IP address of the interface is on a different
subnet, you may have to change the IP address of your computer to the same subnet.


To configure an interface for manual addressing - web-based manager
1 Go to System > Network > Interface.
2 Select an interface and select Edit.
3 Enter the IP address and netmask for the interface.
4 Select OK.
To configure an interface for manual addressing - CLI
config system interface
    edit <interface_name>
        set mode static
        set ip <interface_ipv4mask>
end
To configure DHCP addressing - web-based manager
1 Go to System > Network > Interface.
2 Select the Edit icon for an interface.
3 Select DHCP and complete the following:
  Distance: Enter the administrative distance, between 1 and 255, for the default
  gateway retrieved from the DHCP server. The administrative distance specifies the
  relative priority of a route when there are multiple routes to the same destination. A
  lower administrative distance indicates a more preferred route.
  Retrieve default gateway from server: Enable to retrieve a default gateway IP address
  from the DHCP server.
  Override internal DNS: Enable to use the DNS addresses retrieved from the DHCP
  server instead of the DNS server IP addresses on the DNS page on System >
  Network > Options. You should also enable Obtain DNS server address automatically
  in System > Network > Options.
4 Select OK.
Note: For more information on DHCP, see “DHCP servers and relays” on page 442.

To configure DHCP addressing - CLI
config system interface
    edit <interface_name>
        set mode dhcp
        set distance <integer>
        set defaultgw enable
end
To configure PPPoE addressing - web-based manager
1 Go to System > Network > Interface.
2 Select an interface and select Edit.
3 Select PPPoE, and complete the following:
  Username: Enter the username for the PPPoE server. This may have been
  provided by your Internet Service Provider.
  Password: Enter the password for the PPPoE server for the above user name.


  Unnumbered IP: Specify the IP address for the interface. If your Internet Service
  Provider has assigned you a block of IP addresses, use one of these IP addresses.
  Alternatively, you can use, or borrow, the IP address of a configured interface on the
  router. You may need to do this to minimize the number of unique IP addresses within
  your network. If you are borrowing an IP address, remember the interface must be
  enabled, and the Ethernet cable connected to the FortiGate unit.
  Initial Disc Timeout: Initial discovery timeout in seconds. The amount of time to wait
  before starting to retry a PPPoE discovery. To disable the discovery timeout, set the
  value to 0.
  Initial PADT Timeout: Initial PPPoE Active Discovery Terminate (PADT) timeout in
  seconds. Use this timeout to shut down the PPPoE session if it is idle for this number
  of seconds. Your Internet Service Provider must support PADT. To disable the PADT
  timeout, set the value to 0.
  Distance: Enter the administrative distance, between 1 and 255, for the default
  gateway retrieved from the DHCP server. The administrative distance specifies the
  relative priority of a route when there are multiple routes to the same destination. A
  lower administrative distance indicates a more preferred route.
  Retrieve default gateway from server: Enable to retrieve a default gateway IP address
  from the DHCP server. The default gateway is added to the static routing table.
  Override internal DNS: Enable to use the DNS addresses retrieved from the DHCP
  server instead of the DNS server IP addresses on the DNS page on System >
  Network > Options. On FortiGate-100 units and lower, you should also enable Obtain
  DNS server address automatically in System > Network > Options.
4 Select OK.
To configure PPPoE addressing - CLI
config system interface
    edit <interface_name>
        set mode pppoe
        set username <pppoe_username>
        set password <pppoe_password>
        set ipunnumbered <unnumbered_ipv4>
        set disc-retry-timeout <pppoe_retry>
        set padt-retry-timeout <pppoe_retry>
        set distance <integer>
        set defaultgw enable
end

Configure a DNS server
A DNS server is a service that converts symbolic node names to IP addresses. A domain
name server (DNS server) implements the protocol. In simple terms, it acts as a phone
book for the Internet. A DNS server matches domain names with the computer IP
address. This enables you to use readable locations, such as fortinet.com when browsing
the Internet.
The FortiGate unit includes default DNS servers. However, these should be changed to
those provided by your Internet Service Provider. The defaults are DNS proxies and are
not as reliable as those from your ISP.


To configure DNS server settings - web-based manager
1 Go to System > Network > Options.
2 Enter the IP address of the primary DNS server.
3 Enter the IP address of the secondary DNS server.
4 Select Apply.
Note: For more information on DNS servers see “FortiGate DNS services” on page 443.

To configure DNS server settings - CLI
config system dns
    set primary <dns_ipv4>
    set secondary <dns_ipv4>
end

Add a default route and gateway
A route provides the FortiGate unit with the information it needs to forward a packet to a
particular destination. A static route causes packets to be forwarded to a destination other
than the default gateway. You define static routes manually. Static routes control traffic
exiting the FortiGate unit. You can specify through which interface the packet will leave
and to which device the packet should be routed.
In the factory default configuration, entry number 1 in the Static Route list is associated
with a destination address of 0.0.0.0/0.0.0.0, which means any/all destinations. This route
is called the “static default route”. If no other routes are present in the routing table and a
packet needs to be forwarded beyond the FortiGate unit, the factory configured static
default route causes the FortiGate unit to forward the packet to the default gateway.
For an initial configuration, you must edit the factory configured static default route to
specify a different default gateway for the FortiGate unit. This will enable the flow of data
through the unit.
To modify the default gateway - web-based manager
1 Go to Router > Static > Static Route.
2 Select the default route and select Edit.
3 In the Gateway field, type the IP address of the next-hop router where outbound traffic
is directed.
4 If the FortiGate unit reaches the next-hop router through a different interface
(compared to the interface that is currently selected in Device), select the name of the
interface from the Device drop-down list.
5 Select OK.
To modify the default gateway - CLI
config router static
    edit <sequence_num>
        set gateway <gateway_address_ipv4>
        set device <interface_name>
end


Add firewall policies
Firewall policies enable traffic to flow through the FortiGate interfaces. Firewall policies
define how the FortiGate unit processes the packets in a communication session. For the
initial installation, a single firewall policy that enables all traffic to flow through will enable
you to verify that your configuration is working. On lower-end units such a default firewall
policy is already in place. For the high-end FortiGate units, you need to add a firewall policy.
The following steps add two policies that allow all traffic through the FortiGate unit, to
enable you to continue testing the configuration on the network.
These steps provide a quick way to get traffic flowing through the FortiGate unit. It is a
very broad policy and not recommended to keep on the system once initial setup and
testing are complete. You will want to add more restrictive firewall policies to provide better
network protection. For more information on firewall policies, see the FortiGate
Fundamentals.
To add an outgoing traffic firewall policy - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Set the following and select OK.
  Source Interface/Zone: Select the port connected to the network.
  Source Address: All
  Destination Interface/Zone: Select the port connected to the Internet.
  Destination Address: All
  Schedule: always
  Service: Any
  Action: Accept

To add an outgoing traffic firewall policy - CLI
config firewall policy
    edit <policy_number>
        set srcintf <name_str>
        set srcaddr <name_str>
        set dstintf <name_str>
        set dstaddr <name_str>
        set schedule always
        set service ANY
        set action accept
end
To add an incoming traffic firewall policy - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Set the following and select OK.
  Source Interface: Select the port connected to the Internet.
  Source Address: All
  Destination Interface: Select the port connected to the network.
  Destination Address: All

  Schedule: always
  Service: Any
  Action: Accept

To add an incoming traffic firewall policy - CLI
config firewall policy
    edit <policy_number>
        set srcintf <name_str>
        set srcaddr <name_str>
        set dstintf <name_str>
        set dstaddr <name_str>
        set schedule always
        set service ANY
        set action accept
end
To create an incoming traffic firewall policy, you use the same commands as for the
outgoing policy with the interfaces and addresses reversed. Firewall policy configuration
is the same in NAT/Route mode and transparent mode.
These policies allow all traffic through. No UTM profiles have been configured or applied.
Ensure you create additional firewall policies to accommodate your network requirements.

Configuring transparent mode
When configuring transparent mode, you need first to switch to transparent mode. You can
then configure the management IP address, default routes, and firewall policies. You can
use the web-based manager or the CLI to configure the FortiGate unit in transparent
mode.

Switching to transparent mode
The FortiGate unit comes by default running in NAT mode. You first need to switch to
transparent mode.
To switch to transparent mode - web-based manager
1 Go to System > Status.
2 Under System Information, select Change beside the Operation Mode.
3 Select Transparent.
4 Enter the Management IP/Netmask address and the Default Gateway address.
The default gateway IP address is required to tell the FortiGate unit where to send
network traffic destined for other networks.
5 Select Apply.
To switch to transparent mode - CLI
config system settings
    set opmode transparent
    set manageip <manage_ipv4>
    set gateway <gw_ipv4>
end


Configure a DNS server
A DNS server is a service that converts symbolic node names to IP addresses. A domain
name server (DNS server) implements the protocol. In simple terms, it acts as a phone
book for the Internet. A DNS server matches domain names with the computer IP
address. This enables you to use readable locations, such as fortinet.com when browsing
the Internet.
DNS server IP addresses are typically provided by your Internet Service Provider.
To configure DNS server settings - web-based manager
1 Go to System > Network > Options.
2 Enter the IP address of the primary DNS server.
3 Enter the IP address of the secondary DNS server.
4 Select Apply.
To configure DNS server settings - CLI
config system dns
    set primary <dns_ipv4>
    set secondary <dns_ipv4>
end

Add firewall policies
Firewall policies enable traffic to flow through the FortiGate interfaces. Firewall policies
define how the FortiGate unit processes the packets in a communication session. You can
configure the firewall policies to allow only specific traffic, specific users and specific times
when traffic is allowed.
For the initial installation, a single firewall policy that enables all traffic through will enable
you to verify that your configuration is working. On lower-end units such a default firewall
policy is already in place. For the higher end FortiGate units, you will need to add a firewall
policy.
The following steps add two policies that allow all traffic through the FortiGate unit, to
enable you to continue testing the configuration on the network.
These steps provide a quick way to get traffic flowing through the FortiGate unit. It is a
very broad policy and not recommended to keep on the system once initial setup and
testing are complete. You will want to add more restrictive firewall policies to provide better
network protection. For more information on firewall policies, see the FortiGate
Fundamentals.
To add an outgoing traffic firewall policy - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Set the following and select OK.
  Source Interface/Zone: Select the port connected to the network.
  Source Address: All
  Destination Interface/Zone: Select the port connected to the Internet.
  Destination Address: All
  Schedule: always
  Service: Any
  Action: Accept

To add an outgoing traffic firewall policy - CLI
config firewall policy
    edit <policy_number>
        set srcintf <name_str>
        set srcaddr <name_str>
        set dstintf <name_str>
        set dstaddr <name_str>
        set schedule always
        set service ANY
        set action accept
end
To add an incoming traffic firewall policy - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Set the following and select OK.
  Source Interface: Select the port connected to the Internet.
  Source Address: All
  Destination Interface: Select the port connected to the network.
  Destination Address: All
  Schedule: always
  Service: Any
  Action: Accept

To add an incoming traffic firewall policy - CLI
config firewall policy
    edit <policy_number>
        set srcintf <name_str>
        set srcaddr <name_str>
        set dstintf <name_str>
        set dstaddr <name_str>
        set schedule always
        set service ANY
        set action accept
end
To create an incoming traffic firewall policy, you use the same commands with the
addresses reversed.
Firewall policy configuration is the same in NAT/Route mode and transparent mode.
These policies allow all traffic through. No UTM profiles have been configured or applied.
Ensure you create additional firewall policies to accommodate your network requirements.
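The two "Add firewall policies" procedures above (NAT mode and transparent mode) both leave any/any/ANY accept policies on the unit. The following Python script is an added example, not Fortinet's code and not from the handbook: it parses a configuration written in the CLI format shown in those procedures and reports the broad accept policies that should be replaced once testing is complete. The sample configuration, interface names and function names are constructed for illustration.

```python
"""Offline audit of a FortiOS-style 'config firewall policy' section.

Added example, not Fortinet's code. It reads the CLI format used in this
section ('config ... / edit N / set key value / next / end') and flags accept
policies whose source address, destination address and service are all 'any',
with or without UTM profiles applied.
"""
import re

# Constructed sample, not a real device backup: policies 1 and 2 are the
# setup-time outgoing/incoming policies from this section; policy 3 is a
# restricted one that should not be flagged.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web_server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set av-profile "default"
    next
end
"""

_EDIT_RE = re.compile(r"^edit\s+(\d+)$")
_SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")
_VALUE_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted or bare values, space separated


def parse_policies(config_text):
    """Map each policy ID to its {keyword: [values]} from 'config firewall policy'."""
    policies = {}
    current = None
    in_section = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break                      # end of the section; other sections are ignored
        edit = _EDIT_RE.match(line)
        if edit:
            current = int(edit.group(1))
            policies[current] = {}
            continue
        if line == "next":
            current = None
            continue
        setting = _SET_RE.match(line)
        if setting and current is not None:
            values = [quoted or bare for quoted, bare in _VALUE_RE.findall(setting.group(2))]
            policies[current][setting.group(1)] = values
    return policies


def is_broad_accept(policy):
    """True for an accept policy whose source, destination and service are all 'any'."""
    def matches(key, *names):
        return any(v.lower() in names for v in policy.get(key, []))
    return (policy.get("action", ["deny"])[0] == "accept"   # FortiOS denies when action is unset
            and matches("srcaddr", "all")
            and matches("dstaddr", "all")
            and matches("service", "any", "all"))


def audit(config_text):
    """Return [(policy_id, message)] for every broad accept policy, lowest ID first."""
    findings = []
    for pid, policy in sorted(parse_policies(config_text).items()):
        if is_broad_accept(policy):
            src = policy.get("srcintf", ["?"])[0]
            dst = policy.get("dstintf", ["?"])[0]
            utm = policy.get("utm-status", ["disable"])[0]
            findings.append((pid, f"policy {pid}: any/any/ANY accept {src} -> {dst}, "
                                  f"utm-status {utm}"))
    return findings


if __name__ == "__main__":
    for _, message in audit(SAMPLE_CONFIG):
        print(message)
```

Run against a saved configuration file instead of SAMPLE_CONFIG to list the setup-time policies still present on a unit.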


Verifying the configuration
Your FortiGate unit is now configured and connected to the network. To verify that the
FortiGate unit is connected and configured correctly, use your web browser to browse a
web site, or use your email client to send and receive email.
If you cannot browse to the web site or retrieve/send email from your account, review the
previous steps to ensure all information was entered correctly and try again.
Remember to verify the firewall policies. The firewall policies control the flow of
information through the FortiGate unit. If the policies are not set up correctly, or are too
restrictive, they can prohibit network traffic flow.

Additional configuration
Once the FortiGate unit is connected and traffic can pass through, several more
configuration options are available. While not mandatory, they will help to ensure better
control with the firewall.

Setting the time and date
For effective scheduling and logging, the FortiGate system date and time should be
accurate. You can either manually set the system date and time or configure the FortiGate
unit to automatically keep its time correct by synchronizing with a Network Time Protocol
(NTP) server.
To set the date and time - web-based manager
1 Go to System > Dashboard > Status.
2 Under System Information > System Time, select Change.
3 Select your Time Zone.
4 Optionally, select Automatically adjust clock for daylight saving changes.
5 Select Set Time and set the FortiGate system date and time.
6 If you want to synchronize the time with an NTP server, enable the option.
7 Select OK.
To set the date and time - CLI
config system global
    set timezone <zone_value>
    set dst enable
end
execute date [<date_str>]
execute time [<time_str>]
Note: If you choose the option Automatically adjust clock for daylight saving changes, the
system time must be manually adjusted after daylight saving time ends.

Configuring FortiGuard
The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). When the
FortiGate unit connects to the FDN, it connects to the nearest FDS. To do this, all
FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone
according to the time zone configured for the FortiGate unit.


Before you can begin receiving updates, you must register your FortiGate unit on the
Fortinet web site. After that, you need to configure the FortiGate unit to connect to the
FortiGuard Distribution Network (FDN) to update the antivirus, antispam and IPS attack
definitions.

Updating antivirus and IPS signatures
After you have registered your FortiGate unit, you can update antivirus and IPS
signatures. The FortiGuard Center enables you to receive push updates, allow push
updates to a specific IP address, and schedule updates at daily, weekly, or hourly intervals.
To update antivirus definitions and IPS signatures
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow for AntiVirus and IPS Options to expand the options.
3 Select Update Now to update the antivirus definitions.
If the connection to the FDN is successful, the web-based manager displays a
message similar to the following:
Your update request has been sent. Your database will be updated in
a few minutes. Please check your update page for the status of the
update.
After a few minutes, if an update is available, the FortiGuard Center Services information
on the Dashboard lists new version information for antivirus definitions. The System Status
page also displays new dates and version numbers for the antivirus definitions. Messages
are recorded to the event log indicating whether or not the update was successful.
Note: Updating antivirus definitions can cause a very short disruption in traffic currently
being scanned while the FortiGate unit applies the new signature database. Schedule
updates when traffic is light, for example overnight, to minimize any disruption.

Passwords
The FortiGate unit ships with a default empty password, that is, there is no password.
You will want to apply a password to prevent anyone from logging into the FortiGate unit
and changing configuration options.
To change the administrator password - web-based manager
1 Go to System > Admin > Administrators.
2 Select the admin account and select Change Password.
3 Enter a new password and select OK.
To change the administrator password - CLI
config system admin
    edit admin
        set password <admin_password>
end


Password considerations
When changing the password, consider the following to ensure better security.
• Do not make passwords that are obvious, such as the company name, administrator
  names or other obvious words or phrases.
• Use numbers in place of letters, for example, passw0rd. Alternatively, spell words with
  extra letters, for example, password.
• Include a mixture of letters, numbers, and upper and lower case.
• Use multiple words together, or possibly even a sentence, for example
  keytothehighway, or a combination of the above suggestions.
• Use a password generator.
• Change the password regularly and always use a unique code (not a variation of the
  existing password made by adding a “1” to it, for example password, password1).
• Write the password down and store it in a safe place away from the management
  computer, in case you forget it.
• Alternatively, ensure at least two people know the password in the event that one
  person becomes ill, is away on vacation or leaves the company. Alternatively, have two
  different admin logins.

Password policy
The FortiGate unit includes the ability to enforce a password policy for administrator login.
With the policy, you can enforce regular changes and specific criteria for a password
including:
• minimum length between 8 and 32 characters.
• whether the password must contain uppercase (A, B, C) and/or lowercase (a, b, c)
  characters.
• whether the password must contain numbers (1, 2, 3).
• whether the password must contain non-alphanumeric characters (!, @, #, $, %, ^, &,
  *, (, )).
• where the password applies (admin or IPsec or both).
• the duration of the password before a new one must be specified.

To apply a password policy - web-based manager
1 Go to System > Admin > Settings.
2 Select Enable and configure the settings as required.
To apply a password policy - CLI
config system password-policy
    set status enable
end
Configure the other settings as required.

Forgotten password?
It can happen that the administrator of the FortiGate unit leaves the company without providing the administrative password, or forgets it. Or you simply forgot the password.
In the event you lose or forget the password, you need to contact Customer Support for the steps required to reset the password. For information on contacting Customer Support, see the Support web site at https://support.fortinet.com.

372


Administrators
By default, the FortiGate unit has a super administrator called “admin”. This user login cannot be deleted and always has ultimate access over the FortiGate unit. You can also add administrators for various functions and VDOMs. Each one can have their own username and password and set of access privileges.
To add an administrator - web-based manager
1 Go to System > Admin > Administrators.
2 Select Create New.
3 Enter the administrator name.
4 Select the type of account it will be. If you select Remote, the FortiGate can reference a RADIUS, LDAP or TACACS+ server.
5 Enter the password for the user. This may be a temporary password that the
administrator can change later for added security.
6 Select OK.
To add an administrator - CLI
config system admin
edit <admin_name>
set password <password>
set accprofile <profile_name>
end

Trusted hosts
Setting trusted hosts for an administrator limits which computers that administrator can log in from. When you identify a trusted host, the FortiGate unit will only accept the administrator’s login from the configured IP address. Any attempt to log in with the same credentials from any other IP address will be dropped. To ensure the administrator has access from different locations, you can enter up to ten IP addresses. Ideally, this should be kept to a minimum. For higher security, use an IP address with a net mask of 255.255.255.255, and enter an IP address (non-zero) in each of the three default trusted host fields.
Trusted hosts are configured when adding a new administrator by going to System > Admin > Administrators in the web-based manager or config system admin in the CLI.
The trusted hosts apply to the web-based manager, ping, SNMP and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected. Also ensure all entries contain actual IP addresses, not the default 0.0.0.0.

Backing up the configuration
Once you configure the FortiGate unit and it is working correctly, it is extremely important
that you back up the configuration. In some cases, you may need to reset the FortiGate
unit to factory defaults, or perform a TFTP upload of the firmware. In these instances, the
configuration on the device will be lost.

373

Always back up the configuration and store it on the management computer or off site. It is
also recommended that once the FortiGate is configured, and any further changes are
made, that you back up the configuration immediately, to ensure you have the most
current configuration available.
You have the option to save the configuration file to various locations, including the local PC, a USB key, or an FTP or TFTP site. The latter two are configurable through the CLI only.
To back up the FortiGate configuration - web-based manager
1 Go to System > Dashboard > Status.
2 On the System Information widget, select Backup for the System Configuration.
3 Select to back up to your Local PC, FortiManager or to a USB key.
The USB Disk option will be grayed out if no USB drive is inserted in the USB port. The
FortiManager option will not be available if the FortiGate unit is not being managed by
a FortiManager system.
4 Select Encrypt configuration file.
Encryption must be enabled on the backup file to back up VPN certificates.
5 Enter a password and enter it again to confirm it. You will need this password to restore
the file.
6 Select Backup.
7 The web browser will prompt you for a location to save the configuration file. The
configuration file will have a .conf extension.
To back up the FortiGate configuration - CLI
execute backup config management-station <comment>
… or …
execute backup config usb <backup_filename> [<backup_password>]
… or for FTP, note that port number and username are optional depending on the FTP site …
execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]
… or for TFTP …
execute backup config tftp <backup_filename> <tftp_server> <password>

It is good practice to back up the FortiGate configuration after any modification to any of the FortiGate settings. Also, before performing an upgrade to the firmware, ensure you back up the configuration. Should anything happen during the upgrade that changes the configuration, you can easily restore the saved configuration.

Download a configuration file using SCP
You can use secure copy protocol (SCP) to download the configuration file from the FortiGate unit as an alternative method of backing up the configuration file. This is done by enabling SCP for an administrator account and enabling SSH on a port used by the SCP client application to connect to the FortiGate unit.

374

Enable SCP
To enable SCP - web-based manager
1 Go to System > Admin > Settings.
2 Select Enable SCP.
3 Select Apply.
To enable SCP - CLI:
config system global
set admin-scp enable
end

Enable SSH access on the interface
SCP uses the SSH protocol to provide secure file transfer. The interface you use for
administration must allow SSH access.
To enable SSH - web-based manager:
1 Go to System > Network > Interface.
2 Select the interface you use for administrative access and select Edit.
3 In the Administrative Access section, select SSH.
4 Select OK.
To enable SSH - CLI:
config system interface
edit <interface_name>
set allowaccess ping https ssh
end
Note: When adding or removing a protocol, you must type the entire list again. For example, if you have an access list of HTTPS and SSH, and you want to add PING, typing:
set allowaccess ping
...only PING will be set. In this case, you must type...
set allowaccess https ssh ping
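The password policy, trusted hosts and allowaccess points above can be checked offline against a configuration backup. The following Python script is an added example, not part of the handbook or of FortiOS; its parser and sample configuration are constructed to follow the CLI syntax shown on this page.

```python
"""Audit an exported FortiOS configuration (.conf backup) against the
administrative-access guidance in this chapter: the password policy must be
enabled, every administrator needs a non-zero address in all three default
trusted host fields, and an interface's allowaccess list should not expose
cleartext management protocols (telnet, http) next to ssh/https.

Added example, not Fortinet tooling. SAMPLE_CONFIG is constructed to resemble
the CLI syntax on this page; it is not a real backup."""
import shlex

ZERO = "0.0.0.0"                      # "any host" in a trusthost field
CLEARTEXT_PROTOS = {"telnet", "http"}

SAMPLE_CONFIG = """\
# constructed backup header line, skipped by the parser
config system password-policy
    set status disable
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.5 255.255.255.255
        set trusthost2 10.0.0.6 255.255.255.255
        set trusthost3 0.0.0.0 0.0.0.0
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost2 192.168.1.20 255.255.255.255
        set trusthost3 192.168.1.21 255.255.255.255
        set accprofile "prof_admin"
    next
end
config system interface
    edit "internal"
        set allowaccess ping https ssh telnet
    next
    edit "wan1"
        set allowaccess ping
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS config/edit/set/next/end syntax into nested dicts.

    Result shape: {"system admin": {"admin": {"trusthost1": ["10.0.0.5", ...]}}}.
    A config block with no edit entries keeps its settings under the key "_".
    Lines starting with '#' (the backup header) are skipped.
    """
    tree = {}
    stack = []   # open frames: ("config", dict) or ("edit", dict)
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        parent = stack[-1][1] if stack else tree
        if cmd == "config":
            stack.append(("config", parent.setdefault(" ".join(args), {})))
        elif cmd == "edit":
            stack.append(("edit", parent.setdefault(args[0], {})))
        elif cmd == "set" and stack:
            kind, frame = stack[-1]
            target = frame if kind == "edit" else frame.setdefault("_", {})
            target[args[0]] = args[1:]
        elif cmd in ("next", "end") and stack:
            stack.pop()
    return tree


def audit_admin_access(config_text):
    """Return [(severity, message), ...] for each deviation from the guidance."""
    cfg = parse_fortios_config(config_text)
    findings = []

    # Password policy: "set status enable" under config system password-policy.
    policy = cfg.get("system password-policy", {}).get("_", {})
    if policy.get("status", ["disable"])[0] != "enable":
        findings.append(("high", "system password-policy is not enabled"))

    # Trusted hosts: a 0.0.0.0 address or mask in any of the three default
    # fields lets that administrator log in from any source address.
    for name, admin in cfg.get("system admin", {}).items():
        if name == "_":
            continue
        for n in (1, 2, 3):
            host = admin.get("trusthost%d" % n, [ZERO, ZERO])
            if ZERO in host[:2]:
                findings.append(("high", "admin %r: trusthost%d is %s (any source may log in)"
                                 % (name, n, " ".join(host))))

    # allowaccess: telnet and http carry administrator credentials in cleartext.
    for name, iface in cfg.get("system interface", {}).items():
        if name == "_":
            continue
        for proto in sorted(set(iface.get("allowaccess", [])) & CLEARTEXT_PROTOS):
            findings.append(("medium", "interface %r: allowaccess includes cleartext %s"
                             % (name, proto)))
    return findings


if __name__ == "__main__":
    for severity, message in audit_admin_access(SAMPLE_CONFIG):
        print("[%s] %s" % (severity.upper(), message))
```

Point the script at a file saved with execute backup config to audit a real unit; only unencrypted backups can be parsed this way.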

Using the SCP client
The FortiGate unit downloads the configuration file as sys_config. Use the following syntax to download the file:
Linux
scp admin@<FortiGate_IP>:sys_config <location>
Windows
pscp admin@<FortiGate_IP>:sys_config <location>
These examples show how to download the configuration file from a FortiGate-100A, at IP
address 172.20.120.171, using Linux and Windows SCP clients.

375

Linux client example
To download the configuration file to a local directory called ~/config, enter the following
command:
scp admin@172.20.120.171:sys_config ~/config
Enter the admin password when prompted.
Windows client example
To download the configuration file to a local directory called c:\config, enter the following
command in a Command Prompt window:
pscp admin@172.20.120.171:sys_config c:\config
Enter the admin password when prompted.

SCP public-private key authentication
SCP authenticates itself to the FortiGate unit in the same way as an administrator using
SSH accesses the CLI. Instead of using a password, you can configure the SCP client and
the FortiGate unit with a public-private key pair.
To configure public-private key authentication
1 Create a public-private key pair using a key generator tool compatible with your SCP
client.
2 Save the private key to the location on your computer where your SSH private keys are
stored.
This step depends on your SCP client. The Secure Shell key generator automatically
stores the private key.
3 Copy the public key to the FortiGate unit using the CLI commands:
config system admin
edit admin
set ssh-public-key1 "<key-type> <key-value>"
end
<key-type> must be ssh-dss for a DSA key or ssh-rsa for an RSA key. For the <key-value>, copy the public key data and paste it into the CLI command.
If you are copying the key data from Windows Notepad, copy one line at a time and
ensure that you paste each line of key data at the end of the previously pasted data. As
well:
• Do not copy the end-of-line characters that appear as small rectangles in Notepad.
• Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: “[2048bit dsa,...]” lines.
• Do not copy the ---- END SSH2 PUBLIC KEY ---- line.
4 Type the closing quotation mark and press Enter.
Your SCP client can now authenticate to the FortiGate unit based on SSH keys rather than
the administrator password.

Restoring a configuration
Should you need to restore a configuration file, use the following steps.
To restore the FortiGate configuration - web-based manager
1 Go to System > Dashboard > Status.

376

2 On the System Information widget, select Restore for the System Configuration.
3 Select to upload the configuration file to be restored from your Local PC or a USB key.
The USB Disk option will be grayed out if no USB drive is inserted in the USB port. The
FortiManager option will not be available if the FortiGate unit is not being managed by
a FortiManager system.
4 Enter the path and file name of the configuration file, or select Browse to locate the file.
5 Enter a password if required.
6 Select Restore.
To restore the FortiGate configuration - CLI
execute restore config management-station normal 0
… or …
execute restore config usb <filename> [<password>]
… or for FTP, note that port number and username are optional depending on the FTP site …
execute restore config ftp <filename> <ftp_server> [<port>] [<user_name>] [<password>]
… or for TFTP …
execute restore config tftp <filename> <tftp_server> <password>

The FortiGate unit will load the configuration file and restart. Once the restart has
completed, verify that the configuration has been restored.

Firmware
Fortinet periodically updates the FortiGate firmware to include new features and address
issues. After you have registered your FortiGate unit, you can download firmware updates
from the support web site, http://support.fortinet.com.
You can also use the instructions in this chapter to revert, to a previous version. The
FortiGate unit includes a number of firmware installation options that enables you to test
new firmware without disrupting the existing installation, and load it from different locations
as required.
Fortinet issues patch releases: maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release, as well as testing and reviewing the patch release before upgrading the firmware. Follow the steps below:
• download and review the release notes for the patch release
• download the patch release
• back up the current configuration
• test the patch release until you are satisfied that it applies to your configuration.

Installing a patch release without reviewing release notes or testing the firmware may
result in changes to settings or unexpected issues.
Only the FortiGate admin user and administrators whose access profiles contain system read and write privileges can change the FortiGate firmware.

377

Downloading firmware
Firmware images for all FortiGate units are available on the Fortinet Customer Support web site. You must register your FortiGate unit to access firmware images. Register the FortiGate unit by visiting http://support.fortinet.com and selecting Product Registration.
To download firmware
1 Log into the site using your user name and password.
2 Go to Firmware Images > FortiGate.
3 Select the most recent FortiOS version.
4 Locate the firmware for your FortiGate unit, right-click the link and select the Download
option for your browser.
Note: Always review the Release Notes for a new firmware release before installing. The
Release Notes can include information that is not available in the regular documentation.

Upgrading the firmware - web-based manager
Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.
Note: Always remember to back up your configuration before doing any firmware upgrade
or downgrade.

To upgrade the firmware
1 Download the firmware image file to your management computer.
2 Log into the web-based manager as the admin administrative user.
3 Go to System > Dashboard > Status.
4 Under System Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiGate login. This process takes a few minutes.

Reverting to a previous version
The following procedure reverts the FortiGate unit to its factory default configuration and deletes any configuration settings.
Before beginning this procedure, ensure you back up the FortiGate unit configuration.
If you are reverting to a previous FortiOS version, you might not be able to restore the
previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.
Note: To use this procedure, you must log in using the admin administrator account, or an
administrator account that has system configuration read and write privileges.

378

To revert to a previous firmware version
1 Copy the firmware image file to the management computer.
2 Log into the FortiGate web-based manager.
3 Go to System > Dashboard > Status.
4 Under System Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version,
resets the configuration, restarts, and displays the FortiGate login. This process takes
a few minutes.
7 Log into the web-based manager.
8 Restore your configuration.
For information about restoring your configuration see “Restoring a configuration” on
page 376.

Upgrading the firmware - CLI
Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute update-now to update the antivirus and attack definitions. For more information, see the FortiGate Administration Guide.
Before you begin, ensure you have a TFTP server running and accessible to the FortiGate
unit.
To upgrade the firmware using the CLI
1 Make sure the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For
example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP
address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)

379

6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Update antivirus and attack definitions, by entering:
execute update-now

USB Auto-Install
The USB Auto-Install feature automatically updates the FortiGate configuration file and
firmware image file on a system reboot. Also, this feature provides you with an additional
backup if you are unable to save your system settings before shutting down or rebooting
your FortiGate unit.
Note: You need an unencrypted configuration file for this feature. Also, the required files must be in the root directory of the USB key.

To configure the USB Auto-Install - web-based manager
1 Go to System > Maintenance > Advanced.
2 Select the following:
• On system restart, automatically update FortiGate configuration file if default file
name is available on the USB disk.
• On system restart, automatically update FortiGate firmware image if default image
is available on the USB disk.
3 Enter the configuration and image file names or use the default configuration filename
(system.conf) and default image name (image.out).
4 The default configuration filename should show in the Default configuration file name
field.
5 Select Apply.
To configure the USB Auto-Install using the CLI
1 Log into the CLI.
2 Enter the following command:
config system auto-install
set default-config-file <filename>
set auto-install-config {enable | disable}
set default-image-file <filename>
set auto-install-image {enable | disable}
end

Reverting to a previous version
This procedure reverts the FortiGate unit to its factory default configuration and deletes
IPS custom signatures, web content lists, email filtering lists, and changes to replacement
messages.
Before beginning this procedure, it is recommended that you:
• back up the FortiGate unit system configuration using the command execute backup config
• back up the IPS custom signatures using the command execute backup ipsuserdefsig
• back up web content and email filtering lists

To use the following procedure, you must have a TFTP server the FortiGate unit can
connect to.
To revert to a previous firmware version using the CLI
1 Make sure the TFTP server is running
2 Copy the firmware image file to the root directory of the TFTP server.
3 Log into the FortiGate CLI.
4 Make sure the FortiGate unit can connect to the TFTP server by using the execute ping command.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is imagev28.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp imagev28.out 192.168.1.168
The FortiGate unit responds with this message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message
similar to the following appears:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
9 To restore your previous configuration, if needed, use the command:
execute restore config tftp <name_str> <tftp_ipv4>
10 Update antivirus and attack definitions using the command:
execute update-now

Installing firmware from a system reboot using the CLI
This procedure installs a firmware image and resets the FortiGate unit to default settings.
You can use this procedure to upgrade to a new firmware version, revert to an older
firmware version, or re-install the current firmware.
To use this procedure, you must connect to the CLI using the FortiGate console port and a
RJ-45 to DB-9, or null modem cable.

381

This procedure reverts the FortiGate unit to its factory default configuration.
For this procedure you install a TFTP server that you can connect to from the FortiGate
internal interface. The TFTP server should be on the same subnet as the internal
interface.
Before beginning this procedure, ensure you back up the FortiGate unit configuration.
If you are reverting to a previous FortiOS version, you might not be able to restore the
previous configuration from the backup configuration file.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.

To install firmware from a system reboot
1 Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure the internal interface is connected to the same network as the TFTP server.
5 To confirm the FortiGate unit can connect to the TFTP server, use the following
command to ping the computer running the TFTP server. For example, if the IP
address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit.
execute reboot
The FortiGate unit responds with the following message:
This operation will reboot the system!
Do you want to continue? (y/n)
7 Type y.
As the FortiGate unit starts, a series of system startup messages appears. When the following message appears:
Press any key to display configuration menu..........
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough,
the FortiGate unit reboots and you must log in and repeat the execute reboot
command.

If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:

382

8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter:
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP
address can be any IP address that is valid for the network the interface is connected
to. Make sure you do not enter the IP address of another device on this network.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and a message
similar to the following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
12 Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might
take a few minutes to complete.

Backup and Restore from a USB key
Use a USB key to either back up a configuration file or restore a configuration file. You should always make sure a USB key is properly installed before proceeding, since the FortiGate unit must recognize that the key is installed in its USB port.
Note: You can only save VPN certificates if you encrypt the file. Make sure the configuration encryption is enabled so you can save the VPN certificates with the configuration file. An encrypted file cannot be used by the USB Auto-Install feature.

To back up configuration using the CLI
1 Log into the CLI.
2 Enter the following command to back up the configuration files:
exec backup config usb <filename>
3 Enter the following command to check the configuration files are on the key:
exec usb-disk list
To restore configuration using the CLI
1 Log into the CLI.
2 Enter the following command to restore the configuration files:
exec restore image usb <filename>
The FortiGate unit responds with the following message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
3 Type y.

383

Testing new firmware before installing
FortiOS enables you to test a new firmware image by installing the firmware image from a
system reboot and saving it to system memory. After completing this procedure, the
FortiGate unit operates using the new firmware image with the current configuration. This
new firmware image is not permanently installed. The next time the FortiGate unit restarts,
it operates with the originally installed firmware image using the current configuration. If
the new firmware image operates successfully, you can install it permanently using the
procedure “Upgrading the firmware - web-based manager” on page 378.
To use this procedure, you must connect to the CLI using the FortiGate console port and a
RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware
image using your current configuration.
For this procedure you install a TFTP server that you can connect to from the FortiGate
internal interface. The TFTP server should be on the same subnet as the internal
interface.
To test the new firmware image
1 Connect to the CLI using a RJ-45 to DB-9 or null modem cable.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure the FortiGate unit can connect to the TFTP server using the execute
ping command.
5 Enter the following command to restart the FortiGate unit:
execute reboot
6 As the FortiGate unit reboots, a series of system startup messages appears. When the following message appears:
Press any key to display configuration menu....
7 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:

384

FortiOS™ Handbook FortiOS 4.0 MR2 System Administration
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Basic setup

Firmware

9 Type the address of the TFTP server and press Enter:
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address must be on the same network as the TFTP server, but make sure you do not use the IP address of another device on the network.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and the
following appears.
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
12 Type R.
The FortiGate image is installed to system memory and the FortiGate unit starts
running the new firmware image, but with its current configuration.
You can test the new firmware image as required. When done testing, you can reboot the
FortiGate unit, and the FortiGate unit will resume using the firmware that was running
before you installed the test firmware.

385

Using the CLI
The command line interface (CLI) is an alternative configuration tool to the web-based
manager.
Both can be used to configure the FortiGate unit. While configuration in the web-based manager is a point-and-click method, the CLI requires typing commands, or uploading batches of commands from a text file, such as a configuration script.
If you are new to Fortinet products, or if you are new to the CLI, this section can help you become familiar with it.
This section contains the following topics:


• Connecting to the CLI
• Command syntax
• Sub-commands
• Permissions
• Tips

Connecting to the CLI
You can access the CLI in two ways:


• Locally — Connect your computer directly to the FortiGate unit’s console port.
• Through the network — Connect your computer through any network attached to one of the FortiGate unit’s network ports. The network interface must have enabled Telnet or SSH administrative access if you will connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you will connect using the CLI Console widget in the web-based manager.

Local access is required in some cases.
• If you are installing your FortiGate unit for the first time and it is not yet configured to connect to your network, unless you reconfigure your computer’s network settings for a peer connection, you may only be able to connect to the CLI using a local serial console connection. For more information, see “Connecting to the CLI” on page 362.
• Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, and therefore local CLI access is the only viable option.

Before you can access the CLI through the network, you usually must enable SSH and/or
Telnet on the network interface through which you will access the CLI.

Connecting to the CLI using a local console
Local console connections to the CLI are formed by directly connecting your management
computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port. To
connect to the local console you need:


a computer with an available serial communications (COM) port



the RJ-45-to-DB-9 or null modem cable included in your FortiGate package



terminal emulation software such as HyperTerminal for Microsoft Windows


Note: The following procedure describes connection using Microsoft HyperTerminal
software; steps may vary with other terminal emulators.

To connect to the CLI using a local serial console connection
1 Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console
port to the serial communications (COM) port on your management computer.
2 On your management computer, start HyperTerminal.
3 For the Connection Description, enter a Name for the connection, and select OK.
4 On the Connect using drop-down list box, select the communications (COM) port on
your management computer you are using to connect to the FortiGate unit.
5 Select OK.
6 Select the following Port settings and select OK.
  Bits per second: 9600
  Data bits: 8
  Parity: None
  Stop bits: 1
  Flow control: None

7 Press Enter or Return on your keyboard to connect to the CLI.
8 Type a valid administrator account name (such as admin) and press Enter.
9 Type the password for that administrator account and press Enter. (In its default state,
there is no password for the admin account.)
The CLI displays the following text:
Welcome!
Type ? to list available commands.
You can now enter CLI commands, including configuring access to the CLI through
SSH or Telnet. For details, see “Enabling access to the CLI through the network (SSH
or Telnet)” on page 388.

Enabling access to the CLI through the network (SSH or Telnet)
SSH or Telnet access to the CLI is accomplished by connecting your computer to the
FortiGate unit using one of its RJ-45 network ports. You can either connect directly, using
a peer connection between the two, or through any intermediary network.
Note: If you do not want to use an SSH/Telnet client and you have access to the web-based
manager, you can alternatively access the CLI through the network using the CLI Console
widget in the web-based manager.

You must enable SSH and/or Telnet on the network interface associated with that physical
network port. If your computer is not connected directly or through a switch, you must also
configure the FortiGate unit with a static route to a router that can forward packets from
the FortiGate unit to your computer.
You can do this using either:
• a local console connection
• the web-based manager

Requirements
• a computer with an available serial communications (COM) port and RJ-45 port
• terminal emulation software such as HyperTerminal for Microsoft Windows
• the RJ-45-to-DB-9 or null modem cable included in your FortiGate package
• a network cable
• prior configuration of the operating mode, network interface, and static route (for
details, see)

To enable SSH or Telnet access to the CLI using a local console connection
1 Using the network cable, connect the FortiGate unit’s network port either directly to
your computer’s network port, or to a network through which your computer can reach
the FortiGate unit.
2 Note the number of the physical network port.
3 Using a local console connection, connect and log into the CLI. For details, see
“Connecting to the CLI using a local console” on page 387.
4 Enter the following command:
config system interface
    edit <interface_str>
        set allowaccess <protocols_list>
    next
end
where:
• <interface_str> is the name of the network interface associated with the
physical network port and containing its number, such as port1
• <protocols_list> is the complete, space-delimited list of permitted
administrative access protocols, such as https ssh telnet
For example, to exclude HTTP, HTTPS, SNMP, and PING, and allow only SSH and
Telnet administrative access on port1:
config system interface
    edit port1
        set allowaccess ssh telnet
    next
end

Caution: Telnet is not a secure access method. SSH should be used to access the CLI
from the Internet or any other untrusted network.

5 To confirm the configuration, enter the command to display the network interface’s
settings.
get system interface <interface_str>
The CLI displays the settings, including the allowed administrative access protocols,
for the network interfaces.
To connect to the CLI through the network interface, see “Connecting to the CLI using
SSH” on page 389 or “Connecting to the CLI using Telnet” on page 390.

Connecting to the CLI using SSH
Once the FortiGate unit is configured to accept SSH connections, you can use an SSH
client on your management computer to connect to the CLI.
Secure Shell (SSH) provides both secure authentication and secure communications to
the CLI.

Note: FortiGate units support 3DES and Blowfish encryption algorithms for SSH.

Before you can connect to the CLI using SSH, you must first configure a network interface
to accept SSH connections. For details, see “Enabling access to the CLI through the
network (SSH or Telnet)” on page 388.
Note: The following procedure uses PuTTY. Steps may vary with other SSH clients.

To connect to the CLI using SSH
1 On your management computer, start an SSH client.
2 In Host Name (or IP Address), enter the IP address of a network interface on which
you have enabled SSH administrative access.
3 In Port, enter 22.
4 For the Connection type, select SSH.
5 Select Open.
The SSH client connects to the FortiGate unit.
The SSH client may display a warning if this is the first time you are connecting to the
FortiGate unit and its SSH key is not yet recognized by your SSH client, or if you have
previously connected to the FortiGate unit but it used a different IP address or SSH
key. If your management computer is directly connected to the FortiGate unit with no
network hosts between them, this is normal.
6 Click Yes to verify the fingerprint and accept the FortiGate unit’s SSH key. You will not
be able to log in until you have accepted the key.
The CLI displays a login prompt.
7 Type a valid administrator account name (such as admin) and press Enter.
8 Type the password for this administrator account and press Enter.
Note: If three incorrect login or password attempts occur in a row, you will be disconnected.
Wait one minute, then reconnect to attempt the login again.

The FortiGate unit displays a command prompt (its host name followed by a #).
You can now enter CLI commands.

Connecting to the CLI using Telnet
Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet
client on your management computer to connect to the CLI.
Caution: Telnet is not a secure access method. SSH should be used to access the CLI
from the Internet or any other untrusted network.

Before you can connect to the CLI using Telnet, you must first configure a network
interface to accept Telnet connections. For details, see “Enabling access to the CLI
through the network (SSH or Telnet)” on page 388.

390

FortiOS™ Handbook FortiOS 4.0 MR2 System Administration
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Using the CLI

Command syntax

To connect to the CLI using Telnet
1 On your management computer, start a Telnet client.
2 Connect to a FortiGate network interface on which you have enabled Telnet.
3 Type a valid administrator account name (such as admin) and press Enter.
4 Type the password for this administrator account and press Enter.
Note: If three incorrect login or password attempts occur in a row, you will be disconnected.
Wait one minute, then reconnect to attempt the login again.

The FortiGate unit displays a command prompt (its host name followed by a #).
You can now enter CLI commands.

Command syntax
When entering a command, the command line interface (CLI) requires that you use valid
syntax and conform to expected input constraints. It will reject invalid commands.
Fortinet documentation uses the following conventions to describe valid command syntax.

Terminology
Each command line consists of a command word that is usually followed by words for the
configuration data or other specific item that the command uses or affects:
get system admin
To describe the function of each word in the command line, especially if that nature has
changed between firmware versions, Fortinet uses terms with the following definitions.
Figure 44: Command syntax terminology
    config system interface          (command: config; object: system interface)
    edit <port_name>                 (sub-command: edit; table: <port_name>)
    set status {up | down}           (field: status; option: {up | down})
    set ip <interface_ipv4mask>      (field: ip; value: <interface_ipv4mask>)
    next
    end

• command — A word that begins the command line and indicates an action that the
FortiGate unit should perform on a part of the configuration or host on the network,
such as config or execute. Together with other words, such as fields or values, that
end when you press the Enter key, it forms a command line. Exceptions include
multiline command lines, which can be entered using an escape sequence. (See
“Shortcuts and key commands” on page 399.)
Valid command lines must be unambiguous if abbreviated. (See “Command
abbreviation” on page 399.) Optional words or other command line permutations are
indicated by syntax notation. (See “Notation” on page 392.)
• sub-command — A kind of command that is available only when nested within the
scope of another command. After entering a command, its applicable sub-commands
are available to you until you exit the scope of the command, or until you descend an
additional level into another sub-command. Indentation is used to indicate levels of
nested commands. (See “Indentation” on page 392.)
Not all top-level commands have sub-commands. Available sub-commands vary by
their containing scope. (See “Sub-commands” on page 393.)
• object — A part of the configuration that contains tables and/or fields. Valid command
lines must be specific enough to indicate an individual object.
• table — A set of fields that is one of possibly multiple similar sets which each have a
name or number, such as an administrator account, policy, or network interface. These
named or numbered sets are sometimes referenced by other parts of the configuration
that use them. (See “Notation” on page 392.)
• field — The name of a setting, such as ip or hostname. Fields in some tables must
be configured with values. Failure to configure a required field will result in an invalid
object configuration error message, and the FortiGate unit will discard the invalid table.
• value — A number, letter, IP address, or other type of input that is usually your
configuration setting held by a field. Some commands, however, require multiple input
values which may not be named but are simply entered in sequential order in the same
command line. Valid input types are indicated by constraint notation. (See “Notation”
on page 392.)
• option — A kind of value that must be one or more words from a fixed set of options.
(See “Notation” on page 392.)

Indentation
Indentation indicates levels of nested commands, which indicate what other
sub-commands are available from within the scope. For example, the edit sub-command
is available only within a command that affects tables, and the next sub-command is
available only from within the edit sub-command:
config system interface
    edit port1
        set status up
    next
end
For information about available sub-commands, see “Sub-commands” on page 393.

Notation
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.
Table 30: Command syntax notation

Square brackets [ ]
    A non-required word or series of words. For example:
    [verbose {1 | 2 | 3}]
    indicates that you may either omit or type both the verbose word and its
    accompanying option, such as verbose 3.

Angle brackets < >
    A word constrained by data type. The angled brackets contain a descriptive name
    followed by an underscore ( _ ) and suffix that indicates the valid data type. For
    example, <retries_int> indicates that you should enter a number of retries, such
    as 5.
    Data types include:
    • <xxx_name>: A name referring to another part of the configuration, such as
      policy_A.
    • <xxx_index>: An index number referring to another part of the configuration,
      such as 0 for the first static route.
    • <xxx_pattern>: A regular expression or word with wild cards that matches
      possible variations, such as *@example.com to match all email addresses ending
      in @example.com.
    • <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
    • <xxx_email>: An email address, such as admin@example.com.
    • <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
    • <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
    • <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space,
      such as 192.168.1.99 255.255.255.0.
    • <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask
      separated by a slash, such as 192.168.1.1/24.
    • <xxx_ipv4range>: A hyphen ( - )-delimited inclusive range of IPv4 addresses, such
      as 192.168.1.1-192.168.1.255.
    • <xxx_ipv6>: A colon ( : )-delimited hexadecimal IPv6 address, such as
      3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
    • <xxx_v6mask>: An IPv6 netmask, such as /96.
    • <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
    • <xxx_str>: A string of characters that is not another data type, such as
      P@ssw0rd. Strings containing spaces or special characters must be surrounded in
      quotes or use escape sequences. See “Special characters” on page 400.
    • <xxx_int>: An integer number that is not another data type, such as 15 for the
      number of minutes.

Curly braces { }
    A word or series of words that is constrained to a set of options delimited by
    either vertical bars or spaces. You must enter at least one of the options, unless
    the set of options is surrounded by square brackets [ ].

Options delimited by vertical bars |
    Mutually exclusive options. For example:
    {enable | disable}
    indicates that you must enter either enable or disable, but must not enter both.

Options delimited by spaces
    Non-mutually exclusive options. For example:
    {http https ping snmp ssh telnet}
    indicates that you may enter all or a subset of those options, in any order, in a
    space-delimited list, such as:
    ping https ssh
    Note: To change the options, you must re-type the entire list. For example, to add
    snmp to the previous example, you would type:
    ping https snmp ssh
    If the option adds to or subtracts from the existing list of options, instead of
    replacing it, or if the list is comma-delimited, the exception will be noted.
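The suffix conventions in Table 30 are also a checklist that a script can apply to values before it sends a configuration batch to the unit, so that a mistyped address is caught before the CLI rejects the command. The following is an added example, not code from the FortiOS Handbook or from FortiOS: it maps each documented suffix to a check using only Python's standard library. The fqdn and email patterns are deliberately simplified, and the form assumed for <xxx_ipv6mask> (address, space, /prefix) is this example's own, since the table gives no sample value for it.

```python
"""Check CLI values against the <xxx_suffix> data types of Table 30.

Added example; it is not code from the FortiOS Handbook or from FortiOS. The
suffix names and sample values are the table's, the checks are this example's
own (the fqdn/email regexes are simplified, and the assumed form of
<xxx_ipv6mask> is "<address> /<prefix>", which the table does not spell out).
"""
import ipaddress
import re

_FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}$", re.I)


def _parses(cls, value):
    """True if `value` is accepted by the given ipaddress class."""
    try:
        cls(value)
        return True
    except ValueError:
        return False


def _v4mask(value):
    """Dotted-decimal netmask whose one bits are contiguous, e.g. 255.255.255.0."""
    if not _parses(ipaddress.IPv4Address, value):
        return False
    host_bits = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
    return (host_bits + 1) & host_bits == 0


def _v6mask(value):
    """Prefix-length form used by the table, e.g. /96."""
    m = re.fullmatch(r"/(\d{1,3})", value)
    return m is not None and int(m.group(1)) <= 128


def _ipv4_range(value):
    """Hyphen-delimited inclusive range, low address first."""
    parts = value.split("-")
    if len(parts) != 2 or not all(_parses(ipaddress.IPv4Address, p) for p in parts):
        return False
    return ipaddress.IPv4Address(parts[0]) <= ipaddress.IPv4Address(parts[1])


def _pair(value, left, right):
    """Two space-separated words, each checked by its own predicate."""
    parts = value.split(" ")
    return len(parts) == 2 and left(parts[0]) and right(parts[1])


_CHECKS = {
    "int": lambda v: re.fullmatch(r"-?\d+", v) is not None,
    "index": str.isdigit,
    "ipv4": lambda v: _parses(ipaddress.IPv4Address, v),
    "v4mask": _v4mask,
    "ipv4mask": lambda v: _pair(v, lambda a: _parses(ipaddress.IPv4Address, a), _v4mask),
    "ipv4/mask": lambda v: "/" in v and _parses(ipaddress.IPv4Interface, v),
    "ipv4range": _ipv4_range,
    "ipv6": lambda v: _parses(ipaddress.IPv6Address, v),
    "v6mask": _v6mask,
    # Assumed form "<ipv6 address> /<prefix>"; the table gives no example.
    "ipv6mask": lambda v: _pair(v, lambda a: _parses(ipaddress.IPv6Address, a), _v6mask),
    "fqdn": lambda v: _FQDN_RE.match(v) is not None,
    "email": lambda v: _EMAIL_RE.match(v) is not None,
    # name, pattern and str carry no format beyond "not empty"; reserved
    # characters are a separate rule (see "Special characters").
    "name": lambda v: v != "" and " " not in v,
    "pattern": lambda v: v != "",
    "str": lambda v: v != "",
}


def validate(placeholder, value):
    """Check `value` against the suffix of `placeholder`, e.g. "<retries_int>".

    Returns (ok, message). An unknown suffix is rejected, never silently passed.
    """
    token = placeholder.strip("<>")
    if "_" not in token:
        return False, f"{placeholder}: no data-type suffix"
    suffix = token.rsplit("_", 1)[1]
    check = _CHECKS.get(suffix)
    if check is None:
        return False, f"{placeholder}: unknown data type {suffix!r}"
    ok = bool(check(value))
    return ok, f"{value!r} {'is' if ok else 'is not'} a valid {suffix}"


if __name__ == "__main__":
    # Sample values taken from Table 30, plus a few deliberate mistakes.
    for ph, val in [("<retries_int>", "5"), ("<retries_int>", "five"),
                    ("<xxx_ipv4mask>", "192.168.1.99 255.255.255.0"),
                    ("<xxx_v4mask>", "255.0.255.0"),
                    ("<xxx_ipv4range>", "192.168.1.255-192.168.1.1")]:
        print(validate(ph, val)[1])
```

The netmask check is the one most worth having: ipaddress accepts 255.0.255.0 as an address, but it is not a netmask, and the unit would reject the `set ip` line that carries it.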

Sub-commands
Each command line consists of a command word that is usually followed by words for the
configuration data or other specific item that the command uses or affects:
get system admin

Sub-commands are available from within the scope of some commands. When you enter a
sub-command level, the command prompt changes to indicate the name of the current
command scope. For example, after entering:
config system admin
the command prompt becomes:
(admin)#
Applicable sub-commands are available to you until you exit the scope of the command,
or until you descend an additional level into another sub-command.
For example, the edit sub-command is available only within a command that affects
tables; the next sub-command is available only from within the edit sub-command:
config system interface
    edit port1
        set status up
    next
end
Note: Sub-command scope is indicated in this guide by indentation. See
“Indentation” on page 392.

Available sub-commands vary by command. From a command prompt within config, two
types of sub-commands might become available:
• commands affecting fields
• commands affecting tables

Table 31: Commands for tables

clone <table>
    Clone (or make a copy of) a table from the current object.
    For example, in config firewall policy, you could enter the following
    command to clone firewall policy 27 to create firewall policy 30:
    clone 27 to 30
    In config antivirus profile, you could enter the following command
    to clone an antivirus profile named av_pro_1 to create a new antivirus
    profile named av_pro_2:
    clone av_pro_1 to av_pro_2
    clone may not be available for all tables.

delete <table>
    Remove a table from the current object.
    For example, in config system admin, you could delete an administrator
    account named newadmin by typing delete newadmin and pressing
    Enter. This deletes newadmin and all its fields, such as newadmin’s
    first-name and email-address.
    delete is only available within objects containing tables.

edit <table>
    Create or edit a table in the current object.
    For example, in config system admin:
    • edit the settings for the default admin administrator account by typing
      edit admin.
    • add a new administrator account with the name newadmin and edit
      newadmin’s settings by typing edit newadmin.
    edit is an interactive sub-command: further sub-commands are available
    from within edit.
    edit changes the prompt to reflect the table you are currently editing.
    edit is only available within objects containing tables.
    In objects such as firewall policies, <table> is a sequence number. To
    create a new entry without the risk of overwriting an existing one, enter
    edit 0. The CLI initially confirms the creation of entry 0, but assigns the
    next unused number after you finish editing and enter end.

end
    Save the changes to the current object and exit the config command. This
    returns you to the top-level command prompt.

get
    List the configuration of the current object or table.
    • In objects, get lists the table names (if present), or fields and their
      values.
    • In a table, get lists the fields and their values.
    For more information on get commands, see the CLI Reference.

purge
    Remove all tables in the current object.
    For example, in config forensic user, you could type get to see the
    list of user names, then type purge and then y to confirm that you want to
    delete all users.
    purge is only available for objects containing tables.
    Caution: Back up the FortiGate unit before performing a purge. purge
    cannot be undone. To restore purged tables, the configuration must be
    restored from a backup.
    Caution: Do not purge system interface or system admin tables.
    purge does not provide default tables. This can result in being unable to
    connect or log in, requiring the FortiGate unit to be formatted and restored.

rename <table> to <table>
    Rename a table.
    For example, in config system admin, you could rename admin3 to
    fwadmin by typing rename admin3 to fwadmin.
    rename is only available within objects containing tables.

show
    Display changes to the default configuration. Changes are listed in the form
    of configuration commands.

Example of table commands
From within the system admin object, you might enter:
edit admin_1
The CLI acknowledges the new table, and changes the command prompt to show that you
are now within the admin_1 table:
new entry 'admin_1' added
(admin_1)#
Table 32: Commands for fields

abort
    Exit both the edit and/or config commands without saving the fields.

end
    Save the changes made to the current table or object fields, and exit the config
    command. (To exit without saving, use abort instead.)

get
    List the configuration of the current object or table.
    • In objects, get lists the table names (if present), or fields and their values.
    • In a table, get lists the fields and their values.

next
    Save the changes you have made in the current table’s fields, and exit the edit
    command to the object prompt. (To save and exit completely to the root prompt,
    use end instead.)
    next is useful when you want to create or edit several tables in the same object,
    without leaving and re-entering the config command each time.
    next is only available from a table prompt; it is not available from an object
    prompt.

set <field> <value>
    Set a field’s value.
    For example, in config system admin, after typing edit admin, you could
    type set password newpass to change the password of the admin
    administrator to newpass.
    Note: When using set to change a field containing a space-delimited list, type
    the whole new list. For example, set <field> <new-value> will replace the
    list with the <new-value> rather than appending <new-value> to the list.

show
    Display changes to the default configuration. Changes are listed in the form of
    configuration commands.

unset <field>
    Reset the table or object’s fields to default values.
    For example, in config system admin, after typing edit admin, typing
    unset password resets the password of the admin administrator account to
    the default (in this case, no password).

Example of field commands
From within the admin_1 table, you might enter:
set password my1stExamplePassword
to assign the value my1stExamplePassword to the password field. You might then
enter the next command to save the changes and edit the next administrator’s table.
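The scoping rules described in this section (config ... end, edit ... next, set replacing a whole list, and end leaving both the table and the object) are enough to parse the text that show produces. The following added example, which is not code from the FortiOS Handbook or from FortiOS, parses a constructed sample of show system interface output into nested dictionaries and then checks every interface's allowaccess list for the cleartext protocols that the "Enabling access to the CLI through the network (SSH or Telnet)" procedure cautions against exposing on untrusted networks. The sample text and the list of protocols to flag are this example's own.

```python
"""Parse FortiOS-style nested configuration text and audit management access.

Added example, not code from the FortiOS Handbook or from FortiOS. It implements
the scoping rules described in "Sub-commands" (config ... end, edit ... next,
set, unset, and end from inside a table leaving both the table and the object)
and then applies one audit policy of this example's own: flag interfaces whose
allowaccess list includes a cleartext management protocol. The sample text is
constructed to look like "show system interface" output.
"""
import shlex

# Example policy (not the handbook's): cleartext protocols that should not be
# offered for administrative access on untrusted networks.
CLEARTEXT = {"telnet", "http"}

# Constructed sample; port2 sets allowaccess twice to show that a later set
# replaces the whole list rather than appending to it.
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh telnet
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess https ssh
        set allowaccess ssh
    next
    edit "port3"
        set allowaccess http
    next
end
"""


def parse_config(text):
    """Return nested dicts: object -> table -> field -> list of values.

    Objects without tables (e.g. "system global") map field names directly.
    A later `set` replaces the whole value list; `unset` drops the field.
    """
    root = {}
    stack = [root]        # containers, innermost last
    kinds = ["root"]      # "config" or "edit" for each container above root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]
        if cmd == "config":
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
            kinds.append("config")
        elif cmd == "edit":
            if kinds[-1] != "config" or len(args) != 1:
                raise ValueError(f"edit outside a config scope: {line}")
            node = stack[-1].setdefault(args[0], {})
            stack.append(node)
            kinds.append("edit")
        elif cmd == "set":
            if len(args) < 2:
                raise ValueError(f"set needs a field and a value: {line}")
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            if len(args) != 1:
                raise ValueError(f"unset needs exactly one field: {line}")
            stack[-1].pop(args[0], None)
        elif cmd == "next":
            if kinds[-1] != "edit":
                raise ValueError(f"next outside an edit scope: {line}")
            stack.pop()
            kinds.pop()
        elif cmd == "end":
            # end saves and leaves the config command, even from inside a table
            while kinds[-1] == "edit":
                stack.pop()
                kinds.pop()
            if kinds[-1] != "config":
                raise ValueError(f"end outside a config scope: {line}")
            stack.pop()
            kinds.pop()
        else:
            raise ValueError(f"unknown command word: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config or edit scope")
    return root


def audit_allowaccess(config):
    """List (interface, protocol) pairs where a cleartext protocol is enabled."""
    findings = []
    for name, fields in sorted(config.get("system interface", {}).items()):
        for proto in fields.get("allowaccess", []):
            if proto in CLEARTEXT:
                findings.append((name, proto))
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_SHOW_OUTPUT)
    for iface, proto in audit_allowaccess(cfg):
        print(f"{iface}: cleartext administrative access enabled ({proto})")
```

Feeding the parser a captured `show system interface` (or a full backup file, which uses the same syntax) gives a structure that can be diffed between audits; the same walk can check any other field, such as whether an interface has any allowaccess at all.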

Permissions
Depending on the account that you use to log in to the FortiGate unit, you may not have
complete access to all CLI commands.
Access profiles control which CLI commands an administrator account can access.
Access profiles assign either read, write, or no access to each area of the FortiGate
software. To view configurations, you must have read access. To make changes, you must
have write access.
Table 33: Areas of control in access profiles
Each entry gives the access control area name (in the web-based manager / in the CLI),
then what it grants access to. (For each config command, there is an equivalent
get/show command, unless otherwise noted. config access requires write permission.
get/show access requires read permission.)

Admin Users / admingrp
    System > Admin
    config system admin
    config system accprofile

Auth Users / authgrp
    User
    config imp2p aim-user
    config imp2p icq-user
    config imp2p msn-user
    config imp2p yahoo-user
    config user

Endpoint NAC / endpointcontrol-grp
    Endpoint NAC
    config endpoint-control

Firewall Configuration / fwgrp
    Firewall
    config firewall
    config gui topology
    execute fsae refresh

FortiGuard Update / updategrp
    System > Maintenance > FortiGuard
    config system autoupdate
    execute update-ase
    execute update-av
    execute update-ips
    execute update-now

Log & Report / loggrp
    Log & Report
    config alertemail
    config log
    config system alertemail
    config system fortianalyzer1/2/3
    execute formatlogdisk
    execute fortiguard-log
    execute log

Maintenance / mntgrp
    System > Maintenance
    diagnose sys ...
    execute backup ...
    execute batch
    execute central-mgmt
    execute factoryreset
    execute reboot
    execute restore
    execute shutdown
    execute usb-disk

Network Configuration / netgrp
    System > Network > Interface
    config system interface

Router Configuration / routegrp
    Router
    config router ...
    execute mrouter
    execute router

System Configuration / sysgrp
    System > Status (all), System > Network > Options,
    System > Network > DNS Database,
    System > Config (all),
    System > Admin > Central Management,
    System > Admin > Settings, Wireless Controller
    config gui console
    config system auto-install, bug report,
    central-management, console, dns,
    dns-database, fips-cc, fortiguard,
    fortiguard-log, global, ha, ipv6-tunnel,
    modem, ntp, password-policy, replacemsg,
    session-helper, session-sync, session-ttl,
    settings, sit-tunnel, snmp,
    switch-interface, tos-based-priority, wccp
    config wireless-controller ...
    execute cfg, cli, date,
    disconnect-admin-session, enter,
    factoryreset, fortiguard-log, ha, modem,
    ping, ping-options, ping6, ping6-options,
    reboot, send-fds-statistics,
    set-next-reboot, shutdown, ssh, telnet, time,
    traceroute
    get gui console
    get ipsec tunnel
    get system central-mgmt, cmdb,
    fdp-fortianalyzer,
    fortianalyzer-connectivity,
    fortiguard-log-service,
    fortiguard-service, info, performance,
    session
    get wireless-controller

UTM Configuration / utmgrp
    UTM
    config antivirus
    config application
    config imp2p old-version
    config imp2p policy
    config ips
    config spamfilter
    config webfilter

VPN Configuration / vpngrp
    VPN
    config vpn
    execute vpn

Unlike other administrator accounts, the administrator account named admin exists by
default and cannot be deleted. The admin administrator account is similar to a root
administrator account. This administrator account always has full permission to view and
change all FortiGate configuration options, including viewing and changing all other
administrator accounts. Its name and permissions cannot be changed. It is the only
administrator account that can reset another administrator’s password without being
required to enter that administrator’s existing password.
Caution: Set a strong password for the admin administrator account, and change the
password regularly. By default, this administrator account has no password. Failure to
maintain the password of the admin administrator account could compromise the security
of your FortiGate unit.


For complete access to all commands, you must log in with the administrator account
named admin.

Tips
Basic features and characteristics of the CLI environment provide support and ease of use
for many CLI tasks.

Help
To display brief help during command entry, press the question mark (?) key.
• Press the question mark (?) key at the command prompt to display a list of the
commands available and a description of each command.
• Type a word or part of a word, then press the question mark (?) key to display a list of
valid word completions or subsequent words, and to display a description of each.

Shortcuts and key commands
Table 34: Shortcuts and key commands

Keys            Action
?               List valid word completions or subsequent words. If multiple words could
                complete your entry, display all possible completions with helpful
                descriptions of each.
Tab             Complete the word with the next available match. Press the key multiple
                times to cycle through available matches.
Up arrow, or    Recall the previous command. Command memory is limited to the current
Ctrl + P        session.
Down arrow, or  Recall the next command.
Ctrl + N
Left or Right   Move the cursor left or right within the command line.
arrow
Ctrl + A        Move the cursor to the beginning of the command line.
Ctrl + E        Move the cursor to the end of the command line.
Ctrl + B        Move the cursor backwards one word.
Ctrl + F        Move the cursor forwards one word.
Ctrl + D        Delete the current character.
Ctrl + C        Abort current interactive commands, such as when entering multiple lines.
                If you are not currently within an interactive command such as config or
                edit, this closes the CLI connection.
\ then Enter    Continue typing a command on the next line for a multi-line command. For
                each line that you want to continue, terminate it with a backslash ( \ ).
                To complete the command line, terminate it by pressing the spacebar and
                then the Enter key, without an immediately preceding backslash.

Command abbreviation
You can abbreviate words in the command line to their smallest number of non-ambiguous
characters.
For example, the command get system status could be abbreviated to g sy st.
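How an abbreviation resolver has to behave follows from that rule: each word is compared against the words valid at that position, an exact match wins, and a word with zero or more than one prefix match is an error that lists the candidates (the same list the ? key would show). The following added example, not code from the FortiOS Handbook or from FortiOS, applies that to a small constructed command tree; the real word set is larger and varies by firmware version, and words past the last command word (table names, values) are passed through unchanged.

```python
"""Resolve abbreviated CLI command lines to their full words.

Added example, not code from the FortiOS Handbook or from FortiOS. It applies the
rule that each word may be shortened to its smallest unambiguous prefix, using a
small command tree that this example constructs; the real word set is far larger
and version-dependent.
"""

# Constructed subset of command words; each dict level is one word position.
# An empty dict marks the end of the command words: whatever follows is an
# argument (table name, value) and is not abbreviated.
COMMAND_TREE = {
    "config": {"system": {"admin": {}, "global": {}, "interface": {}},
               "firewall": {"policy": {}}},
    "execute": {"ping": {}, "reboot": {}, "shutdown": {}},
    "get": {"hardware": {"nic": {}},
            "system": {"interface": {}, "session": {}, "status": {}}},
    "show": {"system": {"interface": {}, "replacemsg": {}}},
}


class AmbiguousCommand(ValueError):
    """Raised when a word has no match or more than one match."""

    def __init__(self, word, candidates):
        self.word = word
        self.candidates = candidates
        what = "ambiguous" if candidates else "unknown"
        super().__init__(f"{what} word {word!r}: {' '.join(candidates) or 'no match'}")


def completions(word, candidates):
    """Words that `word` could mean: an exact match wins, otherwise all prefix
    matches in sorted order (this is what the ? key would list)."""
    if word in candidates:
        return [word]
    return sorted(c for c in candidates if c.startswith(word))


def expand(command_line, tree=COMMAND_TREE):
    """Expand "g sy st" to "get system status"; raise if any word is not unique."""
    node = tree
    full = []
    words = command_line.split()
    for i, word in enumerate(words):
        if not node:                      # past the last command word: arguments
            full.extend(words[i:])
            break
        matches = completions(word, node)
        if len(matches) != 1:
            raise AmbiguousCommand(word, matches)
        full.append(matches[0])
        node = node[matches[0]]
    return " ".join(full)


if __name__ == "__main__":
    print(expand("g sy st"))   # get system status
    try:
        expand("g sy s")
    except AmbiguousCommand as exc:
        print(exc)             # ambiguous word 's': session status
```

The exact-match-first step matters when one word is a prefix of another (for example ip and ipv6 as field names): without it, the full word could never be typed unambiguously.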


Environment variables
The CLI supports the following environment variables. Variable names are case-sensitive.
$USERFROM     The management access type (ssh, telnet, jsconsole for the CLI Console
              widget in the web-based manager, and so on) and the IP address of the
              administrator that configured the item.
$USERNAME     The account name of the administrator that configured the item.
$SerialNum    The serial number of the FortiGate unit.
For example, the FortiGate unit’s host name can be set to its serial number.
config system global
    set hostname $SerialNum
end
As another example, you could log in as admin1, then configure a restricted secondary
administrator account for yourself named admin2, whose first-name is admin1 to
indicate that it is another of your accounts:
config system admin
    edit admin2
        set first-name $USERNAME
    next
end

Special characters
The characters <, >, (, ), #, ', and " are not permitted in most CLI fields. These characters
are special characters, sometimes also called reserved characters.
You may be able to enter a special character as part of a string’s value by using a special
command, enclosing it in quotes, or preceding it with an escape sequence, in this case a
backslash ( \ ) character.
Table 35: Entering special characters

Character                       Keys
?                               Ctrl + V then ?
Tab                             Ctrl + V then Tab
Space (to be interpreted as     Enclose the string in quotation marks: "Security Administrator".
part of a string value, not     Enclose the string in single quotes: 'Security Administrator'.
to end the string)              Precede the space with a backslash: Security\ Administrator.
' (to be interpreted as part    \'
of a string value, not to end
the string)
" (to be interpreted as part    \"
of a string value, not to end
the string)
\                               \\

If you need to add configuration via CLI that requires ? as part of config, you need to input
CTRL-V first. If you enter the question mark (?) without first using CTRL-V, the question
mark has a different meaning in CLI: it will show available command options in that
section.
For example, if you enter ? without CTRL-V:

400

FortiOS™ Handbook FortiOS 4.0 MR2 System Administration
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback


edit "*.xe
token line: Unmatched double quote.
If you enter ? with CTRL-V:
edit "*.xe?"
new entry '*.xe?' added

Using grep to filter get and show command output
In many cases the get and show (and diagnose) commands may produce a large
amount of output. If you are looking for specific information in a large get or show
command output you can use the grep command to filter the output to only display what
you are looking for. The grep command is based on the standard UNIX grep, used for
searching text output based on regular expressions.
Information about how to use grep and regular expressions is available on the Internet;
just do a search for grep. For example, see
http://www.opengroup.org/onlinepubs/009695399/utilities/grep.html.

Examples
Use the following command to display the MAC address of the FortiGate unit internal
interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr
00:09:0f:cb:c2:75
Use the following command to display all TCP sessions in the session list and include the
session list line number in the output:
get system session list | grep -n tcp
Use the following command to display all lines in HTTP replacement message commands
that contain URL (upper or lower case):
show system replacemsg http | grep -i url

Language support and regular expressions
Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input.
Support varies by the nature of the item being configured. CLI commands, objects, field
names, and options must use their exact ASCII characters, but some items with arbitrary
names or values may be input using your language of choice.
For example, the host name must not contain special characters, and so the web-based
manager and CLI will not accept most symbols and other non-ASCII encoded characters
as input when configuring the host name. This means that languages other than English
often are not supported. However, some configuration items, such as names and
comments, may be able to use the language of your choice.
To use other languages in those cases, you must use the correct encoding.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings
into UTF-8 before it is stored. If your input method encodes some characters differently
than in UTF-8, your configured items may not display or operate as expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character
values. If you enter a regular expression using another encoding, or if an HTTP
client sends a request in an encoding other than UTF-8, matches may not be what
you expect.


For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as yen
symbols ( ¥ ) and vice versa. A regular expression intended to match HTTP requests
containing money values with a yen symbol therefore may not work if the symbol is
entered using the wrong encoding.
For best results, you should:
• use UTF-8 encoding, or
• use only the characters whose numerically encoded values are the same in UTF-8,
  such as the US-ASCII characters that are also encoded using the same values in
  ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or
• for regular expressions that must match HTTP requests, use the same encoding as
  your HTTP clients.
Note: HTTP clients may send requests in encodings other than UTF-8. Encodings usually
vary by the client’s operating system or input language. If you cannot predict the client’s
encoding, you may only be able to match any parts of the request that are in English,
because regardless of the encoding, the values for English characters tend to be encoded
identically. For example, English words may be legible regardless of interpreting a web
page as either ISO 8859-1 or as GB2312, whereas simplified Chinese characters might
only be legible if the page is interpreted as GB2312.

To configure your FortiGate unit using other encodings, you may need to switch language
settings on your management computer, including for your web browser or Telnet/SSH
client. For instructions on how to configure your management computer's operating
system language, locale, or input method, see its documentation.
Note: If you choose to configure parts of the FortiGate unit using non-ASCII characters,
verify that all systems interacting with the FortiGate unit also support the same encodings.
You should also use the same encoding throughout the configuration if possible in order to
avoid needing to switch the language settings of the web-based manager and your web
browser or Telnet/SSH client while you work.

Similarly to input, your web browser or CLI client should usually interpret display output as
encoded using UTF-8. If it does not, your configured items may not display correctly in the
web-based manager or CLI. Exceptions include items such as regular expressions that
you may have configured using other encodings in order to match the encoding of HTTP
requests that the FortiGate unit receives.
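The encoding mismatch described above, demonstrated in Python as an added example that is not part of the handbook: the pattern is compiled over its UTF-8 byte values, as the handbook says FortiOS stores it, and then run against constructed request bodies from a UTF-8 client and an ISO 8859-1 client. The transcoding step and the same_bytes_in check are this example's own helpers, not FortiGate behaviour.

```python
import re


def compile_as_stored(pattern_text):
    """Compile a pattern over its UTF-8 byte values. The handbook says FortiOS
    stores input as UTF-8 and matches on those values without normalizing other
    encodings, so the pattern is compiled as bytes, not as text."""
    return re.compile(pattern_text.encode("utf-8"))


def matches_raw(pattern, body):
    """Match directly against the bytes the HTTP client sent."""
    return pattern.search(body) is not None


def matches_transcoded(pattern, body, client_encoding):
    """Match after transcoding the client's bytes to UTF-8. This works only when
    you know the client's encoding; it is done here to show the difference, not
    because the FortiGate unit performs this normalization."""
    return pattern.search(body.decode(client_encoding).encode("utf-8")) is not None


def same_bytes_in(text, *encodings):
    """True when text has identical byte values in every listed encoding, which
    is the handbook's 'safe subset' criterion (US-ASCII letters qualify)."""
    return len({text.encode(enc) for enc in encodings}) == 1


# Constructed request fragments: the same query as sent by two clients that use
# different encodings. The yen sign is C2 A5 in UTF-8 but a single A5 in ISO 8859-1.
REQUEST_UTF8 = "q=price ¥1200".encode("utf-8")
REQUEST_LATIN1 = "q=price ¥1200".encode("iso-8859-1")

YEN_AMOUNT = compile_as_stored(r"¥\d+")         # non-ASCII: encoding-sensitive
ENGLISH_WORD = compile_as_stored(r"\bprice\b")  # ASCII only: encoding-agnostic

if __name__ == "__main__":
    print("yen pattern, UTF-8 client:    ", matches_raw(YEN_AMOUNT, REQUEST_UTF8))
    print("yen pattern, Latin-1 client:  ", matches_raw(YEN_AMOUNT, REQUEST_LATIN1))
    print("yen pattern, after transcode: ",
          matches_transcoded(YEN_AMOUNT, REQUEST_LATIN1, "iso-8859-1"))
    print("English word, Latin-1 client: ", matches_raw(ENGLISH_WORD, REQUEST_LATIN1))
    print("'price' identical in all encodings:",
          same_bytes_in("price", "utf-8", "iso-8859-1", "shift_jis", "gb2312"))
```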
To enter non-ASCII characters in the CLI Console widget
1 On your management computer, start your web browser and go to the URL for the
FortiGate unit’s web-based manager.
2 Configure your web browser to interpret the page as UTF-8 encoded.
3 Log in to the FortiGate unit.
4 Go to System > Dashboard > Status.
5 In title bar of the CLI Console widget, click Edit (the pencil icon).
6 Enable Use external command input box.
7 Select OK.
The Command field appears below the usual input and display area of the CLI Console
widget.
8 In Command, type a command.


Figure 45: Entering encoded characters (CLI Console widget)

9 Press Enter.
In the display area, the CLI Console widget displays your previous command
interpreted into its character code equivalent, such as:
edit \743\601\613\743\601\652
and the command’s output.
To enter non-ASCII characters in a Telnet/SSH client
1 On your management computer, start your Telnet or SSH client.
2 Configure your Telnet or SSH client to send and receive characters using UTF-8
encoding.
Support for sending and receiving international characters varies by each Telnet/SSH
client. Consult the documentation for your Telnet/SSH client.
3 Log in to the FortiGate unit.
4 At the command prompt, type your command and press Enter.
Figure 46: Entering encoded characters (PuTTY)

You may need to surround words that use encoded characters with single quotes ( ' ).
Depending on your Telnet/SSH client’s support for your language’s input methods and
for sending international characters, you may need to interpret them into character
codes before pressing Enter.
For example, you might need to enter:
edit '\743\601\613\743\601\652'
5 The CLI displays your previous command and its output.


Screen paging
You can configure the CLI to pause after each page's worth of text when the output spans
multiple pages. When the display pauses, the last line displays --More--. You can then
either:
• press the spacebar to display the next page, or
• type Q to truncate the output and return to the command prompt.

This may be useful when displaying lengthy output, such as the list of possible matching
commands for command completion, or a long list of settings. Rather than scrolling
through or possibly exceeding the buffer of your terminal emulator, you can simply display
one page at a time.
To configure the CLI display to pause when the screen is full:
config system console
set output more
end

Baud rate
You can change the default baud rate of the local console connection.
To change the baud rate enter the following commands:
config system console
set baudrate {115200 | 19200 | 38400 | 57600 | 9600}
end

Editing the configuration file on an external host
You can edit the FortiGate configuration on an external host by first backing up the
configuration file to a TFTP server. Then edit the configuration file and restore it to the
FortiGate unit.
Editing the configuration on an external host can be time-saving if you have many
changes to make, especially if your plain text editor provides advanced features such as
batch changes.
To edit the configuration on your computer
1 Use execute backup to download the configuration file to a TFTP server, such as
your management computer.
2 Edit the configuration file using a plain text editor that supports Unix-style line endings.
Caution: Do not edit the first line. The first line(s) of the configuration file (preceded by a #
character) contains information about the firmware version and FortiGate model. If you
change the model number, the FortiGate unit will reject the configuration file when you
attempt to restore it.

3 Use execute restore to upload the modified configuration file back to the
FortiGate unit.
The FortiGate unit downloads the configuration file and checks that the model
information is correct. If it is, the FortiGate unit loads the configuration file and checks
each command for errors.If a command is invalid, the FortiGate unit ignores the
command. If the configuration file is valid, the FortiGate unit restarts and loads the new
configuration.


Using Perl regular expressions
Some FortiGate features, such as spam filtering and web content filtering can use either
wildcards or Perl regular expressions.
See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular
expressions.

Differences between regular expression and wildcard pattern matching
In Perl regular expressions, the period (‘.’) character refers to any single character. It is
similar to the question mark (‘?’) character in wildcard pattern matching. As a result:
• fortinet.com not only matches fortinet.com but also matches
  fortinetacom, fortinetbcom, fortinetccom and so on.
To match a special character such as the period ('.') and the asterisk (‘*’), regular
expressions use the backslash (‘\’) escape character. For example:
• To match fortinet.com, the regular expression should be fortinet\.com.
In Perl regular expressions, the asterisk (‘*’) means match 0 or more times of the
character before it, not 0 or more times of any character. For example:
• forti*\.com matches fortiiii.com but does not match fortinet.com.
To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’
means 0 or more times. For example:
• the wildcard match pattern forti*.com is equivalent to the regular expression
  forti.*\.com.

Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For
example, the regular expression “test” not only matches the word “test” but also matches
any word that contains the word “test” such as “atest”, “mytest”, “testimony”, “atestb”. The
notation “\b” specifies the word boundary. To match exactly the word “test”, the expression
should be \btest\b.

Case sensitivity
Regular expression pattern matching is case sensitive in the Web and Spam filters. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of “bad language” regardless of case.
Table 36: Perl regular expression examples
Expression     Matches
abc            abc (that exact character sequence, but anywhere in the string)
^abc           abc at the beginning of the string
abc$           abc at the end of the string
a|b            either of a and b
^abc|abc$      the string abc at the beginning or at the end of the string
ab{2,4}c       an a followed by two, three or four b's followed by a c
ab{2,}c        an a followed by at least two b's followed by a c
ab*c           an a followed by any number (zero or more) of b's followed by a c
ab+c           an a followed by one or more b's followed by a c
ab?c           an a followed by an optional b followed by a c; that is, either abc or ac
a.c            an a followed by any single character (not newline) followed by a c
a\.c           a.c exactly
[abc]          any one of a, b and c
[Aa]bc         either of Abc and abc
[abc]+         any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa)
[^abc]+        any (nonempty) string which does not contain any of a, b and c (such as
               defg)
\d\d           any two decimal digits, such as 42; same as \d{2}
/i             makes the pattern case insensitive. For example, /bad language/i
               blocks any instance of "bad language" regardless of case.
\w+            a "word": a nonempty sequence of alphanumeric characters and low lines
               (underscores), such as foo and 12bar8 and foo_1
100\s*mk       the strings 100 and mk optionally separated by any amount of white space
               (spaces, tabs, newlines)
abc\b          abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B         perl when not followed by a word boundary (e.g. in perlert but not in perl
               stuff)
\x             tells the regular expression parser to ignore white space that is neither
               backslashed nor within a character class. You can use this to break up your
               regular expression into (slightly) more readable parts.
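The wildcard-to-regex translation and the /i notation explained in this section, worked in Python as an added example (not the handbook's code); Python's re module follows the same Perl-style rules for these constructs. wildcard_to_regex, compile_handbook and matches are this example's own helpers.

```python
import re


def wildcard_to_regex(pattern):
    """Translate a FortiOS wildcard pattern into the equivalent Perl-style regex.

    '*' becomes '.*' (any character, zero or more times), '?' becomes '.'
    (any single character), and everything else, notably the period, is
    escaped so it matches literally. No anchors are added, so, like the
    handbook's forti*.com example, the result matches anywhere in the string.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def compile_handbook(expression):
    """Compile an expression written the way the handbook shows it.

    A bare pattern (fortinet\\.com) is compiled as-is. The delimited form with
    the case-insensitive modifier (/bad language/i) is unwrapped and compiled
    with re.IGNORECASE, which is what the handbook's '/i' means.
    """
    delimited = re.fullmatch(r"/(.*)/(i?)", expression, re.DOTALL)
    if delimited:
        flags = re.IGNORECASE if delimited.group(2) else 0
        return re.compile(delimited.group(1), flags)
    return re.compile(expression)


def matches(expression, text):
    """True when the expression matches anywhere in text. As with the handbook's
    patterns, nothing is implicitly anchored: use ^, $ or \\b for that."""
    return compile_handbook(expression).search(text) is not None


if __name__ == "__main__":
    # Each row: expression, sample text, what the handbook says should happen.
    cases = [
        (r"fortinet.com", "fortinetacom", True),    # unescaped '.' is any char
        (r"fortinet\.com", "fortinetacom", False),  # escaped '.' is literal
        (r"forti*\.com", "fortiiii.com", True),     # '*' repeats only the 'i'
        (r"forti*\.com", "fortinet.com", False),
        (wildcard_to_regex("forti*.com"), "fortinet.com", True),
        (r"test", "testimony", True),               # no implicit word boundary
        (r"\btest\b", "testimony", False),
        ("/bad language/i", "No BAD Language here", True),
        (r"perl\B", "perl stuff", False),
    ]
    for expression, text, expected in cases:
        result = matches(expression, text)
        print("%-28s %-22s %-5s %s" % (expression, text, result,
                                       "ok" if result == expected else "MISMATCH"))
```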


Tightening security
The FortiGate unit protects the network. There are additional configurations you can do in
FortiOS to more effectively hide the FortiGate unit from would-be hackers on the Internet.
This chapter describes some options to better cloak your network.
These security steps are focused on limiting administrative access on management
computers and within FortiOS. For physical security, the FortiGate unit should be housed
in a server room with limited access and locks requiring access codes or swipe cards.
This chapter includes the following sections:
• Administrators
• Administrative ports
• Rejecting PING requests
• Opening TCP 113

Administrators
One point of security breach is at the management computer. Administrators who leave
their workstations for a prolonged amount of time while staying logged into the web-based
manager or CLI (whether on purpose or not), leave the firewall open to malicious intent.

Idle time-out
To avoid the possibility of an administrator walking away from the management computer
and leaving it exposed to unauthorized personnel, you can add an idle time-out. That is, if
the web-based manager is not used for a specified amount of time, the FortiGate unit will
automatically log the user out. To continue their work, they must log in to the device again.
The time-out can be set as high as 480 minutes, or eight hours, although this is not
recommended.
To set the idle time out - web-based manager
1 Go to System > Admin > Settings.
2 In the Timeout Settings, enter the amount of time the Administrator login can remain
idle, or inactive, before automatically logging the administrator out.
3 Select Apply.
To set the idle time out - CLI
config system global
set admintimeout <minutes>
end

Administrator lockout
By default, the FortiGate unit includes set number of password retries. That is, the
administrator has a maximum of three attempts to log into their account before they are
locked out for a set amount of time. The number of attempts can be set to an alternate
value.


As well, the default wait time before the administrator can try to enter a password again is
60 seconds. You can also change this to further deter would-be hackers. Both settings are
configured only in the CLI.
To configure the lockout options use the following commands:
config system global
set admin-lockout-threshold <failed_attempts>
set admin-lockout-duration <seconds>
end
For example, to set the lockout threshold to one attempt and a five minute duration before
the administrator can try again to log in, enter the commands:
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end

Change the admin username
The default super administrator user name, admin, is a very standard default administrator
name. Leaving it unchanged hands a would-be attacker one half of the credentials needed
to compromise the FortiGate unit. The name can be changed.
To do this, you need to create another super user with full access and log in as that user.
Then go to System > Admin > Administrator, select the admin account and select Edit to
change the user name.

Disable admin services
On untrusted networks, turn off the weak administrative services such as TELNET and
HTTP. With these services, passwords are passed in the clear, not encrypted.
These services can be disabled by going to System > Network > Interface and deselecting
the required checkboxes.

Segregated administrative roles
To minimize the effect of an administrator doing complete harm to the FortiGate
configuration and possibly jeopardizing the network, create individual administrative roles
where none of the administrators have super-admin permissions.
For example, an admin solely to create firewall policies, another for users and groups,
another for VPN and so on.

Administrative ports
You can set the web-based manager access as through HTTP, HTTPS, SSH and Telnet.
In these cases, the default ports for these protocols are 80, 443, 22 and 23 respectively.
You can change the ports used for network administration to a different, unused port to
further limit potential hackers.
Note: Ensure the port you select is not a port you will be using for other applications. For a
list of assigned port numbers see http://www.iana.org/assignments/port-numbers.


To change the administrative ports - web-based manager
1 Go to System > Admin > Settings.
2 In the Web Administration Ports section, change the port numbers.
3 Select Apply.
To change the administrative ports - CLI
config system global
set admin-port <http_port_number>
set admin-sport <https_port_number>
set admin-ssh-port <ssh_port_number>
set admin-telnet-port <telnet_port_number>
end
When logging into the FortiGate unit, by default FortiOS will automatically use the default
ports. That is, when logging into the FortiGate IP address, you only need to enter the
address, for example:
https://192.168.1.1
When you change the administrative port number, the port number must be added to the
url. For example, if the port number for https access is 2112, the administrator must enter
the following address:
https://192.168.1.1:2112

Interface settings
Within FortiOS there are a few options you can set to limit unauthorized access.

Remove admin access
If any interfaces do not require access from an administrator, disable the admin access
options for it, even PING to restrict anyone sniffing for available ports.
To remove all admin access
1 Go to System > Network > Interface.
2 Select the interface and select Edit.
3 Clear any checkboxes in the Administrative Access section.
4 Select OK.
Within the CLI, you cannot completely clear all the admin access options; one must be
selected. It is best to do this from the web-based manager.

Disable interfaces
If any of the interfaces on the FortiGate unit are not being used, disable traffic on that
interface. This avoids someone plugging in network cables and potentially causing
network bypass or loop issues.
To disable an interface - web-based manager
1 Go to System > Network > Interface.
2 Select the interface from the list and select Edit.
3 For Administrative Access, select Down.
4 Select OK.

To disable an interface - CLI
config system interface
edit <interface_name>
set status down
end

Rejecting PING requests
The factory default configuration of your FortiGate unit allows the default public interface
to respond to ping requests. The default public interface, or the external interface, is the
interface the FortiGate unit typically connects to the Internet. Depending on the model of
your FortiGate unit the actual name of this interface will vary.
For the most secure operation, you should change the configuration of the external
interface so that it does not respond to ping requests. Not responding to ping requests
makes it more difficult for a potential attacker to detect your FortiGate unit from the
Internet. One such potential threat is a Denial of Service (DoS) attack.
A FortiGate unit responds to ping requests if ping administrative access is enabled for that
interface. Use the following procedures to disable ping access for the external, or any,
interface of a FortiGate unit.
To disable ping administrative access - web-based manager
1 Go to System > Network > Interface.
2 Choose the external interface and select Edit.
3 Clear the Ping Administrative Access check box.
4 Select OK.
In the CLI, the allowaccess setting lists only the access types you select; any type you
leave out, such as PING, is disabled. In this example, only HTTPS is selected.
To disable ping administrative access - CLI
config system interface
edit external
set allowaccess https
end

Opening TCP 113
Although seemingly contrary to the conventional wisdom of closing ports against hackers,
this port, which is used for ident requests, should be opened.
Port 113 was initially used as an authentication port, and later defined as an identification
port (see RFC 1413). Some servers may still use this port to help in identifying users or
other servers and establish a connection. Because port 113 receives a lot of unsolicited
traffic, many routers, including the FortiGate unit, close this port.
The issue is that unsolicited requests are stopped by the FortiGate unit, which then
sends a response saying that the port is closed. In doing so, it also lets the requesting
server know there is a device at the given address, thus announcing its presence. By
enabling traffic on port 113, requests will travel to this port and will most likely be ignored
and never responded to.


By default, the ident port is closed. To open it, use the following CLI commands:
config system interface
edit <port_name>
set ident-accept enable
end
You could also go further and use port forwarding to send the traffic to a non-existent
IP address, so that no response packet is ever sent.

Obfuscate HTTP headers
The FortiGate unit can obfuscate the HTTP header information being sent to external web
servers to better cloak the source. By default this option is not enabled. To obfuscate
HTTP headers, use the following CLI command:
config system global
set http-obfuscate {none | header-only | modified | no-error}
end
Where:
none: do not hide the FortiGate web server identity.
header-only: hides the HTTP server banner.
modified: provides modified error responses.
no-error: suppresses error responses.
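As an added example that is not the handbook's or Fortinet's code, the following Python script reads a configuration file backed up as described under "Editing the configuration file on an external host" and reports the settings this Tightening security chapter tells you to change (idle time-out, lockout duration, default administrative ports, clear-text services and ping on the external interface). The sample configuration, the review thresholds and the interface name external are constructed assumptions.

```python
# Constructed sample of a backed-up FortiOS configuration file (not a real
# device dump). The '#' header line mimics the model/firmware line the handbook
# says must not be edited; the parser skips it.
SAMPLE_CONFIG = """\
#config-version=FGT-MODEL-PLACEHOLDER-4.00-FW-build0000:opmode=0:vdom=0
config system global
    set admintimeout 480
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
    set admin-sport 443
    set admin-ssh-port 22
end
config system interface
    edit "external"
        set allowaccess ping https ssh telnet http
        set status up
    next
    edit "dmz"
        set allowaccess https
        set status down
    next
end
"""

# Review policy applied by audit_hardening(). These limits are this example's
# assumptions, not FortiOS defaults.
MAX_IDLE_MINUTES = 15
MIN_LOCKOUT_SECONDS = 300                 # the handbook's example duration
CLEAR_TEXT_SERVICES = {"telnet", "http"}  # passwords pass in the clear
DEFAULT_ADMIN_PORTS = {"admin-port": "80", "admin-sport": "443",
                       "admin-ssh-port": "22", "admin-telnet-port": "23"}


def parse_config(text):
    """Parse config / edit / set / next / end stanzas into nested dicts.

    Returns {section: {entry: {key: value}}}. Settings made directly under a
    'config ...' block (no 'edit') are stored under the entry name ''.
    """
    tree = {}
    stack = []  # one [section, current_entry] pair per open 'config' block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            section = line[len("config "):]
            stack.append([section, ""])
            tree.setdefault(section, {}).setdefault("", {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            stack[-1][1] = entry
            tree[stack[-1][0]].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            section, entry = stack[-1]
            tree[section][entry][key] = value.strip()
        elif line == "next":
            stack[-1][1] = ""
        elif line == "end":
            stack.pop()
    return tree


def audit_hardening(tree, external_name="external"):
    """Return findings for the settings the Tightening security chapter covers.

    external_name is the Internet-facing interface; its real name varies by
    model, so it is a parameter here.
    """
    findings = []
    g = tree.get("system global", {}).get("", {})
    # An absent admintimeout means the factory default, which is not judged here.
    if int(g.get("admintimeout", 0)) > MAX_IDLE_MINUTES:
        findings.append("admintimeout %s exceeds %d minutes"
                        % (g["admintimeout"], MAX_IDLE_MINUTES))
    # An absent lockout duration means the 60 second default the handbook states.
    if int(g.get("admin-lockout-duration", 60)) < MIN_LOCKOUT_SECONDS:
        findings.append("admin-lockout-duration below %d seconds"
                        % MIN_LOCKOUT_SECONDS)
    for key, default in DEFAULT_ADMIN_PORTS.items():
        if g.get(key, default) == default:  # absent key: default port in use
            findings.append("%s left at default %s" % (key, default))
    for name, iface in tree.get("system interface", {}).items():
        if not name:
            continue
        access = set(iface.get("allowaccess", "").split())
        for service in sorted(access & CLEAR_TEXT_SERVICES):
            findings.append("interface %s: clear-text admin service %s enabled"
                            % (name, service))
        if name == external_name and "ping" in access:
            findings.append("interface %s: responds to ping" % name)
    return findings


if __name__ == "__main__":
    for finding in audit_hardening(parse_config(SAMPLE_CONFIG)):
        print(finding)
```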


Best Practices
The FortiGate unit is installed, and traffic is flowing. With your network sufficiently
protected, you can now fine tune the firewall for the best performance and efficiency. This
chapter describes configuration options that can ensure your FortiGate unit is running at
its best performance.
This chapter includes best practices and suggestions for:
• Hardware
• Performance
• Firewall
• Intrusion protection
• Antivirus
• Web filtering
• Antispam

Hardware
Environmental specifications
Keep the following environmental specifications in mind when installing and setting up
your FortiGate unit.
• Operating temperature: 32 to 104°F (0 to 40°C)
• If you install the FortiGate unit in a closed or multi-unit rack assembly, the operating
  ambient temperature of the rack environment may be greater than room ambient
  temperature. Therefore, make sure to install the equipment in an environment
  compatible with the manufacturer's maximum rated ambient temperature.
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 90% non-condensing
• Air flow - For rack installation, make sure that the amount of air flow required for safe
  operation of the equipment is not compromised.
• For free-standing installation, make sure that the appliance has at least 1.5 in.
  (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

This device complies with FCC Class A, Part 15, UL/CUL, C Tick, CE and VCCI.
Operation is subject to the following two conditions:
• This device may not cause harmful interference, and
• This device must accept any interference received, including interference that may
  cause undesired operation.
This equipment has been tested and found to comply with the limits for a Class B digital
device, pursuant to part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference in a residential installation. This
equipment generates, uses and can radiate radio frequency energy and, if not installed
and used in accordance with the instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will not occur in a
particular installation. If this equipment does cause harmful interference to radio or
television reception, which can be determined by turning the equipment off and on, the
user is encouraged to try to correct the interference by one or more of the following
measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the
  receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
The equipment complies with the FCC radiation exposure limits set forth for an
uncontrolled environment.
Caution: Risk of explosion if the battery is replaced by an incorrect type. Dispose of used
batteries according to the instructions.

Caution: To reduce the risk of fire, use only No. 26 AWG or larger UL Listed or CSA
Certified Telecommunication Line Cord.

Grounding
• Ensure the FortiGate unit is connected and properly grounded to a lightning and surge
  protector. WAN or LAN connections that enter the premises from outside the building
  should be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector.
• Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather
  than Unshielded Twisted Pair (UTP).
• Do not connect or disconnect cables during lightning activity to avoid damage to the
  FortiGate unit or personal injury.

Rack mount instructions
Elevated Operating Ambient - If installed in a closed or multi-unit rack assembly, the
operating ambient temperature of the rack environment may be greater than room
ambient. Therefore, consideration should be given to installing the equipment in an
environment compatible with the maximum ambient temperature (Tma) specified by the
manufacturer.
Reduced Air Flow - Installation of the equipment in a rack should be such that the
amount of air flow required for safe operation of the equipment is not compromised.
Mechanical Loading - Mounting of the equipment in the rack should be such that a
hazardous condition is not achieved due to uneven mechanical loading.
Circuit Overloading - Consideration should be given to the connection of the equipment
to the supply circuit and the effect that overloading of the circuits might have on
overcurrent protection and supply wiring. Appropriate consideration of equipment
nameplate ratings should be used when addressing this concern.
Reliable Earthing - Reliable earthing of rack-mounted equipment should be maintained.
Particular attention should be given to supply connections other than direct connections to
the branch circuit (e.g. use of power strips).


Shutting down
Always shut down the FortiGate operating system properly before turning off the power
switch to avoid potential hardware problems.
To power off the FortiGate unit - web-based manager
1 Go to System > Status.
2 In the Unit Operation display, select Shutdown.
To power off the FortiGate unit - CLI
execute shutdown
Once completing this step you can safely disconnect the power cables from the power
supply.

Performance


Disable any management features you do not need. If you don’t need SSH or SNMP
disable them. SSH also provides another possibility for would-be hackers to infiltrate
your FortiGate unit.



Put the most used firewall rules to the top of the interface list.



Log only necessary traffic. The writing of logs, especially if to an internal hard disk,
slows down performance.



Enable only the required application inspections.



Keep alert systems to a minimum. If you send logs to a syslog server, you may not
need SNMP or email alerts, making for redundant processing.



Establish scheduled FortiGuard updates at a reasonable rate. Daily every 4-5 hours for
most situations, or in more heavy-traffic situations, in the evening when more
bandwidth can be available.



Keep UTM profiles to a minimum. If you do not need a profile on a firewall rule, do not
include it.



Keep VDOMs to a minimum. On low-end FortiGate units, avoid using them if possible.



Avoid traffic shaping if you need maximum performance. Traffic shaping, by definition,
slows down traffic.



Avoid using the All selection for the source and destination addresses. Use addresses
or address groups.



Avoid using Any for the services.



Use logging on a policy only when necessary. For example, you may want to log all
dropped connections but be aware of the performance impact. However, use this
sparingly to sample traffic data rather than have it continually storing log information
you may not use.



Use the comment field to input management data; who requested the rule, who
authorized it, etc.



Avoid FQDN addresses if possible. It can cause a performance impact on DNS queries
and security impact from DNS spoofing.

Firewall

FortiOS™ Handbook FortiOS 4.0 MR2 System Administration
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

415

Intrusion protection

Best Practices



If possible, avoid port ranges on services for security reasons.



Use groups whenever possible.

Intrusion protection

• Create and use UTM profiles with specific signatures and anomalies you need
per-interface and per-rule.
• Do not use predefined or generic profiles. While convenient to supply immediate
protection, you should create profiles to suit your network environment.
• If you do use the default profiles, reduce the IPS signatures/anomalies enabled in the
profile to conserve processing time and memory.
• If you are going to enable anomalies, make sure you tune thresholds according to your
environment.
• If you need protection, but not audit information, disable the logging option.
• Tune the IP-protocol parameter accordingly.

Antivirus

• Enable only the protocols you need to scan. If you have antivirus scans occurring on
the SMTP server, or using FortiMail, it is redundant to have it occur on the FortiGate
unit as well.
• Reduce the maximum file size to be scanned. Viruses usually travel in small files of
around 1 to 2 megabytes.
• Antivirus scanning within an HA cluster can impact performance.
• Enable grayware scanning on UTM profiles tied to internet browsing.
• Do not quarantine files unless you regularly monitor and review them. This is otherwise
a waste of space and impacts performance.
• Use file patterns to avoid scanning where it is not required.
• Enable heuristics from the CLI if high security is required, using the command
config antivirus heuristic.

Web filtering

• Web filtering within an HA cluster impacts performance.
• Always review the DNS settings to ensure the servers are fast.
• Content block may cause performance overhead.
• Local URL filter is faster than FortiGuard web filter, because the filter list is local and
the FortiGate unit does not need to go out to the Internet to get the information from a
FortiGuard web server.

Antispam

• If possible, use a FortiMail unit. The antispam engines are more robust.
• Use fast DNS servers.
• Use specific UTM profiles for the rule that will use antispam.
• DNS checks may cause false positives with HELO DNS lookup.
• Content analysis (banned words) may impose performance overhead.

Security

• Use NTP to synchronize time on the FortiGate and the core network systems such as
email servers, web servers and logging services.
• Enable log rules to match corporate policy. For example, log administration
authentication events and access to systems from untrusted interfaces.
• Minimize ad hoc changes to live systems if possible to minimize interruptions to the
network.
• When not possible, create backup configurations and implement sound audit systems
using FortiAnalyzer and FortiManager.
• If you only need to allow access to a system on a specific port, limit the access by
creating the strictest rule possible.

Wireless
In a wired network, computers are connected through a series of cables that transfer
information. In a wireless network, information is transferred over radio waves. There are
factors which affect the transmission of data “on the air” that you must take into account
when setting up a wireless network.
This chapter outlines the considerations for wireless networking and steps you can take to
make your wireless network as efficient as possible.
This section includes the following topics:
• Setting up a wireless network
• FortiWiFi operation modes
• Wireless Security

Setting up a wireless network
In its simplest form, a wireless network is an access point communicating with one
wireless device. An access point is a device that provides a communications hub for a
wireless network. The access point and the wireless devices operate on a common radio
channel. The FortiGate unit acts as an access point by default, and assigns all wireless
users to the same subnet. With the proper firewall policies and routing, wireless users can
communicate with users on the internal network or on an external network such as the
Internet.
Figure 47: FortiGate unit as an access point (diagram labels: Internal Network, Wireless
Network, DMZ Network, Internal Router, WAN1, WAN2, DMZ, MODEM / DSL / Cable, Internet)


Positioning an access point
When placing the FortiGate unit, your main concern is providing a strong signal to all
users. A strong signal ensures a fast connection and efficient data transfer. A weaker
signal means a greater chance of data transmission errors and the need to re-send
information, slowing down data transfer.
Consider the following guidelines when placing the FortiWiFi unit:
• Physical barriers can impede the radio signals. Solid objects such as walls, furniture
and people absorb radio waves, weakening the signal. Be aware of the physical
barriers in your office space that may reduce a signal. If there is enough physical
interference, you may encounter dead spots that receive no signal.
• Ensure the FortiWiFi unit is located in a prominent location within a room for maximum
coverage, rather than in a corner.
• Construction materials used in a building can also weaken radio signals. Rooms with
walls of concrete or metal can affect the signal strength.

Radio Frequency interference
The 802.11b/g standard uses a frequency range of 2.4 to 2.483 GHz and the 802.11a and
802.11n standards transmit at 5 GHz. Radio frequency (RF) interference occurs when other
devices send RF signals during their normal operation that use the same frequency as the
FortiWiFi unit. Wireless devices such as cordless phones, microwave ovens and
Bluetooth devices can potentially interfere with packet transmissions on a wireless
network.
To avoid RF interference:
• Remove these devices from the immediate area where users are working. Something
as simple as a Bluetooth-enabled mouse may cause transmission interruptions.
• Keep the FortiWiFi AP and wireless devices at least 10 feet away from appliances
such as microwave ovens and cordless phones.
• If you must have a cordless phone, select one that does not use the 2.4 GHz frequency
range for 802.11b/g or the 5 GHz frequency range for 802.11a.
• Consider more FortiWiFi APs to help strengthen the signal. The weaker the signal, the
slower the transmission will be as it competes with other wireless devices.
• Choose a different channel to improve signal quality. The more wireless devices that
use the same channel, the more transmission issues you can expect.

Using multiple access points
If you cannot avoid some of these impediments due to the shape of the office or building
materials used, you may need to use multiple FortiWiFi units to help distribute the radio
signal around the room. Figure 48 shows how positioning two FortiWiFi units within a
uniquely shaped office space helps to distribute signals around the area.


Figure 48: Using multiple APs to provide a constant strong signal (diagram of an office
floor plan with stairs, an elevator and washrooms in the center)

This sample office has washrooms, a stairwell and an elevator shaft in the center of the
building, making it impossible to use a single FortiWiFi unit effectively. The elevator shaft
and multiple metal stalls in the washrooms can cause signal degradation. However,
placing a FortiWiFi unit in opposite corners of the office provides maximum coverage.
When using multiple access points, set each FortiWiFi unit to a different channel to avoid
interference in areas where signals from both FortiWiFi units can be received.

FortiWiFi operation modes
The FortiGate unit has two modes: Access Point and Client. You can only change the
wireless mode when the FortiWiFi unit is in NAT/Route mode.

Access point mode
When using the FortiGate unit in access point mode, the device acts as an access point
for wireless users to connect to, and send and receive information over a wireless network.
It gives multiple wireless users access to the network without the need to connect to it
physically. The FortiGate unit can connect to the internal network and act as a firewall to
the Internet.


Figure 49: FortiGate unit in access point mode (diagram labels: Internal Network, Wireless
Network, DMZ Network, Internal Router, WAN1, WAN2, DMZ, Internet, MODEM / DSL / Cable)

Client mode
When using the FortiGate unit in Client mode, the FortiWiFi unit is configured to receive
transmissions from another access point. This enables you to connect remote users to an
existing network using wireless protocols from a location that does not have a wired
infrastructure.
For example, in a warehouse where shipping and receiving are on opposite sides of the
building, running cables is not an option due to the warehouse environment. The FortiGate
unit can support wired users using its Ethernet ports and can connect to another access
point wirelessly as a Client. This connects the wired users to the network using the 802.11
wireless standard as a backbone.
Note that wireless users cannot see or connect to the FortiWiFi unit wirelessly in Client
mode.
Figure 50: FortiGate unit in Client mode (diagram labels: Internal Network, Wireless
Network, DMZ network, Web Server, Mail Server, Hub or switch, WAN1, Router, Internet)

Wireless Security
Radio waves transmitted between a wireless device and access points are the
weakest link between the wireless device and network servers. Wireless networking can
be risky. Information travels on radio waves, which is a public medium. The 802.11
standard includes security options to prevent your information from being intercepted by
unwanted sources. These are Wired Equivalent Privacy (WEP) and WiFi Protected
Access (WPA, WPA2) encryption. Wireless encryption is only used between the wireless
device and the access point. The access point decrypts the data before sending it along
the wired network. The FortiGate unit supports both encryption methods.

Wired Equivalent Privacy (WEP)
WEP security uses an encryption key between the wireless device and the access point.
For WEP security, the wireless device and access point must use the same encryption
key, which is manually typed in by the wireless user and administrator. When activated, the
wireless device encrypts the data of each frame with the encryption key using the RSA RC4
cipher.
There has been criticism of WEP security. WEP keys are static. They must be changed
manually and frequently on both the wireless device and the access points. In a small
company or network with a few users and APs, this is not a big issue. However, with more
users and access points, changing WEP keys regularly can become an administrative
headache and potentially error prone. Consequently, keys are rarely changed over
months or years, leaving a hacker plenty of time to get the key and gain access to the
network.
In small wireless networking environments, activating WEP security will significantly
reduce the chance of outside infiltrators getting into your network and is better than no
security at all. However, it is still very important that you regularly change the WEP key,
at least weekly, or monthly at most.

Wi-Fi Protected Access (WPA, WPA2)
WPA was developed to replace the WEP standard and provide a higher level of data
protection for wireless networks. WPA provides two methods of authentication: through
802.1X authentication or through pre-shared keys.
With 802.1X, an EAP authentication server such as a RADIUS server authenticates each
user before they can connect to the network. The encryption keys can be changed at
varying intervals to minimize the opportunity for hackers to crack the key being used.
In a network setup where a RADIUS server is not a viable option, WPA also provides
authentication with pre-shared keys using Temporal Key Integrity Protocol (TKIP). Using
TKIP, the encryption key is continuously re-keyed while the user is connected to the
wireless network. This creates a unique key for every data packet. To further ensure data
integrity, a Message Integrity Code (MIC, also known as Michael) is incorporated into each
packet. It uses an 8 byte message integrity code that is encrypted using the MAC
addresses and data from each frame to provide a more secure packet transmission.
WPA and WPA2 provide more robust security between the wireless device and the
access point.


MAC address filtering
Enabling MAC address filtering on the FortiGate unit provides a means of allowing only
specific devices and/or users on the wireless network. By enabling this feature, you define
the wireless devices that can access the network based on their system MAC address.
When a user attempts to access the wireless network, the FortiGate unit checks the MAC
address of the user against the list you created. If the MAC address is on the approved
list, the user gains access to the network. If the user is not in the list, the user is rejected.
Using MAC address filtering makes it more difficult for a hacker using random MAC
addresses or spoofing a MAC address to gain access to your network.
To add MAC addresses - web-based manager
1 Go to System > Wireless > MAC Filter.
2 Select Edit and add the MAC addresses to allow on the network.
The downside of MAC address filtering is that the login information is sent in cleartext.
That is, a would-be hacker can easily sniff the device's MAC address and use it to connect
to the network.
To add MAC addresses - CLI
config system interface
    edit wlan
        set wifi-mac-filter enable
        config wifi-mac-list
            edit <entry_number>
                set macaddress <address>
        end
end

Service Set Identifier
The Service Set Identifier (SSID) is the network name shared by all users on a wireless
network. Wireless users should configure their computers to connect to the network that
broadcasts this network name. For security reasons, do not leave the default name of
“fortinet” as the network name.
Broadcasting enables wireless users to find a network. The FortiGate unit includes an
option to not broadcast the SSID. If you configure all wireless users with the correct SSID,
you do not need to enable the broadcasting of the SSID.
To hide the SSID - web-based manager
1 Go to System > Network > Interface.
2 Select the WLAN interface and select Edit.
3 Select SSID Broadcast to uncheck the box.
4 Select OK.
To hide the SSID - CLI
config system interface
    edit wlan
        set wifi-broadcast-ssid disable
end


However, while this does hide the wireless network, it does not necessarily protect it. In
simple terms, yes, the SSID is hidden: the casual user cannot see the wireless
network. There are, however, a number of applications that can easily see any SSID within
the host PC's range, hidden or not.
Further, when a wireless device calls to the wireless router to connect, that information is
sent in cleartext. That is, a would-be hacker can easily sniff the wireless traffic to locate
the “hidden” network name.
Not broadcasting the SSID provides initial cover, but it is recommended that a password
at the very least be set for the wireless network. For more information see “Wireless
Security” on page 423.

A tiered approach to security
While none of these options may be completely secure, a layered approach will slow if
not thwart a potential intruder. Each step that they must go through may be enough to
have them look elsewhere for an easier target. For more complete security on a wireless
network, consider not broadcasting the SSID, enabling MAC address filtering and setting
a WPA2 password.


Monitoring
With network administration, the first step is installing and configuring the FortiGate unit to
be the protector of the internal network. Once the system is running efficiently, the next
step is to monitor the system and network traffic, to track down leaks and abusers as well
as the overall health of the FortiGate unit(s) that provide that protection.
This chapter discusses the various methods of monitoring both the FortiGate unit and the
network traffic through a range of different tools available within FortiOS.
This chapter includes the topics:
• Dashboard
• SNMP
• Logging

Dashboard
The FortiOS dashboard provides a location to view real-time system information. By
default, the dashboard displays the key statistics of the FortiGate unit itself, providing the
memory and CPU status, as well as the health of the ports, whether they are up or down
and their throughput.

Widgets
Within the dashboard are a number of smaller windows, called widgets, that provide this
status information. Beyond what is visible by default, you can add a number of other
widgets that display other key traffic information including application use, traffic per IP
address, top attacks, traffic history and logging statistics.
You will see when you log into the FortiGate unit that there are two separate dashboards.
You can add multiple dashboards to reflect what data you want to monitor, and add the
widgets accordingly. Dashboard configuration is only available through the web-based
manager. Administrators must have read and write privileges to customize and add
widgets in either menu. Administrators must have read privileges if they want to view
the information.
To add a dashboard and widgets
1 Go to System > Dashboard.
2 Select the Dashboard menu at the top of the window and select Add Dashboard.
3 Enter a name such as Monitoring.
4 Select the Widget menu at the top of the window.
5 From the screen, select the type of information you want to add.
6 When done, select the X in the top right of the widget.
Tip: You can position widgets within the dashboard frame by clicking and dragging them to
a different location.


SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your
network. You can configure the hardware, such as the FortiGate SNMP agent, to report
system information and send traps (alarms or event messages) to SNMP managers. An
SNMP manager, or host, is typically a computer running an application that can read the
incoming trap and event messages from the agent and send out SNMP queries to the
SNMP agents. A FortiManager unit can act as an SNMP manager, or host, to one or more
FortiGate units.
By using an SNMP manager, you can access SNMP traps and data from any FortiGate
interface or VLAN subinterface configured for SNMP management access. Part of
configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it
will be monitoring. Otherwise the SNMP monitor will not receive any traps from that
FortiGate unit, or be able to query that unit.
The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP
managers have read-only access to FortiGate system information through queries and
can receive trap messages from the FortiGate unit.
To monitor FortiGate system information and receive FortiGate traps, you must first
compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files.
A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP
manager. These MIBs provide the information the SNMP manager needs to interpret the
SNMP trap, event, and query messages sent by the FortiGate unit SNMP agent. FortiGate
core MIB files are available on the Customer Support website.
To download the MIB files
1 Log in to the Customer Support web site at support.fortinet.com.
2 Go to Download > Firmware Images.
3 Select FortiGate > v4.00 > Core MIB.
4 Select and download the available files.
The Fortinet implementation of SNMP includes support for most of RFC 2665
(Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see “Fortinet
MIBs” on page 430. RFC support for SNMP v3 includes Architecture for SNMP
Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).
SNMP traps alert you to events that occur, such as a full log disk or a detected virus.
For more information about SNMP traps, see “Fortinet and FortiGate traps” on page 432.
SNMP fields contain information about the FortiGate unit, such as CPU usage percentage
or the number of sessions. This information is useful for monitoring the condition of the
unit on an ongoing basis and to provide more information when a trap occurs. For more
information about SNMP fields, see “Fortinet and FortiGate MIB fields” on page 434.
The FortiGate SNMP v3 implementation includes support for queries, traps,
authentication, and privacy. Authentication and encryption are configured in the CLI. See
the system snmp user command in the FortiGate CLI Reference.
Note: There were major changes to the MIB files between v3.0 and v4.0. You need to use
the new MIBs for v4.0 or you may be accessing the wrong traps and fields.


SNMP agent
You need to first enter information and enable the FortiGate SNMP Agent. Enter
information about the FortiGate unit to identify it so that when your SNMP manager
receives traps from the FortiGate unit, you will know which unit sent the information.
To configure the SNMP agent - web-based manager
1 Go to System > Config > SNMP v1/v2c.
2 Select Enable for the SNMP Agent.
3 Enter a descriptive name for the agent.
4 Enter the location of the FortiGate unit.
5 Enter a contact or administrator for the SNMP Agent or FortiGate unit.
6 Select Apply.
To configure the SNMP agent - CLI
config system snmp sysinfo
    set status enable
    set contact-info <contact_information>
    set description <description_of_FortiGate>
    set location <FortiGate_location>
end

SNMP community
An SNMP community is a grouping of devices for network administration purposes. Within
that SNMP community, devices can communicate by sending and receiving traps and
other information. One device can belong to multiple communities, such as one
administrator terminal monitoring both a firewall SNMP community and a printer SNMP
community.
Add SNMP communities to your FortiGate unit so that SNMP managers can connect to
view system information and receive SNMP traps.
You can add up to three SNMP communities. Each community can have a different
configuration for SNMP queries and traps. Each community can be configured to monitor
the FortiGate unit for a different set of events. You can also add the IP addresses of up to
8 SNMP managers to each community.
Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on
interfaces in the management virtual domain. Traps cannot be sent over other interfaces.

To add an SNMP community - web-based manager
1 Go to System > Config > SNMP v1/v2c.
2 Select Create New and enter a name.
3 Enter the IP addresses of the SNMP managers that can use the settings in this
SNMP community to monitor the FortiGate unit.
4 Select the interface if the SNMP manager is not on the same subnet as the FortiGate
unit.
5 Enter the Port number that the SNMP managers in this community use for SNMP v1
and SNMP v2c queries to receive configuration information from the FortiGate unit.
Select the Enable check box to activate queries for each SNMP version.


6 Enter the Local and Remote port numbers that the FortiGate unit uses to send SNMP
v1 and SNMP v2c traps to the SNMP managers in this community.
7 Select the Enable check box to activate traps for each SNMP version.
8 Select OK.
To add an SNMP community - CLI
config system snmp community
    edit <index_number>
        set events <events_list>
        set name <community_name>
        set query-v1-port <port_number>
        set query-v1-status {enable | disable}
        set query-v2c-port <port_number>
        set query-v2c-status {enable | disable}
        set status {enable | disable}
        set trap-v1-lport <port_number>
        set trap-v1-rport <port_number>
        set trap-v1-status {enable | disable}
        set trap-v2c-lport <port_number>
        set trap-v2c-rport <port_number>
        set trap-v2c-status {enable | disable}
end

Enabling on the interface
Before a remote SNMP manager can connect to the FortiGate agent, you must configure
one or more FortiGate interfaces to accept SNMP connections.
To configure SNMP access - web-based manager
1 Go to System > Network > Interface.
2 Choose an interface that an SNMP manager connects to and select Edit.
3 In Administrative Access, select SNMP.
4 Select OK.
To configure SNMP access - CLI
config system interface
    edit <interface_name>
        set allowaccess snmp
end
Note: When using the allowaccess command to add SNMP, you also need to include any
other access for the interface. This command will only use what is entered. That is, if you
had HTTPS and SSH enabled before, these will be disabled if only the above command is
used. In this case, for the allowaccess command, enter
set allowaccess https ssh snmp.
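Added example, not part of the handbook and not Fortinet code: a small Python parser for a FortiOS-style configuration dump that checks the wireless settings from the MAC filter and SSID CLI procedures in the Wireless chapter together with the allowaccess point made in the note above. The sample configuration text is constructed, and treating interface names that start with "wan" or "dmz" as outside-facing is an assumption.

```python
"""Audit a FortiOS-style CLI configuration dump for handbook-recommended settings.

Added example, not Fortinet code. The only FortiOS keywords used are the ones
the handbook shows (wifi-mac-filter, wifi-broadcast-ssid, allowaccess); the
sample config text is constructed, and the "wan"/"dmz" naming convention for
outside-facing interfaces is an assumption.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: wlan still broadcasts its SSID and has no MAC filter, and
# wan1 received a bare "set allowaccess snmp", so only SNMP remains on it.
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set allowaccess ping https ssh snmp
    next
    edit "wan1"
        set allowaccess snmp
    next
    edit "wlan"
        set wifi-broadcast-ssid enable
        set wifi-mac-filter disable
        config wifi-mac-list
            edit 1
                set macaddress 00:11:22:33:44:55
            next
        end
    next
end
"""

Entries = Dict[str, Dict[str, List[str]]]


def parse_fortios(text: str) -> Entries:
    """Flatten FortiOS config/edit/set/next/end nesting into
    {"table/entry[/subtable/entry]": {key: [values]}}."""
    stack: List[Tuple[str, str]] = []   # (kind, name); kind is "config" or "edit"
    entries: Entries = {}

    def key() -> str:
        return "/".join(name for _, name in stack)

    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(("config", " ".join(args)))
        elif cmd == "edit":
            stack.append(("edit", args[0]))
            entries.setdefault(key(), {})
        elif cmd == "set":
            entries.setdefault(key(), {})[args[0]] = args[1:]
        elif cmd == "next":                      # leave the current edit scope
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif cmd == "end":                       # end also closes an open edit
            while stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
    return entries


OUTSIDE_PREFIXES = ("wan", "dmz")   # assumption: naming of outside-facing ports


def audit(entries: Entries) -> List[str]:
    """Return findings for interfaces that contradict the handbook's advice."""
    findings: List[str] = []
    for path, settings in entries.items():
        parts = path.split("/")
        if parts[0] != "system interface" or len(parts) != 2:
            continue                             # skip nested tables (wifi-mac-list)
        name = parts[1]
        if "snmp" in settings.get("allowaccess", []) and name.startswith(OUTSIDE_PREFIXES):
            findings.append(f"{name}: SNMP administrative access on an outside-facing interface")
        if name == "wlan":
            if settings.get("wifi-broadcast-ssid", ["enable"]) != ["disable"]:
                findings.append("wlan: SSID is broadcast (set wifi-broadcast-ssid disable)")
            if settings.get("wifi-mac-filter", ["disable"]) != ["enable"]:
                findings.append("wlan: MAC address filter is off (set wifi-mac-filter enable)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```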

Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC
1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665
(Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit
configuration.


There are two MIB files for FortiGate units - the Fortinet MIB, and the FortiGate MIB. The
Fortinet MIB contains traps, fields and information that is common to all Fortinet products.
The FortiGate MIB contains traps, fields and information that is specific to FortiGate units.
Each Fortinet product has its own MIB—if you use other Fortinet products you will need to
download their MIB files as well.
The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in
this section. You can download the two FortiGate MIB files from Fortinet Customer
Support.
To download the MIB files
1 Log in to the Customer Support web site at support.fortinet.com.
2 Go to Download > Firmware Images.
3 Select FortiGate > v4.00 > Core MIB.
4 Select and download the available files.
Your SNMP manager may already include standard and private MIBs in a compiled
database that is ready to use. You must add the Fortinet proprietary MIB to this database
to have access to the Fortinet specific information. You need to obtain and compile the two
MIBs for this release.
Note: There were major changes to the MIB files between v3.0 and v4.0. You need to use
the new MIBs for v4.0 or you may mistakenly access the wrong traps and fields.
Table 37: Fortinet MIBs

MIB file name or RFC
    Description

FORTINET-CORE-MIB.mib
    The proprietary Fortinet MIB includes all system configuration information
    and trap information that is common to all Fortinet products.
    Your SNMP manager requires this information to monitor FortiGate unit
    configuration settings and receive traps from the FortiGate SNMP agent. For
    more information, see “Fortinet and FortiGate traps” on page 432 and
    “Fortinet and FortiGate MIB fields” on page 434.

FORTINET-FORTIGATE-MIB.mib
    The proprietary FortiGate MIB includes all system configuration information
    and trap information that is specific to FortiGate units.
    Your SNMP manager requires this information to monitor FortiGate
    configuration settings and receive traps from the FortiGate SNMP agent.
    FortiManager systems require this MIB to monitor FortiGate units.
    For more information, see “Fortinet and FortiGate traps” on page 432 and
    “Fortinet and FortiGate MIB fields” on page 434.

RFC-1213 (MIB II)
    The FortiGate SNMP agent supports MIB II groups with the following
    exceptions.
    • No support for the EGP group from MIB II (RFC 1213, section 3.11 and
      6.10).
    • Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do
      not accurately capture all FortiGate traffic activity. More accurate
      information can be obtained from the information reported by the Fortinet
      MIB.

RFC-2665 (Ethernet-like MIB)
    The FortiGate SNMP agent supports Ethernet-like MIB information with the
    following exception.
    No support for the dot3Tests and dot3Errors groups.


Fortinet and FortiGate traps
An SNMP manager can request information from the Fortinet device’s SNMP agent, or
that agent can send traps when an event occurs. Traps are a method used to inform the
SNMP manager that something has happened or changed on the Fortinet device.
To receive FortiGate device SNMP traps, you must load and compile the
FORTINET-CORE-MIB and FORTINET-FORTIGATE-MIB into your SNMP manager.
Traps sent include the trap message as well as the FortiGate unit serial number
(fnSysSerial) and hostname (sysName).
The tables in this section include information about SNMP traps and variables. These
tables have been included to help you locate the object identifier number (OID), trap
message, and trap description of the Fortinet trap or variable you need.
The name of the table indicates if the trap is found in the Fortinet MIB or the FortiGate
MIB. The Trap Message column includes the message included with the trap as well as
the SNMP MIB field name to help locate the information about the trap. Traps starting with
fn such as fnTrapCpuThreshold are defined in the Fortinet MIB. Traps starting with fg
such as fgTrapAvVirus are defined in the FortiGate MIB.
The object identifier (OID) is made up of the number at the top of the table with the index
added to the end. For example if the OID is 1.3.6.1.4.1.12356.101.2.0 and the index is 4,
the full OID is 1.3.6.1.4.1.12356.101.2.0.4. The OID and the name of the object are how
SNMP managers refer to fields and traps from the Fortinet and FortiGate MIBs.
Indented rows are fields that are part of the message or table associated with the
preceding row.
The following tables include:
• Generic Fortinet traps (OID 1.3.6.1.4.1.12356.101.2.0)
• System traps (OID 1.3.6.1.4.1.12356.100.3.0)
• FortiGate VPN traps (OID 1.3.6.1.4.1.12356.101.2.0)
• FortiGate IPS traps (OID 1.3.6.1.4.1.12356.101.2.0)
• FortiGate antivirus traps (OID 1.3.6.1.4.1.12356.101.2.0)
• FortiGate HA traps (OID 1.3.6.1.4.1.12356.101.2.0)

Table 38: Generic Fortinet traps (OID 1.3.6.1.4.1.12356.101.2.0)

Index  Trap message
    Description

.1  ColdStart
    Standard trap as described in RFC 1215.

.2  WarmStart
    Standard trap as described in RFC 1215.

.3  LinkUp
    Standard trap as described in RFC 1215.

.4  LinkDown
    Standard trap as described in RFC 1215.

Table 39: System traps (OID 1.3.6.1.4.1.12356.100.3.0)

Index  Trap message (MIB name)
    Description

.101  CPU usage high (fnTrapCpuThreshold)
    CPU usage exceeds 80%. This threshold can be set in the CLI using
    config system snmp sysinfo, set trap-high-cpu-threshold.

.102  Memory low (fnTrapMemThreshold)
    Memory usage exceeds 90%. This threshold can be set in the CLI using
    config system snmp sysinfo, set trap-low-memory-threshold.

.103  Log disk too full (fnTrapLogDiskThreshold)
    Log disk usage has exceeded the configured threshold. Only available on
    devices with log disks. This threshold can be set in the CLI using
    config system snmp sysinfo, set trap-log-full-threshold.

.104  Temperature too high (fnTrapTempHigh)
    A temperature sensor on the device has exceeded its threshold. Not all
    devices have thermal sensors. See manual for specifications.

.105  Voltage outside acceptable range (fnTrapVoltageOutOfRange)
    Power levels have fluctuated outside of normal levels. Not all devices
    have voltage monitoring instrumentation.

.106  Power supply failure (fnTrapPowerSupplyFailure)
    Power supply failure detected. Not available on all models. Available on
    some devices which support redundant power supplies.

.201  Interface IP change (fnTrapIpChange)
    The IP address for an interface has changed. The trap message includes
    the name of the interface, the new IP address and the serial number of
    the Fortinet unit. You can use this trap to track interface IP address
    changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.

.999  Diagnostic trap (fnTrapTest)
    This trap is sent for diagnostic purposes. It has an OID index of .999.

Table 40: FortiGate VPN traps (OID 1.3.6.1.4.1.12356.101.2.0)
Index  Trap message (MIB name)
    Description
.301  VPN tunnel is up (fgTrapVpnTunUp)
    An IPSec VPN tunnel has started.
.302  VPN tunnel down (fgTrapVpnTunDown)
    An IPSec VPN tunnel has shut down.
  Local gateway address (fgVpnTrapLocalGateway)
    Address of the local side of the VPN tunnel. This information is associated with
    both of the VPN tunnel traps. (OID 1.3.6.1.4.1.12356.101.12.3.2)
  Remote gateway address (fgVpnTrapRemoteGateway)
    Address of the remote side of the VPN tunnel. This information is associated with
    both of the VPN tunnel traps. (OID 1.3.6.1.4.1.12356.101.12.3.2)

Table 41: FortiGate IPS traps (OID 1.3.6.1.4.1.12356.101.2.0)
Index  Trap message (MIB name)
    Description
.503  IPS Signature (fgTrapIpsSignature)
    IPS signature detected.
.504  IPS Anomaly (fgTrapIpsAnomaly)
    IPS anomaly detected.
.505  IPS Package Update (fgTrapIpsPkgUpdate)
    The IPS signature database has been updated.
  (fgIpsTrapSigId)
    ID of the IPS signature identified in the trap. (OID 1.3.6.1.4.1.12356.101.9.3.1)
  (fgIpsTrapSrcIp)
    IP address of the IPS signature trigger. (OID 1.3.6.1.4.1.12356.101.9.3.2)
  (fgIpsTrapSigMsg)
    Message associated with the IPS event. (OID 1.3.6.1.4.1.12356.101.9.3.3)

Table 42: FortiGate antivirus traps (OID 1.3.6.1.4.1.12356.101.2.0)
Index  Trap message (MIB name)
    Description
.601  Virus detected (fgTrapAvVirus)
    The antivirus engine detected a virus in an infected file from an HTTP or FTP
    download or from an email message.
.602  Oversize file/email detected (fgTrapAvOversize)
    The antivirus scanner detected an oversized file.
.603  Filename block detected (fgTrapAvPattern)
    The antivirus scanner blocked a file that matched a known virus pattern.
.604  Fragmented file detected (fgTrapAvFragmented)
    The antivirus scanner detected a fragmented file or attachment.
.605  (fgTrapAvEnterConserve)
    The AV engine entered conservation mode due to low memory conditions.
.606  (fgTrapAvBypass)
    The AV scanner has been bypassed due to conservation mode.
.607  (fgTrapAvOversizePass)
    An oversized file has been detected, but has been passed due to configuration.
.608  (fgTrapAvOversizeBlock)
    An oversized file has been detected, and has been blocked.
  (fgAvTrapVirName)
    The virus name that triggered the event. (OID 1.3.6.1.4.1.12356.101.8.3.1)

Table 43: FortiGate HA traps (OID 1.3.6.1.4.1.12356.101.2.0)
Index  Trap message (MIB name)
    Description
.401  HA switch (fgTrapHaSwitch)
    The specified cluster member has switched from a slave role to a master role.
.402  HA State Change (fgTrapHaStateChange)
    The trap sent when the HA cluster member changes its state.
.403  HA Heartbeat Failure (fgTrapHaHBFail)
    The heartbeat failure count has exceeded the configured threshold.
.404  HA Member Unavailable (fgTrapHaMemberDown)
    An HA member becomes unavailable to the cluster.
.405  HA Member Available (fgTrapHaMemberUp)
    An HA member becomes available to the cluster.
  (fgHaTrapMemberSerial)
    Serial number of an HA cluster member. Used to identify the origin of a trap when a
    cluster is configured. (OID 1.3.6.1.4.1.12356.101.13.3.1)
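
A decoder for the traps in Tables 38 to 43, added here as an example and not Fortinet code: it composes trap OIDs exactly as the text describes (table base OID plus index), reads the trap OID from the standard snmpTrapOID.0 varbind of an SNMPv2 notification, and collects the companion objects such as fgIpsTrapSigId so a collector can route IPS, antivirus and HA traps to different handlers. The sample varbind values are constructed.

```python
"""Decode FortiOS 4.0 MR2 SNMP traps with the trap tables above.
Added example, not Fortinet code. Trap indices, MIB names and companion object OIDs
are transcribed from Tables 38-43; trap OIDs are composed as table base OID + "." + index.
"""
from dataclasses import dataclass, field

FORTINET_TRAPS = "1.3.6.1.4.1.12356.101.2.0"  # generic, VPN, IPS, antivirus and HA traps
SYSTEM_TRAPS = "1.3.6.1.4.1.12356.100.3.0"    # fn* system traps (Table 39)
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"       # snmpTrapOID.0 names the trap in an SNMPv2 notification
# base OID -> {index: (MIB trap name, trap message)}
TRAPS = {
    FORTINET_TRAPS: {
        1: ("ColdStart", "Standard trap (RFC 1215)"),
        2: ("WarmStart", "Standard trap (RFC 1215)"),
        3: ("LinkUp", "Standard trap (RFC 1215)"),
        4: ("LinkDown", "Standard trap (RFC 1215)"),
        301: ("fgTrapVpnTunUp", "VPN tunnel is up"),
        302: ("fgTrapVpnTunDown", "VPN tunnel down"),
        401: ("fgTrapHaSwitch", "HA switch"),
        402: ("fgTrapHaStateChange", "HA State Change"),
        403: ("fgTrapHaHBFail", "HA Heartbeat Failure"),
        404: ("fgTrapHaMemberDown", "HA Member Unavailable"),
        405: ("fgTrapHaMemberUp", "HA Member Available"),
        503: ("fgTrapIpsSignature", "IPS Signature"),
        504: ("fgTrapIpsAnomaly", "IPS Anomaly"),
        505: ("fgTrapIpsPkgUpdate", "IPS Package Update"),
        601: ("fgTrapAvVirus", "Virus detected"),
        602: ("fgTrapAvOversize", "Oversize file/email detected"),
        603: ("fgTrapAvPattern", "Filename block detected"),
        604: ("fgTrapAvFragmented", "Fragmented file detected"),
        605: ("fgTrapAvEnterConserve", "AV engine entered conservation mode"),
        606: ("fgTrapAvBypass", "AV scanner bypassed in conservation mode"),
        607: ("fgTrapAvOversizePass", "Oversized file passed"),
        608: ("fgTrapAvOversizeBlock", "Oversized file blocked"),
    },
    SYSTEM_TRAPS: {
        101: ("fnTrapCpuThreshold", "CPU usage high"),
        102: ("fnTrapMemThreshold", "Memory low"),
        103: ("fnTrapLogDiskThreshold", "Log disk too full"),
        104: ("fnTrapTempHigh", "Temperature too high"),
        105: ("fnTrapVoltageOutOfRange", "Voltage outside acceptable range"),
        106: ("fnTrapPowerSupplyFailure", "Power supply failure"),
        201: ("fnTrapIpChange", "Interface IP change"),
        999: ("fnTrapTest", "Diagnostic trap"),
    },
}

# Companion objects sent as extra varbinds with IPS, antivirus and HA traps (Tables 41-43).
TRAP_FIELDS = {
    "1.3.6.1.4.1.12356.101.9.3.1": "fgIpsTrapSigId",
    "1.3.6.1.4.1.12356.101.9.3.2": "fgIpsTrapSrcIp",
    "1.3.6.1.4.1.12356.101.9.3.3": "fgIpsTrapSigMsg",
    "1.3.6.1.4.1.12356.101.8.3.1": "fgAvTrapVirName",
    "1.3.6.1.4.1.12356.101.13.3.1": "fgHaTrapMemberSerial",
}

@dataclass
class TrapInfo:
    base: str
    index: int
    name: str       # MIB trap name, e.g. fgTrapIpsSignature
    message: str    # "Trap message" column of the handbook table
    fields: dict = field(default_factory=dict)  # decoded companion objects by MIB name

def resolve_trap(trap_oid: str) -> TrapInfo:
    """Map a full trap OID (table base + "." + index) to its handbook name and message."""
    base, _, idx = trap_oid.strip().strip(".").rpartition(".")
    if not idx.isdigit() or int(idx) not in TRAPS.get(base, {}):
        raise KeyError(f"no Fortinet/FortiGate trap with OID {trap_oid}")
    name, message = TRAPS[base][int(idx)]
    return TrapInfo(base, int(idx), name, message)

def decode_trap(varbinds) -> TrapInfo:
    """Decode an SNMPv2 trap given as (oid, value) pairs; snmpTrapOID.0 names the trap."""
    binds = {oid.strip().strip("."): value for oid, value in varbinds}
    if SNMP_TRAP_OID not in binds:
        raise ValueError("varbinds carry no snmpTrapOID.0")
    info = resolve_trap(binds[SNMP_TRAP_OID])
    for oid, value in binds.items():
        key = oid[:-2] if oid.endswith(".0") else oid  # tolerate the ".0" instance suffix agents append
        if key in TRAP_FIELDS:
            info.fields[TRAP_FIELDS[key]] = value
    return info

def category(info: TrapInfo) -> str:
    """Which handbook table the trap belongs to, e.g. for routing alerts to different queues."""
    if info.base == SYSTEM_TRAPS:
        return "system"
    return {3: "vpn", 4: "ha", 5: "ips", 6: "antivirus"}.get(info.index // 100, "generic")

# Constructed sample: an IPS signature trap (index .503) with its three companion objects.
SAMPLE_TRAP = [
    (SNMP_TRAP_OID, FORTINET_TRAPS + ".503"),
    ("1.3.6.1.4.1.12356.101.9.3.1.0", "12345"),
    ("1.3.6.1.4.1.12356.101.9.3.2.0", "192.0.2.10"),
    ("1.3.6.1.4.1.12356.101.9.3.3.0", "constructed signature message"),
]
```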

Fortinet and FortiGate MIB fields
The FortiGate MIB contains fields reporting current FortiGate unit status information. The
tables below list the names of the MIB fields and describe the status information available
for each one. You can view more details about the information available from all Fortinet
and FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and
FORTINET-FORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB
fields on your computer.
To help locate a field, the object identifier (OID) number for each table of fields has been
included. The OID number for a field is that field’s position within the table, starting at 0.
For example fnSysVersion has an OID of 1.3.6.1.4.1.12356.2.

The following tables include:
• FortiGate HA MIB Information fields (OID 1.3.6.1.4.1.12356.101.13.1)
• FortiGate HA unit stats fields (OID 1.3.6.1.4.1.12356.101.13.2)
• FortiGate Administrator accounts (OID 1.3.6.1.4.1.12356.101)
• FortiGate Virtual domains (OID 1.3.6.1.4.1.12356.101.3.1)
• FortiGate Virtual domain table entries (OID 1.3.6.1.4.1.12356.101.3.2.1.1)
• FortiGate Active IP sessions table (OID 1.3.6.1.4.1.12356.101.11.2.1.1)
• FortiGate Firewall policy statistics table (OID 1.3.6.1.4.1.12356.101.5.1.2.1.1)
• FortiGate Dialup VPN peers (OID 1.3.6.1.4.1.12356.101.12.2.1.1)
• VPN Tunnel table (OID 1.3.6.1.4.1.12356.101.12.2.2.1)

Table 44: FortiGate HA MIB Information fields (OID 1.3.6.1.4.1.12356.101.13.1)
MIB field (index)
    Description
fgHaSystemMode (.1)
    High-availability mode (Standalone, A-A or A-P).
fgHaGroupId (.2)
    HA cluster group ID.
fgHaPriority (.3)
    HA clustering priority (default - 127).
fgHaOverride (.4)
    Status of a master override flag.
fgHaAutoSync (.5)
    Status of an automatic configuration synchronization.
fgHaSchedule (.6)
    Load balancing schedule for cluster in Active-Active mode.
fgHaGroupName (.7)
    HA cluster group name.
fgHaTrapMemberSerial (.8)
    Serial number of an HA cluster member.

Table 45: FortiGate HA unit stats fields (OID 1.3.6.1.4.1.12356.101.13.2)
MIB field (index)
    Description
fgHaStatsTable
    Statistics for the individual FortiGate unit in the HA cluster.
  fgHaStatsIndex (.1)
    The index number of the unit in the cluster.
  fgHaStatsSerial (.2)
    The FortiGate unit serial number.
  fgHaStatsCpuUsage (.3)
    The current FortiGate unit CPU usage (%).
  fgHaStatsMemUsage (.4)
    The current unit memory usage (%).
  fgHaStatsNetUsage (.5)
    The current unit network utilization (Kbps).
  fgHaStatsSesCount (.6)
    The number of active sessions.
  fgHaStatsPktCount (.7)
    The number of packets processed.
  fgHaStatsByteCount (.8)
    The number of bytes processed by the FortiGate unit.
  fgHaStatsIdsCount (.9)
    The number of attacks that the IPS detected in the last 20 hours.
  fgHaStatsAvCount (.10)
    The number of viruses that the antivirus system detected in the last 20 hours.
  fgHaStatsHostname (.11)
    Hostname of the HA cluster unit.

Table 46: FortiGate Administrator accounts (OID 1.3.6.1.4.1.12356.101)
MIB field (index)
    Description
fgAdminIdleTimeout (.1)
    Idle period after which an administrator is automatically logged out of the system.
fgAdminLcdProtection (.2)
    Status of the LCD protection, either enabled or disabled.
fgAdminTable
    Table of administrators on this FortiGate unit.
  fgAdminVdom
    The virtual domain the administrator belongs to. (OID 1.3.6.1.4.1.12356.101.6.1.2.1.1.1)

Table 47: FortiGate Virtual domains (OID 1.3.6.1.4.1.12356.101.3.1)
MIB field (index)
    Description
fgVdInfo
    FortiGate unit Virtual Domain related information.
  fgVdNumber (.1)
    The number of virtual domains configured on this FortiGate unit.
  fgVdMaxVdoms (.2)
    The maximum number of virtual domains allowed on the FortiGate unit as allowed by
    hardware or licensing.
  fgVdEnabled (.3)
    Whether virtual domains are enabled on this FortiGate unit.

Table 48: FortiGate Virtual domain table entries (OID 1.3.6.1.4.1.12356.101.3.2.1.1)
MIB field (index)
    Description
fgVdTable.fgVdEntry
    Table of information about each virtual domain; each virtual domain has an
    fgVdEntry. Each entry has the following fields.
  fgVdEntIndex (.1)
    Internal virtual domain index used to uniquely identify entries in this table.
    This index is also used by other tables referencing a virtual domain.
  fgVdEntName (.2)
    The name of the virtual domain.
  fgVdEntOpMode (.3)
    Operation mode of this virtual domain - either NAT or Transparent.

Table 49: FortiGate Active IP sessions table (OID 1.3.6.1.4.1.12356.101.11.2.1.1)
MIB field (index)
    Description
fgIpSessIndex (.1)
    The index number of the IP session within the fgIpSessTable table.
fgIpSessProto (.2)
    The IP protocol the session is using (IP, TCP, UDP, etc.).
fgIpSessFromAddr (.3)
    The source IPv4 address of the active IP session.
fgIpSessFromPort (.4)
    The source port of the active IP session (UDP and TCP only).
fgIpSessToAddr (.5)
    The destination IPv4 address of the active IP session.
fgIpSessToPort (.6)
    The destination port of the active IP session (UDP and TCP only).
fgIpSessExp (.7)
    The number of seconds remaining until the session expires (if idle).
fgIpSessVdom (.8)
    Virtual domain the session is part of. Corresponds to the index in fgVdTable.
fgIpSessStatsTable
    IP session statistics table for the virtual domain.
  fgIpSessStatsEntry.fgIpSessNumber
    Total sessions on this virtual domain. (OID 1.3.6.1.4.1.12356.101.11.2.1.2.1.1)

Table 50: FortiGate Firewall policy statistics table (OID 1.3.6.1.4.1.12356.101.5.1.2.1.1)
MIB field (index)
    Description
fgFwPolicyStatsTable.fgFwPolicyStatsEntry
    Entries in the table for firewall policy statistics on a virtual domain.
  fgFwPolicyID (.1)
    Firewall policy ID. Only enabled policies are available for querying. Policy IDs
    are only unique within a virtual domain.
  fgFwPolicyPktCount (.2)
    Number of packets matched to the policy (passed or blocked, depending on policy
    action). Count is from the time the policy became active.
  fgFwPolicyByteCount (.3)
    Number of bytes matched to the policy (passed or blocked, depending on policy
    action). Count is from the time the policy became active.

Table 51: FortiGate Dialup VPN peers (OID 1.3.6.1.4.1.12356.101.12.2.1.1)
MIB field (index)
    Description
fgVpnDialupIndex (.1)
    An index value that uniquely identifies a VPN dial-up peer in the table.
fgVpnDialupGateway (.2)
    The remote gateway IP address on the tunnel.
fgVpnDialupLifetime (.3)
    VPN tunnel lifetime in seconds.
fgVpnDialupTimeout (.4)
    Time remaining until the next key exchange (seconds) for this tunnel.
fgVpnDialupSrcBegin (.5)
    Remote subnet address of the tunnel.
fgVpnDialupSrcEnd (.6)
    Remote subnet mask of the tunnel.
fgVpnDialupDstAddr (.7)
    Local subnet address of the tunnel.
fgVpnDialupVdom (.8)
    The virtual domain this tunnel is part of. This index corresponds to the index in
    fgVdTable.
fgVpnDialUpInOctets (.9)
    The number of bytes received over the tunnel.
fgVpnDialUpOutOctets (.10)
    The number of bytes sent over the tunnel.

Table 52: VPN Tunnel table (OID 1.3.6.1.4.1.12356.101.12.2.2.1)
MIB field (index)
    Description
fgVpnTunEntIndex (.1)
    An index value that uniquely identifies a VPN tunnel within the VPN tunnel table.
fgVpnTunEntPhase1Name (.2)
    The descriptive name of the Phase1 configuration for the tunnel.
fgVpnTunEntPhase2Name (.3)
    The descriptive name of the Phase2 configuration for the tunnel.
fgVpnTunEntRemGwyIp (.4)
    The IP of the remote gateway used by the tunnel.
fgVpnTunEntRemGwyPort (.5)
    The port of the remote gateway used by the tunnel, if it is UDP.
fgVpnTunEntLocGwyIp (.6)
    The IP of the local gateway used by the tunnel.
fgVpnTunEntLocGwyPort (.7)
    The port of the local gateway used by the tunnel, if it is UDP.
fgVpnTunEntSelectorSrcBeginIp (.8)
    Beginning of the address range of the source selector.
fgVpnTunEntSelectorSrcEndIp (.9)
    Ending of the address range of the source selector.
fgVpnTunEntSelectorSrcPort (.10)
    Source selector port.
fgVpnTunEntSelectorDstBeginIp (.11)
    Beginning of the address range of the destination selector.
fgVpnTunEntSelectorDstEndIp (.12)
    Ending of the address range of the destination selector.
fgVpnTunEntSelectorDstPort (.13)
    Destination selector port.
fgVpnTunEntSelectorProto (.14)
    Protocol number for the selector.
fgVpnTunEntLifeSecs (.15)
    Lifetime of the tunnel in seconds, if a time based lifetime is used.
fgVpnTunEntLifeBytes (.16)
    Lifetime of the tunnel in bytes, if a byte transfer based lifetime is used.
fgVpnTunEntTimeout (.17)
    Timeout of the tunnel in seconds.
fgVpnTunEntInOctets (.18)
    Number of bytes received on the tunnel.
fgVpnTunEntOutOctets (.19)
    Number of bytes sent out on the tunnel.
fgVpnTunEntStatus (.20)
    Current status of the tunnel - either up or down.
fgVpnTunEntVdom (.21)
    Virtual domain the tunnel belongs to. This index corresponds to the index used in
    fgVdTable.

Logging
FortiOS provides a robust logging environment that enables you to monitor, store and
report traffic information and FortiGate events, including attempted log-ins and hardware
status. Depending on your requirements, you can log to a number of different hosts.
To configure logging in the web-based manager, go to Log & Report > Log Config > Log
Setting.
To configure logging in the CLI, use the commands under config log <log_location>.
For details on configuring logging, see the accompanying FortiOS documentation and the
FortiAnalyzer Administration Guide.

FortiGate memory
Inexpensive yet volatile, logging to memory is a simple option for basic event logs or for
verifying traffic, AV or spam patterns. However, because logs are stored in the limited
space of the internal memory, only a small amount is available for logs. As a result, logs
can fill up and be overwritten by new entries, so older data is lost and cannot be reviewed
later. This is especially true for traffic logs. Also, should the FortiGate unit be shut down
or rebooted, all log information will be lost.

FortiGate hard disk
For those FortiGate units with an internal hard disk, you can store logs to this location.
Efficient and local, the hard disk provides a convenient storage location. If you choose to
store logs in this manner, remember to back up the log data regularly. Typically there is
only one hard disk, and as such no RAID options are available.

Syslog server
Syslog is an industry standard for collecting log messages for off-site storage. In the
web-based manager, you can send logs to a single syslog server; in the CLI, however, you
can configure up to three syslog servers, each with its own configuration options. For
example, you can send traffic logs to one server and antivirus logs to another.


FortiGuard Analysis and Management service
The FortiGuard Analysis and Management Service is a subscription based hosted service.
With this service, you can have centralized management, logging, and reporting
capabilities found in FortiAnalyzer and FortiManager platforms, without any additional
hardware to buy, install or maintain.
This service includes a full range of reporting, analysis and logging, firmware
management and configuration revision history. It is hosted within Fortinet's global
FortiGuard Network for maximum reliability and performance, and its reporting and
drill-down analysis widgets make it easy to develop custom views of network and security
events.

FortiAnalyzer
The FortiAnalyzer family of logging, analyzing, and reporting appliances securely
aggregate log data from Fortinet devices and other syslog-compatible devices. Using a
comprehensive suite of easily-customized reports, users can filter and review records,
including traffic, event, virus, attack, Web content, and email data, mining the data to
determine your security stance and assure regulatory compliance. FortiAnalyzer also
provides advanced security management functions such as quarantined file archiving,
event correlation, vulnerability assessments, traffic analysis, and archiving of email, Web
access, instant messaging and file transfer content.

Alert email
As an administrator, you want to be certain you can respond quickly to issues occurring on
your network or on the FortiGate unit. Alert email provides an efficient and direct method
of notifying an administrator of events. By configuring alert messages, you can define the
threshold when a problem becomes critical and needs attention. When this threshold is
reached, the FortiGate unit will send an email to one or more individuals notifying them of
the issue.
In the following example, the FortiGate unit is configured to send email to two
administrators (admin1 and admin2) when multiple intrusions are detected every two
minutes. The FortiGate unit has its own email address on the mail server.
To configure alert email - web-based manager
1 Go to Log & Report > Log Config > Alert E-mail.
2 Enter the following information.
  SMTP Server     Enter the address or name of the email server. For example,
                  smtp.example.com.
  Email from      fortigate@example.com
  Email to        admin1@example.com
                  admin2@example.com
  Authentication  Enable authentication if required by the email server.
  SMTP User       FortiGate
  Password        *********************
  Interval Time   2
3 For the Interval Time, enter 2.
4 Select Intrusion Detected.
5 Select Apply.

To configure alert email - CLI
config system alertemail
    set port 25
    set server smtp.example.com
    set authenticate enable
    set username FortiGate
    set password *************
end
config alertemail setting
    set username fortigate@example.com
    set mailto1 admin1@example.com
    set mailto2 admin2@example.com
    set filter category
    set IPS-logs enable
end

Advanced concepts
This chapter provides configuration ideas and techniques to enhance your network
security.
This chapter includes the following sections:
• Central NAT table
• DHCP servers and relays
• Administration for schools
• Blocking port 25 to email server traffic
• Blocking HTTP access by IP
• Assigning IP address by MAC address

Central NAT table
The central NAT table enables you to define, and control with more granularity, the
address translation performed by the FortiGate unit. With the NAT table, you can define
the rules which dictate the source address or address group and which IP pool the
destination address uses.
While similar in functionality to IP pools, where a single address is translated to an
alternate address from a range of IP addresses, with IP pools there is no control over the
translated port. When using the IP pool for source NAT, you can define a fixed port to
guarantee the source port number is unchanged. If no fixed port is defined, the port
translation is chosen randomly by the FortiGate unit. With the central NAT table, you have
full control over both the IP address and port translation.
The NAT table also functions in the same way as the firewall policy table. That is, the
FortiGate unit reads the NAT rules top-down until it hits a matching rule for the incoming
address. This enables you to create multiple NAT policies that dictate which IP pool is
used based on the source address. The NAT policies can be rearranged within the policy
list as well, the same way as firewall policies.
NAT policies are applied to network traffic after a firewall policy.
NAT policies are created in the web-based manager by going to Firewall > Policy >
Central NAT Table. The NAT policies are enabled when you configure the firewall policy by
selecting the Use Central NAT Table option.
NAT policies are created in the CLI by using the commands under config firewall
central-nat. To enable the policies, use the commands
config firewall policy
    edit <policy_number>
        set central-nat enable
end

DHCP servers and relays
The DHCP protocol enables hosts to automatically obtain an IP address from a DHCP
server. Optionally, they can also obtain default gateway and DNS server settings. A
FortiGate interface or VLAN subinterface can provide the following DHCP services:
• Basic DHCP servers for non-IPSec IP networks
• IPSec DHCP servers for IPSec (VPN) connections
• DHCP relay for regular Ethernet or IPSec (VPN) connections

An interface cannot provide both a server and a relay for connections of the same type
(regular or IPSec). However, you can configure a Regular DHCP server on an interface
only if the interface is a physical interface with a static IP address. You can configure an
IPSec DHCP server on an interface that has either a static or a dynamic IP address.
You can configure one or more DHCP servers on any FortiGate interface. A DHCP server
dynamically assigns IP addresses to hosts on the network connected to the interface. The
host computers must be configured to obtain their IP addresses using DHCP.
If an interface is connected to multiple networks via routers, you can add a DHCP server
for each network. The IP range of each DHCP server must match the network address
range. The routers must be configured for DHCP relay.
You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP
requests from DHCP clients to an external DHCP server and returns the responses to the
DHCP clients. The DHCP server must have appropriate routing so that its response
packets to the DHCP clients arrive at the unit.

Service
On FortiGate 50 and 60 series units, a DHCP server is configured, by default, on the
Internal interface:
IP Range         192.168.1.110 to 192.168.1.210
Netmask          255.255.255.0
Default gateway  192.168.1.99
Lease time       7 days
DNS Server 1     192.168.1.99

You can disable or change this default DHCP Server configuration. However, you cannot
configure DHCP in Transparent mode. In Transparent mode DHCP requests pass through
the unit. An interface must have a static IP before you configure a DHCP server on it.
These settings are appropriate for the default Internal interface IP address of
192.168.1.99. If you change this address to a different network, you need to change the
DHCP server settings to match.

Reserving IP addresses for specific clients
You can reserve an IP address for a specific client identified by the client device MAC
address and the connection type, regular Ethernet or IPSec. The DHCP server always
assigns the reserved address to that client. You can assign up to 200 IP addresses as
reserved.
Use the config system dhcp reserved-address command to reserve IP addresses
for specific clients.

FortiGate DNS services
You can configure a unit to be the DNS server for any networks that can communicate with
a FortiGate interface. You set up the DNS configuration for each interface in one of three
ways:
• The interface relays DNS requests to the DNS servers configured for the unit by going
  to System > Network > Options.
• The interface resolves DNS requests using a FortiGate DNS database. DNS requests
  for host names not in the FortiGate DNS database are dropped.
• The interface resolves DNS requests using the FortiGate DNS database and relays
  DNS requests for host names not in the FortiGate DNS database to the DNS servers
  configured for the unit (System > Network > Options). This is called a split DNS
  configuration.

If virtual domains are not enabled you can create one DNS database that is shared by all
FortiGate interfaces. If virtual domains are enabled, you create a DNS database in each
VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.

Split DNS
In a split DNS configuration you create a DNS database on the FortiGate unit, usually for
host names on an internal network or for a local domain. When users on the internal
network attempt to connect to these host names the IP addresses are provided by the
FortiGate DNS database. Host names that are not in the FortiGate DNS database are
resolved by relaying the DNS lookup to an external DNS server.
A split DNS configuration can be used to provide internal users access to resources on
your private network that can also be accessed from the Internet. For example, you could
have a public web server behind a FortiGate unit operating in NAT/Route mode. Users on
the Internet access this web server using a port forwarding virtual IP. So the web server
has a public IP address for internet users. But you may want users on your internal
network to access the server using its private IP address to keep traffic from internal users
off of the Internet.
To do this, you create a split DNS configuration on the unit and add the host name of the
server to the FortiGate DNS database, but include the internal IP address of the server
instead of the external IP address. Because the unit checks the FortiGate DNS database
first, all DNS lookups for the server host name will return the internal IP address of the
server. For an example of how to configure split DNS, see “To configure a split DNS
configuration” on page 445.
To configure a DNS server
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The unit uses these DNS servers for its own DNS lookups, and they can also be used to
supply DNS lookups for your internal networks.
2 Go to System > Network > Interface and edit the interface connected to a network that
you want the unit to be a DNS server for.

3 Select Enable DNS Query.
When you select Enable DNS Query, the unit relays all DNS queries received by this
interface to the DNS servers configured under System > Network > Options. Select
Recursive or Non-Recursive to control how this works.
Recursive looks up domain names in the FortiGate DNS database. If the entry is not
found, the request is relayed to the DNS servers configured in System > Network >
Options. This setting can be used for a split DNS configuration.
Non-recursive looks up domain names in the FortiGate DNS database. This setting
does not relay the request to the DNS servers that are configured in System > Network
> Options.
4 Go to System > Network > DNS Server and configure the FortiGate DNS database.
Add zones and entries as required. See “Configuring the FortiGate DNS database” on
page 445.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
Configure a FortiGate interface to relay DNS requests to the DNS servers configured for
the FortiGate unit under System > Network > Options.
To configure a FortiGate interface to relay DNS requests to external DNS servers
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The unit uses these DNS servers for its own DNS lookups, and they can also be used to
supply DNS lookups for your internal networks.
2 Go to System > Network > Interface and edit the interface connected to a network that
you want the unit to be a DNS server for.
3 Select Enable DNS Query and select Recursive.
The interface is configured to look up domain names in the FortiGate DNS database
and relay the requests for names not in the FortiGate DNS database to the DNS
servers configured under System > Network > Options. If you do not add entries to the
FortiGate DNS database, all DNS requests are relayed to the DNS servers configured
under System > Network > Options.
4 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
Configure a FortiGate interface to resolve DNS requests using the FortiGate DNS
database and to drop requests for host names that are not in the FortiGate DNS database.
To configure an interface to resolve DNS requests using the FortiGate DNS database
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The FortiGate unit uses these DNS servers for its own DNS lookups, and they can also
be used to supply DNS lookups for your internal networks.

2 Go to System & gt; Network & gt; Interface and edit the interface connected to a network that
you want the FortiGate unit to be a DNS server.
3 Select Enable DNS Query and select Non-Recursive.
When you select Non-Recursive only the entries in the FortiGate DNS database are
used.
4 Go to System & gt; Network & gt; DNS Server and configure the FortiGate DNS database.
Add zones and entries as required. See “Configuring the FortiGate DNS database” on
page 445.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
Configure an interface to resolve DNS requests using the FortiGate DNS database and
relay DNS requests for host names not in the FortiGate DNS database to the DNS servers
configured under System & gt; Network & gt; Options. This is called a split DNS configuration.
See “Split DNS” on page 443.
To configure a split DNS configuration
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The unit uses these DNS servers for its own DNS lookups and can also use them to
supply DNS lookups for your internal networks.
2 Go to System > Network > Interface and edit the interface connected to the network
for which you want the unit to be a DNS server.
3 Select Enable DNS Query and select Recursive.
The interface is configured to look up domain names in the FortiGate DNS database
and to relay the requests for names not in the FortiGate DNS database to the DNS
servers configured under System > Network > Options. You can add entries to the
FortiGate DNS database for users on the internal network.
4 Go to System > Network > DNS Server and configure the FortiGate DNS database.
Add zones and entries as required for users on the internal network. See “Configuring
the FortiGate DNS database” on page 445.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
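The difference between the Non-Recursive and Recursive (split DNS) modes described in the two procedures above, as an added model that is not part of the handbook or of FortiOS: the zone school.example, its hosts, and the upstream answer for www.example.com are all constructed sample data, and the upstream dictionary stands in for the ISP servers configured under System > Network > Options.

```python
# Constructed FortiGate-style DNS database: zone -> {host label: (type, value)}.
LOCAL_DB = {
    "school.example": {
        "intranet": ("A", "10.10.10.20"),
        "mail": ("A", "10.10.11.29"),
        "www": ("CNAME", "intranet.school.example"),
    },
}

# Constructed stand-in for the Primary/Secondary DNS servers under
# System > Network > Options; a real interface would send UDP/53 queries.
UPSTREAM = {"www.example.com": "192.0.2.10"}  # TEST-NET-1 address, constructed


def local_lookup(name, depth=0):
    """Answer a name from the local database only, following CNAME records.

    Returns the address string, or None when no zone/entry covers the name.
    """
    if depth > 3:            # refuse CNAME loops in a misconfigured database
        return None
    name = name.rstrip(".").lower()
    for zone, entries in LOCAL_DB.items():
        if name == zone or name.endswith("." + zone):
            label = name[: -(len(zone) + 1)] if name != zone else "@"
            record = entries.get(label)
            if record is None:
                return None
            rtype, value = record
            if rtype == "CNAME":
                return local_lookup(value, depth + 1)
            return value
    return None


def resolve(name, recursive):
    """Model one query arriving at an interface with Enable DNS Query set.

    recursive=False models Non-Recursive: only database entries are
    answered and every other name is dropped (None).
    recursive=True models Recursive (split DNS): the database is consulted
    first and a miss is relayed to the upstream servers.
    """
    answer = local_lookup(name)
    if answer is not None or not recursive:
        return answer
    return UPSTREAM.get(name.rstrip(".").lower())


if __name__ == "__main__":
    for host in ("intranet.school.example", "www.school.example", "www.example.com"):
        print(f"{host:28} non-recursive={resolve(host, False)!s:12} "
              f"recursive={resolve(host, True)}")
```

Internal names resolve in both modes; the public name is dropped by the Non-Recursive interface and relayed by the Recursive one.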

Configuring the FortiGate DNS database
The FortiGate DNS database must be configured so that DNS lookups from an internal
network are resolved by the FortiGate DNS database.
Each entry in the DNS database is a host name and the address or name it resolves to. An
entry can be an IPv4 address (A), an IPv6 address (AAAA), a name server (NS), a
canonical name (CNAME), or a mail exchange (MX) name.

To configure the FortiGate DNS database in the web-based manager, go to System >
Network > DNS Server.
To use the CLI, use the commands:
config system dns-database
    edit <zone-string>
        set domain <domain>
        set ttl <int>
        config dns-entry
            edit <entry-id>
                set canonical-name <canonical_name_string>
                set hostname <hostname_string>
                set ip <ip_address>
                set ipv6 <ipv6_address>
                set preference <preference_value>
                set status {enable | disable}
                set ttl <entry_ttl_value>
                set type {A | AAAA | MX | NS | CNAME}
            end
    end

Administration for schools
For a system administrator in a school system it is particularly difficult to maintain a
network and access to the Internet. There are potential legal liabilities if content is not
properly filtered and children are allowed to view pornography and other non-productive
and potentially dangerous content. For a school, too much filtering is better than too little.
This section describes some basic practices administrators can employ to help maintain
control over Internet access without being too draconian.

Firewall policies
The default firewall policies in FortiOS allow all traffic on all ports and all IP addresses,
which is not the most secure starting point. While applying UTM profiles can help to block
viruses, detect attacks and prevent spam, this alone does not provide a solid overall
security posture. The best approach is a layered approach, the first layer being the
firewall policy.
When creating outbound firewall policies, you need to know the answer to the question
“What are the students allowed to do?” The answer is surf the web, connect to FTP sites,
send/receive email, and so on.
Once you know what the students need to do, you can research the software used and
determine the ports the applications use. For example, if the students only require web
surfing, then only two ports (80 - HTTP and 443 - HTTPS) are needed to complete their
tasks. Setting the firewall policies to allow traffic through only two ports (rather than all
65,000) significantly lowers the exposure to possible exploits. Restricting the ports to
known services also stops the use of proxy servers, as many of them operate on a
non-standard port to hide their traffic from URL filtering or HTTP inspection.

DNS
Students should not be allowed to use whatever DNS they want. This opens another port
for them to use and potentially smuggle traffic on. The best approach is to point to an
internal DNS server and only allow that device out on port 53. It is the same approach
one would use for SMTP: only allow the mail server to use port 25, since nothing else
should be sending email.

If there is no internal DNS server, then the list of allowed DNS servers they can use should
be restrictive. One possible exploit would be for them to set up their own DNS server at
home that serves different IPs for known hosts, such as having Google.com sent back the
IP for playboy.com.

Encrypted traffic (HTTPS)
Generally speaking, students should not be allowed to access encrypted web sites.
Encrypted traffic cannot be sniffed, and therefore cannot be monitored. HTTPS traffic
should only be allowed when necessary. Most web sites a student needs to access are
HTTP, not HTTPS. Due to the nature of the HTTPS protocol, and the fact that traffic your
devices cannot inspect is an inherent security risk to your network, its use should be
restricted.
Adding a firewall policy that encompasses a list of allowed secure sites will ensure that
the required HTTPS sites are the only secure sites a student can go to.

FTP
For the most part, students should not be using FTP. FTP is not HTTP or HTTPS, so you
cannot use URL filtering to restrict where they go. This can be controlled with destination
IPs in the firewall policy. With a policy that specifically outlines which FTP addresses are
allowed, all others will be blocked.

Example firewall policies
Given these requirements, an example set of firewall policies could look like the following
illustration. In a large setup, all the IPs for the students are treated by one of these four
policies.
Figure 51: Simple firewall policy setup

The last policy in the list, included by default, is a deny policy. The policies above it are
where a mistake could end up allowing unwanted traffic to pass; the deny policy ensures
that any traffic making it to this point is stopped. It also helps in further troubleshooting,
by viewing the logs for denied traffic.
With these policies in place, even before packet inspection occurs, the FortiGate, and the
network are fairly secure. Should any of the UTM profiles fail, there is still a basic level of
security.

UTM Profiles
In FortiOS 4.0 MR2, the protection profiles have been broken into individual profiles. Each
UTM feature is now its own component, which can make setting up network security
easier.

Antivirus profiles
Antivirus screening should be enabled for any service you have enabled in the firewall
policies. In the case above, that means HTTP and FTP, as well as POP3 and SMTP
(assuming there is email access for students). There is no virus scan option for HTTPS,
because the content is encrypted. Generally speaking, most of the network traffic will be
students surfing the web.
To configure antivirus profiles in the web-based manager, go to UTM > Antivirus > Profile,
or use the CLI commands under config antivirus profile.
Under the antivirus banner is also file filtering. While there should be no reason for a
student to download files - applications or otherwise - to the host PC, you can enable file
pattern matching to limit what can be downloaded. The most common file types are
available to enable for virus checking.
To configure file filtering in the web-based manager, go to UTM > Antivirus > File Filter,
or in the CLI use the commands under config antivirus filepattern.

Web filtering
The actual filtering of URLs - sites and content - should be performed by FortiGuard. It is
easier and web sites are constantly being monitored, and new ones reviewed and added
to the FortiGuard databases every day. The FortiGuard categories provide an extensive
list of offensive, and non-productive sites.
As well, there are additional settings to include in a web filtering profile to best contain a
student’s web browsing.


• Web URL filtering should be enabled to set up exemptions for web sites that are
blocked for reasons other than category filtering. It also prevents the use of IP
addresses to get around web filtering. For details on setting this up, see “Blocking
HTTP access by IP” on page 452.
• Block invalid URLs - HTTPS only. This option inspects the HTTPS certificate and looks
at the URL to ensure it is valid. It is common for proxy sites to create an HTTPS
certificate with a garbage URL. If the site is legitimate, it should be set up correctly. If
the site’s approach to security is to ignore it, then their security policy puts your
network at risk and the site should be blocked.

Web filtering options are configured in the web-based manager by going to UTM > Web
filter > Profile, or in the CLI under config webfilter profile.
Advanced options
There are a few Advanced options to consider for a web filtering profile:
• Enable Rate Images by URL. This option only works with Google images. It examines
the URL that the image is stored at to get a rating on it, then blocks or allows the
image based on the rating of the originating URL. It does not inspect the image
contents. Most image search engines do a prefetch and pass the images directly to
the browser.
• Enable Provide details for blocked HTTP 4xx and 5xx errors. Under normal
circumstances there are exploits that can be used with 400 and 500 series messages
to access the web site. While most students probably won’t know how to do this, there
is no harm in being cautious. It only takes one.
• Enable Block HTTP redirects by rating. An HTTP redirect is one method of getting
around ratings: go to one web site that has an allowed rating, and it redirects to
another web site that you may want blocked.

Categories and Classifications
The selection of which FortiGuard categories and classifications should be blocked is
purely based on the school system and its Internet information policy. Some categories
that could be blocked include:
• Hacking
• Illegal or Unethical
• Racism and Hate
• Proxy Avoidance
• Plagiarism
• Adult Materials
• Nudity and Risque
• Pornography
• Tasteless
• Lingerie and Swimsuit

Email Filtering
Other than specific teacher-led email inboxes, there is no reason why a student should be
able to access, read or send personal email. Ports for POP3, SMTP and IMAP should not
be opened in firewall policies.

IPS
The intrusion protection profiles should be used to ensure the student PCs are not
vulnerable to attacks, and that students are not making attacks. As well, IPS can do more
than simple vulnerability scans. With a FortiGuard subscription, IPS signatures are
pushed to the FortiGate unit. New signatures are released constantly for various intrusions
as they are discovered.
FortiOS includes a number of predefined IPS sensors that you can enable by default.
Selecting the all_default sensor is a good place to start, as it includes the major
signatures.
To configure IPS sensors in the web-based manager, go to UTM > IPS > IPS Sensor, or
in the CLI use the commands under config ips sensor.

Application control
Application control uses IPS signatures to limit the use of instant messaging and
peer-to-peer applications, which can lead to possible infections on a student’s PC. FortiOS
includes a number of pre-defined application categories. To configure and maintain
application control profiles in the web-based manager, go to UTM > Application Control >
Application Control List. In the CLI use the commands under config application list.
Some applications to consider include proxies, botnets, toolbars and P2P applications.

Logging
Turn on all logging - every option in this section should be enabled. This is not where you
decide what you are going to log; it simply defines what the UTM profiles can log.
Logging everything is a way to monitor traffic on the network, see what students are
using the most, and locate any potential holes in your security plan. As well, keeping this
information may help to prove negligence later, if necessary.

Blocking port 25 to email server traffic
Port 25 is the default port for SMTP traffic. Certain types of malware can install themselves
on an unsuspecting user’s computer and send spam using their own built-in email server.
Blocking port 25 prevents such a host, and potentially your network or company, from
being deemed a spam source.
This does, however, also stop your own email server from sending mail. You have a few
options for this:
• If the email server is on a dedicated port, such as a DMZ port, firewall policies can
ensure no traffic goes out from this port except from the email server.
• Block all traffic on port 25 except from the specific address of the email server.

Dedicated traffic
This example shows the steps to ensure SMTP traffic exits only from the DMZ where the
email server is connected. The internal port is connected to the internal network and the
WAN1 port connects to the Internet.
First, create a firewall policy that will not allow any traffic through port 25 from the internal
interface, which connects to the internal network. Place this policy at the top of the firewall
policy list.
To block traffic on port 25 - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Set the following options and select OK.
Source Interface       Internal
Source Address         ALL
Destination Interface  WAN1
Destination Address    ALL
Schedule               ALWAYS
Service                SMTP
Action                 DENY
Comments               Prevent Malware spam.

You may also want to enable Log Violation Traffic to see if there is any potential malware,
or any user, sending email through something other than the corporate email server.
To block traffic on port 25 - CLI
config firewall policy
    edit <policy_number>
        set srcintf internal
        set srcaddr all
        set dstintf wan1
        set dstaddr all
        set schedule always
        set service SMTP
        set action deny
        set comment "Prevent Malware spam."
    end
Next, create a firewall policy for the email server, IP address 10.10.11.29, that allows only
SMTP traffic on port 25 from the email server.

To allow traffic on port 25 for the email server - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Set the following options and select OK.
Source Interface       DMZ
Source Address         10.10.11.29
Destination Interface  WAN1
Destination Address    ALL
Schedule               ALWAYS
Service                SMTP
Action                 ACCEPT

To allow traffic on port 25 for the email server - CLI
config firewall policy
    edit <policy_number>
        set srcintf dmz
        set srcaddr 10.10.11.29
        set dstintf wan1
        set dstaddr all
        set schedule always
        set service SMTP
        set action accept
    end

Restricting traffic on port 25
This example shows how to limit traffic on port 25 on the WAN port to only traffic from the
email server, which is on the internal network. The email server’s address is 10.10.10.29.
To allow traffic on port 25 for the email server - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Set the following options and select OK.
Source Interface       INTERNAL
Source Address         10.10.10.29
Destination Interface  WAN1
Destination Address    ALL
Schedule               ALWAYS
Service                SMTP
Action                 ACCEPT

To allow traffic on port 25 for the email server - CLI
config firewall policy
    edit <policy_number>
        set srcintf internal
        set srcaddr 10.10.10.29
        set dstintf wan1
        set dstaddr all
        set schedule always
        set service SMTP
        set action accept
    end
Next, add a deny firewall policy that blocks all SMTP traffic from the Internal port to the
WAN1 port. Ensure this policy is directly after the policy created above.
To block SMTP traffic on port 25 for the rest of the company - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Set the following options and select OK.
Source Interface       INTERNAL
Source Address         ALL
Destination Interface  WAN1
Destination Address    ALL
Schedule               ALWAYS
Service                SMTP
Action                 DENY

To block SMTP traffic on port 25 for the rest of the company - CLI
config firewall policy
    edit <policy_number>
        set srcintf internal
        set srcaddr all
        set dstintf wan1
        set dstaddr all
        set schedule always
        set service SMTP
        set action deny
    end
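Why the text insists that the deny policy sit directly after the mail server’s accept policy: FortiGate evaluates the policy list top down and the first match wins. The following is an added model of that evaluation, not handbook or FortiOS code; it uses the two policies from “Restricting traffic on port 25” and a constructed workstation address 10.10.10.101, and adds a shadowing check that reports a policy that can never match because an earlier, broader one covers it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    srcintf: str
    srcaddr: str      # one address or "all"
    dstintf: str
    service: str      # a service name, or "ALL"
    action: str       # "accept" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    srcintf: str
    srcaddr: str
    dstintf: str
    service: str


def matches(policy: Policy, pkt: Packet) -> bool:
    """A policy matches when every one of its selectors covers the packet."""
    return (policy.srcintf == pkt.srcintf
            and policy.srcaddr in ("all", pkt.srcaddr)
            and policy.dstintf == pkt.dstintf
            and policy.service in ("ALL", pkt.service))


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """First matching policy decides; anything unmatched hits the implicit
    deny at the bottom of the list (the default deny policy the text relies on)."""
    for policy in policies:
        if matches(policy, pkt):
            return policy.action, policy.comment
    return "deny", "implicit deny"


def shadowed(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Return (later_index, earlier_index) pairs where the later policy can
    never match: an earlier policy on the same interface pair already covers
    its source address and service.  Useful as a sanity check after reordering."""
    found = []
    for j, later in enumerate(policies):
        for i in range(j):
            earlier = policies[i]
            if (earlier.srcintf == later.srcintf
                    and earlier.dstintf == later.dstintf
                    and earlier.srcaddr in ("all", later.srcaddr)
                    and earlier.service in ("ALL", later.service)):
                found.append((j, i))
                break
    return found


# The two policies from "Restricting traffic on port 25".
ALLOW_MAIL = Policy("internal", "10.10.10.29", "wan1", "smtp", "accept", "mail server out")
DENY_SMTP = Policy("internal", "all", "wan1", "smtp", "deny", "Prevent Malware spam.")

CORRECT_ORDER = [ALLOW_MAIL, DENY_SMTP]   # as the text requires
WRONG_ORDER = [DENY_SMTP, ALLOW_MAIL]     # deny placed first by mistake

MAIL_SERVER = Packet("internal", "10.10.10.29", "wan1", "smtp")
WORKSTATION = Packet("internal", "10.10.10.101", "wan1", "smtp")   # constructed host
WEB_BROWSE = Packet("internal", "10.10.10.101", "wan1", "https")   # no policy: implicit deny


if __name__ == "__main__":
    for name, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, "mail server:", evaluate(order, MAIL_SERVER),
              "workstation:", evaluate(order, WORKSTATION),
              "shadowed:", shadowed(order))
```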

Blocking HTTP access by IP
To block a web site by its IP address, create URL filter entries using the additional
information below. Note that this is only effective with HTTP, or with FortiGate units
running Deep Inspection.
You need to create two URL filter entries. The first filter allows only a text string
containing two or more sets of text separated by a period. This matches the various
domain possibilities for web sites, for example:
• example.org
• www.example.com
• www.example.co.jp
The second filter blocks any lookup by IP address.
To add the URL filter entries
1 Go to UTM & gt; Web Filter & gt; URL Filter.
2 Select Create New to add a filter group, give it a name and select OK.
3 Select Create New for a new filter.
4 Enter the URL of ^([a-z0-9-]+\.){1,}[a-z]+
5 Set the Type to Regex.
6 Set the Action to Allow.
7 Select OK.
8 Select Create New.
9 Enter the URL of [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
10 Set the Type to Regex.
11 Set the Action to Block.
12 Select OK.
Position these at the end of the URL filter list so that any exemptions or blocks before
them are still effective.
Both of these filter entries are required. If you only enter the second one, the FortiGate
unit will also catch lookups by host name, because after the URL is resolved to an IP
address both kinds of lookup behave in a similar fashion. The first entry is needed to
match a text host name and allow the web site before the second check is reached.
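The ordered, first-match behaviour of the two regex entries above, as an added illustration that is not part of the handbook or of FortiOS. The two patterns are the ones from the procedure; the matching is done against the lower-cased URL with its scheme removed (an assumption about how the FortiGate compares entries), and the constructed earlier entry for proxy-site.example shows why the pair belongs at the end of the list.

```python
import re
from typing import List, Tuple

# The two entries from the procedure, in list order: allow before block.
URL_FILTER: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^([a-z0-9-]+\.){1,}[a-z]+"), "allow"),
    (re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"), "block"),
]

# Constructed example of an entry positioned before the pair: a specific
# block that must keep working, which is why the pair goes last.
EARLIER_BLOCK = (re.compile(r"^proxy-site\.example"), "block")


def normalize(url: str) -> str:
    """Drop the scheme and lower-case the URL so 'WWW.Example.com' and
    'http://www.example.com/' compare the same way (assumption about the
    FortiGate's comparison, not documented on the page)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())


def url_filter_action(url: str, entries=URL_FILTER) -> str:
    """First matching entry decides.  'pass' means no entry matched and the
    rest of the web filter profile (e.g. FortiGuard categories) decides."""
    target = normalize(url)
    for pattern, action in entries:
        if pattern.search(target):
            return action
    return "pass"


if __name__ == "__main__":
    for u in ("http://www.example.com/", "example.org", "http://203.0.113.5/index.html",
              "http://1.2.3.4.example.com/"):
        print(f"{u:35} both entries: {url_filter_action(u):5} "
              f"block only: {url_filter_action(u, [URL_FILTER[1]])}")
```

The last sample shows the page’s point about needing both entries: a host name that merely contains a dotted quad is allowed by the pair, but blocked when only the IP entry exists.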

Assigning IP address by MAC address
To prevent users from changing their IP addresses and causing IP address conflicts or
unauthorized use of IP addresses, you can bind an IP address to a specific MAC address
using DHCP.
Use the CLI to reserve an IP address for a particular client identified by its device MAC
address and type of connection. The DHCP server then always assigns the reserved IP
address to the client. The number of reserved addresses that you can define ranges from
10 to 200 depending on the FortiGate model.
In the example below, the IP address 10.10.10.55 for User1 is assigned to MAC address
00:09:0F:30:CA:4F.
To assign an IP address to a specific MAC address
config system dhcp reserved-address
    edit User1
        set ip 10.10.10.55
        set mac 00:09:0F:30:CA:4F
        set type regular
    end

Chapter 4 Logging and Reporting

This FortiOS Handbook chapter contains the following sections:
Logging practices in FortiOS 4.0 provides general information about logging. We
recommend that you begin with this section, as it contains information for both beginners
and advanced users.
Configuring log devices provides information about how to configure your chosen log
device. Configuring multiple FortiAnalyzer units or Syslog servers is also included.
Logging in FortiOS 4.0 provides information about the different log types and subtypes,
and how to enable logging of FortiGate features.
FortiGate SQL log databases provides information about SQL statements as well as
examples that you can use to base your own custom datasets on.
FortiGate log messages provides general information about log messages, such as what
is a log header. Detailed examples of each log type are discussed as well. For additional
information about all log messages recorded by a FortiGate unit running FortiOS 4.0 and
higher, see the FortiGate Log Message Reference.
Configuring reports in FortiOS 4.0 provides information about how to configure reports if
you have logged to a FortiAnalyzer unit, FortiGate system memory, or the FortiGate unit’s
hard disk SQL database.

Logging practices in FortiOS 4.0
This section contains valuable information about logging practices and what you need to
consider before logging FortiGate features on your FortiGate unit. This section includes
how logging affects system performance, what logging devices are appropriate for your
logging setup, and solutions for ensuring that logs are not lost if a failure occurs with your
logging device.
Fortinet recommends reading this section when one or more of the following applies:
• You are new to logging in general or new to logging using a FortiGate unit and log
device.
• You are deciding on a log scenario for your network environment and need to know
what log devices are available for the FortiGate unit, including what FortiGate features
would be best suited for your network traffic.
• You want to upgrade your current log scenario, which may mean a new log device
(such as a FortiGuard Analysis server).
• You need to create a new log scenario because the current one no longer meets your
network’s growing logging requirements.
The following topics are included in this section:
• About logging
• Logging FortiGate features
• Log devices
• Backup solutions for logging

About logging
Logging is a valuable tool, providing insight into how to better protect the network traffic
against attacks, including misuse and abuse. This valuable tool requires a plan so that you
can properly configure logging for your particular network’s needs.
This plan should provide you with an outline of your network’s log requirements. Your
plan should cover:
• what FortiGate features you want logged
• the logging device best suited for your network
• whether you want or are required to archive log files
• ensuring log files are not lost in the event a failure occurs (backup solution).

Your plan should also include the following:
• The FortiGate features you want to log.
• The amount of storage space required to log the chosen FortiGate features. For
example, traffic logs cannot be stored in the FortiGate system memory because they
are large files.
• The type of device appropriate for logging the chosen FortiGate features. If your
organization/company requires reports compiled from log data, a FortiAnalyzer unit
may be a better solution since it can create reports at scheduled times.
• A backup solution in the event your logging device becomes unavailable.

Figure 52: Example of the integration of a log device (FortiAnalyzer) in a network
environment (diagram: internal network, hub or switch, FortiGate unit, Internet)

Logging FortiGate features
When you are deciding which FortiGate features to log, it is important to know what types
of features are best suited for your logging requirements. For example, you want to
archive only spam email messages and log VoIP, IM/P2P, event, and traffic logs. You also
need to know if your logging device accepts the types of FortiGate features that you want
logged. For example, a FortiGuard Analysis server accepts all DLP archive logs, but a
Syslog server does not. The backup solution must also fit with what you want to log. For
example, you have enabled traffic, event and DLP archiving to log to a FortiAnalyzer unit
with a Syslog server as a backup solution: a power failure occurs with the FortiAnalyzer
unit and only traffic and event logs are sent to the Syslog server because DLP archives
are not supported.
The FortiGate unit can log ten types of features. These types are:
• traffic
• event
• Data Leak Prevention (DLP)
• application control
• antivirus
• web filtering
• attack (IPS)
• spam filtering
• DLP archiving (not supported on Syslog servers)
• network scanning
If you have enabled and configured VDOMs on your FortiGate unit, you can enable
logging of FortiGate features within each VDOM. The log message, whether recorded in a
VDOM or not, states which VDOM the log message was recorded in. For example, an
event log records user_1 editing the administrative profile for user_23 in vdom_hq.
This type of detail provides you with additional help in tracking down and taking action
against such things as misuse and abuse or attacks.
If you want to archive logs, only specific log types are available. These log types are:
• DLP logs
• quarantine logs
• IPS packet logs
• Email messages
• web
• FTP
• IM
• VoIP
Archived logs can be stored on a FortiAnalyzer unit, local hard disk, or a FortiGuard
Analysis server.

Log devices
Log devices provide a central, secure place to store and view generated log files;
however, some of these devices can also provide much more. For example, a
FortiAnalyzer unit provides both archiving and reporting features.
The following explains each of the supported log devices, including why that logging
device may be a good choice for your network.

System memory
The system memory on the FortiGate unit logs the following features:
• Event log
• Attack log
• Antivirus log
• Webfilter log
• Spam log
• Data Leak Prevention log
• Application Control log
• IM/P2P log
• VoIP log
• Network Scan log
System memory is limited; the system memory cannot log traffic or DLP archive logs
because of their file size and occurrence; however, if you have a local disk, it can log traffic
or DLP archive logs.
If you configured system memory logging, these logs display in Log & Report > Log Access
> Memory. Logging to system memory is a good choice when you only require logging a
few FortiGate features or for small networks, such as a home business.

Local disk or AMC disks
If your FortiGate unit has a hard disk, and that disk contains a Structured Query Language
(SQL) database, you can store logs directly to the hard disk. This option is available only
to FortiGate models with hard disks. When you store logs to a local hard disk, you can
also configure reports from those logs. This is available only for FortiGate units running
FortiOS 4.0 MR2 or higher.

If your FortiGate unit has an AMC disk, you can configure a scheduled upload of logs to a
FortiAnalyzer unit. This provides a way to ensure your logs are not lost in the event your
FortiGate unit fails. You can configure the scheduled upload of logs to a FortiAnalyzer unit
using the CLI.

FortiAnalyzer unit
The FortiAnalyzer unit logs all FortiGate features and can also archive logs. If you also
require creating reports from log data, the FortiAnalyzer unit provides a wide variety of
reports. Reports contain log information that is presented in both graphical and tabular
formats. Reports are a useful tool for reviewing what has occurred on your network in a
daily, weekly, or monthly time period.
Logs are accessed from either the web-based manager of the FortiAnalyzer unit or the
web-based manager of the FortiGate unit (Log & Report > Log Access > Remote).
You can configure up to three FortiAnalyzer units for logging FortiGate features; however,
this is more of a redundancy option than a backup solution.
The FortiAnalyzer unit is perfect for large networks that require DLP archiving and reports.

FortiGuard Analysis server
You can also configure logging to a FortiGuard Analysis server. The FortiGuard Analysis
Service provides a server which you can configure a FortiGate unit to log FortiGate
features to. The FortiGuard Analysis Service is a subscription-based service that provides
logging and reporting capabilities previously only found on a FortiAnalyzer unit. You can
log to a FortiGuard Analysis server if your FortiGate unit is running FortiOS 4.0 and higher.
The FortiGuard Analysis server can log all FortiGate features including traffic logs, as well
as full DLP archiving of all archival FortiGate features, such as email messages and FTP.
You can also generate reports from the log data stored on the FortiGuard Analysis server.
FortiGuard Analysis servers provide all the features of a FortiAnalyzer unit, but without
having an actual, physical FortiAnalyzer unit. This service provides an easy,
maintenance-free environment for logging and is best for those networks that are growing
or administrators who may not have a lot of experience with logging with a FortiGate unit.
The FortiGuard Analysis server can be used in all types of networks, large or small.

Syslog server
The Syslog server is a remote computer running syslog software. Syslog is a standard for
forwarding log messages in an IP network. Syslog servers capture log information
provided by network devices.
Syslog servers are useful in any network setup, large or small. This type of log device,
however, cannot produce reports from logs stored on the server, or archive logs. A syslog
server may not be the best choice if you require archival storage for logs, and/or reports.
The Syslog server can log all FortiGate features, including VoIP logs. You can also
configure up to three Syslog servers to log all FortiGate features; however, configuring
three Syslog servers is more of a redundancy solution than a backup solution.

NetIQ WebTrends server
A NetIQ WebTrends server is useful in any network setup, large or small. The NetIQ
WebTrends server logs all FortiGate features except DLP archives; reports are not
supported either. You can configure only one NetIQ WebTrends server to log FortiGate
features.

Backup solutions for logging
You need to have a backup solution, or backup plan, in the event the logging device
becomes unavailable. If you decide not to include a backup solution when you begin
logging, log files may be lost if the logging device becomes unavailable.
The FortiGuard Analysis Service has several secondary FortiGuard Analysis servers
configured as backup servers in the event the FortiGuard Analysis server that is storing
your log files becomes unavailable. The FortiGuard Analysis service does not require a
backup solution because the secondary servers provide the backup solution you may
need if the FortiGuard Analysis server your FortiGate unit is logging to becomes
unavailable.
Figure 53: Example of a backup solution for logging with a FortiAnalyzer unit and FortiGuard
Analysis servers (diagram: internal network, router, Internet, FortiGuard Analysis servers)
This topic explains the available backup solutions that you can configure.

FortiGate units with hard disks and AMC hard disks
You can use the hard disk, if available, to log to a FortiAnalyzer unit with buffering to the
hard disk by configuring this in the CLI using the config log disk setting
command.
You can configure the AMC hard disk on the FortiGate unit, if available, to store logs
including DLP archives and then upload these logs to a FortiAnalyzer unit on a daily basis.
You can also schedule when to upload these logs from the AMC disk to the FortiAnalyzer
unit.

FortiAnalyzer unit
A backup solution to a FortiAnalyzer unit may be a Syslog server or NetIQ WebTrends
server. You could use a FortiGuard Analysis server as a backup solution to a FortiAnalyzer
unit as well.

Figure 54: Example of a backup solution for a FortiGate unit (figure: Syslog server, internal
network, Internet, hub or switch)

Syslog server
You can configure up to three Syslog servers to ensure logs are not lost when a failure
occurs. When the FortiGate unit logs to all three Syslog servers, all three Syslog servers
receive the same logs. This ensures logs are available at all times.

NetIQ WebTrends server backup solution
You can log to the FortiGate system memory or hard disk as a backup solution when
logging FortiGate features to a NetIQ WebTrends server.

Configuring log devices
The FortiGate unit supports a variety of logging devices, including the FortiGuard Analysis
server. This provides great flexibility when choosing a log device for the first time, as well
as when logging requirements change.
The FortiGate unit supports the following log devices:
• FortiGate system memory
• Hard disk or AMC
• SQL database (for FortiGate units that have a hard disk)
• FortiAnalyzer unit
• FortiGuard Analysis server (part of the FortiGuard Analysis and Management Service)
• Syslog server
• NetIQ WebTrends server

This section explains how to configure your chosen log device, as well as how to configure
multiple FortiAnalyzer units or Syslog servers. This section also includes how to log to a
FortiGuard Analysis server, which is available if you subscribed to the FortiGuard Analysis
and Management Service.
The following topics are included in this section:
• Logging to the FortiGate unit’s system memory
• Logging to the FortiGate unit’s hard disk
• Logging to a FortiAnalyzer unit
• Logging to a FortiGuard Analysis server
• Logging to a Syslog server
• Logging to a WebTrends server
• Logging to multiple FortiAnalyzer units or Syslog servers
Note: You may need to reschedule uploading or rolling of log files because the size of log
files is reduced in FortiOS 4.0 MR1 and higher. The reduction in size provides more storage
room for large amounts of log files on log devices.

Logging to the FortiGate unit’s system memory
The FortiGate system memory has a limited capacity for log messages. The system
memory displays recent log entries and stores most log types except traffic and content
logs. The FortiGate system memory cannot store traffic and content logs because of their
size and frequency of log entries. When the system memory is full, the FortiGate unit
overwrites the oldest messages. All log entries stored in system memory are cleared when
the FortiGate unit restarts.
Note: All log entries are cleared from the FortiGate unit’s system memory when the
FortiGate unit restarts.

To configure the FortiGate unit to save logs in memory - web-based manager
1 Go to Log & Report > Log Config > Log Setting.
2 Expand Local Logging & Archiving.
3 Select the check box beside Memory.
4 Select a log level from the Minimum log level drop-down list.
5 To enable logging of IPS packet archives, select the check box beside Enable IPS
Packet Archive.
6 Select Apply.
The FortiGate unit logs all messages at and above the logging severity level you select.
To configure the FortiGate unit to save logs in memory - CLI
1 Log in to the CLI.
2 Enter the following command syntax:
config log memory setting
set diskfull <overwrite>
set ips-archive {enable | disable}
set status {enable | disable}
end

Logging to the FortiGate unit’s hard disk
If your FortiGate unit contains a hard disk, you can configure the FortiGate unit to store
logs on the disk. You can configure logging to the FortiGate unit’s hard disk from
Log & Report > Log Config > Log Settings. When you are configuring logging to a hard disk,
you can also configure a schedule to upload those logs to a FortiAnalyzer unit if the hard
disk is an AMC disk.
To log to the hard disk on a FortiGate unit - web-based manager
1 Go to Log & Report > Log Config > Log Settings.
2 Expand Local Logging & Archiving to reveal the available options.
3 Select the check box beside Disk.
4 Select a log level from the Minimum log level drop-down list.
5 Select the action the FortiGate unit will take when the log disk is full from the When log
disk is full drop-down list.
6 To enable archiving of DLP or IPS packet archives (or both), select the check box
beside Enable DLP Archive for DLP archiving, or select the check box beside
Enable IPS Packet Archive.
If you do not select the check box beside Enable DLP Archive, no logs will be archived,
even if you have applied the DLP archive sensor to a firewall policy.
7 To enable SQL logging, select the log types that you want to log.
To log to the hard disk on a FortiGate unit - CLI
1 Log in to the CLI.
2 Enter the following command syntax:
config log disk setting
set status enable
end

Use the config log disk filter command to disable the FortiGate features you do
not want to log. By default, most FortiGate features are enabled in the config log
disk filter command.
To log to an AMC hard disk and schedule uploading of logs to a FortiAnalyzer unit
1 Log in to the CLI.
2 Enter the following command syntax. You need to choose fortianalyzer as the
destination for uploading files to:
config log disk setting
set status {enable | disable}
set upload {enable | disable}
set upload-destination {ftp-server | fortianalyzer}
set uploadip <class_ip>
set uploadtype {app-crtl | attack | dlp | dlp-archive | event
| spamfilter | traffic | virus | webfilter}
set uploadsched {enable | disable}
set uploadtime <time_integer>
end

Logging to a FortiAnalyzer unit
A FortiAnalyzer unit can log all FortiGate features that are available for logging, including
DLP archiving. The following procedure assumes that you have only one FortiAnalyzer
unit to configure. If you are configuring more than one, you must configure the other
FortiAnalyzer units in the CLI. Use the procedures in “Configuring multiple FortiAnalyzer
units” on page 470 to configure multiple FortiAnalyzer units.
To send logs to a FortiAnalyzer unit - web-based manager
1 Go to Log & Report > Log Config > Log Setting.
2 Expand Remote Logging & Archiving to reveal the available options.
3 Select the check box beside FortiAnalyzer.
When you select the check box beside FortiAnalyzer, the options for configuring your
FortiGate unit to send logs to a FortiAnalyzer unit are displayed.
4 In the IP Address field, enter the IP address of the FortiAnalyzer unit.
5 Select a log level from the Minimum log level drop-down list.
6 To buffer to the hard disk and schedule an upload of logs, select the check box beside
Buffer to hard disk and upload, select either Daily or Weekly from the drop-down list,
and then enter the time in hours and minutes.
7 If you selected Weekly, select the check box or boxes beside the days of the week.
8 Select Apply.
You must enable the gui-display command in the CLI to show the submenus for
Report Config and Report Access. These menus and their submenus are hidden by
default on the web-based manager.
To send logs to a FortiAnalyzer unit - CLI
1 Log in to the CLI.
2 Enter the following command syntax:
config log fortianalyzer setting
set status {enable | disable}
set server <ip_address>
set use-hdd {enable | disable}
set roll-schedule {daily | weekly}
set roll-time <hh:mm>
set diskfull {nolog | overwrite}
end

Testing the FortiAnalyzer configuration
After configuring FortiAnalyzer settings, you can test the connection between the
FortiGate unit and the FortiAnalyzer unit to ensure the connection is working properly. This
enables you to view the connection settings between the FortiGate unit and the
FortiAnalyzer unit.
To test the connection
1 Go to Log & Report > Log Config > Log Settings.
2 Expand Remote Logging & Archiving, if not already expanded.
3 In the IP Address field row, select Test Connectivity.
When you select Test Connectivity, a window appears with general information about
the FortiAnalyzer unit, the disk space available and used on the FortiAnalyzer unit, and
the privileges the FortiGate unit has while connected to the FortiAnalyzer unit.
4 Select Close when you are done viewing the connection status and general
information.

Connecting to a FortiAnalyzer unit using Automatic Discovery
Automatic Discovery is a method of establishing a connection to a FortiAnalyzer unit by
using the FortiGate unit to find a FortiAnalyzer unit on the network. The Fortinet Discovery
Protocol (FDP) is used to locate the FortiAnalyzer unit. Both units must be on the same
subnet to use FDP, and they must also be able to connect using UDP.
When you select Automatic Discovery, the FortiGate unit uses HELLO packets to locate
any FortiAnalyzer units that are available on the network within the same subnet. When
the FortiGate unit discovers the FortiAnalyzer unit, the FortiGate unit automatically
enables logging to the FortiAnalyzer unit and begins sending log data.
To connect using automatic discovery
1 Log in to the CLI.
2 Enter the following command syntax:
config log fortianalyzer setting
set status {enable | disable}
set server <ip_address>
set gui-display {enable | disable}
set address-mode auto-discovery
end
If your FortiGate unit is in Transparent mode, the interface using the automatic discovery
feature will not carry traffic. For more information about how to enable the interface to also
carry traffic when using the automatic discovery feature, see the Fortinet Knowledge Base
article, Fortinet Discovery Protocol in Transparent mode.

Note: The FortiGate unit searches within the same subnet for a response from any
available FortiAnalyzer units.

Logging to a FortiGuard Analysis server
You can configure logging to a FortiGuard Analysis server after registering for the
FortiGuard Analysis and Management Service. The following procedure assumes that you
have already configured the service account ID in System > Maintenance > FortiGuard.
To log to a FortiGuard Analysis server - web-based manager
1 Go to Log & Report > Log Config > Log Settings.
2 Expand Remote Logging & Archiving to reveal the available options.
3 Select the check box beside FortiGuard Analysis & Management Service.
4 Enter the account ID in the Account ID field.
5 Select one of the following:
Overwrite oldest logs: Deletes the oldest log entry and continues logging when the
maximum log disk space is reached.
Do not log: Stops log messages going to the FortiGuard Analysis server when the
maximum log disk space is reached.
6 Select a severity level.
7 Select Apply.
To log to a FortiGuard Analysis server - CLI
1 Log in to the CLI.
2 Enter the following command syntax:
config log fortiguard setting
set status {enable | disable}
set quotafull {nolog | overwrite}
end

Logging to a Syslog server
The Syslog server is a remote computer running syslog software. Syslog is a standard for
forwarding log messages in an IP network. Syslog servers capture log information
provided by network devices.
The following procedure configures one Syslog server. You can configure up to three
Syslog servers. Use the procedure in “Configuring multiple Syslog servers” on page 471 to
configure multiple Syslog servers.
To send logs to a syslog server - web-based manager
1 Go to Log & Report > Log Config > Log Setting.
2 Select the check box beside Syslog.
After you select the check box, the Syslog options appear.

3 Enter the appropriate information for the following:
IP/FQDN: Enter the domain name or IP address of the syslog server.
Port: Enter the port number for communication with the syslog server, usually port 514.
Minimum log level: Select a log level; the FortiGate unit will log all messages at and
above that logging severity level.
Facility: Facility indicates to the syslog server the source of a log message. By default,
the FortiGate unit reports the facility as local7. You can change the Facility if you want
to distinguish log messages from different FortiGate units.
Enable CSV Format: Select to have logs formatted in Comma Separated Value (CSV)
format. If you do not enable CSV format, the FortiGate unit produces plain text files.
4 Select Apply.
To log to a Syslog server - CLI
1 Log in to the CLI.
2 Enter the following command syntax:
config log syslogd setting
set status {enable | disable}
set server <address_ipv4>
set port <port_integer>
set csv {enable | disable}
set facility {alert | audit | auth | authpriv | clock | cron
| daemon | ftp | kernel | local0 | local1 | local2 |
local3 | local4 | local5 | local6 | local7 | lpr | mail |
news | ntp | syslog | user | uucp}
end

Enabling reliable syslog
The reliable syslog feature is based on RFC 3195. Reliable syslog logging uses TCP,
which ensures that a connection is set up before log packets are transmitted.
There are several profiles available for reliable syslog, but only the RAW profile is
currently supported on the FortiGate unit. The RAW profile is designed to provide a
high-performance, low-impact footprint using essentially the same format as the existing
UDP-based syslog service. The reliable syslog feature is available on FortiGate units
running FortiOS 4.0 MR1 or higher.
When you enable reliable syslog in the CLI, TCP is used. The default setting, disable,
uses UDP. TCP ensures that a connection is set up and that packets are delivered
reliably.
The following procedure assumes that you have already configured the Syslog server.
To enable reliable syslog
1 Log in to the CLI.
2 Enter the following command syntax:
config log syslogd setting
set status enable
set reliable enable
end

Logging to a WebTrends server
A WebTrends server is a remote computer, similar to a Syslog server, running NetIQ
WebTrends firewall reporting server. FortiGate log formats comply with WebTrends
Enhanced Log Format (WELF) and are compatible with NetIQ WebTrends Security
Reporting Center and Firewall Suite 4.1.
To send logs to a WebTrends server, log in to the CLI and enter the following commands:
config log webtrends setting
set server <address_ip4>
set status {disable | enable}
end

Example
This example shows how to enable logging to a remote NetIQ WebTrends server and set
its IP address.
config log webtrends setting
set status enable
set server 172.25.82.145
end

Logging to multiple FortiAnalyzer units or Syslog servers
FortiOS 4.0 allows you to configure multiple FortiAnalyzer units or multiple Syslog servers,
ensuring that all logs are not lost in the event one of them fails.
You can configure multiple FortiAnalyzer units or Syslog servers within the CLI.
This topic includes the following:
• Configuring multiple FortiAnalyzer units
• Configuring multiple Syslog servers
• Example of configuring multiple FortiAnalyzer units

Figure 55: Logging to multiple FortiAnalyzer units (figure: internal network, Internet,
FortiAnalyzer_1, FortiAnalyzer_2, FortiAnalyzer_3)

Figure 56: Logging to multiple Syslog servers (figure: internal network, Internet, Syslog
server_1, Syslog server_2, Syslog server_3)

Configuring multiple FortiAnalyzer units
Fortinet recommends that you contact a FortiAnalyzer administrator first, to verify that the
IP addresses of the FortiAnalyzer units you want to send logs to are correct and that all
FortiAnalyzer units are currently installed with FortiAnalyzer 4.0 firmware.
If VDOMs are enabled, you can configure multiple FortiAnalyzer units or Syslog servers
for each VDOM.
The following procedure does not describe how to enable logging of FortiGate features
within the CLI. Most FortiGate features are, by default, enabled within the log filter
command in the CLI. You should disable the FortiGate features that you do not want
logged within the log filter command.
To enable logging to multiple FortiAnalyzer units
1 Log in to the CLI.
2 Enter the following commands, using encrypt and psksecret if you want to encrypt
the connection:
config log fortianalyzer setting
set status enable
set server <faz_ip_address>
set encrypt [disable | enable]
set psksecret <password>
set localid <identification_ipsectunnel>
set conn-timeout <value_seconds>
end
3 Enter the following commands for the second FortiAnalyzer unit, using encrypt and
psksecret if you want to encrypt the connection:
config log fortianalyzer2 setting
set status {disable | enable}
set server <fortianalyzer_ipv4>
set encrypt [disable | enable]
set psksecret <password>
set localid <identification_ipsectunnel>
set ver-1 {disable | enable}
set conn-timeout <value_seconds>
end
4 Enter the following commands for the last FortiAnalyzer unit, using encrypt and
psksecret if you want to encrypt the connection:
config log fortianalyzer3 setting
set status enable
set server <faz_ip_address>
set encrypt [disable | enable]
set psksecret <password>
set localid <identification_ipsectunnel>
set conn-timeout <value_seconds>
end

Configuring multiple Syslog servers
When configuring multiple Syslog servers (or one Syslog server), you can configure
reliable delivery of log messages to the Syslog server. Configuring reliable delivery is
available only in the CLI.
If VDOMs are enabled, you can configure multiple FortiAnalyzer units or Syslog servers
for each VDOM.
The following procedure does not describe how to enable logging of FortiGate features
within the CLI. Most FortiGate features are, by default, enabled within the log filter
command in the CLI. You should disable the FortiGate features that you do not want
logged within the log filter command.
To enable logging to multiple Syslog servers
1 Log in to the CLI.
2 Enter the following commands:
config log syslogd setting
set csv {disable | enable}
set facility <facility_name>
set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end
3 Enter the following commands to configure the second Syslog server:
config log syslogd2 setting
set csv {disable | enable}
set facility <facility_name>
set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end
4 Enter the following commands to configure the third Syslog server:
config log syslogd3 setting
set csv {disable | enable}
set facility <facility_name>
set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end

Example of configuring multiple FortiAnalyzer units
The IT department at your organization’s headquarters discovers that their one and only
FortiAnalyzer unit is not working properly; however, it is soon up and running again. When
it is working properly again, your department’s managers realize that two days’ worth of
logs are lost. Your IT manager asks you to install and configure two FortiAnalyzer units
onto the network so that logs are not lost again.
In this example, you have already installed and configured the two FortiAnalyzer units and
are now ready to configure sending logs from the FortiGate unit to the two FortiAnalyzer
units.
The three units are named as follows: FortiAnalyzer_Main (main log storage unit),
FortiAnalyzer_1 (first backup), and FortiAnalyzer_2 (second backup).
To configure logging to multiple FortiAnalyzer units
1 Verify that the FortiAnalyzer_Main configuration is correct and that communication
between the FortiGate unit and FortiAnalyzer_Main is working properly.
You can do this by using Test Connectivity from the FortiGate unit. See “Testing the
FortiAnalyzer configuration” on page 466.
2 Go to System > Dashboard > Status and locate the CLI Console widget.
3 Log in to the CLI using the CLI Console widget on the Status page.
4 Enter the following command syntax for FortiAnalyzer_1:
config log fortianalyzer2 setting
set status enable
set server 10.10.20.125
set encrypt enable
set psksecret it123456
set localid ipsec_vpn1
set conn-timeout 1200
set max-buffer-size 800
end
5 Enter the following command syntax for FortiAnalyzer_2:
config log fortianalyzer3 setting
set status enable
set server 10.10.22.120
set encrypt enable
set psksecret it123456
set localid ipsec_vpn1
set conn-timeout 1200
set max-buffer-size 800
end
6 Enter the following command syntax to log the FortiGate features:
config log fortianalyzer2 filter
get log fortianalyzer filter
The get log fortianalyzer filter command displays the FortiGate features that are
enabled by default.
7 Enter the following variables to disable the four FortiGate features that you do not
want:
set wanopt-traffic disable
set netscan disable
set vulnerability disable
end
8 Repeat steps 6 and 7 for FortiAnalyzer_2.
Logs are now configured to go to multiple FortiAnalyzer units.
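As an added example (not Fortinet's code), the following Python script parses a dump of the config log ... setting blocks used in this section and audits it for the two properties the section is about: at least two enabled destinations, so that a single failure like the one in the example above does not lose logs, and encrypt with a psksecret on FortiAnalyzer destinations or reliable on Syslog destinations. The sample configuration, its IP addresses and its pre-shared key are constructed placeholders.

```python
"""Audit a FortiOS 4.0 'config log <name> setting' dump for logging redundancy
and transport protection.  Added example, not Fortinet code; the configuration
text below is constructed to mirror the page's layout, and the IP addresses and
the pre-shared key are placeholders."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
config log fortianalyzer setting
    set status enable
    set server 10.10.20.100
    set encrypt disable
end
config log fortianalyzer2 setting
    set status enable
    set server 10.10.20.125
    set encrypt enable
    set psksecret PLACEHOLDER_PSK
    set localid ipsec_vpn1
    set conn-timeout 1200
end
config log syslogd setting
    set status enable
    set server 10.10.30.5
    set port 514
    set reliable disable
    set facility local7
end
config log syslogd2 setting
    set status disable
end
"""

BLOCK_RE = re.compile(r"^config log (\S+) setting$")
SET_RE = re.compile(r"^set (\S+) (.+)$")


def parse_log_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {destination name: {key: value}} for every
    'config log <name> setting ... end' block in a CLI dump."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        start = BLOCK_RE.match(line)
        if start:
            current = start.group(1)
            blocks[current] = {}
        elif line == "end":
            current = None
        elif current is not None:
            kv = SET_RE.match(line)
            if kv:
                blocks[current][kv.group(1)] = kv.group(2)
    return blocks


def audit_log_config(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag single-destination logging (the failure the page's example describes),
    FortiAnalyzer connections without encrypt/psksecret, and Syslog destinations
    still on UDP (reliable disabled).  Secrets are never echoed in findings."""
    findings: List[str] = []
    enabled = [name for name, kv in blocks.items() if kv.get("status") == "enable"]
    if len(enabled) < 2:
        findings.append(
            f"only {len(enabled)} enabled log destination(s): logs are lost if it fails")
    for name in enabled:
        kv = blocks[name]
        if not kv.get("server"):
            findings.append(f"{name}: status enable but no server address set")
        if name.startswith("fortianalyzer"):
            if kv.get("encrypt") != "enable":
                findings.append(f"{name}: encrypt disabled, logs cross the network in clear text")
            elif not kv.get("psksecret"):
                findings.append(f"{name}: encrypt enabled but no psksecret configured")
        elif name.startswith("syslogd") and kv.get("reliable") != "enable":
            findings.append(f"{name}: reliable disabled, UDP syslog can drop messages silently")
    return findings


if __name__ == "__main__":
    for finding in audit_log_config(parse_log_config(SAMPLE_CONFIG)):
        print(finding)
```

Feed it the output of show log fortianalyzer setting and show log syslogd setting from a real unit to see which destinations still run unencrypted or over UDP.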

Logging in FortiOS 4.0
This section introduces you to the types of logs the FortiGate unit records, log severity
levels, as well as how to configure and enable FortiGate features in FortiOS 4.0.
The following topics are included in this section:
• FortiGate log types and subtypes
• Log severity levels
• Enabling logging of FortiGate features
• Filtering and customizing the display of log messages in the web-based manager
• Alert email messages
• Viewing quarantined files


FortiGate log types and subtypes
The FortiGate unit can record the following log types based on the network traffic.
Table 53: Log types based on network traffic
Log Type (File name): Description

Traffic (tlog.log): The traffic log records all traffic to and through the FortiGate
interface.
Event (elog.log): The event log records management and activity events. For example,
when an administrator logs in or logs out of the web-based manager.
Antivirus (vlog.log): The antivirus log records virus incidents in Web, FTP, and email
traffic.
Web (wlog.log): The web filter log records HTTP FortiGate log rating errors including web
content blocking actions that the FortiGate unit performs.
Attack (alog.log): The attack log records attacks that are detected and prevented by the
FortiGate unit.
Email Filter (slog.log): The email filter log records blocking of email address patterns and
content in SMTP, IMAP, and POP3 traffic.
Data Leak Prevention (dlog.log): The Data Leak Prevention log records log data that is
considered sensitive and that should not be made public. This log also records data that
a company does not want entering their network.
Application Control (rlog.log): The application control log records data detected by the
FortiGate unit and the action taken against the network traffic depending on the
application that is generating the traffic, for example, instant messaging software, such
as MSN Messenger.
DLP archive (clog.log): The DLP archive log, or clog.log, records all log messages,
including most IM log messages as well as the following session control protocol (VoIP
protocol) log messages:
• SIP start and end call
• SCCP phone registration
• SCCP call info (end of call)
• SIMPLE log message
Netscan (nlog.log): The Network Vulnerability Scan log records vulnerabilities during the
scanning of the network.

FortiGate logs also include log subtypes, which are types of log messages that are within
the main log type. For example, in the event log type there are the subtype admin log
messages. FortiGate log types and subtypes are numbered, and these numbers appear
within the log identification field of the log message.
The following table provides log types and subtypes for FortiOS Carrier as well as
FortiOS.
Table 54: Log types and subtypes
Each log type is listed with its category number; each sub-type is listed as
"sub-type number  sub-type – description".

traffic (Traffic Log), category 00
  21  allowed – Policy allowed traffic
  22  violation – Policy violation traffic
  38  Other
  23  webcache – Web cache
  29  wanopt – WAN optimization

event (Event Log), category 01
  00  system – System activity event
  01  ipsec – IPSec negotiation event
  02  dhcp – DHCP service event
  03  ppp – L2TP/PPTP/PPPoE service event
  04  admin – admin event
  05  ha – HA activity event
  06  auth – Firewall authentication event
  07  pattern – Pattern update event
  12  nac quarantine – Endpoint NAC
  23  alertemail – Alert email notifications
  60  chassis – FortiGate-4000 and FortiGate-5000 series chassis event
  32  sslvpn-user – SSL VPN user event
  33  sslvpn-admin – SSL VPN administration event
  34  sslvpn-session – SSL VPN session event
  40  voip – VoIP
  43  his-performance – performance statistics
  44  GTP – (FortiOS Carrier only) GTP events
  45  notification – Notification
  46  radius – RADIUS
  58  event-amc-inf-bypass – AMC events
  61  mms-stats – (FortiOS Carrier only) MMS
  63  wireless – Wireless
  41  vipssl – VIP SSL events
  42  ldb-monitor – LDB monitor events
  53  wad – WAN opt events

dlp (Data Leak Prevention), category 09
  54  dlp – Data Leak Prevention

app-crtl (Application Control Log), category 10
  59  app-crtl-all – All application control

DLP archive (DLP Archive Log), category 06
  24  HTTP – Virus infected
  25  FTP – FTP content metadata
  26  SMTP – SMTP content metadata
  27  POP3 – POP3 content metadata
  28  IMAP – IMAP content metadata
  30  HTTPS – Virus infected
  31  im-all – IM messages
  39  NNTP – NNTP content metadata
  40  VOIP – VoIP content metadata
  48  MM1 (FortiOS Carrier only)
  49  MM3 (FortiOS Carrier only)
  50  MM4 (FortiOS Carrier only)
  51  MM7 (FortiOS Carrier only)
  55  SMTPS – SMTPS content metadata
  56  POP3S – POP3S content metadata
  57  IMAPS – IMAPS content metadata

virus (Antivirus Log), category 02
  11  infected – Virus infected
  12  filename – Filename blocked
  13  oversize – File oversized
  62  scanerror

webfilter (Web Filter Log), category 03
  14  content – content block
  15  urlfilter – URL filter
  16  ftgd_block – FortiGuard block
  17  ftgd_allow – FortiGuard allowed
  18  ftgd_err – FortiGuard error
  40  ftgd_quota – FortiGuard quota
  35  activexfilter – ActiveX script filter
  36  cookiefilter – Cookie script filter
  37  appletfilter – Applet script filter

ips (Attack Log), category 04
  19  signature – Attack signature
  20  anomaly – Attack anomaly

emailfilter (Spam Filter Log), category 05
  08  SMTP
  09  POP3
  10  IMAP
  47  carrier-endpoint-filter (FortiOS Carrier only)
  52  Mass-MMS (FortiOS Carrier only)

network scan, category 16
  00  discovery
  01  vulnerability

Log severity levels
You can define what severity level the FortiGate unit records logs at when configuring the
logging location. The FortiGate unit logs all messages at and above the logging severity
level you select. For example, if you select Error, the unit logs Error, Critical, Alert, and
Emergency level messages.
Table 55: Log severity levels
Level             Description
0 - Emergency     The system has become unstable.
1 - Alert         Immediate action is required.
2 - Critical      Functionality is affected.
3 - Error         An error condition exists and functionality could be affected.
4 - Warning       Functionality could be affected.
5 - Notification  Information about normal events.
6 - Information   General information about system operations.

The Debug severity level, not shown in Table 55, is rarely used. It is the lowest log severity
level and usually contains some firmware status information that is useful when the
FortiGate unit is not functioning properly. Debug log messages are only generated if the
log severity level is set to Debug. Debug log messages are generated by all types of
FortiGate features.
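As an added example (not Fortinet's code), the following Python decodes the log identification field of FortiOS 4.0 key=value log lines into the Table 54 category and sub-type numbers, cross-checks them against the line's own type and subtype fields, and applies a Table 55 minimum level the way the text describes, so a traffic message at Notification is dropped once the minimum is Warning. It assumes the 10-digit log_id is laid out as category (2 digits), sub-type (2 digits) and message number (6 digits), which the page does not state; the sample lines are constructed.

```python
"""Decode FortiOS 4.0 key=value log lines: split log_id into the Table 54
category and sub-type numbers, cross-check them against the line's own
type/subtype fields, and apply a Table 55 minimum severity level.
Added example, not Fortinet code.  Assumption: the 10-digit log_id is laid
out as a 2-digit category number, a 2-digit sub-type number and a 6-digit
message number (the page only says the numbers appear in that field)."""
import re
from typing import Dict, List, Optional, Tuple

# Table 55 order; a lower index is more severe.  Debug is the lowest level.
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notification", "information", "debug"]
# Short spellings used in the 'pri' field, mapped onto the Table 55 names.
PRI_ALIASES = {"emerg": "emergency", "crit": "critical", "err": "error",
               "notice": "notification", "info": "information"}

# Subset of Table 54, keyed (category number, sub-type number).
LOG_TYPES: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("00", "21"): ("traffic", "allowed"),
    ("00", "22"): ("traffic", "violation"),
    ("01", "00"): ("event", "system"),
    ("01", "04"): ("event", "admin"),
    ("01", "06"): ("event", "auth"),
    ("02", "11"): ("virus", "infected"),
    ("03", "16"): ("webfilter", "ftgd_block"),
    ("04", "19"): ("ips", "signature"),
    ("04", "20"): ("ips", "anomaly"),
    ("09", "54"): ("dlp", "dlp"),
}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample lines in the FortiOS 4.0 key=value layout (not real captures).
SAMPLE_LINES = [
    'date=2010-07-14 time=10:31:11 devname=FG50B log_id=0021000001 type=traffic '
    'subtype=allowed pri=notice src=10.1.1.5 dst=203.0.113.9 status=accept',
    'date=2010-07-14 time=10:32:02 devname=FG50B log_id=0104000002 type=event '
    'subtype=admin pri=information user=admin msg="constructed: admin login"',
    'date=2010-07-14 time=10:33:40 devname=FG50B log_id=0419000001 type=ips '
    'subtype=signature pri=alert msg="constructed: signature match"',
    'date=2010-07-14 time=10:35:05 devname=FG50B log_id=0211000001 type=virus '
    'subtype=infected pri=warning msg="constructed: infected file"',
]


def parse_kv(line: str) -> Dict[str, str]:
    """Split a log line into key=value fields; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def decode_log_id(log_id: str) -> Optional[Dict[str, str]]:
    """Map a log_id onto Table 54; None when the field is not 10 digits."""
    if not re.fullmatch(r"\d{10}", log_id):
        return None
    cat, sub, msg = log_id[:2], log_id[2:4], log_id[4:]
    ltype, lsub = LOG_TYPES.get((cat, sub), ("unknown", "unknown"))
    return {"category": cat, "subtype_num": sub, "msg_id": msg,
            "type": ltype, "subtype": lsub}


def severity_index(level: str) -> Optional[int]:
    """Position of a level name in the Table 55 order, or None if unknown."""
    name = PRI_ALIASES.get(level.lower(), level.lower())
    return SEVERITY.index(name) if name in SEVERITY else None


def at_or_above(level: str, minimum: str) -> bool:
    """True when 'level' is at or above the minimum, as the page describes:
    a minimum of Error admits Error, Critical, Alert and Emergency."""
    idx, floor = severity_index(level), severity_index(minimum)
    return idx is not None and floor is not None and idx <= floor


def filter_lines(lines: List[str], minimum: str) -> List[Dict[str, object]]:
    """Keep lines that clear the minimum level and attach the decoded log_id,
    noting whether it agrees with the line's own type/subtype fields."""
    kept: List[Dict[str, object]] = []
    for line in lines:
        kv = parse_kv(line)
        if not at_or_above(kv.get("pri", "debug"), minimum):
            continue
        decoded = decode_log_id(kv.get("log_id", "")) or {}
        kept.append({
            "pri": kv.get("pri", ""),
            "log_id": kv.get("log_id", ""),
            "type": decoded.get("type", "unknown"),
            "subtype": decoded.get("subtype", "unknown"),
            "consistent": decoded.get("type") == kv.get("type")
            and decoded.get("subtype") == kv.get("subtype"),
        })
    return kept


if __name__ == "__main__":
    for rec in filter_lines(SAMPLE_LINES, "warning"):
        print(rec)
```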

Enabling logging of FortiGate features
Within FortiOS 4.0, there are many different logs you can enable. Depending on what you
choose to log, you need to enable them in various locations within the web-based
manager. This section describes where you enable logging for each log type.
When you are logging FortiGate features, most of these features are associated with the
UTM menu, with the exception being firewall policy traffic logging and netscan logs. For
example, you must create an antivirus profile so that you can log antivirus scanning
activities. Fortinet recommends reviewing the UTM chapter of the FortiOS Handbook
before enabling logging of FortiGate features, so that you have a better understanding of
how to configure UTM profiles, sensors, and an application control list that are required
when logging FortiGate features.
This topic includes the following:
• Firewall policy traffic logging
• Event logging
• Data Leak Prevention logging
• Application control logging
• Antivirus logging
• Web Filter logging
• IPS packet logging and archiving
• Attack logging
• Email filter logging
• Netscan logging
• DLP archiving

Firewall policy traffic logging
Firewall policy traffic logging records the traffic, both permitted and denied by the firewall
policy, based on the profiles associated with that firewall policy. Firewall policy traffic
logging records packets that match the policy. This method of traffic logging is preferred
because it reduces system load on the FortiGate unit.

To enable firewall policy traffic logging
1 Go to Firewall > Policy > Policy.
2 Expand to reveal the policy list of a policy.
3 Edit the policy.
If required, create a new firewall policy by selecting Create New.
4 Select the check box beside Log Allowed Traffic.
5 Select OK.
Note: You need to set the logging severity level to Notification when configuring a logging
location to record traffic log messages.

Event logging
The event log records management and activity events, such as when a configuration has
changed, admin login, or high availability (HA) events occur.
When you are logged in to VDOMs, certain options may not be available, such as VIP ssl
event or CPU and memory usage events. You can enable event logs only when you are
logged in to a VDOM; you cannot enable event logs in the root VDOM.
To enable the event logs
1 Go to Log & Report > Log Config > Event Log.
2 Select the Enable check box.
3 Select one or more of the following logs:
System activity event
    All system-related events, such as ping server failure and gateway status.
IPSec negotiation event
    All IPSec negotiation events, such as process and error reports.
DHCP service event
    All DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event
    All protocol-related events, such as manager and socket create processes.
HA activity event
    All high availability events, such as link, member, and stat information.
Wireless activity event
    All wireless controller activities, such as Rogue AP.
Firewall authentication event
    All firewall-related events, such as user authentication.
AMC interface bypass mode event
    All AMC interface bypass mode events that occur.
SSL VPN user authentication event
    All administrator events related to SSL VPN, such as SSL configuration and CA
    certificate loading and removal.
SSL VPN administration event
    All administration events related to SSL VPN, such as SSL configuration and CA
    certificate loading and removal.
SSL VPN session event
    All session activity, such as application launches and blocks, timeouts,
    verifications and so on.
VIP ssl event
    All server load balancing events that happen during an SSL session, especially
    details about handshaking.
VIP server health monitor event
    All VIP server health monitor events that occur when the VIP health monitor is
    configured, such as an interface failure.
CPU & memory usage (every 5 min)
    Real-time CPU and memory events only, at 5-minute intervals.
VoIP event
    All VoIP activity, such as SIP and SCCP violations.
NAC Quarantine event
    All endpoint activity involving quarantined hosts when Endpoint NAC is checking
    hosts.
4 Select Apply.

Data Leak Prevention logging
Data Leak Prevention (DLP) logging provides additional information so that administrators
can better analyze and detect data leaks. You can enable logging of your configured
settings for DLP within the DLP sensor.
Before enabling logging of DLP events, verify that you have the correct DLP sensor for
what you want logged and that logging has been enabled. DLP sensors are configured in
UTM > Data Leak Prevention > Sensor.
The following procedure assumes that you have already enabled logging in the DLP
sensor.
To enable logging of DLP events
1 Go to Firewall > Policy > Policy.
2 Edit the policy that you want to enable DLP logging to.
3 Select the check box beside UTM, if not already selected.
4 Select the check box beside Enable DLP Sensor and then select the DLP Sensor from
the drop-down list.
5 Select OK.

Application control logging
This log file includes IPS, IM/P2P and VoIP events that the FortiGate unit records. The
application control log also includes some IPS activities.
Before enabling logging of application control events, verify that the correct application
control list is available for what you want to log. An application control list is required for
logging application control events. Application control lists are configured in UTM >
Application Control > Application Control List.
To enable logging of application control settings
1 Go to Firewall > Policy > Policy.
2 Edit the policy that you want to enable application control logging to.
3 Select the check box beside UTM, if not already selected.
4 Select the check box beside Enable Application Control and then select the application
control list from the drop-down list.
5 Select OK.

Antivirus logging
The antivirus logs record virus incidents in Web, FTP and email traffic, for example, when
the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or
email. You can also apply filters to customize what the FortiGate unit logs, which are:
• Viruses – The FortiGate unit logs all virus infections.
• Blocked Files – The FortiGate unit logs all instances of blocked files.
• Oversized Files/Emails – The FortiGate unit logs all instances of files and email
messages exceeding defined thresholds.
• AV Monitor – The FortiGate unit logs all instances of viruses, blocked files, and
oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP, and IM
traffic.
You must configure an antivirus profile before logging virus incidents. Antivirus profiles are
configured in UTM > Antivirus > Profile.
To enable antivirus logs
1 Go to Firewall > Policy > Policy.
2 Edit the policy that you want to enable antivirus logging to.
3 Select the check box beside UTM, if not already selected.
4 Select the check box beside Enable Antivirus and then select the antivirus profile from
the drop-down list.
5 Select OK.

Web Filter logging
Web Filter logs record HTTP and FortiGuard log rating errors, including web content
blocking actions. You must configure a web filter profile before enabling this feature in a
firewall policy. Web filter profiles are configured in UTM > Web Filter > Profile.
To enable web filter logs
1 Go to Firewall > Policy > Policy.
2 Edit the policy that you want to enable web filter logging to.
3 Select the check box beside UTM, if not already selected.
4 Select the check box beside Enable Web Filter and then select the web filter profile
from the drop-down list.
5 Select OK.

IPS packet logging and archiving
When you enable packet logging, the log captures the packets that match a signature and
so trigger the action configured within the IPS sensor.
You can enable packet logging within the IPS sensor and then view those logs from
Log & Report > Log Access > Attack. IPS packet logs are recorded within the attack log.
If you want to archive packet logs, you must enable this option on the Log Setting page.
You cannot enable archiving of packet logs from within the IPS sensor; only logging is
supported.
To enable IPS packet logging
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Edit the IPS sensor that you want to enable packet logging on.
3 On the Edit IPS Sensor page, edit the filter that you want to enable packet logging for.
4 Under Signature Settings, in the Packet Logging row, select Enable all.
5 Select OK.
6 Repeat steps 3 to 5 to enable packet logging for the other filters in the Filters list.
To enable IPS packet archiving
1 Go to Log & Report > Log Config > Log Setting.
2 To enable packet archiving for system memory, select the check box beside Enable
IPS Packet Archive in Memory.
3 To enable packet archiving for the local hard disk, select the check box beside Enable
IPS Packet Archive in Disk.
4 Select Apply.

Attack logging
The attack log records attacks detected and prevented by the FortiGate unit. The
FortiGate unit will log attack signatures and attack anomalies.
To enable the attack logs
1 Go to Firewall > Policy > Policy.
2 Edit the policy that you want to enable antivirus logging to.
3 Select the check box beside UTM, if not already selected.
4 Select the check box beside Enable IPS and then select the IPS sensor from the
drop-down list.
5 Select OK.

Email filter logging
Email, or spam filter, logs record blocking of email address patterns and content in SMTP,
IMAP, and POP3 traffic. You must first configure an email filter profile before enabling
logging of this feature in a firewall policy.
To enable the spam log
1 Go to Firewall > Policy > Policy.
2 Edit the policy that you want to enable antivirus logging to.
3 Select the check box beside UTM, if not already selected.
4 Select the check box beside Enable Email Filter and then select the email filter profile
from the drop-down list.
5 Select OK.

Netscan logging
Netscan logs are recorded when a network vulnerability scan occurs. You must schedule a
scan in Endpoint > Network Vulnerability > Scan.
To enable the netscan log
1 Verify that there is a network scan scheduled in Endpoint > Network Vulnerability Scan
> Scan.
There must be a scheduled scan that occurs on a daily, weekly, or monthly basis.
2 Verify that there is an endpoint profile enabled for a firewall policy in the UTM section of
the firewall policy, Firewall > Policy > Policy.
3 Go to Log & Report > Log Config > Log Setting.
4 Expand Local Logging & Archiving.
5 Under Enable SQL Logging, select the check box beside Network Vulnerability Scan
Log.
6 Select Apply.

DLP archiving
You can archive FTP, Email, IM, and Web (including HTTPS and all other secure
protocols), using DLP rules and sensors. This is referred to as DLP archiving or archiving.
You can use the two default DLP sensors that were configured specifically for archiving
log data, Content_Archive and Content_Summary. They are available in UTM > Data Leak
Prevention > Sensor. Content_Archive provides full content archiving, while
Content_Summary provides summary archiving.
You must enable the setting Enable DLP Archive in Log & Report > Log Config > Log
Setting to log archives. Logs are not archived unless this setting is enabled, regardless of
whether or not the DLP sensor for archiving is applied to the firewall policy.
To enable DLP archiving
1 Go to UTM > Data Leak Prevention > Sensor and configure a sensor to use only for
archiving logs.
If you do not want to configure a new sensor for archiving logs, use one of the default
DLP sensors for archiving.
2 Go to Firewall > Policy > Policy.
3 Edit the firewall policy that you want to enable logging to.
4 Select the check box beside UTM, if not already selected, select the check box beside
Enable DLP Sensor, and then select the sensor from the drop-down list.
5 Select OK.
6 Go to Log & Report > Log Config > Log Settings.
7 In Local Logging & Archiving, select the check box beside Enable DLP Archive.
8 Select Apply.
Note: When viewing web archives, the URL is usually saved as a PDF, except for XML
pages which are saved as XML.

Filtering and customizing the display of log messages in the
web-based manager
After the configuration is completed, and logging of FortiGate features begins, you can
customize and filter the log messages you see in the Log Access menu. Filtering and
customizing the display provides a way to view specific log information without sifting
through pages of log messages to find the information.
Filtering is similar to customizing; however, filtering allows you to enter specific
information that indicates what should appear on the page, for example, including only
log messages that appeared on April 4 between the hours of 8:00 and 8:30 am.
Customizing log messages allows you to remove or add columns to the page, allowing
you to view certain information. Most columns represent the fields from within a log
message; for example, the user column represents the user field, as well as additional
information.

The following is an example of how to filter and customize the display of application
control log messages. Use the following example to filter and customize the display of log
messages in the web-based manager.

Filtering and customizing application control log messages
The following example displays only the HTTP.BROWSER application name, without the
columns Status, Profile Type, Profile Group Name, User, Group, and Profile Name
displayed.
To filter and customize log messages
1 Go to Log & Report > Log Access > Application Control.
2 On the page, select Column Settings.
3 In the Show these fields in this order: list, remove each of the following by selecting the
column name and then using the <- arrow:
• Status
• Profile Type
• Profile Group Name
• User
• Group
• Profile Name
4 Select OK.
5 On the page, locate the column, Application Name.
6 Select the filter icon beside Application Name.
The Edit Filters window appears.
7 Select the check box beside Edit.
8 Enter the application name HTTP.BROWSER in the Text field.
9 Select OK.
In Figure 57 on page 485, only the applications HTTP.BROWSER display, without the
columns Status, Profile Type, Profile Group Name, User, Group, and Profile Name.

Figure 57: Filter and column settings applied to application control log messages.

Alert email messages
Alert email messages provide notification about activities or events logged. These email
messages also provide notification about log severities that are recorded, such as a
critical or emergency.
You can send alert email messages to up to three email addresses. Alert messages are
also logged and can be viewed from the Log Access menu. Alert messages are recorded
in the event-system log file.
This topic contains the following:
• Configuring an alert email message
• Configuring an alert email for notification of FortiGuard license expiry

Configuring an alert email message
You can use the alert email feature to monitor logs for log messages, and to send email
notification about a specific activity or event logged. For example, if you require
notification about administrators logging in and out, you can configure an alert email that is
sent whenever an administrator logs in and out. You can also base alert email messages
on the severity levels of the logs.
Before configuring alert email, you must configure at least one DNS server if you are
configuring with a fully qualified domain name (FQDN). The FortiGate unit uses the
SMTP server name to connect to the mail server, and must look up this name on your
DNS server. You can also specify an IP address.
To configure an alert email message
1 Go to Log & Report > Log Config > Alert E-mail.
2 On the Alert E-mail page, enter the information for the SMTP server.
3 If the SMTP user requires authentication, enter the information after selecting the
check box beside Enable.
4 Select Apply to apply the SMTP server information.
5 To verify these settings are correct, select Test Connectivity.
6 To send an alert email message based on a log’s severity, select Send to alert email for
logs based on severity, and then select a severity from the Minimum log level drop-down
list.
7 To send an alert email message based on different activities, such as an administrator
logging in and out, select from the following options:
Interval Time (1-9999 minutes)
    Enter the minimum time interval between consecutive alert emails. Use this to
    rate-limit the volume of alert emails.
Intrusion detected
    Select if you require an alert email message based on attempted intrusion
    detection.
Virus detected
    Select if you require an alert email message based on virus detection.
Web access blocked
    Select if you require an alert email message based on blocked web sites that
    were accessed.
HA status changes
    Select if you require an alert email message based on HA status changes.
Violation traffic detected
    Select if you require an alert email message based on violated traffic that is
    detected by the FortiGate unit.
Firewall authentication failure
    Select if you require an alert email message based on firewall authentication
    failures.
SSL VPN login failure
    Select if you require an alert email message based on any SSL VPN logins that
    failed.
Administrator login/logout
    Select if you require an alert email message based on whether administrators
    log in or out.
IPSec tunnel errors
    Select if you require an alert email message based on whether there is an error
    in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors
    Select if you require an alert email message based on errors that occurred in
    L2TP, PPTP, or PPPoE.
Configuration changes
    Select if you require an alert email message based on any changes made to the
    FortiGate configuration.
FortiGuard license expiry time (1-100 days)
    Enter the number of days before the FortiGuard license expiry time notification
    is sent.
FortiGuard log quota usage
    Select if you require an alert email message based on the FortiGuard Analysis
    server log disk quota getting full.
8 Select Apply.
Note: The default minimum log severity level is Alert. If the FortiGate unit collects more
than one log message before an interval is reached, the FortiGate unit combines the
messages and sends out one alert email.
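As an added example (not FortiOS code), the following Python models the two behaviours described above and in Table 55: a message qualifies when its severity is at or above the Minimum log level, and qualifying messages collected before the Interval Time has elapsed are combined into one alert email. The exact timing of the batching and the log lines are assumptions constructed for the model.

```python
"""Model of how FortiGate alert email selects and batches log messages.

Added example, not FortiOS code. It follows the handbook's description: a
message qualifies when its severity is at or above the chosen minimum level
(Table 55 numbering, lower number = more severe), a qualifying message is sent
at once when nothing rate-limits it, and messages collected before the next
interval is reached are combined into one email. Log messages are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity numbering from Table 55, plus the Debug level below Information.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6, "debug": 7}


@dataclass
class LogMessage:
    time: int      # epoch seconds (offsets from a fixed start in the sample)
    level: str     # one of the SEVERITY keys
    text: str


@dataclass
class AlertEmail:
    sent_at: int
    messages: List[LogMessage]


def qualifies(msg: LogMessage, minimum_level: str) -> bool:
    """True when the message is at or above the minimum log level, e.g. Error
    admits Error, Critical, Alert and Emergency but not Warning."""
    return SEVERITY[msg.level] <= SEVERITY[minimum_level]


def schedule_alert_emails(messages: List[LogMessage], minimum_level: str = "alert",
                          interval_minutes: int = 5,
                          now: Optional[int] = None
                          ) -> Tuple[List[AlertEmail], List[LogMessage]]:
    """Return (emails sent, messages still waiting) for a batch of log messages.

    interval_minutes is the Interval Time setting: consecutive emails are at
    least that far apart and everything collected in between goes out together.
    `now` lets the caller flush a batch whose interval has already elapsed.
    """
    interval = interval_minutes * 60
    emails: List[AlertEmail] = []
    pending: List[LogMessage] = []
    next_allowed = 0  # earliest time the next email may be sent

    def flush(at: int) -> None:
        nonlocal pending, next_allowed
        emails.append(AlertEmail(at, pending))
        pending, next_allowed = [], at + interval

    for msg in sorted(messages, key=lambda m: m.time):
        if not qualifies(msg, minimum_level):
            continue
        # A batch held back by the interval goes out as soon as the interval is reached.
        if pending and msg.time >= next_allowed:
            flush(next_allowed)
        pending.append(msg)
        if msg.time >= next_allowed:
            flush(msg.time)  # nothing is rate-limiting this one: send immediately

    if pending and now is not None and now >= next_allowed:
        flush(next_allowed)
    return emails, pending


# Constructed log messages; 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    LogMessage(0, "alert", "admin login failure from 192.0.2.10"),
    LogMessage(60, "critical", "HA member left the cluster"),
    LogMessage(120, "warning", "interface wan1 link flap"),
    LogMessage(200, "error", "IPSec tunnel phase 2 negotiation failed"),
    LogMessage(400, "emergency", "system memory critically low"),
]

if __name__ == "__main__":
    sent, waiting = schedule_alert_emails(SAMPLE_LOG, minimum_level="error",
                                          interval_minutes=5, now=700)
    for mail in sent:
        print(mail.sent_at, [m.text for m in mail.messages])
    print("still waiting:", [m.text for m in waiting])
```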

Configuring an alert email for notification of FortiGuard license expiry
You can configure an alert email to notify you before the FortiGuard license actually
expires. This type of alert email reminds users in advance that their license needs
renewal.
To configure an alert email for notification of FortiGuard license expiry - web-based
manager
1 Go to Log & Report > Log Config > Alert Email.
2 Configure the SMTP server, email from and to fields, and if applicable, authentication.
3 Verify that Select Send Alert email is selected.
4 Select the check box beside FortiGuard license expiry time: n (1-100 days).
The default for the expiry time is 15 days. This means that 15 days before the actual
expiry date, an alert message is sent informing you that your license will expire in 15
days.
5 Enter a number for the number of days prior to the expiry date in the field provided.
For example, you want to be notified five days before the expiry date (December 31),
an email is sent to the specified email address on December 27, five days before
December 31.
6 Select Apply.
If you have configured FortiGate system memory as your log device, logging alert email
notifications for FortiGuard license expiry requires you to enable event and admin in the
log memory filter command. Use the following procedure when you want to log this event
and your log device is system memory. If you have enabled system memory on a
FortiGate unit that has a local disk, you do not have to use the following procedure.
All other log devices, including the FortiGate unit’s local disk, log alert messages by
default. You can find the alert email logs within the event-system log file.
To configure logging of an alert email notification of FortiGuard license expiry
(memory only) - CLI
1 Log in to the CLI.
2 To enable logging of an alert email notification using system memory, enter the
following command syntax:
config log memory setting
set status enable
end
config log memory filter
set event enable
set admin enable
end

Viewing quarantined files
You can view quarantined files from Log & Report > Archive Access > Quarantine Files.
You can also search through these files to find a specific quarantined file, or filter the
information you are currently viewing.
You must configure quarantine settings in UTM > Antivirus > Quarantine before you can
view quarantine logs. For more information about quarantined files, see the UTM chapter
of the FortiOS Handbook.
The Quarantine page allows you to filter the information on the page as well as remove
files from the list.
Quarantine page
Lists all files that are considered quarantined by the FortiGate unit. On this page you can filter
information so that only specific files are displayed on the page.
Source
    Either FortiAnalyzer or Hard disk, depending on where you configured quarantined
    files to be stored.
Sort by
    Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate
    Count. Select Apply to complete the sort.
Filter
    Filter the list. Choose either Status (infected, blocked, or heuristics) or Service
    (IMAP, POP3, SMTP, FTP, HTTP, MM1, MM3, MM4, MM7, IM, or NNTP). Select
    Apply to complete the filtering. Heuristics mode is configurable through the CLI
    only.
    If your FortiGate unit supports SSL content scanning and inspection, service can
    also be IMAPS, POP3S, SMTPS, or HTTPS. For more information, see the
    UTM chapter of the FortiOS Handbook.
Apply
    Select to apply the sorting and filtering selections to the list of quarantined files.
Delete
    Select to delete the selected files.
Page Controls
    Use the controls to page through the list.
Remove All Entries
    Removes all quarantined files from the local hard disk.
    This icon only appears when the files are quarantined to the hard disk.
File Name
    The file name of the quarantined file.
Date
    The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm.
    This value indicates the time that the first file was quarantined if duplicates are
    quarantined.
Service
    The service from which the file was quarantined (HTTP, FTP, IMAP, POP3,
    SMTP, MM1, MM3, MM4, MM7, IM, NNTP, IMAPS, POP3S, SMTPS, or
    HTTPS).
Status
    The reason the file was quarantined: infected, heuristics, or blocked.
Status Description
    Specific information related to the status, for example, “File is infected with
    “W32/Klez.h”” or “File was stopped by file block pattern.”
DC
    Duplicate count. A count of how many duplicates of the same file were
    quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL
    Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit
    labels the file as EXP under the TTL heading. In the case of duplicate files, each
    duplicate found refreshes the TTL.
    The TTL information is not available if the files are quarantined on a
    FortiAnalyzer unit.
Upload status
    Y indicates the file has been uploaded to Fortinet for analysis, N indicates the
    file has not been uploaded.
    This option is available only if the FortiGate unit has a local hard disk.
Download icon
    Select to download the corresponding file in its original format.
    This option is available only if the FortiGate unit has a local hard disk.
Submit icon
    Select to upload a suspicious file to Fortinet for analysis.
    This option is available only if the FortiGate unit has a local hard disk.

FortiGate SQL log databases
FortiGate units with hard disks support local SQLite databases for storage of log tables.
You require knowledge of SQL because datasets are required for charts and these
datasets are configured using SQL. You can configure datasets or customize existing
datasets using SQL statements that will query the database. These statements are based
on SQLite3.
This section explains how to create the statements for use in datasets. This section also
includes examples of SQL statements that you can use to base your own custom datasets
on.
If you require more information, see the technical note SQL Log Database Query, which
includes information about SQL on the FortiAnalyzer unit.
This section contains the following topics:
• SQL overview
• SQL tables
• SQL statement examples
• Troubleshooting SQL statements

SQL overview
The syntax for SQL queries is based on the SQLite3 syntax (see
http://www.sqlite.org/lang.html for more information).
There is an additional convenience macro, F_TIMESTAMP, that allows you to easily
specify a time interval for the query. It takes this form:
F_TIMESTAMP(base_timestring, unit, relative value). For example,
F_TIMESTAMP('now','hour','-23') means “last 24 hours” or that the hour in the
timestamp is 23 less than now. The FortiGate unit will automatically translate the macro
into SQLite3 syntax.
You can use the following CLI commands to write SQL statements to query the SQLite
database.
config report dataset
edit <dataset_name>
set query <sql_statement>
next
end
For more information about specific examples that are used in creating custom datasets,
see the “SQL statement examples” on page 490.

SQL tables
The FortiGate unit creates a database table for each log type, when log data is recorded. If
the FortiGate unit is not recording log data, it does not create log tables for that device.
The command syntax, get report database schema, allows you to view all the
tables, column names and types that are available to use when creating SQL statements
for datasets.

SQL statement examples
The following examples help to explain SQL statements and how they are configured
within a dataset. Datasets contain SQL statements which are used to query the SQL
database.

Distribution of Applications by Type in the last 24 hours
This dataset is created to show the distribution of the type of applications that were used,
and will use the application control logs to get this information.

CLI commands
config report dataset
edit "appctrl.Dist.Type.last24h"
set query "select app_type, count(*) as totalnum from
app_control_log where timestamp >=
F_TIMESTAMP('now','hour','-23') and (app_type is not null
and app_type!='N/A') group by app_type order by totalnum
desc"
next
end

Explanation about the parts of the statement
• edit "appctrl.Dist.Type.last24h" - creates a new dataset with a descriptive
title.
• F_TIMESTAMP('now','hour','-23') - the F_TIMESTAMP macro covers the last
24 hours (from now until 23 hours ago).
• The application control module classifies each firewall session in app_type. One
firewall session may be classified into multiple app_types. For example, an HTTP
session can be classified as HTTP and Facebook, as well as others.
• Some apps or app_types may not be detected; the app_type field is then null or
‘N/A’. These are ignored by this query.
• The result is ordered by the total number of sessions with the same app_type. The
most frequent app_types appear first.

Top 10 Application Bandwidth Usage Per Hour Summary
This dataset is created to show the bandwidth used by the top ten applications.
Application control logs are used to gather this information.

CLI commands
config report dataset
edit "appctrl.Count.Bandwidth.Top10.Apps.last24h"
set query "select (timestamp-timestamp%3600) as hourstamp,
(CASE WHEN app!=\'N/A\' and app!=\'\' then app ELSE service
END) as appname, sum(sent+rcvd) as bandwidth from
traffic_log where timestamp >=
F_TIMESTAMP(\'now\',\'hour\',\'-23\') and (appname in
(select (CASE WHEN app!=\'N/A\' and app!=\'\' then app ELSE
service END) as appname from traffic_log where timestamp >=
F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by appname
order by sum(sent+rcvd) desc limit 10)) group by hourstamp,
appname order by hourstamp desc"
next
end

Explanation about the parts of the statement
• (timestamp-timestamp%3600) as hourstamp - this calculates an "hourstamp"
to indicate bandwidth per hour.
• (CASE WHEN app!=\'N/A\' and app!=\'\' then app ELSE service END)
as appname - use the app as 'appname', or if it is undefined, use the service instead.
• appname in (select (CASE WHEN app!=\'N/A\' and app!=\'\' then
app ELSE service END) as appname from traffic_log where
timestamp >= F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by
appname order by sum(sent+rcvd) desc limit 10) - selects the top 10
apps using the most bandwidth.
• order by hourstamp desc - this orders the results by descending hourstamp.
• LIMIT 10 - this lists only the top 10 applications.
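As an added example (not Fortinet code), the following Python builds a throwaway SQLite database with the app_control_log and traffic_log columns that the two datasets above reference, expands the F_TIMESTAMP macro (the expansion is an assumption about how the unit rewrites it) and runs both queries over constructed rows, so the 24-hour window, the N/A handling and the inner limit 10 can be seen working.

```python
"""Offline replica of two FortiGate report datasets on a constructed SQLite database.

Added example, not Fortinet code. Table and column names (app_control_log,
traffic_log, app_type, app, service, sent, rcvd, timestamp) follow the
handbook's queries; the rows are constructed here, and the F_TIMESTAMP
expansion is an assumption about how the FortiGate unit rewrites the macro.
"""
import re
import sqlite3
import time
from typing import List, Tuple

UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}


def expand_f_timestamp(query: str, now: int) -> str:
    """Rewrite F_TIMESTAMP('now', unit, relative) into a literal epoch value.

    The FortiGate unit does this translation itself; `now` is passed in so that
    results are reproducible. Only the 'now' base timestring is handled here.
    """
    def repl(match):
        base, unit, rel = match.group(1), match.group(2), int(match.group(3))
        if base != "now":
            raise ValueError(f"unsupported base timestring: {base!r}")
        return str(now + rel * UNIT_SECONDS[unit])
    return re.sub(r"F_TIMESTAMP\('([^']*)','([^']*)','(-?\d+)'\)", repl, query)


# The two dataset queries from the handbook, with the CLI's \' escapes removed.
DIST_TYPE_LAST24H = (
    "select app_type, count(*) as totalnum from app_control_log "
    "where timestamp >= F_TIMESTAMP('now','hour','-23') "
    "and (app_type is not null and app_type!='N/A') "
    "group by app_type order by totalnum desc"
)
TOP10_BANDWIDTH_PER_HOUR = (
    "select (timestamp-timestamp%3600) as hourstamp, "
    "(CASE WHEN app!='N/A' and app!='' then app ELSE service END) as appname, "
    "sum(sent+rcvd) as bandwidth from traffic_log "
    "where timestamp >= F_TIMESTAMP('now','hour','-23') and (appname in "
    "(select (CASE WHEN app!='N/A' and app!='' then app ELSE service END) as appname "
    "from traffic_log where timestamp >= F_TIMESTAMP('now','hour','-23') "
    "group by appname order by sum(sent+rcvd) desc limit 10)) "
    "group by hourstamp, appname order by hourstamp desc"
)


def build_sample_db(now: int) -> sqlite3.Connection:
    """Create the two log tables with constructed rows placed relative to `now`."""
    con = sqlite3.connect(":memory:")
    con.execute("create table app_control_log (timestamp integer, app_type text)")
    con.execute("create table traffic_log (timestamp integer, app text, "
                "service text, sent integer, rcvd integer)")
    h = 3600
    app_rows = [
        (now - 1 * h, "web"), (now - 2 * h, "web"), (now - 3 * h, "im"),
        (now - 4 * h, "N/A"),      # undetected: the query skips it
        (now - 5 * h, None),       # undetected: the query skips it
        (now - 30 * h, "p2p"),     # older than 24 hours: outside the window
    ]
    traffic_rows = [
        (now - 1 * h, "HTTP.BROWSER", "HTTP", 500, 1500),
        (now - 1 * h, "N/A", "DNS", 60, 120),   # undefined app: service is used
        (now - 2 * h, "HTTP.BROWSER", "HTTP", 300, 700),
        (now - 2 * h, "", "SSH", 40, 80),       # empty app: service is used
        (now - 48 * h, "HTTP.BROWSER", "HTTP", 9999, 9999),  # outside the window
    ]
    # Eleven minor applications so that the inner "limit 10" actually cuts some off.
    traffic_rows += [(now - 3 * h, f"APP{i}", "TCP", i, 0) for i in range(11)]
    con.executemany("insert into app_control_log values (?, ?)", app_rows)
    con.executemany("insert into traffic_log values (?, ?, ?, ?, ?)", traffic_rows)
    return con


def run_dataset(con: sqlite3.Connection, query: str, now: int) -> List[Tuple]:
    """Expand the macro and run the dataset query, returning the result rows."""
    return con.execute(expand_f_timestamp(query, now)).fetchall()


if __name__ == "__main__":
    now = int(time.time())
    con = build_sample_db(now)
    print(run_dataset(con, DIST_TYPE_LAST24H, now))
    for row in run_dataset(con, TOP10_BANDWIDTH_PER_HOUR, now):
        print(row)
```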

Top 10 Attacks Over The Last 24 Hours
This dataset is created to show the top ten attacks that were detected by the FortiGate
unit. The information is gathered from IPS logs, or attack logs.

CLI commands
config report dataset
edit "attack.Top10.last24h"
set query "select attack_id, count(*) as totalnum from
attack_log where timestamp >= F_TIMESTAMP('now','hour','-23')
and attack_id is not null group by attack_id order by
totalnum desc limit 10"
next
end

Explanation about the parts of the statement
• The result is ordered by the total number of attacks with the same attack_id. The
most frequent attack_id appears first.
• In a graph or report, the attack_id can be translated into the attack name.

Wan Optimization Application in LAN Composition over Last 24 Hours
The following is a very complex SQL statement. The WAN optimizer module will log each
application's bandwidth. All bandwidth data is logged in traffic logs and wan opt data will
have the subtype ‘wanopt-traffic’.

CLI commands
config report dataset
edit "traffic.Dist.WanOpt.App.WAN.Bandwidth.last24h"
set query "select (case (wanopt_app_type in (select
wanopt_app_type from traffic_log where subtype=\'wanopt-traffic\' and timestamp >=
F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by
wanopt_app_type order by sum(wan_in+wan_out) desc limit 5)
) when 1 then wanopt_app_type else \'others\' end) as
wanopt_app_type, sum(wan_in+wan_out)/1000000.0 as wan,
max(coalesce((sum(wan_in+wan_out)*100.0/(select
sum(wan_in+wan_out) from traffic_log where
subtype=\'wanopt-traffic\' and timestamp >=
F_TIMESTAMP(\'now\',\'hour\',\'-23\'))),0.0),0.0) as
percentage from traffic_log where subtype=\'wanopt-traffic\' and
timestamp >= F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by
wanopt_app_type order by wan desc"
next

Explanation of the parts of the statement

select wanopt_app_type from traffic_log where subtype=\'wanopt-traffic\' and timestamp >= F_TIMESTAMP(\'now\',\'hour\',\'-23\')
group by wanopt_app_type order by sum(wan_in+wan_out) desc limit 5 - finds the 5 wanopt_app_types that consume most of the bandwidth.

case (wanopt_app_type in (...)) when 1 then wanopt_app_type else \'others\' end) as wanopt_app_type - keeps the wanopt_app_type name only for those 5 wanopt_app_types; all other wanopt_app_types are grouped as ‘others’.

sum(wan_in+wan_out)/1000000.0 as wan - adds the in and out traffic and converts it to MB.

max(coalesce((sum(wan_in+wan_out)*100.0/(select sum(wan_in+wan_out) from traffic_log where subtype=\'wanopt-traffic\' and timestamp >= F_TIMESTAMP(\'now\',\'hour\',\'-23\'))),0.0),0.0) as percentage - calculates (one wanopt_app_type's traffic / all wanopt traffic) as a percentage.
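To see what this dataset actually returns, here is an added example (not code from the handbook or from Fortinet) that runs the query against a constructed traffic_log in SQLite: F_TIMESTAMP('now','hour','-23') is replaced by a :since parameter computed from a constructed NOW, the outer max() wrapper is dropped, and the result is grouped by the CASE alias so that the long tail collapses into a single 'others' row. Grouping by the raw column name instead, as the handbook text does, yields one 'others' row per minor application in MySQL, PostgreSQL and SQLite, because all three resolve a GROUP BY name to the input column first; the second call shows that.

```python
"""Run the chapter's WAN-optimization composition dataset query in SQLite.

Added example, not code from the handbook or from Fortinet.  Assumptions:
FortiGate's F_TIMESTAMP('now','hour','-23') becomes a :since parameter
computed from a constructed NOW; the outer max() wrapper is dropped; the
traffic_log rows are constructed and carry only the columns the query uses.
"""
import sqlite3

HOUR = 3600
NOW = 1279065600            # constructed "now": 2010-07-14 00:00:00 UTC

# (hours ago, subtype, wanopt_app_type, wan_in, wan_out) -- constructed rows
SAMPLE_ROWS = [
    (1, "wanopt-traffic", "cifs", 40_000_000, 10_000_000),
    (2, "wanopt-traffic", "cifs", 30_000_000, 20_000_000),   # cifs: 100 MB
    (3, "wanopt-traffic", "http", 50_000_000, 10_000_000),   # http: 60 MB
    (5, "wanopt-traffic", "mapi", 25_000_000, 15_000_000),   # mapi: 40 MB
    (8, "wanopt-traffic", "ftp", 20_000_000, 10_000_000),    # ftp: 30 MB
    (12, "wanopt-traffic", "tcp", 15_000_000, 5_000_000),    # tcp: 20 MB
    (15, "wanopt-traffic", "smtp", 4_000_000, 1_000_000),    # smtp: 5 MB -> 'others'
    (20, "wanopt-traffic", "pop3", 3_000_000, 2_000_000),    # pop3: 5 MB -> 'others'
    (30, "wanopt-traffic", "cifs", 900_000_000, 0),          # older than 23 h: excluded
    (2, "allowed", "N/A", 70_000_000, 0),                    # not wanopt: excluded
]

# The handbook query with :since in place of F_TIMESTAMP.  {group_by} is
# filled in by run_dataset_query from a fixed list, never from user input.
DATASET_QUERY = """
SELECT (CASE WHEN wanopt_app_type IN (
            SELECT wanopt_app_type FROM traffic_log
            WHERE subtype = 'wanopt-traffic' AND timestamp >= :since
            GROUP BY wanopt_app_type
            ORDER BY SUM(wan_in + wan_out) DESC LIMIT 5)
        THEN wanopt_app_type ELSE 'others' END) AS app,
       SUM(wan_in + wan_out) / 1000000.0 AS wan,
       COALESCE(SUM(wan_in + wan_out) * 100.0 / (
            SELECT SUM(wan_in + wan_out) FROM traffic_log
            WHERE subtype = 'wanopt-traffic' AND timestamp >= :since), 0.0)
           AS percentage
FROM traffic_log
WHERE subtype = 'wanopt-traffic' AND timestamp >= :since
GROUP BY {group_by}
ORDER BY wan DESC
"""


def build_db():
    """In-memory traffic_log filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE traffic_log (timestamp INTEGER, subtype TEXT, "
                 "wanopt_app_type TEXT, wan_in INTEGER, wan_out INTEGER)")
    conn.executemany("INSERT INTO traffic_log VALUES (?, ?, ?, ?, ?)",
                     [(NOW - h * HOUR, st, app, i, o)
                      for h, st, app, i, o in SAMPLE_ROWS])
    return conn


def run_dataset_query(conn, group_by="app"):
    """Return (app, wan_mb, percentage) rows ordered by bandwidth.

    group_by="app" groups by the CASE alias, so every minor application
    collapses into one 'others' row.  group_by="wanopt_app_type" mirrors the
    handbook text literally; MySQL, PostgreSQL and SQLite all resolve that
    name to the input column, so each minor application keeps its own row
    labelled 'others'.
    """
    if group_by not in ("app", "wanopt_app_type"):
        raise ValueError("unexpected GROUP BY target: %r" % group_by)
    return conn.execute(DATASET_QUERY.format(group_by=group_by),
                        {"since": NOW - 23 * HOUR}).fetchall()


if __name__ == "__main__":
    db = build_db()
    for app, wan_mb, pct in run_dataset_query(db):
        print("%-8s %8.2f MB %6.2f %%" % (app, wan_mb, pct))
    print(len(run_dataset_query(db, "wanopt_app_type")),
          "rows when grouped by the raw column")
```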

Troubleshooting SQL statements
If the query is unsuccessful, an error message appears in the results window indicating
the cause of the problem. The following are issues that may arise when creating
statements for datasets that query the SQL database.

SQL statement syntax errors
Here are some example error messages and possible causes:
You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or near... (local/PostgreSQL)
• Verify that the SQL keywords are spelled correctly, and that the query is well-formed.
• Table and column names are demarked by grave accent (`) characters. Single (') and double (") quotation marks will cause an error.

No data is covered.


The query is correctly formed, but no data has been logged for the log type. Verify that
you have configured the FortiGate unit to save that log type. On the Log Settings page,
make sure that the log type is checked.

Connection problems
If well formed queries do not produce results, and logging is turned on for the log type,
there may be a database configuration problem with the remote database.
Ensure that:
• MySQL is running and using the default port 3306.
• You have created an empty database and a user with create permissions for the database.
Here is an example of creating a new MySQL database named fazlogs, and adding a
user for the database:
# mysql -u root -p
mysql> Create database fazlogs;
mysql> Grant all privileges on fazlogs.* to 'fazlogger'@'%' identified by 'fazpassword';
mysql> Grant all privileges on fazlogs.* to 'fazlogger'@'localhost' identified by 'fazpassword';

FortiGate log messages
FortiGate log messages present detailed accounts of an event or activity that happened
on your network recorded by the FortiGate unit. These log messages provide valuable
information about your network that inform you about attacks, misuse and abuse, and
traffic activity.
The following information provides explanations for each type of log message in FortiOS
4.0 MR2.
If you require more information about FortiGate log messages than this chapter provides,
see the FortiGate Log Message Reference.
The following topics are included in this section:
• Explanation of log messages
• Viewing log messages
• Examples of log messages
• Traffic log messages
• Event log messages
• DLP Archive logs
• Antivirus log messages
• WebFilter log messages
• Attack log messages
• Email Filter log messages
• DLP log message
• Application control log message
• Network Vulnerability Scan

Explanation of log messages
The following log messages are explained in detail and are all recorded in FortiOS
4.0 MR2. Each field of each log message is clearly outlined and explained.
Before proceeding, you should be aware of the two parts that make up a log message: the
header and the body. The header is the beginning part of a log message and includes key
information about that specific log message, such as the date and time of when it was
recorded.
The following is an example of a log header:
2010-04-10 12:55:06 log_id=0104032001 type=event subtype=admin
pri=information vd=root
The rest of the log message is the log body, which contains the information specific to
that log type and subtype.

Viewing log messages
When accessing log messages from a log device, such as the FortiAnalyzer unit, you can
view each log message from a table within the page. The table, which appears on the right
side of the page that contains log messages, provides a more clear view of each of the
fields that are within a log message. The table provides next and previous arrows, allowing
you to view each log message from the table.
This table appears when you select a row within the log messages’ page and is available
until you close the table.
If you want to view log messages in their Raw format, select Raw at the top of the page.
Raw format displays the log message as it would appear in the log file.
To view log messages using the log table
1 Go to Log & Report > Log Access.
2 Select the submenu that you want to access logs from.
For example, Log Access > DLP.
3 From within the page, select inside the row of the log message that you want to view.
The log message row is highlighted and the log table appears, located on the right side
of the page.
4 To close the table, select Close.
5 To view the next log message from the table, select the next arrow, and to view a
previous log message from the table, select the previous arrow.

Examples of log messages
The following are examples of times when you need to understand and view log
messages, such as when you are trying to successfully establish an IPSec VPN. Log
messages provide valuable information about errors that may occur when configuring
features, or when you need to verify if a connection (such as an SMTP server connection)
is working properly.

Example 1: Alert email test configuration
You have just configured the settings for an alert email message that will be sent to your
inbox whenever web access is blocked, violation traffic is detected, and IPSec tunnel
errors. You select Test Connectivity to test the configuration; however, there is no test
email in your inbox.
You immediately go to the log messages to see what is going on.
1 Go to Log & Report > Log Access > Event.
2 The following message appears in the Message field: Failed to send alert email from
mail.example.com.
Raw format of the log message:
2010-04-05 13:34:31 log_id=01000200003 type=event subtype=system
vd=root pri=notice user=system ui=system action=alert-email
status=failure count=5 msg="Failed to send alert email from
mail.example.com to myemailaddress@example.com"
The above log message indicates that the alert email message could not be sent to
your inbox. You must verify the SMTP server, and if incorrect, enter the correct SMTP
server and try again.

3 If you get the following log message, it means that the address you entered in the
SMTP server field was not correct. You need to verify that it is the correct address.
2010-04-05 13:34:31 log_id=01000200003 type=event subtype=system
vd=root pri=notice user="system" ui="system" action="unknown"
status="failure" msg="Can't resolve the IP address of
mail.example.com" vd=root pri=notice
An alert email log message is not recorded if the alert email configuration is correct. If it is
correct, you should see a test alert email message in your inbox and no log messages
concerning alert email configuration settings, similar to those in this example.

Example 2: Verifying to see if a network scan was performed
When you have configured an asset for a scan and a schedule for when to scan, you may
want to verify that the asset is working properly. The log file that records network scanning
is the netscan log.
You have just configured an asset to scan. You verify the scan by selecting Discover
Assets on the Asset page (Endpoint > Network Vulnerability Scan > Asset). After the scan
is complete, you view the netscan logs. The following four log messages appear:
4097
This log message indicates that the scan was performed.
2010-04-05 13:34:31 log_id=1600004097 type=netscan
subtype=discovery pri=notice vd=root action=scan start=1275363661
end=1275363719 engine=1.053 plugin=1.098
4100
Both these log messages indicate that the scan discovered two separate service-detection
events.
2010-04-05 13:34:31 log_id=1600004100 type=netscan
subtype=discovery pri=notice vd=root action=service-detection
ip=10.10.20.3 service=microsoft-ds proto=tcp port=445
2010-04-05 13:34:31 log_id=1600004100 type=netscan
subtype=discovery pri=notice vd=root action=service-detection
ip=10.10.20.3 service=netbios-ssn proto=tcp port=139
4099
This log message indicates that the scan discovered a host, and explains the host’s
operating system, family that the OS belongs to, the type of generation, and the vendor or
company that created the OS.
2010-04-05 13:34:31 log_id=1600004099 type=netscan
subtype=discovery pri=notice vd=root action=host-detection
ip=10.10.20.3 os="Windows XP" os_family="Windows"
os_gen="NT/2K/XP" os_vendor="Microsoft"

Example 3: License expiry log message
You recently configured an alert message that would notify when the FortiGuard Analysis
service license expires. You know that the expiry date is 2010-08-30, but want to verify
that the alert message will notify you both by email and by log message, so 100 days was
entered. You have made sure that the log configuration includes logging alert messages
as well.
You receive an alert email message in your inbox stating the following:
Message meets Alert condition
date=2010-06-08 time=11:55:52 devname=FG50BH3G09601792
device_id=FG50BH3G09601792 log_id=0104032014 type=event
subtype=admin pri=warning vd=root msg="FortiGuard analysis
service license will expire in 82 day(s)"
You go to Log & Report > Log Access > Event to view the license expiry log message using
a filter on the Message column:
1 In Log & Report > Log Access > Event, select the filter icon beside the Message
column’s name.
2 In the Edit Filters window, select the check box beside Enable.
3 In the Text field, enter the sentence found in the alert email message: FortiGuard
analysis service license will expire in 82 day(s).
4 Select OK.
The following log message appears in the first line on the first page of the Event page
(Raw format):
2010-06-03 13:55:22 log_id=32014 type=event subtype=admin
pri=warning vd=root msg="FortiGuard analysis service license
will expire in 82 day(s)"

Traffic log messages
The Traffic log message records all traffic to and through the interfaces on the FortiGate
unit. The following is an example of a traffic log message.
2010-03-24 16:56:05 log_id=0021000002 type=traffic subtype=allowed
pri=notice vd="root" status="accept" dir_disp="org" tran_disp=noop
src="172.16.120.25" srcname="172.16.120.25" src_port=1027
dst="192.168.100.99" dstname="192.168.100.99" dst_port=161
tran_ip="N/A" tran_port=0 service="161/udp" proto=17
app_type="N/A" duration=209 rule=1 policyid=1 identidx=0 sent=525
rcvd=4451 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0
shaper_sent_name="trafficshaper1"
shaper_rcvd_name="trafficshaper1" perip_name="perip_shaper"
sent_pkt=5 rcvd_pkt=5 vpn="N/A" src_int="internal" dst_int="wan1"
SN=29059 app="Snmp.Monitor" app_cat="network-service" user="N/A"
group="N/A" carrier_ep="N/A"
date=(2010-03-24)
    The year, month and day of when the event occurred in yyyy-mm-dd format.
time=(16:56:05)
    The hour, minute and second of when the event occurred in the format hh:mm:ss.
log_id=(0021000002)
    A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message id.
type=(traffic)
    The section of system where the event occurred.
subtype=(allowed)
    The subtype of the log message. This represents a profile applied to a firewall policy.
pri=(notice)
    The severity level of the event. There are six severity levels to specify.
vd=("root")
    The virtual domain where the traffic was logged. In this example, it is the root virtual domain.
status=("accept")
    The status of the session.
dir_disp=("org")
    The direction of the session. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session.
tran_disp=(noop)
    Whether the packet is source NAT translated or destination NAT translated.
src=("172.16.135.25")
    The source IP address.
srcname=("172.16.135.25")
    The source name or the IP address.
src_port=(2504)
    The source port of the TCP or UDP traffic. The source port is zero for other types of traffic.
dst=("172.16.25.125")
    The destination IP address.
dstname=("172.16.25.125")
    The destination name or IP address.
dst_port=(80)
    The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip=("N/A")
    The translated IP in NAT mode. For transparent mode, it is "0.0.0.0".
tran_port=(0)
    The translated port number in NAT mode. For transparent mode, it is zero (0).
service=("161/udp")
    The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto=(6)
    The protocol that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type=("N/A")
    The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are application types:
    • BitTorrent
    • eDonkey
    • Gnutella
    • KaZaa
    • Skype
    • WinNY
    • AIM
    • ICQ
    • MSN
    • Yahoo!
duration=(209)
    The duration of the session, in seconds.
rule=(1)
    The rule number.
policyid=(1)
    The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. For more information, see the Fortinet Knowledge Base article, Firewall policy=0.
identidx=(0)
    The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sent=(525)
    The total number of bytes sent.
rcvd=(4451)
    The total number of bytes received.
shaper_drop_sent=(0)
    The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd=(0)
    The number of received traffic shaper bytes that were dropped.
perip_drop=(0)
    The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name=("trafficshaper1")
    The name of the traffic shaper sending bytes.
shaper_rcvd_name=("trafficshaper1")
    The name of the received traffic shaper.
perip_name=("perip_shaper")
    The name of the per-IP traffic shaper.
sent_pkt=(8)
    The total number of packets sent during the session.
rcvd_pkt=(6)
    The total number of packets received during the session.
vpn=("N/A")
    The name of the VPN tunnel used by the traffic.
src_int=("internal")
    The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is "unknown".
dst_int=("wan1")
    The interface where the through traffic goes to the public or Internet. For incoming traffic to the firewall, it is "unknown".
SN=(29059)
    The session number of the log message.
app=("Snmp.Monitor")
    The type of application. You can look up this application type in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia.
app_cat=("network-service")
    The application category that the application is associated with.
user=("N/A")
    The name of the user creating the traffic.
group=("N/A")
    The name of the group creating the traffic.
carrier_ep=("N/A")
    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier installed, this field always displays N/A.
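The header/body layout described under "Explanation of log messages" and the log_id structure and field list above are easy to work with once a line is split into its key=value fields. The following is an added example, not code from the handbook or from Fortinet, that parses raw FortiOS 4.0 MR2 log lines into fields, records repeated keys separately (the attack log example later in this chapter carries policyid twice), decodes ten-digit log_ids, and runs two defender-side summaries over constructed sample lines taken from this chapter's examples.

```python
"""Parser for the FortiOS 4.0 MR2 raw log format described in this chapter.

Added example; not code from the handbook or from Fortinet.  It handles the
two layouts the chapter shows: a "<date> <time>" header followed by key=value
pairs, and lines whose date and time are themselves key=value pairs (the
alert e-mail example).  SAMPLE_LOGS is constructed from the chapter's
examples (straight quotes, log ids as printed).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+")
# key=value; the value is a double-quoted string (which may contain spaces,
# as in msg="Failed to send ...") or a bare run of non-blank characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

SAMPLE_LOGS = [
    # traffic log of an allowed SNMP session (the missing space before
    # dir_disp is copied from the chapter's example as printed)
    '2010-03-24 16:56:05 log_id=0021000002 type=traffic subtype=allowed '
    'pri=notice vd="root" status="accept"dir_disp="org" tran_disp=noop '
    'src="172.16.120.25" src_port=1027 dst="192.168.100.99" dst_port=161 '
    'service="161/udp" proto=17 policyid=1 sent=525 rcvd=4451 '
    'src_int="internal" dst_int="wan1" app="Snmp.Monitor"',
    # event log: the alert e-mail could not be sent (log_id as printed)
    '2010-04-05 13:34:31 log_id=01000200003 type=event subtype=system '
    'vd=root pri=notice user=system ui=system action=alert-email '
    'status=failure count=5 msg="Failed to send alert email from '
    'mail.example.com to myemailaddress@example.com"',
    # IPS anomaly log, whose body repeats policyid and identidx
    '2010-05-22 19:02:11 log_id=0419018432 type=ips subtype=anomaly '
    'pri=alert severity=critical src=172.16.125.133 dst=192.168.20.125 '
    'policyid=2 identidx=0 status=clear_session proto=6 service=139/tcp '
    'attack_id=100663402 msg="anomaly: tcp_src_session 3 > threshold 2, '
    'repeats 3 times" policyid=0 identidx=0',
    # licence-expiry message in the layout it arrived in the alert e-mail
    'date=2010-06-08 time=11:55:52 devname=FG50BH3G09601792 '
    'log_id=0104032014 type=event subtype=admin pri=warning vd=root '
    'msg="FortiGuard analysis service license will expire in 82 day(s)"',
]


@dataclass
class LogRecord:
    date: str
    time: str
    fields: dict                                     # first value per key
    duplicates: list = field(default_factory=list)   # (key, later value)


def parse_log_line(line):
    """Split one raw log line into header (date, time) and body fields.

    Quotes are stripped.  When a key repeats, the first value is kept and the
    later ones are recorded in `duplicates`, so the trailing policyid=0 in
    the anomaly example does not overwrite the policyid=2 that matched.
    """
    fields, dups = {}, []
    header = HEADER_RE.match(line)
    body = line[header.end():] if header else line
    for m in FIELD_RE.finditer(body):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if key in fields:
            dups.append((key, value))
        else:
            fields[key] = value
    date = header.group(1) if header else fields.pop("date", "")
    time = header.group(2) if header else fields.pop("time", "")
    return LogRecord(date, time, fields, dups)


def decode_log_id(log_id):
    """Return (type, subtype, message id) for a ten-digit log_id: two digits
    of type, two of subtype, the remaining digits the message id.  Anything
    else (such as the shortened 32014 shown on the Event page) returns None
    instead of a misread."""
    if not (log_id.isdigit() and len(log_id) == 10):
        return None
    return log_id[:2], log_id[2:4], log_id[4:]


def parse_all(lines):
    return [parse_log_line(line) for line in lines]


def failed_actions(records):
    """Event logs reporting status=failure, as (action, msg) pairs."""
    return [(r.fields.get("action"), r.fields.get("msg")) for r in records
            if r.fields.get("type") == "event"
            and r.fields.get("status") == "failure"]


def bytes_by_source(records):
    """Total sent+rcvd bytes per source address over the traffic logs."""
    totals = defaultdict(int)
    for r in records:
        if r.fields.get("type") == "traffic":
            totals[r.fields["src"]] += (int(r.fields.get("sent", 0))
                                        + int(r.fields.get("rcvd", 0)))
    return dict(totals)


if __name__ == "__main__":
    recs = parse_all(SAMPLE_LOGS)
    for r in recs:
        print(r.date, r.time, r.fields["type"],
              decode_log_id(r.fields["log_id"]), r.duplicates)
    print(failed_actions(recs))
    print(bytes_by_source(recs))
```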

Event log messages
The Event log message records all event activity. The following is an example of an event
log message, in this case one that recorded the FortiGate unit's performance statistics.
2010-05-11 17:19:09 log_id=0104032120 type=event subtype=his-performance
pri=information vd="root" action=perf-status cpu=0
mem=45 total_session=12 msg="Performance statistics"
date=(2010-05-11)
    The year, month and day of when the event occurred in yyyy-mm-dd format.
time=(17:19:09)
    The hour, minute and second of when the event occurred in the format hh:mm:ss.
log_id=(0104032120)
    A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message id.
type=(event)
    The section of system where the event occurred.
subtype=(his-performance)
    The subtype of the log message. This represents a profile applied to a firewall policy.
pri=(information)
    The severity level of the event. There are six severity levels to specify. For more information, see "Log severity levels" on page 477.
vd=("root")
    The virtual domain where the traffic was logged.
action=(perf-status)
    The type of action that was done. In this example, the FortiGate unit's performance status was recorded.
cpu=(0)
    The CPU usage at the time the log was recorded.
mem=(45)
    The amount of memory in use, as a percentage. In this example, 45 percent was in use at the time the log was recorded.
total_session=(12)
    The total number of sessions.
msg=("Performance statistics")
    Explains the activity or event that the FortiGate unit recorded. In this example, FortiGate performance statistics were recorded.

DLP Archive logs
The DLP Archive log message provides information concerning logs that are archived on
either the FortiAnalyzer unit or the hard drive of your FortiGate unit.
The following is an example of a DLP archive web log message:
2010-04-14 11:19:36 log_id=0624032768 type=contentlog subtype=HTTP
pri=information vd="root" clogver="N/A" epoch=342741827 eventid=2
cstatus=dlp infection="dlp" virus="N/A" SN=196190 user="N/A"
group="N/A" carrier_ep="N/A" profiletype="Group_Profile"
profile="N/A" profilegroup="N/A" client=172.16.124.125
server=10.10.10.1 rcvd=28730 sent=808 dlp_sensor="Content_Archive"
method="GET" url="/rss/newsonline_world_edition/front_page/rss.xml"
cat=N/A cat_desc="N/A"
date=(2010-04-14)
    The year, month and day of when the event occurred in yyyy-mm-dd format.
time=(11:19:36)
    The hour, minute and second of when the DLP archive logged the event.
log_id=(0624032768)
    A number identifying the log message. In the above example, 06 identifies the log as the DLP archive log and 24 identifies the DLP archive log as a web archive log message.
type=(contentlog)
    The type of log that was recorded. An archived log message is put in the content log file.
subtype=(HTTP)
    The subtype of the DLP archive. In archive log messages, this represents the type of traffic that was archived. In this example, it is a web archive because the subtype is HTTP.
pri=(information)
    The severity or priority level of the event. For more information, see "Log severity levels" on page 477.
vd=(root)
    The virtual domain where the traffic was logged.
clogver=("N/A")
    The content log version number.
epoch=(342741827)
    The time period in seconds.
eventid=(2)
    The event identification number or serial number.
cstatus=(dlp)
    The log's content status. In this example, the content status is DLP.
infection=("dlp")
    The type of infection that was detected.
virus=("N/A")
    The name of the virus.
SN=(196190)
    The session number of the log message.
user=("N/A")
    The name of the user creating the traffic.
group=("N/A")
    The name of the group creating the traffic.
carrier_ep=(N/A)
    The carrier endpoint identification number. This field appears N/A unless FortiOS Carrier is running on the FortiGate unit.
profiletype=(Group_Profile)
    The type of profile that was used to detect the virus. For example, Antivirus_Profile.
profile=("N/A")
    The name of the profile that is applied to the firewall policy, which was used in detecting the virus.
profilegroup=("N/A")
    The group that the antivirus profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client=(172.16.124.125)
    The internal IP address of the FortiGate unit.
server=(10.10.10.1)
    The IP address of the server.
rcvd=(28730)
    The total number of bytes received.
sent=(808)
    The total number of bytes sent.
dlp_sensor=("Content_Archive")
    The name of the sensor that was used to detect and take action. In this example, the DLP sensor that was used is the default sensor, Content_Archive.
method=("GET")
    The type of method used.
url=("/rss/newsonline_world_edition/front_page/rss.xml")
    The URL address.
cat=(N/A)
    The FortiGuard web site category number.
cat_desc=(N/A)
    The name of the FortiGuard web site category.

Antivirus log messages
The Antivirus log records virus incidents in Web, FTP, and email traffic. The following is an
example of an antivirus log message.
2010-05-20 02:25:01 log_id=0212008450 type=virus subtype=filename
pri=warning vd="root" msg="File is blocked." status="blocked"
service="smtp" src=172.16.120.152 dst=192.168.1.157 sport=1532
src_port=1532 dport=25 dst_port=25 src_int="internal"
dst_int="wan1" policyid=1 identidx=0 serial=483186
filefilter="file pattern" file="filex.zip" checksum="238of2"
quarskip="No skip" profiletype="Antivirus_Profile" profile="av_1"
from="user1@example.com" to="user2@example.com"
date=(2010-05-20)
    The year, month and day of when the event occurred in yyyy-mm-dd format.
time=(02:25:01)
    The hour, minute and second of when the event occurred in the format hh:mm:ss.
log_id=(0212008450)
    A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message ID.
type=(virus)
    The section of system where the event occurred.
subtype=(filename)
    The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.
pri=(warning)
    The severity level of the event. For more information, see "Log severity levels" on page 477.
vd=(root)
    The virtual domain where the event originated from.
msg=("File is blocked")
    The message or reason for what triggered and logged the event.
status=("blocked")
    The decision of the antivirus engine on how to treat the file. This field can be:
    • blocked – File is blocked by the FortiGate unit
    • passthrough – File is allowed to get through the FortiGate unit
    • monitored – File is being monitored by the FortiGate unit
service=("smtp")
    The type of protocol that was used to send and receive the traffic. In this example, the antivirus profile was used to scan an email message which was sent and received using the SMTP protocol. You can view more information from the predefined list in Firewall > Service > Predefined.
src=(172.16.120.152)
    The source IP address.
dst=(192.168.1.157)
    The destination IP address.
sport=(1532)
    The source port number.
src_port=(1532)
    The source port number.
dport=(25)
    The destination port number.
dst_port=(25)
    The destination port number.
src_int=("internal")
    The name of the source interface.
dst_int=("wan1")
    The name of the destination interface.
policyid=(1)
    The firewall policy identification number.
identidx=(0)
    The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial=(483186)
    The serial number of the log.
filefilter=("file pattern")
    The file filter that matched the file. This field can be:
    • none – No file filter matched the file
    • file pattern – The pattern in the file matched
    • file type – The type of file that was matched
file=(filex.zip)
    The name of the file that was scanned by the FortiGate unit.
checksum=(238of2)
    The checksum of the file that was scanned. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip=(No skip)
    The reason for not quarantining the file. This field can be:
    • No skip – File was quarantined
    • filepattern – The HTTP GET file pattern block is not quarantined
    • oversized – The oversized files are not quarantined.
    • unknown – File was not quarantined for another reason
profiletype=(Antivirus_Profile)
    The type of profile that was used to scan the email message. This profile type is provided automatically and is not configured during configuration of settings for logging FortiGate features or log devices.
profile=(av_1)
    The name of the profile that was used to detect and block the email message.
from=(user1@example.com)
    The sender's email address.
to=(user2@example.com)
    The recipient's email address.

WebFilter log messages
The Webfilter log messages record HTTP rating errors and the web content blocking
actions that the FortiGate unit performs. The following is an example of a Web filter log
message.
2010-04-21 12:56:54 log_id=0336013573 type=webfilter
subtype=cookiefilter pri=notice vd="root" policyid=1 identidx=0
serial=85630 user="N/A" group="N/A" src=172.16.22.122 sport=1934
src_port=1934 src_int="internal" dst=10.10.30.120 dport=80
dst_port=80 dst_int="wan1" service="http" hostname="x.example.com"
profiletype="Webfilter_Profile" profilegroup="N/A"
status="blocked" req_type="referral" url="example1.example.com"
msg="cookie was removed"
date=(2010-04-21)
    The year, month and day of when the event occurred in yyyy-mm-dd format.
time=(12:56:54)
    The hour, minute and second of when the event occurred in the format hh:mm:ss.
log_id=(0336013573)
    A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message ID.
type=(webfilter)
    The section of system where the event occurred.
subtype=(cookiefilter)
    The subtype of the log message. This represents a profile applied to a firewall policy.
pri=(notice)
    The severity level of the event.
vd=("root")
    The virtual domain where the event was logged.
policyid=(1)
    The firewall policy identification number.
identidx=(0)
    The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial=(85630)
    The serial number of the log ID.
user=("N/A")
    The name of the user creating the traffic.
group=("N/A")
    The group name of the user creating the traffic.
src=(172.16.22.122)
    The source IP address.
sport=(1934)
    The source port number.
src_port=(1934)
    The source port number.
src_int=("internal")
    The name of the source interface. In this example, the source interface is the internal interface of the FortiGate unit.
dst=(10.10.30.120)
    The destination IP address.
dport=(80)
    The destination port number.
dst_port=(80)
    The destination port number.
dst_int=("wan1")
    The name of the destination interface. In this example, the destination interface is the external interface of the FortiGate unit.
service=("http")
    The service of where the event or activity occurred.
hostname=("x.example.com")
    The name of the web site accessed.
profiletype=("Webfilter_Profile")
    The type of profile that was used to detect the web filter activity. In this example, it is Webfilter_Profile.
profilegroup=("N/A")
    The group that the webfilter profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
status=("blocked")
    The status of the action taken when the event occurred. In this example, the status is blocked.
req_type=("referral")
    The type of request, which can be one of the following:
    • referral – The HTTP transaction is requested from a parent web site, such as selecting a link on a web page.
    • direct – A direct connection to a web page, such as typing in the URL address manually.
url=("example1.example.com")
    The URL of the web site.
msg=("cookie was removed")
    Explains the activity or event that the FortiGate unit recorded.

Attack log messages
The Attack log messages record all attacks that occur against your network. These log
messages also contain links to the Fortinet Vulnerability Encyclopedia where you can
better assess the attack.
The following is an example of an attack log message.
2010-05-22 19:02:11 log_id=0419018432 type=ips subtype=anomaly
pri=alert severity=critical carrier_ep=N/A profile=N/A
src=172.16.125.133 dst=192.168.20.125 src_int=“wan1”
dst_int=“internal” policyid=2 identidx=0 serial=581265
status=clear_session proto=6 service=139/tcp vd=“root” count=1
src_port=51509 dst_port=22 attack_id=100663402 sensor=slow-rate-tcp
ref=http://www.fortinet.com/ids/VID100663402 msg=“anomaly:
tcp_src_session 3 > threshold 2, repeats 3 times” policyid=0
carrier_ep=N/A profile=N/A dst_int=N/A user=N/A group=N/A
identidx=0
date=(2010-05-22)

The year, month and day of when the event occurred in
yyyy-mm-dd format.

time=(19:02:11)

The hour, minute and second of when the event occurred in
the format hh:mm:ss.

log_id=(0419018432)

A ten-digit number. The first two digits represent the log type
and the following two digits represent the log subtype. The
last five digits are the message ID.

type=(ips)

The part of the system where the event occurred.

subtype=(anomaly)

The subtype of the log message. This represents a profile
applied to a firewall policy.

pri=(alert)

The severity level of the event. For more information, see
“Log severity levels” on page 477.

severity=(critical)

The specified severity level of the attack.

carrier_ep=(N/A)

The FortiOS Carrier end-point identification. For example, it
would display the MSISDN of the phone that sent the MMS
message. If you do not have FortiOS Carrier, this field
always displays N/A.

profile=(N/A)

The name of the profile that was used to detect and block
the attack.

src=(172.16.22.122)

The source IP address.

dst=(10.10.20.10)

The destination IP address.

src_int=(“wan1”)

The name of the source interface.

dst_int=(“internal”)

The name of the destination interface.

policyid=(2)

The firewall policy identification number.

identidx=(0)

The identity-based policy identification number. This field
displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based
policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

serial=(581265)

The serial number of the log message.

status=(clear_session)

The status of the action taken when the event occurred. In
this example, the URL was exempted.

proto=(6)

The protocol of the event.

service=(139/tcp)

The service where the event or activity occurred.

vd=(“root”)

The name of the virtual domain in which the traffic was
recorded.

count=(1)

The number of times that attack was detected within a short
period of time. This is useful when the attacks are DoS
attacks.

src_port=(51509)

The source port number.

dst_port=(22)

The destination port number.

attack_id=(100663402)

The identification number of the attack log message.

sensor=(slow-rate-tcp)

The DLP sensor that was used.

ref=(http://www.fortinet.com/ids/VID13707)

The reference URL of where to find more information about
the attack.

user=(N/A)

The name of the user creating the traffic.

group=(N/A)

The name of the group creating the traffic.

incident_serialno=(86324148)

The unique ID for this attack. This number is used for
cross-referencing IPS packet logs.

msg=
(“anomaly: tcp_src_session 3
> threshold 2, repeats 3 times”)

Explains the activity or event that the FortiGate unit
recorded.

Email Filter log messages
The email filter log messages record blocking of email address patterns and content in
SMTP, IMAP and POP3 traffic. The following is an example of an email filter log message.
2010-06-20 10:19:04 log_id=0509020481 type=emailfilter
subtype=smtp pri=notice vd=root policyid=1 identidx=0 serial=1094
src=“172.16.130.25” sport=1874 src_int=“internal”
dst=“192.168.39.80” dport=110 dst_int=“wan2” service=“smtp”
profile=“email filter” profiletype=“Antispam_Profile”
status=“detected” from=“admin1@example.com”
to=“user23@example.com” banword=“autumn” msg=“The email contains
banned word(s).”
date=(2010-06-20)

The year, month and day of when the event occurred in
yyyy-mm-dd format.

time=(10:19:04)

The hour, minute and second of when the event occurred in the
format hh:mm:ss.

log_id=(0509020481)

A ten-digit number. The first two digits represent the log type
and the following two digits represent the log subtype. The last
five digits are the message id.

type=(emailfilter)

The section of system where the event occurred.

subtype=(smtp)

The subtype of the log message. This represents a profile
applied to a firewall policy.

pri=(notice)

The severity level of the event. For more information, see “Log
severity levels” on page 477.

vd=(root)

The virtual domain where the event was logged.

policyid=(1)

The firewall policy identification number.

identidx=(0)

The identity-based policy identification number. This field
displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based
policy entry that the traffic matched. This number is not
globally unique, it is only locally unique within a given firewall
policy.

serial=(1094)

The serial number of the log.

src=(“172.16.130.25”)

The source IP address.

sport=(1874)

The source port number.

src_port=(1874)

The source port number.

src_int=(“internal”)

The name of the source interface.

dst=(“192.168.39.8”)

The destination IP address.

dport=(“110”)

The destination port number.

dst_port=(110)

The destination port number.

dst_int=(“wan2”)

The name of the destination interface.

service=(“smtp”)

The service where the event or activity occurred.

profile=(“email filter”)

The name of the profile that was used to detect and block the
email message.

profiletype=
(“Antispam_Profile”)

The type of profile that was used to detect the email filter
activity. In this example, it is Antispam_Profile.

status=(“detected”)

The status of the email message. In this example, the FortiGate
unit detected that the email message had a banned word.

from=
(“admin1@example.com”)

The sender’s email address.

to=
(“user23@example.com”)

The receiver’s email address.

banword=(“autumn”)

The banned word that was found in the email message.

msg=(“The email contains
banned word(s).”)

Explains the activity or event that the FortiGate unit recorded.
In this example, the sender’s email address is in the blacklist
and matches the fourth email address in that list.

DLP log message
The Data Leak Prevention log messages record events that may be either leaking out
from or entering your network.
The following is an example of a data leak prevention log message.
2010-05-15 12:22:36 log_id=09054024577 type=dlp subtype=dlp
pri=notice vd=“root” policyid=1 identidx=0 serial=613874
src=“10.10.20.55” sport=1521 src_port=1521 src_int=“internal”
dst=“172.20.142.121” dport=80 dst_port=80 dst_int=“wan1”
service=“http” status=“detected” hostname=“1.example.com”
url=“/example.com/image/exampleX.jpg” msg=“data leak detected(Data
Leak Prevention Rule matched)” rulename=“All-HTTP” action=“log-only”
severity=1
date=(2010-05-15)

The year, month and day of when the event occurred in
yyyy-mm-dd format.

time=(12:22:36)

The hour, minute and second of when the event occurred in
the format hh:mm:ss.

log_id=(0905402477)

A ten-digit number. The first two digits represent the log type
and the following two digits represent the log subtype. The last
five digits are the message ID.

type=(dlp)

The section of system where the event occurred.

subtype=(dlp)

The subtype of the log message. This represents a profile
applied to a firewall policy.

pri=(notice)

The severity level of the event. For more information, see “Log
severity levels” on page 477.

vd=(“root”)

The virtual domain where the event was logged.

policyid=(1)

The firewall policy identification number.

identidx=(0)

The identity-based policy identification number. This field
displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based
policy entry that the traffic matched. This number is not
globally unique, it is only locally unique within a given firewall
policy.

serial=(613874)

The serial number of the log.

src=(“10.10.20.55”)

The source IP address.

sport=(1521)

The source port number.

src_port=(1521)

The source port number.

src_int=(“internal”)

The name of the source interface.

dst=(“172.20.142.121”)

The destination IP address.

dport=(80)

The destination port number.

dst_port=(80)

The destination port number.

dst_int=(“wan1”)

The name of the destination interface.

service=(“http”)

The service where the event or activity occurred.

status=(“detected”)

The action the FortiGate unit took when the attack occurred.

hostname=(“1.example.com”)

The host name. In this example, it is a URL address.

url=(“/example.com/image.exampleX.jpg”)

The URL address of the web site that was visited.

msg=(“data leak detected (Data
Leak Prevention Rule
matched)”)

Explains the activity or event that the FortiGate unit recorded.
In this example, the data leak that was detected matched the
rule, All-HTTP, in the DLP sensor.

rulename=(“All-HTTP”)

The name of the rule within the DLP sensor.

action=(“log-only”)

The action that was specified within the rule. In some rules
within sensors, you can specify content archiving. If no log
type is specified, this field displays log-only.

severity=(“1”)

The level of severity for the specified rule.

Application control log message
The application control log messages record IM, P2P and VoIP activity. This log file also
records some IPS activities.
The following is an example of an application control log message.
2010-05-08 13:55:23 log_id=1059028704 type=app-crtl
subtype=app-crtl-all pri=information vd=root attack_id=15896
src=“172.16.125.144” src_port=2675 src_int=“internal”
dst=“10.10.20.1” dst_port=443 dst_int=“wan1”
src_name=“172.16.125.144” dst_name=“10.10.20.1” proto=6
service=“https” policyid=1 serial=197261 app_list=“monitor-all”
app_type=“network-service” app=“SSL” action=“pass” count=1
msg=“network-service:SSL”
date=(2010-05-08)

The year, month and day of when the event occurred in
yyyy-mm-dd format.

time=(13:55:23)

The hour, minute and second of when the event occurred in
the format hh:mm:ss.

log_id=(1059028704)

A ten-digit number. The first two digits represent the log
type and the following two digits represent the log subtype.
The last five digits are the message id.

type=(app-crtl)

The section of system where the event occurred.

subtype=(app-crtl-all)

The subtype of the log message. This represents a policy
applied to the FortiGate feature in the firewall policy.

pri=(information)

The severity level of the event. For more information, see
“Log severity levels” on page 477.

vd=(root)

The virtual domain where the event was logged.

attack_id=(15896)

The identification number of the attack log message.

src=(“172.16.125.144”)

The source IP address.

src_port=(2675)

The source port.

src_int=(“internal”)

The name of the source interface.

dst=(“10.10.20.1”)

The destination IP address.

dst_port=(443)

The destination port.

dst_int=(“wan1”)

The name of the destination interface.

src_name=(“172.16.125.144”)

The name of the source.

dst_name=(“10.10.20.1”)

The name of the destination.

proto=(6)

The protocol number.

service=(“https”)

The service where the event or activity occurred.

policyid=(1)

The firewall policy identification number.

serial=(197261)

The session number of the application control log
message.

app_list=(“monitor-all”)

The name of the application control list that was used to
detect the action. In this example, the default application
control list that was used was monitor-all.

app_type=(“network-service”)

The type of application that triggered the action within the
control list.

app=(“SSL”)

The name of the application that triggered the action within
the control list.

action=(pass)

The action that was taken by the application control engine.
This can be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
• unknown

count=(1)

The number of times the same event was detected within a
short period of time.

msg=(“network-service:SSL”)

Explains the activity or event that the FortiGate unit
recorded. In this example, the application control list App_1
detected an unknown application.

Network Vulnerability Scan
The network vulnerability scan logs provide information about what the FortiGate unit finds
when performing a network scan.
2010-04-12 13:00:01 log_id=1600004097 type=netscan
subtype=discovery pri=notice vd=“root” action=scan
start=1271106001 end=1271106001 engine=1.053 plugin=1.098
date=(2010-04-12)

The year, month and day of when the event occurred in
yyyy-mm-dd format.

time=(13:00:01)

The hour, minute and second of when the event occurred in
the format hh:mm:ss.

log_id=(1600004097)

A ten-digit number. The first two digits represent the log
type and the following two digits represent the log subtype.
The last five digits are the message id.

type=(netscan)

The section of system where the event occurred.

subtype=(discovery)

The subtype of the log message. This represents a policy
applied to the FortiGate feature in the firewall policy.

pri=(notice)

The severity level of the event. For more information, see
“Log severity levels” on page 477.

vd=(“root”)

The virtual domain where the event was logged.

action=(scan)

The nature of the event or activity that occurred. In this
example, a scan occurred.

start=(1271106001)

The GMT epoch time that the scan started. Epoch time is in
the format of seconds.

end=(1271106001)

The GMT epoch time that the scan ended. Epoch time is in
the form of seconds.

engine=(1.053)

The netscan engine version number.

plugin=(1.098)

The netscan plugin version number.
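The attack log and network vulnerability scan tables above describe one on-the-wire format: a positional date and time, then key=value pairs whose values are double-quoted when they contain spaces, a ten-digit log_id built from type, subtype and message ID, and netscan start/end values in GMT epoch seconds. The following parser is an added example, not code from the handbook or from Fortinet; its two sample lines are constructed from this section's attack and netscan examples, written with the straight ASCII quotes that real log output uses.

```python
"""Parser for the FortiOS 4.0 key=value log line format documented above.
Added example, not Fortinet code. The sample lines are constructed from
the attack log and network vulnerability scan examples in this section."""
import re
from datetime import datetime, timezone

# A line opens with a positional date and time; the rest is key=value pairs.
# A value is either double-quoted (it may then contain spaces, '>' and '&',
# as the attack msg field does) or a bare run of non-whitespace characters.
_HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (.*)$")
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed from the handbook's attack log example (straight quotes).
ATTACK_LINE = (
    '2010-05-22 19:02:11 log_id=0419018432 type=ips subtype=anomaly '
    'pri=alert severity=critical carrier_ep=N/A profile=N/A '
    'src=172.16.125.133 dst=192.168.20.125 src_int="wan1" dst_int="internal" '
    'policyid=2 identidx=0 serial=581265 status=clear_session proto=6 '
    'service=139/tcp vd="root" count=1 src_port=51509 dst_port=22 '
    'attack_id=100663402 sensor=slow-rate-tcp '
    'ref=http://www.fortinet.com/ids/VID100663402 '
    'msg="anomaly: tcp_src_session 3 > threshold 2, repeats 3 times" policyid=0'
)

# Constructed from the handbook's network vulnerability scan example.
NETSCAN_LINE = (
    '2010-04-12 13:00:01 log_id=1600004097 type=netscan subtype=discovery '
    'pri=notice vd="root" action=scan start=1271106001 end=1271106001 '
    'engine=1.053 plugin=1.098'
)


def parse_fortios_log(line):
    """Split one log line into a dict of field name -> value (all strings).

    When a key repeats (the attack example carries policyid twice, with
    different values) the first occurrence is kept, since that is the one
    the field table documents; later duplicates are ignored.
    """
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("line does not start with 'yyyy-mm-dd hh:mm:ss'")
    fields = {"date": m.group(1), "time": m.group(2)}
    for pair in _PAIR.finditer(m.group(3)):
        key, quoted, bare = pair.groups()
        fields.setdefault(key, quoted if quoted is not None else bare)
    return fields


def split_log_id(log_id):
    """Decompose log_id as the field tables describe: a ten-digit number whose
    first two digits are the log type, the next two the subtype and the last
    five the message ID. (The handbook text assigns no meaning to the fifth
    digit, so it is not returned.) Anything that is not exactly ten digits is
    rejected rather than silently truncated; the DLP example in this section
    shows an eleven-digit value, which this check would flag."""
    if not re.fullmatch(r"\d{10}", log_id):
        raise ValueError(f"log_id must be exactly 10 digits, got {log_id!r}")
    return {"type": log_id[:2], "subtype": log_id[2:4], "message_id": log_id[5:]}


def epoch_to_utc(seconds):
    """Render a netscan start/end value (GMT epoch seconds) as ISO 8601 UTC."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).isoformat()


def describe(line):
    """Parse a line and attach the decomposed log_id. For netscan records,
    also report the scan window in UTC and its length in seconds, which the
    local date/time at the start of the line does not give directly."""
    fields = parse_fortios_log(line)
    out = {"fields": fields, "log_id_parts": split_log_id(fields["log_id"])}
    if fields.get("type") == "netscan":
        start, end = int(fields["start"]), int(fields["end"])
        out["scan_window_utc"] = (epoch_to_utc(start), epoch_to_utc(end))
        out["scan_seconds"] = end - start
    return out


if __name__ == "__main__":
    for sample in (ATTACK_LINE, NETSCAN_LINE):
        print(describe(sample))
```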

Configuring reports in FortiOS 4.0
Reports provide a way to analyze log data without manually going through a large amount
of logs to get to the information you need. There are three distinct reports you can
configure: a FortiOS report, a FortiAnalyzer report, and executive summary reports. This
section explains these reports and how to configure and view them.
The following topics are included in this section:
• Report overview
• FortiOS reports
• FortiAnalyzer reports
• Executive Summary reports
• Viewing reports
• Report examples
Note: Configuring reports from other log devices, such as a Syslog server, is not
supported.

Report overview
Reports provide a clear, concise overview of what is happening on your network based on
log data, without manually going through large amounts of logs. Reports can be
configured and generated from the FortiGate unit, or from a FortiAnalyzer unit. There are
three distinct reports you can configured: a FortiOS report, a FortiAnalyzer report, and
executive summary reports.
A FortiOS report is a report configured and generated from the FortiGate unit. FortiOS
reports consist of charts, a theme, an image (or more), and a layout. The layout is used as
a template by the FortiGate unit to compile the log data and then generate the report. A
FortiOS report is usually configured in the following order:
1 Charts
2 Theme
3 Image
4 Layout
A report schedule is a FortiAnalyzer report configured on the FortiGate unit, and then
generated on the FortiAnalyzer unit. FortiAnalyzer report schedules can be configured on
the FortiGate unit, if logs are being stored on the FortiAnalyzer unit. The report schedule is
generated on the FortiAnalyzer unit and you can view the generated report from either the
FortiGate unit (in Log & Report & gt; Report Access & gt; FortiAnalyzer) or the FortiAnalyzer unit
itself.

An executive summary report is a collection of widgets that display the log information in
a graphical format; these widgets are actually charts that are also used when configuring a
FortiOS report layout. Executive summary reports are configured on the Executive
Summary page, in the Report Access menu. These widgets, or charts, use the log
information that is associated with them. For example, the appcrtl.Count.Bandwidth.Top10
.Apps.last24h(Graph) chart displays the top ten application control applications, with the
amount of bandwidth usage stated on the y axis of the graph chart.
When you are ready to configure reports, and your FortiGate unit is currently running
FortiOS 4.0 MR2, you may not be able to view the Report Config and Report Access
menus from the web-based manager. You must log in to the CLI and use the following
commands to enable these two menus within the web-based manager. These menus do
not appear regardless of whether your log storage location is the FortiGate unit or the
FortiAnalyzer unit.
config log fortianalyzer setting
set gui-display enable
end

FortiOS reports
FortiOS reports are configured from logs stored on the FortiGate unit’s hard drive. These
reports are generated by the FortiGate unit itself, providing a central location for not only
configuring reports, but also generating them.
FortiOS reports consist of multiple parts which are all configured separately and then
added within the layout. The parts of a report are:


• charts (including datasets within the charts themselves)
• themes (including styles which are within the themes themselves)
• images
• layouts

Charts are used to display the log information in a clear and concise way using graphs and
tables. Charts contain datasets, which are SQL queries and help the FortiGate unit to add
specific log information into the chart using the SQL logs that are stored on the FortiGate
unit’s local disk. If you want to configure a chart, you must configure the dataset first.
Datasets are required for each chart, and if there is no dataset included in a chart, the
chart will not be saved.
Themes provide a one-step style application for report layouts. Themes contain various
styles for the table of contents, headings, headers and footers, as well as the margins of
the report’s pages. Themes are applied to layouts. The styles that are applied to themes
are configured separately.
You can easily upload your company or organization’s logo to use within a report from the
Images menu. By uploading your company or organization’s own logo and applying it in a
report, you provide a personalized report that is recognizable as your company or
organization’s report. The image must be in JPEG, JPG or PNG format.
Layouts provide a way to incorporate the charts, image, and themes that are configured to
create a formatted report. A layout is used as a template by the FortiGate unit to compile
and then generate the report.
This topic contains the following:
• Creating datasets for charts
• Configuring the charts for the report
• Configuring a theme for the report
• Customizing and creating styles for a theme
• Importing images for the report
• Configuring the layout for the report

Creating datasets for charts
You must configure datasets because they are required when configuring a chart. You can
use the default datasets that are available when configuring a chart. Datasets require
knowledge of SQL because the logs are stored in an SQL database. You can view the
SQL schema using the get report database schema CLI command syntax.
Note: If you are configuring a chart for a report, you must create a dataset for that chart.
The chart cannot be configured without a dataset. There are no default datasets.

Use the following to configure a dataset that will be applied to a chart.
config report dataset
edit <report_dataset>
set query <SQL_statement>
config field
edit <field_id>
set displayname <string>
set type {text | integer | date | ip}
next
end
end
If you need more information about queries required for datasets, see “FortiGate SQL log
databases” on page 489.

Configuring the charts for the report
Charts are used to display the log information in a clear and concise way using either a
graph or table. The charts that display the log information as a graph use a bar, pie, or line
graph type format.
Before configuring a chart for a report, you may want to see the list of available default
charts in Log & Report > Report Config > Chart. You can create your own chart; however,
you must use either a default dataset or create your own dataset. SQL knowledge is
required when configuring a dataset. There are many default charts to choose from, along
with datasets, which can be found in the list on the Chart page.
You should verify that the datasets you want to use are configured and available before
configuring a chart because a chart cannot be configured without a dataset. Charts are
also used to configure executive summary reports.
To create a graph chart
1 Go to Log & Report > Report Config > Chart.
2 Select the down arrow beside Create New and then select Graph Chart.
3 On the Add Graph Report Chart page, enter a name for the chart in the Name field.
4 Use the drop-down lists in Dataset and Category to choose the dataset and category
that will be used.
5 If you want to add a description or comment, enter it in the Comments field.

6 To include the chart in the Favorites category, select the check box beside Add to
Favorites.
7 Select the type of graph that you want displayed in the chart from the Graph Type drop-down list.
8 In the X Series section, enter the information for the x axis part of the chart.
9 In the Y Series section, enter the information for the y axis part of the chart.
10 Select OK.
To create a table chart
1 Go to Log & Report > Report Config > Chart.
2 Select the down arrow beside Create New and then select Table Chart.
3 On the Add Table Report Chart page, enter the information you want to include in the
chart.
4 If you want to add this chart to the Favorites chart list, select the check box beside Add
to Favorites.
5 Select OK.

Configuring a theme for the report
When you are configuring a layout for a report, you can also add a theme. A theme is a
group of settings that create the general style of a report. For example, the styles that are
applied to the table of contents section of the report. Themes are configured only in the
CLI.
You may want to configure your own styles for a theme, such as the type of alignment for
the text. Styles are configured within the CLI, and you can also customize the default
styles as well.
Use the following procedure to configure a theme for a report, which can then be applied
to a report’s layout.
To configure a theme for a report
1 Log in to the CLI.
2 Enter the following command syntax:
config report theme
edit <theme_name>
set column-count [1 | 2 | 3]
set default-html-style <string>
set default-pdf-style <string>
set graph-chart-style <string>
set heading1-style <string>
set heading2-style <string>
set heading3-style <string>
set heading4-style <string>
set hline-style <string>
set image-style <string>
set normal-text-style <string>
set page-footer-style <string>
set page-header-style <string>
set page-orient {landscape | portrait}
set page-style <string>
set report-subtitle-style <string>
set report-title-style <string>
set table-chart-caption-style <string>
set table-chart-even-row-style <string>
set table-chart-head-style <string>
set table-chart-odd-row-style <string>
set table-chart-style <string>
set toc-heading1-style <string>
set toc-heading2-style <string>
set toc-heading3-style <string>
set toc-heading4-style <string>
set toc-title-style <string>
end
3 To choose a style for any one of the above commands, except for column-count and
page-orient, enter ? to view the available choices.
4 To change the style of any one of the above commands, except for column-count
and page-orient, go to “Customizing and creating styles for a theme” on page 523.

Customizing and creating styles for a theme
You can customize the default styles or create your own styles for reports. There are
default styles and summary styles to choose from. Default styles use a default style
scheme, and the summary styles are for summary reports that contain one or two pages
with a small graph or table.
To customize an existing style
1 Log in to the CLI.
2 Enter the following command syntax:
config report style
edit <style_name>
For example, default.graph.
3 To view a list of available styles, enter ? after entering edit.
To create a new style
1 Log in to the CLI.
2 Enter the following command syntax:
config report style
edit <new_style_name>
set options {align | border | color | column | font | margin
| padding | size | text}
set align {center | justify | left | right}
set bg-color {colour_name1 | color_name2 | color_name3 | …}
set border-bottom <border_width_pixels> <border_style_{solid | dotted | dashed}> <border_color>
set border-left <border_width_pixels> <border_style_{solid | dotted | dashed}> <border_color>
set border-right <border_width_pixels> <border_style_{solid | dotted | dashed}> <border_color>
set border-top <border_width_pixels> <border_style_{solid | dotted | dashed}> <border_color>
set column-gap <pixels>
set column-span {all | none}
set fg-color <color>
set font-family {Arial | Courier | Helvetica | Times | Verdana}
set font-size {xx-small | x-small | small | medium | large | x-large | xx-large | <pixels>}
set font-style {italic | normal}
set font-weight {bold | normal}
set height <pixels or percentage>
set line-height <pixels or percentage>
set margin-bottom <pixels>
set margin-left <pixels>
set margin-right <pixels>
set margin-top <pixels>
set padding-bottom <pixels>
set padding-left <pixels>
set padding-right <pixels>
set padding-top <pixels>
set width <pixels or percentage>
end

Example of a style for a theme
The following example shows how to configure a specific style that is then applied to a
theme.
config report style
edit style_1
set options align color font margin text
set align center
set bg-color navy
set fg-color white
set font-family Verdana
set font-size medium
set font-weight bold
set line-height 100
set margin-bottom 20
set margin-left 20
set margin-right 30
set margin-top 50
end
config report theme
edit theme_1
set column-count 2
set page-style style_1
end

Importing images for the report
Images can be imported for use in reports. The supported images are JPEG, JPG and
PNG.
To import images for the report
1 Go to Log & Report > Report Config > Image.
2 Select Import.

3 On the Import Image File page, either enter the location of the image file or select
Browse to locate the image file.
4 Select OK.

Configuring the layout for the report
A layout, similar to the layout configured for a FortiAnalyzer report, contains settings for
including charts, images, and whether or not to schedule when the report will be
generated.
The Report Components section of the Add Report Layout page provides a place where
you can add and view what charts, sections and images you want included in the layout.
To configure a layout for the report
1 Go to Log & Report > Report Config > Layout.
2 Select Create New.
3 On the Add Report Layout page, enter the information that you want included in the
report.
For example, you want to add a newly created theme to the report, so you select it from
the Report Theme drop-down list.
4 To schedule when a report is generated, select the Schedule options that suit the type
of schedule you want.
5 Select the plus sign beside Report Components to add each of the following
components to the layout:
• Text – A description that will appear in a Heading 1, 2, 3 or Normal format.
• Chart – Add a chart to the report, which can be either a default chart or a chart that you
created. You must add each chart separately; you cannot add multiple charts at
one time.
• Image – Add a specific image to the report. If you have uploaded an image or images,
they are also included in this list.
• Misc – Add a page break, column break, or horizontal line.
Note: You must add the report components one at a time to the report layout. Adding
multiple components at the same time is not supported.

6 After adding the report components, arrange them in the order you want them
presented in the report.

Cloning a layout
Cloning a layout allows you to reuse settings in a previously configured layout and apply
those settings along with new settings to a new layout.
To clone a layout
1 Go to Log & Report > Report Config > Layout.
2 Highlight the report that you want to use, and then select the Clone icon.
3 Enter the name of the new report in the Name field.
4 Enter the information for the new report.
5 Select OK.

FortiOS™ Handbook FortiOS 4.0 MR2 Logging and Reporting
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback


Generating a report at any time
You can generate a report at any time, regardless of whether or not it is scheduled. These
are often referred to as on-demand reports, because they are generated whenever they are
needed.
To generate a report at any time
1 Go to Log & Report > Report Config > Layout.
2 Highlight the report you want immediately generated, and then select the Run icon.
The following message appears:
Report On-Demand-<report layout title>-<yyyy>-<mm>-<dd><time_seconds> has been queued; Please check its progress on
Report Access > Disk.
3 Select Return to return to the Layout page.
The length of time to generate a report depends on the report itself. A large report may
take a long time, while a simple and smaller report may take a few minutes.
4 Go to Log & Report > Report Access > Disk to view the on-demand report.
On-demand reports contain “On-Demand” in the report file’s title.

FortiAnalyzer reports
FortiAnalyzer reports are configured on a FortiAnalyzer unit; however, you can configure a
report schedule from the FortiGate unit in Log & Report > Report Config > Schedule. You
need to have a report layout when configuring a report schedule. Report layouts are
configured only on the FortiAnalyzer unit.
If you want to configure a report schedule based on another report schedule, you can
clone the report schedule. Cloning a report schedule produces a duplicate of the original,
which you then edit to create the new schedule.

Configuring a FortiAnalyzer report schedule
You can configure only a FortiAnalyzer report schedule from the FortiGate unit. Before you
can configure a report schedule, a FortiAnalyzer report layout must also be configured.
Contact your FortiAnalyzer administrator to verify that the report layout is available for you to add
to the report schedule that you are configuring on the FortiGate unit. You should also
contact the FortiAnalyzer administrator if you want to include a FortiAnalyzer output
template in the schedule.
To configure a report schedule
1 Go to Log & Report > Report Config > FortiAnalyzer.
2 Select Create New.
3 On the Create Schedule page, enter the information required for the schedule.
4 Select OK.
The report schedule may take time, depending on the amount of log data needed and if
there are other reports being generated on the FortiAnalyzer unit.
To clone a report schedule
1 Go to Log & Report > Report Config > FortiAnalyzer.


2 Highlight the report and then select the Clone icon.
You are redirected to the Edit Schedule page.
3 On the Edit Schedule page, enter the new information that is required for the schedule.
4 Select OK.

Executive Summary reports
If you have configured logging to a FortiGate unit’s SQL database, you can create reports
from those logs. SQL database reports appear on the Executive Summary page and are
represented as widgets. You cannot customize the type of chart, such as bar or pie, but
you can customize what column the widget displays in, such as the second column.
These reports can be viewed in Log & Report > Report Access > Executive Summary.
To configure an executive summary report - web-based manager
1 Go to Log & Report > Report Access > Executive Summary.
2 Select + Add Widget.
3 In Add New Widgets to Report Summary, select a report widget from the Widgets list.
Certain report widgets only display a table and others only display a graph. You cannot
customize the type of graph that displays.
4 Select OK.
The report widget appears on the Executive Summary page.
5 Repeat steps 2 to 4 until all of the report widgets that you need on the Executive
Summary page are configured.
To configure an executive summary report - CLI
1 Log in to the CLI.
2 Enter the following command syntax:
config report summary
  edit <id_number>
    set widget <chart_name>
    set column {1 | 2 | 3}
    set schedule {daily | weekly}
    set day {sunday | monday | tuesday | wednesday | thursday
             | friday | saturday}
    set time <hh:mm>
  end
3 Enter a day in set day only if you want to schedule a weekly refresh of the
information.

Viewing reports
You can view various reports from the Report Access menu, including Executive Summary
reports. When you are viewing FortiOS reports, you go to Log & Report > Report Access >
Disk. When you are viewing FortiAnalyzer reports, you go to Log & Report > Report Access
> FortiAnalyzer.
The following table explains the Disk page when you are viewing FortiOS reports.


Disk page
Displays each generated report. Reports are removed using the Delete icon. You can view either
HTML reports or PDF reports directly from this page. An HTML report opens in a separate window,
while a PDF report opens within the Disk page.
Delete: Removes one, multiple or all reports from the list. If you select the check box in
the check box column, you can remove all reports from the list at one time.
Report File: The name of the report file, which includes the date and time.
Note: To view an HTML report, select the name in this column. The HTML report
appears in a separate window.
Started: The time when the report began generating, displayed with the date in the
format yyyy-mm-dd hh:mm:ss. The hour is in 24-hour format.
Finished: The time when the report stopped generating, displayed with the date in the
format yyyy-mm-dd hh:mm:ss. The hour is in 24-hour format.
Size (bytes): The size of the report file, in bytes.
Other Formats: Displays the generated report in PDF format. Select the format in this column to
view the report in PDF.

The following table explains the FortiAnalyzer page, when you are viewing historical
FortiAnalyzer reports. The current FortiAnalyzer report displays when you go to
Log & Report > Report Access > FortiAnalyzer. If you want a hard copy of a FortiAnalyzer
report, select Print, which appears when you are viewing a current report.
FortiAnalyzer page
Displays each historical report that was generated.
Report Files: The name of the report. Expand the report to view
Date: The date and time when the report was generated. The date is in the
format <day_name> <month_name> <dd> <hh>:<mm>:<ss> <yyyy>. For
example, Thu Apr 22 04:05:55 2010.
Size (bytes): The size of the report file, in bytes.
Other Formats: Displays other formats that the report has been formatted in, such as XML and
PDF. Select the format in this column to view the report in PDF.

Report examples
The following are examples of two specific reports, a simple traffic report, and a more
complicated network scan report.

Report for analyzing traffic on the network
The managers of all departments within your organization want to know how much traffic
has been coming in and out of the internal network within the month of April. You have a
look at the Traffic History widget to get an idea of what log information you need to include
for the report.
To configure a traffic report
1 Go to Log & Report > Report Config > Layout.
2 Select Create New.
3 Enter the name, Traffic Report, in the Name: field.
4 Select the summary report theme from the drop-down list in Report Theme.
5 Enter the report’s title, Traffic Report for April 2010, in the Title field.


6 Select the check box beside HTML in Output Format.
7 Select the plus sign (+) beside Report Components.
8 In the Add Component window, select Chart.
9 Select Traffic from the Categories drop-down list.
10 To select the charts, you must select each one individually, as follows:
• In Available Charts, select traffic.Count.Network.Session.last2h, and then select
OK.
• Repeat steps 7 to 10, and then select traffic.Dist.Network.Bandwidth.last24h.
11 Select OK.
12 On the Layout page, highlight Traffic Report and select the Run icon.
In Report Generation Status, the following appears:
Report On-Demand-Traffic Report-2010-04-20-172928 has been
queued; Please check its progress on Report Access -> Disk.
13 Select Return to return to the Layout page.

Report for application usage on the network
The CEO of your organization has personally asked the manager of your IT department to
gather information on the applications that are used on your network. The CEO wants to
know the top ten applications that are being used, their bandwidth usage, and the top
media downloads. The CEO plans on showcasing the report during a presentation with
the organization’s board of directors.
This report requires a specific layout, charts, and image. The image must be the
organization’s new corporate image, since the image will be presented during the
presentation.
This example assumes that all logs are stored on the FortiGate unit’s local disk.

Importing the image
The following procedure imports the organization’s image, which will be included in the
report, at the top of the cover page and as a footer.
To import the image
1 Go to Log & Report > Report Config > Image.
2 On the Image page, select Import.
3 On the Import Image File page, either enter the file path of the location of the new
corporate image, or select Browse and locate the image.
4 Select OK.

Configuring the style and theme
The organization wants to use their own style for the report. The following procedure
configures a style which is then applied to a theme. Styles and themes are configured only
in the CLI.
You need to configure the style as follows:
• font – Helvetica
• size of font – large
• style of font should be italics for headings, normal for text
• border – thin, and appearing only at the bottom of each page
• no columns
• alignment – only the report title and image should be centered; all other headings and
text should be left aligned
• margins – should be that left is 2.0 and right is 0.0

There should be a style for headings that also includes the table of contents headings. For
example, style_toc is applied to only the table of contents headings.
To configure the style and theme
1 Log in to the CLI.
2 Enter the following command syntax to configure the general PDF style:
config report style
  edit org_pdf
    set options font text margin align
    set align left
    set line-height 120%
    set font-family Helvetica
    set font-size large
    set font-style normal
    set font-weight normal
    set margin-bottom 100px
    set margin-top 100px
    set margin-left 17px
    set margin-right 10px
  next
3 Enter the following command syntax to configure the title style:
config report style
  edit org_title
    set options font align
    set align center
    set font-family Helvetica
    set font-size xx-large
    set font-style italic
    set font-weight bold
  next
4 Enter the following command syntax to configure the style of headings 1, 2 and 3 as
well as the table of contents headings:
config report style
  edit org_heading1
    set options font align
    set align left
    set font-family Helvetica
    set font-size x-large
    set font-style italic
    set font-weight normal
  next
  edit org_heading2
    set options font align
    set align left
    set font-family Helvetica
    set font-size medium
    set font-style italic
    set font-weight normal
  next
  edit org_heading3
    set options font align
    set align left
    set font-family Helvetica
    set font-size small
    set font-style italic
    set font-weight normal
  next
  edit org_toc_title
    set options font align
    set align left
    set font-family Helvetica
    set font-size large
    set font-style italic
    set font-weight normal
  next
  edit org_toc_heading1
    set options font align
    set align left
    set font-family Helvetica
    set font-size medium
    set font-style italic
    set font-weight normal
  next
  edit org_toc_heading2
    set options font align
    set align left
    set font-family Helvetica
    set font-size small
    set font-style italic
    set font-weight normal
end
5 Enter the following command syntax to configure the chart style:
config report style
  edit org_chart
    set options font align
    set align center
    set font-family Helvetica
    set font-size large
    set font-style normal
    set font-weight bold
end
6 Enter the following command syntax to configure the footer that will be on each page:
config report style
  edit org_footer
    set options font align border color
    set align right
    set border-bottom 100px
    set color red
    set font-family Helvetica
    set font-size xx-small
    set font-style normal
    set font-weight normal
end
7 Enter the following command syntax to apply the style to a theme:
config report theme
  edit org_theme
    set column-count
    set default-pdf-style org_pdf
    set graph-chart-style org_chart
    set heading1-style org_heading1
    set heading2-style org_heading2
    set heading3-style org_heading3
    set image-style logo_img
    set normal-text-style org_pdf
    set page-footer-style org_footer
    set page-orient portrait
    set report-title-style org_title
    set page-style org_pdf
    set toc-heading1-style org_toc_heading1
    set toc-heading2-style org_toc_heading2
end

Layout
The following procedure applies the image and theme to the report, as well as the charts
required and additional settings.
To configure a layout
1 Go to Log & Report > Report Config > Layout.
2 Select Create New.
3 On the Add Report Layout page, enter the name for the report, Network
application usage on our network, in the Name field.
4 Select org_theme from the Report Theme drop-down list.
5 Enter the title for the report, The Application usage on our network, in the
Title field.
6 In Option, select the check boxes beside HTML Navigation Bar and Auto Heading
Number.
This removes the HTML navigation bar and heading numbers from being included in
the report.
7 In Output Format, select HTML.
By selecting HTML, only PDF will be applied as the format to the report.
8 Select the plus sign beside Report Components to begin adding the additional
components, such as charts, to the layout.


9 In the Add Component window, add the following charts. You must add each chart
individually:
• appcrtl.Dist.Type.last24h
• appcrtl.Users.Media.last24h
• appcrtl.Users.Web.last24h
• appcrtl.Top10.Apps.Used.last24h
• appcrtl.Top10.Media.Dest.last24h
• appcrtl.Top10.Media.Source.last24h
• appcrtl.Top10.Apps.Bandwidth.last24h
10 In Component Type, select Image, and then select the organization’s image.
11 After the layout is complete, on the Layout page, highlight the report and select Run.
The following message appears:
Report On-Demand-Network application usage on our network-2010-05-24-161931 has been queued; Please check its progress on
Report Access -> Disk.
12 Select Return to return to the Layout page.
13 Go to Log & Report > Report Access > Disk to view the status of the report.


Chapter 5 UTM Guide
This FortiOS Handbook chapter contains the following sections:
UTM overview: Describes UTM components and their relation to firewall policies, as well
as SSL content scanning and inspection. We recommend starting with this section to
become familiar with the different features in your FortiGate unit.
Network defense: Explains basic denial of service (DoS) and distributed denial of service
(DDOS) concepts and provides an overview of the best practices to use with all the UTM
features to defend your network against infection and attack.
AntiVirus: Explains how the FortiGate unit scans files for viruses and describes how to
configure the antivirus options.
Email filter: Explains how the FortiGate unit filters email, describes how to configure the
filtering options and the action to take with email detected as spam.
Intrusion protection: Explains basic Intrusion Protection System (IPS) concepts and how
to configure IPS options; includes guidance and a detailed table for creating custom
signatures as well as several examples.
Web filter and FortiGuard Web Filter: The first of these sections describes basic web
filtering concepts, the order in which the FortiGate unit performs web filtering, and
configuration. The second section describes enhanced features of the subscription-based
FortiGuard Web Filtering service and explains how to configure them. We recommend
reading both sections if you are using FortiGuard Web Filtering because settings you
configure in one feature may affect the other.
Data leak prevention: Describes the DLP features that allow you to prevent sensitive
data from leaving your network and explains how to configure the DLP rules, compound
rules, and sensors.
Application control: Describes how your FortiGate unit can detect and take action
against network traffic based on the application generating the traffic.
DoS policy: Describes how to use DoS policies to protect your network from DoS attacks.
Sniffer policy: Describes how to use your FortiGate unit as a one-armed intrusion
detection system (IDS) to report on attacks.


UTM overview
Ranging from the FortiGate®-30 series for small businesses to the FortiGate-5000 series
for large enterprises, service providers and carriers, the FortiGate line combines a number
of security features to protect your network from threats. As a whole, these features, when
included in a single Fortinet security appliance, are referred to as Unified Threat
Management (UTM). The UTM features your FortiGate model includes are:
• AntiVirus
• Intrusion Prevention System (IPS)
• Anomaly protection (DoS policies)
• One-armed IPS (Sniffer policies)
• Web filtering
• E-mail filtering, including protection against spam and grayware
• Data Leak Prevention (DLP)
• Application Control (for example, IM and P2P).

Firewall policies limit access, and while this and similar features are a vital part of securing
your network, they are not covered in this document.
The following topics are included in this section:
• UTM components
• UTM profiles/lists/sensors
• UTM and Virtual domains (VDOMs)
• Conserve mode
• SSL content scanning and inspection
• Viewing and saving logged packets

UTM components
AntiVirus
Your FortiGate unit stores a virus signature database that can identify more than 15,000
individual viruses. FortiGate models that support additional virus databases are able to
identify hundreds of thousands of viruses. With a FortiGuard AntiVirus subscription, the
signature databases are updated whenever a new threat is discovered.
AntiVirus also includes file filtering. When you specify files by type or by file name, the
FortiGate unit will stop the matching files from reaching your users.
FortiGate units with a hard drive, or configured to use a FortiAnalyzer unit, can store
infected and blocked files so that you can examine them later.

Intrusion Protection System (IPS)
The FortiGate Intrusion Protection System (IPS) protects your network against hacking
and other attempts to exploit vulnerabilities of your systems. More than 3,000 signatures
are able to detect exploits against various operating systems, host types, protocols, and
applications. These exploits can be stopped before they reach your internal network.
You can also write custom signatures, tailored to your network.

Anomaly protection (DoS policies)
A complement to the signature-based IPS, anomaly protection detects unusual network
traffic that can be used to attack your network. When you set thresholds for various types
of network operations, the FortiGate unit will block any attempt to exceed the thresholds
you have defined.

One-armed IDS (sniffer policies)
You can use sniffer policies on the FortiGate unit as a one-armed intrusion detection system
(IDS). The unit examines traffic for matches to the configured IPS sensor and application
control list. Matches are logged and then all received traffic is dropped. In this way, you
can configure a unit to sniff network traffic for attacks without actually processing the
packets.
The FortiGate unit can log all detected IPS signatures and anomalies in a traffic stream.

Web filtering
Web filtering includes a number of features you can use to protect or limit your users’
activity on the web.
FortiGuard Web Filtering is a subscription service that allows you to limit access to web
sites. More than 60 million web sites and two billion web pages are rated by category. You
can choose to allow or block each of the 77 categories.
URL filtering can block your network users from access to URLs that you specify.
Web content filtering can restrict access to web pages based on words and phrases
appearing on the web page itself. You can build lists of words and phrases, each with a
score. When a web content list is selected in a web filter profile, you can specify a
threshold. If a user attempts to load a web page and the score of the words on the page
exceeds the threshold, the web page is blocked.

Email filtering
FortiGuard AntiSpam is a subscription service that includes an IP address black list, a
URL black list, and an email checksum database. These resources are updated whenever
new spam messages are received, so you do not need to maintain any lists or databases
to ensure accurate spam detection.
You can use your own IP address lists and email address lists to allow or deny addresses,
based on your own needs and circumstances.

Data Leak Prevention (DLP)
Data leak prevention allows you to define the format of sensitive data. The FortiGate unit
can then monitor network traffic and stop sensitive information from leaving your network.
Rules for U.S. social security numbers, Canadian social insurance numbers, as well as
Visa, Mastercard, and American Express card numbers are included.

Application Control (for example, IM and P2P)
Although you can block the use of some applications by blocking the ports they use for
communications, many applications do not use standard ports to communicate.
Application control can detect the network traffic of more than 1000 applications,
improving your control over application communication.


UTM profiles/lists/sensors
A profile is a group of settings that you can apply to one or more firewall policies. Each
UTM feature is enabled and configured in a profile, list, or sensor. These are then selected
in a firewall policy and the settings apply to all traffic matching the policy. For example, if
you create an antivirus profile that enables antivirus scanning of HTTP traffic, and select
the antivirus profile in the firewall policy that allows your users to access the World Wide
Web, all of their web browsing traffic will be scanned for viruses.
Because you can use profiles in more than one firewall policy, you can configure one
profile for the traffic types handled by a set of firewall policies requiring identical protection
levels and types, rather than repeatedly configuring those same profile settings for each
individual firewall policy.
For example, while traffic between trusted and untrusted networks might need strict
protection, traffic between trusted internal addresses might need moderate protection. To
provide the different levels of protection, you might configure two separate sets of profiles:
one for traffic between trusted networks, and one for traffic between trusted and untrusted
networks.
The UTM profiles include:
• antivirus profile
• IPS sensor
• Web filter profile
• Email filter profile
• Data Leak Prevention profile
• Application Control list
• VoIP profile

Although they’re called profiles, sensors, and lists, they’re functionally equivalent. Each is
used to configure how the feature works.

UTM and Virtual domains (VDOMs)
If you enable virtual domains (VDOMs) on your FortiGate unit, all UTM configuration is
limited to the VDOM in which you configure it.
While configuration is not shared, the various databases used by UTM features are
shared. The FortiGuard antivirus and IPS databases and database updates are shared.
The FortiGuard web filter and spam filter features contact the FortiGuard distribution
network and access the same information when checking email for spam and web site
categories and classification.

Conserve mode
FortiGate units perform all UTM processing in physical RAM. Since each model has a finite
amount of memory, conserve mode is activated when the remaining free memory is nearly
exhausted or the AV proxy has reached the maximum number of sessions it can service.
While conserve mode is active, the AV proxy does not accept new sessions.


The AV proxy
Most content inspection the FortiGate unit performs requires that the files, email
messages, URLs, and web pages be buffered and examined as a whole. The AV proxy
performs this function, and because it may be buffering many files at the same time, it
uses a significant amount of memory. Conserve mode is designed to prevent all the
component features of the FortiGate unit from trying to use more memory than it has.
Because the AV proxy uses so much memory, conserve mode effectively disables it in
most circumstances. As a result, the content inspection features that use the AV proxy are
also disabled in conserve mode.
All of the UTM features use the AV proxy with the exception of IPS, application control,
flow-based antivirus scanning, and DoS. These features continue to operate normally
when the FortiGate unit enters conserve mode.

Entering and exiting conserve mode
A FortiGate unit will enter conserve mode because it is nearly out of physical memory, or
because the AV proxy has reached the maximum number of sessions it can service. The
memory threshold that triggers conserve mode varies by model, but it is about 20% free
memory. When memory use rises to the point where less than 20% of the physical
memory is free, the FortiGate unit enters conserve mode.
The FortiGate unit will leave conserve mode only when the available physical memory
exceeds about 30%. When exiting conserve mode, all new sessions configured to be
scanned with features requiring the AV proxy will be scanned as normal, with the
exception of a unit configured with the one-shot option.

Conserve mode effects
What happens when the FortiGate unit enters conserve mode depends on how you have
av-failopen configured. There are four options:

off
The off setting forces the FortiGate unit to stop all traffic that is configured for content
inspection by UTM features that use the AV proxy. New sessions are not allowed but
current sessions continue to be processed normally unless they request more memory.
Sessions requesting more memory are terminated.
For example, if a firewall policy is configured to use antivirus scanning, the traffic it permits
is blocked while in conserve mode. A policy with IPS scanning enabled continues as
normal. A policy with both IPS and antivirus scanning is blocked because antivirus
scanning requires the AV proxy.
Use the off setting when security is more important than a loss of access while the
problem is rectified.

pass
The pass setting allows traffic to bypass the AV proxy and continue to its destination.
Since the traffic is bypassing the proxy, no UTM scanning that requires the AV proxy is
performed. UTM scanning that does not require the AV proxy continues normally.
Use the pass setting when access is more important than security while the problem is
rectified.
Pass is the default setting.


one-shot
The one-shot setting is similar to pass in that traffic is allowed when conserve mode is
active. The difference is that a system configured for one-shot will force new sessions to
bypass the AV proxy even after it leaves conserve mode. The FortiGate unit resumes use
of the AV proxy only when the av-failopen setting is changed or the unit is restarted.

idledrop
The idledrop setting will recover memory and session space by terminating all the
sessions associated with the host that has the most sessions open. The FortiGate may
force this session termination a number of times, until enough memory is available to
allow it to leave conserve mode.
The idledrop setting is primarily designed for situations in which malware may continue to
open sessions until the AV proxy cannot accept more new sessions, triggering conserve
mode. If your FortiGate unit is barely able to handle the traffic of your network, this setting
could cause the termination of valid sessions. Use this option with caution.

Configuring the av-failopen command
You can configure the av-failopen command using the CLI.
config system global
  set av-failopen {off | pass | one-shot | idledrop}
end
The default setting is pass.
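The conserve mode thresholds (enter below about 20% free memory, leave only above about 30%) and the four av-failopen behaviours described above, modelled as an added illustration in Python; this is not FortiOS code, and the base memory usage and the memory cost of one buffered AV-proxy session are assumed values chosen so the thresholds are easy to reach.

```python
"""Model of FortiOS conserve mode and the av-failopen options as the handbook
describes them.  Added illustration, not FortiOS code: base memory usage and
the memory cost of one buffered AV-proxy session are assumed values."""
from collections import Counter

ENTER_BELOW_PCT = 20.0   # conserve mode starts when free memory drops below about 20%
EXIT_ABOVE_PCT = 30.0    # and ends only when free memory exceeds about 30% (hysteresis)
AV_FAILOPEN_MODES = ("off", "pass", "one-shot", "idledrop")


class ConserveModeModel:
    def __init__(self, av_failopen="pass", base_usage_pct=60.0, pct_per_session=2.0):
        if av_failopen not in AV_FAILOPEN_MODES:
            raise ValueError(f"unknown av-failopen value: {av_failopen}")
        self.av_failopen = av_failopen
        self.base_usage_pct = base_usage_pct      # memory used by everything else (assumed)
        self.pct_per_session = pct_per_session    # memory one buffered proxy session costs (assumed)
        self.proxy_sessions = []                  # host of each session currently held by the AV proxy
        self.conserve = False
        self.sticky_bypass = False                # one-shot: bypass outlives conserve mode
        self.events = []

    def free_memory_pct(self):
        return 100.0 - self.base_usage_pct - self.pct_per_session * len(self.proxy_sessions)

    def set_av_failopen(self, mode):
        """Changing the setting (or restarting the unit) is the only way out of a one-shot bypass."""
        if mode not in AV_FAILOPEN_MODES:
            raise ValueError(f"unknown av-failopen value: {mode}")
        self.av_failopen = mode
        self.sticky_bypass = False

    def new_session(self, host, needs_av_proxy):
        """Verdict for a new session: 'scanned', 'bypassed' or 'blocked'."""
        if not needs_av_proxy:
            return "scanned"       # IPS, application control, flow AV and DoS are unaffected
        if self.sticky_bypass:
            return "bypassed"      # one-shot: still bypassing even though conserve mode has ended
        if self.conserve:
            if self.av_failopen == "pass":
                return "bypassed"  # traffic passes, but no AV-proxy inspection is performed
            return "blocked"       # off (or idledrop with memory still low): no new proxy sessions
        self.proxy_sessions.append(host)
        self._reevaluate()
        return "scanned"

    def close_sessions(self, host):
        """All of a host's proxied sessions end normally and their memory is released."""
        self.proxy_sessions = [h for h in self.proxy_sessions if h != host]
        self._reevaluate()

    def _reevaluate(self):
        free = self.free_memory_pct()
        if not self.conserve and free < ENTER_BELOW_PCT:
            self.conserve = True
            self.events.append(f"enter conserve mode at {free:.0f}% free")
            if self.av_failopen == "one-shot":
                self.sticky_bypass = True
            elif self.av_failopen == "idledrop":
                self._idledrop()
        elif self.conserve and free > EXIT_ABOVE_PCT:
            self.conserve = False
            self.events.append(f"leave conserve mode at {free:.0f}% free")

    def _idledrop(self):
        """Terminate every session of the host with the most open sessions, repeating
        until enough memory is free to leave conserve mode (or nothing is left to drop)."""
        while self.proxy_sessions and self.free_memory_pct() <= EXIT_ABOVE_PCT:
            busiest, count = Counter(self.proxy_sessions).most_common(1)[0]
            self.proxy_sessions = [h for h in self.proxy_sessions if h != busiest]
            self.events.append(f"idledrop: terminated {count} sessions of {busiest}")
        if self.free_memory_pct() > EXIT_ABOVE_PCT:
            self.conserve = False
            self.events.append("leave conserve mode after idledrop")


if __name__ == "__main__":
    # Constructed scenario: five hosts with one session each, then one host opening six
    # sessions pushes the unit into conserve mode; idledrop recovers by dropping that host.
    unit = ConserveModeModel("idledrop")
    for i in range(5):
        unit.new_session(f"host{i}", needs_av_proxy=True)
    for _ in range(6):
        unit.new_session("noisy-host", needs_av_proxy=True)
    print("\n".join(unit.events))
```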

SSL content scanning and inspection
If your FortiGate model supports SSL content scanning and inspection, you can apply
antivirus scanning, web filtering, FortiGuard Web Filtering, and email filtering to encrypted
traffic. You can also apply DLP and DLP archiving to HTTPS, IMAPS, POP3S, and
SMTPS traffic. To perform SSL content scanning and inspection, the FortiGate unit does
the following:
• intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between
clients and servers (FortiGate SSL acceleration speeds up decryption)
• applies content inspection to decrypted content, including:
  • HTTPS web filtering and FortiGuard web filtering
  • HTTPS, IMAPS, POP3S, and SMTPS Antivirus, DLP, and DLP archiving
  • IMAPS, POP3S, and SMTPS email filtering
• encrypts the sessions and forwards them to their destinations.


Figure 58: FortiGate SSL content scanning and inspection packet flow
[Figure not reproduced. Labels recovered from the diagram: client starts HTTPS, IMAPS, POP3S or SMTPS session; HTTPS, IMAPS, POP3S or SMTPS encrypted packets accepted by firewall policy; UTM profiles include SSL content scanning and inspection; SSL decrypt/encrypt process decrypts SSL sessions using session certificate and key; content scanning and inspection applied to decrypted packets (antivirus, web filtering, spam filtering, DLP, DLP archiving); session encrypted using SSL session certificate and key; encrypted packets forwarded to destination HTTPS, IMAPS, POP3S, or SMTPS server.]

Setting up certificates to avoid client warnings
To use SSL content scanning and inspection, you need to set up and use a certificate that
supports it. FortiGate SSL content scanning and inspection intercepts the SSL keys that
are passed between clients and servers during SSL session handshakes and then
substitutes spoofed keys. Two encrypted SSL sessions are set up, one between the client
and the FortiGate unit, and a second one between the FortiGate unit and the server.
Inside the FortiGate unit the packets are decrypted.
While the SSL sessions are being set up, the client and server communicate in clear text
to exchange SSL session keys. The session keys are based on the client and server
certificates. The FortiGate SSL decrypt/encrypt process intercepts these keys and uses a
built-in signing CA certificate named Fortinet_CA_SSLProxy to create keys to send to the
client and the server. This signing CA certificate is used only by the SSL decrypt/encrypt
process. The SSL decrypt/encrypt process then sets up encrypted SSL sessions with the
client and server and uses these keys to decrypt the SSL traffic to apply content scanning
and inspection.
Some client programs (for example, web browsers) can detect this key replacement and
will display a security warning message. The traffic is still encrypted and secure, but the
security warning indicates that a key substitution has occurred.
You can stop these security warnings by importing the signing CA certificate used by the
server into the FortiGate unit SSL content scanning and inspection configuration. Then the
FortiGate unit creates keys that appear to come from the server and not the FortiGate unit.
Note: You can add one signing CA certificate for SSL content scanning and inspection. The
CA certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported for SSL
content scanning and encryption.


You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another
signing CA certificate. To do this, you need the signing CA certificate file, the CA certificate
key file, and the CA certificate password.
All SSL content scanning and inspection uses the same signing CA certificate. If your
FortiGate unit is operating with virtual domains enabled, the same signing CA certificate is
used by all virtual domains.
To add a signing CA certificate for SSL content scanning and inspection
1 Obtain a copy of the signing CA certificate file, the CA certificate key file, and the
password for the CA certificate.
2 Go to System > Certificates > Local Certificates and select Import.
3 Set Type to Certificate.
4 For Certificate file, use the Browse button to select the signing CA certificate file.
5 For Key file, use the Browse button to select the CA certificate key file.
6 Enter the CA certificate Password.
7 Select OK.
The CA certificate is added to the Local Certificates list. In this example the signing CA
certificate name is Example_CA. This name comes from the certificate file and key file
name. If you want the certificate to have a different name, change these file names.
8 Add the imported signing CA certificate to the SSL content scanning and inspection
configuration. Use the following CLI command if the certificate name is Example_CA.
config firewall ssl setting
set caname Example_CA
end
The Example_CA signing CA certificate will now be used by SSL content scanning and
inspection for establishing encrypted SSL sessions.

SSL content scanning and inspection settings
If SSL content scanning and inspection is available on your FortiGate unit, you can
configure SSL settings. The following table provides an overview of the options available
and where to find further instruction:
Table 56: SSL content scanning and inspection settings

Predefined firewall services
  The IMAPS, POP3S and SMTPS predefined services. You can select these
  services in a firewall policy and a DoS policy.

Protocol recognition
  The TCP port numbers that the FortiGate unit inspects for HTTPS, IMAPS,
  POP3S, and SMTPS. Go to Firewall > Protocol Options. Add or edit a protocol
  options profile, configure HTTPS, IMAPS, POP3S, and SMTPS.
  Using Protocol Options, you can also configure the FortiGate unit to perform
  URL filtering of HTTPS or to use SSL content scanning and inspection to
  decrypt HTTPS so that the FortiGate unit can also apply antivirus and DLP
  content inspection and DLP archiving to HTTPS. Using SSL content scanning
  and inspection to decrypt HTTPS also allows you to apply more web filtering
  and FortiGuard Web Filtering options to HTTPS.
  To enable full SSL content scanning of web filtering, select Enable Deep
  Scanning under HTTPS in the protocol options profile.

Antivirus
  Antivirus options including virus scanning and file filtering for HTTPS, IMAPS,
  POP3S, and SMTPS.
  Go to UTM > AntiVirus > Profile. Add or edit a profile and configure Virus Scan
  for HTTPS, IMAPS, POP3S, and SMTPS.

Antivirus quarantine
  Antivirus quarantine options to quarantine files in HTTPS, IMAPS, POP3S, and
  SMTPS sessions.
  Go to UTM > AntiVirus > Quarantine. You can quarantine infected files,
  suspicious files, and blocked files found in HTTPS, IMAPS, POP3S, and
  SMTPS sessions.

Web filtering
  Web filtering options for HTTPS:
  • Web Content Filter
  • Web URL Filter
  • ActiveX Filter
  • Cookie Filter
  • Java Applet Filter
  • Web Resume Download Block
  • Block invalid URLs
  Go to UTM > Web Filter > Profile. Add or edit a web filter profile and configure
  web filtering for HTTPS.

FortiGuard Web Filtering
  FortiGuard Web Filtering options for HTTPS:
  • Enable FortiGuard Web Filtering
  • Enable FortiGuard Web Filtering Overrides
  • Provide Details for Blocked HTTP 4xx and 5xx Errors
  • Rate Images by URL (Blocked images will be replaced with blanks)
  • Allow Websites When a Rating Error Occurs
  • Strict Blocking
  • Rate URLs by Domain and IP Address
  • Block HTTP Redirects by Rating
  Go to UTM > Web Filter > Profile. Add or edit a profile and configure FortiGuard
  Web Filtering for HTTPS.

Email filtering
  Email filtering options for IMAPS, POP3S, and SMTPS:
  • FortiGuard Email Filtering IP Address Check, URL check, E-mail Checksum
    Check, and Spam Submission
  • IP Address BWL Check
  • E-mail Address BWL Check
  • Return E-mail DNS Check
  • Banned Word Check
  • Spam Action
  • Tag Location
  • Tag Format
  Go to UTM > Email Filter > Profile. Add or edit a profile and configure email
  filtering for IMAPS, POP3S, and SMTPS.

Data Leak Prevention
  DLP for HTTPS, IMAPS, POP3S, and SMTPS. To apply DLP, follow the steps
  below:
  • Go to UTM > Data Leak Prevention > Rule to add DLP rules. For HTTPS,
    add an HTTP rule and select HTTPS POST and HTTPS GET. For IMAPS,
    POP3S, and SMTPS, add an Email rule and select IMAPS, POP3S, and
    SMTPS.
  • Go to UTM > Data Leak Prevention > Sensor, create a new DLP sensor or
    edit an existing one and then add the DLP rules to a DLP sensor.
  • Go to Firewall > Protocol Options. Add or edit a profile and select Enable
    Deep Scan under HTTPS.
  • Go to Firewall > Policy, edit the required policy, enable UTM, select Enable
    DLP Sensor and select the DLP sensor.
  • Go to Firewall > Policy, edit the required policy, enable Protocol Options and
    select a profile that has Enable Deep Scan selected under HTTPS. Note: If
    no protocol options profile is selected, or if Enable Deep Scan is not
    selected within the protocol options profile, DLP rules cannot inspect
    HTTPS.

DLP archiving
  DLP archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP Rules for the
  protocol to be archived.

Monitor DLP content information on the system dashboard
  DLP archive information on the Log and Archive Statistics widget on the system
  dashboard for HTTPS, IMAPS, POP3S, and SMTPS.
  Go to Firewall > Protocol Options. Add or edit a profile. For each protocol you
  want monitored on the dashboard, enable Monitor Content Information for
  Dashboard.
  These options display meta-information on the Statistics dashboard widget.

Viewing and saving logged packets
The FortiGate unit supports packet logging for IPS and application control. The packets
that trigger a signature match for IPS or application recognition for application control are
saved for later viewing when packet logging is enabled.
For information on how to enable packet logging, see “Enable IPS packet logging” on
page 609 and “Application control packet logging” on page 673.
Once the FortiGate unit has logged packets, you can view or save them.
To view and save logged packets
1 Go to Log & Report > Log Access > Attack.
2 Depending on where the logs are configured to be stored, select the appropriate
option:
Memory: Select if logs are stored in the FortiGate unit memory.
Disk: Select if the FortiGate unit has an internal hard disk and logs are stored there.
Remote: Select if logs are sent to a FortiAnalyzer unit or to the FortiGuard Analysis
and Management Service.

3 Select the Packet Log icon of the log entry you want to view.
The IPS Packet Log Viewer window appears.
4 Select the packet to view the packet in binary and ASCII. Each table row represents a
captured packet.
5 Select Save to save the packet data in a PCAP formatted file.
PCAP files can be opened and examined in network analysis software such as Wireshark.

Configuring packet logging options
You can use a number of CLI commands to further configure packet logging.

Limiting memory use
When logging to memory, you can define the maximum amount of memory used to store
logged packets.
config ips settings
set packet-log-memory 256
end
The acceptable range is from 64 to 8192 kilobytes. This command affects only logging to
memory.


Limiting disk use
When logging to the FortiGate unit internal hard disk, you can define the maximum
amount of space used to store logged packets.
config ips settings
set ips-packet-quota 256
end
The acceptable range is from 0 to 4294967295 megabytes. This command affects only
logging to disk.

Configuring how many packets are captured
Since the packet containing the signature is sometimes not sufficient to troubleshoot a
problem, you can specify how many packets are captured before and after the packet
containing the IPS signature match.
config ips settings
set packet-log-history <1-255>
set packet-log-post-attack <0-255>
end
The packet-log-history command specifies how many packets are captured before
and including the one in which the IPS signature is detected. If the value is more than 1,
the packet containing the signature is saved in the packet log, as well as those preceding
it, with the total number of logged packets equalling the packet-log-history setting.
For example, if packet-log-history is set to 7, the FortiGate unit will save the packet
containing the IPS signature match and the six before it.
The acceptable range for packet-log-history is from 1 to 255. The default is 1.
Note: Setting packet-log-history to a value larger than 1 can affect the
performance of the FortiGate unit because network traffic must be buffered. The
performance penalty depends on the model, the setting, and the traffic load.

The packet-log-post-attack command specifies how many packets are logged after
the one in which the IPS signature is detected. For example, if packet-log-post-attack
is set to 10, the FortiGate unit will save the ten packets following the one
containing the IPS signature match.
The acceptable range for packet-log-post-attack is from 0 to 255. The default is 0.
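To make the history and post-attack arithmetic concrete, the following Python model (an added example, not FortiOS code) replays a constructed packet stream through a logger that applies the packet-log-history and packet-log-post-attack rules described above; the window it keeps of recent packets is the buffering the performance note refers to. The packet contents and the positions of the IPS matches are constructed.

```python
from collections import deque


class IpsPacketLogger:
    """Models how packet-log-history and packet-log-post-attack select the
    packets kept around an IPS signature match (added example, not FortiOS code).

    history      packets kept before and including the matching packet (1..255)
    post_attack  packets kept after the matching packet (0..255)
    """

    def __init__(self, history=1, post_attack=0):
        if not 1 <= history <= 255:
            raise ValueError("packet-log-history must be between 1 and 255")
        if not 0 <= post_attack <= 255:
            raise ValueError("packet-log-post-attack must be between 0 and 255")
        self.history = history
        self.post_attack = post_attack
        # The pre-match window is the buffering the manual's note refers to:
        # the last `history` packets of the stream are always held in memory.
        self._window = deque(maxlen=history)   # (packet number, packet)
        self._post_remaining = 0
        self._count = 0
        self.logged = {}                       # packet number -> packet

    def observe(self, packet, matched=False):
        """Feed one packet; `matched` is True when an IPS signature fires on it."""
        self._count += 1
        number = self._count
        self._window.append((number, packet))
        if self._post_remaining > 0:
            # Still inside the post-attack window of an earlier match.
            self.logged.setdefault(number, packet)
            self._post_remaining -= 1
        if matched:
            # Flush the window: the matching packet plus the ones before it.
            for n, p in self._window:
                self.logged.setdefault(n, p)
            self._window.clear()
            self._post_remaining = self.post_attack
        return number

    def logged_numbers(self):
        """Packet numbers that ended up in the packet log, in stream order."""
        return sorted(self.logged)


def simulate(total_packets, match_at, history=1, post_attack=0):
    """Run a constructed stream of `total_packets` packets through the logger,
    with IPS matches at the packet numbers in `match_at`; return what was kept."""
    logger = IpsPacketLogger(history, post_attack)
    for n in range(1, total_packets + 1):
        logger.observe("pkt-%d" % n, matched=(n in match_at))
    return logger.logged_numbers()


if __name__ == "__main__":
    # Defaults (history 1, post-attack 0): only the matching packet is logged.
    print(simulate(30, {15}))
    # history 7, post-attack 10: packets 9..25 are kept around a match at 15.
    print(simulate(30, {15}, history=7, post_attack=10))
```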


Network defense
This section describes in general terms the means by which attackers can attempt to
compromise your network and steps you can take to protect it. The goal of an attack can
be as complex as gaining access to your network and the privileged information it
contains, or as simple as preventing customers from accessing your web server. Even
allowing a virus onto your network can cause damage, so you need to protect against
viruses and malware even if they are not specifically targeted at your network.
The following topics are included in this section:
• Monitoring
• Blocking external probes
• Defending against DoS attacks
• Traffic inspection
• Content inspection and filtering

Monitoring
Monitoring, in the form of logging, alert email, and SNMP, does not directly protect your
network. But monitoring allows you to review the progress of an attack, whether
afterwards or while in progress. How the attack unfolds may reveal weaknesses in your
preparations. The packet archive and sniffer policy logs can reveal more details about the
attack. Depending on the detail in your logs, you may be able to determine the attacker's
location and identity.
While log information is valuable, you must balance the log information with the resources
required to collect and store it.

Blocking external probes
Protection against attacks is important, but attackers often use vulnerabilities and network
tools to gather information about your network to plan an attack. It is often easier to
prevent an attacker from learning important details about your network than to defend
against an attack designed to exploit your particular network.
Attacks are often tailored to the hardware or operating system of the target, so
reconnaissance is often the first step. The IP addresses of the hosts, the open ports, and
the operating systems the hosts are running is invaluable information to an attacker.
Probing your network can be as simple as an attacker performing an address sweep or
port scan to a more involved operation like sending TCP packets with invalid combinations
of flags to see how your firewall reacts.

Address sweeps
An address sweep is a basic network scanning technique to determine which addresses in
an address range have active hosts. A typical address sweep involves sending an ICMP
ECHO request (a ping) to each address in an address range to attempt to get a response.
A response signifies that there is a host at this address that responded to the ping. It then
becomes a target for more detailed and potentially invasive attacks.


Address sweeps do not always reveal all the hosts in an address range because some
systems may be configured to ignore ECHO requests and not respond, and some firewalls
and gateways may be configured to prevent ECHO requests from being transmitted to the
destination network. Despite this shortcoming, address sweeps are still used because
they are simple to perform with software tools that automate the process.
Use the icmp_sweep anomaly in a DoS sensor to protect against address sweeps.
There are a number of IPS signatures to detect the use of ICMP probes that can gather
information about your network. These signatures include AddressMask, Traceroute,
ICMP.Invalid.Packet.Size, and ICMP.Oversized.Packet. Include ICMP
protocol signatures in your IPS sensors to protect against these probes/attacks.

Port scans
Potential attackers may run a port scan on one or more of your hosts. This involves trying
to establish a communication session to each port on a host. If the connection is
successful, a service may be available that the attacker can exploit.
Use the DoS sensor anomaly tcp_port_scan to limit the number of sessions (complete
and incomplete) from a single source IP address to the configured threshold. If the
number of sessions exceeds the threshold, the configured action is taken.
Use the DoS sensor anomaly udp_scan to limit UDP sessions in the same way.

Probes using IP traffic options
Every TCP packet has space reserved for eight flags or control bits. They are used for
communicating various control messages. Although space in the packet is reserved for all
eight, there are various combinations of flags that should never happen in normal network
operation. For example, the SYN flag, used to initiate a session, and the FIN flag, used to
end a session, should never be set in the same packet.
Attackers may create packets with these invalid combinations to test how a host will react.
Various operating systems and hardware react in different ways, giving potential
attackers clues about the components of your network.
The IPS signature TCP.Bad.Flags detects these invalid combinations. The default
action is pass though you can override the default and set it to Block in your IPS sensor.

Configure packet replay and TCP sequence checking
The anti-replay CLI command allows you to set the level of checking for packet replay and
TCP sequence checking (or TCP Sequence (SYN) number checking). All TCP packets
contain a Sequence Number (SYN) and an Acknowledgement Number (ACK). The TCP
protocol uses these numbers for error free end-to-end communications. TCP sequence
checking can also be used to validate individual packets.
FortiGate units use TCP sequence checking to make sure that a packet is part of a TCP
session. By default, if a packet is received with sequence numbers that fall out of the
expected range, the FortiGate unit drops the packet. This is normally a desired behavior,
since it means that the packet is invalid. But in some cases you may want to configure
different levels of anti-replay checking if some of your network equipment uses non-RFC
methods when sending packets.
Configure the anti-replay CLI command:
config system global
set anti-replay {disable | loose | strict}
end


You can set anti-replay protection to the following settings:
• disable — No anti-replay protection.
• loose — Perform packet sequence checking and ICMP anti-replay checking with the
  following criteria:
  • The FortiGate unit does not allow more than one ICMP error packet through before
    it receives a normal TCP or UDP packet.
  • The SYN, FIN, and RST bit can not appear in the same packet.
  • If the FortiGate unit receives an RST packet, and check-reset-range is set to strict,
    the FortiGate unit checks to determine if its sequence number in the RST is within
    the un-ACKed data and drops the packet if the sequence number is incorrect.
• strict — Performs all of the loose checking but for each new session also checks to
  determine whether the TCP sequence number in a SYN packet has been calculated
  correctly and started from the correct value for each new session. Strict anti-replay
  checking can also help prevent SYN flooding.
If any packet fails a check it is dropped.
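The flag checks from this section and the previous one (the loose anti-replay rule that SYN, FIN and RST may not share a packet, and the TCP.Bad.Flags signature whose default action is pass) can be modelled on the TCP flag byte as follows. This is an added Python example, not FortiOS code: the SYN+FIN case is the manual's own example, while the other combinations it treats as invalid are this example's assumptions.

```python
# TCP flag bits as they appear in the flag byte of the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flags_from_byte(flag_byte):
    """Decode the TCP flag byte into the set of flag names that are set."""
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def anti_replay_loose_reason(flags):
    """The loose anti-replay criterion quoted above: SYN, FIN and RST must not
    all appear in one packet. Returns the reason for a drop, or None."""
    if {"SYN", "FIN", "RST"} <= flags:
        return "SYN, FIN and RST set in the same packet"
    return None


def bad_flags_reason(flags):
    """Flag combinations that never occur in normal TCP operation. SYN+FIN is
    the manual's example; the remaining rules are this example's assumptions
    about what such a signature would also consider invalid."""
    if {"SYN", "FIN"} <= flags:
        return "SYN and FIN set together"
    if {"SYN", "RST"} <= flags:
        return "SYN and RST set together (assumed rule)"
    if not flags:
        return "no flags set at all (assumed rule)"
    if not flags & {"SYN", "RST", "ACK"}:
        # Every segment other than an initial SYN or a RST carries ACK.
        return "FIN/PSH/URG without ACK (assumed rule)"
    return None


def inspect_tcp_flags(flag_byte, bad_flags_action="pass"):
    """Return (verdict, reason) for one packet's flag byte.

    The anti-replay check drops on its own; the TCP.Bad.Flags signature only
    drops when its action is changed from the default 'pass' to 'block'.
    """
    flags = flags_from_byte(flag_byte)
    reason = anti_replay_loose_reason(flags)
    if reason:
        return "drop", reason
    reason = bad_flags_reason(flags)
    if reason:
        return ("drop" if bad_flags_action == "block" else "pass"), reason
    return "pass", None


# Constructed sample packets: (description, flag byte)
SAMPLE_PACKETS = [
    ("normal SYN",        0x02),
    ("normal ACK",        0x10),
    ("SYN+FIN probe",     0x03),
    ("SYN+FIN+RST probe", 0x07),
    ("null flags probe",  0x00),
    ("FIN+PSH+URG probe", 0x29),
]


def run_samples(bad_flags_action="pass"):
    """Verdicts for the sample packets under the given TCP.Bad.Flags action."""
    return {desc: inspect_tcp_flags(b, bad_flags_action)
            for desc, b in SAMPLE_PACKETS}


if __name__ == "__main__":
    for action in ("pass", "block"):
        print("TCP.Bad.Flags action =", action)
        for desc, (verdict, reason) in run_samples(action).items():
            print("  %-18s %-5s %s" % (desc, verdict, reason or ""))
```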

Configure ICMP error message verification
Enable ICMP error message verification to ensure an attacker can not send an invalid
ICMP error message.
config system global
set check-reset-range {disable | strict}
end
• disable — the FortiGate unit does not validate ICMP error messages.
• strict — enable ICMP error message checking.
If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) |
TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure
that the sequence number in the TCP header is within the range recorded in the session.
If the sequence number is not in range then the ICMP packet is dropped. Strict checking
also affects how the anti-replay option checks packets.
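The strict check-reset-range logic, as an added Python example (not FortiOS code): it parses the IP(A,B) | TCP(C,D) headers quoted inside an ICMP error message, looks up the A:C->B:D session, and drops the message when the embedded sequence number falls outside the range recorded for that session. The session table, its recorded range and the ICMP payloads are constructed.

```python
import socket
import struct

SEQ_MODULUS = 1 << 32


def embedded_tcp_from_icmp_error(payload):
    """Parse the original IP header plus the first 8 bytes of the TCP header
    that an ICMP error message quotes (RFC 792). Returns
    (src, sport, dst, dport, seq), or None when the embedded packet is not TCP."""
    if len(payload) < 20:
        raise ValueError("embedded IP header truncated")
    if payload[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl + 8:
        raise ValueError("embedded headers truncated")
    if payload[9] != 6:               # protocol field: not TCP, nothing to check
        return None
    src = socket.inet_ntoa(payload[12:16])
    dst = socket.inet_ntoa(payload[16:20])
    sport, dport, seq = struct.unpack("!HHI", payload[ihl:ihl + 8])
    return src, sport, dst, dport, seq


def seq_in_range(seq, lo, hi):
    """True when seq lies in [lo, hi] on the 32-bit sequence number circle."""
    return (seq - lo) % SEQ_MODULUS <= (hi - lo) % SEQ_MODULUS


def verify_icmp_error(payload, sessions, check_reset_range="strict"):
    """Apply the check-reset-range logic to one ICMP error message.

    `sessions` maps (A, C, B, D) for a session A:C->B:D to the (lo, hi)
    sequence range the unit has recorded for it. Returns 'accept' or 'drop'."""
    if check_reset_range == "disable":
        return "accept"
    embedded = embedded_tcp_from_icmp_error(payload)
    if embedded is None:
        return "accept"
    src, sport, dst, dport, seq = embedded
    key = (src, sport, dst, dport)
    if key not in sessions:
        # As described above, the check applies once the A:C->B:D session is
        # located; a message for an unknown session is left to other checks.
        return "accept"
    lo, hi = sessions[key]
    return "accept" if seq_in_range(seq, lo, hi) else "drop"


def build_icmp_error_payload(src, sport, dst, dport, seq):
    """Constructed helper: builds the IP header + 8 TCP bytes an ICMP error
    would quote, so the example runs without captured traffic."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 40, 0, 0, 64, 6, 0,
                            socket.inet_aton(src), socket.inet_aton(dst))
    tcp_first_8 = struct.pack("!HHI", sport, dport, seq)
    return ip_header + tcp_first_8


# Constructed session table: one TCP session with a recorded sequence range.
SESSIONS = {("10.0.0.5", 40000, "192.0.2.10", 443): (1000, 2000)}


if __name__ == "__main__":
    inside = build_icmp_error_payload("10.0.0.5", 40000, "192.0.2.10", 443, 1500)
    forged = build_icmp_error_payload("10.0.0.5", 40000, "192.0.2.10", 443, 9000)
    print(verify_icmp_error(inside, SESSIONS))             # accept
    print(verify_icmp_error(forged, SESSIONS))             # drop
    print(verify_icmp_error(forged, SESSIONS, "disable"))  # accept
```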

Protocol header checking
Select the level of checking performed on protocol headers.
config system global
set check-protocol-header {loose | strict}
end
• loose — the FortiGate unit performs basic header checking to verify that a packet is
  part of a session and should be processed. Basic header checking includes verifying
  that the layer-4 protocol header length, the IP header length, the IP version, the IP
  checksum, IP options are correct, etc.
• strict — the FortiGate unit does the same checking as above plus it verifies that
  ESP packets have the correct sequence number, SPI, and data length.
If the packet fails header checking it is dropped by the FortiGate unit.


Evasion techniques
Attackers employ a wide range of tactics to try to disguise their techniques. If an attacker
disguises a known attack in such a way that it is not recognized, the attack will evade your
security and possibly succeed. FortiGate security recognizes a wide variety of evasion
techniques and normalizes data traffic before inspecting it.

Packet fragmentation
Information sent across local networks and the Internet is encapsulated in packets. There
is a maximum allowable size for packets and this maximum size varies depending on
network configuration and equipment limitations. If a packet arrives at a switch or gateway
and it is too large, the data it carries is divided among two or more smaller packets before
being forwarded. This is called fragmentation.
When fragmented packets arrive at their destination, they are reassembled and read. If
the fragments do not arrive together, they must be held until all of the fragments arrive.
Reassembly of a packet requires all of the fragments.
The FortiGate unit automatically reassembles fragmented packets before processing
them because fragmented packets can evade security measures. Both IP packets and
TCP packets are reassembled by the IPS engine before examination.
For example, you have configured the FortiGate unit to block access to the example.com
web site. Any checks for example.com will fail if a fragmented packet arrives and one
fragment contains http://www.exa while the other contains mple.com/. Viruses and
malware can be fragmented and avoid detection in the same way. The FortiGate unit will
reassemble fragmented packets before examining network data to ensure that inadvertent
or deliberate packet fragmentation does not hide threats in network traffic.

Non-standard ports
Most traffic is sent on a standard port based on the traffic type. The FortiGate unit
recognizes most traffic by packet content rather than the TCP/UDP port and uses the
proper IPS signatures to examine it. Protocols recognized regardless of port include
DHCP, DNP3, FTP, HTTP, IMAP, MS RPC, NNTP, POP3, RTSP, SIP, SMTP, and SSL, as
well as the supported IM/P2P application protocols.
In this way, the FortiGate unit will recognize HTTP traffic being sent on port 25 as HTTP
rather than SMTP, for example. Because the protocol is correctly identified, the FortiGate
unit will examine the traffic for any enabled HTTP signatures.

Negotiation codes
Telnet and FTP servers and clients support the use of negotiation information to allow the
server to report what features it supports. This information has been used to exploit
vulnerable servers. To avoid this problem, the FortiGate unit removes negotiation codes
before IPS inspection.

HTTP URL obfuscation
Attackers encode HTML links using various formats to evade detection and bypass
security measures. For example, the URL www.example.com/cgi.bin could be encoded in
a number of ways to avoid detection but still work properly, and be interpreted the same, in
a web browser.
The FortiGate prevents the obfuscation by converting the URL to ASCII before inspection.


Table 57: HTTP URL obfuscation types

No encoding
  http://www.example.com/cgi.bin/
Decimal encoding
  http://www.example.com/&#99;&#103;&#105;&#46;&#98;&#105;&#110;&#47;
URL encoding
  http://www.example.com/%43%47%49%2E%42%49%4E%2F
ANSI encoding
  http://www.example.com/%u0063%u0067%u0069%u002E%u0062%u0069%u006E/
Directory traversal
  http://www.example.com/cgi.bin/test/../
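An added Python example (not FortiOS code) of the normalization step described above: it decodes the encodings listed in Table 57, resolves directory traversal, and shows that every row of the table compares equal to the plain form of the URL. Whether the comparison folds case is a policy choice and is exposed as a parameter, because the URL-encoded row of the table decodes to upper-case letters.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# One pass over the encodings in Table 57: decimal HTML entities (&#99;), the
# %uXXXX form the table calls ANSI encoding, and %XX URL encoding.
_ENCODED = re.compile(r"&#(\d+);|%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_url_encodings(url):
    """Decode every encoded character exactly once, left to right, so that a
    decoded '%' or '&' cannot start a second round of decoding."""
    out = bytearray()
    pos = 0
    for m in _ENCODED.finditer(url):
        out += url[pos:m.start()].encode("utf-8")
        if m.group(1) is not None:
            codepoint = int(m.group(1))
            if codepoint <= 0x10FFFF:
                out += chr(codepoint).encode("utf-8")
            else:
                out += m.group(0).encode("utf-8")   # not a character: keep literal
        elif m.group(2) is not None:
            out += chr(int(m.group(2), 16)).encode("utf-8")
        else:
            out.append(int(m.group(3), 16))        # raw byte, decoded below
        pos = m.end()
    out += url[pos:].encode("utf-8")
    return out.decode("utf-8", errors="replace")


def normalize_path(path):
    """Resolve '.' and '..' segments (the directory traversal row of Table 57)
    while keeping a trailing slash, so /cgi.bin/test/../ becomes /cgi.bin/."""
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if len(segments) > 1:        # never pop the leading root segment
                segments.pop()
        elif seg != ".":
            segments.append(seg)
    return "/".join(segments) or "/"


def normalize_url(url, fold_case=False):
    """Canonical ASCII form of a URL for comparison against a block list.

    fold_case is a policy choice: the URL-encoded row of Table 57 decodes to
    upper-case letters, so a case-sensitive comparison would not match it."""
    parts = urlsplit(decode_url_encodings(url))
    path = normalize_path(parts.path) if parts.path else "/"
    if fold_case:
        path = path.lower()
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, parts.fragment))


def is_blocked(url, blocked_urls, fold_case=False):
    """Compare the normalized form of `url` with normalized block-list entries."""
    canon = normalize_url(url, fold_case)
    return any(canon == normalize_url(b, fold_case) for b in blocked_urls)


# The rows of Table 57, as constructed sample input.
TABLE_57 = [
    "http://www.example.com/cgi.bin/",
    "http://www.example.com/&#99;&#103;&#105;&#46;&#98;&#105;&#110;&#47;",
    "http://www.example.com/%43%47%49%2E%42%49%4E%2F",
    "http://www.example.com/%u0063%u0067%u0069%u002E%u0062%u0069%u006E/",
    "http://www.example.com/cgi.bin/test/../",
]

if __name__ == "__main__":
    for u in TABLE_57:
        print("%-72s -> %s" % (u, normalize_url(u, fold_case=True)))
```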

HTTP header obfuscation
The headers of HTTP requests or responses can be modified to make the discovery of
patterns and attacks more difficult. To prevent this, the FortiGate unit will:
• remove junk header lines
• reassemble an HTTP header that’s been folded onto multiple lines
• move request parameters to HTTP POST body from the URL
The message is scanned for any enabled HTTP IPS signatures once these problems are
corrected.

HTTP body obfuscation
The body content of HTTP traffic can be hidden in an attempt to circumvent security
scanning. HTTP content can be GZipped or deflated to prevent security inspection. The
FortiGate unit will uncompress the traffic before inspecting it.
Another way to hide the contents of HTTP traffic is to send the HTTP body in small pieces,
splitting signature matches across two separate pieces of the HTTP body. The FortiGate
unit reassembles these ‘chunked bodies’ before inspection.

Microsoft RPC evasion
Because of its complexity, the Microsoft Remote Procedure Call protocol suite is subject to
a number of known evasion techniques, including:
• SMB-level fragmentation
• DCERPC-level fragmentation
• DCERPC multi-part fragmentation
• DCERPC UDP fragmentation
• Multiple DCERPC fragments in one packet
The FortiGate unit reassembles the fragments into their original form before inspection.

Defending against DoS attacks
A denial of service is the result of an attacker sending an abnormally large amount of
network traffic to a target system. Having to deal with the traffic flood slows down or
disables the target system so that legitimate users can not use it for the duration of the
attack.


Any network traffic the target system receives has to be examined, and then accepted or
rejected. TCP, UDP, and ICMP traffic is most commonly used, but a particular type of TCP
traffic is the most effective. TCP packets with the SYN flag are the most efficient DoS
attack tool because of how communication sessions are started between systems.

The “three-way handshake”
Communication sessions between systems start with establishing a TCP/IP connection.
This is a simple three step process, sometimes called a “three-way handshake,” initiated
by the client attempting to open the connection.
1 The client sends a TCP packet with the SYN flag set. With the SYN packet, the client
informs the server of its intention to establish a connection.
2 If the server is able to accept the connection to the client, it sends a packet with the
SYN and the ACK flags set. This simultaneously acknowledges the SYN packet the
server has received, and informs the client that the server intends to establish a
connection.
3 To acknowledge receipt of the packet and establish the connection, the client sends an
ACK packet.
Figure 59: Establishing a TCP/IP connection
[Figure: the Client sends "Connection initiation request: SYN" to the Server; the
Server replies "Request acknowledgement: SYN/ACK"; the Client completes the
exchange with "Connection initiated: ACK".]

The three-way handshake is a simple way for the server and client to each agree to
establish a connection and acknowledge the other party expressing its intent.
Unfortunately, the three-way handshake can be used to interfere with communication
rather than facilitate it.

SYN flood
When a client sends a SYN packet to a server, the server creates an entry in its session
table to keep track of the connection. The server then sends a SYN+ACK packet
expecting an ACK reply and the establishment of a connection.
An attacker intending to disrupt a server with a denial of service (DoS) attack can send a
flood of SYN packets and not respond to the SYN+ACK packets the server sends in
response. Networks can be slow and packets can get lost so the server will continue to
send SYN+ACK packets until it gives up, and removes the failed session from the session
table. If an attacker sends enough SYN packets to the server, the session table will fill
completely, and further connection attempts will be denied until the incomplete sessions
time out. Until this happens, the server is unavailable to service legitimate connection
requests.


Figure 60: A single client launches a SYN flood attack
[Figure: a single Client sends repeated "Connection initiation request: SYN"
packets to the Server; the Server answers each with "Request acknowledgement:
SYN/ACK" and no ACK follows.]

SYN floods are seldom launched from a single address so limiting the number of
connection attempts from a single IP address is not usually effective.

SYN spoofing
With a flood of SYN packets coming from a single attacker, you can limit the number of
connection attempts from the source IP address or block the attacker entirely. To prevent
this simple defense from working, or to disguise the source of the attack, the attacker may
spoof the source address and use a number of IP addresses to give the appearance of a
distributed denial of service (DDoS) attack. When the server receives the spoofed SYN
packets, the SYN+ACK replies will go to the spoofed source IP addresses which will either
be invalid, or the system receiving the reply will not know what to do with it.
Figure 61: A client launches a SYN spoof attack
[Figure: the Client sends "Connection initiation request: SYN" packets with spoofed
source addresses to the Server; the Server's "Request acknowledgement: SYN/ACK"
replies go to the spoofed addresses rather than back to the Client.]

DDoS SYN flood
The most severe form of SYN attack is the distributed SYN flood, one variety of distributed
denial of service attack (DDoS). Like the SYN flood, the target receives a flood of SYN
packets and the ACK+SYN replies are never answered. The attack is distributed across
multiple sources sending SYN packets in a coordinated attack.


Figure 62: Multiple attackers launch a distributed SYN flood
[Figure: several attacking clients each send "Connection initiation request: SYN"
packets to the Server, which answers every one with "Request acknowledgement:
SYN/ACK".]

The distributed SYN flood is more difficult to defend against because multiple clients are
capable of creating a larger volume of SYN packets than a single client. Even if the server
can cope, the volume of traffic may overwhelm a point in the network upstream of the
targeted server. The only defence against this is more bandwidth to prevent any
choke-points.

Configuring the SYN threshold to prevent SYN floods
The preferred primary defence against any type of SYN flood is the DoS sensor
tcp_syn_flood threshold. The threshold value sets an upper limit on the number of new
incomplete TCP connections allowed per second. If the number of incomplete connections
exceeds the threshold value, and the action is set to Pass, the FortiGate unit will allow the
SYN packets that exceed the threshold. If the action is set to Block, the FortiGate unit will
block the SYN packets that exceed the threshold, but it will allow SYN packets from clients
that send another SYN packet.
The tools attackers use to generate network traffic will not send a second SYN packet
when a SYN+ACK response is not received from the server. These tools will not “retry.”
Legitimate clients will retry when no response is received, and these retries are allowed
even if they exceed the threshold with the action set to Block.
For more information, see “Creating and configuring a DoS sensor” on page 677. For
recommendations on how to configure DoS policies, see “DoS policy recommendations”
on page 556.

SYN proxy
FortiGate units with a Fortinet security processing module installed offer a third action
for the tcp_syn_flood threshold. Instead of Block and Pass, you can choose to Proxy
the incomplete connections that exceed the threshold value.
When the tcp_syn_flood threshold action is set to Proxy, incomplete TCP connections
are allowed as normal as long as the configured threshold is not exceeded. If the
threshold is exceeded, the FortiGate unit will intercept incoming SYN packets from clients
and respond with a SYN+ACK packet. If the FortiGate unit receives an ACK response as
expected, it will “replay” this exchange to the server to establish a communication session
between the client and the server, and allow the communication to proceed.
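The threshold, Block and Proxy behaviour described above, as an added simulation written for this page (it is not FortiOS code): the sensor counts new incomplete connections per second, forwards retries from clients that already sent a SYN, drops or proxies SYNs over the threshold depending on the action, and replays a proxied handshake to the server once the client's ACK arrives. The event tuples, client addresses and decision strings are constructed assumptions.

```python
from collections import defaultdict

# Model of a tcp_syn_flood style threshold (constructed for this page, not FortiOS code).
# Client events are (second, kind, src, dst) tuples; kind is "SYN" or "ACK".


class SynFloodSensor:
    def __init__(self, threshold, action="block"):
        if action not in ("pass", "block", "proxy"):
            raise ValueError("action must be pass, block or proxy")
        self.threshold = threshold               # new incomplete connections allowed per second
        self.action = action
        self.new_per_second = defaultdict(int)   # second -> new incomplete connections seen
        self.seen_syn = set()                    # sources that already sent a SYN
        self.proxied = set()                     # (src, dst) handshakes the sensor answered

    def on_syn(self, second, src, dst):
        """Decide what happens to a SYN: 'forward', 'drop' or 'syn_ack_from_proxy'."""
        if (src, dst) in self.proxied:
            # Client retransmitted a SYN we already answered: answer again, server untouched.
            return "syn_ack_from_proxy"
        if src in self.seen_syn:
            # A second SYN from the same client is a retry. Real clients retry, flood
            # tools do not, so retries are forwarded even when the threshold is exceeded.
            return "forward"
        self.seen_syn.add(src)
        self.new_per_second[second] += 1
        if self.new_per_second[second] <= self.threshold or self.action == "pass":
            return "forward"          # under the threshold, or Pass (which only logs)
        if self.action == "block":
            return "drop"
        self.proxied.add((src, dst))  # Proxy: complete the handshake on the server's behalf
        return "syn_ack_from_proxy"

    def on_ack(self, src, dst):
        """A client ACK completes a proxied handshake: replay it to the real server."""
        if (src, dst) in self.proxied:
            self.proxied.discard((src, dst))
            return "replay_handshake_to_server"
        return "forward"


def simulate(events, threshold, action):
    """Run client events through one sensor and return the per-event decisions."""
    sensor = SynFloodSensor(threshold, action)
    decisions = []
    for second, kind, src, dst in events:
        if kind == "SYN":
            decisions.append(sensor.on_syn(second, src, dst))
        elif kind == "ACK":
            decisions.append(sensor.on_ack(src, dst))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return decisions


# Constructed burst: three new clients in the same second against a threshold of 2,
# then the third client retries one second later.
BURST = [
    (0, "SYN", "10.0.0.1", "web"),
    (0, "SYN", "10.0.0.2", "web"),
    (0, "SYN", "10.0.0.3", "web"),
    (1, "SYN", "10.0.0.3", "web"),
]

if __name__ == "__main__":
    for action in ("pass", "block", "proxy"):
        print(action, simulate(BURST, threshold=2, action=action))
```

With the action set to Block, the third client's first SYN is dropped but its retry is forwarded; with Proxy, the sensor answers both of that client's SYNs itself and only involves the server once the ACK completes the handshake.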


Other flood types
UDP and ICMP packets can also be used for DoS attacks, though they are less common.
TCP SYN packets are so effective because the target receives them and maintains a
session table entry for each until they time out. Attacks using UDP or ICMP packets do not
require the same level of attention from a target, rendering them less effective. The target
will usually drop the offending packets immediately, closing the session.
Use the udp_flood and icmp_flood thresholds to defend against these DoS attacks.

Traffic inspection
When the FortiGate unit examines network traffic one packet at a time for IPS signatures,
it is performing traffic analysis. This is unlike content analysis where the traffic is buffered
until files, email messages, web pages, and other files are assembled and examined as a
whole.
DoS policies use traffic analysis by keeping track of the type and quantity of packets, as
well as their source and destination addresses.
Application control uses traffic analysis to determine which application generated the
packet.
Although traffic inspection doesn’t involve taking packets and assembling files they are
carrying, the packets themselves can be split into fragments as they pass from network to
network. These fragments are reassembled by the FortiGate unit before examination.
No two networks are the same and few recommendations apply to all networks. This topic
offers suggestions on how you can use the FortiGate unit to help secure your network
against content threats.

IPS signatures
IPS signatures can detect malicious network traffic. For example, the Code Red worm
attacked a vulnerability in the Microsoft IIS web server. Your FortiGate’s IPS system can
detect traffic attempting to exploit this vulnerability. IPS may also detect when infected
systems communicate with servers to receive instructions.

IPS recommendations
• Enable IPS scanning at the network edge for all services.
• Use FortiClient endpoint IPS scanning for protection against threats that get into your
  network.
• Subscribe to FortiGuard IPS Updates and configure your FortiGate unit to receive push
  updates. This will ensure you receive new IPS signatures as soon as they are
  available.
• Your FortiGate unit includes IPS signatures written to protect specific software titles
  from DoS attacks. Enable the signatures for the software you have installed and set the
  signature action to Block.
  You can view these signatures by going to UTM > Intrusion Protection > Predefined
  and sorting by, or applying a filter to, the Group column.
• Because it is critical to guard against attacks on services that you make available to the
  public, set the IPS signatures for those services to Block. For example, if you
  have a web server, configure the action of web server signatures to Block.


Suspicious traffic attributes
Network traffic itself can be used as an attack vector or a means to probe a network before
an attack. For example, SYN and FIN flags should never appear together in the same
TCP packet. The SYN flag is used to initiate a TCP session while the FIN flag indicates
the end of data transmission at the end of a TCP session.
The FortiGate unit has IPS signatures that recognize abnormal and suspicious traffic
attributes. The SYN/FIN combination is one of the suspicious flag combinations detected
in TCP traffic by the TCP.BAD.FLAGS signature.
The signatures that are created specifically to examine traffic options and settings, begin
with the name of the traffic type they are associated with. For example, signatures created
to examine TCP traffic have signature names starting with TCP.
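The SYN/FIN check described above, as an added example that is not Fortinet's TCP.BAD.FLAGS signature: it reads the flag byte of a raw TCP header and reports combinations that no legitimate TCP stack sends. The SYN+RST and no-flags cases are generalisations beyond the SYN/FIN case in the text; the header builder and the capture are constructed for the example.

```python
import struct

# TCP flag bits, found in the low six bits of header byte 13
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}

# Flag combinations a well-behaved TCP stack never emits. SYN/FIN is the case the
# text describes; the other two are added generalisations of the same idea.
SUSPICIOUS_COMBINATIONS = {
    "SYN+FIN": lambda f: bool(f & SYN) and bool(f & FIN),
    "SYN+RST": lambda f: bool(f & SYN) and bool(f & RST),
    "no flags set": lambda f: (f & 0x3F) == 0,
}


def tcp_flags(segment: bytes) -> int:
    """Extract the six classic flag bits from a raw TCP header (20 bytes minimum)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def flag_names(flags: int) -> list[str]:
    """Human-readable names of the flags that are set."""
    return [name for name, bit in FLAG_NAMES.items() if flags & bit]


def suspicious_flags(segment: bytes) -> list[str]:
    """Names of every suspicious combination present in this segment's flags."""
    flags = tcp_flags(segment)
    return [name for name, check in SUSPICIOUS_COMBINATIONS.items() if check(flags)]


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header as test input (checksum left zero)."""
    offset_and_flags = (5 << 12) | flags      # data offset = 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, 65535, 0, 0)


def scan_segments(segments: list[bytes]) -> list[tuple[int, list[str]]]:
    """Run the check over a capture; return (index, findings) for segments that match."""
    alerts = []
    for i, seg in enumerate(segments):
        findings = suspicious_flags(seg)
        if findings:
            alerts.append((i, findings))
    return alerts


# Constructed capture: a normal three-way handshake, then a SYN/FIN segment and a
# segment with no flags at all
CAPTURE = [
    build_tcp_header(40001, 80, SYN),
    build_tcp_header(80, 40001, SYN | ACK),
    build_tcp_header(40001, 80, ACK),
    build_tcp_header(40002, 80, SYN | FIN),
    build_tcp_header(40003, 80, 0),
]

if __name__ == "__main__":
    for index, findings in scan_segments(CAPTURE):
        names = flag_names(tcp_flags(CAPTURE[index]))
        print(f"segment {index}: flags {names} -> {findings}")
```

Only the flag byte is inspected here; a real signature engine also sees the IP header and the connection state, which is what lets it tell a stray flag combination from a probe of the stack.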

DoS policies
DDoS attacks vary in nature and intensity. Attacks aimed at saturating the available
bandwidth upstream of your service can only be countered by adding more bandwidth.
DoS policies can help protect against DDoS attacks that aim to overwhelm your server
resources.

DoS policy recommendations
• Use and configure DoS policies to appropriate levels based on your network traffic and
  topology. This will help drop traffic if an abnormal amount is received.
• It is important to set a good threshold. The threshold defines the maximum number of
  sessions/packets per second of normal traffic. If the threshold is exceeded, the action
  is triggered. Threshold defaults are general recommendations, although your network
  may require very different values.
  One way to find the correct values for your environment is to set the action to Pass and
  enable logging. Observe the logs and adjust the threshold values until you can
  determine the value at which normal traffic begins to generate attack reports. Set the
  threshold above this value with the margin you want. Note that the smaller the margin,
  the more protected your system will be from DoS attacks, but your system will also be
  more likely to generate false alarms.
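The tuning procedure in the last recommendation, as an added example (not a FortiOS tool): it reads the per-second counts that a sensor in Pass mode logged during normal traffic, takes the peak as the point where normal traffic begins to generate reports, and shows how the margin trades protection against false alarms. The log lines use a hypothetical "<timestamp> <sensor> count=<n>" format constructed for the example, not the FortiOS log format.

```python
import math
import re
from collections import OrderedDict

# Constructed log excerpt (hypothetical format, not FortiOS): one line per second,
# recording how many new sessions a DoS sensor with the action set to Pass observed
# during normal business traffic.
SAMPLE_LOG = """\
2010-07-14T10:00:00 tcp_syn_flood count=120
2010-07-14T10:00:01 tcp_syn_flood count=135
2010-07-14T10:00:02 tcp_syn_flood count=98
2010-07-14T10:00:03 tcp_syn_flood count=210
2010-07-14T10:00:04 tcp_syn_flood count=150
2010-07-14T10:00:05 udp_flood count=4000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+count=(?P<count>\d+)$")


def parse_rates(log_text, sensor):
    """Return {timestamp: count} for one sensor, in log order; other sensors are skipped."""
    rates = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("sensor") == sensor:
            rates[m.group("ts")] = int(m.group("count"))
    return rates


def peak_rate(rates):
    """The highest per-second count seen in normal traffic."""
    return max(rates.values())


def recommend_threshold(rates, margin_pct):
    """Peak normal rate plus a safety margin in percent, rounded up to a whole count."""
    return math.ceil(peak_rate(rates) * (100 + margin_pct) / 100)


def false_alarms(rates, threshold):
    """Seconds of normal traffic that would have triggered the action at this threshold."""
    return [ts for ts, count in rates.items() if count > threshold]


if __name__ == "__main__":
    syn = parse_rates(SAMPLE_LOG, "tcp_syn_flood")
    print("peak normal SYN rate:", peak_rate(syn))
    for margin in (0, 10, 50):
        t = recommend_threshold(syn, margin)
        print(f"margin {margin}%: threshold {t}, false alarms {len(false_alarms(syn, t))}")
    print("alarms at a threshold of 100:", false_alarms(syn, 100))
```

Run the collection over a full business cycle (end of month, backups, patch days) before trusting the peak; a threshold derived from a quiet afternoon is the usual source of false alarms.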

Application control
While applications can often be blocked by the ports they use, application control allows
convenient management of all supported applications, including those that do not use set
ports.

Application control recommendations
• Some applications behave in an unusual manner in regards to application control. For
  more information, see “Application considerations” on page 674.
• By default, application control allows the applications not specified in the application
  control list. For high security networks, you may want to change this behavior so that
  only the explicitly allowed applications are permitted.


Content inspection and filtering
When the FortiGate unit buffers the packets containing files, email messages, web pages,
and other similar files for reassembly before examining them, it is performing content
inspection. Traffic inspection, on the other hand, is accomplished by the FortiGate unit
examining individual packets of network traffic as they are received.
No two networks are the same and few recommendations apply to all networks. This topic
offers suggestions on how you can use the FortiGate unit to help secure your network
against content threats. Be sure to understand the effects of the changes before using the
suggestions.

AntiVirus
The FortiGate antivirus scanner can detect viruses and other malicious payloads used to
infect machines. The FortiGate unit performs deep content inspection. To prevent
attempts to disguise viruses, the antivirus scanner will reassemble fragmented files and
uncompress content that has been compressed. Patented Compact Pattern Recognition
Language (CPRL) allows further inspection for common patterns, increasing detection
rates of virus variations in the future.

AntiVirus recommendations
• Enable antivirus scanning at the network edge for all services.
• Use FortiClient endpoint antivirus scanning for protection against threats that get into
  your network.
• Subscribe to FortiGuard AntiVirus Updates and configure your FortiGate unit to receive
  push updates. This will ensure you receive new antivirus signatures as soon as they
  are available.
• Enable the Extended Virus Database if your FortiGate unit supports it.
• Examine antivirus logs periodically. Take particular notice of repeated detections. For
  example, repeated virus detection in SMTP traffic could indicate a system on your
  network is infected and is attempting to contact other systems to spread the infection
  using a mass mailer.
• The builtin-patterns file filter list contains nearly 20 file patterns. Many of the
  represented files can be executed or opened with a double-click. If any of these file
  patterns are not received as a part of your normal traffic, blocking them may help
  protect your network. This also saves resources since files blocked in this way do not
  need to be scanned for viruses.
• To conserve system resources, avoid scanning email messages twice. Scan messages
  as they enter and leave your network or when clients send and retrieve them, rather
  than both.

FortiGuard Web Filtering
The web is the most popular part of the Internet and, as a consequence, virtually every
computer connected to the Internet is able to communicate using port 80, HTTP. Botnet
communications take advantage of this open port and use it to communicate with infected
computers. FortiGuard Web Filtering can help stop infections from malware sites and help
prevent communication if an infection occurs.


FortiGuard Web Filtering recommendations
• Enable FortiGuard Web Filtering at the network edge.
• Install the FortiClient application and use FortiGuard Web Filtering on any systems that
  bypass your FortiGate unit.
• Block categories such as Pornography, Malware, Spyware, and Phishing. These
  categories are more likely to be dangerous.
• In the email filter profile, enable IP Address Check in FortiGuard Email Filtering. Many
  IP addresses used in spam messages lead to malicious sites; checking them will
  protect your users and your network.

Email filter
Spam is a common means by which attacks are delivered. Users often open email
attachments they should not, and infect their own machine. The FortiGate email filter can
detect harmful spam and mark it, alerting the user to the potential danger.

Email filter recommendations
• Enable email filtering at the network edge for all types of email traffic.
• Use FortiClient endpoint scanning for protection against threats that get into your
  network.
• Subscribe to the FortiGuard AntiSpam Service.

DLP
Most security features on the FortiGate unit are designed to keep unwanted traffic out of
your network while DLP can help you keep sensitive information from leaving your
network. For example, credit card numbers and social security numbers can be detected
by DLP sensors.

DLP recommendations
• Rules related to HTTP posts can be created, but if the requirement is to block all HTTP
  posts, a better solution is to use application control or the HTTP POST Action option in
  the web filter profile.
• While DLP can detect sensitive data, it is more efficient to block unnecessary
  communication channels than to use DLP to examine it. If you don’t use instant
  messaging or peer-to-peer communication in your organization, for example, use
  application control to block them entirely.


AntiVirus
This section describes how to configure the antivirus options. From an antivirus profile you
can configure the FortiGate unit to apply antivirus protection to HTTP, FTP, IMAP, POP3,
SMTP, IM, and NNTP sessions. If your FortiGate unit supports SSL content scanning and
inspection, you can also configure antivirus protection for HTTPS, IMAPS, POP3S, and
SMTPS sessions.
The following topics are included in this section:
• Antivirus concepts
• Enable antivirus scanning
• Enable the file quarantine
• Enable file filtering
• Enable grayware scanning
• Testing your antivirus configuration
• AntiVirus examples

Antivirus concepts
The word “antivirus” refers to a group of features that are designed to prevent unwanted
and potentially malicious files from entering your network. These features all work in
different ways, which include checking for a file size, name, or type, or for the presence of
a virus or grayware signature.
The antivirus scanning routines your FortiGate unit uses are designed to share access to
the network traffic. This way, each individual feature does not have to examine the
network traffic as a separate operation, and the overhead is reduced significantly. For
example, if you enable file filtering and virus scanning, the resources used to complete
these tasks are only slightly greater than enabling virus scanning alone. Two features do
not require twice the resources.

How antivirus scanning works
Antivirus scanning examines files for viruses, worms, trojans, and malware. The antivirus
scan engine has a database of virus signatures it uses to identify infections. If the scanner
finds a signature in a file, it determines that the file is infected and takes the appropriate
action.
The most thorough scan requires that the FortiGate unit have the whole file for the
scanning procedure. To achieve this, the antivirus proxy buffers the file as it arrives. Once
the transmission is complete, the virus scanner examines the file. If no infection is present,
it is sent to the destination. If an infection is present, a replacement message is sent to the
destination instead.
During the buffering and scanning procedure, the client must wait. With a default
configuration, the file is released to the client only after it is scanned. You can enable client
comforting in the protocol options profile to feed the client a trickle of data to prevent them
from thinking the transfer is stalled, and possibly cancelling the download.


Buffering the entire file allows the FortiGate unit to eliminate the danger of missing an
infection due to fragmentation because the file is reassembled before examination.
Archives can also be expanded and the contents scanned, even if archives are nested.
Since the FortiGate unit has a limited amount of memory, files larger than a certain size do
not fit within the memory buffer. The maximum size varies by model, but the default size is
10 MB. You can use the uncompsizelimit CLI command to adjust the size of this
memory buffer.
Files larger than the buffer are passed to the destination without scanning. You can use
the Oversize File/Email setting to block files larger than the antivirus buffer if allowing files
that are too large to be scanned is an unacceptable security risk.

Flow-based antivirus scanning
If your FortiGate unit supports flow-based antivirus scanning, you can choose to select it
instead of proxy-based antivirus scanning. Flow-based antivirus scanning uses the
FortiGate IPS engine to examine network traffic for viruses, worms, trojans, and malware,
without the need to buffer the file being checked.
The advantages of flow-based scanning include faster scanning and no maximum file
size. Flow-based scanning doesn’t require the file be buffered so it is scanned as it passes
through the FortiGate unit, packet-by-packet. This eliminates the maximum file size limit
and the client begins receiving the file data immediately.
The trade-off for these advantages is that flow-based scans detect a smaller number of
infections. Viruses in documents, packed files, and some archives are less likely to be
detected because the scanner can only examine a small portion of the file at any moment.
Note: Your choice of flow-based or proxy-based scanning affects only antivirus scans. File
filtering, although it is enabled in the antivirus profile, requires that files be proxied. If you
enable both flow-based antivirus scanning and file filtering, files will not be proxied for
antivirus scans, but they will be proxied for file filtering.

Antivirus scanning order
The antivirus scanning function includes various modules and engines that perform
separate tasks.

Proxy-based antivirus scanning order
Figure 63 on page 561 illustrates the antivirus scanning order when using proxy-based
scanning (i.e. the normal, extended, or extreme databases). The first check for oversized
files/email is to determine whether the file exceeds the configured size threshold. The
uncompsizelimit check is to determine if the file can be buffered for file type and
antivirus scanning. If the file is too large for the buffer, it is allowed to pass without being
scanned. For more information, see the config antivirus service command in the
FortiGate CLI Reference. The antivirus scan includes scanning for viruses, as well as for
grayware and heuristics if they are enabled.
Note: File filtering includes file pattern and file type scans which are applied at different
stages in the antivirus process.


Figure 63: Antivirus scanning order when using the normal, extended, or extreme database
[Flowchart. Start: FTP, NNTP, SMTP, POP3, IMAP, or HTTP traffic. Decision nodes, in
order: file/email exceeds oversized threshold? (oversized file/email action: Block or
Pass); file pattern match? (matching file pattern action: Block or Allow); the file or
message is buffered; file/email exceeds uncompsizelimit threshold?; file/email exceeds
uncompnestlimit threshold?; antivirus scan detects infection?; file type match? (matching
file type action: Block or Allow). Outcomes: Block file/email or Pass file/email.]

If a file fails any of the tasks of the antivirus scan, no further scans are performed. For
example, if the file fakefile.EXE is recognized as a blocked file pattern, the FortiGate
unit will send the end user a replacement message, and delete or quarantine the file. The
unit will not perform virus scan, grayware, heuristics, and file type scans because the
previous checks have already determined that the file is a threat and have dealt with it.

Flow-based antivirus scanning order
Figure 64 on page 562 illustrates the antivirus scanning order when using flow-based
scanning (i.e. the flow-based database). The antivirus scan takes place before any other
antivirus-related scan. If file filter is not enabled, the file is not buffered. The antivirus scan
includes scanning for viruses, as well as for grayware and heuristics if they are enabled.
Note: File filtering includes file pattern and file type scans which are applied at different
stages in the antivirus process.


Figure 64: Antivirus scanning order when using the flow-based database
[Flowchart. Start: FTP, NNTP, SMTP, POP3, IMAP, or HTTP traffic. Antivirus scan
detects infection? (Yes: Block file/email.) File filter enabled in antivirus profile? (No: Pass
file/email; Yes: the file or message is buffered.) Decision nodes that follow: file/email
exceeds oversized threshold? (oversized file/email action: Block or Pass); file pattern
match? (matching file pattern action: Block or Allow); file/email exceeds uncompsizelimit
threshold?; file type match? (matching file type action: Block or Allow). Outcomes: Block
file/email or Pass file/email.]

Antivirus databases
The antivirus scanning engine relies on a database to detail the unique attributes of each
infection. The antivirus scan searches for these signatures, and when one is discovered,
the FortiGate unit determines the file is infected and takes action.
All FortiGate units have the normal antivirus signature database but some models have
additional databases you can select for use. Which you choose depends on your network
and security needs.

Normal: Includes viruses currently spreading as determined by the FortiGuard Global
Security Research Team. These viruses are the greatest threat. The Normal database is
the default selection and it is available on every FortiGate unit.

Extended: Includes the normal database in addition to recent viruses that are no longer
active. These viruses may have been spreading within the last year but have since nearly
or completely disappeared.

Extreme: Includes the extended database in addition to a large collection of ‘zoo’ viruses.
These are viruses that have not spread in a long time and are largely dormant today.
Some zoo viruses may rely on operating systems and hardware that are no longer
widely used.

Flow: The flow-based database is a subset of the extreme database. Flow-based scans
cannot detect polymorphic and packed-file viruses, so those signatures are not included
in the flow-based database.
Note that flow-based scanning is not just another database, but a different type of
scanning. For more information, see “How antivirus scanning works” on page 559.


Antivirus techniques
The antivirus features work in sequence to efficiently scan incoming files and offer your
network optimum antivirus protection. The first four features have specific functions, the
fifth, heuristics, protects against any new, previously unknown virus threats. To ensure that
your system is providing the most protection available, all virus definitions and signatures
are updated regularly through the FortiGuard antivirus services. The features are
discussed in the order that they are applied, followed by FortiGuard antivirus.

File size
This task checks if files and email messages exceed configured size thresholds. You
enable this check by editing your protocol options profiles and setting the Oversized
File/Email option to Block for each protocol. The maximum size you can set varies by
model.

File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The unit
will check the file against the file pattern setting you have configured. If the file is a blocked
pattern, “.EXE” for example, then it is stopped and a replacement message is sent to the
end user. No other levels of protection are applied. If the file is not a blocked pattern, the
next level of protection is applied.

Virus scan
If the file passes the file pattern scan, the FortiGate unit applies a virus scan to it. The virus
definitions are kept up-to-date through the FortiGuard Distribution Network (FDN). For
more information, see “FortiGuard Antivirus” on page 564.

Grayware
If the file passes the virus scan, it will be checked for grayware. Grayware configurations
can be turned on and off as required and are kept up to date in the same manner as the
antivirus definitions. For more information, see “Enable grayware scanning” on page 572.

Heuristics
After an incoming file has passed the grayware scan, it is subjected to the heuristics scan.
The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect
virus-like behavior or known virus indicators. In this way, heuristic scanning may detect
new viruses, but may also produce some false positive results.
Note: You can configure heuristics only through the CLI. See the FortiGate CLI Reference.

File type
Finally, the FortiGate unit applies the file type recognition filter. The FortiGate unit will
check the file against the file type setting you have configured. If the file is a blocked type,
then it is stopped and a replacement message is sent to the end user. No other levels of
protection are applied.
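The scanning order from Figure 63 and the feature sequence just described (file size, file pattern, virus scan, grayware, file type, with the uncompsizelimit and uncompnestlimit buffer checks in between), as an added model written for this page rather than Fortinet's implementation: each check either decides the file's fate or hands it to the next, so a file that fails one check never reaches the later ones. Heuristics are not modelled; the sample files, the policy values and the byte-string signatures are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

MB = 1024 * 1024


@dataclass
class ScannedFile:
    name: str
    size_bytes: int               # size as transferred (compressed, for archives)
    uncompressed_bytes: int       # size once archives are expanded / attachments decoded
    nest_depth: int = 0           # levels of archive-within-archive
    file_type: str = "unknown"    # type determined from content, not from the name
    content: bytes = b""          # reassembled content, used for signature matching


@dataclass
class AvPolicy:
    oversize_limit: int = 10 * MB           # Oversized File/Email threshold
    oversize_action: str = "pass"           # "pass" or "block"
    file_patterns: dict = field(default_factory=dict)   # name pattern -> "block"/"allow"
    uncompsizelimit: int = 10 * MB          # scan buffer, 10 MB default
    uncompnestlimit: int = 12               # default archive nesting depth
    virus_signatures: tuple = ()            # constructed byte-string signatures
    grayware_signatures: tuple = ()
    grayware_enabled: bool = False
    file_types: dict = field(default_factory=dict)      # detected type -> "block"/"allow"


def scan(f: ScannedFile, p: AvPolicy) -> tuple[str, str]:
    """Apply the proxy-based checks in order; stop at the first one that decides."""
    # 1. File size: too large to buffer at all
    if f.size_bytes > p.oversize_limit:
        return ("block" if p.oversize_action == "block" else "pass"), "oversize"
    # 2. File pattern: name-based filter, first matching pattern decides
    for pattern, action in p.file_patterns.items():
        if fnmatch(f.name.lower(), pattern.lower()):
            if action == "block":
                return "block", "file-pattern"
            break
    # 3. Buffer limits: content that cannot be expanded into the buffer passes unscanned
    if f.uncompressed_bytes > p.uncompsizelimit:
        return "pass", "uncompsizelimit"
    if f.nest_depth > p.uncompnestlimit:
        return "pass", "uncompnestlimit"
    # 4. Virus scan on the reassembled, uncompressed content
    if any(sig in f.content for sig in p.virus_signatures):
        return "block", "virus-scan"
    # 5. Grayware, if enabled, using the same matching mechanism
    if p.grayware_enabled and any(sig in f.content for sig in p.grayware_signatures):
        return "block", "grayware"
    # 6. File type: content-detected type, checked last
    if p.file_types.get(f.file_type) == "block":
        return "block", "file-type"
    return "pass", "clean"


# Constructed policy: block *.exe by name, block detected executables by type,
# and use made-up byte strings as the "signatures"
POLICY = AvPolicy(
    file_patterns={"*.exe": "block"},
    virus_signatures=(b"CONSTRUCTED-SIGNATURE",),
    grayware_signatures=(b"CONSTRUCTED-ADWARE",),
    grayware_enabled=True,
    file_types={"executable": "block"},
)

# Constructed inputs, including the 7 MB ZIP holding a 12 MB EXE mentioned in the text
SAMPLES = {
    "blocked by pattern": ScannedFile("fakefile.EXE", 4096, 4096),
    "oversize archive": ScannedFile("report.zip", 7 * MB, 12 * MB, nest_depth=1),
    "infected document": ScannedFile("invoice.pdf", 2048, 2048, file_type="document",
                                     content=b"..CONSTRUCTED-SIGNATURE.."),
    "grayware": ScannedFile("toolbar.bin", 2048, 2048, content=b"CONSTRUCTED-ADWARE"),
    "renamed executable": ScannedFile("photo.jpg", 512, 512, file_type="executable"),
    "clean": ScannedFile("notes.txt", 100, 100, file_type="text", content=b"hello"),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:20s} -> {scan(sample, POLICY)}")
```

The "oversize archive" case is the one to notice: the 7 MB ZIP is under the oversize threshold and matches no pattern, yet its 12 MB payload exceeds the default buffer, so it is passed without a virus scan; raising uncompsizelimit or blocking oversized files are the two ways to close that gap.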


FortiGuard Antivirus
FortiGuard Antivirus services are an excellent resource which includes automatic updates
of virus and IPS (attack) engines and definitions, as well as the local spam DNSBL,
through the FDN. The FortiGuard Center web site also provides the FortiGuard Antivirus
virus and attack encyclopedia.
The connection between the FortiGate unit and FortiGuard Center is configured in
System > Maintenance > FortiGuard.

Enable antivirus scanning
Antivirus scanning is enabled in the antivirus profile. Once it is enabled, and selected in
one or more firewall policies, all the traffic controlled by those firewall policies will be
scanned according to your settings.
To enable antivirus scanning — web-based manager
1 Go to UTM > AntiVirus > Profile.
2 Select Create New to create a new antivirus profile, or select an existing antivirus
profile and choose Edit.
3 In the row labeled Virus Scan, select the check boxes associated with the traffic you
want scanned for viruses.
4 Select OK.
To enable antivirus scanning — CLI
config antivirus profile
    edit my_av_profile
        config http
            set options scan
        end
    end

Viewing antivirus database information
The FortiGate antivirus scanner relies on up-to-date virus signatures to detect the newest
threats. To view the information about the FortiGate unit virus signatures, check the status
page or the Virus Database information page:
• Status page: Go to System > Dashboard > Status. In the License Information section
  under FortiGuard Services, the AV Definitions field shows the regular antivirus
  database version as well as when it was last updated.
  If your FortiGate unit supports extended and extreme virus database definitions, the
  database versions and the dates they were last updated are displayed in the Extended
  set and Extreme DB fields.
  The flow-based virus database is distributed as part of the IPS signature database. Its
  database version and the date it was last updated are displayed in the IPS Definitions
  field.
• Virus Database: Go to UTM > AntiVirus > Virus Database. This page shows the
  version number, number of included signatures, and a description of the regular virus
  database.
  If your FortiGate unit supports extended, extreme, or flow-based virus database
  definitions, the version numbers, number of included signatures, and descriptions of
  those databases are also displayed.


Changing the default antivirus database
If your FortiGate unit supports extended, extreme, or flow-based virus database
definitions, you can select the virus database most suited to your needs.
In most circumstances, the regular virus database provides sufficient protection. Viruses
known to be active are included in the regular virus database. The extended database
includes signatures of the viruses that have become rare within the last year in addition to
those in the normal database. The extreme database includes legacy viruses that have
not been seen in the wild in a long time in addition to those in the extended database.
The flow-based database contains a subset of the virus signatures in the extreme
database. Unlike the other databases, selecting the flow-based database also changes
the way the FortiGate unit scans your network traffic for viruses. Instead of the standard
proxy-based scan, network traffic is scanned as it streams through the FortiGate unit. For
more information on the differences between flow-based and proxy-based antivirus
scanning, see “How antivirus scanning works” on page 559.
If you require the most comprehensive antivirus protection, enable the extended virus
database. The additional coverage comes at a cost, however, because the extra
processing requires additional resources.
To change the antivirus database — web-based manager
1 Go to UTM > AntiVirus > Virus Database.
2 Select the antivirus database the FortiGate unit will use as the default database to
perform antivirus scanning of your network traffic.
3 Select Apply.
To change the antivirus database — CLI
config antivirus settings
    set default-db extended
end

Overriding the default antivirus database
The default antivirus database is used for all antivirus scanning. If you have a particular
policy or traffic type that requires scanning using a different antivirus database, you can
override the default database. Antivirus database overrides are applied to individual traffic
types in an antivirus profile. The override affects only the traffic types to which it is
applied, and only for the traffic handled by the firewall policies in which that antivirus
profile is selected. Antivirus database overrides can be set using only the CLI.
In this example, a database override is applied to HTTP traffic in an antivirus profile
named web-traffic. The flow-based database is specified.
To override the default antivirus database — CLI
config antivirus profile
    edit web-traffic
        config http
            set avdb flow-based
        end
    end
With this configuration, the flow-based database is used for antivirus scans on HTTP
traffic controlled by firewall policies in which this antivirus profile is selected. Other traffic
types will use the default database, as specified in UTM > AntiVirus > Virus Database.


Adding the antivirus profile to a firewall policy
This procedure is required only if your antivirus profile does not yet belong to a firewall
policy. You need to add the antivirus profile to a policy before any antivirus profile settings
can take effect.
To add the antivirus profile to a policy
1 Go to Firewall > Policy.
2 Select Create New to add a new policy, or select the Edit icon of the firewall policy to
which you want to add the profile.
3 Enable UTM.
4 Select Enable AntiVirus and select the antivirus profile that contains the quarantine
configuration.
5 Select OK to save the firewall policy.

Configuring the scan buffer size
When checking files for viruses using the proxy-based scanning method, there is a
maximum file size that can be buffered. Files larger than this size are passed without
scanning. The default size for all FortiGate models is 10 megabytes.
Archived files are extracted and email attachments are decoded before the FortiGate unit
determines if they can fit in the scan buffer. For example, a 7 megabyte ZIP file containing
a 12 megabyte EXE file will be passed without scanning with the default buffer size.
Although the archive would fit within the buffer, the uncompressed file size will not.
In this example, the uncompsizelimit CLI command is used to change the scan buffer
size to 20 megabytes for files found in HTTP traffic:
config antivirus service http
set uncompsizelimit 20
end
The maximum buffer size varies by model. Enter set uncompsizelimit ? to display
the buffer size range for your FortiGate unit.
Note: Flow-based scanning does not use a buffer and therefore has no file-size limit. File
data is scanned as it passes through the FortiGate unit. The uncompsizelimit setting
has no effect for flow-based scanning.

Configuring archive scan depth
The antivirus scanner will open archives and scan the files inside. Archives within other
archives, or nested archives, are also scanned to a default depth of twelve nestings. You
can adjust the nesting depth to which the FortiGate unit scans with the
uncompnestlimit CLI command. The limit is configured separately for each
traffic type.
For example, this CLI command sets the archive scan depth for SMTP traffic to 5. That is,
archives within archives will be scanned five levels deep.
config antivirus service smtp
set uncompnestlimit 5
end
You can set the nesting limit from 2 to 100.

Configuring a maximum allowed file size
The protocol option profile allows you to enforce a maximum allowed file size for each of
the network protocols in the profile. They are HTTP, FTP, IMAP, POP3, SMTP, IM, and
NNTP. If your FortiGate unit supports SSL content scanning and inspection, you can also
configure a maximum file size for HTTPS, IMAPS, POP3S, and SMTPS.
The action you set determines what the FortiGate unit does with a file that exceeds the
oversized file threshold. Two actions are available:
• Block: files that exceed the oversize threshold are dropped and a replacement
message is sent to the user instead of the file.
• Pass: files that exceed the oversize threshold are allowed through the FortiGate unit
to their destination. Note that passed files that exceed the oversize threshold are not
scanned for viruses. File filtering, both file pattern and file type, is still applied.

You can also use the maximum file size to help secure your network. If you are using a
proxy-based virus scan, there is a limit to the size of the files that can be scanned for
infection. Files larger than this limit are passed without scanning. If you configure the
maximum file size to block files larger than the maximum size the proxy-based scanner
can inspect, infected files will not be able to bypass antivirus scans simply because they
are large.
In this example, the maximum file size will be configured to block files larger than 10
megabytes, the largest file that can be antivirus scanned with the default settings. You will
need to configure a protocol options profile and add it to a firewall policy.
Create a protocol options profile to block files larger than 10 MB
1 Go to Firewall > Policy > Protocol Options.
2 Select Create New.
3 Enter 10MB_Block for the protocol options policy name.
4 For the comment, enter Files larger than 10MB are blocked.
5 Expand each protocol listed and select Block for the Oversized File/Email setting. Also
confirm that the Threshold is set to 10.
6 Select OK.
The protocol options profile is configured, but to block files, you must select it in the
firewall policies handling the traffic that contains the files you want blocked.
To select the protocol options profile in a firewall policy
1 Go to Firewall > Policy > Policy.
2 Select a firewall policy.
3 Select the Edit icon.
4 Enable UTM.
5 Select Protocol Options.
6 Select 10MB_Block from the Protocol Options list.
7 Select OK to save the firewall policy.
Once you complete these steps, any files in the traffic handled by this policy that are larger
than 10MB will be blocked. If you have multiple firewall policies, examine each to
determine if you want to apply similar file blocking to them as well.
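The scan buffer, archive scan depth and maximum file size settings described in the three sections above interact, and the handbook's 7 MB ZIP holding a 12 MB EXE is the case that slips past a proxy scan. The Python model below is an added example, not Fortinet code and not the FortiGate's implementation: it builds constructed sample archives in memory, works out the decoded size and the nesting depth the way the text describes uncompsizelimit and uncompnestlimit, and then applies the oversized-file action. The assumption that both limits are compared against the decoded size the scanner would buffer, and every function and sample name, are this example's own.

```python
import io
import zipfile

MB = 1024 * 1024


def build_nested_zip(inner_name, inner_size, depth):
    """Build a constructed sample archive: a file called `inner_name` of
    `inner_size` zero bytes wrapped in `depth` zip layers."""
    data = b"\0" * inner_size
    name = inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level + 1}.zip"
    return data


def is_zip(data):
    # Local file header signature of a zip archive.
    return data[:4] == b"PK\x03\x04"


def decoded_size(data, uncompnestlimit, _depth=0):
    """Return (total decoded bytes, deepest nesting level opened).

    Archives are opened recursively down to `uncompnestlimit` nestings, the
    depth the handbook's uncompnestlimit controls. An archive sitting deeper
    than the limit is not opened and is counted at its stored size (an
    assumption of this model)."""
    if not is_zip(data) or _depth >= uncompnestlimit:
        return len(data), _depth
    total, deepest = 0, _depth + 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            size, level = decoded_size(zf.read(info), uncompnestlimit, _depth + 1)
            total += size
            deepest = max(deepest, level)
    return total, deepest


def proxy_av_decision(data, *, uncompsizelimit_mb=10, uncompnestlimit=12,
                      oversize_threshold_mb=None, oversize_action="pass"):
    """Model of the proxy-based decision chain described in the handbook:

    1. protocol options oversize check: Block drops the file, Pass lets it
       through without virus scanning;
    2. scan buffer check: decoded content larger than uncompsizelimit is
       passed without scanning;
    3. otherwise the file is virus scanned.

    Assumption of this model: both limits are compared against the decoded
    size the scanner would have to buffer (archives extracted first)."""
    size, _ = decoded_size(data, uncompnestlimit)
    if oversize_threshold_mb is not None and size > oversize_threshold_mb * MB:
        return "blocked-oversize" if oversize_action == "block" else "passed-unscanned"
    if size > uncompsizelimit_mb * MB:
        return "passed-unscanned"
    return "scanned"


# Constructed samples: the handbook's scenario (a zip holding a 12 MB
# executable; zero bytes compress far smaller than 7 MB, but only the decoded
# size matters here) and a five-level nested archive.
HANDBOOK_ZIP = build_nested_zip("payload.exe", 12 * MB, 1)
NESTED_ZIP = build_nested_zip("payload.exe", 1024, 5)

if __name__ == "__main__":
    print("default 10 MB buffer:", proxy_av_decision(HANDBOOK_ZIP))
    print("uncompsizelimit 20:", proxy_av_decision(HANDBOOK_ZIP, uncompsizelimit_mb=20))
    print("10 MB block threshold:",
          proxy_av_decision(HANDBOOK_ZIP, oversize_threshold_mb=10, oversize_action="block"))
    print("nesting opened with limit 12 / 3:",
          decoded_size(NESTED_ZIP, 12)[1], decoded_size(NESTED_ZIP, 3)[1])
```

With the defaults the 12 MB payload is passed unscanned; raising uncompsizelimit to 20 gets it scanned, and a 10 MB oversize threshold with the Block action drops it before the buffer question arises, which is the point the maximum file size section makes. Lowering the nesting limit to 3 stops the walk at the third archive, so the inner layers are never opened.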

Configuring client comforting
When proxy-based antivirus scanning is enabled, the FortiGate unit buffers files as they
are downloaded. Once the entire file is captured, the FortiGate unit scans it. If no infection
is found, it is sent along to the client. The client initiates the file transfer and nothing
happens until the FortiGate finds the file clean, and releases it. Users can be impatient,
and if the file is large or the download slow, they may cancel the download, not realizing
that the transfer is in progress.
The client comforting feature solves this problem by allowing a trickle of data to flow to the
client so they can see the file is being transferred. The default client comforting transfer
rate sends one byte of data to the client every ten seconds. This slow transfer continues
while the FortiGate unit buffers the file and scans it. If the file is infection-free, it is released
and the client will receive the remainder of the transfer at full speed. If the file is infected,
the FortiGate unit caches the URL and drops the connection. The client does not receive
any notification of what happened because the download to the client had already started.
Instead, the download stops and the user is left with a partially downloaded file.
If the user tries to download the same file again within a short period of time, the cached
URL is matched and the download is blocked. The client receives the Infection cache
replacement message as a notification that the download has been blocked.
The number of URLs in the cache is limited by the size of the cache.
Caution: Client comforting can send unscanned and therefore potentially infected content
to the client. You should only enable client comforting if you are prepared to accept this risk.
Keeping the client comforting interval high and the amount low will reduce the amount of
potentially infected data that is downloaded.

Client comforting is available for HTTP and FTP traffic. If your FortiGate unit supports SSL
content scanning and inspection, you can also configure client comforting for HTTPS
traffic.
Enable and configure client comforting
1 Go to Firewall > Policy > Protocol Options.
2 Select a protocol options profile and choose Edit, or select Create New to make a new
one.
3 Expand HTTP, FTP, and if your FortiGate unit supports SSL content scanning and
inspection, expand HTTPS as well.
4 To enable client comforting, select Comfort Clients for each of the protocols in which
you want it enabled.
5 Select OK to save the changes.
6 Select this protocol options profile in any firewall policy for it to take effect on all traffic
handled by the policy.
The default values for Interval and Amount are 10 and 1, respectively. This means that
when client comforting takes effect, 1 byte of the file is sent to the client every 10 seconds.
You can change these values to vary the amount and frequency of the data transferred by
client comforting.

Enable the file quarantine
You can quarantine blocked and infected files if you have a FortiGate unit with a local hard
disk. You can view the file name and status information about the file in the Quarantined
Files list and submit specific files and add file patterns to the AutoSubmit list so they will
automatically be uploaded to the FortiGuard AntiVirus service for analysis.
FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit. Files
stored on the FortiAnalyzer unit can also be viewed from the Quarantined Files list in the
FortiGate unit.

General configuration steps
The following steps provide an overview of the file quarantine configuration. For best
results, follow the procedures in the order given. Note that if you perform any additional
actions between procedures, your configuration may have different results.
1 Go to UTM > AntiVirus > Quarantine to configure the quarantine service and
destination.
2 Go to UTM > AntiVirus > Profile and edit an existing antivirus profile or create a new
one. In the Quarantine row, select the check boxes of the protocols for which you want
the quarantine enabled. The Quarantine option only appears if your FortiGate unit has
a local disk or if your FortiGate unit is configured to use a FortiAnalyzer unit to
quarantine files.
Note: Antivirus profiles also have a configurable feature called Quarantine Virus Sender (to
Banned User List). This is a different feature unrelated to the Quarantine option.

3 If you have not previously done so, go to Firewall > Policy and add the antivirus profile
to a firewall policy.

Configuring the file quarantine
You can configure quarantine options for HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP
traffic. If your FortiGate unit supports SSL content scanning and inspection you can also
quarantine blocked and infected files from HTTPS, IMAPS, POP3S, and SMTPS traffic.
To configure the file quarantine
1 Go to UTM > AntiVirus > Quarantine.
2 In the options table, select the files to quarantine.
The options table lists three detection methods used to find potentially problematic
files, as well as the types of traffic scanned for these files. Select one or more check
boxes for the following traffic types to enable quarantine for detected files:
• Infected Files: files in which the FortiGate unit detects virus signatures
• Suspicious Files: files detected by the heuristics scanner
• Blocked Files: files matching patterns or types defined in a file filter.
3 In the Max Filesize to Quarantine field, enter the maximum file size to quarantine, in
megabytes. Files that exceed this size limit are not quarantined.
4 In the Age Limit field, enter the number of hours quarantined files will be saved. Files
older than the specified number of hours are deleted.
5 Select OK.

Viewing quarantined files
The Quarantined Files list displays information about each quarantined file. You can sort
the files by file name, date, service, status, duplicate count (DC), or time to live (TTL). You
can also filter the list to view only quarantined files from a specific service.
To view quarantined files, go to Log & Report > Quarantined Files.

Downloading quarantined files
You can download any non-expired file from the quarantine. You may want to do so if it
was quarantined as the result of a false positive or if you want to examine the contents.
To download a quarantined file
1 Go to Log & Report > Quarantined Files.
2 In the quarantine file list, find the file you want to download.
To find the file more quickly, use the Sort by function to change the sort order. Available
sort criteria include status, services, file name, date, TTL, and duplicate count. You can
also use the Filter function to display the files quarantined from an individual traffic
type.
3 Select the Download icon to save a copy of the quarantined file on your computer.

Enable file filtering
File filtering is a feature that allows you to block files based on their file name or their type.
• File patterns are a means of filtering based purely on the names of files. They may
include wildcards (*). For example, blocking *.scr will stop all files with an scr file
extension, which is commonly used for Windows screen saver files. Files trying to pass
themselves off as Windows screen saver files by adopting the file-naming convention
will also be stopped.
File patterns can specify the full or partial file name, the full or partial file extension, or
any combination. File pattern entries are not case sensitive. For example, adding *.exe
to the file pattern list also blocks any files ending with .EXE.
Files are compared to the enabled file patterns from top to bottom, in list order.
In addition to the built-in patterns, you can specify more file patterns to block. For
details, see “Creating a file filter list” on page 571.
• File types are a means of filtering based on an examination of the file contents,
regardless of the file name. If you were to block the file type Archive (zip), all zip
archives would be blocked even if they were renamed to have a different file extension.
The FortiGate examines the file contents to determine what type of file it is and then
acts accordingly.
The FortiGate unit can take either of the following actions toward the files that match a
configured file pattern or type:
• Block: the file will be blocked and a replacement message will be sent to the user. If
both file pattern filtering and virus scan are enabled, the FortiGate unit blocks files that
match the enabled file filter and does not scan these files for viruses.
• Allow: the file will be allowed to pass.
The FortiGate unit also writes a message to the virus log and sends an alert email
message if configured to do so.

Note: File filter does not detect files within archives. You can use file filter to block or allow
the archives themselves, but not the contents of the archives.
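As an added example (not Fortinet code, not the FortiGate's implementation), the Python model below reproduces the file filter semantics described above: case-insensitive wildcard name patterns evaluated from top to bottom, content-derived file types that ignore the extension, the 80-character pattern limit, the rule that a file blocked by the filter is not virus scanned, and the note that an archive is matched as an archive without its members being inspected. The small magic-number table and all rule, function and sample names are assumptions of this example.

```python
import fnmatch
import io
import zipfile

# Constructed magic-number table standing in for the FortiGate's content
# inspection (assumption of this model; the unit's own type list is larger).
MAGIC = {
    "Archive (zip)": b"PK\x03\x04",
    "Executable (exe)": b"MZ",
    "PDF": b"%PDF-",
}


def detect_file_type(data):
    """Classify a file by its leading bytes, ignoring its name."""
    for file_type, signature in MAGIC.items():
        if data.startswith(signature):
            return file_type
    return "Unknown"


def pattern_rule(pattern, action, enable=True):
    """A File Name Pattern entry; the handbook limits patterns to 80 characters."""
    if len(pattern) > 80:
        raise ValueError("file pattern is limited to 80 characters")
    return {"kind": "pattern", "match": pattern, "action": action, "enable": enable}


def type_rule(file_type, action, enable=True):
    """A File Type entry matched against the content-derived type."""
    return {"kind": "type", "match": file_type, "action": action, "enable": enable}


def evaluate_file_filter(name, data, rules):
    """Walk the enabled rules from top to bottom; the first match decides.

    Pattern rules are matched case-insensitively against the file name, type
    rules against the content-derived type. Returns (action, matched rule);
    a file that matches nothing is allowed."""
    file_type = detect_file_type(data)
    for rule in rules:
        if not rule["enable"]:
            continue
        if rule["kind"] == "pattern":
            hit = fnmatch.fnmatchcase(name.lower(), rule["match"].lower())
        else:
            hit = file_type == rule["match"]
        if hit:
            return rule["action"], rule
    return "allow", None


def dispose(name, data, rules, virus_scan=True):
    """Combine file filtering with virus scanning as the handbook describes:
    a file blocked by the filter is dropped and is not scanned for viruses."""
    action, _ = evaluate_file_filter(name, data, rules)
    if action == "block":
        return "blocked"
    return "virus-scanned" if virus_scan else "allowed"


def zip_containing(member_name, member_bytes):
    """Constructed sample archive wrapping one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


# Constructed file filter list and sample files.
RULES = [
    pattern_rule("*.scr", "block"),
    pattern_rule("*.exe", "block"),
    type_rule("Archive (zip)", "block"),
]
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ZIP = zip_containing("setup.exe", EXE_BYTES)

if __name__ == "__main__":
    # *.scr matches regardless of case.
    print(evaluate_file_filter("Holiday.SCR", EXE_BYTES, RULES)[0])     # block
    # A zip renamed to .txt is still an archive by content.
    print(evaluate_file_filter("report.txt", SAMPLE_ZIP, RULES)[0])     # block
    # With only the pattern rules, the archive passes: members are not inspected.
    print(evaluate_file_filter("tools.zip", SAMPLE_ZIP, RULES[:2])[0])  # allow
```

The last case is the one the note above warns about: the *.exe pattern never sees setup.exe inside tools.zip, so if executables inside archives must be stopped, the archive type itself has to be blocked or the contents left to the antivirus scanner, which does open archives.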

General configuration steps
The following steps provide an overview of the file filtering configuration. For best results,
follow the procedures in the order given. Also, note that if you perform any additional
actions between procedures, your configuration may have different results.
1 Create a file filter list.
2 Create one or more file patterns or file types to populate the file filter list.
3 Enable the file filter list by adding it to a firewall policy.

Creating a file filter list
Before your FortiGate unit can filter files by pattern or type, you must create a file filter list.
To create a file filter list
1 Go to UTM > AntiVirus > File Filter.
2 Select Create New.
3 Enter a Name for the new file filter list.
4 Select OK.
The new list is created and the edit file filter list window appears. The new list is empty.
You need to populate it with one or more file patterns or file types.

Creating a file pattern
A file pattern allows you to block or allow files based on the file name. File patterns are
created within file filter lists.
To create a file pattern
1 Go to UTM > AntiVirus > File Filter.
2 Select the Edit icon of the file filter list to which you will add the file pattern.
3 Select Create New.
4 Select File Name Pattern as the Filter Type.
5 Enter the pattern in the Pattern field. The file pattern can be an exact file name or can
include wildcards (*). The file pattern is limited to a maximum of 80 characters.
6 Select the action the FortiGate unit will take when it discovers a matching file: Allow or
Block.
7 The filter is enabled by default. Clear the Enable check box if you want to disable the
filter.
8 Select OK.

Creating a file type
A file type allows you to block or allow files based on the kind of file. File types are created
within file filter lists.

To create a file type
1 Go to UTM > AntiVirus > File Filter.
2 Select the Edit icon of the file filter list to which you will add the file type.
3 Select Create New.
4 Select File Type as the Filter Type.
5 Select the kind of file from the File Type list.
6 Select the action the FortiGate unit will take when it discovers a matching file: Allow or
Block.
7 The filter is enabled by default. Clear the Enable check box if you want to disable the
filter.
8 Select OK.

Enable file filtering
You need to add a file filter list to an antivirus profile to enable file filtering.
To enable file filtering
1 Go to UTM > AntiVirus > Profile.
2 Select Create New to add an antivirus profile or select the Edit icon of an existing one
for which you want to enable file filtering.
3 In the row labeled File Filter, select the check boxes associated with the traffic you
want scanned for files.
4 At the end of the File Filter row, select the file filter list containing the file types and
patterns that the FortiGate unit will scan.
5 Select OK.
You also need to add the antivirus profile to a firewall policy for all settings to take effect.
For more information, see “Adding the antivirus profile to a firewall policy” on page 566.

Enable grayware scanning
Grayware programs are unsolicited software programs installed on computers, often
without the user’s consent or knowledge. Grayware programs are generally considered an
annoyance, but they can also cause system performance problems or be used for
malicious purposes.
To allow the FortiGate unit to scan for known grayware programs, you must enable both
antivirus scanning and grayware detection. By default, grayware detection is disabled. To
enable antivirus scanning, see “Enable antivirus scanning” on page 564.
To enable grayware detection — web-based manager
1 Go to UTM > AntiVirus > Virus Database.
2 Select Enable Grayware Detection.
To enable grayware detection — CLI
config antivirus settings
set grayware enable
end
With grayware detection enabled, the FortiGate unit will scan for grayware any time it
checks for viruses.

Testing your antivirus configuration
You have configured your FortiGate unit to stop viruses, but you’d like to confirm your
settings are correct. Even if you have a real virus, it would be dangerous to use for this
purpose. An incorrect configuration will allow the virus to infect your network.
To solve this problem, the European Institute of Computer Anti-virus Research has
developed a test file that allows you to test your antivirus configuration. The EICAR test
file is not a virus. It can not infect computers, nor can it spread or cause any damage. It’s a
very small file that contains a sequence of characters. Your FortiGate unit recognizes the
EICAR test file as a virus so you can safely test your FortiGate unit antivirus configuration.
Go to http://www.fortiguard.com/antivirus/eicartest.html to download the test file
(eicar.com) or the test file in a ZIP archive (eicar.zip).
If the antivirus profile applied to the firewall policy that allows you access to the Web is
configured to scan HTTP traffic for viruses, any attempt to download the test file will be
blocked. This indicates that you are protected.
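Added example, not from the handbook and not Fortinet code: a minimal check that recognises the EICAR test file by EICAR's own definition (the 68-byte string, optionally followed by whitespace, at most 128 bytes in total), applied to a constructed eicar.com and eicar.zip held in memory, so the two downloads the page offers can be reasoned about without any real malware. The scanner here knows only the EICAR signature and opens only zip archives; that simplification and the function names are this example's own.

```python
import io
import zipfile

# The EICAR test string (68 bytes), assembled from two halves so that this
# source file itself is not flagged by a desktop scanner.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
TRAILING_OK = b" \t\r\n\x1a"   # whitespace EICAR allows after the string


def is_eicar(data):
    """True for the EICAR test file as EICAR defines it: the 68-byte string,
    optionally followed by whitespace, at most 128 bytes in total."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return all(byte in TRAILING_OK for byte in data[len(EICAR):])


def scan(data, uncompnestlimit=12, _depth=0):
    """Return 'virus-detected' or 'clean'.

    Models the handbook's behaviour of opening archives (eicar.zip) before
    scanning, down to the configured nesting limit. Detection is only the
    EICAR signature, standing in for the real signature database."""
    if is_eicar(data):
        return "virus-detected"
    if data[:4] == b"PK\x03\x04" and _depth < uncompnestlimit:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if scan(zf.read(info), uncompnestlimit, _depth + 1) == "virus-detected":
                    return "virus-detected"
    return "clean"


def zipped(name, content):
    """Constructed sample archive with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the download page: eicar.com and eicar.zip.
EICAR_COM = EICAR + b"\n"
EICAR_ZIP = zipped("eicar.com", EICAR_COM)

if __name__ == "__main__":
    print("eicar.com:", scan(EICAR_COM))
    print("eicar.zip:", scan(EICAR_ZIP))
    print("eicar.zip with archives not opened:", scan(EICAR_ZIP, uncompnestlimit=0))
```

Testing with both files is worthwhile: eicar.com only proves that HTTP traffic reaches the scanner, while eicar.zip also proves that archives are being opened, which the nesting limit of zero in the last call deliberately switches off.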

AntiVirus examples
The following examples provide a sample antivirus configuration scenario for a fictitious
company.

Configuring simple antivirus protection
Small offices, whether they are small companies, home offices, or satellite offices, often
have very simple needs. This example details how to enable antivirus protection on a
FortiGate unit located in a satellite office. The satellite office does not have an internal
email server. To send and retrieve email, the employees connect to an external mail
server.

Creating an antivirus profile
Most antivirus settings are configured in an antivirus profile. Antivirus profiles are selected
in firewall policies. This way, you can create multiple antivirus profiles, and tailor them to
the traffic controlled by the firewall policy in which they are selected. In this example, you
will create one antivirus profile.
To create an antivirus profile — web-based manager
1 Go to UTM > AntiVirus > Profile.
2 Select Create New.
3 In the Name field, enter basic_antivirus.
4 In the Comments field, enter Antivirus protection for web and email traffic.
5 Select the Virus Scan check boxes for the HTTP, IMAP, POP3, and SMTP traffic types.
6 Select OK to save the antivirus profile.
To create an antivirus profile — CLI
config antivirus profile
edit basic_antivirus
set comment "Antivirus protection for web and email traffic"
config http
set options scan
end
config imap
set options scan
end
config pop3
set options scan
end
config smtp
set options scan
end
end

Selecting the antivirus profile in a firewall policy
An antivirus profile directs the FortiGate unit to scan network traffic only when it is selected
in a firewall policy. When an antivirus profile is selected in a firewall policy, its settings are
applied to all the traffic the firewall policy handles.
To select the antivirus profile in a firewall policy — web-based manager
1 Go to Firewall > Policy > Policy.
2 Select a policy.
3 Select the Edit icon.
4 Enable UTM.
5 Select default from the Protocol Options list.
UTM can not be enabled without selecting a protocol options profile. A default profile is
provided.
6 Select the Enable AntiVirus option.
7 Select the basic_antivirus profile from the list.
8 Select OK to save the firewall policy.
To select the antivirus profile in a firewall policy — CLI
config firewall policy
edit 1
set utm-status enable
set profile-protocol-options default
set av-profile basic_antivirus
end
HTTP, IMAP, POP3, and SMTP traffic handled by the firewall policy you modified will be
scanned for viruses. A small office may have only one firewall policy configured. If you
have multiple policies, consider enabling antivirus scanning for all of them.

Protecting your network against malicious email attachments
Viruses and grayware are commonly delivered by email or the web. The Example.com
corporation has been the victim of multiple virus infections in the past. Now that the
company has a FortiGate unit protecting its network, you (Example.com’s system
administrator) can configure the unit to scan email and web traffic to filter out harmful
attachments. Example.com’s FortiGate unit supports SSL content scanning and
inspection.

Enabling antivirus scanning in the antivirus profile
The primary means to avoid viruses is to configure the FortiGate unit to scan email and
web traffic for virus signatures. You enable virus scanning in the antivirus profile and then
select the antivirus profile in firewall policies that control email traffic.
To enable antivirus scanning in the antivirus profile
1 Go to UTM > AntiVirus > Profile.
2 Select Create New to add a new antivirus profile, or select the Edit icon of an existing
antivirus profile.
3 Select the Virus Scan check box for HTTP to scan web traffic for viruses.
4 Select the Virus Scan check box for IMAP, POP3, and SMTP to scan all email
protocols for viruses.
5 Select OK to save the antivirus profile.

Enabling grayware scanning
Grayware can also threaten Example.com’s network. Viruses, email messages and the
web are often the means by which grayware infections are delivered.
To enable grayware scanning
1 Go to UTM > AntiVirus > Virus Database.
2 Select Enable Grayware Detection.
When Enable Grayware Detection is selected, virus scanning will also include
grayware scanning. Any traffic scanned for viruses will also be scanned for grayware.

Configuring and enabling file filtering
Executable files are never sent or received at Example.com. Since many executable files
attached to spam messages install malware or infect the system with viruses,
Example.com decided to stop all executable files attached to email messages by using file
filters.
Creating the file filtering list
1 Go to UTM > AntiVirus > File Filter.
2 Select Create New.
3 Enter a name for the new file filter list.
4 Optionally, enter a descriptive comment for the list.
5 Select OK to save the new list.
6 Select Create New to add an entry to the file pattern list.
7 For Filter Type, select File Type.
8 For File Type, select Executable (exe).
9 For Action, select Block.
10 Select OK to save the new file filter list entry.
11 Select OK to save the file filter list.
With the file filter list created, you must now enable file filtering in the antivirus profile and
select the list.

Enabling file filter
1 Go to UTM > AntiVirus > Profile.
2 Select the antivirus profile in which you already enabled virus scanning and choose
Edit.
3 Select the File Filter check box for IMAP, POP3, and SMTP to scan all email protocols
for viruses.
4 At the end of the File Filter row, select the file filter list you created.
5 Select OK.
To complete the example, you also need to add the antivirus profile to a firewall policy for
all settings to take effect.

Selecting the antivirus profile in a firewall policy
An antivirus profile directs the FortiGate unit to scan network traffic only when it is selected
in a firewall policy. When an antivirus profile is selected in a firewall policy, its settings are
applied to all the traffic the firewall policy handles.
To select the antivirus profile in a firewall policy
1 Go to Firewall > Policy > Policy.
2 Select the policy that controls email traffic.
3 Select the Edit icon.
4 Enable UTM.
5 Select default from the Protocol Options list.
UTM can not be enabled without selecting a protocol options profile. A default profile is
provided.
6 Select the Enable AntiVirus option.
7 Select the antivirus profile from the list.
8 Select OK to save the firewall policy.

Email filter
This section describes how to configure FortiGate email filtering for IMAP, POP3, and
SMTP email. Email filtering includes both spam filtering and filtering for any words or files
you want to disallow in email messages. If your FortiGate unit supports SSL content
scanning and inspection, you can also configure spam filtering for IMAPS, POP3S, and
SMTPS email traffic.
The following topics are included in this section:
• Email filter concepts
• Enable email filter
• Configure the spam action
• Configure the tag location
• Configure the tag format
• Email filter examples

Email filter concepts
You can configure the FortiGate unit to manage unsolicited commercial email by detecting
and identifying spam messages from known or suspected spam servers.
The FortiGuard Antispam Service uses both a sender IP reputation database and a spam
signature database, along with sophisticated spam filtering tools, to detect and block a
wide range of spam messages. Using FortiGuard Antispam email filter profile settings, you
can enable IP address checking, URL checking, email checksum checking, and spam
submission. Updates to the IP reputation and spam signature databases are provided
continuously via the global FortiGuard Distribution Network.
From the FortiGuard Antispam Service page in the FortiGuard Center, you can find out
whether an IP address is blacklisted in the FortiGuard antispam IP reputation database, or
whether a URL or email address is in the signature database.

Email filter techniques
The FortiGate unit has a number of techniques available to help detect spam. Some use
the FortiGuard Antispam Service and require a subscription. The remainder use your DNS
servers or use lists that you must maintain.

FortiGuard IP address check
The FortiGate unit queries the FortiGuard Antispam Service to determine if the IP address
of the client delivering the email is blacklisted. A match will cause the FortiGate unit to
treat delivered messages as spam.
The default setting of the smtp-spamhdrip CLI command is disable. If enabled, the
FortiGate unit will check all the IP addresses in the header of SMTP email against the
FortiGuard Antispam Service. For more information, see the FortiGate CLI Reference.

FortiGuard URL check
The FortiGate unit queries the FortiGuard Antispam service to determine if any URL in the
message body is associated with spam. If any URL is blacklisted, the FortiGate unit
determines that the email message is spam.

FortiGuard email checksum check
The FortiGate unit sends a hash of an email to the FortiGuard Antispam server, which
compares the hash to hashes of known spam messages stored in the FortiGuard
Antispam database. If the hash results match, the email is flagged as spam.

FortiGuard spam submission
Spam submission is a way you can inform the FortiGuard AntiSpam service of non-spam
messages incorrectly marked as spam. When you enable this setting, the FortiGate unit
adds a link to the end of every message marked as spam. You then select this link to
inform the FortiGuard AntiSpam service when a message is incorrectly marked.

IP address black/white list check
The FortiGate unit compares the IP address of the client delivering the email to the
addresses in the IP address black/white list specified in the email filter profile. If a match is
found, the FortiGate unit will take the action configured for the matching black/white list
entry against all delivered email.
The default setting of the smtp-spamhdrip CLI command is disable. If enabled, the
FortiGate unit will check all the IP addresses in the header of SMTP email against the
specified IP address black/white list. For more information, see the FortiGate CLI
Reference.

HELO DNS lookup
The FortiGate unit takes the domain name specified by the client in the HELO greeting
sent when starting the SMTP session and does a DNS lookup to determine if the domain
exists. If the lookup fails, the FortiGate unit determines that any messages delivered
during the SMTP session are spam.

Email address black/white list check
The FortiGate unit compares the sender email address, as shown in the message
envelope MAIL FROM, to the addresses in the email address black/white list specified in
the email filter profile. If a match is found, the FortiGate unit will take the action configured
for the matching black/white list entry.

Return email DNS check
The FortiGate unit performs a DNS lookup on the reply-to domain to see if there is an A or
MX record. If no such record exists, the message is treated as spam.

Banned word check
The FortiGate unit blocks email messages based on matching the content of the message
with the words or patterns in the selected spam filter banned word list.

Order of spam filtering
The FortiGate unit checks for spam using various filtering techniques. The order in which
the FortiGate unit uses these filters depends on the mail protocol used.

Filters requiring a query to a server and a reply (FortiGuard Antispam Service and
DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other
filters are running. The first reply to trigger a spam action takes effect as soon as the reply
is received.
Each spam filter passes the email to the next if no matches or problems are found. If the
action in the filter is Mark as Spam, the FortiGate unit tags the email as spam according to
the settings in the email filter profile.
For SMTP and SMTPS, if the action is discard, the email message is discarded or
dropped.
If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If
the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or
SMTPS email messages are substituted with a configurable replacement message.

Order of SMTP and SMTPS spam filtering
The FortiGate unit scans SMTP and SMTPS email for spam in the order given below.
SMTPS spam filtering is available on FortiGate units that support SSL content scanning
and inspection.
1 IP address black/white list (BWL) check on last hop IP
2 DNSBL & ORDBL check on last hop IP, FortiGuard Antispam IP check on last hop IP,
HELO DNS lookup
3 MIME headers check, E-mail address BWL check
4 Banned word check on email subject
5 IP address BWL check (for IPs extracted from “Received” headers)
6 Banned word check on email body
7 Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard
Antispam URL check, DNSBL & ORDBL check on public IP extracted from header.

Order of IMAP, POP3, IMAPS and POP3S spam filtering
The FortiGate unit scans IMAP, POP3, IMAPS and POP3S email for spam in the order
given below. IMAPS and POP3S spam filtering is available on FortiGate units that support
SSL content scanning and inspection.
1 MIME headers check, E-mail address BWL check
2 Banned word check on email subject
3 IP BWL check
4 Banned word check on email body
5 Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard
Antispam URL check, DNSBL & ORDBL check.
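As an added illustration of the action semantics above (example code written for this page, not FortiOS code), the Python model below runs a chain of local checks in the SMTP order, stops at the first verdict, converts Mark as Reject to Mark as Spam for POP3/IMAP as the handbook describes, and then applies the profile's spam action. The list entries, addresses and messages are constructed sample data; the checks that need a server query (FortiGuard, DNSBL/ORDBL) are left out.

```python
# Added example for this page, not Fortinet code: a model of the email filter
# decision chain. All list entries and messages below are constructed samples.
import ipaddress
from dataclasses import dataclass, replace
from enum import Enum
from fnmatch import fnmatchcase
from typing import Callable, Optional


class Verdict(Enum):
    CLEAR = "Mark as Clear"    # exempt from every remaining filter
    SPAM = "Mark as Spam"      # handled by the profile's spam action
    REJECT = "Mark as Reject"  # SMTP/SMTPS session dropped


@dataclass(frozen=True)
class Email:
    protocol: str    # "smtp", "pop3" or "imap"
    client_ip: str   # last-hop IP of the delivering client
    mail_from: str   # envelope MAIL FROM address
    subject: str


# A filter returns a Verdict, or None to pass the message to the next filter.
Filter = Callable[[Email], Optional[Verdict]]


def ip_bwl(entries: dict) -> Filter:
    """IP address black/white list: first SMTP step, checked on the last-hop IP.
    Keys are IP/netmask strings, values the configured action."""
    nets = [(ipaddress.ip_network(n, strict=False), v) for n, v in entries.items()]

    def check(mail: Email) -> Optional[Verdict]:
        ip = ipaddress.ip_address(mail.client_ip)
        for net, verdict in nets:
            if ip in net:
                return verdict
        return None
    return check


def email_bwl(entries: dict) -> Filter:
    """E-mail address black/white list with wildcard patterns ('*' = any run
    of characters), e.g. '*@example.net'. Only Clear and Spam are valid here."""
    def check(mail: Email) -> Optional[Verdict]:
        sender = mail.mail_from.lower()
        for pattern, verdict in entries.items():
            if fnmatchcase(sender, pattern.lower()):
                return verdict
        return None
    return check


def run_chain(mail: Email, chain: list) -> tuple:
    """Run (name, filter) pairs in order. The first verdict ends the chain:
    Clear skips the remaining filters, Spam and Reject stop scanning too.
    Reject only exists for SMTP; for POP3/IMAP it is treated as Spam."""
    for name, flt in chain:
        verdict = flt(mail)
        if verdict is None:
            continue
        if verdict is Verdict.REJECT and mail.protocol != "smtp":
            verdict = Verdict.SPAM
        return verdict, name
    return None, ""


def apply_spam_action(mail: Email, verdict: Optional[Verdict],
                      spam_action: str = "tagged",
                      tag_format: str = "Spam") -> Optional[Email]:
    """Return the message as it would be delivered, or None if it is not.
    POP3/IMAP mail can only be tagged; SMTP mail may be tagged or discarded.
    With the Subject tag location the tag is prepended to the subject."""
    if verdict in (None, Verdict.CLEAR):
        return mail
    if verdict is Verdict.REJECT:
        return None                      # session dropped, nothing delivered
    if mail.protocol == "smtp" and spam_action == "discard":
        return None                      # silently discarded
    return replace(mail, subject=f"{tag_format} {mail.subject}")


# Constructed sample lists: a trusted relay, one known-bad host, and the
# "*@example.net" sender pattern used later in this chapter.
SAMPLE_CHAIN = [
    ("IP address BWL", ip_bwl({"203.0.113.0/24": Verdict.CLEAR,
                               "198.51.100.7": Verdict.REJECT})),
    ("E-mail address BWL", email_bwl({"*@example.net": Verdict.SPAM})),
]


def deliver(mail: Email, spam_action: str = "tagged") -> Optional[Email]:
    """Run the sample chain and apply the spam action with tag format SPAM:."""
    verdict, _ = run_chain(mail, SAMPLE_CHAIN)
    return apply_spam_action(mail, verdict, spam_action, tag_format="SPAM:")


if __name__ == "__main__":
    m = Email("smtp", "192.0.2.9", "sales@example.net", "Buy stuff!")
    print(deliver(m))   # subject becomes "SPAM: Buy stuff!"
```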

Enable email filter
Unlike antivirus protection, no single control enables all email filtering. Your FortiGate unit
uses many techniques to detect spam; some may not be appropriate for every situation.
To enable any of the email filtering options, however, you must allow the FortiGate unit to
inspect email traffic.

To enable email traffic inspection
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to enable email traffic inspection and
choose Edit.
3 The top row lists each type of email traffic the FortiGate unit is capable of inspecting.
Select the check box for the traffic types you want the FortiGate unit to inspect.
4 Select OK.
Once you allow the FortiGate unit to examine one or more types of email traffic, you can
enable any of the individual email filtering techniques.

Enabling FortiGuard IP address checking
When you enable FortiGuard IP address checking, your FortiGate unit will submit the IP
address of the client to the FortiGuard service for checking. If the IP address exists in the
FortiGuard IP address black list, your FortiGate unit will treat the message as spam.
To enable FortiGuard IP address checking
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to enable FortiGuard IP address
checking and choose Edit.
3 Under the heading FortiGuard Email Filtering, the IP Address Check row has check
boxes for each email traffic type. Select the types of traffic you want scanned.
4 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Enabling FortiGuard URL checking
When you enable FortiGuard URL checking, your FortiGate unit will submit all URLs
appearing in the email message body to the FortiGuard service for checking. If a URL
exists in the FortiGuard URL black list, your FortiGate unit will treat the message as spam.
To enable FortiGuard URL checking
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to enable FortiGuard URL checking and
choose Edit.
3 Under the heading FortiGuard Email Filtering, the URL Check row has check boxes for
each email traffic type. Select the types of traffic you want scanned.
4 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Enabling FortiGuard email checksum checking
When you enable FortiGuard email checksum checking, your FortiGate unit will submit a
checksum of each email message to the FortiGuard service for checking. If a checksum
exists in the FortiGuard checksum black list, your FortiGate unit will treat the message as
spam.

To enable FortiGuard checksum checking
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to enable FortiGuard checksum
checking and choose Edit.
3 Under the heading FortiGuard Email Filtering, the E-mail Checksum Check row has
check boxes for each email traffic type. Select the types of traffic you want scanned.
4 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Enabling FortiGuard spam submission
When you enable FortiGuard spam submission, your FortiGate unit will append a
link to the end of every message detected as spam. This link allows email users to
“correct” the FortiGuard service by informing it that the message is not spam.
Note: Carefully consider the use of the Spam submission option on email leaving your
network. Users not familiar with the feature may click the link on spam messages because
they are curious. This will reduce the accuracy of the feature.

To enable FortiGuard Spam submission
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to enable FortiGuard spam submission
and choose Edit.
3 Under the heading FortiGuard Email Filtering, the Spam Submission row has check
boxes for each email traffic type. Select the types of traffic you want processed.
4 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Enabling IP address black/white list checking
When you enable IP address black/white list checking, your FortiGate unit will compare
the client IP address with the IP address black/white list specified in the email filter profile.
If the client IP address exists, the FortiGate unit acts according to the action configured for
the IP address in the list: allow the message, reject it, or mark it as spam.
The next two topics describe adding and configuring the IP address black/white list that
you will need before you can enable the checking. If you already have this list, go to
“Enabling the IP address black/white list checking” on page 582.

Creating an IP address black/white list
Before you can enable IP address black/white list spam filtering in the email filter profile,
you must create an IP address black/white list.
To create an IP address black/white list
1 Go to UTM > Email Filter > IP Address.
2 Select Create New.
3 Enter a name for the IP address list.
4 Optionally, enter a description or comments about the list.
5 Select OK to save the IP address black/white list.
When a new IP address black/white list is created, it is empty. To perform any actions, you
must add IP addresses to the list.

Adding addresses to an IP address black/white list
Each IP address black/white list contains a number of IP addresses, each having a
specified action. When the FortiGate unit accepts mail from a client with an IP address on
the IP address black/white list specified in the active email filter profile, it performs the
action specified for the address.
To add an address to an IP address black/white list
1 Go to UTM > Email Filter > IP Address.
2 Select the list to which you want to add an address and choose Edit.
3 Select Create New.
4 Enter the address or netmask in the IP/netmask field.
5 Select the action:
• Mark as Clear: Messages from clients with matching IP addresses will be allowed,
bypassing further email filtering.
• Mark as Reject: Messages from clients with matching IP addresses will be rejected.
The FortiGate unit will return a reject message to the client. Mark as Reject only
applies to mail delivered by SMTP. If an IP address black/white list is used with
POP3 or IMAP mail, addresses configured with the Mark as Reject action will be
marked as spam.
• Mark as Spam: Messages from clients with matching IP addresses will be treated as
spam, subject to the action configured in the applicable email filter profile. For more
information, see “Configure the spam action” on page 588.
6 By default, the address is enabled and the FortiGate unit will perform the action if the
address is detected. To disable checking for the address, clear the Enable check box.
7 Select OK.

Enabling the IP address black/white list checking
Once you have created a black/white list and added the IP addresses, you can enable the
checking.
To enable IP address black/white list checking
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to enable IP address black/white list
checking and choose Edit.
3 The IP Address BWL Check row has check boxes for each email traffic type. Select the
types of traffic you want scanned.
4 Select the IP address black/white list to use from the drop-down list at the end of the
row.
5 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Enabling HELO DNS lookup
Whenever a client opens an SMTP session with a server, the client sends a HELO
command with the client domain name. When you enable HELO DNS lookup, your
FortiGate unit will take the domain the client submits as part of the HELO greeting and
send it to the configured DNS. If the domain does not exist, your FortiGate unit will treat all
messages the client delivers as spam.
The HELO DNS lookup is available only for SMTP traffic.
To enable HELO DNS lookup
1 Go to UTM > Email Filter > Profile.
2 Select the Edit icon of the email filter profile in which you want to enable HELO DNS
lookup.
3 The HELO DNS Lookup row has a check box for the SMTP traffic type. Select the
check box to enable HELO DNS lookup.
4 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Enabling email address black/white list checking
When you enable email address black/white list checking, your FortiGate unit will compare
the sender email address with the email address black/white list specified in the email filter
profile. If the sender email address exists, the FortiGate unit acts according to the action
configured for the email address in the list: allow the message or mark it as spam.
The next two topics describe adding and configuring the email address black/white list that
you will need before you can enable the checking. If you already have this list, go to
“Enabling email address black/white list checking” on page 584.

Creating an email address black/white list
Before you can enable email address black/white list spam filtering in the email filter
profile, you must create an email address black/white list.
To create an email address black/white list
1 Go to UTM > Email Filter > E-mail Address.
2 Select Create New.
3 Enter a name for the email address list.
4 Optionally, enter a description or comments about the list.
5 Select OK to save the email address black/white list.
When a new email address black/white list is created, it is empty. To perform any actions, you
must add email addresses to the list.

Adding addresses to an email address black/white list
Each email address black/white list may contain a number of email addresses, each
having a specified action. When the FortiGate unit accepts an email message from a client
with a reply-to address that appears in the email address black/white list specified in the
active email filter profile, it performs the action specified for the email message.

To add an address to an email address black/white list
1 Go to UTM > Email Filter > E-mail Address.
2 Select the Edit icon of the list to which you want to add an address.
3 Select Create New.
4 Enter the email address in the Email Address field.
5 If you need to enter a pattern in the Email Address field, select whether to use
wildcards or regular expressions to specify the pattern.
Wildcard uses an asterisk (“*”) to match any number of any character. For example,
*@example.com will match all addresses ending in @example.com.
Regular expressions use Perl regular expression syntax. See
http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular
expressions.
6 Select the action:
• Mark as Spam: Messages with matching reply-to email addresses will be treated as
spam, subject to the action configured in the applicable email filter profile. For more
information, see “Configure the spam action” on page 588.
• Mark as Clear: Messages with matching reply-to addresses will be allowed,
bypassing further email filtering.
7 By default, the address is enabled and the FortiGate unit will perform the action if the
address is detected. To disable checking for the address, clear the Enable check box.
8 Select OK to save the address.

Enabling email address black/white list checking
Once you have created a black/white list and added the email addresses, you can enable
the checking.
To enable email address black/white list checking
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to enable email address black/white list
checking and choose Edit.
3 The E-mail Address BWL Check row has check boxes for each email traffic type.
Select the types of traffic you want scanned.
4 Select the email address black/white list to use from the drop-down list at the end of
the row.
5 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Enabling return email DNS checking
When you enable return email DNS checking, your FortiGate unit will take the domain in
the reply-to email address and send it to the configured DNS. If the domain does not exist,
your FortiGate unit will treat the message as spam.

To enable return email DNS check
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to enable return email DNS checking
and choose Edit.
3 The Return E-mail DNS Check row has check boxes for each email traffic type. Select
the types of traffic you want checked.
4 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Enabling banned word checking
When you enable banned word checking, your FortiGate unit will examine the email
message for words appearing in the banned word list specified in the email filter profile. If
the total score of the banned words discovered in the email message exceeds the threshold
value set in the email filter profile, your FortiGate unit will treat the message as spam.
When determining the banned word score total for an email message, each banned word
score is added once no matter how many times the word appears in the message.
The next two topics describe adding and configuring the banned word list that you will
need before you can enable the checking. If you already have this list, go to “Enabling
banned word checking” on page 587.

How content is evaluated
Every time the banned word filter detects a pattern in an email message, it adds the
pattern score to the sum of scores for the message. You set this score when you create a
new pattern to block content. The score can be any number from zero to 99999. Higher
scores indicate more offensive content. When the total score equals or exceeds the
threshold, the email message is considered as spam and treated according to the spam
action configured in the email filter profile. The score for each pattern is counted only
once, even if that pattern appears many times in the email message. The default score for
banned word patterns is 10 and the default threshold is 10. This means that by default, an
email message is blocked by a single match.
A pattern can be part of a word, a whole word, or a phrase. Multiple words entered as a
pattern are treated as a phrase. The phrase must appear as entered to match. You can
also use wildcards or regular expressions to have a pattern match multiple words or
phrases.
For example, the FortiGate unit scans an email message that contains only this sentence:
“The score for each word or phrase is counted only once, even if that word or phrase
appears many times in the email message.”

Each entry below lists the banned word pattern, its pattern type, its assigned score, and the score actually added to the sum for the entire message, followed by a comment:
• word (Wildcard, assigned score 20, score added 20): The pattern appears twice but multiple occurrences are only counted once.
• word phrase (Wildcard, assigned score 20, score added 0): Although each word in the phrase appears in the message, the words do not appear together as they do in the pattern. There are no matches.
• word*phrase (Wildcard, assigned score 20, score added 20): The wildcard represents any number of any character. A match occurs as long as “word” appears before “phrase” regardless of what is in between them.
• mail*age (Wildcard, assigned score 20, score added 20): Since the wildcard character can represent any characters, this pattern is a match because “email message” appears in the message.
In this example, the message is treated as spam if the banned word threshold is set to 60
or less.
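The scoring rules above as an added worked example (written for this page, not Fortinet code): the functions below implement wildcard and regular-expression patterns, the Where setting, once-only counting per pattern, and the equals-or-exceeds threshold comparison, and they reproduce the sample sentence and the four patterns from the table.

```python
# Added example for this page, not Fortinet code: banned word scoring with
# once-only counting per pattern, as described in the handbook text above.
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BannedWord:
    pattern: str
    pattern_type: str = "wildcard"  # "wildcard" or "regex" (Perl-style syntax)
    where: str = "all"              # "subject", "body" or "all"
    score: int = 10                 # 0..99999; the handbook default is 10
    enabled: bool = True


def compile_pattern(entry: BannedWord) -> re.Pattern:
    """Turn a list entry into a regex. A wildcard '*' stands for any run of
    characters; every other character is literal. Matching is case-insensitive
    and a pattern may match inside a word ("mail*age" hits "email message")."""
    if entry.pattern_type == "wildcard":
        literal_parts = [re.escape(p) for p in entry.pattern.split("*")]
        return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)
    if entry.pattern_type == "regex":
        return re.compile(entry.pattern, re.IGNORECASE | re.DOTALL)
    raise ValueError(f"unknown pattern type: {entry.pattern_type}")


def banned_word_score(subject: str, body: str,
                      entries: List[BannedWord]) -> Tuple[int, List[str]]:
    """Sum the scores of the patterns that match. Each pattern contributes its
    score at most once, however many times it occurs in the message. The Where
    setting selects which part of the message the pattern is searched in."""
    total, matched = 0, []
    for entry in entries:
        if not entry.enabled:
            continue
        text = {"subject": subject, "body": body}.get(entry.where,
                                                      subject + "\n" + body)
        if compile_pattern(entry).search(text):
            total += entry.score
            matched.append(entry.pattern)
    return total, matched


def is_spam(subject: str, body: str, entries: List[BannedWord],
            threshold: int = 10) -> bool:
    """Spam when the total equals or exceeds the profile threshold (with the
    defaults of score 10 and threshold 10, one match is enough)."""
    return banned_word_score(subject, body, entries)[0] >= threshold


# The handbook's own example message and the four patterns from its table.
EXAMPLE_BODY = ("The score for each word or phrase is counted only once, even "
                "if that word or phrase appears many times in the email message.")
EXAMPLE_LIST = [
    BannedWord("word", score=20),          # appears twice, counted once -> 20
    BannedWord("word phrase", score=20),   # words not adjacent -> no match, 0
    BannedWord("word*phrase", score=20),   # "word" ... "phrase" -> 20
    BannedWord("mail*age", score=20),      # inside "email message" -> 20
]

if __name__ == "__main__":
    print(banned_word_score("", EXAMPLE_BODY, EXAMPLE_LIST))  # (60, [...])
```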

Creating a banned word list
Before you can enable banned word spam filtering in the email filter profile, you must
create a banned word list.
To create a banned word list
1 Go to UTM > Email Filter > Banned Word.
2 Select Create New.
3 Enter a name for the banned word list.
4 Optionally, enter a description or comments about the list.
5 Select OK to save the banned word list.
When a new banned word list is created, it is empty. To perform any actions, you must add
words to the list.

Adding words to a banned word list
Each banned word list contains a number of words, each having a score and specifying
whether the FortiGate unit will search for the word in the message subject, message
body, or both.
When the FortiGate unit accepts an email message containing one or more words in the
banned word list specified in the active email filter profile, it totals the scores of the banned
words in the email message. If the total is higher than the threshold set in the email filter
profile, the email message will be detected as spam. If the total score is lower than the
threshold, the message will be allowed to pass as normal.
The score of a banned word present in the message will be counted toward the score total
only once, regardless of how many times the word appears in the message.

To add words to a banned word list
1 Go to UTM > Email Filter > Banned Word.
2 Select the Edit icon of the list to which you want to add a word.
3 Select Create New.
4 Enter the word or the pattern in the Pattern field.
5 In the Pattern Type field, select whether you use wildcards or regular expressions.
Wildcard uses an asterisk (“*”) to match any number of any character. For example, re*
will match all words starting with “re”.
Regular expression uses Perl regular expression syntax. See
http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular
expressions.
6 In the Language field, select the language.
7 Select where the FortiGate unit will check for the banned word. The options are Body,
Subject, or All, which combines the other two options.
8 Enter a score. If the word appears in the message as determined by the Where setting,
the score is added to the scores of all the other banned words appearing in the email
message. If the score total is higher than the threshold set in the email filter profile, the
email message will be detected as spam. If the total score is lower than the threshold,
the message will be allowed to pass as normal.
9 By default, the banned word is enabled and will appear in the list. To disable checking
for the banned word, clear the Enable check box.
10 Select OK to save the banned word.

Enabling banned word checking
Once you have created a banned word list and added the words, you can enable the
checking.
To enable banned word checking
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to enable banned word checking and
choose Edit.
3 The Banned Word Check row has check boxes for each email traffic type. Select the
types of traffic you want scanned.
4 Select the banned word list to use from the drop-down list at the end of the row.
5 Enter a threshold value. If the total score of the banned words appearing in the
message exceeds this threshold, the FortiGate unit treats the message as spam.
6 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Configure the spam action
When spam is detected, the FortiGate unit will deal with it according to the Spam Action
setting in the email filter profile. Note that POP3S, IMAPS and SMTPS spam filtering is
available only on FortiGate units that support SSL content scanning and inspection.
POP3, IMAP, POP3S and IMAPS mail can only be tagged. SMTP and SMTPS mail can be
set to Discard or Tagged:
• Discard: When the spam action is set to Discard, messages detected as spam are
deleted. No notification is sent to the sender or recipient.
• Tagged: When the spam action is set to Tagged, messages detected as spam are
labelled and delivered normally. The text used for the label is set in the Tag Format
field and the label is placed in the subject or the message header, as set with the
Tag Location option.

To configure the spam action
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to configure the spam action and
choose Edit.
3 The Spam Action row has a drop-down selection under the SMTP and SMTPS traffic
type. Select Discard or Tagged.
No selection is available for POP3, IMAP, POP3S or IMAPS traffic. Tagged is the only
applicable action for those traffic types.
By default, the tag location for any traffic set to Tagged is Subject and the tag format is
Spam. If you want to change these settings, continue with “Configure the tag location”
on page 588 and “Configure the tag format” on page 589.
4 Select OK.
Select the edited email filter profile in a firewall policy, and the traffic controlled by the
firewall policy will be scanned according to the settings you configured. You may select the
email filter profile in more than one firewall policy if required.

Configure the tag location
When the spam action is set to Tagged, the Tag Location setting determines where the tag
is applied in the message.
To configure the tag location
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to configure the tag location action and
choose Edit.
3 The Tag Location row has two options for SMTP traffic. Select the tag location:
• Subject: The FortiGate unit inserts the tag at the beginning of the message subject.
For example, if the message subject is “Buy stuff!” and the tag is “[spam]”, the new
message subject is “[spam] Buy stuff!” if the message is detected as spam.
• MIME: The FortiGate unit inserts the tag into the message header. With most mail
readers and web-based mail services, the tag will not be visible. Despite this, you
can still set up a rule based on the presence or absence of the tag.
4 Select OK.

Configure the tag format
When the spam action is set to Tagged, the Tag Format setting determines what text is
used as the tag applied to the message.
To configure the tag format
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile in which you want to configure the tag format and choose
Edit.
3 The Tag Format row has a field for each traffic type. Enter the text the FortiGate unit
will use as the tag for each traffic type.
4 Select OK.

Email filter examples
Configuring simple antispam protection
Small offices, whether they are small companies, home offices, or satellite offices, often
have very simple needs. This example details how to enable antispam protection on a
FortiGate unit located in a satellite office.

Creating an email filter profile
Most email filter settings are configured in an email filter profile. Email filter profiles are
selected in firewall policies. This way, you can create multiple email filter profiles, and
tailor them to the traffic controlled by the firewall policy in which they are selected. In this
example, you will create one email filter profile.
To create an email filter profile — web-based manager
1 Go to UTM > Email Filter > Profile.
2 Select Create New.
3 In the Name field, enter basic_emailfilter.
4 Ensure that IMAP, POP3, and SMTP are selected in the header row.
These header row selections enable or disable examination of each email traffic type.
When disabled, the email traffic of that type is ignored by the FortiGate unit and no
email filtering options are available.
5 Under FortiGuard Email Filtering, enable IP Address Check for the IMAP, POP3, and
SMTP email traffic types.
6 Under FortiGuard Email Filtering, enable URL Check for the IMAP, POP3, and SMTP
email traffic types.
7 Under FortiGuard Email Filtering, enable E-mail Checksum Check for the IMAP, POP3,
and SMTP email traffic types.
8 Select OK to save the email filter profile.

To create an email filter profile — CLI
config spamfilter profile
    edit basic_emailfilter
        config imap
            set options spamfsip spamfsurl spamfschksum
        end
        config pop3
            set options spamfsip spamfsurl spamfschksum
        end
        config smtp
            set options spamfsip spamfsurl spamfschksum
        end
    end

Selecting the email filter profile in a firewall policy
An email filter profile directs the FortiGate unit to scan network traffic only when it is
selected in a firewall policy. When an email filter profile is selected in a firewall policy, its
settings are applied to all the traffic the firewall policy handles.
To select the email filter profile in a firewall policy — web-based manager
1 Go to Firewall > Policy > Policy.
2 Select a policy.
3 Select the Edit icon.
4 Enable UTM.
5 Select default from the Protocol Options list.
UTM cannot be enabled without selecting a protocol options profile. A default profile is
provided.
6 Select the Enable Email Filter option.
7 Select the basic_emailfilter profile from the list.
8 Select OK to save the firewall policy.
To select the email filter profile in a firewall policy — CLI
config firewall policy
    edit 1
        set utm-status enable
        set profile-protocol-options default
        set spamfilter-profile basic_emailfilter
    end
IMAP, POP3, and SMTP email traffic handled by the firewall policy you modified will be
scanned for spam. Spam messages have the text “Spam” added to their subject lines. A
small office may have only one firewall policy configured. If you have multiple policies,
consider enabling spam scanning for all of them.

Blocking email from a user
Employees of the Example.com corporation have been receiving unwanted email
messages from a former client at a company called example.net. All ties between the
company and the client have been severed, but the messages continue. The FortiGate
unit can be configured to prevent these messages from being delivered.

To create the email address list
1 Go to UTM > Email Filter > E-mail Address.
2 Select Create New.
3 Enter a name for the new email address list.
4 Optionally, enter a descriptive comment for the email address list.
5 Select OK to create the list.
6 Select Create New to add a new entry to the email address list.
7 Enter *@example.net in the E-mail Address field.
8 Leave Pattern Type set to the default, Wildcard.
9 Leave Action as Mark as Spam to have the FortiGate unit mark all messages from
example.net as spam.
Now that the email address list is created, you must enable the email filter in the email
filter profile.
To enable Email Filter
1 Go to UTM > Email Filter > Profile.
2 Select the email filter profile that is used by the firewall policies handling email traffic
and choose Edit.
3 Select the check boxes labeled IMAP, POP3, and SMTP in the table header row
immediately above the FortiGuard Email Filtering heading.
4 In the row E-mail Address BWL Check, select all three check boxes.
5 At the end of the E-mail address BWL check row, select the email address list you
created in the previous procedure.
6 In the row Tag Location, select Subject for all three mail protocols.
7 In the row Tag Format, enter SPAM: in all three fields.
8 Select OK.
With these changes, the FortiGate unit will add “SPAM:” to the subject of any email
message from an address ending with @example.net. Recipients can ignore the message
or they can configure their email clients to automatically delete messages with “SPAM:” in
the subject.

Intrusion protection
The FortiGate Intrusion Protection system combines signature detection and prevention
with low latency and excellent reliability. With intrusion protection, you can create multiple
IPS sensors, each containing a complete configuration based on signatures. Then, you
can apply any IPS sensor to any firewall policy.
This section describes how to configure the FortiGate Intrusion Protection settings.
If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection is
configured separately for each virtual domain.
The following topics are included:
• IPS concepts
• Enable IPS scanning
• Configure IPS options
• Enable IPS packet logging
• IPS examples

IPS concepts
The FortiGate intrusion protection system protects your network from outside attacks.
Your FortiGate unit has two techniques to deal with these attacks: anomaly- and
signature-based defense.

Anomaly-based defense
Anomaly-based defense is used when network traffic itself is used as a weapon. A host
can be flooded with far more traffic than it can handle, making the host inaccessible. The
most common example is the denial of service (DoS) attack, in which an attacker directs a
large number of computers to attempt normal access of the target system. If enough
access attempts are made, the target is overwhelmed and unable to service genuine
users. The attacker does not gain access to the target system, but it is not accessible to
anyone else.
The FortiGate DoS feature will block traffic above a certain threshold from the attacker and
allow connections from other legitimate users.

Signature-based defense
Signature-based defense is used against known attacks or vulnerability exploits. These
often involve an attacker attempting to gain access to your network. The attacker must
communicate with the host in an attempt to gain access and this communication will
include particular commands or sequences of commands and variables. The IPS
signatures include these command sequences, allowing the FortiGate unit to detect and
stop the attack.

Signatures
IPS signatures are the basis of signature-based intrusion protection. Every attack can be
reduced to a particular string of commands or a sequence of commands and variables.
Signatures include this information so your FortiGate unit knows what to look for in
network traffic.
Signatures also include characteristics about the attack they describe. These
characteristics include the network protocol in which the attack will appear, the vulnerable
operating system, and the vulnerable application.
To view the complete list of predefined signatures, go to UTM > Intrusion Protection > Predefined.

Protocol decoders
Before examining network traffic for attacks, the IPS engine uses protocol decoders to
identify each protocol appearing in the traffic. Attacks are protocol-specific, so your
FortiGate unit conserves resources by looking for attacks only in the protocols used to
transmit them. For example, the FortiGate unit will only examine HTTP traffic for the
presence of a signature describing an HTTP attack.
To view the protocol decoders, go to UTM > Intrusion Protection > Protocol Decoder.

IPS engine
Once the protocol decoders separate the network traffic by protocol, the IPS engine
examines the network traffic for the attack signatures.

IPS sensors
The IPS engine does not examine network traffic for all signatures, however. You must
first create an IPS sensor and specify which signatures are included. You do not have to
choose each signature you want to include individually. Instead, filters are used to define
the included signatures.
To view the IPS sensors, go to UTM > Intrusion Protection > IPS Sensor.

IPS filters
IPS sensors contain one or more IPS filters. A filter is a collection of signature attributes
that you specify. The signatures that have all of the attributes specified in a filter are
included in the IPS sensor.
For example, if your FortiGate unit protects a Linux server running the Apache web server
software, you could create a new filter to protect it. By setting OS to Linux, and Application
to Apache, the filter will include only the signatures that apply to both Linux and Apache. If
you wanted to scan for all the Linux signatures and all the Apache signatures, you would
create two filters, one for each.
To view the filters in an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor, select
the IPS sensor containing the filters you want to view, and choose Edit.

Policies
To use an IPS sensor, you must select it in a firewall policy or an interface policy. An IPS
sensor that is not selected in a policy will have no effect on network traffic.
IPS is most often configured as part of a firewall policy. Unless stated otherwise, this
document discusses IPS sensor use in terms of firewall policies.

Enable IPS scanning
Enabling IPS scanning involves two separate parts of the FortiGate unit:
• The firewall policy allows certain network traffic based on the sender, receiver, interface, traffic type, and time of day. Firewall policies can also be used to deny traffic, but those policies do not apply to IPS scanning.
• The IPS sensor contains filters, overrides, or both. These specify which signatures are included in the IPS sensor.
When IPS is enabled in a firewall policy and an IPS sensor is selected, all network traffic matching the policy is checked for the signatures in the IPS sensor.

General configuration steps
For best results in configuring IPS scanning, follow the procedures in the order given.
Also, note that if you perform any additional actions between procedures, your
configuration may have different results.
1 Create an IPS sensor.
2 Create filters and/or overrides in the IPS sensor. The filters and overrides specify which
signatures the IPS engine will look for in the network traffic.
3 Select a firewall policy or create a new one.
4 In the firewall policy, enable UTM, select Enable IPS, and select the IPS sensor from
the list.
All the network traffic controlled by this firewall policy will be processed according to the
settings in the policy. These settings include the IPS sensor you specify in the policy.

Creating an IPS sensor
You need to create an IPS sensor and save it before configuring it with filters and override
settings.
To create a new IPS sensor
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select Create New.
3 Enter the name of the new IPS sensor.
4 Optionally, you can also enter a comment. The comment will appear in the IPS sensor
list and can remind you of the details of the sensor.
5 Select OK.
The IPS sensor is created and the sensor configuration window appears. A newly created
sensor is empty and contains no filters or overrides. You need to create one or more filters
or overrides before the sensor can take effect.

Creating an IPS filter
Filters determine which signatures are included in an IPS sensor. Rather than choosing
each signature, you choose the characteristics of the signatures you want included in the
IPS sensor by configuring a filter. You can create multiple filters in an IPS sensor.
To create a new IPS filter
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select the Edit icon of the IPS sensor to which you want to add the filter.
3 Select Add Filter.
4 Enter the name of the new filter.
5 Configure the filter that you require. Signatures matching all of the characteristics you
specify in the filter will be included in the IPS sensor.
6 Select OK.
The filter is created and added to the filter list. The number of signatures included in the
filter is listed in the Count column. You can view a list of the included signatures by
selecting the View Rules icon.
Note: Signature overrides are checked before filters.

Updating predefined IPS signatures
The FortiGuard Service periodically updates the pre-defined signatures and adds new
signatures to counter emerging threats as they appear.
Because the signatures included in filters are defined by specifying signature attributes,
new signatures matching existing filter specifications will automatically be included in
those filters. For example, if you have a filter that includes all signatures for the Windows
operating system, your filter will automatically incorporate new Windows signatures as
they are added.

Creating an IPS signature override
Pre-defined and custom signature overrides are configured and work largely the same as
filters, except they define the behavior of only one signature.
You can use overrides in two ways:
• To change the behavior of a signature already included in a filter. For example, to protect a web server, you can create a filter that includes and enables all signatures related to servers. If you want to disable one of those signatures, the simplest way is to create an override and mark the signature as disabled.
• To add an individual signature, not included in any filters, to an IPS sensor. This is the only way to add custom signatures to IPS sensors.

When a pre-defined signature is specified in an override, the default status and action
attributes of the signature are ignored. These settings must be explicitly set when creating
the override.
Note: Before an override can affect network traffic, you must add it to a filter, and you must
select the filter in a firewall policy. An override does not have the ability to affect network
traffic until these steps are taken. For more information, see “Enable IPS scanning” on
page 595.

To create an IPS signature override
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select the IPS sensor to which you want to add the override and select the Edit icon.
3 Select either Add Pre-defined Override or Add Custom Override, depending on the
type of IPS signature override you require.
4 For the Action, select Pass, Block, or Reset. When the override is enabled, the action
determines what the FortiGate will do with traffic containing the specified signature.
5 Select Logging to log all occurrences of the signature.
6 Select Packet Log to save the packets containing the specified signature. For more
information, see “Enable IPS packet logging” on page 609.
7 Select the Browse icon and choose the signature to include in the override.
8 Select Enable.
9 Select OK.

Creating a custom IPS signature
The FortiGate predefined signatures cover common attacks. If you use an unusual or
specialized application or an uncommon platform, add custom signatures based on the
security alerts released by the application and platform vendors.
You can add or edit custom signatures using the web-based manager or the CLI.
To create a custom signature
1 Go to UTM > Intrusion Protection > Custom.
2 Select Create New to add a new custom signature.
3 Enter a Name for the custom signature.
4 Enter the Signature. For information about completing this field, see “Custom signature
syntax and keywords”.
5 Select OK.

Custom signature syntax and keywords
All custom signatures follow a particular syntax. Each begins with a header and is followed
by one or more keywords. The syntax and keywords are detailed in the next two topics.

Custom signature syntax
A custom signature definition is limited to a maximum length of 512 characters. A
definition can be a single line or span multiple lines connected by a backslash (\) at the
end of each line.
A custom signature definition begins with a header, followed by a set of keyword/value
pairs enclosed in parentheses ( ). The keyword and value pairs are separated by a
semicolon (;) and consist of a keyword and a value separated by a space. The basic format
of a definition is HEADER (KEYWORD VALUE;)
You can use as many keyword/value pairs as required within the 512 character limit. To
configure a custom signature, go to UTM > Intrusion Protection > Signature > Custom and
enter the data directly into the Signature field, following the guidance in the next topics.

Table 58 shows the valid characters and basic structure. For details about each keyword
and its associated values, see “Custom signature keywords” on page 598.
Table 58: Valid syntax for custom signature fields

HEADER
Valid characters: F-SBID
Usage: The header for an attack definition signature. Each custom signature must begin with this header.

KEYWORD
Valid characters: Each keyword must start with a pair of dashes (--), and consist of a string of 1 to 19 characters. Normally, keywords are an English word or English words connected by an underscore (_). Keywords are case insensitive.
Usage: The keyword is used to identify a parameter. See “Custom signature keywords” on page 598 for tables of supported keywords.

VALUE
Valid characters: Double quotes (") must be used around the value if it contains a space and/or a semicolon (;). If the value is NULL, the space between the KEYWORD and VALUE can be omitted. Values are case sensitive.
Note: If double quotes are used for quoting the value, the double quotes are not considered part of the value string.
Usage: The value is set specifically for a parameter identified by a keyword.
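
As an added example (not code from the handbook or from Fortinet), the following Python tokenizer applies the Table 58 rules to a custom signature definition: the F-SBID header, the 512-character limit, backslash line continuation, the -- keyword form of 1 to 19 characters, semicolon-separated pairs with quoted or NULL values, and then the attack_id range, name length and depth/content consistency rules from the keyword tables that follow. The function names and the sample signature are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

MAX_SIGNATURE_LEN = 512                    # limit from "Custom signature syntax"
HEADER = "F-SBID"                          # required header (Table 58)
KEYWORD_RE = re.compile(r"^--\w{1,19}$")   # "--" plus 1 to 19 characters (Table 58)

def split_pairs(body: str) -> List[str]:
    """Split the body at ';' characters that are not inside double quotes."""
    pairs, current, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):    # escaped \" \| \: stay in the value
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            pairs.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unbalanced double quote in a value")
    if "".join(current).strip():
        raise ValueError("last keyword/value pair is not terminated by ';'")
    return [p for p in pairs if p]

def parse_pair(pair: str) -> Tuple[str, Optional[str]]:
    """Return (keyword, value); a NULL value such as --no_case yields None."""
    parts = re.split(r"\s+", pair, maxsplit=1)
    keyword = parts[0].lower()                  # keywords are case insensitive
    value = parts[1].strip() if len(parts) > 1 else ""
    if not value:
        return keyword, None
    negate = value.startswith("!")              # [!] prefix of content, pattern, pcre, uri
    if negate:
        value = value[1:].strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]                     # the quotes are not part of the value
    return keyword, ("!" if negate else "") + value

def check_ranges(values: Dict[str, Optional[str]], errors: List[str], warnings: List[str]) -> None:
    """Apply the limits given in Tables 59 and 61 for attack_id, name, depth and content."""
    def as_int(key: str) -> Optional[int]:      # a non-numeric value is treated as absent
        raw = values.get(key)
        return int(raw) if raw is not None and raw.isdigit() else None

    attack_id = as_int("attack_id")
    if attack_id is not None and not 1000 <= attack_id <= 9999:
        errors.append("--attack_id must be between 1000 and 9999")
    name = values.get("name")
    if name is not None and not 0 < len(name) < 64:
        errors.append("--name must be 1 to 63 characters long")
    depth, content = as_int("depth"), values.get("content")
    if depth is not None and not 0 <= depth <= 65535:
        errors.append("--depth must be between 0 and 65535")
    if depth is not None and content is not None and depth < len(content.lstrip("!")):
        warnings.append("--depth is smaller than the content length; the signature can never match")

def parse_signature(text: str) -> Dict[str, object]:
    """Parse one definition into its header, ordered pairs, errors and warnings."""
    result = {"header": None, "pairs": [], "errors": [], "warnings": []}
    pairs, errors, warnings = result["pairs"], result["errors"], result["warnings"]
    definition = re.sub(r"\\\r?\n\s*", "", text).strip()   # join backslash-continued lines
    if len(definition) > MAX_SIGNATURE_LEN:
        errors.append(f"definition is {len(definition)} characters; the limit is {MAX_SIGNATURE_LEN}")
    m = re.match(r"^([^\s(]+)\s*\((.*)\)\s*$", definition, re.S)
    if not m:
        errors.append("expected HEADER (KEYWORD VALUE; ...)")
        return result
    result["header"] = m.group(1)
    if m.group(1) != HEADER:
        errors.append(f"header must be {HEADER}, got {m.group(1)!r}")
    try:
        raw_pairs = split_pairs(m.group(2))
    except ValueError as exc:
        errors.append(str(exc))
        return result
    values: Dict[str, Optional[str]] = {}
    for pair in raw_pairs:
        keyword, value = parse_pair(pair)
        if not KEYWORD_RE.match(keyword):
            errors.append(f"bad keyword {keyword!r}: need '--' plus 1 to 19 characters")
            continue
        pairs.append((keyword, value))
        values[keyword[2:]] = value
    check_ranges(values, errors, warnings)
    return result

# Constructed sample (not from the handbook): a definition continued over two lines.
SAMPLE_SIGNATURE = (
    'F-SBID( --attack_id 1234; --name "Buffer_Overflow"; --protocol tcp; \\\n'
    '--service HTTP; --flow from_client; --pattern "/level/"; --context uri; --no_case; )'
)
```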

Custom signature keywords
Table 59: Information keywords

--attack_id <id_int>;
Use this optional value to identify the signature. It cannot be the same value as any other custom rule. If an attack ID is not specified, the FortiGate automatically assigns an attack ID to the signature. If you are using VDOMs, custom signatures appear only in the VDOM in which you create them. You can use the same attack ID for signatures in different VDOMs.
An attack ID you assign must be between 1000 and 9999.
Example:
--attack_id 1234;

--name <name_str>;
Enter the name of the rule. A rule name must be unique. If you are using VDOMs, custom signatures appear only in the VDOM in which you create them. You can use the same rule name for signatures in different VDOMs.
The name you assign must be a string greater than 0 and less than 64 characters in length.
Example:
--name "Buffer_Overflow";

Table 60: Session keywords

--flow {from_client | from_server | bi_direction};
Specify the traffic direction and state to be inspected. They can be used for all IP traffic.
Example:
--src_port 41523; --flow bi_direction;
The signature checks traffic to and from port 41523.
Previous FortiOS versions used to_client and to_server values. These are now deprecated, but still function for backwards compatibility.

--service {HTTP | TELNET | FTP | DNS | SMTP | POP3 | IMAP | SNMP | RADIUS | LDAP | MSSQL | RPC | SIP | H323 | NBSS | DCERPC | SSH | SSL};
Specify the protocol type to be inspected.
This keyword allows you to specify the traffic type by protocol rather than by port. If the decoder has the capability to identify the protocol on any port, the signature can be used to detect the attack no matter what port the service is running on. Currently, HTTP, SIP, SSL, and SSH protocols can be identified on any port based on the content.

Table 61: Content keywords

--byte_jump <bytes_to_convert>, <offset> [, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct] [, align];
Use the byte_jump option to extract a number of bytes from a packet, convert them to their numeric representation, and jump the match reference up that many bytes (for further pattern matching or byte testing). This keyword allows relative pattern matches to take into account numerical values found in network data.
The available keyword options include:
• <bytes_to_convert>: The number of bytes to examine from the packet.
• <offset>: The number of bytes into the payload to start processing.
• relative: Use an offset relative to last pattern match.
• big: Process the data as big endian (default).
• little: Process the data as little endian.
• string: The data is a string in the packet.
• hex: The converted string data is represented in hexadecimal notation.
• dec: The converted string data is represented in decimal notation.
• oct: The converted string data is represented in octal notation.
• align: Round up the number of converted bytes to the next 32-bit boundary.

Table 61: Content keywords (Continued)

--byte_test <bytes_to_convert>, <operator>, <value>, <offset> [, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct];
Use the byte_test keyword to compare a byte field against a specific value (with operator). This keyword is capable of testing binary values or converting representative byte strings to their binary equivalent and testing them.
The available keyword options include:
• <bytes_to_convert>: The number of bytes to compare.
• <operator>: The operation to perform when comparing the value (<, >, =, !, &).
• <value>: The value to compare the converted value against.
• <offset>: The number of bytes into the payload to start processing.
• relative: Use an offset relative to last pattern match.
• big: Process the data as big endian (default).
• little: Process the data as little endian.
• string: The data is a string in the packet.
• hex: The converted string data is represented in hexadecimal notation.
• dec: The converted string data is represented in decimal notation.
• oct: The converted string data is represented in octal notation.

--content [!]"<content_str>";
Deprecated, see pattern and context keywords.
Use the content keyword to search for the content string in the packet payload. The content string must be enclosed in double quotes.
To have the FortiGate search for a packet that does not contain the specified content string, add an exclamation mark (!) before the content string.
Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character.
The double quote ("), pipe sign (|) and colon (:) characters must be escaped using a backslash if specified in a content string.
If the length of the content string is greater than the value of the depth keyword, this signature will never be matched.

--depth <depth_int>;
Use the depth keyword to search for the contents within the specified number of bytes after the starting point defined by the offset keyword. If no offset is specified, the offset is assumed to be equal to 0.
If the value of the depth keyword is smaller than the length of the value of the content keyword, this signature will never be matched.
The depth must be between 0 and 65535.

--distance <dist_int>;
Use the distance keyword to search for the contents within the specified number of bytes relative to the end of the previously matched contents. If the within keyword is not specified, continue looking for a match until the end of the payload.
The distance must be between 0 and 65535.

Table 61: Content keywords (Continued)

--context {uri | header | body | host};
Specify the protocol field to look for the pattern. If context is not specified for a pattern, the FortiGate unit searches for the pattern anywhere in the packet buffer. The available context variables are:
• uri: Search for the pattern in the HTTP URI line.
• header: Search for the pattern in HTTP header lines or SMTP/POP3/IMAP control messages.
• body: Search for the pattern in HTTP body or SMTP/POP3/IMAP email body.
• host: Search for the pattern in HTTP HOST line.
Example:
--pattern "GET"
--context uri
--pattern "yahoo.com"
--context host
--no_case
--pcre "/DESCRIBE\s+\/\s+RTSP\//i"
--context header

--no_case;
Use the no_case keyword to force the FortiGate unit to perform a case-insensitive pattern match.

--offset <offset_int>;
Use the offset keyword to look for the contents after the specified number of bytes into the payload. The specified number of bytes is an absolute value in the payload. Follow the offset keyword with the depth keyword to stop looking for a match after a specified number of bytes. If no depth is specified, the FortiGate unit continues looking for a match until the end of the payload.
The offset must be between 0 and 65535.

--pattern [!]"<pattern_str>";
The FortiGate unit will search for the specified pattern. A pattern keyword normally is followed by a context keyword to define where to look for the pattern in the packet. If a context keyword is not present, the FortiGate unit looks for the pattern anywhere in the packet buffer.
To have the FortiGate search for a packet that does not contain the specified pattern, add an exclamation mark (!) before the pattern.
Example:
--pattern "/level/"
--pattern "|E8 D9FF FFFF|/bin/sh"
--pattern !"|20|RTSP/"

Table 61: Content keywords (Continued)

--pcre [!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]";
Similarly to the pattern keyword, use the pcre keyword to specify a pattern using Perl-compatible regular expressions (PCRE). A pcre keyword can be followed by a context keyword to define where to look for the pattern in the packet. If no context keyword is present, the FortiGate unit looks for the pattern anywhere in the packet buffer.
For more information about PCRE syntax, go to http://www.pcre.org.
The switches include:
• i: Case insensitive.
• s: Include newlines in the dot metacharacter.
• m: By default, the string is treated as one big line of characters. ^ and $ match at the beginning and ending of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.
• x: White space data characters in the pattern are ignored except when escaped or inside a character class.
• A: The pattern must match only at the start of the buffer (same as ^).
• E: Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines).
• G: Invert the “greediness” of the quantifiers so that they are not greedy by default, but become greedy if followed by ?.
• R: Match relative to the end of the last pattern match. (Similar to distance:0;).
• U: Deprecated, see the context keyword. Match the decoded URI buffers.

--uri [!]"<uri_str>";
Deprecated, see pattern and context keywords.
Use the uri keyword to search for the URI in the packet payload. The URI must be enclosed in double quotes (").
To have the FortiGate unit search for a packet that does not contain the specified URI, add an exclamation mark (!) before the URI.
Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character.
The double quote ("), pipe sign (|) and colon (:) characters must be escaped using a backslash (\) if specified in a URI string.

--within <within_int>;
Use this together with the distance keyword to search for the contents within the specified number of bytes of the payload.
The within value must be between 0 and 65535.

Table 62: IP header keywords

--dst_addr [!]<ipv4>;
Use the dst_addr keyword to search for the destination IP address.
To have the FortiGate search for a packet that does not contain the specified address, add an exclamation mark (!) before the IP address.
You can define up to 28 IP addresses or CIDR blocks. Enclose the comma separated list in square brackets.
Example: dst_addr [172.20.0.0/16,10.1.0.0/16,192.168.0.0/16]

--ip_id <field_int>;
Check the IP ID field for the specified value.

--ip_option {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any};
Use the ip_option keyword to check various IP option settings. The available options include:
• rr: Check if IP RR (record route) option is present.
• eol: Check if IP EOL (end of list) option is present.
• nop: Check if IP NOP (no op) option is present.
• ts: Check if IP TS (time stamp) option is present.
• sec: Check if IP SEC (IP security) option is present.
• lsrr: Check if IP LSRR (loose source routing) option is present.
• ssrr: Check if IP SSRR (strict source routing) option is present.
• satid: Check if IP SATID (stream identifier) option is present.
• any: Check if any IP option is present.

--ip_tos <field_int>;
Check the IP TOS field for the specified value.

--ip_ttl [<|>]<ttl_int>;
Check the IP time-to-live value against the specified value. Optionally, you can check for an IP time-to-live greater-than (>) or less-than (<) the specified value with the appropriate symbol.

--protocol {<protocol_int> | tcp | udp | icmp};
Check the IP protocol header.
Example:
--protocol tcp;

--src_addr [!]<ipv4>;
Use the src_addr keyword to search for the source IP address.
To have the FortiGate unit search for a packet that does not contain the specified address, add an exclamation mark (!) before the IP address.
You can define up to 28 IP addresses or CIDR blocks. Enclose the comma separated list in square brackets.
Example: src_addr 192.168.13.0/24

Table 63: TCP header keywords

--ack <ack_int>;
Check for the specified TCP acknowledge number.

--dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};
Use the dst_port keyword to specify the destination port number.
You can specify a single port or port range:
• <port_int> is a single port.
• :<port_int> includes the specified port and all lower numbered ports.
• <port_int>: includes the specified port and all higher numbered ports.
• <port_int>:<port_int> includes the two specified ports and all ports in between.

--seq <seq_int>;
Check for the specified TCP sequence number.

--src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};
Use the src_port keyword to specify the source port number.
You can specify a single port or port range:
• <port_int> is a single port.
• :<port_int> includes the specified port and all lower numbered ports.
• <port_int>: includes the specified port and all higher numbered ports.
• <port_int>:<port_int> includes the two specified ports and all ports in between.

--tcp_flags <SAFRUP120>[!|*|+] [, <SAFRUP120>];
Specify the TCP flags to match in a packet.
• S: Match the SYN flag.
• A: Match the ACK flag.
• F: Match the FIN flag.
• R: Match the RST flag.
• U: Match the URG flag.
• P: Match the PSH flag.
• 1: Match Reserved bit 1.
• 2: Match Reserved bit 2.
• 0: Match No TCP flags set.
• !: Match if the specified bits are not set.
• *: Match if any of the specified bits are set.
• +: Match on the specified bits, plus any others.
The first part of the value (<SAFRUP120>) defines the bits that must be present for a successful match. For example:
--tcp_flags AP
only matches the case where both A and P bits are set.
The second part ([, <SAFRUP120>]) is optional, and defines the additional bits that can be present for a match. For example:
tcp_flags S,12
matches the following combinations of flags: S, S and 1, S and 2, S and 1 and 2.
The modifiers !, * and + cannot be used in the second part.

--window_size [!]<window_int>;
Check for the specified TCP window size.
You can specify the window size as a hexadecimal or decimal integer. A hexadecimal value must be preceded by 0x.
To have the FortiGate search for the absence of the specified window size, add an exclamation mark (!) before the window size.
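
As an added example (not FortiOS or Fortinet code), the following Python compiles the --tcp_flags value and the port range forms of Table 63 (the same port syntax Table 64 uses for UDP) into match predicates and evaluates them against one TCP segment. The handbook does not give bit positions for reserved bits 1 and 2, so the example assumes the Snort convention (1 = 0x80, 2 = 0x40); the function names and the sample keyword set are the example's own.

```python
from typing import Callable, Dict

# Bit values of the TCP flags byte. Reserved bits 1 and 2 follow the Snort
# convention (1 = 0x80 CWR, 2 = 0x40 ECE); this is an assumption of the example.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
MODIFIERS = "!*+"

def flag_mask(letters: str) -> int:
    """Convert a <SAFRUP120> string to a bit mask; '0' means no flags at all."""
    if letters == "0":
        return 0
    mask = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        mask |= FLAG_BITS[ch]
    return mask

def compile_tcp_flags(spec: str) -> Callable[[int], bool]:
    """Compile <SAFRUP120>[!|*|+][,<SAFRUP120>] into a predicate over the flags byte."""
    first, _, second = spec.replace(" ", "").partition(",")
    modifier = ""
    if first and first[-1] in MODIFIERS:
        first, modifier = first[:-1], first[-1]
    if not first:
        raise ValueError("tcp_flags needs at least one flag letter or 0")
    if any(ch in MODIFIERS for ch in second):
        raise ValueError("!, * and + cannot be used in the second part")
    required = flag_mask(first)                          # bits that must be present
    allowed = required | (flag_mask(second) if second else 0)   # bits that may be present

    def match(flags: int) -> bool:
        if modifier == "+":                 # the specified bits, plus any others
            return flags & required == required
        if modifier == "*":                 # any of the specified bits
            return flags & required != 0
        if modifier == "!":                 # none of the specified bits
            return flags & required == 0
        # No modifier: all first-part bits, optionally second-part bits, nothing else.
        return flags & required == required and flags & ~allowed == 0
    return match

def compile_port(spec: str) -> Callable[[int], bool]:
    """Compile [!]{port | :port | port: | port:port} into a predicate over a port number."""
    text = spec.replace(" ", "")
    negate = text.startswith("!")
    if negate:
        text = text[1:]
    low_s, colon, high_s = text.partition(":")
    low = int(low_s) if low_s else 0                         # ":port" = port and all lower
    high = int(high_s) if high_s else (65535 if colon else low)   # "port:" = port and all higher
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification {spec!r}")
    return lambda port: (low <= port <= high) != negate

def tcp_header_matches(keywords: Dict[str, str], src_port: int, dst_port: int, flags: int) -> bool:
    """Evaluate the Table 63 keywords present in `keywords` (values as written in a
    signature, without the leading --) against one segment's ports and flags byte."""
    checks = {
        "src_port": lambda v: compile_port(v)(src_port),
        "dst_port": lambda v: compile_port(v)(dst_port),
        "tcp_flags": lambda v: compile_tcp_flags(v)(flags),
    }
    return all(checks[key](value) for key, value in keywords.items() if key in checks)

# Constructed sample: a SYN (reserved bits allowed) from a high port to a low port.
SAMPLE_KEYWORDS = {"src_port": "1024:", "dst_port": ":1023", "tcp_flags": "S,12"}
```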

Table 64: UDP header keywords

--dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};
Specify the destination port number.
You can specify a single port or port range:
• <port_int> is a single port.
• :<port_int> includes the specified port and all lower numbered ports.
• <port_int>: includes the specified port and all higher numbered ports.
• <port_int>:<port_int> includes the two specified ports and all ports in between.

--src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};
Specify the source port number.
You can specify a single port or port range:
• <port_int> is a single port.
• :<port_int> includes the specified port and all lower numbered ports.
• <port_int>: includes the specified port and all higher numbered ports.
• <port_int>:<port_int> includes the two specified ports and all ports in between.

Table 65: ICMP keywords

--icmp_code <code_int>;
Specify the ICMP code to match.

--icmp_id <id_int>;
Check for the specified ICMP ID value.

--icmp_seq <seq_int>;
Check for the specified ICMP sequence value.

--icmp_type <type_int>;
Specify the ICMP type to match.

Table 66: Other keywords

--data_size {<size_int> | <<size_int> | ><size_int> | <size_int><><size_int>};
Test the packet payload size. With data_size specified, packet reassembly is turned off automatically. So a signature with data_size and only_stream values set is wrong.
• <size_int> is a particular packet size.
• <<size_int> is a packet smaller than the specified size.
• ><size_int> is a packet larger than the specified size.
• <size_int><><size_int> is a packet within the range between the specified sizes.

--data_at <offset_int> [, relative];
Verify that the payload has data at a specified offset, optionally looking for data relative to the end of the previous content match.

Table 66: Other keywords (Continued)

--rate <matches_int>,<time_int>;
    Instead of generating log entries every time the signature is detected, use
    this keyword to generate a log entry only if the signature is detected a
    specified number of times within a specified time period.
    • <matches_int> is the number of times a signature must be detected.
    • <time_int> is the length of time in which the signature must be detected,
      in seconds.
    For example, if a custom signature detects a pattern, a log entry will be
    created every time the signature is detected. If --rate 100,10; is added to
    the signature, a log entry will be created if the signature is detected 100
    times in the previous 10 seconds.
    Use this command with --track to further limit log entries to when the
    specified number of detections occur within a certain time period involving
    the same source or destination address rather than all addresses.

--rpc_num <app_int>[, <ver_int> | *][, <proc_int> | *];
    Check for RPC application, version, and procedure numbers in SUNRPC CALL
    requests. The * wildcard can be used for version and procedure numbers.

--same_ip;
    Check that the source and the destination have the same IP addresses.

--track {src_ip | dst_ip | dhcp_client};
    When used with --rate, this keyword narrows the custom signature rate totals
    to individual addresses.
    • src_ip has the FortiGate unit maintain a separate count of signature
      matches for each source address.
    • dst_ip has the FortiGate unit maintain a separate count of signature
      matches for each destination address.
    • dhcp_client has the FortiGate unit maintain a separate count of signature
      matches for each DHCP client.
    For example, if --rate 100,10 is added to the signature, a log entry will be
    created if the signature is detected 100 times in the previous 10 seconds.
    The FortiGate unit maintains a single total, regardless of source and
    destination address. If the same custom signature also includes
    --track src_ip; matches are totalled separately for each source address. A
    log entry is added when the signature is detected 100 times in 10 seconds
    within traffic from the same source address.
    Use of the --track keyword is invalid without the --rate keyword. The --rate
    keyword can be used without --track, however.
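The interaction between --rate and --track in Table 66 is easiest to see by replaying detections through a counter. The Python below is an added example, not FortiOS code and not from the handbook: it models --rate <matches>,<seconds> as a sliding window of detection timestamps kept per tracking key (one shared key without --track, one key per source or destination address with it). The sliding-window model, the rule that a window is cleared after it produces a log entry, the omission of dhcp_client tracking, and the constructed detection lists are all assumptions made for the illustration; the page does not describe the engine's internal counting method.

```python
from collections import defaultdict, deque


class RateTracker:
    """Model of --rate <matches_int>,<time_int>; optionally narrowed with
    --track {src_ip | dst_ip}.

    Modelling assumptions (not documented on the page): a sliding window of the
    last <time_int> seconds is kept per tracking key, a log entry is produced when
    the window holds <matches_int> detections, and the window is then cleared.
    dhcp_client tracking is not modelled here.
    """

    def __init__(self, matches, seconds, track=None):
        if track not in (None, "src_ip", "dst_ip"):
            raise ValueError("track must be None, 'src_ip' or 'dst_ip'")
        self.matches = matches
        self.seconds = seconds
        self.track = track
        self._windows = defaultdict(deque)   # tracking key -> detection timestamps

    def detection(self, ts, src_ip, dst_ip):
        """Record one signature match; return True when a log entry should be written."""
        if self.track == "src_ip":
            key = src_ip
        elif self.track == "dst_ip":
            key = dst_ip
        else:
            key = "all"          # without --track, one total covers every address
        window = self._windows[key]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()     # forget detections older than the time period
        if len(window) >= self.matches:
            window.clear()
            return True
        return False


def count_log_entries(events, matches, seconds, track=None):
    """Replay (timestamp, src_ip, dst_ip) detections; return the number of log entries."""
    tracker = RateTracker(matches, seconds, track)
    return sum(1 for ts, src, dst in events if tracker.detection(ts, src, dst))


# Constructed detections (not real traffic). Ten matches within one second,
# alternating between two source addresses and a single destination:
MIXED_SOURCES = [(i / 10.0, "10.0.0.1" if i % 2 == 0 else "10.0.0.2", "192.0.2.10")
                 for i in range(10)]
# Ten matches within one second from a single source:
SINGLE_SOURCE = [(i / 10.0, "10.0.0.1", "192.0.2.10") for i in range(10)]
# Ten matches from one source spaced two seconds apart, so no 10 s window ever holds ten:
SLOW_SOURCE = [(2.0 * i, "10.0.0.1", "192.0.2.10") for i in range(10)]


if __name__ == "__main__":
    print("--rate 10,10 alone, mixed sources:     ", count_log_entries(MIXED_SOURCES, 10, 10))
    print("--rate 10,10 --track src_ip, mixed:    ", count_log_entries(MIXED_SOURCES, 10, 10, "src_ip"))
    print("--rate 10,10 --track src_ip, single:   ", count_log_entries(SINGLE_SOURCE, 10, 10, "src_ip"))
    print("--rate 10,10 --track src_ip, slow:     ", count_log_entries(SLOW_SOURCE, 10, 10, "src_ip"))
```

With --rate alone the mixed-source burst produces a log entry because the single shared total reaches ten; with --track src_ip the same burst produces none, since each source contributes only five. The slow source shows the time component: ten detections do occur, but never ten inside any one window.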

IPS processing in an HA cluster
IPS processing in an HA cluster is no different than with a single FortiGate unit, from the
point of view of the network user. The difference appears when a secondary unit takes
over from the primary, and what happens depends on the HA mode.

Active-passive
In an active-passive HA cluster, the primary unit processes all traffic just as it would in a
stand-alone configuration. Should the primary unit fail, a secondary unit will assume the
role of the primary unit and begin to process network traffic. By default, the state of active
communication sessions is not shared with secondary units and does not survive the failover. Once the sessions are reestablished, however, traffic processing
continues as normal.
If your network requires that active sessions are taken over by the new primary unit, select
Enable Session Pick-up in your HA configuration. Because session information must be
sent to all subordinate units on a regular basis, session pick-up is a resource-intensive
feature and is not enabled by default.

Active-active
The fail-over process in an active-active cluster is similar to an active-passive cluster.
When the primary unit fails, a secondary unit takes over and traffic processing continues.
The load-balancing schedule used to distribute sessions to the cluster members is used
by the new primary unit to redistribute sessions among the remaining subordinate units. If
session pick-up is not enabled, the sessions active on the failed primary are lost, and the
sessions redistributed among the secondary units may also be lost. If session pick-up is
enabled, all sessions are handled according to their last-known state.
For more information about HA options and settings, see “High Availability” on page 1427.

Configure IPS options
There are a number of CLI commands that influence how IPS functions.

Configuring the IPS engine algorithm
The IPS engine is able to search for signature matches in two ways. One method is faster
but uses more memory, the other uses less memory but is slower. Use the algorithm
CLI command to select one method:
config ips global
set algorithm {high | low | engine-pick}
end
Specify high to use the faster, more memory-intensive method or low for the slower,
memory-efficient method. The default setting is engine-pick, which allows the IPS
engine to choose the best method on the fly.

Configuring the IPS engine-count
FortiGate units with multiple processors can run more than one IPS engine concurrently.
The engine-count CLI command allows you to specify how many IPS engines are used
at the same time:
config ips global
set engine-count <int>
end
The recommended and default setting is 0, which allows the FortiGate unit to determine
the optimum number of IPS engines.

Configuring fail-open
If the IPS engine fails for any reason, it will fail open by default. This means that traffic
continues to flow without IPS scanning. If IPS protection is more important to your network
than the uninterrupted flow of network traffic, you can disable this behavior using the
fail-open CLI command:
config ips global
set fail-open {enable | disable}
end
The default setting is enable.

Configuring the session count accuracy
The IPS engine can keep track of the number of open sessions in two ways. An accurate
count uses more resources than a less accurate heuristic count.
config ips global
set session-limit-mode {accurate | heuristic}
end
The default is heuristic.

Configuring the IPS buffer size
Set the size of the IPS buffer.
config ips global
set socket-size <int>
end
The acceptable range is from 1 to 64 megabytes. The default size varies by model.

Configuring protocol decoders
The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal
traffic patterns that do not meet the protocol requirements and standards. For example,
the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the
HTTP protocol standards.
To view the decoders and the port numbers that each protocol decoder monitors, go to
UTM > Intrusion Protection > Protocol Decoder. The port or ports monitored by each
decoder are listed. Many decoders are able to recognize traffic by type rather than by port.
These decoders have their port listed as auto because the traffic will be recognized
automatically, regardless of the port.
To change the ports a decoder examines, you must use the CLI. In this example, the ports
examined by the DNS decoder are changed from the default 53 to 100, 200, and 300.
config ips decoder dns_decoder
set port_list "100,200,300"
end
You cannot assign specific ports to decoders that are set to auto by default. These
decoders can detect their traffic on any port. Specifying individual ports is not necessary.

Configuring security processing modules
FortiGate Security Processing Modules, such as the CE4, XE2, and FE8, can increase
overall system performance by accelerating some security and networking processing on
the interfaces they provide. They also allow the FortiGate unit to offload the processing to
the security module, thereby freeing up its own processor for other tasks. The security
module performs its own IPS and firewall processing, but you can configure it to favor IPS
in hostile high-traffic environments.
If you have a security processing module, use the following CLI commands to configure it
to devote more resources to IPS than firewall. This example shows the CLI commands
required to configure a security module in slot 1 for increased IPS performance.
config system amc-slot
edit sw1
set optimization-mode fw-ips
set ips-weight balanced
set ips-p2p disable
set ips-fail-open enable
set fp-disable none
set ipsec-inb-optimization enable
set syn-proxy-client-timer 3
set syn-proxy-server-timer 3
end
In addition to offloading IPS processing, security processing modules provide a hardware
accelerated SYN proxy to defend against SYN flood denial of service attacks. When using
a security module, configure your DoS sensor tcp_syn_flood anomaly with the Proxy
action. The Proxy action activates the hardware accelerated SYN proxy.
Note: Because DoS sensors are configured before being applied to an interface, you can
assign a DoS sensor with the Proxy action to an interface that does not have hardware
SYN proxy support. In this circumstance, the Proxy action is invalid and a Pass action will
be applied.

Enable IPS packet logging
Packet logging saves the network packets containing the traffic matching an IPS signature
to the attack log. The FortiGate unit will save the logged packets to wherever the logs are
configured to be stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the
FortiGuard Analysis and Management Service.
You can enable packet logging only in signature overrides or in filters. Use caution in
enabling packet logging in a filter. Filters configured with few restrictions can contain
thousands of signatures, potentially resulting in a flood of saved packets. This would take
up a great deal of space, require time to sort through, and consume considerable system
resources to process. Packet logging is designed as a focused diagnostic tool and is best
used with a narrow scope.
Caution: Although logging to multiple FortiAnalyzer units is supported, packet logs are not
sent to the secondary and tertiary FortiAnalyzer units. Only the primary unit receives packet
logs.

To enable packet logging for a signature
1 Create either a pre-defined override or a custom override in an IPS sensor. For more
information, see “Creating an IPS signature override” on page 596.
2 Before saving the override, select Packet Log.
3 Select the IPS sensor in the firewall policy that allows the network traffic the FortiGate
unit will examine for the signature.
To enable packet logging for a filter
1 Create a filter in an IPS sensor. For more information, see “Creating an IPS filter” on
page 595.
2 Before saving the filter, select Enable All for Packet Logging.
3 Select the IPS sensor in the firewall policy that allows the network traffic the FortiGate
unit will examine for the signature.
For information on viewing and saving logged packets, see “Viewing and saving logged
packets” on page 545.

IPS examples
Configuring basic IPS protection
Small offices, whether they are small companies, home offices, or satellite offices, often
have very simple needs. This example details how to enable IPS protection on a FortiGate
unit located in a satellite office. The satellite office contains only Windows clients.

Creating an IPS sensor
Most IPS settings are configured in an IPS sensor. IPS sensors are selected in firewall
policies. This way, you can create multiple IPS sensors, and tailor them to the traffic
controlled by the firewall policy in which they are selected. In this example, you will create
one IPS sensor.
To create an IPS sensor — web-based manager
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select Create New.
3 In the Name field, enter basic_ips.
4 In the Comments field, enter IPS protection for Windows clients.
5 Select OK.
6 In the Filters section, select Create New.
7 In the Name field, enter windows_clients.
8 For Target, select Specify and Client.
9 For OS, select Specify and Windows.
10 Select OK to save the filter.
11 Select OK to save the IPS sensor.
To create an IPS sensor — CLI
config ips sensor
edit basic_ips
set comment "IPS protection for Windows clients"
config filter
edit windows_clients
set location client
set os windows
end
end

Selecting the IPS sensor in a firewall policy
An IPS sensor directs the FortiGate unit to scan network traffic only when it is selected
in a firewall policy. When an IPS sensor is selected in a firewall policy, its settings are
applied to all the traffic the firewall policy handles.
To select the IPS sensor in a firewall policy — web-based manager
1 Go to Firewall > Policy > Policy.
2 Select a policy.
3 Select the Edit icon.
4 Enable UTM.
5 Select the Enable IPS option.
6 Select the basic_ips profile from the list.
7 Select OK to save the firewall policy.
To select the IPS sensor in a firewall policy — CLI
config firewall policy
edit 1
set utm-status enable
set ips-sensor basic_ips
end
All traffic handled by the firewall policy you modified will be scanned for attacks against
Windows clients. A small office may have only one firewall policy configured. If you have
multiple policies, consider enabling IPS scanning for all of them.

Using IPS to protect your web server
Many companies have web servers and they must be protected from attack. Since web
servers must be accessible, protection is not as simple as blocking access. IPS is one tool
your FortiGate unit has to allow you to protect your network.
In this example, we will configure IPS to protect a web server. As shown in Figure 65 on
page 612, a FortiGate unit protects a web server and an internal network. The internal
network will have its own policies and configuration but we will concentrate on the web
server in this example.


Figure 65: A simple network configuration
[Diagram. Labels shown: Internet, External, Port 1, Port 2, Internal network, Web Server: the
Internet connects on Port 1 (External) and the web server and internal network sit behind Port 2.]

The FortiGate unit is configured with:
• a virtual IP to give the web server a unique address accessible from the Internet.
• a firewall policy to allow access to the web server from the Internet using the virtual IP.

To protect the web server using intrusion protection, you need to create an IPS sensor,
populate it with filters, then enable IPS scanning in the firewall policy.
To create an IPS sensor
1 Go to UTM > Intrusion Protection > IPS Sensor and select Create New.
2 Enter web_server as the name of the new IPS sensor.
3 Select OK.
The new IPS sensor is created but it has no filters, and therefore no signatures are
included.
The web server operating system is Linux, so you need to create a filter for all Linux server
signatures.
To create the Linux server filter
1 Go to UTM > Intrusion Protection > IPS Sensor and select the web_server IPS
sensor and select the Edit icon.
2 Select Add Filter.
3 Enter Linux Server as the name of the new filter.
4 For Target, select Specify and choose server.
5 For OS, select Specify and choose Linux.
6 Select OK.
The filter is saved and the IPS sensor page reappears. In the filter list, find the Linux
Server filter and look at the value in the Count column. This shows how many signatures
match the current filter settings. You can select the View Rules icon to see a listing of the
included signatures.
The web server software is Apache, so you need to create a second filter for all Apache
signatures.

To create the Apache filter
1 Go to UTM > Intrusion Protection > IPS Sensor and select the web_server IPS
sensor and select the Edit icon.
2 Select Add Filter.
3 Enter Apache as the name of the new filter.
4 For Application, select Specify and choose Apache from the Available list.
5 Select the right-arrow to move Apache to the Selected list.
6 Select OK.
The filter is saved and the IPS sensor page reappears.
It might seem that you can skip a step and create one filter that specifies both Linux server
and Apache signatures. However, this would include a smaller number of signatures. It would
not include signatures to detect attacks against the operating system directly, for example.
You have created the IPS sensor and the two filters that include the signatures you need.
To have it start scanning traffic, you must edit the firewall policy.
To edit the firewall policy
1 Go to Firewall > Policy > Policy, select the firewall policy that allows access to the web
server, and select the Edit icon.
2 Enable UTM.
3 Select the Enable IPS option and choose the web_server IPS sensor from the list.
4 Select OK.
Since IPS is enabled and the web_server IPS sensor is specified in the firewall policy
controlling the web server traffic, the IPS sensor examines the web server traffic for
matches to the signatures it contains.

Create and test a packet logging IPS sensor
In this example, you create a new IPS sensor and include a filter that detects the EICAR
test file and saves a packet log when it is found. This is an ideal first experience with
packet logging because the EICAR test file can cause no harm, and it is freely available
for testing purposes.
Create an IPS sensor
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select Create New.
3 Name the new IPS sensor EICAR test.
4 Select OK.
Create an Override
1 Select Add Pre-defined Override.
2 Select the signature browse icon.
3 Rather than search through the signature list, use the name filter by selecting the filter
icon in the header of the Name column.
4 In the Filters list, select Name.
5 Select Enable.
6 In the Field selection, choose Contains.

7 Enter EICAR in the Text field.
8 Select OK.
9 Select the EICAR.AV.Test.File.Download signature.
10 Select OK.
11 Select Enable, Logging, and Packet Log.
12 Select OK.
13 Select Block as the Action.
14 Select OK to save the IPS sensor.
You are returned to the IPS sensor list. The EICAR test sensor appears in the list.
Add the IPS sensor to the firewall policy allowing Internet access
1 Go to Firewall > Policy > Policy.
2 Select the firewall policy that allows you to access the Internet.
3 Select the Edit icon.
4 Enable Log Allowed Traffic.
5 Enable UTM.
6 Select Enable IPS.
7 Choose EICAR test from the available IPS sensors.
8 Select OK.
With the IPS sensor configured and selected in the firewall policy, the FortiGate unit
should block any attempt to download the EICAR test file.
Test the IPS sensor
1 Using your web browser, go to http://www.eicar.org/anti_virus_test_file.htm.
2 Scroll to the bottom of the page and select eicar.com from the row labeled as using the
standard HTTP protocol.
3 The browser attempts to download the requested file, and:
• If the file is successfully downloaded, the custom signature configuration failed at
some point. Check the custom signature, the IPS sensor, and the firewall profile.
• If the download is blocked with a high security alert message explaining that you’re
not permitted to download the file, the EICAR test file was blocked by the FortiGate
unit antivirus scanner before the IPS sensor could examine it. Disable antivirus
scanning and try to download the EICAR test file again.
• If no file is downloaded and the browser eventually times out, the custom signature
successfully detected the EICAR test file and blocked the download.
Viewing the packet log
1 Go to Log & Report > Log Access > Attack.
2 Locate the log entry that recorded the EICAR test file block. The
Message field data will be tools: EICAR.AV.Test.File.Download.
3 Select the View Packet Log icon in the Packet Log column.
4 The packet log viewer is displayed.

Creating a custom signature to block access to example.com
In this first example, you will create a custom signature to block access to the
example.com URL.
This example describes the use of the custom signature syntax to block access to a URL.
To create the custom signature entry in the FortiGate unit web-based manager, see
“Creating a custom IPS signature” on page 597.
1 Enter the custom signature basic format
All custom signatures have a header and at least one keyword/value pair. The header
is always the same:
F-SBID( )
The keyword/value pairs appear within the parentheses and each pair is followed by a
semicolon.
2 Choose a name for the custom signature
Every custom signature requires a name, so it is a good practice to assign a name
before adding any other keywords.
Use the --name keyword to assign the custom signature a name. The name value
follows the keyword after a space. Enclose the name value in double-quotes:
F-SBID( --name "Block.example.com"; )
The signature, as it appears here, will not do anything if you try to use it. It has a name,
but does not look for any patterns in network traffic. You must specify a pattern that the
FortiGate unit will search for.
3 Add a signature pattern
Use the --pattern keyword to specify what the FortiGate unit will search for:
F-SBID( --name "Block.example.com"; --pattern "example.com"; )
The signature will now detect the example.com URL appearing in network traffic. The
custom signature should only detect the URL in HTTP traffic, however. Any other traffic
with the URL should be allowed to pass. For example, an email message to or from
example.com should not be stopped.
4 Specify the service
Use the --service keyword to limit the effect of the custom signature to only the
HTTP protocol.
F-SBID( --name "Block.example.com"; --pattern "example.com";
--service HTTP; )
The FortiGate unit will limit its search for the pattern to the HTTP protocol. Even though
the HTTP protocol uses only TCP traffic, the FortiGate will search for HTTP protocol
communication in TCP, UDP, and ICMP traffic. This is a waste of system resources that
you can avoid by limiting the search further, as shown below.
5 Specify the traffic type.
Use the --protocol tcp keyword to limit the effect of the custom signature to only
TCP traffic. This will save system resources by not unnecessarily scanning UDP and
ICMP traffic.
F-SBID( --name "Block.example.com"; --pattern "example.com";
--service HTTP; --protocol tcp; )
The FortiGate unit will limit its search for the pattern to TCP traffic and ignore UDP and
ICMP network traffic.

6 Ignore case sensitivity
By default, patterns are case sensitive. If a user directed his or her browser to
Example.com, the custom signature would not recognize the URL as a match.
Use the --no_case keyword to make the pattern matching case insensitive.
F-SBID( --name "Block.example.com"; --pattern "example.com";
--service HTTP; --no_case; )
Unlike all of the other keywords in this example, the --no_case keyword has no
value. Only the keyword is required.
7 Limit pattern scans to only traffic sent from the client
The --flow command can be used to further limit the network traffic being scanned
to only that sent by the client or by the server.
F-SBID( --name "Block.example.com"; --pattern "example.com";
--service HTTP; --no_case; --flow from_client; )
Web servers do not contact clients until clients first open a communication session.
Therefore, using the --flow from_client command will force the FortiGate to
ignore all traffic from the server. Since the majority of HTTP traffic flows from the server
to the client, this will save considerable system resources and still maintain protection.
8 Specify the context
When the client browser tries to contact example.com, a DNS server is first consulted to
get the example.com server IP address. The IP address is then specified in the URL field
of the HTTP communication. The domain name will still appear in the host field, so this
custom signature will not function without the --context host keyword/value pair.
F-SBID( --name "Block.example.com"; --pattern "example.com";
--service HTTP; --no_case; --flow from_client;
--context host; )

Creating a custom signature to block the SMTP “vrfy” command
The SMTP “vrfy” command can be used to verify the existence of a single email address
or to list all of the valid email accounts on an email server. A spammer could potentially
use this command to obtain a list of all valid email users and direct spam to their inboxes.
In this example, you will create a custom signature to block the use of the vrfy command.
Since the custom signature blocks the vrfy command from coming through the FortiGate
unit, the administrator can still use the command on the internal network.
This example describes the use of the custom signature syntax to block the vrfy
command. To create the custom signature entry in the FortiGate unit web-based manager,
see “Creating a custom IPS signature” on page 597.
1 Enter the custom signature basic format
All custom signatures have a header and at least one keyword/value pair. The header
is always the same:
F-SBID( )
The keyword/value pairs appear within the parentheses and each pair is followed by a
semicolon.
2 Choose a name for the custom signature
Every custom signature requires a name, so it is a good practice to assign a name
before you add any other keywords.
Use the --name keyword to assign the custom signature a name. The name value
follows the keyword after a space. Enclose the name value in double-quotes:
F-SBID( --name "Block.SMTP.VRFY.CMD"; )
The signature, as it appears here, will not do anything if you try to use it. It has a name,
but does not look for any patterns in network traffic. You must specify a pattern that the
FortiGate unit will search for.
3 Add a signature pattern
Use the --pattern keyword to specify what the FortiGate unit will search for:
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; )
The signature will now detect the vrfy command appearing in network traffic. The
custom signature should only detect the command in SMTP traffic, however. Any other
traffic with the pattern should be allowed to pass. For example, an email message
discussing the vrfy command should not be stopped.
4 Specify the service
Use the --service keyword to limit the effect of the custom signature to only the
SMTP protocol.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy";
--service SMTP; )
The FortiGate unit will limit its search for the pattern to the SMTP protocol.
Even though the SMTP protocol uses only TCP traffic, the FortiGate will search for
SMTP protocol communication in TCP, UDP, and ICMP traffic. This is a waste of
system resources that you can avoid by limiting the search further, as shown below.
5 Specify the traffic type.
Use the --protocol tcp keyword to limit the effect of the custom signature to only
TCP traffic. This will save system resources by not unnecessarily scanning UDP and
ICMP traffic.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy";
--service SMTP; --protocol tcp; )
The FortiGate unit will limit its search for the pattern to TCP traffic and ignore the
pattern in UDP and ICMP network traffic.
6 Ignore case sensitivity
By default, patterns are case sensitive. If a client sent the command as VRFY or Vrfy,
the custom signature would not recognize it as a match.
Use the --no_case keyword to make the pattern matching case insensitive.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy";
--service SMTP; --no_case; )
Unlike all of the other keywords in this example, the --no_case keyword has no
value. Only the keyword is required.
7 Specify the context
The SMTP vrfy command will appear in the SMTP header. The --context header
keyword/value pair allows you to limit the pattern search to only the header.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy";
--service SMTP; --no_case; --context header; )
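The two walkthroughs above (Block.example.com and Block.SMTP.VRFY.CMD) build a signature one keyword at a time. The Python below is an added example written for this page, not FortiOS code and not from the handbook: it parses F-SBID( ... ) text into keyword/value pairs and evaluates the two finished signatures against constructed traffic records, so the effect of --service, --no_case and --context can be checked directly. The parser, the Traffic record, the rule that a signature with no --context searches the payload body, and the sample traffic are all assumptions made for the illustration; the page does not describe how the IPS engine itself performs the match.

```python
import re
from dataclasses import dataclass

# F-SBID( --keyword value; --flag; ... ): a fixed header plus keyword/value pairs,
# each terminated by a semicolon; quoted values may contain spaces. Simplified
# model for illustration only, not the FortiGate IPS engine.
_HEADER = re.compile(r"^\s*F-SBID\(\s*(?P<body>.*?)\s*\)\s*$", re.S)
_PAIR = re.compile(r'--(?P<key>[A-Za-z_]+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^;"]+?)))?\s*;')


def parse_signature(text):
    """Return the keyword/value pairs of a custom signature as a dict.
    Keywords that take no value (such as --no_case) map to True."""
    m = _HEADER.match(text)
    if not m:
        raise ValueError("custom signature must be wrapped in F-SBID( ... )")
    body, pos, sig = m.group("body"), 0, {}
    for pm in _PAIR.finditer(body):
        gap = body[pos:pm.start()]
        if gap.strip():
            raise ValueError("unparsed text in signature: %r" % gap)
        value = pm.group("quoted") if pm.group("quoted") is not None else pm.group("bare")
        sig[pm.group("key")] = True if value is None else value.strip()
        pos = pm.end()
    if body[pos:].strip():
        raise ValueError("unparsed text in signature: %r" % body[pos:])
    if "name" not in sig:
        raise ValueError("every custom signature requires --name")
    return sig


@dataclass
class Traffic:
    """One direction of one session as a decoder might present it. `fields` holds
    the named contexts a signature may search (host, uri, header, body); the body
    is searched when the signature names no --context (modelling assumption)."""
    service: str     # HTTP, SMTP, ...
    protocol: str    # tcp, udp, icmp
    flow: str        # from_client or from_server
    fields: dict


def matches(sig, traffic):
    """Evaluate a parsed signature against one piece of traffic."""
    if "service" in sig and sig["service"].upper() != traffic.service.upper():
        return False
    if "protocol" in sig and sig["protocol"].lower() != traffic.protocol.lower():
        return False
    if "flow" in sig and sig["flow"] != traffic.flow:
        return False
    pattern = sig.get("pattern")
    if pattern is None:
        return False                       # a name alone looks for nothing (step 2)
    haystack = traffic.fields.get(sig.get("context", "body"), "")
    if sig.get("no_case"):
        pattern, haystack = pattern.lower(), haystack.lower()
    return pattern in haystack


# The two signatures as finished in the steps above.
BLOCK_EXAMPLE_COM = ('F-SBID( --name "Block.example.com"; --pattern "example.com"; '
                     '--service HTTP; --no_case; --flow from_client; --context host; )')
BLOCK_VRFY = ('F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; '
              '--service SMTP; --no_case; --context header; )')

# Constructed sample traffic (not captured from any real network).
BROWSER_REQUEST = Traffic("HTTP", "tcp", "from_client",
                          {"host": "Example.com", "uri": "/index.html",
                           "header": "GET /index.html HTTP/1.1\r\nHost: Example.com", "body": ""})
VRFY_COMMAND = Traffic("SMTP", "tcp", "from_client", {"header": "VRFY alice", "body": ""})
MAIL_ABOUT_VRFY = Traffic("SMTP", "tcp", "from_client",
                          {"header": "DATA", "body": "Please stop issuing vrfy on our relay."})


if __name__ == "__main__":
    print("example.com request blocked:", matches(parse_signature(BLOCK_EXAMPLE_COM), BROWSER_REQUEST))
    print("VRFY command blocked:       ", matches(parse_signature(BLOCK_VRFY), VRFY_COMMAND))
    print("mail discussing vrfy blocked:", matches(parse_signature(BLOCK_VRFY), MAIL_ABOUT_VRFY))
```

Removing --no_case from the first signature makes the mixed-case Host value miss; removing --context host makes the match fall back to the empty body and miss too, which is the point step 8 makes. For the SMTP signature, --context header is what keeps an email that merely mentions vrfy from being blocked (step 3's concern).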

Configuring a Fortinet Security Processing module
The Example Corporation has a web site that is the target of SYN floods. While they
investigate the source of the attacks, it’s very important that the web site remain
accessible. To enhance the ability of the company’s FortiGate-620B to deal with SYN
floods, the administrator will install an ASM-CE4 Fortinet Security Processing module and
have all external access to the web server come through it.
The security processing modules not only accelerate and offload network traffic from the
FortiGate unit’s processor, but they also accelerate and offload security and content
scanning. The ability of the security module to accelerate IPS scanning and DoS
protection greatly enhances the defense capabilities of the FortiGate-620B.

Assumptions
As shown in other examples and network diagrams throughout this document, the
Example Corporation has a pair of FortiGate-620B units in an HA cluster. To simplify this
example, the cluster is replaced with a single FortiGate-620B.
An ASM-CE4 is installed in the FortiGate-620B.
The network is configured as shown in Figure 66.

Network configuration
The Example Corporation network needs minimal changes to incorporate the ASM-CE4.
Interface amc-sw1/1 of the ASM-CE4 is connected to the Internet and interface
amc-sw1/2 is connected to the web server.
Since the main office network is connected to port2 and the Internet is connected to port1,
a switch is installed to allow both port1 and amc-sw1/1 to be connected to the Internet.
Figure 66: The FortiGate-620B network configuration
[Diagram. Interfaces and addresses shown:
  port1: 172.20.120.141 (to the switch and the Internet)
  port2: 10.11.101.100 (internal network)
  amc-sw1/1: 172.20.120.212 (to the switch and the Internet)
  amc-sw1/2: 10.11.201.100 (web server side)
  Web server: 10.11.201.120]

The switch used to connect port1 and amc-sw1/1 to the Internet must be able to handle
any SYN flood, all of the legitimate traffic to the web site, and all of the traffic to and from
the Example Corporation internal network. If the switch cannot handle the bandwidth, or if
the connection to the service provider cannot provide the required bandwidth, traffic will
be lost.

Security module configuration
The Fortinet security modules come configured to give equal priority to content inspection
and firewall processing. The Example Corporation is using an ASM-CE4 module to defend
its web server against SYN flood attacks, so firewall processing is a secondary
consideration.
Use these CLI commands to configure the security module in ASM slot 1 to devote more
resources to content processing, including DoS and IPS, than to firewall processing.
config system amc-slot
    edit sw1
        set optimization-mode fw-ips
        set ips-weight balanced
        set ips-p2p disable
        set ips-fail-open enable
        set fp-disable none
        set ipsec-inb-optimization enable
        set syn-proxy-client-timer 3
        set syn-proxy-server-timer 3
    end
These settings do not disable firewall processing. Rather, when the security module nears
its processing capacity, it will choose to service content inspection over firewall processing.

DoS sensor configuration
Defend against anomaly-based attacks using a DoS sensor. For the SYN floods launched
against the Example Corporation web site, the tcp_syn_flood anomaly is the best defense.
Create a DoS sensor for SYN flood protection
1 Go to UTM > Intrusion Protection > DoS Sensor.
2 Select Create New.
3 Enter Web site SYN protection for the DoS sensor name.
4 Select OK to create the sensor.
The default tcp_syn_flood threshold is 2000. This means that the configured action will be
triggered when the number of TCP packets with the SYN flag set exceeds 2000 per
second.
For some applications, this value will be too high, while for others it will be too low. One
way to find the correct values for your environment is to set the action to Pass and enable
logging. Observe the logs and adjust the threshold values until you can determine the
value at which normal traffic begins to generate attack reports. Set the threshold above
this value with the margin you want. Note that the smaller the margin, the more protected
your network will be from DoS attacks, but your network traffic will also be more likely to
generate false alarms.
Configure a DoS sensor for SYN flood protection
1 Go to UTM > Intrusion Protection > DoS Sensor.
2 Select the Web site SYN protection sensor and select the Edit icon.
3 Select Enable and Logging for the tcp_syn_flood anomaly.
4 Select the Proxy action for the tcp_syn_flood anomaly.
5 Enter the threshold value for the tcp_syn_flood anomaly.
6 Select OK.
With the action configured as Proxy, TCP packets with the SYN flag set will be passed
until the threshold value is exceeded. At that point, TCP packets with the SYN flag set will
be proxied until their numbers fall below the threshold value.
The ASM-CE4 security module will intercept the packet, and reply to the client with a TCP
packet that has the SYN and ACK flags set. If the connection request is legitimate, the
client will reply with a packet that has the ACK flag set. The ASM-CE4 will then ‘replay’ this
exchange to the server and allow the client and server to communicate directly.
If the client does not reply with the expected packet, the ASM-CE4 will close the
connection. Therefore, if the security module receives a flood of SYN packets, they will be
blocked. Only the legitimate connections will be allowed through to the server.

DoS policy configuration
Before the DoS sensor can begin examining network traffic, you must create and
configure a DoS policy and specify the DoS sensor.
Create a DoS policy
1 Go to Firewall > DoS Policy.
2 Select Create New.
3 Select amc-sw1/1 for Source Interface/Zone.
4 Select all for Source Address.
5 Select all for Destination Address.
6 Select ANY for Service.
7 Enable DoS Sensor and select the Web site SYN protection sensor from the list.
8 Select OK.

Virtual IP configuration
Traffic destined for the web server will arrive at the amc-sw1/1 interface. You must create
a virtual IP mapping to have the ASM-CE4 direct the traffic to the web server.
Create a virtual IP mapping
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 In the Name field, enter web_server.
4 Select amc-sw1/1 as the External Interface.
5 Enter 172.20.120.212 as the External IP Address/Range.
6 Enter 10.11.201.120 as the Mapped IP Address/Range.
7 Select OK.

Firewall policy configuration
A firewall policy is required to allow traffic through to the web server. Further, the firewall
policy must include the virtual IP so the traffic is directed to the web server.

Create a firewall policy
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Select amc-sw1/1 for the Source Interface/Zone.
4 Select all for the Source Address.
5 Select amc-sw1/2 for the Destination Interface/Zone.
6 Select web_server for the Destination Address.
7 Select Enable NAT.
8 Select OK.
Attempts to connect to 172.20.120.212 will be forwarded to the web server with this
firewall policy in place.

View proxy statistics
With a FortiGate security module installed, a CLI command displays the current proxy
statistics.
At the CLI prompt, type execute npu-cli /dev/ce4_0 showsynproxy. The last
nine lines will list the proxy statistics:
Total Proxied TCP Connections: 434055223
Working Proxied TCP Connections: 515699
Retired TCP Connections: 433539524
Valid TCP Connections: 0
Attacks, No Ack From Client: 433539524
No SynAck From Server: 0
Rst By Server (service not supported): 0
Client timeout setting: 3 Seconds
Server timeout setting: 3 Seconds

Total Proxied TCP Connections
    The number of proxied TCP connection attempts since the FortiGate unit was
    restarted. This value is the sum of the working and retired connection totals.
Working Proxied TCP Connections
    The number of TCP connection attempts currently being proxied.
Retired TCP Connections
    The number of proxied TCP connection attempts dropped or allowed. These
    connection attempts are no longer being serviced. This value is the sum of the
    valid and attacks totals.
Valid TCP Connections
    The number of valid proxied TCP connection attempts.
Attacks, No Ack From Client
    The number of proxied TCP connection attempts in which the client did not
    reply. These are typically attacks.
No SynAck From Server
    The number of valid client connection attempts in which the server does not
    reply.
Rst By Server (service not supported)
    The number of valid client connection attempts in which the server resets the
    connection.
Client timeout setting
    The client time-out duration.
Server timeout setting
    The server time-out duration.
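The Proxy action described under the DoS sensor and the counters listed by showsynproxy, worked as a small simulation. This is an added example, not Fortinet code: SYNs are passed while the per-second count is within the tcp_syn_flood threshold and proxied above it; a proxied attempt becomes Valid when the client ACKs within the client timeout and is retired as Attacks, No Ack From Client otherwise. The event timeline, the server model and the small threshold used in simulate_flood are constructed for illustration.

```python
"""Simulation of the SYN proxy behaviour and counters described above.
Added example, not Fortinet code: the event timeline, the server model and
the small threshold are constructed to follow the handbook's description."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SynProxyStats:
    """Counters named after the showsynproxy output."""
    total: int = 0                  # Total Proxied TCP Connections
    working: int = 0                # Working Proxied TCP Connections
    retired: int = 0                # Retired TCP Connections
    valid: int = 0                  # Valid TCP Connections
    attacks_no_ack: int = 0         # Attacks, No Ack From Client
    no_synack_from_server: int = 0  # No SynAck From Server
    rst_by_server: int = 0          # Rst By Server (service not supported)

    def consistent(self) -> bool:
        """Invariants stated in the counter descriptions above."""
        return (self.total == self.working + self.retired
                and self.retired == self.valid + self.attacks_no_ack)


class SynProxy:
    """Pass SYNs while the per-second count is within the threshold, proxy the
    handshake above it, and retire attempts the client never completes."""

    def __init__(self, threshold=2000, client_timeout=3.0, server_reply="synack"):
        self.threshold = threshold              # tcp_syn_flood threshold (SYNs/second)
        self.client_timeout = client_timeout    # syn-proxy-client-timer, seconds
        self.server_reply = server_reply        # constructed server model: synack, none, rst
        self.stats = SynProxyStats()
        self.syn_per_second = defaultdict(int)  # one-second bucket -> SYN count
        self.pending = {}                       # client -> time the proxy sent SYN/ACK
        self.passed = 0                         # SYNs forwarded unproxied

    def _expire(self, now):
        """Retire proxied attempts whose client never sent the final ACK."""
        for client, t in list(self.pending.items()):
            if now - t > self.client_timeout:
                del self.pending[client]
                self.stats.working -= 1
                self.stats.retired += 1
                self.stats.attacks_no_ack += 1

    def on_syn(self, now, client):
        self._expire(now)
        bucket = int(now)
        self.syn_per_second[bucket] += 1
        if self.syn_per_second[bucket] <= self.threshold:
            self.passed += 1    # within threshold: the SYN goes straight to the server
            return "passed"
        # Above threshold: the proxy answers SYN/ACK itself and waits for the ACK
        self.pending[client] = now
        self.stats.total += 1
        self.stats.working += 1
        return "proxied"

    def on_ack(self, now, client):
        self._expire(now)
        if client not in self.pending:
            return "ignored"    # not a proxied handshake, or already timed out
        del self.pending[client]
        self.stats.working -= 1
        self.stats.retired += 1
        self.stats.valid += 1   # handshake completed: replay it to the server
        if self.server_reply == "none":
            self.stats.no_synack_from_server += 1
        elif self.server_reply == "rst":
            self.stats.rst_by_server += 1
        return "completed"

    def tick(self, now):
        """Advance time with no packet, expiring stale handshakes."""
        self._expire(now)


def simulate_flood(threshold=5):
    """Constructed timeline: a few normal clients, then a burst of spoofed SYNs
    that never complete, with one legitimate client caught inside the burst."""
    proxy = SynProxy(threshold=threshold)
    for i in range(3):                        # normal traffic, one SYN per second
        proxy.on_syn(float(i), f"legit{i}")
        proxy.on_ack(float(i) + 0.1, f"legit{i}")
    for i in range(20):                       # 20 SYNs inside second 10, never ACKed
        proxy.on_syn(10.0 + i * 0.01, f"spoofed{i}")
    proxy.on_syn(10.5, "legit_in_flood")      # real client during the flood
    proxy.on_ack(10.6, "legit_in_flood")
    proxy.tick(14.0)                          # past the 3-second client timeout
    return proxy


if __name__ == "__main__":
    p = simulate_flood()
    print(p.stats, "passed unproxied:", p.passed)
```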

Web filter
This section describes FortiGate web filtering for HTTP traffic. The three main parts of the
web filtering function, the Web Content Filter, the URL Filter, and the FortiGuard Web
Filtering Service, interact with each other to provide maximum control over what the
Internet user can view as well as protection for your network from many Internet content
threats. The Web Content Filter blocks web pages containing words or patterns that you
specify. URL filtering uses URLs and URL patterns to block or exempt web pages from
specific sources. FortiGuard Web Filtering provides many additional categories you can
use to filter web traffic.
This section describes the Web Content Filter and URL Filter functions. For information on
FortiGuard Web Filtering, see “FortiGuard Web Filter” on page 639.
The following topics are included in this section:
• Web filter concepts
• Web content filter
• URL filter
• SafeSearch
• Advanced web filter configuration
• Web filtering example

Web filter concepts
Web filtering is a means of controlling the content that an Internet user is able to view.
With the popularity of web applications, the need to monitor and control web access is
becoming a key component of secure content management systems that employ
antivirus, web filtering, and messaging security. Important reasons for controlling web
content include:
• lost productivity because employees are accessing the web for non-business reasons
• network congestion: when valuable bandwidth is used for non-business purposes,
legitimate business applications suffer
• loss or exposure of confidential information through chat sites, non-approved email
systems, instant messaging, and peer-to-peer file sharing
• increased exposure to web-based threats as employees surf non-business-related
web sites
• legal liability when employees access/download inappropriate and offensive material
• copyright infringement caused by employees downloading and/or distributing
copyrighted material.

As the number and severity of threats increase on the World Wide Web, the risk potential
increases within a company's network as well. Casual non-business related web surfing
has caused many businesses countless hours of legal litigation as hostile environments
have been created by employees who download and view offensive content. Web-based
attacks and threats are also becoming increasingly sophisticated. Threats and web-based
applications that cause additional problems for corporations include:
• spyware/grayware
• phishing
• pharming
• instant messaging
• peer-to-peer file sharing
• streaming media
• blended network attacks.

Spyware, also known as grayware, is a type of computer program that attaches itself to a
user’s operating system. It does this without the user’s consent or knowledge. It usually
ends up on a computer because of something the user does such as clicking on a button
in a pop-up window. Spyware can track the user’s Internet usage, cause unwanted pop-up
windows, and even direct the user to a host web site. For further information, visit the
FortiGuard Center.
Some of the most common ways of grayware infection include:
• downloading shareware, freeware, or other forms of file-sharing services
• clicking on pop-up advertising
• visiting legitimate web sites infected with grayware.

Phishing is the term used to describe attacks that use web technology to trick users into
revealing personal or financial information. Phishing attacks use web sites and email that
claim to be from legitimate financial institutions to trick the viewer into believing that they
are legitimate. Although phishing is initiated by spam email, getting the user to access the
attacker’s web site is always the next step.
Pharming is a next generation threat that is designed to identify and extract financial and
other key pieces of information for identity theft. Pharming is much more dangerous than
phishing because it is designed to be completely hidden from the end user. Unlike
phishing attacks that send out spam email requiring the user to click to a fraudulent URL,
pharming attacks require no action from the user outside of their regular web surfing
activities. Pharming attacks succeed by redirecting users from legitimate web sites to
similar fraudulent web sites that have been created to look and feel like the authentic web
site.
Instant messaging presents a number of problems. Instant messaging can be used to
infect computers with spyware and viruses. Phishing attacks can be made using instant
messaging. There is also a danger that employees may use instant messaging to release
sensitive information to an outsider.
Peer-to-peer (P2P) networks are used for file sharing. Such files may contain viruses.
Peer-to-peer applications not only take up valuable network resources and may lower
employee productivity, but also have legal implications with the downloading of copyrighted
or sensitive company material.
Streaming media is a method of delivering multimedia, usually in the form of audio or
video to Internet users. Viewing streaming media impacts legitimate business by using
valuable bandwidth.
Blended network threats are rising and the sophistication of network threats is
increasing with each new attack. Attackers learn from each previous successful attack and
enhance and update attack code to become more dangerous and fast spreading. Blended
attacks use a combination of methods to spread and cause damage. Using virus or
network worm techniques combined with known system vulnerabilities, blended threats
can quickly spread through email, web sites, and Trojan applications. Examples of
blended threats include Nimda, Code Red, Slammer, and Blaster. Blended attacks can be
designed to perform different types of attacks, which include disrupting network services,
destroying or stealing information, and installing stealthy backdoor applications to grant
remote access.

Different ways of controlling access
The methods available for monitoring and controlling Internet access range from manual
and educational methods to fully automated systems designed to scan, inspect, rate and
control web activity.
Common web access control mechanisms include:
• establishing and implementing a well-written usage policy in the organization on proper
Internet, email, and computer conduct
• installing monitoring tools that record and report on Internet usage
• implementing policy-based tools that capture, rate, and block URLs.

The final method is the focus of this topic. The following information shows how the filters
interact and how to use them to your advantage.

Order of web filtering
The FortiGate unit applies web filters in a specific order:
1 URL filter
2 FortiGuard Web Filter
3 web content filter
4 web script filter
5 antivirus scanning.
If you have blocked a FortiGuard Web Filter category but want certain users to have
access to URLs within that pattern, you can use the Override within the FortiGuard Web
Filter. This will allow you to specify which users have access to which blocked URLs and
how long they have that access. For example, if you want a user to be able to access
www.example.com for one hour, you can use the override to set up the exemption. Any
user listed in an override must fill out an online authentication form that is presented when
they try to access a blocked URL before the FortiGate unit will grant access to it. For more
information, see “FortiGuard Web Filter” on page 639.

Web content filter
You can control web content by blocking access to web pages containing specific words or
patterns. This helps to prevent access to pages with questionable material. You can also
add words, phrases, patterns, wild cards and Perl regular expressions to match content on
web pages. You can add multiple web content filter lists and then select the best web
content filter list for each web filter profile.
Enabling web content filtering involves three separate parts of the FortiGate configuration.
• The firewall policy allows certain network traffic based on the sender, receiver,
interface, traffic type, and time of day.
• The web filter profile specifies what sort of web filtering is applied.
• The web content filter list contains blocked and exempt patterns.

The web content filter feature scans the content of every web page that is accepted by a
firewall policy. The system administrator can specify banned words and phrases and
attach a numerical value, or score, to the importance of those words and phrases. When
the web content filter scan detects banned content, it adds the scores of banned words
and phrases in the page. If the sum is higher than a threshold set in the web filter profile,
the FortiGate unit blocks the page.

General configuration steps
Follow the configuration procedures in the order given. Also, note that if you perform any
additional actions between procedures, your configuration may have different results.
1 Create a web content filter list.
2 Add patterns of words, phrases, wildcards, and regular expressions that match the
content to be blocked or exempted.
You can add the patterns in any order to the list. You need to add at least one pattern
that blocks content.
3 In a web filter profile, enable the web content filter and select a web content filter list
from the options list.
To complete the configuration, you need to select a firewall policy or create a new one.
Then, in the firewall policy, enable UTM and select the appropriate web filter profile from
the list.

Creating a web filter content list
You can create multiple content lists and then select the best one for each web filter
profile.
To create a web filter content list
1 Go to UTM > Web Filter > Web Content Filter.
2 Select Create New.
3 Enter a Name for the new list.
4 Enter optional comments to identify the list.
5 Select OK.

Configuring a web content filter list
Once you have created the web filter content list, you need to add web content patterns to
it. There are two types of patterns: Wildcard and Regular Expression.
You use the Wildcard setting to block or exempt one word or text strings of up to 80
characters. You can also use the wildcard symbols, such as “*” or “?”, to represent one or
more characters. For example, as a wildcard expression, forti*.com will match fortinet.com
and forticare.com. The “*” represents any kind of character appearing any number of
times.
You use the Regular Expression setting to block or exempt patterns of Perl expressions,
which use some of the same symbols as wildcard expressions, but for different purposes.
The “*” represents the character before the symbol. For example, forti*.com will match
fortiii.com but not fortinet.com or fortiice.com. The symbol “*” represents “i” in this case,
appearing any number of times.
The maximum number of web content patterns in a list is 5000.

To add a web content pattern
1 Go to UTM > Web Filter > Web Content Filter.
2 Select the web content filter list and choose Edit.
3 Select Create New.
4 Select Block or Exempt, as required, from the Action list.
5 Enter the content Pattern.
6 Select a Pattern Type from the drop-down list.
7 Select a Language for the pattern from the drop-down list if you need to change the
default.
8 Enter a score for the banned pattern.
The score can be left at the default value or set to another value. For more information,
see “How content is evaluated” on page 627.
9 Select Enable.
10 Select OK.

How content is evaluated
Every time the web content filter detects banned content on a web page, it adds the score
for that content to the sum of scores for that web page. You set this score when you create
a new pattern to block the content. The score can be any number from zero to 99999.
Higher scores indicate more offensive content. When the sum of scores equals or exceeds
the threshold score, the web page is blocked. The default score for web content filter is 10
and the default threshold is 10. This means that by default a web page is blocked by a
single match. Blocked pages are replaced with a message indicating that the page is not
accessible according to the Internet usage policy.
Banned words or phrases are evaluated according to the following rules:
• The score for each word or phrase is counted only once, even if that word or phrase
appears many times in the web page.
• The score for any word in a phrase without quotation marks is counted.
• The score for a phrase in quotation marks is counted only if it appears exactly as
written.

The following table describes how these rules are applied to the contents of a web page.
Consider the following, a web page that contains only this sentence: “The score for each
word or phrase is counted only once, even if that word or phrase appears many times in
the web page.”
Table 67: Banned Pattern Rules

Banned pattern | Assigned score | Score added to the sum for the entire page | Threshold score | Comment
word | 20 | 20 | 20 | Appears twice but only counted once. Web page is blocked.
word phrase | 20 | 40 | 20 | Each word appears twice but only counted once, giving a total score of 40. Web page is blocked.
word sentence | 20 | 20 | 20 | “word” appears twice, “sentence” does not appear, but since any word in a phrase without quotation marks is counted, the score for this pattern is 20. Web page is blocked.
“word sentence” | 20 | 0 | 20 | This phrase does not appear exactly as written. Web page is allowed.
“word or phrase” | 20 | 20 | 20 | This phrase appears twice but is counted only once. Web page is blocked.
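The scoring rules and Table 67 above, together with the Wildcard and Regular Expression pattern types described under "Configuring a web content filter list", worked as a small model. This is an added example, not FortiOS code: the page text is the sentence used for Table 67, quoted phrases are written with straight double quotes, and whole-word matching is an assumption about how the filter matches a term.

```python
"""Worked model of the web content filter scoring rules and Table 67 above.
Added example, not FortiOS code: the page text is the Table 67 sentence and the
pattern semantics follow the rules stated in this section."""
import re

# Constructed page content: the only sentence on the Table 67 web page.
PAGE = ("The score for each word or phrase is counted only once, even if that "
        "word or phrase appears many times in the web page.")


def _to_regex(term, pattern_type):
    """Wildcard: '*' is any run of characters, '?' one character, rest literal.
    Regular Expression: the term is used as a Perl-style regex as written."""
    if pattern_type == "regex":
        return term
    return re.escape(term).replace(r"\*", ".*").replace(r"\?", ".")


def term_found(term, text, pattern_type="wildcard"):
    """True if the term occurs in text as a whole word (case-insensitive);
    whole-word matching is an assumption of this model."""
    rx = r"(?<!\w)" + _to_regex(term, pattern_type) + r"(?!\w)"
    return re.search(rx, text, re.IGNORECASE) is not None


def pattern_score(pattern, score, text, pattern_type="wildcard"):
    """Score one banned pattern contributes to a page: a quoted phrase counts
    once, and only if it appears exactly as written; for an unquoted phrase
    every word that appears counts, each at most once."""
    if len(pattern) >= 2 and pattern[0] == '"' and pattern[-1] == '"':
        return score if term_found(pattern[1:-1], text, pattern_type) else 0
    return sum(score for word in pattern.split()
               if term_found(word, text, pattern_type))


def page_is_blocked(patterns, text, threshold=10):
    """patterns: (pattern, score) or (pattern, score, type) tuples.
    Returns (blocked, total); the page is blocked when total >= threshold.
    The default score and threshold are both 10, so one match blocks."""
    total = 0
    for entry in patterns:
        ptype = entry[2] if len(entry) > 2 else "wildcard"
        total += pattern_score(entry[0], entry[1], text, ptype)
    return total >= threshold, total


if __name__ == "__main__":
    for pat in ["word", "word phrase", "word sentence",
                '"word sentence"', '"word or phrase"']:
        print(pat, page_is_blocked([(pat, 20)], PAGE, threshold=20))
```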

Enabling the web content filter and setting the content threshold
When you enable the web content filter, the web filter will block any web pages when the
sum of scores for banned content on that page exceeds the content block threshold. The
threshold will be disregarded for any exemptions within the web filter list.
To enable the web content filter and set the content block threshold
1 Go to UTM > Web Filter > Profile.
2 Select Create New to add a new web filter profile or select an existing profile and
choose Edit.
3 Select Web Content Filter.
4 Select the web content list in the Option column.
5 Enter the threshold for the web content filter.
6 Select OK.

URL filter
You can allow or block access to specific URLs by adding them to the URL filter list. You
add the URLs by using patterns containing text and regular expressions. The FortiGate
unit allows or blocks web pages matching any specified URLs or patterns and displays a
replacement message instead.
Note: URL blocking does not block access to other services that users can access with a
web browser. For example, URL blocking does not block access to ftp://ftp.example.com.
Instead, use firewall policies to deny ftp connections.

When adding a URL to the URL filter list, follow these rules:
• Type a top-level URL or IP address to control access to all pages on a web site. For
example, www.example.com or 192.168.144.155 controls access to all pages at
this web site.
• Enter a top-level URL followed by the path and file name to control access to a single
page on a web site. For example, www.example.com/news.html or
192.168.144.155/news.html controls access to the news page on this web site.
• To control access to all pages with a URL that ends with example.com, add
example.com to the filter list. For example, adding example.com controls access to
www.example.com, mail.example.com, www.finance.example.com, and so on.
• Control access to all URLs that match patterns using text and regular expressions (or
wildcard characters). For example, example.* matches example.com, example.org,
example.net and so on.
Note: URLs with an action set to exempt or pass are not scanned for viruses. If users on
the network download files through the FortiGate unit from a trusted web site, add the URL
of this web site to the URL filter list with an action to pass it so the FortiGate unit does not
virus scan files downloaded from this URL.

URL filter actions
You can select one of four actions for URL patterns you include in URL filter lists.

Block
Attempts to access any URLs matching the URL pattern are denied. The user will be
presented with a replacement message.

Allow
Any attempt to access a URL that matches a URL pattern with an allow action is
permitted. The traffic is passed to the remaining antivirus proxy operations, including
FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning.
Allow is the default action. If a URL does not appear in the URL list, it is permitted.

Pass
Traffic to, and reply traffic from, sites matching a URL pattern with a pass action will
bypass all antivirus proxy operations, including FortiGuard Web Filter, web content filter,
web script filters, and antivirus scanning.
Make sure you trust the content of any site you pass.

Exempt
Exempt is similar to Pass in that it allows trusted traffic to bypass the antivirus proxy
operations, but it functions slightly differently. In general, if you’re not certain that you need
to use the Exempt action, use Pass.
HTTP 1.1 connections are persistent unless declared otherwise. This means the
connections will remain in place until closed or the connection times out. When a client
loads a web page, the client opens a connection to the web server. If the client follows a
link to another page on the same site before the connection times out, the same
connection is used to request and receive the page data.

When you add a URL pattern to a URL filter list and apply the Exempt action, traffic sent to,
and reply traffic from, sites matching the URL pattern will bypass all antivirus proxy
operations, as with the Pass action. The difference is that the connection itself inherits the
exemption. This means that all subsequent reuse of the existing connection will also
bypass all antivirus proxy operations. When the connection times out, the exemption is
cancelled.
For example, consider a URL filter list that includes example.com/files configured
with the Exempt action. A user opens a web browser and downloads a file from the URL
example.com/sample.zip. This URL does not match the URL pattern so it is scanned
for viruses. The user then downloads example.com/files/beautiful.exe and since
this URL does match the pattern, the connection itself inherits the exempt action. The user
then downloads example.com/virus.zip. Although this URL does not match the
exempt URL pattern, a previously visited URL did, and since the connection inherited the
exempt action and was re-used to download a file, the file is not scanned.
If the user next goes to an entirely different server, like example.org/photos, the
connection to the current server cannot be reused. A new connection to example.org is
established. This connection is not exempt. Unless the user goes back to example.com
before the connection to that server times out, the server will close the connection. If the
user returns after the connection is closed, a new connection to example.com is created
and it is not exempt until the user visits a URL that matches the URL pattern.
Web servers typically have short time-out periods. A browser will download multiple
components of a web page as quickly as possible by opening multiple connections. A web
page that includes three photos will load more quickly if the browser opens four
connections to the server and downloads the page and the three photos at the same time.
A short time-out period on the connections will close the connections faster, allowing the
server to avoid unnecessarily allocating resources for a long period. The HTTP session
time-out is set by the server and will vary with the server software, version, and
configuration.
Using the exempt action can have unintended consequences in certain circumstances.
Suppose you have a web site at example.com and, since you control the site, you trust its
contents and configure example.com as exempt. But example.com is hosted on a shared
server with a dozen other sites, each with a unique domain name. Because of the shared
hosting, they also share the same IP address. If you visit example.com, your connection to
your site becomes exempt from any antivirus proxy operations. Visits to any of the 12 other
sites on the same server will reuse the same connection, and the data you receive is
exempt from scanning.
The exempt action is not suitable for configurations in which connections through the
FortiGate unit use an external proxy. For example, suppose you use proxy.example.net for
all outgoing web access and, as in the first example, the URL filter list includes a URL
pattern of example.com/files configured with the Exempt action. Users are protected
by the antivirus protection of the FortiGate unit until a user visits a URL that matches the
example.com/files URL pattern. The pattern is configured with the Exempt action, so
the connection to the server inherits the exemption. With a proxy, however, the connection
is from the user to the proxy. Therefore, the user is entirely unprotected until the
connection times out, no matter what site he visits.
Ensure you are aware of the network topology involving any URLs to which you apply the
Exempt action.

Examples using exempt and pass actions
These examples illustrate the differences between the exempt and pass actions.
The URL filter list in use has a single entry: www.example.com/files/content/
• With an exempt action, the user downloads the file
www.example.com/files/content/eicar.com. This URL matches the URL filter
list entry so the file is not scanned. Further, the connection itself inherits the exemption.
The user next downloads www.example.com/virus/eicar.com. Although this
does not match the URL filter list entry, the existing connection to example.com will be
used so the file is not scanned.
• With a pass action, the user downloads the file
www.example.com/files/content/eicar.com. This URL matches the URL filter
list entry so the file is not scanned. The user next downloads
www.example.com/virus/eicar.com. This does not match the URL filter entry so
it will be scanned. The pass action does not affect the connection and every URL the
user accesses is checked against the URL filter list.


The URL filter list in use has a single entry: www.example.com/files/content/. The
user’s browser is configured to use an external web proxy. All user browsing takes
advantage of this proxy.
• With an exempt action, the user downloads
www.example.com/files/content/eicar.com through the proxy. This matches
the URL filter list entry so the file is not scanned. Further, the connection to the proxy
inherits the exemption. The user next downloads
www.eicar.org/virus/eicar.com through the proxy. Although this does not
match the URL filter list entry, the existing connection to the proxy will be used so the
file is not scanned. In fact, until the user stops browsing long enough for the connection
to time out, all the user web traffic is exempt and will not be scanned.
• With a pass action, the user downloads
www.example.com/files/content/eicar.com through the proxy. This matches
the URL filter list entry so the file is not scanned. The user next downloads
www.eicar.org/virus/eicar.com through the proxy. This does not match the
URL filter entry so it will be scanned. The pass action does not affect the connection
and every URL the user accesses is checked against the URL filter list.
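The exempt and pass examples above, and the shared-hosting case from the preceding discussion, modelled as a small simulation of a browser reusing persistent connections. This is an added example, not FortiOS code: the prefix-match entry type, the 5-second idle timeout, the proxy handling and the constructed DNS map are illustrative assumptions.

```python
"""Model of how the Pass and Exempt URL filter actions interact with persistent
HTTP connections, following the examples above. Added example, not FortiOS code:
the connection model, idle timeout, proxy handling and DNS map are constructed."""


class UrlFilterModel:
    """Simple-type URL filter entries (prefix match) applied to a browser that
    reuses one persistent connection per server IP (or per proxy)."""

    def __init__(self, entries, idle_timeout=5.0, proxy=None, dns=None):
        self.entries = entries            # list of (url_prefix, action)
        self.idle_timeout = idle_timeout  # constructed server keep-alive timeout
        self.proxy = proxy                # external proxy host, if the browser uses one
        self.dns = dns or {}              # constructed host -> IP map (shared hosting)
        self.connections = {}             # connection key -> {"last": t, "exempt": bool}

    def action_for(self, url):
        for prefix, action in self.entries:
            if url.startswith(prefix):
                return action
        return "Allow"                    # not in the list: permitted and scanned

    def fetch(self, now, url):
        """Returns 'blocked', 'scanned' or 'unscanned' for one request."""
        action = self.action_for(url)
        if action == "Block":
            return "blocked"
        host = url.split("/", 1)[0]
        # With a proxy every request rides the single connection to the proxy;
        # otherwise hosts that resolve to the same IP share one connection.
        key = self.proxy or self.dns.get(host, host)
        conn = self.connections.get(key)
        if conn is None or now - conn["last"] > self.idle_timeout:
            conn = {"last": now, "exempt": False}   # a fresh connection is never exempt
            self.connections[key] = conn
        conn["last"] = now
        if action == "Exempt":
            conn["exempt"] = True         # the connection itself inherits the exemption
        if action == "Pass" or conn["exempt"]:
            return "unscanned"            # Pass: this URL only; Exempt: whole connection
        return "scanned"


def run_scenario(action, proxy=None):
    """The download sequence from the examples above, one second apart, then a
    return to the server after the connection has timed out."""
    model = UrlFilterModel([("www.example.com/files/content/", action)], proxy=proxy)
    urls = ["www.example.com/files/content/eicar.com",
            "www.example.com/virus/eicar.com",
            "www.eicar.org/virus/eicar.com",
            "www.example.com/virus/eicar.com"]
    times = [0.0, 1.0, 2.0, 20.0]
    return [model.fetch(t, u) for t, u in zip(times, urls)]


def shared_hosting_scenario():
    """example.com is exempt and shares an IP with another site (constructed)."""
    dns = {"www.example.com": "203.0.113.10", "www.other.example": "203.0.113.10"}
    model = UrlFilterModel([("www.example.com", "Exempt")], dns=dns)
    return [model.fetch(0.0, "www.example.com/index.html"),
            model.fetch(1.0, "www.other.example/download.exe")]


if __name__ == "__main__":
    for act in ("Exempt", "Pass"):
        print(act, run_scenario(act), "via proxy:",
              run_scenario(act, proxy="proxy.example.net"))
    print("shared hosting:", shared_hosting_scenario())
```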

General configuration steps
Follow the configuration procedures in the order given. Also, note that if you perform any
additional actions between procedures, your configuration may have different results.
1 Create a URL filter list.
2 Add URLs to the URL filter list.
3 Select a web filter profile or create a new one.
4 In the web filter profile, enable the Web URL Filter and select a URL filter list from the
drop-down list.
To complete the configuration, you need to select a firewall policy or create a new one.
Then, in the firewall policy, enable UTM and select the appropriate web filter profile from
the list.

Creating a URL filter list
To create a URL Filter list
1 Go to UTM > Web Filter > URL Filter.
2 Select Create New.
3 Enter a Name for the new URL filter list.
4 Enter optional comments to describe it.
FortiOS™ Handbook FortiOS 4.0 MR2 UTM Guide
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

5 Select OK.

Configuring a URL filter list
Each URL filter list can have up to 5000 entries. For this example, the URL
www.example*.com will be used. You configure the list by adding one or more URLs to it.
To add a URL to a URL filter list
1 Go to UTM > Web Filter > URL Filter.
2 Select an existing list and choose Edit.
3 Select Create New.
4 Enter the URL, without the “http”, for example: www.example*.com.
5 Select a Type: Simple, Wildcard or Regular Expression.
In this example, select Wildcard.
6 Select the Action to take against matching URLs: Exempt, Block, Allow, or Pass.
7 Select Enable.
8 Select OK.
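The following Python model is an added illustration, not FortiGate code. It reproduces the exempt-versus-pass behaviour described above (the Exempt action is inherited by the whole browser connection, which matters when a web proxy multiplexes every site onto one connection, while Pass only skips scanning for the matching URL) and the Simple, Wildcard and Regular Expression entry types. Assumptions of the model: Simple matches as a prefix of the scheme-less URL, Wildcard gets an implicit trailing "*", Regular Expression is searched anywhere in the URL, the first matching entry wins, Allow means "not blocked, scanning continues", and the proxy name is a constructed value.

```python
"""Model of FortiOS 4.0 URL filter actions (exempt vs pass) and entry types.

Added illustration, not FortiGate code. Matching semantics, first-match-wins
and the meaning of Allow are assumptions of this model (see the lead-in).
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Outcomes of a request in this model.
BLOCKED = "BLOCKED"                       # a Block entry matched
EXEMPT = "EXEMPT"                         # Exempt matched: URL unscanned, connection now exempt
CONNECTION_EXEMPT = "CONNECTION_EXEMPT"   # unscanned only because the connection is exempt
PASS = "PASS"                             # Pass matched: this URL unscanned, connection unaffected
SCANNED = "SCANNED"                       # no exemption applies: content is scanned


@dataclass
class Entry:
    pattern: str   # URL without the scheme, e.g. www.example.com/files/content/
    type: str      # "simple", "wildcard" or "regex"
    action: str    # "exempt", "block", "allow" or "pass"

    def matches(self, url: str) -> bool:
        if self.type == "simple":
            return url.startswith(self.pattern)                    # assumption: prefix match
        if self.type == "wildcard":
            return fnmatch.fnmatchcase(url, self.pattern + "*")    # assumption: implicit trailing *
        if self.type == "regex":
            return re.search(self.pattern, url) is not None        # assumption: search anywhere
        raise ValueError("unknown entry type: %s" % self.type)


@dataclass
class Connection:
    """One browser connection: either directly to a site or to the web proxy."""
    peer: str
    exempt: bool = False


@dataclass
class Browser:
    entries: List[Entry]
    proxy: Optional[str] = None                 # constructed proxy name, or None for direct access
    connections: Dict[str, Connection] = field(default_factory=dict)

    def _connection(self, url: str) -> Connection:
        # Through a proxy every URL shares one connection; directly, there is one per host.
        peer = self.proxy or url.split("/", 1)[0]
        return self.connections.setdefault(peer, Connection(peer))

    def fetch(self, url: str) -> str:
        conn = self._connection(url)
        if conn.exempt:
            # The Exempt action was inherited by the connection: nothing on it is scanned.
            return CONNECTION_EXEMPT
        for entry in self.entries:
            if not entry.matches(url):
                continue
            if entry.action == "block":
                return BLOCKED
            if entry.action == "exempt":
                conn.exempt = True          # the whole connection inherits the exemption
                return EXEMPT
            if entry.action == "pass":
                return PASS                 # only this one URL skips scanning
            break                           # allow: fall through to scanning
        return SCANNED


def scenario(action: str, use_proxy: bool):
    """Reproduce the handbook's two downloads with the single list entry set to `action`."""
    entries = [Entry("www.example.com/files/content/", "simple", action)]
    browser = Browser(entries, proxy="proxy.internal:3128" if use_proxy else None)
    first = browser.fetch("www.example.com/files/content/eicar.com")
    second = browser.fetch("www.eicar.org/virus/eicar.com")
    return first, second


if __name__ == "__main__":
    for act in ("exempt", "pass"):
        for via_proxy in (False, True):
            print(act, "via proxy" if via_proxy else "direct", scenario(act, via_proxy))
```

With the proxy in use, only the exempt case leaves the second download unscanned, which is the reason to prefer Pass over Exempt for proxy-based browsing.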

SafeSearch
SafeSearch is a feature of popular search sites that prevents explicit web sites and
images from appearing in search results. Although SafeSearch is a useful tool, especially
in educational environments, the resourceful user may be able to simply turn it off.
Enabling SafeSearch for the supported search sites enforces its use by rewriting the
search URL to include the code to indicate the use of the SafeSearch feature.
Three search sites are supported:
Google

Enforce the strict filtering level of safe search protection for Google search results by
adding &safe=on to search URL requests. Strict filtering removes both explicit text
and explicit images from the search results.

Yahoo!

Enforce the strict filtering level of safe search protection for Yahoo! search results by
adding &vm=r to search URL requests. Strict filtering removes adult web, video, and
images from search results.

Bing

Enforce the strict filtering level of safe search protection for Bing search results by
adding adlt=strict to search URL requests. Strict filtering removes explicit text,
images, and video from the search results.
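An added Python illustration (not FortiOS code) of the rewriting described above: for a search request to one of the three supported sites it appends the strict-filtering parameter, and it discards any value the user supplied themselves (for example safe=off), which is what turns SafeSearch from a user preference into an enforced setting. Assumptions: the engine is recognised by a "google", "yahoo" or "bing" label in the hostname, and a request counts as a search only when it carries the engine's search-terms parameter (q for Google and Bing, p for Yahoo!).

```python
"""SafeSearch enforcement by search-URL rewriting (added illustration, not FortiOS code)."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Strict-filtering parameter each supported engine understands (from the handbook text).
SAFESEARCH_PARAM = {
    "google": ("safe", "on"),
    "yahoo": ("vm", "r"),
    "bing": ("adlt", "strict"),
}
# Query-string parameter that carries the search terms (assumption of this model).
SEARCH_TERM_PARAM = {"google": "q", "yahoo": "p", "bing": "q"}


def search_engine(host: str):
    """Return the supported engine a hostname belongs to, or None (label-based, an assumption)."""
    for label in host.lower().split("."):
        if label in SAFESEARCH_PARAM:
            return label
    return None


def enforce_safesearch(url: str) -> str:
    """Rewrite `url` so the engine applies strict SafeSearch; other URLs come back unchanged.

    Any value the user supplied for the parameter (e.g. safe=off) is dropped
    and replaced with the strict value, so the user cannot simply turn it off.
    """
    parts = urlsplit(url)
    engine = search_engine(parts.hostname or "")
    if engine is None:
        return url
    query = parse_qsl(parts.query, keep_blank_values=True)
    if not any(name == SEARCH_TERM_PARAM[engine] for name, _ in query):
        return url  # not a search request (e.g. a mail page on the same domain)
    key, value = SAFESEARCH_PARAM[engine]
    query = [(name, val) for name, val in query if name != key]
    query.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    for u in ("http://www.google.com/search?q=kittens&safe=off",
              "http://search.yahoo.com/search?p=kittens",
              "http://www.bing.com/search?q=kittens"):
        print(u, "->", enforce_safesearch(u))
```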

Enabling SafeSearch — Web-based manager
1 Go to UTM > Web Filter > Profile.
2 Select the profile in which you want to enable SafeSearch and choose Edit.
3 Under the SafeSearch heading, select the check boxes for Google, Yahoo!, and Bing
in the Options column.
4 Select OK.
The CLI can also be used to enable SafeSearch in a web filter profile. In this example, the
safe_web web filter is configured to enable SafeSearch.
Enabling SafeSearch — CLI
config webfilter profile
    edit safe_web
        config web
            set safe-search bing google yahoo
        end
    end
This enforces the use of SafeSearch in traffic controlled by the firewall policies using the
web filter you configure.

Advanced web filter configuration
The Advanced Filter section of the web filter profile provides a number of advanced
filtering options. The FortiGuard Web Filter options in the Advanced Filter section are
detailed in the FortiGuard Web Filter section, in “Advanced FortiGuard Web Filter
configuration” on page 646.

ActiveX filter
Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function
properly with this filter enabled.

Cookie filter
Enable to filter cookies from web traffic. Web sites using cookies may not function properly
with this enabled.

Java applet filter
Enable to filter java applets from web traffic. Web sites using java applets may not function
properly with this filter enabled.

Web resume download block
Enable to prevent the resumption of a file download where it was previously interrupted.
With this filter enabled, any attempt to restart an aborted download will download the file
from the beginning rather than resuming from where it left off.
This prevents the unintentional download of viruses hidden in fragmented files.
Note that some types of files, such as PDF, fragment files to increase download speed and
enabling this option can cause download interruptions. Enabling this option may also
break certain applications that use the Range Header in the HTTP protocol, such as YUM,
a Linux update manager.

Block Invalid URLs
Select to block web sites when their SSL certificate CN field does not contain a valid
domain name.
FortiGate units always validate the CN field, regardless of whether this option is enabled.
However, if this option is not selected, the following behavior occurs:
• If the request is made directly to the web server, rather than a web server proxy, the
  FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the
  IP address only, not the domain name.
• If the request is to a web server proxy, the real IP address of the web server is not
  known. Therefore, rating queries by either or both the IP address and the domain
  name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web
  Filtering.

HTTP POST action
Select the action to take with HTTP POST traffic. HTTP POST is the command used by
your browser when you send information, such as a form you have filled out or a file you
are uploading, to a web server.
The available actions include:
Normal

Allow use of the HTTP POST command as normal.

Comfort

Use client comforting to slowly send data to the web server as the FortiGate unit
scans the file. Use this option to prevent a server time-out when scanning or other
filtering is enabled for outgoing traffic.
The client comforting settings used are those defined in the protocol options profile
selected in the firewall policy. For more information, see “Configuring client
comforting” on page 568.

Block

Block the HTTP POST command. This will limit users from sending information and
files to web sites.
When the post request is blocked, the FortiGate unit sends the http-post-block
replacement message to the web browser attempting to use the command.

Web filtering example
Web filtering is particularly important for protecting school-aged children. There are legal
issues associated with improper web filtering as well as a moral responsibility not to allow
children to view inappropriate material. The key is to design a web filtering system in such
a way that students and staff do not fall under the same web filter profile in the FortiGate
configuration. This is important because the staff may need to access websites that are
off-limits to the students.

School district
The background for this scenario is a school district with more than 2300 students and 500
faculty and staff in a preschool, three elementary schools, a middle school, a high school,
and a continuing education center. Each elementary school has a computer lab and the
high school has three computer labs with connections to the Internet. Such easy access to
the Internet ensures that every student touches a computer every day.
With such a diverse group of Internet users, it was not possible for the school district to set
different Internet access levels. This meant that faculty and staff were unable to view
websites that the school district had blocked. Another issue was the students’ use of proxy
sites to circumvent the previous web filtering system. A proxy server acts as a go-between
for users seeking to view web pages from another server. If the proxy server has not been
blocked by the school district, the students can access the blocked website.
When determining what websites are appropriate for each school, the district examined a
number of factors, such as community standards and different needs of each school
based on the age of the students.
The district decided to configure the FortiGate web filtering options to block content of an
inappropriate nature and to allow each individual school to modify the options to suit the
age of the students. This way, each individual school was able to add or remove blocked
sites almost immediately and have greater control over their students’ Internet usage.
In this simplified example of the scenario, the district wants to block any websites with the
word example on them, as well as the website www.example.com. The first task is to
create web content filter lists for the students and the teachers.

To create a web content filter list for the students
1 Go to UTM > Web Filter > Web Content Filter.
2 Select Create New.
3 Enter the Name of the new list: Student Web Content List.
4 Enter optional comments to identify the list.
5 Select OK.
To create a web content filter list for the teachers
1 Go to UTM > Web Filter > Web Content Filter.
2 Select Create New.
3 Enter the Name of the new list: Teacher Web Content List.
4 Enter optional comments to identify the list.
5 Select OK.
The next step is to configure the two web content filters that were just created. The first will
be the Student Web Content List.
To add a pattern to the student web content filter list
1 Go to UTM > Web Filter > Web Content Filter.
2 Select the Student Web Content List and choose Edit.
3 Select Create New.
4 Enter the word example as the content block Pattern.
5 Leave the rest of the settings at their default values.
6 Select OK.
It might be more efficient if the Teacher Web Content List included the same blocked
content as the student list. From time to time a teacher might have to view a blocked page.
It would then be a matter of changing the Action from Block to Allow as the situation
required.
To change a pattern from Block to Exempt
1 Go to UTM > Web Filter > Web Content Filter.
2 Select the Teacher Web Content List and choose Edit.
3 Select example from the Pattern list and choose Edit.
4 Select Exempt from the Action list.
5 Ensure that Enable is selected.
6 Select OK.
URL filter lists with filters to block unwanted web sites must be created for the students
and teachers. For this example the URL www.example.com will be used.
To create a URL filter for the students
1 Go to UTM > Web Filter > URL Filter.
2 Select Create New.
3 Enter Student URL List as the URL filter Name.
4 Enter optional comments to describe the contents of the list.
5 Select OK.
The URL filter for the students has been created. Now it must be configured.
To configure the URL filter for the students
1 Go to UTM > Web Filter > URL Filter.
2 Select Student URL List and choose Edit.
3 Select Create New.
4 Enter www.example.com in the URL field.
5 Select Simple from the Type list.
6 Select Block from the Action list.
7 Select Enable.
8 Select OK.
The teachers should be able to view the students’ blocked content, however, so an
additional URL filter is needed.
To create a URL filter for the teachers
1 Go to UTM > Web Filter > URL Filter.
2 Select Create New.
3 Enter Teacher URL List as the URL filter Name.
4 Enter optional comments to describe the list.
5 Select OK.
To configure the URL filter for the teachers
1 Go to UTM > Web Filter > URL Filter.
2 Select Teacher URL List and choose Edit.
3 Select Create New.
4 Enter www.example.com in the URL field.
5 Select Simple from the Type list.
6 Select Exempt from the Action list.
7 Select Enable.
8 Select OK.
A web filter profile must be created for the students and the teachers.
To create a web filter profile for the students
1 Go to UTM > Web Filter > Profile.
2 Select Create New.
3 Enter Students as the Profile Name.
4 Enter optional comments to identify the profile.
5 Enable Web Content Filter and select Student Web Content List from the drop-down
list.
6 Enable Web URL Filter and select Student URL List from the drop-down list.
7 Expand the Advanced Filter section.
8 Enable Web Resume Download Block.
Selecting this setting will block downloading parts of a file that have already been
downloaded and prevent the unintentional download of virus files hidden in fragmented
files. Note that some types of files, such as PDFs, are fragmented to increase
download speed, and that selecting this option can cause download interruptions with
these types.
9 Select OK.
To create a firewall policy for the students
1 Go to Firewall > Policy.
2 Select Create New.
3 Enable UTM.
4 Select Enable Web Filter.
5 Select Students from the web filter drop-down list.
6 Enter optional comments.
7 Select OK.
To create a web filter profile for the teachers
1 Go to UTM > Web Filter > Profile.
2 Select Create New.
3 Enter Teachers as the Profile Name.
4 Enter optional comments to identify the profile.
5 Enable Web Content Filter and select Teacher Web Content List from the list.
6 Enable Web URL Filter and select Teacher URL List from the list.
7 Expand the Advanced Filter section.
8 Enable Web Resume Download Block.
9 Select OK.
To create a firewall policy for Teachers
1 Go to Firewall > Policy.
2 Select Create New.
3 Enable UTM.
4 Select Enable Web Filter.
5 Select Teachers from the web filter drop-down list.
6 Enter optional comments.
7 Select OK.

FortiGuard Web Filter
This section describes FortiGuard Web Filter for HTTP and HTTPS traffic.
FortiGuard Web Filter is a managed web filtering solution available by subscription from
Fortinet. FortiGuard Web Filter enhances the web filtering features supplied with your
FortiGate unit by sorting billions of web pages into a wide range of categories users can
allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filter Service
Point to determine the category of a requested web page, and then applies the firewall
policy configured for that user or interface.
FortiGuard Web Filter includes over 45 million individual ratings of web sites that apply to
more than two billion pages. Pages are sorted and rated into several dozen categories
administrators can allow or block. Categories may be added or updated as the Internet
evolves. To make configuration simpler, you can also choose to allow or block entire
groups of categories. Blocked pages are replaced with a message indicating that the page
is not accessible according to the Internet usage policy.
FortiGuard Web Filter ratings are performed by a combination of proprietary methods
including text analysis, exploitation of the web structure, and human raters. Users can
notify the FortiGuard Web Filter Service Points if they feel a web page is not categorized
correctly, so that the service can update the categories in a timely fashion.
The following topics are discussed in this section:
• Before you begin
• FortiGuard Web Filter and your FortiGate unit
• Enable FortiGuard Web Filter
• Advanced FortiGuard Web Filter configuration
• Add or change FortiGuard Web Filter ratings
• Create FortiGuard Web Filter overrides
• Customize categories and ratings
• FortiGuard Web Filter examples

Before you begin
Before you follow the instructions in this section, you should have a FortiGuard Web Filter
subscription and your FortiGate unit should be properly configured to communicate with
the FortiGuard servers. For more information about FortiGuard services, see the
FortiGuard Center web page. You should also have a look at “Web filter concepts” on
page 623.

FortiGuard Web Filter and your FortiGate unit
When FortiGuard Web Filter is enabled in a web filter profile, the setting is applied to all
firewall policies that use this profile. When a request for a web page appears in traffic
controlled by one of these firewall policies, the URL is sent to the nearest FortiGuard
server. The URL category is returned. If the category is blocked, the FortiGate unit
provides a replacement message in place of the requested page. If the category is not
blocked, the page request is sent to the requested URL as normal.

Order of web filtering
The FortiGate unit applies web filters in a specific order:
1 URL filter
2 FortiGuard Web Filter
3 web content filter
4 web script filter
5 antivirus scanning.
The flowchart in Figure 67 on page 641 shows the steps involved in FortiGuard Web
Filtering. Most features are included but some of the advanced options, including
overrides, are not. The features appearing in the flowchart are described in this section.

Figure 67: FortiGuard Web Filter sequence of events
[Flowchart not reproduced in text. It starts when a user attempts to load a URL, queries
FortiGuard for the URL category and classification, applies the category block/allow
setting (and the classification block/allow setting when strict blocking is on), and then
checks FortiGuard Quota for the category, the classification and the category group in
turn: an exempt entry allows access and leaves any running timer untouched, a quota with
time remaining starts its timer and allows access, and an exhausted quota denies access
and stops any running quota timer. A URL with no quota is allowed and stops any running
quota timer.]

Enable FortiGuard Web Filter
FortiGuard Web Filter is enabled and configured within web filter profiles. Overrides, local
categories, and local ratings are configured in UTM > Web Filter.

General configuration steps
1 Go to UTM > Web Filter > Profile.
2 Select the Edit icon of the web filter profile in which you want to enable FortiGuard Web
Filter, or select Create New to add a new web filter profile.
3 Expand the FortiGuard Web Filtering section.
4 Under the FortiGuard Web Filtering heading, the Enable FortiGuard Web Filtering row
allows you to enable the feature for HTTP and HTTPS traffic. Select either or both
check boxes as required.
5 The category and classification tables allow you to block or allow access to general or
more specific web site categories. Configure access as required.
6 Select OK to save the web filter profile.
7 To complete the configuration, you need to select the firewall policy controlling the
network traffic you want to restrict. Then, in the firewall policy, enable UTM and select
Enable Web Filter and select the appropriate web filter profile from the list.

Configuring FortiGuard Web Filter settings
FortiGuard Web Filter includes a number of settings that allow you to determine various
aspects of the filtering behavior.
To configure FortiGuard Web Filter settings
1 Go to UTM > Web Filter > Profile.
2 Select the Edit icon of the web filter profile in which you want to enable FortiGuard Web
Filter, or select Create New to add a new web filter profile.
3 Expand the FortiGuard Web Filtering section.
4 Select one or both of the HTTP and HTTPS check boxes in the row labeled FortiGuard
Web Filtering to enable FortiGuard Web Filter for HTTP and HTTPS web traffic.
At least one of these check boxes must be selected for FortiGuard Web Filter to
function for the protocol. Other web filter features, such as web content filter and URL
filter, will function as configured, however.
5 Select FortiGuard Web Filtering Overrides to enable the overrides configured in UTM >
Web Filter > Override. Select HTTP, HTTPS, or both to enable overrides. For more
information, see “Create FortiGuard Web Filter overrides” on page 648.
6 Select OK to save your changes to the web filter profile.

Configuring FortiGuard Web Filter categories
Categories are a means to describe the content of web sites. FortiGuard Web Filter
divides the web into dozens of categories in eight category groups.
Every URL and IP address is associated with one category. URLs and IP addresses that
have not been rated are placed in the Unrated category so you can still apply actions,
overrides, and quotas to them.

To configure the FortiGuard Web Filter categories
1 Go to UTM > Web Filter > Profile.
2 Select Create New to add a new web filter profile, or select an existing web filter profile
and choose Edit to configure the FortiGuard Web Filter categories.
3 Expand the FortiGuard Web Filtering section.
4 Under the FortiGuard Web Filtering heading, the category groups are listed in a table.
You can expand each category group to view and configure every category within the
group. If you change the setting of a category group, all categories within the group
inherit the change.
5 Select Allow to allow access to the sites within the category.
6 Select Block to restrict access to sites within the category. Users attempting to access
a blocked site will receive a replacement message explaining that access to the site is
blocked.
7 Select Log to record attempts to access sites in a category.
8 Select Allow Override to allow users to override blocked categories. For more
information, see “Understanding administrative and user overrides” on page 648.
Before you can allow an override, you must create it (see “Create FortiGuard Web
Filter overrides” on page 648) and then enable FortiGuard Web Filtering Overrides in
the web filter profile.
9 Select OK.

Configuring FortiGuard Web Filter classifications
Classifications are assigned based on characteristics of the site, not the topic of the site
content. For example, the cached content classification tells you the site caches content
from other sites. It tells you nothing about what the content is.
Unlike categories, not every rated URL and IP address has an assigned classification.
To configure the FortiGuard Web Filter classifications
1 Go to UTM > Web Filter > Profile.
2 Select Create New to add a new web filter profile or select the web filter profile in which
you want to configure the FortiGuard Web Filter categories and select Edit.
3 Expand the FortiGuard Web Filtering section.
The classification table is listed below the category table.
4 Select Allow to allow access to the sites within the classification.
5 Select Block to restrict access to sites within the classification. Users attempting to
access a blocked site will receive a replacement message explaining that access to the
site is blocked.
6 Select Log to record attempts to access sites in a classification.
7 Select Allow Override to allow users to override blocked classifications.
This option is not available unless you also:
• select the Enable FortiGuard Web Filtering Overrides option that appears just
before the table
• create overrides in UTM > Web Filter > Override. For more information, see “Create
FortiGuard Web Filter overrides” on page 648.
8 Select OK.

Configuring FortiGuard Web Filter usage quotas
In addition to using category and classification blocks and overrides to limit user access to
URLs, you can set a daily timed access quota by category, category group, or
classification. Quotas allow access for a specified length of time, calculated separately for
each user. Quotas are reset every day at midnight.
Users must authenticate with the FortiGate unit. The quota is applied to each user
individually so the FortiGate must be able to identify each user. One way to do this is to
configure a firewall policy using the identity based policy feature. Apply the web filter
profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter
quotas to such a firewall policy.
Caution: The use of FortiGuard Web Filter quotas requires that users authenticate to gain
web access. The quotas are ignored if applied to a firewall policy in which user
authentication is not required.

When a user first attempts to access a URL, they’re prompted to authenticate with the
FortiGate unit. When they provide their username and password, the FortiGate unit
recognizes them, determines their quota allowances, and monitors their web use. The
category and classification of each page they visit is checked and the FortiGate unit adjusts
the user’s remaining available quota for the category or classification.
Note: Editing the web filter profile resets the quota timers for all users.

To configure the FortiGuard Web Filter categories
1 Go to UTM > Web Filter > Profile.
2 Select an existing web filter profile and choose Edit to configure the FortiGuard Web
Filter categories.
3 Expand the FortiGuard Web Filtering section.
4 Under the FortiGuard Web Filtering heading, the category groups are listed in a table.
You can expand each category group to view and configure every category within the
group.
5 Under the FortiGuard Quota heading, select Enable to activate the quota for the
category, category group, or classification.
6 Select Hours, Minutes, or Seconds and enter the number of hours, minutes, or
seconds. This is the daily quota allowance for each user.
7 Select OK.
Apply the web filter profile to an identity-based firewall policy and all the users subject to
the policy will be restricted by the quotas.

Quota hierarchy
You can apply quotas to categories, category groups, and classifications. Only one quota
per user can be active at any one time. The one used depends on how you configure the
FortiGuard Web Filter.

When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the
category and classification of the URL. From highest to lowest, the relative priority of the
quotas are:
1 Category
2 Classification
3 Category group
So for example, the Business Oriented category group contains the Information
Technology category. When a user visits a page in the Information Technology category,
the FortiGate unit will check for quotas in sequence:
• Is there a quota set for the Information Technology category? If there is, the category
  quota timer is started and the user is allowed access to the URL. If no time remains in
  the category quota, the URL is blocked and the user cannot access it for the remainder
  of the day.
• If there is no quota set for the Information Technology category, is there a quota set for
  any classification that applies to the URL? If there is, the classification quota timer is
  started and the user is allowed access to the URL. If no time remains in the
  classification quota, the URL is blocked and the user cannot access it for the remainder
  of the day.
• If no quota is set, or no classification exists for the URL, is there a quota set for the
  Business Oriented category group? If there is, the category group quota timer is
  started and the user is allowed access to the URL. If no time remains in the category
  group quota, the URL is blocked and the user cannot access it for the remainder of the
  day.
• Finally, if there is no category group quota, the user is allowed to access the URL.
  Getting to this point means there are no quotas set for the page. The FortiGate unit will
  stop any running quota timer because the current URL has no quota.

Only one quota timer can be running at any one time for a single user. Whenever a quota
timer is started or a page is blocked, the timer running because of the previous URL
access is stopped. Similarly, a URL with no quotas will stop a quota timer still running
because of the URL the user previously accessed.

Quota exempt
The quota checking sequence occurs for every URL the user accesses. This is true for
every web page, and every element of the web page that is loaded. For example, if a user
loads a web page, the quota is checked for the web page as soon as it is loaded. If there is
a photo on the page, it is also checked and the quota is adjusted accordingly.
This can cause unexpected behavior. For example, if the web page a user loads is in the
Information Technology category and it has a quota, the quota timer is started. The web
page includes a number of graphics so as these are loaded, each is checked and the
appropriate quota is started. If they all share the same category rating, which they often
will, there is no problem. But if the last graphic or page element loaded comes from
another site, the quota may not work as you expect. If the last graphic is an ad, loaded
from a site categorized as Advertising, the Information Technology category quota timer
will stop almost as soon as it is started because the FortiGate unit will see the ad URL and
find that it belongs to the Advertising category. If Advertising has a quota, its timer will
start. If it is blocked or allowed, the Information Technology category quota timer will be
stopped and the user can view the page without using the quota set to limit the Information
Technology category.

To solve this problem, you can configure a category, category group, or classification as
exempt. This effectively allows the quota system to ignore it entirely. Any quota timer
running when an exempt URL is encountered continues to run. An exempt category,
category group, or classification cannot have a quota. This may sound the same as
simply disabling the quota and setting the FortiGuard Web Filter action to allow, but there
is a difference. The exempt action will not stop an already running quota timer, while the
allow and block actions will stop an already running quota timer.
The exempt action is generally used for commonly accessed web pages that load
elements from other sites that have different category ratings. Pages that load ads from
advertising sites are the most common example.
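The following Python model is an added illustration, not FortiOS code, of the quota hierarchy and the quota-exempt behaviour described in the "Quota hierarchy" and "Quota exempt" sections above, carried through the handbook's own case of an Information Technology page whose last element is an advertisement. Category and group names, quota sizes and the per-user timeline are constructed sample values, and the one-timer-per-user bookkeeping is a simplification of what the unit does.

```python
"""Model of the FortiGuard Web Filter quota hierarchy and the quota-exempt action.

Added illustration, not FortiOS code. Names, quota sizes and timings below
are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Rating:
    """What FortiGuard returns for a URL: a category, its group and maybe a classification."""
    category: str
    group: str
    classification: Optional[str] = None


@dataclass
class Profile:
    quotas: Dict[str, int]                           # daily allowance in seconds, keyed by
                                                     # category, classification or group name
    exempt: Set[str] = field(default_factory=set)    # quota-exempt names (cannot have a quota)
    blocked: Set[str] = field(default_factory=set)   # categories whose action is Block


@dataclass
class UserState:
    remaining: Dict[str, int]           # seconds left today for each quota
    active: Optional[str] = None        # quota whose timer is running, if any
    active_since: int = 0               # time the running timer was started


class QuotaEngine:
    def __init__(self, profile: Profile):
        self.profile = profile
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        # Quotas are tracked per authenticated user and start full each day.
        return self.users.setdefault(user, UserState(dict(self.profile.quotas)))

    @staticmethod
    def _stop_timer(st: UserState, now: int) -> None:
        if st.active is not None:
            st.remaining[st.active] -= now - st.active_since   # charge the elapsed time
            st.active = None

    def request(self, user: str, rating: Rating, now: int) -> Tuple[str, Optional[str]]:
        """Decide one URL load at `now` seconds; return (decision, timer left running)."""
        st = self._state(user)
        if rating.category in self.profile.blocked:
            self._stop_timer(st, now)             # a block stops any running quota timer
            return "deny", None
        # Priority order: category, then classification, then category group.
        for name in (rating.category, rating.classification, rating.group):
            if name is None:
                continue
            if name in self.profile.exempt:
                return "allow", st.active         # exempt: ignored, running timer keeps going
            if name not in st.remaining:
                continue                          # no quota at this level: try the next one
            if st.active != name:
                self._stop_timer(st, now)         # only one timer per user runs at a time
            elapsed = now - st.active_since if st.active == name else 0
            if st.remaining[name] - elapsed <= 0:
                self._stop_timer(st, now)
                return "deny", None               # used up for the rest of the day
            if st.active is None:
                st.active, st.active_since = name, now
            return "allow", name
        self._stop_timer(st, now)                 # no quota applies: allow, stop the timer
        return "allow", None

    def remaining(self, user: str, name: str, now: int) -> int:
        """Seconds left in a quota, counting time on a currently running timer."""
        st = self._state(user)
        running = now - st.active_since if st.active == name else 0
        return st.remaining[name] - running


# Constructed sample ratings (the Advertising group name is made up for the example).
IT = Rating("Information Technology", "Business Oriented")
AD = Rating("Advertising", "Constructed Group")


def page_with_ad(exempt_ads: bool):
    """The handbook's case: an IT page whose last element is an ad. Returns the timer
    still running after the ad loads and the IT quota left one minute after the page load."""
    profile = Profile(quotas={"Information Technology": 600},
                      exempt={"Advertising"} if exempt_ads else set())
    engine = QuotaEngine(profile)
    engine.request("alice", IT, now=0)                  # page load starts the IT timer
    _, running = engine.request("alice", AD, now=5)     # the ad image loads 5 s later
    return running, engine.remaining("alice", "Information Technology", now=60)


if __name__ == "__main__":
    print("Advertising allowed, no quota:", page_with_ad(False))   # IT timer stopped after 5 s
    print("Advertising quota-exempt:   ", page_with_ad(True))    # IT timer keeps running
```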

Checking quota usage
With quotas enabled, the FortiGate unit keeps track of quota usage for each user in each
web filter profile. You can check the amount of quota usage for each user and their
remaining time for each individual quota.
To view FortiGuard Web Filter quota usage
1 Go to UTM > Web Filter > FortiGuard Quota.
2 The table shows the users who have used some or all of their quota allowance. The
total time used is listed by web filter profile for each user.
3 Select the View icon in any row to view the remaining quota for each category,
category group, and classification. A category, category group, or classification
displayed in bold type indicates the quota currently in use.
Quotas are reset every day at midnight.

Advanced FortiGuard Web Filter configuration
The Advanced Filter section of the web filter profile provides a number of advanced filter
options. The web filter options in the advance filter section unrelated to FortiGuard Web
Filter are detailed in the web filter section, in “Advanced web filter configuration” on
page 633.

Provide Details for Blocked HTTP 4xx and 5xx Errors
Enable to have the FortiGate unit display its own replacement message for 400 and
500-series HTTP errors. If the server error is allowed through, malicious or objectionable
sites can use these common error pages to circumvent web filtering.

Rate Images by URL (blocked images will be replaced with blanks)
Enable to have the FortiGate retrieve ratings for individual images in addition to web sites.
Images in a blocked category are not displayed even if they are part of a site in an allowed
category.
Blocked images are replaced on the originating web pages with blank placeholders.
Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.

Allow Websites When a Rating Error Occurs
Enable to allow access to web pages that return a rating error from the FortiGuard Web
Filter service.

If your FortiGate unit cannot contact the FortiGuard service temporarily, this setting
determines what access the FortiGate unit allows until contact is re-established. If
enabled, users will have full unfiltered access to all web sites. If disabled, users will not be
allowed access to any web sites.

Strict Blocking
This setting determines when the FortiGate unit blocks a site. Enable strict blocking to
deny access to a site if any category or classification assigned to the site is set to Block.
Disable strict blocking to deny access to a site only if all categories and classifications
assigned to the site are set to Block.
All rated URLs are assigned one or more categories. URLs may also be assigned a
classification. If Rate URLs by domain and IP address is enabled, the site URL and IP
address each carry separately assigned categories and classifications. Depending on the
FortiGuard rating and the FortiGate configuration, a site could be assigned to at least two
categories and up to two classifications.

Rate URLs by Domain and IP Address
Enable to have the FortiGate unit request the rating of the site by URL and IP address
separately, providing additional security against attempts to bypass the FortiGuard Web
Filter.
Note: FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings
for URLs. This can sometimes cause the FortiGate unit to allow access to sites that should
be blocked, or to block sites that should be allowed.

Block HTTP Redirects by Rating
Enable to block HTTP redirects.
Many web sites use HTTP redirects legitimately but in some cases, redirects may be
designed specifically to circumvent web filtering, as the initial web page could have a
different rating than the destination web page of the redirect.
This option is not supported for HTTPS.

Daily log of remaining quota
Enable to log daily quota use.
As part of the quota reset at midnight, the FortiGate unit will record a log entry for every
quota each user consumed during the day. These log entries are labeled with the sub-type
ftgd_quota. Each entry includes the VDOM, user name, web filter profile name,
category description, quota used (in seconds), and quota (in seconds). You can use log
filtering to quickly limit the displayed entries to those you want, and generate reports from
the logs.
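
A small parser for the daily ftgd_quota entries, added here as an example that is not from the handbook or from Fortinet. FortiOS writes its logs as space-separated key=value pairs with double-quoted values, but the exact key names of these entries are not listed above, so the names used in the constructed sample lines below (vd, user, profile, category, used, quota) are assumptions. The report flags the users who reached a chosen fraction of a quota and totals the time used per user and profile, the same information the FortiGuard Quota page shows.

```python
"""Parse the daily ftgd_quota log entries and report quota consumption.
Added example, not FortiOS code. The log lines are constructed and the key
names (vd, user, profile, category, used, quota) are assumed, not taken
from Fortinet documentation."""
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample log: three quota entries and one unrelated webfilter
# entry that the subtype filter must skip.
SAMPLE_LOG = """\
date=2010-07-15 time=00:00:01 type=webfilter subtype=ftgd_quota vd="root" user="alice" profile="basic_FGWF" category="Information Technology" used=1800 quota=1800
date=2010-07-15 time=00:00:01 type=webfilter subtype=ftgd_quota vd="root" user="alice" profile="basic_FGWF" category="Games" used=120 quota=600
date=2010-07-15 time=00:00:01 type=webfilter subtype=ftgd_quota vd="root" user="bob" profile="basic_FGWF" category="Information Technology" used=1700 quota=1800
date=2010-07-15 time=00:00:02 type=webfilter subtype=urlfilter vd="root" user="carol" url="http://www.example.com/" status=blocked
"""


@dataclass(frozen=True)
class QuotaEntry:
    vd: str
    user: str
    profile: str
    category: str
    used: int      # seconds consumed during the day
    quota: int     # daily quota in seconds


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line; shlex takes care of the quoted values."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def quota_entries(lines: Iterable[str]) -> List[QuotaEntry]:
    """Keep only the ftgd_quota entries, with the two counters as integers."""
    entries = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_kv(line)
        if f.get("subtype") != "ftgd_quota":
            continue
        entries.append(QuotaEntry(f["vd"], f["user"], f["profile"], f["category"],
                                  int(f["used"]), int(f["quota"])))
    return entries


def near_limit(lines: Iterable[str], fraction: float = 0.9) -> List[Tuple[str, str, str, int, int]]:
    """(user, profile, category, used, quota) for quotas at or above `fraction`."""
    return [
        (e.user, e.profile, e.category, e.used, e.quota)
        for e in quota_entries(lines)
        if e.used >= fraction * e.quota
    ]


def time_used(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Total seconds used per (user, profile), as on the FortiGuard Quota page."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in quota_entries(lines):
        totals[(e.user, e.profile)] += e.used
    return dict(totals)


if __name__ == "__main__":
    for row in near_limit(SAMPLE_LOG.splitlines()):
        print("at or near limit:", row)
    print("time used:", time_used(SAMPLE_LOG.splitlines()))
```

Feed the function a real log export one line at a time; the subtype check is what separates these entries from the other webfilter records in the same file.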

Add or change FortiGuard Web Filter ratings
The FortiGuard Center web site allows you to check the current category assigned to any
URL.
To check the category assigned to a URL
1 Using your web browser, go to the FortiGuard Center Web Filter URL Lookup &
Submission page at http://www.fortiguard.com/webfiltering/webfiltering.html.
2 Enter the URL as directed.
3 Select Search.
4 If the URL has been rated by the FortiGuard web filter team, the category is displayed.
If a URL has not been rated, or you believe it is incorrectly rated, you can suggest the
appropriate category and classification.
To add or change the category for a URL
1 Check the category assigned to the URL as described in the previous procedure.
2 Below the rating, select Check to submit the URL.
3 Enter your name, company, and email address.
4 Optionally, you may enter a comment.
5 Select the most appropriate category and classification for the URL.
6 Select Submit to send your submission to the FortiGuard web filter team.

Create FortiGuard Web Filter overrides
You can configure FortiGuard Web Filter to allow or deny access to web sites by category
and classification. You may want to block a category but allow your users temporary
access to one site within the blocked category. You may need to allow only some users to
temporarily access one site within a blocked category. You can do these things by using
administrative and user overrides.

Understanding administrative and user overrides
The administrative overrides are backed up with the main configuration. The
administrative overrides are not deleted when they expire and you can reuse them by
extending their expiry dates. You can create administrative overrides either through the
CLI or the web-based manager.
The user overrides are not backed up as part of the main configuration. These overrides
are automatically deleted when they expire. You can only view and delete the user
override entries. Users create user overrides using the authentication form opened from
the block page when they attempt to access a blocked site, if override is enabled.
To create an administrative override
1 Go to UTM > Web Filter > Override.
2 Select Administrative Overrides and choose Edit.
3 Select Create New.
4 Using the Type selection, choose the type of override to create:
• A Directory override will allow access to a particular directory on a blocked site.
• An Exact Domain override will allow access to a blocked domain.
• A Categories override will allow access to a blocked category.
5 If you select a directory or domain override, enter the directory or domain in the URL
field.
If you select a category override, select the categories and classifications you want to
allow.

6 Using the Scope selection, choose how the override will be applied:
• A User scope limits the override to a single user. Enter the user ID in the User field.
• A User Group scope limits the override to the users you have included in a user
group. Using the User Group selection, choose the user group.
• An IP scope limits the override to an IPv4 address. Enter the address in the IP field.
• An IPv6 scope limits the override to an IPv6 address. Enter the address in the IPv6
field.
7 Select whether to Allow or Deny content from Off-site URLs.
This option defines whether the web page visible as the result of an override will
display the images and other contents from other blocked offsite URLs.
For example, if all FortiGuard categories are blocked, but you want to allow access to a
web site, you can create a domain override for the site and view the page. If the
images on the site are served from a different domain and Off-site URLs is set to Deny,
all the images on the page will appear broken because they come from a domain that
the existing override rule does not apply to. If Off-site URLs is set to Allow, the images
on the page will appear properly.
8 Select when the override expires by entering the exact time and date.
9 Select OK to save the override rule.

Customize categories and ratings
The FortiGuard Web Filter rating categories are general enough that virtually any web site
can be accurately categorized in one of them. The rigid structure of the categories can
create complications, however. You might decide to block the Web-based Email category,
but what if your company uses one web-based email provider?
Local categories and local ratings allow you to assign sites to any category you choose.
You can even create new categories. These settings only apply to your FortiGate unit
however. The changes you make are not sent to the FortiGuard Web Filter Service.

Creating local categories
Categories are labels that describe web site content. Creating your own category allows
you to customize how the FortiGuard Web Filter service works.
Local categories appear in the web filter profile FortiGuard Web Filter category list under
the Local Categories category group. Local categories are empty when created. To
populate local categories with web sites, see “Customizing site ratings” on page 649.
To create a local category
1 Go to UTM > Web Filter > Local Categories.
2 Enter the name of the new local category in the field above the local category list.
3 Select Add.
The new local category is added to the list, but will remain empty until you add a web
site to it.

Customizing site ratings
You may find it convenient to change the rating of a site. For example, if you want to block
all the sites in a category except one, you can move the one site to a different category.

To customize a site rating
1 Go to UTM > Web Filter > Local Ratings.
2 Select Create New.
3 In the URL field, enter the URL of the site you want to change.
4 In the Category Rating table, select the category or categories to apply to the site.
If you created any local categories, a Local Categories group will appear.
5 In the Classification Rating table, select a classification to apply to the site.
6 Select OK.

FortiGuard Web Filter examples
FortiGuard Web Filter can provide more powerful filtering to your network because you
can use it to restrict access to millions of sites by blocking the categories they belong to.

Configuring simple FortiGuard Web Filter protection
Small offices, whether they are small companies, home offices, or satellite offices, often
have very simple needs. This example details how to enable FortiGuard Web Filter
protection on a FortiGate unit located in a satellite office.

Creating a web filter profile
Most FortiGuard Web Filter settings are configured in a web filter profile. Web filter profiles
are selected in firewall policies. This way, you can create multiple web filter profiles, and
tailor them to the traffic controlled by the firewall policy in which they are selected. In this
example, you will create one web filter profile.
To create a web filter profile — web-based manager
1 Go to UTM > Web Filter > Profile.
2 Select Create New.
3 In the Name field, enter basic_FGWF.
4 Select the FortiGuard Web Filtering check boxes for the HTTP and HTTPS traffic
types.
5 Select the FortiGuard Web Filtering expand arrow.
6 Select the Block action for the Potentially Liable, Controversial, and Potentially
Security Violating categories.
7 Select OK to save the web filter profile.

To create a web filter profile — CLI
    config webfilter profile
        edit basic_FGWF
            config http
                set options fortiguard-wf
            end
            config https
                set options fortiguard-wf
            end
            config ftgd-wf
                set deny g01 g02 g05
            end
    end

Selecting the web filter profile in a firewall policy
A web filter profile directs the FortiGate unit to scan network traffic only when it is selected
in a firewall policy. When a web filter profile is selected in a firewall policy, its settings are
applied to all the traffic the firewall policy handles.
To select the web filter profile in a firewall policy — web-based manager
1 Go to Firewall > Policy > Policy.
2 Select a policy.
3 Select the Edit icon.
4 Enable UTM.
5 Select default from the Protocol Options list.
UTM cannot be enabled without selecting a protocol options profile. A default profile is
provided.
6 Select the Enable Web Filter option.
7 Select the basic_FGWF profile from the list.
8 Select OK to save the firewall policy.
To select the web filter profile in a firewall policy — CLI
    config firewall policy
        edit 1
            set utm-status enable
            set profile-protocol-options default
            set webfilter-profile basic_FGWF
    end
HTTP and HTTPS traffic handled by the firewall policy you modified will be monitored for
attempts to access the blocked sites. A small office may have only one firewall policy
configured. If you have multiple policies, consider enabling web filter scanning for all
outgoing policies.

School district
Continuing with the example in the Web filter section, you can use FortiGuard Web Filter
to protect students from inappropriate material. For the first part of this example, see “Web
filtering example” on page 634.

To enable FortiGuard Web Filter
1 Go to UTM > Web Filter > Profile.
2 Select the web filter profile named Students and choose Edit.
3 In the FortiGuard Web Filtering row, select both the HTTP and HTTPS options.
4 Select OK.
The Students web filter profile has FortiGuard Web Filter enabled, but all the categories
are set to Allow. With this configuration, no sites are blocked.
To configure the sites to block
1 Go to UTM > Web Filter > Profile.
2 Select the web filter profile named Students and choose Edit.
3 Expand the FortiGuard Web Filter section.
4 In the category table, select Block for these categories: Potentially Liable,
Controversial, and Potentially Non-productive.
5 Select OK to save the web filter profile.
The students will not be able to access any of the web sites in those three general
categories or the categories within them.

Data leak prevention
The FortiGate data leak prevention (DLP) system allows you to prevent sensitive data
from leaving your network. When you define sensitive data patterns, data matching these
patterns will be blocked, logged, and archived, or any combination of these three actions,
when passing through the FortiGate unit. You configure the DLP system by creating
individual rules, combining the rules into DLP sensors, and then assigning a sensor to a
firewall policy.
Although the primary use of the DLP feature is to stop sensitive data from leaving your
network, it can also be used to prevent unwanted data from entering your network and to
archive some or all of the content passing through the FortiGate unit.
This section describes how to configure the DLP settings.
The following topics are included:
• Data leak prevention concepts
• Enable data leak prevention
• DLP archiving
• DLP examples
Data leak prevention concepts
Data leak prevention examines network traffic for data patterns you specify. You define
whatever patterns you want the FortiGate unit to look for in network traffic. The DLP
feature is broken down into a number of parts.

DLP sensor
A DLP sensor is a package of DLP rules and DLP compound rules. To use DLP you must
enable it in a firewall policy and select the DLP sensor to use. The traffic controlled by the
firewall policy will be searched for the patterns defined in the DLP sensor. Matching traffic
will be passed or blocked according to how you configured the DLP sensor and rules. You
can also log the matching traffic.

DLP rule
Each DLP rule includes a single condition and the type of traffic in which the condition is
expected to appear.
For example, the FortiGate DLP system includes a modifiable default rule consisting of a
regular expression that you can use to find messages matching U.S. Social Security
numbers (SSN). You can apply this sample DLP rule, called Email-US-SSN, to have the
FortiGate unit examine the email protocols SMTP, IMAP, and POP3 for messages whose
Body matches the ASCII-formatted regular expression
\b(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}(\b|\W).
DLP rules allow you to specify various conditions depending on the type of traffic for which
the rule is created. Table 68 on page 654 lists the available conditions by traffic type.

Table 68: Conditions available by traffic type for DLP rules

Field                     Email  HTTP  HTTPS  FTP  NNTP  IM
Always                    yes    yes   yes    yes  yes   yes
Body                      yes    yes   -      -    yes   -
Subject                   yes    -     -      -    -     -
Sender                    yes    -     -      -    -     yes
Receiver                  yes    -     -      -    -     -
Attachment Size           yes    -     -      -    -     -
Attachment type           yes    -     -      -    -     -
Attachment text           yes    -     -      -    -     -
Transfer size             yes    yes   -      yes  yes   yes
Binary file pattern       yes    yes   -      yes  yes   yes
Authenticated User        yes    yes   -      yes  yes   yes
User group                yes    yes   -      yes  yes   yes
File is/is not encrypted  yes    yes   -      yes  yes   yes
URL                       -      yes   -      -    -     -
Cookie                    -      yes   -      -    -     -
CGI parameters            -      yes   -      -    -     -
HTTP header               -      yes   -      -    -     -
Hostname                  -      yes   -      -    -     -
File type                 -      yes   -      yes  yes   yes
File text                 -      -     -      yes  yes   yes
Server                    -      -     -      yes  yes   -

The HTTPS protocol is only available on FortiGate units that do not support SSL content
scanning and inspection. Units with SSL content scanning and inspection support include
HTTPS GET and HTTPS POST as options within the HTTP protocol.

DLP compound rule
Compound rules allow you to require that all the conditions specified in multiple DLP rules
are true before the action is taken. In this way, you can configure the FortiGate unit to
search for very specific conditions. For example, you can create a DLP sensor containing
two DLP rules, one that checks all email traffic for messages that have the word “credit” in
the subject, and one that checks all email traffic for messages from the sender
user43@example.com.
Multiple DLP rules in a DLP sensor are connected with a Boolean “or” operation. The
FortiGate unit will find a match in network traffic if the word “credit” appears in the
message subject, or if the message is from user43@example.com. If either condition is
true, a match is found.
If the same rules are added to a compound rule, and the compound rule is added to the
sensor, the rules in the compound are connected with a Boolean “and” operation. The
FortiGate unit will find a match in network traffic if the word “credit” appears in the
message subject and if the message is from user43@example.com. Both conditions must
be true before a match is found.
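
The "or" between the rules of a sensor and the "and" inside a compound rule, together with the regular expression of the default Email-US-SSN rule quoted under "DLP rule" above, can be modelled in a few lines. The following is an added example, not FortiOS code: the rule names other than Email-US-SSN, the sample messages and the SSN-looking values in them are constructed, and Python's re engine stands in for the FortiGate's, so edge cases of the pattern may differ on a real unit.

```python
"""Model of how a DLP sensor combines rules (Boolean "or") and compound
rules (Boolean "and"), using the Email-US-SSN regular expression quoted in
the text. Added example, not FortiOS code: rule names other than
Email-US-SSN, the message samples and the SSN-looking values are constructed,
and Python's re engine stands in for the FortiGate's."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Union

# The regular expression of the default Email-US-SSN rule (from the text).
US_SSN_RE = re.compile(
    r"\b(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}(\b|\W)"
)

Message = Dict[str, str]   # constructed shape: "sender", "subject", "body"


@dataclass(frozen=True)
class Rule:
    """One DLP rule: a single condition on one field of the message."""
    name: str
    condition: Callable[[Message], bool]

    def matches(self, msg: Message) -> bool:
        return self.condition(msg)


@dataclass(frozen=True)
class CompoundRule:
    """A compound rule: every included rule must be true ("and")."""
    name: str
    rules: Sequence[Rule]

    def matches(self, msg: Message) -> bool:
        return all(r.matches(msg) for r in self.rules)


def evaluate_sensor(entries: Sequence[Union[Rule, CompoundRule]], msg: Message) -> List[str]:
    """Names of the sensor entries that match. Entries are "or"-ed, so the
    sensor fires whenever the returned list is non-empty."""
    return [e.name for e in entries if e.matches(msg)]


def ssn_hits(text: str) -> List[str]:
    """Every substring of `text` that the Email-US-SSN expression accepts."""
    return [m.group(0) for m in US_SSN_RE.finditer(text)]


# Rules mirroring the examples in the text (names constructed).
credit_in_subject = Rule("Subject-credit", lambda m: "credit" in m["subject"].lower())
from_user43 = Rule("Sender-user43", lambda m: m["sender"].lower() == "user43@example.com")
email_us_ssn = Rule("Email-US-SSN", lambda m: US_SSN_RE.search(m["body"]) is not None)
credit_and_user43 = CompoundRule("Credit-from-user43", [credit_in_subject, from_user43])

# Constructed sample messages.
MSG_CREDIT_FROM_ALICE: Message = {"sender": "alice@example.com", "subject": "Credit application", "body": "see attached"}
MSG_USER43_LUNCH: Message = {"sender": "user43@example.com", "subject": "lunch?", "body": "noon at the usual place"}
MSG_CREDIT_FROM_USER43: Message = {"sender": "user43@example.com", "subject": "credit limits", "body": "attached"}
MSG_WITH_SSN: Message = {"sender": "bob@example.com", "subject": "HR form", "body": "SSN 123-45-6789 for the file"}
MSG_WITHOUT_SSN: Message = {"sender": "bob@example.com", "subject": "HR form", "body": "ref 000-45-6789 and 123-45 6789"}


def sensor_with_separate_rules(msg: Message) -> List[str]:
    """Sensor holding the two rules side by side: either one is enough."""
    return evaluate_sensor([credit_in_subject, from_user43], msg)


def sensor_with_compound_rule(msg: Message) -> List[str]:
    """Sensor holding the same two rules inside one compound rule."""
    return evaluate_sensor([credit_and_user43], msg)


if __name__ == "__main__":
    for msg in (MSG_CREDIT_FROM_ALICE, MSG_USER43_LUNCH, MSG_CREDIT_FROM_USER43):
        print(msg["subject"], "->", sensor_with_separate_rules(msg), sensor_with_compound_rule(msg))
    print(ssn_hits(MSG_WITH_SSN["body"]), ssn_hits(MSG_WITHOUT_SSN["body"]))
```

The pattern rejects area numbers 000 and 773 and above, group 00 and serial 0000, and requires the same separator (space, hyphen or none) on both sides; any other nine digits in the right ranges match, so expect some false positives on invoice or order numbers and tune the sensor action accordingly.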

654

FortiOS™ Handbook FortiOS 4.0 MR2 UTM Guide
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Data leak prevention

Enable data leak prevention

Enable data leak prevention
DLP examines your network traffic for data patterns you specify. You must configure DLP
in sequence.

General configuration steps
Follow the configuration procedures in the order given. Also, note that if you perform any
additional actions between procedures, your configuration may have different results.
1 Create one or more DLP rules.
DLP rules are the foundation of the data leak prevention feature. Each rule describes
the attributes of a type of sensitive data. The DLP feature uses this information to
detect sensitive data in network traffic.
2 Optionally, combine rules into compound rules.
When using individual rules, any matching rule triggers the action assigned to the rule.
Combining rules into a compound rule and using the compound rule changes their
behavior in that all the rules included in the compound rule must be true for the
assigned action to be triggered.
3 Create a DLP sensor.
New DLP sensors are empty. DLP sensors allow you to combine the DLP rules you’ve
created for different purposes.
4 Add one or more DLP rules and compound rules to the DLP sensor.
New sensors contain no rules and therefore will match no traffic. You must add one or
more rules and compound rules to a DLP sensor.
5 Add the DLP sensor to one or more firewall policies that control the traffic to be
examined.

Creating a DLP rule
The DLP rules define the data to be protected so the FortiGate unit can recognize it. For
example, the FortiGate default sensor rules include one that uses regular expressions to
describe the U.S. Social Security Number:
\b(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)
\d\d\3(?!0000)\d{4}(\b|\W)
Rather than having to list every possible Social Security Number, this regular expression
describes the structure of a Social Security Number. With the pattern, the FortiGate unit
recognizes any numbers that follow the pattern.
To create a DLP rule
1 Go to UTM > Data Leak Prevention > Rule.
2 Select Create New.
3 In the Name field, enter the name of the new DLP rule.
4 Use the Protocol selection to choose the type of network traffic the FortiGate unit will
examine for the presence of the conditions in the DLP rule.
Changing the protocol can change the available sub-protocol and rule options.
If your FortiGate unit does not support SSL content scanning and inspection, HTTPS
will still be an available protocol selection. Although the contents of HTTPS traffic
cannot be examined, HTTPS traffic can be detected, allowed or denied, and logged. If
your FortiGate unit does support SSL content scanning and inspection, HTTPS POST
and HTTPS GET appear in the HTTP protocol. For more information, see “SSL content
scanning and inspection” on page 541.
5 Below the protocol selection, select the sub-protocols the FortiGate unit will examine
for the presence of the conditions in the DLP rule:
SMTP, IMAP, POP3: When you select the Email protocol, you can configure the rule to
apply to any or all of the supported email protocols (SMTP, IMAP, and POP3).
SMTPS, IMAPS, POP3S: When you select the Email protocol and your FortiGate unit
supports SSL content scanning and inspection, you can also configure the rule to apply
to SMTPS, IMAPS, POP3S, or any combination of these protocols.
HTTP POST, HTTP GET: When you select the HTTP protocol, you can configure the rule
to apply to HTTP POST traffic, HTTP GET traffic, or both traffic types.
HTTPS POST, HTTPS GET: When you select the HTTP protocol and your FortiGate unit
supports SSL content scanning and inspection, you can also configure the HTTP rule to
apply to HTTPS GET traffic, HTTPS POST traffic, or both traffic types.
To scan these encrypted traffic types, you must select Enable Deep Scanning in the
HTTPS section of the protocol options profile. If Enable Deep Scanning is not selected,
the DLP sensors will not scan HTTPS content.
FTP PUT, FTP GET: When you select the FTP protocol, you can configure the rule to
apply to FTP PUT traffic, FTP GET traffic, or both traffic types.
AIM, ICQ, MSN, Yahoo!: When you select the Instant Messaging protocol, you can
configure the rule to apply to file transfers using any or all of the supported IM protocols
(AIM, ICQ, MSN, and Yahoo!). Only file transfers using the IM protocols are subject to
DLP rules. IM messages are not scanned.

6 If you select file or attachment rules in a protocol that supports it, you can select
various File options to configure how the DLP rule handles archive files, MS Word files,
and PDF files found in content traffic.
Scan archive contents: When selected, files within archives are extracted and scanned
in the same way as files that are not archived.
Scan archive files whole: When selected, archives are scanned as a whole. The files
within the archive are not extracted and scanned individually.
Scan MS-Word text: When selected, the text contents of MS Word DOC documents are
extracted and scanned for a match. All metadata and binary information is ignored.
Note: Office 2007/2008 DOCX files are not recognized as MS-Word by the DLP scanner.
To scan the contents of DOCX files, select the Scan archive contents option.
Scan MS-Word file whole: When selected, MS Word DOC files are scanned whole. All
binary and metadata information is included. If you are scanning for text entered in a
DOC file, use the Scan MS-Word text option instead: binary formatting codes and file
information may appear within the text, causing text matches to fail.
Note: Office 2007/2008 DOCX files are not recognized as MS-Word by the DLP scanner.
To scan the contents of DOCX files, select the Scan archive contents option.
Scan PDF text: When selected, the text contents of PDF documents are extracted and
scanned for a match. All metadata and binary information is ignored.
Scan PDF file whole: When selected, PDF files are scanned whole. All binary and
metadata information is included. If you are scanning for text in PDF files, use the Scan
PDF text option instead: binary formatting codes and file information may appear within
the text, causing text matches to fail.

7 Select the Rule that defines the condition the FortiGate unit will search for. Each rule
below lists its description and the protocols it is available for.
Always
  Description: This option will cause an automatic match of the selected protocol and
  sub-protocols, regardless of the contents of the network traffic itself.
  Protocol: Email, HTTP, HTTPS, FTP, NNTP, IM, Session Control
Attachment size
  Description: Check the attachment file size.
  Protocol: Email
Attachment text
  Description: Search email attachments for the specified text.
  Protocol: Email
Attachment type
  Description: Search email attachments for file types or file patterns as specified in
  the selected file filter.
  Protocol: Email
Authenticated User
  Description: Search for traffic from the specified authenticated user.
  Protocol: Email, HTTP, FTP, NNTP, IM
Binary file pattern
  Description: Search for the specified binary string in network traffic.
  Protocol: Email, HTTP, FTP, NNTP, IM
Body
  Description: Search for the specified string in the message or page body.
  Protocol: Email, HTTP, NNTP
CGI parameters
  Description: Search for the specified CGI parameters in any web page with CGI code.
  Protocol: HTTP
Cookie
  Description: Search the contents of cookies for the specified text.
  Protocol: HTTP
File is/not encrypted
  Description: Check whether the file is or is not encrypted. Encrypted files are archives
  and MS Word files protected with passwords. Because they are password protected, the
  FortiGate unit cannot scan their contents.
  Protocol: Email, HTTP, FTP, NNTP, IM
File text
  Description: Search for the specified text in transferred text files.
  Protocol: FTP, NNTP, IM
File type
  Description: Search for the specified file patterns and file types. The patterns and
  types are configured in file filter lists, and a list is selected in the DLP rule.
  Protocol: HTTP, FTP, NNTP, IM
Hostname
  Description: Search for the specified host name when contacting an HTTP server.
  Protocol: HTTP
HTTP header
  Description: Search for the specified string in HTTP headers.
  Protocol: HTTP
Receiver
  Description: Search for the specified string in the message recipient email address.
  Protocol: Email
Sender
  Description: Search for the specified string in the message sender user ID or email
  address. For email, the sender is determined by the “From:” address in the email
  header. For IM, all members of an IM session are senders, and the senders are
  determined by finding the IM user IDs in the session.
  Protocol: Email, IM
Server
  Description: Search for the server’s IP address in a specified address range.
  Protocol: FTP, NNTP
Subject
  Description: Search for the specified string in the message subject.
  Protocol: Email
Transfer size
  Description: Check the total size of the information transfer. For email traffic, for
  example, the transfer size includes the message header, body, and any encoded
  attachment.
  Protocol: Email, HTTP, FTP, NNTP, IM
URL
  Description: Search for the specified URL in HTTP traffic.
  Protocol: HTTP
User group
  Description: Search for traffic from any user in the specified user group.
  Protocol: Email, HTTP, FTP, NNTP, IM

8 Select the required rule operators, if applicable:
matches/does not match: This operator specifies whether the FortiGate unit is searching
for the presence or absence of a specified string.
• Matches: The rule will be triggered if the specified string is found in network traffic.
• Does not match: The rule will be triggered if the specified string is not found in
network traffic.
ASCII/UTF-8: Select the encoding used for text files and messages.
Regular Expression/Wildcard: Select the means by which patterns are defined.
is/is not: This operator specifies if the rule is triggered when a condition is true or not
true.
• Is: The rule will be triggered if the rule is true.
• Is not: The rule will be triggered if the rule is not true.
For example, if a rule specifies that a file type is found within a specified file type list,
all matching files will trigger the rule. Conversely, if the rule specifies that a file type is
not found in a file type list, only the file types not in the list would trigger the rule.
==/>=/<=/!=: These operators allow you to compare the size of a transfer or attached
file to an entered value.
• == is equal to the entered value.
• >= is greater than or equal to the entered value.
• <= is less than or equal to the entered value.
• != is not equal to the entered value.

9 Enter the data pattern, if the rule type you selected requires it.
Most rule types end with a field or selection for the data pattern to be matched,
whether it is a file size, text string, email address, or file name.
10 Select OK.

Understanding the default DLP rules
A number of default DLP rules are provided with your FortiGate unit. You can use these as
provided, or modify them as required.
Note: These rules affect only unencrypted traffic types. If you are using a FortiGate unit that
can decrypt and examine encrypted traffic, you can enable those traffic types in these rules
to extend their functionality if required.

Caution: Before using the rules, examine them closely to ensure you understand how they
will affect the traffic on your network.

All-Email, All-FTP, All-HTTP, All-IM, All-NNTP

These rules detect all email, FTP, HTTP, instant messaging, and NNTP
traffic respectively.

Email-AmEx, Email-Canada-SIN, Email-US-SSN, Email-Visa-Mastercard

These four rules detect American Express numbers, Canadian Social
Insurance Numbers, U.S. Social Security Numbers, or Visa and
Mastercard numbers within the message bodies of SMTP, POP3, and
IMAP email traffic.

HTTP-AmEx, HTTP-Canada-SIN, HTTP-US-SSN, HTTP-Visa-Mastercard

These four rules detect American Express numbers, Canadian Social
Insurance Numbers, U.S. Social Security Numbers, or Visa and
Mastercard numbers sent using the HTTP POST command. The
HTTP POST command is used to send information to a web server.
As written, these rules are designed to detect data the user is sending
to web servers. They do not detect data retrieved with the
HTTP GET command, which is used to retrieve web pages.

Large-Attachment

This rule detects files larger than 5MB attached to SMTP, POP3, and
IMAP email messages.

Large-FTP-Put

This rule detects files larger than 5MB sent using the FTP PUT
command. Files received using FTP GET are not examined.

Large-HTTP-Post

This rule detects files larger than 5MB sent using the HTTP POST
command. Files received using HTTP GET are not examined.
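The following is an added example, not code from the handbook or from FortiOS, written to make two points about the HTTP-AmEx and HTTP-Visa-Mastercard rules testable: only HTTP POST bodies are inspected (a GET carrying the same number produces no finding), and a bare digit pattern over-matches, so a Luhn checksum is applied here to drop obvious false positives. The brand prefixes and lengths, the separator handling and the Luhn step are this example's own choices; the FortiGate rules' actual patterns are not reproduced.

```python
"""
Added example: HTTP-POST-only card number detection with Luhn validation.
Not FortiOS code; the brand table and separator handling are assumptions.
"""
import re

# Candidate: 13 to 16 digits, optionally separated by single spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# Assumed brand identification by leading digits and total length (illustrative).
_BRANDS = (
    ("AmEx", ("34", "37"), (15,)),
    ("Visa", ("4",), (13, 16)),
    ("Mastercard", tuple(str(p) for p in range(51, 56)), (16,)),
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(digits: str):
    """Return the brand name for a digit string, or None if no brand matches."""
    for name, prefixes, lengths in _BRANDS:
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return None


def find_card_numbers(text: str):
    """Return [(brand, digits)] for every Luhn-valid card-like number in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = classify(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, digits))
    return hits


def scan_http_request(raw: bytes):
    """Inspect an HTTP request the way the HTTP-* default rules do.

    Only POST bodies are examined. A GET, which retrieves a page, returns no
    findings even if its query string carries a card-like number.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    method = head.split(b" ", 1)[0].upper()
    if method != b"POST":
        return []
    return find_card_numbers(body.decode("utf-8", errors="replace"))


# Constructed sample traffic. 4111111111111111 and 378282246310005 are the
# well-known test numbers that pass Luhn; 4111111111111112 fails it; the
# ten-digit phone number is too short to be a candidate at all.
POST_REQUEST = (
    b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=A+User&card=4111-1111-1111-1111&alt=4111111111111112"
    b"&amex=378282246310005&phone=5551234567"
)
GET_REQUEST = b"GET /?card=4111111111111111 HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    print(scan_http_request(POST_REQUEST))   # two Luhn-valid hits
    print(scan_http_request(GET_REQUEST))    # [] because GET is not inspected
```

Run as a script to see the two findings from the POST and none from the GET. Without the Luhn step the `alt=` value would also be reported, which is the kind of false positive that makes a Block or Ban action painful in production.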

Creating a compound DLP rule
DLP compound rules are groupings of DLP rules that also change the way they behave
when added to a DLP sensor. Individual rules can be configured with only a single
condition. When this condition is discovered in network traffic, the rule is activated.
Compound rules allow you to group individual rules to specify far more detailed activation
conditions. Each included rule is configured with a single condition, but the conditions of
every included rule must be detected before the compound rule is activated.
If only some of the conditions specified in the rules within a compound rule are detected,
the compound rule is not triggered.
To create a compound DLP rule
1 Go to UTM > Data Leak Prevention > Compound.
2 Select Create New.
3 In the Name field, enter the name of the new DLP compound rule.
4 Use the Protocol selection to filter the available DLP rules based on their protocol
settings. For example, if you select the Email protocol, only the DLP rules configured
with the email protocol will appear for you to select.
5 Below the protocol selection, select the required sub-protocols to further restrict which
rules will appear for you to choose.
6 Select the first DLP rule to include in the compound rule from the Rule drop-down list.
7 Select the blue “plus” icon to add a second rule. Each subsequent rule will allow you to
add another so you can add as many DLP rules as you require. Similarly, the blue
“minus” icon allows you to delete the last added rule.
8 Select OK.

Creating a DLP sensor
DLP sensors are collections of DLP rules and DLP compound rules. You must also specify
an action for the rule or compound rule when you add it to a sensor. Once a DLP sensor is
configured, it can be selected in a firewall policy profile. Any traffic handled by the firewall
policy will be examined according to the DLP sensor configuration.
To create a DLP sensor
1 Go to UTM > Data Leak Prevention > Sensor.
2 Select Create New.
3 In the Name field, enter the name of the new DLP sensor.
4 Optionally, you may also enter a comment. The comment appears in the DLP sensor
list and can remind you of the details of the sensor.
5 Select OK.
The DLP sensor is created and the sensor configuration window appears.
6 Select Enable Logging to have the FortiGate unit record details of DLP operation to the
DLP log.
7 Select Enable NAC Quarantine Logging to have the FortiGate unit record details of
DLP operation involving the ban and quarantine actions to the event log. This allows
you to be notified about NAC quarantine events by alert email if necessary. For this to
function correctly, the event log must be enabled with the NAC Quarantine event option
enabled.
8 Select OK.
A newly created sensor is empty, containing no rules or compound rules. Without rules,
the DLP sensor will do nothing.

Adding rules to a DLP sensor
Once you have created a DLP sensor, you need to add DLP rules.
To add rules to a DLP sensor
1 Go to UTM > Data Leak Prevention > Sensor.
2 Select the DLP sensor to which you want to add the rule and choose Edit.
3 Select Create New.
4 Select the Action the FortiGate unit will take against network traffic matching the rule. A
number of actions are available:


None

The FortiGate unit will take no action on network traffic matching a
rule with this action. Other matching rules in the same sensor and
other sensors may still operate on matching traffic.

Block

Traffic matching a rule with the block action will not be delivered. The
matching message or download is replaced with the data leak
prevention replacement message.

Exempt

The exempt action prevents any DLP sensors from taking action on
matching traffic. This action overrides the action assigned to any
other matching sensors.

Ban

If the user is authenticated, this action blocks all traffic to or from the
user using the protocol that triggered the rule and adds the user to
the Banned User list.
If the user is not authenticated, this action blocks all traffic of the
protocol that triggered the rule from the user’s IP address.
If the banned user is using HTTP, FTP, or NNTP (or HTTPS if the
FortiGate unit supports SSL content scanning and inspection) the
FortiGate unit displays the “Banned by data leak prevention”
replacement message for the protocol. If the user is using IM, the IM
and P2P “Banned by data leak prevention” message replaces the
banned IM message and this message is forwarded to the recipient.
If the user is using IMAP, POP3, or SMTP (or IMAPS, POP3S,
SMTPS if your FortiGate unit supports SSL content scanning and
inspection) the Mail “Banned by data leak prevention” message
replaces the banned email message and this message is forwarded
to the recipient. These replacement messages also replace all
subsequent communication attempts until the user is removed from
the banned user list.

Ban Sender

This action blocks email or IM traffic from the sender of matching
email or IM messages and adds the sender to the Banned User list.
This action is available only for email and IM protocols. For email,
the sender is determined by the From: address in the email header.
For IM, all members of an IM session are senders and the senders
are determined by finding the IM user IDs in the session. Similar to
Ban, IM or Mail “Banned by data leak prevention” message replaces
the banned message and this message is forwarded to the recipient.
These replacement messages also replace all subsequent
communication attempts until the user is removed from the banned
user list.

Quarantine IP address

This action blocks access for any IP address that sends traffic
matching a sensor with this action. The IP address is added to the
Banned User list. The FortiGate unit displays the “NAC Quarantine
DLP Message” replacement message for all connection attempts
from this IP address until the IP address is removed from the banned
user list.

Quarantine Interface

This action blocks access to the network for all users connecting to
the interface that received traffic matching a sensor with this action.
The FortiGate unit displays the “NAC Quarantine DLP Message”
replacement message for all connection attempts to the interface
until the interface is removed from the banned user list.

Ban, Ban Sender, Quarantine IP, and Quarantine Interface provide functionality similar
to NAC quarantine. However, these DLP options block users and IP addresses at the
application layer while NAC quarantine blocks IP addresses and interfaces at the
network layer.
Caution: If you have configured DLP to block IP addresses and if the FortiGate unit
receives sessions that have passed through a NAT device, all traffic from that NAT
device—not just traffic from individual users—could be blocked. You can avoid this problem
by implementing authentication or, where possible, select Ban Sender.


Tip: To view or modify the replacement message text, go to System > Config >
Replacement Message.

5 Select how traffic matching the rule will be archived.
Disable

Do not archive network traffic matching the rule.

Summary Only

Archive a summary of matching network traffic.
For example, if applied to a rule governing email, the information
archived includes the sender, recipient, message subject, message
size, and other details.

Full

Archive the matching network traffic in addition to the summary
information. For example, full archiving of email traffic includes the
email messages and any attached files.
Note: Archiving requires a FortiAnalyzer device or a subscription to the FortiGuard Analysis
and Management Service.

6 If you selected one of the ban or quarantine actions, the Expires setting allows you to
choose how long the offending user/address/interface will remain on the banned user
list.
Select Indefinitely to keep the banned user entry in place until it is manually deleted.
Select After to enter the number of minutes, hours, or days, after which the banned
user entry is automatically deleted.
7 Choose the Severity rating to be attached to log entries created when network traffic
matches any rules in the sensor.
The severity setting has no effect on how DLP functions. It only affects DLP log entries
and the reports generated from the logs.
8 Select the type of rule you want to add to the DLP sensor using the Member type
drop-down list. You may choose either Rule or Compound rule, and the list below your
selection will display only the type you choose.
9 From the table, select the rule or compound rule to add to the DLP sensor.
10 Select OK.
The rule is added to the sensor. You may select Create New to add more rules, or select
OK to return to the DLP sensor list.

Understanding default DLP sensors
A number of default DLP sensors are provided with your FortiGate unit. You can use these
as provided, or modify them as you require.
Caution: Before use, examine the sensors and rules in the sensors closely to ensure you
understand how they will affect the traffic on your network.

Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some
content, DLP will not create more than one content archive entry, quarantine item, or ban
entry from the same content.


Content_Archive

All non-encrypted email, FTP, HTTP, IM, and NNTP traffic is archived
to a FortiAnalyzer unit or the FortiGuard Analysis & Management
Service. No blocking or quarantine is performed.
If you have a FortiGate unit that supports SSL content scanning and
inspection, you can modify this sensor to archive encrypted traffic as
well.

Content_Summary

A summary of all non-encrypted email, FTP, HTTP, IM, and NNTP
traffic is saved to a FortiAnalyzer unit or the FortiGuard Analysis &
Management Service. No blocking or quarantine is performed.
If you have a FortiGate unit that supports SSL content scanning and
inspection, you can modify this sensor to archive a summary of
encrypted traffic as well.

Credit-Card

The number formats used by American Express, Visa, and Mastercard
credit cards are detected in HTTP and email traffic.
As provided, the sensor is configured not to archive matching traffic
and an action of None is set. Configure the action and archive options
that you require.

Large-File

Files larger than 5MB will be detected if attached to email messages or
if sent using HTTP or FTP.
As provided, the sensor is configured not to archive matching traffic
and an action of None is set. Configure the action and archive options
that you require.

SSN-Sensor

The number formats used by U.S. Social Security and Canadian
Social Insurance numbers are detected in email and HTTP traffic.
As provided, the sensor is configured not to archive matching traffic
and an action of None is set. Configure the action and archive options
that you require.

DLP archiving
DLP is typically used to prevent sensitive information from getting out of your company
network, but it can also be used to record network use. This is called DLP archiving. The
DLP engine examines email, FTP, IM, NNTP, and web traffic. Enabling archiving for rules
when you add them to sensors directs the FortiGate unit to record all occurrences of these
traffic types when they are detected by the sensor.
Since the archive setting is configured for each rule in a sensor, you can have a single
sensor that archives only the things you want.
DLP archiving comes in two forms: Summary Only, and Full.
Summary archiving records information about the supported traffic types. For example,
when an email message is detected, the sender, recipient, message subject, and total size
are recorded. When a user accesses the Web, every URL the user visits is recorded. The
result is a summary of all activity the sensor detected.
For more detailed records, full archiving is necessary. When an email message is
detected, the message itself, including any attachments, is archived. When a user
accesses the Web, every page the user visits is archived. Far more detailed than a
summary, full DLP archives require more storage space and processing.
Because both types of DLP archiving require additional resources, DLP archives are
saved to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service
(subscription required).
Two sample DLP sensors are provided with DLP archiving capabilities enabled. If you
select the Content_Summary sensor in a firewall policy, it will save a summary DLP
archive of all traffic the firewall policy handles. Similarly, the Content_Archive sensor
will save a full DLP archive of all traffic handled by the firewall policy you apply it to. These
two sensors are configured to detect all traffic of the supported types and archive them.
DLP examples
Configuring DLP content archiving
This example details how to enable DLP content archiving on a FortiGate unit located in a
satellite office. With this DLP sensor selected in a firewall policy, all email, FTP, HTTP, IM,
and NNTP traffic controlled by the policy is saved to your FortiAnalyzer unit. This example
assumes the FortiGate unit is configured to send all logs to a FortiAnalyzer unit or to the
FortiGuard Analysis and Management Service.

Using the DLP content archive sensor
DLP sensors are created by selecting DLP rules. Each rule specifies a condition and an
action. When the condition is true, the action is taken.
Your FortiGate unit comes with a sample DLP sensor that generates a DLP content
archive of all email, FTP, HTTP, IM, and NNTP traffic.

Selecting the DLP sensor in a firewall policy
A DLP sensor directs the FortiGate unit to scan network traffic only when it is selected in a
firewall policy. When a DLP sensor is selected in a firewall policy, its settings are applied to
all the traffic the firewall policy handles.
To select the DLP content archive sensor in a firewall policy — web-based manager
1 Go to Firewall > Policy > Policy.
2 Select a policy and choose the Edit icon.
3 Enable UTM.
4 Select the Enable DLP Sensor option.
5 Select default from the Protocol Options list.
DLP cannot be enabled without selecting a protocol options profile. A default profile is
provided.
6 Select the Content_Archive sensor from the list.
7 Select OK to save the firewall policy.
To select the DLP content archive sensor in a firewall policy — CLI
config firewall policy
edit 1
set utm-status enable
set profile-protocol-options default
set dlp-sensor Content_Archive
end
In the CLI example, 1 is the ID of the policy being modified; substitute the ID of the
policy you selected in the web-based manager.
All email, FTP, HTTP, IM, and NNTP traffic handled by the firewall policy you modified will
be archived. A small office may have only one firewall policy configured. If you have
multiple policies, select the Content_Archive sensor in every policy you want archived.

Blocking sensitive email messages
Someone in the Example.com corporation has been sending copies of the company
president’s monthly update email messages to the press. These messages have included
the full header. Rather than try to block them, the IT department at Example.com will find
out who is sending the messages using DLP.

All messages include the text From: president@example.com and Subject: XYZ
Monthly Update where XYZ is the month the update applies to.
You will create a rule for the email address and a rule for the subject, combine them in a
compound rule, and add the compound rule to a DLP sensor. You will then add the DLP
sensor to the firewall policy that controls outgoing email traffic.
To create the “address” rule
1 Go to UTM > Data Leak Prevention > Rule.
2 Select Create New.
3 In the Name field, enter President address.
4 In the Comments field, enter Finds “president@example.com” in email.
5 For Protocol, select Email.
6 Select the SMTP, IMAP, and POP3 check boxes.
7 Select the Body rule.
8 For the three drop-down menus in the Body row, select matches, ASCII, and Wildcard.
9 In the final field in the Body row, enter president@example.com
10 Select OK to save the rule.
To create the “subject rule”
1 Go to UTM > Data Leak Prevention > Rule.
2 Select Create New.
3 In the Name field, enter President subject.
4 In the Comments field, enter Finds “XYZ Monthly Update” in email.
5 For Protocol, select Email.
6 Select the SMTP, IMAP, and POP3 check boxes.
7 Select the Body rule.
8 For the three drop-down menus in the Body row, select matches, ASCII, and Wildcard.
9 In the final field in the Body row, enter * Monthly Update
The asterisk (‘*’) can represent any characters so the rule will match any monthly
update.
10 Select OK to save the rule.
Adding these two rules to a DLP sensor may generate a large number of false positives
because any rule in a sensor will trigger the action. If the action were to log messages
matching the address and subject rules in this example, then left as individual rules, the
DLP sensor would log Monthly Updates from any employee and log all the president’s
email messages. In this case, you only want to know when both rules are true for a single
message. To do this, you must first add the rules to a compound rule.
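The following is an added example, not code from the handbook or from FortiOS, that models the rule, compound rule and sensor semantics described in "Creating a compound DLP rule" and in the paragraph above: members of a sensor fire independently, while a compound rule fires only when every member rule matches the same message. It uses the two rules from this example (a body match on president@example.com and a wildcard body match on * Monthly Update) over a small set of constructed messages, and also models the handbook's statement that a matching Exempt action overrides other matching actions. The wildcard-to-regex translation, the message set and the evaluation order are this example's assumptions, not FortiGate internals.

```python
"""
Added example: DLP rule / compound rule / sensor evaluation model.
Not FortiOS code; matching details and precedence are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a DLP-style wildcard ('*' = any characters) into a regex.

    Everything other than '*' is matched literally, so '.' in an email
    address is not a regex metacharacter. Matching is case-insensitive here.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


@dataclass(frozen=True)
class Rule:
    name: str
    field: str            # message field the rule inspects, e.g. "body"
    pattern: str          # wildcard pattern entered in the rule

    def matches(self, msg: Dict[str, str]) -> bool:
        return wildcard_to_regex(self.pattern).search(msg.get(self.field, "")) is not None


@dataclass(frozen=True)
class CompoundRule:
    name: str
    rules: Tuple[Rule, ...]

    def matches(self, msg: Dict[str, str]) -> bool:
        # Every member rule must match the same message; partial matches do not trigger it.
        return all(r.matches(msg) for r in self.rules)


Member = Union[Rule, CompoundRule]


def evaluate_sensor(members: List[Tuple[Member, str]], msg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return [(member name, action)] for every sensor member that matches msg.

    Members are independent, so any one of them firing is enough to produce
    a hit. If a matching member carries the 'exempt' action it is returned on
    its own, mirroring the handbook's rule that Exempt overrides other actions.
    """
    hits = [(m.name, action) for m, action in members if m.matches(msg)]
    exempt = [h for h in hits if h[1] == "exempt"]
    return exempt[:1] if exempt else hits


# The two rules exactly as configured in this example (Body, wildcard).
PRESIDENT_ADDRESS = Rule("President address", "body", "president@example.com")
PRESIDENT_SUBJECT = Rule("President subject", "body", "* Monthly Update")
PRESIDENT_PLUS_SUBJECT = CompoundRule("President + subject", (PRESIDENT_ADDRESS, PRESIDENT_SUBJECT))

# Constructed sample messages (headers included in the body, as in the scenario).
# Only the first one carries both the president's address and a Monthly Update subject.
MESSAGES = [
    {"id": "leak", "body": "From: president@example.com\nSubject: March Monthly Update\n..."},
    {"id": "other-update", "body": "From: ops@example.com\nSubject: Backup Monthly Update\n..."},
    {"id": "president-lunch", "body": "From: president@example.com\nSubject: Lunch?\n..."},
    {"id": "unrelated", "body": "From: hr@example.com\nSubject: Parking\n..."},
]


def flagged_by(members: List[Tuple[Member, str]]) -> List[str]:
    """IDs of the sample messages that trigger at least one sensor member."""
    return [m["id"] for m in MESSAGES if evaluate_sensor(members, m)]


# Sensor built from the two individual rules: fires on three of the four messages.
SENSOR_SEPARATE = [(PRESIDENT_ADDRESS, "none"), (PRESIDENT_SUBJECT, "none")]
# Sensor built from the compound rule: fires only on the actual leak.
SENSOR_COMPOUND = [(PRESIDENT_PLUS_SUBJECT, "none")]

if __name__ == "__main__":
    print("separate rules flag:", flagged_by(SENSOR_SEPARATE))
    print("compound rule flags:", flagged_by(SENSOR_COMPOUND))
```

The two sensors differ only in how the same rules are grouped; the separate-rule sensor reports the ops team's backup update and the president's lunch invitation as well as the leak, which is the false-positive problem the text describes.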
To create the “president + subject” compound rule
1 Go to UTM > Data Leak Prevention > Compound.
2 Select Create New.
3 In the Name field, enter President + subject.
4 For Protocol, select Email.
5 Select the SMTP, IMAP, and POP3 check boxes.

6 In the Rules drop-down menu, select President address.
7 Select the blue Add Rule button.
8 In the second Rules drop-down menu, select President subject.
9 Select OK to save this compound rule.
To create the “president” DLP sensor
1 Go to UTM > Data Leak Prevention > Sensor.
2 Select Create New.
3 In the Name field, enter president.
4 In the Comments field, enter Finds “president@example.com” and “XYZ
Monthly Update” in email.
5 Select OK to save the new sensor.
6 Select Enable Logging so the activity of this sensor will be logged.
7 Select Create New to add a rule to the sensor.
8 Set the Action to None.
9 Set Member type to Compound rule.
10 Select the President + subject rule.
11 Select OK.
With the DLP sensor ready for use, you need to select it in the firewall policy.
To select the DLP sensor in the firewall policy
1 Go to Firewall > Policy > Policy.
2 Select the firewall policy that controls outgoing email traffic.
3 Select the Edit icon.
4 Enable UTM.
5 Select default from the Protocol Options list.
UTM cannot be enabled without selecting a protocol options profile. A default profile is
provided.
6 Select the Enable DLP Sensor option.
7 Select the president sensor from the list.
8 Select OK to save the firewall policy.
With the DLP sensor specified in the correct firewall policy, any email message with both
president@example.com and Monthly Update in the message body will trigger the sensor
and a DLP log entry will be created. The sender IP address is recorded and this will
indicate which computer was used to send the message.

Application control
Using the application control UTM feature, your FortiGate unit can detect and take action
against network traffic depending on the application generating the traffic. Based on
FortiGate Intrusion Protection protocol decoders, application control is a user-friendly and
powerful way to use Intrusion Protection features to log and manage the behavior of
application traffic passing through the FortiGate unit. Application control uses IPS protocol
decoders that can analyze network traffic to detect application traffic even if the traffic
uses non-standard ports or protocols.
The FortiGate unit can recognize the network traffic generated by a large number of
applications. You can create application control lists that specify the action to take with the
traffic of the applications you need to manage and the network on which they are active,
and then add application control lists to the firewall policies that control the network traffic
you need to monitor.
This section describes how to configure the application control settings.
If you enable virtual domains (VDOMs) on the FortiGate unit, you need to configure
application control separately for each virtual domain.
The following topics are included in this section:
• Application control concepts
• Enable application control
• Application traffic shaping
• Application control monitor
• Application control packet logging
• Application considerations
• Application control examples

Application control concepts
You can control network traffic by the source or destination address, or by the port, the
quantity or similar attributes of the traffic itself. If you want to control the flow of traffic from
a specific application, these methods may not be sufficient to precisely define the traffic.
To address this problem, the application control feature examines the traffic itself for
signatures unique to the application generating it.
Application control does not require knowledge of any server addresses or ports. The
FortiGate unit comes with signatures for over 1000 applications, services, and protocols.
Updated and new application signatures are delivered to your FortiGate unit as part of
your FortiGuard Application Control Service subscription.
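The following is an added example, not code from the handbook or from FortiOS, that illustrates the principle just stated: application control classifies a flow by what the payload looks like rather than by the port it uses. The three signatures (an HTTP request line, the SSH identification string, the BitTorrent peer-wire handshake) are this example's own simplified byte patterns; the FortiGuard signatures and IPS protocol decoders are far richer and are not reproduced here.

```python
"""
Added example: payload-signature classification independent of port.
Not FortiOS code; the signatures are deliberately simplified.
"""
import re
from typing import Optional

# HTTP request line: METHOD SP request-target SP HTTP/1.x CRLF
_HTTP_REQ = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def _is_http(payload: bytes) -> bool:
    return _HTTP_REQ.match(payload) is not None


def _is_ssh(payload: bytes) -> bool:
    # RFC 4253 identification string: "SSH-protoversion-softwareversion"
    return payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-")


def _is_bittorrent(payload: bytes) -> bool:
    # Peer wire handshake: <pstrlen = 19><"BitTorrent protocol"><reserved><info_hash><peer_id>
    return payload.startswith(b"\x13BitTorrent protocol")


# Signatures are checked in order; the first that matches names the application.
SIGNATURES = (("HTTP", _is_http), ("SSH", _is_ssh), ("BitTorrent", _is_bittorrent))


def classify_payload(payload: bytes) -> Optional[str]:
    """Return the application matched by the first client bytes, or None."""
    for name, check in SIGNATURES:
        if check(payload):
            return name
    return None


def classify_flow(dst_port: int, payload: bytes) -> str:
    """Label one flow from its payload; the port is reported only as context.

    An SSH session on TCP/443 is still labelled SSH, which is what a port-only
    firewall rule cannot tell apart from HTTPS.
    """
    app = classify_payload(payload)
    return f"{app or 'unknown'} (dst port {dst_port})"


# Constructed sample flows; each uses a port that would mislead a port-based filter.
SAMPLE_FLOWS = [
    (443, b"SSH-2.0-OpenSSH_5.3\r\n"),                              # SSH tunnelled over 443
    (8080, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),          # HTTP on a non-standard port
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),      # BitTorrent on port 80
    (80, b"\x16\x03\x01\x00\xa5\x01\x00"),                            # TLS ClientHello, no signature here
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(classify_flow(port, payload))
```

The last sample flow shows the limit of the approach as well: without a signature for a protocol (here TLS), the payload is "unknown", which is why signature coverage, not port coverage, is what determines what application control can see.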
Fortinet is constantly increasing the number of applications that application control can
detect by adding applications to the FortiGuard Application Control Database. Because
intrusion protection protocol decoders are used for application control, the application
control database is part of the FortiGuard Intrusion Protection System Database and both
of these databases have the same version number.
To view the version of the application control database installed on your FortiGate unit, go
to the License Information dashboard widget and find the IPS Definitions version.
To see the complete list of applications supported by FortiGuard Application Control go to
the FortiGuard Application Control List. This web page lists all of the supported
applications. You can select any application name to see details about the application.

Enable application control
Application control examines your network traffic for traffic generated by the applications
you want it to control.

General configuration steps
Follow the configuration procedures in the order given. Also, note that if you perform any
additional actions between procedures, your configuration may have different results.
1 Create an application control list.
2 Configure the list to include the signatures for the application traffic you want the
FortiGate unit to detect. Configure each entry to block or pass the traffic, and optionally
log the traffic.
3 Enable UTM and application control in a firewall policy and select the application
control list.

Creating an application control list
You need to create an application control list before you can enable application control.
To create an application control list
1 Go to UTM > Application Control > Application Control List.
2 Select Create New.
3 In the Name field, enter the name of the new application control list.
4 Optionally, you may also enter a comment.
5 Select OK.
The application control list is created and the list configuration window appears. A newly
created application control list is empty, containing no applications. Without applications,
the application control list will have no effect.

Adding applications to an application control list
Once you have created an application control list, you need to define the applications
that you want to control.
To add applications to an application control list
1 Go to UTM > Application Control > Application Control List.
2 Select the application control list to which you want to add the application and choose
Edit.
3 Select Create New.
4 Using the Category selection, choose the type of application you want to add. For
example, if you want to add Facebook chat, choose im.
The Category selection limits the options available in the Application selection. If you
want to have all the applications listed, leave Category set to All Categories.

5 Using the Application selection, choose the application you want to add.
The applications available to you will be limited to those in the category you selected. If
you want to include all the applications in a category, leave Application set to
All Applications.
6 Select the Action the FortiGate unit will take when it detects network traffic from the
application:
• Block will prevent all traffic from the application from flowing through the FortiGate
unit.
• Pass allows the application traffic to flow normally through the FortiGate unit.
7 If you set the action to Pass, you have the option of enabling traffic shaping for the
application or applications specified in this application list entry. For more information
about application control traffic shaping, see “Application traffic shaping” on page 670.
8 Enable Session TTL to specify a time-to-live value for the session, in seconds. If this
option is not enabled, the TTL defaults to the setting of the CLI command config
system session-ttl.
9 Select Enable Logging to have the FortiGate unit log the occurrence and action taken
when traffic from the application is detected.
10 Select Enable Packet Log to have the FortiGate unit save the packets that application
control used to determine the traffic came from the application.
11 Some applications have additional options:
IM Options (for example AIM)
Block Login

Select to prevent users from logging in to the selected
IM system.

Block File Transfers

Select to prevent the sending and receiving of files
using the selected IM system.

Block Audio

Select to prevent audio communication using the
selected IM system.

Inspect Non-standard Port

Select to allow the FortiGate unit to examine non-standard ports
for the IM client traffic.

Display DLP meta-information on
the system dashboard

Select to include meta-information detected for the IM
system on the FortiGate unit dashboard.

Other Options
Command

Some traffic types include a command option. These
include FTP.Command, NNTP.Command,
POP3.Command, and SMTP.Command. Specify a
command that appears in the traffic that you want to
block or pass.
For example, enter GET as a command in the
FTP.Command application to have the FortiGate unit
examine FTP traffic for the GET command. Multiple
commands can be entered.

Method

A method option is available for HTTP, RTSP, and SIP
protocols. Specify a method that appears in the traffic
that you want to block or pass.
For example, enter POST as a method in the
HTTP.Method application to have the FortiGate unit
examine HTTP traffic for the POST method. Multiple
methods can be entered.

Program Number

Enter the program number appearing in Sun Remote
Procedure Calls (RPC) that you want to block or pass.
Multiple program numbers can be entered.

UUID

Enter the UUID appearing in Microsoft Remote
Procedure Calls (MSRPC) that you want to block or
pass. Multiple UUIDs can be entered.

Understanding the default application control lists
A number of default application control lists are provided with your FortiGate unit. You can
use these as provided, or modify them as required.
Caution: Before using the default application control lists, examine them closely to ensure
you understand how they will affect the traffic on your network.

block-p2p

Use this list to block the applications in the P2P category and allow all
other application traffic.

monitor-all

This list allows all application traffic and enables the application
control monitoring for all traffic. Only FortiGate units with a hard drive
support application monitoring.

monitor-p2p-and-media

This list allows all application traffic, and enables the application
control monitoring for the applications in the P2P and media
categories. Only FortiGate units with a hard drive support application
monitoring.

Application traffic shaping
For application list entries you configure to pass, you can apply traffic shaping. Traffic
shaping allows you to limit or guarantee the bandwidth available to the application or
applications specified in an application list entry. You can also prioritize traffic by using
traffic shaping.
When the action is set to Pass, two options appear: Traffic Shaping and Reverse Direction
Traffic Shaping. When enabled, you can select traffic shapers configured in Firewall >
Traffic Shaper.
You can create or edit traffic shapers by going to Firewall > Traffic Shaper > Shared.
Per-IP traffic shapers are not available for use in application control traffic shaping.
For more information about traffic shaping, see “Traffic shaping methods” on page 1705.

Enabling application control traffic shaping
Enabling traffic shaping in an application control list entry involves selecting the required
shaper. You can create or edit shapers in Firewall > Traffic Shaper > Shared.
To enable traffic shaping
1 Go to UTM > Application Control > Application Control List.
2 Select the application control list you want to configure and choose Edit.
3 Select the application control list entry you want to configure and choose Edit.
4 Select Traffic Shaping and choose the required traffic shaper from the list.
If the action is set to Block, the traffic shaping option is not available. Only allowed
traffic can be shaped.

5 Select Reverse Direction Traffic Shaping and choose the required traffic shaper from
the list if traffic flowing in the opposite direction also requires shaping.
6 Select OK.
Any firewall policy with this application control list selected will shape application traffic
according to the applications specified in the list entry and the shaper configuration.

Reverse direction traffic shaping
To enable traffic shaping, you must set the action to Pass, enable Traffic Shaping and then
choose the shaper. This will apply the shaper configuration to the application traffic
specified in the entry, but only in the direction as specified in the firewall policy in which the
application control list is selected. To shape traffic travelling in the opposite direction,
enable Reverse Direction Traffic Shaper.
For example, if you find that your network bandwidth is being overwhelmed by streaming
HTTP video, one solution is to limit the bandwidth by applying a traffic shaper to an
application control entry that allows the HTTP.Video application. Your users access the
Web using a firewall policy that allows HTTP traffic from the internal interface to the
external interface. Firewall policies are required to initiate communication so even though
web sites respond to requests, a policy to allow traffic from the external interface to the
internal interface is not required for your users to access the Web. The internal to external
policy allows them to open communication sessions to web servers, and the external
servers can reply using the existing session.
If you enable Traffic Shaping and select the shaper in an application control list specified
in the firewall policy, the problem will continue. The reason is the shaper you select for
Traffic Shaping is applied only to the application traffic moving in the direction stated in the
firewall policy. In this case, that is from the internal interface to the external interface. The
firewall policy allows the user to visit the web site and start the video, but the video itself is
streamed from the server to the user, or from the external interface to the internal
interface. This is the reverse of the direction specified in the firewall policy. To solve the
problem, you must enable Reverse Direction Traffic Shaping and select the shaper.

Shaper re-use
Shapers are created independently of firewall policies and application control lists so you
are free to reuse the same shapers in multiple list entries and policies. Shared shapers
can be configured to apply separately to each firewall policy or across all policies. This
means that if a shaper is configured to guarantee 1000 KB/s bandwidth, each firewall
policy using the shaper will have its own 1000 KB/s reserved, or all of the policies using
the shaper will share a pool of 1000 KB/s, depending on how it is configured.
The same thing happens when a shaper is used in application control list entries. If an
application control list using a shaper is applied to two separate policies, how the
bandwidth is limited or guaranteed depends on whether the shaper is set to apply
separately to each policy or across all policies. In fact, if a shaper is applied directly to one
firewall policy, and it is also included in an application control list that is applied to another
firewall policy, the same issue occurs. How the bandwidth is limited or guaranteed
depends on the shaper configuration.
If a shaper is used more than once within a single application control list, all of the
applications using the shaper are restricted to the maximum bandwidth or share the same
guaranteed bandwidth.

For example, you want to limit the bandwidth used by Skype and Facebook chat to no
more than 100 KB/s. Create a shaper, enable Maximum Bandwidth, and enter 100. Then
create an application control list with an entry for Skype and another entry for Facebook
chat. Apply the shaper to each entry and select the application control list in the firewall
policy that allows your users to access both services.
This configuration uses the same shaper for each entry, so Skype and Facebook chat
traffic are limited to no more than 100 KB/s in total. That is, traffic from both applications is
added and the total is limited to 100 KB/s. If you want to limit Skype traffic to 100 KB/s and
Facebook chat traffic to 100 KB/s, you must use separate shapers for each application
control entry.
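The shaper-scope rules above (one shaper shared by two list entries versus separate shapers, and a shaper set to apply per policy versus across all policies) can be tried out on constructed traffic with the following Python simulation. It is an added example, not code from the FortiOS handbook or from Fortinet; the per-second budget refilled and shared round-robin in 1 KB units is an assumption that stands in for the FortiGate's own scheduler, and the application names, policy IDs and offered rates are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Shaper:
    """A shared traffic shaper as configured under Firewall > Traffic Shaper > Shared."""
    name: str
    max_kbps: int        # Maximum Bandwidth in KB/s
    per_policy: bool     # True: separate budget per firewall policy; False: one pool for all policies


@dataclass(frozen=True)
class Flow:
    """Constructed application traffic: what an application would send per second if unshaped."""
    policy_id: int
    app: str
    offered_kbps: int


def _budget_key(shaper, flow):
    # A per-policy shaper keeps one budget per firewall policy; otherwise every
    # policy that reaches the shaper draws on the same pool.
    return (shaper.name, flow.policy_id if shaper.per_policy else "all-policies")


def simulate(flows, entry_shaper, seconds=10):
    """Return KB forwarded per (policy_id, app) over `seconds`.

    entry_shaper maps an application name to the Shaper selected in that
    application's list entry. Every second each budget is refilled with the
    shaper's maximum bandwidth, and flows drawing on the same budget are served
    round-robin in 1 KB units until the budget or their demand runs out.
    (Simplified model, not the FortiGate's actual scheduler.)
    """
    sent = defaultdict(int)
    for _ in range(seconds):
        budget = {}
        remaining = {}
        for f in flows:
            shaper = entry_shaper[f.app]
            budget.setdefault(_budget_key(shaper, f), shaper.max_kbps)
            remaining[f] = f.offered_kbps
        progress = True
        while progress:
            progress = False
            for f in flows:
                key = _budget_key(entry_shaper[f.app], f)
                if remaining[f] > 0 and budget[key] > 0:
                    budget[key] -= 1
                    remaining[f] -= 1
                    sent[(f.policy_id, f.app)] += 1
                    progress = True
    return dict(sent)


def chat_limit_shared_shaper():
    """Skype and Facebook chat entries both select the same 100 KB/s shaper."""
    chat = Shaper("chat_limit", max_kbps=100, per_policy=True)
    flows = [Flow(1, "Skype", 300), Flow(1, "Facebook.Chat", 300)]
    return simulate(flows, {"Skype": chat, "Facebook.Chat": chat})


def chat_limit_separate_shapers():
    """Each entry gets its own 100 KB/s shaper, so each application is limited on its own."""
    flows = [Flow(1, "Skype", 300), Flow(1, "Facebook.Chat", 300)]
    return simulate(flows, {"Skype": Shaper("skype_limit", 100, True),
                            "Facebook.Chat": Shaper("fb_limit", 100, True)})


def across_policies(per_policy):
    """The same shaper reached from two firewall policies, per policy or as one pool."""
    shaper = Shaper("chat_limit", max_kbps=100, per_policy=per_policy)
    flows = [Flow(1, "Skype", 300), Flow(2, "Skype", 300)]
    return simulate(flows, {"Skype": shaper})
```

With the shared shaper, the two applications split 100 KB/s between them; with separate shapers each gets its own 100 KB/s. The same split appears between two firewall policies once the shaper is set to apply across all policies.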

Application control monitor
The application monitor allows you to gain an insight into the applications generating
traffic on your network. When monitor is enabled in an application control list entry and the
list is selected in a firewall policy, all the detected traffic required to populate the selected
charts is logged to the SQL database on the FortiGate unit hard drive. The charts are
available for display in the executive summary section of the log and report menu.
Because the application monitor relies on a SQL database, the feature is available only on
FortiGate units with an internal hard drive.
While the monitor charts are similar to the top application usage dashboard widget, it
offers several advantages. The widget data is stored in memory so when you restart the
FortiGate unit, the data is cleared. Application monitor data is stored on the hard drive and
restarting the system does not affect old monitor data.
Application monitor allows you to choose to compile data for any or all of three charts: top
ten applications by bandwidth use, top ten media users by bandwidth, and top ten P2P
users by bandwidth. Further, there is a chart of each type for the traffic handled by each
firewall policy with application monitor enabled. The top application usage dashboard
widget shows only the bandwidth used by the top applications since the last system
restart.

Enabling application control monitor
Once you have configured and enabled application control, you can enable application
monitor. There are three steps, as detailed below: enabling application monitor in an
application control list, selecting the charts in the firewall policy, and displaying the charts
in the Executive Summary.
To enable application control monitor in an application control list
1 Go to UTM > Application Control > Application Control List.
2 Select the application control list you want to modify and choose Edit.
3 Select Enable Monitoring.
4 Select OK.
With application control monitoring enabled, the FortiGate begins collecting data for the
applications specified in the application control list from the traffic handled by all policies
using the list. If you require monitoring in other application control lists, follow the same
procedure to enable it in each list.

To configure the charts for which data is collected
1 Go to Firewall > Policy > Policy.
2 Select the firewall policy in which the application control list is selected and choose
Edit. Note the firewall policy ID number.
3 Under UTM, the Enable Application Control selection has three new options, one for
each chart type. Select one or more chart types.
4 Select OK.
5 If you have the application control list specified in multiple firewall policies, repeat this
procedure for each policy.
For more information about executive summary charts, see “Executive Summary reports”
on page 527.
To display the application monitor charts
1 Go to Log & Report > Report Access > Executive Summary.
2 Select Add Widget.
3 Select the chart you want from the Widgets list.
The three application monitor charts correspond to the three chart selections in the
firewall policy. They are listed in the list as:
• top10-application-bw-X-0
• top10-media-user-X-0
• top10-p2p-user-bw-X-0
If you have application monitor enabled in multiple firewall policies, one chart of each
type per policy will be available for you to choose. The ‘X’ in the chart name is the
firewall policy number.
4 Select a Daily or Weekly schedule. The chart will display the data collected from only
the current day or current week, depending on the setting. The chart will be reset daily
on the hour specified, or weekly on the hour and day specified.
5 Select OK.

Application control packet logging
Packet logging saves the network packets with which application control identified
application traffic. These packets can be used to troubleshoot false positives or for forensic
investigation. The FortiGate unit saves the logged packets to the attack log, wherever the
logs are configured to be stored, whether memory, internal hard drive, a FortiAnalyzer
unit, or the FortiGuard Analysis and Management Service.
You can enable packet logging in individual application list entries. Use caution in enabling
packet logging. Application control list entries configured with few restrictions can contain
hundreds of applications, potentially resulting in a flood of saved packets. This would take
up a great deal of space, require time to sort through, and consume considerable system
resources to process. Packet logging is designed as a focused diagnostic tool and is best
used with a narrow scope.
Caution: Although logging to multiple FortiAnalyzer units is supported, packet logs are not
sent to the secondary and tertiary FortiAnalyzer units. Only the primary unit receives packet
logs.

To enable application control packet logging
1 Create an entry in an application control list. For more information, see “Adding
applications to an application control list” on page 668.
2 Before saving the entry, select Enable Packet Log.
3 Select the application control list in the firewall policy that allows the network traffic the
FortiGate unit will examine for the application or applications.
For information on viewing and saving logged packets, see “Viewing and saving logged
packets” on page 545.

Application considerations
Some applications behave differently from most others. You should be aware of these
differences before using application control to regulate their use.

IM applications
Application control regulates most instant messaging applications by preventing or
allowing user access to the service. Selecting Block Login will not disconnect users who
are logged in when the change is made. Once they log themselves out, however, they will
not be able to log in again.

Skype
Based on the NAT firewall type, Skype takes advantage of several NAT firewall traversal
methods, such as STUN (Simple Traversal of UDP through NAT), ICE (Interactive
Connectivity Establishment) and TURN (Traversal Using Relay NAT), to make the
connection.
The Skype client may try to log in with either UDP or TCP, on different ports, especially
well-known service ports, such as HTTP (80) and HTTPS (443), because these ports are
normally allowed in firewall settings. A client who has previously logged in successfully
could start with the known good approach, then fall back on another approach if the known
one fails.
The Skype client could also employ Connection Relay. This means if a reachable host is
already connected to the Skype network, other clients can connect through this host. This
makes any connected host not only a client but also a relay server.

Application control examples
Blocking all instant messaging
Instant messaging use is not permitted at the Example Corporation. Application control
helps enforce this policy.
First you will create an application control list with a single entry that includes all instant
messaging applications. You will set the list action to block.
To create the application control list
1 Go to UTM > Application Control > Application Control List.
2 Select Create New.
3 In the Name field, enter no IM for the application control list name.
4 Select OK to create the new list.

5 Select Create New to add a new list entry.
6 For Category, select im.
7 For Action, select Block.
8 Select OK to save the new list entry.
9 Select OK to save the list.
Next you will enable application control and select the list.
To enable application control and select the application control list
1 Go to Firewall > Policy.
2 Select the firewall policy that allows the network users to access the Internet and
choose Edit.
3 Enable UTM.
4 Select Enable Application Control.
5 Select the no IM application control list.
6 Select OK to save the firewall policy.
No IM use will be allowed by the firewall policy. If other firewall policies handle traffic that
users could use for IM, enable application control with the no IM list for those as well.

Allowing only software updates
Some departments at Example Corporation do not require access to the Internet to
perform their duties. Management therefore decided to block their Internet access.
Software updates quickly became an issue because automatic updates will not function
without Internet access and manual application of updates is time-consuming.
The solution is configuring application control to allow only automatic software updates to
access the Internet.
To create an application control list — web-based manager
1 Go to UTM > Application Control > Application Control List.
2 Select Create New.
3 In the Name field, enter Updates_Only as the application control list name.
4 Select OK.
5 Select Create New.
6 Select update from the Category list.
7 Select Pass from the Action list.
8 Select OK to save the entry.
This application list entry will allow all software update application traffic.
9 Select the All Other Known Applications entry.
10 Select Edit.
11 Select Block from the Action list.
12 Select OK.
This application list entry will block all traffic from recognized applications that are not
specified in this application control list.
13 Select the All Other Unknown Applications entry.
14 Select Edit.
15 Select Block from the Action list.
16 Select OK.
This application list entry will block all traffic from applications that are not recognized
by the application control feature.
17 Select OK.
18 Select OK to save the application control list.
To create an application control list — CLI
config application list
    edit Updates_Only
        config entries
            edit 1
                set category 17
                set action pass
            next
        end
        set other-application-action block
        set unknown-application-action block
    next
end

Selecting the application control list in a firewall policy
An application control list directs the FortiGate unit to scan network traffic only when it is
selected in a firewall policy. When an application control list is selected in a firewall policy,
its settings are applied to all the traffic the firewall policy handles.
To select the application control list in a firewall policy — web-based manager
1 Go to Firewall > Policy > Policy.
2 Select a policy.
3 Select the Edit icon.
4 Enable UTM.
5 Select the Enable Application Control option.
6 Select the Updates_Only list.
7 Select default from the Protocol Options list.
Application control cannot be enabled without selecting a protocol options profile. A
default profile is provided.
8 Select OK to save the firewall policy.
To select the application control list in a firewall policy — CLI
config firewall policy
    edit 1
        set utm-status enable
        set profile-protocol-options default
        set application-list Updates_Only
    next
end
Traffic handled by the firewall policy you modified will be scanned for application traffic.
Software updates are permitted and all other application traffic is blocked.

DoS policy
Denial of Service (DoS) policies are primarily used to apply DoS sensors to network traffic
based on the FortiGate interface it is entering as well as the source and destination
addresses. DoS sensors are a traffic anomaly detection feature to identify network traffic
that does not fit known or common traffic patterns and behavior. A common example of
anomalous traffic is the denial of service attack. A denial of service occurs when an
attacking system starts an abnormally large number of sessions with a target system. The
large number of sessions slows down or disables the target system, so that legitimate
users can no longer use it.
This section describes how to create and configure DoS sensors and policies to protect
the publicly accessible servers on your network.
The following topics are included in this section:
• DoS policy concepts
• Enable DoS
• DoS example

DoS policy concepts
DoS policies are similar to firewall policies except that instead of defining the way traffic is
allowed to flow, they keep track of certain traffic patterns and attributes and will stop traffic
displaying those attributes. Further, DoS policies affect only incoming traffic on a single
interface. You can further limit a DoS policy by source address, destination address, and
service.
DoS policies examine network traffic very early in the sequence of protective measures
the FortiGate unit deploys to protect your network. Because of this early detection, DoS
policies are a very efficient defence that uses few resources. Denial of service attacks, for
example, are detected and their packets dropped before requiring firewall policy look-ups,
antivirus scans, and other protective but resource-intensive operations. For more
information about DoS attacks, see “Defending against DoS attacks” on page 551.

Enable DoS
A DoS policy examines network traffic arriving at an interface for anomalous patterns
usually indicating an attack. Enable DoS sensors to protect your FortiGate unit from
attack. To apply a DoS policy, you must follow the steps below in sequence:
1 Create a DoS sensor.
2 Create a DoS policy.
3 Apply the DoS sensor to the DoS policy.

Creating and configuring a DoS sensor
Because an improperly configured DoS sensor can interfere with network traffic, no DoS
sensors are present on a factory default FortiGate unit. You must create your own and
then enable them before they will take effect. Thresholds for newly created sensors are
preset with recommended values that you can adjust to meet the needs of your network.
Note: It is important to know normal and expected network traffic before changing the
default anomaly thresholds. Setting the thresholds too low could cause false positives, and
setting the thresholds too high could allow otherwise avoidable attacks.

To create a DoS sensor
1 Go to UTM > Intrusion Protection > DoS Sensor.
2 Select Create New.
3 In the Name field, enter the name of the DoS sensor.
4 Optionally, enter a description of the DoS sensor in the Comment field.
5 Select OK.
The DoS sensor is created and the sensor configuration window appears. However, a
newly created DoS sensor contains default values which may not be appropriate for your
network. You can adjust these values by configuring the DoS sensor thresholds.
To configure a DoS sensor
1 Go to UTM > Intrusion Protection > DoS Sensor.
2 Select the DoS sensor you want to configure and choose Edit.
3 The DoS sensor configuration window appears.
The Anomalies Configuration table lists 12 types of network anomalies.

Anomaly            Description
tcp_syn_flood      If the SYN packet rate of new TCP connections, including retransmission, to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
tcp_port_scan      If the SYN packet rate of new TCP connections, including retransmission, from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
tcp_src_session    If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed.
tcp_dst_session    If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.
udp_flood          If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_scan           If the number of UDP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_src_session    If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed.
udp_dst_session    If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed.
icmp_flood         If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
icmp_sweep         If the number of ICMP packets originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
icmp_src_session   If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed.
icmp_dst_session   If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed.


4 Select Enable to have the FortiGate unit examine traffic for the anomaly.
5 Select Logging to create an entry in the attack log if the anomaly is detected.
6 Select an Action for the anomaly. By default, the action is Pass, which allows the traffic
containing the anomaly to pass uninterrupted. If set to Block, the anomalous traffic is
blocked and will not flow through the FortiGate unit.
With a Fortinet security processing module installed, FortiGate units that support these
modules offer a third action for the tcp_syn_flood threshold. In addition to Block
and Pass, you can choose to Proxy connect attempts when their volume exceeds the
threshold value. When the tcp_syn_flood threshold action is set to Proxy,
incomplete TCP connections are allowed as normal as long as the configured
threshold is not exceeded. If the threshold is exceeded, the FortiGate unit will intercept
incoming SYN packets with a hardware accelerated SYN proxy to determine whether
the connection attempts are legitimate or a SYN flood attack. Legitimate connections
are allowed while an attack is blocked.
Note: Because DoS sensors are configured before being applied to an interface, you can
assign a DoS sensor with the Proxy action to an interface that does not have hardware
SYN proxy support. In this circumstance, the Proxy action is invalid and a Pass action will
be applied.

7 Set the Threshold value for the anomaly. See the table in step 3 for details about the
threshold values for each anomaly.
8 Select OK.
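The two kinds of threshold in the anomaly table (a packet-per-second rate keyed by source or destination address, and a count of concurrent sessions) and the Enable / Logging / Action / Threshold settings of steps 4 to 7 can be modelled in a few dozen lines. The Python below is an added example, not the FortiGate's detection engine or any Fortinet code: the Packet record, the one-second counting window, the session-open-on-first-packet / close-on-fin rule and the addresses and counts in the two demo functions are all constructed assumptions chosen to illustrate the semantics, not the thresholds a real network needs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet record carrying only the fields the anomaly counters need."""
    ts: float          # arrival time in seconds
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False  # TCP SYN opening a new connection
    fin: bool = False  # constructed end-of-session marker for the concurrent-session counters


# The 12 anomalies of the Anomalies Configuration table:
# name, rate-based (packets per second) or session-based (concurrent), aggregation key, packet filter.
ANOMALY_TABLE = [
    ("tcp_syn_flood",    True,  "dst", lambda p: p.proto == "tcp" and p.syn),
    ("tcp_port_scan",    True,  "src", lambda p: p.proto == "tcp" and p.syn),
    ("tcp_src_session",  False, "src", lambda p: p.proto == "tcp"),
    ("tcp_dst_session",  False, "dst", lambda p: p.proto == "tcp"),
    ("udp_flood",        True,  "dst", lambda p: p.proto == "udp"),
    ("udp_scan",         True,  "src", lambda p: p.proto == "udp"),
    ("udp_src_session",  False, "src", lambda p: p.proto == "udp"),
    ("udp_dst_session",  False, "dst", lambda p: p.proto == "udp"),
    ("icmp_flood",       True,  "dst", lambda p: p.proto == "icmp"),
    ("icmp_sweep",       True,  "src", lambda p: p.proto == "icmp"),
    ("icmp_src_session", False, "src", lambda p: p.proto == "icmp"),
    ("icmp_dst_session", False, "dst", lambda p: p.proto == "icmp"),
]


class DoSSensor:
    """settings maps anomaly name -> (threshold, action, logging); anomalies not listed stay disabled."""

    def __init__(self, settings):
        self.anomalies = [(n, r, k, m, *settings[n]) for n, r, k, m in ANOMALY_TABLE if n in settings]
        self.rate = defaultdict(int)      # (anomaly, key, whole second) -> packets counted
        self.sessions = defaultdict(set)  # (anomaly, key) -> open (src, dst, dport) tuples
        self.log = []                     # attack-log entries written when Logging is selected

    def process(self, packets):
        """Return the packets that would be forwarded; packets hit by a Block action are dropped."""
        forwarded = []
        for p in sorted(packets, key=lambda x: x.ts):
            blocked = False
            for name, rate_based, key_field, match, threshold, action, logging in self.anomalies:
                if not match(p):
                    continue
                key = getattr(p, key_field)
                if rate_based:
                    slot = (name, key, int(p.ts))     # count within a one-second window
                    self.rate[slot] += 1
                    exceeded = self.rate[slot] > threshold
                else:
                    # Simplified: a session opens on its first packet and closes on the
                    # constructed fin marker; a real session table also ages entries out.
                    open_sessions = self.sessions[(name, key)]
                    sess = (p.src, p.dst, p.dport)
                    if p.fin:
                        open_sessions.discard(sess)
                    else:
                        open_sessions.add(sess)
                    exceeded = len(open_sessions) > threshold
                if exceeded:
                    if logging:
                        self.log.append({"ts": p.ts, "anomaly": name, "key": key, "action": action})
                    if action == "block":
                        blocked = True
            if not blocked:
                forwarded.append(p)
        return forwarded


def demo_syn_flood():
    """120 SYNs in one second to one server, tcp_syn_flood threshold 100 pps set to Block."""
    sensor = DoSSensor({"tcp_syn_flood": (100, "block", True), "tcp_port_scan": (1000, "pass", True)})
    syns = [Packet(i * 0.001, "tcp", "203.0.113.5", "192.0.2.10", 80, syn=True) for i in range(120)]
    forwarded = sensor.process(syns)
    return len(forwarded), len(sensor.log), {e["anomaly"] for e in sensor.log}


def demo_dst_sessions():
    """Three clients open connections to one server with tcp_dst_session set to 2, action Pass."""
    sensor = DoSSensor({"tcp_dst_session": (2, "pass", True)})
    pkts = [Packet(1.0 + i / 10, "tcp", f"198.51.100.{i}", "192.0.2.10", 443, syn=True) for i in range(3)]
    forwarded = sensor.process(pkts)
    return len(forwarded), len(sensor.log)
```

In the first demo the first 100 SYNs of the second pass and the remaining 20 are logged and dropped, while the higher tcp_port_scan threshold keyed on the source never fires. In the second, the Pass action logs the third concurrent session but still forwards it, which is the behaviour the note above recommends while thresholds are being tuned.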

Creating a DoS policy
DoS policies examine network traffic entering an interface. The DoS sensor specified in
the DoS policy allows you to limit certain anomalous traffic to protect against attacks.
To create a DoS policy
1 Go to Firewall > Policy > DoS Policy and select Create New.
2 For Source Interface/Zone, select the interface on which the DoS policy will examine
incoming traffic.
3 For Source Address, select the address or address group that defines the source
addresses of the traffic the DoS policy will examine. Network traffic from addresses not
included in the selected address group is ignored by this DoS policy.
4 For Destination Address, select the address or address group that defines the
destination addresses of the traffic the DoS policy will examine. Network traffic to
addresses not included in the selected address group is ignored by this DoS policy.
5 For Service, select the type of network traffic the DoS policy will examine. Protocols not
included in the selected service or service group are ignored by this DoS policy.
6 Select the DoS Sensor check box and choose the required sensor from the list.
7 Select OK.

Apply an IPS sensor to a DoS policy
Although IPS sensors are usually applied to firewall policies, you can also apply them to
DoS policies by using CLI commands. There are two reasons you might want to apply an
IPS sensor to a DoS policy:
• If you want to have all traffic coming into one FortiGate unit interface checked for the
signatures in an IPS sensor, it is simpler to apply the IPS sensor once to a DoS policy.
In a complex configuration, there could be many policies controlling the traffic coming
in on a single interface.
• The operations in a DoS policy occur much earlier in the sequence of operations
performed on incoming traffic. This means that IPS examination of traffic occurs much
sooner if the IPS sensor is applied to a DoS policy. Fewer system resources are used
because signatures set to block traffic will take effect before firewall policy checking
and all of the scans specified in the firewall policy.

The CLI command for configuring DoS policies is config firewall
interface-policy. The following command syntax shows how to add an example IPS
sensor called all_default_pass to a DoS policy with policy ID 5 that was previously
added from the web-based manager.
config firewall interface-policy
    edit 5
        set ips-sensor-status enable
        set ips-sensor all_default_pass
    next
end

DoS example
The Example.com corporation installed a web server and connected it to Port5 on its
FortiGate unit. To protect against denial of service attacks, you will configure and apply a
DoS sensor to protect the web server.
To create the DoS sensor
1 Go to UTM > Intrusion Protection > DoS Sensor.
2 Select Create New.
3 Enter Web Server in the Name field.
4 In the Anomalies Configuration table, select the Enable check box in the table heading.
This enables all the anomalies with a single selection.
5 Select OK to save the new DoS sensor.
As suggested in “Defending against DoS attacks” on page 551, the IT administrators will
run the DoS policy with logging enabled and the anomaly actions set to Pass until they
determine the correct threshold values for each anomaly.
To create a DoS policy
1 Go to Firewall > Policy > DoS Policy.
2 Select Create New.
3 In the Source Interface/Zone field, select Port1 which is the interface connected to the
Internet.
4 In the Source Address field, select all.

5 In the Destination Address field, select all.
If there were more than one publicly accessible server connected to the FortiGate unit,
you would specify the address of the web server in this field.
6 In the Service field, select ANY.
7 Select the DoS Sensor check box and choose Web Server from the list.
8 Select OK to save the DoS policy.
The DoS policy will monitor all network traffic entering Port1 and log the violations if the
thresholds in the Web Server DoS sensor are exceeded.

Sniffer policy
Sniffer policies are used to configure a physical interface on the FortiGate unit as a
one-arm intrusion detection system (IDS). Traffic sent to the interface is examined for matches
to the configured IPS sensor and application control list. Matches are logged and then all
received traffic is dropped. Sniffing only reports on attacks. It does not deny or otherwise
influence traffic.
This section describes how to configure your network topology to use the FortiGate unit as
a one-arm intrusion detection system. It also describes how to configure and enable a
sniffer policy.
The following topics are included in this section:
• Sniffer policy concepts
• Before you begin
• Enable one-arm sniffing
• Sniffer example

Sniffer policy concepts
Using the one-arm intrusion detection system (IDS), you can configure a FortiGate unit to
operate as an IDS appliance by sniffing network traffic for attacks without actually
processing the packets.
To configure one-arm IDS, you enable sniffer mode on a FortiGate interface and connect
the interface to a hub or to the SPAN port of a switch that is processing network traffic.
Then you add DoS policies for that FortiGate interface. Each policy can include a DoS
sensor, an IPS sensor, and an application control list to detect attacks and application
traffic in the network traffic that the FortiGate interface receives from the hub or switch
SPAN port.

The sniffer policy list
The sniffer policy list shows all of the sniffer policies you have created. The policies are
listed by sniffer interface. This is important because multiple sniffer policies can be applied
to sniffer interfaces. Traffic entering a sniffer interface is checked against the sniffer
policies for matching source and destination addresses and for service. This check
against the policies occurs in listed order, from top to bottom. The first sniffer policy
matching all three attributes then examines the traffic. Once a policy matches the
attributes, checks for policy matches stop. If no sniffer policies match, the traffic is dropped
without being examined.
Once a policy match is detected, the matching policy compares the traffic to the contents
of the DoS sensor, IPS sensor, and application list specified in the policy. If any matches
are detected, the FortiGate unit creates an entry in the log of the matching sensor/list. If
the same traffic matches multiple sensors/lists, it is logged for each match. When this
comparison is complete, the network traffic is dropped.
Figure 68 illustrates this process.

Figure 68: How the intrusion detection system uses sniffer policies to examine traffic
[Flowchart] Start: a packet arrives at the sniffer interface. Does the packet source address, destination address, and type match a sniffer policy? No: discard the packet (End). Yes: accept the packet for examination, then in turn: does this packet trigger any threshold violation in the specified DoS sensor? (Yes: log the violation.) Does this packet match any signatures in the specified IPS sensor? (Yes: log the match.) Does this packet come from any application in the specified application control list? (Yes: log the match.) Finally, discard the packet (End).
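The sniffer policy list behaviour described above and drawn in Figure 68 (first matching policy by source, destination and service wins; every sensor and list in that policy is compared and each hit logged; the packet is then dropped whether or not anything matched) is shown in the following Python model. It is an added example, not code from the FortiOS handbook or from Fortinet. The "all" selectors, the IPS signature as a byte pattern searched in the payload, the application control list entries matched on protocol and port, and the addresses, signature name and payloads in demo() are constructed simplifications; a real IPS and application control engine does far more than substring and port matching.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed copy of a frame received from the hub or switch SPAN port."""
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class SnifferPolicy:
    """Source/destination/service selector plus the sensors and list the policy applies.
    A selector of "all" matches anything, like the address and service objects of that name."""
    name: str
    src: str = "all"
    dst: str = "all"
    service: tuple = ("all", 0)      # (proto, dport), or ("all", 0) for any service
    dos_sensor: object = None        # callable Packet -> list of violated anomaly names, or None
    ips_signatures: tuple = ()       # (signature name, byte pattern) pairs; constructed stand-in
    app_list: tuple = ()             # (application name, proto, dport) entries; constructed stand-in

    def matches(self, p):
        src_ok = self.src in ("all", p.src)
        dst_ok = self.dst in ("all", p.dst)
        svc_ok = self.service == ("all", 0) or self.service == (p.proto, p.dport)
        return src_ok and dst_ok and svc_ok


class SnifferInterface:
    """One-arm IDS interface: first-match policy lookup, examine, log each hit, then always drop."""

    def __init__(self, policies):
        self.policies = list(policies)   # checked in listed order, top to bottom
        self.log = []                    # (log type, policy name, what matched)

    def receive(self, p):
        """Return the name of the policy that examined the packet, or None when no policy
        matched (the packet is then dropped unexamined). Nothing is ever forwarded."""
        policy = next((pol for pol in self.policies if pol.matches(p)), None)
        if policy is None:
            return None
        if policy.dos_sensor is not None:
            for violation in policy.dos_sensor(p):
                self.log.append(("dos", policy.name, violation))
        for sig_name, pattern in policy.ips_signatures:
            if pattern in p.payload:
                self.log.append(("ips", policy.name, sig_name))
        for app, proto, dport in policy.app_list:
            if p.proto == proto and p.dport == dport:
                self.log.append(("app", policy.name, app))
        return policy.name


def demo():
    """Two policies on one sniffer interface and three constructed packets."""
    web = SnifferPolicy("web_servers", dst="192.0.2.10", service=("tcp", 80),
                        ips_signatures=(("Example.Probe", b"EXAMPLE-PROBE"),),
                        app_list=(("HTTP", "tcp", 80),))
    catch_all = SnifferPolicy("everything_else", app_list=(("DNS", "udp", 53),))
    ids = SnifferInterface([web, catch_all])
    # Matches web_servers first; catch_all is never consulted for this packet.
    r1 = ids.receive(Packet("198.51.100.7", "192.0.2.10", "tcp", 80, b"GET /EXAMPLE-PROBE HTTP/1.0"))
    # Falls through to everything_else.
    r2 = ids.receive(Packet("198.51.100.7", "192.0.2.53", "udp", 53, b"\x00\x01"))
    # An interface whose only policy does not match: dropped without examination or logging.
    r3 = SnifferInterface([web]).receive(Packet("198.51.100.7", "192.0.2.53", "udp", 53))
    return r1, r2, r3, list(ids.log)
```

The log shows the point the text makes about order: the HTTP packet matched both policies but was examined only by the first, and the DNS packet matched only the catch-all policy. Because receive() never returns the packet, the model also makes the "all received traffic is dropped" rule explicit.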

Before you begin
Traffic entering an interface in sniffer mode is examined for DoS sensor violations, IPS
sensor matches, and application control matches. After these checks, all network traffic is
dropped. To avoid losing data, you must direct a copy of the network traffic to the
FortiGate unit interface configured to sniff packets.
The easiest way to do this is to either use a hub or a switch with a SPAN port.
A hub is the easiest solution to implement but carries a downside. Connecting the
FortiGate unit interface configured with the sniffer policy to a hub will deliver all traffic
passing through the hub to the interface. However, if the network carries a heavy traffic
load, the hub could slow the network because every hub interface sends out all the traffic
the hub received on every interface.
A better solution is a switch with a SPAN port. Network switches receive traffic on all
interfaces but they only send traffic out on the interface connected to the destination.
Network slowdowns are less common when using switches instead of hubs.


Connecting the sniffer interface to a regular switch interface will not work because no
traffic is addressed to the sniffer interface. A SPAN port is a special-purpose interface that
mirrors all the traffic the switch receives. Traffic is handled normally on every other switch
interface, but the SPAN port sends a copy of everything. If you connect your FortiGate unit
sniffer interface to the switch SPAN port, all the network traffic will be examined without
any being lost because of the examination.
Figure 69: A network configured for intrusion detection using a sniffer policy
(Figure: Internet, main firewall, switch, and internal network in line; the one-arm IPS
scanner connects to the switch SPAN port.)

Enable one-arm sniffing
Sniffer policies examine network traffic for anomalous patterns that usually indicate an
attack. Since all traffic entering a sniffer interface is dropped, you need to first add a switch
or hub to your network as described in “Before you begin” on page 684. The following
steps are based on the assumption that you have added the switch or hub.

General configuration steps
The interface first must be designated as the sniffer interface, then the sniffer policy can
be configured to use the sniffer interface.
1 Add a switch or hub to your network as described in “Before you begin” on page 684.
This configuration will send a copy of your network traffic to the sniffer interface.
Caution: When an interface is configured as a sniffer interface, all traffic received
by the interface is dropped after being examined by the sniffer policy.
2 Designate a physical interface as a sniffer interface.
3 Create a sniffer policy that specifies the sniffer interface.
4 Specify a DoS sensor, IPS sensor, application control list, or any combination of the
three to define the traffic you want logged.


Designating a sniffer interface
An interface must be designated as a sniffer interface before it can be used with a sniffer
policy. Once an interface is designated as a sniffer interface, it functions differently from a
regular network interface in two ways:
• A sniffer mode interface accepts all traffic and drops it. If a sniffer policy is configured to
  use the sniffer interface, traffic matching the attributes configured in the policy will be
  examined before it is dropped. No traffic entering a sniffer mode interface will exit the
  FortiGate unit from any interface.
• A sniffer mode interface will be the only available selection in sniffer policies. The
  sniffer interface will not appear in firewall policies, routing tables, or anywhere else
  interfaces can be selected.

Designating a sniffer interface
1 Go to System > Network > Interface.
2 Select the interface.
3 Select the Edit icon.
Caution: When an interface is configured as a sniffer interface, all traffic received
by the interface is dropped after being examined by the sniffer policy.
4 Select the Enable one-arm sniffer check box.
If the check box is not available, the interface is in use. Ensure that the interface is not
selected in any firewall policies, routes, virtual IPs or other features in which a physical
interface is specified.
5 Select OK.

Creating a sniffer policy
Sniffer interfaces accept all traffic. To examine the traffic before it is dropped, a sniffer
policy is required.
To create a sniffer policy
1 Go to Firewall > Policy > Sniffer Policy and select Create New.
2 For Source Interface/Zone, select the interface configured as the sniffer interface. If no
interfaces are available for selection, no interfaces have been defined as sniffer
interfaces. For more information, see “Designating a sniffer interface” on page 686.
3 For Source Address, select the address or address group that defines the source
addresses of the traffic the sniffer policy will examine. Network traffic from addresses
not included in the selected address group is ignored by this sniffer policy.
4 For Destination Address, select the address or address group that defines the
destination addresses of the traffic the sniffer policy will examine. Network traffic to
addresses not included in the selected address group is ignored by this sniffer policy.
5 For Service, select the type of network traffic the sniffer policy will examine. Protocols
not included in the selected service or service group are ignored by this sniffer policy.
6 To have the sniffer policy log violations specified in a DoS sensor, select the
DoS Sensor check box and choose the sensor from the list.
7 To have the sniffer policy log signatures appearing in an IPS sensor, select the
IPS Sensor check box and choose the sensor from the list.


8 To have the sniffer policy log traffic from applications specified in an application control
list, select the Application Black/White List check box and choose the application
control list.
9 Select OK.
DoS sensors, IPS sensors, and application control lists all allow you to choose actions and
log traffic. When included in a sniffer policy, these settings are ignored: the actions do not
apply, because the traffic is dropped in any case, and all matches are logged regardless of
the logging setting.

Sniffer example
An IDS sniffer configuration
The Example.com Corporation uses a pair of FortiGate-620B units to secure the head
office network. To monitor network attacks and create complete log records of them, the
network administrator has received approval to install a FortiGate-82C to record all IPS
signature matches in incoming and outgoing network traffic using a sniffer policy. This
example details the set-up and execution of this network configuration.
Although this example uses a separate FortiGate unit for sniffer-mode operation, the
sniffer traffic can be sent to the FortiGate unit protecting the network. The switch must still
be configured to create a copy of the data because the sniffer interface drops all incoming
traffic. In this case, the administrator requested a FortiGate-82C for this purpose because
sniffer-mode operation is resource intensive, and using a separate FortiGate unit frees the
FortiGate-620B cluster from this task. The FortiGate-82C unit also has four internal hard
drives, making it ideal for storing large log files.

Configuring the network
Connect the Port1 interface of the FortiGate-82C to the Port8 interface of the switch.
You must configure your network to deliver a copy of the traffic to be examined to the
sniffer interface because all network traffic entering a sniffer interface is dropped after
examination.
Since the corporate network uses a pair of FortiGate units in an HA cluster, a switch is
already in place connecting the Internet to Port1 of both FortiGate units.
Figure 70: Switch configuration
(Figure: Port1 of the FortiGate-82C, in sniffer mode, connects to switch Port8, which
mirrors switch Port2 and Port3; Port1 of each FortiGate-620B cluster member connects to
switch Port2 and Port3; the Internet connects to switch Port1.)


The company Internet feed is connected to Port1 of the switch. The FortiGate units are
connected to Port2 and Port3 of the switch. Since they are configured as an HA cluster,
they must both have access to the Internet in the event of a failure.
To allow a FortiGate unit sniffer interface to examine the network traffic, the switch must be
configured to create a copy of all network traffic entering or leaving Port2 and Port3 and
send it out Port8. When configured this way, the switch port sending the duplicate traffic is
called a mirror port or a SPAN port.
Consult the switch documentation for instructions on how to configure a SPAN port.
Note: The traffic between Port1 and Port2/Port3 is not modified or diverted in any way by
the creation of a SPAN port. The traffic is duplicated, with the copy being sent out of the
SPAN port.

Configuring the FortiGate sniffer interface
No sniffer interfaces are included in the default configuration of any FortiGate unit. A copy
of all of the network traffic is being sent to Port1 of the FortiGate-82C so you must
configure Port1 as a sniffer-mode interface.
Caution: All network traffic entering a sniffer-mode interface is dropped after examination
and logging according to the configured sniffer policy.

To configure the sniffer mode interface — web-based manager
1 Log in to the FortiGate-82C web-based manager.
2 Go to System > Network > Interface.
3 Select the Port1 interface.
4 Select Edit.
5 Select Enable one-arm sniffer.
6 Select OK.
To configure the sniffer mode interface — CLI
config system interface
    edit port1
        set ips-sniffer-mode enable
    end

Creating an IPS sensor
A sniffer policy allows you to select an IPS sensor, a DoS sensor, and an application
control list. Any conditions these sensors and the list are configured to detect and log are
saved to the appropriate log.
For this example, create an IPS sensor that detects and logs the occurrence of all the
predefined IPS signatures.
To create an IPS sensor — web-based manager
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select Create New.
3 In the Name field, enter IPS_sniffer.
4 In the Comments field, enter IPS sensor for use in the sniffer policy.


5 In the Filters section, select Create New.
6 In the name field, enter All signatures, logged.
7 For the Logging setting under Signatures Settings, select Enable all.
8 Select OK to save the filter.
9 Ensure Enable Logging is selected in the sensor.
10 Select OK to save the IPS sensor.
To create an IPS sensor — CLI
config ips sensor
    edit IPS_sniffer
        set comment "IPS sensor for use in the sniffer policy."
        config filter
            edit "All signatures, logged"
                set log enable
            end
    end

Creating the sniffer policy
The sniffer policy allows us to choose
To create the sniffer policy — web-based manager
1 Go to Firewall > Policy > Sniffer Policy.
2 Select Create New.
3 Select Port1 for the Source Interface/Zone.
4 Enable IPS Sensor and select the IPS_sniffer sensor.
5 Select OK to save the sniffer policy.
To create the sniffer policy — CLI
config firewall sniff-interface-policy
    edit 0
        set interface port1
        set srcaddr all
        set dstaddr all
        set service ANY
        set ips-sensor-status enable
        set ips-sensor IPS_sniffer
    end
With this configuration, all traffic entering the sniffer port is checked for matching
signatures. Matches are logged and the traffic is dropped.
To examine the network traffic for more issues, you can create a DoS sensor and select it
in the sniffer policy to log traffic anomalies. You can also create an application list with the
specific application you’d like to check for and select it in the sniffer policy.
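The sniffer policy above produces an IPS log record for every match and applies no action. The following Python script, added here as an example and not part of the FortiOS Handbook, summarizes such records by signature and by source so that the busiest attackers and their targets stand out. The key=value layout follows the general shape of FortiGate log messages, but the field names, addresses and signature names in SAMPLE_LOG are constructed for this example, not output captured from a FortiGate-82C.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in the key=value shape of FortiGate log messages.
# Field names, signature names and addresses are assumptions for this example.
SAMPLE_LOG = """\
date=2010-07-14 time=10:01:02 devname=FG82C type=ips subtype=signature severity=high src=203.0.113.7 dst=192.0.2.10 service=http attack_name="HTTP.Uri.Overflow"
date=2010-07-14 time=10:01:05 devname=FG82C type=ips subtype=signature severity=medium src=203.0.113.7 dst=192.0.2.11 service=http attack_name="Apache.Chunked.Encoding"
date=2010-07-14 time=10:02:17 devname=FG82C type=ips subtype=anomaly severity=critical src=198.51.100.23 dst=192.0.2.10 service=tcp attack_name="tcp_syn_flood"
date=2010-07-14 time=10:03:40 devname=FG82C type=ips subtype=signature severity=high src=203.0.113.7 dst=192.0.2.10 service=http attack_name="HTTP.Uri.Overflow"
date=2010-07-14 time=10:04:01 devname=FG82C type=event subtype=system severity=notice msg="Admin login successful"
"""

# One key=value pair; values may be double-quoted and then contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one log line into a dict, stripping the quotes around quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_ips(log_text):
    """Tally IPS records by signature and by source; other log types are skipped."""
    by_signature = Counter()
    by_source = Counter()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "ips":
            continue
        by_signature[rec["attack_name"]] += 1
        by_source[rec["src"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return by_signature, by_source, {src: sorted(dsts) for src, dsts in targets.items()}


def noisy_sources(by_source, threshold):
    """Sources that triggered at least `threshold` matches, busiest first."""
    return [src for src, count in by_source.most_common() if count >= threshold]


if __name__ == "__main__":
    signatures, sources, targets = summarize_ips(SAMPLE_LOG)
    for name, count in signatures.most_common():
        print(f"{count:4d}  {name}")
    for src in noisy_sources(sources, 2):
        print(f"{src} -> {', '.join(targets[src])}")
```

Because a sniffer policy logs every match whatever the sensor's own action setting says, per-source counts like these are the practical way to separate a scanning host from the background of single hits; feeding the script real records exported from the FortiGate-82C only requires that the field names match.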


Chapter 6 User Authentication
This FortiOS Handbook chapter contains the following sections:
“Introduction to authentication” describes some basic elements and concepts of
authentication.
“Authentication servers” describes external authentication servers and how to configure a
FortiGate unit to use them.
“Users and user groups” describes the different types of user accounts and user groups.
Authenticated access to resources is based on user identities and user groups.
“Configuring authenticated access” provides detailed procedures for setting up
authenticated access in firewall policies and authenticated access to VPNs.
“FSAE for integration with Windows AD or Novell” describes how to install and configure
the Fortinet Server Authentication Extension (FSAE) on network domain controllers and
the FortiGate unit. On the FortiGate unit, Windows AD or Novell network user groups can
be made members of Directory Services user groups. With FSAE, network users have
single sign-on access to resources through the FortiGate unit.
“Certificate-based authentication” describes authentication by means of X.509 certificates.
“Monitoring authenticated users” describes the FortiGate unit authenticated user
monitoring screens.
“Example” provides a configuration example in which Windows AD and other network
users are provided authenticated access to the Internet.


Introduction to authentication
This section describes some basic elements and concepts of authentication.
The following topics are included in this section:
• What is authentication?
• Means of authentication
• Types of authentication
• User’s view of authentication
• FortiGate administrator’s view of authentication

What is authentication?
Authentication is the act of confirming the identity of a person or other entity. In the context
of a private computer network, the identities of users or host computers must be
established to ensure that only authorized parties can access the network. The FortiGate
unit provides network access control and applies authentication to users of firewall
policies and VPN clients.

Means of authentication
FortiGate unit authentication divides into two basic types: password authentication for
people and certificate authentication for hosts or endpoints. (An exception to this is that
FortiGate units in an HA cluster and FortiManager units use password authentication.)
Password authentication verifies individual user identities, but access to network
resources is based on membership in user groups. A firewall policy, for example, can be
configured to permit access only to the members of one or more user groups. Any user
who attempts network access through that policy is then authenticated through a request
for their user name and password.

Local password authentication
The simplest authentication is based on user accounts stored locally on the FortiGate unit.
For each account, a user name and password is stored. The account also has a disable
option so that you can suspend the account without deleting it.
Local user accounts work well for a single-FortiGate installation. If your network has
multiple FortiGate units that will use the same accounts, the use of an external
authentication server can simplify account configuration and maintenance.
You create local user accounts in the web-based manager under User > User. This page is
also used to create accounts where an external authentication server stores and verifies
the password.

Server-based password authentication
Using external LDAP, RADIUS, or TACACS+ authentication servers is desirable when
multiple FortiGate units need to authenticate the same users, or where the FortiGate unit
is added to a network that already contains an authentication server.


When you use an authentication server external to the FortiGate unit, the FortiGate unit
sends the user’s entered credentials to the external server, and the server’s response
indicates whether the supplied credentials are valid. How the password is protected in
transit depends on the protocol: RADIUS and TACACS+ obscure it with the shared secret
configured on both sides, and LDAP should be used over a secure connection.
You must configure the FortiGate unit to access the external authentication servers that
you want to use. The configuration includes the parameters that authenticate the
FortiGate unit to the authentication server.
You can use external authentication servers in two ways:
• Create user accounts on the FortiGate unit, but instead of storing each user’s
  password, specify the server used to authenticate that user. As with accounts that
  store the password locally, you add these users to appropriate user groups.
• Add the authentication server to user groups. Any user who has an account on the
  server can be authenticated and have the access privileges of the FortiGate user
  group. Optionally, when an LDAP server is a FortiGate user group member, you can
  limit access to users who belong to specific groups defined on the LDAP server.

Single Sign On authentication using FSAE
“Single sign on” means that users logged on to a computer network are authenticated for
access to network resources through the FortiGate unit without having to enter their user
name and password again. The Fortinet Server Authentication Extension (FSAE) provides
Single Sign On capability for
• Microsoft Windows networks using either Active Directory or NTLM authentication
• Novell networks, using eDirectory

FSAE monitors user logons and sends the FortiGate unit the user name, IP address, and
the list of Windows AD user groups to which the user belongs. When the user tries to
access network resources, the FortiGate unit selects the appropriate firewall policy for the
destination. If the user belongs to one of the permitted user groups, the connection is
allowed.
For detailed information about FSAE see “FSAE for integration with Windows AD or
Novell” on page 729.

Certificate-based authentication
An RSA X.509 server certificate is a small file issued by a Certificate Authority (CA) that is
installed on a computer or FortiGate unit to authenticate itself to other devices on the
network. When one party on a network presents the certificate as authentication, the other
party can validate that the certificate was issued by the CA. The identification is therefore
as trustworthy as the Certificate Authority (CA) that issued the certificate.
To protect against compromised or misused certificates, CAs can revoke any certificate by
adding it to a Certificate Revocation List (CRL). Certificate status can also be checked
online using Online Certificate Status Protocol (OCSP).
RSA X.509 certificates are based on public-key cryptography, in which each party holds a
key pair: a private key, which is never revealed to anyone, and a public key, which can be
freely distributed. What one key of the pair does, only the other key can undo. Encrypting a
message with the recipient’s public key produces a message that only the holder of the
recipient’s private key can read. Signing a message with the sender’s private key produces
a signature that anyone holding the sender’s public key can verify, which proves that the
message came from the holder of that private key and has not been altered.


A server certificate carries a signature that the CA computed over the certificate contents
with its private key. The CA’s public key is distributed in a CA root certificate. If the signature
verifies under the CA’s public key, the certificate was issued by that CA and has not been
altered since.
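The signing, verification and revocation relationships described above, as an added example that is not from the FortiOS Handbook: textbook RSA over small, fixed key pairs lets a toy CA issue a certificate, a relying party verifies it against the CA public key, a tampered copy and a certificate from a different CA are rejected, and a serial listed in a CRL is refused. The key sizes, the JSON encoding standing in for DER, and the names Example Root CA and vpn.example.com are assumptions for illustration; the bare hash-then-exponentiate signature also omits the PKCS#1 padding a real CA applies.

```python
import hashlib
import json
from math import gcd

# Mersenne primes keep the toy keys short to write down. These sizes, the bare
# "hash mod n" signature without PKCS#1 padding, and the JSON stand-in for DER
# are simplifications for illustration only and are not usable as real X.509.
CA_P, CA_Q = 2**127 - 1, 2**521 - 1
SERVER_P, SERVER_Q = 2**89 - 1, 2**107 - 1


def make_keypair(p, q, e=65537):
    """Textbook RSA: public key (n, e), private key (n, d) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Signature: the hash of the data raised to the private exponent."""
    n, d = private_key
    return pow(digest(data) % n, d, n)


def verify(public_key, data, signature):
    """Undo the private-key operation with the public exponent and compare hashes."""
    n, e = public_key
    return pow(signature, e, n) == digest(data) % n


def tbs_bytes(cert):
    """Canonical bytes of the to-be-signed fields (everything except the signature)."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True).encode()


def issue(ca_private, issuer, serial, subject, subject_public):
    """The CA binds a subject name to a public key and signs that binding."""
    cert = {"issuer": issuer, "serial": serial, "subject": subject,
            "public_key": list(subject_public)}
    cert["signature"] = sign(ca_private, tbs_bytes(cert))
    return cert


def validate(cert, ca_public, crl):
    """What a relying party checks: CA signature intact, serial not revoked."""
    if not verify(ca_public, tbs_bytes(cert), cert["signature"]):
        return "bad signature"
    if cert["serial"] in crl:
        return "revoked"
    return "valid"


if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(CA_P, CA_Q)
    srv_pub, srv_priv = make_keypair(SERVER_P, SERVER_Q)
    cert = issue(ca_priv, "Example Root CA", 1001, "vpn.example.com", srv_pub)
    print(validate(cert, ca_pub, crl=set()))
    print(validate(cert, ca_pub, crl={1001}))
    forged = dict(cert, subject="evil.example.com")   # signature no longer matches
    print(validate(forged, ca_pub, crl=set()))
```

The relying party never needs the CA private key: the root certificate's public key is enough to check every certificate the CA issued, which is why installing that root certificate in a browser or VPN client is the step that makes the whole chain trustworthy, and why a revoked serial must be checked separately, because the signature on a revoked certificate still verifies.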

Certificate authorities
A certificate authority can be
• an organization, such as VeriSign Inc., that provides certificate services
• a software application, such as Microsoft Certificate Services or OpenSSL

For a company web portal or customer-facing SSL VPN, a third-party certificate service
has some advantages. The CA certificates are already included in popular web browsers
and customers trust the third-party. On the other hand, third-party services have a cost.
For administrators and for employee VPN users, the local CA based on a software
application provides the required security at low cost. You can generate and distribute
certificates as needed. If an employee leaves the organization, you can simply revoke
their certificate.

Certificates for users
FortiGate unit administrators and SSL VPN users can install certificates in their web
browsers to authenticate themselves. If the FortiGate unit uses a CA-issued certificate to
authenticate itself to the clients, the browser will also need the appropriate CA certificate.
FortiGate IPsec VPN users can install server and CA certificates according to the
instructions for their IPsec VPN client software. The FortiClient Endpoint Security
application, for example, can import and store the certificates required by VPN
connections.
FortiGate units are also compatible with some Public Key Infrastructure systems. For
example, see “RSA/ACE (SecurID) servers” on page 709.

Two-factor authentication
Optionally, you can require both a certificate and user name/password authentication.
Certificates are installed on the user’s computer. Requiring a password in addition protects
against unauthorized use of that computer. Two-factor authentication is available for PKI
users. For more information, see “Two-factor authentication” on page 714.

Types of authentication
Authentication applies to several FortiGate features:
• firewall policies (identity-based policies)
• VPNs

Firewall authentication (Identity-based policies)
Firewall policies enable traffic to flow between network interfaces. If you want to limit
which users have access to particular resources, you create identity-based firewall
policies that allow access only to members of specific user groups. Authentication, a
request for user name and password, is triggered when a user attempts to access a
resource for which data must pass through an identity-based firewall policy.
The user’s authentication expires if the connection is idle for too long. The Authentication
Timeout setting is in User > Authentication. It has a default timeout of 30 minutes.


FortiGuard Web Filter override authentication
Optionally, users can be allowed the privilege of overriding FortiGuard Web Filtering to
view blocked web sites. Depending on the override settings, the override can apply to the
user who requested it, the entire user group to which the user belongs, or all users who
share the same web filter profile. As with other FortiGate features, access to FortiGuard
overrides is controlled through user groups. Firewall and Directory Services user groups
are eligible for the override privilege. Go to UTM > Web Filter > Profile to configure Web
Filter profiles. In the FortiGuard Web Filtering Overrides section of the profile, you can
select the user groups that are allowed to override the web filter. For more information
about web filtering and overrides, see the UTM chapter of this FortiOS Handbook.

VPN authentication
In IPsec VPNs, there is authentication of the peer device and optionally of the peer user.

Authenticating IPsec VPN peers (devices)
The simplest way for IPsec VPN peers to authenticate each other is through use of a
preshared key, sometimes also called a shared secret. The preshared key is a text string
known to both peers; during the IKE exchange that establishes the VPN tunnel, each peer
proves that it holds the key, and the tunnel cannot be established if the two peers do not
use the same key. The disadvantage of preshared key authentication is that it can be
difficult to securely distribute and update the preshared keys, and a key shared by many
peers cannot by itself identify any one of them.
RSA X.509 certificates are a better way for VPN peers to authenticate each other. Each
peer offers a certificate signed by a Certificate Authority (CA) which the other peer can
validate with the appropriate CA root certificate. For more information about certificates,
see “Certificate-based authentication” on page 757.
You can supplement either preshared key or certificate authentication by requiring the
other peer to provide a specific peer ID value. The peer ID is a text string configured on
the peer device. On a FortiGate peer or FortiClient Endpoint Security peer, the peer ID
provided to the remote peer is called the Local ID.

Authenticating IPsec VPN users
An IPsec VPN can be configured to accept connections from multiple dynamically
addressed peers. You would do this to enable employees to connect to the corporate
network while traveling or from home. On a FortiGate unit, you create this configuration by
setting the Remote Gateway to Dialup User.
It is possible to have an IPsec VPN in which remote peer devices authenticate using a
common preshared key or a certificate, but there is no attempt to identify the user at the
remote peer. To add user authentication, you can do one of the following:
• require a unique preshared key for each peer
• require a unique peer ID for each peer
• require a unique peer certificate for each peer
• require additional user authentication (XAuth)

The peer ID is a text string configured on the peer device. On a FortiGate peer or
FortiClient Endpoint Security peer, the peer ID provided to the remote peer is called the
Local ID.


Authenticating SSL VPN users
SSL VPN users can be
• user accounts with passwords stored on the FortiGate unit
• user accounts authenticated by an external RADIUS, LDAP or TACACS+ server
• PKI users authenticated by certificate

You need to create a user group for your SSL VPN. Prior to FortiOS 4.0 MR2, there was a
separate SSL VPN user group type. Now you simply create a firewall user group, enable
SSL VPN access for the group, and select the web portal the users will access.
SSL VPN access requires an SSL VPN firewall policy that permits access to members of
your user group.

Authenticating PPTP and L2TP VPN users
You can configure PPTP and L2TP VPNs only in the CLI. Each of these VPNs can accept
authenticated users from only one user group. Before you configure the VPN, create a
firewall user group and add to it the users who are permitted to use the VPN. Users
are authenticated when they attempt to connect to the VPN. For more information about
configuring PPTP or L2TP VPNs, refer to the FortiGate CLI Reference.

User’s view of authentication
The user sees a request for authentication when they try to access a protected resource.
The way in which the request is presented to the user depends on the method of access to
that resource.
VPN authentication usually controls remote access to a private network.

Web-based user authentication
Firewall policies usually control browsing access to an external network that provides
connection to the Internet. In this case, the FortiGate unit requests authentication through
the web browser:

The user types a user name and password and then selects Continue/Login. If the
credentials are incorrect, the authentication screen is redisplayed with blank fields so that
the user can try again. When the user enters valid credentials, they get access to the
required resource. In some cases, if a user tries to authenticate several times without
success, a message appears, such as: “Too many bad login attempts. Please try again in
a few minutes.”

Note: After a defined period of user inactivity (the authentication timeout, defined by the
FortiGate administrator), the user access will expire. The default is 5 minutes. To access
the resource, the user will have to authenticate again.

VPN client-based authentication
A VPN provides remote clients with access to a private network for a variety of services
that include web browsing, email, and file sharing. A client program such as FortiClient
negotiates the connection to the VPN and manages the user authentication challenge
from the FortiGate unit.
FortiClient can store the user name and password for a VPN as part of the configuration
for the VPN connection and pass them to the FortiGate unit as needed. Or, FortiClient can
request the user name and password from the user when the FortiGate unit requests
them.

SSL VPN is a form of VPN that can be used with a standard Web browser. There are two
modes of SSL VPN operation (supported in NAT/Route mode only):
• web-only mode, for thin remote clients equipped with a web-browser only
• tunnel mode, for remote computers that run a variety of client and server applications.
Note: After a defined period of user inactivity on the VPN connection (the idle timeout,
defined by the FortiGate administrator), the user access will expire. The default is 30
minutes. To access the resource, the user will have to authenticate again.

FortiGate administrator’s view of authentication
Authentication is based on user groups. You configure authentication parameters for
firewall policies and VPN tunnels to permit access only to members of particular user
groups. A member of a user group can be:
• a user whose user name and password are stored on the FortiGate unit
• a user whose name is stored on the FortiGate unit and whose password is stored on a
  remote or external authentication server
• a remote or external authentication server with a database that contains the user name
  and password of each person who is permitted access

The general process of setting up authentication is as follows:
1 If remote or external authentication is needed, configure the required servers.
2 Configure local and peer (PKI) user identities. For each local user, you can choose
whether the FortiGate unit or a remote authentication server verifies the password.
Peer members can be included in user groups for use in firewall policies.


3 Create user groups.
Add local/peer user members to each user group as appropriate. You can also add an
authentication server to a user group. In this case, all users in the server’s database
can authenticate. You can only configure peer user groups through the CLI.
4 Configure firewall policies and VPN tunnels that require authenticated access.


Authentication servers
FortiGate units support the use of external authentication servers. If you are going to use
authentication servers, you must configure the servers before you configure FortiGate
users or user groups that require them. An authentication server can provide password
checking for selected FortiGate users or it can be added as a member of a FortiGate user
group.
This section describes:
• RADIUS servers
• LDAP servers
• TACACS+ servers
• Directory Service servers
• RSA/ACE (SecurID) servers

RADIUS servers
Remote Authentication Dial-In User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. FortiGate units use the authentication and
accounting functions of the RADIUS server.
Your RADIUS server listens on either port 1812 or port 1645 for authentication requests.
You must configure it to accept the FortiGate unit as a client.
The RADIUS server user database can be any combination of:
• user names and passwords defined in a configuration file
• an SQL database
• user account names and passwords configured on the computer where the RADIUS
  server is installed.

The RADIUS server and its clients, such as the FortiGate unit, share a “shared secret” key.
The secret does not encrypt the whole exchange: it hides the User-Password attribute and
authenticates the server’s replies (the Response Authenticator), while every other
attribute, including the user name and any group name the server returns, travels in
clear text. Use a long, random secret and a separate one per client.
The FortiGate units send the following RADIUS attributes:
1. Acct-Session-ID
2. User-Name
3. NAS-Identifier (FGT hostname)
4. Framed-IP-Address (IP address assigned to the client)
5. Fortinet-VSA (IP address client is connecting from)
6. Acct-Input-Octets
7. Acct-Output-Octets
Table 69 describes the supported authentication events and the RADIUS attributes that
are sent in the RADIUS accounting message.

Table 69: RADIUS attributes sent in RADIUS accounting message
(column numbers refer to the attribute list above: 1 Acct-Session-ID, 2 User-Name,
3 NAS-Identifier, 4 Framed-IP-Address, 5 Fortinet-VSA, 6 Acct-Input-Octets,
7 Acct-Output-Octets)

  Authentication method            1   2   3   4   5   6   7
  Web                              X   X   X       X
  XAuth of IPSec (without DHCP)    X   X   X       X
  XAuth of IPSec (with DHCP)       X   X   X   X   X
  PPTP/L2TP (in PPP)               X   X   X   X   X   X   X
  SSL-VPN                          X   X   X       X

In order to support vendor-specific attributes (VSA), the RADIUS server requires a
dictionary to define what the VSAs are.
Fortinet’s dictionary is configured this way:
    #
    # Fortinet's VSAs
    #
    VENDOR          Fortinet                        12356
    BEGIN-VENDOR    Fortinet
    ATTRIBUTE       Fortinet-Group-Name             1       string
    ATTRIBUTE       Fortinet-Client-IP-Address      2       ipaddr
    ATTRIBUTE       Fortinet-Vdom-Name              3       string
    #
    # Integer Translations
    #
    END-VENDOR      Fortinet
See the documentation provided with your RADIUS server for configuration details.

Configuring the FortiGate unit to use a RADIUS server
To configure the FortiGate unit to use a RADIUS server, you need to know the server’s
domain name or IP address and its shared secret key. You will select the authentication
protocol. The maximum number of remote RADIUS servers that can be configured for
authentication is 10.
On the FortiGate unit, the default port for RADIUS traffic is 1812. If your RADIUS server is
using port 1645, you can either:
• Reconfigure the RADIUS server to use port 1812. See your RADIUS server
  documentation for more information.
or
• Change the FortiGate unit default RADIUS port to 1645 using the CLI:
    config system global
        set radius_port 1645
    end

To configure the FortiGate unit for RADIUS authentication - web-based manager
1 Go to User > Remote > RADIUS and select Create New.
2 Enter a name for the RADIUS server.
3 In Primary Server Name/IP, enter the domain name or IP address of the RADIUS
server.

4 In Primary Server Secret, enter the server secret key.
5 Optionally, enter the information for a secondary RADIUS server in the
Secondary Server Name/IP and Secondary Server Secret fields.
6 Select the Authentication Scheme.
Use Default Authentication Scheme will usually work. Or, you can select
Specify Authentication Protocol and select the protocol your RADIUS server requires.
7 Select OK.
To configure the FortiGate unit for RADIUS authentication - CLI example
    config user radius
        edit ourRADIUS
            set auth-type auto
            set server 10.11.102.100
            set secret aoewmntiasf
        end
For more information about RADIUS server options, refer to the FortiGate CLI Reference.
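The shared-secret mechanics and the Fortinet VSA from the dictionary above, worked through as an added example (this is not code from the handbook or from Fortinet): it builds the Access-Request a FortiGate would send, hides the User-Password with the secret exactly as RFC 2865 specifies, builds the Access-Accept a server would return carrying Fortinet-Group-Name, and checks the Response Authenticator on the client side. The user name, NAS identifier, group name and the fixed Request Authenticator are constructed; the secret reuses the sample value from the CLI example. Standard library only, no network I/O.

```python
"""RFC 2865 RADIUS packets with the Fortinet VSA (vendor 12356): added example, not Fortinet code.
Standard library only; packets are built and parsed in memory. The secret, user, NAS identifier
and the fixed Request Authenticator used by the callers are constructed sample values."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC, ATTR_NAS_IDENTIFIER = 1, 2, 26, 32
FORTINET_VENDOR_ID = 12356   # VENDOR line of the dictionary above
FORTINET_GROUP_NAME = 1      # ATTRIBUTE Fortinet-Group-Name 1 string

def _password_xor(data, secret, authenticator, decrypt):
    """RFC 2865 s5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result   # the chain always uses the ciphertext block
    return bytes(out)

def hide_password(password, secret, authenticator):
    """Pad to a 16-byte multiple and obfuscate; User-Password is the only attribute the secret hides."""
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)

def reveal_password(hidden, secret, authenticator):
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    return _password_xor(hidden, secret, authenticator, True).rstrip(b"\x00")

def avp(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def fortinet_vsa(sub_type, value):
    """Vendor-Specific (26): vendor id, then one Fortinet sub-attribute in type/length/value form."""
    inner = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + inner)

def build_access_request(ident, username, password, secret, nas_id, authenticator=None):
    """What the FortiGate (the NAS) sends; the Request Authenticator must be unpredictable."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(ATTR_USER_NAME, username)
             + avp(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + avp(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(request, secret, group_name):
    """Server reply carrying Fortinet-Group-Name, which the FortiGate matches against its group config."""
    attrs = fortinet_vsa(FORTINET_GROUP_NAME, group_name)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Client-side check: a wrong secret, a reply to another request or a modified attribute all fail."""
    if len(response) < 20 or response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attributes(packet):
    """Yield (type, value) pairs; reject bad lengths rather than read past the packet or loop."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= 4096 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def fortinet_group_names(packet):
    """Collect Fortinet-Group-Name values from a reply; other vendors' VSAs are ignored."""
    names = []
    for attr_type, value in parse_attributes(packet):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6 or struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):   # walk the sub-attributes
            if sub[0] == FORTINET_GROUP_NAME:
                names.append(sub[2:sub[1]].decode("utf-8", "replace"))
            sub = sub[sub[1]:]
    return names

if __name__ == "__main__":
    secret, auth = b"aoewmntiasf", bytes(range(16))   # CLI example secret; fixed authenticator for repeatability
    req = build_access_request(7, b"user3", b"s3cret!", secret, b"FGT50B", auth)
    acc = build_access_accept(req, secret, b"usergroup1")
    print(verify_response(acc, req, secret), fortinet_group_names(acc))
```

Two things to take from it: only User-Password is hidden (User-Name, NAS-Identifier and the returned group name are readable on the wire), and the reply check is an MD5 over the secret, which is why the secret must be long and random and why current deployments additionally require the Message-Authenticator attribute of RFC 2869, which this RFC 2865-only example leaves out.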

LDAP servers
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords,
email addresses, and printers. An LDAP directory service consists of a data-representation
scheme, a set of defined operations, and a request/response network protocol.
The scale of LDAP servers ranges from big public servers such as BigFoot and Infospace,
to large organizational servers at universities and corporations, to small LDAP servers for
workgroups. This document focuses on the institutional and workgroup applications of
LDAP.
A directory is a set of objects with similar attributes organized in a logical and hierarchical
way. Generally, an LDAP directory tree reflects geographic and/or organizational
boundaries, with the Domain name system (DNS) names to structure the top level of the
hierarchy. The common name identifier for most LDAP servers is cn, however some
servers use other common name identifiers such as uid.
If you have configured LDAP support and a user is required to authenticate using an
LDAP server, the FortiGate unit contacts the LDAP server for authentication. To
authenticate with the FortiGate unit, the user enters a user name and password. The
FortiGate unit sends this user name and password to the LDAP server. If the LDAP server
can authenticate the user, the user is successfully authenticated with the FortiGate unit. If
the LDAP server cannot authenticate the user, the connection is refused by the FortiGate
unit.
Binding is the step where the LDAP server authenticates the user, and if the user is
successfully authenticated, allows the user access to the LDAP server based on that
user’s permissions.
The FortiGate unit can be configured to use one of three types of binding:
• anonymous - bind using anonymous user search
• regular - bind using user name/password and then search
• simple - bind using a simple password authentication without a search

You can use simple authentication if the user records all fall under one dn. If the users are
under more than one dn, use the anonymous or regular type, which can search the entire
LDAP database for the required user name.
If your LDAP server requires authentication to perform searches, use the regular type and
provide values for user name and password.
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight
Directory Access Protocol v3, for looking up and validating user names and passwords.
FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate
LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the
FortiGate CLI Reference. Enable it wherever the path to the LDAP server is not trusted:
a plain LDAP bind sends the user’s password (and, for the regular bind type, the search
account’s password) in clear text.
FortiGate LDAP does not support proprietary functionality, such as notification of
password expiration, which is available from some LDAP servers. FortiGate LDAP does
not supply information to the user about why authentication failed.
To configure your FortiGate unit to work with an LDAP server, you need to understand the
organization of the information on the server.
The top of the hierarchy is the organization itself. Usually this is defined as Domain
Component (DC), a DNS domain. If the name contains a dot, such as “example.com”, it is
written as two parts: “dc=example,dc=com”.
In this example, Common Name (CN) identifiers reside at the Organization Unit (OU)
level, just below DC. The Distinguished Name (DN) is ou=People,dc=example,dc=com.

In addition to the DN, the FortiGate unit needs an identifier for the individual person.
Although the FortiGate unit GUI calls this the Common Name (CN), the identifier you use
is not necessarily CN. On some servers, CN is the full name of a person. It might be more
convenient to use the same identifier used on the local computer network. In this example,
User ID (UID) is used.
You need to determine the levels of the hierarchy from the top to the level that contains the
identifier you want to use. This defines the DN that the FortiGate unit uses to search the
LDAP database. Frequently used distinguished name elements include:
• pw (password)
• cn (common name)
• ou (organizational unit)
• o (organization)
• c (country)

One way to test this is with a text-based LDAP client program. For example, OpenLDAP
includes a client, ldapsearch, that you can use for this purpose.
Enter the following command (it takes the server and search base from your ldap.conf;
add -H ldap://<server> and -b <base DN> to name them explicitly):
    ldapsearch -x '(objectclass=*)'
The output is lengthy, but the information you need is in the first few lines:
    version: 2
    #
    # filter: (objectclass=*)
    # requesting: ALL
    #
    dn: dc=example,dc=com
    dc: example
    objectClass: top
    objectClass: domain

    dn: ou=People,dc=example,dc=com
    ou: People
    objectClass: top
    objectClass: organizationalUnit
    ...
    dn: uid=auser,ou=People,dc=example,dc=com
    uid: auser
    cn: Alex User

Configuring the FortiGate unit to use an LDAP server
After you determine the common name and distinguished name identifiers and the domain
name or IP address of the LDAP server, you can configure the server on the FortiGate
unit. The maximum number of remote LDAP servers that can be configured for
authentication is 10.
To configure the FortiGate unit for LDAP authentication - web-based manager
1 Go to User > Remote > LDAP and select Create New.
Figure 71: Configure FortiGate unit for LDAP authentication

2 Enter a name for the LDAP server.
3 In Server Name/IP enter the server’s FQDN or IP address.
4 If the server does not use port 389, enter the port number in the Server Port field.
5 Enter the Common Name Identifier (20 characters maximum). cn is the default.

6 In the Distinguished Name field, enter the base distinguished name for the server using
the correct X.500 or LDAP format.
The FortiGate unit passes this distinguished name unchanged to the server. The
maximum number of characters is 512.
If you don’t know the distinguished name, leave the field blank and select the Query
icon to the right of the field. For more information, see the “Using the Query icon” on
page 29.
7 In Bind Type, select Regular.
8 In User DN, enter the distinguished name of the account the FortiGate unit binds with to
search the directory. A dedicated account with read-only search rights is sufficient; do
not use a directory administrator, because this password is stored in the FortiGate
configuration.
9 In Password, enter that account’s password.
10 Select OK.
For detailed information about configuration options for LDAP servers, see the FortiGate
Administration Guide.
To configure the FortiGate unit for LDAP authentication - CLI example
    config user ldap
        edit ourLDAPsrv
            set server 10.11.101.160
            set cnid cn
            set dn cn=users,dc=office,dc=example,dc=com
            set type regular
            set username cn=administrator,cn=users,dc=office,dc=example,dc=com
            set password w5AiGVMLkgyPQ
        end
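How the three bind types treat a login name, as an added example (not FortiOS code). A tiny in-memory directory stands in for the LDAP server so it runs offline; its entries reuse the ou=People tree from the ldapsearch output and the cn=administrator account from the CLI example, and the passwords and the second container are constructed. The FortiGate-side logic is the part worth reading: simple bind only builds <cnid>=<user>,<dn> and cannot find a user stored under another container, while anonymous and regular bind search first and then bind as the entry found. The escaping functions follow RFC 4514 (DN values) and RFC 4515 (filter values) so that a login name such as * cannot widen the search.

```python
"""The FortiGate's three LDAP bind types applied to a login name: added example, not FortiOS code.
A tiny in-memory directory replaces the LDAP server so this runs offline; entries, DNs and
passwords are constructed (names follow the ldapsearch output and CLI example above)."""
import hmac
import re

DIRECTORY = {   # constructed: users sit under two containers, as in a real tree
    "uid=auser,ou=People,dc=example,dc=com": {"uid": "auser", "cn": "Alex User", "userPassword": "pw-a"},
    "uid=buser,ou=Contractors,dc=example,dc=com": {"uid": "buser", "cn": "Bea User", "userPassword": "pw-b"},
    "cn=administrator,ou=People,dc=example,dc=com": {"cn": "administrator", "userPassword": "w5AiGVMLkgyPQ"},
}

def escape_dn_value(value):
    """RFC 4514: escape characters that would otherwise end or extend the RDN."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if special else ch)
    return "".join(out)

def escape_filter_value(value):
    """RFC 4515: encode *, (, ), backslash and NUL as \\XX so input cannot widen the filter."""
    table = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def _pattern_to_regex(pattern):
    # server side: a raw '*' is a wildcard, '\XX' is one literal character
    pieces = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
              for p in pattern.split("*")]
    return re.compile("^" + ".*".join(re.escape(p) for p in pieces) + "$")

def fake_search(base_dn, ldap_filter):
    """Subtree search for the (attr=value) filters a NAS sends; returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter")
    attr, rx = m.group(1), _pattern_to_regex(m.group(2))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base_dn) and attr in attrs and rx.match(attrs[attr])]

def fake_bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"].encode(), password.encode())

def authenticate(bind_type, cnid, base_dn, username, password, admin_dn=None, admin_pw=None):
    """simple: bind as <cnid>=<user>,<dn>. anonymous/regular: search under <dn>, then bind as the hit."""
    if bind_type == "simple":
        user_dn = f"{cnid}={escape_dn_value(username)},{base_dn}"
    elif bind_type in ("anonymous", "regular"):
        if bind_type == "regular" and not fake_bind(admin_dn, admin_pw):
            return None                 # cannot search without valid service-account credentials
        hits = fake_search(base_dn, f"({cnid}={escape_filter_value(username)})")
        if len(hits) != 1:
            return None                 # no match, or ambiguous: refuse rather than guess
        user_dn = hits[0]
    else:
        raise ValueError("unknown bind type")
    return user_dn if fake_bind(user_dn, password) else None

if __name__ == "__main__":
    people = "ou=People,dc=example,dc=com"
    print(authenticate("simple", "uid", people, "auser", "pw-a"))    # found
    print(authenticate("simple", "uid", people, "buser", "pw-b"))    # None: buser is under ou=Contractors
    print(authenticate("anonymous", "uid", "dc=example,dc=com", "buser", "pw-b"))
```

The refusal on zero or several hits mirrors what you want from the real unit: a search that matches more than one entry means the chosen Common Name Identifier is not unique under that DN, and binding as “whichever came first” would let one user authenticate with another’s password.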

Using the Query icon
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all
the distinguished names associated with the Common Name Identifier for the LDAP
server. The tree helps you to determine the appropriate entry for the DN field. To see the
distinguished name associated with the Common Name identifier, select the Expand icon
next to the CN identifier. Select the DN from the list. The DN you select is displayed in the
Distinguished Name field. Select OK and the Distinguished Name you selected will be
saved in the Distinguished Name field of the LDAP Server configuration.
To see the users within the LDAP Server user group for the selected Distinguished Name,
expand the Distinguished Name in the LDAP Distinguished Name Query tree.

Figure 72: LDAP server Distinguished Name Query tree (the tree lists the Common Name
Identifier (CN) and the Distinguished Name (DN) entries)

TACACS+ servers
In recent years, remote network access has shifted from terminal access to LAN access.
Users are now connecting to their corporate network (using notebooks or home PCs) with
computers that utilize complete network connections. Remote node technology allows
users the same level of access to the corporate network resources as they would have if
they were physically in the office. When users connect to their corporate network remotely,
they do so through a remote access server. As remote access technology has evolved,
the need for network access security has become increasingly important.
Terminal Access Controller Access-Control System Plus (TACACS+) is a remote
authentication protocol that provides access control for routers, network access servers,
and other networked computing devices via one or more centralized servers. TACACS+
allows a client to accept a user name and password and send a query to a TACACS+
authentication server. The server decides whether to accept or deny the request and
sends a response back that allows or denies network access to the user. TACACS+ runs
over TCP; the default port for a TACACS+ server is 49. You can only change the default
port of the TACACS+ server using the CLI.

There are several different authentication protocols that TACACS+ can use during the
authentication process:
• ASCII
  Machine-independent technique that uses representations of English characters.
  Requires the user to type a user name and password that are sent in clear text
  (unencrypted) and matched with an entry in the user database stored in ASCII format.
• PAP (password authentication protocol)
  Used to authenticate PPP connections. Transmits passwords and other user
  information in clear text.
• CHAP (challenge-handshake authentication protocol)
  Provides the same functionality as PAP, but is more secure: the client answers a
  server challenge with a hash of the challenge and the password, so the password itself
  is never sent over the network to the security server.
• MS-CHAP (Microsoft challenge-handshake authentication protocol v1)
  Microsoft-specific version of CHAP.
“Clear text” here describes the credential inside the TACACS+ message body. The body is
itself obfuscated with the server key (an MD5-derived keystream XORed over the body), so
for ASCII and PAP the secrecy of that key is all that protects the password between the
FortiGate unit and the server.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.

Configuring the FortiGate unit to use a TACACS+ authentication server
The maximum number of remote TACACS+ servers that can be configured for
authentication is 10.
To configure the FortiGate unit for TACACS+ authentication - web-based manager
1 Go to User > Remote > TACACS+ and select Create New.
2 Enter the following information, and select OK.
Figure 73: TACACS+ server configuration

  Name                  Enter the name of the TACACS+ server.
  Server Name/IP        Enter the server domain name or IP address of the TACACS+ server.
  Server Key            Enter the key to access the TACACS+ server.
  Authentication Type   Select the authentication type to use for the TACACS+ server.
                        Auto tries PAP, MSCHAP, and CHAP (in that order).

To configure the FortiGate unit for TACACS+ authentication - CLI
    config user tacacs+
        edit <server_name>
            set auth-type {ascii | auto | chap | ms_chap | pap}
            set key <server_key>
            set tacacs+-port <tacacs+_port_num>
            set server <domain>
        end
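The Server Key is not a credential the FortiGate unit presents to the server; it seeds the keystream that hides every TACACS+ packet body. The following added example (not FortiOS code) builds an authentication START packet for PAP with the header and body layout from RFC 8907, obfuscates its body with the key, and decodes it again; the key, user, password, port, remote address and session id are constructed, and the constants are the RFC values.

```python
"""How TACACS+ hides a packet body with the server key: added example, not FortiOS code.
RFC 8907 s4.5: pad_1 = MD5(session_id + key + version + seq_no), pad_n = MD5(... + pad_(n-1)),
body XOR pad. The same function encodes and decodes. Key, user, password, port, remote
address and session id in the callers are constructed sample values."""
import hashlib
import struct

TACACS_PORT = 49
TAC_PLUS_VERSION_PAP = 0xC1        # major 0xC, minor 1: used for PAP/CHAP/MS-CHAP START packets
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in clear text
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

def obfuscate(body, key, session_id, version, seq_no):
    """XOR the body with the MD5 keystream; applying it twice restores the body."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))

def build_authen_start(user, password, key, session_id, seq_no=1, port=b"tty0",
                       rem_addr=b"10.11.101.50", unencrypted=False):
    """Authentication START for PAP: the password is the data field, protected only by obfuscation."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    if not unencrypted:
        body = obfuscate(body, key, session_id, TAC_PLUS_VERSION_PAP, seq_no)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + body

def decode_authen_start(packet, key):
    """Return (user, data) from a START packet, or None when the body does not parse (e.g. wrong key)."""
    if len(packet) < 12:
        return None
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length or length < 8:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, key, session_id, version, seq_no)
    ulen, plen, rlen, dlen = struct.unpack("!4B", body[4:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None                    # lengths no longer add up: almost always a key mismatch
    user = body[8:8 + ulen]
    data = body[8 + ulen + plen + rlen:8 + ulen + plen + rlen + dlen]
    return user, data

if __name__ == "__main__":
    key, session = b"tacacs-key", 0x1234ABCD
    pkt = build_authen_start(b"user4", b"s3cret!", key, session)
    print(decode_authen_start(pkt, key), decode_authen_start(pkt, b"wrong-key"))
    print(b"s3cret!" in pkt, b"s3cret!" in build_authen_start(b"user4", b"s3cret!", key, session, unencrypted=True))
```

With the wrong key the length fields no longer add up and decoding fails; with the unencrypted flag set the password is readable in the packet. Neither case gives integrity, since the body is only XORed with a keystream, so keep the FortiGate-to-server path on a management network and treat the key as a password.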

Directory Service servers
Novell and Microsoft Windows networks provide user authentication based on
directory services: eDirectory for Novell, Active Directory for Windows. Users can
log on at any computer in the domain and have access to resources as defined in
their user account. The Fortinet Server Authentication Extension (FSAE) enables
FortiGate units to authenticate these network users for firewall policy or VPN
access without asking them for their user name and password.
When a user logs in to the Windows or Novell domain, FSAE sends the FortiGate
unit the user’s IP address and the names of the user groups to which the user
belongs. The FortiGate unit uses this information to maintain a copy of the domain
controller user group database. Because the domain controller authenticates
users, the FortiGate unit does not perform authentication. It recognizes group
members by their IP address.
In the FortiGate Directory Services configuration, you specify the network
computers where the FSAE collector agent is installed. The FortiGate unit
retrieves the names of the Novell or Active Directory user groups. You cannot use
these groups directly. You must define FortiGate user groups of the Directory
Services type and then add the Novell or Active Directory user groups to them.
The Directory Services user groups that you create can be used in firewall policies
and VPN configurations.
For more information about Directory Services and FSAE, see “FSAE for
integration with Windows AD or Novell” on page 729.

RSA/ACE (SecurID) servers
SecurID is a one-time password system. The user carries a small device, a
“token”, that generates and displays a password. The token is time-synchronized
with the authentication server and the password changes about once per minute.
To authenticate, users enter their User ID and the password currently displayed
on the token.
To use SecurID with a FortiGate unit, you need to:
• configure the RSA ACE/Server and the RADIUS server to work with each
  other (refer to the RSA ACE/Server documentation)
• configure the FortiGate unit as an Agent Host within the RSA ACE/Server
  database
• configure the FortiGate unit to access the RADIUS server
• create a FortiGate user group for SecurID users
The instructions provided here are based on RSA ACE/Server version 5.1.
To configure the FortiGate unit as an Agent Host on the RSA ACE/Server
1 On the RSA ACE/Server computer, go to Start > Programs > RSA ACE/Server,
and then Database Administration - Host Mode.
2 On the Agent Host menu, select Add Agent Host.
3 In the Name field, enter a name for the FortiGate unit.
4 In the Network address field, enter the FortiGate unit IP address.
5 Select Secondary Nodes and define all hostname/IP addresses that resolve to
the FortiGate unit.
If needed, refer to the RSA ACE/Server documentation for more information.
To configure the FortiGate unit to use the RADIUS server
1 Go to User > Remote > RADIUS and select Create New.
2 In the Name field, enter a name for the RADIUS server.
3 In the Primary Server Name/IP and Primary Server Secret fields, enter the appropriate
information about the RADIUS server you configured for use with SecurID.
4 Select OK.
To create a SecurID user group
1 Go to User > User Group.
2 Select Create New.
3 In the Name field, enter a name for the group.
4 In the Available Users/Groups list, select the RADIUS server you configured for use
with SecurID.
5 Select the right arrow button to move the selected server to the Members list.
6 Select OK.

Using the SecurID user group for authentication
You can use the SecurID user group in several FortiGate features that authenticate by
user group:

Firewall policy
Select Enable Identity Based Policy and then select Add. Add the SecurID user group to
the Selected User Groups list. Set other options as desired and select OK.

IPsec VPN XAuth
In the Phase 1 Advanced settings, in the XAuth section, select Enable as Server and
choose the SecurID user group.

PPTP VPN
PPTP VPN is configured in the CLI. In the PPTP configuration (config vpn pptp), set
usrgrp to the SecurID user group.

SSL VPN
In the SecurID user group, select the appropriate web portal for these users. In the firewall
policy for the SSL VPN, include the SecurID user group in the list of selected user groups.

Users and user groups
FortiGate authentication controls system access by user group. By assigning individual
users to the appropriate user groups you can control each user’s access to network
resources.
This section describes:
• Users
• User groups

Users
A user is a user account consisting of user name, password, and in some cases other
information, configured on the FortiGate unit or on an external authentication server.
Users can access resources that require authentication only if they are members of an
allowed user group. There are several different types of user accounts with slightly
different methods of authentication:
Table 70: How the FortiGate unit authenticates different types of users

User type: Local user with password stored on the FortiGate unit
Authentication: The user name and password must match a user account stored on the
FortiGate unit.

User type: Local user with password stored on an authentication server
Authentication: The user name must match a user account stored on the FortiGate unit
and the user name and password must match a user account stored on the authentication
server. On the external authentication server, there may be user groups to which users
can be assigned. These groups exist independently of FortiGate unit user groups.

User type: Authentication server user
Authentication: A FortiGate user group can include user accounts that exist on an
external authentication server or particular user groups on that server. Any of the
included users can authenticate and get access to the resources permitted to the
FortiGate user group.

User type: Directory Services user
Authentication: Using the Fortinet Server Authentication Extension (FSAE), users on a
Microsoft Windows or Novell network can use their network authentication to access
resources through the FortiGate unit. Access is controlled through Directory Services
user groups which contain Windows or Novell user groups as their members.

User type: Peer user with certificate authentication
Authentication: A peer user is a digital certificate holder that authenticates using a
client certificate. No password is required, unless two-factor authentication is enabled.

This section describes how to configure local users and peer users. For information about
configuration of authentication servers see “Authentication servers” on page 701.

Creating local users
To define a local user you need:
• a user name
• a password or the name of the authentication server that contains the user account
If the user is authenticated externally, the user name on the FortiGate unit must be
identical to the user name on the authentication server.
To create a local user - web-based manager
1 Go to User > User and select Create New.
Figure 74: Creating new local user

2 Enter the user name.
3 Do one of the following:
• To authenticate this user locally, select Password and type a password.
  The password should be at least six characters long.
• To authenticate this user using an external authentication server, select the
  Match user option for the appropriate type of server and select the server name.
If you want to use an authentication server, you must configure access to it first. See
“Authentication servers” on page 701.
4 Select OK.
To create a local user - CLI examples
Locally authenticated user
    config user local
        edit user1
            set type password
            set passwd ljt_pj2gpepfdw
        end
User authenticated on an LDAP server
    config user local
        edit user2
            set type ldap
            set ldap_server ourLDAPsrv
        end
User authenticated on a RADIUS server
    config user local
        edit user3
            set type radius
            set radius_server ourRADIUSsrv
        end
User authenticated on a TACACS+ server
    config user local
        edit user4
            set type tacacs+
            set tacacs+_server ourTACACS+srv
        end
To remove a user from the FortiGate unit configuration - web-based manager
1 Go to User > User.
Figure 75: Local user list

2 Select the check box of the user that you want to remove.
3 Select Delete.
4 Select OK.
Note: You cannot remove a user that belongs to a user group. Remove the user from the
user group first.

To remove a user from the FortiGate unit configuration - CLI example
    config user local
        delete user4444
    end

Creating PKI or peer users
A PKI or peer user is a digital certificate holder. A PKI user account on the FortiGate unit
contains the information required to determine which CA certificate to use to validate the
user’s certificate. Peer users can be included in firewall user groups or peer certificate
groups used in IPsec VPNs.
To define a peer user you need:
• a peer user name
• the text from the subject field of the user’s certificate, or the name of the CA certificate
  used to validate the user’s certificate
To create a peer user for PKI authentication - web-based manager
1 Go to User > PKI and select Create New.

Figure 76: PKI peer user configuration

2 Enter the user name.
3 Fill in at least one of the following fields:
  Subject   The text string that appears in the Subject field of the user’s certificate.
  CA        Select the CA certificate that must be used to authenticate this peer user.
4 Select OK.
To create a peer user for PKI authentication - CLI example
    config user peer
        edit peer1
            set subject E=peer1@mail.example.com
            set ca CA_Cert_1
        end
Note: If you create a PKI user in the CLI with no values in subject or ca, you will not be
able to open the user record in the web-based manager, or you will be prompted to add a
value in Subject (subject) or CA (ca).

There are other configuration settings that can be added/modified for PKI authentication,
for example, you can configure the use of an LDAP server to check access rights for client
certificates. For information about the detailed PKI configuration settings only available
through the CLI, see the FortiGate CLI Reference.

Two-factor authentication
You can increase security by requiring both certificate and password authentication for
PKI users. Certificates are installed on the user’s computer. Requiring a password in
addition protects against unauthorized use of that computer.
To create a peer user with two-factor authentication - web-based manager
While configuring a peer user (see Figure 76, above), select Require two-factor
authentication and enter a password.
To create a peer user with two-factor authentication - CLI example
    config user peer
        edit peer1
            set subject E=peer1@mail.example.com
            set ca CA_Cert_1
            set two-factor enable
            set passwd fdktguefheygfe
        end

User groups
A user group is a list of user identities. An identity can be:
• a local user account (user name/password) stored on the FortiGate unit
• a local user account with the password stored on a RADIUS, LDAP, or TACACS+
  server
• a PKI user account with digital client authentication certificate stored on the FortiGate
  unit
• a RADIUS, LDAP, or TACACS+ server, optionally specifying particular user groups on
  that server
• a user group defined on a Directory Service server.

Identity-based firewall policies and some types of VPN configurations allow access only to
specified user groups.
In most cases, the FortiGate unit authenticates users by requesting their user name and
password. The FortiGate unit checks local user accounts first. If a match is not found, the
FortiGate unit checks the RADIUS, LDAP, or TACACS+ servers that belong to the user
group. Authentication succeeds when a matching user name and password are found.
There are two types of FortiGate user group: Firewall and Directory Services.

Firewall user groups
When a user attempts to access resources controlled by an identity-based firewall policy,
the FortiGate unit requests authentication. If the user authenticates successfully and is a
member of one of the permitted groups, the user’s session is allowed to proceed.
A firewall user group can contain any type of user identity except a Directory Services
group.

SSL VPN access
In any firewall user group, you can enable SSL VPN access and select the web-portal that
the users can access. When the user connects to the FortiGate unit via HTTPS on the
SSL VPN port (default 10443), the FortiGate unit requests a user name and password.
SSL VPN access also requires an SSL VPN firewall policy (Action is SSL VPN) with an
identity-based rule enabling access for the user group. For more information, see the SSL
VPN chapter of the FortiOS Handbook.

IPsec VPN access
A firewall user group can provide access for dialup users of an IPSec VPN. In this case,
the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option.
The user’s VPN client is configured with the user name as peer ID and the password as
pre-shared key. The user can connect successfully to the IPSec VPN only if the user
name is a member of the allowed user group and the password matches the one stored on
the FortiGate unit.
Note: A user group cannot be a dialup group if any member is authenticated using an
external authentication server.

Configuring a firewall user group
A user group can contain:
• local users, whether authenticated by the FortiGate unit or an authentication server
• PKI users
• authentication servers, optionally specifying particular user groups on the server
To create a Firewall user group - web-based manager
1 Go to User > User Group and select Create New.
Figure 77: User group configuration - Firewall

2 Enter a name for the user group.
3 In Type, select Firewall.
4 From the Available User Groups list, select users and then select the right arrow button
to move the names to the Members list.
If you select an authentication server as a group member, by default all user accounts
on the authentication server are members of this FortiGate user group. Follow steps 5
through 8 if you want to include only specific user groups from the authentication
server. Otherwise, select OK.
5 Select Add.
6 From the Remote Server list, select the authentication server.
Only servers that are already members of this user group are available.
7 In the Group Name field, enter the group name in the appropriate format for the type of
server.
For example, an LDAP server requires the group’s distinguished name in LDAP format,
such as:
cn=users,dc=office,dc=example,dc=com
For a RADIUS server, enter the value the server returns in the Fortinet-Group-Name
attribute.
8 Repeat steps 5 through 7 as needed to specify more authentication server user
groups.
9 Select OK.

To create a firewall user group - CLI example
In this example, the members of group01 are User1 and all of the members of usergroup1
on RADIUSsrvr2.
    config user group
        edit group01
            set group-type firewall
            set member User1 RADIUSsrvr2
            config match
                edit 0
                    set server-name RADIUSsrvr2
                    set group-name usergroup1
                end
        end
For more information about user group CLI commands, see the Fortinet CLI Guide.

Directory Service user groups
A Directory Service user group contains only Windows or Novell network user groups. No
other user types are permitted as members. Information about the Windows or Novell user
groups and the logon activities of their members is provided by the Fortinet Server
Authentication Extension (FSAE) installed on the network domain controllers.
You can specify Directory Service user groups in identity-based firewall policies in the
same way as you specify firewall user groups. Directory Service user groups cannot have
SSL VPN or dialup IPsec VPN access.
For information about configuring Directory Services user groups, see “Creating Directory
Service user groups” on page 753. For complete information about installing and
configuring FSAE, see “FSAE for integration with Windows AD or Novell” on page 729.

Configuring Peer user groups
Peer user groups can only be configured using the CLI. Peers are digital certificate
holders defined using the config user peer command. You use the peer groups you
define here in dialup IPsec VPN configurations that accept RSA certificate authentication
from members of a peer certificate group. For more information, see “Authenticating IPsec
VPN users with security certificates” on page 767.
To create a peer group - CLI example
config user peergrp
    edit vpn_peergrp1
        set member pki_user1 pki_user2 pki_user3
    end


Viewing, editing and deleting user groups
To view the list of FortiGate user groups, go to User > User Group.
Figure 78: Example User group list

To edit a user group - web-based manager
1 Go to User > User Group.
2 Select the check box for the user group that you want to edit.
3 Select the Edit button.
4 Modify the user group as needed.
5 Select OK.
To edit a user group - CLI example
This example adds user3 to Group1. Note that you must re-specify the full list of users:
config user group
    edit Group1
        set member user2 user4 user3
    end
To remove a user group - web-based manager
1 Go to User > User Group.
2 Select the check box for the user group that you want to remove.
3 Select the Delete button.
4 Select OK.
To remove a user group - CLI example
config user group
    delete Group2
end
Note: You cannot remove a user group that is part of a firewall policy. Remove it from the
firewall policy first.


Configuring authenticated access
When you have configured authentication servers, users, and user groups, you are ready
to configure firewall policies and certain types of VPNs to require user authentication.
This section describes:
• Authentication timeout
• Authentication protocols
• Authentication in firewall policies
• VPN authentication

Authentication timeout
You set the firewall user authentication timeout (Authentication Timeout) to control how
long an authenticated connection can be idle before the user must authenticate again. The
maximum timeout is 480 minutes (8 hours). The default timeout is 5 minutes.
To set the firewall authentication timeout
1 Go to User > User > Authentication.
2 Enter the Authentication Timeout value in minutes.
The default authentication timeout is 5 minutes.
3 Select Apply.
You set the SSL VPN user authentication timeout (Idle Timeout) to control how long an
authenticated connection can be idle before the user must authenticate again. The
maximum timeout is 28800 seconds. The default timeout is 300 seconds.
To set the SSL VPN authentication timeout
1 Go to VPN > SSL > Config.
2 Enter the Idle Timeout value (seconds).
3 Select Apply.

Password policy
Password authentication is effective only if the password is sufficiently strong and is
changed periodically. By default, the FortiGate unit requires only that passwords be at
least eight characters in length. You can set a password policy to enforce higher standards
for both length and complexity of passwords. Password policies can apply to administrator
passwords or IPsec VPN preshared keys.
To set a password policy in the web-based manager, go to System > Admin > Settings.
In the CLI, use the config system password-policy command.

Password length
The default minimum password length on the FortiGate unit is eight characters, but up to
32 characters is permitted. Security experts suggest a minimum length of 14 characters.


Password complexity
Users usually create passwords composed of alphabetic characters and perhaps some
numbers. Password policy can require the inclusion of upper case letters, lower case
letters, numerals or punctuation characters.

Suggestions for users
In addition to length and complexity, there are security factors that cannot be enforced in a
policy but should be encouraged through guidelines issued to users:
Avoid:
• words found in a dictionary of any language
• numeric sequences, such as “12345”
• sequences of adjacent keyboard characters, such as “qwerty”
• repeated characters
• personal information, such as your name, birthday, or telephone number
Include:
• one or more upper case characters
• one or more of the numerals
• one or more non alpha-numeric characters, such as punctuation marks
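A checker that applies the password policy described above (added example, not FortiOS code): the length bounds and character-class requirements are enforced as errors, while the user guidance the page says cannot be enforced (dictionary words, sequences, repeats, personal information) is reported as advisory warnings. The word list and the personal data it matches against are constructed.

```python
"""Password-policy checker modelling the FortiGate guidance above.

Added example, not FortiOS code. Hard rules (length 8..32, character
classes) follow the handbook; the user suggestions are advisory only,
since the page says they cannot be enforced by policy.
"""
import re
from dataclasses import dataclass, field

# Limits stated on the page: default minimum 8, maximum 32, experts suggest 14.
DEFAULT_MIN_LENGTH = 8
MAX_LENGTH = 32
RECOMMENDED_MIN_LENGTH = 14

# Constructed stand-in for a dictionary; a real deployment would load a word list.
DICTIONARY = {"password", "welcome", "fortinet", "summer", "dragon"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


@dataclass
class PolicyResult:
    ok: bool                                      # passes the enforceable policy
    errors: list = field(default_factory=list)    # policy violations
    warnings: list = field(default_factory=list)  # advisory findings


def _has_sequence(pw: str, min_run: int = 4) -> bool:
    """True if pw contains min_run adjacent keyboard or numeric characters
    in row order (e.g. 'qwer', '2345') or in reverse order."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            run = row[i:i + min_run]
            if run in low or run[::-1] in low:
                return True
    return False


def _has_repeats(pw: str, min_run: int = 3) -> bool:
    """True if one character is repeated min_run or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (min_run - 1), pw) is not None


def check_password(pw: str, min_length: int = DEFAULT_MIN_LENGTH,
                   require_upper=True, require_lower=True,
                   require_digit=True, require_punct=True,
                   personal_info=()) -> PolicyResult:
    """Apply the enforceable policy first, then the advisory guidance."""
    res = PolicyResult(ok=True)

    # Enforceable part: length bounds and complexity classes.
    if len(pw) < min_length:
        res.errors.append(f"shorter than minimum length {min_length}")
    if len(pw) > MAX_LENGTH:
        res.errors.append(f"longer than maximum length {MAX_LENGTH}")
    if require_upper and not re.search(r"[A-Z]", pw):
        res.errors.append("no upper case character")
    if require_lower and not re.search(r"[a-z]", pw):
        res.errors.append("no lower case character")
    if require_digit and not re.search(r"[0-9]", pw):
        res.errors.append("no numeral")
    if require_punct and not re.search(r"[^A-Za-z0-9]", pw):
        res.errors.append("no non alpha-numeric character")

    # Advisory part: the unit cannot enforce these, but a helpdesk tool can flag them.
    if len(pw) < RECOMMENDED_MIN_LENGTH:
        res.warnings.append(f"below recommended length {RECOMMENDED_MIN_LENGTH}")
    low = pw.lower()
    if any(word in low for word in DICTIONARY):
        res.warnings.append("contains a dictionary word")
    if _has_sequence(pw):
        res.warnings.append("contains a numeric or keyboard sequence")
    if _has_repeats(pw):
        res.warnings.append("contains repeated characters")
    for item in personal_info:          # e.g. user name, birthday, phone number
        if item and item.lower() in low:
            res.warnings.append(f"contains personal information '{item}'")

    res.ok = not res.errors
    return res
```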

Authentication protocols
User authentication can be performed for the following protocols:
• HTTP
• HTTPS
• FTP
• Telnet

When user authentication is enabled on a firewall policy, the authentication challenge is
normally issued for any of the four protocols (dependent on the connection protocol). By
making selections in the Protocol Support list, the user controls which protocols support
the authentication challenge. The user must connect with a supported protocol first so
they can subsequently connect with other protocols. If you have selected HTTP, FTP, or
Telnet, user name and password-based authentication occurs: the FortiGate unit prompts
network users to input their firewall user name and password. If you have selected
HTTPS, certificate-based authentication (HTTPS, or HTTP redirected to HTTPS only)
occurs: you must install customized certificates on the FortiGate unit and on the browsers
of network users.
Note: If you do not install certificates on the network user’s web browser, the network users
may see an SSL certificate warning message and have to manually accept the default
FortiGate certificate. The network user’s web browser may deem the default certificate as
invalid.
Note: When you use certificate authentication, if you do not specify any certificate when
you create the firewall policy, the global settings are used. If you specify a certificate, the
per-policy setting will overwrite the global setting. For information about the use of
certificate authentication, see “Certificate-based authentication” on page 757.

Authentication in firewall policies

To set the authentication protocols
1 Go to User > User > Authentication.
2 In Protocol Support, select the required authentication protocols.
3 If using HTTPS protocol support, in Certificate, select a Local certificate from the dropdown list.
4 Click Apply.
Figure 79: Authentication Settings

Authentication in firewall policies
Firewall policies control traffic between FortiGate interfaces, both physical interfaces and
VLAN subinterfaces. Without authentication, a firewall policy enables access from one
network to another for all users on the source network. Authentication enables you to
allow access only for users who are members of selected user groups. To include
authentication in a firewall policy, you must create an identity-based policy.
The style of the authentication method varies by the authentication protocol. If you have
selected HTTP, FTP or Telnet, user name and password-based authentication occurs: the
FortiGate unit prompts network users to input their firewall user name and password. If
you have selected HTTPS, certificate-based authentication (HTTPS or HTTP redirected to
HTTPS only) occurs: you must install customized certificates on the FortiGate unit and on
the browsers of network users, which the FortiGate unit matches.
Note: You can only configure user authentication for firewall policies where Action is set to
Accept.

Configuring authentication for a firewall policy
To include authentication in a firewall policy, you must create an identity-based policy.
To create an identity based firewall policy
1 Create users and one or more Firewall user groups.
For more information, see “Users and user groups” on page 711.
2 Go to Firewall > Policy.
3 Select Create New to create a new policy, or select an existing policy and then select the
Edit icon.
4 Make sure that the Action for the policy is ACCEPT.


5 Select Enable Identity Based Policy and then select Add.
Figure 80: Adding an identity-based policy

6 In the Available User Groups list, select the user groups that will be allowed to use this
policy and then select the right arrow button to move them to the Selected User Groups
list.
7 From the Available Services list, select the services users will be allowed to
access and then select the right arrow button to move them to the Selected Services
list.
To enable use of all services, select the ANY service.
8 Set other options as required and then select OK.
Figure 81: Identity Based Policy list and options in firewall policy

9 If users will use a certificate for authentication, from the Certificate list select the CA
certificate to use to validate the users’ certificates.


10 To require the user to accept a disclaimer to connect to the destination, select Enable
Disclaimer. If the user is to be redirected after accepting the disclaimer, enter the URL
in the Redirect URL to field.
You can edit the User Authentication Disclaimer replacement message text in
System > Config > Replacement Messages.
11 Select OK.

Configuring authenticated access to the Internet
A policy for accessing the Internet is similar to a policy for accessing a specific network,
but the destination address is set to all. The destination interface is the one that connects
to the Internet service provider. For general purpose Internet access, the Service is set to
ANY.
Access to HTTP, HTTPS, FTP and Telnet sites may require access to a domain name
service. DNS requests do not trigger authentication. You must configure a policy to permit
unauthenticated access to the appropriate DNS server, and this policy must precede the
policy for Internet access.
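A model of the policy evaluation just described (added example, not FortiOS code): policies are matched first-match in order, an identity-based policy admits only members of its selected groups, an unauthenticated client on HTTP/HTTPS/FTP/Telnet is challenged, and DNS, which cannot carry a challenge, is simply dropped unless an unauthenticated DNS policy precedes the Internet policy. Interfaces, addresses, users and groups are constructed; the user-to-IP sessions stand in for users already authenticated (or learned through FSAE).

```python
"""First-match firewall policy evaluation with identity-based rules.

Added example, not FortiOS code. It reproduces the ordering rule stated on
the page: DNS requests do not trigger authentication, so the DNS policy
must come before the identity-based Internet policy.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

AUTH_CAPABLE = {"HTTP", "HTTPS", "FTP", "TELNET"}   # protocols that can carry a challenge


@dataclass
class IdentityRule:
    groups: set           # Selected User Groups
    services: set         # Selected Services, or {"ANY"}


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    dstaddr: str          # "all" or a CIDR
    services: set         # {"ANY"} or explicit services
    identity: list = field(default_factory=list)   # empty -> no authentication


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src_ip: str
    dst_ip: str
    service: str


def _svc_match(services, service):
    return "ANY" in services or service in services


def _addr_match(dstaddr, dst_ip):
    return dstaddr == "all" or ip_address(dst_ip) in ip_network(dstaddr)


def evaluate(policies, pkt, sessions, user_groups):
    """Return (policy name, verdict) for the first policy that matches.

    sessions: {src_ip: user} for authenticated or FSAE-learned users.
    user_groups: {user: set(groups)}.
    Verdicts: accept; deny (authenticated but not in a selected group);
    challenge (unauthenticated, protocol can be challenged); drop
    (unauthenticated, protocol cannot be challenged, e.g. DNS); implicit-deny.
    """
    for pol in policies:
        if (pol.srcintf, pol.dstintf) != (pkt.srcintf, pkt.dstintf):
            continue
        if not _addr_match(pol.dstaddr, pkt.dst_ip) or not _svc_match(pol.services, pkt.service):
            continue
        if not pol.identity:                    # plain policy: no authentication
            return pol.name, "accept"
        user = sessions.get(pkt.src_ip)
        if user is None:
            return pol.name, "challenge" if pkt.service in AUTH_CAPABLE else "drop"
        groups = user_groups.get(user, set())
        for rule in pol.identity:
            if groups & rule.groups and _svc_match(rule.services, pkt.service):
                return pol.name, "accept"
        return pol.name, "deny"
    return None, "implicit-deny"


# Constructed configuration: internal -> wan1, DNS server at 10.0.0.53.
DNS_POLICY = Policy("dns", "internal", "wan1", "10.0.0.53/32", {"DNS"})
INTERNET_POLICY = Policy("internet", "internal", "wan1", "all", {"ANY"},
                         identity=[IdentityRule({"Staff"}, {"ANY"})])
USER_GROUPS = {"alice": {"Staff"}, "bob": {"Guests"}}


def demo(dns_first=True):
    """Run constructed flows through either policy ordering; return the verdicts."""
    policies = [DNS_POLICY, INTERNET_POLICY] if dns_first else [INTERNET_POLICY, DNS_POLICY]
    sessions = {"192.168.1.10": "alice", "192.168.1.20": "bob"}   # constructed
    flows = {
        "dns_unauth": Packet("internal", "wan1", "192.168.1.30", "10.0.0.53", "DNS"),
        "http_unauth": Packet("internal", "wan1", "192.168.1.30", "203.0.113.5", "HTTP"),
        "http_alice": Packet("internal", "wan1", "192.168.1.10", "203.0.113.5", "HTTP"),
        "http_bob": Packet("internal", "wan1", "192.168.1.20", "203.0.113.5", "HTTP"),
    }
    return {k: evaluate(policies, p, sessions, USER_GROUPS) for k, p in flows.items()}


if __name__ == "__main__":
    for order in (True, False):
        print("DNS policy first:" if order else "Internet policy first:", demo(order))
```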

VPN authentication
All VPN configurations require users to authenticate. Authentication based on user groups
applies to:
• SSL VPNs
• PPTP and L2TP VPNs
• an IPsec VPN that authenticates users using dialup groups
• a dialup IPsec VPN that uses XAUTH authentication (Phase 1)

You must create user accounts and user groups before performing the procedures in this
section. If you create a user group for dialup IPsec clients or peers that have unique peer
IDs, their user accounts must be stored locally on the FortiGate unit. You cannot
authenticate these types of users using a RADIUS or LDAP server.

Configuring authentication of SSL VPN users
The major steps required to authenticate SSL VPN users are:
1 Configure user accounts.
2 Create one or more firewall user groups for SSL VPN users.
See “Configuring user accounts and user groups for SSL VPN” in the SSL VPN
chapter of this FortiOS Handbook.
Note: Prior to FortiOS 4.0 MR2, there was a specific SSL VPN type of user group.
Now you create a firewall user group, enable SSL VPN access, and select the web
portal that users in the group will access.

3 Enable SSL VPN.
4 Optionally, set inactivity and authentication timeouts.
5 Configure a firewall policy with SSL VPN action. Add an identity-based rule to allow
access for the user groups you created for SSL VPN users.
See “Configuring firewall policies” in the SSL VPN chapter of this FortiOS Handbook.


Configuring authentication timeout
By default, the SSL VPN authentication expires after 8 hours (28 800 seconds). You can
change it only in the CLI. For example, to change the timeout to one hour, you would
enter:
config vpn ssl settings
    set auth-timeout 3600
end
When you configure the timeout settings, if you set the authentication timeout
(auth-timeout) to 0, the remote client does not have to re-authenticate unless they log
out of the system. To take full advantage of this setting, idle-timeout must also be
set to 0, so the client is not logged out when the maximum idle time is reached. If
idle-timeout is not set to the infinite value, the system logs the client out when that
limit is reached, regardless of the auth-timeout setting.

Configuring authentication of remote IPsec VPN users
An IPsec VPN on a FortiGate unit can authenticate remote users through a dialup group.
The user account name is the peer ID and the password is the pre-shared key. For
information about authentication using peer IDs and peer groups, see the
FortiGate IPsec VPN User Guide.
Authentication through user groups is supported for groups containing only local users. To
authenticate users using a RADIUS or LDAP server, you must configure XAUTH settings.
See “Configuring XAuth authentication” on page 725.
To configure user group authentication for dialup IPsec - web-based manager
1 Configure the dialup users who are permitted to use this VPN. Create a user group
with Type:Firewall and add them to it.
For more information, see “Users and user groups” on page 711.
2 Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and enter the following
information.
Figure 82: Configure VPN IPsec dialup authentication


Name: Name for the group of dialup users using the VPN for authentication.
Remote Gateway: List of the types of remote gateways for the VPN. Select Dialup User.
Authentication Method: List of authentication methods available for users. Select
Preshared Key and enter the preshared key.
Peer Options: Select Accept peer ID in dialup group. Select the user group that is to
be allowed access to the VPN. The listed user groups contain only users with passwords
on the FortiGate unit.

Note: The Accept peer ID in dialup group option does not support authentication of users
through an authentication server.

3 Select Advanced to reveal additional parameters and configure other VPN gateway
parameters as needed.
4 Select OK.
To configure user group authentication for dialup IPsec - CLI example
The peertype and usrgrp options configure user group based authentication.
config vpn ipsec phase1
    edit office_vpn
        set interface port1
        set type dynamic
        set psksecret yORRAzltNGhzgtV32jend
        set proposal 3des-sha1 aes128-sha1
        set peertype dialup
        set usrgrp Group1
    end

Configuring XAuth authentication
Extended Authentication (XAuth) increases security by requiring additional user
authentication in a separate exchange at the end of the VPN Phase 1 negotiation. The
FortiGate unit challenges the user for a user name and password. It then forwards the
user credentials (password is encrypted) to an external RADIUS or LDAP server for
verification.
XAuth can be used in addition to or in place of IPsec phase 1 peer options to provide
access security through an LDAP or RADIUS authentication server. You must configure
dialup users as members of a user group who are externally authenticated. None can
have passwords stored on the FortiGate unit.
To configure authentication for a dialup IPsec VPN - web-based manager
1 Configure the users who are permitted to use this VPN. Create a user group and add
them to it.
For more information, see “Users and user groups” on page 711.
2 Go to VPN > IPsec > Auto Key (IKE).
3 Select Create Phase 1 and configure the basic VPN phase1 settings.
Remote Gateway must be Dialup User.
4 Select Advanced to reveal additional parameters and enter the following information.


XAuth: Select Enable as Server.
Server Type: Select PAP, CHAP, or AUTO. Use CHAP whenever possible. Use PAP with all
implementations of LDAP and with other authentication servers that do not support
CHAP, including some implementations of Microsoft RADIUS. Use AUTO with the Fortinet
Remote VPN Client and where the authentication server supports CHAP but the XAuth
client does not.
User Group: Select the user group that is to have access to the VPN. The list of user
groups does not include any group that has members whose password is stored on the
FortiGate unit.

5 Select OK.
For more information about XAUTH configuration, see the IPsec VPN chapter of this
FortiOS Handbook.
To configure authentication for a dialup IPsec VPN - CLI example
The xauthtype and authusrgrp fields configure XAuth authentication.
config vpn ipsec phase1
    edit office_vpn
        set interface port1
        set type dynamic
        set psksecret yORRAzltNGhzgtV32jend
        set proposal 3des-sha1 aes128-sha1
        set peertype dialup
        set xauthtype pap
        set authusrgrp Group1
    end
Some parameters specific to setting up the VPN itself are not shown here. For detailed
information about configuring an IPsec VPN, see the IPsec VPN chapter of this FortiOS
Handbook.

Configuring authentication of PPTP VPN users/user groups
Configuration of a PPTP VPN is possible only through the CLI. You can configure user
groups and firewall policies using either CLI or web-based manager.
To configure authentication for a PPTP VPN
1 Configure the users who are permitted to use this VPN. Create a firewall user group
and add them to it.
For more information, see “Users and user groups” on page 711.
2 Configure the PPTP VPN in the CLI as in this example.
config vpn pptp
    set status enable
    set sip 192.168.0.100
    set eip 192.168.0.110
    set usrgrp PPTP_Group
end
The sip and eip fields define a range of virtual IP addresses assigned to PPTP
clients.
3 Configure a firewall policy. The source interface is the one through which the clients will
connect. The source address is the PPTP virtual IP address range. The destination
interface and address depend on the network to which the clients will connect. The
policy action is ACCEPT.


Configuring authentication of L2TP VPN users/user groups
Configuration of an L2TP VPN is possible only through the CLI. You can configure user
groups and firewall policies using either CLI or web-based manager.
To configure authentication for an L2TP VPN
1 Configure the users who are permitted to use this VPN. Create a firewall user group
and add them to it.
For more information, see “Users and user groups” on page 711.
2 Configure the L2TP VPN in the CLI as in this example.
config vpn l2tp
    set status enable
    set sip 192.168.0.100
    set eip 192.168.0.110
    set usrgrp L2TP_Group
end
The sip and eip fields define a range of virtual IP addresses assigned to L2TP
clients.
3 Configure a firewall policy. The source interface is the one through which the clients will
connect. The source address is the L2TP virtual IP address range. The destination
interface and address depend on the network to which the clients will connect. The
policy action is ACCEPT.


FSAE for integration with Windows AD or Novell
This chapter provides an overview of the Fortinet Server Authentication Extension
(FSAE). The following topics are included:
• Introduction to FSAE
• Installing FSAE
• Configuring FSAE on Windows AD
• Configuring FSAE on FortiGate units
• Testing the configuration

Introduction to FSAE
The Fortinet Server Authentication Extension (FSAE) provides seamless authentication
support for Microsoft Windows Active Directory and Novell eDirectory users in a FortiGate
environment.
On a Microsoft Windows or Novell network, users authenticate with the Active Directory or
Novell eDirectory at logon. It would be inconvenient if users then had to enter another user
name and password for network access through the FortiGate unit. FSAE provides
authentication information to the FortiGate unit so that users automatically get access to
permitted resources.
There are several mechanisms for passing user authentication information to the
FortiGate unit:
• FSAE software installed on a Novell network monitors user logons and sends the
required information to the FortiGate unit. The FSAE software can obtain information
from the Novell eDirectory using either the Novell API or LDAP.
• FSAE software installed on a Windows AD network monitors user logons and sends
the required information to the FortiGate unit. The FSAE software can obtain this
information by polling the domain controllers or by using an agent on each domain
controller that monitors user logons in real time. Optionally, a FortiGate unit running
FortiOS 3.0 MR6 or later can obtain group information directly from the AD using
Lightweight Directory Access Protocol (LDAP).
• On a Windows AD network, the FSAE software can also serve NTLM requests coming
from client browsers (forwarded by the FortiGate unit).

Using FSAE in a Windows AD environment
FSAE installed in a Windows AD environment can provide two kinds of services:
• Monitor user logon activity and send the information to the FortiGate unit so that the
FortiGate unit can support Single Sign On (SSO).
• Provide NTLM authentication service for requests coming from the FortiGate unit.


FSAE user logon monitoring
FSAE installed in a Windows Active Directory environment can monitor which user is
logged on to which workstation and pass that information to the FortiGate unit which can
use that information to apply its firewall policies.
When a Windows AD user logs in at a workstation, FSAE
• detects the logon event and records workstation name, domain, and user,
• resolves the workstation name to an IP address,
• uses Active Directory to determine which groups the user belongs to,
• sends the user logon information, including IP address and groups list, to the FortiGate
unit.

When the user tries to access network resources, the FortiGate unit selects the
appropriate firewall policy for the destination. If the user belongs to one of the permitted
user groups, the connection is allowed.
FSAE can use either of two different methods to monitor user logon activity: DC Agent
mode or Polling mode.

DC Agent mode
In DC Agent mode (see Figure 83), an agent is installed on each domain controller to
monitor user logon events and pass the information to the FSAE collector agent, which
forwards the information to the FortiGate unit.
Figure 83: FSAE in DC agent mode (diagram: client user; Windows server with FSAE
Collector agent installed; domain controllers with FSAE DC agent installed sending
updates to the collector; Internet)

DC Agent mode provides reliable user logon information; however, you must install a DC
agent on every domain controller in the domain. A reboot is needed after the agent is
installed.


Polling mode
In Polling mode (see Figure 84), the FSAE collector agent polls each domain controller for
user logon information and forwards it to the FortiGate unit.
Figure 84: FSAE in Polling mode (diagram: client user; Windows server with FSAE
Collector agent installed polling the domain controllers; Internet)

The polling mode provides logon information less reliably. For example, under heavy
system load a poll might miss some user logon events. However, you do not need to install
a DC agent on each domain controller.

NTLM authentication with FSAE
In a Windows AD network, FSAE can also provide NTLM authentication service to the
FortiGate unit (see Figure 85). When the user makes a request that requires
authentication, the FortiGate unit initiates NTLM negotiation with the client browser. The
FortiGate unit does not process the NTLM packets itself. Instead, it forwards all the NTLM
packets to the FSAE service to process.
If the NTLM authentication with the Windows AD network is successful, and the user
belongs to one of the groups permitted in the relevant firewall policy, the FortiGate unit
allows the connection. Fortinet has tested NTLM authentication on Internet Explorer and
Firefox browsers.


Figure 85: NTLM FSAE implementation (diagram: client user; FSAE collector agent on a
member AD server; domain controllers; Internet)

Understanding the NTLM authentication process
1 The user attempts to connect to an external (internet) HTTP resource. The client
application (browser) on the user’s computer issues an unauthenticated request
through the FortiGate unit.
2 The FortiGate unit is aware that this client has not authenticated previously, so it
responds with a 401 Unauthenticated status code and tells the client which
authentication method to reply with in the header: Proxy-Authenticate: NTLM. The
session is dismantled.
3 The client application connects again and issues a GET request with a
Proxy-Authorization: NTLM <negotiate string> header.
<negotiate string> is a base64-encoded NTLM Type 1 negotiation packet.
4 The FortiGate unit replies with a 401 “proxy auth required” status code and a
Proxy-Authenticate: NTLM <challenge string> header (a base64-encoded NTLM
Type 2 challenge packet). This packet carries the challenge nonce, a random number
chosen for this negotiation that is used once and prevents replay attacks.
Note: The TCP connection must be kept alive, as all subsequent authentication-related
information is tied to the TCP connection. If it is dropped, the authentication process must
start again from the beginning.

5 The client sends a new GET request with a Proxy-Authorization: NTLM
<authenticate string> header, where <authenticate string> is an NTLM Type 3
Authentication packet that contains:
• user name and domain
• the challenge nonce encoded with the client password (it may contain the challenge
nonce twice using different algorithms).
6 If the negotiation is successful and the user belongs to one of the groups permitted in
the firewall policy, the connection is allowed. Otherwise, the FortiGate unit denies the
authentication by issuing a 401 return code and prompts for a username and
password. Unless the TCP connection is broken, no further credentials are sent from
the client to the proxy.


Note: If the authentication policy reaches the authentication timeout period, a new NTLM
handshake occurs.
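The proxy side of the exchange above as a per-connection state machine (added example, not FortiOS or FSAE code). It shows the properties the steps rely on: the challenge nonce is generated once per negotiation and bound to the TCP connection, a Type 3 answer is checked only against that nonce and the nonce is then discarded (so a captured Type 3 replayed on another connection fails), a failed or dropped connection starts again from the beginning, and group membership is checked after the credentials verify. The Type 3 response computation is a constructed HMAC-SHA256 stand-in, not the real NTLM algorithm, and the user secrets and group memberships are constructed.

```python
"""Proxy-side NTLM negotiation state machine (added example, not FortiOS code).

The challenge/response arithmetic is a constructed HMAC stand-in for the
real NTLM Type 3 computation; only the handshake structure is modelled.
"""
import base64
import hashlib
import hmac
import os

# Constructed stand-ins for data held in Active Directory and in the firewall policy.
USER_SECRETS = {"alice": b"constructed-secret-alice", "bob": b"constructed-secret-bob"}
USER_GROUPS = {"alice": {"Staff"}, "bob": {"Guests"}}
PERMITTED_GROUPS = {"Staff"}

TYPE1 = "NTLM " + base64.b64encode(b"constructed-type1-negotiate").decode()
PROMPT = "Proxy-Authenticate: Basic"     # stand-in for the user name/password prompt


def type3_response(user: str, nonce: bytes) -> str:
    """Client side: answer the challenge (stand-in for the NTLM Type 3 packet)."""
    mac = hmac.new(USER_SECRETS[user], nonce, hashlib.sha256).digest()
    return "NTLM " + base64.b64encode(user.encode() + b":" + mac).decode()


class ProxyConnection:
    """One TCP connection from a browser; all negotiation state lives here."""

    def __init__(self):
        self.nonce = None          # issued with Type 2, consumed by Type 3
        self.user = None           # set once a Type 3 verifies

    def request(self, proxy_authorization=None):
        """Handle one GET; returns (status, response header, body)."""
        if self.user:                                   # no further credentials needed
            return 200, None, "OK"
        if proxy_authorization is None:                 # step 2: demand NTLM
            return 401, "Proxy-Authenticate: NTLM", ""
        scheme, _, token = proxy_authorization.partition(" ")
        if scheme != "NTLM":
            return 401, "Proxy-Authenticate: NTLM", ""
        if self.nonce is None:                          # steps 3-4: Type 1 -> Type 2
            self.nonce = os.urandom(8)                  # fresh nonce per negotiation
            return 401, "Proxy-Authenticate: NTLM " + base64.b64encode(self.nonce).decode(), ""
        nonce, self.nonce = self.nonce, None            # steps 5-6: nonce is single use
        try:
            user, _, mac = base64.b64decode(token).partition(b":")
            expected = hmac.new(USER_SECRETS[user.decode()], nonce, hashlib.sha256).digest()
        except (KeyError, ValueError, UnicodeDecodeError):
            return 401, PROMPT, "authentication failed"
        if not hmac.compare_digest(expected, mac):
            return 401, PROMPT, "authentication failed"
        user = user.decode()
        if not USER_GROUPS.get(user, set()) & PERMITTED_GROUPS:
            return 401, PROMPT, "not permitted by policy"
        self.user = user
        return 200, None, "OK"


def negotiate(conn: ProxyConnection) -> bytes:
    """Client side of steps 1-4; returns the nonce carried by the Type 2 challenge."""
    status, header, _ = conn.request()
    assert (status, header) == (401, "Proxy-Authenticate: NTLM")
    status, header, _ = conn.request(TYPE1)
    assert status == 401 and header.startswith("Proxy-Authenticate: NTLM ")
    return base64.b64decode(header.split(" ")[-1])


def client_login(user: str):
    """Drive the full exchange for `user`; returns (final status, connection)."""
    conn = ProxyConnection()
    nonce = negotiate(conn)
    status, _, _ = conn.request(type3_response(user, nonce))
    return status, conn
```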

Using FSAE in a Novell eDirectory environment
FSAE in a Novell eDirectory environment works similarly to FSAE Polling mode in a
Windows AD environment. The FSAE eDirectory agent polls the eDirectory servers for
user logon information and forwards it to the FortiGate unit.
When a user logs on at a workstation, FSAE
• detects the logon event by polling the eDirectory server and records the IP address
and user ID,
• looks up in the eDirectory which groups this user belongs to,
• sends the IP address and user groups information to the FortiGate unit.

When the user tries to access network resources, the FortiGate unit selects the
appropriate firewall policy for the destination. If the user belongs to one of the permitted
user groups, the connection is allowed.

Operating system requirements
Consult the FortiOS v4.0 MR2 Release Notes for operating system compatibility
information.

Installing FSAE
The components you need to install depend on whether you are installing FSAE on
Windows AD or Novell eDirectory.

FSAE components for Windows AD
FSAE has two components to install on your network:
• the collector agent must be installed on at least one network computer
• the domain controller (DC) agent must be installed on every domain controller if you
will use DC Agent mode, but is not required if you use Polling mode.

The FSAE installer first installs the collector agent. You can then continue with installation
of the DC agent, or install it later by going to Start > Programs > Fortinet >
Fortinet Server Authentication Extension > Install DC Agent. The installer installs a DC
agent on the domain controllers of all of the trusted domains in your network.
If you install the collector agent on two or more computers, you can create a redundant
configuration on the FortiGate unit for greater reliability. If the current collector agent fails,
the FortiGate unit switches to the next one in its list of up to five collector agents.
You must install FSAE using an account that has administrator privileges. You can use the
default Administrator account, but then you must re-configure FSAE each time the
account password changes. Fortinet recommends that you create a dedicated account
with administrator privileges and a password that does not expire.

FSAE components for Novell eDirectory
For a Novell network, there is only one FSAE component to install, the FSAE eDirectory
agent. In some cases, you also need to install the Novell Client.


Installing FSAE for Windows AD
To install FSAE, you must obtain the FSAE Setup file from the Fortinet Support web site.
Perform the following installation procedure on the computer that will run the Collector
Agent. This can be any server or domain controller that is part of your network. The
procedure also installs the DC Agent on all of the domain controllers in your network.
To install the FSAE collector agent
1 Create an account with administrator privileges and a password that does not expire.
See Microsoft Advanced Server documentation for more information.
2 Log in to the account that you created in Step 1.
3 Double-click the FSAESetup.exe file.
The FSAE InstallShield Wizard starts.
4 Select Next. Optionally, you can change the FSAE installation location.
5 Select Next.
6 In the Password field, enter the password for the account listed in the User Name field.
This is the account you are logged into currently.
7 Select Next.
8 By default, FSAE authenticates users both by monitoring logons and by accepting
authentication requests using the NTLM protocol.
If you want to support only NTLM authentication
• Clear the Monitor user logon events and send the information to Fortinet check box.
• Select the Serve NTLM authentication requests coming from FortiGate check box.
If you do not want to support NTLM authentication
• Clear the Serve NTLM authentication requests coming from FortiGate check box.
• Select the Monitor user logon events and send the information to Fortinet check
box.
You can also change these options after installation.
9 Select the access method to use for Windows Directory:
• Select Standard to use Windows domain and user name credentials.
• Select Advanced if you will set up LDAP access to Windows Directory.
10 Select Next and then select Install.
11 For DC Agent mode, when the FSAE InstallShield Wizard completes FSAE collector
agent installation, ensure that Launch DC Agent Install Wizard is selected and then
select Finish.
To install the DC Agent
1 If you have just installed the FSAE collector agent, the FSAE - Install DC Agent wizard
starts automatically. Otherwise, go to Start > Programs > Fortinet > Fortinet Server
Authentication Extension > Install DC Agent.
2 Verify the Collector Agent IP address.
If the Collector Agent computer has multiple network interfaces, ensure that the one
that is listed is on your network. The listed Collector Agent listening port is the default.
You should change this only if the port is already used by some other service.
3 Select Next.

734

FortiOS™ Handbook FortiOS 4.0 MR2 User Authentication
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

FSAE for integration with Windows AD or Novell

Installing FSAE

4 Select the domains to monitor and select Next.
If any of your required domains are not listed, cancel the wizard and set up the proper
trusted relationship with the domain controller. Then run the wizard again by going to
Start > Programs > Fortinet > Fortinet Server Authentication Extension >
Install DC Agent.
5 Optionally, select users that you do not want monitored. These users will not be able to
authenticate to FortiGate units using FSAE. You can also do this later. See
“Configuring FSAE on Windows AD” on page 736.
6 Select Next.
7 Optionally, clear the check boxes of domain controllers on which you do not want to
install the FSAE DC Agent.
8 Select the Working Mode: DC Agent Mode or Polling Mode. For more information, see
“DC Agent mode” on page 730 and “Polling mode” on page 731.
9 Select Next.
10 Select Yes when the wizard requests that you reboot the computer.
Note: If you reinstall the FSAE software on this computer, your FSAE configuration is
replaced with default settings.

If you want to create a redundant configuration, repeat the procedure “To install the FSAE
collector agent” on page 734 on at least one other Windows AD server.
Note: When you install a second collector agent, cancel the Install Wizard dialog when it
appears the second time. In the configuration GUI, the monitored domain controller list
should then show your domain controllers unselected. Select the ones you wish to
monitor with this collector agent, and click Apply.

Before you can use FSAE, you need to configure it on both Windows AD and on the
FortiGate units. See the next section, “Configuring FSAE on Windows AD”, and
“Configuring FSAE on FortiGate units” on page 748.

Installing FSAE for Novell
To install FSAE, you must obtain the FSAE_Setup_eDirectory file from the Fortinet
Support web site. Perform the following installation procedure on the computer that will
run the FSAE eDirectory agent. This can be any server or domain controller that is part of
your network.
To install the FSAE eDirectory agent
1 Create an account with administrator privileges and a password that does not expire.
See Novell documentation for more information.
2 Log in to the account that you created in Step 1.
3 Double-click the FSAE_Setup_edirectory.exe file.
The Fortinet eDirectory Agent InstallShield Wizard starts.
4 Optionally, fill in the User Name and Organization fields.
5 Select the Anyone who uses this computer (all users) option.
6 Select Next.

7 Optionally, enter any of the following information:
You can also enter or modify this information after installation. See “Configuring FSAE
on Novell networks” on page 745.
eDirectory Server
Server Address: Enter the IP address of the eDirectory server.
Use secure connection (SSL): Select to connect to the eDirectory server using SSL security.
Search Base DN: Enter the base Distinguished Name for the user search.
eDirectory Authentication
User name: Enter a user name that has access to the eDirectory, using LDAP format.
User password: Enter the password.
8 Select Next.
9 Select Install.

Configuring FSAE on Windows AD
On the FortiGate unit, firewall policies control access to network resources based on user
groups. Each FortiGate user group is associated with one or more Windows AD user
groups.
FSAE sends information about Windows user logons to FortiGate units. If there are many
users on your Windows AD domains, the large amount of information might affect the
performance of the FortiGate units. To avoid this problem, you can configure the FSAE
collector agent to send logon information only for groups named in the FortiGate unit’s
firewall policies.
On each computer that runs a collector agent, you need to configure
• Windows AD user groups
• collector agent settings, including the domain controllers to be monitored
• the collector agent Ignore User list
• the collector agent FortiGate Group Filter for each FortiGate unit
• LDAP access settings, if LDAP is used to obtain group information
Note: In some environments where user IP addresses change frequently, it might be
necessary to configure the alternate IP address tracking method. For more information, see
“Configuring alternate user IP address tracking” on page 742.

Configuring Windows AD server user groups
FortiGate units control access at the group level. All members of a group have the same
network access as defined in FortiGate firewall policies. You can use existing Windows AD
user groups for authentication to FortiGate units if you intend that all members within each
group have the same network access privileges. Otherwise, you need to create new user
groups for this purpose.
If you change a user’s group membership, the change does not take effect until the user
logs off and then logs on again.

FSAE sends only Domain Local Security Group and Global Security Group information to
FortiGate units. You cannot use Distribution group types for FortiGate access. No
information is sent for empty groups.
Refer to Microsoft documentation for information about creating groups.

Configuring collector agent settings
You need to configure which domain controllers you use and which domains you monitor
for user logons. You can also alter default settings and settings you made during
installation.
To configure the FSAE collector agent
1 From the Start menu select Programs > Fortinet >
Fortinet Server Authentication Extension > Configure FSAE.

2 Enter the following information and then select Save & Close.
Monitoring user logon events: Select to automatically authenticate users as they log on to the Windows domain.
Support NTLM authentication: Select to facilitate logon of users who are connected to a domain that does not have the DC Agent installed.
Collector Agent Status: Shows RUNNING when the collector agent is active.
Listening ports: You can change port numbers if necessary.
FortiGate: TCP port for FortiGate units. Default 8000.
DC Agent: UDP port that DC Agents use. Default 8002.
Logging
Log level: Select the minimum severity level of logged messages.
Log file size limit (MB): Enter the maximum size for the log file in MB.
View Log: View all FSAE logs.

Log logon events in separate logs: Record user login-related information separately from other logs. The information in this log includes
• data received from DC agents
• user logon/logoff information
• workstation IP change information
• data sent to FortiGate units
View Logon Events: If Log logon events in separate logs is enabled, you can view user login-related information.
Authentication
Require authenticated connection from FortiGate: Select to require the FortiGate unit to authenticate before connecting to the Collector Agent.
Password: Enter the password that FortiGate units must use to authenticate. The maximum password length is 16 characters. The default password is “fortinetcanada”.

Timers
Workstation verify interval (minutes): Enter the interval in minutes at which FSAE checks whether the user is still logged in. The default is every 5 minutes. If ports 139 or 445 cannot be opened on your network, set the interval to 0 to prevent checking. See “Configuring TCP ports for FSAE on client computers” on page 742.
Dead entry timeout interval: Enter the interval in minutes after which FSAE purges information for user logons that it cannot verify. The default is 480 minutes (8 hours). Dead entries usually occur because the computer is unreachable (in standby mode or disconnected, for example) but the user has not logged off. You can also prevent dead entry checking by setting the interval to 0.
IP address change verify interval: FSAE periodically checks the IP addresses of logged-in users and updates the FortiGate unit when user IP addresses change. This does not apply to users authenticated through NTLM. Enter the verification interval in seconds. IP address verification prevents users from being locked out if they change IP addresses. You can enter 0 to prevent IP address checking if you use static IP addresses.
Cache user group lookup result: Enable caching.
Cache expire in (minutes): FSAE caches group information for logged-in users. Enter the duration in minutes after which the cache entry expires. If you enter 0, the cache never expires.
Clear Group Cache: Clear group information of logged-in users.

Common Tasks
Show Service Status: View information about the status of the collector agent and connected FortiGate units. See “Viewing collector agent status” on page 742.
Show Monitored DCs: Shows detailed information about connected DC agents. Use the Select DC to Monitor button to select domain controllers to monitor and choose Working Mode. See “Selecting Domain Controllers and working mode for monitoring” on page 744.
Show Logon Users: View a list of currently logged-in users. Select the column headers to sort the list.
Select Domains to Monitor: Select this button to remove domains that you do not want to monitor. From the Domain Filter dialog box that displays, clear check boxes for unwanted domains and select OK.
Set Directory Access Information: See “Configuring Directory Access settings” on page 739.
Set Group Filters: Configure group filtering for each FortiGate unit. See “Configuring FortiGate group filters” on page 740.
Set Ignore User List: Exclude users such as system accounts that do not authenticate to any FortiGate unit. See “Configuring the Ignore User List” on page 739.
Sync Configuration With Other Agents: Copy this collector agent's Ignore User List and Group Filters to the other collector agents to synchronize the configuration. You are asked to confirm synchronization for each collector agent.
Export Configuration: Export FSAE configuration to a text file. The file is named "saved_config.txt" and is saved in the FSAE program directory.
Save & Close: Save the modified settings and exit.
Apply: Apply changes now.
Default: Change all settings to the default values.
Help: View the online Help.
Note: To view the version and build number information for your FSAE configuration, click the Fortinet icon in the upper left corner of the Fortinet Collector Agent Configuration screen and select “About FSAE configuration”.

Configuring Directory Access settings
FSAE can access Windows Active Directory in one of two modes:
• Standard — FSAE receives group information from the collector agent in the form domain\group. This is available on FortiOS 3.0 and later.
• Advanced — FSAE obtains user group information using LDAP. This is compatible with FortiOS 3.0 MR6 and later. Group information is in LDAP format.

If you change AD access mode, you must reconfigure your group filters to ensure that the
group information is in the correct format.
To configure Directory Access settings
1 From the Start menu select Programs > Fortinet >
Fortinet Server Authentication Extension > Configure FSAE.
2 In the Common Tasks section, select Set Directory Access Information.
The Set Directory Access Information dialog box opens.
3 From the AD access mode list, select either Standard or Advanced.
4 If you selected Advanced AD access mode, select Advanced Setting and configure the
following settings and then select OK:
AD server address: Enter the address of your network’s global catalog server.
AD server port: The default AD server port is 3268. Change this only if your server uses a different port.
BaseDN: Enter the Base distinguished name for the global catalog.
User name, Password: If the global catalog accepts your FSAE agent’s credentials, you can leave these fields blank. Otherwise, enter credentials for an account that can access the global catalog.

Configuring the Ignore User List
The Ignore User List excludes users such as system accounts that do not authenticate to
any FortiGate unit. The logons of these users are not reported to FortiGate units.

To configure the Ignore User List
1 From the Start menu select Programs > Fortinet >
Fortinet Server Authentication Extension > Configure FSAE.
2 In the Common Tasks section, select Set Ignore User List.
The current list of ignored users is displayed. You can expand each domain to view the
names of ignored users.
3 Do any of the following:
• To remove a user from the list, select the check box beside the user name and then
select Remove. The user’s login is no longer ignored.
• To add users to be ignored, select Add, select the check box beside each required
user name, and then select Add.
4 Select OK.

Configuring FortiGate group filters
FortiGate filters control the user logon information sent to each FortiGate unit. You need to
configure the list so that each FortiGate unit receives user logon information for the user
groups that are named in its firewall policies.
You do not need to configure a group filter on the collector agent if the FortiGate unit
retrieves group information from Windows AD using LDAP. In that case, the collector
agent uses as its filter the list of groups you selected on the FortiGate unit.
The filter list is initially empty. You need to configure filters for your FortiGate units using
the Add function. At minimum, you should create a default filter that applies to all FortiGate
units that do not have a specific filter defined for them.
Note: If no filter is defined for a FortiGate unit and there is no default filter, the collector
agent sends all Windows AD group and user logon events to the FortiGate unit. While this
normally is not a problem, limiting the amount of data sent to the FortiGate unit improves
performance by reducing the amount of memory the unit uses to store the group list.

To configure a FortiGate group filter
1 From the Start menu select Programs > Fortinet >
Fortinet Server Authentication Extension > Configure FSAE.
2 In the Common Tasks section, select Set Group Filters.
The FortiGate Filter List opens. It has the following columns:

FortiGate SN: The serial number of the FortiGate unit to which this filter applies.
Description: An optional description of the role of this FortiGate unit.
Monitored Groups: The Windows AD user groups that are relevant to the firewall policies on this FortiGate unit.
Add: Create a new filter.
Edit: Modify the filter selected in the list.
Remove: Remove the filter selected in the list.
OK: Save the filter list and exit.
Cancel: Cancel changes and exit.

3 Select Add to create a new filter. If you want to modify an existing filter, select it in the
list and then select Edit.

4 Enter the following information and then select OK.
Default filter: Select to create the default filter. The default filter applies to any FortiGate unit that does not have a specific filter defined in the list.
FortiGate Serial Number: Enter the serial number of the FortiGate unit to which this filter applies. This field is not available if Default is selected.
Description: Enter a description of this FortiGate unit’s role in your network. For example, you could list the resources accessed through this unit. This field is not available if Default is selected.
Monitor the following groups: The collector agent sends to the FortiGate unit the user logon information for the Windows AD user groups in this list. Edit this list using the Add, Advanced and Remove buttons.
Add: In the preceding single-line field, enter the Windows AD domain name and user group name, and then select Add. If you don’t know the exact name, use the Advanced button instead. The format of the entry depends on the AD access mode (see “Configuring Directory Access settings” on page 739):
Standard: Domain\Group
Advanced: cn=group, ou=corp, dc=domain
Advanced: Select Advanced, select the user groups from the list, and then select Add.
Remove: Remove the user groups selected in the monitor list.
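To make the filter semantics concrete (a filter for the unit's own serial number wins, otherwise the default filter applies, and with neither the collector agent sends every group), here is an added Python example. It is not part of the handbook and not FSAE code: it assumes the two entry formats shown above, treats Windows domain\group names and AD distinguished names as case-insensitive, and uses a constructed serial number placeholder and constructed group names.

```python
import re
from typing import Dict, List, Optional, Set

# One relative distinguished name: attribute type, "=", a non-empty value.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def split_dn(dn: str) -> List[str]:
    """Split an LDAP DN on commas that are not escaped with a backslash."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair (e.g. "\,") intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return [p.strip() for p in parts]


def normalize_entry(entry: str, mode: str) -> str:
    """Validate a monitored-group entry and return its canonical, comparable form.

    mode "standard": Domain\\Group            -> domain\\group
    mode "advanced": cn=group, ou=corp, dc=x -> cn=group,ou=corp,dc=x
    Windows names and AD DNs are case-insensitive, so the result is lower-cased.
    """
    entry = entry.strip()
    if mode == "standard":
        if entry.count("\\") != 1:
            raise ValueError(f"standard mode expects Domain\\Group, got {entry!r}")
        domain, group = entry.split("\\")
        if not domain or not group:
            raise ValueError(f"empty domain or group in {entry!r}")
        return f"{domain.lower()}\\{group.lower()}"
    if mode == "advanced":
        rdns = []
        for rdn in split_dn(entry):
            if not RDN_RE.match(rdn):
                raise ValueError(f"{rdn!r} is not an attribute=value RDN in {entry!r}")
            attr, value = rdn.split("=", 1)
            rdns.append(f"{attr.lower()}={value.strip().lower()}")
        return ",".join(rdns)
    raise ValueError("mode must be 'standard' or 'advanced'")


class FortiGateFilterList:
    """The collector agent's FortiGate Filter List: a monitored-group set per serial
    number plus an optional default filter (assumed model of the dialog above)."""

    def __init__(self, mode: str):
        self.mode = mode
        self.filters: Dict[str, Set[str]] = {}
        self.default: Optional[Set[str]] = None

    def add_filter(self, serial: str, groups: List[str]) -> None:
        self.filters[serial] = {normalize_entry(g, self.mode) for g in groups}

    def set_default(self, groups: List[str]) -> None:
        self.default = {normalize_entry(g, self.mode) for g in groups}

    def monitored_groups(self, serial: str) -> Optional[Set[str]]:
        """Specific filter first, then the default filter; None means no filter at all."""
        return self.filters.get(serial, self.default)

    def groups_sent(self, serial: str, user_groups: List[str]) -> List[str]:
        """Which of a logged-on user's groups the agent reports to this unit.
        With no specific and no default filter every group is sent."""
        normalized = [normalize_entry(g, self.mode) for g in user_groups]
        allowed = self.monitored_groups(serial)
        if allowed is None:
            return normalized
        return [g for g in normalized if g in allowed]


# Constructed sample data; the serial number is a placeholder, not a real unit.
SAMPLE_SERIAL = "FGT-SERIAL-PLACEHOLDER"
SAMPLE_USER_GROUPS = [
    "CN=Finance,OU=corp,DC=example",
    "cn=Staff, ou=corp, dc=example",
    "cn=Domain Admins,cn=Users,dc=example",
]


def build_example_filters() -> FortiGateFilterList:
    filters = FortiGateFilterList("advanced")
    filters.add_filter(SAMPLE_SERIAL, ["cn=Finance, ou=corp, dc=example"])
    filters.set_default(["cn=Staff,ou=corp,dc=example"])
    return filters


if __name__ == "__main__":
    f = build_example_filters()
    print(f.groups_sent(SAMPLE_SERIAL, SAMPLE_USER_GROUPS))      # specific filter: finance only
    print(f.groups_sent("FGT-OTHER-UNIT", SAMPLE_USER_GROUPS))   # default filter: staff only
    print(FortiGateFilterList("advanced").groups_sent("any", SAMPLE_USER_GROUPS))  # unfiltered
```

The unfiltered case is the one the note above warns about: a unit with neither a specific nor a default filter receives every group of every logged-on user, which is what a default filter that lists only the groups named in firewall policies avoids.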

Configuring TCP ports for FSAE on client computers
Windows AD records when users log on but not when they log off. For best performance,
FSAE monitors when users log off. To do this, FSAE needs read-only access to each
client computer’s registry over TCP port 139 or 445. At least one of these ports should be
open and not blocked by firewall policies.
If it is not feasible or acceptable to open TCP port 139 or 445, you can turn off FSAE logoff
detection. To do this, set the collector agent workstation verify interval to 0. FSAE
assumes that the logged on computer remains logged on for the duration of the collector
agent dead entry timeout interval. By default this is eight hours. For more information
about both interval settings, see “Timers” on page 738.
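The interplay between the workstation verify interval and the dead entry timeout described above is easier to see in a small simulation. The following Python model is an added example, not Fortinet code; it assumes a simplified collector agent logon table keyed by IP address, a probe function standing in for the registry check over TCP 139/445, and a constructed scenario in which the user alice logs on from 10.0.0.5 at minute 0 and logs off at minute 10.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LogonEntry:
    user: str
    ip: str
    last_check: int      # minute of the last workstation probe
    last_verified: int   # minute of the last probe that confirmed the logon


class CollectorAgentTable:
    """Simplified model of the collector agent's logon table (assumption: one entry per IP)."""

    def __init__(self, verify_interval: int = 5, dead_entry_timeout: int = 480):
        self.verify_interval = verify_interval        # minutes; 0 disables workstation checks
        self.dead_entry_timeout = dead_entry_timeout  # minutes; 0 disables dead entry purging
        self.entries: Dict[str, LogonEntry] = {}
        self.events: List[Tuple[int, str, str, str]] = []  # what would go to the FortiGate unit

    def logon(self, user: str, ip: str, now: int) -> None:
        """A DC agent (or a poll) reported a logon event."""
        self.entries[ip] = LogonEntry(user, ip, now, now)
        self.events.append((now, "logon", user, ip))

    def user_for_ip(self, ip: str) -> Optional[str]:
        """The identity the FortiGate unit would currently attach to traffic from this IP."""
        entry = self.entries.get(ip)
        return entry.user if entry else None

    def tick(self, now: int, probe: Callable[[str], Optional[bool]]) -> None:
        """Advance the clock by one minute.

        probe(ip) stands in for the registry check over TCP 139/445 and returns
        True (still logged on), False (logged off) or None (workstation unreachable).
        """
        for ip, entry in list(self.entries.items()):
            if self.verify_interval > 0 and now - entry.last_check >= self.verify_interval:
                entry.last_check = now
                status = probe(ip)
                if status is True:
                    entry.last_verified = now
                elif status is False:
                    self._purge(entry, now, "logoff")
                    continue
                # None: cannot verify; the entry stays until the dead entry timeout expires
            if self.dead_entry_timeout > 0 and now - entry.last_verified >= self.dead_entry_timeout:
                self._purge(entry, now, "dead-entry-timeout")

    def _purge(self, entry: LogonEntry, now: int, reason: str) -> None:
        del self.entries[entry.ip]
        self.events.append((now, reason, entry.user, entry.ip))


def simulate(verify_interval: int, dead_entry_timeout: int, logoff_at: int = 10,
             reachable: bool = True, horizon: int = 600) -> Optional[Tuple[int, str]]:
    """Constructed scenario: alice logs on from 10.0.0.5 at minute 0 and logs off at logoff_at.

    Returns (minute, reason) when the collector agent drops her entry, or None if the
    entry is still present at the horizon.
    """
    table = CollectorAgentTable(verify_interval, dead_entry_timeout)
    table.logon("alice", "10.0.0.5", 0)
    for now in range(1, horizon + 1):
        def probe(ip: str, now: int = now) -> Optional[bool]:
            if not reachable:
                return None          # TCP 139/445 blocked: the registry cannot be read
            return now < logoff_at
        table.tick(now, probe)
        if table.user_for_ip("10.0.0.5") is None:
            minute, reason, _user, _ip = table.events[-1]
            return minute, reason
    return None


if __name__ == "__main__":
    print("defaults (5 min verify, 480 min timeout):", simulate(5, 480))
    print("verify disabled:", simulate(0, 480))
    print("ports 139/445 blocked:", simulate(5, 480, reachable=False))
```

With the defaults the logoff is reported at minute 10. With the verify interval set to 0, or with the ports blocked so that every check fails, the entry survives until the dead entry timeout at minute 480, so the FortiGate unit keeps treating traffic from 10.0.0.5 as alice for that whole period. When logoff detection has to be disabled, a shorter dead entry timeout and the IP address change verify interval are the settings that limit how long a stale identity stays attached to an address.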

Configuring ports on the collector agent computer
On the computer where you install the collector agent, you must make sure that the
firewall does not block the listening ports for the FortiGate unit and the DC Agent. By
default, these are TCP port 8000 and UDP port 8002. For more information about setting
these ports, see “To configure the FSAE collector agent” on page 737.

Configuring alternate user IP address tracking
In environments where user IP addresses change frequently, you can configure FSAE to
use an alternate method to track user IP address changes. Using this method, FSAE
responds more quickly to user IP address changes because it directly queries workstation
IP addresses to match users and IP addresses. You need to have FSAE version 3.5.27 or
later and FortiOS 3.0 MR7 or later.
To configure alternate user IP address tracking
1 On the computer where the collector agent is installed, go to Start > Run.
2 Enter regedit or regedt32 and select OK.
The Registry Editor opens.
3 Find the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent.
4 Set the supportFSAEauth value (dword) to 00000001.
5 Close the Registry Editor.
6 From the Start menu select Programs > Fortinet >
Fortinet Server Authentication Extension > Configure FSAE.
7 Select Apply.
The FSAE service restarts with the updated registry settings.

Viewing collector agent status
Use the Show Service Status function to view your collector agents.
To view collector agent status
1 From the Start menu select Programs > Fortinet >
Fortinet Server Authentication Extension > Configure FSAE.

2 In the Common Tasks section, select Show Service Status.
The FSAE Collector Agent Status window opens.

You can see which FortiGate units have a collector agent installed and how long the
agent has been connected.

Viewing DC agent status
Use the Show Monitored DCs function to view the status of DC agents.
To view domain controller agent status
1 From the Start menu select Programs > Fortinet >
Fortinet Server Authentication Extension > Configure FSAE.
2 In the Common Tasks section, select Show Monitored DCs.

For each DC Agent, you can view the IP address, number of logon events received,
the last logon event and when it was received.
3 If you want to change which DC agents are monitored or change the working mode for
logon event monitoring, select Select DC to Monitor. For more information see
“Selecting Domain Controllers and working mode for monitoring” on page 744.

Selecting Domain Controllers and working mode for monitoring
You can change which DC agents are monitored or change the working mode for logon
event monitoring.
1 From the Start menu select Programs > Fortinet >
Fortinet Server Authentication Extension > Configure FSAE.
2 In the Common Tasks section, select Show Service Status.
3 Select Select DC to Monitor.

Working Mode
DC Agent mode — a Domain Controller agent monitors user logon events and
passes the information to the FSAE collector agent. This provides reliable user logon
information, however you must install a DC agent on every domain controller in the
domain.
Polling mode — the FSAE collector agent polls each domain controller for user
logon information. Under heavy system load this might provide information less
reliably, but you do not need to install a DC agent on each domain controller.

Configuring FSAE on Novell networks
You need to configure the FSAE eDirectory agent to communicate with eDirectory servers.
You may have provided some of this information during installation.
To configure the eDirectory agent
1 From the Start menu select Programs > Fortinet > eDirectory Agent > eDirectory
Config Utility.
The eDirectory Agent Configuration Utility dialog opens.

2 Enter the following information and select OK.
eDirectory Authentication
User name: Enter a user name that has access to the eDirectory, using LDAP format.
User password: Enter the password.
Listening port: Enter the TCP port on which FSAE listens for connections from FortiGate units. The default is 8000. You can change the port if necessary.
Refresh interval: Enter the interval in seconds between polls of the eDirectory server to check for new logins. The default is 30 seconds.
FortiGate Connection Authentication
Require authenticated connection from FortiGate: Select to require the FortiGate unit to authenticate before connecting to the eDirectory Agent.
Password: Enter the password that FortiGate units must use to authenticate. The maximum password length is 16 characters. The default password is “FortinetCanada”.
User logon info search method: Select how the FSAE eDirectory agent accesses user logon information: LDAP or Native (Novell API). LDAP is the default. If you select Native, you must also have the Novell Client installed on the PC.

Logging
Log level: Select Debug, Info, Warning or Error as the minimum severity level of message to log or select None to disable logging.
Log file size limit (MB): Enter the maximum size for the log file in MB.
View Log: View the current log file.
Dump Session: List the currently logged-on users in the log file. This can be useful for troubleshooting.
eDirectory server list: If you specified an eDirectory server during installation, it appears in this list.
Add: Add an eDirectory server. See “To add an eDirectory server”, next.
Delete: Delete the selected eDirectory server.
Edit: Modify the settings for the selected server.
Group Filter: Select the user groups whose user logons will be reported to the FortiGate unit. This is used only if user groups are not selected on the FortiGate unit. See “Configuring a group filter” on page 747.

To add an eDirectory server
1 In the eDirectory Agent Configuration Utility dialog box (see the preceding procedure,
“To configure the eDirectory agent”), select Add.
The eDirectory Setup dialog box opens.

2 Enter the following information and select OK:
eDirectory Server Address: Enter the IP address of the eDirectory server.
Port: If the eDirectory server does not use the default port 389, clear the Default check box and enter the port number.
Use default credential: Select to use the credentials specified in the eDirectory Configuration Utility. See “To configure the eDirectory agent” on page 745. Otherwise, leave the check box clear and enter a User name and Password below.
User name: Enter a user name that has access to the eDirectory, using LDAP format.
User password: Enter the password.
Use secure connection (SSL): Select to connect to the eDirectory server using SSL security.
Search Base DN: Enter the base Distinguished Name for the user search.

Configuring a group filter
The FSAE eDirectory agent sends user logon information to the FortiGate unit for all user
groups unless you either
• configure an LDAP server entry for the eDirectory on the FortiGate unit and select the groups that you want to monitor (see “Configuring LDAP server access” on page 748), or
• configure the group filter on the eDirectory agent (see “To configure the group filter”, below).
If both the FortiGate LDAP configuration and the FSAE eDirectory agent group filter are
present, the FortiGate user group selections are used.
To configure the group filter
1 From the Start menu select Programs > Fortinet > eDirectory Agent > eDirectory
Config Utility.
2 Select Group Filter.
3 Do one of the following:
• Enter group names, then select Add.
• Select Advanced, select groups, and then select Add.
4 Select OK.

Configuring FSAE on FortiGate units
To configure your FortiGate unit to operate with FSAE, you
• configure LDAP access to the Novell eDirectory or Windows AD global catalog. Skip this step if you are using FSAE Standard mode.
• specify the FSAE collector agent or Novell eDirectory agent that will provide user logon information.
• add Active Directory user groups to FortiGate user groups.
• create firewall policies for FSAE-authenticated groups.
• optionally, specify a guest protection profile to allow guest access.

Configuring LDAP server access
LDAP access is required if your network has a Novell eDirectory agent or a collector agent
using Advanced AD access mode. If you are using FSAE Standard mode, go to
“Specifying your collector agents or Novell eDirectory agents” on page 750.
The LDAP configuration on the FortiGate unit not only provides access to the LDAP
server, it sets up the retrieval of Windows AD user groups for you to select in Directory
Services. The LDAP Server configuration (in User > Remote > LDAP) includes a function
to preview the LDAP server’s response to your distinguished name query. If you already
know the appropriate Distinguished Name (DN) and User DN settings, you may be able to
skip some of the following steps.
1 Go to User > Remote > LDAP and select Create New.
2 Select the Query distinguished name button to the right of the Distinguished Name
field.
A new window opens, like this:
Figure 86: Result of initial DN query

If more than one name is listed, you might need to explore each name following the
steps below to determine which one is relevant to your needs.
3 Copy the name string to the Distinguished Name field and select OK.
This closes the window and copies the name string to the Distinguished Name field of
the LDAP Server configuration.
4 Set Bind Type to Regular.
5 In the User DN field, enter the administrative account name that you created for FSAE.
For example, if the account is FSAE_Admin, enter “cn=FSAE_Admin,cn=users”.
6 Make sure that the User DN entry ends with a comma and append the string from the
Distinguished Name field to the end of it.
Example: cn=FSAE_Admin,cn=users,dc=office,dc=example,dc=com
7 Enter the administrative account password in the Password field.

8 Select the Query distinguished name button again.
The LDAP Distinguished Name Query window opens again and looks like this:
Figure 87: Authenticated DN query

You can expand any of the DNs that contain entries. When you select an expandable
DN, the Distinguished Name field is updated. Look for the DN that contains the users
or groups whose logon you want to monitor.
9 Select the DN that you want to monitor and then select OK.
This closes the window and updates the Distinguished Name field of the LDAP Server
configuration.
10 Check the following fields and select OK:
Name: Enter a name to identify the LDAP server.
Common Name Identifier: The default common name identifier is cn. This is correct for most LDAP servers. However some servers use other identifiers such as uid.
Secure Connection: Do not select. The FSAE collector agent does not support secure connection.

To configure LDAP for Directory Services - CLI example
config user ldap
  edit "ADserver"
    set server "10.11.101.160"
    set cnid "cn"
    set dn "cn=users,dc=office,dc=example,dc=com"
    set type regular
    set username "cn=administrator,cn=users,dc=office,dc=example,dc=com"
    set password set_a_secure_password
  next
end

Specifying your collector agents or Novell eDirectory agents
You need to configure the FortiGate unit to access at least one FSAE collector agent or
Novell eDirectory agent. You can specify up to five servers on which you have installed a
collector or eDirectory agent. The FortiGate unit accesses these servers in the order that
they appear in the list. If a server becomes unavailable, the unit accesses the next one in
the list.
To specify collector agents
1 Go to User > Directory Service and select Create New.
Figure 88: Directory Service server configuration

2 Enter the following information and select OK:
Name: Enter a name for the Windows AD server. This name appears in the list of Windows AD servers when you create user groups.
Enter the following information for up to five collector agents.
FSAE Collector IP/Name: Enter the IP address or the name of the server where this agent is installed. Maximum name length is 63 characters.
Port: Enter the TCP port used for FSAE. This must be the same as the FortiGate listening port specified in the Novell eDirectory or FSAE collector agent configuration. See “Configuring collector agent settings” on page 737 or “Configuring FSAE on Novell networks” on page 745.
Password: Enter the password for the collector agent or eDirectory agent. For the FSAE collector agent, this is required only if you configured the agent to require authenticated access.
LDAP Server: For Novell eDirectory, enable. For Windows AD, enable if the collector agent is configured to use Advanced AD access mode. Select the LDAP server you configured previously. See “Configuring LDAP server access” on page 748.

To specify the collector agent for Directory Services - CLI example
config user fsae
  edit WinGroups
    set ldap-server ADserver
    set password ENC G7GQV7NEqilCM9jKmVmJJFVvhQ2+wtNEe9T0iYA5Sa+EqT2J8zhOrbkJFDr0RmY3c4LaoXdsoBczA1dONmcGfthTxxwGsigzGpbJdC71spFlQYtj
    set server 10.11.101.160
  end


Selecting Windows user groups (LDAP only)
If the collector agent uses Advanced AD access mode, the FortiGate unit obtains user
group information using LDAP. You need to select the Windows user groups that you want
to monitor. These user group names are then available to add to FortiGate Directory
Service user groups.
To select Windows user groups
1 Go to User > Directory Service.
The list of Directory Service servers is displayed.
Figure 89: List of Directory Service servers

2 Select the Edit Users/Groups icon.
The FortiGate unit performs an LDAP query and displays the result.
Figure 90: Result of Directory Service LDAP query

3 Select the check boxes of the user groups that you want to monitor and then select OK.
You can also use the Add User/Group icon to select a group by entering its
distinguished name.

Viewing information imported from the Windows AD server
You can view the domain and group information that the FortiGate unit receives from the
AD Server. Go to User > Directory Service. The display differs for Standard and Advanced
AD access mode.


Figure 91: List of groups from Active Directory server (Standard AD access mode)
Callouts: Directory Service Server, Domain, Groups

Figure 92: List of monitored groups (Advanced AD access mode)
Callouts: Directory Service Server, Domain and groups in LDAP format, Remove group

Create New: Add a new Directory Service server.
Name: The name defined for the Directory Service server.
Domain: Domain name imported from the Directory Service server.
Groups: The group names imported from the Directory Service server.
FSAE Collector IP: The IP address of the FSAE agent on the Directory Service server.
Delete icon: Delete this server definition.
Edit icon: Edit this server definition.
Refresh icon: Get user group information from the Directory Service server.
Add User/Group: Add a user or group to the list. You must know the distinguished name
for the user or group. This is available for Windows AD in Advanced AD access mode
only.
Edit Users/Groups: Select users and groups to add to the list. See “Selecting Windows
user groups (LDAP only)” on page 751. This is available in Advanced AD access mode
only.


Creating Directory Service user groups
You cannot use Windows or Novell groups directly in FortiGate firewall policies. You must
create FortiGate user groups of the Directory Service type and add Windows or Novell
groups to them.
To create a user group for FSAE authentication
1 Go to User > User Group.
2 Select Create New.
The New User Group dialog box opens.
Figure 93: Creating a new Directory Services user group

3 In the Name box, enter a name for the group, FSAE_Internet_users for example.
4 In Type, select Directory Service.
5 From the Available Members list, select the required Directory Service groups.
Using the CTRL or SHIFT keys, you can select multiple groups.
6 Select the green right arrow button to move the selected groups to the Members list.
7 Select OK.
To create the FSAE_Internet_users user group - CLI example
config user group
  edit FSAE_Internet_users
    set group-type directory-service
    set member CN=Engineering,cn=users,dc=office,dc=example,dc=com CN=Sales,cn=users,dc=office,dc=example,dc=com
  end
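The group DNs given to set member must lie under the base DN configured with set dn on the LDAP server object, or the FortiGate unit's LDAP query will not see them. The following is an added example, not FortiOS or Fortinet code: it parses DNs as RFC 4514 strings and reports any member DN outside the configured base. The base DN and the Engineering and Sales DNs are taken from the CLI examples above; the Contractors DN is a constructed counter-example. Types and values are compared case-insensitively, which assumes the caseIgnore matching Active Directory uses for cn and dc.

```python
"""Distinguished-name checks for 'set dn' and 'set member' (added example)."""
from typing import List, Tuple

BASE_DN = "cn=users,dc=office,dc=example,dc=com"
MEMBERS = [
    "CN=Engineering,cn=users,dc=office,dc=example,dc=com",
    "CN=Sales,cn=users,dc=office,dc=example,dc=com",
    "CN=Contractors,OU=External,DC=office,DC=example,DC=com",  # constructed: outside BASE_DN
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, leftmost RDN first.

    Backslash escapes (e.g. 'Sales\\, EMEA') are honoured, and a comma inside
    a double-quoted value does not end the RDN. Multi-valued RDNs ('a=1+b=2')
    are kept as one value string. Types are lower-cased; values keep their
    case so the caller decides how to compare them.
    """
    rdns: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            rdns.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    parsed: List[Tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        attr_type, value = rdn.split("=", 1)
        parsed.append((attr_type.strip().lower(), value.strip().strip('"')))
    return parsed


def normalise(dn: str) -> List[Tuple[str, str]]:
    """Canonical form for comparison: lower-cased types and values (caseIgnore)."""
    return [(t, v.lower()) for t, v in parse_dn(dn)]


def dn_is_under(member_dn: str, base_dn: str) -> bool:
    """True when member_dn is a strict descendant of base_dn."""
    member, base = normalise(member_dn), normalise(base_dn)
    return len(member) > len(base) and member[-len(base):] == base


def members_outside_base(base_dn: str, members: List[str]) -> List[str]:
    """Return the 'set member' DNs that the configured LDAP base DN does not cover."""
    return [m for m in members if not dn_is_under(m, base_dn)]


if __name__ == "__main__":
    for dn in members_outside_base(BASE_DN, MEMBERS):
        print(f"not under {BASE_DN}: {dn}")
```

Run it against the DNs you intend to paste into set member; a DN it reports needs either a wider set dn on the LDAP server object or a different Windows group.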

Creating firewall policies
Policies that require FSAE authentication are very similar to other firewall policies. Using
identity-based policies, you can configure access that depends on the Directory Service
user group.
To create a firewall policy for FSAE authentication
1 Go to Firewall > Policy and select Create New.
2 Enter the following information:
Source interface and address: as required
Destination interface and address: as required
Action: ACCEPT
NAT: as needed

3 Select Enable Identity Based Policy and then select Add.
The New Authentication Rule window opens.
4 Select the required user group from the Available User Groups list and then select the
right arrow button to move the selected group to the Selected User Groups list.
You can select multiple groups using the CTRL or SHIFT keys.
5 Select the required service from the Available Services list and then select the right
arrow button to move the selected service to the Selected Services list.
You can select multiple services using the CTRL or SHIFT keys.
6 Select a Schedule from the list as needed.
7 Optionally, select UTM and enable UTM options.
8 Select OK to close the New Authentication Rule window.
9 Select Directory Service (FSAE).
10 Select OK.
To create a firewall policy for FSAE authentication - CLI example
config firewall policy
edit 0
set srcintf port2
set dstintf port1
set srcaddr internal_net
set dstaddr all
set action accept
set identity-based enable
set nat enable
config identity-based-policy
edit 1
set schedule always
set groups FSAE_Internet_users
set service ANY
end
end

Enabling guests to access FSAE policies
You can enable guest users to access FSAE firewall policies. Guests are users who are
unknown to the Windows AD or Novell network and servers that do not log on to a
Windows AD domain.
To enable guest access in your FSAE firewall policy, add an identity-based policy
assigned to the built-in user group FSAE_Guest_Users. Specify the services, schedule
and protection profile that apply to guest users. For more information, see “Creating
firewall policies” on page 753.

Testing the configuration
To verify that you have correctly configured FSAE on your network and on your FortiGate
units:
1 From a workstation on your network, log on to your domain using an account that
belongs to a group that is configured for authentication on the FortiGate unit.
2 Try to connect to the resource that is protected by the firewall policy requiring
authentication through FSAE.
You should be able to connect to the resource without being asked for user name or
password.
3 Log off and then log on using an account that does not belong to a group you have
configured for authentication on the FortiGate unit.
4 Try to connect to the resource that is protected by the firewall policy requiring
authentication through FSAE.
Your attempt to connect to the resource should fail.
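The outcomes this test procedure expects, together with the guest handling described under "Enabling guests to access FSAE policies", can be written down as a small decision model. This is an added example, not FortiOS code: a workstation whose reported logon is in a Windows group that belongs to the Directory Service user group named in the identity-based policy matches without a prompt; a reported logon in a group no Directory Service user group contains matches nothing; a source IP with no logon record at all is treated as a guest and matches only a rule for the built-in FSAE_Guest_Users group. Whether the collector agent reports a logon in an unmonitored group at all depends on the agent's own configuration, which this model does not cover. The IPs, user names and the Contractors DN are constructed; the group names and the Engineering and Sales DNs come from the CLI examples on this page.

```python
"""Model of identity-based policy matching for FSAE logons (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

GUEST_GROUP = "FSAE_Guest_Users"  # built-in group named in the section above

# Directory Service user group -> Windows group DNs (from the config user group example)
DS_GROUPS: Dict[str, List[str]] = {
    "FSAE_Internet_users": [
        "CN=Engineering,cn=users,dc=office,dc=example,dc=com",
        "CN=Sales,cn=users,dc=office,dc=example,dc=com",
    ],
}

# Constructed FSAE logon table: source IP -> group DNs reported by the collector agent
LOGONS: Dict[str, List[str]] = {
    "10.11.101.50": ["CN=Engineering,CN=Users,DC=office,DC=example,DC=com"],  # OFFICE\alice
    "10.11.101.51": ["CN=Contractors,CN=Users,DC=office,DC=example,DC=com"],  # OFFICE\bob
}


@dataclass
class IdentityRule:
    """One entry of 'config identity-based-policy'."""
    groups: List[str]
    services: Set[str]          # {"ANY"} or a set of service names
    schedule: str = "always"


def resolve_user_groups(reported_dns: List[str]) -> Set[str]:
    """Directory Service user groups that contain any of the reported Windows groups.

    DN comparison is case-insensitive; the DNs above show both CN= and cn=.
    """
    wanted = {dn.lower() for dn in reported_dns}
    return {name for name, members in DS_GROUPS.items()
            if any(m.lower() in wanted for m in members)}


def rule_covers_service(rule: IdentityRule, service: str) -> bool:
    return "ANY" in rule.services or service in rule.services


def match_identity_rule(rules: List[IdentityRule], src_ip: str, service: str) -> Optional[int]:
    """Return the 1-based index of the first matching rule, or None (traffic denied)."""
    logon = LOGONS.get(src_ip)
    if logon is None:
        user_groups = {GUEST_GROUP}          # no logon record for this IP: guest
    else:
        user_groups = resolve_user_groups(logon)
    for idx, rule in enumerate(rules, start=1):
        if rule.schedule != "always":        # the model only knows the 'always' schedule
            continue
        if rule_covers_service(rule, service) and user_groups & set(rule.groups):
            return idx
    return None


# Policy from the CLI example: one rule for FSAE_Internet_users, service ANY
INTERNET_RULES = [IdentityRule(["FSAE_Internet_users"], {"ANY"})]
# The same policy with a constructed guest rule limited to web services
INTERNET_RULES_WITH_GUEST = INTERNET_RULES + [IdentityRule([GUEST_GROUP], {"HTTP", "HTTPS"})]

if __name__ == "__main__":
    for ip, svc in [("10.11.101.50", "HTTPS"), ("10.11.101.51", "HTTPS"), ("10.11.101.99", "HTTP")]:
        print(ip, svc, match_identity_rule(INTERNET_RULES_WITH_GUEST, ip, svc))
```

The first two cases are the two halves of the test procedure (member allowed, non-member denied); the third shows why a guest rule should carry an explicit service list rather than ANY, since it applies to every source the collector agent has not reported.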


Certificate-based authentication
This section provides an overview of how the FortiGate unit verifies the identities of
administrators, SSL VPN users, or IPsec VPN peers using security certificates. The
FortiGate unit employs a variety of Internet protocols to secure access to the FortiGate
unit.
The following topics are included in this section:
• Certificates overview
• Managing X.509 certificates
• Configuring certificate-based authentication

Certificates overview
Certificates always play a role in authentication of clients connecting via HTTPS, either as
administrators or SSL VPN users. Certificate authentication is optional for IPsec VPN
peers.

SSL, HTTPS, and certificates
The secure HTTP (HTTPS) protocol uses SSL security. Certificates are an integral part of
SSL. When a web browser connects to the FortiGate unit via HTTPS, a certificate is used
to verify the FortiGate unit’s identity to the client. Optionally, the FortiGate unit can require
the client to authenticate itself in return.
By default, the FortiGate unit uses a self-signed security certificate to authenticate itself to
HTTPS clients. When the certificate is offered, the client browser displays two security
messages.
• The first message prompts users to accept and optionally install the FortiGate unit’s
self-signed security certificate. If the user does not accept the certificate, the FortiGate
unit refuses the connection. When the user accepts the certificate, the FortiGate login
page is displayed, and the credentials entered by the user are encrypted before they
are sent to the FortiGate unit. If the user chooses to install the certificate, the prompt is
not displayed again.
• Just before the FortiGate login page is displayed, a second message informs users
that the FortiGate certificate distinguished name differs from the original request. This
message is displayed because the FortiGate unit redirects the connection (away from
the distinguished name recorded in the self-signed certificate) and can be ignored.

Optionally, you can install an X.509 server certificate issued by a certificate authority (CA)
on the FortiGate unit. You can then configure the FortiGate unit to identify itself using the
server certificate instead of the self-signed certificate.
This feature is supported for SSL VPN operation only and cannot be used to suppress the
two security messages during administrative logins. For more information, see
“Authenticating SSL VPN users with security certificates” on page 766.
After successful certificate authentication, communication between the client browser and
the FortiGate unit is encrypted using SSL over the HTTPS link.


IPsec VPNs and certificates
Certificate authentication is a more secure alternative to preshared key (shared secret)
authentication for IPsec VPN peers. Unlike administrators or SSL VPN users, IPsec peers
use HTTP to connect to the VPN gateway configured on the FortiGate unit. The VPN
gateway configuration can require certificate authentication before it permits an IPsec
tunnel to be established.

Managing X.509 certificates
The general process for handling certificates is as follows:
• Generate a certificate signing request on the FortiGate unit.
• Have the CA sign the server certificate.
• Install the server certificate on the device that must authenticate itself.
• Install the CA certificate and certificate revocation list (CRL) on the device that will
validate the certificate of the authenticating device.

This section provides procedures for generating certificate requests, installing signed
server certificates, and importing CA root certificates and CRLs at the FortiGate unit.
For information about how to install root certificates, CRLs, and personal or group
certificates on a remote client browser, refer to the browser documentation.

Generating a certificate signing request
Whether you create certificates locally with a software application or obtain them from an
external certificate service, you will need to generate a certificate signing request.
When you generate the request, a private and public key pair is created for the FortiGate
unit. The generated request includes the public key of the FortiGate unit and information
such as the FortiGate unit’s public static IP address, domain name, or email address. The
FortiGate unit’s private key remains confidential on the FortiGate unit.
After you submit the request to a CA, the CA will verify the information and register the
contact information on a digital certificate that contains a serial number, an expiration date,
and the public key of the CA. The CA will then sign the certificate. You then install the
certificate on the FortiGate unit.
To generate the certificate request
1 Go to System & gt; Certificates & gt; Local Certificates.


2 Select Generate.

3 In the Certificate Name field, type a name for the certificate request. Typically, this
would be the name of the FortiGate unit.
Note: To enable the export of a signed certificate as a PKCS12 file later on if required, do
not include spaces in the name.

4 Enter values in the Subject Information area to identify the FortiGate unit:
• If the FortiGate unit has a static IP address, select Host IP and enter the public IP
address of the FortiGate unit. If the FortiGate unit does not have a public IP address,
use an email address (or domain name if available) instead.
• If the FortiGate unit has a static IP address and subscribes to a dynamic DNS service,
use a domain name if available to identify the FortiGate unit. If you select
Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not
include the protocol specification (http://) or any port number or path names.
Note: If a domain name is not available and the FortiGate unit subscribes to a dynamic
DNS service, an “unable to verify certificate” type message may be displayed in the user’s
browser whenever the public IP address of the FortiGate unit changes.
• If you select E-Mail, enter the email address of the owner of the FortiGate unit.

5 Enter values in the Optional Information area to further identify the FortiGate unit.
Organization Unit: Name of your department. You can enter a maximum of 5 Organization
Units. To add or remove a unit, use the plus (+) or minus (-) icon.
Organization: Legal name of your company or organization.
Locality (City): Name of the city or town where the FortiGate unit is installed.
State/Province: Name of the state or province where the FortiGate unit is installed.
Country: Select the country where the FortiGate unit is installed.
e-mail: Contact email address.

6 From the Key Size list, select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to
generate but more secure.
7 In Enrollment Method, you have two methods to choose from. Select File Based to
generate the certificate request, or Online SCEP to obtain a signed SCEP-based
certificate automatically over the network. For the SCEP method, enter the URL of the
SCEP server from which to retrieve the CA certificate, and the CA server challenge
password.
8 Select OK.
The request is generated and displayed in the Local Certificates list with a status of
PENDING.

9 Select the Download button to download the request to the management computer.
10 In the File Download dialog box, select Save and save the Certificate Signing Request
on the local file system of the management computer.
11 Name the file and save it on the local file system of the management computer.

Generating certificates with CA software
1 Install the CA software as a stand-alone root CA.
2 Provide identifying information for your self-administered CA.

Server certificate
1 Generate a Certificate Signing Request (CSR) on the FortiGate unit.
2 Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and
generate the certificate.
3 Export the certificate as an X.509 DER-encoded binary file with a .CER extension.
4 Upload the certificate file to the FortiGate unit Local Certificates page (type is
Certificate).

CA certificate
1 Retrieve the CA Certificate from the CA software as a DER encoded file.
2 Upload the CA certificate file to the FortiGate unit CA Certificates page.

PKI certificate
1 Generate a Certificate Signing Request (CSR) on the FortiGate unit.
2 Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and
generate the certificate.
3 Export the certificate as an X.509 DER-encoded binary file with a .CER extension.
4 Install the certificate in the user’s web browser or IPsec VPN client as needed.


Obtaining a signed server certificate from an external CA
To obtain a signed server certificate for a FortiGate unit, you must send a request to a CA
that provides digital certificates that adhere to the X.509 standard. The FortiGate unit
provides a way for you to generate the request.
To submit the certificate signing request (file-based enrollment)
1 Using the web browser on the management computer, browse to the CA web site.
2 Follow the CA instructions for a base-64 encoded PKCS#10 certificate request and
upload your certificate request.
3 Follow the CA instructions to download their root certificate and CRL.
When you receive the signed server certificate from the CA, install the certificate on the
FortiGate unit. See “To install the signed server certificate” below.
To install the signed server certificate
1 On the FortiGate unit, go to System > Certificates > Local Certificates.
2 Select Import.

3 From Type, select Local Certificate.
4 Select Browse, browse to the location on the management computer where the
certificate was saved, select the certificate, and then select Open.
5 Select OK, and then select Return.
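The certificate process described in "Managing X.509 certificates", "Generating certificates with CA software" and the two procedures above, carried out end to end with the openssl command-line tool. This is an added example, not FortiOS or Fortinet code: a CSR carrying the Subject Information fields, a CA signing it, the signed certificate exported as the DER-encoded .cer file the CA software step asks for, and a check that the certificate validates against the issuing CA but not against an unrelated one, which is what installing the right CA certificate on the validating device achieves. It assumes the openssl binary is on the PATH; every name, organisation and key below is a constructed sample and all files live in a temporary directory.

```python
"""CSR, CA signing, DER export and CA validation with the openssl CLI (added example)."""
import subprocess
import tempfile
from typing import Dict


def openssl(*args: str) -> str:
    """Run one openssl subcommand, raising on a non-zero exit, and return its stdout."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_ca(d: str, name: str, subject: str) -> None:
    """Self-signed root CA key and certificate (the stand-alone root CA step)."""
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
            "-subj", subject, "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.crt")


def make_csr(d: str, subject: str) -> str:
    """Key pair plus PKCS#10 request; the private key stays in the directory."""
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", subject,
            "-keyout", f"{d}/fgt.key", "-out", f"{d}/fgt.csr")
    with open(f"{d}/fgt.csr") as f:
        return f.read()


def sign_and_export_der(d: str, ca: str) -> bytes:
    """The CA signs the CSR; the signed certificate is also written as DER (.cer)."""
    openssl("x509", "-req", "-in", f"{d}/fgt.csr", "-CA", f"{d}/{ca}.crt",
            "-CAkey", f"{d}/{ca}.key", "-CAcreateserial", "-days", "30",
            "-out", f"{d}/fgt.crt")
    openssl("x509", "-in", f"{d}/fgt.crt", "-outform", "DER", "-out", f"{d}/fgt.cer")
    with open(f"{d}/fgt.cer", "rb") as f:
        return f.read()


def verifies_against(ca_cert: str, cert: str) -> bool:
    """What the validating device does with the installed CA certificate."""
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_cert, cert],
                       capture_output=True, text=True)
    return r.returncode == 0


def run_lifecycle() -> Dict[str, bool]:
    with tempfile.TemporaryDirectory() as d:
        make_ca(d, "issuing", "/C=US/O=Example Corp/CN=Example Issuing CA")
        make_ca(d, "other", "/C=US/O=Other Corp/CN=Unrelated CA")
        # Subject Information and Optional Information fields from the CSR procedure
        csr_pem = make_csr(d, "/C=US/ST=California/L=Sunnyvale/O=Example Corp"
                              "/OU=IT/CN=fgt.example.com")
        der = sign_and_export_der(d, "issuing")
        subject = openssl("x509", "-in", f"{d}/fgt.crt", "-noout", "-subject")
        return {
            "csr_is_pkcs10_pem": csr_pem.startswith("-----BEGIN CERTIFICATE REQUEST-----"),
            "der_starts_with_sequence": der[:1] == b"\x30",  # DER SEQUENCE tag
            "subject_has_fqdn": "fgt.example.com" in subject,
            "valid_with_issuing_ca": verifies_against(f"{d}/issuing.crt", f"{d}/fgt.crt"),
            "valid_with_other_ca": verifies_against(f"{d}/other.crt", f"{d}/fgt.crt"),
        }


if __name__ == "__main__":
    for key, value in run_lifecycle().items():
        print(f"{key}: {value}")
```

The PEM text of fgt.csr is what you paste into the CA software; fgt.cer is the DER file you upload under Local Certificates, and issuing.crt is the file you upload under CA Certificates on the device that must validate peers.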

Installing a CA root certificate and CRL to authenticate remote clients
When you apply for a signed personal or group certificate to install on remote clients, you
can obtain the corresponding root certificate and CRL from the issuing CA. When you
receive the signed personal or group certificate, install the signed certificate on the remote
client(s) according to the browser documentation. Install the corresponding root certificate
(and CRL) from the issuing CA on the FortiGate unit according to the procedures given
below.
To install a CA root certificate
1 After you download the root certificate of the CA, save the certificate on the
management computer. Or, you can use online SCEP to retrieve the certificate.
2 On the FortiGate unit, go to System > Certificates > CA Certificates.
3 Select Import.


4 Do one of the following:
• To import using SCEP, select SCEP. Enter the URL of the SCEP server from which
to retrieve the CA certificate. Optionally, enter identifying information of the CA, such
as the file name.
• To import from a file, select Local PC, then select Browse and find the location on
the management computer where the certificate has been saved. Select the
certificate, and then select Open.
5 Select OK, and then select Return.
The system assigns a unique name to each CA certificate. The names are numbered
consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
To import a certificate revocation list
A Certificate Revocation List (CRL) is a list of the CA certificate subscribers paired with
certificate status information. The list contains the revoked certificates and the reason(s)
for revocation. It also records the certificate issue dates and the CAs that issued them.
When configured to support SSL VPNs, the FortiGate unit uses the CRL to ensure that the
certificates belonging to the CA and remote peers or clients are valid. You must download
the CRL from the CA web site on a regular basis.
1 After you download the CRL from the CA web site, save the CRL on the management
computer.
2 Go to System > Certificates > CRL.
3 Select Import.

4 Do one of the following:
• To import using an HTTP server, select HTTP and enter the URL of the HTTP
server.
• To import using an LDAP server, select LDAP and select the LDAP server from the
list.
• To import using an SCEP server, select SCEP and select the Local Certificate from
the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
• To import from a file, select Local PC, then select Browse and find the location on
the management computer where the CRL has been saved. Select the CRL and
then select Open.
5 Select OK, and then select Return.

Online updates to certificates and CRLs
If you obtained your local or CA certificate using SCEP, you can configure online renewal
of the certificate before it expires. Similarly, you can receive online updates to CRLs.


Local certificates
In the config vpn certificate local command, you can specify automatic
certificate renewal. The relevant fields are:
scep-url <URL_str>: The URL of the SCEP server. This can be HTTP or HTTPS.
scep-password <password_str>: The password for the SCEP server.
auto-regenerate-days <days_int>: How many days before expiry the FortiGate unit
requests an updated local certificate. The default is 0, no auto-update.
auto-regenerate-days-warning <days_int>: How many days before local certificate expiry
the FortiGate unit generates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires and a
warning is generated two days before it expires.
config vpn certificate local
  edit mycert
    set scep-url http://scep.example.com/scep
    set scep-password my_pass_123
    set auto-regenerate-days 3
    set auto-regenerate-days-warning 2
  end

CA certificates
In the config vpn certificate ca command, you can specify automatic certificate
renewal. The relevant fields are:
scep-url <URL_str>: The URL of the SCEP server. This can be HTTP or HTTPS.
auto-update-days <days_int>: How many days before expiry the FortiGate unit requests an
updated CA certificate. The default is 0, no auto-update.
auto-update-days-warning <days_int>: How many days before CA certificate expiry the
FortiGate unit generates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires and a
warning is generated two days before it expires.
config vpn certificate ca
  edit mycert
    set scep-url http://scep.example.com/scep
    set auto-update-days 3
    set auto-update-days-warning 2
  end

Certificate Revocation Lists
If you obtained your CRL using SCEP, you can configure online updates to the CRL using
the config vpn certificate crl command. The relevant fields are:
http-url <http_url>: URL of the server used for automatic CRL certificate updates. This
can be HTTP or HTTPS.
scep-cert <scep_certificate>: Local certificate used for SCEP communication for CRL
auto-update.
scep-url <scep_url>: URL of the SCEP CA server used for automatic CRL certificate
updates. This can be HTTP or HTTPS.
update-interval <seconds>: How frequently, in seconds, the FortiGate unit checks for an
updated CRL. Enter 0 to update the CRL only when it expires.
update-vdom <update_vdom>: VDOM used to communicate with the remote SCEP server for
CRL auto-update.

In this example, an updated CRL is requested only when it expires.
config vpn certificate crl
  edit cert_crl
    set http-url http://scep.example.com/scep
    set scep-cert my-scep-cert
    set scep-url http://scep.ca.example.com/scep
    set update-interval 0
    set update-vdom root
  end
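The timer fields in the three subsections above share the same conventions, and the edge cases are easy to get wrong when reviewing a configuration. The following is an added example, not FortiOS code, that models those definitions: a threshold of 0 disables the timer; auto-regenerate-days and auto-update-days trigger a SCEP request at or below that many days before expiry; the matching -days-warning fields raise a warning; and a CRL update-interval of 0 means the CRL is fetched only when it expires. It also flags a threshold pair where the warning cannot precede the renewal request, because the renewal threshold is reached first, so such a warning only ever signals a renewal that did not succeed. The reference date is constructed; the 3/2 pair comes from the CLI examples above.

```python
"""Model of certificate renewal and CRL update timers (added example)."""
from datetime import datetime, timedelta
from typing import List

NOW = datetime(2010, 7, 14)  # constructed reference date


def renewal_state(not_after: datetime, now: datetime,
                  regenerate_days: int, warning_days: int) -> str:
    """'expired', 'renew', 'warn' or 'ok' for one local or CA certificate.

    regenerate_days stands for auto-regenerate-days (local) or auto-update-days (CA);
    warning_days for the matching -days-warning field. 0 disables either timer.
    """
    days_left = (not_after - now).days
    if days_left < 0:
        return "expired"
    if regenerate_days > 0 and days_left <= regenerate_days:
        return "renew"  # the unit would send its SCEP renewal request now
    if warning_days > 0 and days_left <= warning_days:
        return "warn"
    return "ok"  # with both fields at 0, neither timer ever fires


def threshold_findings(name: str, regenerate_days: int, warning_days: int) -> List[str]:
    """Configuration findings a reviewer would raise for one certificate object."""
    findings: List[str] = []
    if regenerate_days == 0:
        findings.append(f"{name}: auto-renewal disabled (0); expiry must be handled manually")
    if warning_days == 0:
        findings.append(f"{name}: no expiry warning configured (0)")
    elif regenerate_days and warning_days <= regenerate_days:
        findings.append(f"{name}: warning at {warning_days} days comes after the renewal "
                        f"request at {regenerate_days} days; it fires only if renewal did not succeed")
    return findings


def next_crl_fetch(next_update: datetime, last_fetch: datetime, update_interval: int) -> datetime:
    """When the unit next checks for a CRL, per the update-interval definition."""
    if update_interval == 0:
        return next_update  # only when the current CRL expires
    return min(next_update, last_fetch + timedelta(seconds=update_interval))


if __name__ == "__main__":
    print(renewal_state(NOW + timedelta(days=3), NOW, 3, 2))
    for finding in threshold_findings("mycert", 3, 2):
        print(finding)
    print(next_crl_fetch(NOW + timedelta(days=7), NOW, 0))
```

For the page's own values (3 days renewal, 2 days warning) the model reports that the warning can only appear after a renewal attempt, which is a reasonable way to use it: treat that warning as an alert that the SCEP renewal failed and the certificate is about to expire.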

Backing up and restoring local certificates
The FortiGate unit provides a way to export a server certificate and the FortiGate unit’s
personal key through the CLI. If required (to restore the FortiGate unit configuration), you
can import the exported file through the System > Certificates > Local Certificates page of
the web-based manager.
Note: As an alternative, you can back up and restore the entire FortiGate configuration
through the System > Maintenance > Backup & Restore page of the web-based manager.
The backup file is created in a FortiGate-proprietary format. For more information, see the
“System Maintenance” chapter of the FortiGate Administration Guide.

To export a server certificate and private key
This procedure exports a server (local) certificate and private key together as a password
protected PKCS12 file. The export file is created through a customer-supplied TFTP
server. Ensure that your TFTP server is running and accessible to the FortiGate unit
before you enter the command.
1 Connect to the FortiGate unit through the CLI.
2 Type the following command:
execute vpn certificate local export tftp <cert_name> <exp_filename> <tftp_ip>

where:
• <cert_name> is the name of the server certificate; typing ? displays a list of installed
server certificates.
• <exp_filename> is a name for the output file.
• <tftp_ip> is the IP address assigned to the TFTP server host interface.

3 Move the output file from the TFTP server location to the management computer for
future reference.


To import a previously exported server certificate and private key
1 Go to VPN > Certificates > Local Certificates and select Import.

2 In Type, select PKCS12 Certificate.
3 Select Browse. Browse to the location on the management computer where the
exported file has been saved, select the file, and then select Open.
4 In the Password field, type the password needed to upload the exported file.
5 Select OK, and then select Return.
To import separate server certificate and private key files
Use the following procedure to import a server certificate and the associated private key
file when the server certificate request and private key were not generated by the
FortiGate unit. The two files to import must be available on the management computer.
1 Go to VPN > Certificates > Local Certificates and select Import.

2 In Type, select Certificate.
3 Select the Browse button beside the Certificate file field. Browse to the location on the
management computer where the certificate file has been saved, select the file, and
then select Open.
4 Select the Browse button beside the Key file field. Browse to the location on the
management computer where the key file has been saved, select the file, and then
select Open.
5 If required, in the Password field, type the associated password, and then select OK.
6 Select Return.
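The file the export procedure writes to the TFTP server and the import procedure reads back is a password-protected PKCS12 bundle. The following added example, not FortiOS code, shows with the openssl command-line tool what that protection amounts to: a constructed self-signed certificate and key are bundled with a password, then the bundle is opened with the right and with a wrong password. Because TFTP offers no encryption of its own, this password is the only thing protecting the private key while the file crosses the network, so its strength and the placement of the TFTP server on a trusted management network are what matter. It assumes the openssl binary is on the PATH; all files live in a temporary directory and the password is a constructed sample.

```python
"""Password-protected PKCS12 export and import with the openssl CLI (added example)."""
import subprocess
import tempfile
from typing import Dict


def openssl(*args: str, check: bool = True) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], check=check, capture_output=True, text=True)


def make_self_signed(d: str) -> None:
    """Constructed server key and certificate standing in for a FortiGate local certificate."""
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
            "-subj", "/O=Example Corp/CN=fgt.example.com",
            "-keyout", f"{d}/fgt.key", "-out", f"{d}/fgt.crt")


def export_pkcs12(d: str, password: str) -> str:
    """Bundle certificate and key into a PKCS12 file.

    -keypbe, -certpbe and -macalg replace the RC2/SHA-1 defaults of older OpenSSL
    releases so the bundle does not rely on a weak legacy cipher.
    """
    p12 = f"{d}/fgt.p12"
    openssl("pkcs12", "-export", "-in", f"{d}/fgt.crt", "-inkey", f"{d}/fgt.key",
            "-out", p12, "-passout", f"pass:{password}",
            "-keypbe", "AES-256-CBC", "-certpbe", "AES-256-CBC", "-macalg", "sha256")
    return p12


def opens_with(p12: str, password: str) -> bool:
    """True when the bundle's MAC verifies and its certificate can be read with this password."""
    r = openssl("pkcs12", "-in", p12, "-passin", f"pass:{password}",
                "-nokeys", "-clcerts", check=False)
    return r.returncode == 0


def demo(good: str = "S4mple-Export-Passw0rd", bad: str = "wrong") -> Dict[str, bool]:
    """Export with the sample password, then try importing with it and with a wrong one."""
    with tempfile.TemporaryDirectory() as d:
        make_self_signed(d)
        p12 = export_pkcs12(d, good)
        return {"right_password": opens_with(p12, good),
                "wrong_password": opens_with(p12, bad)}


if __name__ == "__main__":
    print(demo())
```

The password you give here is the one the import procedure's Password field asks for; with a wrong password the MAC check fails and nothing is extracted.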


Configuring certificate-based authentication
You can configure certificate-based authentication for FortiGate administrators, SSL VPN
users, and IPsec VPN users.

Authenticating administrators with security certificates
You can install a certificate on the management computer to support strong authentication
for administrators. When a personal certificate is installed on the management computer,
the FortiGate unit processes the certificate after the administrator supplies a user name
and password.
To enable strong administrative authentication:
• Obtain a signed personal certificate for the administrator from a CA and load the
signed personal certificate into the web browser on the management computer
according to the browser documentation.
• Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see
“Installing a CA root certificate and CRL to authenticate remote clients” on page 761).
• Create a PKI user account for the administrator.
• Add the PKI user account to a firewall user group dedicated to PKI-authenticated
administrators.
• In the administrator account configuration, select PKI as the account Type and select
the User Group to which the administrator belongs.

Authenticating SSL VPN users with security certificates
X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN
clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts
the VPN peer or client to authenticate itself using the X.509 certificate. The certificate
supplied by the VPN peer or client must be verifiable using the root CA certificate installed
on the FortiGate unit in order for a VPN tunnel to be established.
Note: The FortiGate unit is shipped with a self-signed certificate to authenticate itself to
SSL VPN clients. This causes two security messages to be displayed to SSL VPN users
when they log in. For more information, see “SSL, HTTPS, and certificates” on page 757.
Optionally, you can install a CA-issued server certificate on the FortiGate unit.

To enable certificate authentication for an SSL VPN user group
1 Install a signed server certificate on the FortiGate unit and install the corresponding
root certificate (and CRL) from the issuing CA on the remote peer or client.
2 Obtain a signed group certificate from a CA and load the signed group certificate into
the web browser used by each user. Follow the browser documentation to load the
certificates.
3 Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see
“Installing a CA root certificate and CRL to authenticate remote clients” on page 761).
4 Create a PKI user for each SSL VPN user. For each user, specify the text string that
appears in the Subject field of the user’s certificate and then select the corresponding
CA certificate.
5 Use the config user peergrp CLI command to create a peer user group. Add to
this group all of the SSL VPN users who are authenticated by certificate.
6 Go to VPN > SSL > Config.
7 Select Enable SSL-VPN.


8 Select Require Client Certificate, and then select Apply.
9 Go to Firewall > Policy.
10 Select the Edit icon in the row that corresponds to the SSL-VPN firewall policy for
traffic generated by holders of the group certificate.
11 Select SSL Client Certificate Restrictive.
12 Select OK.

Authenticating IPsec VPN users with security certificates
To require VPN peers to authenticate by means of a certificate, the FortiGate unit must
offer a certificate to authenticate itself to the peer.
To enable the FortiGate unit to authenticate itself with a certificate:
1 Install a signed server certificate on the FortiGate unit.
See “To install the signed server certificate” on page 761.
2 Install the corresponding CA root certificate on the remote peer or client. If the remote
peer is a FortiGate unit, see “To install a CA root certificate” on page 761.
3 Install the certificate revocation list (CRL) from the issuing CA on the remote peer or
client. If the remote peer is a FortiGate unit, see “To import a certificate revocation list”
on page 762.
4 In the VPN phase 1 configuration, set Authentication Method to RSA Signature and
from the Certificate Name list select the certificate that you installed in Step 1.
To authenticate a VPN peer using a certificate, you must install a signed server certificate
on the peer. Then, on the FortiGate unit, the configuration depends on whether there is
only one VPN peer or whether this is a dialup VPN that can have multiple peers.
To configure certificate authentication of a single peer
1 Install the CA root certificate and CRL.
2 Create a PKI user to represent the peer. Specify the text string that appears in the
Subject field of the user’s certificate and then select the corresponding CA certificate.
3 In the VPN phase 1 Peer Options, select Accept this peer certificate only and select
the PKI user that you created.
To configure certificate authentication of multiple peers (dialup VPN)
1 Install the corresponding CA root certificate and CRL.
2 Create a PKI user for each remote VPN peer. For each user, specify the text string that
appears in the Subject field of the user’s certificate and then select the corresponding
CA certificate.
3 Use the config user peergrp CLI command to create a peer user group. Add to
this group all of the PKI users who will use the IPsec VPN.
4 In the VPN phase 1 Peer Options, select Accept this peer certificate group only and
select the peer group that you created.

Monitoring authenticated users
This section describes how to view lists of currently logged-in firewall and VPN users. It
also describes how to disconnect users.
The following topics are included in this section:
• Monitoring firewall users
• Monitoring SSL VPN users
• Monitoring IPsec VPN users

Monitoring firewall users
Go to User > Monitor > Firewall to view current authenticated users.
Figure 94: Firewall users listed in monitor

You can de-authenticate a user by selecting their Delete icon.

Monitoring SSL VPN users
You can monitor web-mode and tunnel-mode SSL VPN users by user name and IP
address.
To monitor SSL VPN users - web-based manager
1 Go to VPN > SSL > Monitor.
2 To disconnect a user, select the user and then select the Delete icon.
Figure 95: Monitoring SSL VPN users

The first line, listing the user name and IP address, is present for a user with either a
web-mode or tunnel-mode connection. The Subsession line is present only if the user has a
tunnel-mode connection. The Description column displays the virtual IP address assigned
to the user’s tunnel-mode connection.
To monitor SSL VPN users - CLI
To list all of the SSL VPN sessions and their index numbers:
execute vpn sslvpn list

The output looks like this:
SSL-VPN Login Users:
 Index   User    Auth Type   Timeout   From
 0       user1   1           256       172.20.120.51

SSL-VPN sessions:
 Index   User    Source IP       HTTPS in/out   Tunnel/Dest IP
 0       user2   172.20.120.51   0/0            10.0.0.1

You can use the Index value in the following commands to disconnect user sessions:
To disconnect a tunnel-mode user
execute vpn sslvpn del-tunnel <index>
To disconnect a web-mode user
execute vpn sslvpn del-web <index>
You can also disconnect multiple users:
To disconnect all tunnel-mode SSL VPN users in this VDOM
execute vpn ssl del-all tunnel
To disconnect all SSL VPN users in this VDOM
execute vpn ssl del-all
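The Index column is the only handle the disconnect commands accept, and a user with a tunnel-mode connection appears in both tables, so disconnecting one user by hand means reading two indexes off the list. The following Python script is an added example, not FortiOS code: it parses the list output and produces the del-tunnel and del-web commands for one user. SAMPLE_OUTPUT is constructed to match the layout shown above, and the pairing of the Login Users table with del-web and the sessions table with del-tunnel is an assumption drawn from the web-mode/tunnel-mode description in this section.

```python
"""Parse the output of `execute vpn sslvpn list` and derive the del-web /
del-tunnel commands that disconnect one user. Added example, not FortiOS
code. SAMPLE_OUTPUT is constructed to match the layout shown above; the
pairing Login Users -> del-web and sessions -> del-tunnel is an assumption
drawn from the web-mode/tunnel-mode description in this section."""

SAMPLE_OUTPUT = """\
SSL-VPN Login Users:
 Index   User    Auth Type   Timeout   From
 0       user1   1           256       172.20.120.51
 1       user2   1           250       172.20.120.52

SSL-VPN sessions:
 Index   User    Source IP       HTTPS in/out   Tunnel/Dest IP
 0       user2   172.20.120.52   0/0            10.0.0.1
"""

# Column headers that contain a space; they are joined before the header
# line is split so that one header maps to one column.
MULTIWORD_HEADERS = ("Auth Type", "Source IP", "HTTPS in/out", "Tunnel/Dest IP")


def parse_sslvpn_list(text):
    """Return {"login_users": [...], "sessions": [...]}; each row is a dict
    keyed by column header, e.g. row["Index"], row["User"]."""
    tables = {"login_users": [], "sessions": []}
    current, headers = None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("SSL-VPN Login Users:"):
            current, headers = "login_users", None
            continue
        if stripped.startswith("SSL-VPN sessions:"):
            current, headers = "sessions", None
            continue
        if current is None:
            continue
        if headers is None:            # first line after a title is the header row
            for name in MULTIWORD_HEADERS:
                stripped = stripped.replace(name, name.replace(" ", "_"))
            headers = [col.replace("_", " ") for col in stripped.split()]
            continue
        values = stripped.split()
        if len(values) == len(headers) and values[0].isdigit():
            tables[current].append(dict(zip(headers, values)))
    return tables


def disconnect_commands(text, user):
    """Commands that drop every entry belonging to `user`. Tunnel subsessions
    go first so the login entry is not deleted out from under them."""
    tables = parse_sslvpn_list(text)
    cmds = ["execute vpn sslvpn del-tunnel " + row["Index"]
            for row in tables["sessions"] if row["User"] == user]
    cmds += ["execute vpn sslvpn del-web " + row["Index"]
             for row in tables["login_users"] if row["User"] == user]
    return cmds


if __name__ == "__main__":
    for cmd in disconnect_commands(SAMPLE_OUTPUT, "user2"):
        print(cmd)
```

Run against a real unit, the text would come from the CLI session rather than SAMPLE_OUTPUT; the index values change every time sessions come and go, so the list must be re-read immediately before the commands are issued.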

Monitoring IPsec VPN users
To monitor IPsec VPN tunnels in the web-based manager, go to VPN > IPsec > Monitor.
User names are available only for users who authenticate with XAuth.
You can close a tunnel by selecting its Bring Down link in the Status column.
Figure 96: Monitoring dialup VPN users

For more information, see the IPsec VPN chapter of this Handbook.

Example
This chapter provides an example of a FortiGate unit providing authenticated access to
the Internet for both Windows network users and local users.
The following topics are included in this section:
• Firewall authentication example

Firewall authentication example
Figure 97: Example configuration (network diagram)
FortiGate_1 Port 1, 172.20.120.141: Internet
FortiGate_1 Port 2, 10.11.101.100: Windows network 10.11.101.0/24, including the
Windows AD domain controller with FSAE at 10.11.101.160
FortiGate_1 Port 3, 10.11.102.100: Network_1, 10.11.102.0/24

Overview
In this example, there is a Windows network connected to Port 2 on the FortiGate unit and
another LAN, Network_1, connected to Port 3.
All Windows network users authenticate when they log on to their network. Members of
the Engineering and Sales groups can access the Internet without entering their
authentication credentials again. The example assumes that the Fortinet Server
Authentication Extension (FSAE) has already been installed and configured on the
domain controller.
LAN users who belong to the Internet_users group can access the Internet after entering
their user name and password to authenticate. This example shows only two such users:
User1 is authenticated by a password stored on the FortiGate unit, and User2 is
authenticated on an external RADIUS server. Both are referred to as local users because
the user account is created on the FortiGate unit, regardless of where the password is
checked.

Creating a locally-authenticated user account
User1 is authenticated by a password stored on the FortiGate unit. It is very simple to
create this type of account.
To create a local user - web-based manager
1 Go to User & gt; User and select Create New.
2 Enter the following information:
User Name    User1
Password     hardtoguess
3 Select OK.
To create a local user - CLI
config user local
  edit User1
    set type password
    set passwd hardtoguess
  end

Creating a RADIUS-authenticated user account
To authenticate users using an external authentication server, you must first configure the
FortiGate unit to access the server.
To configure the remote authentication server - web-based manager
1 Go to User & gt; Remote & gt; RADIUS and select Create New.
2 Enter the following information and select OK:
Name                      OurRADIUSsrv
Primary Server Name/IP    10.11.101.15
Primary Server Secret     OurSecret
Authentication Scheme     Select Use Default Authentication Scheme.

To configure the remote authentication server - CLI
config user radius
  edit OurRADIUSsrv
    set server 10.11.101.15
    set secret OurSecret
    set auth-type auto
  end
Creation of the user account is similar to the locally-authenticated account, except that
you specify the RADIUS authentication server instead of the user’s password.
To configure a remote user - web-based manager
1 Go to User & gt; User and select Create New.
2 Enter the following information and select OK:
User Name    User2
RADIUS       Select Match user on RADIUS server and then select OurRADIUSsrv
             from the list.

To configure a remote user - CLI
config user local
  edit User2
    set name User2
    set type radius
    set radius-server OurRADIUSsrv
  end

Creating user groups
There are two user groups: a Directory Services user group for FSAE users and a firewall
user group for other users. It is not possible to combine these two types of users in the
same user group.

Creating the Directory Services user group
For this example, assume that FSAE has already been set up on the Windows network
and that it uses Advanced mode, meaning that it uses LDAP to access user group
information. You need to
• configure LDAP access to the Windows AD global catalog
• specify the collector agent that sends user logon information to the FortiGate unit
• select Windows user groups to monitor
• select and add the Engineering and Sales groups to a Directory Services user group

To configure LDAP for Directory Services - web-based manager
1 Go to User & gt; Remote & gt; LDAP and select Create New.
2 Enter the following information:
Name                  ADserver
Server Name / IP      10.11.101.160
Distinguished Name    dc=office,dc=example,dc=com
Bind Type             Regular
User DN               cn=FSAE_Admin,cn=users,dc=office,dc=example,dc=com
Password              set_a_secure_password
Leave other fields at their default values. Use a dedicated, read-only bind account for
the User DN rather than a domain administrator: the FortiGate unit stores this password
and only needs to read group membership.
3 Select OK.
To configure LDAP for Directory Services - CLI
config user ldap
  edit "ADserver"
    set server "10.11.101.160"
    set dn "dc=office,dc=example,dc=com"
    set type regular
    set username "cn=FSAE_Admin,cn=users,dc=office,dc=example,dc=com"
    set password set_a_secure_password
  next
end

To specify the collector agent for Directory Services - web-based manager
1 Go to User & gt; Directory Service and select Create New.
2 Enter the following information and select OK:
Name                      WinGroups
FSAE Collector IP/Name    10.11.101.160
Port                      8000
Password                  fortinet_canada
LDAP Server               ADserver

To specify the collector agent for Directory Services - CLI
config user fsae
  edit "WinGroups"
    set ldap-server "ADserver"
    set password ENC G7GQV7NEqilCM9jKmVmJJFVvhQ2+wtNEe9T0iYA5Sa+EqT2J8zhOrbkJFDr0RmY3c4LaoXdsoBczA1dONmcGfthTxxwGsigzGpbJdC71spFlQYtj
    set server "10.11.101.160"
  end
Enter the set password line, including the ENC string, on one line. The ENC value is the
encrypted form of the collector password as a FortiGate unit displays it; when typing the
command yourself you can enter the clear-text password instead.
To select Windows user groups to monitor - web-based manager
1 Go to User > Directory Service.
2 Expand WinGroups, then select the Edit Users/Groups icon.
3 Select the Engineering and Sales groups and then select OK.
To create the FSAE_Internet_users user group - web-based manager
1 Go to User > User Group and select Create New.
2 Enter the group name, FSAE_Internet_users.
3 Select Directory Service.
4 In the Available Members list, select the Engineering and Sales groups and then select
the right arrow button to move them to the Members list.
5 Select OK.
To create the FSAE_Internet_users user group - CLI
config user group
  edit FSAE_Internet_users
    set group-type directory-service
    set member "CN=Engineering,cn=users,dc=office,dc=example,dc=com" "CN=Sales,cn=users,dc=office,dc=example,dc=com"
  end

Creating the Firewall user group
The non-FSAE users need a user group too. In this example, only two users are shown,
but additional members can be added easily.
To create the firewall user group - web-based manager
1 Go to User & gt; User Group and select Create New.
2 Enter the following information and then select OK:
Name       Internet_users
Type       Firewall
Members    User1, User2

To create the firewall user group - CLI
config user group
  edit Internet_users
    set group-type firewall
    set member User1 User2
  end

Defining firewall addresses
Go to Firewall > Address and create the following addresses:
Address Name         Internal_net
Type                 Subnet / IP Range
Subnet / IP Range    10.11.102.0/24
Interface            Port 3

Address Name         Windows_net
Type                 Subnet / IP Range
Subnet / IP Range    10.11.101.0/24
Interface            Port 2

Creating firewall policies
Two firewall policies are needed: one for the firewall user group, whose members connect
through port3, and one for the FSAE (Directory Service) group, whose members connect
through port2.
To create a firewall policy for FSAE authentication - web-based manager
1 Go to Firewall & gt; Policy and select Create New.
2 Enter the following information:
Source interface         Port2
Source address           Windows_net
Destination interface    Port1
Destination address      all
Action                   ACCEPT
NAT                      Enable

3 Select Enable Identity Based Policy and then select Add.
In the New Authentication Rule window, enter the following information, and then
select OK:
User Group    FSAE_Internet_users
Service       ANY
Schedule      always
UTM           Optionally, enable UTM options.
4 Select OK.
To create a firewall policy for FSAE authentication - CLI
config firewall policy
  edit 0
    set srcintf port2
    set dstintf port1
    set srcaddr Windows_net
    set dstaddr all
    set action accept
    set identity-based enable
    set nat enable
    config identity-based-policy
      edit 1
        set schedule always
        set groups FSAE_Internet_users
        set service ANY
      end
  end

To create a firewall policy for local user authentication - web-based manager
1 Go to Firewall & gt; Policy and select Create New.
2 Enter the following information:
Source interface         Port3
Source address           Internal_net
Destination interface    Port1
Destination address      all
Action                   ACCEPT
NAT                      Enable

3 Select Enable Identity Based Policy and then select Add.
In the New Authentication Rule window, enter the following information, and then
select OK:
User Group    Internet_users
Service       ANY
Schedule      always
UTM           Optionally, enable UTM options.
4 Select OK.
4 Select OK.

To create a firewall policy for local user authentication - CLI
config firewall policy
  edit 0
    set srcintf port3
    set dstintf port1
    set srcaddr Internal_net
    set dstaddr all
    set action accept
    set identity-based enable
    set nat enable
    config identity-based-policy
      edit 1
        set schedule always
        set groups Internet_users
        set service ANY
      end
  end
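Every object in this example is tied to the others by name: the policy names an address object and a user group, the group names its member users, and a slip in any of those names is not noticed until the policy fails to match traffic. The following Python script is an added example, not Fortinet code: it parses a FortiOS-style config/edit/set/next/end script into a tree and reports every reference to an object that is never defined. SAMPLE_CONFIG is a constructed, trimmed copy of this example's CLI in which the policy refers to its source address as internal_net while the address object is named Internal_net; object names are assumed to be case-sensitive, and the REFERENCES mapping of attributes to tables is the script's own and covers only the attributes this example uses.

```python
"""Referential-integrity check for a FortiOS-style CLI script. Added example,
not Fortinet code: parses config/edit/set/next/end text into a tree and lists
every reference to an object that is never defined. SAMPLE_CONFIG is a
constructed, trimmed copy of this example's CLI; names are assumed case-sensitive."""
import shlex

SAMPLE_CONFIG = """
config user local
  edit User1
  next
  edit User2
  next
end
config user group
  edit Internet_users
    set group-type firewall
    set member User1 User2
  next
end
config firewall address
  edit Internal_net
    set subnet 10.11.102.0 255.255.255.0
  next
end
config firewall policy
  edit 2
    set srcaddr internal_net
    set dstaddr all
    config identity-based-policy
      edit 1
        set groups Internet_users
      next
    end
  next
end
"""

# (table, attribute) -> table in which every value must exist as an entry.
REFERENCES = {
    ("firewall policy", "srcaddr"): "firewall address",
    ("firewall policy", "dstaddr"): "firewall address",
    ("identity-based-policy", "groups"): "user group",
    ("user group", "member"): "user local",
}
BUILTIN = {"firewall address": {"all"}}   # objects that exist without config


def parse_fortios(text):
    """Return {table: {entry: {attr: [values], "_sub": {subtable: ...}}}}."""
    root, stack = {}, []     # stack items: [table, entries_dict, open_entry]
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        kw, rest = words[0], words[1:]
        if kw == "config":   # a nested config hangs off the open entry's "_sub"
            holder = stack[-1][2].setdefault("_sub", {}) if stack else root
            name = " ".join(rest)
            stack.append([name, holder.setdefault(name, {}), None])
        elif kw == "edit":
            stack[-1][2] = stack[-1][1].setdefault(rest[0], {})
        elif kw == "set":
            stack[-1][2][rest[0]] = rest[1:]
        elif kw == "next":
            stack[-1][2] = None
        elif kw == "end":
            stack.pop()
    return root


def defined_names(tree, table):
    """Entry names of `table` anywhere in the tree, plus built-in objects."""
    found = set(BUILTIN.get(table, ()))
    for name, entries in tree.items():
        if name == table:
            found.update(entries)
        for entry in entries.values():
            found.update(defined_names(entry.get("_sub", {}), table))
    return found


def check_references(tree, root=None):
    """Return 'table/entry: attr -> value' for each reference to an undefined object."""
    root = tree if root is None else root
    problems = []
    for table, entries in tree.items():
        for name, entry in entries.items():
            for attr, values in entry.items():
                if attr == "_sub":
                    problems += check_references(values, root)
                elif (table, attr) in REFERENCES:
                    known = defined_names(root, REFERENCES[(table, attr)])
                    problems += ["%s/%s: %s -> %s" % (table, name, attr, v)
                                 for v in values if v not in known]
    return problems


if __name__ == "__main__":
    for problem in check_references(parse_fortios(SAMPLE_CONFIG)):
        print(problem)
```

Run on the sample it reports the single dangling reference in policy 2; once the source address is corrected to Internal_net the report is empty. The same check can be run over the text of a `show` from a unit before a configuration script is pushed, which is where such mismatches normally go unnoticed.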

Chapter 7 IPsec VPNs
This FortiOS Handbook chapter contains the following sections:
• IPsec VPN concepts explains the basic concepts that you need to understand about
virtual private networks (VPNs).
• FortiGate IPsec VPN Overview provides a brief overview of IPsec technology and
includes general information about how to configure IPsec VPNs using this guide.
• Gateway-to-gateway configurations explains how to set up a basic gateway-to-gateway
(site-to-site) IPsec VPN. In a gateway-to-gateway configuration, two FortiGate units
create a VPN tunnel between two separate private networks.
• Hub-and-spoke configurations describes how to set up hub-and-spoke IPsec VPNs. In
a hub-and-spoke configuration, connections to a number of remote peers and/or
clients radiate from a single, central FortiGate hub.
• Dynamic DNS configurations describes how to configure a site-to-site VPN, in which
one FortiGate unit has a static IP address and the other FortiGate unit has a static
domain name and a dynamic IP address.
• FortiClient dialup-client configurations guides you through configuring a FortiClient
dialup-client IPsec VPN. In a FortiClient dialup-client configuration, the FortiGate unit
acts as a dialup server and VPN client functionality is provided by the FortiClient
Endpoint Security application installed on a remote host.
• FortiGate dialup-client configurations explains how to set up a FortiGate dialup-client
IPsec VPN. In a FortiGate dialup-client configuration, a FortiGate unit with a static IP
address acts as a dialup server and a FortiGate unit having a dynamic IP address
initiates a VPN tunnel with the FortiGate dialup server.
• Supporting IKE Mode config clients explains how to set up a FortiGate unit as either an
IKE Mode Config server or client. IKE Mode Config is an alternative to DHCP over
IPsec.
• Internet-browsing configuration explains how to support secure web browsing
performed by dialup VPN clients, and/or hosts behind a remote VPN peer. Remote
users can access the private network behind the local FortiGate unit and browse the
Internet securely. All traffic generated remotely is subject to the firewall policy that
controls traffic on the private network behind the local FortiGate unit.
• Redundant VPN configurations discusses the options for supporting redundant and
partially redundant tunnels in an IPsec VPN configuration. A FortiGate unit can be
configured to support redundant tunnels to the same remote peer if the FortiGate unit
has more than one interface to the Internet.
• Transparent mode VPNs describes transparent VPN configurations, in which two
FortiGate units create a VPN tunnel between two separate private networks
transparently. In Transparent mode, all interfaces of the FortiGate unit except the
management interface are invisible at the network layer.
• IPv6 IPsec VPNs describes FortiGate unit VPN capabilities for networks based on IPv6
addressing. This includes IPv4-over-IPv6 and IPv6-over-IPv4 tunnelling configurations.
IPv6 IPsec VPNs are available in FortiOS 3.0 MR5 and later.
• L2TP and IPsec (Microsoft VPN) configurations explains how to support Microsoft
Windows native VPN clients.
• GRE over IPsec (Cisco VPN) configurations explains how to interoperate with Cisco
VPNs that use Generic Routing Encapsulation (GRE) protocol with IPsec.
• Protecting OSPF with IPsec provides an example of protecting OSPF links with IPsec.
• Auto Key phase 1 parameters provides detailed step-by-step procedures for
configuring a FortiGate unit to accept a connection from a remote peer or dialup client.
The basic phase 1 parameters identify the remote peer or clients and support
authentication through preshared keys or digital certificates. You can increase VPN
connection security further using peer identifiers, certificate distinguished names,
group names, or the FortiGate extended authentication (XAuth) option for
authentication purposes.
• Phase 2 parameters provides detailed step-by-step procedures for configuring an
IPsec VPN tunnel. During phase 2, the specific IPsec security associations needed to
implement security services are selected and a tunnel is established.
• Defining firewall policies explains how to specify the source and destination IP
addresses of traffic transmitted through an IPsec VPN tunnel, and how to define a
firewall encryption policy. Firewall policies control all IP traffic passing between a
source address and a destination address.
• Hardware offloading and acceleration explains how to make use of FortiASIC network
processor IPsec accelerated processing capabilities.
• Manual-key configurations explains how to manually define cryptographic keys to
establish an IPsec VPN tunnel. If one VPN peer uses specific authentication and
encryption keys to establish a tunnel, both VPN peers must be configured to use the
same encryption and authentication algorithms and keys.
• Monitoring and troubleshooting VPNs provides some general monitoring and testing
procedures for VPNs.

IPsec VPN concepts
Virtual Private Network (VPN) technology enables users to connect to private networks in
a secure way. For example, an employee traveling or working from home can access the
office network through the Internet. The use of a VPN ensures that unauthorized parties
cannot access the office network and cannot intercept any of the information that is
exchanged with the employee. It is also common to use a VPN to connect the private
networks of two or more offices.
Fortinet offers VPN capabilities in the FortiGate Unified Threat Management appliance
and in the FortiClient Endpoint Security application. A FortiGate unit can be installed on a
private network, and FortiClient software is installed on the user’s computer. It is also
possible to use a FortiGate unit to connect to the private network instead of FortiClient
software.
This chapter discusses terms and concepts you are likely to encounter while working with
VPNs:
• IP packets
• VPN tunnels
• VPN gateways
• Clients, servers, and peers
• Encryption
• Authentication
• Phase 1 and Phase 2 settings
• Security Association

IP packets
In network terminology, data is sent in units called IP packets. A packet has a maximum
size, set by the path's MTU and typically about 1500 bytes on Ethernet, so larger amounts
of data are sent and received as a sequence of packets.
Figure 98: IP addresses can be compared to street addresses

An IP packet contains data, a source address, and a destination address. Conceptually,
source and destination addresses can be compared to street and/or apartment addresses
(see Figure 98). When a letter is mailed, it is delivered to a street and/or apartment
address (destination address). The return address (source address) is printed on the
envelope.
The source address corresponds to the computer that sent the data, and the destination
address corresponds to the computer that will use the data. Computers use source and
destination addresses to determine where a packet came from and where it is going.
Figure 99 shows a network version of the street-address analogy.
Figure 99: Network version of street-address analogy

IP addresses can be static or dynamic. A static IP address is fixed, like the street address
of a home or business. Your Internet Service Provider (ISP) might provide a dynamic
address instead. In that case, you are assigned an IP address only when you connect to
the network. The address can be different each time you connect. Whether your IP
address is static or dynamic determines the types of VPN configurations that you can
support.
Packets exchanged over an insecure network can be intercepted. A VPN encrypts data to
secure it. Encryption transforms the data so that it appears random and meaningless to
anyone who does not have the correct key to decrypt it. See “Encryption” on page 785.
VPNs also address the issue of authentication. You want to ensure that only authorized
users can connect to your private network. See “Authentication” on page 785.
There are several types of VPN. This guide discusses only Internet Protocol Security
(IPsec) VPN technology.

VPN tunnels
The data path between a user’s computer and a private network through a VPN is often
referred to as a tunnel. Like a tunnel, the route is accessible only at the ends. In the
telecommuting scenario, the tunnel runs between the FortiClient application on the user’s
PC and the FortiGate unit that connects the office private network to the Internet.
What makes this possible is encapsulation. The IPsec packets that pass from one end of
the tunnel to the other contain the data packets that are exchanged between the remote
user and the private network. Encryption of the data packets ensures that any third-party
intercepting the IPsec packets has no access to the data. This idea is shown conceptually
in Figure 100.

Figure 100: Encoded data going through a VPN tunnel

You can create a VPN tunnel between:
• a PC equipped with the FortiClient application and a FortiGate unit
• two FortiGate units

It is also possible to create a VPN tunnel with some types of third-party VPN software or
hardware and either a FortiGate unit or the FortiClient application. The Fortinet
Knowledge Base contains articles on this topic.

VPN gateways
A gateway is a router that connects the local network to other networks. The default
gateway setting in your computer’s TCP/IP properties specifies the gateway for your local
network.
A VPN gateway functions as one end of a VPN tunnel. It receives incoming IPsec packets,
decrypts the encapsulated data packets and passes the data packets to the local network.
Also, it encrypts data packets destined for the other end of the VPN tunnel, encapsulates
them, and sends the IPsec packets to the other VPN gateway.
The IP address of a VPN gateway is usually the IP address of the network interface that
connects to the Internet. Optionally, you can define a secondary IP address for the
interface and use that address as the local VPN gateway address.
The following diagram shows a VPN between two private networks with FortiGate units
acting as the VPN gateways.
Figure 101: VPN tunnel between two private networks

Although the IPsec traffic may actually pass through many Internet routers, you can think
of the VPN tunnel as a simple secure connection between the two FortiGate units.

Users on the two private networks do not need to be aware of the VPN tunnel. The
applications on their computers generate packets with the appropriate source and
destination addresses, as they normally do. The FortiGate units manage all the details of
encrypting, encapsulating and sending the packets to the remote VPN gateway.
The data is encapsulated in IPsec packets only in the VPN tunnel between the two VPN
gateways. Between the user’s computer and the gateway, the data is in regular IP
packets.
For example, User1 at Site A, IP address 10.10.1.7 sends packets with destination IP
address 192.168.10.8, the address of User2 at Site B. The Site A FortiGate unit is
configured to send packets with destinations on the 192.168.10.0 network through the
VPN, encrypted and encapsulated, of course. Similarly, the Site B FortiGate unit is
configured to send packets with destinations on the 10.10.1.0 network through the VPN
tunnel to the Site A VPN gateway.
In the site-to-site VPN shown in Figure 101, the FortiGate units have static (fixed) IP
addresses and either unit can initiate communication.
You can also create a VPN tunnel between an individual PC running the FortiClient
application and a FortiGate unit, as shown below:
Figure 102: VPN tunnel between a FortiClient PC and a FortiGate unit

On the PC, the FortiClient application acts as the local VPN gateway. Packets destined for
the office network are encrypted, encapsulated into IPsec packets, and sent through the
VPN tunnel to the FortiGate unit. Packets for other destinations are routed to the Internet
as usual. IPsec packets arriving through the tunnel are decrypted to recover the original IP
packets.

Clients, servers, and peers
A FortiGate unit in a VPN can have one of the following roles:
server    responds to a request to establish a VPN tunnel
client    contacts a remote VPN gateway and requests a VPN tunnel
peer      brings up a VPN tunnel or responds to a request to do so

The site-to-site VPN shown in Figure 101 is a peer-to-peer relationship. Either FortiGate
unit VPN gateway can establish the tunnel and initiate communications. The
FortiClient-to-FortiGate VPN shown in Figure 102 is a client-server relationship. The
FortiGate unit establishes a tunnel when the FortiClient PC requests one.
A FortiGate unit cannot be a VPN server if it has a dynamically-assigned IP address,
because VPN clients need to be configured with a static address for the server. (The
Dynamic DNS configurations section covers the case where the server has a dynamic IP
address but a static domain name.)
A FortiGate unit acts only as a server when the remote VPN gateway has a dynamic IP
address or is a client-only device or application, such as the FortiClient application.
As a VPN server, a FortiGate unit can also offer automatic configuration for FortiClient
PCs. The user needs to know only the IP address of the FortiGate VPN server and a valid
user name/password. The FortiClient application downloads the VPN configuration
settings from the FortiGate VPN server. For information about configuring a FortiGate unit
as a VPN server, see the FortiClient Administration Guide.

Encryption
Encryption mathematically transforms data to look like meaningless random numbers. The
original data is called plaintext and the encrypted data is called ciphertext. The opposite
process, called decryption, performs the inverse operation of recovering the original
plaintext from the ciphertext.
The process by which the plaintext is transformed to ciphertext and back again is called an
algorithm. All algorithms use a small piece of information, known as a key, in the arithmetic
process of converting plaintext to ciphertext, or vice-versa. IPsec uses symmetrical
algorithms, in which the same key is used to both encrypt and decrypt the data.
For a sound algorithm, the length of the key sets the work an attacker must do to find it by
trial: each additional bit doubles the number of keys to try. FortiGate IPsec VPNs offer the
following encryption algorithms, in descending order of security:
• AES256: a 128-bit block algorithm that uses a 256-bit key.
• AES192: a 128-bit block algorithm that uses a 192-bit key.
• AES128: a 128-bit block algorithm that uses a 128-bit key.
• 3DES: Triple-DES, in which plaintext is DES-encrypted three times by three keys. Its
168-bit key gives an effective strength of about 112 bits.
• DES: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key. A 56-bit
key can be found by exhaustive search with modest hardware, so select DES only for
compatibility with a peer that supports nothing stronger.
The default encryption algorithms provided on FortiGate units make recovery of encrypted
data practically impossible without the proper encryption keys; DES is the exception.
There is a human factor in the security of encryption. The key must be kept secret, known
only to the sender and receiver of the messages. Also, the key must not be something that
unauthorized parties might guess, such as the sender’s name or birthday or a simple
sequence like “123456”.

Authentication
In addition to protecting data through encryption, a VPN must ensure that only authorized
users can access the private network. You must use either a preshared key on both VPN
gateways or RSA X.509 security certificates. The examples in this guide use only
preshared key authentication.

Preshared keys
A preshared key must contain at least 6 alphanumeric characters. That is a minimum, not a
recommendation: use a long, randomly generated key. Users of the VPN must obtain the
preshared key from the person who manages the VPN server and add the preshared key to
their VPN client configuration.
Although it looks like a password, the preshared key, also known as a shared secret, is
never sent by either gateway. Each end feeds the preshared key into the calculations that
generate the phase 1 keying material, so two gateways holding different preshared keys
derive different keys and fail to verify each other's authentication hashes as soon as they
attempt to exchange encrypted data.
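To show how two gateways can check that they hold the same preshared key without either one transmitting it, here is an added Python model (not FortiOS or FortiClient code) of the IKEv1 phase 1 preshared-key authentication defined in RFC 2409: both ends derive SKEYID = prf(PSK, Ni | Nr) from the key and the two exchanged nonces, then each proves possession with a hash keyed by SKEYID. HMAC-SHA1 stands in for the negotiated prf; the Diffie-Hellman values, cookies, SA payload and peer identities are constructed stand-in byte strings, and no encryption or real Diffie-Hellman exchange is performed.

```python
"""Simplified model of IKEv1 phase 1 preshared-key authentication (RFC 2409).
Added example, not FortiOS/FortiClient code. HMAC-SHA1 stands in for the
negotiated prf; DH public values, cookies, SA payload and IDs are constructed
stand-ins; no encryption and no real Diffie-Hellman exchange take place."""
import hashlib
import hmac
import os


def prf(key, data):
    """Keyed pseudo-random function; HMAC-SHA1 in this model."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk, ni, nr):
    """SKEYID for preshared-key authentication: prf(PSK, Ni_b | Nr_b).
    The PSK enters the protocol only here; it is never placed in a message."""
    return prf(psk, ni + nr)


def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sa_i, id_ii):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sa_i + id_ii)


def hash_r(skeyid, g_xi, g_xr, cky_i, cky_r, sa_i, id_ir):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sa_i + id_ir)


def phase1_auth(psk_initiator, psk_responder, rng=os.urandom):
    """Run the authentication step between an initiator and a responder that
    may hold different keys. Returns (initiator_ok, responder_ok): whether
    each side accepted the hash it received from the other."""
    # Values that travel in the clear in the first four messages (constructed).
    cky_i, cky_r = rng(8), rng(8)          # ISAKMP cookies
    g_xi, g_xr = rng(32), rng(32)          # stand-ins for DH public values
    ni, nr = rng(16), rng(16)              # nonces
    sa_i = b"aes128-sha1-dh2-psk"          # stand-in for the SA proposal payload
    id_ii, id_ir = b"fgt-a.example", b"fgt-b.example"   # assumed peer IDs

    # Each side derives SKEYID locally from its own copy of the PSK.
    sk_i = skeyid_psk(psk_initiator, ni, nr)
    sk_r = skeyid_psk(psk_responder, ni, nr)

    # Message 5: initiator sends HASH_I; responder recomputes it with its SKEYID.
    sent_i = hash_i(sk_i, g_xi, g_xr, cky_i, cky_r, sa_i, id_ii)
    want_i = hash_i(sk_r, g_xi, g_xr, cky_i, cky_r, sa_i, id_ii)
    responder_ok = hmac.compare_digest(sent_i, want_i)

    # Message 6: responder sends HASH_R; initiator recomputes it with its SKEYID.
    sent_r = hash_r(sk_r, g_xi, g_xr, cky_i, cky_r, sa_i, id_ir)
    want_r = hash_r(sk_i, g_xi, g_xr, cky_i, cky_r, sa_i, id_ir)
    initiator_ok = hmac.compare_digest(sent_r, want_r)
    return initiator_ok, responder_ok


if __name__ == "__main__":
    print("matching keys:  ", phase1_auth(b"correct horse battery", b"correct horse battery"))
    print("mismatched keys:", phase1_auth(b"correct horse battery", b"corrcet horse battery"))
```

Only the nonces, cookies, DH values and hashes appear on the wire; an observer who captures all of them still has to guess the PSK to reproduce SKEYID, which is why the key's length and randomness, not its secrecy in transit, decide how hard that guess is.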

Additional authentication
To increase security, you can require additional means of authentication:
• an identifier, called a peer ID or a local ID
• extended authentication (XAUTH), which imposes an additional user name/password
  requirement
A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The Local ID
of a peer is called a Peer ID.
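The peer ID and XAUTH options just described, as an added FortiOS CLI example (not from the handbook) of a dialup phase 1 that combines a preshared key with a required peer ID and XAUTH, using only the algorithms from the list above. The tunnel name, IDs, user group and key value are placeholders; the interface name port2 and the availability of DH group 14 on the unit's firmware are assumptions.

```fortios
# Added example, not handbook configuration: dialup phase 1 with preshared key,
# peer ID enforcement and XAUTH. Names, IDs and the key value are placeholders.
config vpn ipsec phase1-interface
    edit "Dialup_Staff"
        # "Dialup User" in the GUI: accept connections from any address, never initiate.
        set type dynamic
        # Public-facing interface (assumed name).
        set interface "port2"
        # Aggressive mode so the responder can match the peer ID before choosing a
        # preshared key; see the note below for what this costs.
        set mode aggressive
        # Strongest proposal first; DES and 3DES deliberately not offered.
        set proposal aes256-sha1 aes128-sha1
        # 2048-bit MODP group; groups 5 and 2 are weaker.
        set dhgrp 14
        # Accept only peers presenting exactly this ID (assumed value).
        set peertype one
        set peerid "staff-laptops"
        # ID this gateway presents to clients (assumed value).
        set localid "hq-gateway"
        # XAUTH: a user name/password check against an existing user group (assumed name).
        set xauthtype auto
        set authusrgrp "VPN_Users"
        # At least 16 randomly chosen characters, as the handbook recommends.
        set psksecret "REPLACE-WITH-16-OR-MORE-RANDOM-CHARACTERS"
    next
end
```

Aggressive mode is needed here because in main mode the responder must pick the preshared key from the peer's source address before it learns the peer ID, which does not work for dialup peers whose addresses change. The cost is that the identities travel unencrypted and anyone who can send a first message with an acceptable peer ID receives a hash derived from the preshared key, which can then be attacked offline; that is the practical reason behind the 16-character, randomly chosen key requirement. XAUTH runs only after the preshared-key exchange has succeeded, so it does not compensate for a weak key. For a fixed-address gateway-to-gateway tunnel keep `set mode main`.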

Phase 1 and Phase 2 settings
A VPN tunnel is established in two phases: Phase 1 and Phase 2. Several parameters
determine how this is done. Except for IP addresses, the settings simply need to match at
both VPN gateways and there are defaults that are appropriate for most cases.
Note: The FortiClient application distinguishes between Phase 1 and Phase 2 only in the
VPN Advanced settings and uses different terms. Phase 1 is called the IKE Policy. Phase 2
is called the IPsec Policy.

Phase 1
In Phase 1, the two VPN gateways exchange information about the encryption algorithms
that they support and then establish a temporary secure connection to exchange
authentication information.
When you configure your FortiGate unit or FortiClient application, you must specify the
following settings for Phase 1:
Remote Gateway: the remote VPN gateway’s address. FortiGate units also have the option of
operating only as a server by selecting the “Dialup User” option.
Preshared key: this must be the same at both ends. It is never sent over the network; both
peers use it to authenticate each other and to derive the phase 1 keying material.
Local interface: the network interface that connects to the other VPN gateway. This applies
on a FortiGate unit only.

All other Phase 1 settings have default values. These settings mainly configure the types
of encryption to be used. The default settings on FortiGate units and in the FortiClient
application are compatible. The examples in this guide use these defaults.
For more detailed information about Phase 1 settings, see the “Auto Key phase 1
parameters” chapter of the FortiGate IPsec VPN User Guide.

Phase 2
Similar to the Phase 1 process, the two VPN gateways exchange information about the
encryption algorithms that they support for Phase 2. Phase 1 and Phase 2 can use
different encryption. If both gateways have at least one encryption algorithm in common, a
VPN tunnel is established.
To configure default Phase 2 settings on a FortiGate unit, you need only select the name
of the corresponding Phase 1 configuration. In the FortiClient application, no action is
required to enable default Phase 2 settings.
For more detailed information about Phase 2 settings, see the “Phase 2 parameters”
chapter of the FortiGate IPsec VPN User Guide.

Security Association
A Security Association (SA) is the agreed set of parameters that protects one direction of
traffic between two peers. Phase 1 negotiation produces the IKE SA, which protects the
negotiation itself; each Phase 2 negotiation produces a pair of IPsec SAs, one for each
direction. Each peer maintains a database of information about VPN connections. The
information in each SA can include cryptographic algorithms and keys, keylife, and the
current packet sequence number. This information is kept synchronized as the VPN
operates. Each IPsec SA has a Security Parameter Index (SPI) that is provided to the remote
peer at the time the SA is established. Subsequent IPsec packets from the peer always
reference the relevant SPI, which is how the receiver selects the right keys when several
tunnels are active. It is possible for peers to have multiple VPNs active simultaneously.

FortiGate IPsec VPN Overview
This section provides a brief overview of IPsec technology and includes general
information about how to configure IPsec VPNs using this guide.
The following topics are included in this section:
• About FortiGate VPNs
• Planning your VPN
• General preparation steps
• How to use this guide to configure an IPsec VPN

About FortiGate VPNs
VPN configurations interact with the firewall component of the FortiGate unit. There must
be a firewall policy in place to permit traffic to pass between the private network and the
VPN tunnel.
Firewall policies for VPNs specify:
• the FortiGate interface that provides the connection to the remote VPN gateway,
  usually an interface connected to the Internet
• the FortiGate interface that connects to the private network
• the IP addresses associated with data that has to be encrypted and decrypted
• optionally, a schedule that restricts when the VPN can operate
• optionally, the services (types of data) that can be sent

When the first packet of data meeting all of the conditions of the policy arrives at the
FortiGate unit, a VPN tunnel may be initiated and the encryption/decryption of data is
performed automatically afterward.
FortiGate unit VPNs can be policy-based or route-based. There is little functional
difference between the two types. In both cases, you specify phase 1 and phase 2
settings, but there is a difference in implementation. A route-based VPN creates a virtual
IPsec network interface that applies encryption or decryption as needed to any traffic that
it carries. That is why route-based VPNs are also known as interface-based VPNs. A
policy-based VPN is implemented through a special firewall policy that applies the
encryption you specified in the phase 1 and phase 2 settings.
For a route-based VPN, you need to create two firewall policies between the virtual IPsec
interface and the interface that connects to the private network. In one policy the virtual
interface is the source. In the other policy the virtual interface is the destination. The
Action for both policies is Accept.
For a policy-based VPN, one firewall policy enables communication in both directions. You
must select IPSEC as the Action and then select the VPN tunnel you defined in the
phase 1 settings. You can then enable inbound and outbound traffic as needed.

Planning your VPN
To save time later and be ready to configure a VPN correctly, it is a good idea to plan the
VPN configuration ahead of time. All VPN configurations comprise a number of required
and optional parameters. Before you begin, you need to determine:
• where the IP traffic originates, and where it needs to be delivered
• which hosts, servers, or networks to include in the VPN
• which VPN devices to include in the configuration
• through which interfaces the VPN devices communicate
• through which interfaces private networks access the VPN gateways

Once you have this information, you can select a VPN topology that meets the
requirements of your situation. For more information, see “Network topologies” on
page 790.

Network topologies
The topology of your network will determine how remote peers and clients connect to the
VPN and how VPN traffic is routed. You can read about various network topologies and
find the high-level procedures needed to configure IPsec VPNs in one of these sections:
• Gateway-to-gateway configurations
• Hub-and-spoke configurations
• Dynamic DNS configurations
• FortiClient dialup-client configurations
• FortiGate dialup-client configurations
• Internet-browsing configuration
• Redundant VPN configurations
• Transparent mode VPNs
• Manual-key configurations

These sections contain high-level configuration guidelines with cross-references to
detailed configuration procedures. If you need more detail to complete a step, select the
cross-reference in the step to drill down to more detail, then return to the original
procedure to complete it. For a general overview of how to configure a VPN, see “General
preparation steps” below.

Choosing policy-based or route-based VPNs
There are two broad types of IPsec VPNs available on FortiGate units: policy-based and
route-based.
For both of these VPN types you create phase 1 and phase 2 configurations. The main
difference is in the firewall policy.
You create a policy-based VPN by defining an IPSEC firewall policy between two network
interfaces and associating it with the VPN tunnel (phase 1) configuration.
You create a route-based VPN by enabling IPsec interface mode in the VPN phase 1
configuration. This creates a virtual IPsec interface. You then define a regular ACCEPT
firewall policy to permit traffic to flow between the virtual IPsec interface and another
network interface.

Where possible, create route-based VPNs. Generally, route-based VPNs are more flexible
and easier to configure than policy-based VPNs. However, the two types have different
requirements that limit where they can be used.
Table 71: Comparison of policy-based and route-based VPNs

Policy-based                                       Route-based
Available in NAT/Route or Transparent mode.        Available only in NAT/Route mode.
Requires a firewall policy with IPSEC action       Requires only a simple firewall policy with
that specifies the VPN tunnel. One policy          ACCEPT action. A separate policy is required
controls connections in both directions.           for connections in each direction.
Supports L2TP-over-IPsec configuration.            Does not support L2TP-over-IPsec configuration.
Doesn’t support GRE-over-IPsec configuration.      Supports GRE-over-IPsec configuration.

General preparation steps
A VPN configuration defines relationships between the VPN devices and the private hosts,
servers, or networks making up the VPN. Configuring a VPN involves gathering and
recording the following information. You will need this information to configure the VPN.
• Identify the private IP address(es) of traffic generated by participating hosts, servers,
  and/or networks. These IP addresses represent the source addresses of traffic that is
  permitted to pass through the VPN. An IP source address can be an individual IP
  address, an address range, or a subnet address.
• Identify the public IP addresses of the VPN end-point interfaces. The VPN devices
  establish tunnels with each other through these interfaces.
• Identify the private IP address(es) associated with the VPN-device interfaces to the
  private networks. Computers on the private network(s) behind the VPN gateways will
  connect to their VPN gateways through these interfaces.

How to use this guide to configure an IPsec VPN
This guide uses a task-based approach to provide all of the procedures needed to create
different types of VPN configurations. Follow the step-by-step configuration procedures in
this guide to set up the VPN.
The following configuration procedures are common to all IPsec VPNs:
1 Define the phase 1 parameters that the FortiGate unit needs to authenticate remote
peers or clients and establish a secure connection. See “Auto Key phase 1
parameters” on page 929.
2 Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel
with a remote peer or dialup client. See “Phase 2 parameters” on page 945.
3 Specify the source and destination addresses of IP packets that are to be transported
through the VPN tunnel. See “Defining firewall addresses” on page 951.
4 Create an IPsec firewall policy to define the scope of permitted services between the
IP source and destination addresses. See “Defining firewall policies” on page 952.
Note: The steps given above assume that you will perform Steps 1 and 2 to have the
FortiGate unit generate unique IPsec encryption and authentication keys automatically. In
situations where a remote VPN peer or client requires a specific IPsec encryption and/or
authentication key, you must configure the FortiGate unit to use manual keys instead of
performing Steps 1 and 2. For more information, see “Manual-key configurations” on
page 887.

Gateway-to-gateway configurations
This section explains how to set up a basic gateway-to-gateway (site-to-site) IPsec VPN.
The following topics are included in this section:
• Configuration overview
• General configuration steps
• Configure the VPN peers
• Configuration example
• How to work with overlapping subnets

Configuration overview
In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between
two separate private networks. All traffic between the two networks is encrypted and
protected by FortiGate firewall policies.
Figure 103: Example gateway-to-gateway configuration (Site_1 behind FortiGate_1 and
Site_2 behind FortiGate_2, connected across the Internet)

Note: In some cases, computers on the private network behind one VPN peer may (by
coincidence) have IP addresses that are already used by computers on the network behind
the other VPN peer. In this type of situation (ambiguous routing), conflicts may occur in one
or both of the FortiGate routing tables and traffic destined for the remote network through
the tunnel may not be sent. To resolve issues related to ambiguous routing, see “How to
work with overlapping subnets” on page 802.
In other cases, computers on the private network behind one VPN peer may obtain IP
addresses from a local DHCP server. However, unless the local and remote networks use
different private network address spaces, unintended ambiguous routing and/or IP-address
overlap issues may arise. For a discussion of the related issues, see “FortiGate dialup-client
configurations” on page 843.

You can set up a fully meshed or partially meshed configuration (see Figure 104 and
Figure 105).

Figure 104: Fully meshed configuration (FortiGate_1 through FortiGate_5, each with a tunnel
to every other unit)
In a fully meshed network, all VPN peers are connected to each other, with one hop
between peers. This topology is the most fault-tolerant: if one peer goes down, the rest of
the network is not affected. This topology is difficult to scale because it requires
connections between all peers. In addition, unnecessary communication can occur
between peers. We recommend a hub-and-spoke configuration instead (see “Hub-and-spoke
configurations” on page 807).
Figure 105: Partially meshed configuration (FortiGate_1 through FortiGate_5, with tunnels
only between selected pairs)
A partially meshed network is similar to a fully meshed network, but instead of having
tunnels between all peers, tunnels are only configured between peers that communicate
with each other regularly.

Gateway-to-gateway infrastructure requirements
• The FortiGate units at both ends of the tunnel must be operating in NAT/Route mode
  and have static public IP addresses.

General configuration steps
When a FortiGate unit receives a connection request from a remote VPN peer, it uses
IPsec phase 1 parameters to establish a secure connection and authenticate the VPN
peer. Then, if the firewall policy permits the connection, the FortiGate unit establishes the
tunnel using IPsec phase 2 parameters and applies the IPsec firewall policy. Key
management, authentication, and security services are negotiated dynamically through
the IKE protocol.
To support these functions, the following general configuration steps must be performed
on both FortiGate units:
• Define the phase 1 parameters that the FortiGate unit needs to authenticate the
  remote peer and establish a secure connection.
• Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel
  with the remote peer.
• Create firewall policies to control the permitted services and permitted direction of
  traffic between the IP source and destination addresses.

For more information, see “Configure the VPN peers” below.

Configure the VPN peers
Configure the VPN peers as follows:
1 At the local FortiGate unit, define the phase 1 configuration needed to establish a
secure connection with the remote peer. See “Auto Key phase 1 parameters” on
page 929. Enter these settings in particular:
Name: Enter a name to identify the VPN tunnel. This name appears in phase 2
configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the remote peer public interface.
Local Interface: Select the FortiGate unit’s public interface.
Enable IPsec Interface Mode: You must select Advanced to see this setting. If IPsec
Interface Mode is enabled, the FortiGate unit creates a virtual IPsec interface for a
route-based VPN. Disable this option if you want to create a policy-based VPN. For more
information, see “Choosing policy-based or route-based VPNs” on page 790. After you
select OK to create the phase 1 configuration, you cannot change this setting.

2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
See “Phase 2 parameters” on page 945. Enter these settings in particular:
Name: Enter a name to identify this phase 2 configuration.
Phase 1: Select the name of the phase 1 configuration that you defined.

3 Define names for the addresses or address ranges of the private networks that the
VPN links. These addresses are used in the firewall policies that permit communication
between the networks. For more information, see “Defining firewall addresses” on
page 951.
Enter these settings in particular:
• Define an address name for the IP address and netmask of the private network behind
  the local FortiGate unit.
• Define an address name for the IP address and netmask of the private network behind
  the remote peer.

4 Define firewall policies to permit communication between the private networks through
the VPN tunnel. Route-based and policy-based VPNs require different firewall policies.
For detailed information about creating firewall policies, see “Defining firewall policies”
on page 952.
Route-based VPN firewall policies
Define an ACCEPT firewall policy to permit communications between the source and
destination addresses. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind
this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the private
network behind this FortiGate unit.
Destination Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Destination Address Name: Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action: Select ACCEPT.
NAT: Disable.

To permit the remote peer to initiate communication, you need to define a firewall
policy for communication in that direction. Enter these settings in particular:
Source Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address Name: Select the address name that you defined in Step 3 for the private
network behind the remote peer.
Destination Interface/Zone: Select the interface that connects to the private network
behind this FortiGate unit.
Destination Address Name: Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Action: Select ACCEPT.
NAT: Disable.

Policy-based VPN firewall policy
Define an IPsec firewall policy to permit communications between the source and
destination addresses. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind
this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the private
network behind this FortiGate unit.
Destination Interface/Zone: Select the FortiGate unit’s public interface.
Destination Address Name: Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration that you created in Step 1.
Select Allow inbound to enable traffic from the remote network to initiate the tunnel.
Select Allow outbound to enable traffic from the local network to initiate the tunnel.

5 Place VPN policies in the policy list above any other policies having similar source and
destination addresses.
6 Repeat this procedure at the remote FortiGate unit.

Configuration example
The following example demonstrates how to set up a basic gateway-to-gateway IPsec
VPN that uses preshared keys to authenticate the two VPN peers.
Figure 106: Example gateway-to-gateway configuration. FortiGate_1 connects the Finance
Network 10.21.101.0/24 on Port 1 to the Internet on Port 2 (172.16.20.1). FortiGate_2
connects the HR Network 10.31.101.0/24 on Port 1 to the Internet on Port 2 (172.16.30.1).

In this example, the network devices are assigned IP addresses as shown in Figure 106.

Define the phase 1 parameters on FortiGate_1
The phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate
FortiGate_2 and establish a secure connection. For the purposes of this example, a
preshared key will be used to authenticate FortiGate_2. The same preshared key must be
specified at both FortiGate units.
Before you define the phase 1 parameters, you need to:
• Reserve a name for the remote gateway.
• Obtain the IP address of the public interface to the remote peer.
• Reserve a unique value for the preshared key.
The key must contain at least 6 printable characters and should only be known by network
administrators. For optimum protection against currently known attacks, the key should
consist of a minimum of 16 randomly chosen alphanumeric characters.
To define the phase 1 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
Name: Type a name to identify the VPN tunnel (for example, FG1toFG2_Tunnel).
Remote Gateway: Static IP Address
IP Address: 172.16.30.1
Local Interface: Port 2
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced, Enable IPsec Interface Mode: Enable to create a route-based VPN. Disable to
create a policy-based VPN. This example shows both policy- and route-based VPNs.

Define the phase 2 parameters on FortiGate_1
The basic phase 2 settings associate IPsec phase 2 parameters with the phase 1
configuration and specify the remote end point of the VPN tunnel. Before you define the
phase 2 parameters, you need to reserve a name for the tunnel.
To define the phase 2 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 2, enter the following information and select OK:
Name: Enter a name for the phase 2 configuration (for example, FG1toFG2_phase2).
Phase 1: Select the Phase 1 configuration that you defined previously (for example,
FG1toFG2_Tunnel).

Define the firewall policy on FortiGate_1
Firewall policies control all IP traffic passing between a source address and a destination
address.
For a policy-based VPN, an IPsec firewall policy is needed to allow the transmission of
encrypted packets, specify the permitted direction of VPN traffic, and select the VPN
tunnel that will be subject to the policy. A single IPsec policy controls both inbound and
outbound IP traffic through a VPN tunnel; a route-based VPN instead needs one ACCEPT
policy for each direction.
Before you define firewall policies, you must first specify the IP source and destination
addresses. In a gateway-to-gateway configuration:
• The IP source address corresponds to the private network behind the local FortiGate
  unit.
• The IP destination address refers to the private network behind the remote VPN peer.

To define the IP address of the network behind FortiGate_1
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Finance_Network).
Subnet/IP Range: Enter the IP address of the private network behind FortiGate_1 (for
example, 10.21.101.0/24).

To specify the address of the network behind FortiGate_2
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, HR_Network).
Subnet/IP Range: Enter the IP address of the private network behind FortiGate_2 (for
example, 10.31.101.0/24).

To define the firewall policy for a policy-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Port 1
Source Address Name: Finance_Network
Destination Interface/Zone: Port 2
Destination Address Name: HR_Network
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: FG1toFG2_Tunnel
Allow Inbound: Enable
Allow Outbound: Enable
Inbound NAT: Disable
3 Place the policy in the policy list above any other policies having similar source and
destination addresses.
To define firewall policies for a route-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Port 1
Source Address Name: Finance_Network
Destination Interface/Zone: FG1toFG2_Tunnel
Destination Address Name: HR_Network
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Disable
3 Select Create New, enter the following information, and select OK:
Source Interface/Zone: FG1toFG2_Tunnel
Source Address Name: HR_Network
Destination Interface/Zone: Port 1
Destination Address Name: Finance_Network
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Disable

4 Place the policies in the policy list above any other policies having similar source and
destination addresses.
To configure the route for a route-based VPN
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following information, and then select OK:
Destination IP / Mask: 10.31.101.0/24
Device: FG1toFG2_Tunnel
Gateway: Leave as default: 0.0.0.0.
Distance: Leave this at its default.
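The FortiGate_1 route-based procedure above (phase 1, phase 2, the two addresses, the two ACCEPT policies and the static route), as one added FortiOS CLI example that is not part of the handbook, followed by the commands used to check the result. Addresses and object names are those of Figure 106; the CLI interface names port1/port2, the service name ANY, the proposal and DH-group keywords and the key value are assumptions about the unit and its firmware.

```fortios
# Added example, not handbook configuration: FortiGate_1 side of the route-based
# tunnel in Figure 106. Interface names, proposal keywords and the key are placeholders.
config vpn ipsec phase1-interface
    edit "FG1toFG2_Tunnel"
        set interface "port2"
        set remote-gw 172.16.30.1
        set mode main
        set proposal aes256-sha1
        set dhgrp 14
        set psksecret "REPLACE-WITH-16-OR-MORE-RANDOM-CHARACTERS"
    next
end
config vpn ipsec phase2-interface
    edit "FG1toFG2_phase2"
        set phase1name "FG1toFG2_Tunnel"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 14
        # Optional for a route-based VPN, but naming the two private networks as
        # selectors stops the peer from negotiating SAs for any other subnet.
        set src-subnet 10.21.101.0 255.255.255.0
        set dst-subnet 10.31.101.0 255.255.255.0
    next
end
config firewall address
    edit "Finance_Network"
        set subnet 10.21.101.0 255.255.255.0
    next
    edit "HR_Network"
        set subnet 10.31.101.0 255.255.255.0
    next
end
# One ACCEPT policy per direction, NAT off, so hosts keep their real addresses.
config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "FG1toFG2_Tunnel"
        set srcaddr "Finance_Network"
        set dstaddr "HR_Network"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
    next
    edit 0
        set srcintf "FG1toFG2_Tunnel"
        set dstintf "port1"
        set srcaddr "HR_Network"
        set dstaddr "Finance_Network"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
    next
end
# Without this route nothing is ever sent into the tunnel interface.
config router static
    edit 0
        set dst 10.31.101.0 255.255.255.0
        set device "FG1toFG2_Tunnel"
    next
end
# Checks: phase 1 state, phase 2 SAs and SPIs, and the route pointing at the tunnel.
diagnose vpn ike gateway list
diagnose vpn tunnel list
get router info routing-table all
```

`edit 0` lets the unit assign the next free policy and route IDs; read them back with `show firewall policy` and, as step 4 requires, move the two VPN policies above any broader policy with `move <id> before <id>` inside `config firewall policy`. FortiGate_2 mirrors this with its own names, `set remote-gw 172.16.20.1`, the subnets swapped and a route to 10.21.101.0/24. SHA-1 as an HMAC is still acceptable here, but prefer a SHA-256 proposal where the firmware offers one, and keep the proposal list short: every extra algorithm offered is one the peer can be talked down to.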

Configure FortiGate_2
The configuration of FortiGate_2 is similar to that of FortiGate_1. You must:
• Define the phase 1 parameters that FortiGate_2 needs to authenticate FortiGate_1
  and establish a secure connection.
• Define the phase 2 parameters that FortiGate_2 needs to create a VPN tunnel with
  FortiGate_1.
• Create the firewall policy and define the scope of permitted services between the IP
  source and destination addresses.

To define the phase 1 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
Name: Type a name for the VPN tunnel (for example, FG2toFG1_Tunnel).
Remote Gateway: Static IP Address
IP Address: 172.16.20.1
Local Interface: Port 2
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. The value must be identical to the preshared
key that you specified previously in the FortiGate_1 configuration.
Peer Options: Accept any peer ID
Advanced, Enable IPsec Interface Mode: Enable to create a route-based VPN. Disable to
create a policy-based VPN. This example shows both policy- and route-based VPNs.

To define the phase 2 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 2, enter the following information and select OK:
Name: Enter a name for the phase 2 configuration (for example, FG2toFG1_phase2).
Phase 1: Select the gateway that you defined previously (for example, FG2toFG1_Tunnel).

To define the IP address of the network behind FortiGate_2
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, HR_Network).
Subnet/IP Range: 10.31.101.0/24. This is the IP address of the private network behind
FortiGate_2.

To define the IP address of the network behind FortiGate_1
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Finance_Network).
Subnet/IP Range: Enter the IP address of the private network behind FortiGate_1 (for
example, 10.21.101.0/24).

To define the firewall policy for a policy-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Port 1
Source Address Name: HR_Network
Destination Interface/Zone: Port 2
Destination Address Name: Finance_Network
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: FG2toFG1_Tunnel
Allow Inbound: Enable
Allow Outbound: Enable
Inbound NAT: Disable
3 Place the policy in the policy list above any other policies having similar source and
destination addresses.
To define the firewall policies for a route-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information to create an outbound policy, and
then select OK:
Source Interface/Zone: Port 1
Source Address Name: HR_Network
Destination Interface/Zone: FG2toFG1_Tunnel
Destination Address Name: Finance_Network
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Disable
3 Select Create New, enter the following information to create an inbound policy, and
then select OK:
Source Interface/Zone: FG2toFG1_Tunnel
Source Address Name: Finance_Network
Destination Interface/Zone: Port 1
Destination Address Name: HR_Network
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Disable
4 Place the policies in the policy list above any other policies having similar source and
destination addresses.
To configure the route for a route-based VPN
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following information, and then select OK:
Destination IP / Mask: 10.21.101.0/24
Device: FG2toFG1_Tunnel
Gateway: Leave as default: 0.0.0.0.
Distance: Usually you can leave this at its default.

How to work with overlapping subnets
A site-to-site VPN configuration sometimes has the problem that the private subnet
addresses at each end are the same. You can resolve this problem by remapping the
private addresses using virtual IP addresses (VIP).
Figure 107: Overlapped subnets example. Both sites use 10.11.101.0/24. PC1 (10.11.101.10)
is behind FortiGate_1 (Port 1 to the LAN, Port 2 172.16.20.1 to the Internet), whose network
is presented to the tunnel as VIP 10.21.101.0/24. PC2 (10.11.101.10) is behind FortiGate_2
(Port 1 to the LAN, Port 2 172.16.30.1 to the Internet), whose network is presented as
VIP 10.31.101.0/24.

After the tunnel is established, hosts on each side can communicate with hosts on the
other side using the mapped IP addresses. For example, PC1 can communicate with PC2
using IP address 10.31.101.10. FortiGate_2 maps connections for IP address
10.31.101.10 to IP address 10.11.101.10.

Solution for route-based VPN
You need to:
• Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In
this example, the resulting IPsec interface is named FG1toFG2.
• Configure virtual IP (VIP) mapping:
  • the 10.21.101.0/24 network to the 10.11.101.0/24 network on FortiGate_1
  • the 10.31.101.0/24 network to the 10.11.101.0/24 network on FortiGate_2
• Configure an outgoing firewall policy with ordinary source NAT.
• Configure an incoming firewall policy with the VIP as the destination.
• Configure a route to the remote private network over the IPsec interface.

To configure VIP mapping
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New, enter the following information, and select OK:
Name: Enter a name, for example, my-vip.
External Interface: Select the IPsec interface: FG1toFG2
Type: Static NAT
External IP Address/Range: In the first field, enter 10.21.101.1 on FortiGate_1 or
10.31.101.1 on FortiGate_2.
Mapped IP Address/Range: Enter 10.11.101.1 and 10.11.101.254.
Port Forwarding: Disable

To configure the outbound firewall policy
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and then select OK:
Source Interface/Zone: Port 1
Source Address Name: all
Destination Interface/Zone: FG1toFG2
Destination Address Name: all
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Enable

To configure the inbound firewall policy
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and then select OK:


Source Interface/Zone: FG1toFG2
Source Address Name: all
Destination Interface/Zone: Port 1
Destination Address Name: my-vip
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Disable

To configure the route
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following information, and then select OK:
Destination IP / Mask: 10.31.101.0/24 on FortiGate_1, 10.21.101.0/24 on FortiGate_2
Device: FG1toFG2
Gateway: Leave as default: 0.0.0.0.
Distance: Usually you can leave this at its default.

Solution for policy-based VPN
As with the route-based solution, users contact hosts at the other end of the VPN using an
alternate subnet address. PC1 communicates with PC2 using IP address 10.31.101.10.
PC2 communicates with PC1 using IP address 10.21.101.10. In this solution however,
outbound NAT is used to translate the source address of packets from the 10.11.101.0/24
network to the alternate subnet address that hosts at the other end of the VPN use to
reply. Inbound packets from the remote end have their destination addresses translated
back to the 10.11.101.0/24 network.
For example, PC1 uses the destination address 10.31.101.10 to contact PC2. Outbound
NAT on FortiGate_1 translates the PC1 source address to 10.21.101.10. At the
FortiGate_2 end of the tunnel, the outbound NAT configuration translates the destination
address to the actual PC2 address of 10.11.101.10. Similarly, PC2 replies to PC1 using
destination address 10.21.101.10, with the PC2 source address translated to
10.31.101.10. PC1 and PC2 can communicate over the VPN even though they both have
the same IP address.
You need to:
• Configure IPsec Phase 1 as you usually would for a policy-based VPN.
• Configure IPsec Phase 2 with the use-natip disable CLI option.
• Define a firewall address for the local private network, 10.11.101.0/24.
• Define a firewall address for the remote private network:
  • define a firewall address for 10.31.101.0/24 on FortiGate_1
  • define a firewall address for 10.21.101.0/24 on FortiGate_2
• Configure an outgoing IPsec firewall policy with outbound NAT to map 10.11.101.0/24
source addresses:
  • to the 10.21.101.0/24 network on FortiGate_1
  • to the 10.31.101.0/24 network on FortiGate_2

To configure IPsec Phase 2
In the CLI, enter the following commands:
config vpn ipsec phase2
  edit "FG1FG2_p2"
    set keepalive enable
    set pfs enable
    set phase1name FG1toFG2
    set proposal 3des-sha1 3des-md5
    set replay enable
    set use-natip disable
  end
In this example, your phase 1 definition is named FG1toFG2. Because use-natip is set
to disable, you can specify the source selector using the src-addr-type,
src-start-ip / src-end-ip or src-subnet keywords. This example leaves these
keywords at their default values, which specify the subnet 0.0.0.0/0.
To define the local private network firewall address
1 Go to Firewall > Address > Address.
2 Select Create New and enter the following information:
Address Name: Enter a name, vpn-local, for example.
Type: Subnet / IP Range
Subnet / IP Range: 10.11.101.0 255.255.255.0
Interface: Any

To define the remote private network firewall address
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information and select OK:
Address Name: Enter a name, vpn-remote, for example.
Type: Subnet / IP Range
Subnet / IP Range: 10.31.101.0 255.255.255.0 on FortiGate_1,
10.21.101.0 255.255.255.0 on FortiGate_2
Interface: Any

To configure the IPsec firewall policy
In the CLI, enter the following commands:
config firewall policy
  edit 1
    set srcintf "port1"
    set dstintf "port2"
    set srcaddr "vpn-local"
    set dstaddr "vpn-remote"
    set action ipsec
    set schedule "always"
    set service "ANY"
    set inbound enable
    set outbound enable
    set vpntunnel "FG1toFG2"
    set natoutbound enable
    set natip 10.21.101.0 255.255.255.0 (on FortiGate_1)
    set natip 10.31.101.0 255.255.255.0 (on FortiGate_2)
  end
Optionally, you can set everything except natip in the web-based manager and then use
the CLI to set natip.
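The translation that both overlapping-subnet solutions rely on (one-to-one static NAT of the whole /24 to an alternate subnet, reversed at the far end), as an added example that is not part of the handbook: a Python model that applies the natip mapping of the policy-based solution to the packets PC1 and PC2 exchange, and checks the two units' alternate subnets against each other before the tunnel is brought up. The class names, build_pair() and the validate() checks are this example's own, not FortiOS features.

```python
"""Added example (not from the FortiOS Handbook): a model of the address translation
that the overlapping-subnet solution performs, using the handbook's addresses. Both
private networks are 10.11.101.0/24; FortiGate_1 presents its hosts as 10.21.101.0/24
and FortiGate_2 presents its hosts as 10.31.101.0/24."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def translate(addr: IPv4Address, frm: IPv4Network, to: IPv4Network) -> IPv4Address:
    """One-to-one static NAT: keep the host part, swap the network part.
    This is what natip (policy-based) and a static-NAT VIP range (route-based) do."""
    if frm.prefixlen != to.prefixlen:
        raise ValueError("the alternate subnet must be the same size as the real subnet")
    if addr not in frm:
        raise ValueError(f"{addr} is not in {frm}")
    return IPv4Address(int(to.network_address) + (int(addr) - int(frm.network_address)))


@dataclass(frozen=True)
class OverlapGateway:
    """One FortiGate unit in the overlapped-subnet topology of Figure 107."""
    name: str
    local_real: IPv4Network   # real private subnet behind this unit (vpn-local)
    local_alt: IPv4Network    # alternate subnet this unit's natip presents to the peer
    remote_alt: IPv4Network   # alternate subnet used to reach the peer's hosts (vpn-remote)

    def outbound(self, p: Packet) -> Packet:
        """Private network -> tunnel: natoutbound rewrites the source address."""
        if p.src not in self.local_real or p.dst not in self.remote_alt:
            raise ValueError(f"{self.name}: {p} does not match the IPsec policy selectors")
        return replace(p, src=translate(p.src, self.local_real, self.local_alt))

    def inbound(self, p: Packet) -> Packet:
        """Tunnel -> private network: the destination is mapped back to the real subnet."""
        if p.dst not in self.local_alt:
            raise ValueError(f"{self.name}: {p.dst} is not in this unit's alternate subnet")
        return replace(p, dst=translate(p.dst, self.local_alt, self.local_real))


def build_pair(real: str, alt_1: str, alt_2: str):
    """FortiGate_1 and FortiGate_2 sharing the real subnet `real`; FortiGate_1 presents
    its hosts as alt_1 and FortiGate_2 presents its hosts as alt_2 (constructed helper)."""
    fg1 = OverlapGateway("FortiGate_1", IPv4Network(real), IPv4Network(alt_1), IPv4Network(alt_2))
    fg2 = OverlapGateway("FortiGate_2", IPv4Network(real), IPv4Network(alt_2), IPv4Network(alt_1))
    return fg1, fg2


def validate(a: OverlapGateway, b: OverlapGateway) -> list:
    """Consistency checks to run before bringing up the tunnel. Returns a list of
    problems; an empty list means the pair of configurations agrees."""
    problems = []
    for gw in (a, b):
        if gw.local_alt.overlaps(gw.local_real):
            problems.append(f"{gw.name}: alternate subnet {gw.local_alt} overlaps the real subnet")
    if a.local_alt.overlaps(b.local_alt):
        problems.append("the two alternate subnets overlap; replies could not be told apart")
    if a.remote_alt != b.local_alt or b.remote_alt != a.local_alt:
        problems.append("vpn-remote on one unit must equal the natip subnet of the other")
    return problems


def trace(a: OverlapGateway, b: OverlapGateway, src: str, dst: str) -> list:
    """Follow a request from a host behind `a` to a host behind `b` and the reply back.
    Returns the packet at each hop: sent, after a's NAT, delivered, reply sent,
    after b's NAT, reply delivered."""
    sent = Packet(IPv4Address(src), IPv4Address(dst))
    in_tunnel = a.outbound(sent)
    delivered = b.inbound(in_tunnel)
    reply = Packet(delivered.dst, delivered.src)
    reply_in_tunnel = b.outbound(reply)
    reply_delivered = a.inbound(reply_in_tunnel)
    return [sent, in_tunnel, delivered, reply, reply_in_tunnel, reply_delivered]


# Constructed from the handbook's example values.
FORTIGATE_1, FORTIGATE_2 = build_pair("10.11.101.0/24", "10.21.101.0/24", "10.31.101.0/24")

if __name__ == "__main__":
    print("problems:", validate(FORTIGATE_1, FORTIGATE_2))
    for hop in trace(FORTIGATE_1, FORTIGATE_2, "10.11.101.10", "10.31.101.10"):
        print(f"{hop.src} -> {hop.dst}")
```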

Hub-and-spoke configurations
This section describes how to set up hub-and-spoke IPsec VPNs. The following topics are
included in this section:
• Configuration overview
• Configure the hub
• Configure the spokes
• Dynamic spokes configuration example

Configuration overview
In a hub-and-spoke configuration, VPN connections radiate from a central FortiGate unit
(the hub) to a number of remote peers (the spokes). Traffic can pass between private
networks behind the hub and private networks behind the remote peers. Traffic can also
pass between remote peer private networks through the hub.
Figure 108: Example hub-and-spoke configuration (figure labels: Site_1, Site_2, Internet,
Spoke_1, Spoke_2, Hub, Subnet_1 (192.168.2.0/24), Finance Network, HR Network)

The actual implementation varies in complexity depending on
• whether the spokes are statically or dynamically addressed
• the addressing scheme of the protected subnets
• how peers are authenticated
This guide discusses the issues involved in configuring a hub-and-spoke VPN and
provides some basic configuration examples.


Hub-and-spoke infrastructure requirements
• The FortiGate hub must be operating in NAT/Route mode and have a static public IP
address.
• Spokes may have static IP addresses, dynamic IP addresses (see “FortiGate dialup-client
configurations” on page 843), or static domain names and dynamic IP addresses
(see “Dynamic DNS configurations” on page 821).

Spoke gateway addressing
The public IP address of the spoke is the VPN remote gateway as seen from the hub.
Statically addressed spokes each require a separate VPN phase 1 configuration on the
hub. When there are many spokes, this becomes rather cumbersome.
Using dynamic addressing for spokes simplifies the VPN configuration because then the
hub requires only a single phase 1 configuration with “dialup user” as the remote gateway.
You can use this configuration even if the remote peers have static IP addresses. A
remote peer can establish a VPN connection regardless of its IP address if its traffic
selectors match and it can authenticate to the hub. See “Dynamic spokes configuration
example” on page 816 for an example of this configuration.

Protected networks addressing
The addresses of the protected networks are needed to configure destination selectors
and sometimes for firewall policies and static routes. The larger the number of spokes, the
more addresses there are to manage. You can
• assign spoke subnets as part of a larger subnet, usually on a new network
or
• create address groups that contain all of the needed addresses

Using aggregated subnets
If you are creating a new network, where subnet IP addresses are not already assigned,
you can simplify the VPN configuration by assigning spoke subnets that are part of a large
subnet.
Figure 109: Aggregated subnets
large subnet
hub protected subnet: 10.1.0.0/24
spoke 1 protected subnet: 10.1.1.0/24
spoke 2 protected subnet: 10.1.2.0/24
spoke x protected subnet: 10.1.x.0/24

All spokes use the large subnet address, 10.1.0.0/16 for example, as
• the destination of the firewall policy from the private subnet to the VPN (required for
policy-based VPN, optional for route-based VPN)
• the IPsec destination selector
• the destination of the static route to the VPN (route-based)


Each spoke uses the address of its own protected subnet as the IPsec source selector
and as the source address in its VPN firewall policy. The remote gateway is the public IP
address of the hub FortiGate unit.

Using an address group
If you want to create a hub-and-spoke VPN between existing private networks, the subnet
addressing usually does not fit the aggregated subnet model discussed earlier. All of the
spokes and the hub will need to include the addresses of all the protected networks in
their configuration.
On FortiGate units, you can define a named firewall address for each of the remote
protected networks and add these addresses to a firewall address group. For a
policy-based VPN, you can then use this address group as the destination of the VPN
firewall policy.
For a route-based VPN, the destination of the VPN firewall policy can be set to All. You
need to specify appropriate routes for each of the remote subnets.

Authentication
Authentication is by a common preshared key or by certificates. For simplicity, the
examples in this chapter assume that all spokes use the same preshared key.

Configure the hub
At the FortiGate unit that acts as the hub, you need to
• configure the VPN to each spoke
• configure communication between spokes
You configure communication between spokes differently for a policy-based VPN than for
a route-based VPN. For a policy-based VPN, you configure a VPN concentrator. For a
route-based VPN, you must either define firewall policies or group the IPsec interfaces
into a zone.

Define the hub-spoke VPNs
Perform these steps at the FortiGate unit that will act as the hub. Although this procedure
assumes that the spokes are all FortiGate units, a spoke could also be VPN client
software, such as FortiClient Endpoint Security.
To configure the VPN hub
1 At the hub, define the phase 1 configuration for each spoke. See “Auto Key phase 1
parameters” on page 929. Enter these settings in particular:


Name: Enter a name to identify the VPN in phase 2 configurations, firewall policies
and the VPN monitor.
Remote Gateway: The remote gateway is the other end of the VPN tunnel. There are three
options:
Static IP Address — Enter the spoke’s public IP Address. You will need to
create a phase 1 configuration for each spoke. Either the hub or the spoke
can establish the VPN connection.
Dialup User — No additional information is needed. The hub accepts
connections from peers with appropriate encryption and authentication
settings. Only one phase 1 configuration is needed for multiple dialup
spokes. Only the spoke can establish the VPN tunnel.
Dynamic DNS — If the spoke subscribes to a dynamic DNS service, enter
the spoke’s Dynamic DNS domain name. Either the hub or the spoke can
establish the VPN connection. For more information, see “Dynamic DNS
configurations” on page 821.
Local Interface: Select the FortiGate interface that connects to the remote gateway. This is
usually the FortiGate unit’s public interface.
Enable IPsec Interface Mode: You must select Advanced to see this setting. If IPsec
Interface Mode is enabled, the FortiGate unit creates a virtual IPsec interface for a
route-based VPN. Disable this option if you want to create a policy-based VPN.
For more information, see “Choosing policy-based or route-based VPNs”
on page 790.
After you select OK to create the phase 1 configuration, you cannot change
this setting.

2 Define the phase 2 parameters needed to create a VPN tunnel with each spoke. See
“Phase 2 parameters” on page 945. Enter these settings in particular:
Name: Enter a name to identify this spoke phase 2 configuration.
Phase 1: Select the name of the phase 1 configuration that you defined for this
spoke.

Define the hub-spoke firewall policies
1 Define a name for the address of the private network behind the hub. For more
information, see “Defining firewall addresses” on page 951.
2 Define names for the addresses or address ranges of the private networks behind the
spokes. For more information, see “Defining firewall addresses” on page 951.
3 Define the VPN concentrator. See “To define the VPN concentrator” on page 811.
4 Define firewall policies to permit communication between the hub and the spokes. For
more information, see “Defining firewall policies” on page 952.
Route-based VPN firewall policies
Define ACCEPT firewall policies to permit communications between the hub and the
spoke. You need one policy for each direction. Enter these settings in particular:
Source Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Source Address Name: Select the address name you defined in Step 2 for the
private network behind the spoke FortiGate unit.
Destination Interface/Zone: Select the hub’s interface to the internal (private) network.
Destination Address Name: Select the source address that you defined in Step 1.
Action: Select ACCEPT.
NAT: Enable.

Source Interface/Zone: Select the hub’s interface to the internal (private) network.
Source Address Name: Select the source address that you defined in Step 1.
Destination Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Destination Address Name: Select the address name you defined in Step 2 for the
private network behind the spoke FortiGate units.
Action: Select ACCEPT.
NAT: Enable.

Policy-based VPN firewall policy
Define an IPsec firewall policy to permit communications between the hub and the
spoke. Enter these settings in particular:
Source Interface/Zone: Select the hub’s interface to the internal (private) network.
Source Address Name: Select the source address that you defined in Step 1.
Destination Interface/Zone: Select the hub’s public network interface.
Destination Address Name: Select the address name you defined in Step 2 for the private
network behind the spoke FortiGate unit.
Action: IPSEC
VPN Tunnel: Select the name of the phase 1 configuration that you created
for the spoke in Step 1.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.

5 In the policy list, arrange the policies in the following order:
• IPsec policies that control traffic between the hub and the spokes first
• the default firewall policy last

Configuring communication between spokes (policy-based VPN)
For a policy-based hub-and-spoke VPN, you define a concentrator to enable
communication between the spokes.
To define the VPN concentrator
1 At the hub, go to VPN > IPSEC > Concentrator and select Create New.
2 In the Concentrator Name field, type a name to identify the concentrator.
3 From the Available Tunnels list, select a VPN tunnel and then select the right-pointing
arrow.
Note: To remove tunnels from the VPN concentrator, select the tunnel in the Members list
and select the left-pointing arrow.

4 Repeat Step 3 until all of the tunnels associated with the spokes are included in the
concentrator.
5 Select OK.


Configuring communication between spokes (route-based VPN)
For a route-based hub-and-spoke VPN, there are several ways you can enable
communication between the spokes:
• put all of the IPsec interfaces into a zone and enable intra-zone traffic. This eliminates
the need for any firewall policy for the VPN, but you cannot apply UTM features to scan
the traffic for security threats.
• put all of the IPsec interfaces into a zone and create a single zone-to-zone firewall
policy
• create a firewall policy for each pair of spokes that are allowed to communicate with
each other. The number of policies required increases rapidly as the number of spokes
increases.

Using a zone as a concentrator
A simple way to provide communication among all of the spokes is to create a zone and
allow intra-zone communication. You cannot apply UTM features using this method.
1 Go to System > Network > Zone and select Create New.
2 In the Zone Name field, enter a name, such as Our_VPN_zone.
3 Clear Block intra-zone traffic.
4 In the Interface Members list, select the IPsec interfaces that are part of your VPN.
5 Select OK.

Using a zone with a policy as a concentrator
If you put all of the hub IPsec interfaces involved in the VPN into a zone, you can enable
communication among all of the spokes and apply UTM features with just one firewall
policy.
To create a zone for the VPN
1 Go to System > Network > Zone and select Create New.
2 In the Zone Name field, enter a name, such as Our_VPN_zone.
3 Select Block intra-zone traffic.
4 In the Interface Members list, select the IPsec interfaces that are part of your VPN.
5 Select OK.
To create a firewall policy for the zone
1 Go to Firewall > Policy > Policy. Select Create New and enter these settings:
Source Interface/Zone: Select the zone you created for your VPN.
Source Address Name: Select All.
Destination Interface/Zone: Select the zone you created for your VPN.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Enable.
UTM: If you want to apply UTM features to this traffic, select the
appropriate profiles.

2 Select OK.


Using firewall policies as a concentrator
To enable communication between two spokes, you need to define an ACCEPT firewall
policy for them. To allow either spoke to initiate communication, you must create a policy
for each direction. This procedure describes a firewall policy for communication from
Spoke 1 to Spoke 2. Others are similar.
1 Define names for the addresses or address ranges of the private networks behind
each spoke. For more information, see “Defining firewall addresses” on page 951.
2 Go to Firewall > Policy > Policy. Select Create New and enter these settings in
particular:
Source Interface/Zone: Select the IPsec interface that connects to Spoke 1.
Source Address Name: Select the address of the private network behind Spoke 1.
Destination Interface/Zone: Select the IPsec interface that connects to Spoke 2.
Destination Address Name: Select the address of the private network behind Spoke 2.
Action: Select ACCEPT.
NAT: Enable.
UTM: If you want to apply UTM features to this traffic, select the
appropriate profiles.

3 Select OK.

Configure the spokes
Although this procedure assumes that the spokes are all FortiGate units, a spoke could
also be VPN client software, such as FortiClient Endpoint Security.
Perform these steps at each FortiGate unit that will act as a spoke.
To create the phase 1 and phase 2 configurations
1 At the spoke, define the phase 1 parameters that the spoke will use to establish a
secure connection with the hub. See “Auto Key phase 1 parameters” on page 929.
Enter these settings in particular:
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the interface that connects to the hub.
Enable IPsec Interface Mode: Enable if you are creating a route-based VPN.
Clear if you are creating a policy-based VPN.
2 Create the phase 2 tunnel definition. See “Phase 2 parameters” on page 945. Enter
these settings in particular:
Phase 1: Select the set of phase 1 parameters that you defined for the hub.
You can select the name of the hub from the Static IP Address part
of the list.

Configuring firewall policies for hub-to-spoke communication
1 Create an address for this spoke. See “Defining firewall addresses” on page 951. Enter
the IP address and netmask of the private network behind the spoke.
2 Create an address to represent the hub. See “Defining firewall addresses” on
page 951. Enter the IP address and netmask of the private network behind the hub.


3 Define the firewall policy to enable communication with the hub.
Route-based VPN firewall policy
Define two firewall policies to permit communications to and from the hub. Enter these
settings in particular:
Source Interface/Zone: Select the virtual IPsec interface you created.
Source Address Name: Select the hub address you defined in Step 1.
Destination Interface/Zone: Select the spoke’s interface to the internal (private) network.
Destination Address Name: Select the spoke addresses you defined in Step 2.
Action: Select ACCEPT
NAT: Enable

Source Interface/Zone: Select the spoke’s interface to the internal (private) network.
Source Address Name: Select the spoke address you defined in Step 1.
Destination Interface/Zone: Select the virtual IPsec interface you created.
Destination Address Name: Select the hub destination addresses you defined in Step 2.
Action: Select ACCEPT
NAT: Enable

Policy-based VPN firewall policy
Define an IPsec firewall policy to permit communications with the hub. See “Defining
firewall policies” on page 952. Enter these settings in particular:
Source Interface/Zone: Select the spoke’s interface to the internal (private) network.
Source Address Name: Select the spoke address you defined in Step 1.
Destination Interface/Zone: Select the spoke’s interface to the external (public) network.
Destination Address Name: Select the hub address you defined in Step 2.
Action: Select IPSEC
VPN Tunnel: Select the name of the phase 1 configuration you defined.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound to enable traffic from the local network
to initiate the tunnel.

Configuring firewall policies for spoke-to-spoke communication
Each spoke requires firewall policies to enable communication with the other spokes.
Instead of creating separate firewall policies for each spoke, you can create an address
group that contains the addresses of the networks behind the other spokes. The firewall
policy then applies to all of the spokes in the group.
1 Define destination addresses to represent the networks behind each of the other
spokes. Add these addresses to an address group. For more information, see
“Configuring Address Groups” section in the “Firewall Address” chapter of the
FortiGate Administration Guide.


2 Define the firewall policy to enable communication between this spoke and the spokes
in the address group you created.
Route-based VPN firewall policy
Define two firewall policies to permit communications to and from the other spokes.
Enter these settings in particular:
Source Interface/Zone: Select the virtual IPsec interface you created.
Source Address Name: Select the spoke address group you defined in Step 1.
Destination Interface/Zone: Select the spoke’s interface to the internal (private) network.
Destination Address Name: Select this spoke’s address name.
Action: Select ACCEPT
NAT: Enable

Source Interface/Zone: Select the spoke’s interface to the internal (private) network.
Source Address Name: Select this spoke’s address name.
Destination Interface/Zone: Select the virtual IPsec interface you created.
Destination Address Name: Select the spoke address group you defined in Step 1.
Action: Select ACCEPT
NAT: Enable
Policy-based VPN firewall policy
Define an IPsec firewall policy to permit communications with the other spokes. See
“Defining firewall policies” on page 952. Enter these settings in particular:
Source Interface/Zone: Select this spoke’s internal (private) network interface.
Source Address Name: Select this spoke’s source address.
Destination Interface/Zone: Select the spoke’s interface to the external (public) network.
Destination Address Name: Select the spoke address group you defined in Step 1.
Action: Select IPSEC
VPN Tunnel: Select the name of the phase 1 configuration you defined.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.

3 Place this policy or policies in the policy list above any other policies having similar
source and destination addresses.


Dynamic spokes configuration example
This example demonstrates how to set up a basic route-based hub-and-spoke IPsec VPN
that uses preshared keys to authenticate VPN peers.
Figure 110: Example hub-and-spoke configuration (Hub FortiGate_1 at 172.16.10.1 with the
HR Network 10.1.0.0/24 behind it; Spoke_1 at Site_1 with 10.1.1.0/24 and Spoke_2 at
Site_2 with 10.1.2.0/24, both reaching the hub over the Internet)

In the example configuration, the protected networks 10.1.0.0/24, 10.1.1.0/24 and
10.1.2.0/24 are all part of the larger subnet 10.1.0.0/16. The steps for setting up the
example hub-and-spoke configuration create a VPN among Site 1, Site 2, and the HR
Network.
The spokes are dialup. Their addresses are not part of the configuration on the hub, so
only one spoke definition is required no matter the number of spokes. For simplicity, only
two spokes are shown.

Configure the hub (FortiGate_1)
The phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate
spokes and establish secure connections.
For the purposes of this example, one preshared key will be used to authenticate all of the
spokes. Each key must contain at least 6 printable characters and should only be known
by network administrators. For optimum protection against currently known attacks, each
key should consist of a minimum of 16 randomly chosen alphanumeric characters.

Define the IPsec configuration
To define the phase 1 parameters
1 At FortiGate_1, go to VPN > IPSEC > Auto Key.
2 Define the phase 1 parameters that the hub will use to establish a secure connection to
the spokes. Select Create Phase 1, enter the following information, and select OK:


Name: Type a name (for example, toSpokes).
Remote Gateway: Dialup user
Local Interface: External
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID

The basic phase 2 settings associate IPsec phase 2 parameters with the phase 1
configuration and specify the remote end points of the VPN tunnels.
To define the phase 2 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Create a phase 2 tunnel definition for the spokes. Select Create Phase 2, enter the
following information, and select OK:
Name: Enter a name for the phase 2 definition (for example, toSpokes_ph2).
Phase 1: Select the Phase 1 configuration that you defined previously (for example,
toSpokes).

Define the firewall policies
Firewall policies control all IP traffic passing between a source address and a destination
address. For a route-based VPN, the policies are simpler than for a policy-based VPN.
Instead of an IPSEC policy, you use an ACCEPT policy with the virtual IPsec interface as
the external interface.
Before you define firewall policies, you must first define firewall addresses to use in those
policies. You need addresses for:
• the HR network behind FortiGate_1
• the aggregate subnet address for the protected networks

To define the IP address of the HR network behind FortiGate_1
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, HR_Network).
Subnet/IP Range: Enter the IP address of the HR network behind FortiGate_1
(for example, 10.1.0.0/24).
To specify the IP address of the aggregate protected subnet
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Spoke_net).
Subnet/IP Range: Enter the IP address of the aggregate protected network,
10.1.0.0/16

To define the firewall policy for traffic from the hub to the spokes
1 Go to Firewall > Policy > Policy.


2 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Select the interface to the HR network, port 1.
Address Name: HR_Network
Destination Interface/Zone: Select the virtual IPsec interface that connects to the spokes,
toSpokes
Address Name: Spoke_net
Schedule: As required.
Service: As required.
Action: ACCEPT

3 Place the policy in the policy list above any other policies having similar source and
destination addresses.

Configure communication between spokes
Spokes communicate with each other through the hub. You need to configure the hub to
allow this communication. An easy way to do this is to create a zone containing the virtual
IPsec interfaces (even if there is only one) and create a zone-to-zone firewall policy.
To create a zone for the VPN
1 Go to System > Network > Zone and select Create New.
2 In the Zone Name field, enter a name, such as Our_VPN_zone.
3 Select Block intra-zone traffic.
You could enable intra-zone traffic and then you would not need to create a firewall
policy. But, you would not be able to apply UTM features.
4 In Interface Members, select the virtual IPsec interface, toSpokes.
5 Select OK.
To create a firewall policy for the zone
1 Go to Firewall > Policy > Policy. Select Create New and enter these settings:
Source Interface/Zone: Select Our_VPN_zone.
Source Address Name: Select All.
Destination Interface/Zone: Select Our_VPN_zone.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Enable.
UTM: Select the appropriate UTM profiles.
2 Select OK.

Configure the spokes
In this example, all spokes have nearly identical configuration, requiring the following:
• phase 1 authentication parameters to initiate a connection with the hub
• phase 2 tunnel creation parameters to establish a VPN tunnel with the hub
• a source address that represents the network behind the spoke. This is the only part of the configuration that is different for each spoke.
• a destination address that represents the aggregate protected network
• a firewall policy to enable communications between the spoke and the aggregate protected network

Define the IPsec configuration
At each spoke, create the following configuration.
To define the phase 1 parameters
1 At the spoke, go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
Name: Type a name (for example, toHub).
Remote Gateway: Static IP Address
IP Address: 172.16.10.1
Local Interface: Port2
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. The value must be identical to the preshared key that you specified previously in the FortiGate_1 configuration.
Peer Options: Accept any peer ID
Enable IPsec Interface Mode: Select Advanced to see this option. Enable the option to create a route-based VPN.

To define the phase 2 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 2, enter the following information, and select OK:
Name: Enter a name for the tunnel (for example, toHub_ph2).
Phase 1: Select the name of the phase 1 configuration that you defined previously, for example, toHub.
Advanced: Select to show the following Quick Mode Selector settings.
Source: Enter the address of the protected network at this spoke. For spoke_1, this is 10.1.1.0/24. For spoke_2, this is 10.1.2.0/24.
Destination: Enter the aggregate protected subnet address, 10.1.0.0/16.

Define the firewall policies
You need to define firewall addresses for the spokes and the aggregate protected network
and then create a firewall policy to enable communication between them.
To define the IP address of the network behind the spoke
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, LocalNet).
Subnet/IP Range: Enter the IP address of the private network behind the spoke. For spoke_1, this is 10.1.1.0/24. For spoke_2, this is 10.1.2.0/24.

To specify the IP address of the aggregate protected network
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Spoke_net).
Subnet/IP Range: Enter the IP address of the aggregate protected network, 10.1.0.0/16.

To define the firewall policy
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Select the virtual IPsec interface, toHub.
Address Name: Select the aggregate protected network address, Spoke_net.
Destination Interface/Zone: Select the interface to the internal (private) network, port1.
Address Name: Select the address for this spoke’s protected network, LocalNet.
Schedule: As required.
Service: As required.
Action: ACCEPT
3 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Select the interface to the internal (private) network, port1.
Address Name: Select the address for this spoke’s protected network, LocalNet.
Destination Interface/Zone: Select the virtual IPsec interface, toHub.
Address Name: Select the aggregate protected network address, Spoke_net.
Schedule: As required.
Service: As required.
Action: ACCEPT
4 Place these policies in the policy list above any other policies having similar source
and destination addresses.
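The spoke_1 procedure above (phase 1, phase 2, the two address objects and the two policies) expressed as FortiOS CLI, added here as an example and not part of the handbook's own text. It assumes the names and addresses used in the steps (port1, port2, toHub, toHub_ph2, LocalNet, Spoke_net, 172.16.10.1, 10.1.1.0/24, 10.1.0.0/16), a placeholder pre-shared key, and that the CLI keywords are the FortiOS 4.x ones as the editor recalls them.

```fortios
# Added example (not from the handbook): spoke_1 of the dynamic spokes
# example as a route-based (interface mode) VPN in FortiOS 4.x CLI.
# Assumed: port2 faces the hub at 172.16.10.1, port1 faces the LAN,
# the PSK is a placeholder, keyword names are as recalled for 4.x.

# Phase 1: static hub address, main mode, PSK, accept any peer ID.
# Creating the tunnel under phase1-interface is the CLI equivalent of
# "Enable IPsec Interface Mode": it creates the virtual interface toHub.
config vpn ipsec phase1-interface
    edit "toHub"
        set type static
        set interface "port2"
        set remote-gw 172.16.10.1
        set mode main
        set peertype any
        set psksecret "REPLACE_WITH_PRESHARED_KEY"
    next
end

# Phase 2: quick mode selectors are this spoke's LAN and the aggregate /16.
# spoke_2 differs only in src-subnet (10.1.2.0 255.255.255.0).
config vpn ipsec phase2-interface
    edit "toHub_ph2"
        set phase1name "toHub"
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.0.0
    next
end

# Firewall address objects referenced by the policies.
config firewall address
    edit "LocalNet"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "Spoke_net"
        set subnet 10.1.0.0 255.255.0.0
    next
end

# One policy per direction, scoped to the named objects rather than
# "all". Policy IDs are examples; what matters is that these sit above
# any broader policy with similar addresses, since matching is first-hit.
config firewall policy
    edit 10
        set srcintf "toHub"
        set dstintf "port1"
        set srcaddr "Spoke_net"
        set dstaddr "LocalNet"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 11
        set srcintf "port1"
        set dstintf "toHub"
        set srcaddr "LocalNet"
        set dstaddr "Spoke_net"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

# A route-based VPN also needs a route to the aggregate network through
# the tunnel interface; the GUI steps above do not show this step.
config router static
    edit 0
        set dst 10.1.0.0 255.255.0.0
        set device "toHub"
    next
end
```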


Dynamic DNS configurations
This section describes how to configure a site-to-site VPN, in which one FortiGate unit has
a static IP address and the other FortiGate unit has a static domain name and a dynamic
IP address.
The following topics are included in this section:
• Configuration overview
• General configuration steps
• Configure the dynamically-addressed VPN peer
• Configure the fixed-address VPN peer

Configuration overview
In this type of scenario, one of the FortiGate units in a gateway-to-gateway configuration
has a static domain name (for example, example.com) and a dynamic IP address. See
FortiGate_2 in Figure 111. Whenever that FortiGate unit connects to the Internet (and
possibly also at predefined intervals set by the ISP), the ISP may assign a different IP
address to the FortiGate unit. Therefore, remote peers have to locate the FortiGate unit
through DNS lookup.
Figure 111: Example dynamic DNS configuration (diagram: FortiGate_1 at Site_1 and FortiGate_2 at Site_2, the latter reachable by the domain name example.com, connected across the Internet; the figure also shows the address 172.16.20.1, a DNS server and a dynamic DNS server)
When a remote peer (such as FortiGate_1 in Figure 111) initiates a connection to the
domain name, a DNS server looks up and returns the IP address that matches the domain
name. The remote peer uses the retrieved IP address to establish a connection with the
FortiGate unit.
To ensure that DNS servers are able to discover the current IP address associated with a
FortiGate domain name, the FortiGate unit with the domain name subscribes to a dynamic
DNS service. A dynamic DNS service ensures that any changes to IP addresses are
propagated to all Internet DNS servers.
Whenever the FortiGate unit detects that its IP address has changed, it notifies the
dynamic DNS server and provides the new IP address to the server. The dynamic DNS
server makes the updated IP address available to all DNS servers and the new IP address
remains in effect until the FortiGate unit detects that its IP address has changed again.
A FortiGate unit that has static domain name and a dynamic IP address can initiate VPN
connections anytime—the remote peer replies to the FortiGate unit using the source IP
address that was sent in the packet header. However, changes to a dynamic IP address
must be resolved before a remote peer can establish a VPN connection to the domain
name—the remote peer must request a DNS lookup for the matching IP address before
initiating the connection.

Dynamic DNS infrastructure requirements
• A basic gateway-to-gateway configuration must be in place (see “Gateway-to-gateway configurations” on page 793) except one of the FortiGate units has a static domain name and a dynamic IP address instead of a static IP address.
• A DNS server must be available to VPN peers that initiate connections to the domain name. For instructions about how to configure FortiGate units to look up the IP address of a domain name, see the “System Network DNS” section of the FortiGate Administration Guide.
• The FortiGate unit with the domain name must subscribe to one of the supported dynamic DNS services. Contact one of the services to set up an account. For more information and instructions about how to configure the FortiGate unit to push its dynamic IP address to a dynamic DNS server, see the “System Network Interface” section of the FortiGate Administration Guide.

General configuration steps
When a FortiGate unit receives a connection request from a remote VPN peer, it uses
IPsec phase 1 parameters to establish a secure connection and authenticate the VPN
peer. Then, if the firewall policy permits the connection, the FortiGate unit establishes the
tunnel using IPsec phase 2 parameters and applies the firewall policy. Key management,
authentication, and security services are negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration steps must be performed:
• Configure the FortiGate unit that has a domain name with a dynamic IP address. This unit uses a Local ID string to identify itself to the remote peer. See “Configure the dynamically-addressed VPN peer” on page 822.
• Configure the fixed-address VPN peer. To initiate a VPN tunnel with the dynamically-addressed peer, this unit must retrieve the IP address for the domain from the dynamic DNS service. See “Configure the fixed-address VPN peer” on page 824.

Configure the dynamically-addressed VPN peer
Configure the FortiGate unit that has a domain name as follows:
1 Define the phase 1 parameters needed to establish a secure connection with the
remote peer. See “Auto Key phase 1 parameters” on page 929. Select Advanced,
enter these settings and then select OK:
Name: Enter a name to identify the VPN tunnel. This name appears in phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the public interface to the remote peer.
Mode: Select Aggressive.
Enable IPsec Interface Mode: Enable for a route-based VPN. Disable for a policy-based VPN.
Local ID: Type a character string that the local FortiGate unit can use to identify itself to the remote peer (for example, you could type the fully qualified domain name of the FortiGate unit, example.com). This value must be identical to the value in the Accept this peer ID field of the phase 1 remote gateway configuration on the remote peer.

2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
See “Phase 2 parameters” on page 945. Enter these settings in particular:
Name: Enter a name to identify this phase 2 configuration.
Phase 1: Select the name of the phase 1 configuration that you defined.

3 Define names for the addresses or address ranges of the private networks that the
VPN links. These addresses are used in the firewall policies that permit communication
between the networks. For more information, see “Defining firewall addresses” on
page 951.
Enter these settings in particular:
• Define an address name for the IP address and netmask of the private network
behind the local FortiGate unit.
• Define an address name for the IP address and netmask of the private network
behind the remote peer.
4 Define firewall policies to permit communications between the private networks
through the VPN tunnel. Route-based and policy-based VPNs require different firewall
policies. For detailed information about creating firewall policies, see “Defining firewall
policies” on page 952.
Route-based VPN firewall policies
Define ACCEPT firewall policies to permit communication between the private
networks. To define a policy to permit the local FortiGate unit to initiate communication,
enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind this FortiGate unit.
Destination Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Destination Address Name: Select the address name that you defined in Step 3 for the private network behind the remote peer.
Action: Select ACCEPT.
NAT: Disable.
To permit the remote peer to initiate communication, you need to define a firewall
policy for communication in that direction. Enter these settings in particular:
Source Interface/Zone: Select the VPN Tunnel (IPsec Interface) that you configured in Step 1.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind the remote peer.
Destination Interface/Zone: Select the interface that connects to the private network behind this FortiGate unit.
Destination Address Name: Select the address name that you defined in Step 3 for the private network behind this FortiGate unit.
Action: Select ACCEPT.
NAT: Disable.

Policy-based VPN firewall policy
Define an IPsec policy to permit communication between the private networks. Enter
these settings in particular, and then select OK:
Source Interface/Zone: Select the interface that connects to the private network behind this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind this FortiGate unit.
Destination Interface/Zone: Select the FortiGate unit’s public interface.
Destination Address Name: Select the address name that you defined in Step 3 for the private network behind the remote peer.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration that you created in Step 1. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel.

5 Place these policies in the policy list above any other policies having similar source
and destination addresses.

Configure the fixed-address VPN peer
The fixed-address VPN peer needs to retrieve the IP address from the dynamic DNS
service to initiate communication with the dynamically-addressed peer that has a domain
name. Configure the fixed-address peer as follows:
1 Define the phase 1 parameters needed to establish a secure connection with the
remote peer. For more information, see “Auto Key phase 1 parameters” on page 929.
Select Advanced, enter these settings and then select OK:
Name: Enter a name to identify the VPN tunnel. This name appears in phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Dynamic DNS.
Dynamic DNS: Type the fully qualified domain name of the remote peer (for example, example.com).
Mode: Select Aggressive.
Peer Options: Select Accept this peer ID, and type the identifier of the dynamically-addressed FortiGate unit. This is the value you entered in the Local ID field of the other unit’s phase 1 remote gateway configuration.
Enable IPsec Interface Mode: Enable for a route-based VPN. Disable for a policy-based VPN.

2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
See “Phase 2 parameters” on page 945. Enter these settings in particular:
Name: Enter a name to identify this phase 2 configuration.
Phase 1: Select the name of the phase 1 configuration that you defined for the remote peer. You can select the name of the remote gateway from the Dynamic DNS part of the list.

3 Define names for the addresses or address ranges of the private networks that the
VPN links. See “Defining firewall addresses” on page 951. Enter these settings in
particular:
• Define an address name for the IP address and netmask of the private network
behind the local FortiGate unit.
• Define an address name for the IP address and netmask of the private network
behind the remote peer.
4 Define the firewall policies to permit communications between the source and
destination addresses. See “Defining firewall policies” on page 952. Enter these
settings in particular and then select OK:
Route-based VPN firewall policies
Define an ACCEPT firewall policy to permit communications between the source and
destination addresses. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind this FortiGate unit.
Destination Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Destination Address Name: Select the address name that you defined in Step 3 for the private network behind the remote peer.
Action: Select ACCEPT.
NAT: Disable.
To permit the remote peer to initiate communication, you need to define a firewall
policy for communication in that direction. Enter these settings in particular:
Source Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind the remote peer.
Destination Interface/Zone: Select the interface that connects to the private network behind this FortiGate unit.
Destination Address Name: Select the address name that you defined in Step 3 for the private network behind this FortiGate unit.
Action: Select ACCEPT.
NAT: Disable.

Policy-based VPN firewall policy
Source Interface/Zone: Select the interface that connects to the private network behind this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind this FortiGate unit.
Destination Interface/Zone: Select the FortiGate unit’s public interface.
Destination Address Name: Select the address name that you defined in Step 3 for the private network behind the remote peer.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration that you created in Step 1. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel.

5 Place these policies in the policy list above any other policies having similar source
and destination addresses.
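The phase 1 settings of both peers in the dynamic DNS scenario (the dynamically-addressed peer above and the fixed-address peer just described), written as FortiOS CLI for a route-based VPN. This is an added example, not the handbook's own text; it assumes the tunnel names toFixedPeer and toDDNSPeer, the public interface wan1, the domain name example.com from the figure, 172.16.20.1 as a placeholder for the fixed peer's address, a placeholder pre-shared key, and FortiOS 4.x keyword names as the editor recalls them.

```fortios
# Added example (not from the handbook): dynamic DNS gateway-to-gateway
# VPN, phase 1 on each side, FortiOS 4.x CLI. Assumed: names, wan1,
# the fixed peer at 172.16.20.1 (placeholder), placeholder PSK.

# --- On the dynamically-addressed peer (the unit known as example.com).
# Aggressive mode is what lets this unit send its identity (Local ID)
# during phase 1; the fixed peer cannot identify it by source address,
# because that address changes whenever the ISP reassigns it.
config vpn ipsec phase1-interface
    edit "toFixedPeer"
        set type static
        set interface "wan1"
        set remote-gw 172.16.20.1
        set mode aggressive
        set localid "example.com"
        set psksecret "REPLACE_WITH_PRESHARED_KEY"
    next
end

# --- On the fixed-address peer.
# type ddns with remotegw-ddns makes the unit resolve the FQDN before it
# initiates, which is the DNS lookup the text describes. peertype one
# with peerid is the CLI form of "Accept this peer ID": the inbound
# negotiation is accepted only if the presented ID matches the other
# unit's Local ID, in addition to the pre-shared key being correct.
config vpn ipsec phase1-interface
    edit "toDDNSPeer"
        set type ddns
        set interface "wan1"
        set remotegw-ddns "example.com"
        set mode aggressive
        set peertype one
        set peerid "example.com"
        set psksecret "REPLACE_WITH_PRESHARED_KEY"
    next
end

# Phase 2 on each side references its own phase 1 name via
# "set phase1name"; the address objects, policies and static route
# follow the same pattern as the route-based steps above.
```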


FortiClient dialup-client configurations
The FortiClient Endpoint Security application is an IPsec VPN client with antivirus,
antispam and firewall capabilities. This section explains how to configure dialup VPN
connections between a FortiGate unit and one or more FortiClient Endpoint Security
applications.
FortiClient users are usually mobile or remote users who need to connect to a private
network behind a FortiGate unit. For example, the users might be employees who connect
to the office network while traveling or from their homes.
For greatest ease of use, the FortiClient application can download the VPN settings from
the FortiGate unit to configure itself automatically. This section covers both automatic and
manual configuration.
Note: The FortiClient configurations in this guide do not apply to the FortiClient Consumer
Edition, which does not include the IPsec VPN feature.

The following topics are included in this section:
• Configuration overview
• FortiClient-to-FortiGate VPN configuration steps
• Configure the FortiGate unit
• Configure the FortiClient Endpoint Security application
• Adding XAuth authentication
• FortiClient dialup-client configuration example

Configuration overview
Dialup users typically obtain dynamic IP addresses from an ISP through Dynamic Host
Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE). Then,
the FortiClient Endpoint Security application initiates a connection to a FortiGate dialup
server.

Figure 112: Example FortiClient dialup-client configuration (diagram: FortiGate_1 at Site_1 with dialup clients Dialup_1, Dialup_2 and Dialup_3 connecting across the Internet)

By default the FortiClient dialup client has the same IP address as the host PC on which it
runs. If the host connects directly to the Internet, this is a public IP address. If the host is
behind a NAT device, such as a router, the IP address is a private IP address. The NAT
device must be NAT traversal (NAT-T) compatible to pass encrypted packets (see “NAT
traversal” on page 941). The FortiClient application also can be configured to use a virtual
IP address (VIP). For the duration of the connection, the FortiClient application and the
FortiGate unit both use the VIP address as the IP address of the FortiClient dialup client.
The FortiClient application sends its encrypted packets to the VPN remote gateway, which
is usually the public interface of the FortiGate unit. It also uses this interface to download
VPN settings from the FortiGate unit. See “Automatic configuration of FortiClient dialup
clients” on page 828.

Peer identification
The FortiClient application can establish an IPsec tunnel with a FortiGate unit configured
to act as a dialup server. When the FortiGate unit acts as a dialup server, it does not
identify the client using the phase 1 remote gateway address. The IPsec tunnel is
established if authentication is successful and the IPsec firewall policy associated with the
tunnel permits access. There are several different ways to authenticate dialup clients and
restrict access to private networks based on client credentials. For more information, see
“Authenticating remote peers and clients” on page 933.

Automatic configuration of FortiClient dialup clients
The FortiClient application can obtain its VPN settings from the FortiGate VPN server.
FortiClient users need to know only the FortiGate VPN server IP address and their user
name and password on the FortiGate unit.
The FortiGate unit listens for VPN policy requests from clients on TCP port 8900. When
the dialup client connects:
• The client initiates a Secure Sockets Layer (SSL) connection to the FortiGate unit.
• The FortiGate unit requests a user name and password from the FortiClient user. Using these credentials, it authenticates the client and determines which VPN policy applies to the client.
• Provided that authentication is successful, the FortiGate unit downloads a VPN policy to the client over the SSL connection. The information includes IPsec phase 1 and phase 2 settings, and the IP addresses of the private networks that the client is authorized to access.
• The client uses the VPN policy settings to establish an IPsec phase 1 connection and phase 2 tunnel with the FortiGate unit.

How the FortiGate unit determines which settings to apply
The FortiGate unit follows these steps to determine the configuration information to send
to the FortiClient application:
1 Check the virtual domain associated with the connection to determine which VPN
policies might apply.
2 Select the VPN policy that matches the dialup client’s user group and determine which
tunnel (phase 1 configuration) is involved.
3 Check all IPsec firewall policies that use the specified tunnel to determine which
private network(s) the dialup clients may access.
4 Retrieve the rest of the VPN policy information from the existing IPsec phase 1 and
phase 2 parameters in the dialup-client configuration.

Using virtual IP addresses
When the FortiClient host PC is located behind a NAT device, unintended IP address
overlap issues may arise between the private networks at the two ends of the tunnel. For
example, the client’s host might receive a private IP address from a DHCP server on its
network that by co-incidence is the same as a private IP address on the network behind
the FortiGate unit. A conflict will occur in the host’s routing table and the FortiClient
Endpoint Security application will be unable to send traffic through the tunnel. Configuring
virtual IP (VIP) addresses for FortiClient applications prevents this problem.
Using VIPs ensures that client IP addresses are in a predictable range. You can then
define firewall policies that allow access only to that source address range. If you do not
use VIPs, the firewall policies must allow all source addresses because you cannot predict
the IP address for a remote mobile user.
The FortiClient application must not have the same IP address as any host on the private
network behind the FortiGate unit or any other connected FortiClient application. You can
ensure this by reserving a range of IP addresses on the private network for FortiClient
users. Or, you can assign FortiClient VIPs from an uncommonly used subnet such as
10.254.254.0/24 or 192.168.254.0/24.
You can reserve a VIP address for a particular client according to its device MAC address
and type of connection. The DHCP server then always assigns the reserved VIP address
to the client. For more information about this feature, see the “dhcp reserved-address”
section in the “system” chapter of the FortiGate CLI Reference.
Note: On the host computer, you can find out the VIP address that the FortiClient Endpoint
Security application is using. For example:
• On Windows, type ipconfig /all at the Windows Command Prompt.
• On Linux or Mac OS X, type ifconfig in a terminal window.
The output will also show the IP address that has been assigned to the host Network
Interface Card (NIC).

It is best to assign VIPs using DHCP over IPsec. The FortiGate dialup server can act as a
DHCP server or relay requests to an external DHCP server. You can also configure VIPs
manually on FortiClient applications, but it is more difficult to ensure that all clients use
unique addresses.

Note: If you assign a VIP on the private network behind the FortiGate unit and enable
DHCP-IPsec (a phase 2 advanced option), the FortiGate unit acts as a proxy on the local
private network for the FortiClient dialup client. Whenever a host on the network behind the
dialup server issues an ARP request for the device MAC address of the FortiClient host, the
FortiGate unit answers the ARP request on behalf of the FortiClient host and forwards the
associated traffic to the FortiClient host through the tunnel. For more information, see
“DHCP-IPsec” on page 947.
Note: FortiGate units fully support RFC 3456. The FortiGate DHCP over IPsec feature can
be enabled to allocate VIP addresses to FortiClient dialup clients using a FortiGate DHCP
server.

Figure 113 shows an example of a FortiClient-to-FortiGate VPN where the FortiClient
application is assigned a VIP on an uncommonly used subnet. The diagram also shows
that while the destination for the information in the encrypted packets is the private
network behind the FortiGate unit, the destination of the IPsec packets themselves is the
public interface of the FortiGate unit that acts as the end of the VPN tunnel.
Figure 113: IP address assignments in a FortiClient dialup-client configuration (diagram: the dialup client, using VIP address 10.254.254.100, sends IPsec packets across the Internet with destination 172.20.120.141, the public interface of FortiGate_1; the traffic destination carried inside the encrypted packets is 10.11.101.2 on the private network behind FortiGate_1)

Assigning VIPs by RADIUS user group
If you use XAuth authentication, you can assign users the virtual IP address stored in the
Framed-IP-Address field of their record on the RADIUS server. (See RFC 2865 and
RFC 2866 for more information about RADIUS fields.) To do this:
• Set the DHCP server IP Assignment Mode to User-group defined method. This is an Advanced setting. See “To configure a DHCP server on the FortiGate unit” on page 834.
• Create a new firewall user group and add the RADIUS server to it.
• In your phase 1 settings, configure the FortiGate unit as an XAuth server and select from User Group the new user group that you created. For more information, see “Using the FortiGate unit as an XAuth server” on page 942.
• Configure the FortiClient application to use XAuth. See “Adding XAuth authentication” on page 837.

FortiClient dialup-client infrastructure requirements
• To support policy-based VPNs, the FortiGate dialup server may operate in either NAT/Route mode or Transparent mode. NAT/Route mode is required if you want to create a route-based VPN.
• If the FortiClient dialup clients will be configured to obtain VIP addresses through FortiGate DHCP relay, a DHCP server must be available on the network behind the FortiGate unit and the DHCP server must have a direct route to the FortiGate unit.
• If the FortiGate interface to the private network is not the default gateway, the private network behind the FortiGate unit must be configured to route IP traffic destined for dialup clients back (through an appropriate gateway) to the FortiGate interface to the private network. As an alternative, you can configure the IPsec firewall policy on the FortiGate unit to perform inbound NAT on IP packets. Inbound NAT translates the source addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.

FortiClient-to-FortiGate VPN configuration steps
Configuring dialup client capability for FortiClient dialup clients involves the following
general configuration steps:
1 If you will be using VIP addresses to identify dialup clients, determine which VIP
addresses to use. As a precaution, consider using VIP addresses that are not
commonly used.
2 Configure the FortiGate unit to act as a dialup server. See “Configure the FortiGate
unit” on page 831.
3 If the dialup clients will be configured to obtain VIP addresses through DHCP over
IPsec, configure the FortiGate unit to act as a DHCP server or to relay DHCP requests
to an external DHCP server.
4 Configure the dialup clients. See “Configure the FortiClient Endpoint Security
application” on page 836.
Note: When a FortiGate unit has been configured to accept connections from FortiClient
dialup-clients, you can optionally arrange to have an IPsec VPN configuration downloaded
to FortiClient dialup clients automatically. For more information, see “Configuring the
FortiGate unit as a VPN policy server” on page 834.

Configure the FortiGate unit
Configuring the FortiGate unit to establish VPN connections with FortiClient Endpoint
Security users involves the following steps:
1 configure the VPN settings
2 if the dialup clients use automatic configuration, configure the FortiGate unit as a VPN
policy server

3 if the dialup clients obtain VIP addresses by DHCP over IPsec, configure an IPsec
DHCP server or relay
The procedures in this section cover basic setup of policy-based and route-based VPNs
compatible with FortiClient Endpoint Security. A route-based VPN is simpler to configure.

Configuring FortiGate unit VPN settings
To configure FortiGate unit VPN settings to support FortiClient users, you need to:
• configure the FortiGate Phase 1 VPN settings
• configure the FortiGate Phase 2 VPN settings
• add the firewall policy

1 At the local FortiGate unit, define the phase 1 configuration needed to establish a
secure connection with the FortiClient peer. See “Auto Key phase 1 parameters” on
page 929. Enter these settings in particular:
Name: Enter a name to identify the VPN tunnel. This name appears in phase 2
configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Dialup User.
Local Interface: Select the interface through which clients connect to the FortiGate unit.
Mode: Select Main (ID Protection).
Authentication Method: Select Pre-shared Key.
Pre-shared Key: Enter the pre-shared key. This must be the same pre-shared key
provided to the FortiClient users.
Peer Options: Select Accept any peer ID.
Enable IPsec Interface Mode: You must select Advanced to see this setting. If IPsec
Interface Mode is enabled, the FortiGate unit creates a virtual IPsec interface for a
route-based VPN.

2 Define the phase 2 parameters needed to create a VPN tunnel with the FortiClient
peer. See “Phase 2 parameters” on page 945. Enter these settings in particular:
Name: Enter a name to identify this phase 2 configuration.
Phase 1: Select the name of the phase 1 configuration that you defined.
Advanced: Select to configure the following optional setting.
DHCP-IPsec: Select if you provide virtual IP addresses to clients using DHCP.

3 Define names for the addresses or address ranges of the private networks that the
VPN links. These addresses are used in the firewall policies that permit communication
between the networks. For more information, see “Defining firewall addresses” on
page 951.
Enter these settings in particular:
• Define an address name for the individual address or the subnet address that the
dialup users access through the VPN.
• If FortiClient users are assigned VIP addresses, define an address name for the
subnet to which these VIPs belong.

4 Define firewall policies to permit communication between the private networks through
the VPN tunnel. Route-based and policy-based VPNs require different firewall policies.
For detailed information about creating firewall policies, see “Defining firewall policies”
on page 952.
Route-based VPN firewall policies
Define an ACCEPT firewall policy to permit communications between the source and
destination addresses. Enter these settings in particular:
Source Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address Name: Select All.
Destination Interface/Zone: Select the interface that connects to the private network
behind this FortiGate unit.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Disable.
Selecting All for both addresses is the minimum that works. The configuration example
later in this section instead uses the address names defined in Step 3 (the VIP range and
the private network), which limits the policy to the traffic the VPN is meant to carry.
If you want to allow hosts on the private network to initiate communications with the
FortiClient users after the tunnel is established, you need to define a firewall policy for
communication in that direction. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name: Select All.
Destination Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Disable.

Policy-based VPN firewall policy
Define an IPsec firewall policy to permit communications between the source and
destination addresses. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone: Select the FortiGate unit’s public interface.
Destination Address Name: If FortiClient users are assigned VIPs, select the address
name that you defined in Step 3 for the VIP subnet. Otherwise, select All.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration that you created in Step 1.
Select Allow inbound to enable traffic from the remote network to initiate the tunnel.
Select Allow outbound if you want to allow hosts on the private network to initiate
communications with the FortiClient users after the tunnel is established.

5 Place VPN policies in the policy list above any other policies having similar source and
destination addresses.

Configuring the FortiGate unit as a VPN policy server
When a FortiClient application set to automatic configuration connects to the FortiGate
unit, the FortiGate unit requests a user name and password. If the user supplies valid
credentials, the FortiGate unit downloads the VPN settings to the FortiClient application.
You must do the following to configure the FortiGate unit to work as a VPN policy server
for FortiClient automatic configuration:
1 Create user accounts for FortiClient users.
2 Create a user group for FortiClient users and add to it the user accounts that you
created in step 1.
3 Connect to the FortiGate unit CLI and configure VPN policy distribution as follows:
config vpn ipsec forticlient
    edit <policy_name>
        set phase2name <tunnel_name>
        set usergroupname <group_name>
        set status enable
    next
end
<tunnel_name> must be the phase 2 Name you specified in step 2 of “Configuring
FortiGate unit VPN settings” on page 832. <group_name> must be the name of the user
group you created for FortiClient users.

Configuring DHCP service on the FortiGate unit
If the FortiClient dialup clients are configured to obtain a VIP address using DHCP,
configure the FortiGate dialup server to either:
• relay DHCP requests to a DHCP server behind the FortiGate unit (see “To configure
DHCP relay on the FortiGate unit” below), or
• act as a DHCP server (see “To configure a DHCP server on the FortiGate unit” on
page 834).

To configure DHCP relay on the FortiGate unit
1 Go to System > DHCP Server > Service and select Create New.
2 In Interface Name, select the interface that connects to the Internet (for example,
external or wan1).
3 In Mode, select Relay.
4 In Type select IPsec.
5 In the DHCP Server IP field, type the IP address of the DHCP server.
6 Select OK.
7 If a router is installed between the FortiGate unit and the DHCP server, define a static
route to the DHCP server.
To configure a DHCP server on the FortiGate unit
1 Go to System > DHCP Server > Service and select Create New.
2 In Interface Name, select the interface that connects to the Internet (for example,
external or wan1).
3 In Mode, select Server.
4 Select Enable.

5 Enter the following information and select OK:
Type: IPsec
IP Range: Enter the range of VIP addresses that the DHCP server can dynamically assign
to dialup clients when they connect. As a precaution, do not assign VIP addresses that
match the private network behind the FortiGate unit. If you need to exclude specific IP
addresses from the range, you can define an exclusion range (see Advanced... below).
Note: If you will use a RADIUS server to assign VIP addresses, these fields are not
needed.
Network Mask: Enter the network mask of the IP addresses that you specified in the IP
Range fields (for example, 255.255.255.0 for a class C network).
Default Gateway: Enter the IP address of the default gateway that the DHCP server
assigns to DHCP clients.
DNS Service: Select Use System DNS Setting. If you want to use a different DNS server
for VPN clients, select Specify and enter an IP address in DNS Server 0.
Advanced...: Select Advanced to configure any of the following options.
Domain: If you want the FortiGate unit to assign a domain name to dialup clients when
they connect, enter the registered domain name.
Lease Time: Specify a lease time:
• Select Unlimited to allow the dialup client to use the assigned IP address for an
unlimited amount of time (that is, until the client disconnects).
• Enter the amount of time (in days, hours, and minutes) that the dialup client may use
the assigned IP address, after which the dialup client must request new settings from
the DHCP server. The range is from 5 minutes to 100 days.
IP Assignment Mode: Server IP Range assigns addresses from IP Range (default).
User-group defined method assigns addresses from the user’s record on the RADIUS
server. See “Assigning VIPs by RADIUS user group” on page 830.
WINS Server 0, WINS Server 1: Optionally, enter the IP addresses of one or two Windows
Internet Name Service (WINS) servers that dialup clients can access after the tunnel has
been established.
Options: Optionally, you can send up to three DHCP options to the dialup client. Select
Options and enter the option code in the Code field, and if applicable, type any
associated data in the Options field. For more information, see RFC 2132.
Exclude Ranges: To specify any VIP addresses that must be excluded from the VIP
address range, select Exclude Ranges, select the + button and then type the starting
and ending IP addresses. You can add multiple ranges to exclude.

Configure the FortiClient Endpoint Security application
The following procedure explains how to configure the FortiClient Endpoint Security
application to communicate with a remote FortiGate dialup server using the VIP address
that you specify manually.

Configuring FortiClient to work with VPN policy distribution
If the remote FortiGate gateway is configured as a VPN policy server, you can configure
the FortiClient software to download the VPN settings from the FortiGate gateway.
Note: For VPNs with automatic configuration, only preshared keys are supported.
Certificates are not supported.

To add a VPN with automatic configuration on the FortiClient PC
1 Go to VPN > Connections.
2 Select Advanced and then select Add.
3 In the New Connection dialog box, enter a connection name.
4 For Configuration, select Automatic.
5 For Policy Server, enter the IP address or FQDN of the FortiGate gateway.
6 Select OK.

Configuring FortiClient manually
This procedure explains how to configure the FortiClient application manually using the
default IKE and IPsec settings. For more information, refer to the FortiClient Endpoint
Security User Guide.
This procedure includes instructions for configuring a virtual IP for the FortiClient
application, either manually or using DHCP over IPsec.
To create a FortiClient VPN configuration
1 Go to VPN > Connections.
2 Select Advanced and then select Add.
3 Enter the following information:
Connection Name: Enter a descriptive name for the connection.
Configuration: Select Manual.
Remote Gateway: Enter the IP address or the fully qualified domain name (FQDN) of the
remote gateway.
Remote Network: Enter the IP address and netmask of the network behind the FortiGate
unit.
Authentication Method: Select Pre-shared Key.
Pre-shared Key: Enter the pre-shared key.

4 Follow the remaining steps only if you want to configure a VIP. Otherwise, select OK.
5 Select Advanced.
6 Enable Acquire a virtual IP address and then select the adjacent Config button.
7 Enter the following information and select OK.

Options: Select one of these options:
• DHCP: Obtain the virtual IP address from the FortiGate unit using DHCP over IPsec.
• Manually Set: Assign the virtual IP address manually using the settings in the Manual
VIP section.
Manual VIP: These settings are available only if you select Manually Set in the Options
section.
IP: Enter the IP address that the FortiClient dialup client uses. This address must not
conflict with any IP address at either end of the VPN tunnel.
Subnet Mask: Enter the subnet mask for the private network.
DNS Server, WINS Server: Optionally, enter the addresses of the DNS and WINS servers
that the FortiClient user can access through the VPN.

8 Select OK twice to close the dialog boxes.
9 Repeat this procedure for each FortiClient dialup client.

Adding XAuth authentication
Extended Authentication (XAuth) increases security by requiring additional user
authentication in a separate exchange at the end of the VPN phase 1 negotiation. The
FortiGate unit challenges the user for a user name and password. It then forwards the
user’s credentials to an external RADIUS or LDAP server for verification.
Implementation of XAuth requires configuration at both the FortiGate unit and the
FortiClient application. For information about configuring a FortiGate unit as an XAuth
server, see “Using the FortiGate unit as an XAuth server” on page 942. The following
procedure explains how to configure the FortiClient application.
Note: XAuth is not compatible with IKE version 2.

To configure the FortiClient Endpoint Security application
In the FortiClient Endpoint Security application, make the following changes to the VPN
configuration to enable XAuth authentication to the FortiGate unit.
1 Go to VPN > Connections, select the VPN connection you want to modify, and then
select Advanced > Edit.
2 Select Advanced.
3 Select the eXtended Authentication check box and then select the Config button to the
right of it.
4 In the Extended Authentication (XAuth) dialog box, either:
• Select Prompt to login. The FortiClient Endpoint Security application prompts the
user for a user name and password when it receives the XAuth challenge. This is
the default.
• Clear the Prompt to login check box and fill in the User Name and Password fields.
The FortiClient Endpoint Security application automatically responds to the XAuth
challenge with these values.
5 Select OK to close all dialog boxes.
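The FortiGate side of the two procedures above, steps 1 to 3 of “Configuring the FortiGate unit as a VPN policy server” and the XAuth server setup that this section defers to page 942, expressed in the FortiOS CLI. This is an added example, not handbook text. The account name alice, the group name forticlient_users, the policy name fc_policy and the password placeholder are assumptions; the phase 2 name td_2 and the phase 1 name todialups are taken from the configuration example later in this section, and the XAuth stanza assumes the route-based (phase1-interface) form of that phase 1. Lines beginning with # are explanatory and may be rejected by the console, so strip them before pasting.

```fortios
# Local accounts; a RADIUS or LDAP server could back the group instead
# ("config user radius" / "config user ldap"). Name and password are
# placeholders (assumption).
config user local
    edit "alice"
        set type password
        set passwd "use-a-long-random-password"
        set status enable
    next
end
config user group
    edit "forticlient_users"
        set member "alice"
    next
end
# Step 3: policy distribution. phase2name is the phase 2 Name (td_2 in
# the example later in this section), not the phase 1 name.
config vpn ipsec forticlient
    edit "fc_policy"
        set phase2name "td_2"
        set usergroupname "forticlient_users"
        set status enable
    next
end
# FortiGate side of XAuth: after the pre-shared-key phase 1, the unit
# challenges the client for the credentials of a member of the group.
# "auto" accepts either PAP or CHAP from the client. Assumption: the
# dialup phase 1 is the route-based one named as in the example.
config vpn ipsec phase1-interface
    edit "todialups"
        set xauthtype auto
        set authusrgrp "forticlient_users"
    next
end
```

With Accept any peer ID and one shared key, every client presents the same secret, so the XAuth login (or the policy-server login) is what ties a tunnel to a person. Keep both bound to the same group, give each user their own account rather than a shared one, and do not leave the Prompt to login box cleared with a stored password on machines you do not control, since that turns the second factor back into something stored on the client.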

FortiClient dialup-client configuration example
This example demonstrates how to set up a FortiClient dialup-client IPsec VPN that uses
preshared keys for authentication purposes. In the example configuration, the DHCP over
IPsec feature is enabled in the FortiClient Endpoint Security application so that the
FortiClient Endpoint Security application can acquire a VIP address through FortiGate
DHCP server. Both route-based and policy-based solutions are covered.
Figure 114: Example FortiClient dialup-client configuration (diagram not reproduced).
FortiGate_1 connects its LAN (10.11.101.0/24) on Port 2 and the Internet on Port 1
(172.20.120.141). Two dialup clients, Dialup_1 (VIP address 10.254.254.1) and Dialup_2
(VIP address 10.254.254.2), connect across the Internet.
In the example configuration:
• VIP addresses that are not commonly used (in this case, 10.254.254.0/24) are
assigned to the FortiClient dialup clients using a DHCP server.
• The dialup clients are provided access to the LAN behind FortiGate_1.
• The other network devices are assigned IP addresses as shown in Figure 114.

Configuring FortiGate_1
When a FortiGate unit receives a connection request from a dialup client, it uses IPsec
phase 1 parameters to establish a secure connection and authenticate the client. Then, if
the firewall policy permits the connection, the FortiGate unit establishes the tunnel using
IPsec phase 2 parameters and applies the IPsec firewall policy. Key management,
authentication, and security services are negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration steps must be performed at
the FortiGate unit:
• Define the phase 1 parameters that the FortiGate unit needs to authenticate the dialup
clients and establish a secure connection. See “To define the phase 1 parameters” on
page 839.
• Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel
and enable all dialup clients having VIP addresses on the 10.254.254.0/24 network to
connect using the same tunnel definition. See “To define the phase 2 parameters” on
page 839.
• Create firewall policies to control the permitted services and permitted direction of
traffic between the IP source address and the dialup clients. See “To define the firewall
addresses” on page 839.
• Configure the FortiGate unit to service DHCP requests from dialup clients. See “To
configure a DHCP server on the FortiGate unit” on page 840.

To define the phase 1 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
Name: todialups
Remote Gateway: Dialup User
Local Interface: Port 1
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: hardtoguess
Peer Options: Accept any peer ID
Advanced: Select
Enable IPsec Interface Mode: Enable for route-based VPN. Disable for policy-based VPN.

To define the phase 2 parameters
1 Go to VPN > IPSEC > Auto Key and select Create Phase 2.
2 Select Advanced, enter the following information, and select OK:
Name: td_2
Phase 1: todialups
Advanced: DHCP-IPsec

To define the firewall addresses
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: internal_net
Subnet/IP Range: 10.11.101.0/24
Interface: Port 2
3 Select Create New, enter the following information, and select OK:
Address Name: dialups
Subnet/IP Range: 10.254.254.[1-10]
Interface: Route-based VPN: todialups. Policy-based VPN: Any.

The firewall policies for route-based and policy-based VPNs are described in separate
sections below.
To define firewall policies - route-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone: todialups
Source Address Name: dialups
Destination Interface/Zone: Port 2
Destination Address Name: internal_net
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Disable

3 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Port 2
Source Address Name: internal_net
Destination Interface/Zone: todialups
Destination Address Name: dialups
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Disable

4 Place these policies in the policy list above any other policies having similar source
and destination addresses.
To define the firewall policy - policy-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Port 2
Source Address Name: internal_net
Destination Interface/Zone: Port 1
Destination Address Name: dialups
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: todialups
Allow Inbound: Enable
Allow Outbound: Enable if you want to allow hosts on the private network behind the
FortiGate unit to initiate communications with the FortiClient users after the tunnel is
established.
Inbound NAT: Disable
Outbound NAT: Disable

3 Place the policy in the policy list above any other policies having similar source and
destination addresses.
To configure a DHCP server on the FortiGate unit
1 Go to System > DHCP Server > Service and select Create New.
2 Enter the following information and select OK:
Interface Name: Route-based VPN: select the virtual IPsec interface (for example,
todialups). Policy-based VPN: select the public interface (for example, Port 1).
Mode: Server
Type: IPSEC
IP Range: 10.254.254.1 - 10.254.254.10
Network Mask: 255.255.255.0
Default Gateway: 172.20.120.2
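The FortiGate_1 configuration above, expressed in the FortiOS CLI as an added example that is not part of the handbook. It follows the generic procedure in “Configuring FortiGate unit VPN settings” with the values of this example (todialups, td_2, internal_net, dialups, Port 1, Port 2, the 10.254.254.1 to 10.254.254.10 pool and the 172.20.120.2 gateway). The phase 1, phase 2, address and policy keywords are the 4.0-era CLI; the proposal and DH-group lines are assumptions where the GUI procedure leaves defaults, and the DHCP server entry key and field names are assumptions to confirm with ? on your unit, because that part of the CLI changed between 4.0 releases. Lines beginning with # are explanatory and may be rejected by the console, so strip them before pasting.

```fortios
# Route-based variant (IPsec Interface Mode enabled). Proposal and dhgrp
# lines are assumptions: the GUI procedure leaves them at defaults.
config vpn ipsec phase1-interface
    edit "todialups"
        set type dynamic
        set interface "port1"
        set mode main
        set peertype any
        set proposal aes128-sha1 3des-sha1
        set dhgrp 5
        set psksecret hardtoguess
    next
end
config vpn ipsec phase2-interface
    edit "td_2"
        set phase1name "todialups"
        set proposal aes128-sha1 3des-sha1
        set dhcp-ipsec enable
    next
end
config firewall address
    edit "internal_net"
        set subnet 10.11.101.0 255.255.255.0
        set associated-interface "port2"
    next
    edit "dialups"
        set type iprange
        set start-ip 10.254.254.1
        set end-ip 10.254.254.10
        set associated-interface "todialups"
    next
end
# Two policies: dialups -> LAN, and LAN -> dialups (the second only if LAN
# hosts may initiate). "ANY" stands in for "Service: As required"; narrow it.
config firewall policy
    edit 0
        set srcintf "todialups"
        set dstintf "port2"
        set srcaddr "dialups"
        set dstaddr "internal_net"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
    next
    edit 0
        set srcintf "port2"
        set dstintf "todialups"
        set srcaddr "internal_net"
        set dstaddr "dialups"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
    next
end
# DHCP-over-IPsec pool bound to the virtual IPsec interface (bind it to
# port1 for the policy-based variant). Entry key and field names are
# assumptions: verify with "?" on your unit.
config system dhcp server
    edit "vpn_dhcp"
        set type ipsec
        set interface "todialups"
        set start-ip 10.254.254.1
        set end-ip 10.254.254.10
        set netmask 255.255.255.0
        set default-gateway 172.20.120.2
    next
end
# Policy-based variant instead: the same phase 1 and phase 2 entered under
# "config vpn ipsec phase1" / "config vpn ipsec phase2" (no "-interface"),
# the "dialups" address without associated-interface, and one IPsec policy.
config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "internal_net"
        set dstaddr "dialups"
        set action ipsec
        set vpntunnel "todialups"
        set inbound enable
        set outbound disable
        set natinbound disable
        set natoutbound disable
        set schedule "always"
        set service "ANY"
    next
end
```

Before you hand the pre-shared key to users, check that the VIP pool (10.254.254.0/24 here) does not overlap 10.11.101.0/24 or any other network reachable through the tunnel, as the DHCP procedure above warns; an overlap produces exactly the ambiguous-routing failure described for FortiGate dialup clients later in this chapter. After a client connects, diagnose vpn tunnel list on the unit shows the negotiated selectors and the VIP the client is using, which is the quickest way to tell a policy problem from a phase 1 or phase 2 mismatch.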

Configuring the FortiClient Endpoint Security application
The following procedure explains how to configure the FortiClient Endpoint Security
application to connect to FortiGate_1 and broadcast a DHCP request. The dialup client
uses the VIP address acquired from the FortiGate DHCP server configured above as its
IP source address for the duration of the connection.
To configure FortiClient
1 At the remote host, start FortiClient.
2 Go to VPN > Connections and select Advanced > Add.
3 Enter the following settings:
Connection Name: Office
VPN Type: Manual IPsec
Remote Gateway: 172.20.120.141
Remote Network: 10.11.101.0 / 255.255.255.0
Authentication Method: Preshared Key
Preshared Key: hardtoguess

4 Select Advanced.
5 In the Advanced Settings dialog box, select Acquire virtual IP address and then select
Config.
6 Verify that the Dynamic Host Configuration Protocol (DHCP) over IPsec option is
selected, and then select OK.
7 Select OK twice to close the dialog boxes.
8 Exit FortiClient and repeat this procedure at all other remote hosts.

FortiGate dialup-client configurations
This section explains how to set up a FortiGate dialup-client IPsec VPN. In a FortiGate
dialup-client configuration, a FortiGate unit with a static IP address acts as a dialup server
and a FortiGate unit having a dynamic IP address initiates a VPN tunnel with the FortiGate
dialup server.
The following topics are included in this section:
• Configuration overview
• FortiGate dialup-client configuration steps
• Configure the server to accept FortiGate dialup-client connections
• Configure the FortiGate dialup client

Configuration overview
A dialup client can be a FortiGate unit—the FortiGate dialup client typically obtains a
dynamic IP address from an ISP through the Dynamic Host Configuration Protocol
(DHCP) or Point-to-Point Protocol over Ethernet (PPPoE) before initiating a connection to
a FortiGate dialup server.
Figure 115: Example FortiGate dialup-client configuration (diagram not reproduced).
FortiGate_1 at Site_1 and FG_Dialup at Site_2 are connected across the Internet;
FG_Dialup is the FortiGate dialup client.

In a dialup-client configuration, the FortiGate dialup server does not rely on a phase 1
remote gateway address to establish an IPsec VPN connection with dialup clients. As long
as authentication is successful and the IPsec firewall policy associated with the tunnel
permits access, the tunnel is established.
Several different ways to authenticate dialup clients and restrict access to private
networks based on client credentials are available. To authenticate FortiGate dialup clients
and help to distinguish them from FortiClient dialup clients when multiple clients will be
connecting to the VPN through the same tunnel, we recommend that you assign a unique
identifier (local ID) to each FortiGate dialup client. For more information, see
“Authenticating remote peers and clients” on page 933.

Note: Whenever you add a unique identifier (local ID) to a FortiGate dialup client for
identification purposes, you must select Aggressive mode on the FortiGate dialup server
and also specify the identifier as a peer ID on the FortiGate dialup server. For more
information, see “Enabling VPN access using user accounts and pre-shared keys” on
page 937.

Users behind the FortiGate dialup server cannot initiate the tunnel because the FortiGate
dialup client does not have a static IP address. After the tunnel is initiated by users behind
the FortiGate dialup client, traffic from the private network behind the FortiGate dialup
server can be sent to the private network behind the FortiGate dialup client.
Encrypted packets from the FortiGate dialup client are addressed to the public interface of
the dialup server. Encrypted packets from the dialup server are addressed either to the
public IP address of the FortiGate dialup client (if the dialup client connects to the Internet
directly), or if the FortiGate dialup client is behind a NAT device, encrypted packets from
the dialup server are addressed to the public IP address of the NAT device.
Note: If a router with NAT capabilities is in front of the FortiGate dialup client, the router
must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more
information, see “NAT traversal” on page 941.

When the FortiGate dialup server decrypts a packet from the FortiGate dialup client, the
source address in the decrypted (inner) IP header is the private IP address of a host or
server on the network behind the FortiGate dialup client. The outer address that the
encrypted packets arrive from depends on the configuration of the network at the far end
of the tunnel:
• If the FortiGate dialup client connects to the Internet directly, the encrypted packets
arrive from the public IP address of the FortiGate dialup client.
• If the FortiGate dialup client is behind a NAT device, the encrypted packets arrive from
the public IP address of the NAT device. The NAT device rewrites only the outer header;
it cannot alter the encrypted inner header, so the source address the dialup server sees
after decryption is still the private host address behind the dialup client.
In some cases, computers on the private network behind the FortiGate dialup client may
(by coincidence) have IP addresses that are already used by computers on the network
behind the FortiGate dialup server. In this type of situation (ambiguous routing), conflicts
may occur in one or both of the FortiGate routing tables and traffic destined for the remote
network through the tunnel may not be sent.
In many cases, computers on the private network behind the FortiGate dialup client will
most likely obtain IP addresses from a local DHCP server behind the FortiGate dialup
client. However, unless the local and remote networks use different private network
address spaces, unintended ambiguous routing and/or IP-address overlap issues may
arise.
To avoid these issues, you can configure FortiGate DHCP relay on the dialup client
instead of using a DHCP server on the network behind the dialup client. The FortiGate
dialup client can be configured to relay DHCP requests from the local private network to a
DHCP server that resides on the network behind the FortiGate dialup server (see
Figure 116 on page 845). You configure the FortiGate dialup client to pass traffic from the
local private network to the remote network by enabling FortiGate DHCP relay on the
FortiGate dialup client interface that is connected to the local private network.

Figure 116: Preventing network overlap in a FortiGate dialup-client configuration
(diagram not reproduced). FG_Dialup at Site_2 relays DHCP discovery messages through
the tunnel to the DHCP server behind FortiGate_1 at Site_1; the DHCP discovery
message initiates the tunnel.

Afterward, when a computer on the network behind the dialup client broadcasts a DHCP
request, the dialup client relays the message through the tunnel to the remote DHCP
server. The remote DHCP server responds with a private IP address for the computer. To
avoid ambiguous routing and network overlap issues, the IP addresses assigned to
computers behind the dialup client cannot match the network address space used by the
private network behind the FortiGate dialup server.
When the DHCP server resides on the private network behind the FortiGate dialup server
as shown in Figure 116, the IP destination address specified in the IPsec firewall policy on
the FortiGate dialup client must refer to that network.
Note: If the DHCP server is not directly connected to the private network behind the
FortiGate dialup server (that is, its IP address does not match the IP address of the private
network), you must add (to the FortiGate dialup client’s routing table) a static route to the
DHCP server, and the IP destination address specified in the IPsec firewall policy on the
FortiGate dialup client must refer to the DHCP server address. In this case, the DHCP
server must be configured to assign IP addresses that do not belong to the network on
which the DHCP server resides. In addition, the IP addresses cannot match the network
address space used by the private network behind the FortiGate dialup server.

FortiGate dialup-client infrastructure requirements
• To support a policy-based VPN, the FortiGate dialup server may operate in either
NAT/Route mode or Transparent mode. NAT/Route mode is required if you want to
create a route-based VPN.
• The FortiGate dialup server has a static public IP address.
• Computers on the private network behind the FortiGate dialup client can obtain IP
addresses either from a DHCP server behind the FortiGate dialup client, or a DHCP
server behind the FortiGate dialup server.
  • If the DHCP server resides on the network behind the dialup client, the DHCP
  server must be configured to assign IP addresses that do not match the private
  network behind the FortiGate dialup server.
  • If the DHCP server resides on the network behind the FortiGate dialup server, the
  DHCP server must be configured to assign IP addresses that do not match the
  private network behind the FortiGate dialup client. In addition, the FortiGate dialup
  client routing table must contain a static route to the DHCP server (see the “Router
  Static” chapter of the FortiGate Administration Guide).

FortiGate dialup-client configuration steps
The procedures in this section assume that computers on the private network behind the
FortiGate dialup client obtain IP addresses from a local DHCP server. The assigned IP
addresses do not match the private network behind the FortiGate dialup server.
Note: In situations where IP-address overlap between the local and remote private
networks is likely to occur, FortiGate DHCP relay can be configured on the FortiGate dialup
client to relay DHCP requests to a DHCP server behind the FortiGate dialup server. For
more information, see “To configure DHCP relay on the FortiGate unit” on page 834.

Configuring dialup client capability for FortiGate dialup clients involves the following
general configuration steps:
• Determine which IP addresses to assign to the private network behind the FortiGate
dialup client, and add the IP addresses to the DHCP server behind the FortiGate dialup
client. Refer to the software supplier’s documentation to configure the DHCP server.
• Configure the FortiGate dialup server. See “Configure the server to accept FortiGate
dialup-client connections” on page 846.
• Configure the FortiGate dialup client. See “Configure the FortiGate dialup client” on
page 848.

Configure the server to accept FortiGate dialup-client connections
Before you begin, optionally reserve a unique identifier (peer ID) for the FortiGate dialup
client. The dialup client will supply this value to the FortiGate dialup server for
authentication purposes during the IPsec phase 1 exchange. In addition, the value will
enable you to distinguish FortiGate dialup-client connections from FortiClient dialup-client
connections. The same value must be specified on the dialup server and on the dialup
client.
1 At the FortiGate dialup server, define the phase 1 parameters needed to authenticate
the FortiGate dialup client and establish a secure connection. See “Auto Key phase 1
parameters” on page 929. Enter these settings in particular:
Name: Enter a name to identify the VPN tunnel. This name appears in phase 2
  configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Dialup User.
Local Interface: Select the interface through which clients connect to the FortiGate unit.
Mode: If you will be assigning an ID to the FortiGate dialup client, select Aggressive.
Peer Options: If you will be assigning an ID to the FortiGate dialup client, select
  Accept this peer ID and type the identifier that you reserved for the FortiGate dialup
  client into the adjacent field.
Enable IPsec Interface Mode: You must select Advanced to see this setting. If IPsec
  Interface Mode is enabled, the FortiGate unit creates a virtual IPsec interface for a
  route-based VPN. Disable this option if you want to create a policy-based VPN. After
  you select OK to create the phase 1 configuration, you cannot change this setting.

2 Define the phase 2 parameters needed to create a VPN tunnel with the FortiGate
dialup client. See “Phase 2 parameters” on page 945. Enter these settings in particular:

Name: Enter a name to identify this phase 2 configuration.
Phase 1: Select the name of the phase 1 configuration that you defined.

3 Define names for the addresses or address ranges of the private networks that the
VPN links. See “Defining firewall addresses” on page 951. Enter these settings in
particular:
• Define an address name for the server, host, or network behind the FortiGate dialup
server.
• Define an address name for the private network behind the FortiGate dialup client.
4 Define the firewall policies to permit communications between the private networks
through the VPN tunnel. Route-based and policy-based VPNs require different firewall
policies. For detailed information about creating firewall policies, see “Defining firewall
policies” on page 952.
Route-based VPN firewall policy
Define an ACCEPT firewall policy to permit communications between hosts on the
private network behind the FortiGate dialup client and the private network behind this
FortiGate dialup server. Because communication cannot be initiated in the opposite
direction, there is only one policy. Enter these settings in particular:
Source Interface/Zone: Select the VPN tunnel (IPsec interface) created in Step 1.
Source Address Name: Select All.
Destination Interface/Zone: Select the interface that connects to the private network
  behind this FortiGate unit.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Disable.

Policy-based VPN firewall policy
Define an IPsec firewall policy. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind
  this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the
  private network behind this FortiGate unit.
Destination Interface/Zone: Select the FortiGate unit’s public interface.
Destination Address Name: Select the address name that you defined in Step 3.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration that you created in Step 1.
  Select Allow inbound to enable traffic from the remote network to initiate the tunnel.
  Clear Allow outbound to prevent traffic from the local network from initiating the
  tunnel after the tunnel has been established.

5 Place the policy in the policy list above any other policies having similar source and
destination addresses.

Configure the FortiGate dialup client
Configure the FortiGate dialup client as follows:
1 At the FortiGate dialup client, define the phase 1 parameters needed to authenticate
the dialup server and establish a secure connection. See “Auto Key phase 1
parameters” on page 929. Enter these settings in particular:
Name: Enter a name to identify the VPN tunnel. This name appears in phase 2
  configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the dialup server’s public interface.
Local Interface: Select the interface that connects to the public network.
Mode: Because the FortiGate dialup client has a dynamic IP address, select Aggressive.
Advanced: Select to view the following options.
Local ID: If you defined a peer ID for the dialup client in the FortiGate dialup server
  configuration, enter the identifier of the dialup client. The value must be identical to
  the peer ID that you specified previously in the FortiGate dialup server configuration.
Enable IPsec Interface Mode: If IPsec Interface Mode is enabled, the FortiGate unit
  creates a virtual IPsec interface for a route-based VPN. Disable this option if you want
  to create a policy-based VPN. After you select OK to create the phase 1 configuration,
  you cannot change this setting.

2 Define the phase 2 parameters needed to create a VPN tunnel with the dialup server.
See “Phase 2 parameters” on page 945. Enter these settings in particular:
Name: Enter a name to identify this phase 2 configuration.
Phase 1: Select the set of phase 1 parameters that you defined in step 1.

3 Define names for the addresses or address ranges of the private networks that the
VPN links. See “Defining firewall addresses” on page 951. Enter these settings in
particular:
• Define an address name for the server, host, or network behind the FortiGate dialup
server.
• Define an address name for the private network behind the FortiGate dialup client.
4 Define firewall policies to permit communication between the private networks through
the VPN tunnel. Route-based and policy-based VPNs require different firewall policies.
For detailed information about creating firewall policies, see “Defining firewall policies”
on page 952.
Route-based VPN firewall policy
Define an ACCEPT firewall policy to permit communications between hosts on the
private network behind this FortiGate dialup client and the private network behind the
FortiGate dialup server. Because communication cannot be initiated in the opposite
direction, there is only one policy. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind
  this FortiGate unit.
Source Address Name: Select All.
Destination Interface/Zone: Select the VPN tunnel (IPsec interface) created in Step 1.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Disable.

Policy-based VPN firewall policy
Define an IPsec firewall policy to permit communications between the source and
destination addresses. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind
  this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the
  private network behind this FortiGate unit.
Destination Interface/Zone: Select the FortiGate unit’s public interface.
Destination Address Name: Select the address name that you defined in Step 3 for the
  private network behind the dialup server.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration that you created in Step 1.
  Clear Allow inbound to prevent traffic from the remote network from initiating the
  tunnel after the tunnel has been established. Select Allow outbound to enable traffic
  from the local network to initiate the tunnel.

5 Place the policy in the policy list above any other policies having similar source and
destination addresses.


Supporting IKE Mode config clients
IKE Mode Config is an alternative to DHCP over IPsec. A FortiGate unit can be configured
as either an IKE Mode Config server or client. This chapter contains the following sections:
• Automatic configuration overview
• IKE Mode Config overview
• Configuring IKE Mode Config
• Example: FortiGate unit as IKE Mode Config server
• Example: FortiGate unit as IKE Mode Config client
Automatic configuration overview
VPN configuration for remote clients is simpler if it is automated. Several protocols support
automatic configuration:
• The Fortinet FortiClient Endpoint Security application can completely configure a VPN
  connection with a suitably configured FortiGate unit given only the FortiGate unit’s
  address. This protocol is exclusive to Fortinet. For more information, see the
  “FortiClient dialup-client configurations” chapter.
• DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. The
  user must first configure IPsec parameters such as gateway address, encryption and
  authentication algorithms.
• IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.
  The user must first configure IPsec parameters such as gateway address, encryption
  and authentication algorithms. Several network equipment vendors support IKE Mode
  Config, which is described in the ISAKMP Configuration Method document
  draft-dukes-ike-mode-cfg-02.txt.

This chapter describes how to configure a FortiGate unit as either an IKE Mode Config
server or client.

IKE Mode Config overview
Dialup VPN clients connect to a FortiGate unit that acts as a VPN server, providing the
client the necessary configuration information to establish a VPN tunnel. The configuration
information typically includes a virtual IP address, netmask, and DNS server address.
IKE Mode Config is available only for VPNs that are route-based, also known as
interface-based. A FortiGate unit can function as either an IKE Configuration Method
server or client. IKE Mode Config is configurable only in the CLI.

Configuring IKE Mode Config
IKE Mode Config is configured with the CLI command vpn ipsec phase1-interface.
The mode-cfg variable enables IKE Mode Config. The type field determines whether
you are creating an IKE Mode Config server or a client. Setting type to dynamic
creates a server configuration, otherwise the configuration is a client.

Configuring an IKE Mode Config client
If the FortiGate unit will connect as a dialup client to a remote gateway that supports IKE
Mode Config, the relevant vpn ipsec phase1-interface variables are as follows:
Variable: Description
ike-version 1: IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is not
  compatible with IKE v2.
mode-cfg enable: Enable IKE Mode Config.
type {ddns | static}: Set to ddns or static as needed. If you set type to dynamic, an
  IKE Mode Config server is created.
assign-ip {enable | disable}: Enable to request an IP address from the server.
interface <interface_name>: This is a regular IPsec VPN field. Specify the physical,
  aggregate, or VLAN interface to which the IPsec tunnel will be bound.
proposal <encryption_combination>: This is a regular IPsec VPN field that determines
  the encryption and authentication settings that the client will accept. For more
  information, see “Defining IKE negotiation parameters” on page 938.
mode-cfg-ip-version {4 | 6}: Select whether an IKE Configuration Method client receives
  an IPv4 or IPv6 IP address. The default is 4. This setting should match the
  ip-version setting.
ip-version <4 | 6>: This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4
  addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

Configuring an IKE Mode Config server
If the FortiGate unit will accept connection requests from dialup clients that support IKE
Mode Config, the following vpn ipsec phase1-interface settings are required
before any other configuration is attempted:
Variable: Description
ike-version 1: IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is not
  compatible with IKE v2.
mode-cfg enable: Enable IKE Mode Config.
type dynamic: Any other setting creates an IKE Mode Config client.
interface <interface_name>: This is a regular IPsec VPN field. Specify the physical,
  aggregate, or VLAN interface to which the IPsec tunnel will be bound.
proposal <encryption_combination>: This is a regular IPsec VPN field that determines
  the encryption and authentication settings that the server will accept. For more
  information, see “Defining IKE negotiation parameters” on page 938.
ip-version <4 | 6>: This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4
  addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

After you have enabled the basic configuration, you can configure:
• IP address assignment for clients
• DNS and WINS server assignment

IP address assignment
Usually you will want to assign IP addresses to clients. The simplest method is to assign
addresses from a specific range, similar to a DHCP server.
If your clients are authenticated by a RADIUS server, you can obtain the user’s IP address
assignment from the Framed-IP-Address attribute. The user must be authenticated using
XAuth.
To assign IP addresses from an address range
If your VPN uses IPv4 addresses,
    config vpn ipsec phase1-interface
        edit vpn1
            set mode-cfg-ipversion 4
            set assign-ip enable
            set assign-ip-type ip
            set assign-ip-from range
            set ipv4-start-ip <range_start>
            set ipv4-end-ip <range_end>
            set ipv4-netmask <netmask>
    end
If your VPN uses IPv6 addresses,
    config vpn ipsec phase1-interface
        edit vpn1
            set mode-cfg-ipversion 6
            set assign-ip enable
            set assign-ip-type ip
            set assign-ip-from range
            set ipv6-start-ip <range_start>
            set ipv6-end-ip <range_end>
    end
To assign IP addresses from a RADIUS server
The users must be authenticated by a RADIUS server and assigned to the FortiGate user
group <grpname>.
    config vpn ipsec phase1-interface
        edit vpn1
            set assign-ip enable
            set assign-ip-type ip
            set assign-ip-from usrgrp
            set xauthtype auto
            set authusrgrp <grpname>
    end

Example: FortiGate unit as IKE Mode Config server
In this example, the FortiGate unit assigns IKE Mode Config clients addresses in the
range of 10.11.101.160 through 10.11.101.180. DNS and WINS server addresses are also
provided. The public interface of the FortiGate unit is Port 1.
The ipv4-split-include variable specifies a firewall address that represents the
networks to which the clients will have access. This destination IP address information is
sent to the clients.


Only the CLI fields required for IKE Mode Config are shown here. For detailed information
about these variables, see the FortiGate CLI Reference.
    config vpn ipsec phase1-interface
        edit vpn1
            set ip-version 4
            set type dynamic
            set interface port1
            set proposal 3des-sha1 aes128-sha1
            set mode-cfg enable
            set mode-cfg-ipversion 4
            set assign-ip enable
            set assign-ip-type ip
            set assign-ip-from range
            set ipv4-start-ip 10.11.101.160
            set ipv4-end-ip 10.11.101.180
            set ipv4-netmask 255.255.255.0
            set dns-server1 10.11.101.199
            set dns-server2 66.11.168.195
            set wins-server1 10.11.101.191
            set domain example
            set ipv4-split-include OfficeLAN
    end

Example: FortiGate unit as IKE Mode Config client
In this example, the FortiGate unit connects to a VPN gateway with a static IP address that
can be reached through Port 1. Only the port, gateway and proposal information needs to
be configured. All other configuration information will come from the IKE Mode Config
server.
    config vpn ipsec phase1-interface
        edit vpn1
            set ip-version 4
            set type static
            set remote-gw <gw_address>
            set interface port1
            set proposal 3des-sha1 aes128-sha1
            set mode-cfg enable
            set mode-cfg-ipversion 4
            set assign-ip enable
    end
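As an added example that is not Fortinet code and not part of the handbook, the following Python checks a settings dictionary against the rules this chapter states for vpn ipsec phase1-interface (IKE v1 only, type dynamic makes a server, mode-cfg-ipversion must match ip-version, a range pool must lie inside its netmask) and renders it as the CLI block shown in the server and client examples above. ModeConfigError, mode_config_role, _check_pool, rejects, render_phase1 and the two settings dictionaries are this example's own names; <gw_address> is the page's placeholder.

```python
import ipaddress

# Keys in the order the handbook's CLI examples list them (rendering order only).
_ORDER = [
    "ip-version", "type", "remote-gw", "interface", "proposal",
    "mode-cfg", "mode-cfg-ipversion", "assign-ip", "assign-ip-type",
    "assign-ip-from", "ipv4-start-ip", "ipv4-end-ip", "ipv4-netmask",
    "ipv6-start-ip", "ipv6-end-ip", "dns-server1", "dns-server2",
    "wins-server1", "domain", "ipv4-split-include", "xauthtype", "authusrgrp",
]

class ModeConfigError(ValueError):
    """A setting combination the handbook says will not work."""

def mode_config_role(settings):
    """Validate a phase1-interface settings dict; return 'server' or 'client'."""
    if int(settings.get("ike-version", 1)) != 1:  # Mode Config is IKE v1 only
        raise ModeConfigError("IKE Mode Config is not compatible with IKE v2")
    if settings.get("mode-cfg") != "enable":
        raise ModeConfigError("mode-cfg must be set to enable")
    ip_version = int(settings.get("ip-version", 4))
    if int(settings.get("mode-cfg-ipversion", 4)) != ip_version:
        raise ModeConfigError("mode-cfg-ipversion must match ip-version")
    if "interface" not in settings or "proposal" not in settings:
        raise ModeConfigError("interface and proposal are required fields")
    vpn_type = settings.get("type")
    if vpn_type == "dynamic":  # type dynamic makes this unit the server
        if settings.get("assign-ip") == "enable":
            _check_pool(settings, ip_version)
        return "server"
    # Any other type is a client; the handbook lists ddns and static.
    if vpn_type not in ("static", "ddns"):
        raise ModeConfigError("a client needs type static or type ddns")
    if vpn_type == "static" and "remote-gw" not in settings:
        raise ModeConfigError("a static client needs remote-gw")
    return "client"

def _check_pool(s, ip_version):
    """Check a server's client address pool (address range or RADIUS user group)."""
    source = s.get("assign-ip-from")
    if source == "usrgrp":
        # Framed-IP-Address from RADIUS needs XAuth and an authentication group.
        if "xauthtype" not in s or "authusrgrp" not in s:
            raise ModeConfigError("usrgrp assignment needs xauthtype and authusrgrp")
        return
    if source != "range":
        raise ModeConfigError("assign-ip-from must be range or usrgrp")
    if ip_version == 4:
        start = ipaddress.IPv4Address(s["ipv4-start-ip"])
        end = ipaddress.IPv4Address(s["ipv4-end-ip"])
        # Both ends of the pool must sit inside the subnet given by ipv4-netmask.
        subnet = ipaddress.IPv4Network(
            (s["ipv4-start-ip"], s["ipv4-netmask"]), strict=False)
        if end not in subnet:
            raise ModeConfigError("ipv4-end-ip lies outside the ipv4-netmask subnet")
    else:
        start = ipaddress.IPv6Address(s["ipv6-start-ip"])
        end = ipaddress.IPv6Address(s["ipv6-end-ip"])
    if start > end:
        raise ModeConfigError("pool start address is after pool end address")

def rejects(settings):
    """True if mode_config_role() refuses the settings."""
    try:
        mode_config_role(settings)
    except ModeConfigError:
        return True
    return False

def render_phase1(name, settings):
    """Render the settings as the CLI block the handbook examples show."""
    lines = ["config vpn ipsec phase1-interface", f"    edit {name}"]
    for key in _ORDER:
        if key in settings:
            lines.append(f"        set {key} {settings[key]}")
    lines.append("end")
    return "\n".join(lines)

# The handbook's server example as a settings dict (values taken from the page).
SERVER_EXAMPLE = {
    "ip-version": 4, "type": "dynamic", "interface": "port1",
    "proposal": "3des-sha1 aes128-sha1", "mode-cfg": "enable",
    "mode-cfg-ipversion": 4, "assign-ip": "enable", "assign-ip-type": "ip",
    "assign-ip-from": "range", "ipv4-start-ip": "10.11.101.160",
    "ipv4-end-ip": "10.11.101.180", "ipv4-netmask": "255.255.255.0",
    "dns-server1": "10.11.101.199", "dns-server2": "66.11.168.195",
    "wins-server1": "10.11.101.191", "domain": "example",
    "ipv4-split-include": "OfficeLAN",
}

# The handbook's client example; <gw_address> is the page's own placeholder.
CLIENT_EXAMPLE = {
    "ip-version": 4, "type": "static", "remote-gw": "<gw_address>",
    "interface": "port1", "proposal": "3des-sha1 aes128-sha1",
    "mode-cfg": "enable", "mode-cfg-ipversion": 4, "assign-ip": "enable",
}
```

Calling mode_config_role(SERVER_EXAMPLE) returns "server" and render_phase1("vpn1", SERVER_EXAMPLE) reproduces the block above; switching ike-version to 2 or moving ipv4-end-ip out of the /24 raises ModeConfigError.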


Internet-browsing configuration
This section explains how to support secure web browsing performed by dialup VPN
clients, and/or hosts behind a remote VPN peer. Remote users can access the private
network behind the local FortiGate unit and browse the Internet securely. All traffic
generated remotely is subject to the firewall policy that controls traffic on the private
network behind the local FortiGate unit.
The following topics are included in this section:
• Configuration overview
• Creating an Internet browsing firewall policy
• Routing all remote traffic through the VPN tunnel

Configuration overview
A VPN provides secure access to a private network behind the FortiGate unit. You can
also enable VPN clients to access the Internet securely. The FortiGate unit inspects and
processes all traffic between the VPN clients and hosts on the Internet according to the
Internet browsing policy. This is accomplished even though the same FortiGate interface
is used for both encrypted VPN client traffic and unencrypted Internet traffic.
In Figure 117, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint
Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2,
which could be a VPN peer or a dialup client.
Figure 117: Example Internet-browsing configuration (diagram: Site_1 behind FortiGate_1;
Dialup_1 and Site_2 behind FG_Dialup_2 reach FortiGate_1 across the Internet; users
browse the Internet, including a web server, through the VPN tunnel)


You can adapt any of the following configurations to provide secure Internet browsing:
• a gateway-to-gateway configuration (see “Gateway-to-gateway configurations” on
  page 793)
• a FortiClient dialup-client configuration (see “FortiClient dialup-client configurations”
  on page 827)
• a FortiGate dialup-client configuration (see “FortiGate dialup-client configurations” on
  page 843)

The procedures in this section assume that one of these configurations is in place, and
that it is operating properly.
To create an internet-browsing configuration based on an existing gateway-to-gateway
configuration, you must edit the gateway-to-gateway configuration as follows:
• On the FortiGate unit that will provide Internet access, create an Internet browsing
  firewall policy. See “Creating an Internet browsing firewall policy”, below.
• Configure the remote peer or client to route all traffic through the VPN tunnel. You can
  do this on a FortiGate unit or on a FortiClient Endpoint Security application. See
  “Routing all remote traffic through the VPN tunnel” on page 857.

Creating an Internet browsing firewall policy
On the FortiGate unit that acts as a VPN server and will provide secure access to the
Internet, you must create an Internet browsing firewall policy. This policy differs depending
on whether your gateway-to-gateway configuration is policy-based or route-based.
To create an Internet browsing policy - policy-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information and then select OK:
Source Interface: The interface to which the VPN tunnel is bound.
Source Address Name: All
Destination Interface: The interface to which the VPN tunnel is bound.
Destination Address Name: The internal address range of the remote spoke site.
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: Select the tunnel that provides access to the private network behind the
  FortiGate unit.
UTM: Select the UTM feature profiles that you want to apply to Internet access.
Allow Inbound: Enable
Allow Outbound: Enable
Inbound NAT: Enable
Configure other settings as needed.

To create an Internet browsing policy - route-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information and then select OK:


Source Interface: The IPsec VPN interface.
Source Address Name: All
Destination Interface: The interface that connects to the Internet. The virtual IPsec
  interface is configured on this physical interface.
Destination Address Name: All
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Enable
UTM: Select the UTM features that you want to apply to Internet access.
Configure other settings as needed.

The VPN clients must be configured to route all Internet traffic through the VPN tunnel.

Routing all remote traffic through the VPN tunnel
To make use of the Internet browsing configuration on the VPN server, the VPN peer or
client must route all traffic through the VPN tunnel. Usually, only the traffic destined for the
private network behind the FortiGate VPN server is sent through the tunnel.
The remote end of the VPN can be a FortiGate unit that acts as a peer in a
gateway-to-gateway configuration or a FortiClient Endpoint Security application that
protects an individual client such as a notebook PC.
• To configure a remote peer FortiGate unit for Internet browsing via VPN, see
  “Configuring a FortiGate remote peer to support Internet browsing”.
• To configure a FortiClient Endpoint Security application for Internet browsing via VPN,
  see “Configuring a FortiClient application to support Internet browsing” on page 858.

These procedures assume that your VPN connection to the protected private network is
working and that you have configured the FortiGate VPN server for Internet browsing as
described in “Creating an Internet browsing firewall policy” on page 856.

Configuring a FortiGate remote peer to support Internet browsing
The configuration changes to send all traffic through the VPN differ for policy-based and
route-based VPNs.
To route all traffic through a policy-based VPN
1 At the FortiGate dialup client, go to Firewall > Policy > Policy.
2 Select the IPsec firewall policy and then select Edit.
3 From the Destination Address list, select all.
4 Select OK.
All packets are routed through the VPN tunnel, not just packets destined for the protected
private network.
To route all traffic through a route-based VPN
1 At the FortiGate dialup client, go to Router > Static > Static Route.
2 Select the default route (destination IP 0.0.0.0) and then select Edit. If there is no
default route, select Create New. Enter the following information and select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: Select the IPsec virtual interface.
Distance: Leave at default.

All packets are routed through the VPN tunnel, not just packets destined for the protected
private network.

Configuring a FortiClient application to support Internet browsing
By default, the FortiClient application configures the PC so that traffic destined for the
remote protected network passes through the VPN tunnel but all other traffic is sent to the
default gateway. You need to modify the FortiClient settings so that it configures the PC to
route all outbound traffic through the VPN.
To route all traffic through VPN - FortiClient application
1 At the remote host, start FortiClient.
2 Go to VPN > Connections.
3 Select the definition that connects FortiClient to the FortiGate dialup server.
4 Select Advanced and then select Edit.
5 In the Edit Connection dialog box, select Advanced.
6 In the Remote Network group, select Add.
7 In the IP and Subnet Mask fields, type 0.0.0.0/0.0.0.0 and select OK.
The address is added to the Remote Network list. The first destination IP address in
the list establishes a VPN tunnel. The second destination address
(0.0.0.0/0.0.0.0 in this case) forces all other traffic through the VPN tunnel.
8 Select OK twice to close the dialog boxes.


Redundant VPN configurations
This section discusses the options for supporting redundant and partially redundant IPsec
VPNs, using route-based approaches.
The following topics are included in this section:
• Configuration overview
• General configuration steps
• Configure the VPN peers - route-based VPN
• Redundant route-based VPN configuration example
• Partially-redundant route-based VPN example
• Creating a backup IPsec interface

Configuration overview
A FortiGate unit with two interfaces to the Internet can be configured to support redundant
VPNs to the same remote peer. If the primary connection fails, the FortiGate unit can
establish a VPN using the other connection.
A fully-redundant configuration requires redundant connections to the Internet on both
peers. Figure 118 on page 860 shows an example of this. This is useful to create a reliable
connection between two FortiGate units with static IP addresses.
When only one peer has redundant connections, the configuration is partially-redundant.
For an example of this, see “Partially-redundant route-based VPN example” on page 873.
This is useful to provide reliable service from a FortiGate unit with static IP addresses that
accepts connections from dialup IPsec VPN clients.
In a fully-redundant VPN configuration with two interfaces on each peer, four distinct paths
are possible for VPN traffic from end to end. Each interface on a peer can communicate
with both interfaces on the other peer. This ensures that a VPN will be available as long as
each peer has one working connection to the Internet.
You configure a VPN and an entry in the routing table for each of the four paths. All of
these VPNs are ready to carry data. You set different routing distances for each route and
only the shortest distance route is used. If this route fails, the route with the next shortest
distance is used.
The redundant configurations described in this chapter use route-based VPNs, otherwise
known as virtual IPsec interfaces. This means that the FortiGate unit must operate in
NAT/Route mode. You must use auto-keying. A VPN that is created using manual keys
(see “Manual-key configurations” on page 887) cannot be included in a redundant-tunnel
configuration.
The configuration described here assumes that your redundant VPNs are essentially
equal in cost and capability. When the original VPN returns to service, traffic continues to
use the replacement VPN until the replacement VPN fails. If your redundant VPN uses
more expensive facilities, you want to use it only as a backup while the main VPN is down.
For information on how to do this, see “Creating a backup IPsec interface” on page 879.


Figure 118: Example redundant-tunnel configuration (diagram: Site_1 behind FortiGate_1
and Site_2 behind FortiGate_2 are joined across the Internet by a primary tunnel and a
redundant tunnel)

Note: A VPN that is created using manual keys (see “Manual-key configurations” on
page 887) cannot be included in a redundant-tunnel configuration.

General configuration steps
A redundant configuration at each VPN peer includes:
• one phase 1 configuration (virtual IPsec interface) for each path between the two
  peers. In a fully-meshed redundant configuration, each network interface on one peer
  can communicate with each network interface on the remote peer. If both peers have
  two public interfaces, this means that each peer has four paths, for example.
• one phase 2 definition for each phase 1 configuration
• one static route for each IPsec interface, with different distance values to prioritize the
  routes
• two Accept firewall policies per IPsec interface, one for each direction of traffic
• dead peer detection enabled in each phase 1 definition
The procedures in this section assume that two separate interfaces to the Internet are
available on each VPN peer.


Configure the VPN peers - route-based VPN
Configure each VPN peer as follows:
1 Ensure that the interfaces used in the VPN have static IP addresses.
2 Create a phase 1 configuration for each of the paths between the peers. Enable IPsec
Interface mode so that this creates a virtual IPsec interface. Enable dead peer
detection so that one of the other paths is activated if this path fails.
Enter these settings in particular:
Path 1
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the primary interface of the remote peer.
Local Interface: Select the primary public interface of this peer.
Enable IPsec Interface Mode: Enable
Dead Peer Detection: Enable
Other settings as required by VPN.

Path 2
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the secondary interface of the remote peer.
Local Interface: Select the primary public interface of this peer.
Enable IPsec Interface Mode: Enable
Dead Peer Detection: Enable
Other settings as required by VPN.

Path 3
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the primary interface of the remote peer.
Local Interface: Select the secondary public interface of this peer.
Enable IPsec Interface Mode: Enable
Dead Peer Detection: Enable
Other settings as required by VPN.

Path 4
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the secondary interface of the remote peer.
Local Interface: Select the secondary public interface of this peer.
Enable IPsec Interface Mode: Enable
Dead Peer Detection: Enable
Other settings as required by VPN.

For more information, see “Auto Key phase 1 parameters” on page 929.


3 Create a phase 2 definition for each path. See “Phase 2 parameters” on page 945.
Enter these settings in particular:
  Phase 1: Select the phase 1 configuration (virtual IPsec interface) that you defined for
  this path. You can select the name from the Static IP Address part of the list.

4 Create a route for each path to the other peer. If there are two ports on each peer, there
are four possible paths between the peer devices.
  Destination IP/Mask: The IP address and netmask of the private network behind the
  remote peer.
  Device: One of the virtual IPsec interfaces on the local peer.
  Distance: For each path, enter a different value to prioritize the paths.

5 Define the firewall policy for the local primary interface. See “Defining firewall policies”
on page 952. You need to create two policies for each path to enable communication in
both directions. Enter these settings in particular:
  Outgoing policy (internal network to the VPN):
    Source Interface/Zone: Select the local interface to the internal (private) network.
    Source Address Name: All
    Destination Interface/Zone: Select one of the virtual IPsec interfaces you created in
    Step 2.
    Destination Address Name: All
    Schedule: Always
    Service: Any
    Action: ACCEPT
  Incoming policy (VPN to the internal network):
    Source Interface/Zone: Select one of the virtual IPsec interfaces you created in
    Step 2.
    Source Address Name: All
    Destination Interface/Zone: Select the local interface to the internal (private) network.
    Destination Address Name: All
    Schedule: Always
    Service: Any
    Action: ACCEPT

6 Place the policy in the policy list above any other policies having similar source and
destination addresses.
7 Repeat this procedure at the remote FortiGate unit.

Redundant route-based VPN configuration example
This example demonstrates a fully redundant site-to-site VPN configuration using route-based
VPNs. At each site, the FortiGate unit has two interfaces connected to the Internet
through different ISPs. This means that there are four possible paths for communication
between the two units. In this example, these paths, listed in descending priority, are:
• FortiGate_1 WAN 1 to FortiGate_2 WAN 1
• FortiGate_1 WAN 1 to FortiGate_2 WAN 2
• FortiGate_1 WAN 2 to FortiGate_2 WAN 1
• FortiGate_1 WAN 2 to FortiGate_2 WAN 2

Figure 119: Example redundant route-based VPN configuration
(Diagram: FortiGate_1, with WAN1 192.168.10.2 and WAN2 172.16.20.2, in front of the
Finance Network 10.21.101.0/24; FortiGate_2, with WAN1 192.168.20.2 and WAN2
172.16.30.2, in front of the HR Network 10.31.101.0/24; the two units are connected
across the Internet.)

For each path, VPN configuration, firewall policies and routing are defined. By specifying a
different routing distance for each path, the paths are prioritized. A VPN tunnel is
established on each path, but only the highest priority one is used. If the highest priority
path goes down, the traffic is automatically routed over the next highest priority path. You
could use dynamic routing, but to keep this example simple, static routing is used.

Configuring FortiGate_1
You must
• configure the interfaces involved in the VPN
• define the phase 1 configuration for each of the four possible paths, creating a virtual
  IPsec interface for each one
• define the phase 2 configuration for each of the four possible paths
• configure routes for the four IPsec interfaces, assigning the appropriate priorities
• configure incoming and outgoing firewall policies between the internal interface and
  each of the virtual IPsec interfaces

To configure the network interfaces
1 Go to System > Network > Interface.
2 Select the Edit icon for the Internal interface, enter the following information and then
select OK:
  Addressing mode: Manual
  IP/Netmask: 10.21.101.0/255.255.255.0
3 Select the Edit icon for the WAN1 interface, enter the following information and then
select OK:
  Addressing mode: Manual
  IP/Netmask: 192.168.10.2/255.255.255.0
4 Select the Edit icon for the WAN2 interface, enter the following information and then
select OK:
  Addressing mode: Manual
  IP/Netmask: 172.16.20.2/255.255.255.0

To configure the IPsec interfaces (phase 1 configurations)
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_1_A
  Remote Gateway: Static IP Address
  IP Address: 192.168.20.2
  Local Interface: WAN1
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select
3 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_1_B
  Remote Gateway: Static IP Address
  IP Address: 172.16.30.2
  Local Interface: WAN1
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select
4 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_1_C
  Remote Gateway: Static IP Address
  IP Address: 192.168.20.2
  Local Interface: WAN2
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select
5 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_1_D
  Remote Gateway: Static IP Address
  IP Address: 172.16.30.2
  Local Interface: WAN2
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select

To define the phase 2 configurations for the four VPNs
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 2, enter the following information and select OK:
  Name: Route_A
  Phase 1: Site_1_A
3 Select Create Phase 2, enter the following information and select OK:
  Name: Route_B
  Phase 1: Site_1_B
4 Select Create Phase 2, enter the following information and select OK:
  Name: Route_C
  Phase 1: Site_1_C
5 Select Create Phase 2, enter the following information and select OK:
  Name: Route_D
  Phase 1: Site_1_D

To configure routes
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following default gateway information and then select
OK:
  Destination IP/Mask: 0.0.0.0/0.0.0.0
  Device: WAN1
  Gateway: 192.168.10.1
  Distance: 10
3 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.31.101.0/255.255.255.0
  Device: Site_1_A
  Distance: 1
4 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.31.101.0/255.255.255.0
  Device: Site_1_B
  Distance: 2
5 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.31.101.0/255.255.255.0
  Device: Site_1_C
  Distance: 3
6 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.31.101.0/255.255.255.0
  Device: Site_1_D
  Distance: 4

To configure firewall policies
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and then select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_1_A
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
3 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Site_1_A
  Source Address Name: All
  Destination Interface/Zone: Internal
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
4 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_1_B
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
5 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Site_1_B
  Source Address Name: All
  Destination Interface/Zone: Internal
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
6 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_1_C
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
7 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Site_1_C
  Source Address Name: All
  Destination Interface/Zone: Internal
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
8 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_1_D
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
9 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Site_1_D
  Source Address Name: All
  Destination Interface/Zone: Internal
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT

Configuring FortiGate_2
The configuration for FortiGate_2 is very similar to that of FortiGate_1. You must
• configure the interfaces involved in the VPN
• define the phase 1 configuration for each of the four possible paths, creating a virtual
  IPsec interface for each one
• define the phase 2 configuration for each of the four possible paths
• configure routes for the four IPsec interfaces, assigning the appropriate priorities
• configure incoming and outgoing firewall policies between the internal interface and
  each of the virtual IPsec interfaces

To configure the network interfaces
1 Go to System > Network > Interface.
2 Select the Internal interface and then select Edit. Enter the following information and
then select OK:
  Addressing mode: Manual
  IP/Netmask: 10.31.101.0/255.255.255.0
3 Select the WAN1 interface and then select Edit. Enter the following information and
then select OK:
  Addressing mode: Manual
  IP/Netmask: 192.168.20.2/255.255.255.0
4 Select the WAN2 interface and then select Edit. Enter the following information and
then select OK:
  Addressing mode: Manual
  IP/Netmask: 172.16.30.2/255.255.255.0

To configure the IPsec interfaces (phase 1 configurations)
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_2_A
  Remote Gateway: Static IP Address
  IP Address: 192.168.10.2
  Local Interface: WAN1
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select
3 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_2_B
  Remote Gateway: Static IP Address
  IP Address: 172.16.20.2
  Local Interface: WAN1
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select
4 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_2_C
  Remote Gateway: Static IP Address
  IP Address: 192.168.10.2
  Local Interface: WAN2
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select
5 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_2_D
  Remote Gateway: Static IP Address
  IP Address: 172.16.20.2
  Local Interface: WAN1
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select

To define the phase 2 configurations for the four VPNs
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 2, enter the following information and select OK:
  Name: Route_A
  Phase 1: Site_2_A
3 Select Create Phase 2, enter the following information and select OK:
  Name: Route_B
  Phase 1: Site_2_B
4 Select Create Phase 2, enter the following information and select OK:
  Name: Route_C
  Phase 1: Site_2_C
5 Select Create Phase 2, enter the following information and select OK:
  Name: Route_D
  Phase 1: Site_2_D

To configure routes
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following default gateway information and then select
OK:
  Destination IP/Mask: 0.0.0.0/0.0.0.0
  Device: WAN1
  Gateway: 192.168.10.1
  Distance: 10
3 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.21.101.0/255.255.255.0
  Device: Site_2_A
  Distance: 1
4 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.21.101.0/255.255.255.0
  Device: Site_2_B
  Distance: 2
5 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.21.101.0/255.255.255.0
  Device: Site_2_C
  Distance: 3
6 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.21.101.0/255.255.255.0
  Device: Site_2_D
  Distance: 4

To configure firewall policies
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_2_A
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
3 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Site_2_A
  Source Address Name: All
  Destination Interface/Zone: Internal
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
4 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_2_B
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
5 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Site_2_B
  Source Address Name: All
  Destination Interface/Zone: Internal
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
6 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_2_C
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
7 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Site_2_C
  Source Address Name: All
  Destination Interface/Zone: Internal
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
8 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_2_D
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
9 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Site_2_D
  Source Address Name: All
  Destination Interface/Zone: Internal
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT

Partially-redundant route-based VPN example
This example demonstrates how to set up a partially redundant IPsec VPN between a
local FortiGate unit and a remote VPN peer that receives a dynamic IP address from an
ISP before it connects to the FortiGate unit. For more information about FortiGate
dialup-client configurations, see “FortiGate dialup-client configurations” on page 843.
When a FortiGate unit has more than one interface to the Internet (see FortiGate_1 in
Figure 120), you can configure redundant routes—if the primary connection fails, the
FortiGate unit can establish a VPN using the redundant connection.
In this case, FortiGate_2 has only one connection to the Internet. If the link to the ISP were
to go down, the connection to FortiGate_1 would be lost, and the tunnel would be taken
down. The tunnel is said to be partially redundant because FortiGate_2 does not support a
redundant connection.
In the configuration example:
• Both FortiGate units operate in NAT/Route mode.
• Two separate interfaces to the Internet (192.168.10.2 and 172.16.20.2) are available
  on FortiGate_1. Each interface has a static public IP address.
• FortiGate_2 has a single connection to the Internet and obtains a dynamic public IP
  address (for example, 172.16.30.1) when it connects to the Internet.
• FortiGate_2 forwards IP packets from the SOHO network (10.31.101.0/24) to the
  corporate network (10.21.101.0/24) behind FortiGate_1 through a partially redundant
  IPsec VPN. Encrypted packets from FortiGate_2 are addressed to the public interface
  of FortiGate_1. Encrypted packets from FortiGate_1 are addressed to the public IP
  address of FortiGate_2.

There are two possible paths for communication between the two units. In this example,
these paths, listed in descending priority, are:
• FortiGate_1 WAN 1 to FortiGate_2 WAN 1
• FortiGate_1 WAN 2 to FortiGate_2 WAN 1

For each path, VPN configuration, firewall policies and routing are defined. By specifying a
different routing distance for each path, the paths are prioritized. A VPN tunnel is
established on each path, but only the highest priority one is used. If the highest priority
path goes down, the traffic is automatically routed over the next highest priority path. You
could use dynamic routing, but to keep this example simple, static routing is used.

Figure 120: Example partially redundant route-based configuration
(Diagram: FortiGate_1, with public interfaces 192.168.10.1 and 172.16.20.2, in front of
the Corporate Network 10.21.101.0/24; FortiGate_2, with public address 172.16.30.1, in
front of the SOHO Network 10.31.101.0/24; a primary tunnel and a redundant tunnel run
across the Internet between the two units.)

Configuring FortiGate_1
You must
• configure the interfaces involved in the VPN
• define the phase 1 configuration for each of the two possible paths, creating a virtual
  IPsec interface for each one
• define the phase 2 configuration for each of the two possible paths
• configure incoming and outgoing firewall policies between the internal interface and
  each of the virtual IPsec interfaces

To configure the network interfaces
1 Go to System > Network > Interface.
2 Select the Internal interface and then select Edit. Enter the following information and
then select OK:
  Addressing mode: Manual
  IP/Netmask: 10.21.101.2/255.255.255.0
3 Select the WAN1 interface and then select Edit. Enter the following information and
then select OK:
  Addressing mode: Manual
  IP/Netmask: 192.168.10.2/255.255.255.0
4 Select the WAN2 interface and then select Edit. Enter the following information and
then select OK:
  Addressing mode: Manual
  IP/Netmask: 172.16.20.2/255.255.255.0

To configure the IPsec interfaces (phase 1 configurations)
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_1_A
  Remote Gateway: Dialup User
  Local Interface: WAN1
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select
3 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_1_B
  Remote Gateway: Dialup User
  Local Interface: WAN2
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select

To define the phase 2 configurations for the two VPNs
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 2, enter the following information and select OK:
  Name: Route_A
  Phase 1: Site_1_A
3 Select Create Phase 2, enter the following information and select OK:
  Name: Route_B
  Phase 1: Site_1_B

To configure routes
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following default gateway information and then select
OK:
  Destination IP/Mask: 0.0.0.0/0.0.0.0
  Device: WAN1
  Gateway: 192.168.10.1
  Distance: 10

To configure firewall policies
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_1_A
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
3 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_1_B
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT

Configuring FortiGate_2
The configuration for FortiGate_2 is similar to that of FortiGate_1. You must
• configure the interface involved in the VPN
• define the phase 1 configuration for the primary and redundant paths, creating a virtual
  IPsec interface for each one
• define the phase 2 configurations for the primary and redundant paths, defining the
  internal network as the source address so that FortiGate_1 can automatically configure
  routing
• configure the routes for the two IPsec interfaces, assigning the appropriate priorities
• configure firewall policies between the internal interface and each of the virtual IPsec
  interfaces

To configure the network interfaces
1 Go to System > Network > Interface.
2 Select the Internal interface and then select Edit. Enter the following information and
then select OK:
  Addressing mode: Manual
  IP/Netmask: 10.31.101.2/255.255.255.0
3 Select the WAN1 interface and then select Edit. Enter the following information and
then select OK:
  Addressing mode: DHCP

To configure the two IPsec interfaces (phase 1 configurations)
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_2_A
  Remote Gateway: Static IP Address
  IP Address: 192.168.10.2
  Local Interface: WAN1
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select
3 Select Create Phase 1, enter the following information, and select OK:
  Name: Site_2_B
  Remote Gateway: Static IP Address
  IP Address: 172.16.20.2
  Local Interface: WAN1
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key.
  Peer Options: Accept any peer ID
  Advanced
    Enable IPsec Interface Mode: Select
    Dead Peer Detection: Select

To define the phase 2 configurations for the two VPNs
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 2, enter the following information and select OK:
  Name: Route_A
  Phase 1: Site_2_A
  Advanced
    Source Address: 10.31.101.0/24
3 Select Create Phase 2, enter the following information and select OK:
  Name: Route_B
  Phase 1: Site_2_B
  Advanced
    Source Address: 10.31.101.0/24

To configure routes
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.21.101.0/255.255.255.0
  Device: Site_2_A
  Distance: 1
3 Select Create New, enter the following information and then select OK:
  Destination IP/Mask: 10.21.101.0/255.255.255.0
  Device: Site_2_B
  Distance: 2

To configure firewall policies
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_2_A
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT
3 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address Name: All
  Destination Interface/Zone: Site_2_B
  Destination Address Name: All
  Schedule: Always
  Service: Any
  Action: ACCEPT

Creating a backup IPsec interface
Starting in FortiOS 3.0 MR4, you can configure a route-based VPN that acts as a backup
facility to another VPN. It is used only while your main VPN is out of service. This is
desirable when the redundant VPN uses a more expensive facility.
In FortiOS releases prior to 3.0 MR4, a backup VPN configuration is possible only if the
backup connection is a modem in a Redundant mode configuration.
You can configure a backup IPsec interface only in the CLI. The backup feature works
only on interfaces with static addresses that have dead peer detection enabled. The
monitor-phase1 option creates a backup VPN for the specified phase 1 configuration.
In the following example, backup_vpn is a backup for main_vpn.
config vpn ipsec phase1-interface
    edit main_vpn
        set dpd on
        set interface port1
        set nattraversal enable
        set psksecret "hard-to-guess"
        set remote-gw 192.168.10.8
        set type static
    next
    edit backup_vpn
        set dpd on
        set interface port2
        set monitor-phase1 main_vpn
        set nattraversal enable
        set psksecret "hard-to-guess"
        set remote-gw 192.168.10.8
        set type static
    next
end
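
One way to check a configuration against the rules this chapter states, serving both the redundant route-based procedure above (DPD on every path, one route per virtual IPsec interface with a distinct distance, a policy in each direction per path) and the backup IPsec interface just shown (static addresses and DPD on both members of a monitor-phase1 pair). This is an added example, not code from the FortiOS Handbook or Fortinet; it assumes FortiOS-style CLI text in the form shown above for the phase 1 entries, represents routes and policies as constructed Python tuples taken from FortiGate_1's values, and the helper names (parse_phase1, check_redundant_vpn, check_backup_interfaces, active_path) are this example's own.

```python
"""Checks for the redundant and backup route-based VPN rules the handbook states.
Added example, not Fortinet's code: it parses the FortiOS CLI phase1-interface
syntax shown on the page, checks the stated requirements, and picks the path the
static-route distances select once dead peer detection marks tunnels up or down.
"""

ENABLED = {"enable", "on"}  # the handbook's own snippet writes 'set dpd on'
# Constructed sample modelled on FortiGate_1 (Site_1_A/B values from the page)
# plus a backup_vpn entry in the style of the page's CLI example; backup_vpn
# deliberately omits DPD so that the backup check has something to report.
PHASE1_CLI = """
config vpn ipsec phase1-interface
    edit Site_1_A
        set type static
        set interface WAN1
        set remote-gw 192.168.20.2
        set dpd enable
    next
    edit Site_1_B
        set type static
        set interface WAN1
        set remote-gw 172.16.30.2
        set dpd enable
    next
    edit backup_vpn
        set type static
        set interface port2
        set monitor-phase1 Site_1_A
    next
end
"""

# Constructed routes (dst, device, distance) and policies (srcintf, dstintf) after FortiGate_1; Site_1_B's inbound policy is left out on purpose.
ROUTES = [("0.0.0.0/0", "WAN1", 10), ("10.31.101.0/24", "Site_1_A", 1),
          ("10.31.101.0/24", "Site_1_B", 2)]
POLICIES = [("Internal", "Site_1_A"), ("Site_1_A", "Internal"), ("Internal", "Site_1_B")]


def parse_phase1(cli_text):
    """Return {entry name: {setting: value}} for each 'edit' block in the CLI text."""
    entries, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1]
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            entries[current][key] = value.strip('"')
        elif line in ("next", "end"):
            current = None
    return entries


def check_redundant_vpn(phase1, routes, policies, remote_net, internal_if):
    """Findings against the handbook's rules for redundant route-based VPN paths."""
    findings = []
    paths = [n for n, e in phase1.items() if "monitor-phase1" not in e]
    distances = {dev: d for dst, dev, d in routes if dst == remote_net}
    for name in paths:
        if phase1[name].get("dpd") not in ENABLED:
            findings.append(f"{name}: DPD not enabled; failover will not trigger")
        if name not in distances:
            findings.append(f"{name}: no static route to {remote_net} via this interface")
        if (internal_if, name) not in policies:
            findings.append(f"{name}: missing outbound policy {internal_if} -> {name}")
        if (name, internal_if) not in policies:
            findings.append(f"{name}: missing inbound policy {name} -> {internal_if}")
    by_distance = {}
    for dev, d in distances.items():
        if d in by_distance:  # equal distances leave the paths unprioritized
            findings.append(f"{dev} and {by_distance[d]} share distance {d}")
        by_distance[d] = dev
    return findings


def check_backup_interfaces(phase1):
    """monitor-phase1 needs static addresses and DPD on both the backup and main VPN."""
    findings = []
    for name, entry in phase1.items():
        target = entry.get("monitor-phase1")
        if target is None:
            continue
        if target not in phase1:
            findings.append(f"{name}: monitors unknown phase1 '{target}'")
            continue
        for member in (name, target):
            if phase1[member].get("type") != "static":
                findings.append(f"{member}: backup pairs need 'set type static'")
            if phase1[member].get("dpd") not in ENABLED:
                findings.append(f"{member}: backup pairs need DPD enabled")
    return findings


def active_path(routes, remote_net, tunnel_up):
    """Device of the lowest-distance route to remote_net whose tunnel is up, else None."""
    live = [(d, dev) for dst, dev, d in routes if dst == remote_net and tunnel_up.get(dev)]
    return min(live)[1] if live else None
```

Feeding tunnel_up with the DPD state of each virtual IPsec interface reproduces the behaviour the chapter describes: the lowest-distance live route carries the traffic, and it moves to the next distance when that tunnel goes down.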

Transparent mode VPNs
This section describes transparent VPN configurations, in which two FortiGate units
create a VPN tunnel between two separate private networks transparently.
The following topics are included in this section:
• Configuration overview
• Configure the VPN peers

Configuration overview
In Transparent mode, all interfaces of the FortiGate unit except the management interface
(which by default is assigned IP address 10.10.10.1/255.255.255.0) are invisible at the
network layer. Typically, when a FortiGate unit runs in Transparent mode, different network
segments are connected to the FortiGate interfaces. Figure 121 shows the management
station on the same subnet. The management station can connect to the FortiGate unit
directly through the web-based manager.
Figure 121: Management station on internal network
(Diagram: the management station is on Site_1, 10.10.10.0/24, the same subnet as the
FortiGate_1 management interface 10.10.10.1; an edge router connects the site to the
Internet.)

An edge router typically provides a public connection to the Internet and one interface of
the FortiGate unit is connected to the router. If the FortiGate unit is managed from an
external address (see Figure 122 on page 882), the router must translate (NAT) a routable
address to direct management traffic to the FortiGate management interface.

Figure 122: Management station on external network
(Diagram: the management station is reached from the Internet; the edge router translates
(NAT) the routable address 172.16.10.100 to the FortiGate_1 management interface
10.10.10.1 on Site_1, 10.10.10.0/24; a VPN links Site_1 to the remote sites.)

In a transparent VPN configuration, two FortiGate units create a VPN tunnel between two
separate private networks transparently. All traffic between the two networks is encrypted
and protected by FortiGate firewall policies.
Both FortiGate units may be running in Transparent mode, or one could be running in
Transparent mode and the other running in NAT/Route mode. If the remote peer is running
in NAT/Route mode, it must have a static public IP address.
Note: VPNs between two FortiGate units running in Transparent mode do not support
inbound/outbound NAT (supported through CLI commands) within the tunnel. In addition, a
FortiGate unit running in Transparent mode cannot be used in a hub-and-spoke
configuration.

Encrypted packets from the remote VPN peer are addressed to the management interface
of the local FortiGate unit. If the local FortiGate unit can reach the VPN peer locally, a
static route to the VPN peer must be added to the routing table on the local FortiGate unit.
If the VPN peer connects through the Internet, encrypted packets from the local FortiGate
unit must be routed to the edge router instead. For information about how to add a static
route to the FortiGate routing table, see the “Router Static” chapter of the FortiGate
Administration Guide.
In the example configuration shown in Figure 122, Network Address Translation (NAT) is
enabled on the router. When an encrypted packet from the remote VPN peer arrives at the
router through the Internet, the router performs inbound NAT and forwards the packet to
the FortiGate unit. Refer to the software supplier’s documentation to configure the router.
If you want to configure a VPN between two FortiGate units running in Transparent mode,
each unit must have an independent connection to a router that acts as a gateway to the
Internet, and both units must be on separate networks that have a different address
space. When the two networks linked by the VPN tunnel have different address spaces
(see Figure 123 on page 883), at least one router must separate the two FortiGate units,
unless the packets can be redirected using ICMP (see Figure 124 on page 883).

882

FortiOS™ Handbook FortiOS 4.0 MR2 IPsec VPNs
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Transparent mode VPNs

Configuration overview

Figure 123: Link between two FortiGate units running in Transparent mode
[Figure not reproduced; labels: Internet, Router, FortiGate_1, FortiGate_2, Network_1, Network_2]

In Figure 124, interface C behind the router is the default gateway for both FortiGate units.
Packets that cannot be delivered on Network_1 are routed to interface C by default.
Similarly, packets that cannot be delivered on Network_2 are routed to interface C. In this
case, the router must be configured to redirect packets destined for Network_1 to interface
A and redirect packets destined for Network_2 to interface B.
Figure 124: ICMP redirecting packets to two FortiGate units running in Transparent mode
[Figure not reproduced; labels: Internet, Router, interfaces A, B and C, FortiGate_1, FortiGate_2, Network_1, Network_2, Network_3, ICMP]

If there are additional routers behind the FortiGate unit (see Figure 125 on page 884) and
the destination IP address of an inbound packet is on a network behind one of those
routers, the FortiGate routing table must include routes to those networks. For example, in
Figure 125, the FortiGate unit must be configured with static routes to interfaces A and B
in order to forward packets to Network_1 and Network_2 respectively.

Figure 125: Destinations on remote networks behind internal routers
[Figure not reproduced; labels: Internet, FortiGate_1, Router_1, Router_2, interfaces A and B, Network_1, Network_2, Network_3]

Transparent VPN infrastructure requirements
• The local FortiGate unit must be operating in Transparent mode.
• The management IP address of the local FortiGate unit specifies the local VPN
gateway. The management IP address is considered a static IP address for the local
VPN peer.
• If the local FortiGate unit is managed through the Internet, or if the VPN peer connects
through the Internet, the edge router must be configured to perform inbound NAT and
forward management traffic and/or encrypted packets to the FortiGate unit.
• If the remote peer is operating in NAT/Route mode, it must have a static public IP
address.

A FortiGate unit operating in Transparent mode requires the following basic configuration
to operate as a node on the IP network:


• The unit must have sufficient routing information to reach the management station.
• For any traffic to reach external destinations, a default static route to an edge router
that forwards packets to the Internet must be present in the FortiGate routing table.
• When all of the destinations are located on the external network, the FortiGate unit
may route packets using a single default static route. If the network topology is more
complex, one or more static routes in addition to the default static route may be
required in the FortiGate routing table.

Only policy-based VPN configurations are possible in Transparent mode.

Before you begin
An IPsec VPN definition links a gateway with a tunnel and an IPsec policy. If your network
topology includes more than one virtual domain, you must choose components that were
created in the same virtual domain. Therefore, before you define a transparent VPN
configuration, choose an appropriate virtual domain in which to create the required
interfaces, firewall policies, and VPN components. For more information, see the “Using
virtual domains” chapter of the FortiGate Administration Guide.

Configure the VPN peers
The following procedure assumes that the local VPN peer operates in Transparent mode.
The remote VPN peer may operate in NAT/Route mode or Transparent mode.
1 At the local FortiGate unit, define the phase 1 parameters needed to establish a secure
connection with the remote peer. See “Auto Key phase 1 parameters” on page 929.
Select Advanced and enter these settings in particular:
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the public interface to the remote peer. If the
remote peer is a FortiGate unit running in Transparent mode, type the IP address of
the remote management interface.
Advanced: Select Nat-traversal, and type a value into the Keepalive Frequency field.
These settings protect the headers of encrypted packets from being altered by
external NAT devices and ensure that NAT address mappings do not change while the
VPN tunnel is open. For more information, see “NAT traversal” on page 941 and “NAT
keepalive frequency” on page 941.

2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
See “Phase 2 parameters” on page 945. Enter these settings in particular:
Phase 1: Select the set of phase 1 parameters that you defined for the remote peer.
The name of the remote peer can be selected from the Static IP Address list.

3 Define the source and destination addresses of the IP packets that are to be
transported through the VPN tunnel. See “Defining firewall addresses” on page 951.
Enter these settings in particular:
• For the originating address (source address), enter the IP address of the local
management interface (for example, 10.10.10.1/32).
• For the remote address (destination address), enter the IP address and netmask of
the private network behind the remote peer (for example, 192.168.10.0/24). If
the remote peer is a FortiGate unit running in Transparent mode, enter the IP
address of the remote management interface instead.
4 Define an IPsec firewall policy to permit communications between the source and
destination addresses. See “Defining firewall policies” on page 952. Enter these
settings in particular:
Source Interface/Zone: Select the local interface to the internal (private) network.
Source Address Name: Select the source address that you defined in Step 3.
Destination Interface/Zone: Select the interface to the edge router. When you
configure the IPsec firewall policy on a remote peer that operates in NAT/Route mode,
you select the public interface to the external (public) network instead.
Destination Address Name: Select the destination address that you defined in Step 3.
Action: IPSEC
VPN Tunnel: Select the name of the phase 2 tunnel configuration that you created in
Step 2. Select Allow inbound to enable traffic from the remote network to initiate the
tunnel. Select Allow outbound to enable traffic from the local network to initiate the
tunnel.

5 Place the policy in the policy list above any other policies having similar source and
destination addresses.
6 Repeat this procedure at the remote FortiGate unit.
For more information
The FortiGate Transparent Mode Technical Guide provides examples and troubleshooting
information concerning several FortiGate features, including IPsec VPN.


Manual-key configurations
This section explains how to manually define cryptographic keys to establish an IPsec
VPN, either policy-based or route-based.
The following topics are included in this section:


• Configuration overview
• Specify the manual keys for creating a tunnel

Configuration overview
You can manually define cryptographic keys for the FortiGate unit to establish an IPsec
VPN.
You define manual keys where prior knowledge of the encryption and/or authentication
key is required (that is, one of the VPN peers requires a specific IPsec encryption and/or
authentication key). In this case, you do not specify IPsec phase 1 and phase 2
parameters; you define manual keys on the VPN > IPSEC > Manual Key tab instead.
If one VPN peer uses specific authentication and encryption keys to establish a tunnel,
both VPN peers must be configured to use the same encryption and authentication
algorithms and keys.
Note: It may not be safe or practical to define manual keys because network administrators
must be trusted to keep the keys confidential, and propagating changes to remote VPN
peers in a secure manner may be difficult.

It is essential that both VPN peers be configured with matching encryption and
authentication algorithms, matching authentication and encryption keys, and
complementary Security Parameter Index (SPI) settings.
You can define either the encryption or the authentication as NULL (disabled), but not
both.
Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to
link the datagrams to the SA. When an ESP datagram is received, the recipient refers to
the SPI to determine which SA applies to the datagram. An SPI must be specified
manually for each SA. Because an SA applies to communication in one direction only, you
must specify two SPIs per configuration (a local SPI and a remote SPI) to cover
bidirectional communications between two VPN peers.
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases
for your particular installation, do not attempt the following procedure without qualified
assistance.

Specify the manual keys for creating a tunnel
Specify the manual keys for creating a tunnel as follows:
1 Go to VPN > IPSEC > Manual Key and select Create New.
2 Include appropriate entries as follows:

Name: Type a name for the VPN tunnel.
Local SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents
the SA that handles outbound traffic on the local FortiGate unit. The valid range is
from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual
key configuration at the remote peer.
Remote SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that
represents the SA that handles inbound traffic on the local FortiGate unit. The valid
range is from 0x100 to 0xffffffff. This value must match the Local SPI value in the
manual key configuration at the remote peer.
Remote Gateway: Type the IP address of the public interface to the remote peer. The
address identifies the recipient of ESP datagrams.
Local Interface: Select the name of the physical, aggregate, or VLAN interface to
which the IPsec tunnel will be bound. The FortiGate unit obtains the IP address of the
interface from System > Network > Interface settings. This is available in NAT/Route
mode only.
Encryption Algorithm: Select one of the following symmetric-key encryption
algorithms:
• DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
• 3DES — Triple-DES, in which plain text is encrypted three times by three keys.
• AES128 — A 128-bit block algorithm that uses a 128-bit key.
• AES192 — A 128-bit block algorithm that uses a 192-bit key.
• AES256 — A 128-bit block algorithm that uses a 256-bit key.
Encryption Key: If you selected:
• DES, type a 16-character hexadecimal number (0-9, a-f).
• 3DES, type a 48-character hexadecimal number (0-9, a-f) separated into three
segments of 16 characters.
• AES128, type a 32-character hexadecimal number (0-9, a-f) separated into two
segments of 16 characters.
• AES192, type a 48-character hexadecimal number (0-9, a-f) separated into three
segments of 16 characters.
• AES256, type a 64-character hexadecimal number (0-9, a-f) separated into four
segments of 16 characters.
Authentication Algorithm: Select one of the following message digests:
• MD5 — Message Digest 5 algorithm, which produces a 128-bit message digest.
• SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
Authentication Key: If you selected:
• MD5, type a 32-character hexadecimal number (0-9, a-f) separated into two
segments of 16 characters.
• SHA1, type a 40-character hexadecimal number (0-9, a-f) separated into one
segment of 16 characters and a second segment of 24 characters.
IPsec Interface Mode: Select to create a route-based VPN. A virtual IPsec interface is
created on the Local Interface that you selected. This option is available only in
NAT/Route mode.
3 Select OK.
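Because a manual-key tunnel only comes up when both peers' entries mirror each other exactly, it helps to check the two configurations side by side before entering them. The following Python is an added example, not part of the handbook: it applies the rules from the field descriptions above (SPI range and hex form, key length per algorithm, not both NULL, and complementary SPIs between peers). The ManualKeyEntry type, its field names and the sample keys are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Required key lengths in hex characters, per the Manual Key tab field descriptions.
ENC_KEY_HEX_LEN: Dict[str, int] = {"des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64}
AUTH_KEY_HEX_LEN: Dict[str, int] = {"md5": 32, "sha1": 40}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class ManualKeyEntry:
    """One peer's Manual Key tab entry (hypothetical helper type for this example)."""
    name: str
    local_spi: str       # SA for outbound traffic on this unit, hex string
    remote_spi: str      # SA for inbound traffic on this unit, hex string
    remote_gateway: str
    enc_alg: str         # "null" or one of ENC_KEY_HEX_LEN
    enc_key: str
    auth_alg: str        # "null" or one of AUTH_KEY_HEX_LEN
    auth_key: str


def _norm_hex(value: str) -> str:
    """Lower-case, drop an optional 0x prefix and the GUI's segment separators."""
    v = value.strip().lower().replace(" ", "").replace("-", "")
    return v[2:] if v.startswith("0x") else v


def _check_spi(label: str, value: str, errors: List[str]) -> None:
    v = _norm_hex(value)
    if not HEX_RE.match(v) or len(v) > 8:
        errors.append(f"{label}: must be 1 to 8 hex characters (0-9, a-f)")
        return
    if not SPI_MIN <= int(v, 16) <= SPI_MAX:
        errors.append(f"{label}: {value} is outside the valid range 0x100-0xffffffff")


def _check_key(label: str, alg: str, key: str, table: Dict[str, int], errors: List[str]) -> None:
    if alg == "null":
        if key:
            errors.append(f"{label}: a key was given but the algorithm is NULL")
        return
    if alg not in table:
        errors.append(f"{label}: unknown algorithm {alg!r}")
        return
    k = _norm_hex(key)
    if not HEX_RE.match(k):
        errors.append(f"{label}: key must be hexadecimal (0-9, a-f)")
    elif len(k) != table[alg]:
        errors.append(f"{label}: {alg} needs {table[alg]} hex characters, got {len(k)}")


def validate_entry(e: ManualKeyEntry) -> List[str]:
    """Problems with a single peer's entry; an empty list means it is acceptable."""
    errors: List[str] = []
    _check_spi("Local SPI", e.local_spi, errors)
    _check_spi("Remote SPI", e.remote_spi, errors)
    if e.enc_alg == "null" and e.auth_alg == "null":
        errors.append("Encryption and Authentication cannot both be NULL")
    _check_key("Encryption Key", e.enc_alg, e.enc_key, ENC_KEY_HEX_LEN, errors)
    _check_key("Authentication Key", e.auth_alg, e.auth_key, AUTH_KEY_HEX_LEN, errors)
    return errors


def validate_pair(local: ManualKeyEntry, remote: ManualKeyEntry) -> List[str]:
    """Check that the two peers' entries agree: same algorithms and keys, and
    complementary SPIs (Local SPI on one side equals Remote SPI on the other)."""
    errors = [f"{local.name}: {m}" for m in validate_entry(local)]
    errors += [f"{remote.name}: {m}" for m in validate_entry(remote)]
    if errors:
        return errors   # per-entry problems first; cross-checks need parseable values

    def spi(s: str) -> int:
        return int(_norm_hex(s), 16)

    if spi(local.local_spi) != spi(remote.remote_spi):
        errors.append("Local SPI of the local peer must equal Remote SPI of the remote peer")
    if spi(local.remote_spi) != spi(remote.local_spi):
        errors.append("Remote SPI of the local peer must equal Local SPI of the remote peer")
    if (local.enc_alg, local.auth_alg) != (remote.enc_alg, remote.auth_alg):
        errors.append("encryption/authentication algorithms differ between peers")
    if (_norm_hex(local.enc_key) != _norm_hex(remote.enc_key)
            or _norm_hex(local.auth_key) != _norm_hex(remote.auth_key)):
        errors.append("encryption or authentication keys differ between peers")
    return errors


# Constructed sample pair (placeholder keys, not real secrets): 3DES + MD5, mirrored SPIs.
SAMPLE_ENC_KEY = "0123456789abcdef 0123456789abcdef 0123456789abcdef"   # 48 hex characters
SAMPLE_AUTH_KEY = "fedcba9876543210 fedcba9876543210"                    # 32 hex characters
SITE_A = ManualKeyEntry("to_B", "0x1a2b3c", "0x4d5e6f", "198.51.100.2",
                        "3des", SAMPLE_ENC_KEY, "md5", SAMPLE_AUTH_KEY)
SITE_B = ManualKeyEntry("to_A", "0x4d5e6f", "0x1a2b3c", "203.0.113.2",
                        "3des", SAMPLE_ENC_KEY, "md5", SAMPLE_AUTH_KEY)

if __name__ == "__main__":
    print(validate_pair(SITE_A, SITE_B) or "manual-key pair is consistent")
```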


IPv6 IPsec VPNs
This chapter describes how to configure your FortiGate unit’s IPv6 IPsec VPN
functionality. This feature is available starting in FortiOS 3.0 MR5.
The following topics are included in this section:


• Overview of IPv6 IPsec support
• Configuring IPv6 IPsec VPNs
• Site-to-site IPv6 over IPv6 VPN example
• Site-to-site IPv4 over IPv6 VPN example
• Site-to-site IPv6 over IPv4 VPN example

Overview of IPv6 IPsec support
The FortiGate unit supports route-based IPv6 IPsec, but not policy-based. This section
describes only how IPv6 IPsec support differs from IPv4 IPsec support.
Where both the gateways and the protected networks use IPv6 addresses, sometimes
called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You
can combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:
IPv4 over IPv6: The VPN gateways have IPv6 addresses. The protected networks have
IPv4 addresses. The phase 2 configurations at either end use IPv4 selectors.
IPv6 over IPv4: The VPN gateways have IPv4 addresses. The protected networks use
IPv6 addresses. The phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:
• Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
This is because FortiOS 3.0 does not support IPv6 DNS.
• You cannot use RSA certificates in which the common name (cn) is a domain name
that resolves to an IPv6 address. This is because FortiOS 3.0 does not support IPv6
DNS.
• DHCP over IPsec is not supported, because FortiOS 3.0 does not support IPv6 DHCP.
• Selectors cannot be firewall address names. Only IP address, address range and
subnet are supported.
• Redundant IPv6 tunnels are not supported.

Certificates
On a VPN with IPv6 phase 1 configuration, you can authenticate using VPN certificates in
which the common name (cn) is an IPv6 address. The cn-type keyword of the user
peer command has an option, ipv6, to support this.

Configuring IPv6 IPsec VPNs
Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-based
VPN: phase 1 settings, phase 2 settings, firewall policies and routing.
To access IPv6 functionality through the web-based manager, go to System > Admin >
Settings and enable IPv6 Support on GUI.

Phase 1 configuration
In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings.
Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote
gateway.
In the CLI, you define an IPsec phase 1 configuration as IPv6 by setting ip-version
to 6. Its default value is 4. Then, the local-gw and remote-gw keywords are hidden
and the corresponding local-gw6 and remote-gw6 keywords are available. The values
for local-gw6 and remote-gw6 must be IPv6 addresses. For example:
config vpn ipsec phase1-interface
edit tunnel6
set ip-version 6
set remote-gw6 0:123:4567::1234
set interface port3
set proposal 3des-md5
end

Phase 2 configuration
To create an IPv6 IPsec phase 2 configuration in the web-based manager, you need to
define IPv6 selectors in the Advanced settings. Change the default “0.0.0.0/0” address for
Source address and Destination address to the IPv6 value “::/0”. If needed, enter specific
IPv6 addresses, address ranges or subnet addresses in these fields.
In the CLI, set src-addr-type and dst-addr-type to ip6, range6 or subnet6 to
specify IPv6 selectors. By default, zero selectors are entered, “::/0” for the subnet6
address type, for example. The simplest IPv6 phase 2 configuration looks like this:
config vpn ipsec phase2-interface
edit tunnel6_p2
set phase1name tunnel6
set proposal 3des-md5
set src-addr-type subnet6
set dst-addr-type subnet6
end

Firewall policies
To complete the VPN configuration, you need a firewall policy in each direction to permit
traffic between the protected network’s port and the IPsec interface. You need IPv6
policies unless the VPN is IPv4 over IPv6.

Routing
Appropriate routing is needed for both the IPsec packets and the encapsulated traffic
within them. You need a route, which could be the default route, to the remote VPN
gateway via the appropriate interface. You also need a route to the remote protected
network via the IPsec interface.

To create a static route in the web-based manager, go to Router > Static. Select the
drop-down arrow on the Create New button and select IPv6 Route. Enter the information
and select OK. In the CLI, use the router static6 command. For example, where the
remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:
config router static6
edit 1
set device port2
set dst 0::/0
next
edit 2
set device toB
set dst fec0:0000:0000:0004::/64
next
end
If the VPN is IPv4 over IPv6, the route to the remote protected network is an IPv4 route. If
the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route.

Site-to-site IPv6 over IPv6 VPN example
In this example, computers on IPv6-addressed private networks communicate securely
over public IPv6 infrastructure.
Figure 126: Example IPv6-over-IPv6 VPN topology
[Figure not reproduced; labels: FortiGate A (Port 2 fec0:0001:209:0fff:fe83:25f2, Port3, network fec0:0000:0000:0000::/64), Internet, FortiGate B (Port 2 fec0:0001:209:0fff:fe83:25C7, Port3, network fec0:0000:0000:0004::/64)]

Configure FortiGate A interfaces
Port 2 connects to the public network and port 3 connects to the local network.
config system interface
edit port2
config ipv6
set ip6-address fec0::0001:209:0fff:fe83:25f2/64
end
next
edit port3
config ipv6
set ip6-address fec0::0000:209:0fff:fe83:25f3/64
end
next
end

Configure FortiGate A IPsec settings
The phase 1 configuration creates a virtual IPsec interface on port 2 and sets the remote
gateway to the public IP address of FortiGate B. This configuration is the same as for an
IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6
keyword is used to specify an IPv6 remote gateway address.
config vpn ipsec phase1-interface
edit toB
set ip-version 6
set interface port2
set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
By default, phase 2 selectors are set to accept all subnet addresses for source and
destination. The default setting for src-addr-type and dst-addr-type is subnet.
The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4,
::/0 for IPv6.
config vpn ipsec phase2-interface
edit toB2
set phase1name toB
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end

Configure FortiGate A firewall policies
Firewall policies are required to allow traffic between port3 and the IPsec interface toB in
each direction. The address all6 must be defined using the firewall address6
command as ::/0.
config firewall policy6
edit 1
set srcintf port3
set dstintf toB
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toB
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end

Configure FortiGate A routing
This simple example requires just two static routes. Traffic to the protected network behind
FortiGate B is routed via the virtual IPsec interface toB. A default route sends all IPv6
traffic out on port2.
config router static6
edit 1
set device port2
set dst 0::/0
next
edit 2
set device toB
set dst fec0:0000:0000:0004::/64
end

Configure FortiGate B
The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec
interface toA is configured on port2 and its remote gateway is the public IP address of
FortiGate A. Firewall policies enable traffic to pass between the private network and the
IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes
through the VPN and that all IPv6 packets are routed to the public network.
config system interface
edit port2
config ipv6
set ip6-address fec0::0003:209:0fff:fe83:25c7/64
end
next
edit port3
config ipv6
set ip6-address fec0::0004:209:0fff:fe83:2569/64
end
end
config vpn ipsec phase1-interface
edit toA
set ip-version 6
set interface port2
set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end
config firewall policy6
edit 1
set srcintf port3

set dstintf toA
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toA
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end
config router static6
edit 1
set device port2
set dst 0::/0
next
edit 2
set device toA
set dst fec0:0000:0000:0000::/64
end

Site-to-site IPv4 over IPv6 VPN example
In this example, two private networks with IPv4 addressing communicate securely over
IPv6 infrastructure.
Figure 127: Example IPv4-over-IPv6 VPN topology
[Figure not reproduced; labels: FortiGate A (Port 2 fec0:0001:209:0fff:fe83:25f2, Port3, network 192.168.2.0/24), Internet, FortiGate B (Port 2 fec0:0001:209:0fff:fe83:25C7, Port3, network 192.168.3.0/24)]

Configure FortiGate A interfaces
Port 2 connects to the IPv6 public network and port 3 connects to the IPv4 LAN.
config system interface
edit port2
config ipv6
set ip6-address fec0::0001:209:0fff:fe83:25f2/64
end
next
edit port3
set ip 192.168.2.1/24
end

Configure FortiGate A IPsec settings
The phase 1 configuration is the same as in the IPv6 over IPv6 example.
config vpn ipsec phase1-interface
edit toB
set ip-version 6
set interface port2
set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
The phase 2 configuration is the same as you would use for an IPv4 VPN. By default,
phase 2 selectors are set to accept all subnet addresses for source and destination.
config vpn ipsec phase2-interface
edit toB2
set phase1name toB
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
end

Configure FortiGate A firewall policies
Firewall policies are required to allow traffic between port3 and the IPsec interface toB in
each direction. These are IPv4 firewall policies.
config firewall policy
edit 1
set srcintf port3
set dstintf toB
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toB
set dstintf port3
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
end

Configure FortiGate A routing
This simple example requires just two static routes. Traffic to the protected network behind
FortiGate B is routed via the virtual IPsec interface toB using an IPv4 static route. A
default route sends all IPv6 traffic, including the IPv6 IPsec packets, out on port2.
config router static6
edit 1
set device port2
set dst 0::/0
end
config router static
edit 1
set device toB
set dst 192.168.3.0/24
end

Configure FortiGate B
The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec
interface toA is configured on port2 and its remote gateway is the public IP address of
FortiGate A. The IPsec phase 2 configuration has IPv4 selectors.
IPv4 firewall policies enable traffic to pass between the private network and the IPsec
interface. An IPv4 static route ensures traffic for the private network behind FortiGate A
goes through the VPN and an IPv6 static route ensures that all IPv6 packets are routed to
the public network.
config system interface
edit port2
config ipv6
set ip6-address fec0::0003:209:0fff:fe83:25c7/64
end
next
edit port3
set ip 192.168.3.1/24
end
config vpn ipsec phase1-interface
edit toA
set ip-version 6
set interface port2
set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
end
config firewall policy
edit 1
set srcintf port3
set dstintf toA
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toA
set dstintf port3

set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
end
config router static6
edit 1
set device port2
set dst 0::/0
end
config router static
edit 1
set device toA
set dst 192.168.2.0/24
end

Site-to-site IPv6 over IPv4 VPN example
In this example, IPv6-addressed private networks communicate securely over IPv4 public
infrastructure.
Figure 128: Example IPv6-over-IPv4 VPN topology
[Figure not reproduced; labels: FortiGate A (Port 2 10.0.0.1/24, Port3, network fec0:0000:0000:0000::/64), Internet, FortiGate B (Port 2 10.0.1.1/24, Port3, network fec0:0000:0000:0004::/64)]

Configure FortiGate A interfaces
Port 2 connects to the IPv4 public network and port 3 connects to the IPv6 LAN.
config system interface
edit port2
set ip 10.0.0.1/24
next
edit port3
config ipv6
set ip6-address fec0::0000:209:0fff:fe83:25f3/64
end
end

Configure FortiGate A IPsec settings
The phase 1 configuration uses IPv4 addressing.
config vpn ipsec phase1-interface
edit toB
set interface port2
set remote-gw 10.0.1.1
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
The phase 2 configuration uses IPv6 selectors. By default, phase 2 selectors are set to
accept all subnet addresses for source and destination. The default setting for
src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The
default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.
config vpn ipsec phase2-interface
edit toB2
set phase1name toB
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end

Configure FortiGate A firewall policies
IPv6 firewall policies are required to allow traffic between port3 and the IPsec interface toB
in each direction. The address all6 must be defined using the firewall address6
command as ::/0.
config firewall policy6
edit 1
set srcintf port3
set dstintf toB
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toB
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end

Configure FortiGate A routing
This simple example requires just two static routes. Traffic to the protected network behind
FortiGate B is routed via the virtual IPsec interface toB using an IPv6 static route. A
default route sends all IPv4 traffic, including the IPv4 IPsec packets, out on port2.
config router static6
edit 1
set device toB
set dst fec0:0000:0000:0004::/64
end
config router static
edit 1
set device port2
set dst 0.0.0.0/0
set gateway 10.0.0.254

end

Configure FortiGate B
The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec
interface toA is configured on port2 and its remote gateway is the IPv4 public IP address
of FortiGate A. The IPsec phase 2 configuration has IPv6 selectors.
IPv6 firewall policies enable traffic to pass between the private network and the IPsec
interface. An IPv6 static route ensures traffic for the private network behind FortiGate A
goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to
the public network.
config system interface
edit port2
set ip 10.0.1.1/24
next
edit port3
config ipv6
set ip6-address fec0::0004:209:0fff:fe83:2569/64
end
end
config vpn ipsec phase1-interface
edit toA
set interface port2
set remote-gw 10.0.0.1
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end
config firewall policy6
edit 1
set srcintf port3
set dstintf toA
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toA
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end
config router static6
edit 1
set device toA
set dst fec0:0000:0000:0000::/64
end
config router static
edit 1
set device port2
set gateway 10.0.1.254
end
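The three site-to-site examples above differ only in which address family the gateways and the protected networks use. As an added example (not from the handbook), the following Python derives one FortiGate's phase 1, phase 2, firewall policy and static-route CLI from those two families, following the rules this chapter states: ip-version 6 and remote-gw6 for an IPv6 gateway, subnet6 selectors, policy6 with all6 and a static6 tunnel route for an IPv6 protected network, and a plain static default route with a gateway for an IPv4 WAN. The SiteToSite type and its field names are assumptions of the example; the proposal string and pre-shared key are the handbook's sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HANDBOOK_PROPOSAL = "3des-md5 3des-sha1"   # proposal string used in the handbook's examples


@dataclass
class SiteToSite:
    """One FortiGate's side of a route-based site-to-site VPN (hypothetical helper type)."""
    tunnel: str                          # virtual IPsec interface name, e.g. "toB"
    wan_port: str                        # interface facing the public network
    lan_port: str                        # interface facing the protected network
    remote_gateway: str                  # peer's public address, IPv4 or IPv6
    remote_network: str                  # protected network behind the peer, CIDR
    psk: str
    ipv4_next_hop: Optional[str] = None  # router address for an IPv4 default route
    proposal: str = HANDBOOK_PROPOSAL


def address_families(site: SiteToSite) -> Tuple[int, int]:
    """Return (gateway IP version, protected-network IP version)."""
    gw = ipaddress.ip_address(site.remote_gateway)
    net = ipaddress.ip_network(site.remote_network, strict=False)
    return gw.version, net.version


def _policy(pid: int, src: str, dst: str, addr: str) -> List[str]:
    """One accept-all policy entry between two interfaces, ending in 'next'."""
    return [f"edit {pid}", f"set srcintf {src}", f"set dstintf {dst}",
            f"set srcaddr {addr}", f"set dstaddr {addr}", "set action accept",
            "set service ANY", "set schedule always", "next"]


def render_config(site: SiteToSite) -> str:
    """Emit the phase 1, phase 2, firewall policy and static-route CLI for one side."""
    gw_ver, net_ver = address_families(site)
    if gw_ver == 4 and site.ipv4_next_hop is None:
        raise ValueError("an IPv4 WAN needs ipv4_next_hop for the default route")
    out: List[str] = []

    # Phase 1: the gateway family decides ip-version and remote-gw versus remote-gw6.
    out += ["config vpn ipsec phase1-interface", f"edit {site.tunnel}"]
    if gw_ver == 6:
        out.append("set ip-version 6")
    out += [f"set interface {site.wan_port}",
            f"set remote-gw{'6' if gw_ver == 6 else ''} {site.remote_gateway}",
            "set dpd enable", f"set psksecret {site.psk}",
            f"set proposal {site.proposal}", "end"]

    # Phase 2: the protected-network family decides the selector type.
    out += ["config vpn ipsec phase2-interface", f"edit {site.tunnel}2",
            f"set phase1name {site.tunnel}", f"set proposal {site.proposal}",
            "set pfs enable", "set replay enable"]
    if net_ver == 6:
        out += ["set src-addr-type subnet6", "set dst-addr-type subnet6"]
    out.append("end")

    # Firewall policies: policy6 with all6 for an IPv6 protected network, policy with all otherwise.
    table, addr = ("policy6", "all6") if net_ver == 6 else ("policy", "all")
    out.append(f"config firewall {table}")
    out += _policy(1, site.lan_port, site.tunnel, addr)
    out += _policy(2, site.tunnel, site.lan_port, addr)
    out[-1] = "end"   # the last entry's 'next' becomes the table's 'end'

    # Routing: the tunnel route follows the protected network, the default route the gateway.
    routes: Dict[int, List[List[str]]] = {4: [], 6: []}
    if gw_ver == 6:
        routes[6].append([f"set device {site.wan_port}", "set dst 0::/0"])
    else:
        routes[4].append([f"set device {site.wan_port}", "set dst 0.0.0.0/0",
                          f"set gateway {site.ipv4_next_hop}"])
    routes[net_ver].append([f"set device {site.tunnel}", f"set dst {site.remote_network}"])
    for ver in (4, 6):
        if not routes[ver]:
            continue
        out.append("config router static" + ("6" if ver == 6 else ""))
        for n, body in enumerate(routes[ver], start=1):
            out += [f"edit {n}", *body, "next"]
        out[-1] = "end"
    return "\n".join(out)


# FortiGate A of the IPv6-over-IPv4 example, built from the handbook's values.
FGT_A_IPV6_OVER_IPV4 = SiteToSite("toB", "port2", "port3", "10.0.1.1",
                                  "fec0:0000:0000:0004::/64", "maryhadalittlelamb",
                                  ipv4_next_hop="10.0.0.254")
# FortiGate A of the IPv4-over-IPv6 example.
FGT_A_IPV4_OVER_IPV6 = SiteToSite("toB", "port2", "port3",
                                  "fec0:0000:0000:0003:209:0fff:fe83:25c7",
                                  "192.168.3.0/24", "maryhadalittlelamb")

if __name__ == "__main__":
    print(render_config(FGT_A_IPV6_OVER_IPV4))
```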


L2TP and IPsec (Microsoft VPN)
configurations
This section describes how to set up a VPN that is compatible with the Microsoft Windows
native VPN, which is L2TP with IPsec encryption.
The following topics are included in this section:
• Overview
• Configuring the FortiGate unit
• Configuring the Windows PC
• Troubleshooting

Overview
The topology of a VPN for Microsoft Windows dialup clients is very similar to that for
FortiClient Endpoint Security clients.
Figure 129: Example FortiGate VPN configuration with Microsoft clients
[Figure not reproduced; labels: OfficeLAN 10.11.101.0/24, FortiGate_1 (port 1 172.20.120.141, port 2 10.11.101.100), Internet, two Remote clients, HTTP/HTTPS 10.11.101.120, DNS 10.11.101.160, FTP 10.11.101.170, Samba 10.11.101.180]

For users, the difference is only that instead of installing and using the FortiClient
application, they configure a network connection using the software built into their
operating system. Starting in FortiOS 4.0 MR2, you can configure a FortiGate unit to work
with unmodified Microsoft VPN client software.
Configuring the FortiGate unit
To configure the FortiGate unit, you need to:
• Configure L2TP users and a firewall user group.
• Configure the L2TP VPN, including the IP address range it assigns to clients.
• Configure an IPsec VPN with encryption and authentication settings that match the
Microsoft VPN client.
• Configure firewall policies.

Configuring users and user group
Remote users must be authenticated before they can request services and/or access
network resources through the VPN. The authentication process can use a password
defined on the FortiGate unit or an established external authentication mechanism such
as RADIUS or LDAP.

Creating user accounts
You need to create user accounts and then add these users to a firewall user group to be
used for L2TP authentication. The Microsoft VPN client can automatically send the user’s
Windows network logon credentials. You might want to use these as the L2TP user name
and password.
To create a user account - web-based manager
1 Go to User > Local > Local and select Create New.
2 Enter the User Name.
3 Do one of the following:
• Select Password and enter the user’s assigned password.
• Select LDAP, RADIUS, or TACACS+ and select the authentication server from the
list. The authentication server must be already configured on the FortiGate unit.
4 Select OK.
To create a user account - CLI
If you want to create a user account, for example user1 with the password “123_user”, you
would enter:
config user local
edit user1
set type password
set passwd "123_user"
set status enable
end

Creating a user group
When clients connect using the L2TP-over-IPsec VPN, the FortiGate unit checks their
credentials against the user group you specify for L2TP authentication. You need to create
a firewall user group to use for this purpose.
To create a user group - web-based manager
1 Go to User > User Group > User Group, select Create New, and enter the following
information:


Name                     Type or edit the user group name (for example, L2TP_group).
Type                     Select Firewall.
Available Users/Groups   The list of Local users, RADIUS servers, LDAP servers, TACACS+
                         servers, or PKI users that can be added to the user group. To add
                         a member to this list, select the name and then select the right
                         arrow button.
Members                  The list of Local users, RADIUS servers, LDAP servers, TACACS+
                         servers, or PKI users that belong to the user group. To remove a
                         member, select the name and then select the left arrow button.

2 Select OK.
To create a user group - CLI
To create the user group L2TP_group and add members User_1, User_2, and User_3,
you would enter:
config user group
edit L2TP_group
set group-type firewall
set member User_1 User_2 User_3
end

Configuring L2TP
You can configure L2TP settings only in the CLI. As well as enabling L2TP, you set the
range of IP address values that are assigned to L2TP clients and specify the user group
that can access the VPN. For example, to allow access to users in the L2TP_group and
assign them addresses in the range 192.168.0.50 to 192.168.0.59, you would enter
config vpn l2tp
set sip 192.168.0.50
set eip 192.168.0.59
set status enable
set usrgrp "L2TP_group"
end
One of the firewall policies for the L2TP over IPsec VPN uses the client address range, so
you also need to create a firewall address for that range. For example,
config firewall address
edit L2TPclients
set type iprange
set end-ip 192.168.6.88
set start-ip 192.168.6.85
end
Alternatively, you could define this range in the web-based manager.

Configuring IPsec
The Microsoft VPN client uses IPsec for encryption. The configuration needed on the
FortiGate unit is substantially the same as for any other IPsec VPN except that
• transport mode is used instead of tunnel mode
• the encryption and authentication proposals must be compatible with the Microsoft
client
L2TP over IPsec is supported on the FortiGate unit using policy-based, not route-based
configurations.


Configuring phase 1 - web-based manager
1 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2 Enter the following information and then select OK.
Name                         Enter a name for this VPN, dialup_p1 for example.
Remote Gateway               Dialup User
Local Interface              Select the network interface that connects to the Internet. For
                             example, port1.
Mode                         Main (ID protection)
Authentication Method        Preshared Key
Pre-shared Key               Enter the preshared key. This key must also be entered in the
                             Microsoft VPN client.
Advanced                     Select Advanced to enter the following information.
Enable IPsec Interface Mode  This must not be selected.
P1 Proposal                  Enter the following Encryption/Authentication pairs:
                             AES256-MD5, 3DES-SHA1, AES192-SHA1
DH Group                     2
NAT Traversal                Enable
Dead Peer Detection          Enable
Leave other settings at default values.

Configuring phase 1 - CLI
To create a phase 1 configuration called dialup_p1 on a FortiGate unit that has port1
connected to the Internet, you would enter:
config vpn ipsec phase1
edit dialup_p1
set type dynamic
set interface port1
set mode main
set psksecret ********
set proposal aes256-md5 3des-sha1 aes192-sha1
set dhgrp 2
set nattraversal enable
set dpd enable
end
Configuring phase 2 - web-based manager
1 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 2.
2 Enter the following information and then select OK.
Name                                  Enter a name for this phase 2 configuration.
Phase 1                               Select the name of the phase 1 configuration.
Advanced                              Select Advanced to enter the following information.
P2 Proposal                           Enter the following Encryption/Authentication pairs:
                                      AES256-MD5, 3DES-SHA1, AES192-SHA1
Enable replay detection               Enable
Enable perfect forward secrecy (PFS)  Disable
Keylife                               3600 seconds
Leave other settings at default values.

3 Make this a transport-mode VPN. You must use the CLI to do this. If your phase 2
name is dialup_p2, you would enter:
config vpn ipsec phase2
edit dialup_p2
set encapsulation transport-mode
end
Configuring phase 2 - CLI
To configure a phase 2 to work with your phase 1 configuration, you would enter:
config vpn ipsec phase2
edit dialup_p2
set phase1name dialup_p1
set proposal aes256-md5 3des-sha1 aes192-sha1
set replay enable
set pfs disable
set keylifeseconds 3600
set encapsulation transport-mode
end

Configuring firewall policies
The firewall policies required for L2TP over IPsec VPN are:
• an IPSEC policy, as you would create for any policy-based IPsec VPN
• a regular ACCEPT policy to allow traffic from the L2TP clients to access the protected
network

Configuring the IPSEC firewall policy - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following information and then select OK:
Source Interface/Zone       Select the interface that connects to the private network behind this
                            FortiGate unit.
Source Address              all
Destination Interface/Zone  Select the FortiGate unit’s public interface.
Destination Address         all
Action                      IPSEC
VPN Tunnel                  Select the name of the phase 1 configuration that you created. For
                            example, dialup_p1. See “Configuring IPsec” on page 903.
Allow inbound               Enable
Allow outbound              Enable
UTM                         Optional settings for UTM features.
Leave other settings at default values.


Configuring the IPSEC firewall policy - CLI
If your VPN tunnel (phase 1) is called dialup_p1, your protected network is on port2, and
your public interface is port1, you would enter:
config firewall policy
edit 0
set srcintf port2
set dstintf port1
set srcaddr all
set dstaddr all
set action ipsec
set schedule always
set service ANY
set inbound enable
set outbound enable
set vpntunnel dialup_p1
end
Configuring the ACCEPT firewall policy - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following information and then select OK:
Source Interface/Zone       Select the FortiGate unit’s public interface.
Source Address              Select the firewall address that you defined for the L2TP clients.
Destination Interface/Zone  Select the interface that connects to the private network behind this
                            FortiGate unit.
Destination Address         all
Action                      ACCEPT
UTM                         Optionally, select UTM feature profiles.
Leave other settings at default values.

Configuring the ACCEPT firewall policy - CLI
If your public interface is port1, your protected network is on port2, and L2TPclients is the
address range that L2TP clients use, you would enter:
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr L2TPclients
set dstaddr all
set action accept
set schedule always
set service ANY
end
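The CLI fragments in this section have to agree with one another: the phase 2 must be transport-mode, the usrgrp named in config vpn l2tp must exist, the phase 1 must be a dialup (type dynamic) configuration, and the source address of the ACCEPT policy must cover the range that config vpn l2tp hands out to clients, otherwise the tunnel comes up but client traffic matches no policy (the Quick checks table in the Troubleshooting section lists the symptoms). The following Python script is an added example and not Fortinet code: it parses FortiOS CLI text into a tree and runs those consistency checks. The configuration embedded in it is constructed from this section's own examples, which use two different client ranges (192.168.0.50 to 192.168.0.59 for L2TP, 192.168.6.85 to 192.168.6.88 for the L2TPclients address), so the checker is expected to flag them; FIXED_CONFIG aligns the two.

```python
"""Parse FortiOS 4.0 CLI text and check the settings this section requires for an
L2TP-over-IPsec (Microsoft client) VPN. Added example, not Fortinet code."""
import ipaddress
import shlex

def parse_fortios_cli(text):
    """Return {config path: {entry: {key: [values]}}}; configs with no 'edit'
    table (such as 'config vpn l2tp') are stored under the entry None."""
    tree, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append([" ".join(args), None])
            tree.setdefault(stack[-1][0], {})
        elif cmd == "edit":
            stack[-1][1] = args[0]
            tree[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            path, entry = stack[-1]
            tree[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return tree

def _one(block, key):
    return block.get(key, [None])[0]  # first value of a 'set' key, or None

def check_l2tp_over_ipsec(tree):
    """Return a list of problems; empty means the pieces this section configures
    (L2TP, user group, dialup phase 1, transport-mode phase 2, policies) fit together."""
    problems = []
    l2tp = tree.get("vpn l2tp", {}).get(None, {})
    phase1 = tree.get("vpn ipsec phase1", {})
    addrs = tree.get("firewall address", {})
    if _one(l2tp, "status") != "enable":
        problems.append("L2TP is not enabled")
    if _one(l2tp, "usrgrp") not in tree.get("user group", {}):
        problems.append("L2TP usrgrp does not name a configured user group")
    if not any(_one(p, "type") == "dynamic" for p in phase1.values()):
        problems.append("no dialup phase 1 (set type dynamic)")
    for name, p2 in tree.get("vpn ipsec phase2", {}).items():
        if _one(p2, "phase1name") not in phase1:
            problems.append(f"phase 2 {name} refers to an unknown phase 1")
        if _one(p2, "encapsulation") != "transport-mode":
            problems.append(f"phase 2 {name} is not transport-mode")
    if "sip" not in l2tp or "eip" not in l2tp:
        return problems + ["L2TP client range (sip/eip) is not set"]
    lo, hi = (ipaddress.ip_address(l2tp[k][0]) for k in ("sip", "eip"))
    # The ACCEPT policy only matches client traffic if its source address covers sip..eip.
    for p in tree.get("firewall policy", {}).values():
        if _one(p, "action") != "accept":
            continue
        for name in p.get("srcaddr", []):
            a = addrs.get(name, {})
            if name == "all" or (_one(a, "type") == "iprange" and "start-ip" in a and "end-ip" in a
                    and ipaddress.ip_address(a["start-ip"][0]) <= lo <= hi <= ipaddress.ip_address(a["end-ip"][0])):
                return problems
    return problems + [f"no ACCEPT policy whose source address covers L2TP clients {lo}-{hi}"]

# Constructed from this section's CLI examples. The L2TP range (192.168.0.50-59) and the
# L2TPclients address (192.168.6.85-88) come from two different examples; FIXED_CONFIG aligns them.
HANDBOOK_CONFIG = """\
config user group
edit L2TP_group
end
config vpn l2tp
set sip 192.168.0.50
set eip 192.168.0.59
set status enable
set usrgrp "L2TP_group"
end
config firewall address
edit L2TPclients
set type iprange
set start-ip 192.168.6.85
set end-ip 192.168.6.88
end
config vpn ipsec phase1
edit dialup_p1
set type dynamic
end
config vpn ipsec phase2
edit dialup_p2
set phase1name dialup_p1
set encapsulation transport-mode
end
config firewall policy
edit 1
set srcaddr L2TPclients
set action accept
end
"""
FIXED_CONFIG = HANDBOOK_CONFIG.replace("192.168.0.50", "192.168.6.85").replace("192.168.0.59", "192.168.6.88")
```

Running check_l2tp_over_ipsec(parse_fortios_cli(HANDBOOK_CONFIG)) reports only the range mismatch, and the same call on FIXED_CONFIG returns an empty list. The parser understands the config/edit/set/next/end structure used throughout this chapter, so the same tree can be queried for other checks, such as confirming the IPSEC policy's vpntunnel names the dialup phase 1.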


Configuring the Windows PC
Configuration of the Windows PC for a VPN connection to the FortiGate unit consists of
the following:
• In Network Connections, configure a Virtual Private Network connection to the
FortiGate unit.
• Ensure that the IPSEC service is running.
• Ensure that IPsec has not been disabled for the VPN client. It may have been disabled
to make the Microsoft VPN compatible with an earlier version of FortiOS.

The instructions in this section are based on Windows XP SP3. Other versions of
Windows may vary slightly.
To configure the network connection
1 Open Network Connections.
This is available through the Control Panel.
2 Double-click New Connection Wizard.
3 Select Next.
4 Select Connect to the network at my workplace and then select Next.
5 Select Virtual Private Network connection and then select Next.
6 In the Company Name field, enter a name for the connection and then select Next.
7 Select Do not dial the initial connection and then select Next.
8 Enter the public IP address or FQDN of the FortiGate unit and then select Next.
9 Optionally, select Add a shortcut to this connection to my desktop.
10 Select Finish.
The Connect dialog opens on the desktop.
11 Select Properties and then select the Security tab.
12 Select IPSec Settings.
13 Select Use pre-shared key for authentication, enter the preshared key that you
configured for your VPN, and select OK.
14 Select OK.
To check that the IPSEC service is running
1 Open Administrative Tools.
This is available through the Control Panel.
2 Double-click Services.
3 Look for IPSEC Services. The Startup Type should be Automatic and Status should be
Started. If needed, double-click IPSEC Services to change the settings.
To check that IPsec has not been disabled
1 Select Start > Run.
2 Enter regedit and select OK.
3 Find the Registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
4 If there is a ProhibitIPSec value, it must be set to 0.


Troubleshooting
This section describes some checks and tools you can use to resolve issues with L2TP-over-IPsec VPNs.

Quick checks
Here is a list of common L2TP over IPsec VPN problems and the likely solutions.
Problem                          What to check
IPsec tunnel does not come up.   Check the logs to determine whether the failure is in Phase 1 or
                                 Phase 2.
                                 Check the settings, including the encapsulation setting, which
                                 must be transport-mode.
                                 Check the user password.
                                 Confirm that the user is a member of the user group assigned to
                                 L2TP.
                                 On the Windows PC, check that the IPsec service is running and
                                 has not been disabled. See “Configuring the Windows PC” on
                                 page 907.
Tunnel connects, but there is    Did you create an ACCEPT firewall policy from the public network
no communication.                to the protected network for the L2TP clients? See “Configuring
                                 firewall policies” on page 905.

Setting up logging
To configure FortiGate logging for L2TP over IPsec
1 Go to Log & Report > Log Config > Event Log.
2 Select the Enable check box.
3 Select the L2TP/PPTP/PPPoE service event and IPsec negotiation event check boxes.
4 Select Apply.
To configure FortiGate logging level
1 Go to Log & Report > Log Config > Log Setting.
2 Select the Local Logging & Archiving check box.
3 Select the Memory check box.
4 Set Minimum log level to Information.
5 Optionally, enable and configure disk logging.
6 Select Apply.
To view FortiGate logs
1 Go to Log & Report > Log Access > Event.
2 Select the Memory log type.
3 After each attempt to start the L2TP over IPsec VPN, select Refresh to view any
logged events.

Understanding the log messages
Successful startup of an L2TP over IPsec VPN follows a well-defined sequence. If you
compare your logs to the sequence shown in Table 72, you will be able to determine at
what stage your configuration is failing.


Table 72: Typical sequence of log messages for L2TP over IPsec VPN connection startup
Seq  ID     Sub Type  Action        Message
1    37127  ipsec     negotiate     progress IPsec phase 1
2    37127  ipsec     negotiate     progress IPsec phase 1
3    37127  ipsec     negotiate     progress IPsec phase 1
4    37127  ipsec     negotiate     progress IPsec phase 1
5    37129  ipsec     negotiate     progress IPsec phase 2
6    37133  ipsec     install_sa    install IPsec SA
7    37139  ipsec     phase2-up     IPsec phase 2 status change
8    37138  ipsec     tunnel-up     IPsec connection status change
9    37129  ipsec     negotiate     progress IPsec phase 2
10   37122  ipsec     negotiate     negotiate IPsec phase 2
11   31008  ppp       connect       Client 172.20.120.151 control connection started
                                    (id 743), assigned ip 192.168.6.85
12   29013  ppp                     pppd is started
13   29002  ppp       auth_success  User 'user1' using l2tp with authentication protocol
                                    MSCHAP_V2, succeeded
14   31101  ppp       tunnel-up     L2TP tunnel established

Note: This table lists messages in top down chronological order. In the web-based
manager log viewer, you need to read the messages from the bottom up. The newest
message appears at the top of that list.

In Table 72, messages 1 through 4 show the IKE phase 1 negotiation stages that result in
the creation of the Security Association (SA) shown in message 6. Phase 2 negotiation in
messages 5, 9 and 10 produces the tunnel-up condition reported in message 8.
With IPsec communication established, the L2TP connection is established (message 11),
the pppd daemon starts (message 12), the user is authenticated (message 13), and the
L2TP tunnel is ready to use (message 14).

Using the FortiGate unit debug commands
To view debug output for IKE and L2TP
1 Start an SSH or Telnet session to your FortiGate unit.
2 Enter the following CLI commands
diagnose debug application ike -1
diagnose debug application l2tp -1
diagnose debug enable

3 Attempt to use the VPN and note the debug output in the SSH or Telnet session.
4 Enter the following command to reset debug settings to default:
diagnose debug reset

To use the packet sniffer
1 Start an SSH or Telnet session to your FortiGate unit.
2 Enter the following CLI command
diagnose sniffer packet any icmp 4

3 Attempt to use the VPN and note the debug output.
4 Enter Ctrl-C to end sniffer operation.

Typical L2TP over IPsec session startup log entries - raw format
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 1" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1" status=success
init=remote mode=main dir=outbound stage=1 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 1" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1" status=success
init=remote mode=main dir=outbound stage=2 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 1" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1" status=success
init=remote mode=main dir=inbound stage=3 role=responder result=DONE
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 1" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success
init=remote mode=main dir=outbound stage=3 role=responder result=DONE
2010-01-11 16:39:58 log_id=0101037129 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 2" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success
init=remote mode=quick dir=outbound stage=1 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037133 type=event subtype=ipsec pri=notice vd="root"
msg="install IPsec SA" action="install_sa" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" role=responder
in_spi=61100fe2 out_spi=bd70fca1
2010-01-11 16:39:58 log_id=0101037139 type=event subtype=ipsec pri=notice vd="root"
msg="IPsec phase 2 status change" action="phase2-up" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0"
phase2_name=dialup_p2
2010-01-11 16:39:58 log_id=0101037138 type=event subtype=ipsec pri=notice vd="root"
msg="IPsec connection status change" action="tunnel-up" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0"
tunnel_ip=172.20.120.151 tunnel_id=1552003005 tunnel_type=ipsec duration=0 sent=0
rcvd=0 next_stat=0 tunnel=dialup_p1_0
2010-01-11 16:39:58 log_id=0101037129 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 2" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success
init=remote mode=quick dir=inbound stage=2 role=responder result=DONE
2010-01-11 16:39:58 log_id=0101037122 type=event subtype=ipsec pri=notice vd="root"
msg="negotiate IPsec phase 2" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success
role=responder esp_transform=ESP_3DES esp_auth=HMAC_SHA1
2010-01-11 16:39:58 log_id=0103031008 type=event subtype=ppp vd=root
pri=information action=connect status=success msg="Client 172.20.120.151 control
connection started (id 805), assigned ip 192.168.6.85"
2010-01-11 16:39:58 log_id=0103029013 type=event subtype=ppp vd=root pri=notice
pppd is started
2010-01-11 16:39:58 log_id=0103029002 type=event subtype=ppp vd=root pri=notice
user="user1" local=172.20.120.141 remote=172.20.120.151 assigned=192.168.6.85
action=auth_success msg="User 'user1' using l2tp with authentication protocol
MSCHAP_V2, succeeded"
2010-01-11 16:39:58 log_id=0103031101 type=event subtype=ppp vd=root
pri=information action=tunnel-up tunnel_id=1645784497 tunnel_type=l2tp
remote_ip=172.20.120.151 tunnel_ip=192.168.6.85 user="user1" group="L2TPusers"
msg="L2TP tunnel established"
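Comparing a session against Table 72 by hand works for one client; the following Python script is an added example (not FortiOS code) that automates it. It parses records in the raw key=value format shown above and reports the furthest startup milestone reached, the milestone that should have followed, and the stage of the first record whose status is not success, which is exactly the "is the failure in Phase 1 or Phase 2" question the Quick checks table starts with. The log lines embedded in it are constructed, abbreviated copies of the records above; the status value failure used in the stalled sample is an assumption, since this section only shows successful records.

```python
"""Parse FortiOS 4.0 raw event-log records and report how far an L2TP-over-IPsec
startup got, following the sequence in Table 72. Added example, not FortiOS code;
the sample log lines are constructed to match the raw format shown in this section."""
import re

# Ordered startup milestones from Table 72: (subtype, action, msg to match or None, label)
MILESTONES = [
    ("ipsec", "negotiate",    "progress IPsec phase 1", "IKE phase 1 negotiation"),
    ("ipsec", "negotiate",    "progress IPsec phase 2", "IKE phase 2 negotiation"),
    ("ipsec", "install_sa",   None, "IPsec SA installed"),
    ("ipsec", "phase2-up",    None, "IPsec phase 2 up"),
    ("ipsec", "tunnel-up",    None, "IPsec tunnel up"),
    ("ppp",   "connect",      None, "L2TP control connection started"),
    ("ppp",   "auth_success", None, "PPP user authenticated"),
    ("ppp",   "tunnel-up",    None, "L2TP tunnel established"),
]

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one raw record into a dict of fields (None if it has no timestamp).
    Quoted values lose their quotes; free text with no key= (as in 'pppd is started')
    becomes the msg field when the record has none."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {"date": m.group(1), "time": m.group(2)}
    rest = m.group(3)
    for key, value in KV_RE.findall(rest):
        fields[key] = value[1:-1] if value.startswith('"') else value
    tail = KV_RE.sub("", rest).strip()
    if tail and "msg" not in fields:
        fields["msg"] = tail
    return fields

def milestone_index(ev):
    """Index in MILESTONES of the milestone this record reports, or None."""
    for i, (subtype, action, msg, _label) in enumerate(MILESTONES):
        if (ev.get("subtype"), ev.get("action")) == (subtype, action) and msg in (None, ev.get("msg")):
            return i
    return None

def connection_progress(lines):
    """Summarise one session: furthest milestone reached, the milestone that should
    have come next (None once the L2TP tunnel is up), and the stage of the first record
    whose status is not 'success' (assumption: a failed step logs a non-success status)."""
    furthest, failed_at = -1, None
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev.get("type") != "event":
            continue
        idx = milestone_index(ev)
        if idx is None:
            continue
        if failed_at is None and ev.get("status", "success") != "success":
            failed_at = MILESTONES[idx][3]
        furthest = max(furthest, idx)
    return {
        "reached": MILESTONES[furthest][3] if furthest >= 0 else None,
        "next_expected": MILESTONES[furthest + 1][3] if furthest + 1 < len(MILESTONES) else None,
        "failed_at": failed_at,
    }

# Constructed sample records, abbreviated from the raw log shown in this section.
_P1 = ('type=event subtype=ipsec pri=notice vd="root" msg="progress IPsec phase 1" action="negotiate" '
       'rem_ip=172.20.120.151 loc_ip=172.20.120.141 vpn_tunnel="dialup_p1" status=success mode=main role=responder ')
GOOD_SESSION = [
    "2010-01-11 16:39:58 log_id=0101037127 " + _P1 + "stage=1 result=OK",
    "2010-01-11 16:39:58 log_id=0101037127 " + _P1 + "stage=3 result=DONE",
    '2010-01-11 16:39:58 log_id=0101037129 type=event subtype=ipsec pri=notice vd="root" msg="progress IPsec phase 2" action="negotiate" vpn_tunnel="dialup_p1_0" status=success mode=quick stage=1 result=OK',
    '2010-01-11 16:39:58 log_id=0101037133 type=event subtype=ipsec pri=notice vd="root" msg="install IPsec SA" action="install_sa" vpn_tunnel="dialup_p1_0" in_spi=61100fe2 out_spi=bd70fca1',
    '2010-01-11 16:39:58 log_id=0101037139 type=event subtype=ipsec pri=notice vd="root" msg="IPsec phase 2 status change" action="phase2-up" vpn_tunnel="dialup_p1_0" phase2_name=dialup_p2',
    '2010-01-11 16:39:58 log_id=0101037138 type=event subtype=ipsec pri=notice vd="root" msg="IPsec connection status change" action="tunnel-up" tunnel=dialup_p1_0',
    '2010-01-11 16:39:58 log_id=0103031008 type=event subtype=ppp vd=root pri=information action=connect status=success msg="Client 172.20.120.151 control connection started (id 805), assigned ip 192.168.6.85"',
    '2010-01-11 16:39:58 log_id=0103029013 type=event subtype=ppp vd=root pri=notice pppd is started',
    '2010-01-11 16:39:58 log_id=0103029002 type=event subtype=ppp vd=root pri=notice user="user1" assigned=192.168.6.85 action=auth_success msg="User \'user1\' using l2tp with authentication protocol MSCHAP_V2, succeeded"',
    '2010-01-11 16:39:58 log_id=0103031101 type=event subtype=ppp vd=root pri=information action=tunnel-up tunnel_type=l2tp user="user1" group="L2TPusers" msg="L2TP tunnel established"',
]
# A session that never gets past phase 1; the status value 'failure' is constructed, not taken from FortiOS.
STALLED_SESSION = [
    "2010-01-11 16:41:02 log_id=0101037127 " + _P1 + "stage=1 result=OK",
    "2010-01-11 16:41:02 log_id=0101037127 " + _P1.replace("status=success", "status=failure") + "stage=2 result=ERROR",
]
```

For GOOD_SESSION, connection_progress reports that the L2TP tunnel was established with nothing left to expect; for STALLED_SESSION it reports that phase 1 negotiation was the furthest stage, that phase 2 negotiation never started, and that the failure occurred in phase 1, which points at the phase 1 proposals, DH group or preshared key rather than at the L2TP user settings. The records shown in the raw log above are wrapped across several lines; join each record onto one line before feeding it to parse_line.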


GRE over IPsec (Cisco VPN) configurations
This section describes how to configure a FortiGate VPN that is compatible with Cisco-style VPNs that use GRE in an IPsec tunnel.
The following topics are included in this section:
• Overview
• Configuring the FortiGate unit
• Configuring the Cisco router
• Troubleshooting

Overview
Cisco products that include VPN support often use Generic Routing Encapsulation (GRE)
protocol tunnel over IPsec encryption. This chapter describes how to configure a
FortiGate unit to work with this type of Cisco VPN.
Cisco VPNs can use either transport mode or tunnel mode IPsec. Before FortiOS 4.0
MR2, the FortiGate unit was compatible only with tunnel mode IPsec.
Figure 130: Example FortiGate to Cisco GRE-over-IPsec VPN
[Figure: the FortiGate unit has Port 2 (10.11.101.100) on LAN-1 10.11.101.0/24 and Port 1
(172.20.120.141) on the Internet; across the Internet, the Cisco Router (192.168.5.113)
fronts LAN-2 10.21.101.0/24.]

In this example, users on LAN-1 are provided access to LAN-2.

Configuring the FortiGate unit
There are several steps to the GRE-over-IPsec configuration:
• Enable overlapping subnets. This is needed because the IPsec and GRE tunnels will
use the same addresses.
• Configure a route-based IPsec VPN on the external interface.
• Configure a GRE tunnel on the virtual IPsec interface. Set its local gateway and remote
gateway addresses to match the local and remote gateways of the IPsec tunnel.
• Configure firewall policies to allow traffic to pass in both directions between the GRE
virtual interface and the IPsec virtual interface.
• Configure firewall policies to allow traffic to pass in both directions between the
protected network interface and the GRE virtual interface.
• Configure a static route to direct traffic destined for the network behind the Cisco router
into the GRE-over-IPsec tunnel.

Enabling overlapping subnets
By default, each FortiGate unit network interface must be on a separate network. The
configuration described in this chapter assigns an IPsec tunnel end point and the external
interface to the same network. Enable subnet overlap as follows:
config system settings
set allow-subnet-overlap enable
end

Configuring the IPsec VPN
A route-based VPN is required. It must use encryption and authentication algorithms
compatible with the Cisco equipment to which it connects. In this chapter, preshared key
authentication is shown.
To configure the IPsec VPN - web-based manager
1 Define the phase 1 configuration needed to establish a secure connection with the
remote Cisco device. Enter these settings in particular:
Name                         Enter a name to identify the VPN tunnel, tocisco for example. This
                             is the name of the virtual IPsec interface. It appears in phase 2
                             configurations, firewall policies and the VPN monitor.
Remote Gateway               Select Static IP Address.
IP Address                   Enter the IP address of the Cisco device public interface. For
                             example, 192.168.5.113
Local Interface              Select the FortiGate unit’s public interface. For example,
                             172.20.120.141
Mode                         Select Main (ID Protection).
Authentication Method        Preshared Key
Pre-shared Key               Enter the preshared key. It must match the preshared key on the
                             Cisco device.
Advanced                     Select the Advanced button to see the following settings.
Enable IPsec Interface Mode  Enable.
P1 Proposal                  3DES-MD5
                             At least one proposal must match the settings on the Cisco unit.
Leave other settings at default values.

For more information about these settings, see “Auto Key phase 1 parameters” on
page 929.
2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
For compatibility with the Cisco router, Quick Mode Selectors must be entered, which
includes specifying protocol 47, the GRE protocol. Enter these settings in particular:


Name                  Enter a name to identify this phase 2 configuration.
Phase 1               Select the name of the phase 1 configuration that you defined in
                      Step 1.
Advanced              Select Advanced to view the following fields.
P2 Proposal           3DES-MD5
                      At least one proposal must match the settings on the Cisco unit.
Quick Mode Selector
  Source Address      Enter the GRE local tunnel end IP address.
                      For example 172.20.120.141
  Source Port         0
  Destination Address Enter the GRE remote tunnel end IP address.
                      For example 192.168.5.113
  Destination Port    0
  Protocol            47
Leave other settings at default values.

For more information about these settings, see “Phase 2 parameters” on page 945.
3 If the Cisco device is configured to use transport mode IPsec, you need to use
transport mode on the FortiGate VPN. You can configure this only in the CLI. In your
phase 2 configuration, set encapsulation to transport-mode (default is
tunnel-mode) as follows:
config vpn ipsec phase2-interface
edit to_cisco_p2
set encapsulation transport-mode
end
To configure the IPsec VPN - CLI
config vpn ipsec phase1-interface
edit tocisco
set interface port1
set proposal 3des-sha1 aes128-sha1
set remote-gw 192.168.5.113
set psksecret xxxxxxxxxxxxxxxx
end
config vpn ipsec phase2-interface
edit tocisco_p2
set phase1name "tocisco"
set proposal 3des-md5
set encapsulation tunnel-mode     // if tunnel mode
set encapsulation transport-mode  // if transport mode
set protocol 47
set src-addr-type ip
set dst-start-ip 192.168.5.113
set src-start-ip 172.20.120.141
end

Adding IPsec tunnel end addresses
The Cisco configuration requires an address for its end of the IPsec tunnel. The addresses
are set to match the GRE gateway addresses. Use the CLI to set the addresses, like this:
config system interface
edit tocisco                      // the virtual IPsec interface
set ip 172.20.120.141 255.255.255.255
set remote-ip 192.168.5.113
end

Configuring the GRE tunnel
The GRE tunnel runs between the virtual IPsec public interface on the FortiGate unit and
the Cisco router. You must use the CLI to configure a GRE tunnel. In the example, you
would enter:
config system gre-tunnel
edit gre1
set interface tocisco
set local-gw 172.20.120.141
set remote-gw 192.168.5.113
end
interface is the virtual IPsec interface
local-gw is the FortiGate unit public IP address
remote-gw is the remote Cisco device public IP address

Adding GRE tunnel end addresses
You will also need to add tunnel end addresses. The Cisco router configuration requires
an address for its end of the GRE tunnel. Using the CLI, enter tunnel end addresses that
are not used elsewhere on the FortiGate unit, like this:
config system interface
edit gre1
set ip 10.0.1.1 255.255.255.255
set remote-ip 10.0.1.2
end

Configuring firewall policies
Two sets of firewall policies are required:
• policies to allow traffic to pass in both directions between the GRE virtual interface and
the IPsec virtual interface.
• policies to allow traffic to pass in both directions between the protected network
interface and the GRE virtual interface.

To configure firewall policies - web-based manager
1 Define an ACCEPT firewall policy to permit communications between the protected
network and the GRE tunnel:
Source Interface/Zone       Select the interface that connects to the private network behind
                            this FortiGate unit.
Source Address Name         All
Destination Interface/Zone  Select the GRE tunnel virtual interface you configured.
Destination Address Name    All
Action                      ACCEPT
NAT                         Disable.

2 To permit the remote client to initiate communication, you need to define a firewall
policy for communication in that direction:


Source Interface/Zone       Select the GRE tunnel virtual interface you configured.
Source Address Name         All
Destination Interface/Zone  Select the interface that connects to the private network behind
                            this FortiGate unit.
Destination Address Name    All
Action                      ACCEPT.
NAT                         Disable.

3 Define a pair of ACCEPT firewall policies to permit traffic to flow between the GRE
virtual interface and the IPsec virtual interface:
Source Interface/Zone       Select the GRE virtual interface. See “Configuring the GRE
                            tunnel” on page 916.
Source Address Name         All
Destination Interface/Zone  Select the virtual IPsec interface you created. See “Configuring
                            the IPsec VPN” on page 914.
Destination Address Name    All
Action                      ACCEPT.
NAT                         Disable.

Source Interface/Zone       Select the virtual IPsec interface you created. See “Configuring
                            the IPsec VPN” on page 914.
Source Address Name         All
Destination Interface/Zone  Select the GRE virtual interface. See “Configuring the GRE
                            tunnel” on page 916.
Destination Address Name    All
Action                      Select ACCEPT.
NAT                         Disable.

To configure firewall policies - CLI
config firewall policy
    edit 1
        // LAN to GRE tunnel
        set srcintf "port2"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        // GRE tunnel to LAN
        set srcintf "gre1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        // GRE tunnel to IPsec interface
        set srcintf "gre1"
        set dstintf "tocisco"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        // IPsec interface to GRE tunnel
        set srcintf "tocisco"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
end
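The policy set above only works if every direction is covered and none of the tunnel policies performs NAT. The following audit script is an added example, not code from the FortiOS Handbook or from Fortinet: it parses the text of a `config firewall policy` block as the FortiGate CLI prints it, checks that each ACCEPT policy between the LAN, GRE and IPsec interfaces has a reverse-direction counterpart, and flags any policy with `set nat enable`. The interface names port2, gre1 and tocisco are the Handbook's example names; policy 5 in the sample is a constructed misconfiguration added so the audit has something to report.

```python
"""Audit FortiOS firewall policies for a GRE-over-IPsec tunnel (added example)."""
import re

# Constructed sample configuration: policies 1-4 follow the Handbook's example,
# policy 5 is a deliberate misconfiguration (one-way, with NAT enabled).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 2
        set srcintf "gre1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 3
        set srcintf "gre1"
        set dstintf "tocisco"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 4
        set srcintf "tocisco"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 5
        set srcintf "tocisco"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set nat enable
    next
end
"""


def parse_policies(text):
    """Return {policy_id: {setting: value}} for each `edit N ... next` entry."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\d+)$", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            # The CLI quotes names; strip the quotes so comparisons are exact.
            current[m.group(1)] = m.group(2).replace('"', "").strip()
            continue
        if line in ("next", "end") and current is not None:
            policies[current["id"]] = current
            current = None
    return policies


def audit_policies(policies):
    """Return findings as strings; an empty list means the policy set is consistent."""
    findings = []
    accept = [p for p in policies.values() if p.get("action") == "accept"]
    directions = {(p.get("srcintf"), p.get("dstintf")) for p in accept}
    for p in accept:
        reverse = (p.get("dstintf"), p.get("srcintf"))
        if reverse not in directions:
            findings.append(f"policy {p['id']}: no reverse policy {reverse[0]} -> "
                            f"{reverse[1]}; traffic initiated from {reverse[0]} is not permitted")
        if p.get("nat") == "enable":
            findings.append(f"policy {p['id']}: NAT is enabled; the Handbook's tunnel "
                            "policies use NAT: Disable")
    return findings


if __name__ == "__main__":
    for finding in audit_policies(parse_policies(SAMPLE_CONFIG)):
        print(finding)
```

Run against a real unit, paste the output of `show firewall policy` into the parser; the two findings on policy 5 (missing port2 to tocisco counterpart, NAT enabled) are exactly the two mistakes the Quick checks table later attributes to "tunnel connects, but there is no communication".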

Configuring routing
Traffic destined for the network behind the Cisco router must be routed to the GRE tunnel. To do this, create a static route as follows:
Destination IP/Mask: Enter the IP address and netmask for the network behind the Cisco router. For example 10.21.101.0 255.255.255.0
Device: Select the GRE virtual interface.
Distance: Leave setting at default value.

In the CLI, using the example values, you would enter
config router static
    edit 0
        set device gre1
        set dst 10.21.101.0 255.255.255.0
end

Configuring the Cisco router
Using Cisco IOS, you would configure the Cisco router as follows, using the addresses from the example:
configure terminal
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 no mode
 exit
no ip access-list extended tunnel
ip access-list extended tunnel
 permit gre host 192.168.5.113 host 172.20.120.141
 exit
interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 tunnel source 192.168.5.113
 tunnel destination 172.20.120.141
!
ip route 10.11.101.0 255.255.255.0 Tunnel1
end
clear crypto sa
clear crypto isakmp
For transport mode, change no mode to mode transport.
This is only the portion of the Cisco router configuration that applies to the GRE-over-IPsec tunnel. For more information, refer to the Cisco documentation.

Troubleshooting
This section describes some checks and tools you can use to resolve issues with the GRE-over-IPsec VPN.

Quick checks
Here is a list of common problems and what to verify.

Problem: No communication with remote network.
What to check:
• Use the execute ping command to ping the Cisco device public interface.
• Use the FortiGate VPN Monitor page to see whether the IPsec tunnel is up or can be brought up.

Problem: IPsec tunnel does not come up.
What to check:
• Check the logs to determine whether the failure is in Phase 1 or Phase 2.
• Check that the encryption and authentication settings match those on the Cisco device.
• Check the encapsulation setting: tunnel-mode or transport-mode. Both devices must use the same mode.

Problem: Tunnel connects, but there is no communication.
What to check:
• Check the firewall policies. See “Configuring firewall policies” on page 916.
• Check routing. See “Configuring routing” on page 918.

Setting up logging
To configure FortiGate logging for IPsec
1 Go to Log & Report > Log Config > Event Log.
2 Select the Enable check box.
3 Select the IPsec negotiation event check box.
4 Select Apply.
To configure FortiGate logging level
1 Go to Log & Report > Log Config > Log Setting.
2 Select the Local Logging & Archiving check box.
3 Select the Memory check box.
4 Set Minimum log level to Information.
5 Optionally, enable and configure disk logging.
6 Select Apply.
To view FortiGate logs
1 Go to Log & Report > Log Access > Event.
2 Select the Memory log type.
3 Select Refresh to view any logged events.

Understanding the log messages
Successful startup of an IPsec VPN follows a well-defined sequence. If you compare your logs to the sequence shown in Table 73, you will be able to determine at what stage your configuration is failing.

Table 73: Typical sequence of log messages for IPsec VPN connection startup
     ID      Sub Type   Action       Message
1    37127   ipsec      negotiate    progress IPsec phase 1
2    37127   ipsec      negotiate    progress IPsec phase 1
3    37127   ipsec      negotiate    progress IPsec phase 1
4    37127   ipsec      negotiate    progress IPsec phase 1
5    37129   ipsec      negotiate    progress IPsec phase 2
6    37133   ipsec      install_sa   install IPsec SA
7    37139   ipsec      phase2-up    IPsec phase 2 status change
8    37138   ipsec      tunnel-up    IPsec connection status change

Note: This table lists messages in top down chronological order. In the web-based manager log viewer, you need to read the messages from the bottom up. The newest message appears at the top of that list.
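The comparison described above can be automated. The script below is an added example, not code from the FortiOS Handbook or from Fortinet: it encodes the Table 73 sequence as an ordered list of (log ID, action) pairs, reverses a newest-first log listing as the note requires, and reports the last stage reached together with the first stage that never appeared. The sample log lines are constructed in a simplified key=value form (fields id, subtype, action, msg) rather than the exact FortiOS log format.

```python
"""Find the stage at which an IPsec VPN startup stalls (added example)."""
import re

# (log ID, action, description) in the chronological order of Table 73.
STARTUP_SEQUENCE = [
    (37127, "negotiate", "IPsec phase 1 negotiation"),
    (37129, "negotiate", "IPsec phase 2 negotiation"),
    (37133, "install_sa", "IPsec SA installation"),
    (37139, "phase2-up", "IPsec phase 2 up"),
    (37138, "tunnel-up", "IPsec tunnel up"),
]

# Constructed sample, newest first as the web-based manager shows it:
# negotiation reached phase 2 and went no further.
SAMPLE_LOG_NEWEST_FIRST = [
    'time=10:02:11 id=37129 type=event subtype=ipsec action=negotiate msg="progress IPsec phase 2"',
    'time=10:02:11 id=37127 type=event subtype=ipsec action=negotiate msg="progress IPsec phase 1"',
    'time=10:02:10 id=37127 type=event subtype=ipsec action=negotiate msg="progress IPsec phase 1"',
    'time=10:02:10 id=37127 type=event subtype=ipsec action=negotiate msg="progress IPsec phase 1"',
    'time=10:02:09 id=0 type=event subtype=admin action=login msg="constructed unrelated event"',
]

# Constructed sample of a complete startup, already in chronological order.
SAMPLE_LOG_COMPLETE = [
    'time=10:05:01 id=37127 type=event subtype=ipsec action=negotiate msg="progress IPsec phase 1"',
    'time=10:05:02 id=37129 type=event subtype=ipsec action=negotiate msg="progress IPsec phase 2"',
    'time=10:05:02 id=37133 type=event subtype=ipsec action=install_sa msg="install IPsec SA"',
    'time=10:05:02 id=37139 type=event subtype=ipsec action=phase2-up msg="IPsec phase 2 status change"',
    'time=10:05:02 id=37138 type=event subtype=ipsec action=tunnel-up msg="IPsec connection status change"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split a key=value log line into a dict, removing quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def diagnose_startup(lines, newest_first=True):
    """Return (last stage reached, first stage not reached).

    The second element is None when the tunnel came up. The web-based manager
    lists the newest message at the top, so such listings are reversed first.
    """
    events = [parse_event(line) for line in lines]
    if newest_first:
        events.reverse()
    reached = -1
    for ev in events:
        if ev.get("subtype") != "ipsec":
            continue
        for idx, (log_id, action, _) in enumerate(STARTUP_SEQUENCE):
            if ev.get("id") == str(log_id) and ev.get("action") == action:
                reached = max(reached, idx)
    if reached == len(STARTUP_SEQUENCE) - 1:
        return STARTUP_SEQUENCE[-1][2], None
    last = STARTUP_SEQUENCE[reached][2] if reached >= 0 else "no IPsec events"
    return last, STARTUP_SEQUENCE[reached + 1][2]


if __name__ == "__main__":
    print(diagnose_startup(SAMPLE_LOG_NEWEST_FIRST))
```

A result whose first element is the phase 1 negotiation points at the phase 1 settings (mode, proposals, pre-shared key); stalling after phase 2 negotiation, as in the first sample, points at the phase 2 proposals or the tunnel/transport mode mismatch listed in the Quick checks table.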

Using diagnostic commands
There are some diagnostic commands that can provide useful information.
To use the packet sniffer
1 Enter the following CLI command:
diag sniff packet any icmp 4
2 Ping an address on the network behind the FortiGate unit from the network behind the Cisco router.
The output should show packets coming in from the GRE interface going out of the interface that connects to the protected network (LAN) and vice versa. For example:
114.124303 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124367 port2 out 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124466 port2 in 10.11.101.10 -> 10.0.1.2: icmp: echo reply
114.124476 gre1 out 10.11.101.10 -> 10.0.1.2: icmp: echo reply
3 Enter CTRL-C to stop the sniffer.
To view debug output for IKE
1 Enter the following CLI commands:
diagnose debug application ike -1
diagnose debug enable

2 Attempt to use the VPN and note the debug output.
3 Enter the following command to reset debug settings to default:
diagnose debug reset
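Reading a sniffer trace by eye is fine for one ping, but longer captures are easier to check mechanically. The script below is an added example, not code from the FortiOS Handbook or from Fortinet: it parses lines in the format of the sniffer output shown above (timestamp, interface, in/out, src -> dst: protocol detail) and reports every flow that entered on the GRE interface without leaving on the LAN interface, or vice versa. The interface names gre1 and port2 are the Handbook's example names; both sample traces are constructed.

```python
"""Check a FortiGate sniffer trace for packets that entered but were not forwarded (added example)."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<detail>.+)$")

# Constructed sample trace: the four lines the Handbook shows for one ping.
SAMPLE_TRACE = [
    "114.124303 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request",
    "114.124367 port2 out 10.0.1.2 -> 10.11.101.10: icmp: echo request",
    "114.124466 port2 in 10.11.101.10 -> 10.0.1.2: icmp: echo reply",
    "114.124476 gre1 out 10.11.101.10 -> 10.0.1.2: icmp: echo reply",
]

# Constructed sample trace: requests arrive from the tunnel but never leave
# towards the LAN, which is what a missing GRE-to-LAN policy or route looks like.
SAMPLE_TRACE_DROPPED = [
    "120.001000 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request",
    "121.002000 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request",
]


def parse_sniff_line(line):
    """Return the fields of one sniffer line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_forwarding(lines, tunnel_if="gre1", lan_if="port2"):
    """Return one record per distinct flow seen 'in' on the tunnel or LAN interface
    that was never seen 'out' on the opposite interface. Empty list: all forwarded."""
    expected_out = {tunnel_if: lan_if, lan_if: tunnel_if}
    packets = [p for p in map(parse_sniff_line, lines) if p]
    seen_out = {(p["iface"], p["src"], p["dst"], p["detail"])
                for p in packets if p["dir"] == "out"}
    missing, reported = [], set()
    for p in packets:
        if p["dir"] != "in" or p["iface"] not in expected_out:
            continue
        out_if = expected_out[p["iface"]]
        key = (out_if, p["src"], p["dst"], p["detail"])
        if key not in seen_out and key not in reported:
            reported.add(key)
            missing.append({"iface_in": p["iface"], "expected_out": out_if,
                            "src": p["src"], "dst": p["dst"], "detail": p["detail"]})
    return missing


if __name__ == "__main__":
    for flow in check_forwarding(SAMPLE_TRACE_DROPPED):
        print(f"{flow['iface_in']} in {flow['src']} -> {flow['dst']} ({flow['detail']}) "
              f"never left on {flow['expected_out']}")
```

A flow reported as entering on gre1 but never leaving on port2 means the FortiGate unit decrypted and de-encapsulated the packet but did not forward it, so the problem is in the firewall policies or the static route, not in the IPsec or GRE configuration.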


Protecting OSPF with IPsec
For enhanced security, OSPF dynamic routing can be carried over IPsec VPN links.
The following topics are included in this section:
• Overview
• OSPF over IPsec configuration
• Creating a redundant configuration

Overview
This chapter shows an example of OSPF routing conducted over an IPsec tunnel between
two FortiGate units. The network shown in Figure 131 is a single OSPF area. FortiGate_1
is an Area border router that advertises a static route to 10.22.10.0/24 in OSPF.
FortiGate_2 advertises its local LAN as an OSPF internal route.
Figure 131: OSPF over an IPsec VPN tunnel
[Figure: FortiGate_1 (Port 2 172.20.120.141, local LAN 10.21.101.0/24, static route to 10.22.10.0/24) and FortiGate_2 (Port 2 192.168.0.131, local LAN 10.31.101.0/24) are connected across the Internet by two VPN tunnels: “tunnel_wan1” with OSPF cost 10 and tunnel ends 10.1.1.1 and 10.1.1.2, and “tunnel_wan2” with OSPF cost 200 and tunnel ends 10.1.2.1 and 10.1.2.2. Port1 and Port3 are also shown on each unit.]

The section “OSPF over IPsec configuration” describes the configuration with only one
IPsec VPN tunnel, tunnel_wan1. Then, the section “Creating a redundant configuration”
on page 927 describes how you can add a second tunnel to provide a redundant backup
path. This is shown in Figure 131 as VPN tunnel “tunnel_wan2”.
Only the parts of the configuration concerned with creating the IPsec tunnel and
integrating it into the OSPF network are described. It is assumed that firewall policies are
already in place to allow traffic to flow between the interfaces on each FortiGate unit.

OSPF over IPsec configuration
There are several steps to the OSPF-over-IPsec configuration:
• Configure a route-based IPsec VPN on an external interface. It will connect to a corresponding interface on the other FortiGate unit. Define the two tunnel-end addresses.
• Configure a static route to the other FortiGate unit.
• Configure the tunnel network as part of the OSPF network and define the virtual IPsec interface as an OSPF interface.

This section describes the configuration with only one VPN, tunnel_wan1. The other VPN is added in the section “Creating a redundant configuration” on page 927.

Configuring the IPsec VPN
A route-based VPN is required. In this chapter, preshared key authentication is shown.
Certificate authentication is also possible. Both FortiGate units need this configuration.
To configure Phase 1
1 Define the phase 1 configuration needed to establish a secure connection with the other FortiGate unit. For more information, see “Auto Key phase 1 parameters” on page 929. Enter these settings in particular:
Name: Enter a name to identify the VPN tunnel, tunnel_wan1 for example. This becomes the name of the virtual IPsec interface.
Remote Gateway: Select Static IP Address.
IP Address: Enter the IP address of the other FortiGate unit’s public (Port 2) interface.
Local Interface: Select this FortiGate unit’s public (Port 2) interface.
Mode: Select Main (ID Protection).
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. It must match the preshared key on the other FortiGate unit.
Advanced: Select Advanced.
Enable IPsec Interface Mode: Enable
Leave other settings at default values.

To assign the tunnel end IP addresses
1 Go to System > Network > Interface and select the Edit icon for the virtual IPsec interface that you just created on Port 2.
2 In the IP and Remote IP fields, enter the following tunnel end addresses:
            FortiGate_1   FortiGate_2
IP          10.1.1.1      10.1.1.2
Remote IP   10.1.1.2      10.1.1.1
These addresses are from a network that is not used for anything else.

To configure Phase 2
1 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer. For more information, see “Phase 2 parameters” on page 945. Enter these settings in particular:
Name: Enter a name to identify this phase 2 configuration, twan1_p2, for example.
Phase 1: Select the name of the phase 1 configuration that you defined in Step 1, tunnel_wan1 for example.
Leave other settings at default values.

Configuring static routing
You need to define the route for traffic leaving the external interface. Go to Router > Static > Static Route, select Create New, and enter the following information.
Destination IP/Mask: Leave as 0.0.0.0 0.0.0.0.
Device: Select the external interface.
Gateway: Enter the IP address of the next hop router.
Distance: Leave setting at default value.

Configuring OSPF
This section does not attempt to explain OSPF router configuration. It focuses on the integration of the IPsec tunnel into the OSPF network. This is accomplished by assigning the tunnel as an OSPF interface, creating an OSPF route to the other FortiGate unit.
This configuration uses loopback interfaces to ease OSPF troubleshooting. The OSPF router ID is set to the loopback interface address. The loopback interface ensures the router is always up. Even though technically the router ID doesn’t have to match a valid IP address on the FortiGate unit, having an IP that matches the router ID makes troubleshooting a lot easier.
The two FortiGate units have slightly different configurations. FortiGate_1 is an AS border
router that advertises its static default route. FortiGate_2 advertises its local LAN as an
OSPF internal route.
Setting the router ID for each FortiGate unit to the lowest possible value is useful if you
want the FortiGate units to be the designated router (DR) for their respective ASes. This is
the router that broadcasts the updates for the AS.
Leaving the IP address on the OSPF interface at 0.0.0.0 indicates that all potential routes
will be advertised, and it will not be limited to any specific subnet. For example if this IP
address was 10.1.0.0, then only routes that match that subnet will be advertised through
this interface in OSPF.

FortiGate_1 OSPF configuration
When configuring FortiGate_1 for OSPF, the loopback interface is created, and then you
configure OSPF area networks and interfaces.
With the exception of creating the loopback interface, OSPF for this example can all be
configured in either the web-based manager or CLI.
To create the loopback interface
A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.1, you would enter:
config system interface
    edit lback1
        set vdom root
        set ip 10.0.0.1 255.255.255.255
        set type loopback
end
The loopback addresses and corresponding router IDs on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.
To configure OSPF area, networks, and interfaces - web-based manager
1 On FortiGate_1, go to Router > Dynamic > OSPF and enter the following information to define the router, area, and interface information.
Router ID: Enter 10.0.0.1. Select Apply before entering the remaining information.
Advanced Options
Redistribute: Select the Connected and Static check boxes. Use their default metric values.
Areas: Select Create New, enter the Area and Type and then select OK.
Area: 0.0.0.0
Type: Regular
Interfaces
Name: Enter a name for the OSPF interface, ospf_wan1 for example.
Interface: Select the virtual IPsec interface, tunnel_wan1.
IP: 0.0.0.0
2 For Networks, select Create New.
3 Enter the following information.
IP/Netmask: 10.1.1.0/255.255.255.0
Area: 0.0.0.0
4 For Networks, select Create New.
5 Enter the following information:
IP/Netmask: 10.0.0.1/255.255.255.255
Area: 0.0.0.0
6 Select Apply.
To configure OSPF area and interfaces - CLI
Your loopback interface is 10.0.0.1, your tunnel ends are on the 10.1.1.0/24 network, and your virtual IPsec interface is named tunnel_wan1. Enter the following CLI commands:
config router ospf
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
    end
    config network
        edit 4
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.0.0.1 255.255.255.255
    end
    config ospf-interface
        edit ospf_wan1
            set cost 10
            set interface tunnel_wan1
            set network-type point-to-point
    end
    config redistribute connected
        set status enable
    end
    config redistribute static
        set status enable
    end
end

FortiGate_2 OSPF configuration
When configuring FortiGate_2 for OSPF, the loopback interface is created, and then you
configure OSPF area networks and interfaces.
Configuring FortiGate_2 differs from FortiGate_1 in that three interfaces are defined
instead of two. The third interface is the local LAN that will be advertised into OSPF.
With the exception of creating the loopback interface, OSPF for this example can all be
configured in either the web-based manager or CLI.
To create the loopback interface
A loopback interface can be configured in the CLI only. For example, if the interface will
have an IP address of 10.0.0.2, you would enter:
config system interface
edit lback1
set vdom root
set ip 10.0.0.2 255.255.255.255
set type loopback
end
The loopback addresses on the two FortiGate units must be different. For example, set the
FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.
To configure OSPF area and interfaces - web-based manager
1 On FortiGate_2, go to Router > Dynamic > OSPF.
2 For Router ID, enter 10.0.0.2, then enter the following information.
Areas: Select Create New, enter the Area and Type and then select OK.
Area: 0.0.0.0
Type: Regular
Interfaces
Name: Enter a name for the OSPF interface, ospf_wan1 for example.
Interface: Select the virtual IPsec interface, tunnel_wan1.
IP: 0.0.0.0
3 For Networks, select Create New.
4 Enter the following information for the loopback interface:
IP/Netmask: 10.0.0.2/255.255.255.255
Area: 0.0.0.0
5 For Networks, select Create New.
6 Enter the following information for the tunnel interface:
IP/Netmask: 10.1.1.0/255.255.255.0
Area: 0.0.0.0
7 For Networks, select Create New.
8 Enter the following information for the local LAN interface:
IP/Netmask: 10.31.101.0/255.255.255.0
Area: 0.0.0.0
9 Select Apply.
To configure OSPF area and interfaces - CLI
If, for example, your loopback interface is 10.0.0.2, your tunnel ends are on the 10.1.1.0/24 network, your local LAN is 10.31.101.0/24, and your virtual IPsec interface is named tunnel_wan1, you would enter (each network entry needs its own ID; reusing an ID would overwrite the earlier entry):
config router ospf
    set router-id 10.0.0.2
    config area
        edit 0.0.0.0
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.31.101.0 255.255.255.0
        next
        edit 3
            set prefix 10.0.0.2 255.255.255.255
    end
    config ospf-interface
        edit ospf_wan1
            set interface tunnel_wan1
            set network-type point-to-point
    end
end

Creating a redundant configuration
You can improve the reliability of the OSPF over IPsec configuration described in the
previous section by adding a second IPsec tunnel to use if the default one goes down.
Redundancy in this case is not controlled by the IPsec VPN configuration but by the OSPF
routing protocol.
To do this you:
• Create a second route-based IPsec tunnel on a different interface and define tunnel end addresses for it.
• Add the tunnel network as part of the OSPF network and define the virtual IPsec interface as an additional OSPF interface.
• Set the OSPF cost for the added OSPF interface to be significantly higher than the cost of the default route.

Adding the second IPsec tunnel
The configuration is the same as in “Configuring the IPsec VPN” on page 922, but the
interface and addresses will be different. Ideally, the network interface you use is
connected to a different Internet service provider for added redundancy.
When adding the second tunnel to the OSPF network, choose another unused subnet for
the tunnel ends, 10.1.2.1 and 10.1.2.2 for example.

Adding the OSPF interface
OSPF uses the metric called cost when determining the best route, with lower costs being
preferred. Up to now in this example, only the default cost of 10 has been used. Cost can
be set only in the CLI.
The new IPsec tunnel will have its OSPF cost set higher than that of the default tunnel to ensure that it is only used if the first tunnel goes down. The new tunnel could be set to a cost of 200, compared to the default cost of 10. Such a large difference in cost will ensure this new tunnel will only be used as a last resort.
If the new tunnel is called tunnel_wan2, you would enter the following on both FortiGate
units:
config router ospf
config ospf-interface
edit ospf_wan2
set cost 200
set interface tunnel_wan2
set network-type point-to-point
end
end


Auto Key phase 1 parameters
This chapter provides detailed step-by-step procedures for configuring a FortiGate unit to
accept a connection from a remote peer or dialup client. The phase 1 parameters identify
the remote peer or clients and support authentication through preshared keys or digital
certificates. You can increase access security further using peer identifiers, certificate
distinguished names, group names, or the FortiGate extended authentication (XAuth)
option for authentication purposes.
Note: The information and procedures in this section do not apply to VPN peers that
perform negotiations using manual keys. Refer to “Manual-key configurations” on page 887
instead.

The following topics are included in this section:
• Overview
• Defining the tunnel ends
• Choosing main mode or aggressive mode
• Authenticating the FortiGate unit
• Authenticating remote peers and clients
• Defining IKE negotiation parameters
• Defining the remaining phase 1 options
• Using XAuth authentication
Overview
IPsec phase 1 settings define:
• the ends of the IPsec tunnel, remote and local
• whether the various phase 1 parameters are exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• whether a preshared key or digital certificates will be used to authenticate the FortiGate unit to the VPN peer or dialup client
• whether the VPN peer or dialup client is required to authenticate to the FortiGate unit. A remote peer or dialup client can authenticate by peer ID or, if the FortiGate unit authenticates by certificate, it can authenticate by peer certificate.
• the IKE negotiation proposals for encryption and authentication
• optional XAuth authentication, which requires the remote user to enter a user name and password. A FortiGate VPN server can act as an XAuth server to authenticate dialup users. A FortiGate unit that is a dialup client can also be configured as an XAuth client to authenticate itself to the VPN server.

Defining the tunnel ends
To begin defining the phase 1 configuration, go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 1. Enter a descriptive name for the VPN tunnel. This is particularly important if you will create several tunnels.
The phase 1 configuration mainly defines the ends of the IPsec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPsec packets. The local end is the FortiGate interface that sends and receives IPsec packets.
The remote gateway can be:
• a static IP address
• a domain name with a dynamic IP address
• a dialup client
A statically addressed remote gateway is the simplest to configure. You specify the IP
address. Unless restricted in the firewall policy, either the remote peer or a peer on the
network behind the FortiGate unit can bring up the tunnel.
If the remote peer has a domain name and subscribes to a dynamic DNS service, you
need to specify only the domain name. The FortiGate unit performs a DNS query to
determine the appropriate IP address. Unless restricted in the firewall policy, either the
remote peer or a peer on the network behind the FortiGate unit can bring up the tunnel.
If the remote peer is a dialup client, only the dialup client can bring up the tunnel. The IP
address of the client is not known until it connects to the FortiGate unit. This configuration
is a typical way to provide a VPN for client PCs running VPN client software such as the
FortiClient Endpoint Security application.
The local end of the VPN tunnel, the Local Interface, is the FortiGate interface that sends
and receives the IPsec packets. This is usually the public interface of the FortiGate unit
that is connected to the Internet. Packets from this interface pass to the private network
through a firewall policy.
By default, the local VPN gateway is the IP address of the selected Local Interface. If you
are configuring an interface mode VPN, you can optionally specify a secondary IP address
of the Local Interface as the local gateway.

Choosing main mode or aggressive mode
The FortiGate unit and the remote peer or dialup client exchange phase 1 parameters in either Main mode or Aggressive mode. This choice does not apply if you use IKE version 2, which is available only for route-based configurations.
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
Although Main mode is more secure, you must select Aggressive mode if there is more
than one dialup phase 1 configuration for the interface IP address, and the remote VPN
peer or client is authenticated using an identifier (local ID). Descriptions of the peer
options in this guide indicate whether Main or Aggressive mode is required.

Choosing the IKE version
If you create a route-based VPN, you have the option of selecting the IKE version 2.
Otherwise, IKE version 1 is used.
IKEv2, defined in RFC 4306, simplifies the negotiation process that creates the security
association (SA).
If you select IKEv2:
• There is no choice in Phase 1 of Aggressive or Main mode.
• FortiOS does not support Peer Options or Local ID.
• Extended Authentication (XAUTH) is not available.
• You can select only one DH Group.

Authenticating the FortiGate unit
The FortiGate unit can authenticate itself to remote peers or dialup clients using either a
pre-shared key or an RSA Signature (certificate).

Authenticating the FortiGate unit with digital certificates
To authenticate the FortiGate unit using digital certificates, you must have the required
certificates installed on the remote peer and on the FortiGate unit. The signed server
certificate on one peer is validated by the presence of the root certificate installed on the
other peer. If you use certificates to authenticate the FortiGate unit, you can also require
the remote peers or dialup clients to authenticate using certificates.
For more information about obtaining and installing certificates, see the FortiGate
Certificate Management User Guide.
To authenticate the FortiGate unit using digital certificates
1 Go to VPN > IPSEC > Auto Key (IKE).
2 Create a new phase 1 configuration or edit an existing phase 1 configuration.
3 Include appropriate entries as follows:
Name: Enter a name that reflects the origination of the remote connection.
Remote Gateway: Select the nature of the remote connection:
• Static IP Address
• Dialup User
• Dynamic DNS
For more information, see “Defining the tunnel ends” on page 930.
Local Interface: Select the interface that is the local end of the IPsec tunnel. For more information, see “Defining the tunnel ends” on page 930.
Mode: Select Main or Aggressive mode.
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.
For more information, see “Choosing main mode or aggressive mode” on page 930.
Authentication Method: Select RSA Signature.
Certificate Name: Select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. To obtain and load the required server certificate, see the FortiGate Certificate Management User Guide.
Peer Options: Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. For more information, see “Authenticating remote peers and clients” on page 933.
Advanced: You can retain the default settings unless changes are needed to meet your specific requirements. See “Defining IKE negotiation parameters” on page 938.

4 If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See “Using the FortiGate unit as an XAuth server” on page 942.
5 Select OK.

Authenticating the FortiGate unit with a pre-shared key
The simplest way to authenticate a FortiGate unit to its remote peers or dialup clients is by means of a pre-shared key. This is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth). Also, you need to have a secure way to distribute the pre-shared key to the peers.
If you use pre-shared key authentication alone, all remote peers and dialup clients must
be configured with the same pre-shared key. Optionally, you can configure remote peers
and dialup clients with unique pre-shared keys. On the FortiGate unit, these are
configured in user accounts, not in the phase_1 settings. For more information, see
“Enabling VPN access using user accounts and pre-shared keys” on page 937.
The pre-shared key must contain at least 6 printable characters and should be known only
to network administrators. For optimum protection against currently known attacks, the
key should consist of a minimum of 16 randomly chosen alphanumeric characters.
If you authenticate the FortiGate unit using a pre-shared key, you can require remote
peers or dialup clients to authenticate using peer IDs, but not client certificates.
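The two numeric requirements stated above (at least 6 printable characters; at least 16 randomly chosen alphanumeric characters for protection against currently known attacks) are easy to enforce at the point where keys are produced. The script below is an added example, not code from the FortiOS Handbook or from Fortinet: it generates keys from the operating system's cryptographic random source and checks a candidate key against both bounds. The entropy estimate and the exclusion of the space character are this example's own choices, not statements from the Handbook.

```python
"""Generate and check IPsec pre-shared keys against the Handbook's guidance (added example)."""
import math
import secrets
import string

MIN_LENGTH = 6            # Handbook: key must contain at least 6 printable characters
RECOMMENDED_LENGTH = 16   # Handbook: at least 16 randomly chosen alphanumeric characters
ALPHABET = string.ascii_letters + string.digits   # 62 alphanumeric symbols


def generate_psk(length=RECOMMENDED_LENGTH):
    """Return a random alphanumeric key drawn with the secrets module (CSPRNG)."""
    if length < MIN_LENGTH:
        raise ValueError(f"key length {length} is below the FortiOS minimum of {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimate_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random key of this length over this alphabet.

    This estimate is the example's own addition; a 16-character alphanumeric
    key is about 95 bits, a 6-character one about 36 bits.
    """
    return length * math.log2(alphabet_size)


def check_psk(key):
    """Return a list of findings; an empty list means the key meets the guidance."""
    findings = []
    # Printable, non-space ASCII only. Excluding the space character is a
    # conservative choice made here, not a Handbook requirement.
    if not all(33 <= ord(c) <= 126 for c in key):
        findings.append("contains non-printable or space characters")
    if len(key) < MIN_LENGTH:
        findings.append(f"shorter than the {MIN_LENGTH}-character minimum")
    elif len(key) < RECOMMENDED_LENGTH:
        findings.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    return findings


if __name__ == "__main__":
    key = generate_psk()
    print(key, f"~{estimate_bits(len(key)):.0f} bits", check_psk(key))
```

Because each unit must hold the same key, generate it once and copy it to the peer over an already authenticated channel; a key that passes `check_psk` but was typed from memory or reused from another tunnel gains nothing from the length check.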
To authenticate the FortiGate unit with a pre-shared key
1 Go to VPN > IPSEC > Auto Key (IKE).
2 Create a new phase 1 configuration or edit an existing phase 1 configuration.
3 Include appropriate entries as follows:
Name: Enter a name that reflects the origination of the remote connection.
Remote Gateway: Select the nature of the remote connection:
• Static IP Address.
• Dialup User.
• Dynamic DNS.
For more information, see “Defining the tunnel ends” on page 930.
Local Interface: Select the interface that is the local end of the IPsec tunnel. For more information, see “Defining the tunnel ends” on page 930.
Mode: Select Main or Aggressive mode.
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.
For more information, see “Choosing main mode or aggressive mode” on page 930.
Authentication Method: Select Pre-shared Key.
Pre-shared Key: Enter the preshared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
Peer options: Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. You can require the use of peer IDs, but not client certificates. For more information, see “Authenticating remote peers and clients” on page 933.
Advanced: You can retain the default settings unless changes are needed to meet your specific requirements. See “Defining IKE negotiation parameters” on page 938.

4 If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See “Using the FortiGate unit as an XAuth server” on page 942.
5 Select OK.

Authenticating remote peers and clients
Certificates or pre-shared keys restrict who can access the VPN tunnel, but they do not
identify or authenticate the remote peers or dialup clients. You have the following options
for authentication:


• You can permit access only for remote peers or clients who use certificates that you
recognize. This is available only if the FortiGate unit authenticates using certificates.
See “Enabling VPN access for specific certificate holders” on page 934.
• You can permit access only for remote peers or clients that have a certain peer identifier
(local ID) value configured. This is available with both certificate and preshared key
authentication. See “Enabling VPN access by peer identifier” on page 936.
• You can permit access to remote peers or dialup clients who each have a unique
preshared key. Each peer or client must have a user account on the FortiGate unit.
See “Enabling VPN access using user accounts and pre-shared keys” on page 937.
• You can permit access to remote peers or dialup clients who each have a unique peer
ID and a unique preshared key. Each peer or client must have a user account on the
FortiGate unit. See “Enabling VPN access using user accounts and pre-shared keys”
on page 937.

For authentication of users of the remote peer or dialup client device, see “Using XAuth
authentication” on page 942.

Enabling VPN access for specific certificate holders
When a VPN peer or dialup client is configured to authenticate using digital certificates, it
sends the DN of its certificate to the FortiGate unit. This DN can be used to allow VPN
access for the certificate holder. That is, a FortiGate unit can be configured to deny
connections to all remote peers and dialup clients except the one having the specified DN.

Before you begin
The following procedures assume that you already have an existing phase 1 configuration
(see “Authenticating the FortiGate unit with digital certificates” on page 931). Follow the
procedures below to add certificate-based authentication parameters to the existing
configuration.
Before you begin, you must obtain the certificate DN of the remote peer or dialup client. If
you are using the FortiClient Endpoint Security application as a dialup client, refer to
FortiClient online Help for information about how to view the certificate DN. To view the
certificate DN of a FortiGate unit, see “To view server certificate information and obtain the
local DN” on page 935.
Use the config user peer CLI command to load the DN value into the FortiGate
configuration. For example, if a remote VPN peer uses server certificates issued by your
own organization, you would enter information similar to the following:
config user peer
    edit DN_FG1000
        set cn 192.168.2.160
        set cn-type ipv4
    end
The value that you specify to identify the entry (for example, DN_FG1000) is displayed in
the Accept this peer certificate only list in the IPsec phase 1 configuration when you return
to the web-based manager.
If the remote VPN peer has a CA-issued certificate to support a higher level of credibility,
you would enter information similar to the following:
config user peer
    edit CA_FG1000
        set ca CA_Cert_1
        set subject FG1000_at_site1
    end
The value that you specify to identify the entry (for example, CA_FG1000) is displayed in
the Accept this peer certificate only list in the IPsec phase 1 configuration when you return
to the web-based manager. For more information about these CLI commands, see the
“user” chapter of the FortiGate CLI Reference.

A group of certificate holders can be created based on existing user accounts for dialup
clients. To create the user accounts for dialup clients, see the “User” chapter of the
FortiGate Administration Guide. To create the certificate group afterward, use the config
user peergrp CLI command. See the “user” chapter of the FortiGate CLI Reference.
To view server certificate information and obtain the local DN
1 Go to System > Certificates > Local Certificates.
2 Note the CN value in the Subject field (for example, CN = 172.16.10.125,
CN = info@fortinet.com, or CN = www.example.com).
To view CA root certificate information and obtain the CA certificate name
1 Go to System > Certificates > CA Certificates.
2 Note the value in the Name column (for example, CA_Cert_1).

Configuring certificate authentication for a VPN
With peer certificates loaded, peer users and peer groups defined, you can configure your
VPN to authenticate users by certificate.
To enable access for a specific certificate holder or a group of certificate holders
1 At the FortiGate VPN server, go to VPN > IPSEC > Auto Key (IKE).
2 In the list of defined configurations, select the phase 1 configuration and edit it.
3 From the Authentication Method list, select RSA Signature.
4 From the Certificate Name list, select the name of the server certificate that the
FortiGate unit will use to authenticate itself to the remote peer or dialup client.
5 Under Peer Options, select one of these options:
• To accept a specific certificate holder, select Accept this peer certificate only and
select the name of the certificate that belongs to the remote peer or dialup client.
The certificate DN must be added to the FortiGate configuration through CLI
commands before it can be selected here. See “Before you begin” on page 934.
• To accept dialup clients who are members of a certificate group, select Accept this
peer certificate group only and select the name of the group. The group must be
added to the FortiGate configuration through CLI commands before it can be
selected here. See “Before you begin” on page 934.
6 If you want the FortiGate VPN server to supply the DN of a local server certificate for
authentication purposes, select Advanced and then from the Local ID list, select the
DN of the certificate that the FortiGate VPN server is to use.
7 Select OK.

Enabling VPN access by peer identifier
Whether you use certificates or pre-shared keys to authenticate the FortiGate unit, you
can require that remote peers or clients have a particular peer ID. This adds another piece
of information that is required to gain access to the VPN. More than one
FortiGate/FortiClient dialup client may connect through the same VPN tunnel when the
dialup clients share a preshared key and assume the same identifier.
You cannot require a peer ID for a remote peer or client that uses a pre-shared key and
has a static IP address.
To authenticate remote peers or dialup clients using one peer ID
1 At the FortiGate VPN server, go to VPN > IPSEC > Auto Key (IKE).
2 In the list, select a phase 1 configuration and edit its parameters.
3 Select Aggressive mode in any of the following cases:
• the FortiGate VPN server authenticates a FortiGate dialup client that uses a
dedicated tunnel
• a FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS
service
• FortiGate/FortiClient dialup clients sharing the same preshared key and local ID
connect through the same VPN tunnel
4 Select Accept this peer ID and type the identifier into the corresponding field.
5 Select OK.
To assign an identifier (local ID) to a FortiGate unit
Use this procedure to assign a peer ID to a FortiGate unit that acts as a remote peer or
dialup client.
1 Go to VPN > IPSEC > Auto Key (IKE).
2 In the list, select a phase 1 configuration and edit its parameters.
3 Select Advanced.
4 In the Local ID field, type the identifier that the FortiGate unit will use to identify itself.
5 Set Mode to Aggressive if any of the following conditions apply:
• The FortiGate unit is a dialup client that will use a unique ID to connect to a
FortiGate dialup server through a dedicated tunnel.
• The FortiGate unit has a dynamic IP address, subscribes to a dynamic DNS service,
and will use a unique ID to connect to the remote VPN peer through a dedicated
tunnel.
• The FortiGate unit is a dialup client that shares the specified ID with multiple dialup
clients to connect to a FortiGate dialup server through the same tunnel.
6 Select OK.
To configure the FortiClient Endpoint Security application
Follow this procedure to add a peer ID to an existing FortiClient configuration:
1 Start the FortiClient Endpoint Security application.
2 Go to VPN > Connections, select the existing configuration.
3 Select Advanced > Edit > Advanced.
4 Under Policy, select Config.

5 In the Local ID field, type the identifier that will be shared by all dialup clients. This
value must match the Accept this peer ID value that you specified previously in the
phase 1 gateway configuration on the FortiGate unit.
6 Select OK to close all dialog boxes.
7 Configure all dialup clients the same way using the same preshared key and local ID.

Enabling VPN access using user accounts and pre-shared keys
You can permit access only to remote peers or dialup clients that have pre-shared keys
and/or peer IDs configured in user accounts on the FortiGate unit.
If you want two VPN peers (or a FortiGate unit and a dialup client) to accept reciprocal
connections based on peer IDs, you must enable the exchange of their identifiers when
you define the phase 1 parameters.
The following procedures assume that you already have an existing phase 1 configuration
(see “Authenticating the FortiGate unit with digital certificates” on page 931). Follow the
procedures below to add ID checking to the existing configuration.
Before you begin, you must obtain the identifier (local ID) of the remote peer or dialup
client. If you are using the FortiClient Endpoint Security application as a dialup client, refer
to the Authenticating FortiClient Dialup Clients Technical Note to view or assign an
identifier. To assign an identifier to a FortiGate dialup client or a FortiGate unit that has a
dynamic IP address and subscribes to a dynamic DNS service, see “To assign an
identifier (local ID) to a FortiGate unit” on page 936.
If required, a dialup user group can be created from existing user accounts for dialup
clients. To create the user accounts and user groups, see the “User” chapter of the
FortiGate Administration Guide.
The following procedure supports FortiGate/FortiClient dialup clients that use unique
preshared keys and/or peer IDs. The client must have an account on the FortiGate unit
and be a member of the dialup user group.
The dialup user group must be added to the FortiGate configuration before it can be
selected (see the “User” chapter of the FortiGate Administration Guide).
The FortiGate dialup server compares the local ID that you specify at each dialup client to
the FortiGate user-account user name. The dialup-client preshared key is compared to a
FortiGate user-account password.
To authenticate dialup clients using unique preshared keys and/or peer IDs
1 At the FortiGate VPN server, go to VPN > IPSEC > Auto Key (IKE).
2 In the list, select the Edit icon of a phase 1 configuration to edit its parameters.
3 If the clients have unique peer IDs, set Mode to Aggressive.
4 Clear the Pre-shared Key field.
The user account password will be used as the preshared key.
5 Select Accept peer ID in dialup group and then select the group name from the list of
user groups.
6 Select OK.
Follow this procedure to add a unique pre-shared key and unique peer ID to an existing
FortiClient configuration.

To configure FortiClient dialup clients - pre-shared key and peer ID
1 Start the FortiClient Endpoint Security application.
2 Go to VPN > Connections, select the existing configuration.
3 Select Advanced > Edit.
4 In the Preshared Key field, type the FortiGate password that belongs to the dialup
client (for example, 1234546).
The user account password will be used as the preshared key.
5 Select Advanced.
6 Under Policy, select Config.
7 In the Local ID field, type the FortiGate user name that you assigned previously to the
dialup client (for example, FortiC1ient1).
8 Select OK to close all dialog boxes.
Configure all FortiClient dialup clients this way using unique preshared keys and local IDs.
Follow this procedure to add a unique pre-shared key to an existing FortiClient
configuration.
To configure FortiClient dialup clients - preshared key only
1 Start the FortiClient Endpoint Security application.
2 Go to VPN > Connections, select the existing configuration.
3 Select Advanced > Edit.
4 In the Preshared Key field, type the user name, followed by a “+” sign, followed by the
password that you specified previously in the user account settings on the FortiGate
unit (for example, FC2+1FG6LK).
5 Select OK to close all dialog boxes.
Configure all the FortiClient dialup clients this way using their unique peer ID and preshared key values.

Defining IKE negotiation parameters
In phase 1, the two peers exchange keys to establish a secure communication channel
between them. As part of the phase 1 process, the two peers authenticate each other and
negotiate a way to encrypt further communications for the duration of the session. For
more information see “Authenticating remote peers and clients” on page 933. The P1
Proposal parameters select the encryption and authentication algorithms that are used to
generate keys for protecting negotiations.
The IKE negotiation parameters determine:
• which authentication hash may be used for creating a keyed hash from a preshared or
private key
• which encryption algorithms may be applied for converting messages into a form that
only the intended recipient can read
• which Diffie-Hellman group will be used to generate a secret session key

Phase 1 negotiations (in main mode or aggressive mode) begin as soon as a remote VPN
peer or client attempts to establish a connection with the FortiGate unit. Initially, the
remote peer or dialup client sends the FortiGate unit a list of potential cryptographic
parameters along with a session ID. The FortiGate unit compares those parameters to its
own list of advanced phase 1 parameters and responds with its choice of matching
parameters to use for authenticating and encrypting packets. The two peers handle the
exchange of encryption keys between them, and authenticate the exchange through a
preshared key or a digital signature.

Generating keys to authenticate an exchange
The FortiGate unit supports the generation of secret session keys automatically using a
Diffie-Hellman algorithm. The Keylife setting in the P1 Proposal area determines the
amount of time before the phase 1 key expires. Phase 1 negotiations are rekeyed
automatically when there is an active security association. See “Dead peer detection” on
page 941.
Note: You can enable or disable automatic rekeying between IKE peers through the
phase1-rekey attribute of the config system global CLI command. For more
information, see the “system” chapter of the FortiGate CLI Reference.

When you use a preshared key (shared secret) to set up two-party authentication, the
remote VPN peer or client and the FortiGate unit must both be configured with the same
preshared key. Each party uses a session key derived from the Diffie-Hellman exchange
to create an authentication key, which is used to sign a known combination of inputs using
an authentication algorithm (such as HMAC-MD5 or HMAC-SHA-1). Each party signs a
different combination of inputs and the other party verifies that the same result can be
computed.
Note: When you use preshared keys to authenticate VPN peers or clients, you must
distribute matching information to all VPN peers and/or clients whenever the preshared key
changes.
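As an added example that is not part of the handbook, the following Python sketch shows the pre-shared-key authentication step described above as RFC 2409 (IKEv1) defines it: both peers derive SKEYID from the shared secret and the exchanged nonces, each signs a different combination of inputs (HASH_I on the initiator, HASH_R on the responder) with HMAC-SHA-1, and the other side recomputes that value to verify it. The Diffie-Hellman group, cookies, nonces, identities and SA payload are constructed toy values, not FortiGate output.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this example only.
# Real IKE uses the MODP groups of RFC 2409 (DH group 1, 2 or 5 on a
# FortiGate); a 127-bit Mersenne prime keeps the arithmetic readable.
P = (1 << 127) - 1
G = 2


def dh_keypair():
    """Return (private exponent x, public value g^x mod p) for one peer."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def to_bytes(n):
    """Big-endian encoding, the way IKE puts integers on the wire."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def prf(key, data):
    """Keyed hash negotiated in the P1 proposal; HMAC-SHA-1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk, ni, nr):
    """RFC 2409 pre-shared-key mode: SKEYID = prf(psk, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def phase1_psk_exchange(initiator_psk, responder_psk, tamper_dh=False):
    """Run the authentication step of one phase 1 exchange between two peers.

    Each side recomputes the other side's hash from its own copy of the PSK
    and the values it saw on the wire. Returns a 3-tuple:
    (initiator accepted by responder, responder accepted by initiator,
     both sides derived the same DH secret).
    """
    # Constructed per-exchange values: cookies, nonces, the initiator's SA
    # proposal payload and the two identities (FortiGate-style local IDs).
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sai_b = b"ENCR=AES128,HASH=SHA1,GRP=2,AUTH=PSK"  # stands in for SAi_b
    idii_b = b"dialup-client-1"
    idir_b = b"fortigate-server"

    # Diffie-Hellman: each side contributes a public value.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxi_b, gxr_b = to_bytes(gxi), to_bytes(gxr)

    # What the responder actually receives as the initiator's public value;
    # tamper_dh models an on-path change of one bit of g^xi.
    gxi_seen_by_r = to_bytes(gxi ^ 1) if tamper_dh else gxi_b

    # Initiator signs its combination of inputs with its PSK-derived key.
    skeyid_i = skeyid_psk(initiator_psk, ni, nr)
    sent_hash_i = hash_i(skeyid_i, gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)

    # Responder recomputes HASH_I from its own PSK and the values it saw.
    skeyid_r = skeyid_psk(responder_psk, ni, nr)
    expected_hash_i = hash_i(skeyid_r, gxi_seen_by_r, gxr_b, cky_i, cky_r, sai_b, idii_b)
    initiator_ok = hmac.compare_digest(sent_hash_i, expected_hash_i)

    # Responder signs a different combination (HASH_R); initiator verifies it.
    sent_hash_r = hash_r(skeyid_r, gxi_seen_by_r, gxr_b, cky_i, cky_r, sai_b, idir_b)
    expected_hash_r = hash_r(skeyid_i, gxi_b, gxr_b, cky_i, cky_r, sai_b, idir_b)
    responder_ok = hmac.compare_digest(sent_hash_r, expected_hash_r)

    # Because the hashes bind g^xi and g^xr, the DH secret agrees only when
    # nothing on the wire was altered.
    secret_match = pow(gxr, xi, P) == pow(int.from_bytes(gxi_seen_by_r, "big"), xr, P)
    return initiator_ok, responder_ok, secret_match


if __name__ == "__main__":
    print("matching PSK   :", phase1_psk_exchange(b"same-secret", b"same-secret"))
    print("mismatched PSK :", phase1_psk_exchange(b"same-secret", b"other-secret"))
    print("tampered g^xi  :", phase1_psk_exchange(b"same-secret", b"same-secret", True))
```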

As an alternative, the remote peer or dialup client and FortiGate unit can exchange digital
signatures to validate each other’s identity with respect to their public keys. In this case,
the required digital certificates must be installed on the remote peer and on the FortiGate
unit. By exchanging certificate DNs, the signed server certificate on one peer is validated
by the presence of the root certificate installed on the other peer. For more information see
the FortiGate Certificate Management User Guide.
The following procedure assumes that you already have a phase 1 definition that
describes how remote VPN peers and clients will be authenticated when they attempt to
connect to a local FortiGate unit. For information about the Local ID and XAuth options,
see “Enabling VPN access using user accounts and pre-shared keys” on page 937 and
“Using the FortiGate unit as an XAuth server” on page 942. Follow this procedure to add
IKE negotiation parameters to the existing definition.

Defining IKE negotiation parameters
1 Go to VPN > IPSEC > Auto Key (IKE).
2 In the list, select the Edit button to edit the phase 1 parameters for a particular remote
gateway.
3 Select Advanced and include appropriate entries as follows:

P1 Proposal

Select the encryption and authentication algorithms that will be used
to generate keys for protecting negotiations.
Add or delete encryption and authentication algorithms as required.
Select a minimum of one and a maximum of three combinations. The
remote peer must be configured to use at least one of the proposals
that you define.
You can select any of the following symmetric-key algorithms:
• DES-Digital Encryption Standard, a 64-bit block algorithm that
uses a 56-bit key.
• 3DES-Triple-DES, in which plain text is encrypted three times by
three keys.
• AES128-A 128-bit block algorithm that uses a 128-bit key.
• AES192-A 128-bit block algorithm that uses a 192-bit key.
• AES256-A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the
authenticity of messages during phase 1 negotiations:
• MD5-Message Digest 5, the hash algorithm developed by RSA
Data Security.
• SHA1-Secure Hash Algorithm 1, which produces a 160-bit
message digest.
To specify a third combination, use the add button beside the fields for
the second combination.

DH Group

Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
When using aggressive mode, DH groups cannot be negotiated.
• If both VPN peers (or a VPN server and its client) have static IP
addresses and use aggressive mode, select a single DH group.
The setting on the FortiGate unit must be identical to the setting on
the remote peer or dialup client.
• When the remote VPN peer or client has a dynamic IP address
and uses aggressive mode, select up to three DH groups on the
FortiGate unit and one DH group on the remote peer or dialup
client. The setting on the remote peer or dialup client must be
identical to one of the selections on the FortiGate unit.
• If the VPN peer or client employs main mode, you can select
multiple DH groups. At least one of the settings on the remote peer
or dialup client must be identical to the selections on the FortiGate
unit.

Keylife

Type the amount of time (in seconds) that will be allowed to pass
before the IKE encryption key expires. When the key expires, a new
key is generated without interrupting service. The keylife can be from
120 to 172800 seconds.

Nat-traversal

Enable this option if a NAT device exists between the local FortiGate
unit and the VPN peer or client. The local FortiGate unit and the VPN
peer or client must have the same NAT traversal setting (both selected
or both cleared).

Keepalive Frequency

If you enabled NAT traversal, enter a keepalive frequency setting. The
value represents an interval from 0 to 900 seconds.

Dead Peer Detection

Enable this option to reestablish VPN tunnels on idle connections and
clean up dead IKE peers if required.

4 Select OK.

Defining the remaining phase 1 options
Additional advanced phase 1 settings are available to ensure the smooth operation of
phase 1 negotiations:


• Nat-traversal—If outbound encrypted packets will be subjected to NAT, this option
determines whether the packet will be wrapped in a UDP IP header to protect the
encrypted packet from modification. See “NAT traversal” below.
• Keepalive Frequency—If outbound encrypted packets will be subjected to NAT, this
option determines how frequently empty UDP packets will be sent through the NAT
device to prevent NAT address mapping from changing before the lifetime of a session
expires. See “NAT keepalive frequency” below.
• Dead Peer Detection—This option determines whether the FortiGate unit will detect
dead IKE peers and terminate a session between the time when a VPN connection
becomes idle and the phase 1 encryption key expires. See “Dead peer detection” on
page 941.

NAT traversal
Network Address Translation (NAT) is a way to convert private IP addresses to publicly
routable Internet addresses and vice versa. When an IP packet passes through a NAT
device, the source or destination address in the IP header is modified. FortiGate units
support NAT version 1 (encapsulate on port 500 with non-IKE marker), version 3
(encapsulate on port 4500 with non-ESP marker), and compatible versions.
NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do
not contain a port number. As a result, the packets cannot be demultiplexed. To work
around this, the FortiGate unit provides a way to protect IPsec packet headers from NAT
modifications. When the Nat-traversal option is enabled, outbound encrypted packets are
wrapped inside a UDP IP header that contains a port number. This extra encapsulation
allows NAT devices to change the port number without modifying the IPsec packet directly.
To provide the extra layer of encapsulation on IPsec packets, the Nat-traversal option
must be enabled whenever a NAT device exists between two FortiGate VPN peers or a
FortiGate unit and a dialup client such as FortiClient. On the receiving end, the FortiGate
unit or FortiClient removes the extra layer of encapsulation before decrypting the packet.

NAT keepalive frequency
When a NAT device performs network address translation on a flow of packets, the NAT
device determines how long the new address will remain valid if the flow of traffic stops
(for example, the connected VPN peer may be idle). The device may reclaim and reuse a
NAT address when a connection remains idle for too long. To work around this, when you
enable NAT traversal, you can specify how often the FortiGate unit should send periodic
keepalive packets through the NAT device in order to ensure that the NAT address
mapping does not change during the lifetime of a session. The keepalive interval should
be smaller than the session lifetime value used by the NAT device.

Dead peer detection
Sometimes, due to routing issues or other difficulties, the communication link between a
FortiGate unit and a VPN peer or client may go down—packets could be lost if the
connection is left to time out on its own. The FortiGate unit provides a mechanism called
Dead Peer Detection (DPD) to prevent this situation and reestablish IKE negotiations
automatically before a connection times out: the active phase 1 security associations are
caught and renegotiated (rekeyed) before the phase 1 encryption key expires. By default,
DPD sends probe messages every five seconds (see dpd-retryinterval in the FortiGate
CLI Reference).
In the web-based manager, the Dead Peer Detection option can be enabled when you
define advanced phase 1 options. The config vpn ipsec phase1 CLI command
supports additional options for specifying a retry count and a retry interval. For more
information about these CLI commands, see the FortiGate CLI Reference.

Using XAuth authentication
Extended authentication (XAuth) increases security by requiring authentication of the user
of the remote dialup client in a separate exchange at the end of phase 1. XAuth draws on
existing FortiGate user group definitions and uses established authentication mechanisms
such as PAP, CHAP, RADIUS and LDAP to authenticate dialup clients. You can configure
a FortiGate unit to function either as an XAuth server or an XAuth client.

Using the FortiGate unit as an XAuth server
A FortiGate unit can act as an XAuth server for dialup clients. When the phase 1
negotiation completes, the FortiGate unit challenges the user for a user name and
password. It then forwards the user’s credentials to an external RADIUS or LDAP server
for verification.
If the user records on the RADIUS server have suitably configured Framed-IP-Address
fields, you can assign client virtual IP addresses by XAuth instead of from a DHCP
address range. See “Assigning VIPs by RADIUS user group” on page 830.
The authentication protocol to use for XAuth depends on the capabilities of the
authentication server and the XAuth client:


• Select PAP whenever possible. Select CHAP instead if applicable.
• You must select PAP for all implementations of LDAP and some implementations of
Microsoft RADIUS.
• Select AUTO when the authentication server supports CHAP but the XAuth client does
not. The FortiGate unit will use PAP to communicate with the XAuth client and CHAP to
communicate with the authentication server.

To authenticate a dialup user group using XAuth settings
Before you begin, create user accounts and user groups to identify the dialup clients that
need to access the network behind the FortiGate dialup server. If password protection will
be provided through an external RADIUS or LDAP server, you must configure the
FortiGate dialup server to forward authentication requests to the authentication server. For
information about these topics, see the “User” chapter of the FortiGate Administration
Guide.
1 At the FortiGate dialup server, go to VPN > IPSEC > Auto Key (IKE).
2 In the list, select the Edit icon of a phase 1 configuration to edit its parameters for a
particular remote gateway.
3 Select Advanced.
4 Under XAuth, select Enable as Server.
5 The Server Type setting determines the type of encryption method to use between the
XAuth client, the FortiGate unit and the authentication server. Select one of the
following options:
• PAP—Password Authentication Protocol.
• CHAP— Challenge-Handshake Authentication Protocol.
• AUTO—Use PAP between the XAuth client and the FortiGate unit, and CHAP
between the FortiGate unit and the authentication server.
6 From the User Group list, select the user group that needs to access the private
network behind the FortiGate unit. The group must be added to the FortiGate
configuration before it can be selected here.
7 Select OK.

Authenticating the FortiGate unit as a client with XAuth
If the FortiGate unit acts as a dialup client, the remote peer, acting as an XAuth server,
might require a user name and password. You can configure the FortiGate unit as an
XAuth client, with its own user name and password, which it provides when challenged.
To configure the FortiGate dialup client as an XAuth client
1 At the FortiGate dialup client, go to VPN > IPSEC > Auto Key (IKE).
2 In the list, select the Edit icon of a phase 1 configuration to edit its parameters for a
particular remote gateway.
3 Select Advanced.
4 Under XAuth, select Enable as Client.
5 In the Username field, type the FortiGate PAP, CHAP, RADIUS, or LDAP user name
that the FortiGate XAuth server will compare to its records when the FortiGate XAuth
client attempts to connect.
6 In the Password field, type the password to associate with the user name.
7 Select OK.

Phase 2 parameters
This section describes the phase 2 parameters that are required to establish
communication through a VPN.
The following topics are included in this section:


• Basic phase 2 settings
• Advanced phase 2 settings
• Configure the phase 2 parameters

Basic phase 2 settings
After phase 1 negotiations complete successfully, phase 2 begins. The phase 2
parameters define the algorithms that the FortiGate unit can use to encrypt and transfer
data for the remainder of the session. The basic phase 2 settings associate IPsec phase 2
parameters with a phase 1 configuration.
When you define phase 2 parameters, you can choose any set of phase 1 parameters to
set up a secure connection and authenticate the remote peer.
Figure 132: Basic Phase 2 settings (VPN > IPSEC > Auto Key (IKE) > Create Phase 2)

The information and procedures in this section do not apply to VPN peers that perform
negotiations using manual keys. Refer to “Manual-key configurations” on page 887
instead.

Advanced phase 2 settings
The following additional advanced phase 2 settings are available to enhance the operation
of the tunnel:


• P2 proposal
• Enable replay detection
• Enable perfect forward secrecy (PFS)
• Quick Mode Identities

Figure 133: Advanced phase 2 settings

P2 Proposal
In phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish
a secure communication channel between them. The P2 Proposal parameters select the
encryption and authentication algorithms needed to generate keys for protecting the
implementation details of Security Associations (SAs). The keys are generated
automatically using a Diffie-Hellman algorithm.

Replay detection
IPsec tunnels can be vulnerable to replay attacks. Replay detection enables the FortiGate
unit to check all IPsec packets to see if they have been received before. If any encrypted
packets arrive out of order, the FortiGate unit discards them.

Perfect forward secrecy
By default, phase 2 keys are derived from the session key created in phase 1. Perfect
forward secrecy forces a new Diffie-Hellman exchange when the tunnel starts and
whenever the phase 2 keylife expires, causing a new key to be generated each time. This
exchange ensures that the keys created in phase 2 are unrelated to the phase 1 keys or
any other keys generated automatically in phase 2.

Keylife
The Keylife setting sets a limit on the length of time that a phase 2 key can be used.
Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or
both. If you select both, the key expires when either the time has passed or the number of
KB have been processed. When the phase 2 key expires, a new key is generated without
interrupting service.

Auto-negotiate
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to
send data. The triggering packet and some subsequent packets are dropped until the SA
is established. Applications normally resend this data, so there is no loss, but there might
be a noticeable delay in response to the user.
Automatically establishing the SA can also be important on a dialup peer. This ensures
that the VPN tunnel is available for peers at the server end to initiate traffic to the dialup
peer. Otherwise, the VPN tunnel does not exist until the dialup peer initiates traffic.

When enabled, auto-negotiate initiates the phase 2 SA negotiation automatically,
repeating every five seconds until the SA is established.
The auto-negotiate feature is available only through the Command Line Interface (CLI).
Use the following commands to enable it.
config vpn ipsec phase2
edit <phase2_name>
set auto-negotiate enable
end
If the tunnel ever goes down, the auto-negotiate feature will try to re-establish it. However,
the Autokey Keep Alive feature is a better way to keep your VPN up.

Autokey Keep Alive
The phase 2 security association (SA) has a fixed duration. If there is traffic on the VPN as
the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA with no
interruption. If there is no traffic, the SA expires and the VPN tunnel goes down.
The Autokey Keep Alive option ensures that a new SA is negotiated even if there is no
traffic so that the VPN tunnel stays up.

DHCP-IPsec
Select this option if the FortiGate unit assigns VIP addresses to FortiClient dialup clients
through a DHCP server or relay. This option is available only if the Remote Gateway in the
phase 1 configuration is set to Dialup User and it works only on policy-based VPNs.
The DHCP-IPsec option causes the FortiGate dialup server to act as a proxy for
FortiClient dialup clients that have VIP addresses on the subnet of the private network
behind the FortiGate unit. In this case, the FortiGate dialup server acts as a proxy on the
local private network for the FortiClient dialup client. When a host on the network behind
the dialup server issues an ARP request that corresponds to the device MAC address of
the FortiClient host, the FortiGate unit answers the ARP request on behalf of the
FortiClient host and forwards the associated traffic to the FortiClient host through the
tunnel.

Quick mode selectors
The Quick Mode selectors determine who (which IP addresses) can perform IKE
negotiations to establish a tunnel. The default settings are as broad as possible: any IP
address, using any protocol, on any port. This enables configurations in which multiple
subnets at each end of the tunnel can communicate, limited only by the firewall policies at
each end.
There are some configurations that require specific selectors:
• the VPN peer is a third-party device that uses specific phase2 selectors
• the FortiGate unit connects as a dialup client to another FortiGate unit, in which case
you must specify a source IP address, IP address range or subnet

The quick mode selectors allow IKE negotiations only for peers that match the specified
configuration. This does not control traffic on the VPN. Access to IPsec VPN tunnels is
controlled through firewall policies.

Configure the phase 2 parameters
Follow this procedure to create an IPsec phase 2 definition.
Note: If you are creating a hub-and-spoke configuration or an Internet-browsing
configuration, you may have already started defining some of the required phase 2
parameters. If so, edit the existing definition to complete the configuration.

Specifying the phase 2 parameters
1 Go to VPN > IPSEC > Auto Key (IKE).
2 Select Create Phase 2 to add a new phase 2 configuration or select the Edit button
beside an existing phase 2 configuration.
3 Include appropriate entries as follows:

Name
Enter a name to identify the phase 2 configuration.

Phase 1
Select the phase 1 configuration that describes how remote peers or dialup
clients will be authenticated on this tunnel, and how the connection to the
remote peer or dialup client will be secured.

4 Select Advanced.
5 Include appropriate entries as follows:

P2 Proposal
Select the encryption and authentication algorithms that will be used to
encrypt and authenticate data sent through the tunnel.
Add or delete encryption and authentication algorithms as required. Select a
minimum of one and a maximum of three combinations. The remote peer
must be configured to use at least one of the proposals that you define.
It is invalid to set both Encryption and Authentication to null.

Encryption
You can select any of the following symmetric-key algorithms:
• NULL — Do not use an encryption algorithm.
• DES — Digital Encryption Standard, a 64-bit block algorithm that uses a
56-bit key.
• 3DES — Triple-DES, in which plain text is encrypted three times by three
keys.
• AES128 — A 128-bit block algorithm that uses a 128-bit key.
• AES192 — A 128-bit block algorithm that uses a 192-bit key.
• AES256 — A 128-bit block algorithm that uses a 256-bit key.

Authentication
You can select any of the following message digests to check the
authenticity of messages during an encrypted session:
• NULL — Do not use a message digest.
• MD5 — Message Digest 5, the hash algorithm developed by RSA Data
Security.
• SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message
digest.
To specify one combination only, set the Encryption and Authentication
options of the second combination to NULL. To specify a third combination,
use the Add button beside the fields for the second combination.

Enable replay detection
Optionally enable or disable replay detection. Replay attacks occur when an
unauthorized party intercepts a series of IPsec packets and replays them
back into the tunnel.

Enable perfect forward secrecy (PFS)
Enable or disable PFS. Perfect forward secrecy (PFS) improves security by
forcing a new Diffie-Hellman exchange whenever keylife expires.

DH Group
Select one Diffie-Hellman group (1, 2, 5, or 14). The remote peer or dialup
client must be configured to use the same group.

Keylife
Select the method for determining when the phase 2 key expires: Seconds,
KBytes, or Both. If you select Both, the key expires when either the time has
passed or the number of KB has been processed. The range is from 120 to
172800 seconds, or from 5120 to 2147483648 KB.

Autokey Keep Alive
Enable the option if you want the tunnel to remain active when no data is
being processed.

DHCP-IPsec
Select Enable if the FortiGate unit acts as a dialup server and a FortiGate
DHCP server or relay will be used to assign VIP addresses to FortiClient
dialup clients. The DHCP server or relay parameters must be configured
separately.
If the FortiGate unit acts as a dialup server and the FortiClient dialup client
VIP addresses match the network behind the dialup server, select Enable to
cause the FortiGate unit to act as a proxy for the dialup clients.
This is available only for phase 2 configurations associated with a dialup
phase 1 configuration. It works only on policy-based VPNs.

Quick Mode Selector
Optionally specify the source and destination IP addresses to be used as
selectors for IKE negotiations. If the FortiGate unit is a dialup server, the
default value 0.0.0.0/0 should be kept unless you need to circumvent
problems caused by ambiguous IP addresses between one or more of the
private networks making up the VPN. You can specify a single host IP
address, an IP address range, or a network address. You may optionally
specify source and destination port numbers and/or a protocol number.
If you are editing an existing phase 2 configuration, the Source address and
Destination address fields are unavailable if the tunnel has been configured
to use firewall addresses as selectors. This option exists only in the CLI. See
the dst-addr-type, dst-name, src-addr-type and src-name
keywords for the vpn ipsec phase2 command in the FortiGate CLI
Reference.

Source address
If the FortiGate unit is a dialup server, type the source IP address that
corresponds to the local sender(s) or network behind the local VPN peer (for
example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet,
or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or
host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100
for an address range). A value of 0.0.0.0/0 means all IP addresses
behind the local VPN peer.
If the FortiGate unit is a dialup client, the source address must refer to the
private network behind the FortiGate dialup client.

Source port
Type the port number that the local VPN peer uses to transport traffic related
to the specified service (protocol number). The range is 0 to 65535. To
specify all ports, type 0.

Destination address
Type the destination IP address that corresponds to the recipient(s) or
network behind the remote VPN peer (for example, 192.168.20.0/24 for
a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100]
for an address range). A value of 0.0.0.0/0 means all IP addresses
behind the remote VPN peer.

Destination port
Type the port number that the remote VPN peer uses to transport traffic
related to the specified service (protocol number). The range is 0 to 65535.
To specify all ports, type 0.

Protocol
Type the IP protocol number of the service. The range is 1 to 255. To specify
all services, type 0.

6 Select OK.

Defining firewall policies
This section explains how to specify the source and destination IP addresses of traffic
transmitted through an IPsec VPN, and how to define appropriate firewall policies.
The following topics are included in this section:
• Defining firewall addresses
• Defining firewall policies

Defining firewall addresses
A VPN tunnel has two end points. These end points may be VPN peers such as two
FortiGate gateways. Encrypted packets are transmitted between the end points. At each
end of the VPN tunnel, a VPN peer intercepts encrypted packets, decrypts the packets,
and forwards the decrypted IP packets to the intended destination.
You need to define firewall addresses for the private networks behind each peer. You will
use these addresses as the source or destination address depending on the firewall
policy.
In general:
• In a gateway-to-gateway, hub-and-spoke, dynamic DNS, redundant-tunnel, or
transparent configuration, you need to define a firewall address for the private IP
address of the network behind the remote VPN peer (for example,
192.168.10.0/255.255.255.0 or 192.168.10.0/24).
• In a peer-to-peer configuration, you need to define a firewall address for the private IP
address of a server or host behind the remote VPN peer (for example,
172.16.5.1/255.255.255.255 or 172.16.5.1/32 or 172.16.5.1).
• For a FortiGate dialup server in a dialup-client or Internet-browsing configuration:
  • If you are not using VIP addresses, or if the FortiGate dialup server assigns VIP
  addresses to FortiClient dialup clients through FortiGate DHCP relay, select the
  predefined destination address “all” in the firewall policy to refer to the dialup clients.
  • If you assign VIP addresses to FortiClient dialup clients manually, you need to define a
  firewall address for the VIP address assigned to the dialup client (for example,
  10.254.254.1/32), or a subnet address from which the VIP addresses are assigned
  (for example, 10.254.254.0/24 or 10.254.254.0/255.255.255.0).
• For a FortiGate dialup client in a dialup-client or Internet-browsing configuration, you
need to define a firewall address for the private IP address of a host, server, or network
behind the FortiGate dialup server.

To define an IP address
1 Go to Firewall > Address > Address and select Create New.
2 In the Address Name field, type a descriptive name that represents the network,
server(s), or host(s).
3 In Type, select Subnet / IP Range.

4 In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for
example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or
172.16.5.1/32 for a server or host) or IP address range (for example,
192.168.10.[80-100] or 192.168.10.80-192.168.10.100).
5 Select OK.
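The quick mode selector fields of the phase 2 procedure and the firewall address definition above accept the same address notations: a subnet with a prefix length or a dotted mask, a single host, a bracketed last-octet range, a dotted start-end range, and 0.0.0.0/0 for all addresses. The following Python program, added here as an illustration and not part of FortiOS or this handbook, parses each of those notations into an inclusive address span and then matches a packet's source, destination, protocol and ports against a selector, treating a protocol or port of 0 as "any" in the way the handbook's fields describe. The Selector class and its matching rules are a simplified model built for this example, not the unit's own implementation; the sample addresses are constructed.

```python
"""Parser for the address notations the phase 2 quick mode selectors and firewall
addresses accept, plus a selector match over a packet's 5-tuple.

Added illustration, not FortiOS code. The matching semantics are a simplified
model in which a selector field of 0 (protocol or port) means "any".
"""
import ipaddress
import re

# a.b.c.[x-y]: three leading octets followed by a bracketed last-octet range
_BRACKET_RANGE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")


def parse_address(spec: str):
    """Return an inclusive (first, last) IPv4Address pair covering the notation.

    Accepted forms, as in the handbook: a.b.c.d/len, a.b.c.d/mask, a.b.c.d (host),
    a.b.c.[x-y] and a.b.c.d-e.f.g.h (ranges). 0.0.0.0/0 covers every address.
    """
    spec = spec.strip()
    match = _BRACKET_RANGE.match(spec)
    if match:
        prefix, low, high = match.group(1), int(match.group(2)), int(match.group(3))
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad last-octet range: {spec}")
        return (ipaddress.IPv4Address(f"{prefix}.{low}"),
                ipaddress.IPv4Address(f"{prefix}.{high}"))
    if "-" in spec:
        low, high = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        if high < low:
            raise ValueError(f"range end precedes start: {spec}")
        return (low, high)
    # Subnet or host: IPv4Network accepts both prefix-length and dotted-mask forms,
    # and a bare address becomes a /32.
    net = ipaddress.IPv4Network(spec, strict=False)
    return (net.network_address, net.broadcast_address)


def address_span(spec: str):
    """String form of parse_address, convenient for display and checks."""
    first, last = parse_address(spec)
    return (str(first), str(last))


class Selector:
    """A quick mode selector: source/destination address spans plus optional
    protocol number and ports, where 0 means any (as in the handbook's fields)."""

    def __init__(self, src="0.0.0.0/0", dst="0.0.0.0/0",
                 protocol=0, src_port=0, dst_port=0):
        if not 0 <= protocol <= 255:
            raise ValueError("protocol must be 0 (any) or 1..255")
        for port in (src_port, dst_port):
            if not 0 <= port <= 65535:
                raise ValueError("port must be 0 (any) or 1..65535")
        self.src = parse_address(src)
        self.dst = parse_address(dst)
        self.protocol, self.src_port, self.dst_port = protocol, src_port, dst_port

    @staticmethod
    def _within(addr: str, span) -> bool:
        return span[0] <= ipaddress.IPv4Address(addr) <= span[1]

    def matches(self, src_ip, dst_ip, protocol, src_port=0, dst_port=0) -> bool:
        """True if the packet's 5-tuple falls inside the selector."""
        if not (self._within(src_ip, self.src) and self._within(dst_ip, self.dst)):
            return False
        if self.protocol and protocol != self.protocol:
            return False
        if self.src_port and src_port != self.src_port:
            return False
        if self.dst_port and dst_port != self.dst_port:
            return False
        return True


if __name__ == "__main__":
    # Constructed sample: a selector for HTTP (protocol 6, port 80) from one subnet to another.
    sel = Selector(src="172.16.5.0/24", dst="192.168.20.0/24", protocol=6, dst_port=80)
    print(address_span("192.168.10.[80-100]"), address_span("172.16.5.0/255.255.255.0"))
    print(sel.matches("172.16.5.10", "192.168.20.7", 6, 40000, 80),
          sel.matches("172.16.5.10", "192.168.20.7", 17, 40000, 80))
```

A default Selector() with all fields at their wildcard values matches any packet, which mirrors the handbook's remark that the default selectors are as broad as possible and that traffic restriction belongs in firewall policies rather than in the selectors.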

Defining firewall policies
Firewall policies allow IP traffic to pass between interfaces on a FortiGate unit. You can
limit communication to particular traffic by specifying source address and destination
addresses.
Policy-based and route-based VPNs require different firewall policies.
• A policy-based VPN requires an IPsec firewall policy. You specify the interface to the
private network, the interface to the remote peer and the VPN tunnel. A single policy
can enable traffic inbound, outbound, or in both directions.
• A route-based VPN requires an Accept firewall policy for each direction. As source and
destination interfaces, you specify the interface to the private network and the virtual
IPsec interface (phase 1 configuration) of the VPN. The IPsec interface is the
destination interface for the outbound policy and the source interface for the inbound
policy.

There are examples of firewall policies for both policy-based and route-based VPNs
throughout this guide.

Defining an IPsec firewall policy for a policy-based VPN
An IPsec firewall policy enables the transmission and reception of encrypted packets,
specifies the permitted direction of VPN traffic, and selects the VPN tunnel. In most cases,
a single policy is needed to control both inbound and outbound IP traffic through a VPN
tunnel.
In addition to these operations, firewall policies specify which IP addresses can initiate a
tunnel. Traffic from computers on the local private network initiates the tunnel when the
Allow outbound option is selected. Traffic from a dialup client or computers on the remote
network initiates the tunnel when the Allow inbound option is selected.
When a FortiGate unit runs in NAT/Route mode, you can also enable inbound or outbound
NAT. Outbound NAT may be performed on outbound encrypted packets, or on IP packets
before they are sent through the tunnel. Inbound NAT is performed on IP packets
emerging from the tunnel. These options are not selected by default in firewall policies.
When used in conjunction with the natip CLI attribute (see the “config firewall” chapter of
the FortiGate CLI Reference), outbound NAT enables you to change the source
addresses of IP packets before they go into the tunnel. This feature is often used to
resolve ambiguous routing when two or more of the private networks making up a VPN
have the same or overlapping IP addresses. For examples of how to use these two
features together, see the FortiGate Outbound NAT for IPsec VIP Technical Note and the
FortiGate IPsec VPN Subnet-address Translation Technical Note.

When inbound NAT is enabled, inbound encrypted packets are intercepted and decrypted,
and the source IP addresses of the decrypted packets are translated into the IP address of
the FortiGate interface to the local private network before they are routed to the private
network. If the computers on the local private network can communicate only with devices
on the local private network (that is, the FortiGate interface to the private network is not
the default gateway) and the remote client (or remote private network) does not have an
IP address in the same network address space as the local private network, enable
inbound NAT.
Most firewall policies control outbound IP traffic. An outbound policy usually has a source
address originating on the private network behind the local FortiGate unit, and a
destination address belonging to a dialup VPN client or a network behind the remote VPN
peer. The source address that you choose for the firewall policy identifies from where
outbound cleartext IP packets may originate, and also defines the local IP address or
addresses that a remote server or client will be allowed to access through the VPN tunnel.
The destination address that you choose for the firewall policy identifies where IP packets
must be forwarded after they are decrypted at the far end of the tunnel, and determines
the IP address or addresses that the local network will be able to access at the far end of
the tunnel.
You can fine-tune a policy for services such as HTTP, FTP, and POP3; enable logging,
traffic shaping, antivirus protection, web filtering, email filtering, file transfer, and email
services throughout the VPN; and optionally allow connections according to a predefined
schedule. For more information, see the “Firewall Policy” chapter of the FortiGate
Administration Guide.
Note: As an option, differentiated services can be enabled in the firewall policy through CLI
commands. For more information, see the “firewall” chapter of the FortiGate CLI Reference.

When a remote server or client attempts to connect to the private network behind a
FortiGate gateway, the firewall policy intercepts the connection attempt and starts the VPN
tunnel. The FortiGate unit uses the remote gateway specified in its phase 1 tunnel
configuration to reply to the remote peer. When the remote peer receives a reply, it checks
its own firewall policy, including the tunnel configuration, to determine which
communications are permitted. As long as one or more services are allowed through the
VPN tunnel, the two peers begin to negotiate the tunnel.

Before you begin
Before you define the IPsec policy, you must:
• Define the IP source and destination addresses. See “Defining firewall addresses” on
page 951.
• Specify the phase 1 authentication parameters. See “Auto Key phase 1 parameters” on
page 929.
• Specify the phase 2 parameters. See “Phase 2 parameters” on page 945.

To define an IPsec firewall policy
1 Go to Firewall > Policy > Policy and select Create New.
2 Include appropriate entries as follows:

Source Interface/Zone
Select the local interface to the internal (private) network.

Source Address Name
Select the name that corresponds to the local network,
server(s), or host(s) from which IP packets may originate.

Destination Interface/Zone
Select the local interface to the external (public) network.

Destination Address Name
Select the name that corresponds to the remote network,
server(s), or host(s) to which IP packets may be delivered.

Schedule
Keep the default setting (always) unless changes are needed
to meet specific requirements.

Service
Keep the default setting (ANY) unless changes are needed to
meet your specific requirements.

Action
Select IPSEC.

VPN Tunnel
Select the name of the phase 1 tunnel configuration to which
this policy will apply.

Allow Inbound
Select if traffic from the remote network will be allowed to
initiate the tunnel.

Allow Outbound
Select if traffic from the local network will be allowed to initiate
the tunnel.

Inbound NAT
Select if you want to translate the source IP addresses of
inbound decrypted packets into the IP address of the FortiGate
interface to the local private network.

Outbound NAT
Select in combination with a natip CLI value to translate the
source addresses of outbound cleartext packets into the IP
address that you specify. Do not select Outbound NAT unless
you specify a natip value through the CLI. When a natip
value is specified, the source addresses of outbound IP
packets are replaced before the packets are sent through the
tunnel. For more information, see the “firewall” chapter of the
FortiGate CLI Reference.

3 You may enable UTM features, and/or event logging, or select advanced settings to
authenticate a user group, or shape traffic. For more information, see the “Firewall
Policy” chapter of the FortiGate Administration Guide.
4 Select OK.
5 Place the policy in the policy list above any other policies having similar source and
destination addresses.

Defining multiple IPsec policies for the same tunnel
You must define at least one IPsec policy for each VPN tunnel. If the same remote server
or client requires access to more than one network behind a local FortiGate unit, the
FortiGate unit must be configured with an IPsec policy for each network. Multiple policies
may be required to configure redundant connections to a remote destination or control
access to different services at different times.
To ensure a secure connection, the FortiGate unit must evaluate IPSEC policies before
ACCEPT and DENY firewall policies. Because the FortiGate unit reads policies starting at
the top of the list, you must move all IPsec policies to the top of the list. When you define
multiple IPsec policies for the same tunnel, you must reorder the IPsec policies that apply
to the tunnel so that specific constraints can be evaluated before general constraints.
Note: Adding multiple IPsec policies for the same VPN tunnel can cause conflicts if the
policies specify similar source and destination addresses but have different settings for the
same service. When policies overlap in this manner, the system may apply the wrong IPsec
policy or the tunnel may fail.

For example, if you create two equivalent IPsec policies for two different tunnels, it does
not matter which one comes first in the list of IPsec policies—the system will select the
correct policy based on the specified source and destination addresses. If you create two
different IPsec policies for the same tunnel (that is, the two policies treat traffic differently
depending on the nature of the connection request), you might have to reorder the IPsec
policies to ensure that the system selects the correct IPsec policy. Reordering is especially
important when the source and destination addresses in both policies are similar (for
example, if one policy specifies a subset of the IP addresses in another policy). In this
case, place the IPsec policy having the most specific constraints at the top of the list so
that it can be evaluated first.
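Because the policy list is read from the top and the first matching policy wins, a broad policy placed above a narrower one for the same tunnel makes the narrower one unreachable. The following Python program, added here as an illustration and not part of FortiOS or this handbook, models that top-down evaluation over a reduced policy record (source network, destination network, tunnel, service) and adds a check that reports any policy whose source and destination networks are fully contained in an earlier policy's networks, which is the shadowing the paragraph above warns about. The policy names, networks and tunnel name are constructed for the example.

```python
"""Top-down (first match) evaluation of an IPsec policy list and a check for
policies that a broader policy above them shadows.

Added illustration, not FortiOS code. The policy model is deliberately reduced to
the fields that decide ordering: source network, destination network, the phase 1
tunnel the policy selects, and the service it allows.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src: str        # source network in CIDR notation, e.g. "10.1.0.0/16"
    dst: str        # destination network in CIDR notation
    tunnel: str     # phase 1 tunnel configuration the policy applies
    service: str = "ANY"

    def covers(self, src_ip: str, dst_ip: str) -> bool:
        """True if the packet's addresses fall inside this policy's networks."""
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def select_policy(policies, src_ip: str, dst_ip: str):
    """Return the name of the first policy (top of list first) that covers the
    packet, or None when no policy matches."""
    for policy in policies:
        if policy.covers(src_ip, dst_ip):
            return policy.name
    return None


def shadowed_policies(policies):
    """Names of policies that can never be selected because an earlier policy's
    source and destination networks fully contain theirs."""
    shadowed = []
    for index, later in enumerate(policies):
        later_src = ipaddress.ip_network(later.src)
        later_dst = ipaddress.ip_network(later.dst)
        for earlier in policies[:index]:
            if (later_src.subnet_of(ipaddress.ip_network(earlier.src))
                    and later_dst.subnet_of(ipaddress.ip_network(earlier.dst))):
                shadowed.append(later.name)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample: a general policy for the whole site and a more specific
    # one that restricts one subnet to HTTP over the same tunnel.
    general = Policy("branch_all", "10.1.0.0/16", "192.168.20.0/24", "to_branch")
    specific = Policy("branch_http_only", "10.1.5.0/24", "192.168.20.0/24",
                      "to_branch", "HTTP")
    wrong_order = [general, specific]
    right_order = [specific, general]
    print(select_policy(wrong_order, "10.1.5.9", "192.168.20.3"),
          shadowed_policies(wrong_order))
    print(select_policy(right_order, "10.1.5.9", "192.168.20.3"),
          shadowed_policies(right_order))
```

With the general policy on top, traffic from 10.1.5.9 selects branch_all and the HTTP-only restriction is never applied; the shadowing check names branch_http_only. Moving the specific policy above the general one gives the intended result while traffic from the rest of 10.1.0.0/16 still falls through to branch_all. Running the check after every policy edit is a cheap way to catch the misordering before it reaches production.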

Defining firewall policies for a route-based VPN
When you define a route-based VPN, you create a virtual IPsec interface on the physical
interface that connects to the remote peer. You create ordinary Accept firewall policies to
enable traffic between the IPsec interface and the interface that connects to the private
network. This makes configuration simpler than for policy-based VPNs, which require
IPsec firewall policies.
To define firewall policies for a route-based VPN
1 Define an ACCEPT firewall policy to permit communications between the local private
network and the private network behind the remote peer. Enter these settings in
particular:

Source Interface/Zone
Select the interface that connects to the private network
behind this FortiGate unit.

Source Address Name
Select the address name that you defined for the private
network behind this FortiGate unit.

Destination Interface/Zone
Select the IPsec Interface you configured.

Destination Address Name
Select the address name that you defined for the private
network behind the remote peer.

Action
Select ACCEPT.

NAT
Disable.

2 To permit the remote client to initiate communication, you need to define a firewall
policy for communication in that direction. Enter these settings in particular:

Source Interface/Zone
Select the IPsec Interface you configured.

Source Address Name
Select the address name that you defined for the private
network behind the remote peer.

Destination Interface/Zone
Select the interface that connects to the private network
behind this FortiGate unit.

Destination Address Name
Select the address name that you defined for the private
network behind this FortiGate unit.

Action
Select ACCEPT.

NAT
Disable.

Hardware offloading and acceleration
FortiGate units incorporate proprietary FortiASIC NP2 network processors that can
provide accelerated processing for IPsec VPN traffic. This section describes how to
configure offloading and acceleration.
The following topics are included in this section:
• Overview
• IPsec offloading configuration examples

Overview
Fortinet’s NP2 network processors contain features to improve IPsec tunnel performance.
For example, network processors can encrypt and decrypt packets, offloading
cryptographic load on the FortiGate unit’s main processing resources.
On FortiGate units with the appropriate hardware, you can configure offloading of both
IPsec sessions and HMAC checking.

IPsec session offloading requirements
Sessions must be fast path ready. Fast path ready session requirements are:
• Layer 2 type/length must be 0x0800 (IEEE 802.1q VLAN specification is supported);
link aggregation between any network interfaces sharing the same network
processor(s) may be used (IEEE 802.3ad specification is supported)
• Layer 3 protocol must be IPv4
• Layer 4 protocol must be UDP, TCP or ICMP
• Layer 3 / Layer 4 header or content modification must not require a session helper (for
example, SNAT, DNAT, and TTL reduction are supported, but application layer content
modification is not supported)
• FortiGate unit firewall policy must not require antivirus or IPS inspection, although
hardware accelerated anomaly checks are acceptable.
• The session must not use an aggregated link or require QoS, including rate limits and
bandwidth guarantees (NP1 processor only).
• Ingress and egress network interfaces are both attached to the same network
processor(s)
• In Phase I configuration, Local Gateway IP must be specified as an IP address of a
network interface attached to a network processor
• In Phase II configuration:
  • encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, or null
  (for NP1 processor, only 3DES is supported)
  • authentication must be MD5, SHA1, or null
  (for NP1 processor, only MD5 is supported)
  • if replay detection is enabled, encryption and decryption options must be enabled in
  the CLI (see “IPsec encryption offloading”, below)

If the IPsec session meets the above requirements, the FortiGate unit sends the IPsec
security association (SA) and configured processing actions to the network processor(s).

Packet requirements
In addition to the session requirements, the packets themselves must meet fast-path
requirements:
• Incoming packets must not be fragmented.
• Outgoing packets must not require fragmentation to a size less than 385 bytes.
Because of this requirement, the configured MTU (Maximum Transmission Unit) for
network processors’ network interfaces must also meet or exceed the network
processors’ supported minimum MTU of 385 bytes.

If packet requirements are not met, an individual packet will use FortiGate unit main
processing resources, regardless of whether other packets in the session are offloaded to
the specialized network processor(s).

IPsec encryption offloading
Network processing unit (NPU) settings configure offloading behavior for IPsec VPNs.
Configured behavior applies to all network processors contained by the FortiGate unit
itself or any installed AMC modules.
If replay detection is not enabled (IPsec Phase 2 settings), encryption is always offloaded.
To enable offloading of encryption even when replay detection is enabled:
config system npu
set enc-offload-antireplay enable
end
To enable offloading of decryption even when replay detection is enabled:
config system npu
set dec-offload-antireplay {enable | disable}
end

HMAC check offloading
To enable HMAC check offloading, enter
config system global
set ipsec-hmac-offload {enable | disable}
end

IPsec offloading configuration examples
The following examples configure two FortiASIC NP2 accelerated VPNs, one route-based,
the other policy-based. In both cases, the network topology is as shown in Figure 134.
Figure 134: Hardware accelerated IPsec VPN topology
[Figure: FortiGate_1 and FortiGate_2 connected across the Internet. On each unit the
FortiGate-ASM-FB4 module’s port 2 carries the IPsec traffic (FortiGate_1: 3.3.3.1/24,
FortiGate_2: 3.3.3.2/24) and port 1 connects to the protected network (FortiGate_1:
1.1.1.0/24, FortiGate_2: 2.2.2.0/24).]

Accelerated route-based VPN configuration
To configure FortiGate_1
1 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2 Configure Phase 1 settings (name FGT_1_IPsec), plus
• Select Advanced.
• Select the Enable IPsec Interface Mode check box.
• In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.1, which is
the IP address of FortiGate_1’s FortiGate-ASM-FB4 module on port 2.
3 Select OK.
4 Select Create Phase 2 and configure Phase 2 settings, including
• Select the Enable replay detection check box.
• set enc-offload-antireplay to enable using the config system npu CLI
command.
5 Go to Firewall > Policy > Policy.
6 Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration
you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4
module port 1.
7 Go to Router > Static > Static Route.
8 Configure a static route to route traffic destined for FortiGate_2’s protected network to
the virtual IPsec interface, FGT_1_IPsec.
To add the static route from the CLI:
config router static
edit 2
set device "FGT_1_IPsec"
set dst 2.2.2.0 255.255.255.0
end

To configure FortiGate_2
1 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2 Configure Phase 1 settings (name FGT_2_IPsec), plus
• Select Advanced.
• Select the Enable IPsec Interface Mode check box.
• In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.2, which is
the IP address of FortiGate_2’s FortiGate-ASM-FB4 module on port 2.
3 Select OK.
4 Select Create Phase 2 and configure Phase 2 settings, including
• Select the Enable replay detection check box.
• set enc-offload-antireplay to enable using the config system npu CLI
command.
5 Go to Firewall > Policy > Policy.
6 Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration
you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4
module port 1.
7 Go to Router > Static > Static Route.
8 Configure a static route to route traffic destined for FortiGate_1’s protected network to
the virtual IPsec interface, FGT_2_IPsec.
To add the static route from the CLI:
config router static
edit 2
set device "FGT_2_IPsec"
set dst 1.1.1.0 255.255.255.0
end
To test the VPN
1 Activate the IPsec tunnel by sending traffic between the two protected networks.
2 To verify tunnel activation, go to VPN > IPSEC > Monitor.

Accelerated policy-based VPN configuration
To configure FortiGate_1
1 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2 Configure Phase 1 settings (name FGT_1_IPsec), plus
• Select Advanced.
• Ensure that the Enable IPsec Interface Mode check box is not selected.
• In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.1, which is
the IP address of FortiGate_1’s FortiGate-ASM-FB4 module on port 2.
3 Select OK.
4 Select Create Phase 2 and configure Phase 2 settings, including
• Select the Enable replay detection check box.
• set enc-offload-antireplay to enable using the config system npu CLI
command.
5 Go to Firewall > Policy > Policy.

6 Configure an IPSEC policy to apply the Phase 1 IPsec tunnel you configured in step 2
to traffic between FortiGate-ASM-FB4 module ports 1 and 2.
7 Go to Router > Static > Static Route.
8 Configure a static route to route traffic destined for FortiGate_2’s protected network to
FortiGate_2’s VPN gateway, 3.3.3.2, through the FortiGate-ASM-FB4 module’s port 2
(device).
To add the static route from the CLI:
config router static
edit 0
set device "AMC-SW1/2"
set dst 2.2.2.0 255.255.255.0
set gateway 3.3.3.2
end
To configure FortiGate_2
1 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2 Configure Phase 1 settings (name FGT_2_IPsec), plus
• Select Advanced.
• Select the Enable IPsec Interface Mode check box.
• In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.2, which is
the IP address of FortiGate_2’s FortiGate-ASM-FB4 module on port 2.
3 Select OK.
4 Select Create Phase 2 and configure Phase 2 settings, including
• Select the Enable replay detection check box.
• set enc-offload-antireplay to enable using the config system npu CLI
command.
5 Go to Firewall > Policy > Policy.
6 Configure an IPSEC policy to apply the Phase 1 IPsec tunnel you configured in step 2
to traffic between FortiGate-ASM-FB4 module ports 1 and 2.
7 Go to Router > Static > Static Route.
8 Configure a static route to route traffic destined for FortiGate_1’s protected network to
FortiGate_2’s VPN gateway, 3.3.3.2, through the FortiGate-ASM-FB4 module’s port 2
(device).
To add the static route from the CLI:
config router static
edit 0
set device "AMC-SW1/2"
set dst 1.1.1.0 255.255.255.0
set gateway 3.3.3.2
end
To test the VPN
1 Activate the IPsec tunnel by sending traffic between the two protected networks.
2 To verify tunnel activation, go to VPN > IPSEC > Monitor.

Monitoring and troubleshooting VPNs
This section provides some general maintenance and monitoring procedures for VPNs.
The following topics are included in this section:
• Monitoring VPN connections
• Monitoring IKE sessions
• Testing VPN connections
• Logging VPN events
• VPN troubleshooting tips

Monitoring VPN connections
You can use the monitor to view activity on IPsec VPN tunnels and to start or stop those
tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all
active tunnels.

Monitoring connections to remote peers
The list of tunnels provides information about VPN connections to remote peers that have
static IP addresses or domain names. You can use this list to view status and IP
addressing information for each tunnel configuration. You can also start and stop
individual tunnels from the list.
To view the list of static-IP and dynamic-DNS tunnels
1 Go to VPN > IPSEC > Monitor.
Figure 135: List of static-IP and dynamic-DNS tunnels

To establish or take down a VPN tunnel
1 Go to VPN > IPSEC > Monitor.
2 In the list of tunnels, select Bring down tunnel or Bring up tunnel in the row that
corresponds to the tunnel that you want to bring down or up.

Monitoring dialup IPsec connections
The list of dialup tunnels provides information about the status of tunnels that have been
established for dialup clients. The list displays the IP addresses of dialup clients and the
names of all active tunnels. The number of tunnels shown in the list can change as dialup
clients connect and disconnect.

To view the list of dialup tunnels
1 Go to VPN > IPSEC > Monitor.
Figure 136: List of dialup tunnels

Note: If you take down an active tunnel while a dialup client such as FortiClient is still
connected, FortiClient will continue to show the tunnel connected and idle. The dialup client
must disconnect before another tunnel can be initiated.

The list of dialup tunnels displays the following statistics:
• The Name column displays the name of the tunnel.
• The meaning of the value in the Remote gateway column changes, depending on the configuration of the network at the far end:
  • When a FortiClient dialup client establishes a tunnel, the Remote gateway column displays either the public IP address and UDP port of the remote host device (on which the FortiClient Endpoint Security application is installed), or if a NAT device exists in front of the remote host, the Remote gateway column displays the public IP address and UDP port of the remote host.
  • When a FortiGate dialup client establishes a tunnel, the Remote gateway column displays the public IP address and UDP port of the FortiGate dialup client.
• The Username column displays the peer ID, certificate name, or XAuth user name of the dialup client (if a peer ID, certificate name, or XAuth user name was assigned to the dialup client for authentication purposes).
• The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
• The Proxy ID Source column displays the IP addresses of the hosts, servers, or private networks behind the FortiGate unit. A network range may be displayed if the source address in the firewall encryption policy was expressed as a range of IP addresses.
• The meaning of the value in the Proxy ID Destination column changes, depending on the configuration of the network at the far end:
  • When a FortiClient dialup client establishes a tunnel:
    • If VIP addresses are not used and the remote host is behind a NAT device, the Proxy ID Destination field displays the private IP address of the NIC in the remote host.
    • If VIP addresses are not used and the remote host connects to the Internet directly, the Proxy ID Destination field displays the public IP address of the Network Interface Card (NIC) in the remote host.
    • If VIP addresses were configured (manually or through FortiGate DHCP relay), the Proxy ID Destination field displays either the VIP address belonging to a FortiClient dialup client, or a subnet address from which VIP addresses were assigned.
  • When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination field displays the IP address of the remote private network.

Monitoring IKE sessions
You can display a list of all active sessions and view activity by port number. If required,
active sessions can be stopped from this view. For more information, see the “System
Status” chapter of the FortiGate Administration Guide.
To view the list of active sessions
1 Go to System > Dashboard > Dashboard.
2 In the Top Sessions widget, select Details on the Total Current Sessions line.
IPsec VPN-related sessions can be identified by the following port numbers:
• port numbers 500 and 4500 for IPsec IKE activity
• port number 4500 for NAT traversal activity
Figure 137: Session list

Testing VPN connections
To confirm whether a VPN has been configured correctly, issue a ping or traceroute
command on the network behind the FortiGate unit to test the connection to a computer
on the remote network. A VPN tunnel will be established automatically when the first data
packet destined for the remote network is intercepted by the FortiGate unit.
To confirm that a VPN between a local network and a dialup client has been configured
correctly, at the dialup client, issue a ping command to test the connection to the local
network. The VPN tunnel initializes when the dialup client attempts to connect.

Logging VPN events
You can configure the FortiGate unit to log VPN events. For IPsec VPNs, phase 1 and
phase 2 authentication and encryption events are logged. For information about how to
interpret log messages, see the FortiGate Log Message Reference.
To log VPN events
1 Go to Log & Report > Log Config > Log Setting.
2 Enable the storage of log messages to one or more of the following locations:
• a FortiLog unit
• the FortiGate system memory
• a remote computer running a syslog server
Note: If available on your FortiGate unit, you can enable the storage of log messages to a
system hard disk. In addition, as an alternative to the options listed above, you may choose
to forward log messages to a remote computer running a WebTrends firewall reporting
server. For more information about enabling either of these options through CLI
commands, see the “log” chapter of the FortiGate CLI Reference.
3 If the options are concealed, select the blue arrow beside each option to reveal and
configure associated settings.
4 If logs will be written to system memory, from the Log Level list, select Information. For
more information, see the “Log & Report” chapter of the FortiGate Administration Guide.
5 Select Apply.
To filter VPN events
1 Go to Log & Report > Log Config > Event Log.
2 Verify that the IPsec negotiation event option is selected.
3 Select Apply.
To view event logs
1 Go to Log & Report > Log Access > Event.
2 If the option is available from the Type list, select the log file from disk or memory.
Entries similar to the following indicate that a tunnel has been established. The following
log messages concern a VPN tunnel called vpn_test on port2 interface in the root
VDOM. Pay attention to the status and msg values.
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice
vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/0000000000000000
action=negotiate init=local mode=main stage=1 dir=outbound status=success
msg="Initiator: sent 172.16.62.11 main mode message #1 (OK)"
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice
vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=main stage=2 dir=outbound status=success
msg="Initiator: sent 172.16.62.11 main mode message #2 (OK)"
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice
vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=main stage=3 dir=outbound status=success
msg="Initiator: sent 172.16.62.11 main mode message #3 (OK)"
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice
vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=main stage=3 dir=inbound status=success
msg="Initiator: parsed 172.16.62.11 main mode message #3 (DONE)"
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice
vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=quick stage=1 dir=outbound status=success
msg="Initiator: sent 172.16.62.11 quick mode message #1 (OK)"
2005-03-31 15:38:29 log_id=0101023006 type=event subtype=ipsec pri=notice
vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=install_sa in_spi=66867f2b out_spi=e22de275 msg="Initiator: tunnel
172.16.62.10/172.16.62.11 install ipsec sa"
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice
vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=quick stage=2 dir=outbound status=success
msg="Initiator: sent 172.16.62.11 quick mode message #2 (DONE)"
2005-03-31 15:38:29 log_id=0101023002 type=event subtype=ipsec pri=notice
vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate status=success msg="Initiator: tunnel 172.16.62.11,
transform=ESP_3DES, HMAC_SHA1"
Entries similar to the following indicate that phase 1 negotiations broke down because the
preshared keys belonging to the VPN peers were not identical. A tunnel was not
established. Pay attention to the status and msg values.
2005-03-31 16:06:39 log_id=0101023003 type=event subtype=ipsec pri=error vd=root
loc_ip=192.168.70.2 loc_port=500 rem_ip=192.168.80.2 rem_port=500 out_if=port2
vpn_tunnel=vpn_test2 cookies=3896343ae575f210/0a7ba199149e31e9
action=negotiate status=negotiate_error msg="Negotiate SA Error: probable preshared secret mismatch"
For more information about how to interpret error log messages, see the FortiGate Log
Message Reference.
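The following Python script is an added example, not part of the handbook: it parses event lines in the key=value format shown above and reduces them to one status record per tunnel, treating an install_sa event as an established tunnel and a negotiate_error as a failure. The sample lines are a constructed, condensed copy of the two excerpts above, stored one event per line as a syslog receiver would keep them.

```python
import re

# Constructed sample: condensed copy of the handbook's two excerpts (successful
# vpn_test negotiation, failed vpn_test2 negotiation), one event per line.
# Cookies and SPIs are the page's example values, not captures from a live unit.
SAMPLE_LOG = """\
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/0000000000000000 action=negotiate init=local mode=main stage=1 dir=outbound status=success msg="Initiator: sent 172.16.62.11 main mode message #1 (OK)"
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=negotiate init=local mode=main stage=3 dir=inbound status=success msg="Initiator: parsed 172.16.62.11 main mode message #3 (DONE)"
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=negotiate init=local mode=quick stage=1 dir=outbound status=success msg="Initiator: sent 172.16.62.11 quick mode message #1 (OK)"
2005-03-31 15:38:29 log_id=0101023006 type=event subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=install_sa in_spi=66867f2b out_spi=e22de275 msg="Initiator: tunnel 172.16.62.10/172.16.62.11 install ipsec sa"
2005-03-31 15:38:29 log_id=0101023002 type=event subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2 vpn_tunnel=vpn_test cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=negotiate status=success msg="Initiator: tunnel 172.16.62.11, transform=ESP_3DES, HMAC_SHA1"
2005-03-31 16:06:39 log_id=0101023003 type=event subtype=ipsec pri=error vd=root loc_ip=192.168.70.2 loc_port=500 rem_ip=192.168.80.2 rem_port=500 out_if=port2 vpn_tunnel=vpn_test2 cookies=3896343ae575f210/0a7ba199149e31e9 action=negotiate status=negotiate_error msg="Negotiate SA Error: probable preshared secret mismatch"
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
# key=value pairs; a quoted value may contain spaces and '=' (as the msg field does)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')


def parse_line(line):
    """Turn one FortiOS event line into a dict; return None for lines that do not match."""
    m = TIMESTAMP_RE.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": m.group(1)}
    for key, raw, quoted in FIELD_RE.findall(m.group(2)):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarise(log_text):
    """Reduce a stream of IPsec event lines to one status record per tunnel."""
    tunnels = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("subtype") != "ipsec":
            continue
        rec = tunnels.setdefault(ev.get("vpn_tunnel", "?"), {
            "state": "negotiating", "peer": ev.get("rem_ip"),
            "interface": ev.get("out_if"), "phase1_done": False,
            "reason": None, "in_spi": None, "out_spi": None, "transform": None,
        })
        action, msg = ev.get("action"), ev.get("msg", "")
        if action == "negotiate" and ev.get("status") == "negotiate_error":
            rec["state"], rec["reason"] = "failed", msg      # e.g. PSK mismatch
        elif action == "negotiate" and ev.get("mode") == "main" and "(DONE)" in msg:
            rec["phase1_done"] = True                         # main mode completed
        elif action == "install_sa":                          # phase 2 SA installed
            rec["state"] = "established"
            rec["in_spi"], rec["out_spi"] = ev.get("in_spi"), ev.get("out_spi")
        elif action == "negotiate" and "transform=" in msg:
            rec["transform"] = msg.split("transform=", 1)[1]  # negotiated ESP suite
    return tunnels


def triage(rec):
    """Map a failed record to the first check from the troubleshooting list below.
    The handbook shows only the preshared-secret message; the fallback text is a
    generic hint of this example, not a FortiOS message."""
    if rec["state"] != "failed":
        return None
    if "preshared secret" in (rec["reason"] or "").lower():
        return "verify preshared keys are identical on both peers"
    return "compare phase 1 settings (mode, NAT traversal, proposals) on both peers"


if __name__ == "__main__":
    for name, rec in summarise(SAMPLE_LOG).items():
        print(name, rec["state"], rec["reason"] or rec["transform"])
```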

VPN troubleshooting tips
Most connection failures are due to a configuration mismatch between the FortiGate unit
and the remote peer. In general, begin troubleshooting an IPsec VPN connection failure
as follows:
1 Ping the remote network or client to verify whether the connection is up. See “Testing
VPN connections” on page 965.
2 Traceroute the remote network or client. If DNS is working, you can use domain
names. Otherwise use IP addresses.
3 Verify the configuration of the FortiGate unit and the remote peer. Check the following
IPsec parameters:
• The mode setting for ID protection (main or aggressive) on both VPN peers must be
identical.
• The authentication method (preshared keys or certificates) used by the client must
be supported on the FortiGate unit and configured properly.
• If preshared keys are being used for authentication purposes, both VPN peers must
have identical preshared keys.
• The remote client must have at least one set of phase 1 encryption, authentication,
and Diffie-Hellman settings that match corresponding settings on the FortiGate unit.
• Both VPN peers must have the same NAT traversal setting (enabled or disabled).
• The remote client must have at least one set of phase 2 encryption and
authentication algorithm settings that match the corresponding settings on the
FortiGate unit.
• If you are using manual keys to establish a tunnel, the Remote SPI setting on the
FortiGate unit must be identical to the Local SPI setting on the remote peer, and vice
versa.
4 Refer to Table 74 on page 968 to correct the problem.
Table 74: VPN troubleshooting tips

Configuration problem: Mode settings do not match.
Correction: Select complementary mode settings. See “Choosing main mode or aggressive mode” on page 930.

Configuration problem: Peer ID or certificate name of the remote peer or dialup client is not recognized by FortiGate VPN server.
Correction: Check Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name (see “Authenticating remote peers and clients” on page 933). If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.

Configuration problem: Preshared keys do not match.
Correction: Reenter the preshared key. See “Authenticating remote peers and clients” on page 933.

Configuration problem: Phase 1 or phase 2 key exchange proposals are mismatched.
Correction: Make sure that both VPN peers have at least one set of proposals in common for each phase. See “Defining IKE negotiation parameters” on page 938 and “Configure the phase 2 parameters” on page 948.

Configuration problem: NAT traversal settings are mismatched.
Correction: Select or clear both options as required. See “NAT traversal” on page 941 and “NAT keepalive frequency” on page 941.

Configuration problem: SPI settings for manual key tunnels are mismatched.
Correction: Enter complementary SPI settings. See “Manual-key configurations” on page 887.
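
As an added example (not from the handbook), the checklist in step 3 above and the corrections in Table 74 expressed as a script that compares the settings of two peers and reports each mismatch with its correction. The peer dictionaries, proposal names and SPI values are constructed; the correction for the authentication-method check is paraphrased from step 3 because Table 74 has no row for it.

```python
import hmac

# Constructed peer configurations (illustrative values, not from any unit).
# Phase 1 proposals are (encryption, authentication, DH group); phase 2
# proposals are (encryption, authentication).
FORTIGATE = {
    "mode": "main",
    "auth_method": "preshared",
    "preshared_key": "constructed-psk-A",
    "accepted_peer_ids": set(),     # empty: peer ID is not used for authentication
    "peer_id": None,
    "phase1_proposals": {("3des", "sha1", 5), ("aes128", "sha1", 2)},
    "nat_traversal": True,
    "phase2_proposals": {("3des", "sha1"), ("aes128", "sha1")},
    "manual_key": False,
    "local_spi": None,
    "remote_spi": None,
}
REMOTE_OK = dict(FORTIGATE, peer_id="branch1")
REMOTE_BAD = dict(FORTIGATE, mode="aggressive", preshared_key="constructed-psk-B",
                  nat_traversal=False, phase2_proposals={("aes256", "md5")})

# Problem text paired with its correction, condensed from Table 74 (the
# authentication-method entry is paraphrased from step 3 of the checklist).
CORRECTIONS = {
    "Mode settings do not match.":
        "Select complementary mode settings (main or aggressive on both peers).",
    "Authentication method used by the client is not configured on the FortiGate unit.":
        "Configure the FortiGate unit for the authentication method the client uses.",
    "Peer ID or certificate name of the remote peer is not recognized.":
        "Check the Phase 1 Remote Gateway and Authentication Method settings.",
    "Preshared keys do not match.":
        "Reenter the preshared key.",
    "Phase 1 key exchange proposals are mismatched.":
        "Make sure both peers have at least one phase 1 proposal in common.",
    "NAT traversal settings are mismatched.":
        "Select or clear NAT traversal on both peers.",
    "Phase 2 key exchange proposals are mismatched.":
        "Make sure both peers have at least one phase 2 proposal in common.",
    "SPI settings for manual key tunnels are mismatched.":
        "Enter complementary SPI settings (Remote SPI here equals Local SPI there).",
}


def check_peers(fgt, remote):
    """Return [(problem, correction)] in the order of the step 3 checks."""
    found = []
    if fgt["mode"] != remote["mode"]:
        found.append("Mode settings do not match.")
    if fgt["auth_method"] != remote["auth_method"]:
        found.append("Authentication method used by the client is not configured on the FortiGate unit.")
    elif fgt["auth_method"] == "preshared":
        # constant-time comparison so the checker itself does not leak key prefixes
        if not hmac.compare_digest(fgt["preshared_key"].encode(), remote["preshared_key"].encode()):
            found.append("Preshared keys do not match.")
    if fgt["accepted_peer_ids"] and remote["peer_id"] not in fgt["accepted_peer_ids"]:
        found.append("Peer ID or certificate name of the remote peer is not recognized.")
    if not fgt["phase1_proposals"] & remote["phase1_proposals"]:
        found.append("Phase 1 key exchange proposals are mismatched.")
    if fgt["nat_traversal"] != remote["nat_traversal"]:
        found.append("NAT traversal settings are mismatched.")
    if not fgt["phase2_proposals"] & remote["phase2_proposals"]:
        found.append("Phase 2 key exchange proposals are mismatched.")
    # manual keys: our Remote SPI must equal their Local SPI, and vice versa
    if fgt["manual_key"] and (fgt["remote_spi"] != remote["local_spi"]
                              or fgt["local_spi"] != remote["remote_spi"]):
        found.append("SPI settings for manual key tunnels are mismatched.")
    return [(p, CORRECTIONS[p]) for p in found]


if __name__ == "__main__":
    for problem, correction in check_peers(FORTIGATE, REMOTE_BAD):
        print(f"{problem}\n  -> {correction}")
```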

A word about NAT devices
When a device with NAT capabilities is located between two VPN peers or a VPN peer
and a dialup client, that device must be NAT traversal (NAT-T) compatible for encrypted
traffic to pass through the NAT device. For more information, see “NAT traversal” on
page 941.

Chapter 8 SSL VPNs
This FortiOS Handbook chapter contains the following sections:
“Introduction to SSL VPN” provides useful general information about VPN and SSL, how
the FortiGate unit implements them, and gives guidance on how to choose between SSL
and IPsec.
“Setting up the FortiGate unit” explains how to configure the FortiGate unit and the web
portal. Along with these configuration details, this chapter also explains how to grant
unique access permissions, configure the SSL virtual interface (ssl.root), and
describes the SSL VPN OS Patch Check feature that allows a client with a specific OS
patch to access SSL VPN services.
“Working with the web portal” explains how to use a web portal and its widgets. Access to
different network resource types, such as SMB, FTP, RDP is covered.
“Using the SSL VPN tunnel client” explains how to install and use the tunnel mode clients
for Windows, Linux, and Mac OS X.
“Examples” explores several configuration scenarios with step-by-step instructions. While
the information provided is enough to set up the described SSL VPN configurations, these
scenarios are not the only possible SSL VPN setups.

Introduction to SSL VPN
This section provides information about setting up the SSL VPN client for use in an SSL
VPN tunnel or web-mode operation.
The following topics are included in this section:
• History
• What is a VPN?
• What is SSL?
• Choosing between SSL and IPsec VPN
• General topology
• SSL VPN modes of operation
• Single Sign-on (SSO)

History
Over the past several years, as organizations have grown and become more complex,
secure remote access to network resources has become critical for day-to-day operations.
In addition, businesses are expected to provide clients with efficient, convenient services
including knowledge bases and customer portals, and employees travelling across the
country or around the world require timely and comprehensive access to network
resources. Initial access to network resources used private networks and leased lines, options that were inflexible and costly. As a result of the growing need for providing
remote/mobile clients with easy, cost-effective and secure access to a multitude of
resources, the concept of a Virtual Private Network was developed.
In the past, VPN tunneling was performed generally at the Network Layer (Layer 3) or
lower, as is the case with IPsec. To enable remote access, encrypted network connectivity
was established between a remote node and the internal network, thereby making the
remoteness of the connection invisible to all layers above Layer 4. The applications
functioned identically when users were in the office or when they were remote, except that
when requests filtered to the network level, they were relayed over the network connection
tied to the user’s specific location. These connections required the installation and
configuration of complicated client software on user’s computers.
SSL VPNs establish connectivity using SSL, which functions at Levels 4 - 5 (Transport
and Session). Information is encapsulated at Levels 6 - 7 (Presentation and Application),
and SSL VPNs communicate at the highest levels in the OSI model. SSL is not strictly a
web protocol - it is possible to use SSL to encrypt any application-level protocol.

What is a VPN?
Virtual Private Network (VPN) technology allows clients to connect to remote networks in a
secure way. A VPN is a secure logical network created from physically separate networks.
VPNs use encryption and other security methods to ensure that only authorized users can
access the network. VPNs also ensure that the data transmitted between computers
cannot be intercepted by unauthorized users. When data is encoded and transmitted over
the Internet, the data is said to be sent through a “VPN tunnel”. A VPN tunnel is a non-application-oriented tunnel that allows the users and networks to exchange a wide range
of traffic regardless of application or protocol.
Figure 138: Encoded data going through a VPN tunnel

The advantages of a VPN over an actual physical private network are two-fold. Rather
than utilizing expensive leased lines or other infrastructure, you use the relatively
inexpensive, high-bandwidth Internet. Perhaps more important though is the universal
availability of the Internet - in most areas, access to the Internet is readily obtainable
without any special arrangements or long wait times.

What is SSL?
SSL (Secure Sockets Layer), used as HTTPS, is supported by most web browsers for
exchanging sensitive information securely between a web server and a client. SSL
establishes an encrypted link, ensuring that all data passed between the web server and
the browser remains private and secure. SSL protection is initiated automatically when a
user (client) connects to a web server that is SSL-enabled. Once the successful
connection is established, the browser encrypts all the information before it leaves the
computer. When the information reaches its destination, it is decrypted using a secret
(private) key. Any data sent back is first encrypted, and is decrypted when it reaches the
client.

Goals of SSL
SSL has four main goals:
1 Confidentiality of communications
2 Integrity of data
3 Authentication of server
4 Authentication of client (non-repudiation)
Good security for a VPN requires confirming the identity of all communicating parties. You
can ensure identity using password authentication (shared secrets) or digital certificates. A
shared secret is a passphrase or password that is the same on both ends of a tunnel. The
data is encrypted using a session key, which is derived from the shared secret. The
gateways can encrypt and decrypt the data correctly only if they share the same secret.

Digital certificates use public key-based cryptography to provide identification and
authentication of end gateways. Cryptography, the art of protecting information by
transforming it into an unreadable format, is an integral part of VPN technology. The basic
building blocks of cryptographic configurations are cryptographic primitives. Cryptographic
primitives are low-level cryptographic algorithms or routines that are used to configure
computer security systems, such as SSL, SSH, and TLS. Each primitive is designed to do
one very specific task, such as encryption of data or a digital signature on a set of data.
There are four cryptographic primitives that are specific to VPNs:
1 Symmetric ciphers (confidentiality) — Symmetric encryption uses a very fast block-level algorithm to encrypt and decrypt data, and is the primary primitive used to protect
data confidentiality. Both sides of the tunnel will use the same encrypt/decrypt key,
which is the primary weakness of symmetric ciphers. A key is usually a large number
that is fed to a cryptographic algorithm to encrypt plaintext data into ciphertext or to
decrypt ciphertext data into plaintext.
2 Asymmetric ciphers (authenticity and non-repudiation) — To guarantee the identities
of both parties in a transaction, SSL VPN uses asymmetric encryption. This involves
the creation of a key pair for each party. The keys are related mathematically - data
encrypted with one key can be decrypted only with the other key in the pair, and vice
versa. One key is labeled the public key and can be freely distributed. The other key is
the private key and it must be kept secret. The SSL VPN authenticates each party by
checking that it has something that no other party should have - its private key.
If the SSL VPN can decrypt a message from a party using that party’s public key, the
message must have been encrypted with that party’s private key. As the private key is
known only to the sending party, the sender’s identity is proven. This proof of identity
also makes it impossible for the sending party to later repudiate (deny sending) the
message.
3 Message digests (integrity) — VPNs send sensitive data over the public Internet. To
make sure that what is sent is the same as what is received, and vice versa, SSL VPN
uses message digests. A message digest is an irreversible mathematical function that
takes a message of any size and encodes it as a fixed length block of cipher text. The
fixed length cipher is called the digest. It is essentially a cryptographic “summary” of
the message. Every message has only one digest and no two messages should ever
create the same digest — if only a single letter of our message is changed, the entire
message digest will be different.
4 Digital signatures (authenticity and non-repudiation) — A digital signature or digital
signature scheme is a type of asymmetric cryptography. For messages sent through an
insecure channel, a correctly implemented digital signature gives the receiver reason
to believe the message was sent by the claimed sender. The signer cannot claim they
did not sign a message, while also claiming their private key remains secret. In some
cases, a non-repudiation scheme offers a time stamp for the digital signature, so that
even if the private key is exposed, the signature is still valid.
In addition to identifying the user, authentication also defines the resources a user can
access. A user must present specified credentials before being allowed access to certain
locations on the network. Authentication can either take place through a firewall or through
an external authentication server such as Remote Authentication Dial-In User Service
(RADIUS). An authentication server is a trusted third party that provides authentication
services to other systems on a network.

SSL certificates
SSL certificates are a mechanism by which a web server can prove to users that the
public key that it offers them for use with the SSL is in fact the public key of the
organization with which the user intends to communicate. A trusted third-party signs the
certificate thereby assuring users that the public key contained within the certificate
belongs to the organization whose name appears in the certificate. Upon receiving a
certificate from Your Company, a user can know for sure that the key within the certificate
is Your Company’s key and it is safe to use to encrypt any communications related to
establishment of a session key. The web server transmits their public key to users at the
beginning of an SSL session using an SSL certificate.
Encryption level is determined by the length of the encryption key. The longer the key, the
stronger the encryption level, and the greater the security provided. Within a VPN, after
the end points on a tunnel agree upon an encryption scheme, the tunnel initiator encrypts
the packet and encapsulates it in an IP packet. The tunnel terminator recovers the packet,
removes the IP information, and then decrypts the packet.

Choosing the level of security for your SSL VPN tunnel
Performance and security requirements will dictate the level of encryption used in a
particular configuration. Stronger encryption provides a greater level of security but
impacts performance levels. For general-purpose tunnels, over which no sensitive data is
to be passed, base encryption provides adequate security with good performance. For
administrative and transactional connections, where exposure of data carries a high risk,
strong encryption is recommended.

Choosing between SSL and IPsec VPN
The FortiGate unit supports both SSL and IPsec VPN technologies. Each combines
encryption and VPN gateway functions to create private communication channels over the
Internet. Both enable you to define and deploy network access and firewall policies using
a single management tool. In addition, both support a simple client/user authentication
process (including optional X.509 security certificates). You have the freedom to use both
technologies; however, one may be better suited to the requirements of your situation.
In general, IPsec VPNs are a good choice for site-to-site connections where appliance-based firewalls or routers are used to provide network protection, and
company-sanctioned client computers are issued to users. SSL VPNs are a good choice
for roaming users who depend on a wide variety of thin-client computers to access
enterprise applications and/or company resources from a remote location.
SSL and IPsec VPN tunnels may operate simultaneously on the same FortiGate unit.

Legacy versus web-enabled applications
IPsec is well suited to network-based legacy applications that are not web-based. As a
Layer 3 technology, IPsec creates a secure tunnel between two host devices. IP packets
are encapsulated by the VPN client and server software running on the hosts.
SSL is typically used for secure web transactions in order to take advantage of web-enabled IP applications. After a secure HTTPS link has been established between the
web browser and web server, application data is transmitted directly between selected
client and server applications through the tunnel.

FortiOS™ Handbook FortiOS 4.0 MR2 SSL VPNs
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Authentication differences
IPsec is a well-established technology with robust features that support many legacy
products such as smart cards and biometrics.
SSL supports a web single sign-on to a web portal front-end, from which a number of
different enterprise applications may be accessed. The Fortinet implementation enables
you to assign a specific port for the web portal and to customize the login page if desired.

Connectivity considerations
IPsec supports multiple connections to the same VPN tunnel—a number of remote VPN
devices effectively become part of the same network.
SSL forms a connection between two end points such as a remote client and an enterprise
network. Transactions involving three (or more) parties are not supported because traffic
passes between client and server applications only.

Relative ease of use
Although managing IPsec VPNs has become easier, configuring SSL VPNs is simple in
comparison. IPsec protocols may be blocked or restricted by some companies, hotels,
and other public places, whereas the SSL protocol is usually unrestricted.

Client software requirements
Dedicated IPsec VPN software must be installed on all IPsec VPN peers and clients and
the software has to be configured with compatible settings.
To access server-side applications with SSL VPN, the remote user must have a web
browser (Internet Explorer, Netscape, or Mozilla/Firefox), and if Telnet/RDP are used, Sun
Java runtime environment. Tunnel-mode client computers must also have ActiveX (IE) or
Java Platform (Mozilla/Firefox) enabled.

Access control
IPsec VPNs provide secure network access only. Access to the network resources on a
corporate IPsec VPN can be enabled for specific IPsec peers and/or clients. The amount
of security that can be applied to users is limited.
SSL VPNs provide secure access to certain applications. Web-only mode provides remote
users with access to server applications from any thin client computer equipped with a
web browser. Tunnel-mode provides remote users with the ability to connect to the internal
network from laptop computers as well as airport kiosks, Internet cafes, and hotels.
Access to SSL VPN applications is controlled through user groups.

Session failover support
In a FortiGate high availability (HA) cluster with session pickup enabled, session failover is
supported for IPsec VPN tunnels. After an HA failover, IPsec VPN tunnel sessions will
continue with no loss of data.
Session failover is not supported by SSL VPN tunnels; however, cookie failover is
supported for communication between the SSL VPN client and the FortiGate unit. This
means that after a failover, the SSL VPN client can re-establish the SSL VPN session
without having to authenticate again. However, all sessions inside the SSL VPN tunnel
with resources behind the FortiGate unit will stop, and will therefore have to be restarted.

General topology
In the most common SSL VPN Internet scenario, the remote client connects to the Internet
through an ISP that offers connections with dynamically assigned IP addresses. The
client’s packets are routed to the public interface of the FortiGate unit. For example,
Figure 139 shows a FortiGate gateway that can be reached by a mobile user.
Figure 139: Example SSL VPN configuration
The figure shows a remote client reaching FortiGate_1 across the Internet on port 1
(172.20.120.141). Port 2 (10.11.101.100) connects Subnet_1, 10.11.101.0/24, which holds
the HTTP/HTTPS server (10.11.101.120), DNS server (10.11.101.160), FTP server
(10.11.101.170) and Samba server (10.11.101.180). Port 3 (10.11.201.100) connects
Subnet_2, 10.11.201.0/24.

At the FortiGate unit, you configure a user group for SSL VPN authentication and define
firewall policies for each network resource that users are permitted to access.
You can easily expand the resources available to your users by adding or changing
firewall policies. If you want to provide different resource access to different users, you can
create multiple user groups.
The general infrastructure requirements are quite simple:
• The FortiGate unit must be operating in NAT/Route mode and have a static public IP
address.
• The ISP assigns IP addresses to remote clients before they connect to the FortiGate
unit.

SSL VPN modes of operation
When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the
user based on user name, password, and authentication domain. A successful login
determines the access rights of remote users according to user group. The user group
settings specify whether the connection will operate in web-only mode (see “Web-only
mode” on page 977) or tunnel mode (see “Tunnel mode” on page 977).

You can enable a host integrity checker to scan the remote client. The integrity checker
probes the remote client computer to verify that it is safe before access is granted.
Security attributes recorded on the client computer (for example, in the Windows registry,
in specific files, or held in memory due to running processes) are examined and uploaded
to the FortiGate unit.
You can enable a cache cleaner to remove any sensitive data that would otherwise remain
on the remote computer after the session ends. For example, all cache entries, browser
history, cookies, encrypted information related to user authentication, and any temporary
data generated during the session are removed from the remote computer. If the client’s
browser cannot install and run the cache cleaner, the user is not allowed to access the
SSL-VPN portal.

Web-only mode
Web-only mode provides remote users with a fast and efficient way to access server
applications from any thin client computer equipped with a web browser. Web-only mode
offers true clientless network access using any web browser that has built-in SSL
encryption and the Sun Java runtime environment.
Support for SSL VPN web-only mode is built into the FortiOS operating system. The
feature comprises an SSL daemon running on the FortiGate unit, and a web portal, which
provides users with access to network services and resources including HTTP/HTTPS,
telnet, FTP, SMB/CIFS, VNC, RDP and SSH.
In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and
authenticates remote users as members of a user group. After successful authentication,
the FortiGate unit redirects the web browser to the web portal home page and the user
can access the server applications behind the FortiGate unit.
When the FortiGate unit provides services in web-only mode, a secure connection
between the remote client and the FortiGate unit is established through the SSL VPN
security in the FortiGate unit and the SSL security in the web browser. After the
connection has been established, the FortiGate unit provides access to selected services
and network resources through a web portal.
FortiGate SSL VPN web portals have a 1- or 2-column page layout with selectable color
schemes. Portal functionality is provided through small applets called widgets. Widget
windows can be moved or minimized. The controls within each widget depend on its
function. There are pre-defined web portals and the administrator can create additional
portals.
Configuring the FortiGate unit involves enabling the SSL VPN feature and selecting the
appropriate web portal configuration in the user group settings. These configuration
settings determine which server applications can be accessed. SSL encryption is used to
ensure traffic confidentiality.
For information about client operating system and browser requirements, see the Release
Notes for your FortiGate firmware.

Tunnel mode
Tunnel mode offers remote users the freedom to connect to the internal network using the
traditional means of web-based access from laptop computers, as well as from airport
kiosks, hotel business centers, and Internet cafés. If the applications on the client
computers used by your user community vary greatly, you can deploy a dedicated SSL
VPN client to any remote client through its web browser. The SSL VPN client encrypts all
traffic from the remote client computer and sends it to the FortiGate unit through an SSL
VPN tunnel over the HTTPS link between the web browser and the FortiGate unit. Also
available is split tunneling, which ensures that only the traffic for the private network is
sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route.
This conserves bandwidth and alleviates bottlenecks.
In tunnel mode, remote clients connect to the FortiGate unit and the web portal login page
using Microsoft Internet Explorer, Mozilla Foundation/Firefox, Mac OS, or Linux. The
FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as
members of a user group. After successful authentication, the FortiGate unit redirects the
web browser to the web portal home page dictated by the user group settings. If the user
does not have the SSL VPN client installed, they will be prompted to download the SSL
VPN client (an ActiveX or Java plugin) and install it using controls provided through the
web portal. SSL VPN tunnel mode can also be initiated from a standalone application on
Windows, Mac OS, and Linux.
When the user initiates a VPN connection with the FortiGate unit through the SSL VPN
client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual
IP address from a range of reserved addresses. The client uses the assigned IP address
as its source address for the duration of the connection. After the tunnel has been
established, the user can access the network behind the FortiGate unit.
Configuring the FortiGate unit to establish a tunnel with remote clients involves enabling
the feature through SSL VPN configuration settings and selecting the appropriate web
portal configuration for tunnel-mode access in the user group settings. The firewall policy
and protection profiles on the FortiGate unit ensure that inbound traffic is screened and
processed securely.
Note: The user account used to install the SSL VPN client on the remote computer must
have administrator privileges.

Note: If you are using Windows Vista, you must disable UAC (User Account Control) before
installing the SSL VPN tunnel client. This UAC setting must be disabled before the SSL
VPN tunnel client is installed. IE7 in Windows Vista runs in Protected Mode by default. To
install SSL VPN client ActiveX, you need to launch IE7 by using 'Run as administrator'
(right-click the IE7 icon and select 'Run as administrator').

For information about client operating system requirements, see the Release Notes for
your FortiGate firmware.

Single Sign-on (SSO)
The web portal can provide bookmarks to connect to network resources. A web
(HTTP/HTTPS) bookmark can include login credentials so that the FortiGate unit
automatically logs the user into the web site. This means that the user logs into the SSL
VPN and then does not have to enter any more credentials to visit preconfigured web
sites.
Both the administrator and the end user can configure bookmarks, including SSO
bookmarks.
To add bookmarks as an administrator, see “Adding, editing, or deleting bookmarks” on
page 996. To add bookmarks as a web portal user, see “Adding bookmarks” on
page 1022.

Setting up the FortiGate unit
This section describes how to configure the FortiGate unit as an SSL VPN server. The
following topics are included in this section:
• Before you begin
• General configuration steps
• Configuring SSL VPN settings
• Configuring SSL VPN web portals
• Configuring user accounts and user groups for SSL VPN
• Configuring firewall policies
• Viewing SSL VPN logs
• Monitoring active SSL VPN sessions
• Troubleshooting

Before you begin
Before you begin, install your choice of HTTP/HTTPS, telnet, SSH, FTP, SMB/CIFS, VNC,
and/or RDP server applications on the internal network. As an alternative, these services
may be accessed remotely through the Internet. All services must be running to be
accessible. Users must have individual user accounts to access the servers (these user
accounts are not related to FortiGate user accounts or FortiGate user groups). For
information about creating such user accounts, refer to the documentation for the server
applications or Internet-based services.
You can configure and manage the FortiGate unit through a secure HTTP (HTTPS)
connection from any computer running a web browser. For information about how to
connect to the web-based manager, see “Connecting to the web-based manager” in the
FortiGate Installation Guide.
Note: As an alternative, you can connect the management computer to the Console
connector of the FortiGate unit directly using a serial cable and configure the FortiGate unit
through the Command Line Interface (CLI). The CLI can also be launched from within the
web-based manager. For more information, see “Connecting to the FortiGate console” in
the FortiGate CLI Reference.

Refer to the FortiGate Installation Guide and FortiGate Administration Guide to change the
password, configure the interfaces of the FortiGate unit, and assign basic operating
parameters, including a default gateway.
Refer also to the “Examples” chapter for example SSL VPN configurations.

General configuration steps
For best results in configuring FortiGate SSL VPN technology, follow the procedures in the
order given. Also, note that if you perform any additional actions between procedures,
your configuration may have different results.
1 Enable SSL VPN connections and set the basic options needed to support SSL VPN
configurations. See “Configuring SSL VPN settings” on page 980.
2 Create a web portal to define user access to network resources. If you want to provide
different types of access to different groups of users, you need to create multiple web
portals. See “Configuring SSL VPN web portals” on page 987.
3 Create user accounts for the remote clients. Create SSL VPN user groups and
associate them with the web portal or portals that you created. Assign users to the
appropriate SSL VPN user groups. See “Configuring user accounts and user groups
for SSL VPN” on page 1005.
4 Configure the firewall policies and the remaining parameters needed to support the
VPN mode of operation. See “Configuring firewall policies” on page 1007.
5 For tunnel-mode operation, add routing to ensure that client tunnel-mode packets
reach the SSL VPN interface. See “Configuring routing for tunnel mode” on page 1012.
6 Optionally, define SSL VPN event-logging parameters, and monitor active SSL VPN
sessions. See “Viewing SSL VPN logs” on page 1015, and “Monitoring active SSL
VPN sessions” on page 1017.
If you have problems during SSL VPN configuration in this chapter, see “Troubleshooting”
on page 1018 for assistance.

Configuring SSL VPN settings
To configure SSL VPN operation, you must at minimum perform the following procedures:
• “Enabling SSL VPN operation” on page 981.
• “Specifying an IP address range for tunnel-mode clients” on page 981
(required only for tunnel-mode).

As part of the SSL VPN configuration, you can also make the modifications described in
the following sections:
• “Adding WINS and DNS services for clients” on page 982.
• “Setting the idle timeout setting” on page 983.
• “Setting the client authentication timeout” on page 983.
• “Specifying the cipher suite for SSL negotiations” on page 983.
The cipher suite determines the level of data security, but it must be compatible with
the capabilities of the clients’ browsers.
• “Enabling strong authentication through X.509 security certificates” on page 984.
• “Changing the port number for web portal connections” on page 985.
By default, SSL VPN connections use port 10443.
• “Customizing the web portal login page” on page 986.

Most of these settings are on the VPN > SSL > Config page in the web-based manager
and config vpn ssl settings in the CLI. You can configure multiple settings at the
same time.

Figure 140: SSL VPN Settings

Enabling SSL VPN operation
You must enable SSL VPN operation so that the FortiGate unit will respond to SSL VPN
connection requests. Also, some elements of SSL VPN configuration are not available
unless SSL VPN is enabled. Selecting the default SSL VPN settings will be sufficient for
our purposes here.
To enable SSL VPN operation - web-based manager
1 Go to VPN > SSL > Config.
2 Select Enable SSL-VPN.
3 Select Apply.
To enable SSL VPN operation - CLI
config vpn ssl settings
    set sslvpn-enable enable
end

Specifying an IP address range for tunnel-mode clients
After the FortiGate unit authenticates a request for a tunnel-mode connection, the
FortiGate unit assigns the SSL VPN client an IP address that it uses for the session. The
address is assigned from an “IP Pool” which is a firewall address that defines an IP
address range.
You can specify tunnel-mode IP Pools in two places:
• The VPN > SSL > Config page IP Pools setting applies to all web portals that do not
specify their own IP Pools.
• The web portal Tunnel Mode widget IP Pools setting, if used, applies only to the web
portal and overrides the setting in VPN > SSL > Config. See “Configuring tunnel mode
settings” on page 993.

Caution: Take care to prevent overlapping IP addresses. Do not assign to clients any IP
addresses that are already in use on the private network. As a precaution, consider
assigning IP addresses from a network that is not commonly used (for example,
10.254.254.0/24).

To set tunnel-mode client IP address range - web-based manager
1 Go to Firewall > Address > Address and select Create New.
2 Enter an Address Name, for example, SSL_VPN_tunnel_range.
3 In the Subnet/IP Range field, enter the starting and ending IP addresses that you want
to assign to SSL VPN clients, for example 10.254.254.[80-100].
4 In Interface, select Any.
5 Select OK.
6 Go to VPN > SSL > Config.
7 In IP Pools, select Edit.
Note: When you select Edit, a popup window will open. If your browser blocks popup
windows, you will have to unblock it to continue with the following steps.

8 In the Available list, select the address you created for the SSL VPN tunnel range and
then select the down arrow button to move it to the Selected list. Select OK.
9 Select Apply.
To set tunnel-mode client IP address range - CLI
If your SSL VPN tunnel range is for example 10.254.254.80 - 10.254.254.100, you could
enter
config firewall address
    edit SSL_tunnel_users
        set type iprange
        set end-ip 10.254.254.100
        set start-ip 10.254.254.80
    next
end
config vpn ssl settings
    set tunnel-ip-pools SSL_tunnel_users
end
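The following Python script is an added check and is not part of the handbook or of FortiOS: it tests a proposed tunnel-mode iprange against the private subnets from Figure 139 before the firewall address is created, and only renders the CLI commands from this section when the pool does not overlap any of them. The function names and the PRIVATE_SUBNETS and TUNNEL_RANGE values are constructed for this example.

```python
import ipaddress

# Constructed values taken from this chapter: the two private subnets behind
# FortiGate_1 in Figure 139, and the tunnel-mode range used in the CLI example.
PRIVATE_SUBNETS = ("10.11.101.0/24", "10.11.201.0/24")
TUNNEL_RANGE = ("10.254.254.80", "10.254.254.100")


def pool_networks(start_ip, end_ip):
    """Express an iprange firewall address (start-ip .. end-ip, inclusive) as CIDR blocks."""
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    if end < start:
        raise ValueError("end-ip must not precede start-ip")
    return list(ipaddress.summarize_address_range(start, end))


def pool_size(start_ip, end_ip):
    """Number of addresses in the pool, i.e. the most tunnel clients it can serve at once."""
    return sum(net.num_addresses for net in pool_networks(start_ip, end_ip))


def overlapping_subnets(start_ip, end_ip, private_subnets):
    """Return the private subnets the pool collides with; an empty list means the pool is safe."""
    pool = pool_networks(start_ip, end_ip)
    clashes = []
    for subnet in private_subnets:
        net = ipaddress.IPv4Network(subnet)
        if any(net.overlaps(block) for block in pool):
            clashes.append(subnet)
    return clashes


def tunnel_pool_cli(name, start_ip, end_ip, private_subnets):
    """Render the firewall address and SSL VPN settings commands from this section,
    refusing to do so when the pool overlaps an address already used on the private network."""
    clashes = overlapping_subnets(start_ip, end_ip, private_subnets)
    if clashes:
        raise ValueError(f"pool {start_ip}-{end_ip} overlaps private subnet(s): {', '.join(clashes)}")
    return "\n".join([
        "config firewall address",
        f"    edit {name}",
        "        set type iprange",
        f"        set end-ip {end_ip}",
        f"        set start-ip {start_ip}",
        "    next",
        "end",
        "config vpn ssl settings",
        f"    set tunnel-ip-pools {name}",
        "end",
    ])


if __name__ == "__main__":
    print(f"pool size: {pool_size(*TUNNEL_RANGE)} clients")
    print(tunnel_pool_cli("SSL_tunnel_users", *TUNNEL_RANGE, PRIVATE_SUBNETS))
```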

Adding WINS and DNS services for clients
You can specify the WINS or DNS servers that are made available to SSL-VPN clients.
DNS servers provide the IP addresses that browsers need to access web sites. For
Internet sites, you can specify the DNS server that your FortiGate unit uses. If SSL VPN
users will access intranet sites using URLs, you need to provide them access to the
intranet’s DNS server. You specify a primary and a secondary DNS server.
A WINS server provides IP addresses for named servers in a Windows domain. If SSL
VPN users will access a Windows network, you need to provide them access to the
domain WINS server. You specify a primary and a secondary WINS server.
To specify WINS and DNS services for clients - web-based manager
1 Go to VPN > SSL > Config.

2 Select the Expand Arrow to display the Advanced section.
3 Enter the IP addresses of DNS servers in the DNS Server fields as needed.
4 Enter the IP addresses of WINS servers in the WINS Server fields as needed.
5 Select Apply.
To specify WINS and DNS services for clients - CLI
config vpn ssl settings
    set dns-server1 <address_ipv4>
    set dns-server2 <address_ipv4>
    set wins-server1 <address_ipv4>
    set wins-server2 <address_ipv4>
end

Setting the idle timeout setting
The idle timeout setting controls how long the connection can remain idle before the
system forces the remote user to log in again. For security, keep the default value of 300
seconds or less.
To set the idle timeout - web-based manager
1 Go to VPN > SSL > Config.
2 In the Idle Timeout field, enter the timeout value.
The valid range is from 10 to 28800 seconds.
3 Select Apply.
To set the idle timeout - CLI
config vpn ssl settings
    set idle-timeout <seconds_int>
end

Setting the client authentication timeout
The client authentication timeout controls how long an authenticated connection will
remain connected. When this time expires, the system forces the remote client to
authenticate again. As with the idle timeout, a shorter period of time is more secure.
Note: The default value is 28800 seconds (8 hours). You can only modify this timeout value
in the CLI.

For example, to change the authentication timeout to 18000 seconds, enter the following
commands:
config vpn ssl settings
    set auth-timeout 18000
end

Specifying the cipher suite for SSL negotiations
The FortiGate unit supports a range of cryptographic cipher suites to match the
capabilities of various web browsers. The web browser and the FortiGate unit negotiate a
cipher suite before any information (for example, a user name and password) is
transmitted over the SSL link.

To set the encryption algorithm - web-based manager
1 Go to VPN > SSL > Config.
2 In Encryption Key Algorithm, select one of the following options:
• If the web browser on the remote client is capable of matching a 128-bit or greater
cipher suite, select Default - RC4(128 bits) and higher.
• If the web browser on the remote client is capable of matching a high level of SSL
encryption, select High - AES(128/256 bits) and 3DES. This option enables cipher
suites that use more than 128 bits to encrypt data.
• If you are not sure which level of SSL encryption the remote client web browser
supports, select Low - RC4(64 bits), DES and higher. The web browser must at least
support a 64-bit cipher length.
3 Select Apply.
To set the encryption algorithm - CLI
config vpn ssl settings
    set algorithm {default | high | low}
end

Enabling strong authentication through X.509 security certificates
The FortiGate unit supports strong (two-factor) authentication through X.509 security
certificates (version 1 or 3). The FortiGate unit can require clients to authenticate using a
certificate. Similarly, the client can require the FortiGate unit to authenticate using a
certificate.
For information about obtaining and installing certificates, see the FortiGate Certificate
Management User Guide.

Configuring the FortiGate unit to require strong client authentication
To require clients to authenticate using certificates, select the Require Client Certificate
option in SSL VPN settings. The client browser must have a local certificate installed, and
the FortiGate unit must have the corresponding CA certificate installed.
When the remote client initiates a connection, the FortiGate unit prompts the client
browser for its client-side certificate as part of the authentication process.
To require client authentication by security certificates - web-based manager
1 Go to VPN > SSL > Config.
2 Select Require Client Certificate.
3 Select Apply.
To require client authentication by security certificates - CLI
config vpn ssl settings
    set reqclientcert enable
end

Configuring the FortiGate unit to provide strong authentication
If your SSL VPN clients require strong authentication, the FortiGate unit must offer a
certificate for which the client browser has the CA certificate installed.

In the FortiGate unit SSL VPN settings, you can select which certificate the FortiGate
offers to authenticate itself. By default, the FortiGate unit offers its factory
installed (self-signed) certificate from Fortinet to remote clients when they connect.
To enable FortiGate unit authentication by certificate - web-based manager
1 Go to VPN > SSL > Config.
2 From the Server Certificate list, select the certificate that the FortiGate unit uses to
identify itself to SSL VPN clients.
3 Select Apply.
To enable FortiGate unit authentication by certificate - CLI
For example, to use the example_cert certificate:
config vpn ssl settings
    set servercert example_cert
end

Changing the port number for web portal connections
You can optionally specify a different TCP port number for users to access the web portal
login page through the HTTPS link. By default, the port number is 10443 and users can
access the web portal login page using the following default URL:
https://<FortiGate_IP_address>:10443/remote/login
where <FortiGate_IP_address> is the IP address of the FortiGate interface that accepts
connections from remote users.
Note: If you change the TCP port number, remember to notify your SSL VPN clients. They
must use the new port number to connect to the FortiGate unit.

To change the SSL VPN port - web-based manager
1 If Current VDOM appears at the bottom left of the screen, select Global from the list of
VDOMs.
2 Go to System > Admin > Settings.
3 Type an unused port number in SSLVPN Login Port, and select Apply.
Note: Do not select port number 443 for user access to the web portal login page. Port
number 443 is reserved to support administrative connections to the FortiGate unit through
the web-based manager.

To change the SSL VPN port - CLI
This is a global setting. For example, to set the SSL VPN port to 10443, enter:
config global
    config system global
        set sslvpn-sport 10443
    end
end

Customizing the web portal login page
The default web portal login page shows only the Name and Password fields and the
Login button, centred in the web browser window. You can customize the page with your
company name or other information.
Figure 141: Default SSL VPN web portal login page

The login page is a replacement message composed of HTML code, which you can
modify. Global replacement messages apply to all VDOMs by default, but individual
VDOMs can define their own messages.
To configure the SSL VPN login page - web-based manager
1 If you want to edit the global login page and Current VDOM appears at the bottom left
of the screen, select Global from the list of VDOMs.
2 Go to System > Config > Replacement Messages.
3 Expand the SSL VPN row and select the Edit icon for the SSL VPN login message.

Caution: Before you begin, copy the default web portal login page text to a separate
text file for safe-keeping. Afterward, if needed you can restore the text to the original
version.

4 Edit the HTML text, subject to the following restrictions:
• The login page must be an HTML page containing a form with
ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%"
• The form must contain the %%SSL_LOGIN%% tag to provide the login form.
• The form must contain the %%SSL_HIDDEN%% tag.

5 Select OK.
To configure the SSL VPN login page - CLI
Do one of the following:
• If VDOMs are enabled and you want to modify the global login page, enter:
config global
    config system replacemsg sslvpn sslvpn-login
• If you want to modify the login page for a VDOM, enter:
config vdom
    edit <vdom_name>
        config system replacemsg-group
            edit default
                config sslvpn
                    edit sslvpn-login

To change the login page content, enter the modified page content as a string. In this
example, the page title is changed to “Secure Portal login” and headings are added above
the login dialog which say “example.com Secure Portal”:
set buffer "<html><head><title>Secure Portal login</title>
<meta http-equiv=\"Pragma\" content=\"no-cache\"><meta http-equiv=\"cache-control\"
content=\"no-cache\"><meta http-equiv=\"cache-control\" content=\"must-revalidate\">
<link href=\"/sslvpn/css/login.css\" rel=\"stylesheet\" type=\"text/css\">
<script type=\"text/javascript\">if (top && top.location != window.location)
top.location = top.location;if (window.opener && window.opener.top) {
window.opener.top.location = window.opener.top.location; self.close(); }</script>
</head><body class=\"main\"><center><table width=\"100%\" height=\"100%\"
align=\"center\" class=\"container\" valign=\"middle\" cellpadding=\"0\"
cellspacing=\"0\"><tr valign=top><td align=center><h1>example.com</h1>
<h3>Secure Portal</h3></td></tr><tr valign=top><td><form action=\"%%SSL_ACT%%\"
method=\"%%SSL_METHOD%%\" name=\"f\"><table class=\"list\" cellpadding=10
cellspacing=0 align=center width=400 height=180>%%SSL_LOGIN%%</table>%%SSL_HIDDEN%%
</td></tr></table></form></center></body><script>document.forms[0].username.focus();
</script></html>"
end
Your console application determines how the text wraps. It is easier to edit the code in a
separate text editor and then paste the finished code into the set buffer command. Be
sure to enclose the entire string in quotation marks (").
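As an added example (not Fortinet's code and not part of the handbook), the Python script below checks a customized login page against the restrictions listed above and then wraps it in the set buffer command. It assumes the FortiOS CLI's backslash escape for a double quote inside a quoted string; SAMPLE_PAGE is a constructed page modelled on the one in the CLI example, and the function names are this example's own.

```python
import re

# Placeholder tags that the FortiGate unit substitutes when it serves the login page
# (the restrictions listed under "Customizing the web portal login page").
FORM_ACTION = "%%SSL_ACT%%"
FORM_METHOD = "%%SSL_METHOD%%"
REQUIRED_IN_FORM = ("%%SSL_LOGIN%%", "%%SSL_HIDDEN%%")

_FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form\s*>", re.IGNORECASE | re.DOTALL)
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

# Constructed sample modelled on the page in the CLI example above.
SAMPLE_PAGE = (
    "<html><head><title>Secure Portal login</title>"
    '<meta http-equiv="Pragma" content="no-cache">'
    '<link href="/sslvpn/css/login.css" rel="stylesheet" type="text/css"></head>'
    '<body class="main"><center><h1>example.com</h1><h3>Secure Portal</h3>'
    '<form action="%%SSL_ACT%%" method="%%SSL_METHOD%%" name="f">'
    '<table class="list" cellpadding=10 cellspacing=0 align=center width=400 height=180>'
    "%%SSL_LOGIN%%</table>%%SSL_HIDDEN%%</form></center></body></html>"
)


def _attributes(tag_body):
    """Parse attr="value", attr='value' and attr=value pairs into a lower-cased dict."""
    attrs = {}
    for m in _ATTR_RE.finditer(tag_body):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def validate_login_page(html):
    """Return the rule violations found; an empty list means the page may be used
    as the sslvpn-login replacement message."""
    problems = []
    if "<html" not in html.lower():
        problems.append("page is not an HTML document (no <html> element)")
    forms = _FORM_RE.findall(html)
    if not forms:
        problems.append("no <form>...</form> element found")
        return problems
    # Accept the page if at least one form satisfies every rule; otherwise report
    # the violations of the form that came closest.
    best = None
    for tag_body, inner in forms:
        attrs = _attributes(tag_body)
        issues = []
        if attrs.get("action") != FORM_ACTION:
            issues.append(f'form ACTION must be "{FORM_ACTION}"')
        if attrs.get("method") != FORM_METHOD:
            issues.append(f'form METHOD must be "{FORM_METHOD}"')
        for tag in REQUIRED_IN_FORM:
            if tag not in inner:
                issues.append(f"form does not contain {tag}")
        if not issues:
            return problems
        if best is None or len(issues) < len(best):
            best = issues
    return problems + best


def to_set_buffer(html):
    """Wrap the finished page in the CLI command. Assumption: the FortiOS CLI escapes
    a literal double quote inside a quoted string as backslash followed by the quote."""
    escaped = html.replace("\\", "\\\\").replace('"', '\\"')
    return f'set buffer "{escaped}"'


if __name__ == "__main__":
    print("problems:", validate_login_page(SAMPLE_PAGE) or "none")
    print(to_set_buffer(SAMPLE_PAGE))
```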

Configuring SSL VPN web portals
A web portal defines SSL VPN user access to network resources, such as HTTP/HTTPS,
telnet, FTP, SMB/CIFS, VNC, RDP and SSH. The portal configuration determines what
SSL VPN users see when they log in to the FortiGate. Both the FortiGate administrator
and the SSL VPN user have the ability to customize the web portal.
At minimum, you need to set up one web portal. See “Configuring basic web portal
settings” on page 990. For each portal, you can configure additional security features:

• “Configuring host checking” on page 1000
Check that client computers are running security software.
• “Configuring cache cleaning” on page 1002
Remove session information from the client’s computer after logout.
• “Configuring virtual desktop” on page 1002
Provide a separate Windows desktop environment while connected to the VPN.
Control which applications users can run on their virtual desktop using virtual desktop
application control.
• “Configuring client OS Check” on page 1004
Check that the client’s Windows operating system is up-to-date.

Before you begin
To begin configuring web portals, you need to know how many distinct sets of user access
privileges you need. For example, you might have users who are allowed only RDP
access to their desktop PCs, other users who have access to office file shares, and a third
category of users who will have both types of access. In this case, you need to create a
web portal for each of these access types. Later, you will create SSL VPN user groups that
assign the users to the appropriate portal.
One of the pre-defined web portals might meet your needs. See “Default web portal
configurations”. If needed, you can modify these portals using the procedures in this
section.

Default web portal configurations
There are three pre-defined default web portal configurations available:
• tunnel-access: Includes Session Information and Tunnel Mode widgets.
• full-access: Includes all widgets available to the user - Session Information,
  Connection Tool, Bookmarks, and Tunnel Mode.
• web-access: Includes Session Information and Bookmarks widgets.

Figure 142: Default web portals (default full-access web portal)
Figure 143: Default tunnel-access web portal
Figure 144: Default web access web portal

You can modify a default portal or a portal that you have already defined. Select the Edit
icon next to the web portal in the Portal list. The SSL VPN web portal you select will open.

Configuring basic web portal settings
This section describes the basic configuration to enable users to access web resources
through the portal.
To configure basic web portal settings - web-based manager
1 Go to VPN > SSL > Portal and do one of the following:
• Select Create New.
• Select an existing portal, select Edit, then select Settings.
The web portal settings dialog box opens.
Figure 145: Web portal settings

2 Enter the following information:
Name: Enter a name to identify this web portal.
Applications: Select the applications that users can access through this web portal.
Portal Message: Enter the text that will appear at the top of the web portal window.
Theme: Select the color scheme for this web portal.
Page Layout: Select either the single-column or two-column layout.
Redirect URL: The web portal can display a second HTML page in a popup window when the
web portal home page is displayed. Enter the URL.

3 Optionally, you can select the Virtual Desktop tab to configure the Virtual Desktop
feature. See “Configuring virtual desktop” on page 1002. Or, you can leave this
configuration for later.
4 Optionally, you can select the Security Control tab to configure cache cleaning and
client check. Or, you can leave this configuration for later.
For information on these features, see “Configuring cache cleaning” on page 1002 and
“Configuring host checking” on page 1000.
5 Select OK.
The web portal is displayed.
6 Select Apply to save the settings.
To configure basic web portal settings - CLI
To use the orange theme with a two-column layout and allow users all types of access with
the full-access portal, you could enter:
config vpn ssl web portal
edit full-access
set allow-access ftp ping rdp smb ssh telnet vnc web
set heading "Welcome to the example.com web portal"
set theme orange
set page-layout double-column
end
In the config vpn ssl web portal command, you can also configure client check,
client OS check, cache cleaning, and virtual desktop. Or, you can leave this configuration
for later. These features are described later in this chapter.

Configuring the web portal page layout
You can determine which widgets are displayed on the web portal page and adjust the
layout.
Figure 146: Configuring the SSL VPN web portal page
(Callouts: Log out and Help icon (for user only); Edit; Remove; Add Widget list)

To configure the web portal page - web-based manager
On the web portal page itself, you, as administrator, can make several adjustments to the
appearance of the portal:
• Arrange widgets on the page by dragging them by their title bar.
• Add a widget by choosing a widget from the Add Widget list.
• Remove a widget by selecting the Remove icon in the widget title bar.
• Configure a widget by selecting the Edit icon in the widget title bar. For configuration
  information about each widget type, see the following sections:
  • “Configuring the Session Information widget” on page 995
  • “Configuring the Connection Tool widget” on page 999
  • “Configuring tunnel mode settings” on page 993
  • “Adding, editing, or deleting bookmarks” on page 996
To modify the color scheme and other basic settings, select the Settings button. See
“Configuring basic web portal settings” on page 990. You can also configure several
advanced features. For more information, see:
• “Configuring host checking” on page 1000
• “Configuring cache cleaning” on page 1002
• “Configuring virtual desktop” on page 1002
• “Configuring client OS Check” on page 1004 (CLI only)
When you have finished configuring the web portal page, select Apply to save the
modifications.
To configure the web portal page - CLI
You can also define a portal layout using CLI commands. Unlike configuring with the
web-based manager, a new portal created in the CLI has by default no heading and no widgets.
Also, the widgets do not have default names. You must specify all of this information.
For example, to create the portal layout shown in Figure 146 on page 991, you would
enter:
config vpn ssl web portal
edit myportal
set heading "Welcome to SSL VPN Service"
set page-layout double-column
set theme blue
config widget
edit 0
set type info
set name "Session Information"
set column one
next
edit 0
set type bookmark
set name "Bookmarks"
set column one
next
edit 0
set type tunnel
set name "Tunnel Mode"
set column two
next
edit 0
set type tool
set name "Connection Tool"
set column two
end
end
Note: When you use edit 0, as in this example, the CLI automatically assigns an unused
index value when you exit the edit shell by typing end.

Adding a custom caption to the web portal home page
You can add a custom caption (maximum 31 characters) to the top of the web portal home
page.
To add a custom web portal caption - web-based manager
1 Go to VPN > SSL > Portal.
2 Select the portal and then select Edit.
3 Select Settings.
4 Type the caption in the Portal Message field, and select OK.
To add a custom web portal caption - CLI
For example, to apply a custom caption to portal2, you could enter:
config vpn ssl web portal
edit portal2
set heading "Welcome to the example.com portal"
end

Configuring tunnel mode settings
If your web portal provides tunnel mode access, you need to configure the Tunnel Mode
widget. These settings determine how tunnel mode clients are assigned IP addresses.
If this web portal will assign a different range of IP addresses to clients than the IP Pools
you specified on the VPN > SSL > Config page, you need to define a firewall address for
the IP address range that you want to use. You will then need to specify this address in the
Tunnel Mode widget IP Pools setting.
Optionally, you can enable a split tunneling configuration so that the VPN carries only the
traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal
route.
To configure tunnel mode settings - web-based manager
1 Do one of the following:
• Create a new web portal and complete the basic configuration. See “Configuring
basic web portal settings” on page 990.
• Go to VPN > SSL > Portal and select an existing portal and then select Edit.
2 If the Tunnel Mode widget is missing, add it by selecting Tunnel Mode from the Add
Widget list in the top right corner of the window.
3 Select the Edit icon in the Tunnel Mode widget title bar.

Figure 147: Tunnel Mode widget - edit mode
(Callouts: Tunnel mode settings; Tunnel controls (for users only))

4 Enter the following information:
Name: Enter a name for the Tunnel Mode widget. The default is “Tunnel Mode”.
IP Mode: Select the mode by which the IP address is assigned to the user.
  Range: The user IP address is allocated from the IP address ranges specified by IP Pools.
  User Group: The user is assigned the IP address specified in the Framed-IP-Address
  field of the user’s record on the RADIUS server. This option is valid only for users
  authenticated by a RADIUS server.
IP Pools: Leave this field empty to use the IP address range specified by the IP Pools
field on the VPN > SSL > Config page. If you want to specify an IP address range for
clients of this portal only, select Edit. From the Available list, select the appropriate
firewall address. You must configure the desired IP address range as a firewall address
before you can select it here.
Split Tunneling: Select to enable split tunneling. When enabled, only traffic that
requires the SSL VPN is sent through the tunnel. Other traffic follows the user’s regular
routing. When disabled, all the user’s traffic passes through the tunnel.

The remaining items in the widget are controls that are available to the user during an
SSL VPN session.
5 Select OK in the Tunnel Mode widget.
6 Select Apply.
To configure tunnel mode settings - CLI
To enable tunnel mode operation for portal2 portal users and assign them addresses from
the SSLVPN_TUNNEL_ADDR2 range, you would enter:
config vpn ssl web portal
edit portal2
config widget
edit 0
set type tunnel
set tunnel-status enable
set ip-mode range
set ip-pools SSLVPN_TUNNEL_ADDR2
end
end
The preceding example applies to a web portal that does not already have a tunnel mode
widget. To modify the settings on an existing tunnel mode widget, you need to determine
the widget’s number. Enter:
config vpn ssl web portal
edit portal1
config widget
show
In the output, you will see, for example,
edit 3
set name "Tunnel Mode"
set type tunnel
...
You can now enter edit 3 and modify the tunnel mode widget’s settings.

Configuring the Session Information widget
The Session Information widget displays the login name of the user, the amount of time
the user has been logged in, and the inbound and outbound traffic statistics of HTTP and
HTTPS. You can change the widget name.
To edit the session information, in the Session Information widget select Edit.
Figure 148: Session Information widget - Edit
Edit: Select to edit the information in the widget.
Remove widget: Select to close the widget and remove it from the web portal home page.
OK: Select to save the Session Information configuration.
Cancel: Select to exit the Session Information widget without saving any changes.
Name: Enter a customized name for the Session Information widget.

To configure Session Information settings - CLI
To change the name of the web-access Session Information widget to “My Session”, you
would enter:
config vpn ssl web portal
edit web-access
config widget
edit 4
set name "My Session"
end

Configuring the Bookmarks widget
Bookmarks are used as links to specific resources on the network. When a bookmark is
selected from a bookmark list, a pop-up window appears with the requested web page.
Telnet, VNC, and RDP all pop up a window that requires a browser plug-in. FTP and
Samba replace the bookmarks page with an HTML file-browser.
To configure the Bookmarks widget
1 Do one of the following:
• Create a new web portal and complete the basic configuration. See “Configuring
basic web portal settings” on page 990.
• Go to VPN > SSL > Portal, select an existing portal and then select Edit.
2 If the Bookmarks widget is missing, add it by selecting Bookmarks from the Add Widget
list in the top right corner of the web portal window.
3 Select the Edit icon in the Bookmarks widget title bar.

(Figure callouts: Widget configuration; Bookmarks list)

4 Optionally, you can change the Name of the Bookmarks widget.
5 Select the Applications check boxes for the types of bookmarks that you want to
support.
6 Select OK.

Adding, editing, or deleting bookmarks
You can add bookmarks to the Bookmarks widget. These bookmarks are available to
users of the SSL VPN web portal. If needed, you can also modify existing bookmarks.
To delete bookmarks
1 Open the web portal.
2 In the Bookmarks widget, select the Edit button.
Figure 149: Deleting bookmarks (callout: Delete)

3 Select the X to the right of the bookmark that you want to delete.
4 Select Done.

To add or edit bookmarks - web-based manager
1 Open the web portal.
2 In the Bookmarks widget, do one of the following:
• To add a bookmark, select Add.
• To edit an existing bookmark, select the Edit button and then select the bookmark.
3 Enter or edit the following information:
Name: Enter a name for the bookmark.
Type: Select the type of application to which the bookmark links. For example, select
HTTP/HTTPS for a web site. Only the application types that you configured for this widget
are in the list. You can select Edit in the widget title bar to enable additional
application types. See “Configuring the Bookmarks widget” on page 996.
Location: Enter the destination of the bookmark.
  For HTTP, enter the URL or just the hostname.
  For HTTPS, enter the URL.
  For RDP, VNC, Telnet or SSH, enter the hostname.
  For FTP or SMB, enter hostname or //<hostname>/<path>.
Description: Optionally, enter a descriptive tooltip for the bookmark.
SSO: A Single Sign-On (SSO) bookmark automatically enters the login credentials for the
bookmark destination. Select one of:
  Disabled — This is not an SSO bookmark.
  Automatic — Use the user’s SSL VPN credentials for login.
  Static — Use the login credentials defined below.
Single Sign-On settings available when SSO is Static
Field Name: Enter a required login page field name, “User Name” for example.
Value: Enter the value to enter in the field identified by Field Name. If you are an
administrator configuring a bookmark for users:
  • Enter %usrname% to represent the user’s SSL VPN user name.
  • Enter %passwd% to represent the user’s SSL VPN password.
Add: Enter another Field Name / Value pair, for the password for example. A new set of
Field Name / Value fields is added. Fill them in.

4 Select OK.
5 If there is a Done button, you can select another bookmark to edit or select Done to
leave the edit mode.
6 Select Apply at the top of the web portal page to save the changes that you made.
To configure the Bookmarks widget and add/edit bookmarks - CLI
To allow only FTP and web connections on the web-access portal and to configure a
bookmark to example.com, you would enter:
config vpn ssl web portal
edit web-access
config widget
edit 1
set type bookmark
set allow-apps ftp web
config bookmarks
edit "example"
set apptype web
set description "example bookmark"
set url "http://example.com"
end
end
end
To delete bookmarks - CLI
To delete the bookmark added above, you would enter:
config vpn ssl web portal
edit web-access
config widget
edit 1
config bookmarks
delete example
end
end
end

Configuring the Connection Tool widget
The Connection Tool enables a user to connect to resources for which there are no
bookmarks.
To configure the Connection Tool widget
1 Do one of the following:
• Create a new web portal and complete the basic configuration. See “Configuring
basic web portal settings” on page 990.
• Go to VPN > SSL > Portal, select an existing portal and then select Edit.
2 If the Connection Tool widget is missing, add it by selecting Connection Tool from the
Add Widget list in the top right corner of the web portal window.
3 Select the Edit icon in the Connection Tool widget title bar.

(Figure callouts: Widget configuration; Connection controls (for user only))
4 Optionally, enter a new Name for the widget.
5 Select the types of Applications (protocols and services) that the Connection Tool is
enabled to access.
6 Select OK.
To configure the Connection Tool widget - CLI
To change, for example, the full-access portal Connection Tool widget to allow all
application types except Telnet, you would enter:
config vpn ssl web portal
edit full-access
config widget
edit 3
set allow-apps ftp rdp smb ssh vnc web
end
end
end

Configuring host checking
To increase the security of your network, you can require your SSL VPN clients to have
antivirus or firewall software installed on their computers. Only clients that meet the
requirements are permitted to log on.
To configure host checking - web-based manager
1 Go to VPN > SSL > Portal.
2 Select the web portal and then select Edit.
3 Select the Settings button.
4 Select the Security Control tab and enter the following information:
Host Check: Select the type of host check to perform.
  AV: Check for a running antivirus application recognized by the Windows Security Center.
  FW: Check for a running firewall application recognized by the Windows Security Center.
  AV-FW: Check for both an antivirus application and a firewall application recognized
  by the Windows Security Center.
  Custom: Check for security applications that you choose from the VPN > SSL > Host Check
  page. See the Policy field.
  None: Select to disable host checking.
Interval: Select how often to recheck the host. Range is every 120 seconds to
259 200 seconds. Enter 0 to not recheck the host during the session.
Policy: This field is available if Host Check is Custom. It lists the acceptable security
applications for clients. Select Edit to choose the acceptable security applications. Use
the arrow buttons to move applications between the Available and Selected lists. Clients
will be checked for the applications in the Selected list. Select OK. The Available list
contains the applications from the VPN > SSL > Host Check page. You can add or remove
applications from the Host Check list. See “Configuring the custom host check list” on
page 1001.

5 Select OK.
To configure host checking - CLI
To configure the full-access portal to check for AV and firewall software on client Windows
computers, you would enter the following:
config vpn ssl web portal
edit full-access
set host-check av-fw
end
To configure the full-access portal to perform a custom host check for FortiClient Host
Security AV and firewall software, you would enter the following:
config vpn ssl web portal
edit full-access
set host-check custom
set host-check-policy FortiClient-AV FortiClient-FW
end

Configuring the custom host check list
If you configure a custom host check for your web portal (see “Configuring host checking”
on page 1000), you choose security applications from the list on the VPN > SSL >
Host Check page. The Host Check list includes default entries for many security software
products. You can add, remove, or modify entries in this list.
To add an entry to the Host Check list - web-based manager
1 Go to VPN > SSL > Host Check.
2 Select Create New and enter the following information:
Name: Enter a name for the application. The name does not need to match the actual
application name.
Type: Select the type of security application. Can be AV for antivirus or FW for firewall.
GUID: Enter the Globally Unique IDentifier (GUID) for the host check application, if
known. The GUID is usually in the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where each x
is a hexadecimal digit. Windows uses GUIDs to identify applications in the Windows
Registry.
Version: The version of the security application.
Add button: If you do not know the GUID, add alternative checks for the application. The
security software is considered found only if all checks succeed.
Check Item entry: These fields are available when you select the Add button.
  Type: Select how to check for the application:
    • File — Look for a file. This could be the application’s executable file or any
    other file that would confirm the presence of the application. In File/Path, enter
    the full path to the file. Where applicable, you can use environment variables
    enclosed in percent (%) marks. For example,
    %ProgramFiles%\Fortinet\FortiClient\FortiClient.exe
    • Process — Look for the application as a running process. In Process, enter the
    application’s executable file name.
    • Registry — Search for a Windows Registry entry. In Registry, enter a registry item,
    for example HKLM\SOFTWARE\Fortinet\FortiClient\Misc
  Action: Select one of
    Require — If the item is found, the client meets the check item condition.
    Deny — If the item is found, the client is considered to not meet the check item
    condition. Use this option if it is necessary to prevent use of a particular security
    product.
  MD5 Signatures: If Type is File or Process, enter one or more known MD5 signatures for
  the application executable file. You can use a third-party utility to calculate MD5
  signatures or hashes for any file. You can enter multiple signatures to match multiple
  versions of the application.
3 Select OK.
4 Select OK.
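As an added example (not FortiOS code), the following Python models how a client is evaluated against a custom Host Check list built from the fields above: each check item is a File, Process or Registry lookup with a Require or Deny action and optional MD5 signatures, and an application counts as found only when all of its check items succeed. The client inventories, the hashes and the FortiClient-AV / FortiClient-FW entries are constructed sample data; that a client must pass every application named in host-check-policy is an assumption.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class CheckItem:
    """One Check Item entry of a Host Check list application."""
    kind: str                           # "file", "process" or "registry"
    target: str                         # File/Path, Process name, or Registry key
    action: str = "require"             # "require" or "deny"
    md5s: FrozenSet[str] = frozenset()  # known MD5 signatures (lowercase hex)


@dataclass
class HostCheckApp:
    """A Host Check list entry; found only if all of its checks succeed."""
    name: str
    checks: List[CheckItem] = field(default_factory=list)


@dataclass
class ClientInventory:
    """Constructed snapshot of what the client-side check would observe."""
    env: Dict[str, str]        # environment variables usable as %VAR% in paths
    files: Dict[str, str]      # lowercase full path -> MD5 of the file
    processes: Dict[str, str]  # lowercase executable name -> MD5 of its image
    registry: Set[str]         # lowercase registry keys that exist


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references, as the File/Path field allows."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def item_present(item: CheckItem, inv: ClientInventory) -> bool:
    """Is the artifact named by the check item on the client? (action ignored)"""
    if item.kind == "registry":
        return item.target.lower() in inv.registry
    if item.kind == "file":
        digest = inv.files.get(expand_env(item.target, inv.env).lower())
    elif item.kind == "process":
        digest = inv.processes.get(item.target.lower())
    else:
        raise ValueError(f"unknown check item type {item.kind!r}")
    if digest is None:
        return False
    # With MD5 signatures configured, only a listed build counts as a match;
    # an unknown build of the same executable is treated as not present.
    return not item.md5s or digest.lower() in item.md5s


def item_satisfied(item: CheckItem, inv: ClientInventory) -> bool:
    """Require: found means the condition is met. Deny: found means it is not."""
    present = item_present(item, inv)
    return present if item.action == "require" else not present


def app_found(app: HostCheckApp, inv: ClientInventory) -> bool:
    """The security software is considered found only if all checks succeed."""
    return all(item_satisfied(c, inv) for c in app.checks)


def custom_host_check(policy: List[str], apps: Dict[str, HostCheckApp],
                      inv: ClientInventory) -> Dict[str, bool]:
    """Per-application result of `set host-check-policy <names>` for one client."""
    return {name: app_found(apps[name], inv) for name in policy}


def client_admitted(policy: List[str], apps: Dict[str, HostCheckApp],
                    inv: ClientInventory) -> bool:
    # Assumption (not stated on the page): every policy application must be found.
    return all(custom_host_check(policy, apps, inv).values())


# Constructed sample data: MD5s of made-up bytes, not real product signatures.
GOOD_BUILD = hashlib.md5(b"FortiClient.exe build 4.0.2 (constructed)").hexdigest()
OLD_BUILD = hashlib.md5(b"FortiClient.exe build 3.0 (constructed)").hexdigest()

HOST_CHECK_LIST = {
    "FortiClient-AV": HostCheckApp("FortiClient-AV", [
        CheckItem("file", r"%ProgramFiles%\Fortinet\FortiClient\FortiClient.exe",
                  md5s=frozenset({GOOD_BUILD})),
        CheckItem("registry", r"HKLM\SOFTWARE\Fortinet\FortiClient\Misc"),
    ]),
    "FortiClient-FW": HostCheckApp("FortiClient-FW", [
        CheckItem("process", "FortiClient.exe", md5s=frozenset({GOOD_BUILD})),
        # Deny item: a product that must NOT be running for the check to pass.
        CheckItem("process", "LegacyFirewall.exe", action="deny"),
    ]),
}

COMPLIANT_CLIENT = ClientInventory(
    env={"ProgramFiles": r"C:\Program Files"},
    files={r"c:\program files\fortinet\forticlient\forticlient.exe": GOOD_BUILD},
    processes={"forticlient.exe": GOOD_BUILD},
    registry={r"hklm\software\fortinet\forticlient\misc"},
)

# Same machine with an older, unlisted build and the denied firewall running.
STALE_CLIENT = ClientInventory(
    env=dict(COMPLIANT_CLIENT.env),
    files={r"c:\program files\fortinet\forticlient\forticlient.exe": OLD_BUILD},
    processes={"forticlient.exe": OLD_BUILD, "legacyfirewall.exe": "00" * 16},
    registry=set(COMPLIANT_CLIENT.registry),
)
```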

Configuring cache cleaning
When the SSL VPN session ends, the client browser cache may retain some information.
To enhance security, cache cleaning clears this information just before the SSL VPN
session ends.
Note: The cache cleaner is effective only if the session terminates normally. The cache is
not cleaned if the session ends due to a malfunction, such as a power failure.

To enable cache cleaning - web-based manager
1 Go to VPN > SSL > Portal, select the web portal and then select Edit.
2 Select the Settings button.
3 Select the Security Control tab.
4 Select Clean Cache.
5 Select OK.
6 Select Apply.
To enable cache cleaning - CLI
To enable cache cleaning on the full-access portal, you would enter:
config vpn ssl web portal
edit full-access
set cache-cleaner enable
end
Cache cleaning requires a browser plugin. If the user does not have the plugin, it is
automatically downloaded to the client computer.

Configuring virtual desktop
Available for Windows XP, Windows Vista, and Windows 7 client PCs, the virtual desktop
feature completely isolates the SSL VPN session from the client computer’s desktop
environment. All data is encrypted, including cached user credentials, browser history,
cookies, temporary files, and user files created during the session. When the SSL VPN
session ends normally, the files are deleted. If the session ends due to a malfunction, files
might remain, but they are encrypted, so the information is protected.
When the user starts an SSL VPN session which has virtual desktop enabled, the virtual
desktop replaces the user’s normal desktop. When the virtual desktop exits, the user’s
normal desktop is restored.
Virtual desktop requires the Fortinet cache cleaner plugin. If the plugin is not present, it is
automatically downloaded to the client computer.
To enable virtual desktop - web-based manager
1 Go to VPN > SSL > Portal, select the web portal and then select Edit.
2 Select the Settings button.
3 Select the Virtual Desktop tab.
4 Select Enable Virtual Desktop.
5 Enable the other options as needed.
6 Optionally, select an Application Control List.
See “Configuring virtual desktop application control”.
7 Select OK.
8 Select Apply.
To enable virtual desktop - CLI
To enable virtual desktop on the full-access portal and apply the application control list
List1, for example, you would enter:
config vpn ssl web portal
edit full-access
set virtual-desktop enable
set virtual-desktop-app-list List1
end

Configuring virtual desktop application control
You can control which applications users can run on their virtual desktop. To do this, you
create an Application Control List of either allowed or blocked applications. When you
configure the web portal, you select the list to use.
There are two types of application control list:
• allow the listed applications and block all others, or
• block the listed applications and allow all others.
You can create multiple application control lists, but in each web portal you can select
only one list to use.
To create an Application Control List - web-based manager
1 Go to VPN > SSL > Virtual Desktop Application Control and select Create New.
2 Enter a Name for the list.
3 Select one of the following:
• Allow the applications on this list and block all others
• Block the applications on this list and allow all others
4 Select Add.
5 Enter a Name for the application.
This can be any name and does not have to match the official name of the application.
6 Enter one or more known MD5 Signatures for the application executable file.
You can use a third-party utility to calculate MD5 signatures or hashes for any file. You
can enter multiple signatures to match multiple versions of the application.
7 Select OK.
8 Repeat steps 4 through 7 for each additional application.
9 Select OK.
To create an Application Control List - CLI
If, for example, you want to add BannedApp to List1, a list of blocked applications, you
would enter:
config vpn ssl web virtual-desktop-app-list
edit "List1"
set action block
config apps
edit "BannedApp"
set md5s "06321103A343B04DF9283B80D1E00F6B"
end
end

Configuring client OS Check
The SSLVPN client OS Check feature can determine if clients are running the
Windows 2000, Windows XP, Windows Vista or Windows 7 operating system. You can
configure the OS Check to do any of the following:
• allow the client access
• allow the client access only if the operating system has been updated to a specified
  patch (service pack) version
• deny the client access

The OS Check has no effect on clients running other operating systems.
To configure OS Check - CLI
OS Check is configurable only in the CLI.
config vpn ssl web portal
edit <portal_name>
set os-check enable
config os-check-list {windows-2000 | windows-xp
| windows-vista | windows-7}
set action {allow | check-up-to-date | deny}
set latest-patch-level {disable | 0 - 255}
set tolerance {tolerance_num}
end
end
Variable: set os-check {disable | enable}
Description: Enable or disable SSL VPN OS patch level check. Default disable.
Default: disable

Variable: config os-check-list {windows-2000 | windows-xp | windows-vista | windows-7}
Description: Configure the OS of the patch level check. Available when os-check is set
to enable.
Default: No default.

Variable: set action {allow | check-up-to-date | deny}
Description: Specify how to perform the patch level check.
  • allow - any level is permitted
  • check-up-to-date - some patch levels are permitted. Make selections for
    latest-patch-level and tolerance.
  • deny - OS version is not permitted access
  Available when os-check is set to enable.
Default: allow

Variable: set latest-patch-level {disable | 0 - 255}
Description: Specify the latest allowed patch level. Available when action is
check-up-to-date.
Default: 2000: 4; XP, Vista: 2

Variable: set tolerance {tolerance_num}
Description: Specify the allowable patch level tolerance. Lowest acceptable patch level
equals latest-patch-level minus tolerance. Available when action is set to
check-up-to-date.
Default: 0

Configuring user accounts and user groups for SSL VPN
Remote users must be authenticated before they can request services and/or access
network resources through the web portal. The authentication process can use a
password defined on the FortiGate unit or optionally use established external
authentication mechanisms such as RADIUS or LDAP.
You need to create a user account for each user and then add the users to an SSL VPN
user group. The user group specifies the web portal that users can access after they
authenticate.

Creating user accounts
The following procedure explains how to create a user account. To authenticate users, you
can use a plain text password on the FortiGate unit (Local domain), forward authentication
requests to an external RADIUS, LDAP or TACACS+ server, or utilize PKI certificates.
For information about how to create RADIUS, LDAP, TACACS+ or PKI user accounts, see
the “User” chapter of the FortiGate Administration Guide. For information about importing
certificates, see the “System Certificates” chapter of the FortiGate Administration Guide.
For information about certificate authentication, see the FortiGate Certificate Management
User Guide.
To create a user account - web-based manager
1 Go to User > User, select Create New, and enter the following information:
Figure 150: Creating a Local user
User Name: Type or edit the remote user name (for example, User_1).
Disable: Select to prevent this user from authenticating.
Password: Select to authenticate this user using a password stored on the FortiGate unit,
and then enter the password. The password should be at least six characters long.
LDAP: Select to authenticate this user using a password stored on an LDAP server. Select
the LDAP server from the list. You can select only an LDAP server that has been added to
the FortiGate LDAP configuration.
RADIUS: Select to authenticate this user using a password stored on a RADIUS server.
Select the RADIUS server from the list. You can select only a RADIUS server that has been
added to the FortiGate configuration.
TACACS+: Select to authenticate this user using a password stored on a TACACS+ server.
Select the TACACS+ server from the list. You can select only a TACACS+ server that has
been added to the FortiGate TACACS+ configuration.
2 Select OK.

FortiOS™ Handbook FortiOS 4.0 MR2 SSL VPNs
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

To create a user account - CLI
If you want to create a user account, for example User_1 with the password “1_user”, you
would enter:
config user local
    edit User_1
        set passwd "1_user"
        set status enable
        set type password
end

Creating a user group for SSL VPN users
You must add users to a firewall user group. As part of configuring the user group, you
select the SSL VPN web portal that the members of this group access after authenticating.
To create an SSL VPN user group - web-based manager
1 Go to User > User Group > User Group, select Create New, and enter the following
information:
Figure 151: Configuring an SSL VPN user group

Name: Type or edit the user group name (for example, Web-only_group).
Type: Select Firewall.
Allow SSL-VPN Access: Enable and select the SSL VPN web portal configuration to use with the User Group. For more information, see “Configuring SSL VPN web portals” on page 987.
Available Users/Groups: The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, or PKI users that can be added to the user group. To add a member to this list, select the name and then select the right arrow button.
Members: The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, or PKI users that belong to the user group. To remove a member, select the name and then select the left arrow button.

2 Select OK.

To create an SSL VPN user group - CLI
To create the user group web_only associated with the web-access portal and add
members User_1, User_2, and User_3, you would enter:
config user group
    edit web_only
        set group-type sslvpn
        set member User_1 User_2 User_3
        set sslvpn-portal web-access
end

Configuring firewall policies
This section contains the procedures needed to configure firewall policies for web-only
mode operation and tunnel-mode operation. These procedures assume that you have
already completed the procedures outlined in “Configuring user accounts and user groups
for SSL VPN” on page 1005.
Firewall policies permit traffic to pass through the FortiGate unit. The FortiGate unit checks
incoming connection attempts against the list of firewall policies, looking to match:
• source and destination interfaces
• source and destination firewall addresses
• services
• time/schedule

If no policy matches, the connection is dropped. You should order the firewall policy list top
to bottom from most specific to most general. Only the first matching firewall policy is
applied to a connection, and you want the best match to occur first.
You will need at least one SSL VPN firewall policy. This is an identity-based policy that
authenticates users and enables them to access the SSL VPN web portal. The SSL VPN
user groups named in the policy determine who can authenticate and which web portal
they will use. From the web portal, users can access protected resources or download the
SSL VPN tunnel client application.
If you will provide tunnel mode access, you will need a second firewall policy — an
ACCEPT tunnel mode policy to permit traffic to flow between the SSL VPN tunnel and the
protected networks.
Figure 152: Example of firewall policies for SSL VPN (the policy list shows an SSL VPN policy, an Internet browsing policy, and a tunnel mode policy)


Configuring firewall addresses
Before you can create firewall policies, you need to define the firewall addresses you will
use in those policies. For both web-only and tunnel mode operation, you need to create
firewall addresses for all of the destination networks and servers to which the SSL VPN
client will be able to connect.
For tunnel mode, you will already have defined firewall addresses for the IP address
ranges that the FortiGate unit will assign to SSL VPN clients. See “Specifying an IP
address range for tunnel-mode clients” on page 981.
The source address for your SSL VPN firewall policies will be the pre-defined “all”
address. If this address is missing, you can add it. Both the address and the netmask are
0.0.0.0. The “all” address is used because VPN clients will be connecting from various
addresses, not just one or two known networks. For improved security, if clients will be
connecting from one or two known locations you should configure firewall addresses for
those locations, instead of using the “all” address.
To create a firewall address
1 Go to Firewall > Address > Address and select Create New.
2 Enter the following information and select OK.
Figure 153: Firewall address

Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names.
Type: Select Subnet/IP Range.
Subnet / IP Range: Enter the firewall IP address in any of the following formats:
• an IP address and a subnet mask, separated by a slash, for example 172.16.10.0/255.255.255.0
• a CIDR-format IP address with netmask, for example 172.16.10.0/24
• a single address, for example 172.16.10.3
• an IP address range, for example 172.16.10.[4-5]
Interface: Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address to the interface/zone when you create a firewall policy.

To create a firewall address - CLI
To create, for example, the address OfficeLAN for the protected network you would enter:
config firewall address
    edit OfficeLAN
        set type ipmask
        set subnet 10.11.101.0/24
        set associated-interface port2
end

In the following example, there are firewall addresses defined for the protected network
OfficeLAN and the SSL VPN tunnel user IP address range SSL_tunnel_users. You can
also see the “all” preconfigured address.
Figure 154: Example firewall address list

Configuring the SSL VPN firewall policy
At minimum, you need one SSL VPN firewall policy to authenticate users and provide
access to the protected networks. You will need additional firewall policies only if you have
multiple web portals that provide access to different resources.
If you provide tunnel mode access, you will need a second firewall policy to permit traffic
between the SSL VPN tunnel and the protected networks. See “Configuring the tunnel
mode firewall policy” on page 1011.
The SSL VPN firewall policy is an identity-based policy that permits members of a
specified SSL VPN user group to access specified services according to a specified
schedule. The policy can also apply UTM features, traffic shaping and logging to SSL VPN
traffic.
The user group is associated with the web portal that the user sees after logging in. If you
have multiple portals, you will need multiple user groups. You can use one policy for
multiple groups, or multiple policies to handle differences between the groups such as
access to different services, or different schedules.
The SSL VPN firewall policy specifies:
• the source address that corresponds to the IP address of the remote user.
• the destination address that corresponds to the IP address or addresses that remote clients need to access. The destination address may correspond to an entire private network, a range of private IP addresses, or the private IP address of a server or host.
  Note: Do not use ALL as the destination address. If you do, you will see the “Destination address of Split Tunneling policy is invalid” error when you enable Split Tunneling.
• the level of SSL encryption to use and the authentication method
• which SSL VPN user groups can use the firewall policy
• the times (schedule) and types of services that users can access
• the UTM features and logging that are applied to the connection

To create an SSL-VPN firewall policy - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following information:
Figure 155: Configuring a new SSL VPN firewall policy

Source Interface/Zone: Select the name of the FortiGate network interface that connects to the Internet.
Source Address: Select all.
Destination Interface/Zone: Select the FortiGate network interface that connects to the protected network.
Destination Address: Select the firewall address you created that represents the networks and servers to which the SSL VPN clients will connect. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
Action: Select SSL-VPN. This option is available only if there is at least one user group with SSL VPN access enabled.
SSL Client Certificate Restrictive: Allow access only to holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field. See “Enabling strong authentication through X.509 security certificates” on page 984.
Cipher Strength: Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select: Any, High >= 164, or Medium >= 128.
Configure SSL-VPN Users: A firewall policy for an SSL VPN is automatically an identity-based policy.
Add: Add a user group to the policy. The Edit Authentication Rule window opens on top of the firewall policy. Enter the following information and then select OK. You can select Add again to add more groups.
User Group: Select user groups in the left list and use the right arrow button to move them to the right list.
Service: Select services in the left list and use the right arrow button to move them to the right list. Select the ANY service to allow the user group access to all services.
Schedule: Optionally, select a Schedule for allowed access. The default is always.
Log Allowed Traffic: Optionally log the traffic.
UTM: Optionally, apply UTM features to SSL VPN traffic for this user group.
Comments: Optionally, add information about the policy. The maximum length is 63 characters.

3 Select OK.
Your identity-based policies are listed in the firewall policy table. The FortiGate unit
searches the table from the top down to find a policy to match the client’s user group.
Using the move icon in each row, you can change the order of the policies in the table
to ensure the best policy will be matched first. You can also use the icons to edit or
delete policies.
To create an SSL VPN firewall policy - CLI
To create the firewall policy shown in Figure 155 on page 1010, enter the following CLI
commands.
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr OfficeLAN
        set action ssl-vpn
        set nat enable
        config identity-based-policy
            edit 0
                set groups SSL-VPN
                set schedule always
                set service ANY
        end
end

Configuring the tunnel mode firewall policy
If your SSL VPN will provide tunnel mode operation, you need to create a firewall policy to
enable traffic to pass between the SSL VPN virtual interface and the protected networks.
This is in addition to the SSL VPN firewall policy that you created in the preceding section.
Similar to an IPsec virtual interface, the SSL VPN virtual interface is the FortiGate unit end
of the SSL tunnel that connects to the remote client. It is named ssl.<vdom_name>. In
the root VDOM, for example, it is named ssl.root. If VDOMs are not enabled on your
FortiGate unit, the SSL VPN virtual interface is also named ssl.root.

To configure the tunnel mode firewall policy - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following information and select OK.
Source Interface/Zone: Select the virtual SSL VPN interface, such as ssl.root.
Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients, such as SSL_VPN_tunnel_users.
Destination Interface/Zone: Select the FortiGate network interface that connects to the protected network.
Destination Address: Select the firewall address you created that represents the networks and servers to which the SSL VPN clients will connect. To select multiple firewall addresses or address groups, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
Action: Select Accept.
NAT: Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed. Enable NAT to use the IP address of the outgoing interface of the FortiGate unit as the source address for new sessions started by SSL VPN. Otherwise, disable NAT.
Comments: Optionally, add information about the policy. The maximum length is 63 characters.

Leave other settings at their default values.

To configure the tunnel mode firewall policy - CLI
config firewall policy
    edit <id>
        set srcintf ssl.root
        set dstintf <dst_interface_name>
        set srcaddr <tunnel_ip_address>
        set dstaddr <protected_network_address_name>
        set action accept
        set schedule always
        set service ANY
        set nat enable
end
This policy enables the SSL VPN client to initiate communication with hosts on the
protected network. If you want to enable hosts on the protected network to initiate
communication with the SSL VPN client, you should create another Accept policy like the
preceding one but with the source and destination settings reversed.
You must also add a static route for tunnel mode operation. See the following section.

Configuring routing for tunnel mode
If your SSL VPN operates in tunnel mode, you must add a static route so that replies
from the protected network can reach the remote SSL VPN client.
To add the tunnel mode route - web-based manager
1 Go to Router > Static > Static Route and select Create New.
2 Enter the following information and select OK.

Destination IP/Mask: Enter the Tunnel IP address range that you assigned to users of the web portal. See “Configuring tunnel mode settings” on page 993.
Device: Select the SSL VPN virtual interface, ssl.root for example.
Distance: Optionally you can set the distance on the SSL VPN higher than the default route to ensure only SSL VPN traffic uses this route.

Leave other settings at their default values.

To add the tunnel mode route - CLI
If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:
config router static
    edit <id>
        set device ssl.root
        set dst 10.11.254.0/24
end

Adding an Internet browsing policy
With split tunneling disabled, all of the SSL VPN client’s requests are sent through the
SSL VPN tunnel. But the tunnel mode firewall policy provides access only to the protected
networks behind the FortiGate unit. Clients will receive no response if they attempt to
access Internet resources. Optionally, you can enable clients to connect to the Internet
through the FortiGate unit.
To add an Internet browsing policy
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following information and select OK.
Source Interface/Zone: Select the virtual SSL VPN interface, ssl.root, for example.
Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients.
Destination Interface/Zone: Select the FortiGate network interface that connects to the Internet.
Destination Address: Select all.
Action: Select Accept.
NAT: Enable.

Leave other settings at their default values.

To configure the Internet browsing firewall policy - CLI
To enable browsing the Internet through port1, you would enter:
config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf port1
        set srcaddr SSL_tunnel_users
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
end

Enabling connection to an IPsec VPN
You might want to provide your SSL VPN clients access to another network, such as a
branch office, that is connected by an IPsec VPN. To do this, you need only to add the
appropriate firewall policy. For information about route-based and policy-based IPsec
VPNs, see the IPsec VPN Guide.
To configure interconnection with a route-based IPsec VPN - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following information and select OK.
Source Interface/Zone: Select the virtual SSL VPN interface, ssl.root, for example.
Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients.
Destination Interface/Zone: Select the virtual IPsec interface for your IPsec VPN.
Destination Address: Select the address of the IPsec VPN remote protected subnet.
Action: Select ACCEPT.
NAT: Enable.

Leave other settings at their default values.

To configure interconnection with a route-based IPsec VPN - CLI
If, for example, you want to enable SSL VPN users to connect to the private network
(address name OfficeAnet) through the toOfficeA IPsec VPN, you would enter:
config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf toOfficeA
        set srcaddr SSL_tunnel_users
        set dstaddr OfficeAnet
        set action accept
        set nat enable
        set schedule always
        set service ANY
end

To configure interconnection with a policy-based IPsec VPN - web-based manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Enter the following information and select OK.
Source Interface/Zone: Select the virtual SSL VPN interface, ssl.root, for example.
Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients.
Destination Interface/Zone: Select the FortiGate network interface that connects to the Internet.
Destination Address: Select the address of the IPsec VPN remote protected subnet.
Action: Select IPSEC.
VPN tunnel: Select the Phase 1 configuration name of your IPsec VPN.
Allow inbound: Enable
Allow outbound: Enable
NAT inbound: Enable

Leave other settings at their default values.

To configure interconnection with a policy-based IPsec VPN - CLI
If, for example, you want to enable SSL VPN users to connect to the private network
(address name OfficeAnet) through the OfficeA IPsec VPN, you would enter:
config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf port1
        set srcaddr SSL_tunnel_users
        set dstaddr OfficeAnet
        set action ipsec
        set schedule always
        set service ANY
        set inbound enable
        set outbound enable
        set natinbound enable
        set vpntunnel toOfficeA
end
In this example, port1 is connected to the Internet.

Viewing SSL VPN logs
You can view SSL VPN logs on your FortiGate unit. For information about how to interpret
log messages, see the FortiGate Log Message Reference.
To enable logging - web-based manager
1 Go to Log & Report > Log Config > Log Setting.
2 Enable the storage of log messages to one or more of the following locations:
• a FortiAnalyzer unit
• the FortiGate system memory
• a remote computer running a syslog server
Note: If available on your FortiGate unit, you can enable the storage of log messages to a
system hard disk. In addition, as an alternative to the options listed above, you may choose
to forward log messages to a remote computer running a WebTrends firewall reporting
server. For more information about enabling either of these options through CLI commands,
see the “log” chapter of the FortiGate CLI Reference.

3 If the options are concealed, select the expand arrow beside each option to reveal and
configure associated settings.
4 If logs will be written to system memory, from the Log Level list, select Information. For
more information, see the “Log & Report” chapter of the FortiGate Administration
Guide.
5 Select Apply.

To enable logging - CLI
config log {fortianalyzer | memory | syslog} setting
    set status enable
end
For some log locations, there are additional options that you can set.
To enable logging of SSL VPN events - web-based manager
1 Go to Log & Report > Log Config > Event Log.
2 Select Enable, and then select one or more of the following options:
• SSL VPN user authentication event
• SSL VPN administration event
• SSL VPN session event
3 Select Apply.
To enable logging of SSL VPN events - CLI
config log {fortianalyzer | memory | syslog} filter
    set event enable
    set sslvpn-log-adm enable
    set sslvpn-log-auth enable
    set sslvpn-log-session enable
end
To enable logging of SSL VPN traffic - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select your SSL VPN policy and then select Edit.
3 For each identity-based policy, select its Edit icon, select Log Allowed Traffic and then
select OK.
4 Select OK.
5 Select the Edit icon for your tunnel-mode policy.
6 Select Log Allowed Traffic and then select OK.
To enable logging of SSL VPN traffic - CLI
If your SSL VPN firewall policy is number 2 with a single identity-based policy, and your
tunnel-mode policy is number 5, you would enable traffic logging by entering:
config firewall policy
    edit 2
        config identity-based-policy
            edit 1
                set logtraffic enable
        end
    next
    edit 5
        set logtraffic enable
end

To view SSL VPN logs - web-based manager
1 Go to Log & Report > Log Access and select the Memory or Disk tab.
2 From the Log Type list select Event Log or Traffic Log, as needed.
In event log entries look for the sub-types “sslvpn-session” and “sslvpn-user”.
In the traffic logs, look for the sub-type “allowed”. For web-mode traffic, the source is
the host IP address. For tunnel-mode traffic, the source is the address assigned to the
host from the SSL VPN address pool.
To view SSL VPN logs - CLI
execute log filter category {event | traffic}
execute log filter device {fortianalyzer | memory | syslog}
execute log display
The console displays the first 10 log messages. To view more messages, run the
command again. You can do this until you have seen all of the selected log messages.
To restart viewing the list from the beginning, use the command
execute log filter start-line 1

Monitoring active SSL VPN sessions
You can go to User > Monitor to view a list of active SSL VPN sessions. The list displays
the user name of the remote user, the IP address of the remote client, and the time the
connection was made. You can also see which services are being provided, and delete an
active web session from the FortiGate unit.
To monitor SSL VPNs - web-based manager
To view the list of active SSL VPN sessions, go to VPN > SSL > Monitor.
Figure 156: SSL VPN monitor list

No.: The connection identifier.
User: The user names of all connected remote users.
Source IP: The IP addresses of the host devices connected to the FortiGate unit.
Begin Time: The starting time of each connection.
Description: Information about the services provided by an SSL VPN tunnel session.
  Subsession: Tunnel IP is the IP address that the FortiGate unit assigned to the remote client. The Delete icon deletes the current subsession.

When a tunnel-mode user is connected, the Description field displays the IP address that
the FortiGate unit assigned to the remote host (see Figure 157).

Figure 157: SSL VPN monitor list - Tunnel-mode user

If required, you can end a session/connection by selecting its check box and then
selecting the Delete icon.
To monitor SSL VPNs - CLI
To list all of the SSL VPN sessions and their index numbers:
get vpn ssl monitor
To delete tunnel-mode or web-mode sessions:
execute vpn sslvpn del-tunnel <index_int>
execute vpn sslvpn del-web <index_int>

Troubleshooting
Here is a list of common SSL VPN problems and the likely solutions.

Problem: No response from SSL VPN URL
Solution: Check that SSL VPN is enabled. Check SSL VPN port assignment (default 10443). Check SSL VPN firewall policy.

Problem: Error: “The web page cannot be found.”
Solution: Check URL: https://<FortiGate_IP>:<SSLVPN_port>/remote/login

Problem: Tunnel connects, but there is no communication.
Solution: Check that there is a static route to direct packets destined for the tunnel users to the SSL VPN interface. See “Configuring routing for tunnel mode” on page 1012.

Problem: Tunnel-mode connection shuts down after a few seconds
Solution: This issue occurs when there are multiple interfaces connected to the Internet, for example, a dual WAN configuration. Upgrade the FortiGate unit firmware to at least v3.0 MR4 or higher, then use the following CLI command:
config vpn ssl settings
    set route-source-interface enable
end

Problem: Error: “Destination address of Split Tunneling policy is invalid.”
Solution: The SSL VPN firewall policy uses the ALL address as its destination. Specify the address of the protected network instead.
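As an added example (not from the handbook or from Fortinet), the following Python script parses FortiOS CLI text such as the snippets in this chapter and checks a configuration for the problems listed above: an SSL VPN policy with the all address as its destination, a tunnel-mode policy with no static route back through ssl.root, and identity-based policies without traffic logging. The sample configuration and the corrective CLI are constructed for the example; the interface, address and group names (port1, port2, OfficeLAN, SSL_tunnel_users, web_only) are taken from this chapter's examples.

```python
"""Lint FortiOS CLI configuration for the SSL VPN pitfalls this chapter names:
an SSL VPN policy whose destination is 'all', a tunnel-mode policy on ssl.<vdom>
with no static route back to the clients, and identity-based policies that do
not log allowed traffic. Added example, not Fortinet code."""
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config <table>' opens a table,
    'edit <id>' an entry in it, 'set' stores its values as a list, 'next' closes
    an entry and 'end' closes the table (closing an open entry first, as the CLI
    does when 'next' is omitted). Re-editing a table or entry merges into it,
    so later snippets modify earlier configuration ('edit 0' is not emulated)."""
    root = {}
    stack = [("table", root)]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        kind, scope = stack[-1]
        if tokens[0] == "config":
            stack.append(("table", scope.setdefault(" ".join(tokens[1:]), {})))
        elif tokens[0] == "edit":
            stack.append(("entry", scope.setdefault(tokens[1], {})))
        elif tokens[0] == "set":
            scope[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and kind == "entry":
            stack.pop()
        elif tokens[0] == "end":
            while stack[-1][0] == "entry":
                stack.pop()
            if len(stack) > 1:
                stack.pop()
    return root

def first(entry, key, default=""):
    """Return the first value of a 'set' key, or the default if it is unset."""
    values = entry.get(key)
    return values[0] if values else default

def lint_sslvpn(config):
    """Return (policy_id, message) findings for the SSL VPN related policies."""
    findings = []
    routes = config.get("router static", {}).values()
    routed_devices = {first(r, "device") for r in routes if "dst" in r}
    for pid, pol in config.get("firewall policy", {}).items():
        srcintf = first(pol, "srcintf")
        if first(pol, "action", "deny") == "ssl-vpn":
            # Cause of "Destination address of Split Tunneling policy is invalid".
            if "all" in pol.get("dstaddr", []):
                findings.append((pid, "SSL VPN policy uses 'all' as destination; "
                                      "name the protected network instead"))
            for ibid, ib in pol.get("identity-based-policy", {}).items():
                if first(ib, "logtraffic", "disable") != "enable":
                    findings.append((pid, f"identity-based policy {ibid} "
                                          "does not log allowed traffic"))
        elif srcintf.startswith("ssl."):
            # Tunnel connects but nothing gets through: no route via ssl.<vdom>.
            if srcintf not in routed_devices:
                findings.append((pid, f"tunnel-mode policy on {srcintf} has no "
                                      "static route for the tunnel range"))
    return findings

# Constructed sample, not a real device dump: SSL VPN policy 1 points at 'all'
# and logs nothing; tunnel-mode policy 2 has no route back to the clients.
WEAK_CONFIG = """
config firewall policy
    edit 1
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups web_only
                set schedule always
                set service ANY
            next
        end
    next
    edit 2
        set srcintf ssl.root
        set dstintf port2
        set srcaddr SSL_tunnel_users
        set dstaddr OfficeLAN
        set action accept
    next
end
"""
# Constructed: the corrective CLI from this chapter, typed on top of the above.
FIXES = """
config firewall policy
    edit 1
        set dstaddr OfficeLAN
        config identity-based-policy
            edit 1
                set logtraffic enable
        end
end
config router static
    edit 1
        set device ssl.root
        set dst 10.11.254.0/24
end
"""
```

Running lint_sslvpn(parse_fortios(WEAK_CONFIG)) reports the three problems; lint_sslvpn(parse_fortios(WEAK_CONFIG + FIXES)) returns an empty list, because the parser applies the corrective commands on top of the earlier entries the way the CLI does.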

Working with the web portal
This section introduces the web portal features and explains how to configure them.
The following topics are included in this section:
• Connecting to the FortiGate unit
• Web portal overview
• Using the Bookmarks widget
• Using the Connection Tool
• Tunnel-mode features
• Using the SSL VPN Virtual Desktop


Connecting to the FortiGate unit
You can connect to the FortiGate unit using a web browser. The URL of the FortiGate
interface may vary from one installation to the next. If required, ask your FortiGate
administrator for the URL of the FortiGate unit, and obtain a user name and password.
In addition, if you will be using a personal or group security (X.509) certificate to connect
to the FortiGate unit, your web browser may prompt you for the name of the certificate.
Your FortiGate administrator can tell you which certificate to select.
To log in to the FortiGate secure HTTP gateway
1 Using the web browser on your computer, browse to the URL of the FortiGate unit (for
example, https://<FortiGate_IP_address>:10443/remote/login).
The FortiGate unit may offer you a self-signed security certificate. If you are prompted
to proceed, select Yes.
A second message may be displayed to inform you that the FortiGate certificate
distinguished name differs from the original request. This message is displayed
because the FortiGate unit is attempting to redirect your web browser connection. You
can ignore the message.
2 When you are prompted for your user name and password:
• In the Name field, type your user name.
• In the Password field, type your password.

3 Select Login.
The FortiGate unit will redirect your web browser to the FortiGate SSL VPN web portal
home page automatically.
Web portal overview
After you log in, you see a web portal page like the following:
Figure 158: FortiGate SSL VPN web portal page (the page has Logout and Help buttons in the top right corner)

Four “widgets” provide the web portal’s features:
• Session Information displays the elapsed time since login and the volume of HTTP and HTTPS traffic, both inbound and outbound.
• Bookmarks provides links to network resources. You can use the administrator-defined bookmarks and you can add your own bookmarks. See “Using the Bookmarks widget” on page 1021.
• Connection Tool enables you to connect to network resources without using or creating a bookmark.
• Tunnel Mode connects and disconnects the tunnel mode SSL connection to the FortiGate unit. While the tunnel is active, the widget displays the amount of data that is sent and received. For more information, see “Tunnel-mode features” on page 1030. Tunnel mode requires a downloadable client application. If your computer is running Microsoft Windows, the Tunnel Mode widget provides a download link if you need to install the client on your computer. If you are using Macintosh or Linux, you can obtain and install an appropriate client application from the Fortinet Support site. For more information, see “Downloading the SSL VPN tunnel mode client” on page 1034.

Depending on the web portal configuration and user group settings, some widgets might
not be present. For example, the predefined web-access portal contains only the Session
Information and Bookmarks widgets.
While using the web portal, you can select the Help button to get information to assist you
in using the portal features. This information displays in a separate browser window.
When you have finished using the web portal, select the Logout button in the top right
corner of the portal window.
Note: After making any changes to the web portal configuration, be sure to select Apply.

Applications available in the web portal
Depending on the web portal configuration and user group settings, one or more of the
following server applications are available to you through Bookmarks or the Connection
Tool:
• Ping enables you to test whether a particular server or host is reachable on the network.
• HTTP/HTTPS accesses web pages.
• Telnet (Teletype Network emulation) enables you to use your computer as a virtual text-only terminal to log in to a remote host.
• SSH (Secure Shell) enables you to exchange data between two computers using a secure channel.
• FTP (File Transfer Protocol) enables you to transfer files between your computer and a remote host.
• SMB/CIFS implements the Server Message Block (SMB) protocol to support file sharing between your computer and a remote server host.
• VNC (Virtual Network Computing) enables you to remotely control another computer, for example, accessing your work computer from your home computer.
• RDP (Remote Desktop Protocol), similar to VNC, enables you to remotely control a computer running Microsoft Terminal Services.

Some server applications may prompt you for a user name and password. You must have
a user account created by the server administrator so that you can log in.
Note: Windows file sharing through SMB/CIFS is supported through shared directories.

Using the Bookmarks widget
The Bookmarks widget shows both administrator-configured and user-configured
bookmarks. Administrator bookmarks cannot be altered but you can add, edit or delete
user bookmarks.
Figure 159: Bookmarks widget

Administrator bookmarks
User bookmarks

The FortiGate unit forwards client requests to servers on the Internet or internal network.
To use the web-portal applications, you add the URL, IP address, or name of the server
application to the My Bookmarks list. For more information, see “Adding bookmarks”.
Note: If you want to access a web server or telnet server without first adding a bookmark to
the My Bookmarks list, use the Connection Tool instead. For more information, see “Using
the Connection Tool” on page 1023.

Adding bookmarks
You can add frequently used connections as bookmarks. Afterward, select any hyperlink
from the Bookmarks list to initiate a session.
To add a bookmark
1 In the Bookmarks widget, select Add.
2 Enter the following information:
Name

Enter the name to display in the Bookmarks list.

Type

Select the abbreviated name of the server application or network service
from the drop-down list.

Location

Enter the IP address or FQDN of the server application or network service.
For RDP connections, you can append some parameters to control screen
size and keyboard layout. See “To start an RDP session” on page 1026.

Description

Optionally enter a short description. The description displays when you
pause the mouse pointer over the hyperlink.

SSO

Single Sign On (SSO) is available for HTTP/HTTPS bookmarks only.
Disabled — This is not an SSO bookmark.
Automatic — Use your SSL VPN credentials or an alternate set. See the
SSO Credentials field.
Static — Supply credentials and other required information (such as an
account number) to a web site that uses an HTML form for authentication.
You provide a list of the form field names and the values to enter into them.
This method does not work for sites that use HTTP authentication, in which
the browser opens a pop-up dialog box requesting credentials.

SSO fields
SSO Credentials

SSL VPN Login — Use your SSL VPN login credentials.
Alternative — Enter Username and Password below.

Username

Alternative username. Available if SSO Credentials is Alternative.

Password

Alternative password. Available if SSO Credentials is Alternative.

Static SSO fields

These fields are available if SSO is Static.

Field Name

Enter the field name, as it appears in the HTML form.

Value

Enter the field value.
To use the values from SSO Credentials, enter %passwd% for password or
%username% for username.

Add

Add another Field Name / Value pair.

3 Select OK and then select Done.
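The following Python script is an added example and is not part of the FortiOS Handbook or of the FortiGate software. It shows what a Static SSO bookmark has to get right: the Field Name entries must match the input names of the target login form, the %username% and %passwd% placeholders are expanded with the SSL VPN credentials only when the form body is built, and a site that answers with an HTTP authentication challenge (a 401 response) cannot be handled this way at all. The login page HTML, the bookmark field list and the credentials are constructed for the example; the SSL VPN portal's own form-filling code is not shown here.

```python
"""Static SSO bookmark check: added example, not FortiGate code.

Reads the login form of the target page, compares it with the Field Name /
Value pairs configured in a Static SSO bookmark, and builds the form body that
would be submitted after expanding %username% and %passwd%. The login page
and bookmark fields below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample login page with an HTML form (the case Static SSO supports).
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="text" name="acct">
  <input type="hidden" name="csrf" value="abc123">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Field Name / Value pairs as entered in the bookmark's Static SSO fields (constructed).
STATIC_SSO_FIELDS = [
    ("user", "%username%"),
    ("pass", "%passwd%"),
    ("acct", "4471"),
]


class _FormInputs(HTMLParser):
    """Collect the name and preset value of every non-submit <input> on the page."""

    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if attr.get("type", "text").lower() == "submit" or "name" not in attr:
            return
        self.inputs[attr["name"]] = attr.get("value") or ""


def form_inputs(html: str) -> dict:
    """Return {input name: preset value} for the inputs found on the login page."""
    parser = _FormInputs()
    parser.feed(html)
    return parser.inputs


def check_sso_fields(fields, inputs) -> list:
    """Return (problem, name) tuples: configured names that are not in the form,
    and form inputs that have neither a configured value nor a preset value
    (they would be submitted empty)."""
    configured = {name for name, _ in fields}
    problems = [("not_in_form", name) for name in configured if name not in inputs]
    problems += [("unconfigured", name) for name, preset in inputs.items()
                 if name not in configured and preset == ""]
    return sorted(problems)


def build_form_body(fields, username: str, password: str) -> str:
    """Expand %username% / %passwd% and URL-encode the pairs in configured order."""
    expanded = [(name, value.replace("%username%", username).replace("%passwd%", password))
                for name, value in fields]
    return urlencode(expanded)


def uses_http_auth(status: int, headers: dict) -> bool:
    """True when the site challenges with HTTP authentication (401 plus
    WWW-Authenticate); Static SSO cannot fill that, because no HTML form is involved."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return status == 401 and "www-authenticate" in lowered


if __name__ == "__main__":
    inputs = form_inputs(SAMPLE_LOGIN_PAGE)
    print("form inputs:", inputs)
    print("problems:", check_sso_fields(STATIC_SSO_FIELDS, inputs))
    print("body:", build_form_body(STATIC_SSO_FIELDS, "jsmith", "p@ss w"))
```

Run check_sso_fields against the real login page before saving the bookmark: a field name that differs from the form (for example "username" where the form expects "user") fails silently in the portal, because the value is simply posted under a name the server ignores.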


Using the Connection Tool
You can connect to any type of server without adding a bookmark to the My Bookmarks
list. The fields in the Connection Tool enable you to specify the type of server and the URL
or IP address of the host computer.
See the following procedures:


• “To connect to a web server” on page 1023
• “To ping a host or server behind the FortiGate unit” on page 1023
• “To start a telnet session” on page 1023
• “To start an FTP session” on page 1024
• “To start an SMB/CIFS session” on page 1025
• “To start an SSH session” on page 1026
• “To start an RDP session” on page 1026
• “To start a VNC session” on page 1029

Except for ping, these services require that you have an account on the server to which
you connect.
Note: When you use the Connection Tool, the FortiGate unit may present its self-signed
security certificate. Before selecting Yes to proceed, confirm that the certificate is the one
your administrator installed on the FortiGate unit; accepting an unexpected certificate
allows a third party to intercept the session. A second message may inform you of a host
name mismatch. This message appears because the FortiGate unit is redirecting your web
browser connection. Select Yes to proceed.

To connect to a web server
1 In Type, select HTTP/HTTPS.
2 In the Host field, type the URL of the web server.
For example: http://www.mywebexample.com or https://172.20.120.101
3 Select Go.
4 To end the session, close the browser window.
To ping a host or server behind the FortiGate unit
1 In Type, select Ping.
2 In the Host field, enter the IP address of the host or server that you want to reach.
For example: 10.11.101.22
3 Select Go.
A message stating whether the IP address can be reached or not is displayed.
To start a telnet session
1 In Type, select Telnet.
2 In the Host field, type the IP address of the telnet host.
For example: 10.11.101.12

3 Select Go.
A Telnet window opens.

4 Select Connect.
5 A telnet session starts and you are prompted to log in to the remote host.
After you log in, you may enter any series of valid telnet commands at the system
prompt.
6 To end the session, select Disconnect (or type exit) and then close the TELNET
connection window.
To start an FTP session
1 In Type, select FTP.
2 In the Host field, type the IP address of the FTP server.
For example: 10.11.101.12
3 Select Go.
A login window opens.
4 Enter your user name and password and then select Login.
You must have a user account on the remote host to log in.
Figure 160: An FTP session (controls shown: New Directory, Up, Upload, Delete, Rename, Logout)
5 Manipulate the files in any of the following ways:
• To download a file, select the file link in the Name column.
• To access a subdirectory (Type is Folder), select the link in the Name column.
• To create a subdirectory in the current directory, select New directory.
• To delete a file or subdirectory from the current directory, select its Delete icon.
• To rename a file in the current directory, select its Rename icon.
• To upload a file to the current directory from your client computer, select Upload.
• When the current directory is a subdirectory, you can select Up to access the parent
directory.
6 To end the FTP session, select Logout.
To start an SMB/CIFS session
1 In Type, select SMB/CIFS.
2 In the Host field, type the IP address of the SMB or CIFS server.
For example: 10.11.101.12
3 Select Go.
A login window opens.
4 Enter your user name and password and then select Login.
You must have a user account on the remote host to log in.
5 Manipulate the files in any of the following ways:
• To download a file, select the file link in the Name column.
• To access a subdirectory (Type is Folder), select the file link in the Name column.
• To create a subdirectory in the current directory, select New Directory.
• To delete a file or subdirectory from the current directory, select its Delete icon.
• To rename a file, select its Rename icon.
• To upload a file from your client computer to the current directory, select Upload.
• When the current directory is a subdirectory, you can select Up to access the parent
directory.
6 To end the SMB/CIFS session, select Logout and then close the SMB/CIFS window.

To start an SSH session
1 In Type, select SSH.
2 In the Host field, type the IP address of the SSH host.
For example: 10.11.101.12
3 Select Go.
A login window opens.
4 Select Connect.
An SSH session starts and you are prompted to log in to the remote host. You must
have a user account to log in. After you log in, you may enter any series of valid
commands at the system prompt.

5 To end the session, select Disconnect (or type exit) and then close the SSH
connection window.
To start an RDP session
1 In Type, select RDP.
2 In the Host field, type the IP address of the RDP host.
For example: 10.11.101.12
3 Optionally, specify the keyboard layout by appending the -m parameter and a locale
code. For example: 10.11.101.12 -m fr
Select the code that matches the Windows installation on your local computer, not the
server. For example, if your local machine has the Turkish version of Windows
installed, use tr, regardless of the version of Windows installed on the server you
connect to.
The codes are as follows:
ar: Arabic
da: Danish
de: German
de-ch: Swiss German
en-gb: English, Great Britain
en-us: English, US
es: Spanish
fi: Finnish
fr: French
fr-be: Belgian French
fr-ch: Swiss French
hr: Croatian
it: Italian

ja: Japanese
lt: Lithuanian
lv: Latvian
mk: Macedonian
no: Norwegian
pl: Polish
pt: Portuguese
pt-br: Brazilian Portuguese
ru: Russian
sl: Slovenian
sv: Swedish
tk: Turkmen
tr: Turkish

4 Optionally, you can specify the screen resolution.
Add -f to run RDP full-screen. For example: 10.11.101.12 -f
Add -g <width>x<height> to specify the screen size in pixels.
For example: 10.11.101.12 -g 800x600
5 Select Go.
A login window opens.

6 When you see a screen configuration dialog, click OK.

The screen configuration dialog does not appear if you specified the screen resolution
with the host address.

7 When you are prompted to log in to the remote host, type your user name and
password. You must have a user account on the remote host to log in.

8 Select Login.
If you need to send Ctrl-Alt-Delete in your session, use Ctrl-Alt-End.
9 To end the RDP session, Log out of Windows or select Cancel from the Logon window.
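The following Python script is an added example and is not part of the FortiOS Handbook or of the FortiGate software. It parses and validates the RDP Host or Location string in the form described above (host, then optional -m, -f and -g parameters) before the value is saved as a bookmark, so that a typo in a locale code or geometry is caught early instead of producing a failed session. The keyboard layout codes are the ones listed in this procedure; the host name rules and the rejection of options not documented above are the example's own assumptions.

```python
"""Parse and validate an RDP bookmark Location string.

Added example, not FortiGate code. It handles the form described above:
"<host> [-m <code>] [-f] [-g <width>x<height>]". The keyboard layout codes
are the ones listed in the procedure; the host rules and the rejection of
unknown options are this example's own assumptions.
"""
import ipaddress
import re
import shlex

# Keyboard layout codes accepted after -m (from the list above).
RDP_KEYMAPS = {
    "ar", "da", "de", "de-ch", "en-gb", "en-us", "es", "fi", "fr", "fr-be",
    "fr-ch", "hr", "it", "ja", "lt", "lv", "mk", "no", "pl", "pt", "pt-br",
    "ru", "sl", "sv", "tk", "tr",
}

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen (assumed rule).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_GEOMETRY = re.compile(r"^(\d+)x(\d+)$")


def valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 address or an FQDN (assumed rules, see lead-in)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def parse_rdp_location(location: str) -> dict:
    """Split a Location string into host and RDP options.

    Returns {"host", "keymap", "fullscreen", "geometry"}; raises ValueError
    for a bad host, an unknown keyboard code, a malformed -g value or any
    option not documented above.
    """
    tokens = shlex.split(location)
    if not tokens:
        raise ValueError("empty location")
    host, opts = tokens[0], tokens[1:]
    if not valid_host(host):
        raise ValueError(f"invalid host: {host!r}")
    result = {"host": host, "keymap": None, "fullscreen": False, "geometry": None}
    i = 0
    while i < len(opts):
        opt = opts[i]
        if opt == "-f":
            result["fullscreen"] = True
            i += 1
        elif opt in ("-m", "-g"):
            if i + 1 >= len(opts):
                raise ValueError(f"{opt} requires a value")
            value = opts[i + 1].lower()
            if opt == "-m":
                if value not in RDP_KEYMAPS:
                    raise ValueError(f"unknown keyboard layout: {value!r}")
                result["keymap"] = value
            else:
                m = _GEOMETRY.match(value)
                if not m or int(m.group(1)) == 0 or int(m.group(2)) == 0:
                    raise ValueError(f"bad geometry: {opts[i + 1]!r}")
                result["geometry"] = (int(m.group(1)), int(m.group(2)))
            i += 2
        else:
            raise ValueError(f"unknown option: {opt!r}")
    return result


def rejects(location: str) -> bool:
    """True when parse_rdp_location refuses the string (convenience for checks)."""
    try:
        parse_rdp_location(location)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ("10.11.101.12 -m fr", "10.11.101.12 -g 800x600", "ts01.example.com -f"):
        print(sample, "->", parse_rdp_location(sample))
```

Because the Location value is stored by the administrator or the user and later passed to the RDP client, validating it against a fixed list of options, as above, is the safer choice compared with forwarding arbitrary text.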

To start a VNC session
1 In Type, select VNC.
2 In the Host field, type the IP address of the VNC host.
For example: 10.11.101.12
3 Select Go.
A login window opens.
4 Type your user name and password when prompted to log in to the remote host.
You must have a user account on the remote host to log in.

5 Select OK.
If you need to send Ctrl-Alt-Delete in your session, press F8, then select
Send Ctrl-Alt-Delete from the pop-up menu.
6 To end the VNC session, close the VNC window.

Tunnel-mode features
For Windows users, the web portal Tunnel Mode widget provides controls for your tunnel
mode connection and also provides status and statistics about its operation. You can also
control and monitor tunnel mode operation from the standalone client application. For
more information, see “Using the tunnel mode client” on page 1036.
Figure 161: Fortinet SSL VPN tunnel mode widget

Connect
Initiate a session and establish an SSL VPN tunnel with the FortiGate unit.

Disconnect
End the session and close the tunnel to the FortiGate unit.

Refresh
Refresh the status and statistics immediately.

Link Status
The state of the SSL VPN tunnel:
• Up — an SSL VPN tunnel with the FortiGate unit has been established.
• Down — a tunnel connection has not been initiated.

Bytes Sent
The number of bytes of data transmitted from the client to the FortiGate unit since the
tunnel was established.

Bytes Received
The number of bytes of data received by the client from the FortiGate unit since the
tunnel was established.

Using the SSL VPN Virtual Desktop
The virtual desktop feature is available for Windows only. When you start an SSL VPN
session, the virtual desktop replaces your normal desktop. When the virtual desktop exits,
your regular desktop is restored. Virtual desktop information is encrypted so that no
information from it remains available after your session ends.
To use the SSL VPN virtual desktop, simply log in to an SSL VPN that requires the use of
the virtual desktop. Wait for the virtual desktop to initialize and replace your desktop with
the SSL VPN desktop, which has a Fortinet SSL VPN logo as wallpaper. Your web
browser will open to the web portal page.
You can use the virtual desktop just as you use your regular desktop, subject to the
limitations that virtual desktop application control imposes. See “Configuring virtual
desktop application control” on page 1003.
If it is enabled in the web portal virtual desktop settings, you can switch between the virtual
desktop and your regular desktop. Right-click the SSL VPN Virtual Desktop icon in the
taskbar and select Switch Desktop.
To see the web portal virtual desktop settings, right-click the SSL VPN Virtual Desktop
icon in the taskbar and select Virtual Desktop Option.
When you have finished working with the virtual desktop, right-click the SSL VPN Virtual
Desktop icon in the taskbar and select Exit. Select Yes to confirm. The virtual desktop
closes and your regular desktop is restored.


Using the SSL VPN tunnel client
This section provides information about installing and using the SSL VPN tunnel client for
Windows, Linux, and Mac OS X.
The following topics are included in this section:


• Client configurations
• Downloading the SSL VPN tunnel mode client
• Installing the tunnel mode client
• Using the tunnel mode client
• Uninstalling the tunnel mode client

Client configurations
There are several configurations of SSL VPN applications available.


• web mode
• tunnel mode
• virtual desktop

Web mode
SSL VPN web mode requires nothing more than a web browser. Microsoft Internet
Explorer, Mozilla Firefox, and Apple Safari browsers are supported. For detailed
information about supported browsers see the Release Notes for your FortiOS firmware.

Tunnel mode
SSL VPN tunnel mode establishes a connection to the remote protected network that any
application can use. This requires a tunnel client application specific to your computer
operating system. The tunnel client application installs a network driver that sends and
receives data through the SSL VPN tunnel.
If your computer runs Microsoft Windows, you can download the tunnel mode client from
the web portal Tunnel Mode widget. After you install the client, you can start and stop
tunnel operation from the Tunnel Mode widget, or you can open the tunnel mode client as
a standalone application. You can find the tunnel mode client on the Start menu at
All Programs > FortiClient > FortiClient SSL VPN.
If your computer runs Linux or Mac OS X, you can obtain an appropriate tunnel mode
client application from the Fortinet Support web site. See the Release Notes for your
FortiOS firmware for the specific operating system versions that are supported. On Linux
and Mac OS X platforms, tunnel mode operation cannot be initiated from the web portal
Tunnel Mode widget. You must use the standalone tunnel client application.
When cached session data must be disposed of more securely than a browser or tunnel
client can manage on its own, use the SSL VPN Virtual Desktop (available on Windows only).

Virtual desktop application
The virtual desktop application creates a virtual desktop on a user's PC and monitors the
data read/write activity of the web browser running inside the virtual desktop. When the
application starts, it presents a ‘virtual desktop’ to the user. The user starts the web
browser from within the virtual desktop and connects to the SSL VPN web portal. The
browser file/directory operation is redirected to a new location, and the data is encrypted
before it is written to the local disk. When the virtual desktop application exits normally, all
the data written to the disk is removed. If the session terminates abnormally (power loss,
system failure), the data left behind is encrypted and unusable to the user. The next time
you start the virtual desktop, the encrypted data is removed.

Downloading the SSL VPN tunnel mode client
SSL VPN standalone tunnel client applications are available for Windows, Linux, and
Mac OS X systems (see the Release Notes for your FortiOS firmware for the specific
versions that are supported). There are separate download files for each operating
system.
Note: Windows users can also download the tunnel mode client from an SSL VPN web
portal that contains the Tunnel Mode widget.

The most recent version of the SSL VPN standalone client applications can be found at:
http://support.fortinet.com/
To download the SSL VPN tunnel client
1 Log in to Fortinet Support at http://support.fortinet.com/.
2 Select Firmware Images and then FortiGate.
The Support FTP site opens.
3 Select v4.00 and then select the latest firmware release, 4.0MR2, for example.
The list of firmware images opens.
4 Select SSL VPN Clients.
5 Select the appropriate client.
Windows: SslvpnClient.exe or SslvpnClient.msi
Linux: forticlientsslvpn_linux_<version>.tar.gz
Mac OS X: forticlientsslvpn_macosx_<version>.dmg
Note: The location of the SSL VPN tunnel client on the Support web site is subject to
change. If you have difficulty finding the appropriate file, contact Customer Support.

Installing the tunnel mode client
Follow the instructions for your operating system.

Windows
Double-click the SslvpnClient.exe or SslvpnClient.msi file and follow the onscreen instructions.

Linux
1 Extract the forticlientsslvpn_linux_<version>.tar.gz package file to a folder
and run the client program forticlientsslvpn.
The first time you run the program, it sets up system parameters, which requires root
privileges. This one-time setup must be completed before the program can be used,
including by users who do not have administrator privileges.

2 In the First Run dialog, select OK.
The command line terminal window opens.
3 If you are asked for your password, enter it.
The License Agreement dialog appears in the command line terminal window.
4 Read the License Agreement and enter Yes to accept it.
The FortiClient SSL VPN tunnel client (Linux) opens. You can begin using the
application immediately or close it.
After this initial setup is complete, a user with a normal (non-administrator) account can
establish an SSL VPN tunnel session.

MAC OS client
1 Double-click on the forticlientsslvpn_macosx_<version>.dmg file.
The Mac mounts the disk image as forticlientsslvpn.
2 Double-click the forticlientsslvpn.pkg file inside the disk image and follow the
instructions.
The application installs the program forticlientsslvpn.app in the Applications
folder.
3 Unmount the disk image by selecting the disk image file
forticlientsslvpn_macosx_<version>.dmg and dragging it into the Trash.

Using the tunnel mode client
Follow the instructions for your operating system.

Windows client
To use the SSL VPN standalone tunnel client (Windows)
1 Go to Start > All Programs > FortiClient > FortiClient SSL VPN.

2 Enter the following information. Use the Connect and Disconnect buttons to control the
tunnel connection.
Connection Name
If you have pre-configured the connection settings, select the connection from the list
and then select Connect. Otherwise, enter the settings in the fields below.
To pre-configure connection settings, see “To configure tunnel client settings
(Windows)” on page 1037.

Server Address
Enter the IP address or FQDN of the FortiGate unit that hosts the SSL VPN.

Username
Enter your user name.

Password
Enter the password associated with your user account.

Client Certificate
Use this field if the SSL VPN requires a certificate for authentication. Select the
required certificate from the drop-down list. The certificate must be installed in the
Internet Explorer certificate store.

Connection
Status: Connected or Disconnected
Duration: Hours, minutes, seconds since session started
Bytes Sent / Bytes Received: amount of data transferred

Settings...
Select to open the Settings dialog. See “To configure tunnel client settings (Windows)”
on page 1037.

Connect
Start tunnel mode operation.

Disconnect
Stop tunnel mode operation.

Exit
Close the tunnel mode client application.

To configure tunnel client settings (Windows)
1 Go to Start > All Programs > FortiClient > FortiClient SSL VPN.

2 Select Settings....
3 Select New Connection, or select an existing connection and then select Edit.
4 Enter the Connection Name.
5 Enter the connection information. You can also enter a Description. Select OK.
See “To use the SSL VPN standalone tunnel client (Windows)” on page 1036 for
information about the fields.
6 Optionally, select Keep connection alive until manually stopped to prevent tunnel
connections from closing due to inactivity.
7 Select OK.

Linux client
To use the SSL VPN standalone tunnel client (Linux)
1 Go to the folder where you installed the Linux tunnel client application and double-click
on ‘forticlientsslvpn’.
The FortiClient SSL VPN tunnel client opens.

2 Enter the following information. Use the Connect and Stop buttons to control the tunnel
connection.
Connection
If you have pre-configured the connection settings, select the connection from the list
and then select Connect. Otherwise, enter the settings in the fields below.
To pre-configure connection settings, see “To configure tunnel client settings (Linux)”
on page 1039.

Server
Enter the IP address or FQDN of the FortiGate unit that hosts the SSL VPN.
In the smaller field, enter the SSL VPN port number (default 10443).

User
Enter your user name.

Password
Enter the password associated with your user account.

Certificate
Use this field if the SSL VPN requires a certificate for authentication. Select the
certificate file (PKCS#12) from the drop-down list, or select the Browse (...) button
and find it.

Password
Enter the password required for the certificate file.

Settings...
Select to open the Settings dialog. See “To configure tunnel client settings (Linux)” on
page 1039.

Connect
Start tunnel mode operation.

Stop
Stop tunnel mode operation.

To configure tunnel client settings (Linux)
1 Go to the folder where you installed the Linux tunnel client application and double-click
forticlientsslvpn.

2 Select Settings....
3 Optionally, select Keep connection alive until manually stopped to prevent tunnel
connections from closing due to inactivity.
4 Optionally, select Start connection automatically. The next time the tunnel mode
application starts, it will start the last selected connection.
5 If you use a proxy, enter in Proxy the proxy server IP address and port. Enter proxy
authentication credentials immediately below in User and Password.
6 Select the + button to define a new connection, or select from the list an existing
connection to modify.
For a new connection, the Connection window opens. For an existing connection, the
current settings appear in the Settings window and you can modify them.
7 Enter the connection information. If you are creating a new connection, select Create
when you are finished.
See “To use the SSL VPN standalone tunnel client (Linux)” on page 1038 for
information about the fields.
8 Select Done.

MAC OS X client
To use the SSL VPN standalone tunnel client (Mac OS X)
1 Go to the Applications folder and double-click on forticlientsslvpn.app.
The FortiClient SSL VPN tunnel client (Mac OS X) opens.

2 Enter the following information. Use the Connect and Stop buttons to control the tunnel
connection.
Connection
If you have pre-configured the connection settings, select the connection from the list
and then select Connect. Otherwise, enter the settings in the fields below.
To pre-configure connection settings, see “To configure tunnel client settings
(Mac OS X)” on page 1041.

Server
Enter the IP address or FQDN of the FortiGate unit that hosts the SSL VPN. In the
smaller field, enter the SSL VPN port number (default 10443).

User
Enter your user name.

Password
Enter the password associated with your user account.

Certificate
Use this field if the SSL VPN requires a certificate for authentication. Select the
certificate file (PKCS#12) from the drop-down list, or select the Browse (...) button
and find it.

Password
Enter the password required for the certificate file.

Settings...
Select to open the Settings dialog. See “To configure tunnel client settings
(Mac OS X)” on page 1041.

Connect
Start tunnel mode operation.

Stop
Stop tunnel mode operation.

To configure tunnel client settings (Mac OS X)
1 Go to the Applications folder and double-click on forticlientsslvpn.app.
The FortiClient SSL VPN tunnel client (Mac OS X) opens.

2 Select Settings....
3 Optionally, select Keep connection alive until manually stopped to prevent tunnel
connections from closing due to inactivity.
4 Optionally, select Start connection automatically. The next time the tunnel mode
application starts, it will start the last selected connection.
5 If you use a proxy, enter in Proxy the proxy server IP address and port. Enter proxy
authentication credentials immediately below in User and Password.
6 Select the + button to define a new connection, or select from the list an existing
connection to modify.
7 Enter the connection information. If you are creating a new connection, select Create
when you are finished.
See “To use the SSL VPN standalone tunnel client (Mac OS X)” on page 1040 for
information about the fields.
8 Select Done.

Uninstalling the tunnel mode client
If you want to remove the tunnel mode client application, follow the instructions for your
operating system.
To uninstall from Windows
1 In the Control Panel, select Programs and Features (Add or Remove Programs in
Windows XP).
2 Select FortiClient SSL VPN and then Remove.
To uninstall from Linux
Remove/delete the folder containing all the SSL VPN client application files.
To uninstall from Mac OS X
In the Applications folder, select forticlientsslvpn.app and drag it into the Trash.
After you empty the Trash folder, the installed program is removed from the user
computer.

Examples
In the most common Internet scenario, the remote client connects to an ISP that offers
connections with dynamically assigned IP addresses. The ISP forwards packets from the
remote client to the Internet, where they are routed to the public interface of the FortiGate
unit.
At the FortiGate unit, you configure user groups and firewall policies to define the server
applications and IP address range or network that remote clients will be able to access
behind the FortiGate unit.
This section contains the following topics:


• Basic SSL VPN example
• Multiple user groups with different access permissions example

Basic SSL VPN example
A common application for an SSL VPN is to provide access to the office network for
employees traveling or working from home. For example, Figure 162 shows a FortiGate
gateway (FortiGate_1) that connects the office network to the Internet. Users on the office
network have access to the Internet, but access to the office network from the Internet is
available only to authenticated users of the SSL VPN.
Figure 162: Example SSL VPN configuration

(Figure 162 shows the remote client on the Internet reaching FortiGate_1 on port 1,
172.20.120.141. Port 2, 10.11.101.100, connects the OfficeLAN, 10.11.101.0/24, which
hosts the HTTP/HTTPS server 10.11.101.120, the DNS server 10.11.101.160, the FTP
server 10.11.101.170 and the Samba server 10.11.101.180.)
Infrastructure requirements


• The FortiGate unit must be operating in NAT/Route mode and have a static public IP
address.
• The ISP assigns IP addresses to remote clients before they connect to the FortiGate
unit.

For information about client operating system and browser requirements, see the Release
Notes for your FortiGate firmware.

General configuration steps
1 Create firewall addresses for
• the destination networks
• the IP address range that the FortiGate unit will assign to tunnel-mode clients

2 Create the web portal.
3 Create user accounts.
4 Create the SSL VPN user group and add the users. In the user group configuration,
you specify the web portal to which the users are directed.
5 Create the firewall policies:
• The SSL VPN firewall policy enables web mode access to the protected network.
• The tunnel-mode policy enables tunnel mode access to the protected network.

6 Create a static route to direct packets destined for tunnel users to the SSL VPN tunnel.

Creating the firewall addresses
In FortiOS 4.0, firewall policies do not accept direct entry of IP addresses and address
ranges. You must define firewall addresses in advance.

Creating the destination address
SSL VPN users in this example can access the office network on port 2. You need to
define a firewall address that represents the OfficeLAN subnet IP address.
To define destination addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name         OfficeLAN
Type                 Subnet / IP Range
Subnet / IP Range    10.11.101.0/24
Interface            port2

To define destination addresses - CLI
config firewall address
edit OfficeLAN
set type ipmask
set subnet 10.11.101.0/24
set associated-interface port2
end


Creating the tunnel client range address
In this example, all SSL-VPN users are assigned a single range of IP addresses. The
tunnel client addresses must not conflict with each other or with other addresses in your
network. The best way to accomplish this is to assign addresses from a subnet that is not
used elsewhere in your network.
To define tunnel client addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name         SSL_tunnel_users
Type                 Subnet / IP Range
Subnet / IP Range    10.11.254.0/24
Interface            Any

To define tunnel client addresses - CLI
config firewall address
edit SSL_tunnel_users
set type ipmask
set subnet 10.11.254.0/24
end

Enabling SSL VPN and setting the tunnel user IP address range
By default, SSL VPN is not enabled. At the same time as you enable SSL VPN, you can
define the IP address range from which SSL VPN tunnel-mode clients are assigned their
virtual IP addresses.
To enable SSL VPN and set tunnel address range - web-based manager
1 Go to VPN > SSL > Config.
2 Select Enable SSL-VPN.
3 In IP Pools, select Edit.
4 In the Available list, select SSL_tunnel_users and then select the down arrow button to
move the address to the Selected list. Select OK.
5 Select Apply.
To enable SSL VPN and set tunnel address range - CLI
config vpn ssl settings
set sslvpn-enable enable
set tunnel-ip-pools SSL_tunnel_users
end

Creating the web portal
You need to create one web portal, portal1, for example.
To create the portal1 web portal
1 Go to VPN > SSL > Portal and select Create New.
2 In the Name field, enter portal1.
3 In Applications, select the application types to permit.


4 Select OK, then select OK again.
To create the web portals - CLI
config vpn ssl web portal
edit portal1
config widget
edit 0
set type tunnel
set tunnel-status enable
end
end

Creating the user account and user group
After enabling SSL VPN and creating the web portal, you need to create the user account
and then the user group for the SSL VPN users. In the user group configuration, you
select the web portal to which the users are directed.
To create the user account - web-based manager
1 Go to User > User and select Create New.
2 In User Name, enter user1.
3 Select Password and enter the password in the field on the right.
4 Select OK.
To create the user account - CLI
config user local
edit user1
set type password
set password user1_pass
end
To create the user group - web-based manager
1 Go to User > User Group > User Group.
2 Select Create New and enter the following information:
Name       group1
Type       SSL VPN
Portal     portal1

3 From the Available list, select user1 and move it to the Members list by selecting the
right arrow button.
4 Select OK.
To create the user group - CLI
config user group
edit group1
set group-type sslvpn
set member user1
set sslvpn-portal portal1
end


Creating the firewall policies
You need to define firewall policies to permit your SSL VPN clients, web-mode or
tunnel-mode, to connect to the protected network behind the FortiGate unit. Before you
create the firewall policies, you must define the source and destination addresses to
include in the policy. See “Creating the firewall addresses” on page 1044.
Two types of firewall policy are required:
• An SSL VPN policy enables clients to authenticate and permits a web-mode
  connection to the destination network. The authentication ensures that only authorized
  users access the destination network.
• A tunnel-mode policy is a regular ACCEPT firewall policy that enables traffic to flow
  between the SSL VPN tunnel interface and the protected network. A tunnel-mode
  policy is required if you want to provide a tunnel-mode connection for your clients.

To create the SSL VPN firewall policy - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New and enter the following information:
Source Interface/Zone         port1
Source Address                All
Destination Interface/Zone    port2
Destination Address           OfficeLAN
Action                        SSL-VPN
User Authentication Method    Local
NAT                           Enable
3 Select Add and enter the following information:
User Group    group1
Service       Any
Schedule      always

4 Select OK, and then select OK again.
To create the SSL VPN firewall policy - CLI
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr all
set dstaddr OfficeLAN
set action ssl-vpn
set nat enable
config identity-based-policy
edit 1
set groups group1
set schedule always
set service ANY
end
end


To create the tunnel-mode firewall policy - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone         sslvpn tunnel interface (ssl.root)
Source Address                SSL_tunnel_users
Destination Interface/Zone    port2
Destination Address           OfficeLAN
Schedule                      always
Service                       ANY
Action                        ACCEPT
NAT                           Enable

To create the tunnel-mode firewall policy - CLI
config firewall policy
edit 0
set srcintf ssl.root
set dstintf port2
set srcaddr SSL_tunnel_users
set dstaddr OfficeLAN
set action accept
set schedule always
set service ANY
set nat enable
end

Add routing to tunnel mode clients
Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel.
You need to define a static route to accomplish this.
To add a route to SSL VPN tunnel mode clients - web-based manager
1 Go to Router > Static > Static Route and select Create New.
2 Enter the following information and select OK.
Destination IP/Mask    10.11.254.0/24
                       This is the IP address range that you assigned to users of the web
                       portal. See “Creating the tunnel client range address” on
                       page 1045.
Device                 Select the SSL VPN virtual interface, ssl.root for example.
Leave other settings at their default values.

To add a route to SSL VPN tunnel mode clients - CLI
config router static
edit 0
set device ssl.root
set dst 10.11.254.0/24
end

Multiple user groups with different access permissions example
You might need to provide access to several user groups with different access
permissions. Consider the following example topology in which users on the Internet have
controlled access to servers and workstations on private networks behind a FortiGate unit.
Figure 163: SSL VPN configuration for different access permissions by user group (topology: user1 and user2 on the Internet reach the FortiGate unit on port 1, 172.20.120.141; port 2, 10.11.101.100, connects to Subnet_1 10.11.101.0/24 with HTTP/HTTPS 10.11.101.120, DNS 10.11.101.160, FTP 10.11.101.170 and Samba 10.11.101.180; port 3, 10.11.201.100, connects to Subnet_2 10.11.201.0/24)

In this example configuration, there are two users:
• user1 can access the servers on Subnet_1
• user2 can access the workstation PCs on Subnet_2

You could easily add more users to either user group to provide them access to the user
group’s assigned web portal.

General configuration steps
1 Create firewall addresses for
  • the destination networks
  • two non-overlapping tunnel IP address ranges that the FortiGate unit will assign to
    tunnel clients in the two user groups
2 Create two web portals.
3 Create two user accounts, user1 and user2.


4 Create two user groups. For each group, add a user as a member and select a web
portal. In this example, user1 will belong to group1, which will be assigned to portal1.
5 Create firewall policies:
  • two SSL VPN firewall policies, one to each destination
  • two tunnel-mode policies to allow each group of users to reach its permitted
    destination network
6 Create the static route to direct packets for the users to the tunnel.

Creating the firewall addresses
In FortiOS 4.0, firewall policies do not accept direct entry of IP addresses and address
ranges. You must define firewall addresses in advance.

Creating the destination addresses
SSL VPN users in this example can access either Subnet_1 or Subnet_2.
To define destination addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name         Subnet_1
Type                 Subnet / IP Range
Subnet / IP Range    10.11.101.0/24
Interface            port2
3 Select Create New, enter the following information, and select OK.
Address Name         Subnet_2
Type                 Subnet / IP Range
Subnet / IP Range    10.11.201.0/24
Interface            port3

To define destination addresses - CLI
config firewall address
edit Subnet_1
set type ipmask
set subnet 10.11.101.0/24
set associated-interface port2
next
edit Subnet_2
set type ipmask
set subnet 10.11.201.0/24
set associated-interface port3
end

Creating the tunnel client range addresses
To accommodate the two groups of users, split an otherwise unused subnet into two
ranges. The tunnel client addresses must not conflict with each other or with other
addresses in your network.


To define tunnel client addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
Address Name         Tunnel_group1
Type                 Subnet / IP Range
Subnet / IP Range    10.11.254.[1-50]
Interface            Any
3 Select Create New, enter the following information, and select OK.
Address Name         Tunnel_group2
Type                 Subnet / IP Range
Subnet / IP Range    10.11.254.[51-100]
Interface            Any

To define tunnel client addresses - CLI
config firewall address
edit Tunnel_group1
set type iprange
set start-ip 10.11.254.1
set end-ip 10.11.254.50
next
edit Tunnel_group2
set type iprange
set start-ip 10.11.254.51
set end-ip 10.11.254.100
end

Creating the web portals
To accommodate two different sets of access permissions, you need to create two web
portals, portal1 and portal2, for example. Later, you will create two SSL VPN user groups,
one to assign to portal1 and the other to assign to portal2.
To create the portal1 web portal
1 Go to VPN > SSL > Portal and select Create New.
2 Enter portal1 in the Name field and select OK.
3 In Applications, select all of the application types that the users can access.
4 Select the Edit icon on the Tunnel Mode widget.
5 In IP Pools, select Edit.
6 In the Available list, select Tunnel_group1 and then select the down arrow button.
Select OK.
7 Select OK in the Tunnel Mode widget.
8 Select OK.
To create the portal2 web portal
1 Go to VPN > SSL > Portal and select Create New.
2 Enter portal2 in the Name field and select OK.
3 In Applications, select all of the application types that the users can access.

4 Select the Edit icon on the Tunnel Mode widget.
5 In IP Pools, select Edit.
6 In the Available list, select Tunnel_group2 and then select the down arrow button.
Select OK.
7 Select OK in the Tunnel Mode widget.
8 Select OK.
To create the web portals - CLI
config vpn ssl web portal
edit portal1
set allow-access ftp ping rdp smb ssh telnet vnc web
config widget
edit 0
set type tunnel
set tunnel-status enable
set ip-pools "Tunnel_group1"
end
next
edit portal2
set allow-access ftp ping rdp smb ssh telnet vnc web
config widget
edit 0
set type tunnel
set tunnel-status enable
set ip-pools "Tunnel_group2"
end
end
Later, you can configure these portals with bookmarks and enable connection tool
capabilities for the convenience of your users.

Creating the user accounts and user groups
After enabling SSL VPN and creating the web portals that you need, you need to create
the user accounts and then the user groups that require SSL VPN access.
Go to User > User and create user1 and user2 with password authentication. After you
create the users, create the SSL VPN user groups.
To create the user groups - web-based manager
1 Go to User > User Group > User Group.
2 Select Create New and enter the following information:
Name       group1
Type       SSL VPN
Portal     portal1
3 From the Available list, select user1 and move it to the Members list by selecting the
right arrow button.


Figure 164: group1 user group attributes

4 Select OK.
5 Repeat steps 2 through 4 to create group2, assigned to portal2, with user2 as its only
member.
To create the user groups - CLI
config user group
edit group1
set group-type sslvpn
set member user1
set sslvpn-portal portal1
next
edit group2
set group-type sslvpn
set member user2
set sslvpn-portal portal2
end

Creating the firewall policies
You need to define firewall policies to permit your SSL VPN clients, web-mode or
tunnel-mode, to connect to the protected networks behind the FortiGate unit. Before you
create the firewall policies, you must define the source and destination addresses to
include in the policy. See “Creating the firewall addresses” on page 1050.
Two types of firewall policy are required:
• An SSL VPN policy enables clients to authenticate and permits a web-mode
  connection to the destination network. In this example, there are two destination
  networks, so there will be two SSL VPN policies. The authentication ensures that only
  authorized users access the destination network.
• A tunnel-mode policy is a regular ACCEPT firewall policy that enables traffic to flow
  between the SSL VPN tunnel interface and the protected network. Tunnel-mode
  policies are required if you want to provide tunnel-mode connections for your clients. In
  this example, there are two destination networks, so there will be two tunnel-mode
  policies.


To create the SSL VPN firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New and enter the following information:
Source Interface/Zone         port1
Source Address                All
Destination Interface/Zone    port2
Destination Address           Subnet_1
Action                        SSL-VPN
3 Select Add and enter the following information:
User Group    group1
Service       Any
4 Select OK, and then select OK again.
5 Select Create New and enter the following information:
Source Interface/Zone         port1
Source Address                All
Destination Interface/Zone    port3
Destination Address           Subnet_2
Action                        SSL-VPN
6 Select Add and enter the following information:
User Group    group2
Service       Any
7 Select OK, and then select OK again.
To create the SSL VPN firewall policies - CLI
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr all
set dstaddr Subnet_1
set action ssl-vpn
set nat enable
config identity-based-policy
edit 1
set groups group1
set schedule always
set service ANY
end
next
edit 0
set srcintf port1
set dstintf port3
set srcaddr all
set dstaddr Subnet_2


set action ssl-vpn
set nat enable
config identity-based-policy
edit 1
set groups group2
set schedule always
set service ANY
end
end
To create the tunnel-mode firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone         sslvpn tunnel interface (ssl.root)
Source Address                Tunnel_group1
Destination Interface/Zone    port2
Destination Address           Subnet_1
Action                        ACCEPT
NAT                           Enable
3 Select Create New, enter the following information, and select OK:
Source Interface/Zone         sslvpn tunnel interface (ssl.root)
Source Address                Tunnel_group2
Destination Interface/Zone    port3
Destination Address           Subnet_2
Action                        ACCEPT
NAT                           Enable
To create the tunnel-mode firewall policies - CLI
config firewall policy
edit 0
set srcintf ssl.root
set dstintf port2
set srcaddr Tunnel_group1
set dstaddr Subnet_1
set action accept
set schedule always
set service ANY
set nat enable
next
edit 0
set srcintf ssl.root
set dstintf port3
set srcaddr Tunnel_group2
set dstaddr Subnet_2
set action accept
set schedule always
set service ANY
set nat enable

end

Create the static route to tunnel mode clients
Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel.
You need to define a static route to accomplish this.
To add a route to SSL VPN tunnel mode clients - web-based manager
1 Go to Router > Static > Static Route and select Create New.
2 Enter the following information and select OK.
Destination IP/Mask    10.11.254.0/24
                       This IP address range covers both ranges that you assigned to
                       SSL VPN tunnel-mode users. See “Creating the tunnel client
                       range addresses” on page 1050.
Device                 Select the SSL VPN virtual interface, ssl.root for example.
Leave other settings at their default values.

To add a route to SSL VPN tunnel mode clients - CLI
config router static
edit 0
set device ssl.root
set dst 10.11.254.0/24
end

Enabling SSL VPN operation
By default, SSL VPN is not enabled.
To enable SSL VPN - web-based manager
1 Go to VPN > SSL > Config.
2 Ensure that Enable SSL-VPN is selected.
3 Select Apply.
Note: In this example, the IP Pools field on the VPN > SSL > Config page is not used
because each web portal specifies its own tunnel IP address range.
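Both SSL VPN layouts in this chapter (the basic example and the multiple-user-groups example) rest on properties the text states but gives no way to verify before the configuration is committed: the tunnel client ranges must not overlap each other or any protected network, the static route out of ssl.root must cover every pool, and each group's tunnel-mode policy should reach only the network its portal is meant for. The following Python script is an added example, not Fortinet code and not part of the handbook. It models the multiple-user-groups configuration as plain data (the address, portal, group, interface and policy names are the ones used above; the data layout and the function names are this example's own) and checks those properties.

```python
import ipaddress


def addr_range(obj):
    """Return (first, last) as integers for a CIDR string or a (start, end) tuple.

    Covers both FortiOS address types used in the examples: ipmask
    (e.g. "10.11.254.0/24") and iprange (e.g. ("10.11.254.1", "10.11.254.50")).
    """
    if isinstance(obj, tuple):
        return int(ipaddress.ip_address(obj[0])), int(ipaddress.ip_address(obj[1]))
    net = ipaddress.ip_network(obj, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def overlaps(a, b):
    a1, a2 = addr_range(a)
    b1, b2 = addr_range(b)
    return a1 <= b2 and b1 <= a2


def covers(outer, inner):
    o1, o2 = addr_range(outer)
    i1, i2 = addr_range(inner)
    return o1 <= i1 and i2 <= o2


def check_sslvpn_config(protected, pools, portals, groups, tunnel_policies, static_routes):
    """Return a list of findings; an empty list means the layout is consistent.

    protected:       address name -> CIDR of a network behind the FortiGate
    pools:           address name -> (start, end) tunnel client range
    portals:         portal name -> pool name it hands to tunnel clients
    groups:          group name -> {"portal": ..., "allowed": protected address name}
    tunnel_policies: list of {"srcintf", "srcaddr", "dstaddr"} (ssl.root -> LAN policies)
    static_routes:   list of {"dst": CIDR, "device": interface}
    """
    findings = []
    names = list(pools)
    # 1. Tunnel client ranges must not overlap each other ...
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(pools[a], pools[b]):
                findings.append(f"pool {a} overlaps pool {b}")
    # 2. ... or any address already in use on a protected network.
    for p, prange in pools.items():
        for s, subnet in protected.items():
            if overlaps(prange, subnet):
                findings.append(f"pool {p} overlaps protected network {s}")
    # 3. Reply packets to every pool need a static route out of the SSL VPN interface.
    ssl_routes = [r["dst"] for r in static_routes if r["device"] == "ssl.root"]
    for p, prange in pools.items():
        if not any(covers(r, prange) for r in ssl_routes):
            findings.append(f"no static route via ssl.root covers pool {p}")
    # 4. Each group's tunnel clients must reach exactly the network its portal is for.
    for g, spec in groups.items():
        pool = portals.get(spec["portal"])
        if pool is None:
            findings.append(f"group {g} references unknown portal {spec['portal']}")
            continue
        dsts = {pol["dstaddr"] for pol in tunnel_policies
                if pol["srcintf"] == "ssl.root" and pol["srcaddr"] == pool}
        if spec["allowed"] not in dsts:
            findings.append(f"group {g}: no tunnel-mode policy from {pool} to {spec['allowed']}")
        for extra in sorted(dsts - {spec["allowed"]}):
            findings.append(f"group {g}: pool {pool} can also reach {extra}")
    return findings


# Constructed model of the "Multiple user groups" example above.
PROTECTED = {"Subnet_1": "10.11.101.0/24", "Subnet_2": "10.11.201.0/24"}
POOLS = {"Tunnel_group1": ("10.11.254.1", "10.11.254.50"),
         "Tunnel_group2": ("10.11.254.51", "10.11.254.100")}
PORTALS = {"portal1": "Tunnel_group1", "portal2": "Tunnel_group2"}
GROUPS = {"group1": {"portal": "portal1", "allowed": "Subnet_1"},
          "group2": {"portal": "portal2", "allowed": "Subnet_2"}}
TUNNEL_POLICIES = [
    {"srcintf": "ssl.root", "srcaddr": "Tunnel_group1", "dstaddr": "Subnet_1"},
    {"srcintf": "ssl.root", "srcaddr": "Tunnel_group2", "dstaddr": "Subnet_2"},
]
STATIC_ROUTES = [{"dst": "10.11.254.0/24", "device": "ssl.root"}]


def example_findings():
    """Run the checks against the handbook layout; an empty list is expected."""
    return check_sslvpn_config(PROTECTED, POOLS, PORTALS, GROUPS, TUNNEL_POLICIES, STATIC_ROUTES)


if __name__ == "__main__":
    for line in example_findings() or ["configuration is consistent"]:
        print(line)
```

For the layout above the script reports nothing. Replacing Tunnel_group1 with a range carved out of Subnet_1 produces two findings at once, the overlap and the fact that the 10.11.254.0/24 route no longer covers that pool; adding a second tunnel-mode policy from Tunnel_group2 to Subnet_1 is reported as group2 reaching a network its portal was not meant to grant.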

OS patch check example
The following example shows how you would add an OS check to the g1portal web portal.
This OS check accepts all Windows XP users, and Windows 2000 users running patch
level 2 or later.
To specify the acceptable patch level, you set the latest-patch-level and the
tolerance. The lowest acceptable patch level is latest-patch-level minus
tolerance. In this case, latest-patch-level is 3 and tolerance is 1, so 2 is the
lowest acceptable patch level.
config vpn ssl web portal
edit g1portal
set os-check enable
config os-check-list windows-2000
set action check-up-to-date
set latest-patch-level 3
set tolerance 1
end
config os-check-list windows-xp
set action allow
end
end


Chapter 9 Dynamic Routing
This chapter describes how to implement dynamic routing on FortiGate units, and contains
the following sections:
Dynamic Routing Overview provides some basic routing concepts needed to explain
dynamic routing, compares static and dynamic routing, and walks you through deciding
which dynamic routing protocol is best for you.
Routing Information Protocol (RIP), Border Gateway Protocol (BGP), and Open Shortest
Path First (OSPF) each provide background on the protocol, explain the terms used and
how the protocol works, look at some troubleshooting, and give examples of configuring
the protocol in different situations.


Dynamic Routing Overview
This section provides an overview of dynamic routing, and how it compares to static
routing. For details on the various dynamic routing protocols, see the following sections.
The following topics are included in this section:
• Routing concepts
• What is dynamic routing?
• Comparison of dynamic routing protocols
• Choosing a routing protocol
• Dynamic routing terminology
• IPv6 in dynamic routing
• Troubleshooting

Routing concepts
Many routing concepts apply to static routing. However, without first understanding these
basic concepts, it is difficult to understand the more complex dynamic routing.
This section includes:
• Routing in VDOMs
• The default route
• The routing table
• Building the routing table
• Reverse path lookup
• Multipath routing and determining the best route
• Route priority

Routing in VDOMs
Routing on FortiGate units is configured per-VDOM. This means if VDOMs are enabled,
you must enter a VDOM to do any routing configuration. This allows each VDOM to
operate independently of each other, with their own default routes and routing
configuration.
In this guide, the procedures assume your FortiGate unit has VDOMs disabled. This is
stated in the assumptions for the examples. If you have VDOMs enabled you will need to
perform the following steps in addition to the procedure’s steps.


To route in VDOMs - web-based manager
1 Look for the name of the current VDOM on the bottom of the left menu.
It will say “Current VDOM: root” or instead of root it will be the current VDOM.
2 If this is not the VDOM where you want to configure routing, you need to:
• Select << Global.
• Select System > VDOM.
• Select the Enter icon for your selected VDOM.
• Once in the VDOM, follow the procedures as normal.
To route in VDOMs - CLI
Before following any CLI routing procedures with VDOMs enabled, enter the following
commands. For this example, it is assumed you will be working in the root VDOM. Change
root to the name of your selected VDOM as needed.
config vdom
edit root
Following these commands, you can enter any routing CLI commands as normal.

The default route
The default route is used if either there are no other routes in the routing table or if none of
the other routes apply to a destination. Including the gateway in the default route gives all
traffic a next-hop address to use when leaving the local network. The gateway address is
normally another router on the edge of the local network.
All routers, including FortiGate units, are shipped with default routes in place. This allows
customers to set up and become operational more quickly. Beginner administrators can
use the default route settings until a more advanced configuration is warranted.
FortiGate units come with a default static route with an IPv4 address of 0.0.0.0, an
administration distance of 10, and a gateway IPv4 address.

The routing table
The routing table is used to store routes that are learned. The routing table for any device
on the network has a limited size. For this reason, routes that aren’t used are replaced by
new routes. This method ensures the routing table is always populated with the most
current and most used routes — the routes that have the best chance of being reused.
Another method used to maintain the routing table’s size is if a route in the table and a
new route are to the same destination, one of the routes is selected as the best route to
that destination and the other route is discarded.
The routing table includes information relevant to the route entries such as the routing
protocol used, the priority of the route, the preferred next hop, the gateway, the quality of
service (QoS), and the device or interface associated with the route. The VDOM is
included with the device if enabled. The device is the outgoing interface.


This section includes:
• Viewing the routing table in the web-based manager
• Viewing the routing table in the CLI
• Viewing the routing table with diagnose commands
• Searching the routing table

Viewing the routing table in the web-based manager
By default, all routes are displayed in the Routing Monitor list. The default static route is
defined as 0.0.0.0/0, which matches the destination IP address of “any/all” packets.
To display the routes in the routing table, go to Router > Monitor > Routing Monitor.
Figure 165 shows the Routing Monitor list belonging to a FortiGate unit that has interfaces
named “port1”, “port4”, and “lan”. The names of the interfaces on your FortiGate unit may
be different.
Figure 166 shows the Routing Monitor list when IPv6 has been selected. Note that the
information available for IPv6 is limited.
Figure 165: Routing Monitor list - IPv4

Figure 166: Routing Monitor list - IPv6


IP version      Select IPv4 or IPv6 routes. Fields displayed vary depending on which IP version is
                selected.
                Displayed only if IPv6 display is enabled on the web-based manager.

Type            Select one of the following route types to search the routing table and display routes
                of the selected type only:
                All — all routes recorded in the routing table.
                Connected — all routes associated with direct connections to FortiGate unit
                interfaces.
                Static — the static routes that have been added to the routing table manually.
                RIP — all routes learned through RIP. For more information see “Routing Information
                Protocol (RIP)” on page 1095.
                BGP — all routes learned through BGP. For more information see “Border Gateway
                Protocol (BGP)” on page 1131.
                OSPF — all routes learned through OSPF. For more information see “Open Shortest
                Path First (OSPF)” on page 1169.
                HA — RIP, OSPF, and BGP routes synchronized between the primary unit and the
                subordinate units of a high availability (HA) cluster. HA routes are maintained on
                subordinate units and are visible only if you are viewing the router monitor from a
                virtual domain that is configured as a subordinate virtual domain in a virtual cluster.
                Not displayed when IP version IPv6 is selected.
                For details about HA routing synchronization, see the FortiGate HA User Guide.

Network         Enter an IP address and netmask (for example, 172.16.14.0/24) to search the
                routing table and display routes that match the specified network.
                Not displayed when IP version IPv6 is selected.

Gateway         Enter an IP address and netmask (for example, 192.168.12.1/32) to search the
                routing table and display routes that match the specified gateway.
                Not displayed when IP version IPv6 is selected.

Apply Filter    Select to search the entries in the routing table based on the specified search criteria
                and display any matching routes.
                Not displayed when IP version IPv6 is selected.

Type            The type values assigned to FortiGate unit routes (Static, Connected, RIP, OSPF, or
                BGP).
                Not displayed when IP version IPv6 is selected.

Subtype         If applicable, the subtype classification assigned to OSPF routes.
                An empty string implies an intra-area route. The destination is in an area to which the
                FortiGate unit is connected.
                OSPF inter area — the destination is in the OSPF AS, but the FortiGate unit is not
                connected to that area.
                External 1 — the destination is outside the OSPF AS. This is known as OSPF E1
                type. The metric of a redistributed route is calculated by adding the external cost and
                the OSPF cost together.
                External 2 — the destination is outside the OSPF AS. This is known as OSPF E2
                type. In this case, the metric of the redistributed route is equivalent to the external
                cost only, expressed as an OSPF cost.
                OSPF NSSA 1 — same as External 1, but the route was received through a
                not-so-stubby area (NSSA).
                OSPF NSSA 2 — same as External 2, but the route was received through a
                not-so-stubby area.
                For more information on OSPF subtypes, see “OSPF Background and concepts” on
                page 1169.
                Not displayed when IP version IPv6 is selected.

Network         The IP addresses and network masks of destination networks that the FortiGate unit
                can reach.

Distance        The administrative distance associated with the route. A value of 0 means the route is
                preferable compared to routes to the same destination.
                Modifying this distance for dynamic routes is route distribution.


Metric          The metric associated with the route type. The metric of a route influences how the
                FortiGate unit dynamically adds it to the routing table. The following are types of
                metrics and the protocols they are applied to.
                Hop count — routes learned through RIP.
                Relative cost — routes learned through OSPF.
                Multi-Exit Discriminator (MED) — routes learned through BGP. However, several
                attributes in addition to MED determine the best path to a destination network. For
                more information on BGP attributes, see “BGP attributes” on page 1138.

Gateway         The IP addresses of gateways to the destination networks.

Interface       The interface through which packets are forwarded to the gateway of the destination
                network.

Up Time         The total accumulated amount of time that a route learned through RIP, OSPF, or
                BGP has been reachable.
                Not displayed when IP version IPv6 is selected.

Viewing the routing table in the CLI
In the CLI, you can easily view the static routing table just as in the web-based manager or
you can view the full routing table.
When viewing the list of static routes using the CLI command get route static, it is
the configured static routes that are displayed. When viewing the routing table using the
CLI command get router info routing-table all, it is the entire routing table
information that is displayed including configured and learned routes of all types. The two
are different information in different formats.
Note: If VDOMs are enabled on your FortiGate unit, all routing related CLI commands must
be performed within a VDOM and not in the global context.

To view the routing table
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 192.168.183.254, port2
S       1.0.0.0/8 [10/0] via 192.168.183.254, port2
S       2.0.0.0/8 [10/0] via 192.168.183.254, port2
C       10.142.0.0/23 is directly connected, port3
B       10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
C       192.168.182.0/23 is directly connected, port2

FortiOS™ Handbook FortiOS 4.0 MR2 Dynamic Routing
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Examining an entry:
B    10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m

B: BGP, the routing protocol through which this route was learned.
10.160.0.0/23: the destination of this route, including the netmask.
[20/0]: 20 is the administrative distance, out of a range of 0 to 255; 0 is the metric
the protocol attaches to this route (for example, the cost in OSPF).
10.142.0.74: the gateway, or next hop.
port3: the interface used by this route.
2d18h02m: how long this route has been up, in this case almost three days.

Viewing the routing table with diagnose commands
Diagnose commands can provide a wide variety of information about your FortiGate unit
that may otherwise be inaccessible. These commands generally provide extensive
information, but the output can be difficult to understand. You should only need to use
diagnose commands when customer support tells you to do so during troubleshooting.
FortiOS documentation describes specific examples of using diagnose commands to
provide information that may be useful.
You can view the routing table using diagnose commands. This has the benefits of being
able to be run from anywhere in the command line structure, and it is shorter. The
diagnose method also shows local host routes that the CLI get command and the
web-based manager do not include.
To use diagnose commands to view the routing table
# diag ip route list
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.11.201.0/24 pref=10.11.201.4 gwy=0.0.0.0 dev=5(external1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.20.120.0/24 pref=172.20.120.146 gwy=0.0.0.0 dev=6(internal)

The parts of the routing table entry are:
tab: table number. This will be either 254 (unicast) or 255 (multicast).
vf: virtual domain of the firewall. This is the VDOM index number. If VDOMs are not
enabled, this number will be 0.
type: type of routing connection. Valid values include:
• 0 - unspecific
• 1 - unicast
• 2 - local
• 3 - broadcast
• 4 - anycast
• 5 - multicast
• 6 - blackhole
• 7 - unreachable
• 8 - prohibited
proto: type of installation. This indicates where the route came from. Valid values
include:
• 0 - unspecific
• 2 - kernel
• 11 - ZebOS routing module
• 14 - FortiOS
• 15 - HA
• 16 - authentication based
• 17 - HA1
prio: priority of the route. Lower priorities are preferred.
->10.11.201.0/24 (->x.x.x.x/mask): the IP address and subnet mask of the destination.
pref: preferred next hop along this route.
gwy: gateway, the IPv4 address of the gateway this route will use.
dev: outgoing interface index. This number is associated with the interface for this
route, and if VDOMs are enabled the VDOM will be included here as well. If an interface
alias is set for this interface it will also be displayed here.
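A decoder for the diag ip route list fields above, as an added Python example (not from the handbook and not FortiOS code). It maps the numeric tab, type and proto values to the names in the lists above, labels any value those lists do not cover instead of dropping it, and groups the result so that a route installed by an unexpected source, or a default route nobody remembers configuring, stands out. The input is the handbook's two lines plus three constructed lines that copy the layout only (a routing-module default route, a local host route, and a route in a second VDOM); the field printed before the -> is kept verbatim because the handbook does not name it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Decoding tables for the numeric fields, copied from the field descriptions above.
TABLE_NAMES = {254: "unicast", 255: "multicast"}
TYPE_NAMES = {0: "unspecific", 1: "unicast", 2: "local", 3: "broadcast", 4: "anycast",
              5: "multicast", 6: "blackhole", 7: "unreachable", 8: "prohibited"}
PROTO_NAMES = {0: "unspecific", 2: "kernel", 11: "ZebOS routing module", 14: "FortiOS",
               15: "HA", 16: "authentication based", 17: "HA1"}

# Two lines from the handbook plus three CONSTRUCTED lines (same layout, not captured
# from a device): a default route installed by the routing module, a local host route,
# and a connected route in VDOM index 1.
DIAG_OUTPUT = """\
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.11.201.0/24 pref=10.11.201.4 gwy=0.0.0.0 dev=5(external1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.20.120.0/24 pref=172.20.120.146 gwy=0.0.0.0 dev=6(internal)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.11.201.1 dev=5(external1)
tab=254 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.11.201.4/32 pref=10.11.201.4 gwy=0.0.0.0 dev=5(external1)
tab=254 vf=1 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.20.0.0/24 pref=10.20.0.1 gwy=0.0.0.0 dev=7(port5)
"""

LINE_RE = re.compile(
    r"tab=(?P<tab>\d+)\s+vf=(?P<vf>\d+)\s+scope=(?P<scope>\d+)\s+type=(?P<type>\d+)\s+"
    r"proto=(?P<proto>\d+)\s+prio=(?P<prio>\d+)\s+(?P<selector>\S+?)\s*->\s*(?P<dst>\S+)\s+"
    r"pref=(?P<pref>\S+)\s+gwy=(?P<gwy>\S+)\s+dev=(?P<dev_index>\d+)\((?P<dev>[^)]*)\)"
)


@dataclass
class KernelRoute:
    table: str
    vdom_index: int
    scope: int
    type: str
    proto: str
    prio: int
    selector: str   # text before "->"; the handbook does not name it, so it is kept verbatim
    dst: str
    pref: str
    gwy: str
    dev_index: int
    dev: str


def label(names: Dict[int, str], value: int) -> str:
    """Name a numeric code, or flag it so that an unexpected value is not silently lost."""
    return names.get(value, f"unknown({value})")


def parse_diag_route(line: str) -> Optional[KernelRoute]:
    m = LINE_RE.search(line)
    if not m:
        return None
    return KernelRoute(
        table=label(TABLE_NAMES, int(m["tab"])),
        vdom_index=int(m["vf"]),
        scope=int(m["scope"]),
        type=label(TYPE_NAMES, int(m["type"])),
        proto=label(PROTO_NAMES, int(m["proto"])),
        prio=int(m["prio"]),
        selector=m["selector"],
        dst=m["dst"],
        pref=m["pref"],
        gwy=m["gwy"],
        dev_index=int(m["dev_index"]),
        dev=m["dev"],
    )


def parse_diag_route_list(text: str) -> List[KernelRoute]:
    return [r for r in map(parse_diag_route, text.splitlines()) if r is not None]


def routes_by_source(routes: List[KernelRoute]) -> Dict[str, int]:
    """Count routes per installer (proto); a source you did not expect deserves a closer look."""
    counts: Dict[str, int] = {}
    for r in routes:
        counts[r.proto] = counts.get(r.proto, 0) + 1
    return counts


def default_routes(routes: List[KernelRoute]) -> List[KernelRoute]:
    """Every default route in the kernel table, whoever installed it and wherever it points."""
    return [r for r in routes if r.dst == "0.0.0.0/0"]


def local_routes(routes: List[KernelRoute]) -> List[KernelRoute]:
    """The host (type 2) routes the diagnose output shows and the get/web views omit."""
    return [r for r in routes if r.type == "local"]
```

Run routes_by_source over a full dump when troubleshooting: anything not attributable to the kernel, the ZebOS module, FortiOS or HA is worth tracing back to its origin before trusting the path it creates.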

Searching the routing table
You can apply a filter to search the routing table and display certain routes only. For
example, you can display one or more static routes, connected routes, routes learned
through RIP, OSPF, or BGP, and routes associated with the network or gateway that you
specify.
If you want to search the routing table by route type and further limit the display according
to network or gateway, all of the values that you specify as search criteria must match
corresponding values in the same routing table entry in order for that entry to be displayed;
an implicit AND condition is applied to all of the search parameters you specify.
For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to
display all directly connected routes to network 172.16.14.0/24, you must select
Connected from the Type list, type 172.16.14.0/24 in the Network field, and then
select Apply Filter to display the associated routing table entry or entries. Only an entry
that has Connected in its Type field and the specified value in its Network field will be
displayed.
In this example, you will apply a filter to search for an entry for a static route to
10.10.10.10/24.
To search the FortiGate unit routing table in the web-based manager
1 Go to Router > Monitor > Routing Monitor.
2 From the Type list, select the type of route to display. In our example, select Static.
3 If you want to display routes to a specific network, type the IP address and netmask of
the network in the Networks field. In our example, enter 10.10.10.10/24.
4 If you want to display routes to a specific gateway, type the IP address of the gateway
in the Gateway field.
5 Select Apply Filter.
Note: All of the values that you specify as search criteria must match corresponding values
in the same routing table entry in order for that entry to be displayed.

To search the FortiGate unit routing table in the CLI
FGT # get router info routing-table details 10.10.10.10
Routing entry for 10.10.10.10/24
  Known via "static", distance 10, metric 0, best
If there are multiple routes that match your filter, they will all be listed, with the best match
at the top of the list as indicated by the word best.
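The parsing, filtering and lookup described in "Examining an entry" and "Searching the routing table" above, as an added Python example; it is not code from the handbook or from Fortinet. It reads the get router info routing-table all output shown earlier (reused here as constructed input), exposes the fields the handbook explains for each entry, applies a Routing Monitor style filter with the implicit AND, and reproduces the details lookup that lists every route covering an address with the best one first. Two assumptions: output lines follow the layout shown (code, optional *, prefix, [distance/metric], via gateway, interface, optional uptime), and connected routes, for which the command prints no [distance/metric], are given distance 0 so that they always beat a learned route to the same prefix.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The 'get router info routing-table all' output from the handbook, reused as
# constructed test input (no FortiGate is contacted).
ROUTING_TABLE_OUTPUT = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*   0.0.0.0/0 [10/0] via 192.168.183.254, port2
S    1.0.0.0/8 [10/0] via 192.168.183.254, port2
S    2.0.0.0/8 [10/0] via 192.168.183.254, port2
C    10.142.0.0/23 is directly connected, port3
B    10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
C    192.168.182.0/23 is directly connected, port2
"""

# Route codes as listed in the legend of the command output.
CODE_NAMES = {
    "K": "kernel", "C": "connected", "S": "static", "R": "RIP", "B": "BGP",
    "O": "OSPF", "IA": "OSPF inter area", "N1": "OSPF NSSA external type 1",
    "N2": "OSPF NSSA external type 2", "E1": "OSPF external type 1",
    "E2": "OSPF external type 2", "i": "IS-IS", "L1": "IS-IS level-1",
    "L2": "IS-IS level-2", "ia": "IS-IS inter area",
}

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z][A-Za-z0-9]?)(?P<star>\*?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<gateway>\d{1,3}(?:\.\d{1,3}){3}),\s+(?P<dev>[^,\s]+)(?:,\s+(?P<uptime>\S+))?"
    r"|is directly connected,\s+(?P<cdev>[^,\s]+))\s*$"
)


@dataclass
class Route:
    code: str                                  # legend code, e.g. "S" or "B"
    candidate_default: bool                    # the "*" flag
    prefix: ipaddress.IPv4Network              # destination including netmask
    distance: int                              # administrative distance ([20/0] -> 20)
    metric: int                                # protocol metric ([20/0] -> 0)
    gateway: Optional[ipaddress.IPv4Address]   # None for connected routes
    interface: str
    uptime: Optional[str]                      # e.g. "2d18h02m" for learned routes

    @property
    def type_name(self) -> str:
        return CODE_NAMES.get(self.code, self.code)


def parse_routing_table(text: str) -> List[Route]:
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend, blank, or continuation line
        prefix = ipaddress.ip_network(m["prefix"], strict=False)
        if m["cdev"]:
            # Assumption: connected routes print no [distance/metric]; treat them as 0/0.
            routes.append(Route(m["code"], bool(m["star"]), prefix, 0, 0, None, m["cdev"], None))
        else:
            routes.append(Route(m["code"], bool(m["star"]), prefix, int(m["distance"]),
                                int(m["metric"]), ipaddress.ip_address(m["gateway"]),
                                m["dev"], m["uptime"]))
    return routes


def filter_routes(routes: List[Route], route_type: Optional[str] = None,
                  network: Optional[str] = None, gateway: Optional[str] = None) -> List[Route]:
    """Routing Monitor style filter: every criterion given must match the same entry (implicit AND)."""
    want_net = ipaddress.ip_network(network, strict=False) if network else None
    want_gw = ipaddress.ip_address(gateway) if gateway else None
    out = []
    for r in routes:
        if route_type and r.type_name.lower() != route_type.lower():
            continue
        if want_net and r.prefix != want_net:
            continue
        if want_gw and r.gateway != want_gw:
            continue
        out.append(r)
    return out


def route_details(routes: List[Route], address: str) -> List[Route]:
    """Like 'get router info routing-table details <ip>': every entry covering the address,
    best first (longest prefix, then lowest distance, then lowest metric)."""
    addr = ipaddress.ip_address(address)
    hits = [r for r in routes if addr in r.prefix]
    hits.sort(key=lambda r: (-r.prefix.prefixlen, r.distance, r.metric))
    return hits
```

The details lookup returns the default route as the last entry for any address that no more specific prefix covers, which is exactly the case to check when a host you expected to reach over an internal route is instead being sent to the Internet gateway.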

Building the routing table
In the factory default configuration, the FortiGate unit routing table contains a single static
default route. You can add routing information to the routing table by defining additional
static routes.
It is possible that the routing table is faced with several different routes to the same
destination — the IP addresses of the next-hop router specified in those routes or the
FortiGate interfaces associated with those routes may vary. In this situation, the “best”
route is selected from the table.
The FortiGate unit selects the “best” route for a packet by evaluating the information in the
routing table. The “best” route to a destination is typically associated with the shortest
distance between the FortiGate unit and the closest gateway, also known as a next-hop
router. In some cases, the next best route may be selected if the best route is unavailable.
The FortiGate unit installs the best available routes in the unit’s forwarding table, which is
a subset of the unit’s routing table. Packets are forwarded according to the information in
the forwarding table.

Reverse path lookup
Whenever a packet arrives at one of the FortiGate unit’s interfaces, the unit determines
whether the packet was received on a legitimate interface by doing a reverse lookup using
the source IP address in the packet header. This is also called anti-spoofing. If the route
back to the source IP address does not leave through the interface on which the packet
was received, the FortiGate unit drops the packet, because the source address is likely
spoofed.
If the destination address can be matched to a local address (and the local configuration
permits delivery), the FortiGate unit delivers the packet to the local network. If the packet
is destined for another network, the FortiGate unit forwards the packet to a next-hop router
according to any matching policy route and the information stored in the FortiGate
forwarding table.

Multipath routing and determining the best route
Multipath routing occurs when more than one entry to the same destination is present in
the routing table. When multipath routing happens, the FortiGate unit may have several
possible destinations for an incoming packet, forcing the FortiGate unit to decide which
next-hop is the best one.
It should be noted that some IP addresses will be rejected by routing protocols. These are
called Martian addresses. They are typically IP addresses that are invalid and not routable
because they have been assigned an address by a misconfigured system, or are spoofed
addresses.


Two methods to manually resolve multiple routes to the same destination are to lower the
administrative distance of one route or to set the priority of both routes. For the FortiGate
unit to select a primary (preferred) route, manually lower the administrative distance
associated with one of the possible routes. Setting the priority on the routes is a FortiGate
unit feature and may not be supported by non-Fortinet routers.
Administrative distance expresses how much the FortiGate unit trusts the source of a
route. It is assigned per route source (the routing protocol, or a value you set on a static
route) rather than computed from the path itself: routes from a source considered more
reliable get a lower distance. Hop count is a different thing; it is a metric used within a
protocol such as RIP to compare that protocol’s own routes, where more hops from the
source means more possible points of failure. The administrative distance can be from 1
to 255, with lower numbers being preferred. A distance of 255 is seen as infinite and will
not be installed in the routing table.
Here is an example to illustrate how administration distance works — if there are two
possible routes traffic can take between two destinations with administration distances of
5 (always up) and 31 (sometimes not available), the traffic will use the route with an
administrative distance of 5. If for some reasons the preferred route (admin distance of 5)
is not available, the other route will be used as a backup.
Different routing protocols have different default administrative distances. These different
administrative distances are based on a number of factors of each protocol such as
reliability, speed, and so on. The default administrative distances for any of these routing
protocols are configurable.
Table 75: Default administrative distances for routing protocols and connections
Routing protocol             Default administrative distance
Direct physical connection   1
Static                       10
EBGP                         20
OSPF                         110
RIP                          120
IBGP                         200

Another method to determine the best route is to manually change the priority of both
routes in question. If the next-hop administrative distances of two routes on the FortiGate
unit are equal, it may not be clear which route the packet will take. Manually configuring
the priority for each of those routes will make it clear which next-hop will be used in the
case of a tie. The priority for a route can only be set from the CLI. Lower priorities are
preferred. Priority is a Fortinet value that may or may not be present in other brands of
routers.
All entries in the routing table are associated with an administrative distance. If the routing
table contains several entries that point to the same destination (the entries may have
different gateways or interface associations), the FortiGate unit compares the
administrative distances of those entries first, selects the entries having the lowest
distances, and installs them as routes in the FortiGate unit forwarding table. As a result,
the FortiGate unit forwarding table contains only those routes having the lowest distances
to every possible destination. Administrative distance is the value compared across route
sources; a protocol’s own metric, such as the RIP hop count or the OSPF cost, is compared
only among routes learned through that protocol, to decide which of them the protocol
offers to the routing table in the first place.


Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing preference.
Priority is a Fortinet value that may or may not be present in other brands of routers.
You can only configure the priority field through the CLI. Priority values can range from 0
to 255. The route with the lowest value in the priority field is considered the best route, and
it is also the primary route.
For example, use the following command to change the priority of a route to 5 for a route
to the address 10.10.10.1 on the port1 interface.
config router static
    edit 1
        set device port1
        set gateway 10.10.10.10
        set dst 10.10.10.1
        set priority 5
end
If there are other routes at priority 10, this route will be preferred. If there are routes at
priority less than 5, those other routes will be preferred instead.
In summary, because the CLI lets you set the priority field when defining static routes,
you can rank routes to the same destination according to their priority settings. For a
static route to be the preferred route, create it with the config router static CLI
command and give it a lower priority value than the alternatives. If two routes have the
same administrative distance and the same priority, they are equal cost multipath (ECMP)
routes.
Because this means there is more than one installed route to the same destination, it can
be unclear which route a given packet will use. If you have enabled load balancing with
ECMP routes, different sessions are spread over the different routes to the same
destination, which settles the question per session.
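The selection rules from "Building the routing table", "Reverse path lookup", "Multipath routing and determining the best route" and "Route priority" above, as one added Python example; it is not part of the handbook and is not FortiOS code. It models a handful of config router static entries (a constructed table, not read from a device), installs the forwarding table by comparing administrative distance and then priority, treats what remains tied as ECMP with an illustrative hash-based per-session spread (not FortiOS’s actual ECMP algorithm), and then runs the anti-spoofing reverse path check against that forwarding table. The prefixes, gateways, interface names and the session key format are assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    """A 'config router static' entry reduced to the fields that matter for selection."""
    dst: str            # destination prefix, for example "10.10.10.0/24"
    gateway: str        # next-hop address
    device: str         # outgoing interface
    distance: int = 10  # FortiOS default for static routes (Table 75)
    priority: int = 0   # lower is preferred; only settable from the CLI


# CONSTRUCTED routing information base; values are assumptions, not a device dump.
RIB = [
    StaticRoute("0.0.0.0/0", "192.168.183.254", "port2"),
    StaticRoute("0.0.0.0/0", "10.142.0.254", "port3", distance=20),       # backup default, loses on distance
    StaticRoute("10.10.10.0/24", "10.142.0.74", "port3", priority=5),
    StaticRoute("10.10.10.0/24", "10.142.0.75", "port3", priority=10),     # same distance, loses on priority
    StaticRoute("172.16.0.0/16", "10.142.0.80", "port3"),
    StaticRoute("172.16.0.0/16", "192.168.183.2", "port2"),                # tie on both: ECMP with the one above
    StaticRoute("192.168.50.0/24", "10.142.0.1", "port3", distance=255),   # infinite distance, never installed
]

Fib = Dict[ipaddress.IPv4Network, List[StaticRoute]]


def install_forwarding_table(rib: List[StaticRoute]) -> Fib:
    """Per destination keep the routes the forwarding table would hold: lowest administrative
    distance first, then lowest priority among those; whatever is still tied is ECMP."""
    by_dst: Dict[ipaddress.IPv4Network, List[StaticRoute]] = {}
    for r in rib:
        if r.distance >= 255:           # 255 is infinite: never installed
            continue
        by_dst.setdefault(ipaddress.ip_network(r.dst), []).append(r)
    fib: Fib = {}
    for prefix, candidates in by_dst.items():
        best_distance = min(r.distance for r in candidates)
        survivors = [r for r in candidates if r.distance == best_distance]
        best_priority = min(r.priority for r in survivors)
        fib[prefix] = [r for r in survivors if r.priority == best_priority]
    return fib


def installed_routes(fib: Fib, dst: str) -> List[StaticRoute]:
    return fib.get(ipaddress.ip_network(dst), [])


def longest_match(fib: Fib, address: str) -> Optional[ipaddress.IPv4Network]:
    addr = ipaddress.ip_address(address)
    matches = [p for p in fib if addr in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def choose_next_hop(routes: List[StaticRoute], session_key: str) -> StaticRoute:
    """Spread sessions over ECMP routes deterministically. Hashing the session key is only an
    illustration of per-session load balancing, not FortiOS's ECMP algorithm."""
    if len(routes) == 1:
        return routes[0]
    digest = hashlib.sha256(session_key.encode()).digest()
    return routes[int.from_bytes(digest[:4], "big") % len(routes)]


def reverse_path_ok(fib: Fib, src_ip: str, ingress_device: str) -> bool:
    """Anti-spoofing check: accept only if the best route back to the packet's source address
    leaves through the interface the packet arrived on."""
    prefix = longest_match(fib, src_ip)
    if prefix is None:
        return False
    return any(r.device == ingress_device for r in fib[prefix])
```

Note the consequence of the distance rule for the reverse path check: reverse_path_ok(fib, "8.8.8.8", "port3") is False even though a default route via port3 exists in RIB, because that route lost on distance and is not in the forwarding table. If your topology is legitimately asymmetric, FortiOS lets you disable the check with set asymroute enable under config system settings; treat that as a deliberate loss of anti-spoofing, not a routing tweak.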

What is dynamic routing?
Dynamic routing uses a dynamic routing protocol to automatically select the best route to
put into the routing table. So instead of manually entering static routes in the routing table,
dynamic routing automatically receives routing updates, and dynamically decides which
routes are best to go into the routing table. It is this intelligent and hands-off approach that
makes dynamic routing so useful.
Dynamic routing protocols vary in many ways and this is reflected in the various
administrative distances assigned to routes learned from dynamic routing. These
variations take into account differences in reliability, speed of convergence, and other
similar factors. For more information on these administrative distances, see “Multipath
routing and determining the best route” on page 1068.
This section includes:
• Comparing static and dynamic routing
• Dynamic routing protocols
• Minimum configuration for dynamic routing


Comparing static and dynamic routing
A common term used to describe dynamic routing is convergence. Convergence is the
ability to work around network problems and outages, for the routing to come together
despite obstacles. For example, if the main router between two end points goes down,
convergence is the ability to find a way around that failed router and reach the destination.
Static routing has zero convergence beyond trying the next route in its limited local routing
table; if a network administrator does not fix a routing problem manually, it will never be
fixed, resulting in a downed network. Dynamic routing solves this problem by involving the
routers along the route to the destination in the decision making about the route, and using
the routing tables of those routers for potential routes around the outage. In general dynamic
routing has better scalability, robustness, and convergence. However, the cost of these
added benefits includes more complexity and some overhead: bandwidth that is used by
the routing protocol for its own administration.
Table 76: Comparing static and dynamic routing
Feature                  Static routing                                        Dynamic routing
Hardware support         Supported by all routing hardware                     May require special, more expensive routers
Router memory required   Minimal                                               Can require considerable memory for larger tables
Complexity               Simple                                                Complex
Overhead                 None                                                  Varying amounts of bandwidth used for routing protocol updates
Scalability              Limited to small networks                             Very scalable, better for larger networks
Robustness               None: if a route fails it has to be fixed manually    Robust: traffic is routed around failures automatically
Convergence              None                                                  Varies from good to excellent

Dynamic routing protocols
A dynamic routing protocol is an agreed-on method of routing that the sender, receiver,
and all routers along the path (route) support. Typically the routing protocol involves a
process running on all routers along that route (and on any hosts that take part in routing)
so that each router handles routes in the same way as the others. The routing protocol
determines how the routing tables are populated along that route, how the data is
formatted for transmission, and what information about a route is included with that route.
For example, RIP and BGP use distance vector algorithms (BGP’s is the path vector
variant), whereas OSPF uses a shortest path first algorithm. Each routing protocol has
different strengths and weaknesses: one protocol may have fast convergence, while
another may be very reliable, and a third is very popular for certain businesses like
Internet Service Providers (ISPs).
Dynamic routing protocols are different from each other in a number of ways, such as:
• Classful versus classless routing protocols
• Interior versus exterior routing protocols
• Distance vector versus link-state protocols

Classful versus classless routing protocols
Classful or classless routing refers to how the routing protocol handles IP addresses. In
classful addressing, the boundary between the network and host parts of an address is
implied by the address class (A, B, or C), so the protocol carries no netmask with a route.
Classless addressing carries an explicit netmask (prefix length) with each address, so a
network can be any size.


Classless Inter-Domain Routing (CIDR) was introduced in 1993 (originally with RFC 1519
and most recently with RFC 4632) to keep routing tables from getting too large. With
classful routing, each classful network requires its own entry in the routing table. With
classless routing, a series of contiguous networks can be summarized into one entry,
potentially saving vast amounts of space in routing tables.
Current routing protocols that support classless routing out of necessity include RIPv2,
BGP, IS-IS, and OSPF. Older protocols such as RIPv1 do not support CIDR addresses.

Interior versus exterior routing protocols
The names interior and exterior are very descriptive. Interior routing protocols are
designed for use within a contained network of limited size, whereas exterior routing
protocols are designed to link multiple networks together. For example, only the border
routers of a network run the exterior routing protocol, while all the routers on the network
run the interior protocol. This overlap is required for the exterior routers to communicate
with the interior routers; border routers almost always run multiple routing protocols.
Nearly all routing protocols are interior routing protocols. Only BGP is commonly used as
an exterior routing protocol.
You may see interior gateway protocol (IGP) used to refer to interior routing protocols, and
exterior gateway protocol (EGP) used to refer to exterior routing protocols.

Distance vector versus link-state protocols
Every routing protocol determines the best route between two addresses using a different
method. However, there are two main algorithms for determining the best route —
Distance vector and Link-state.

Distance vector protocols
In distance vector protocols, routers are told about remote networks through neighboring
routers. The distance part refers to the number of hops to the destination, and in more
advanced routing protocols these hops can be weighted by factors such as available
bandwidth and delay. The vector part determines which router is the next step along the
path for this route. This information is passed along from neighboring routers with routing
update packets that keep the routing tables up to date. Using this method, an outage
along a route is reported back along to the start of that route, ideally before the outage is
encountered.
On distance vector protocols, RFC 1058 which defines RIP v1 states the following:
Distance vector algorithms are based on the exchange of only a small amount of
information. Each entity (gateway or host) that participates in the routing protocol is
assumed to keep information about all of the destinations within the system.
Generally, information about all entities connected to one network is summarized by a
single entry, which describes the route to all destinations on that network.
There are four main weaknesses inherent in the distance vector method. Firstly, the
routing information is not discovered by the router itself, but is instead reported information
that must be relied on to be accurate and up-to-date. The second weakness is that it can
take a while for the information to make its way to all the routers that need it; in other
words, it can have slow convergence. The third weakness is the amount of overhead
involved in passing these updates all the time. The number of updates between routers in
a larger network can significantly reduce the available bandwidth. The fourth weakness is
that distance vector protocols can end up with routing loops. Routing loops are when
packets are routed forever around a network, and often occur with slow convergence. The
bandwidth consumed by these loops will slow your network to a halt. There are methods of
preventing these loops however, so this weakness is not as serious as it may first appear.

Link-state protocols
Link-state protocols are also known as shortest path first protocols. Where distance vector
uses information passed along that may or may not be current and accurate, in link-state
protocols each router originates only information about the networks and devices directly
connected to it, and that information reaches every router in the area unchanged. This
results in a more accurate picture of the network topology around your router, allowing it
to make better routing decisions. This information is passed between routers using
link-state advertisements (LSAs). To reduce the overhead, LSAs are only sent out when
information changes, compared to distance vector sending updates at regular intervals
even if no information has changed. The more accurate network picture in link-state
protocols greatly speeds up convergence and avoids problems such as routing loops.

Minimum configuration for dynamic routing
Dynamic routing protocols do not pay attention to routing updates from other sources,
unless you specifically configure them to do so using CLI redistribute commands within
each routing protocol.
The minimum configuration for any dynamic routing to function is dynamic routing
configured on one interface of the FortiGate unit, and on one other router as well. Some
protocols require more, as Table 77 shows.
Table 77: Minimum configuration based on dynamic protocol
                 BGP                  RIP              OSPF
Interface        yes                  yes              yes
Network          yes                  yes              yes
AS               local and neighbor   no               yes
Neighbors        at least one         at least one     at least one
Version          no                   yes              no
Router ID        no                   no               yes

Comparison of dynamic routing protocols
Each dynamic routing protocol was designed to meet a specific routing need. Each
protocol does some things well, and other things not so well. For this reason, choosing the
right dynamic routing protocol for your situation is not an easy task.

Features of dynamic routing protocols
Each protocol is better suited for some situations over others.
Choosing the best dynamic routing protocol depends on the size of your network, speed of
convergence required, the level of network maintenance resources available, what
protocols the networks you connect to are using, and so on. For more information on
these dynamic routing protocols, see “Routing Information Protocol (RIP)” on page 1095,
“Border Gateway Protocol (BGP)” on page 1131, or “Open Shortest Path First (OSPF)” on
page 1169.


Table 78: Comparing RIP, BGP, and OSPF dynamic routing protocols

Routing algorithm
  RIP: distance vector, basic
  BGP: distance vector, advanced (path vector)
  OSPF: link-state

Common uses
  RIP: small, non-complex networks
  BGP: network backbone; ties multinational offices together
  OSPF: common in large, complex enterprise networks

Strengths
  RIP: fast and simple to implement; near universal support; good when there are no redundant paths
  BGP: graceful restart; BFD support; only needed on border routers; summarizes routes
  OSPF: fast convergence; robust; little management overhead; no hop count limitation; scalable

Weaknesses
  RIP: frequent updates can flood the network; slow convergence; maximum of 15 hops may limit network configuration
  BGP: the full mesh required in large networks can cause floods; route flap; load balancing multi-homed networks is difficult; not available on low-end routers
  OSPF: complex; no support for unequal cost multipath routing; route summarization can require network changes

Authentication (all three)
  Optional authentication using a text string or an MD5 password (RIP v1 has no authentication).

IPv6 support
  RIP: only in RIPng
  BGP: only in BGP4+
  OSPF: only in OSPF6 (OSPFv3)

Routing protocols
Routing Information Protocol (RIP) version 1 uses classful routing (RIPv2 is classless),
and RIP incorporates various methods to stop incorrect route information from
propagating, such as split horizon with poison reverse. However, on larger networks its
frequent updates can flood the network and its slow convergence can be a problem.
Border Gateway Protocol (BGP) has been the core Internet backbone routing protocol
since the mid 1990s, and is the exterior gateway protocol (EGP) in general use. However,
some configurations require full mesh connections which flood the network, and there can
be route flap and load balancing issues for multihomed networks.
Open Shortest Path First (OSPF) is commonly used in large enterprise networks. It is
the protocol of choice mainly due to its fast convergence. However, it can be complicated
to set up properly.

Routing algorithm
Each protocol uses a slightly different algorithm for choosing the best route between two
addresses on the network. The algorithm is the “intelligent” part of a dynamic protocol
because the algorithm is responsible for deciding which route is best and should be added
to the local routing table. RIP and BGP use distance vector algorithms, whereas OSPF uses
a link-state, or shortest path first, algorithm.
Distance vector algorithms are essentially based on the number of hops between the
originator and the destination in a route, possibly weighting hops based on how reliable,
fast, and error-free they are.
The link-state algorithm used by OSPF is Dijkstra’s algorithm. Link-state treats each
interface as a link, and records information about the state of the interface. Dijkstra’s
algorithm builds a shortest-path tree rooted at the local router, choosing paths by the total
cost of the links that make up each route in the tree.


For more information on the routing algorithm used, see “Distance vector versus link-state
protocols” on page 1072.

Authentication
If an attacker gains access to your network, they can masquerade as a router on your
network to either learn about your network or disrupt network traffic, for example by
advertising routes that pull traffic through a host they control. A well configured firewall
helps stop many threats of this type. However, the main method for protecting your routing
information is to use authentication in your routing protocol. With authentication enabled
on your FortiGate unit and the other routers, every router must prove it holds the shared
key before its updates are accepted. Prefer the MD5 option over the text-string option:
a text-string password is sent in clear text in every routing packet and can be read by
anyone who captures it, whereas MD5 authentication sends only a digest computed over
the packet and the key. Neither option encrypts the routing updates themselves; they
protect origin and integrity, not confidentiality.
When configuring authentication on your network, ensure you configure it the same on all
devices on the network, with the same key (and, for OSPF MD5, the same key ID). Failure
to do so will create errors and outages as the forgotten devices fail to form adjacencies
with the rest of the network.
For example, to configure an MD5 key of 123 on an OSPF interface called ospf_test,
enter the following CLI command:
config router ospf
    config ospf-interface
        edit ospf_test
            set authentication md5
            set md5-key 123
        end
end
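What the MD5 option actually does on the wire for OSPFv2, as an added Python example that is not from the handbook and is not FortiOS code. Following RFC 2328 appendix D, the sender sets AuType 2, puts the key ID, digest length and a cryptographic sequence number in the authentication field, and appends MD5(packet || key padded to 16 octets) after the packet; the receiver recomputes the digest with its own copy of the key and also refuses a sequence number that goes backwards, which is the replay protection. The Hello packet, router and area IDs, and the key ID of 1 are constructed for the example; the key 123 is the one from the CLI example above.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
AUTH_DATA_LEN = 16  # MD5 digest length, also the padded key length


def ip(dotted: str) -> bytes:
    return ipaddress.IPv4Address(dotted).packed


def pad_key(key: bytes) -> bytes:
    """OSPFv2 works with a 16-octet key; shorter keys are zero-padded, as common
    implementations do with a short configured string."""
    if len(key) > AUTH_DATA_LEN:
        raise ValueError("OSPFv2 MD5 keys are at most 16 octets")
    return key.ljust(AUTH_DATA_LEN, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, netmask: str,
                neighbors=(), hello_interval: int = 10, dead_interval: int = 40) -> bytes:
    """A CONSTRUCTED OSPFv2 Hello with AuType 2. With cryptographic authentication the
    checksum field is unused (0) and the 64-bit authentication field carries
    0, Key ID, Auth Data Len and the cryptographic sequence number (RFC 2328 D.3)."""
    body = struct.pack("!4sHBBI4s4s", ip(netmask), hello_interval, 0x02, 1, dead_interval,
                       ip("0.0.0.0"), ip("0.0.0.0")) + b"".join(ip(n) for n in neighbors)
    length = 24 + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, length, ip(router_id),
                         ip(area_id), 0, AUTYPE_CRYPTOGRAPHIC)
    auth_field = struct.pack("!HBBI", 0, key_id, AUTH_DATA_LEN, seq)
    return header + auth_field + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side (RFC 2328 D.4.3): append MD5 over the packet followed by the padded key.
    The digest is not counted in the OSPF length field."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(frame: bytes, key: bytes, expected_key_id: Optional[int] = None,
           last_seq: Optional[int] = None) -> bool:
    """Receiver side: check the header fields, recompute the digest with the locally
    configured key, compare in constant time, and reject a sequence number lower than
    the last one accepted from this neighbor."""
    if len(frame) < 24 + AUTH_DATA_LEN:
        return False
    length, = struct.unpack("!H", frame[2:4])
    autype, = struct.unpack("!H", frame[14:16])
    _, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if autype != AUTYPE_CRYPTOGRAPHIC or auth_len != AUTH_DATA_LEN:
        return False
    if len(frame) != length + AUTH_DATA_LEN:
        return False
    if expected_key_id is not None and key_id != expected_key_id:
        return False
    packet, digest = frame[:length], frame[length:]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False
    return last_seq is None or seq >= last_seq
```

Two things the example makes visible. First, a router that never learns the key cannot produce an accepted digest, but it can still read every field of every Hello and LSA, so MD5 authentication is not a substitute for keeping untrusted hosts off routing segments. Second, this construction is a bare keyed hash rather than an HMAC; RFC 5709 later defined HMAC-SHA authentication for OSPFv2, which FortiOS 4.0 MR2 does not offer (Table 78 lists text string and MD5 only).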

Convergence
Convergence is the ability of a networking protocol to re-route around network outages.
Static routing cannot do this. Dynamic routing protocols can all converge, but take various
amounts of time to do this. Slow convergence can cause problems such as network loops
which degrade network performance.
You may also hear robustness and redundancy used to describe networking protocols. In
many ways they are the same thing as convergence. Robustness is the ability to keep
working even though there are problems, including configuration problems as well as
network outages. Redundancy involves having duplicate parts that can continue to
function in the event of some malfunction, error, or outage. It is relatively easy to configure
dynamic routing protocols to have backup routers and configurations that will continue to
function no matter the network problem short of a total network failure.

IPv6 Support
IPv4 addressing is in common use everywhere around the world. IPv6 has much larger
addresses and it is used by many large companies and government departments. IPv6 is
not as common as IPv4 yet, but more companies are adopting it.
If your network uses IPv6, your dynamic routing protocol must support it. None of the
dynamic routing protocols originally supported IPv6, but they all have additions,
expansions, or new versions that do support IPv6. For more information, see “RIP and
IPv6” on page 1096, “BGP and IPv6” on page 1132, or “OSPF and IPv6” on page 1170.


When to adopt dynamic routing
Static routing is more than enough to meet your networking needs when you have a small
network. However, as your network grows, the question you need to answer is at what
point do you adopt dynamic routing in your networking plan and start using it in your
network? The main factors in this decision are typically:
• Budget
• Current network size and topology
• Expected network growth
• Available resources for ongoing maintenance

Budget
When making any business decision, the budget must always be considered. Static
routing does not involve special hardware, fancy software, or expensive training courses.
Dynamic routing can include all of these extra expenses. Any new routing hardware such
as routers and switches need to support your chosen protocols. Network management
software to help configure and maintain your more complex network, and routing protocol
drivers may be necessary as well. If the network administrators are not well versed in
dynamic routing, either a training course or some hands on learning time must be
budgeted so they can administer the new network with confidence. Together, these
factors will use up your budget quickly.
Additionally people account for network starting costs in the budgets, but usually leave out
the ongoing cost of network maintenance. Any budget must provide for the hours that will
be spent on updating the network routing equipment, and fixing any problems. Without
that money in the budget, you may end up back at static routing before you know it.

Current network size and topology
As stated earlier, static routing works well on small networks. As those networks get larger,
routing takes longer, routing tables get very large, and general performance isn’t what it
could be.
Topology is a concern as well. If all your computers are in one building, its much easier to
stay with static routing longer. However, connecting a number of locations will be easier
with the move to dynamic routing.
If you have a network of 20 computers, you can still likely use static routing. If those
computers are in two or three locations, static routing will still be a good choice for
connecting them. Also, if you just connect to your ISP and don’t worry about any special
routing to do that, you are likely safe with just static routing.
If you have a network of 100 computers in one location, you can use static routing but it
will be getting slower, more complex, and there won’t be much room for expansion. If
those 100 computers are spread across three or more locations, dynamic routing is the
way to go.
If you have 1000 computers, you definitely need to use dynamic routing no matter how
many locations you have.
Hopefully this section has given you an idea of what results you will likely experience from
different sized networks using different routing protocols. Your choice of which dynamic
routing protocol to use is partly determined by the network size, and topology.

1076

FortiOS™ Handbook FortiOS 4.0 MR2 Dynamic Routing
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Expected network growth
You may not be sure if your current network is ready for dynamic routing. However, if you
are expecting rapid growth in the near future, it is a good idea to start planning for that
growth now so you are ready for the coming expansion.
Static routing is very labor intensive. Each network device’s routing table needs to be
configured and maintained manually. If there is a large number of new computers being
added to the network, they each need to have the static routing table configured and
maintained. If devices are being moved around the network frequently, they must also be
updated each time.
Instead, consider putting dynamic routing in place before those new computers are
installed on the network. The installation issues can be worked out with a smaller and less
complex network, and when those new computers or routers are added to the network
there will be nowhere near the level of manual configuration required. Depending on the
level of growth, this labor savings can be significant. For example, in an emergency you
can drop a new router into a network or AS, wait for it to receive the routing updates from
its neighbors, and then remove one of the neighbors. While the routes will not be the most
effective possible, this method is much less work than static routing in the same situation,
with less chance of mistakes.
Also as your network grows and you add more routers, those new routers can help share
the load in most dynamic routing configurations. For example, if you have 4 OSPF routers
and 20,000 external routes, those few routers will be overwhelmed, but a network with
15 OSPF routers will be better able to handle that number of routes. Be aware though
that adding more routers to your network will increase the amount of updates sent
between the routers, which will take up some of your bandwidth.

Available resources for ongoing maintenance
As touched on in the budget section, there must be resources dedicated to ongoing
network maintenance, upgrades, and troubleshooting. These resources include
administrator hours to configure and maintain the network, training for the administrator if
needed, extra hardware and software as needed, and possible extra staff to help the
administrator in emergencies. Without these resources, you will quickly find the network
reverting to static routing out of necessity. This is because:


Routing software updates will require time.



Routing hardware updates will require time.



Office reorganizations or significant personnel movement will require time from a
networking point of view.



Networking problems that occur, such as failed hardware, require time to locate and fix
the problem.

If the resources to accomplish these tasks are not budgeted, they will either not happen or
not happen at the required level to continue operation. This will result in both the network
administration staff and the network users being very frustrated.
A lack of maintenance budget will also result in increasingly heavy reliance on static
routing as the network administrators are forced to use quick fixes for problems that come
up. This invariably involves going to static routing, and dropping the more complex and
time consuming dynamic routing.

Choosing a routing protocol
One of the hardest decisions in routing can be choosing which routing protocol to use on
your network. It can be easy to decide when static routing will not meet your needs, but
how can you tell which dynamic routing protocol is best for your network and situation?
Here is a brief look at the routing protocols including their strongest and weakest points.
The steps to choosing your routing protocol are:
1 Answer questions about your network
2 Dynamic routing terminology
3 Evaluate your chosen protocol
4 Implement your dynamic routing protocol

Answer questions about your network
Before you can decide what is best for your situation, you need to examine what the
details of your situation are such as what you have for budget, equipment, and users.
The following questions will help you form a clear idea of your routing needs:
How many computers or devices are on your network?
It matters if you only have a few computers, or if you have many and if they are all at one
location or not as well. All routing protocols can be run on a network of any size; however, it
can be inefficient to run some on very small networks. Also, routers and network
hardware that support dynamic routing can be more expensive than more generic routers
for static routing.
What applications typically run over the network?
Finding out what application your users are running will help you determine their needs
and the needs of the network regarding bandwidth, quality of service, and other such
issues.
What level of service do the users expect from the network?
Different network users have different expectations of the network. It’s not critical for
someone surfing the Internet to have 100% uptime, but it is required for a stock
exchange network or a hospital.
Is there network expansion in your near future?
You may have a small network now, but if it will be growing quickly, you should plan for
the expected size so you don’t have to change technologies again down the road.
What routing protocols do your networks connect to?
This is most often how routing protocol decisions are made. You need to be able to
communicate easily with your service provider and neighbors, so often people simply
use what everyone else is using.
Is security a major concern?
Some routing protocols have levels of authentication and other security features built
in. Others do not. If security is important to you, be aware of this.
What is your budget — both initial and maintenance?
More robust and feature laden routing protocols generally mean more resources are
required to keep them working well. Also more secure configurations require still more
resources. This includes both set up costs, as well as ongoing maintenance costs.
Ignore these costs at the risk of having to drop the adoption of the new routing protocol
mid-change.

Evaluate your chosen protocol
Once you have examined the features of the routing protocols listed above and chosen
the one that best meets your needs, you can set up an evaluation or test install of that
protocol.
The test install is generally set up in a sandbox configuration so it will not affect critical
network traffic. The aim of the test install is to prove that it will work on a larger scale on
your network. So be sure that the test install mirrors your larger network well enough for
you to discover any problems. If it’s too simplistic, these problems may not appear.
If your chosen protocol does not meet your goals choose a different protocol and repeat
the evaluation process until either a protocol meets your needs, or you change your
criteria.

Implement your dynamic routing protocol
You have examined your needs, selected the best matching dynamic routing protocol,
tested it, and now you are ready to implement it with confidence.
This guide will help you configure your FortiGate unit to support your chosen dynamic
routing protocol. Refer to the various sections in this guide as needed during your
implementation to help ensure a smooth transition. Examples for each protocol have been
included to show proper configurations for different types of networks.

Dynamic routing terminology
Dynamic routing is a complex subject. There are many routers on different networks and
all can be configured differently. It becomes even more complicated when each routing
protocol has slightly different names for similar features, and many configurable features
of its own.
To better understand dynamic routing, here are some explanations of common dynamic
routing terms.
• Aggregated routes and addresses
• Autonomous system (AS)
• Area border router (ABR)
• Neighbor routers
• Route maps
• Access lists
• Bi-directional forwarding detection (BFD)

For more details on a term as it applies to a dynamic routing protocol, see one of “Border
Gateway Protocol (BGP)” on page 1131, “Routing Information Protocol (RIP)” on
page 1095, or “Open Shortest Path First (OSPF)” on page 1169.

Aggregated routes and addresses
Just as an aggregate interface combines multiple interfaces into one virtual interface, an
aggregate route combines multiple routes into one. This reduces the amount of space
those routes require in the routing tables of the routers along that route. The trade-off is a
small amount of processing to aggregate and de-aggregate the routes at either end.

The benefit of this method is that you can combine many addresses into one, potentially
reducing the routing table size immensely. The weakness of this method is if there are
holes in the address range you are aggregating you need to decide if it’s better to break it
into multiple ranges, or accept the possibility of failed routes to the missing addresses.
To manually aggregate the range of IP addresses from 192.168.1.100 to
192.168.1.103
1 Convert the addresses to binary
192.168.1.100 = 11000000 10101000 00000001 01100100
192.168.1.101 = 11000000 10101000 00000001 01100101
192.168.1.102 = 11000000 10101000 00000001 01100110
192.168.1.103 = 11000000 10101000 00000001 01100111
2 Determine the maximum number of matching bits common to the addresses.
There are 30 bits in common, with only the last 2 bits being different.
3 Record the common part of the address.
11000000 10101000 00000001 011001XX = 192.168.1.100
4 For the netmask, assume all the bits in the netmask are 1 except those that are
different which are 0.
11111111 11111111 11111111 11111100 = 255.255.255.252
5 Combine the common address bits and the netmask.
192.168.1.100/255.255.255.252
Alternatively, the netmask may be written as a prefix length:
192.168.1.100/30
6 As required, set variables and attributes to declare the routes have been aggregated,
and what router did the aggregating.
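The binary-comparison steps above carried out in code, as an added example that is not from the handbook: it generalizes to any list of addresses, finds the longest common prefix, builds the netmask, and reports the holes in the range that the trade-off discussion warns about. The addresses used are the ones walked through above.

```python
# Added example (not from the FortiOS Handbook): aggregate IPv4 addresses
# into the smallest single prefix that covers them, following the
# binary-comparison steps above, and list any "holes" (addresses inside
# the aggregate that were not part of the input).
import ipaddress


def ip_to_int(addr):
    """Step 1: convert a dotted-quad address to its 32-bit integer form."""
    return int(ipaddress.IPv4Address(addr))


def common_prefix_length(values):
    """Step 2: number of leading bits shared by every address (0 to 32).

    The XOR of the lowest and highest address has its top set bit at the
    first position where any two addresses differ; every bit above it is
    common to the whole set.
    """
    diff = min(values) ^ max(values)
    return 32 - diff.bit_length()


def aggregate(addresses):
    """Steps 3 to 5: return the covering prefix, its netmask and any holes."""
    values = [ip_to_int(a) for a in addresses]
    plen = common_prefix_length(values)
    # Step 4: netmask is all ones except for the differing low-order bits.
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    # Step 3: the common part of the address, with the variable bits zeroed.
    network = min(values) & mask
    net = ipaddress.IPv4Network((network, plen))
    present = set(values)
    hole_count = net.num_addresses - len(present)
    # Enumerate the individual missing addresses only for small aggregates.
    holes = []
    if net.num_addresses <= 1024:
        holes = [str(ipaddress.IPv4Address(v))
                 for v in range(network, network + net.num_addresses)
                 if v not in present]
    return {
        # Step 5: address and netmask combined, in prefix-length form.
        "prefix": f"{net.network_address}/{plen}",
        "netmask": str(ipaddress.IPv4Address(mask)),
        "hole_count": hole_count,
        "holes": holes,
    }


if __name__ == "__main__":
    # The four addresses walked through above: a clean /30 with no holes.
    print(aggregate(["192.168.1.100", "192.168.1.101",
                     "192.168.1.102", "192.168.1.103"]))
    # Dropping .102 leaves the same /30 but reports .102 as a hole: the
    # case where you must choose between splitting the range or accepting
    # failed routes to the missing address.
    print(aggregate(["192.168.1.100", "192.168.1.101", "192.168.1.103"]))
```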

Autonomous system (AS)
An Autonomous System (AS) is one or more connected networks that use the same
routing protocol, and appear to be a single unit to any externally connected networks. For
example an ISP may have a number of customer networks connected to it, but to any
networks connected externally to the ISP it appears as one system or AS. An AS may also
be referred to as a routing domain.
It should be noted that while OSPF routing takes place within one AS, the only part of
OSPF that deals with the AS is the AS border router (ASBR).
There are multiple types of AS defined by how they are connected to other ASes. A
multihomed AS is connected to at least two other ASes and has the benefit of redundancy
— if one of those ASes goes down, your AS can still reach the Internet through its other
connection. A stub AS only has one connection, and can be useful in specific
configurations where limited access is desirable.
Each AS has a number assigned to it, known as an ASN. In an internal network, you can
assign any ASN you like (a private AS number), but for networks connected to the Internet
(public AS) you need to have an officially registered ASN from Internet Assigned Numbers
Authority (IANA). ASNs are typically 16-bit numbers — ASNs from 1 - 64,511 are
designated for public use.

Note: As of January 2010, AS numbers will be 4-bytes long instead of the older 2-bytes.
RFC 4893 introduced 32-bit ASNs, which FortiGate units support.

Do you need your own AS?
The main factors in deciding if you need your own AS or if you should be part of someone
else’s are:
• exchanging external routing information
• many prefixes should exist in one AS as long as they use the same routing policy
• when you use a different routing protocol than your border gateway peers (for example your ISP uses BGP, and you use OSPF)
• connected to multiple other AS (multi-homed)

You should not create an AS for each prefix on your network. Neither should you be
forced into an AS just so someone else can make AS-based policy decisions on your
traffic.
There can be only one AS for any prefix on the Internet. This is to prevent routing issues.

What AS number to use?
In addition to overseeing IP address allocation and Domain Name Systems (DNS), the
Internet Assigned Numbers Authority (IANA) assigns public AS numbers. The public AS
numbers are from 1 to 64,511. The ASNs 0, 54272–64511, and 65535 are reserved by the
IANA. These ASNs should not be used.
ASNs are assigned in blocks by the Internet Assigned Numbers Authority (IANA) to
Regional Internet Registries (RIRs) who then assign ASNs to companies within that RIRs
geographic area. Usually these companies are ISPs, and to receive an ASN you must
complete the application process of the local RIR and be approved before being assigned
an ASN. The RIRs names and regions are:
AFRINIC     Serves the African continent
APNIC       Asia-Pacific including China, India, and Japan
ARIN        American registry including Canada and United States
LACNIC      Latin America, including Mexico, Caribbean, Central and South America
RIPE NCC    Europe, the Middle East, former USSR, and parts of Central Asia

AS numbers from 64512 to 65534 are reserved for private use. Private AS numbers can
be used for any internal networks with no outside connections to the Internet such as test
networks, classroom labs, or other internal-only networks that do not access the outside
world. You can also configure border routers to filter out any private ASNs before routing
traffic to the outside world. If you must use private ASNs with public networks, this is the
only way to configure them. However, it is risky because many other private networks
could be using the same ASNs and conflicts will happen. It would be very much like your
local 192.168.0.0 network being made public — the resulting problems would be
widespread.
In 1996, when RFC 1930 was written, only 5,100 ASes had been allocated and a little
under 600 ASes were actively routed in the global Internet. Since that time many more
public ASNs have been assigned, leaving only a small number. For this reason 32-bit
ASNs (four-octet ASNs) were defined to provide more public ASNs. RFC 4893 defines
32-bit ASNs, and FortiGate units support these larger ASNs as of FortiOS version 4.2.

Area border router (ABR)
Routers within an AS advertise updates internally and only to each other. However,
routers on the edge of the AS must communicate both with routers inside their AS and
with routers external to their AS, often running a different routing protocol. These routers
are called Area Border Routers (ABRs) or edge routers. Often ABRs run multiple routing
protocols to be able to redistribute traffic between different ASes that are running different
protocols, such as the edge between an ISP’s IS-IS routing network and a large
company’s OSPF network.
OSPF defines ABRs differently from other routers. In OSPF, an ABR is an OSPF router
that connects another AS to the backbone AS, and is a member of all the areas it
connects to. An OSPF ABR maintains a LSA database for each area that it is connected
to. The concept of the edge router is present, but its the edge of the backbone instead of
the edge of the OSPF supported ASes.

Neighbor routers
Routing involves routers communicating with each other. To do this, routers need to know
information about each other. These routers are called neighbor routers, and are
configured in each routing protocol. Each neighbor has custom settings since some
routers may have functionality other routers lack. Neighbor routers are sometimes
called peers.
Generally neighbor routers must be configured, and discovered by the rest of the network
before they can be integrated into the routing calculations. This is a combination of the
network administrator configuring the new router with its neighbor router addresses, and
the routing network discovering the new router, such as the hello packets in OSPF. That
discovery initiates communication between the new router and the rest of the network.

Route maps
Route maps are a way for the FortiGate unit to evaluate optimum routes for forwarding
packets or suppressing the routing of packets to particular destinations. Compared to
access lists, route maps support enhanced packet-matching criteria. In addition, route
maps can be configured to permit or deny the addition of routes to the FortiGate unit
routing table and make changes to routing information dynamically as defined through
route-map rules.
Route maps can be used for limiting both received route updates, and sent route updates.
This can include the redistribution of routes learned from other types of routing. For
example if you don’t want to advertise local static routes to external networks, you could
use a route map to accomplish this.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules
are examined in ascending order until one or more of the rules in the route map are found
to match one or more of the route attributes.
Route maps also allow you, as an administrator, to group a set of addresses together and
assign them a meaningful name. Then during your configuration, you can use these route maps
to speed up configuration. The meaningful names ensure fewer mistakes during
configuration as well.
The default rule in the route map (which the FortiGate unit applies last) denies all routes.
For a route map to take effect, it must be called by a FortiGate unit routing process.

The syntax for route maps is:
config router route-map
    edit <route_map_name>
        set comments
        config rule
            edit <route_map_rule_id>
                set action
                set match-*
                set set-*

The match-* commands allow you to match various parts of a route. The set-*
commands allow you to set routing information once a route is matched.
For an example of how route maps can be used to create receiving or sending “groups” in
routing, see “Redistributing and blocking routes in BGP” on page 1162.

Access lists
Use this command to add, edit, or delete access lists. Access lists are filters used by
FortiGate unit routing processes. For an access list to take effect, it must be called by a
FortiGate unit routing process (for example, a process that supports RIP or OSPF). Use
access-list6 for IPv6 routing.
Access lists can be used to filter which updates are passed between routers, or which
routes are redistributed to different networks and routing protocols. You can create lists of
rules that will match all routes for a specific router or group of routers.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and whether to match the prefix exactly or to match the
prefix and any more specific prefix.
Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route,
0.0.0.0/0 can not be exactly matched with an access-list. A prefix-list must be used for this
purpose.

The FortiGate unit attempts to match a packet against the rules in an access list starting at
the top of the list. If it finds a match for the prefix, it takes the action specified for that
prefix. If no match is found the default action is deny.
The syntax for access lists is:
config router access-list, access-list6
    edit <access_list_name>
        set comments
        config rule
            edit <access_list_id>
                set action
                set exact-match
                set prefix
                set prefix6
                set wildcard

For an example of how access lists can be used to create receiving or sending “groups” in
routing, see “Redistributing and blocking routes in BGP” on page 1162.
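A small model of the access-list evaluation described above, as an added example that is not FortiGate code: rules are tried from the top, a rule either requires an exact prefix match or also accepts any more specific prefix, the first match decides, and with no match the result is deny. The rule set is constructed, and the model does not reproduce the FortiGate restriction that 0.0.0.0/0 cannot be exactly matched.

```python
# Added example (not FortiGate code): a model of access-list rule
# evaluation as the handbook describes it. Rules are tried top to bottom;
# a rule either requires an exact prefix match or also accepts any more
# specific prefix; the first match decides; no match means deny.
import ipaddress


def make_rule(prefix, action, exact_match=False):
    """One access-list rule: CIDR prefix, 'permit' or 'deny', exact flag."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be 'permit' or 'deny'")
    return {"prefix": ipaddress.IPv4Network(prefix),
            "action": action,
            "exact_match": exact_match}


def rule_matches(rule, route):
    """Exact: same network and same length. Otherwise the route may be the
    rule prefix itself or any longer prefix contained within it."""
    if rule["exact_match"]:
        return route == rule["prefix"]
    return route.subnet_of(rule["prefix"])


def evaluate(rules, route_prefix):
    """Return (action, index of the matching rule); (deny, None) when no
    rule matched, mirroring the implicit deny at the end of the list."""
    route = ipaddress.IPv4Network(route_prefix)
    for index, rule in enumerate(rules):
        if rule_matches(rule, route):
            return rule["action"], index
    return "deny", None


# Constructed rule set: keep the aggregate 10.0.0.0/8 itself out of the
# updates, but let its more specific subnets through. Order matters: the
# exact-match deny must sit above the broader permit.
EXAMPLE_RULES = [
    make_rule("10.0.0.0/8", "deny", exact_match=True),
    make_rule("10.0.0.0/8", "permit"),
]

if __name__ == "__main__":
    for candidate in ("10.0.0.0/8", "10.1.0.0/16", "192.168.0.0/16"):
        print(candidate, evaluate(EXAMPLE_RULES, candidate))
```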

Bi-directional forwarding detection (BFD)
Bi-directional Forwarding Detection (BFD) is a protocol used to quickly locate hardware
failures in the network. Routers running BFD communicate with each other, and if a timer
runs out on a connection then that router is declared down. BFD then communicates this
information to the routing protocol and the routing information is updated.

The CLI commands associated with BFD include:
config router bgp
    config neighbor
        set bfd
config router ospf
    set bfd
config system setting
    set bfd
    set bfd-desired-min-tx
    set bfd-required-min-rx
    set bfd-detect-mult
    set bfd-dont-enforce-src-port

For more information about BFD in BGP, see “Bi-directional forwarding detection (BFD)”
on page 1147.

IPv6 in dynamic routing
Unless otherwise stated, routing protocols apply to IPv4 addressing. This is the standard
address format used. However, IPv6 is becoming popular and new versions of the
dynamic routing protocols have been introduced.
As of FortiOS v4.1, dynamic routing supports IPv6 on your FortiGate unit. The new
versions of these protocols and the corresponding RFCs are:
• BGP4+ — RFC 2545 and RFC 2858, Multiprotocol Extensions for IPv6 Inter-Domain Routing and Multiprotocol Extensions for BGP-4 (MP-BGP) respectively. See “BGP and IPv6” on page 1132.
• RIP next generation (RIPng) — RFC 2080, Routing Information Protocol next generation (RIPng). See “RIP and IPv6” on page 1096.
• OSPFv3 — RFC 2740, Open Shortest Path First version 3 (OSPFv3) for IPv6 support. See “OSPF and IPv6” on page 1170.
As with most advanced routing features on your FortiGate unit, IPv6 settings for dynamic
routing protocols are CLI-only. To configure IPv6 for RIP, BGP, or OSPF protocols you
must use the CLI commands.

Troubleshooting
These general troubleshooting tips provide a starting point for you to determine why your
network routing is behaving unexpectedly. This section includes general troubleshooting
methods, where each dynamic protocol chapter includes troubleshooting for specific
problems.
Some issues may be common to multiple routing protocols, but only be addressed in one
chapter. For that reason, when troubleshooting consult the various chapter
troubleshooting sections for possible solutions.
The general troubleshooting tips include the following steps, and can help answer these questions:
1 “Verify the contents of the routing table (in NAT mode)” on page 1085
  Are there routes in the routing table for default and static routes?
  Do all connected subnets have a route in the routing table?
  Does a route wrongly have a higher priority than it should?
2 “Perform a sniffer trace” on page 1086
  Is traffic entering the FortiGate unit and does it arrive on the expected interface?
  Is the ARP resolution correct for the next-hop destination?
  Is the traffic exiting the FortiGate unit to the destination as expected?
  Is the traffic being sent back to the originator?
3 “Debug the packet flow” on page 1087
  Is the traffic entering the FortiGate unit as expected?
  Is the traffic leaving the FortiGate unit as expected?
4 “Examine the firewall session list” on page 1088
  Are there active firewall sessions?
If you are experiencing complete packet loss, you should “Run ping and traceroute” on
page 1089 to locate the cause of the packet loss.
In addition to these steps, you may find some diagnose commands useful. See “Common
diagnose commands” on page 1092.

Verify the contents of the routing table (in NAT mode)
The first place to look for information is the routing table. The routing table is where all the
currently used routes are stored for both static and dynamic protocols. If a route is in the
routing table, it saves the time and resources of a lookup. If a route isn’t used for a while
and a new route needs to be added, the oldest least used route is bumped if the routing
table is full. This ensures the most recently used routes stay in the table. Note that if your
FortiGate unit is in Transparent mode, you are unable to perform this step.
If the FortiGate is running in NAT mode, verify that all desired routes are in the routing
table: local subnets, default routes, specific static routes, and dynamic routing protocols.

To check the routing table in the web-based manager, use the Routing Monitor — go to
System > Routing > Monitor. In the CLI, use the command get router routing-table all.
For more information on routing tables, see “The routing table” on page 1062.

Perform a sniffer trace
When troubleshooting networks and routing in particular, it helps to look inside the
headers of packets to determine if they are traveling along the route you expect that they
are. Packet sniffing can also be called a network tap, packet capture, or logic analyzing.
Note: If your FortiGate unit has NP2 interfaces that are offloading traffic, this will change
the sniffer trace. Before performing a trace on any NP2 interfaces, you should disable
offloading on those interfaces.

What can sniffing packets tell you
If you are running a constant traffic application such as ping, packet sniffing can tell you if
the traffic is reaching the destination, what the port of entry is on the FortiGate unit, if the
ARP resolution is correct, and if the traffic is being sent back to the source as expected.
Sniffing packets can also tell you if the FortiGate unit is silently dropping packets for
reasons such as RPF (Reverse Path Forwarding), also called Anti Spoofing, which
prevents an IP packet from being forwarded if its Source IP does not either belong to a
locally attached subnet (local interface), or be part of the routing between the FortiGate
and another source (static route, RIP, OSPF, BGP). Note that RPF can be disabled by
turning on asymmetric routing in the CLI (config system setting, set asymetric
enable), however this will disable stateful inspection on the FortiGate unit and cause
many features to be turned off.
Note: If you configure virtual IP addresses on your FortiGate unit, it will use those
addresses in preference to the physical IP addresses. You will notice this when you are
sniffing packets because all the traffic will be using the virtual IP addresses. This is due to
the ARP update that is sent out when the VIP address is configured.

How do you sniff packets
The general form of the internal FortiOS packet sniffer command is:
diag sniffer packet <interface_name> <‘filter’> <verbose> <count>
To stop the sniffer, type CTRL+C.
<interface_name>   The name of the interface to sniff, such as “port1” or “internal”.
                   This can also be “any” to sniff all interfaces.
<‘filter’>         What to look for in the information the sniffer reads. “none”
                   indicates no filtering, and all packets will be displayed as the other
                   arguments indicate.
                   The filter must be inside single quotes (‘).
<verbose>          The level of verbosity as one of:
                   1 - print header of packets
                   2 - print header and data from IP of packets
                   3 - print header and data from Ethernet of packets
<count>            The number of packets the sniffer reads before stopping. If you
                   don’t put a number here, the sniffer will run forever until you stop it
                   with CTRL+C.

For a simple sniffing example, enter the CLI command diag sniffer packet port1
none 1 3. This will display the next 3 packets on the port1 interface using no filtering,
and using verbose level 1. At this verbosity level you can see the source IP and port, the
destination IP and port, action (such as ack), and sequence numbers.
In the output below, port 443 indicates these are HTTPS packets, and 172.20.120.17 is
both sending and receiving traffic.
Head_Office_620b # diag sniffer packet port1 none 1 3
interfaces=[port1]
filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757
0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808
0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933
For a more advanced example of packet sniffing, the following commands will report
packets on any interface travelling between a computer with the host name of “PC1” and
the computer with the host name of “PC2”. With verbosity 4 and above, the sniffer trace
will display the interface names where traffic enters or leaves the FortiGate unit.
Remember to stop the sniffer by typing CTRL+C.
FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4
or
FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4
The following sniffer CLI command includes the ARP protocol in the filter, which may be
useful to troubleshoot a failure in the ARP resolution (for instance PC2 may be down and
not responding to the FortiGate ARP requests).
FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4

Debug the packet flow
Traffic should come in and leave the FortiGate. If you have determined that network traffic
is not entering and leaving the FortiGate unit as expected, debug the packet flow.
Debugging can only be performed using CLI commands. Debugging the packet flow
requires a number of debug commands to be entered as each one configures part of the
debug action, with the final command starting the debug.
Note: If your FortiGate unit has NP2 interfaces that are offloading traffic, this will change
the packet flow. Before performing the debug on any NP2 interfaces, you should disable
offloading on those interfaces.

The following configuration assumes that PC1 is connected to the internal interface of the
FortiGate unit and has an IP address of 10.11.101.200. PC1 is the host name of the
computer.
To debug the packet flow in the CLI, enter the following commands:
FGT# diag debug enable
FGT# diag debug flow filter add <PC1>
FGT# diag debug flow show console enable
FGT# diag debug flow trace start 100
FGT# diag debug enable
The start 100 argument in the above list of commands will limit the output to 100
packets from the flow. This is useful for looking at the flow without flooding your log or
display with too much information.
To stop all other debug activities, enter the command:
FGT# diag debug flow trace stop
The following is an example of debug flow output for traffic that has no matching Firewall
Policy, and is in turn blocked by the FortiGate unit. The denied message indicates the
traffic was blocked.
id=20085 trace_id=319 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.129.136:2854->192.168.96.153:1863) from port3."
id=20085 trace_id=319 func=resolve_ip_tuple line=2924 msg="allocate a new session-013004ac"
id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-192.168.150.129 via port1"
id=20085 trace_id=319 func=fw_forward_handler line=248 msg="Denied by forward policy check"

Examine the firewall session list
One further step is to examine the firewall session. The firewall session can
When examining the firewall session list in the CLI, filters may be used to reduce the
output. In the web-based manager, the filters are part of the interface.
To examine the firewall session list in the web-based manager
1 Go to System > Status > Dashboard > Top Sessions.
2 Select Detach, and then Details.
3 Expand the session window to full screen to display the information.
4 Change filters, view associated firewall policy, column ordering, and so on to analyze
the sessions in the table.
5 Select the delete icon to terminate the session.


To examine the firewall session list in the CLI
FGT# diag sys session filter src PC1
FGT# diag sys session list
or
FGT# diag sys session filter dst PC1
FGT# diag sys session list

To clear all sessions corresponding to a filter
FGT# diag sys session filter dst PC1
FGT# diag sys session clear

Run ping and traceroute
Ping and traceroute are useful tools in network troubleshooting. Alone either one can
determine network connectivity between two points. However, ping can be used to
generate simple network traffic to view with diagnose commands on the FortiGate unit.
This combination can be a very powerful one in locating network problems.
In addition to their normal uses, ping and traceroute can tell you if your computer or
network device has access to a name server (DNS). While both tools can use IP
addresses alone, they can also use domain names for devices. This is an added
troubleshooting feature that can be useful in determining why particular services, such as
email or web browsing, may not be working properly.
Both ping and traceroute require particular ports to be open on firewalls, or they cannot
function. Since you typically use these tools to troubleshoot, you can allow them in the
firewall policies and on interfaces only when you need them, and otherwise keep the ports
disabled for added security.

Ping
The ping command sends a very small packet to the destination, and waits for a response.
The response has a timer that may expire, indicating the destination is unreachable. The
behavior of ping is very much like a sonar ping from a submarine, where the command
gets its name.
Ping is part of Layer-3 on the OSI Networking Model. Ping sends Internet Control
Message Protocol (ICMP) “echo request” packets to the destination, and listens for “echo
response” packets in reply. However, many public networks block ICMP packets because
ping can be used in a denial of service (DoS) attack (such as Ping of Death or a smurf
attack), or by an attacker to find active locations on the network. By default, FortiGate
units have ping enabled and broadcast-forward is disabled on the external interface.

What ping can tell you
Beyond the basic connectivity information, ping can tell you the amount of packet loss (if
any), how long it takes the packet to make the round trip, and the variation in that time
from packet to packet.
If there is some packet loss detected, you should investigate:
• possible ECMP, split horizon, network loops
• cabling to ensure no loose connections


If there is total packet loss, you should investigate:
• hardware - ensure cabling is correct, and all equipment between the two locations is accounted for
• addresses and routes - ensure all IP addresses and routing information along the route is configured as expected
• firewalls - ensure all firewalls are set to allow PING to pass through

How to use ping
Ping syntax is the same for nearly every type of system on a network.
To ping from a Windows PC
1 Go to a DOS prompt. Typically you go to Start > Run, enter cmd and select OK.
2 Enter ping 10.11.101.100 to ping the default internal interface of the FortiGate unit
with four packets.
Other options include:
• -t to send packets until you press “Control-C”
• -a to resolve addresses to domain names where possible
• -n X to send X ping packets and stop
Output appears as:
C:\> ping 10.11.101.101
Pinging 10.11.101.101 with 32 bytes of data:
Reply from 10.11.101.101: bytes=32 time=10ms TTL=255
Reply from 10.11.101.101: bytes=32 time<1ms TTL=255
Reply from 10.11.101.101: bytes=32 time=1ms TTL=255
Reply from 10.11.101.101: bytes=32 time=1ms TTL=255
Ping statistics for 10.11.101.101:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 3ms
To ping from a Linux PC
1 Go to a command line prompt.
2 Enter “/bin/etc/ping 10.11.101.101”.
Output appears as:
To ping from a FortiGate unit
1 Connect to the CLI either through telnet or through the CLI widget on the web-based
manager dashboard.


2 Enter exec ping 10.11.101.101 to send 5 ping packets to the destination. There
are no options.
Output appears as:
Head_Office_620b # exec ping 10.11.101.101
PING 10.11.101.101 (10.11.101.101): 56 data bytes
64 bytes from 10.11.101.101: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.11.101.101: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=3 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=4 ttl=255 time=0.2 ms

--- 10.11.101.101 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms

Traceroute
Where ping will only tell you if it reached its destination and came back successfully,
traceroute will show each step of its journey to its destination and how long each step
takes. If ping finds an outage between two points, traceroute can be used to locate exactly
where the problem is.

What is traceroute
Traceroute works by sending ICMP packets to test each hop along the route. It will send
out three packets, and then increase the time to live (TTL) setting by one each time. This
effectively allows the packets to go one hop farther along the route. This is the reason why
most traceroute commands display their maximum hop count before they start tracing the
route — that is the maximum number of steps it will take before declaring the destination
unreachable. Also the TTL setting may result in steps along the route timing out due to
slow responses. There are many possible reasons for this to occur.
Traceroute by default uses UDP datagrams with destination ports numbered from 33434
to 33534. The traceroute utility usually has an option to specify use of ICMP echo request
(type 8) instead, as used by the Windows tracert utility. If you have a firewall and if you
want traceroute to work from both machines (Unix-like systems and Windows) you will
need to allow both protocols inbound through your FortiGate firewall policies (UDP with
ports from 33434 to 33534 and ICMP type 8).

How do you use traceroute
The traceroute command varies slightly between operating systems. Note that in MS
Windows the command name is shortened to “tracert”. Also note that your output will
list different domain names and IP addresses along your route.
To use traceroute on an MS Windows PC
1 Go to a DOS prompt. Typically you go to Start > Run, enter “cmd” and select OK.
2 Enter “tracert fortinet.com” to trace the route from the PC to the Fortinet
website.


Output will appear as:
C:\> tracert fortinet.com
Tracing route to fortinet.com [208.70.202.225]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  172.20.120.2
  2    66 ms    24 ms    31 ms  209-87-254-xxx.storm.ca [209.87.254.221]
  3    52 ms    22 ms    18 ms  core-2-g0-0-1104.storm.ca [209.87.239.129]
  4    43 ms    36 ms    27 ms  core-3-g0-0-1185.storm.ca [209.87.239.222]
  5    46 ms    21 ms    16 ms  te3-x.1156.mpd01.cogentco.com [38.104.158.69]
  6    25 ms    45 ms    53 ms  te8-7.mpd01.cogentco.com [154.54.27.249]
  7    89 ms    70 ms    36 ms  te3-x.mpd01.cogentco.com [154.54.6.206]
  8    55 ms    77 ms    58 ms  sl-st30-chi-.sprintlink.net [144.232.9.69]
  9    53 ms    58 ms    46 ms  sl-0-3-3-x.sprintlink.net [144.232.19.181]
 10    82 ms    90 ms    75 ms  sl-x-12-0-1.sprintlink.net [144.232.20.61]
 11   122 ms   123 ms   132 ms  sl-0-x-0-3.sprintlink.net [144.232.18.150]
 12   129 ms   119 ms   139 ms  144.232.20.7
 13   172 ms   164 ms   243 ms  sl-321313-0.sprintlink.net [144.223.243.58]
 14    99 ms    94 ms    93 ms  203.78.181.18
 15   108 ms   102 ms    89 ms  203.78.176.2
 16    98 ms    95 ms    97 ms  208.70.202.225
Trace complete.

The first, or leftmost column, is the hop count, which cannot go over 30 hops.
The second, third, and fourth columns are how long each of the three packets takes to
reach this stage of the route. These values are in milliseconds and normally vary quite a
bit. Typically a value of “<1ms” indicates a local connection.
The fifth, or rightmost column, is the domain name of that device and its IP address or
possibly just the IP address.
To perform a traceroute on a Linux PC
1 Go to a command line prompt.
2 Enter “/bin/etc/traceroute fortinet.com”.
The Linux traceroute output is very similar to the MS Windows traceroute output.

Common diagnose commands
Diagnose commands are a series of commands available on all FortiGate units. These
commands can help you troubleshoot network activity. The packet sniffer mentioned
earlier is only one of many useful diagnose commands.

diag hardware deviceinfo nic <interface_name>
This command will display information about the network controller hardware such as
driver name and version, MAC address, packet counts such as transferred received and
errors, and more. <interface_name> is the name of the physical interface to be queried.
Useful information can include:
• Rx_FIFO_Errors, Rx_Missed_Errors - count of missed packets
• Collisions, Tx_Aborted_Errors, Tx_Errors, Tx_Window_Errors, Tx_Multiple_Collision_Frames - collisions of different sorts, only valid in half-duplex mode


diag netlink interface list
This command displays a list of all the interfaces including information about them such as
MTU, type of interface (such as 1 for physical), and what flags are set on the interface.
This can be useful to determine if an interface is configured properly.


Routing Information Protocol (RIP)
This section describes the Routing Information Protocol (RIP).
The following topics are included in this section:
• RIP background and concepts
• Troubleshooting RIP
• RIP routing examples

RIP background and concepts
This section contains:
• Background
• Parts and terminology of RIP
• How RIP works

Background
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small,
relatively homogeneous networks. Its widespread use started when an early version of
RIP was included with BSD v4.3 Linux as the routed daemon. The routing algorithm used
by RIP, the Bellman–Ford algorithm, first saw widespread use as the initial routing
algorithm of the ARPANET.
RIP's benefits include being well suited to smaller networks, widespread use, near-universal
support on routing hardware, quick configuration, and good behaviour where there are no
redundant paths. However, RIP updates are sent out node-by-node, so it can be slow to
find a path around network outages. RIP also lacks good authentication, cannot choose
routes based on different quality of service methods, and can create network loops if you
are not careful.
The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058), RIP version
2 (see RFC 2453), and the IPv6 version RIPng (see RFC 2080).

RIP v1
In 1988 RIP version 1, defined in RFC 1058, was released. The RFC even states that RIP
v1 is based on Linux routed due to it being a “de facto standard”.
It uses classful addressing and uses broadcasting to send out updates to router
neighbors. There is no subnet information included in the routing updates in classful
routing, and it does not support CIDR addressing — subnets must all be the same size.
Also, route summarization is not possible.
RIP v1 has no router authentication method, so it is vulnerable to attacks through packet
sniffing, and spoofing.

RIP v2
In 1993, RIP version 2 was developed to deal with the limitations of RIP v1. It was not
standardized until 1998. This new version supports classless routing, and subnets of
various sizes.

Router authentication was added in RIP v2 — it supports MD5. MD5 hashes are an older
encryption method, but this is much improved over no security at all.
In RIP v2 the hop count remained at 15 to be backwards compatible with RIP v1.
RIP v2 uses multicasting to send the entire routing table to router neighbors, thereby
reducing the traffic for devices that are not participating in RIP routing.
Routing tags were added as well, which allow internal routes or redistributed routes to be
identified as such.

RIPng
RIPng, defined in RFC 2080, is an extension of RIP2 designed to support IPv6. However,
RIPng varies from RIPv2 in that it is not fully backwards compatible with RIPv1.
• RIPng does not support RIPv1 update authentication (it relies on IPsec)
• RIPng does not allow attaching tags to routes as in RIPv2
• RIPng requires specific encoding of the next hop for a set of route entries, unlike RIPv2 that encodes the next-hop into each route entry.

Parts and terminology of RIP
Before you can understand how RIP functions, you need to understand some of the main
concepts and parts of RIP.
This section includes:
• RIP and IPv6
• Default information originate option
• Garbage, timeout, and update timers
• Authentication and key-chain
• Access Lists

RIP and IPv6
RIP Next Generation (RIPng) is a newer version of RIP that adds support for IPv6.
The FortiGate unit command config router ripng is almost the same as config
router rip, except that IPv6 addresses are used. Also if you are going to use prefix or
access lists with RIPng, you must use the config router access-list6 or config
prefix-list6 versions of those commands.
If you want to troubleshoot RIPng, it is the same as with RIP but specify the different
protocol, and use IPv6 addresses. This applies to commands such as get router
info6 when you want to see the routing table, or other related information.
If you want to route IPv4 traffic over an IPv6 network, you can use the command config
system ip6-tunnel to configure the FortiGate unit to do this. The IPv6 interface is
configured under config system interface. All subnets between the source and
destination addresses must support IPv6. This command is not supported in Transparent
mode.


For example, you want to set up a tunnel on the port1 interface starting at
2002:C0A8:3201:: on your local network and tunnel it to address 2002:A0A:A01:: where it
will need access to an IPv4 network again. Use the following command:
config system ipv6-tunnel
    edit test_tunnel
        set destination 2002:A0A:A01::
        set interface port1
        set source 2002:C0A8:3201::
    end
end
The CLI commands associated with RIPng include:
config router ripng
config router access-list6
config router prefix-list6
config system ipv6-tunnel
get router info6 *

Default information originate option
This is the second advanced option for RIP in the web-based manager, right after metric.
Enabling default-information-originate will generate and advertise a default route into the
FortiGate unit’s RIP-enabled networks. The generated route may be based on routes
learned through a dynamic routing protocol, routes in the routing table, or both. RIP does
not create the default route unless you use the always option.
Select Disable if you experience any issues or if you wish to advertise your own static
routes into RIP updates.
The CLI commands associated with default information originate include:
config router rip
set default-information-originate
end

Garbage, timeout, and update timers
RIP uses various timers to regulate its performance including a garbage timer, timeout
timer, and update timer. The FortiGate unit default timer settings (30, 180, and 120
seconds respectively) are effective in most configurations — if you change these settings,
ensure that the new settings are compatible with local routers and access servers.
Note: The Timeout period should be at least three times longer than the Update period. If
the Update timer is larger than the Timeout or Garbage timers, you will experience an error.

The CLI commands associated with garbage, timeout, and update timers include:
config router rip
set garbage-timer
set timeout-timer
set update-timer
end


Garbage timer
The garbage timer is the amount of time (in seconds) that the FortiGate unit will advertise
a route as being unreachable before deleting the route from the routing table. If this timer
is shorter, it will keep more up to date routes in the routing table and remove old ones
faster. This will result in a smaller routing table which is useful if you have a very large
network, or if your network changes frequently.

Update timer
The update timer determines the interval between routing updates. Generally, this value is
set to 30 seconds. There is some randomness added to help prevent network traffic
congestion, which could result from all routers simultaneously attempting to update their
neighbors. The update timer should be at least three times smaller than the timeout timer,
otherwise you will experience an error.
If you are experiencing significant RIP traffic on your network, you can increase this
interval to send fewer updates per minute. However, ensure you increase the interval for
all the routers on your network or you will experience time outs that will degrade your
network speed.

Timeout timer
The timeout timer is the maximum amount of time (in seconds) that a route is considered
reachable while no updates are received for the route. This is the maximum time the
FortiGate unit will keep a reachable route in the routing table while no updates for that
route are received. If the FortiGate unit receives an update for the route before the timeout
period expires, the timer is restarted. The timeout period should be at least three times
longer than the update period, otherwise you will experience an error.
If you are experiencing problems with routers not responding in time to updates, increase
this timer. However, remember that longer timeout intervals result in longer overall update
periods — it may be considerable time before the time the FortiGate unit is done waiting
for all the timers to expire on unresponsive routes.
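The timer rules and the route lifecycle described in the three sections above, as an added Python example (not the handbook's or FortiOS code). The test values update 30 s, timeout 180 s and garbage 120 s are an assumption (the RFC 2453 defaults); the lifecycle states are the ones the handbook describes: reachable while updates arrive, advertised as unreachable for the garbage period, then deleted.

```python
RIP_INFINITY = 16  # metric RIP uses to advertise a route as unreachable


def check_rip_timers(update, timeout, garbage):
    """Apply the handbook's rules: timeout must be at least three times the
    update interval, and the update interval must not exceed the timeout or
    garbage timers. Returns a list of problems; an empty list means OK."""
    problems = []
    if min(update, timeout, garbage) <= 0:
        problems.append("all timers must be positive")
    if timeout < 3 * update:
        problems.append("timeout-timer must be at least 3 x update-timer")
    if update > garbage:
        problems.append("update-timer must not exceed garbage-timer")
    return problems


def route_state(last_update, now, timeout, garbage):
    """State of a route whose most recent update arrived at 'last_update'
    (all times in seconds). Each accepted update restarts the timeout."""
    age = now - last_update
    if age < timeout:
        return "reachable"      # in the table with its real metric
    if age < timeout + garbage:
        return "unreachable"    # kept, but advertised with metric 16
    return "deleted"            # removed from the routing table


def advertised_metric(hops, last_update, now, timeout, garbage):
    """Metric advertised for the route at time 'now', or None once deleted."""
    state = route_state(last_update, now, timeout, garbage)
    if state == "reachable":
        return hops
    if state == "unreachable":
        return RIP_INFINITY
    return None


def worst_case_removal_delay(timeout, garbage):
    """Longest time a silent (dead) route lingers in the table: the full
    timeout followed by the full garbage period."""
    return timeout + garbage


def replay_updates(update_times, probe_time, timeout, garbage):
    """State of a route at 'probe_time' given the times its updates were
    received; updates that arrive after the probe time are ignored."""
    seen = [t for t in update_times if t <= probe_time]
    if not seen:
        return "deleted"
    return route_state(max(seen), probe_time, timeout, garbage)


if __name__ == "__main__":
    # Assumed test values: update 30 s, timeout 180 s, garbage 120 s.
    print(check_rip_timers(30, 180, 120))
    for t in (0, 100, 200, 300):
        print(t, route_state(0, t, 180, 120))
```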

Authentication and key-chain
RIP version 2 uses authentication keys to ensure that the routing information exchanged
between routers is reliable. RIP version 1 has no authentication. For authentication to
work both the sending and receiving routers must be set to use authentication, and must
be configured with the same keys.
The sending and receiving routers need to have their system dates and times
synchronized to ensure both ends are using the same keys at the proper times. However,
you can overlap the key lifetimes to ensure that a key is always available even if there is
some difference in the system times.
A key chain is a list of one or more authentication keys including the send and receive
lifetimes for each key. Keys are used for authenticating routing packets only during the
specified lifetimes. The FortiGate unit migrates from one key to the next according to the
scheduled send and receive lifetimes.
Key-chain is a CLI router command. You use this command to manage RIP version 2
authentication keys. You can add, edit or delete keys identified by the specified key
number.


This example shows how to configure a key-chain with two keys that are valid sequentially
in time. This example creates a key-chain called “rip_key” that has a password of
“fortinet”. The accepted and send lifetimes are both set to the same values — a start time
of 9:00am February 23, 2010 and an end time of 9:00am March 17, 2010. A second key is
configured with a password of “my_fortigate” that is valid from March 17, 2010 9:01am to
April 1 2010 9:00am. This “rip_key” keychain is then used on the port1 interface in RIP.
config router key-chain
    edit "rip_key"
        config key
            edit 1
                set accept-lifetime 09:00:00 23 02 2010 09:00:00 17 03 2010
                set key-string "fortinet"
                set send-lifetime 09:00:00 23 02 2010 09:00:00 17 03 2010
            next
            edit 2
                set accept-lifetime 09:01:00 17 03 2010 09:00:00 1 04 2010
                set key-string "my_fortigate"
                set send-lifetime 09:01:00 17 03 2010 09:00:00 1 04 2010
            next
        end
    end
config router rip
    config interface
        edit port1
            set auth-keychain "rip_key"
        end
    end

The CLI commands associated with authentication keys include:
config router key-chain
config router rip
config interface
edit <interface>
set auth-keychain
set auth-mode
set auth-string
end
end
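Key selection by lifetime, as an added Python example (not the handbook's or FortiOS code) that parses the lifetime strings of the "rip_key" example above and reports which key is valid at a given time. Applied to the handbook's values it exposes the one-minute window between 09:00:00 and 09:01:00 on 17 March 2010 in which neither key is valid, the situation that overlapping lifetimes avoid; picking the lowest key number when several overlap is an assumption of this example.

```python
from datetime import datetime

# FortiOS writes a lifetime as "HH:MM:SS DD MM YYYY HH:MM:SS DD MM YYYY"
# (start, then end). The key-chain below is constructed to mirror the
# handbook's "rip_key" example.
LIFETIME_FMT = "%H:%M:%S %d %m %Y"


def at(text):
    """Parse one 'HH:MM:SS DD MM YYYY' timestamp."""
    return datetime.strptime(text, LIFETIME_FMT)


def parse_lifetime(text):
    """Parse a FortiOS lifetime string into (start, end) datetimes."""
    parts = text.split()
    if len(parts) != 8:
        raise ValueError("expected 'HH:MM:SS DD MM YYYY HH:MM:SS DD MM YYYY'")
    start, end = at(" ".join(parts[:4])), at(" ".join(parts[4:]))
    if end <= start:
        raise ValueError("lifetime ends before it starts")
    return start, end


RIP_KEY_CHAIN = [
    {"id": 1, "key_string": "fortinet",
     "accept": parse_lifetime("09:00:00 23 02 2010 09:00:00 17 03 2010"),
     "send": parse_lifetime("09:00:00 23 02 2010 09:00:00 17 03 2010")},
    {"id": 2, "key_string": "my_fortigate",
     "accept": parse_lifetime("09:01:00 17 03 2010 09:00:00 1 04 2010"),
     "send": parse_lifetime("09:01:00 17 03 2010 09:00:00 1 04 2010")},
]


def keys_valid_at(chain, when, direction):
    """Ids of keys whose 'send' or 'accept' lifetime covers 'when' (inclusive)."""
    return [k["id"] for k in chain if k[direction][0] <= when <= k[direction][1]]


def send_key_at(chain, when):
    """Key used for outgoing updates at 'when', or None if no key is valid.
    Choosing the lowest id among overlapping keys is an assumption here."""
    ids = keys_valid_at(chain, when, "send")
    return min(ids) if ids else None


def coverage_gaps(chain, direction):
    """(start, end) windows between consecutive lifetimes in which no key is
    valid. Overlapping lifetimes, as the handbook recommends, produce none."""
    spans = sorted(k[direction] for k in chain)
    gaps = []
    for (_, prev_end), (next_start, _) in zip(spans, spans[1:]):
        if next_start > prev_end:
            gaps.append((prev_end, next_start))
    return gaps


if __name__ == "__main__":
    for start, end in coverage_gaps(RIP_KEY_CHAIN, "send"):
        print("no valid send key between", start, "and", end)
```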

Access Lists
Access lists are filters used by FortiGate unit RIP and OSPF routing. An access list
provides a list of IP addresses and the action to take for them — essentially an access list
makes it easy to group addresses that will be treated the same into the same group,
independent of their subnets or other matching qualities. You add a rule for each address
or subnet that you want to include, specifying the action to take for it. For example if you
wanted all traffic from one department to be routed a particular way, even in different
buildings, you can add all the addresses to an access list and then handle that list all at
once.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and whether to match the prefix exactly or to match the
prefix and any more specific prefix.


The FortiGate unit attempts to match a packet against the rules in an access list starting at
the top of the list. If it finds a match for the prefix, it takes the action specified for that
prefix. If no match is found the default action is deny.
Access lists greatly speed up configuration and network management. When there is a
problem, you can check each list instead of individual addresses. Also it's easier to
troubleshoot since if all addresses on one list have problems, it eliminates many possible
causes right away.
If you are using the RIPng or OSPF+ IPv6 protocols you will need to use access-list6, the
IPv6 version of access list. The only difference is that access-list6 uses IPv6 addresses.
For example, if you want to create an access list called test_list that only allows an
exact match of 10.10.10.10 and 11.11.11.11, enter the command:
config router access-list
    edit test_list
        config rule
            edit 1
                set prefix 10.10.10.10 255.255.255.255
                set action permit
                set exact-match enable
            next
            edit 2
                set prefix 11.11.11.11 255.255.255.255
                set action permit
                set exact-match enable
        end
    end
Another example is if you want to deny ranges of addresses in IPv6 that start with the IPv6
equivalents of 10.10.10.10 and 11.11.11.11, enter the command access-list6 as follows:
config router access-list6
    edit test_list_ip6
        config rule
            edit 1
                set prefix6 2002:A0A:A0A:0:0:0:0:0/48
                set action deny
            next
            edit 2
                set prefix6 2002:B0B:B0B:0:0:0:0:0/48
                set action deny
        end
    end


To use an access list, you must call it from a routing protocol such as RIP. The following
example uses the access list from the earlier example, called test_list, to match routes
coming in on the port1 interface. When there is a match, it adds 3 to the hop count
metric of those routes to artificially increase it. Enter the following command:
config router rip
    config offset-list
        edit 5
            set access-list test_list
            set direction in
            set interface port1
            set offset 3
            set status enable
        end
    end
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route,
0.0.0.0/0, cannot be exactly matched with an access list; a prefix list must be used for this
purpose.
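Access-list evaluation and the offset-list above, as an added Python example (not the handbook's or FortiOS code): rules are tried top to bottom, the first match wins, no match means deny, and a rule either matches its prefix exactly or the prefix plus any more specific prefix. The constructed TEST_LIST mirrors test_list; DEPT_LIST, the route tables and the 16-hop cap on the offset are assumptions made for the example.

```python
import ipaddress

# Constructed equivalent of the handbook's "test_list": each rule carries a
# prefix, an action (permit/deny) and whether to match the prefix exactly.
TEST_LIST = [
    {"prefix": "10.10.10.10/32", "action": "permit", "exact_match": True},
    {"prefix": "11.11.11.11/32", "action": "permit", "exact_match": True},
]

# A constructed list using the "prefix and any more specific prefix" form,
# the kind of list that groups a whole department's subnets at once.
DEPT_LIST = [
    {"prefix": "10.20.0.0/16", "action": "permit", "exact_match": False},
]

RIP_INFINITY = 16  # hop count that RIP treats as unreachable


def rule_matches(rule, route):
    """Exact match: the route prefix equals the rule prefix.
    Otherwise: the route lies inside the rule prefix (equal or longer mask)."""
    net = ipaddress.ip_network(rule["prefix"])
    if rule["exact_match"]:
        return route == net
    return route.version == net.version and route.subnet_of(net)


def access_list_action(rules, route_text):
    """First matching rule, top to bottom, decides; no match means deny."""
    route = ipaddress.ip_network(route_text)
    for rule in rules:
        if rule_matches(rule, route):
            return rule["action"]
    return "deny"


def apply_offset_list(routes, rules, offset):
    """Add 'offset' hops to every route the access list permits, never
    exceeding 16 (the metric for unreachable). Mirrors the handbook's
    offset-list entry: direction in, interface port1, offset 3."""
    result = {}
    for prefix, hops in routes.items():
        if access_list_action(rules, prefix) == "permit":
            hops = min(hops + offset, RIP_INFINITY)
        result[prefix] = hops
    return result


if __name__ == "__main__":
    # Constructed routes as they might arrive in a RIP update on port1.
    incoming = {"10.10.10.10/32": 2, "10.10.20.0/24": 2, "11.11.11.11/32": 14}
    print(apply_offset_list(incoming, TEST_LIST, 3))
```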

How RIP works
As one of the original modern dynamic routing protocols, RIP is straightforward. Its
routing algorithm is not complex, there are some options to allow fine tuning, and it is
straightforward to configure RIP on FortiGate units.
From RFC 1058:
Distance vector algorithms are based on the exchange of only a small amount of
information. Each entity (gateway or host) that participates in the routing protocol is
assumed to keep information about all of the destinations within the system.
Generally, information about all entities connected to one network is summarized by a
single entry, which describes the route to all destinations on that network.
This section includes:
• RIP versus static routing
• RIP metric — hop count
• The Bellman–Ford routing algorithm
• Passive versus active RIP interfaces
• RIP packet structure

RIP versus static routing
RIP was one of the earliest dynamic routing protocols to work with IP addresses. As such,
it is not as complex as more recent protocols. However, RIP is a big step forward from
simple static routing.
While RIP may be slow in response to network outages, static routing has zero response.
The same is true for convergence — static routing has zero convergence. Both RIP and
static routing have the limited hop count, so it's not a strength or a weakness. Count to
infinity can be a problem, but typically can be fixed as it happens or is the result of a
network outage that would cause even worse problems on a static routing network.
Overall, RIP is a large step forward when compared to static routing.


RIP metric — hop count
RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents
a network that is connected directly to the FortiGate unit, while a hop count of 16
represents a network that cannot be reached. Each network that a packet travels through
to reach its destination usually counts as one hop. When the FortiGate unit compares two
routes to the same destination, it adds the route having the lowest hop count to the routing
table. As you can see in “RIP packet structure” on page 1105, the hop count is part of a
RIP v2 packet making it very important.
Similarly, when RIP is enabled on an interface, the FortiGate unit sends RIP responses to
neighboring routers on a regular basis. The updates provide information about the routes
in the FortiGate unit’s routing table, subject to the rules that you specify for advertising
those routes. You can specify how often the FortiGate unit sends updates, the period of
time a route can be kept in the routing table without being updated, and for routes that are
not updated regularly you can specify the period of time that the unit advertises a route as
unreachable before it is removed from the routing table.
If hops are weighted higher than one, it becomes very easy to reach the upper limit. This
higher weighting will effectively limit the size of your network depending on the numbers
used. Merely changing from the default of 1.0 to 1.5 will lower the effective hop count from
15 to 10. This is acceptable for smaller networks, but can be a problem as your network
expands over time.
In RIP, you can use the offset command to artificially increase the hop count of a route.
Doing this will make this route less preferred, and in turn it will get less traffic. Offsetting
routes is useful when you have network connections of different bandwidths, different
levels of reliability, or different costs. In each of these situations you still want the
redundancy of multiple route access, but you don’t want the bulk of your traffic using these
less preferred routes. For an example of RIP offset, see “Access Lists” on page 1099.

The Bellman–Ford routing algorithm
The routing algorithm used by RIP was first used in 1967 as the initial routing algorithm of
the ARPANET. The Bellman–Ford algorithm is distributed because it involves a number of
nodes (routers) within an Autonomous system, and consists of the following steps:
1 Each node calculates the distances between itself and all other nodes within the AS
and stores this information as a table.
2 Each node sends its table to all neighboring nodes.
3 When a node receives distance tables from its neighbors, it calculates the shortest
routes to all other nodes and updates its own table to reflect any changes.
To examine how this algorithm functions, consider a network with four routers, router1
through router4. The distance from router1 to router2 is 2 hops, from router1 to router3 is
3 hops, and from router2 to router3 is 4 hops. Router4 is connected only to router2 and
router3, each of those links being 2 hops.
1 Router1 finds the distances to the routers it is directly linked to: router2 is 2 hops and
router3 is 3 hops. Router1 has no route to router4.
2 Routers 2 through 4 do the same calculations from their own points of view.
3 Once router1 gets an update from router2 or router3, it learns their routes to router4. At
that point it has a route to router4 and installs it in its local table.
4 If router1 gets the update from router3 first, it installs a hop count of 5 (3 + 2) to reach
router4. When router2 sends its update, router1 switches to router2's shorter path of
4 hops (2 + 2). Future updates do not change this unless they offer fewer than 4 hops, or
the installed route goes down.

Figure 167: RIP algorithm example in 4 steps
(Link hop counts in the figure: router1-router2 = 2, router1-router3 = 3, router2-router3 = 4,
router2-router4 = 2, router3-router4 = 2.)
Step 1. Router1 finds the distance to other routers. It has no route to router4.
    Router1 table: distance to router2 = 2 hops, distance to router3 = 3 hops.
Step 2. All routers do the same as router1, and send out updates with the table of routes.
    Note that router1 and router4 do not update each other, but rely on router2 and router3
    to pass along updates.
Step 3. Each router looks at the updates it receives, and adds any new or shorter routes to
    its table.
    Router1 updated table: distance to router2 = 2 hops, distance to router3 = 3 hops,
    distance to router4 = 4 hops (via router2), distance to router4 = 5 hops (via router3).
Step 4. The shortest route to router4 is installed, and the other routes to router4 are
    removed from the table.
    Router1 updated table: distance to router2 = 2 hops, distance to router3 = 3 hops,
    distance to router4 = 4 hops.

The good part about the Bellman-Ford algorithm in RIP is that the router only uses the
information it needs from the update. If there are no newer, better routes than the ones the
router already has in its routing table, there is no need to change its routing table. And no
change means no additional update, so less traffic. But even when there is update traffic,
the RIP packets are very small so it takes many updates to affect overall network
bandwidth. For more information about RIP packets, see “RIP packet structure” on
page 1105.
The main disadvantage of the Bellman–Ford algorithm in RIP is that it doesn’t take
weightings into consideration. While it is possible to assign different weights to routes in
RIP, doing so severely limits the effective network size by reducing the hop count limit.
Also other dynamic routing protocols can take route qualities, such as reliability or delay,
into consideration to provide not only the physically shortest but also the fastest or more
reliable routes as you choose.
Another disadvantage of the Bellman-Ford algorithm is due to the slow updates passed
from one RIP router to the next. This results in a slow response to changes in the network
topology, which in turn results in more attempts to use routes that are down which wastes
time and network resources.

Passive versus active RIP interfaces
Normally the FortiGate unit's routing table is kept up to date by periodically asking the
neighbors for routes, and sending your routing updates out. This has the downside of
generating a lot of extra traffic for large networks. The solution to this problem is passive
interfaces.
A standard interface that supports RIP is active by default: it both sends and receives
updates by actively communicating with its neighbors. A passive RIP interface does not
send out updates; it just listens to the updates of other routers. This is useful for reducing
network traffic, and when there are redundant routers in the network that would be sending
out essentially the same updates all the time. It also means the FortiGate unit never
announces its routing table on that segment, which is a sensible default for interfaces that
face networks you do not control.
The following example shows how to create a passive RIP v2 interface on port1, using
MD5 authentication and a key-chain called passiveRIPv2 that has already been
configured. Note that in the CLI, you enable passive by disabling send-version2-broadcast.
To create a passive RIP interface - web-based manager
1 Go to Router > Dynamic Routing > RIP.
2 Under Interfaces, select Create New.
3 Select port1 as the Interface.
4 Select 2 as both the Send Version and Receive Version.
5 Select MD5 for Authentication.
6 Select the passiveRIPv2 Key-chain.
7 Select Passive Interface.
8 Select OK to accept this configuration, and return to the main RIP display page.

To create a passive RIP v2 interface on port1 using MD5 authentication- CLI
config router rip
    config interface
        edit port1
            set send-version2-broadcast disable
            set auth-keychain "passiveRIPv2"
            set auth-mode md5
            set receive-version 2
            set send-version 2
        end
end
The CLI commands associated with RIPng include:
config router rip
    config interface
        edit <interface>
            set send-version2-broadcast disable

RIP packet structure
It is hard to fully understand a routing protocol without knowing what information is carried
in its packets. Knowing what information is exchanged between routers and how will help
you better understand the RIP protocol, and better configure your network for it.
This section provides information on the contents of RIP 1 and RIP 2 packets.

RIP version 1
A RIP version 1 packet consists of a 4-byte header followed by one or more 20-byte route
entries, so a packet carrying a single route is 24 bytes. RFC 1058 allows up to 25 entries
per packet. The fields that must be zero were left for future expansion.
Table 79: RIP version 1 packet (header plus one route entry)
Offset  Length   Field
0       1 byte   command
1       1 byte   version
2       2 bytes  zero field
4       2 bytes  address family identifier (AFI)
6       2 bytes  zero field
8       4 bytes  IP address
12      4 bytes  zero field
16      4 bytes  zero field
20      4 bytes  metric
The following descriptions summarize the RIP version 1 packet fields.
Command — Indicates whether the packet is a request or a response. The request asks
that a router send all or part of its routing table. The response can be an unsolicited
regular routing update or a reply to a request. Responses contain routing table entries.
Multiple RIP packets are used to convey information from large routing tables.
Version — Specifies the RIP version used. This field can signal different potentially
incompatible versions.
Zero field — This field defaults to zero, and is not used by RFC 1058 RIP.
Address-family identifier (AFI) — Specifies the address family used. RIP is designed to
carry routing information for several different protocols. Each entry has an address-family
identifier to indicate the type of address being specified. The AFI for IP is 2.
IP Address — Specifies the IP address for the entry.
Metric — This is the number of hops or routers traversed along the route on its trip to the
destination. The metric is between 1 and 15 for that number of hops. If the route is
unreachable the metric is 16.

RIP version 2
RIP version 2 has more features than RIP 1 and this is reflected in its packets. RIP 2
packets have the same layout and size as RIP 1 packets, but carry more information: all
but one of the zero fields in RIP 1 packets now contain information.
Table 80: RIP version 2 packet (header plus one route entry)
Offset  Length   Field
0       1 byte   command
1       1 byte   version
2       2 bytes  unused
4       2 bytes  AFI
6       2 bytes  route tag
8       4 bytes  IP address
12      4 bytes  subnet mask
16      4 bytes  next hop
20      4 bytes  metric
The following descriptions summarize the fields RIP 2 adds to the RIP IP header. The
other fields have been described above for RIP 1.
Unused — Has a value set to zero, and is intended for future use
Route tag — Provides a method for distinguishing between internal routes learned by RIP
and external routes learned from other protocols.
Subnet mask — Contains the subnet mask for the entry. If this field is zero, no subnet
mask has been specified for the entry.
Next hop — Indicates the IP address of the next hop to which packets for the entry should
be forwarded.
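As an added example (not part of the handbook), the following Python builds and parses RIP version 1 and version 2 packets with the layouts of Tables 79 and 80, enforcing the must-be-zero fields of RIP 1 and the 1 to 16 metric range, and flagging metric 16 as unreachable. The passive-interface example above uses MD5 authentication; RIP 2 carries that as a special first entry with AFI 0xFFFF, which this parser detects and rejects rather than interprets. The sample prefixes and addresses in the demo are constructed.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# Field layout from RFC 1058 (RIP v1) and RFC 2453 (RIP v2): a 4-byte header
# followed by 20-byte route entries. Header + one entry = 24 bytes.
RIP_REQUEST, RIP_RESPONSE = 1, 2
AFI_IP = 2
AFI_AUTH = 0xFFFF          # RIPv2 authentication entry; recognised but not parsed here
RIP_INFINITY = 16          # metric meaning "unreachable"
HEADER_LEN, ENTRY_LEN = 4, 20
ENTRY_FMT = "!HH4s4s4sI"   # AFI, tag/zero, address, mask/zero, next hop/zero, metric


@dataclass
class RipEntry:
    afi: int
    address: str
    metric: int
    route_tag: int = 0                  # RIPv2 only; must be zero in RIPv1
    subnet_mask: Optional[str] = None   # RIPv2 only
    next_hop: Optional[str] = None      # RIPv2 only

    @property
    def unreachable(self) -> bool:
        return self.metric >= RIP_INFINITY


@dataclass
class RipPacket:
    command: int
    version: int
    entries: List[RipEntry]


def _packed(ip: Optional[str]) -> bytes:
    return IPv4Address(ip or "0.0.0.0").packed


def build(pkt: RipPacket) -> bytes:
    """Serialize a RIP packet; RIPv1 entries get zeroed tag, mask and next-hop fields."""
    if pkt.version not in (1, 2):
        raise ValueError("RIP version must be 1 or 2")
    out = struct.pack("!BBH", pkt.command, pkt.version, 0)
    for e in pkt.entries:
        if not 1 <= e.metric <= RIP_INFINITY:
            raise ValueError(f"metric {e.metric} outside 1..{RIP_INFINITY}")
        if pkt.version == 1:
            out += struct.pack(ENTRY_FMT, e.afi, 0, _packed(e.address), bytes(4), bytes(4), e.metric)
        else:
            out += struct.pack(ENTRY_FMT, e.afi, e.route_tag, _packed(e.address),
                               _packed(e.subnet_mask), _packed(e.next_hop), e.metric)
    return out


def parse(data: bytes) -> RipPacket:
    """Parse a RIP packet, rejecting bad lengths, bad metrics and RIPv1 non-zero fields."""
    if len(data) < HEADER_LEN or (len(data) - HEADER_LEN) % ENTRY_LEN:
        raise ValueError("length is not 4 + n*20 bytes")
    command, version, zero = struct.unpack("!BBH", data[:HEADER_LEN])
    if command not in (RIP_REQUEST, RIP_RESPONSE) or version not in (1, 2) or zero:
        raise ValueError("bad command, version or non-zero header field")
    entries = []
    for off in range(HEADER_LEN, len(data), ENTRY_LEN):
        afi, tag, addr, mask, nh, metric = struct.unpack(ENTRY_FMT, data[off:off + ENTRY_LEN])
        if afi == AFI_AUTH:
            raise ValueError("RIPv2 authentication entry not supported by this parser")
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError(f"metric {metric} outside 1..{RIP_INFINITY}")
        if version == 1:
            if tag or mask != bytes(4) or nh != bytes(4):
                raise ValueError("RIPv1 must-be-zero field is set")
            entries.append(RipEntry(afi, str(IPv4Address(addr)), metric))
        else:
            entries.append(RipEntry(afi, str(IPv4Address(addr)), metric, tag,
                                    str(IPv4Address(mask)), str(IPv4Address(nh))))
    return RipPacket(command, version, entries)


if __name__ == "__main__":
    # Constructed sample: a RIPv2 response carrying one reachable and one poisoned route.
    pkt = RipPacket(RIP_RESPONSE, 2, [
        RipEntry(AFI_IP, "10.11.101.0", 2, 0, "255.255.255.0", "0.0.0.0"),
        RipEntry(AFI_IP, "10.14.101.0", RIP_INFINITY, 0, "255.255.255.0", "0.0.0.0"),
    ])
    for e in parse(build(pkt)).entries:
        print(e.address, e.subnet_mask, "metric", e.metric, "UNREACHABLE" if e.unreachable else "")
```

The strict checks in parse are the point: a RIP listener that silently accepts a metric of 0 or a RIP 1 entry with data in the must-be-zero fields is accepting input the RFC says must be ignored, and that is exactly the kind of malformed update a passive interface is meant to only listen to, not act on.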

Troubleshooting RIP
This section is about troubleshooting RIP. For general troubleshooting information, see
“Troubleshooting” on page 1085.
This section includes:
• Routing Loops
• Split horizon and Poison reverse updates
• Debugging IPv6 on RIPng

Routing Loops
Normally in routing, a path between two addresses is chosen and traffic is routed along
that path from one address to the other. When there is a routing loop, that normal path
doubles back on itself creating a loop. When there are loops, the network has problems.
A routing loop happens when a normally functioning network has an outage, and one or
more routers are offline. When packets encounter this, an alternate route is attempted to
maneuver around the outage. During this phase it is possible for a route to be attempted
that involves going back a hop, and trying a different hop forward. If that hop forward is
blocked by the outage as well, a hop back and possibly the original hop forward may be
selected. You can see if this continues, how it can consume not only network bandwidth
but also many resources on those routers affected. The worst part is this situation will
continue until the network administrator changes the router settings, or the downed
routers come back online.

Routing loops’ effect on the network
In addition to this “traffic jam” of routed packets, every time the routing table for a router
changes, that router sends an update out to all of the RIP routers connected to it. In a
network loop, it is possible for a router to change its routes very quickly as it tries and fails
along these new routes. This can quickly result in a flood of updates being sent out, which
can effectively grind the network to a halt until the problem is fixed.

How can you spot a routing loop
Any time network traffic slows down, you will be asking yourself whether it is a routing loop
or not. Often slowdowns are normal: they are not a full stoppage, and normal traffic resumes
in a short period of time.
If the slowdown is a full halt of traffic, or a major slowdown that does not return to normal
quickly, you need to do serious troubleshooting quickly.
Some methods to troubleshoot your outage include:
• Check your logs
• Use SNMP network monitoring
• Use dead gateway detection and e-mail alerts
• Look at the packet flow

If you aren’t running SNMP, dead gateway detection, or you have non-Fortinet routers in
your network, you can use networking tools such as ping and traceroute to define the
outage on your network and begin to fix it. Ping, traceroute, and other basic
troubleshooting tools are covered in “Troubleshooting” on page 1085.

Check your logs
If your routers log events to a central location, it can be easy to check the logs for your
network for any outages.
On your FortiGate unit, go to Log & Report > Log Access. You will want to look at both
event logs and traffic logs. Events to look for will generally fall under CPU and memory
usage, interfaces going offline (due to dead gateway detection), and other similar system
events.
Once you have found and fixed your network problem, you can go back to the logs and
create a report to better see how things developed during the problem. This type of
forensics analysis can better help you prepare for next time.

Use SNMP network monitoring
If your network had no problems one minute and slows to a halt the next, chances are
something changed to cause that problem. Most of the time an offline router is the cause,
and once you find that router and bring it back online, things will return to normal.
If you can enable a monitoring protocol such as SNMP or sFlow on your routers, you can
be notified of the outage, and where it is exactly, as soon as it happens.
Ideally you can configure SNMP on all your FortiGate routers and be alerted to all outages
as they occur.

To use SNMP to detect potential routing loops
1 Go to System > Config > SNMP v1/v2c.
2 Select Enable SNMP, and Apply.
3 Optionally enter the Description, Location, and Contact information for this device for
easier location of the problem report.
4 Select Create New.
5 Enter a name for the community, such as routing loop monitor. SNMP v1/v2c community
strings are sent in cleartext and are the only access control, so do not use a guessable
name such as public.
6 Select the IP addresses and interfaces where you will be monitoring the FortiGate. You
can add up to 8 different addresses and interfaces. Restrict these to the addresses of
your SNMP managers rather than accepting queries from any host.
7 Ensure that UDP ports 161 (SNMP queries) and 162 (SNMP traps) are allowed through
your firewall policies.
8 Select the events you want to be notified of. For routing loops this should include CPU
Overusage, Memory Low, and possibly Log disk space low. If there are
problems the log will be filling up quickly, and the FortiGate unit's resources will be
overused.
9 Configure SNMP host (manager) software on your administration computer. This will
monitor the SNMP information sent out by the FortiGate unit. Typically you can
configure this software to alert you to outages or CPU spikes that may indicate a
routing loop.

Use dead gateway detection and e-mail alerts
Another tool available to you on FortiGate units is the dead gateway detection. This
feature allows the FortiGate unit to ping a gateway at regular intervals to ensure it is online
and working. When the gateway is not accessible, that interface is marked as down.
To detect possible routing loops with dead gateway detection and e-mail alerts
1 To configure dead gateway detection, go to System > Network > Options.
2 Set the detection interval (how often to send a ping), and fail-over detection (how many
lost pings before bringing the interface down). A smaller interval and smaller number of
lost pings will result in faster detection, but will create more traffic on your network.
3 To configure interface status change notification, go to Log & Report > Log Config >
Alert E-mail.
4 After you enter your email details, select the events you want to be alerted about; in
our case Configuration changes. You may also want to log CPU and Memory usage, as
a network outage will cause your CPU activity to spike.
Note: If you have VDOMs configured, you will have to enter the basic SMTP server
information in the Global section, and the rest of the configuration within the VDOM that
includes this interface.

After this configuration, when this interface on the FortiGate unit cannot connect to the
next router, the FortiGate unit will bring down the interface and alert you with an email to
the outage.

Look at the packet flow
If you want to see what is happening on your network, look at the packets travelling on the
network. This is same idea as police pulling over a car and asking the driver where they
have been, and what the conditions were like.

The method used in the troubleshooting sections “Debug the packet flow” on page 1087
and “Debugging IPv6 on RIPng” on page 1109 applies here as well. In this situation, you
are looking for routes with a metric of 16, the RIP “infinity” value: 15 is the maximum hop
count, so any metric above it means the route is unreachable.
Ideally, if you debug the flow of the packets and record the routes that are unreachable,
you can create an accurate picture of the network outage.

Action to take on discovering a routing loop
Once you have mapped the problem on your network, and determined it is in fact a routing
loop there are a number of steps to take in correcting it.
1 Get any offline routers back online. This may be a simple reboot, or you may have to
replace hardware. Often this first step will restore your network to its normal operation,
once the routing tables finish being updated.
2 Change your routing configuration on the edges of the outage. Even if step 1 brought
your network back online, you should consider making changes to improve your
network before the next outage occurs. These changes can include configuring
features like hold-down timers and triggered updates, split horizon, and poison reverse
updates.

Split horizon and Poison reverse updates
Split horizon is best explained with an example. You have three routers linked serially, call
them A, B, and C. A is linked only to B, C is linked only to B, and B is linked to both A and
C. To get to C, A must go through B. If the link between B and C goes down, B removes its
route to C, but A still advertises the route it learned from B (A-B-C). If B accepts that
advertisement, it installs a route to C through A while A's route still points back at B. The
two routers then forward packets for C back and forth, each update raising the metric by
one, until the metric reaches 16 and the route is finally dropped. This is the “count to
infinity” problem.
Split horizon is the rule that prevents it: a router never advertises a route back out the
interface it learned that route from. In the example, A does not advertise its route to C
back to B, because B is where that route came from, so B never installs the bogus path.
Poison reverse is a stronger form of split horizon. Instead of staying silent, the router does
advertise the route back to the neighbour it learned it from, but “poisons” it by marking it
unreachable. In RIP this means the route is sent with a metric of 16, so the neighbour can
discard a stale route immediately instead of waiting for it to time out.
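To make both the four-router example from “The Bellman–Ford routing algorithm” above and the split horizon discussion concrete, here is an added Python simulation (not code from the handbook or from FortiOS) of distance-vector exchange with the RIP hop limit of 16. It reproduces the figure (Router1 ends with router4 at 4 hops via Router2), then fails the B-C link in the A-B-C chain and shows count-to-infinity with plain updates versus immediate convergence with split horizon or poison reverse. Router names and link costs are the page's; the synchronous round scheduling and the 'plain', 'split' and 'poison' mode names are simplifications of this example.

```python
from typing import Dict, List, Optional, Tuple

INFINITY = 16  # RIP "unreachable" metric; 15 is the largest usable hop count

# routing table: destination -> (metric, next hop); next hop is None for self or unreachable
Table = Dict[str, Tuple[int, Optional[str]]]


class Router:
    def __init__(self, name: str, links: Dict[str, int]):
        self.name = name
        self.links = dict(links)                 # neighbour -> hop cost of the direct link
        self.table: Table = {name: (0, None)}
        for nb, cost in links.items():
            self.table[nb] = (cost, nb)

    def advertisement(self, to: str, mode: str) -> Dict[str, int]:
        """Routes sent to neighbour `to`. mode is 'plain' (send everything),
        'split' (split horizon) or 'poison' (split horizon with poison reverse)."""
        adv: Dict[str, int] = {}
        for dest, (metric, nh) in self.table.items():
            if nh == to and mode == "split":
                continue                          # never send a route back to where it came from
            adv[dest] = INFINITY if (nh == to and mode == "poison") else metric
        return adv

    def receive(self, frm: str, adv: Dict[str, int]) -> bool:
        """Bellman-Ford relaxation: install a shorter route, or follow a metric change
        reported by the current next hop even if it is worse. Returns True on change."""
        cost = self.links.get(frm)
        if cost is None:
            return False                          # update arrived over a link that is down
        changed = False
        for dest, metric in adv.items():
            new = min(metric + cost, INFINITY)
            cur_metric, cur_nh = self.table.get(dest, (INFINITY, None))
            if new < cur_metric or (cur_nh == frm and new != cur_metric):
                self.table[dest] = (new, frm if new < INFINITY else None)
                changed = True
        return changed


class Network:
    def __init__(self, links: List[Tuple[str, str, int]], mode: str = "plain"):
        adj: Dict[str, Dict[str, int]] = {}
        for a, b, cost in links:
            adj.setdefault(a, {})[b] = cost
            adj.setdefault(b, {})[a] = cost
        self.mode = mode
        self.routers = {name: Router(name, nbrs) for name, nbrs in adj.items()}

    def exchange(self) -> bool:
        """One update period: every router sends its advertisement to every neighbour."""
        advs = [(a, b, r.advertisement(b, self.mode))
                for a, r in self.routers.items() for b in r.links]
        changed = False
        for a, b, adv in advs:
            changed |= self.routers[b].receive(a, adv)
        return changed

    def converge(self, max_rounds: int = 64) -> int:
        """Exchange updates until nothing changes; return the number of rounds used."""
        for n in range(1, max_rounds + 1):
            if not self.exchange():
                return n
        return max_rounds

    def fail_link(self, a: str, b: str) -> None:
        """Take the a-b link down; every route through it becomes unreachable."""
        for x, y in ((a, b), (b, a)):
            r = self.routers[x]
            del r.links[y]
            for dest, (_, nh) in list(r.table.items()):
                if nh == y:
                    r.table[dest] = (INFINITY, None)


def four_router_example() -> Table:
    """The handbook's figure: Router1 should end with router4 at 4 hops via Router2."""
    net = Network([("Router1", "Router2", 2), ("Router1", "Router3", 3), ("Router2", "Router3", 4),
                   ("Router2", "Router4", 2), ("Router3", "Router4", 2)])
    net.converge()
    return net.routers["Router1"].table


def chain_failure(mode: str) -> Tuple[int, int, int]:
    """A-B-C chain, then the B-C link fails. Returns (rounds until stable,
    A's final metric to C, B's final metric to C)."""
    net = Network([("A", "B", 1), ("B", "C", 1)], mode)
    net.converge()
    net.fail_link("B", "C")
    rounds = net.converge()
    return rounds, net.routers["A"].table["C"][0], net.routers["B"].table["C"][0]


if __name__ == "__main__":
    print("Router1 table:", four_router_example())
    for mode in ("plain", "split", "poison"):
        rounds, a_c, b_c = chain_failure(mode)
        print(f"{mode:6}: {rounds:2} rounds until stable, A->C metric {a_c}, B->C metric {b_c}")
```

In 'plain' mode A and B hand the dead route back and forth, the metric climbing by one each period until it hits 16, which is the slow-convergence disadvantage described under the Bellman–Ford algorithm; with 'split' or 'poison' the route is gone after the first exchange.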

Debugging IPv6 on RIPng
The debug commands are very useful to see what is happening on the network at the
packet level. The basic debug commands are covered in “Debug the packet flow” on
page 1087, but there are a few changes when debugging IPv6.
The following CLI commands specify both IPv6 and RIP, so only RIPng packets will be
reported. The output from these commands will show you the RIPng traffic on your
FortiGate unit including RECV, SEND, and UPDATE actions.
The addresses are in IPv6 format.
FGT# diagnose debug enable
FGT# diagnose ipv6 router rip level info
FGT# diagnose ipv6 router rip all enable

These three commands will:
• turn on debugging in general
• set the debug level to information, a verbose reporting level
• turn on all RIPng router debug output

Part of the information displayed from the debugging is the metric (hop count). If the metric
is 16, then that destination is unreachable since the maximum hop count is 15.
In general, you should see an update announcement, followed by the routing table being
sent out, and a received reply in response.
For more information, see “Testing the IPv6 RIPng information” on page 1129.

RIP routing examples
This section contains the following RIP examples:
• Simple RIP example
• RIPng — RIP and IPv6

Simple RIP example
This is an example of a typical medium sized network configuration using RIP routing.
Your company has 3 small local networks, one for each department. These networks are
connected by RIP, and then connected to the Internet. Each subnet has more than one
route, for redundancy. There are two central routers that are both connected to the
internet, and to the other networks. If one of those routers goes down, the whole network
can continue to function normally.
The ISP is running RIP, so no importing or exporting of routes is required on the Internet
side of the network. However, since the internal networks use static routing, those static
routes will need to be redistributed into RIP.
To keep the example simple, there will be no authentication of router traffic. In a production
network you should enable MD5 authentication on every RIP interface, as in the passive
interface example earlier in this chapter, because an unauthenticated RIP router accepts
route updates from any host on the segment.
With RIP properly configured, if a router fails or temporarily goes offline, the routes will
change and traffic will continue to flow. RIP is good for a smaller network because it needs
little complex configuration.
This section includes the following topics:
• Network layout and assumptions
• General configuration steps
• Configuring the FortiGate units system information
• Configuring other networking devices
• Testing network configuration

Network layout and assumptions
Basic network layout
Your company has 3 departments each with their own network — Sales, R & D, and
Accounting. Each network has routers that are not running RIP as well as FortiGate units
running RIP.

The R & D network has two RIP routers, and each is connected to both other departments
as well as being connected to the Internet through the ISP router. The links to the Internet
are indicated in black.
The three internal networks do not run RIP. They use static routing because they are small
networks. This means the FortiGate units have to redistribute any static routes they learn
so that the internal networks can communicate with each other.
Where possible in this example, the default values will be used or the most general
settings. This is intended to provide an easier configuration that will require less
troubleshooting.
In this example the routers, networks, interfaces used, and IP addresses are as follows.
Note that the Interfaces that connect Router2 and Router3 also connect to the R & D
network.
Table 81: RIP example network topology
Network      Router    Interface & alias    IP address
Sales        Router1   port1 (internal)     10.11.101.101
                       port2 (router2)      10.11.201.101
                       port3 (router3)      10.11.202.101
R & D        Router2   port1 (internal)     10.12.101.102
                       port2 (router1)      10.11.201.102
                       port3 (router4)      10.14.201.102
                       port4 (ISP)          172.20.120.102
R & D        Router3   port1 (internal)     10.12.101.103
                       port2 (router1)      10.11.202.103
                       port3 (router4)      10.14.202.103
                       port4 (ISP)          172.20.120.103
Accounting   Router4   port1 (internal)     10.14.101.104
                       port2 (router2)      10.14.201.104
                       port3 (router3)      10.14.202.104
Each inter-router link is its own /24: Router1-Router2 on 10.11.201.0/24, Router1-Router3
on 10.11.202.0/24, Router2-Router4 on 10.14.201.0/24, and Router3-Router4 on
10.14.202.0/24, so each unit's static-route gateway is the peer's address on that link.

Figure 168: Network topology for the simple RIP example
(The figure shows the Internet behind the ISP router at 172.20.120.5, with RIP Router2 and
RIP Router3 each linked to the ISP router and to each other through the R & D Network,
RIP Router1 on the Sales Network linked to Router2 and Router3, and RIP Router4 on the
Accounting Network linked to Router2 and Router3.)

Assumptions
The following assumptions have been made concerning this example.
• All FortiGate units have 4.0 MR1 firmware, and are running factory default settings.
• All CLI and web-based manager navigation assumes the unit is running in NAT/Route
operating mode, with VDOMs disabled.
• All FortiGate units have interfaces labelled port1 through port4 as required.
• Firewall policies have been configured on each FortiGate unit to allow the required
traffic to flow across interfaces.
• Only FortiGate units are running RIP on the internal networks.
• Router2 and Router3 are connected through the internal network for R & D.
• Router2 and Router3 each have their own connection to the Internet, indicated in black
on Figure 168 on page 1112.
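Before typing interface and static-route settings into four units, it is worth checking that the plan is self-consistent. The following Python is an added check, not from the handbook, over the addresses of Table 81 and the default-route gateways used in the CLI procedures that follow: it verifies that the two ends of every inter-router link share a subnet, that every static-route gateway lies on the subnet of the interface the route is bound to, and that no address is used twice. The data is transcribed from the page, except that Router3's port2 is taken as 10.11.202.103 (the Router1-Router3 link subnet, which is also where Router1's second default-route gateway points). The alias-to-hostname mapping (alias "router2" means the unit named Router2) is an assumption of the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# (alias, address/prefix) per port, transcribed from Table 81 of the handbook.
INTERFACES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "Router1": {"port1": ("internal", "10.11.101.101/24"),
                "port2": ("router2", "10.11.201.101/24"),
                "port3": ("router3", "10.11.202.101/24")},
    "Router2": {"port1": ("internal", "10.12.101.102/24"),
                "port2": ("router1", "10.11.201.102/24"),
                "port3": ("router4", "10.14.201.102/24"),
                "port4": ("ISP", "172.20.120.102/24")},
    "Router3": {"port1": ("internal", "10.12.101.103/24"),
                "port2": ("router1", "10.11.202.103/24"),   # assumed; see the lead-in
                "port3": ("router4", "10.14.202.103/24"),
                "port4": ("ISP", "172.20.120.103/24")},
    "Router4": {"port1": ("internal", "10.14.101.104/24"),
                "port2": ("router2", "10.14.201.104/24"),
                "port3": ("router3", "10.14.202.104/24")},
}

# Default routes as (device, gateway), from the CLI procedures in this example.
STATIC_ROUTES: Dict[str, List[Tuple[str, str]]] = {
    "Router1": [("port2", "10.11.201.102"), ("port3", "10.11.202.103")],
    "Router2": [("port4", "172.20.120.5")],
    "Router3": [("port4", "172.20.120.5")],
    "Router4": [("port2", "10.14.201.102"), ("port3", "10.14.202.103")],
}


def check_links(ifaces: Dict[str, Dict[str, Tuple[str, str]]]) -> List[str]:
    """A port whose alias names another router must share a subnet with that router's
    port that points back at us (assumption: alias 'router2' means hostname 'Router2')."""
    problems = []
    for router, ports in ifaces.items():
        for port, (alias, cidr) in ports.items():
            peer = alias.capitalize()
            if peer not in ifaces:
                continue                      # 'internal' and 'ISP' have no peer in the table
            net = ipaddress.ip_interface(cidr).network
            back = [(p, c) for p, (a, c) in ifaces[peer].items() if a.lower() == router.lower()]
            if not back:
                problems.append(f"{peer} has no interface pointing back at {router}")
            for p, c in back:
                if ipaddress.ip_interface(c).network != net:
                    problems.append(f"{router} {port} {cidr} and {peer} {p} {c} are on different subnets")
    return problems


def check_gateways(ifaces, routes: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """A static route's gateway must be directly reachable on the device it is bound to."""
    problems = []
    for router, entries in routes.items():
        for device, gw in entries:
            _, cidr = ifaces[router][device]
            if ipaddress.ip_address(gw) not in ipaddress.ip_interface(cidr).network:
                problems.append(f"{router}: gateway {gw} is not on {device} ({cidr})")
    return problems


def check_duplicates(ifaces) -> List[str]:
    """No address may be assigned twice across the whole topology."""
    seen: Dict[ipaddress.IPv4Address, str] = {}
    problems = []
    for router, ports in ifaces.items():
        for port, (_, cidr) in ports.items():
            ip = ipaddress.ip_interface(cidr).ip
            if ip in seen:
                problems.append(f"{ip} used by both {seen[ip]} and {router} {port}")
            seen[ip] = f"{router} {port}"
    return problems


def check_all(ifaces=INTERFACES, routes=STATIC_ROUTES) -> List[str]:
    return check_links(ifaces) + check_gateways(ifaces, routes) + check_duplicates(ifaces)


if __name__ == "__main__":
    for line in check_all() or ["topology is consistent"]:
        print(line)
```

Running the same checks against a plan that gives Router1 a default route through port2 to the ISP router at 172.20.120.5 reports the gateway as unreachable, which is the class of mistake that otherwise only shows up as a route that never becomes active.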

General configuration steps
This example is very straightforward. The only steps involved are:
• Configuring the FortiGate units system information
• Configuring FortiGate unit RIP router information
• Configuring other networking devices
• Testing network configuration

Configuring the FortiGate units system information
Each FortiGate unit needs its hostname and interfaces configured.
For IP numbering, Router2 and Router3 use the other routers' numbering where needed.

Router2 and Router3 have dead gateway detection enabled on the ISP interfaces using
Ping. Remember to contact the ISP and confirm that their gateway responds to ping.

Configure the hostname, interfaces, and default route
To configure Router1 system information - web-based manager
1 Go to System > Status > Dashboard > System Information.
2 Next to Host Name select Change, and enter “Router1”.
3 Go to Router > Static.
4 Edit the default route and enter the following information:
    Destination IP/Mask    0.0.0.0/0.0.0.0
    Device                 port2 (router2)
    Gateway                10.11.201.102
    Distance               45
5 Enter a second default route and enter the following information:
    Destination IP/Mask    0.0.0.0/0.0.0.0
    Device                 port3 (router3)
    Gateway                10.11.202.103
    Distance               45
The gateway of each route is the next-hop router's address on the link the route is bound
to. Router1 has no interface on the ISP network, so the ISP router at 172.20.120.5 cannot
be its gateway; Router1 reaches the Internet through Router2 or Router3.
6 Go to System > Network > Interface.
7 Edit port1 (internal) interface.
8 Set the following information, and select OK.
    Alias                  internal
    IP/Netmask             10.11.101.101/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Description            Internal sales network
    Administrative Status  Up
9 Edit port2 (router2) interface.
10 Set the following information, and select OK.
    Alias                  router2
    IP/Netmask             10.11.201.101/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Description            Link to R & D network & internet through Router2
    Administrative Status  Up
11 Edit port3 (router3) interface.
12 Set the following information, and select OK.
    Alias                  router3
    IP/Netmask             10.11.202.101/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Description            Link to R & D network and internet through Router3
    Administrative Status  Up

To configure Router1 system information - CLI
config system global
    set hostname Router1
end
config router static
    edit 1
        set device "port2"
        set distance 45
        set gateway 10.11.201.102
    next
    edit 2
        set device "port3"
        set distance 45
        set gateway 10.11.202.103
    next
end
config system interface
    edit port1
        set alias internal
        set ip 10.11.101.101/255.255.255.0
        set allowaccess https ssh ping
        set description "Internal sales network"
    next
    edit port2
        set alias router2
        set ip 10.11.201.101/255.255.255.0
        set allowaccess https ssh ping
        set description "Link to R & D network & internet through Router2"
    next
    edit port3
        set alias router3
        set ip 10.11.202.101/255.255.255.0
        set allowaccess https ssh ping
        set description "Link to R & D network & internet through Router3"
    next
end

To configure Router2 system information - web-based manager
1 Go to System > Status > Dashboard > System Information.
2 Next to Host Name select Change, and enter “Router2”.
3 Go to Router > Static.
4 Edit the default route and enter the following information:
    Destination IP/Mask    0.0.0.0/0.0.0.0
    Device                 port4 (ISP)
    Gateway                172.20.120.5
    Distance               5
5 Go to System > Network > Interface.
6 Edit port1 (internal) interface.
7 Set the following information, and select OK.
    Alias                  internal
    IP/Netmask             10.12.101.102/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Description            R & D internal network and Router3
    Administrative Status  Up
8 Edit port2 (router1) interface.
9 Set the following information, and select OK.
    Alias                  router1
    IP/Netmask             10.11.201.102/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Description            Link to Router1 and the Sales network
    Administrative Status  Up
10 Edit port3 (router4) interface.
11 Set the following information, and select OK.
    Alias                  router4
    IP/Netmask             10.14.201.102/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Description            Link to Router4 and the accounting network
    Administrative Status  Up
12 Edit port4 (ISP) interface.
13 Set the following information, and select OK.
    Alias                  ISP
    IP/Netmask             172.20.120.102/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Detect Interface Status for Gateway Load Balancing   enable
    Detect Server          172.20.120.5
    Detect Protocol        Ping
    Description            Internet through ISP
    Administrative Status  Up

To configure Router2 system information - CLI
config system global
    set hostname Router2
end
config router static
    edit 1
        set device "port4"
        set distance 5
        set gateway 172.20.120.5
    next
end
config system interface
    edit port1
        set alias internal
        set ip 10.12.101.102/255.255.255.0
        set allowaccess https ssh ping
        set description "Internal RnD network and Router3"
    next
    edit port2
        set alias router1
        set ip 10.11.201.102/255.255.255.0
        set allowaccess https ssh ping
        set description "Link to Router1"
    next
    edit port3
        set alias router4
        set ip 10.14.201.102/255.255.255.0
        set allowaccess https ssh ping
        set description "Link to Router4"
    next
    edit port4
        set alias ISP
        set ip 172.20.120.102/255.255.255.0
        set allowaccess https ssh ping
        set description "ISP and internet"
    next
end

To configure Router3 system information - web-based manager
1 Go to System > Status > Dashboard > System Information.
2 Next to Host Name select Change, and enter “Router3”.
3 Go to Router > Static.
4 Edit the default route and enter the following information:
    Destination IP/Mask    0.0.0.0/0.0.0.0
    Device                 port4 (ISP)
    Gateway                172.20.120.5
    Distance               5
5 Go to System > Network > Interface.
6 Edit port1 (internal) interface.
7 Set the following information, and select OK.
    Alias                  internal
    IP/Netmask             10.12.101.103/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Description            R & D internal network and Router2
    Administrative Status  Up
8 Edit port2 (router1) interface.
9 Set the following information, and select OK.
    Alias                  router1
    IP/Netmask             10.11.202.103/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Description            Link to Router1 and Sales network
    Administrative Status  Up
10 Edit port3 (router4) interface.
11 Set the following information, and select OK.
    Alias                  router4
    IP/Netmask             10.14.202.103/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Description            Link to Router4 and accounting network
    Administrative Status  Up
12 Edit port4 (ISP) interface.
13 Set the following information, and select OK.
    Alias                  ISP
    IP/Netmask             172.20.120.103/255.255.255.0
    Administrative Access  HTTPS SSH PING
    Detect Interface Status for Gateway Load Balancing   enable
    Detect Server          172.20.120.5
    Detect Protocol        Ping
    Description            Internet and ISP
    Administrative Status  Up

To configure Router3 system information - CLI
config system global
    set hostname Router3
end
config router static
    edit 1
        set device "port4"
        set distance 5
        set gateway 172.20.120.5
    next
end
config system interface
    edit port1
        set alias internal
        set ip 10.12.101.103/255.255.255.0
        set allowaccess https ssh ping
        set description "Internal RnD network and Router2"
    next
    edit port2
        set alias router1
        set ip 10.11.202.103/255.255.255.0
        set allowaccess https ssh ping
        set description "Link to Router1"
    next
    edit port3
        set alias router4
        set ip 10.14.202.103/255.255.255.0
        set allowaccess https ssh ping
        set description "Link to Router4"
    next
    edit port4
        set alias ISP
        set ip 172.20.120.103/255.255.255.0
        set allowaccess https ssh ping
        set description "ISP and internet"
    next
end

To configure Router4 system information - web-based manager
1 Go to System > Status > Dashboard > System Information.
2 Next to Host Name select Change, and enter “Router4”.
3 Go to Router > Static.
4 Edit the default route and enter the following information:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: port2 (router2)
Gateway: 172.20.120.5/255.255.255.0
Distance: 40

5 Enter a second default route and enter the following information:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: port3 (router3)
Gateway: 172.20.120.5/255.255.255.0
Distance: 40

6 Go to System > Network > Interface.
7 Edit port1 (internal) interface.
8 Set the following information, and select OK.
Alias: internal
IP/Netmask: 10.14.101.104/255.255.255.0
Administrative Access: HTTPS SSH PING
Description: Internal accounting network
Administrative Status: Up

9 Edit port2 (router2) interface.
10 Set the following information, and select OK.
Alias: router2
IP/Netmask: 10.14.201.104/255.255.255.0
Administrative Access: HTTPS SSH PING
Description: Link to R & D network & internet through Router2
Administrative Status: Up

11 Edit port3 (router3) interface.
12 Set the following information, and select OK.
Alias: router3
IP/Netmask: 10.14.301.104/255.255.255.0
Administrative Access: HTTPS SSH PING
Description: Link to R & D network and internet through Router3
Administrative Status: Up


To configure Router4 system information - CLI
config system global
    set hostname Router4
end
config router static
    edit 1
        set device "port2"
        set distance 45
        set gateway 10.14.201.102
    next
    edit 2
        set device "port3"
        set distance 45
        set gateway 10.14.202.103
    next
end
config system interface
    edit port1
        set alias internal
        set ip 10.14.101.104/255.255.255.0
        set allowaccess https ssh ping
        set description "Internal accounting network"
    next
    edit port2
        set alias router2
        set allowaccess https ssh ping
        set ip 10.14.201.104/255.255.255.0
        set description "Link to R & D network & internet through Router2"
    next
    edit port3
        set alias router3
        set ip 10.14.202.104/255.255.255.0
        set allowaccess https ssh ping
        set description "Link to R & D network & internet through Router3"
    next
end

Configuring FortiGate unit RIP router information
With the interfaces configured, RIP can now be configured on the FortiGate units.
This includes the following steps:
• configure the RIP version used
• redistribute static networks
• add the networks serviced by RIP
• add the interfaces that support RIP on the FortiGate unit

Router1 and Router4 are configured the same. Router2 and Router3 are configured the
same. These routers will be grouped accordingly for the following procedures — repeat
the procedures once for each FortiGate unit.


Configure RIP settings on Router1 and Router4 - web-based manager
1 Go to Router > Dynamic > RIP.
2 Select 2 for RIP Version.
3 In Advanced Options, under Redistribute enable Static.
4 Leave the other Advanced Options at default values.
5 Enter the following networks, and select Add after each:
• 10.11.0.0/255.255.0.0
• 10.12.0.0/255.255.0.0
• 10.14.0.0/255.255.0.0
• 172.20.120.0/255.255.255.0
6 For interface, select Create New and set the following information.
Interface: port1 (internal)
Send Version: Both
Receive Version: Both
Authentication: None
Passive Interface: disabled

7 For interface, select Create New and set the following information.
Interface: port2 (router2)
Send Version: Both
Receive Version: Both
Authentication: None
Passive Interface: disabled

8 For interface, select Create New and set the following information.
Interface: port3 (router3)
Send Version: Both
Receive Version: Both
Authentication: None
Passive Interface: disabled

Configure RIP settings on Router1 and Router4 - CLI
config router rip
    set version 2
    config interface
        edit "port1"
            set receive-version 1 2
            set send-version 1 2
        next
        edit "port2"
            set receive-version 1 2
            set send-version 1 2
        next
        edit "port3"
            set receive-version 1 2
            set send-version 1 2
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0 255.255.0.0
        next
        edit 2
            set prefix 10.12.0.0 255.255.0.0
        next
        edit 3
            set prefix 10.14.0.0 255.255.0.0
        next
        edit 4
            set prefix 172.20.120.0 255.255.255.0
        next
    end
    config redistribute "static"
        set status enable
    end
end
Configure RIP settings on Router2 and Router3 - web-based manager
1 Go to Router > Dynamic > RIP.
2 Select 2 for RIP Version.
3 In Advanced Options, under Redistribute enable Static.
4 Leave the other Advanced Options at default values.
5 Enter the following networks, and select Add after each:
• 10.11.0.0/255.255.0.0
• 10.12.0.0/255.255.0.0
• 10.14.0.0/255.255.0.0
• 172.20.120.0/255.255.255.0
6 For interface, select Create New and set the following information.
Interface: port1 (internal)
Send Version: Both
Receive Version: Both
Authentication: None
Passive Interface: disabled

7 For interface, select Create New and set the following information.
Interface: port2 (router1)
Send Version: Both
Receive Version: Both
Authentication: None
Passive Interface: disabled

8 For interface, select Create New and set the following information.
Interface: port3 (router4)
Send Version: Both
Receive Version: Both
Authentication: None
Passive Interface: disabled

9 For interface, select Create New and set the following information.
Interface: port4 (ISP)
Send Version: Both
Receive Version: Both
Authentication: None
Passive Interface: disabled

Configure RIP settings on Router2 and Router3 - CLI
config router rip
    set version 2
    config interface
        edit "port1"
            set receive-version 1 2
            set send-version 1 2
        next
        edit "port2"
            set receive-version 1 2
            set send-version 1 2
        next
        edit "port3"
            set receive-version 1 2
            set send-version 1 2
        next
        edit "port4"
            set receive-version 1 2
            set send-version 1 2
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0 255.255.0.0
        next
        edit 2
            set prefix 10.12.0.0 255.255.0.0
        next
        edit 3
            set prefix 10.14.0.0 255.255.0.0
        next
        edit 4
            set prefix 172.20.120.0 255.255.255.0
        next
    end
    config redistribute "static"
        set status enable
    end
end
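
The RIP interfaces in this example are created with Authentication set to None, and the ISP-facing port4 keeps HTTPS and SSH administrative access, which is worth catching before the configuration reaches a unit that peers with an external router. The following added example (not code from the FortiOS Handbook or from Fortinet) parses FortiOS-style config text into a tree and reports those two settings, printing the weak configuration beside a hardened one. The auth-mode/auth-string keys under config router rip > config interface and the config passive-interface table are assumed from the FortiOS CLI reference and should be verified on your firmware; the sample configurations and the shared-secret value are constructed.

```python
"""Lint FortiOS-style RIP and interface configuration text for weak settings.

Added example, not code from the FortiOS Handbook or from Fortinet. The keys
auth-mode/auth-string under "config router rip > config interface" and the
"config passive-interface" table are assumed from the FortiOS CLI reference;
verify them on your firmware before relying on this check.
"""

# Constructed sample modelled on the handbook's Router2/Router3 CLI: RIP with
# no authentication and management services reachable on the ISP link.
WEAK_CONFIG = """\
config system interface
    edit port1
        set alias internal
        set allowaccess https ssh ping
    next
    edit port4
        set alias ISP
        set allowaccess https ssh ping
    next
end
config router rip
    set version 2
    config interface
        edit "port1"
            set receive-version 1 2
            set send-version 1 2
        next
        edit "port4"
            set receive-version 1 2
            set send-version 1 2
        next
    end
end
"""

# The same topology with the findings addressed (constructed; the shared
# secret is a placeholder, not a real value).
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "set alias ISP\n        set allowaccess https ssh ping",
    "set alias ISP\n        set allowaccess ping",
).replace(
    "set receive-version 1 2\n            set send-version 1 2",
    'set auth-mode md5\n            set auth-string "SECRET-PLACEHOLDER"',
)

MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts.

    Every node is {"settings": {key: value}, "children": {name: node}};
    "end" closes the enclosing config table even when issued inside an edit.
    """
    root = {"settings": {}, "children": {}}
    stack = [("root", root)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        if cmd in ("config", "edit"):
            node = {"settings": {}, "children": {}}
            stack[-1][1]["children"][rest.strip().strip('"')] = node
            stack.append((cmd, node))
        elif cmd == "set":
            key, _, value = rest.strip().partition(" ")
            stack[-1][1]["settings"][key] = value.strip()
        elif cmd == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":
            while stack[-1][0] == "edit":
                stack.pop()
            if stack[-1][0] == "config":
                stack.pop()
    return root


def lint_rip(cfg):
    """Return (interface, message) pairs for RIP and admin-access settings."""
    findings = []
    ifaces = cfg["children"].get("system interface", {}).get("children", {})
    rip = cfg["children"].get("router rip", {}).get("children", {})
    rip_ifaces = rip.get("interface", {}).get("children", {})
    passive = set(rip.get("passive-interface", {}).get("children", {}))
    # Assumption: an interface whose alias is "ISP" faces an untrusted network.
    external = {n for n, e in ifaces.items()
                if e["settings"].get("alias", "").lower() == "isp"}
    for name, entry in ifaces.items():
        exposed = set(entry["settings"].get("allowaccess", "").split()) & MGMT_SERVICES
        if name in external and exposed:
            findings.append((name, "management access (%s) enabled on external "
                                   "interface" % ", ".join(sorted(exposed))))
    for name, entry in rip_ifaces.items():
        # A passive interface still listens, so authentication matters there too.
        mode = entry["settings"].get("auth-mode", "none")
        if mode != "md5":
            findings.append((name, "RIP auth-mode is %s (expected md5)" % mode))
        if name in external and name not in passive:
            findings.append((name, "RIP peering on external interface; confirm "
                                   "the ISP authenticates its updates"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for iface, msg in lint_rip(parse_fortios(text)):
            print("  %-6s %s" % (iface, msg))
```

Run against the weak sample the linter reports four findings (management access on port4, unauthenticated RIP on port1 and port4, and the external RIP peering on port4); the hardened sample leaves only the external-peering note, which is a reminder to agree authentication with the ISP rather than something the local configuration can fix on its own. The parser accepts the indented form that `show` prints as well as the unindented form the handbook uses.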

Configuring other networking devices
In this example there are two groups of other devices on the network — internal
devices, and the ISP.

The first is the internal network devices on the Sales, R & D, and Accounting networks. This
includes simple static routers, computers, printers and other network devices. Once the
FortiGate units are configured, the internal static routers need to be configured using the
internal network IP addresses. Otherwise there should be no configuration required.
The second group of devices is the ISP. This consists of the RIP router that FortiGate
routers 2 and 3 connect to. You need to contact your ISP and ensure they have your
information for your network such as the IP addresses of the connecting RIP routers, what
version of RIP your network supports, and what authentication (if any) is used.

Testing network configuration
Once the network has been configured, you need to test that it works as expected.
The two series of tests you need to run are to test the internal networks can communicate
with each other, and that the internal networks can reach the internet.
Use ping, traceroute, and other networking tools to run these tests.
If you encounter problems, for troubleshooting help consult “Troubleshooting RIP” on
page 1106, and the general “Troubleshooting” on page 1085.

RIPng — RIP and IPv6
RIP next generation, or RIPng, is the version of RIP that supports IPv6.
This is an example of a typical small network configuration using RIPng routing.
Your internal R & D network is working on a project for a large international telecom
company that uses IPv6. For this reason, you have to run IPv6 on your internal network
and you have decided to use only IPv6 addresses.
Your network has two FortiGate units running the RIPng dynamic routing protocol. Both
FortiGate units are connected to the ISP router and the internal network. This
configuration provides some redundancy for the R & D internal network enabling it to reach
the internet at all times.
This section includes the following topics:
• Network layout and assumptions
• General configuration steps
• Configuring the FortiGate units system information
• Configuring other networking devices
• Testing network configuration

Network layout and assumptions
Basic network layout
Your internal R & D network is working on a project for a large international telecom
company that uses IPv6. For this reason, you have to run IPv6 on your internal network
and you have decided to use only IPv6 addresses.
Your network has two FortiGate units running the RIPng dynamic routing protocol. Both
FortiGate units are connected to the ISP router and the internal network. This
configuration provides some redundancy for the R & D internal network enabling it to reach
the internet at all times.
All internal computers use RIP routing, so no static routing is required, and all internal
computers use IPv6 addresses.


Where possible in this example, the default values will be used or the most general
settings. This is intended to provide an easier configuration that will require less
troubleshooting.
In this example the routers, networks, interfaces used, and IP addresses are as follows.
Table 82: RIP example network topology
Network   Router    Interface & Alias   IPv6 address
R & D     Router1   port1 (internal)    2002:A0B:6565:0:0:0:0:0
                    port2 (ISP)         2002:AC14:7865:0:0:0:0:0
          Router2   port1 (internal)    2002:A0B:6566:0:0:0:0:0
                    port2 (ISP)         2002:AC14:7866:0:0:0:0:0

Figure 169: Network topology for the IPv6 RIPng example (diagram: Internet; ISP router 2002:AC14:7805::; RIP Router1 and RIP Router2; R & D internal network)

Assumptions
The following assumptions have been made concerning this example.
• All FortiGate units have 4.0 MR1 firmware, and are running factory default settings.
• All CLI and web-based manager navigation assumes the unit is running in NAT/Route operating mode, with VDOMs disabled.
• All FortiGate units have interfaces labelled port1 and port2 as required.
• All firewalls have been configured for each FortiGate unit to allow the required traffic to flow across interfaces.
• All network devices support IPv6 and are running RIPng.


General configuration steps
This example is very straightforward. The only steps involved are:
• Configuring the FortiGate units system information
• Configuring RIPng on FortiGate units
• Configuring other network devices
• Testing the configuration

Configuring the FortiGate units system information
Each FortiGate unit needs IPv6 enabled, a new hostname, and interfaces configured.
To configure system information on Router1 - web-based manager
1 Go to System > Status > Dashboard.
2 For Host name, select Change.
3 Enter “Router1”.
4 Go to System > Admin > Settings.
5 Enable IPv6 Support on GUI, and select Apply.
6 Go to System > Network > Interface.
7 Edit port1 (internal) interface.
8 Set the following information, and select OK.
Alias: internal
IP/Netmask: 2002:A0B:6565::/0
Administrative Access: HTTPS SSH PING
Description: Internal RnD network
Administrative Status: Up

9 Edit port2 (ISP) interface.
10 Set the following information, and select OK.
Alias: ISP
IP/Netmask: 2002:AC14:7865::/0
Administrative Access: HTTPS SSH PING
Description: ISP and internet
Administrative Status: Up

To configure system information on Router1 - CLI
config system global
    set hostname Router1
    set gui-ipv6 enable
end
config system interface
    edit port1
        set alias internal
        set allowaccess https ping ssh
        set description "Internal RnD network"
        config ipv6
            set ip6-address 2002:a0b:6565::/0
        end
    next
    edit port2
        set alias ISP
        set allowaccess https ping ssh
        set description "ISP and internet"
        config ipv6
            set ip6-address 2002:AC14:7865::/0
        end
    next
end

To configure system information on Router2 - web-based manager
1 Go to System > Status > Dashboard.
2 For Host name, select Change.
3 Enter “Router2”.
4 Go to System > Admin > Settings.
5 Enable IPv6 Support on GUI, and select Apply.
6 Go to System > Network > Interface.
7 Edit port1 (internal) interface.
8 Set the following information, and select OK.
Alias: internal
IP/Netmask: 2002:A0B:6566::/0
Administrative Access: HTTPS SSH PING
Description: Internal RnD network
Administrative Status: Up

9 Edit port2 (ISP) interface.
10 Set the following information, and select OK.
Alias: ISP
IP/Netmask: 2002:AC14:7866::/0
Administrative Access: HTTPS SSH PING
Description: ISP and internet
Administrative Status: Up


To configure system information on Router2 - CLI
config system global
    set hostname Router2
    set gui-ipv6 enable
end
config system interface
    edit port1
        set alias internal
        set allowaccess https ping ssh
        set description "Internal RnD network"
        config ipv6
            set ip6-address 2002:a0b:6566::/0
        end
    next
    edit port2
        set alias ISP
        set allowaccess https ping ssh
        set description "ISP and internet"
        config ipv6
            set ip6-address 2002:AC14:7866::/0
        end
    next
end

Configuring RIPng on FortiGate units
Now that the interfaces are configured, you can configure RIPng on the FortiGate units.
There are only two networks and two interfaces to include — the internal network, and the
ISP network. There is no redistribution, and no authentication. In RIPng there is no
specific command to include a subnet in the RIP broadcasts. There is also no information
required for the interfaces beyond including their name.
As this is a CLI-only configuration, configure the ISP router and the other FortiGate unit as
neighbors. This was not part of the previous example because this feature is not offered in
the web-based manager. Declaring neighbors in the configuration like this reduces the
discovery traffic when the routers start up.
Since RIPng is not supported in the web-based manager, this section is entered only in
the CLI.
To configure RIPng on Router1 - CLI
config router ripng
    config interface
        edit port1
        next
        edit port2
        next
    end
    config neighbor
        edit 1
            set interface port1
            set ipv6 2002:a0b:6566::/0
        next
        edit 2
            set interface port2
            set ipv6 2002:AC14:7805::/0
        next
    end
end


To configure RIPng on Router2 - CLI
config router ripng
    config interface
        edit port1
        next
        edit port2
        next
    end
    config neighbor
        edit 1
            set interface port1
            set ipv6 2002:a0b:6565::/0
        next
        edit 2
            set interface port2
            set ipv6 2002:AC14:7805::/0
        next
    end
end

Configuring other network devices
The other devices on the internal network all support IPv6, and are running RIPng where
applicable. They only need to know the internal interface network addresses of the
FortiGate units.
The ISP routers need to know the FortiGate unit information such as IPv6 addresses.

Testing the configuration
In addition to normal testing of your network configuration, you must also test the IPv6 part
of this example.
For troubleshooting problems with your network, see “Troubleshooting” on page 1085.
For troubleshooting problems with RIP, see “Troubleshooting RIP” on page 1106.
Use the following section for testing and troubleshooting RIPng.

Testing the IPv6 RIPng information
There are some commands to use when checking that your RIPng information is correct
on your network. These are useful to check on your RIPng FortiGate units on your
network. Comparing the output between devices will help you understand your network
better, and also track down any problems.
FGT# diagnose ipv6 address list
View the local scope IPv6 addresses used as next-hops by RIPng on the FortiGate
unit.
FGT# diagnose ipv6 route list
View IPv6 addresses that are installed in the routing table.
FGT# get router info6 routing-table
View the routing table. This information is almost the same as the previous command
(diagnose ipv6 route list) however it is presented in an easier to read format.
FGT# get router info6 rip interface external
View brief output on the RIP information for the interface listed. The information
includes whether the interface is up or down, what routing protocol is being used, and
whether passive interface or split horizon are enabled.
FGT# get router info6 neighbor-cache list
View the IPv6/MAC address mapping. This also displays the interface index and name
associated with the address.


Border Gateway Protocol (BGP)
This section describes Border Gateway Protocol (BGP).
The following topics are included in this section:
• BGP background and concepts
• Troubleshooting BGP
• BGP routing examples

BGP background and concepts
The border gateway protocol contains two distinct subsets — internal BGP (iBGP) and
external BGP (eBGP). iBGP is intended for use within your own networks. eBGP is used
to connect many different networks together, and is the main routing protocol for the
Internet backbone. FortiGate units support iBGP, and eBGP only for communities.
The following topics are included in this section:
• Background
• Parts and terminology of BGP
• How BGP works

Background
BGP was first used in 1989. The current version, BGP-4, was released in 1995 and is
defined in RFC 1771. That RFC has since been replaced by the more recent RFC 4271.
The main benefits of BGP-4 are classless inter-domain routing, and aggregate routes.
BGP is the only routing protocol to use TCP for a transport protocol. Other routing
protocols use UDP.
BGP makes routing decisions based on path, network policies and rulesets instead of the
hop-count metric as RIP does, or cost-factor metrics as OSPF does.
BGP-4+ supports IPv6. It was introduced in RFC 2858 and RFC 2545. BGP-4+ also
supports
BGP is the routing protocol used on the Internet. It was designed to replace the old
Exterior Gateway Protocol (EGP) which had been around since 1982, and was very
limited. In doing so, BGP enabled more networks to take part in the Internet backbone to
effectively decentralize it and make the Internet more robust, and less dependent on a
single ISP or backbone network.

Parts and terminology of BGP
In a BGP network, there are some terms that need to be explained before going ahead.
Some parts of BGP are not explained here as they are common to other dynamic routing
protocols as well. For more information on parts of BGP that are not listed here, see
“Dynamic routing terminology” on page 1079.


The following topics are included in this section:
• BGP and IPv6
• Roles of routers in BGP networks
• Network Layer Reachability Information (NLRI)
• BGP attributes
• Confederations

BGP and IPv6
FortiGate units support IPv6 over BGP using the same config router bgp command
as IPv4, but different subcommands.
The main CLI keywords have IPv6 equivalents that are identified by the “6” on the end of
the keyword, such as with config network6 or set allowas-in6.
IPv6 BGP commands include:
config router bgp
    set allowas-in6 <max_num_AS_integer>
    set allowas-in-enable6 {enable | disable}
    set attribute-unchanged6 [as-path] [med] [next-hop]
    set capability-default-originate6 {enable | disable}
    set capability-graceful-restart6 {enable | disable}
    set capability-orf6 {both | none | receive | send}
    set default-originate-route-map6 <routemap_str>
    set distribute-list-in6 <access-list-name_str>
    set distribute-list-out6 <access-list-name_str>
    set filter-list-in6 <aspath-list-name_str>
    set filter-list-out6 <aspath-list-name_str>
    set maximum-prefix6 <prefix_integer>
    set maximum-prefix-threshold6 <percentage_integer>
    set maximum-prefix-warning-only6 {enable | disable}
    set next-hop-self6 {enable | disable}
    set prefix-list-in6 <prefix-list-name_str>
    set prefix-list-out6 <prefix-list-name_str>
    set remove-private-as6 {enable | disable}
    set route-map-in6 <routemap-name_str>
    set route-map-out6 <routemap-name_str>
    set route-reflector-client6 {enable | disable}
    set route-server-client6 {enable | disable}
    set send-community6 {both | disable | extended | standard}
    set soft-reconfiguration6 {enable | disable}
    set unsuppress-map6 <route-map-name_str>
    config network6
    config redistribute6
end


Roles of routers in BGP networks
Dynamic routing has a number of different roles routers can fill such as those covered in
“Dynamic routing terminology” on page 1079. BGP has a number of custom roles that
routers can fill. These include:
• Speaker routers
• Peer routers or neighbors
• Route reflectors (RR)

Speaker routers
Any router configured for BGP is considered a BGP speaker. This means that a speaker
router advertises BGP routes to its peers.
Any routers on the network that are not speaker routers are not treated as BGP routers.

Peer routers or neighbors
In a BGP network, all neighboring BGP routers or peer routers are routers that are
connected to your FortiGate unit. Your FortiGate unit learns about all other routers through
these peers.
You need to manually configure BGP peers on your FortiGate unit as neighbors.
Otherwise these routers will not be seen as peers, but instead as simply other routers on
the network that don’t support BGP. You can optionally use MD5 authentication to
password protect BGP sessions with those neighbors (see RFC 2385).
You can configure up to 1000 BGP neighbors on your FortiGate unit. You can clear all or
some BGP neighbor connections (sessions) using the exec router clear bgp
command.
For example, if you have 10 routes in the BGP routing table and you want to clear the
specific route to IP address 10.10.10.1, enter the command:
FGT# exec router clear bgp ip 10.10.10.1
To remove all routes for AS number 650001, enter the command:
FGT# exec router clear bgp as 650001
To remove route flap dampening information for the 10.10.0.0/16 subnet, enter the
command:
FGT# exec router clear bgp dampening 10.10.0.0/16
In Figure 1, Router A is directly connected to five other routers in a network that contains
12 routers overall. These routers, the ones in the blue circle, are Router A’s peers or
neighbors.


Figure 170: Router A and its 5 peer routers (diagram: Border Router, Router A, and Router A’s peer routers)

As a minimum, when configuring BGP neighbors you must enter their IP address, and the
AS number (remote_as). This is all the information the web-based manager interface
allows you to enter for a neighbor.
The BGP commands related to neighbors are quite extensive and include:
config router bgp
    config neighbor
        edit <neighbor_address_ipv4>
            set activate {enable | disable}
            set advertisement-interval <seconds_integer>
            set allowas-in <max_num_AS_integer>
            set allowas-in-enable {enable | disable}
            set attribute-unchanged [as-path] [med] [next-hop]
            set bfd {enable | disable}
            set capability-default-originate {enable | disable}
            set capability-dynamic {enable | disable}
            set capability-graceful-restart {enable | disable}
            set capability-orf {both | none | receive | send}
            set capability-route-refresh {enable | disable}
            set connect-timer <seconds_integer>
            set description <text_str>
            set distribute-list-in <access-list-name_str>
            set distribute-list-out <access-list-name_str>
            set dont-capability-negotiate {enable | disable}
            set ebgp-enforce-multihop {enable | disable}
            set ebgp-multihop {enable | disable}
            set ebgp-multihop-ttl <seconds_integer>
            set filter-list-in <aspath-list-name_str>
            set filter-list-out <aspath-list-name_str>
            set holdtime-timer <seconds_integer>
            set interface <interface-name_str>
            set keep-alive-timer <seconds_integer>
            set maximum-prefix <prefix_integer>
            set maximum-prefix-threshold <percentage_integer>
            set maximum-prefix-warning-only {enable | disable}
            set next-hop-self {enable | disable}
            set override-capability {enable | disable}
            set passive {enable | disable}
            set password <string>
            set prefix-list-in <prefix-list-name_str>
            set prefix-list-out <prefix-list-name_str>
            set remote-as <id_integer>
            set remove-private-as {enable | disable}
            set retain-stale-time <seconds_integer>
            set route-map-in <routemap-name_str>
            set route-map-out <routemap-name_str>
            set route-reflector-client {enable | disable}
            set route-server-client {enable | disable}
            set send-community {both | disable | extended | standard}
            set shutdown {enable | disable}
            set soft-reconfiguration {enable | disable}
            set strict-capability-match {enable | disable}
            set unsuppress-map <route-map-name_str>
            set update-source <interface-name_str>
            set weight <weight_integer>
        end
    end
end

Route reflectors (RR)
Route reflectors in BGP concentrate route updates so other routers need only talk to the
route reflectors to get all the updates. This results in smaller routing tables, fewer
connections between routers, faster responses to network topology changes, and less
administration bandwidth. BGP route reflectors are defined in RFC 1966.
In a BGP route reflector configuration, the AS is divided into different clusters that each
include client and reflector routers. The client routers supply the reflector routers with the
client’s route updates. The reflectors pass this information along to other route reflectors
and border routers. Only the reflectors need to be configured, not the clients — the clients
will find the closest reflector and communicate with it automatically. The reflectors
communicate with each other as peers. FortiGate units can be configured as either
reflectors or clients.
Since route reflectors are processing more than the client routers, the reflectors should
have more resources to handle the extra workload.
Smaller networks running BGP typically don’t require route reflectors (RR). However, RR
is a useful feature for large companies, where their AS may include 100 routers or more.
For example, for a full mesh 20 router configuration within an AS there would have to be
190 unique BGP sessions — just for routing updates within the AS. The number of
sessions jumps to 435 sessions for just 30 routers, or 4950 sessions for 100 routers. From
these numbers, it is plain that updating this many sessions will quickly consume the limited
bandwidth and processing resources of the routers involved.
The following diagram illustrates how route reflectors can improve the situation when only
six routers are involved. The AS without route reflectors requires 15 sessions between the
routers. In the AS with route reflectors, the two route reflectors receive route updates from
the reflector clients (unlabeled routers in the diagram) in their cluster as well as other route
reflectors and pass them on to the border router. The RR configuration only requires six
sessions. This example shows a reduction of 60% in the number of required sessions.


Figure 171: Required sessions within an AS with and without route reflectors (diagram: an AS without Route Reflectors with a Border Router; an AS with Route Reflectors (RR) showing two RRs, Cluster1, Cluster2 and a Border Router)

The BGP commands related to route reflectors include:
config router bgp
    config neighbor
        edit <neighbor_address_ipv4>
            set route-reflector-client {enable | disable}
            set route-server-client {enable | disable}
        end
    end
end

Confederations
Confederations were introduced to reduce the number of BGP advertisements on a
segment of the network, and reduce the size of the routing tables. Confederations
essentially break up an AS into smaller units. Confederations are defined in RFC 3065
and RFC 1965.
Within a confederation, all routers communicate with each other in a full mesh
arrangement. Communications between confederations are more like inter-AS
communications in that many of the attributes are changed as they would be for BGP
communications leaving the AS, or eBGP.
Confederations are useful when merging ASs. Each AS being merged can easily become
a confederation, requiring few changes. Any additional permanent changes can then be
implemented over time as required. The figure below shows the group of ASs before
merging, and the corresponding confederations afterward as part of the single AS with the
addition of a new border router. It should be noted that after merging if the border router
becomes a route reflector, then each confederation only needs to communicate with one
other router, instead of five others.


Figure 172: AS merging using confederations (diagram: multiple ASes AS 1 to AS 5 before merging; the combined AS with Confed1 (was AS1) through Confed5 (was AS5) and the new FortiGate unit border router)

Confederations and route reflectors perform similar functions — they both sub-divide large
ASes for more efficient operation. They differ in that route reflector clusters can include
routers that are not members of a cluster, where routers in a confederation must belong to
that confederation. Also, confederations place their confederation numbers in the
AS_PATH attribute making it easier to trace.
It is important to note that while confederations essentially create sub-ASs, all the
confederations within an AS appear as a single AS to external ASs.
Confederation related BGP commands include:
config router bgp
set confederation-identifier <peerid_integer>
end

Network Layer Reachability Information (NLRI)
Network Layer Reachability Information (NLRI) is unique to BGP-4. It is sent as part of the
update messages sent between BGP routers, and contains information necessary to
supernet, or aggregate route, information. The NLRI includes the length and prefix that
when combined are the address of the aggregated routes referred to.
There is only one NLRI entry per BGP update message.
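As an added example (not from the handbook), this is how the length-plus-prefix NLRI encoding described above looks on the wire, with the validation a receiver should apply before installing anything into its Adj-RIB-In; the byte strings used are constructed.

```python
import ipaddress

# Added example, not FortiOS code: IPv4 NLRI as carried in a BGP-4 UPDATE.
# Each entry is a one-octet prefix length in bits followed by only as many
# octets as are needed to hold that many bits (RFC 4271, section 4.3).


def encode_nlri(prefix: str) -> bytes:
    """Encode one IPv4 prefix, e.g. '10.10.0.0/16', as an NLRI entry."""
    net = ipaddress.IPv4Network(prefix, strict=True)  # rejects host bits set
    plen = net.prefixlen
    nbytes = (plen + 7) // 8  # ceil(plen / 8) octets carry the prefix bits
    return bytes([plen]) + net.network_address.packed[:nbytes]


def decode_nlri(data: bytes) -> list[str]:
    """Walk an NLRI field and return the prefixes it carries.

    Malformed input (a prefix length over 32, or an entry cut short by the
    end of the field) raises ValueError so the caller can treat the whole
    UPDATE as invalid instead of installing garbage into Adj-RIB-In.
    Trailing bits beyond the prefix length are ignored, as the RFC requires.
    """
    prefixes = []
    pos = 0
    while pos < len(data):
        plen = data[pos]
        pos += 1
        if plen > 32:
            raise ValueError(f"prefix length {plen} exceeds 32 bits")
        nbytes = (plen + 7) // 8
        chunk = data[pos:pos + nbytes]
        if len(chunk) != nbytes:
            raise ValueError("truncated NLRI entry")
        pos += nbytes
        raw = int.from_bytes(chunk.ljust(4, b"\x00"), "big")
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF  # /0 gives mask 0
        prefixes.append(str(ipaddress.IPv4Network((raw & mask, plen))))
    return prefixes
```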

BGP attributes
Each route in a BGP network has a set of attributes associated with it. These attributes
define the route, and are modified as required along the route.
BGP can work well with mostly default settings, but if you are going to change settings you
need to understand the roles of each attribute and how they affect those settings.
The BGP attributes include:
AS_PATH: a list of ASes a route has passed through. See “AS_PATH” on page 1138.
MULTI_EXIT_DESC (MED): which router to use to exit an AS with more than one external connection. See “MULTI_EXIT_DESC (MED)” on page 1139.
COMMUNITY: used to apply attributes to a group of routes. See “COMMUNITY” on page 1139.
NEXT_HOP: where the IP packets should be forwarded to, like a gateway in static routing. See “NEXT_HOP” on page 1140.
ATOMIC_AGGREGATE: used when routes have been summarized to tell downstream routers not to de-aggregate the route. See “ATOMIC_AGGREGATE” on page 1140.
ORIGIN: used to determine if the route is from the local AS or not. See “ORIGIN” on page 1140.
LOCAL_PREF: used only within an AS to select the best route to a location (like MED).

Note: Inbound policies on FortiGate units can change the NEXT-HOP, LOCAL-PREF, MED
and AS-PATH attributes of an internal BGP (iBGP) route for its local route selection
purposes. However, outbound policies on the unit cannot affect these attributes.

AS_PATH
AS_PATH is the BGP attribute that keeps track of each AS a route advertisement has
passed through. AS_PATH is used by confederations and by exterior BGP (EBGP) to help
prevent routing loops. A router knows there is a loop if it receives an AS_PATH with that
router’s AS in it. The figure below shows the route between router A and router B. The
AS_PATH from A to B would read 701,702,703 for each AS the route passes through.
As of the start of 2010, the industry is upgrading from 2-byte to 4-byte AS_PATHs. This
upgrade was due to the imminent exhaustion of 2-byte AS_PATH numbers.
Figure 173: AS_PATH of 701, 702, 703 between routers A and B (figure not reproduced: router A in Network AS701, hops 1, 2 and 3 through Network AS702 to router B in Network AS703; the arrow shows the direction of traffic across the networks)

The BGP commands related to AS_PATH include:
config router bgp
set bestpath-as-path-ignore {enable | disable}
end

MULTI_EXIT_DESC (MED)
BGP AS systems can have one or more routers that connect them to other ASes. For
ASes with more than one connecting router, the Multi-Exit Discriminator (MED) lists which
router is best to use when leaving the AS. The MED is based on attributes such as delay.
It is a recommendation only, as some networks may have different priorities.
BGP updates advertise the best path to a destination network. When the FortiGate unit
receives a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED)
attribute of potential routes to determine the best path to a destination network before
recording the path in the local FortiGate unit routing table.
FortiGate units have the option to treat any routes without an MED attribute as the worst
possible routing choice. This can be useful because a lack of MED information is a lack of
routing information which can be suspicious — possibly a hacking attempt or an attack on
the network. At best it is an unreliable route to select.
The BGP commands related to MED include:
config router bgp
set always-compare-med {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set deterministic-med {enable | disable}
config neighbor
set attribute-unchanged [as-path] [med] [next-hop]
end
end

COMMUNITY
A community is a group of routes that have the same routing policies applied to them. This
saves time and resources. A community is defined by the COMMUNITY attribute of a BGP
route.
The FortiGate unit can set the COMMUNITY attribute of a route to assign the route to
predefined paths (see RFC 1997). The FortiGate unit can examine the COMMUNITY
attribute of learned routes to perform local filtering and/or redistribution.
The BGP commands related to COMMUNITY include:
config router bgp
set send-community {both | disable | extended | standard}
end

NEXT_HOP
The NEXT_HOP attribute says what IP address the packets should be forwarded to next.
Each time the route is advertised, this value is updated. The NEXT_HOP attribute is much
like a gateway in static routing.
FortiGate units allow you to change the advertising of the FortiGate unit’s IP address
(instead of the neighbor’s IP address) in the NEXT_HOP information that is sent to IBGP
peers. This is changed with the config neighbor, set next-hop-self command.
The BGP commands related to NEXT_HOP include:
config router bgp
config neighbor
set attribute-unchanged [as-path] [med] [next-hop]
set next-hop-self {enable | disable}
end
end

ATOMIC_AGGREGATE
The ATOMIC_AGGREGATE attribute is used when routes have been summarized. It
indicates which AS and which router summarize the routes. It also tells downstream
routers not to de-aggregate the route. Summarized routes are routes with similar
information that have been combined, or aggregated, into one route that is easier to send
in updates. When it reaches its destination, the summarized routes are split back up into
the individual routes.
Your FortiGate unit doesn’t specifically set this attribute in the BGP router command, but it
is used in the route map command.
The commands related to ATOMIC_AGGREGATE include:
config router route-map
edit <route_map_name>
config rule
edit <route_map_rule_id>
set set-aggregator-as <id_integer>
set set-aggregator-ip <address_ipv4>
set set-atomic-aggregate {enable | disable}
end
end
end

ORIGIN
The ORIGIN attribute records where the route came from. The options can be IBGP,
EBGP, or incomplete. This information is important because internal routes (IBGP) are
higher priority than external routes (EBGP). However incomplete ORIGINs are the lowest
priority of the three.
The commands related to ORIGIN include:
config router route-map
edit <route_map_name>
set comments <string>
config rule
edit <route_map_rule_id>
set match-origin {egp | igp | incomplete | none}
end
end
end

How BGP works
BGP is a link-state routing protocol and keeps link-state information about the status of
each network link it has connected. A BGP router receives information from its peer
routers that have been defined as neighbors. BGP routers listen for updates from these
configured neighboring routers on TCP port 179.
A BGP router is a finite state machine with six states for each connection. As two
BGP routers discover each other and establish a connection, they go from the idle state
through the various states until they reach the established state. An error can cause
the connection to be dropped and the state of the router to be reset to either active or idle.
These errors can be caused by: TCP port 179 not being open, a random TCP port above
port 1023 not being open, the peer address being incorrect, or the AS number being
incorrect.
When BGP routers start a connection, they negotiate which (if any) optional features will
be used such as multiprotocol extensions that can include IPv6 and VPNs.

IBGP versus EBGP
When you read about BGP, often you see EBGP or IBGP mentioned. These are both BGP
routing, but BGP used in different roles. Exterior BGP (EBGP) involves packets crossing
multiple autonomous systems (ASes) where interior BGP (IBGP) involves packets that
stay within a single AS. For example the AS_PATH attribute is only useful for EBGP where
routes pass through multiple ASes.
These two modes are important because some features of BGP are only used for one of
EBGP or IBGP. For example confederations are used in EBGP, and route reflectors are
only used in IBGP. Also routes learned from IBGP have priority over EBGP learned routes.
FortiGate units have some commands specific to EBGP. These include:
• automatically resetting the session information to external peers if the connection goes
down — set fast-external-failover {enable | disable}
• setting an administrative distance for all routes learned from external peers (must also
configure local and internal distances if this is set) — set distance-external
<distance_integer>
• enforcing EBGP multihops and their TTL (number of hops) — set ebgp-enforce-multihop
{enable | disable} and set ebgp-multihop-ttl <seconds_integer>

BGP path determination — which route to use
All learned routes and their attributes come into the BGP router in raw form. Before routes
are installed in the routing table or are advertised to other routers, three levels of decisions
must be made.
The three phases of BGP best path determination do not change. However, some
manufacturers have added more information to the process, such as Cisco’s WEIGHT
attribute to enable an administrator to force one route’s selection over another.
There is one Adj-RIB-IN and Adj-RIB-OUT for each configured neighbor. They are
updated when the FortiGate unit receives BGP updates, or when the FortiGate unit sends
out BGP updates.


Figure 174: Three phases of BGP routing decision (figure not reproduced: Adj-RIB-IN (new routes) feeds Phase 1, "Calculate route preferences on incoming routes" (iBGP or eBGP? local route policies, LOCAL_PREF), producing Adj-RIB-IN (with route preferences); Phase 2, "Install the best routes into the local routing RIB", produces Loc-RIB (with new routes); Phase 3, "Determine which routes to advertise" (route map out? iBGP or eBGP? LOCAL_PREF? MED? aggregation?), produces Adj-RIB-OUT (with routes to send), from which routes are sent in an update)

Decision phase 1
At this phase, the decision is to calculate how preferred each route and its NLRI are in the
Adjacent Routing Information Base Incoming (Adj-RIBs-In) compared to the other routes.
For internal routes (IBGP), policy information or LOCAL_PREF is used. For external peer
learned routes, it is based strictly on policy. These rules set up a list of which routes are
most preferred going into Phase 2.

Decision phase 2
Phase 2 involves installing the best route to each destination into the local Routing
Information Base (Loc-RIB). Effectively, the Loc-RIB is the master routing table. Each
route from Phase 1 has their NEXT_HOP checked to ensure the destination is reachable.
If it is reachable, the AS_PATH is checked for loops. After that, routes are installed based
on the following decision process:
• If there is only one route to a location, it is installed.
• If there are multiple routes to the same location, use the most preferred route from Level 1.
• If there is a tie, break the tie based on the following in descending order of importance:
shortest AS_PATH, smallest ORIGIN number, smallest MED, EBGP over IBGP,
smallest metric or cost for reaching the NEXT_HOP, BGP identifier, and lowest IP
address.

Note that the new routes that are installed into the Loc-RIB are in addition to any existing
routes in the table. Once Phase 2 is completed the Loc-RIB will consist of the best of both
the new and older routes.
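The Phase 2 selection above, carried through on a constructed Adj-RIB-In, as an added example that is not FortiGate code: the NEXT_HOP reachability and AS_PATH loop checks run first, then the tie-break order from the list, with the missing-MED handling of set bestpath-med-missing-as-worst as a switch. AS numbers, addresses and IGP costs are made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not FortiOS code. Attribute names follow this chapter; the
# routes, AS numbers and metrics below are constructed sample data.

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # "smallest ORIGIN number"
MED_WORST = 0xFFFFFFFF                                  # largest 4-octet MED


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    as_path: tuple      # ASes the advertisement passed through, nearest first
    origin: str         # "igp", "egp" or "incomplete"
    peer_ip: str        # neighbor that sent the route
    router_id: str      # that neighbor's BGP identifier
    ebgp: bool          # learned from an external peer?
    local_pref: int = 100
    med: Optional[int] = None  # None: the update carried no MED attribute


def has_as_loop(route: BgpRoute, local_as: int) -> bool:
    """AS_PATH loop check: our own AS already in the path means a loop."""
    return local_as in route.as_path


def preference_key(route: BgpRoute, igp_metric: dict, med_missing_as_worst: bool):
    """Sort key; the smallest key is the best route (Phase 1 preference first)."""
    med = route.med
    if med is None:
        # Mirrors set bestpath-med-missing-as-worst: a route with no MED is
        # either the most attractive (0) or the worst possible choice.
        med = MED_WORST if med_missing_as_worst else 0
    return (
        -route.local_pref,                             # higher LOCAL_PREF wins
        len(route.as_path),                            # shortest AS_PATH
        ORIGIN_RANK[route.origin],                     # smallest ORIGIN number
        med,                                           # smallest MED
        0 if route.ebgp else 1,                        # EBGP over IBGP
        igp_metric[route.next_hop],                    # smallest cost to NEXT_HOP
        int(ipaddress.IPv4Address(route.router_id)),   # lowest BGP identifier
        int(ipaddress.IPv4Address(route.peer_ip)),     # lowest IP address
    )


def phase2_loc_rib(routes, local_as: int, igp_metric: dict,
                   med_missing_as_worst: bool = False) -> dict:
    """Return {prefix: best route} after reachability and loop checks.

    igp_metric maps each reachable NEXT_HOP to its IGP cost; a NEXT_HOP absent
    from it is unreachable and that route is dropped. MED is compared across
    all candidates here, as it would be with set always-compare-med enable.
    """
    loc_rib = {}
    for route in routes:
        if route.next_hop not in igp_metric or has_as_loop(route, local_as):
            continue
        key = preference_key(route, igp_metric, med_missing_as_worst)
        current = loc_rib.get(route.prefix)
        if current is None or key < preference_key(current, igp_metric,
                                                   med_missing_as_worst):
            loc_rib[route.prefix] = route
    return loc_rib


# Constructed Adj-RIB-In for a unit in AS 65000 with two external peers.
LOCAL_AS = 65000
IGP_METRIC = {"203.0.113.1": 10, "198.51.100.1": 10}  # reachable next hops
ADJ_RIB_IN = [
    BgpRoute("192.0.2.0/24", "203.0.113.1", (64500, 64510), "igp",
             "203.0.113.1", "203.0.113.1", True),              # no MED at all
    BgpRoute("192.0.2.0/24", "198.51.100.1", (64501, 64510), "igp",
             "198.51.100.1", "198.51.100.1", True, med=50),
    BgpRoute("192.0.2.0/24", "198.51.100.1", (64501, 65000, 64510), "igp",
             "198.51.100.1", "198.51.100.1", True),            # loops through us
    BgpRoute("192.0.2.0/24", "10.255.255.1", (64502,), "igp",
             "10.255.255.1", "10.255.255.1", True),            # NEXT_HOP unreachable
]

if __name__ == "__main__":
    for flag in (False, True):
        best = phase2_loc_rib(ADJ_RIB_IN, LOCAL_AS, IGP_METRIC, flag)["192.0.2.0/24"]
        print(f"bestpath-med-missing-as-worst={flag}: install via {best.next_hop}")
```

The shortest-AS_PATH route is never considered because its NEXT_HOP is unreachable, and the looped route is dropped before any attribute is compared.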

Decision phase 3
Phase 3 is route distribution or dissemination. This is the process of deciding which routes
the router will advertise. If there is any route aggregation or summarizing, it happens here.
Also any route filtering from route maps happens here.
Once Phase 3 is complete, an update can be sent out to update the neighbor of new
routes.

Aggregate routes and addresses
BGP4 allows classless routing, which uses netmasks as well as IP addresses. This
classless routing enables the configuration of aggregate routes by stating the address bits
the aggregated addresses have in common. For more information, see “Aggregated
routes and addresses” on page 1079.
In BGP there is an ATOMIC_AGGREGATE attribute that, when set, informs routers that the
route has been aggregated, and should not be de-aggregated. An associated
AGGREGATOR attribute includes information about the router that did the aggregating,
including its AS.
The BGP commands associated with aggregate routes and addresses are:
config router bgp
config aggregate-address
edit <aggr_addr_id>
set as-set {enable | disable}
set prefix <address_ipv4mask>
set summary-only {enable | disable}
end
config aggregate-address6
edit <aggr_addr_id>
set as-set {enable | disable}
set prefix6 <address_ipv6mask>
set summary-only {enable | disable}
end
end

Troubleshooting BGP
There are some features in BGP that are used to deal with problems that may arise.
Typically the problems with a BGP network that has been configured, involve routes going
offline frequently. This is called route flap and causes problems for the routers using that
route.
This section includes:
• Clearing routing table entries
• Route flap

Clearing routing table entries
To see if a new route is being properly added to the routing table, you can clear all or
some BGP neighbor connections (sessions) using the exec router clear bgp
command.
For example, if you have 10 routes in the BGP routing table and you want to clear the
specific route to IP address 10.10.10.1, enter the command:
FGT# exec router clear bgp ip 10.10.10.1
To remove all routes for AS number 650001, enter the command:
FGT# exec router clear bgp as 650001

Route flap
When routers or hardware along a route go offline and back online, that is called a route
flap. Flapping is the term used when these outages continue, especially if they occur frequently.
Route flap is a problem in BGP because each time a peer or a route goes down, all the
peer routers that are connected to that out-of-service router advertise the change in their
routing tables which creates a lot of administration traffic on the network. And the same
traffic happens again when that router comes back online. If the problem is something like
a faulty network cable that wobbles on and offline every 10 seconds, there could easily be
overwhelming amounts of routing updates sent out unnecessarily.
Another possible reason for route flap occurs with multiple FortiGate units in HA mode.
When an HA cluster fails over to the secondary unit, other routers on the network may see
the HA cluster as being offline resulting in route flap. While this doesn’t occur often, or
more than once at a time, it can still result in an interruption in traffic which is unpleasant
for network users. The easy solution for this problem is to increase the timers on the HA
cluster, such as TTL timers, so they do not expire during the failover process. Also
configuring graceful restart on the HA cluster will help with a smooth failover.
The first method of dealing with route flap should be to check your hardware. If a cable is
loose or bad, it can easily be replaced and eliminate the problem. If an interface on the
router is bad, either don’t use that interface or swap in a good router. If the power source is
bad on a router either replace the power supply or use a power conditioning backup power
supply. These quick and easy fixes can save you from configuring more complex BGP
options. However if the route flap is from another source, configuring BGP to deal with the
outages will ensure your network users uninterrupted service.
Some methods of dealing with route flap in BGP include:
• Dampening
• Graceful restart
• Holddown timer
• Bi-directional forwarding detection (BFD)
Holddown timer
The first line of defence against a flapping route is the holddown timer. This timer reduces how
frequently a route going down will cause a routing update to be broadcast.
Once activated, the holddown timer won’t allow the FortiGate unit to accept any changes
to that route for the duration of the timer. If the route flaps five times during the timer
period, only the first outage will be recognized by the FortiGate unit — for the duration of
the other outages there will be no changes because the FortiGate unit is essentially
treating this router as down. After the timer expires, if the route is still flapping it will
happen all over again.
Even if the route isn’t flapping — if it goes down, comes up, and stays back up — the timer
still counts down and the route is ignored for the duration of the timer. In this situation the
route will be seen as down longer than it really is, but there will be only the one set of route
updates. This is not a problem in normal operation because updates are not frequent.
Also the potential for a route to be treated as down when it is really up can be viewed as a
robustness feature. Typically you do not want most of your traffic being routed over an
unreliable route. So if there is route flap going on, it is best to avoid that route if you can.
This is enforced by the holddown timer.
How to configure the holddown timer
There are three different route flapping situations that can occur: the route goes up and
down frequently, the route goes down and back up once over a long period of time, or the
route goes down and stays down for a long period of time. These can all be handled using
the holddown timer.
For example, your network has two routes that you want to set the holddown timer for.
One is your main route (to 10.12.101.4) that all your Internet traffic goes through, and it
can’t be down for long if it goes down. The second is a low speed connection to a custom
network that is used infrequently (to 10.13.101.4). The holddown timer for the main route
should be fairly short, let’s say 60 seconds instead of the default 180 seconds. The second
route timer can be left at the default or even longer since it is rarely used. In your BGP
configuration this looks like:
config router bgp
config neighbor
edit 10.12.101.4
set holddown-timer 60
next
edit 10.13.101.4
set holddown-timer 180
next
end
end

Dampening
Dampening is a method used to limit the amount of network problems due to flapping
routes. With dampening the flapping still occurs, but the peer routers pay less and less
attention to that route as it flaps more often. One flap doesn’t start dampening, but the
second starts a timer where the router will not use that route — it is considered unstable. If
the route flaps again before the timer expires, the timer continues to increase. There is a
period of time called the reachability half-life after which a route flap will only be
suppressed for half the time. This half-life comes into effect when a route has been stable
for a while but not long enough to clear all the dampening completely. For the flapping
route to be included in the routing table again, the suppression time must expire.
If the route flapping was temporary, you can clear the flapping or dampening from the
FortiGate unit’s cache by using one of the execute router clear bgp commands:
execute router clear bgp dampening {ip_address | ip/netmask}
or
execute router clear bgp flap-statistics {ip_address | ip/netmask}
For example, to remove route flap dampening information for the 10.10.0.0/16 subnet,
enter the command:
FGT# exec router clear bgp dampening 10.10.0.0/16
The BGP commands related to route dampening are:
config router bgp
set dampening {enable | disable}
set dampening-max-suppress-time <minutes_integer>
set dampening-reachability-half-life <minutes_integer>
set dampening-reuse <reuse_integer>
set dampening-route-map <routemap-name_str>
set dampening-suppress <limit_integer>
set dampening-unreachability-half-life <minutes_integer>
end
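A penalty-based model of the dampening behaviour described above, as an added example that is not FortiOS code: each flap adds a penalty, the penalty halves every reachability half-life, the route is suppressed once the penalty crosses the suppress limit and reused once it decays below the reuse limit or the maximum suppress time passes. The parameter names mirror the dampening-* commands; the numeric defaults and the per-flap penalty are assumptions for the demonstration, and the unreachability half-life is not modelled.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional

# Added example, not FortiOS code. All times are minutes since an arbitrary epoch.
FLAP_PENALTY = 1000  # penalty added per flap (assumed value)


@dataclass
class DampeningConfig:
    reachability_half_life: float = 15.0  # minutes; dampening-reachability-half-life
    reuse: int = 750                       # dampening-reuse
    suppress: int = 2000                   # dampening-suppress
    max_suppress_time: float = 60.0        # minutes; dampening-max-suppress-time


@dataclass
class FlapState:
    penalty: float = 0.0
    last_update: float = 0.0               # when the penalty was last decayed
    suppressed_since: Optional[float] = None


class Dampener:
    """Tracks flap penalties per prefix and decides whether a route is usable."""

    def __init__(self, cfg: Optional[DampeningConfig] = None):
        self.cfg = cfg or DampeningConfig()
        self.state: Dict[str, FlapState] = {}

    def _decay(self, st: FlapState, now: float) -> None:
        # Exponential decay: the penalty halves every reachability half-life.
        elapsed = now - st.last_update
        st.penalty *= 0.5 ** (elapsed / self.cfg.reachability_half_life)
        st.last_update = now

    def flap(self, prefix: str, now: float) -> bool:
        """Record one flap; returns True if the prefix is suppressed afterwards."""
        st = self.state.setdefault(prefix, FlapState(last_update=now))
        self._decay(st, now)
        st.penalty += FLAP_PENALTY
        if st.suppressed_since is None and st.penalty >= self.cfg.suppress:
            st.suppressed_since = now  # the route is now considered unstable
        return st.suppressed_since is not None

    def usable(self, prefix: str, now: float) -> bool:
        """May the route be put back into the routing table at time now?"""
        st = self.state.get(prefix)
        if st is None:
            return True  # no flap history at all
        self._decay(st, now)
        if st.suppressed_since is not None:
            decayed_enough = st.penalty < self.cfg.reuse
            capped = now - st.suppressed_since >= self.cfg.max_suppress_time
            if decayed_enough or capped:
                st.suppressed_since = None
        return st.suppressed_since is None

    def minutes_until_reuse(self, prefix: str) -> float:
        """Half-life arithmetic: time until the penalty decays below reuse."""
        st = self.state.get(prefix)
        if st is None or st.penalty <= self.cfg.reuse:
            return 0.0
        return self.cfg.reachability_half_life * math.log2(st.penalty / self.cfg.reuse)

    def clear(self, prefix: str) -> None:
        """Forget the flap history, like execute router clear bgp dampening."""
        self.state.pop(prefix, None)
```

With the assumed values, flaps one minute apart at t=0, 1 and 2 suppress the route on the third flap, and the penalty then needs roughly two half-lives to fall under the reuse limit.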

Graceful restart
BGP4 has the capability to gracefully restart.
In some situations, route flap is caused by routers that appear to be offline but the
hardware portion of the router (control plane) can continue to function normally. One
example of this is when some software is restarting or being upgraded, but the hardware
can still function normally.
Graceful restart is best used for these situations where routing will not be interrupted, but
the router is unresponsive to routing update advertisements. Graceful restart does not
have to be supported by all routers in a network, but the network will benefit when more
routers support it.
Note: FortiGate HA clusters can benefit from graceful restart. When a failover takes place,
the HA cluster will advertise it is going offline, and will not appear as a route flap. It will also
enable the new HA main unit to come online with an updated and usable routing table — if
there is a flap the HA cluster routing table will be out of date.

Scheduled time offline
Graceful restart is a means for a router to advertise it is going to have a scheduled
shutdown for a very short period of time. When neighboring routers receive this notice,
they will not remove that router from their routing table until after a set time elapses.
During that time if the router comes back online, everything continues to function as
normal. If that router remains offline longer than expected, then the neighboring routers
will update their routing tables as they assume that router will be offline for a long time.
FortiGate units support both graceful restart of their own BGP routing software, and also
neighboring BGP routers.
For example, if a neighbor of your FortiGate unit, with an IP address of 172.20.120.120,
supports graceful restart, enter the command:
config router bgp
config neighbor
edit 172.20.120.120
set capability-graceful-restart enable
end
end
If you want to configure graceful restart on your FortiGate unit where you expect the
FortiGate unit to be offline for no more than 2 minutes, and after 3 minutes the BGP
network should consider the FortiGate unit offline, enter the command:
config router bgp
set graceful-restart enable
set graceful-restart-time 120
set graceful-stalepath-time 180
end

Note: You can configure graceful restarting and other advanced settings only through CLI
commands. For more information on advanced BGP settings, see the “router” chapter of
the FortiGate CLI Reference.

The BGP commands related to BGP graceful restart are:
config router bgp
set graceful-restart {disable | enable}
set graceful-restart-time <seconds_integer>
set graceful-stalepath-time <seconds_integer>
config neighbor
set capability-graceful-restart {enable | disable}
end
end
execute router restart

Bi-directional forwarding detection (BFD)
Bi-directional Forwarding Detection (BFD) is a protocol used to quickly locate hardware
failures in the network. Routers running BFD communicate with each other, and if a timer
runs out on a connection then that router is declared down. BFD then communicates this
information to the routing protocol and the routing information is updated.
While BGP can detect route failures, BFD can be configured to detect these failures more
quickly allowing faster responses and improved convergence. This can be balanced with
the bandwidth BFD uses in its frequent route checking.

Configurable granularity
BFD can run on the entire FortiGate unit, selected interfaces, or on BGP for all configured
interfaces. The hierarchy allows each lower level to override the upper level’s BFD setting.
For example, if BFD was enabled for the FortiGate unit, it could be disabled only for a
single interface or for BGP. For information about FortiGate-wide BFD options, see config
system settings in the FortiGate CLI Reference.
BFD support was added in FortiOS v3.0 MR4, and can only be configured through the
CLI.
The BGP commands related to BFD are:
config router bgp
config neighbor
edit <neighbor_address_ipv4>
set bfd {enable | disable}
end
end
execute router clear bfd session <src_ipv4> <dst_ipv4> <interface>

BGP routing examples
BGP is a complex dynamic routing protocol. There are many BGP configurations and
features that can benefit from in-depth examples.
This section includes:
• Dual-homed BGP example
• Redistributing and blocking routes in BGP

Dual-homed BGP example
This is an example of a small network that uses BGP routing connections to two ISPs.
This is a common configuration for companies that need redundant connections to the
Internet for their business.
This configuration is for a small company connected to two ISPs. The company has one
main office, the Head Office, and uses static routing for internal routing on that network.
Both ISPs use BGP routing, and connect to the Internet directly. They want the company
to connect to the ISP networks using BGP. They also use graceful restart to prevent
unneeded updates, and use smaller timer values to detect network failures faster.
As can be expected, the company wants to keep their BGP configuration relatively simple
and easy to manage. The current configuration has only 3 routers to worry about — the 2
ISP border routers, and the FortiGate unit. This means the FortiGate unit will only have
two neighbour routers to configure.
This configuration has the added benefit of being easy to expand if the Company wants to
add a remote office in the future.
To keep the configuration simple, the Company is allowing only HTTP, HTTPS, FTP, and
DNS traffic out of the local network. This will allow employees access to the Internet and
their web-mail.

This section includes the following topics:
• Network layout and assumptions
• General configuration steps
• Configuring the FortiGate unit
• Configuring other networking devices
• Testing this configuration

Why dual home?
Dual homing means having two separate independent connections to the Internet.
Servers in this configuration have also been called bastion hosts and can include DNS
servers which require multiple connections.
Benefits of dual homing can include:
• redundant Internet connection that essentially never fails
• faster connections through one ISP or the other for some destinations, such as other
clients of those ISPs
• load balancing traffic to your Company network
• easier to enable more traffic through two connections than upgrading one connection
to bigger bandwidth
• easier to create protection policies for different traffic through a specific ISP

Some companies require reliable internet access at all times as part of their business.
Consider a doctor operating remotely who has their Internet connection fail — the
consequences could easily be life or death.
Dual homing is extra expense for the second ISP connection, and more work to configure
and maintain the more complex network topology.

Potential dual homing issues
BGP comes with load balancing issues, and dual homing is in the same category. BGP does
not inherently deal well with load balancing, or getting default routes through BGP. Ideally
one connection may be best for certain destinations, but it may not have that traffic routed to
it, making the load balancing less than perfect. This kind of fine tuning can be very time
consuming, and usually results in a best effort situation.
When dual homing is not configured properly, your network may become a link between
your ISPs and result in very high traffic between the ISPs that does not originate from your
network. The problems with this situation are that your traffic may not have the bandwidth
it needs, and you will be paying for a large volume of traffic that is not yours. This problem
can be solved by not broadcasting or redistributing BGP routes between the ISPs.
If you learn your default routes from the ISPs in this example, you may run into an
asymmetric routing problem where your traffic loops out one ISP and back to you through
the other ISP. If you think this may be happening you can turn on asymmetric routing on
the FortiGate unit (config system settings, set asymmetric enable) to verify that really is
the problem. Turn this feature off once this is established since it disables many features
on the FortiGate by disabling stateful inspection. Solutions for this problem can include
using static routes for default routes instead of learning them through BGP, or configuring
VDOMs on your FortiGate unit to provide a slightly different path back that is not a true
loop.

Network layout and assumptions
This section includes:
• Network layout
• Assumptions

Network layout
The network layout for the basic BGP example involves the company network being
connected to both ISPs as shown below. In this configuration the FortiGate unit is the BGP
border router between the Company AS, ISP1’s AS, and ISP2’s AS.
The components of the layout include:
• The Company has one internal network — the Head Office network at 10.11.101.0/24.
• The FortiGate unit internal interface is on the Company internal network with an IP
address of 10.11.101.110.
• The FortiGate unit external1 interface is connected to ISP1’s network with an IP
address of 172.21.111.5, an address supplied by the ISP.
• ISP1 AS has an AS number of 6501, and ISP2 has an AS number of 6502
• Both ISPs are connected to the Internet.
• The ISP1 border router is a neighbor (peer) of the FortiGate unit. It has an address of
172.21.111.4.
• The ISP2 border router is a neighbor (peer) of the FortiGate unit. It has an address of
172.22.222.4.
• The Company AS (AS number 1) is connected to ISP1 and ISP2 through the FortiGate
unit.
• Apart from graceful restart, and shorter timers (holdtimer, and keepalive) default
settings are to be used whenever possible.

Figure 175: Basic BGP network topology (figure not reproduced here: the Internet, the ISP1 and ISP2 BGP border routers at 172.21.111.4 and 172.22.222.4, the Head Office BGP border router (the FortiGate unit) with its external1, external2 and internal interfaces, and the Company AS (ASN 1) with the Head Office Network 10.11.101.0/24)

Assumptions
The basic BGP configuration procedure follows these assumptions:
• ISP1 is the preferred route, and ISP2 is the secondary route
• all basic configuration can be completed in both GUI and CLI
• only one AS is used for the Company
For these reasons this example configuration does not include:
• Bi-directional forwarding detection (BFD)
• Route maps
• Access lists
• changing redistribution defaults — make link when example is set up
• IPv6
For more information on these features, see the corresponding section.

General configuration steps
In this basic example, only two routers need to be configured — the FortiGate unit, and the ISP BGP router. After they are configured, the network configuration should be tested to ensure it is working as expected.
To configure a simple BGP network
1 Configuring the FortiGate unit
2 Configuring other networking devices
3 Testing this configuration


Configuring the FortiGate unit
In this topology, the FortiGate unit is the link between the Company Network and the ISP
network. The FortiGate unit is the only BGP router on the Company Network, but there is
at least one other BGP router on the ISP Network — there may be more but we don’t have
that information.
As mentioned in the general configuration steps, the ISP must be notified of the
Company’s BGP router configuration when complete as it will need to add the FortiGate
BGP router as a neighbor router on its domain. This step is required for the FortiGate unit
to receive BGP routing updates from the ISP network and outside networks.
If the ISP has any special BGP features enabled, such as graceful restart or route dampening, that should be determined up front so those features can be enabled on the FortiGate unit.
To configure the FortiGate unit as a BGP router
1 Configure interfaces and default routes
2 Configure firewall services, addresses, and policies
3 Set the FortiGate BGP information
4 Add the internal network to the AS
5 Additional FortiGate BGP configuration

Configure interfaces and default routes
The FortiGate unit is connected to three networks — the Company Network on the internal interface, the ISP1 Network on the external1 interface, and ISP2 on the external2 interface.
This example uses basic interface settings. Check with your ISP to determine if additional settings are required, such as setting the maximum MTU size, or if gateway detection is supported.
High-end FortiGate units do not have interfaces labeled Internal or External. Instead, for clarity's sake, we are using the alias feature to name interfaces for these roles.
Default routes to both external interfaces are configured here as well. Both are needed in
case one goes offline. ISP1 is the primary connection and has a smaller administrative
distance so it will be preferred over ISP2. Both distances are set low so they will be
preferred over any learned routes.
To configure the FortiGate interfaces - web-based manager
1 Go to System > Network.
2 Edit the port1 (internal) interface.
3 Set the following information, and select OK.
   Alias                  internal
   IP/Netmask             10.11.101.110/255.255.255.0
   Administrative Access  HTTPS SSH PING
   Description            Company internal network
   Administrative Status  Up
4 Edit the port2 (external1) interface.


5 Set the following information, and select OK.
   Alias                  external1
   IP/Netmask             172.21.111.5/255.255.255.0
   Administrative Access  HTTPS SSH PING
   Description            ISP1 External BGP network
   Administrative Status  Up
6 Edit the port3 (external2) interface.
7 Set the following information, and select OK.
   Alias                  external2
   IP/Netmask             172.22.222.5/255.255.255.0
   Administrative Access  HTTPS SSH PING
   Description            ISP2 External BGP network
   Administrative Status  Up
To configure the FortiGate interfaces - CLI
config system interface
    edit port1
        set alias internal
        set ip 10.11.101.110 255.255.255.0
        set allowaccess https ssh ping
        set description "Company internal network"
        set status up
    next
    edit port2
        set alias external1
        set ip 172.21.111.5 255.255.255.0
        set allowaccess https ssh ping
        set description "ISP1 External BGP network"
        set status up
    next
    edit port3
        set alias external2
        set ip 172.22.222.5 255.255.255.0
        set allowaccess https ssh ping
        set description "ISP2 External BGP network"
        set status up
    next
end
To configure default routes for both ISPs - web-based manager
1 Go to System > Router.
2 Delete any existing routes with a Destination IP/Mask of 0.0.0.0/0.0.0.0.


3 Select Create New, and set the following information. The gateway is the ISP1 border router from the network layout, not the FortiGate unit's own port2 address.
   Destination IP/Mask  0.0.0.0/0.0.0.0
   Device               port2
   Gateway              172.21.111.4
   Distance             10
4 Select OK.
5 Select Create New, and set the following information. The gateway is the ISP2 border router.
   Destination IP/Mask  0.0.0.0/0.0.0.0
   Device               port3
   Gateway              172.22.222.4
   Distance             15
6 Select OK.
To configure default routes for both ISPs - CLI
The gateway of each route is the ISP border router on that link (172.21.111.4 for ISP1 and 172.22.222.4 for ISP2, from the network layout), not the address of the FortiGate unit's own interface.
config router static
    edit 1
        set device "port2"
        set distance 10
        set gateway 172.21.111.4
    next
    edit 2
        set device "port3"
        set distance 15
        set gateway 172.22.222.4
    next
end
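A default route whose gateway is the FortiGate interface's own address, or an address outside that interface's subnet, silently never forwards anything, so it is worth cross-checking the two snippets above before committing them. The following Python script is an added example, not handbook or FortiOS code: `parse_fortios` is a hypothetical minimal parser for the flat CLI layout used in these snippets, and `check_default_routes` runs it over a constructed sample that uses this example's addresses (with the route-1 gateway deliberately set to port2's own IP so the checker has something to report).

```python
"""Cross-check FortiOS default routes against interface addresses.

Added example, not from the FortiOS Handbook. The parser only understands the
flat "config / edit / set / next / end" layout used in these snippets; nested
config tables are not handled.
"""
import ipaddress

# Constructed sample in the handbook's CLI syntax. Route 1 repeats the gateway
# mistake (172.21.111.5 is port2's own address; the ISP1 router is 172.21.111.4).
SAMPLE_CONFIG = """
config system interface
    edit port2
        set alias external1
        set ip 172.21.111.5 255.255.255.0
    next
    edit port3
        set alias external2
        set ip 172.22.222.5 255.255.255.0
    next
end
config router static
    edit 1
        set device "port2"
        set distance 10
        set gateway 172.21.111.5
    next
    edit 2
        set device "port3"
        set distance 15
        set gateway 172.22.222.4
    next
end
"""

# Same snippet with the gateway corrected to the ISP1 border router.
FIXED_CONFIG = SAMPLE_CONFIG.replace("set gateway 172.21.111.5",
                                     "set gateway 172.21.111.4")


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for a flat FortiOS snippet."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
            tables[table][entry] = {}
        elif tok[0] == "set":
            tables[table][entry][tok[1]] = [t.strip('"') for t in tok[2:]]
        # "next" and "end" carry no data in a flat snippet
    return tables


def check_default_routes(text):
    """Validate each static route's gateway; report problems and the primary device."""
    cfg = parse_fortios(text)
    ifaces = {}
    for name, attrs in cfg.get("system interface", {}).items():
        if "ip" in attrs:
            ip, mask = attrs["ip"]
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")

    problems, candidates = [], []
    for rid, attrs in cfg.get("router static", {}).items():
        dev = attrs["device"][0]
        gw = ipaddress.ip_address(attrs["gateway"][0])
        distance = int(attrs.get("distance", ["10"])[0])  # FortiOS default is 10
        candidates.append((distance, dev))
        iface = ifaces.get(dev)
        if iface is None:
            problems.append(f"route {rid}: device {dev} has no IP address configured")
        elif gw == iface.ip:
            problems.append(f"route {rid}: gateway {gw} is {dev}'s own address, "
                            f"not the ISP router")
        elif gw not in iface.network:
            problems.append(f"route {rid}: gateway {gw} is outside {dev}'s "
                            f"subnet {iface.network}")
    # The lowest administrative distance wins while both default routes are up.
    primary = min(candidates)[1] if candidates else None
    return {"problems": problems, "primary": primary}


if __name__ == "__main__":
    for label, cfg in (("as written", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        result = check_default_routes(cfg)
        print(label, "->", result["problems"] or "OK", "| primary:", result["primary"])
```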

Configure firewall services, addresses, and policies
To create the firewall policies, first you must create the firewall services group that will
include all the services that will be allowed, then you must define the addresses that will
be used in the firewall policies, and lastly you configure the firewall policies themselves.
To keep the configuration simple, the Company is allowing only HTTP traffic out of the
local network. This will allow employees access to the Internet and their web-mail. DNS
services will also be allowed through the firewall.
The firewall policies will allow HTTP traffic (port 80 and port 8080), HTTPS traffic (port 443), FTP traffic (port 21), and DNS traffic (port 53 and port 953) in both directions. BGP (port 179) may also need access through the firewall.
Note: For added security, you may want to define a smaller range of addresses for the
internal network. For example if only 20 addresses are used, only allow those addresses in
the range.

In the interest of keeping things simple, a zone will be used to group the two ISP interfaces
together. This will allow using one firewall policy to apply to both ISPs at the same time.
Remember to block intra-zone traffic as this will help prevent one ISP sending traffic to the
other ISP through your FortiGate unit using your bandwidth. The zone keeps configuration
simple, and in the future if there is a need for separate policies for each ISP, they can be
created and the zone can be deleted.


The addresses that will be used are the addresses of the FortiGate unit internal and
external ports, and the internal network.
More policies or services can be added in the future as applications are added to the
network. For more information on firewall policies, see the firewall chapter of the FortiGate
Administration Guide.
Note: When configuring firewall policies always enable logging to help you track and debug
your traffic flow.

To create a firewall services group - web-based manager
1 Go to Firewall > Service > Group, and select Create New.
2 For Group Name, enter "Basic_Services".
3 From Available Services, move the following services over to the Member list: BGP, FTP, FTP_GET, FTP_PUT, DNS, HTTP, and HTTPS.
4 Select OK.
To create a firewall services group - CLI
config firewall service group
    edit "Basic_Services"
        set member "BGP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS"
    next
end
To create a zone for the ISP interfaces - web-based manager
1 Go to Status > Network > Zone.
2 Select Create New, and set the following information.
   Zone Name                 ISPs
   Block intra-zone traffic  enable
   Interface members         port2 port3
3 Select OK.
To create a zone for the ISP interfaces - CLI
config system zone
    edit "ISPs"
        set interface "port2" "port3"
        set intrazone block
    next
end


To add the firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New, and set the following information.
   Address Name       Internal_network
   Type               Subnet / IP Range
   Subnet / IP Range  10.11.101.0 255.255.255.0
   Interface          port1
3 Select OK.
To add the firewall addresses - CLI
config firewall address
    edit "Internal_network"
        set associated-interface "port1"
        set subnet 10.11.101.0 255.255.255.0
    next
end
To add the HTTP and DNS firewall policies - web-based manager
1 Go to Firewall > Policy, and select Create New.
2 Set the following information.
   Source Interface/Zone       port1(internal)
   Source Address              Internal_network
   Destination Interface/Zone  ISPs
   Destination Address         All
   Schedule                    always
   Service                     Basic_Services
   Action                      ACCEPT
   NAT                         Enable
   Protection Profile          scan
   Log Allowed Traffic         enable
   Comments                    ISP1 basic services out policy
3 Select OK.


4 Select Create New, and set the following information.
   Source Interface/Zone       ISPs
   Source Address              all
   Destination Interface/Zone  port1(internal)
   Destination Address         Internal_network
   Schedule                    always
   Service                     Basic_Services
   Action                      ACCEPT
   NAT                         Enable
   Protection Profile          scan
   Log Allowed Traffic         enable
   Comments                    ISP1 basic services in policy
5 Select OK.
To add the firewall policies - CLI
config firewall policy
    edit 1
        set srcintf "port1"
        set srcaddr "Internal_network"
        set dstintf "ISPs"
        set dstaddr "all"
        set schedule "always"
        set service "Basic_Services"
        set action accept
        set nat enable
        set profile-status enable
        set profile "scan"
        set logtraffic enable
        set comments "ISP1 basic services out policy"
    next
    edit 2
        set srcintf "ISPs"
        set srcaddr "all"
        set dstintf "port1"
        set dstaddr "Internal_network"
        set schedule "always"
        set service "Basic_Services"
        set action accept
        set nat enable
        set profile-status enable
        set profile "scan"
        set logtraffic enable
        set comments "ISP1 basic services in policy"
    next
end


Set the FortiGate BGP information
When using the default information, there are only two fields to set to configure the
FortiGate unit as a BGP router.
For this configuration the FortiGate unit will be in a stub area with one route out — the ISP
BGP router. Until you configure the ISP router as a neighbour, even that route out is not
available. So while after this part of the configuration is complete your FortiGate unit will
be running BGP, it won’t know about any other routers running BGP until the next part of
the configuration is complete.
To set the BGP router information - web-based manager
1 Go to System > Router > Dynamic > BGP.
2 Set the following information, and select OK.
   Local AS   1
   Router ID  10.11.101.110
To set the BGP router information - CLI
config router bgp
    set as 1
    set router-id 10.11.101.110
end

Add the internal network to the AS
The Company is one AS with the FortiGate unit configured as the BGP border router
connecting that AS to the two ISPs ASes. The internal network in the Company’s AS must
be defined. If there were other networks in the company such as regional offices, they
would be added here as well.
To set the networks in the AS - web-based manager
1 Go to System > Router > Dynamic > BGP.
2 Set the following information and select OK.
   IP/Netmask  10.11.101.0 255.255.255.0
To set the networks in the AS - CLI
config router bgp
    config network
        edit 1
            set prefix 10.11.101.0 255.255.255.0
        next
    end
end


Additional FortiGate BGP configuration
At this point, that is all the settings that can be done in both the web-based manager and the CLI. The remaining configuration must be completed in the CLI.
These additional settings are mainly determined by your ISP requirements. They will determine your timers such as keepalive timers, whether extended features like BFD and graceful restart are being used, and so on. For this example, some common, simple features are being used to promote faster detection of network failures, which will result in better service for the Company's internal network users.
The ISPs do not require authentication between peer routers.
These commands will enable or modify the following features on the FortiGate unit, and where possible on neighboring routers as well:
• bestpath-med-missing-as-worst — treats a route without an MED as the worst possible available route due to expected unreliability
• fast-external-failover — immediately reset the session information associated with BGP external peers if the link used to reach them goes down
• graceful-restart* — advertise reboots to neighbors so they do not see the router as offline, wait before declaring them offline, and how long to wait when they reboot before advertising updates. These commands apply to neighbors and are part of the BGP capabilities. This prevents unneeded routing updates.
• holdtime-timer — how long the router will wait for a keepalive message before declaring a router offline. A shorter time will find an offline router faster.
• keepalive-timer — how often the router sends out keepalive messages to neighbor routers to maintain those sessions.
• log-neighbor-changes — log changes to neighbor routers' status. This can be useful for troubleshooting from both internal and external networks.
• connect-timer — how long in seconds the FortiGate unit will try to reach this neighbor before declaring it offline.
• weight — used to prefer routes from one neighbor over the other. In this example ISP1 is the primary connection so it is weighted higher than ISP2.

To configure additional BGP options - CLI
Each neighbor also needs the remote AS from the network layout (6501 for ISP1, 6502 for ISP2), or the session will not come up.
config router bgp
    set bestpath-med-missing-as-worst enable
    set fast-external-failover enable
    set graceful-restart enable
    set graceful-restart-time 120
    set graceful-stalepath-time 180
    set graceful-update-delay 180
    set holdtime-timer 120
    set keepalive-timer 45
    set log-neighbor-changes enable
    config neighbor
        edit 172.21.111.4
            set remote-as 6501
            set connect-timer 60
            set description "ISP1"
            set holdtime-timer 120
            set keepalive-timer 45
            set weight 250
        next
        edit 172.22.222.4
            set remote-as 6502
            set connect-timer 60
            set description "ISP2"
            set holdtime-timer 120
            set keepalive-timer 45
            set weight 100
        next
    end
end
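To see how the weight and bestpath-med-missing-as-worst settings above interact, the following Python model is an added example, not FortiOS code. It implements a simplified version of the first BGP best-path steps (highest weight, highest local preference, shortest AS path, lowest MED) and runs it over two constructed candidate default routes, one from each ISP, using this example's neighbor addresses, AS numbers and weights; the names `Path`, `best_path`, `handbook_selection` and `equal_weight_selection` are assumptions of this example.

```python
"""Show how weight and bestpath-med-missing-as-worst choose between ISP1 and ISP2.

Added example, not FortiOS code. Real routers also compare origin, eBGP vs
iBGP, IGP cost and router ID, and by default compare MED only between paths
from the same neighboring AS (FortiOS has always-compare-med for that); this
model always compares MED, which is enough to show what the option changes.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MED_WORST = 2**32 - 1  # value used for a missing MED when it is treated as worst


@dataclass
class Path:
    neighbor: str                 # peer that sent the route
    weight: int = 0               # FortiOS "set weight" on the neighbor (local only)
    local_pref: int = 100
    as_path: List[int] = field(default_factory=list)
    med: Optional[int] = None     # None: the peer sent no MED attribute


def effective_med(path, med_missing_as_worst):
    """Default BGP behaviour treats a missing MED as 0 (best); the option flips that."""
    if path.med is not None:
        return path.med
    return MED_WORST if med_missing_as_worst else 0


def sort_key(path, med_missing_as_worst):
    # Smaller key is better: higher weight, higher local-pref, shorter AS path,
    # lower MED; the neighbor address is only a deterministic tie-breaker.
    return (-path.weight, -path.local_pref, len(path.as_path),
            effective_med(path, med_missing_as_worst), path.neighbor)


def best_path(paths, med_missing_as_worst=False):
    """Return the winning Path for one prefix."""
    return min(paths, key=lambda p: sort_key(p, med_missing_as_worst))


# Constructed candidate default routes as the FortiGate in this example sees them.
ISP1 = Path("172.21.111.4", weight=250, as_path=[6501], med=None)  # no MED sent
ISP2 = Path("172.22.222.4", weight=100, as_path=[6502], med=50)


def handbook_selection():
    """Weights from the handbook configuration: ISP1 wins whatever the MED says."""
    return best_path([ISP1, ISP2], med_missing_as_worst=True).neighbor


def equal_weight_selection(med_missing_as_worst):
    """With equal weights the missing MED decides, and the option flips the result."""
    same = [Path(ISP1.neighbor, 100, as_path=ISP1.as_path, med=ISP1.med),
            Path(ISP2.neighbor, 100, as_path=ISP2.as_path, med=ISP2.med)]
    return best_path(same, med_missing_as_worst).neighbor


if __name__ == "__main__":
    print("handbook weights:", handbook_selection())
    print("equal weights, default MED handling:", equal_weight_selection(False))
    print("equal weights, missing MED as worst:", equal_weight_selection(True))
```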

Configuring other networking devices
There are two other networking devices that need to be configured: both ISPs' BGP routers.
The ISPs' routers must add the FortiGate unit as a neighbor so route updates can be sent in both directions. Note that ISP1 is not directly connected to ISP2, as far as we are aware.
Inform both of your ISPs of your FortiGate unit's BGP information. Once they have configured their router, you can test your BGP connection to the Internet.
They will require your FortiGate unit's:
• IP address of the connected interface
• Router ID
• your Company's AS number

Testing this configuration
With the dual-homed BGP configuration in place, you should be able to send and receive
traffic, send and receive routes, and not have any routing loops. Testing the networks will
confirm things are working as expected.
In general for routing you need to look at the routing table on different routers to see what
routes are being installed. You also need to sniff packets to see how traffic is being routed
in real time. These two sources of information will normally tell you what you need to
know.
Basic networking tools and methods can be found in “Troubleshooting” on page 1085.
Testing of this example's network configuration should be completed in the following parts:
• Testing network connectivity
• Verifying the FortiGate unit's routing tables
• Verifying traffic routing
• Verifying the dual-homed side of the configuration

Testing network connectivity
A common first step in testing a new network topology is to test if you can reach the Internet and other locations as you expect you should. If not, you may be prevented by cabling issues, software, or other issues.
The easiest way to test connections is to use ping, once you ensure that all the FortiGate
unit’s interfaces and ISP routers have ping support enabled. Also ensure that the firewall
policies allow ping through the firewall.


Connections to test in this example are the internal network to ISP1's router or the Internet, and the same for ISP2. If you can connect on the external side of the FortiGate unit, try to ping the internal network. Those three tests should prove your basic network connections are working.
Note: Once you have completed testing the network connectivity, turn off ping support on
the external interfaces for additional security.

Verifying the FortiGate unit’s routing tables
The FortiGate routing table contains the routes stored for future use. If you are expecting
certain routes to be there and they are not, that is a good indicator that your configuration
is not what you expected.
The CLI command get router info routing-table details will provide you with
every route’s routing protocol, destination address, gateway address, interface, weighting,
and if the address is directly connected or not.
If you want to limit the display to BGP routes only, use the CLI command get router
info routing-table bgp. If there are no BGP routes in the routing table, nothing will
be displayed. In the CLI command you can replace BGP with static, or other routing
protocols to only display those routes.
If you want to see the contents of the routing information database (RIB), use the CLI
command get router info routing-table database. This will display the
incoming routes that may or may not make it into the routing table.

Verifying traffic routing
Traffic may be reaching the internal network, but it may be using a different route than you
think to get there.
Use a browser to try and access the Internet.
If needed, allow traceroute and other diag ports to be opened until things are working
properly. Then remove access for them again.
Look for slow hops on the traceroute, or pings to a location, as they may indicate network
loops that need to be fixed.
Any locations that have an unresolved traceroute or ping must be examined and fixed.
Use network packet sniffing to ensure traffic is being routed as you expect.

Verifying the dual-homed side of the configuration
Since there are two connections to the Internet in this example, theoretically you can pull the plug on one of the ISP connections, and all traffic will go through the other connection. Alternately, you may choose to remove a default route to one ISP, remove that ISP's neighbor settings, or change the weightings to prefer the other ISP. These alternate ways to test dual-homing do not change physical cabling, which may be preferred in some situations.
If this does not work as expected, things to check include:
• default static routes — if these are wrong or don't exist, the traffic can't get out.
• BGP neighbor information — if the ISP router information is incorrect, the FortiGate unit won't be able to talk to it.


Redistributing and blocking routes in BGP
During normal BGP operation, peer routers redistribute routes from each other. However, in some situations it may be best not to advertise routes from one peer: the peer may be redundant with another peer (they share exactly the same routes), it may be unreliable in some way, or there may be some other reason.
The FortiGate unit can also take routes it learns from other protocols, for example OSPF or RIP, and advertise them in BGP. If your Company hosts its own web or email servers, external locations will require routes to your networks to reach those services.
In this example the Company has internal networks in an OSPF area, and is connected to a BGP AS and two BGP peers. The Company goes through these two peers to reach the Internet. However, Peer 1 routes will not be advertised to Peer 2. The Company internal user and server networks are running OSPF, and will redistribute those routes to BGP so external locations can reach the web and email servers.
This section includes the following topics:
• Network layout and assumptions
• General configuration steps
• Configuring the FortiGate unit
• Configuring other networking devices
• Testing this configuration

Network layout and assumptions
This section includes:
• Network layout
• Assumptions

Network layout
The network layout for the BGP redistributing routes example involves the company
network being connected to two BGP peers as shown below. In this configuration the
FortiGate unit is the BGP border router between the Company AS, and the peer routers.
The components of the layout include:
• There is only one BGP AS in this example — AS 65001, shared by the FortiGate unit and both peers.
• The Company's FortiGate unit connects to the Internet through two BGP peers.
• The Company internal networks are on the dmz interface of the FortiGate unit, with an IP of 10.11.201.0/24.
• The FortiGate unit's interfaces are connected as follows:
   • port1 (dmz) has IP 10.11.201.110 and is the internal user and server network
   • port2 (external1) has IP 172.21.111.4 and is connected to Peer 1's network
   • port3 (external2) has IP 172.22.222.4 and is connected to Peer 2's network
• Peer 1 has IP 172.21.111.5, and Peer 2 has IP 172.22.222.5.
• OSPF Area 1 is configured on the dmz interface of the FortiGate unit, and is the routing protocol used by the internal users and servers.


Figure 176: BGP network topology (figure not reproduced here: the Internet, Peer 1 at 172.21.111.5 and Peer 2 at 172.22.222.5, the FortiGate unit with external1 172.21.111.4, external2 172.22.222.4 and dmz 10.11.201.110, BGP AS 65001, and OSPF Area 1 with the http and email servers)

Assumptions
The BGP redistributing routes configuration procedure follows these assumptions:
• the FortiGate unit has been configured following the Install Guide
• interfaces port1, port2, and port3 exist on the FortiGate unit
• we don't know the router manufacturers of Peer 1 and Peer 2
• we don't know what other devices are on the BGP AS or OSPF Area
• all basic configuration can be completed in both GUI and CLI
• access lists and route maps will only be configured in CLI
• VDOMs are not enabled on the FortiGate unit

General Configuration Steps
1 Configuring the FortiGate unit — networks and firewalls
2 Configuring the FortiGate unit - BGP
3 Configuring the FortiGate unit - OSPF
4 Configuring other networking devices
5 Testing network configuration

Configuring the FortiGate unit — networks and firewalls
The FortiGate unit has three interfaces connected to networks — two external and one
dmz.
Firewall policies must be in place to allow traffic to flow between these networks.


Firewall services will change depending on which routing protocol is being used on that
network — either BGP or OSPF. Beyond that, all services that are allowed will be allowed
in both directions due to the internal servers. The services allowed are web-server
services (DNS, HTTP, HTTPS, SSH, NTP, FTP*, SYSLOG, and MYSQL), email services
(POP3, IMAP, and SMTP), and general troubleshooting services (PING, TRACEROUTE).
Those last two can be removed once the network is up and working properly to increase
security. Other services can be added later as needed.
To configure the interfaces - GUI
1 Go to System > Network.
2 Edit the port1 (dmz) interface.
3 Set the following information, and select OK.
   Alias                  dmz
   IP/Netmask             10.11.201.110/255.255.255.0
   Administrative Access  HTTPS SSH PING
   Description            OSPF internal networks
   Administrative Status  Up
4 Edit the port2 (external1) interface.
5 Set the following information, and select OK.
   Alias                  external1
   IP/Netmask             172.21.111.4/255.255.255.0
   Administrative Access  HTTPS SSH
   Description            BGP external Peer 1
   Administrative Status  Up
6 Edit the port3 (external2) interface.
7 Set the following information, and select OK.
   Alias                  external2
   IP/Netmask             172.22.222.4/255.255.255.0
   Administrative Access  HTTPS SSH
   Description            BGP external2 Peer2
   Administrative Status  Up
To configure the FortiGate interfaces - CLI
config system interface
    edit port1
        set alias dmz
        set ip 10.11.201.110 255.255.255.0
        set allowaccess https ssh ping
        set description "OSPF internal networks"
        set status up
    next
    edit port2
        set alias external1
        set ip 172.21.111.4 255.255.255.0
        set allowaccess https ssh
        set description "external1 Peer 1"
        set status up
    next
    edit port3
        set alias external2
        set ip 172.22.222.4 255.255.255.0
        set allowaccess https ssh
        set description "external2 Peer 2"
        set status up
    next
end

To configure the firewall addresses - GUI
1 Go to Firewall > Address.
2 Select Create New, and set the following information.
   Address Name       Internal_networks
   Type               Subnet / IP Range
   Subnet / IP Range  10.11.201.0 255.255.255.0
   Interface          port1
3 Select OK.
4 Select Create New, and enter the following information:
5 Select OK.
To configure the firewall addresses - CLI
config firewall address
    edit "Internal_networks"
        set associated-interface "port1"
        set subnet 10.11.201.0 255.255.255.0
    next
end
To configure firewall service groups - GUI
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Name the group OSPF_Services.
4 Move the following services to the right list: DNS, FTP, FTP_GET, FTP_PUT, HTTP, HTTPS, IMAP, MYSQL, NTP, OSPF, PING, POP3, SMTP, SSH, SYSLOG, and TRACEROUTE.
5 Select OK.
6 Select Create New.
7 Name the group BGP_Services.
8 Move the following services to the right list: BGP, DNS, FTP, FTP_GET, FTP_PUT, HTTP, HTTPS, IMAP, MYSQL, NTP, PING, POP3, SMTP, SSH, SYSLOG, and TRACEROUTE.
9 Select OK.


To configure firewall service groups - CLI
config firewall service group
    edit "BGP_Services"
        set member "BGP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "IMAP" "MYSQL" "NTP" "PING" "POP3" "SMTP" "SSH" "SYSLOG" "TRACEROUTE"
    next
    edit "OSPF_Services"
        set member "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "IMAP" "MYSQL" "NTP" "OSPF" "PING" "POP3" "SMTP" "SSH" "SYSLOG" "TRACEROUTE"
    next
end

Configuring the FortiGate unit - BGP
The only change from the standard BGP configuration for this example is blocking Peer 1's routes from being advertised to Peer 2. From the network topology you can guess that both of these peers likely share many routes in common, and it makes no sense to advertise unneeded routes.
Blocking Peer 1's routes to Peer 2 is done with the distribute-list-out keyword, which lets you select which routes you will advertise to a neighbor using an access list. In this case we will block the routes learned from Peer 1 when we send updates to Peer 2. Otherwise Peer 1 and Peer 2 are regular neighbors.
The FortiGate unit will redistribute routes learned from OSPF into BGP.
This is advanced configuration and the commands are only available in the CLI.
An access list denies any route that matches none of its rules, so the list below ends with a rule that permits everything else. Without that rule nothing at all, including the redistributed OSPF networks, would be advertised to Peer 2.
To create an access list to block Peer 1 - CLI
config router access-list
    edit "block_peer1"
        config rule
            edit 1
                set prefix 172.21.111.0 255.255.255.0
                set action deny
                set exact-match enable
            next
            edit 2
                set prefix any
                set action permit
            next
        end
    next
end


To configure BGP on the FortiGate unit - CLI
config router bgp
    set as 65001
    set router-id 10.11.201.110
    config redistribute ospf
        set status enable
    end
    config neighbor
        edit 172.22.222.5
            set remote-as 65001
            set distribute-list-out "block_peer1"
        next
        edit 172.21.111.5
            set remote-as 65001
        next
    end
end
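Whether Peer 2 still receives the redistributed OSPF network depends on how the access list behind distribute-list-out evaluates routes that match no rule. The following Python script is an added example, not FortiOS code: it models the access-list semantics assumed here (rules tried in order, a rule matches when the route lies inside its prefix or equals it when exact-match is on, and a route matching no rule is denied) and applies the block_peer1 list, first with only its deny rule and then with a trailing permit, to a constructed set of routes the FortiGate in this example might hold. `Rule`, `rule_matches`, `filter_routes` and the two `advertised_*` helpers are names chosen for this example.

```python
"""Evaluate the block_peer1 access list as a BGP distribute-list-out to Peer 2.

Added example, not FortiOS code. The route set and the access-list semantics
(ordered rules, exact-match, implicit deny) are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    prefix: str              # "any" or "<network> <mask>" as typed in the CLI
    action: str              # "permit" or "deny"
    exact_match: bool = False


def rule_matches(rule, route):
    """True when `route` (an IPv4Network) is selected by `rule`."""
    if rule.prefix == "any":
        return True
    net = ipaddress.ip_network(rule.prefix.replace(" ", "/"), strict=False)
    if rule.exact_match:
        return route == net            # only the identical prefix matches
    return route.subnet_of(net)        # the prefix itself or any more-specific one


def filter_routes(rules, routes):
    """Return the routes a distribute-list-out built from `rules` would advertise."""
    advertised = []
    for text in routes:
        route = ipaddress.ip_network(text)
        decision = "deny"              # implicit deny when no rule matches
        for rule in rules:
            if rule_matches(rule, route):
                decision = rule.action
                break
        if decision == "permit":
            advertised.append(text)
    return advertised


# Constructed routes in the FortiGate's table: Peer 1's link network, a route
# learned from Peer 1 (documentation prefix), a more-specific prefix inside the
# blocked network, and the OSPF network redistributed into BGP.
CANDIDATE_ROUTES = ["172.21.111.0/24", "198.51.100.0/24",
                    "172.21.111.0/25", "10.11.201.0/24"]

# The list with a single deny rule, as a reader might first write it.
BLOCK_PEER1_DENY_ONLY = [Rule("172.21.111.0 255.255.255.0", "deny", exact_match=True)]

# The same list with a trailing permit so everything else still reaches Peer 2.
BLOCK_PEER1_WITH_PERMIT = BLOCK_PEER1_DENY_ONLY + [Rule("any", "permit")]


def advertised_deny_only():
    return filter_routes(BLOCK_PEER1_DENY_ONLY, CANDIDATE_ROUTES)


def advertised_with_permit():
    return filter_routes(BLOCK_PEER1_WITH_PERMIT, CANDIDATE_ROUTES)


if __name__ == "__main__":
    print("deny rule only  :", advertised_deny_only())      # empty: OSPF net blocked too
    print("deny then permit:", advertised_with_permit())    # /25 passes: exact-match
```

Note that with exact-match enabled only the /24 itself is suppressed; a more-specific 172.21.111.0/25 would still be advertised unless exact-match is disabled.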

Configuring the FortiGate unit - OSPF
This configuration involves only one OSPF area, so all traffic will be intra-area. If there were two or more areas with traffic going between them, it would be inter-area traffic. These two types are comparable to BGP's traffic within one AS (iBGP) or between multiple ASes (eBGP). Redistributing routes from OSPF to BGP is considered external because either the start or end point is a different routing protocol.
The OSPF configuration is basic apart from redistributing the learned BGP routes.
To configure OSPF on the FortiGate unit - web-based manager
1 Go to Router > Dynamic > OSPF.
2 For Router ID enter 10.11.201.110.
3 Under Advanced Options and Redistribute, select BGP and set BGP metric to 1.
4 For Areas, select Create New.
5 Enter 0.0.0.0 for the IP.
6 Select Regular area Type.
7 Select none for Authentication, and select OK.
8 For Networks, select Create New.
9 Enter 10.11.201.0/255.255.255.0 for IP/Netmask, and select OK.
10 For Interfaces, select Create New.
11 Enter OSPF_dmz_network for Name.
12 Select port1(dmz) for Interface, and select OK.
To configure OSPF on the FortiGate unit - CLI
config router ospf
    set router-id 10.11.201.110
    config area
        edit 0.0.0.0
            set type regular
            set authentication none
        next
    end
    config network
        edit 1
            set area 0.0.0.0
            set prefix 10.11.201.0 255.255.255.0
        next
    end
    config ospf-interface
        edit "OSPF_dmz_network"
            set interface "port1"
            set status enable
        next
    end
    config redistribute bgp
        set status enable
        set metric 1
    end
end

Configuring other networking devices
As with all BGP configurations, the peer routers will need to be updated with the FortiGate
unit’s BGP information including IP address, AS number, and what capabilities are being
used such as IPv6, graceful restart, BFD, and so on.

Testing network configuration
Testing this configuration involves the standard connectivity checks, but also ensuring that
routes are being passed between protocols as expected.
Check the routing table on the FortiGate unit to ensure that routes from both OSPF and
BGP are present.
Check the routing table on devices on the OSPF network for routes redistributed from
BGP. Also check those devices for connectivity to the Internet.
Check the routing table on Peer 2 to ensure no routes from Peer 1 are present, but routes
from the internal OSPF network are present.
For help with troubleshooting, see “Troubleshooting” on page 1085, or “Troubleshooting
BGP” on page 1144.


Open Shortest Path First (OSPF)
This section describes how to . It also describes how to .
The following topics are included in this section:
• OSPF Background and concepts
• Troubleshooting OSPF
• OSPF routing examples

OSPF Background and concepts
This section includes:
• Background
• The parts and terminology of OSPF
• How OSPF works

Background
OSPF is a link-state interior routing protocol that is widely used in large enterprise
organizations. It only routes packets within a single autonomous system (AS). This is
different from BGP, which can communicate between ASes.
The main benefit of OSPF is that it detects link failures in the network quickly and
converges within seconds without any routing loops. OSPF also has many features to
control which routes are propagated and which are not, keeping routing tables smaller.
OSPF can also provide better load-balancing on external links than other interior routing
protocols.
OSPF version 2 was defined in 1998 in RFC 2328. OSPF was designed to support
classless IP addressing and variable-length subnet masks, which the earlier RIP
protocols lacked.
Updates to OSPF version 2 are included in OSPF version 3, defined in 2008 in RFC 5340.
OSPF3 includes support for IPv6 addressing, where previously OSPF2 only supported IPv4
addressing.

The parts and terminology of OSPF
Parts and terminology of OSPF include:
• OSPF and IPv6
• Router ID
• Adjacency
• Designated router (DR) and backup router (BDR)
• Area
• Authentication
• Hello and dead intervals


OSPF and IPv6
OSPF version 3 includes support for IPv6. Generally all IP addresses are in IPv6 format
instead of IPv4.
OSPF3 area numbers use the same 32-bit numbering system as OSPF2.

Router ID
In OSPF, each router has a unique 32-bit number called its Router ID. Often this 32-bit
number is written the same as a 32-bit IPv4 address would be written in dotted decimal
notation. However some brands of routers, such as Cisco routers, support a router ID
entered as an integer instead of an IP address.
It is a good idea not to use an IP address that is in use on the router as the router ID. The
router ID does not have to be a particular IP address on the router. By choosing a different
number, it will be harder to confuse which number you are looking at. A good approach is to
reuse as much of the area's number as possible. For example, if you have 15
routers in area 0.0.0.0 they could be numbered from 0.0.0.1 to 0.0.0.15. If you have an
area 1.1.1.1, then routers in that area could start at 1.1.1.10, for example.
You can manually set the router ID on your FortiGate unit.
To manually set an OSPF router ID of 0.0.1.1 - web-based manager
1 Go to Router > Dynamic > OSPF.
2 For Router ID, enter 0.0.1.1.
3 Select OK.
To manually set an OSPF router ID of 0.0.1.1 - CLI
config router ospf
set router-id 0.0.1.1
end

Adjacency
In an OSPF routing network, when an OSPF router boots up it sends out OSPF Hello
packets to find any neighbors, or routers that have access to the same network as the
router booting up. Once neighbors are discovered and Hello packets are exchanged,
updates are sent, and the Link State databases of both neighbors are synchronized. At
this point these neighbors are said to be adjacent.
For two OSPF routers to become neighbors, the following conditions must be met.
• The subnet mask used on both routers must be the same.
• The subnet number derived using the subnet mask and each router's interface IP
address must match.
• The Hello interval and the Dead interval must match.
• The routers must have the same OSPF area ID. If they are in different areas, they are
not neighbors.
• If authentication is used, they must pass authentication checks.

If any of these parameters are different between the two routers, the routers do not
become OSPF neighbors and cannot be adjacent. If the routers become neighbors, they
are adjacent.


Adjacency and neighbors
Neighbor routers can be in a Two-Way state and not be adjacent. Adjacent routers
normally have a neighbor state of FULL. Neighbors only exchange Hello packets, and do
not exchange routing updates. Adjacent routers exchange LSAs (LSDB information) as
well as Hello packets. A good example of an adjacent pair of routers is the DR and BDR.
You can check on the state of an OSPF neighbor using the CLI command get router
info ospf neighbor all. See “Checking the state of OSPF neighbors” on
page 1180.

Why adjacency is important
It is important to have adjacent pairs of routers in the OSPF routing domain because
routing protocol packets are only passed between adjacent routers. This means
adjacency is required for two OSPF routers to exchange routes. If there is no adjacency
between two routers, such as one on the 172.20.120.0 network and another on the
10.11.101.0 network, the routers do not exchange routes. This makes sense because if all
OSPF routers on the OSPF domain exchanged updates it would flood the network. Also,
it is better for updates to progress through adjacent routers to ensure there are no outages
along the way. Otherwise updates could skip over routers that are potentially offline,
causing longer routing outages and delays while the OSPF domain learns of this outage
later on.
If the OSPF network has multiple border routers and multiple connections to external
networks, the designated router (DR) determines which router pairs become adjacent.
The DR can accomplish this because it maintains the complete topology of the OSPF
domain, including which router pairs are adjacent. The BDR also has this information in
case the DR goes offline.

Designated router (DR) and backup router (BDR)
In OSPF a router can have a number of different roles to play.
A designated router (DR) is the designated broadcasting router interface for an AS. It
looks after all the initial contact and other routing administration traffic. Having only one
router do all this greatly reduces the network traffic and collisions.
If something happens and the designated router goes offline, the backup designated
router (BDR) takes over. An OSPF FortiGate unit interface can become either a DR or
BDR. Both the DR and the BDR cover the same area, and are elected at the same time.
The election process doesn’t have many rules, but the exceptions can become complex.

Benefits
The OSPF concept of the designated router is a big step above RIP. With all RIP routers
doing their own updates all the time, RIP suffers from frequent and sometimes
unnecessary updates that can slow down your network. With OSPF, not only do routing
changes only happen when a link-state changes instead of any tiny change to the routing
table, but the designated router reduces this overhead traffic even more.
However, smaller network topologies may only have a couple of routers besides the
designated router. This may seem excessive, but it maintains the proper OSPF form and it
will still reduce the administration traffic, although to a lesser extent than on a large network.
Also, your network topology is ready for when you expand your network.


DR and BDR election
An election chooses the DR and BDR from all the available routers. The election is
primarily based on the priority setting of the routers—the highest priority becomes the DR,
and the second highest becomes BDR. To resolve any ties, the router with the highest
router ID wins. For example 192.168.0.1 would win over 10.1.1.2.
The router priority can vary from 0 to 255, but at 0 a router will never become a DR or
BDR. If a router with a higher priority comes online after the election, it must wait until
after the DR and BDR go offline before it would become the DR.
If the original DR goes offline, but then is available when the BDR goes offline later on, the
original DR will be promoted back to DR without an election, leaving the new BDR as it is.
With your FortiGate unit, to configure the port1 interface to be a potential OSPF
designated router or backup designated router called ospf_DR on the network, you need to
raise the priority of the router to a very high number such as 250 out of 255. This will
ensure the interface has a chance to be a DR, but will not guarantee that it will be one.
Give the interface a low numbered IP address—such as 10.1.1.1 instead of 192.168.1.1—
to help ensure it becomes a DR, but that is not part of this example. Enter the following
command:
config router ospf
    config ospf-interface
        edit "ospf_DR"
            set interface port1
            set priority 250
        next
    end
end
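The election rules just described, as an added example that is not code from the FortiOS Handbook: highest priority wins, ties go to the highest router ID compared as a 32-bit number, priority 0 never wins a seat, a router that comes online after the election waits for a seat to empty, and when the DR goes offline the BDR takes over and a new BDR is chosen. The router IDs and priorities are constructed sample values.

```python
"""Simplified OSPF DR/BDR election as described in the text (added example,
constructed sample data, not Fortinet code)."""
from ipaddress import IPv4Address


def router_id_value(rid):
    """Router IDs are 32-bit numbers, so 192.168.0.1 outranks 10.1.1.2."""
    return int(IPv4Address(rid))


def elect(routers):
    """routers: {router_id: priority}. Returns (dr, bdr); a seat is None if
    no router is eligible for it. Priority 0 routers never win a seat."""
    eligible = [(prio, router_id_value(rid), rid)
                for rid, prio in routers.items() if prio > 0]
    eligible.sort(reverse=True)            # highest priority, then highest ID
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr


class OspfSegment:
    """Tracks the DR and BDR of one network segment as routers come and go."""

    def __init__(self, routers):
        self.routers = dict(routers)       # routers currently online
        self.dr, self.bdr = elect(self.routers)

    def _fill_empty_seats(self):
        # Only empty seats are filled; a sitting DR or BDR is never displaced.
        others = {r: p for r, p in self.routers.items()
                  if r not in (self.dr, self.bdr)}
        if self.dr is None:
            self.dr = elect(others)[0]
            others.pop(self.dr, None)
        if self.bdr is None:
            self.bdr = elect(others)[0]

    def router_online(self, rid, priority):
        """A late arrival, even with a higher priority, does not preempt."""
        self.routers[rid] = priority
        self._fill_empty_seats()

    def router_offline(self, rid):
        """The BDR is promoted when the DR disappears; a new BDR is chosen."""
        self.routers.pop(rid, None)
        if rid == self.dr:
            self.dr, self.bdr = self.bdr, None
        elif rid == self.bdr:
            self.bdr = None
        self._fill_empty_seats()
```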

Area
An OSPF area is a smaller part of the larger OSPF AS. Areas are used to limit the
link-state updates that are sent out. The flooding used for these updates would
overwhelm a large network, so it is divided into these smaller areas for manageability.
Within an area, if there are two or more routers that are viable, there will always be a
designated router (DR) and a backup DR (BDR). For more on these router roles, see
“Designated router (DR) and backup router (BDR)” on page 1171.
Defining a private OSPF area involves:
• assigning a 32-bit number to the area that is unique on your network
• defining the characteristics of one or more OSPF areas
• creating associations between the OSPF areas that you defined and the local networks
to include in the OSPF area
• if required, adjusting the settings of OSPF-enabled interfaces.
Note: IPv6 OSPF area numbers use the same 32-bit number notation as IPv4 OSPF.

If you are using the web-based manager to perform these tasks, follow the procedures
summarized below.


FortiGate units support the four main types of OSPF area:
• Backbone area
• NSSA
• Stub area
• Regular area

Backbone area
Every OSPF network has at least one AS, and every OSPF network has a backbone area.
The backbone is the main area, or possibly the only area. All other OSPF areas are
connected to a backbone area. This means if two areas want to pass routing information
back and forth, that routing information will go through the backbone on its way between
those areas. For this reason the backbone not only has to connect to all other areas in the
network, but also be uninterrupted to be able to pass traffic to all points of the network.
The backbone area is referred to as area 0 because it has an IP address of 0.0.0.0.

Stub area
A stub area is an OSPF area that receives no outside routes advertised into it, and all
routing in it is based on a default route. This essentially isolates it from outside areas.
Stub areas are useful for small networks that are part of a larger organization, especially if
the networking equipment can’t handle routing large amounts of traffic passing through, or
there are other reasons to prevent outside traffic, such as security. For example most
organizations don’t want their accounting department to be the center of their network with
everyone’s traffic passing through there. It would increase the security risks, slow down
their network, and it generally doesn’t make sense.
A variation on the stub area is the totally stubby area. It is a stub area that does not allow
summarized routes.

NSSA
A not-so-stubby area (NSSA) is a stub area that allows external routes to be injected
into it. While it still does not allow routes from external areas, it is not limited to only using
the default route for internal routing.

Regular area
A regular area is what all the other ASes are, all the non-backbone, non-stub, non-NSSA
areas. A regular area generally has a connection to the backbone, does receive
advertisements of outside routes, and does not have an area number of 0.0.0.0.

Authentication
In the OSPF packet header are two authentication-related fields: AuType and
Authentication.
All OSPF packet traffic is authenticated. Multiple types of authentication are supported in
OSPFv2. However in OSPFv3, there is no authentication built-in but it is assumed that
IPSec will be used for authentication instead.
Packets that fail authentication are discarded.

Null authentication
Null authentication indicates there is no authentication being used. In this case the 16-byte
Authentication field is not checked, and can be any value. However checksumming is still
used to locate errors. On your FortiGate this is the none option for authentication.

Simple Password authentication
Simple password refers to a standard plain text string of characters. The same password
is used for all transactions on a network. The main use of this type of authentication is to
prevent routers from accidentally joining the network. Simple password authentication is
vulnerable to many forms of attack, and is not recommended as a secure form of
authentication.

Cryptographic authentication
Cryptographic authentication involves the use of a shared secret key to authenticate all
router traffic on a network. The key is never sent over the network in the clear—a packet is
sent and a condensed and encrypted form of the packet is appended to the end of the
packet. A non-repeating sequence number is included in the OSPF packet to protect
against replay attacks that could try to use already sent packets to disrupt the network.
When a packet is accepted as authentic the authentication sequence number is set to the
packet sequence number. If a replay attack is attempted, the packet sent will be out of
sequence and ignored.
Your FortiGate unit supports all three levels of authentication through the authentication
keyword associated with creating an OSPF interface.
For example, to create an OSPF interface called Accounting on the port1 interface that
is a broadcast interface, has a hello interval of 10 seconds, has a dead interval of 40
seconds, and uses text authentication (simple password) with a password of “ospf_test”, enter
the command:
config router ospf
    config ospf-interface
        edit "Accounting"
            set interface port1
            set network-type broadcast
            set hello-interval 10
            set dead-interval 40
            set authentication text
            set authentication-key "ospf_test"
        next
    end
end

Hello and dead intervals
The OSPF Hello protocol is used to discover and maintain communications with
neighboring routers.
Hello packets are sent out at a regular interval for this purpose. The DR sends out the
Hello packets. In a broadcast network, the multicast address of 224.0.0.5 is used to send
out Hello packets. New routers on the network listen for and reply to these packets to join
the OSPF area. If a new router never receives a Hello packet, other routers will not know it
is there and will not communicate with it. However, once a new router is discovered the
DR adds it to the list of routers in that area and it is integrated into the routing calculations.
The dead interval is the time a router can go without responding before it is declared dead,
or offline. If this interval is too short, routers will be declared offline when they aren’t and
link-state updates will happen more often than they need to. If the dead interval is too long,
it will slow down network traffic while attempts are still made to contact a router that is
already offline.


How OSPF works
An OSPF network consists of one or more areas. An OSPF network is typically divided into
logical areas linked by Area Border Routers. A group of contiguous networks forms an area.
An Area Border Router (ABR) links one or more areas to the OSPF network backbone
(area ID 0). See “Area border router (ABR)” on page 1082.
OSPF is an interior routing protocol. It includes a backbone AS, and possibly additional
ASes. The DR and BDR are elected from potential routers with the highest priorities. The
DR handles much of the administration to lower the network traffic required. New routers
are discovered through hello packets sent from the DR using the multicast address of
224.0.0.5. If the DR goes offline at any time, the BDR has a complete table of routes that
it uses when it takes over as the DR router.
OSPF does not use UDP or TCP, but is encapsulated directly in IP datagrams as protocol
89. This is in contrast to RIP, or BGP. OSPF handles its own error detection and correction
functions.
The OSPF protocol, when running on IPv4, can operate securely between routers,
optionally using a variety of authentication methods to allow only trusted routers to
participate in routing. OSPFv3, running on IPv6, no longer supports protocol-internal
authentication. Instead, it relies on IPv6 protocol security (IPsec).
Other important parts of how OSPF works include:
• OSPF router discovery
• How OSPF works on FortiGate units
• External routes
• Link-state Database (LSDB) and route updates
• OSPF packets

OSPF router discovery
OSPF-enabled routers generate Link-State Advertisements (LSA) and send them to their
neighbors whenever the status of a neighbor changes or a new neighbor comes online. As
long as the OSPF network is stable, LSAs between OSPF neighbors do not occur. An LSA
identifies the interfaces of all OSPF-enabled routers in an area, and provides information
that enables OSPF-enabled routers to select the shortest path to a destination. All LSA
exchanges between OSPF-enabled routers are authenticated.
When a network of OSPF routers comes online, the following steps occur.
1 When OSPF routers come online, they send out Hello packets to find other OSPF
routers on their network segment.
2 When they discover other routers on their network segment, generally they become
adjacent. Adjacent routers can exchange routing updates. See “Adjacency” on
page 1170.
3 A DR and BDR are elected from the available routers using priority settings and router
ID. See “Designated router (DR) and backup router (BDR)” on page 1171, and “DR and
BDR election issues” on page 1182.
4 Link state updates are sent between adjacent routers to map the topology of the OSPF
area.
5 Once complete, the DR floods the network with the updates to ensure all OSPF routers
in the area have the same OSPF route database. After the initial update, there are very
few required updates if the network is stable.


How OSPF works on FortiGate units
When a FortiGate unit interface is connected to an OSPF area, that unit can participate in
OSPF communications. FortiGate units use the OSPF Hello protocol to acquire neighbors
in an area. A neighbor is any router that is directly connected to the same area as the
FortiGate unit, and ideally is adjacent with a state of Full. After initial contact, the FortiGate
unit exchanges Hello packets with its OSPF neighbors regularly to confirm that the
neighbors can be reached.
The number of routes that a FortiGate unit can learn through OSPF depends on the
network topology. A single unit can support tens of thousands of routes if the OSPF
network is configured properly.

External routes
OSPF is an internal routing protocol. OSPF external routes are routes with the destination
of the connection using a routing protocol other than OSPF. OSPF handles external routes
by adjusting the cost of the route to include the cost of the other routing protocol. There
are two methods of calculating this cost, used for OSPF E1 and OSPF E2.

OSPF external1 (E1)
In OSPF E1 the destination is outside of the OSPF domain. This requires a different metric
to be used beyond the normal OSPF metrics. The new metric of a redistributed route is
calculated by adding the external cost and the OSPF cost together.

OSPF external2 (E2)
OSPF E2 is the default external type when routes are redistributed outside of OSPF.
OSPF E2 is similar to E1, except in this case, the metric of the redistributed route is
equivalent to the external cost only, expressed as an OSPF cost. Dropping the OSPF
portion can be useful in a number of situations, on border routers that have no OSPF
portion for example or where the OSPF routing cost is negligible compared to the external
routing cost.

Comparing E1 and E2
The best way to understand OSPF E1 and E2 routes is to check routing tables on OSPF
routers. If you look at the routes on an OSPF border router, the redistributed routes will
have an associated cost that represents only the external route, as there is no OSPF cost
to the route due to it already being on the edge of the OSPF domain. However, if you look
at that same route on a different OSPF router inside the OSPF routing domain, it will have
a higher associated cost - essentially the external cost plus the cost over the OSPF
domain to that border router. In effect, the border router sees the route as OSPF E2, where
the internal OSPF router sees the same route as OSPF E1.

Viewing external routes
When you are trying to determine the costs for routes in your network to predict how traffic
will be routed, you need to see the external OSPF routes and their associated costs. On
your FortiGate unit, you find this information through your CLI.
To view external routes - CLI
You can view the whole routing table using get router info routing-table
all to see all the routes including the OSPF external routes, or for a shorter list you
can use the command get router info routing-table ospf. The letters at the
left will be E1 or E2 for external OSPF routes. The output will look similar to
the following, depending on what routes are in your routing table.


FGT620B# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*E2    0.0.0.0/0 [110/10] via 10.1.1.3, tunnel_wan2, 00:02:11
O       10.0.0.1/32 [110/300] via 10.1.1.3, tunnel_wan2, 00:02:11
S       0.0.0.0/0 [10/0] via 192.168.183.254, port2
S       1.0.0.0/8 [10/0] via 192.168.183.254, port2
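A parser for the listing above, added here as an example that is not Fortinet's code: it pulls each route's code, prefix, [administrative distance/metric], next hop and interface out of the get router info routing-table all output and filters the OSPF external (E1/E2) routes. SAMPLE_OUTPUT is a constructed copy of the listing in the text.

```python
"""Parse FortiGate 'get router info routing-table all' output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the listing shown in the text.
SAMPLE_OUTPUT = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*E2    0.0.0.0/0 [110/10] via 10.1.1.3, tunnel_wan2, 00:02:11
O       10.0.0.1/32 [110/300] via 10.1.1.3, tunnel_wan2, 00:02:11
S       0.0.0.0/0 [10/0] via 192.168.183.254, port2
S       1.0.0.0/8 [10/0] via 192.168.183.254, port2
"""

# One route line: code letters (with * for a candidate default), prefix,
# [administrative distance/metric], next hop, interface and an optional age.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9*]+)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+"
    r"via\s+(?P<nexthop>[^,\s]+),\s*(?P<iface>[^,\s]+)"
    r"(?:,\s*(?P<age>\S+))?\s*$"
)


@dataclass
class Route:
    code: str
    prefix: str
    distance: int
    metric: int
    nexthop: str
    iface: str
    age: Optional[str]

    @property
    def candidate_default(self) -> bool:
        return "*" in self.code

    @property
    def external_type(self) -> Optional[str]:
        """E1/E2 (or NSSA N1/N2) pair at the end of the code, else None."""
        tail = self.code[-2:]
        return tail if tail in ("E1", "E2", "N1", "N2") else None


def parse_routing_table(text: str) -> List[Route]:
    """Return the route entries; legend lines and blanks are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m is None:
            continue
        routes.append(Route(m["code"], m["prefix"], int(m["distance"]),
                            int(m["metric"]), m["nexthop"], m["iface"], m["age"]))
    return routes


def ospf_external_routes(routes: List[Route]) -> List[Route]:
    """Routes learned through OSPF that were redistributed from another protocol."""
    return [r for r in routes
            if r.code.startswith("O") and r.external_type in ("E1", "E2")]
```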

Link-state Database (LSDB) and route updates
OSPF is based on links. The links between adjacent neighbor routers allow updates to be
passed along the network. Network links allow the DR to flood the area with Link-state
database (LSDB) updates. External links allow the OSPF area to connect to destinations
outside the OSPF autonomous system. Information about these links is passed
throughout the OSPF network as link-state updates.
The LSDB contains the information that defines the complete OSPF area, but the LSDB is
not the routing table. It contains the information from all the link-state updates passed
along the network. When there are no more changes required, and the network is stable
then the LSDB on each router in the network will be the same. The DR will flood the LSDB
to the area to ensure each router has the same LSDB.
To calculate the best route (shortest path) to a destination, the FortiGate unit applies the
Shortest Path First (SPF) algorithm — based on Dijkstra’s algorithm — to the accumulated
link-state information. OSPF uses a relative path cost metric for choosing the best route.
The path cost can be any metric, but is typically the bandwidth of the path—how fast traffic
will get from one point to another.
The path cost, similar to “distance” for RIP, imposes a penalty on the outgoing direction of
a FortiGate unit interface. The path cost of a route is calculated by adding together all of
the costs associated with the outgoing interfaces along the path to the destination. The
lowest overall path cost indicates the best route, and generally the fastest route. Some
brands of OSPF routers, such as Cisco, implement cost as a direct result of bandwidth
between the routers. Generally this is a good cost metric because larger bandwidth means
more traffic can travel without slowing down. To achieve this type of cost metric on
FortiGate units, you need to set the cost for each interface manually in the CLI.
Note: The inter-area routes may not be calculated when a Cisco type ABR has no fully
adjacent neighbor in the backbone area. In this situation, the router considers
summary-LSAs from all Actively Attached areas (RFC 3509).


The FortiGate unit dynamically updates its routing table based on the results of the SPF
calculation to ensure that an OSPF packet will be routed using the shortest path to its
destination. Depending on the network topology, the entries in the FortiGate unit routing
table may include:
• the addresses of networks in the local OSPF area (to which packets are sent directly)
• routes to OSPF area border routers (to which packets destined for another area are
sent)
• if the network contains OSPF areas and non-OSPF domains, routes to area boundary
routers, which reside on the OSPF network backbone and are configured to forward
packets to destinations outside the OSPF AS.

OSPF Route updates
Once the OSPF domain is established, there should be few updates required on a stable
network. When updates occur and a decision is required concerning a new route, this is
the general procedure.
1 Our router gets a new route, and needs to decide if it should go in the routing table.
2 The router has an up-to-date LSDB of the entire area, containing information about
each router, the next hop to it, and most importantly the cost to get there.
3 Our router turns the LSDB into a shortest path first (SPF) tree using Dijkstra’s
algorithm. It doesn’t matter if there is more than one path to a router on the network;
the SPF tree only cares about the shortest path to that router.
4 Once the SPF tree has been created and shows the shortest paths to all the OSPF
routers on the network, the work is done. If the new route is the best route, it will be
part of that tree. If it is not the shortest route, it will not be included in the LSDB.
5 If there has been a change from the initial LSDB to the new SPF tree, a link state
update will be sent out to let the other routers know about the change so they can
update their LSDBs as well. This is vital since all routers on the OSPF area must have
the same LSDB.
6 If there was no change between the LSDB and the SPF tree, no action is taken.
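The SPF calculation in the procedure above and the E1/E2 cost comparison from the “Comparing E1 and E2” section, worked through in one added example that is not code from the FortiOS Handbook: Dijkstra's algorithm is run over a constructed single-area topology whose link costs are the outgoing interface costs, and the cost of a route redistributed by the border router (ASBR) is then computed as E1 and as E2 from the border router itself and from an internal router. The topology, interface costs and external cost are constructed sample values.

```python
"""SPF (Dijkstra) over a link-state map plus E1/E2 external route costs.
Added example with constructed sample data, not Fortinet code."""
import heapq

# Constructed single-area topology: router -> {neighbor: cost of the OUTGOING
# interface toward that neighbor}. The text says a path's cost is the sum of the
# outgoing interface costs along it, so the map is directional.
TOPOLOGY = {
    "R1":   {"R2": 10, "R3": 100},
    "R2":   {"R1": 10, "ASBR": 20},
    "R3":   {"R1": 100, "ASBR": 5},
    "ASBR": {"R2": 20, "R3": 5},
}


def spf(topology, source):
    """Dijkstra's algorithm over the link-state map (the SPF calculation).

    Returns {router: (total_cost, previous_hop)}, the SPF tree rooted at
    `source`. Only the shortest path to each router is kept, which is all the
    SPF tree cares about according to the text."""
    tree = {source: (0, None)}
    frontier = [(0, source)]
    while frontier:
        cost, node = heapq.heappop(frontier)
        if cost > tree[node][0]:
            continue                      # stale entry; a cheaper path was found
        for neighbor, link_cost in topology[node].items():
            candidate = cost + link_cost
            if neighbor not in tree or candidate < tree[neighbor][0]:
                tree[neighbor] = (candidate, node)
                heapq.heappush(frontier, (candidate, neighbor))
    return tree


def path_to(tree, destination):
    """Walk the SPF tree back from `destination` to the root."""
    hops = []
    node = destination
    while node is not None:
        hops.append(node)
        node = tree[node][1]
    return hops[::-1]


def external_route_cost(tree, asbr, external_cost, route_type):
    """Cost of a route redistributed by `asbr`, as seen by the router owning `tree`.

    E1: external cost plus the OSPF cost to reach the ASBR.
    E2: external cost only; the OSPF portion is dropped."""
    if route_type == "E1":
        return external_cost + tree[asbr][0]
    if route_type == "E2":
        return external_cost
    raise ValueError("unknown external route type: %r" % route_type)


if __name__ == "__main__":
    EXTERNAL_COST = 50        # constructed cost learned from the other protocol
    for router in ("ASBR", "R1"):
        tree = spf(TOPOLOGY, router)
        print(router, "reaches ASBR via", path_to(tree, "ASBR"),
              "at OSPF cost", tree["ASBR"][0])
        for rtype in ("E1", "E2"):
            print("   ", rtype, "cost:",
                  external_route_cost(tree, "ASBR", EXTERNAL_COST, rtype))
```

On the border router both types carry only the external cost; on R1 the E1 route costs the external 50 plus the 30 it takes to reach the ASBR, which is the difference the text describes.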

OSPF packets
Every OSPF packet starts with a standard 24-byte header, and another 24 bytes of
information or more. The header contains all the information necessary to determine
whether the packet should be accepted for further processing.
Table 83: OSPF packet
1-byte Version field
1-byte Type field
2-byte Packet length
3-byte Router ID
4-byte Area ID
2-byte Checksum
2-byte Auth Type
8-byte Authentication
4-byte Network Mask
2-byte Hello interval
1-byte Options field
1-byte Router Priority
4-byte Dead Router interval
4-byte DR field
4-byte BDR field
4-byte Neighbor ID

The following descriptions summarize the OSPF packet header fields.
Version field—The OSPF version number. This specification documents version 2 of the
protocol.


Type field—There are 5 OSPF packet types. From one to five, respectively, they are
Hello, Database Description, Link State Request, Link State Update, and Link State
Acknowledgment.
Packet length—The length of the OSPF protocol packet in bytes. This length includes
the standard OSPF 24-byte header, so all OSPF packets are at least 24 bytes long.
Router ID—The Router ID of the packet's source.
Area ID—A 32-bit number identifying the area that this packet belongs to. All OSPF
packets are associated with a single area. Most travel a single hop only. Packets
travelling over a virtual link are labelled with the backbone Area ID of 0.0.0.0.
Checksum—The standard IP checksum of the entire contents of the packet, starting with
the OSPF packet header but excluding the 64-bit authentication field. This checksum is
calculated as the 16-bit one's complement of the one's complement sum of all the 16-bit
words in the packet, excepting the authentication field. If the packet's length is not an
integral number of 16-bit words, the packet is padded with a byte of zero before
checksumming. The checksum is considered to be part of the packet authentication
procedure; for some authentication types the checksum calculation is omitted.
Auth Type—Identifies the authentication procedure to be used for the packet.
Authentication types include Null authentication (0), Simple password (1), Cryptographic
authentication (2), and all others are reserved for future use.
Authentication—A 64-bit field for use by the authentication scheme. When AuType
indicates no authentication is being used, the Authentication field is not checked and can
be any value. When AuType is set to 2 (Cryptographic authentication), the 64-bit
authentication field is split into the following four fields: Zero field, Key ID field,
Authentication data length field, and Cryptographic sequence field.
The Key ID field indicates the key and algorithm used to create the message digest
appended to the packet. The authentication data length field indicates how many bytes
long the message digest is, and the cryptographic sequence number is a non-decreasing
number that is set when the packet is received and authenticated to prevent replay
attacks.
Network Mask—The subnet where this packet is valid.
Hello interval—The period of time between sending out Hello packets. See “Hello and
dead intervals” on page 1174.
Options field—The OSPF protocol defines several optional capabilities. A router
indicates the optional capabilities that it supports in its OSPF Hello packets, Database
Description packets and in its LSAs. This enables routers supporting a mix of optional
capabilities to coexist in a single Autonomous System.
Router priority—The priority between 0 and 255 that determines which routers become
the DR and BDR. See “Designated router (DR) and backup router (BDR)” on page 1171.
Dead router interval—The period of time when there is no response from a router before
it is declared dead. See “Hello and dead intervals” on page 1174.
DR and BDR fields—The DR and BDR fields each list the router that fills that role on this
network, generally the routers with the highest priorities. See “Designated router (DR) and
backup router (BDR)” on page 1171.
Neighbor ID—The ID number of a neighboring router. This ID is used to discover new
routers and respond to them.

FortiOS™ Handbook FortiOS 4.0 MR2 Dynamic Routing
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

1179

Troubleshooting OSPF

Open Shortest Path First (OSPF)

Troubleshooting OSPF
As with other dynamic routing protocols, OSPF has some issues that may need
troubleshooting from time to time. For basic troubleshooting, see “Troubleshooting” on
page 1085.
The more common issues include:
• Clearing OSPF routes from the routing table
• Checking the state of OSPF neighbors
• Passive interface problems
• Timer problems
• Authentication issues
• DR and BDR election issues

Clearing OSPF routes from the routing table
If you think the wrong route has been added to your routing table and you want to check it
out, you first have to remove that route from your table before seeing if it is added back in
or not. You can clear all or some OSPF neighbor connections (sessions) using the exec
router clear OSPF command. The exec router clear command is much more limiting
for OSPF than it is for BGP. See “Clearing routing table entries” on page 1144.
For example, if you have routes in the OSPF routing table and you want to clear the
specific route to IP address 10.10.10.1, you will have to clear all the OSPF entries. Enter
the command:
FGT# exec router clear ospf process

Checking the state of OSPF neighbors
In OSPF each router sends out link state advertisements to find other routers on its
network segment, and to create adjacencies with some of those routers. This is important
because routing updates are only passed between adjacent routers. If two routers you
believe to be adjacent are not, that can be the source of routing failures.
To identify this problem, you need to check the state of the OSPF neighbors of your
FortiGate unit. Use the CLI command get router info ospf neighbor all to see
all the neighbors for your FortiGate unit. You will see output in the form of:
FGT1 # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State     Dead Time   Address     Interface
10.0.0.2        1     Full/ -   00:00:39    10.1.1.2    tunnel_wan1
10.0.0.2        1     Full/ -   00:00:34    10.1.1.4    tunnel_wan2
The important information here is the State column. Any neighbors that are not adjacent
to your FortiGate unit will be reported in this column as something other than Full. If the
state is Down, that router is offline.
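An added check, not from the FortiOS Handbook, that applies this rule to the text printed by `get router info ospf neighbor`: it parses each neighbor row and reports every neighbor whose State is not Full, with a hint on what that state usually points to. The sample output is constructed and adds a 2-Way and a Down neighbor to the two Full ones shown above.

```python
"""Flag OSPF neighbors that are not fully adjacent in FortiGate CLI output.

Added example, not from the FortiOS Handbook. Input is the text printed by
`get router info ospf neighbor`; the sample below is constructed.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address      Interface
10.0.0.2          1   Full/ -         00:00:39    10.1.1.2     tunnel_wan1
10.0.0.2          1   Full/ -         00:00:34    10.1.1.4     tunnel_wan2
10.0.0.3          1   2-Way/DROther   00:00:31    10.1.1.6     port2
10.0.0.4          0   Down/ -         00:00:00    10.1.1.8     port3
"""

# One neighbor row: "<router id> <pri> <state>/<role> <dead time> <address> <interface>"
ROW = re.compile(
    r"^(?P<id>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>[\w-]+)/\s*(?P<role>\S+)\s+(?P<dead>\d\d:\d\d:\d\d)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)$"
)

# What a non-Full state usually means, following the handbook's troubleshooting list.
HINTS = {
    "Down": "neighbor is offline",
    "Attempt": "no Hello received yet (NBMA); check the neighbor configuration",
    "Init": "neighbor does not list us in its Hellos; check timers, area, mask and authentication",
    "2-Way": "no adjacency formed; normal between two DROthers, otherwise check the DR/BDR election",
    "ExStart": "stuck negotiating database exchange; check MTU on both sides",
    "Exchange": "database description exchange not completing; check MTU and filters",
    "Loading": "LSA requests outstanding; check for a flapping link",
}


@dataclass(frozen=True)
class Neighbor:
    router_id: str
    priority: int
    state: str      # Down, Attempt, Init, 2-Way, ExStart, Exchange, Loading or Full
    role: str       # DR, BDR, DROther, or "-" when no election applies
    dead_time: str
    address: str
    interface: str

    @property
    def adjacent(self) -> bool:
        return self.state == "Full"


def parse_neighbors(text: str) -> list[Neighbor]:
    """Parse every neighbor row; the 'OSPF process' and column header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        rows.append(Neighbor(m["id"], int(m["pri"]), m["state"], m["role"],
                             m["dead"], m["addr"], m["iface"]))
    return rows


def find_problems(neighbors: list[Neighbor]) -> list[tuple[str, str, str]]:
    """Return (router_id, interface, hint) for each neighbor that is not Full."""
    problems = []
    for n in neighbors:
        if n.adjacent:
            continue
        hint = HINTS.get(n.state, f"unexpected state {n.state!r}")
        problems.append((n.router_id, n.interface, hint))
    return problems


if __name__ == "__main__":
    for rid, iface, hint in find_problems(parse_neighbors(SAMPLE_OUTPUT)):
        print(f"{rid} on {iface}: {hint}")
```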

Passive interface problems
A passive OSPF interface doesn’t send out any updates. This means it can’t be a DR,
BDR, or an area border router among other things. It will depend on other neighbor routers
to update its link-state table.

Passive interfaces can cause problems when they aren’t receiving the routing updates
you expect from their neighbors. This will result in the passive OSPF FortiGate unit
interface having an incomplete or out of date link-state database, and it will not be able to
properly route its traffic. It is possible that the passive interface is causing a hole in the
network where no routers are passing updates to each other, however this is a rare
situation.
If a passive interface is causing problems, there are some easy methods to determine
whether it is the cause. The easiest method is to make it an active interface; if the issues
disappear, that was the cause. Another method is to examine the OSPF routing table and
related information to see if it is incomplete compared to other neighbor routers. If this is
the case.
If you cannot make the interface active for some reason, you will have to change your
network to fix the “hole” by adding more routers, or changing the relationship between the
passive router’s neighbors to provide better coverage.

Timer problems
A timer mismatch is when two routers have different values set for the same timer. For
example, if one router declares a router dead after 45 seconds and another waits for 4
minutes, that difference will leave those two routers out of sync for that period of time:
one will still see the offline router as being online.
The easiest method to check the timers is to check the configuration on each router.
Another method is to sniff some packets, and read the timer values in the packets
themselves from different routers. Each packet contains the hello interval, and dead
interval periods, so you can compare them easily enough.

Bi-directional Forwarding Detection (BFD)
Bi-directional Forwarding Detection (BFD) is a protocol used to quickly locate hardware
failures in the network. Routers running BFD communicate with each other, and if a timer
runs out on a connection then that router is declared down. BFD then communicates this
information to the routing protocol and the routing information is updated.

Authentication issues
OSPF has a number of authentication methods you can choose from. You may encounter
problems with routers not authenticating as you expect. This will likely appear simply as
one or more routers that have a blind spot in their routing - they won’t acknowledge a
router. This can be a problem if that router connects areas to the backbone as it will
appear to be offline and unusable.
To confirm this is the issue, the easiest method is to turn off authentication on the
neighboring routers. With no authentication between any routers, everything should flow
normally.
Another method to confirm that authentication is the problem is to sniff packets, and look
at their contents. The authentication type and password are right in the packets, which
makes it easy to confirm in real time that they are what you expect. It's possible one or
more routers is not configured as you expect and may be using the wrong authentication.
This method is especially useful if there are a group of routers with these problems: it
may only be one router causing the problem that is seen in multiple routers.

Once you have confirmed the problem is authentication related, you can decide how to
handle it. You can turn off authentication and take your time to determine how to get your
preferred authentication type back online. You can try another type of authentication, text
instead of md5 for example, which may have more success and still provide some level of
protection. The important part is that once you confirm the problem, you can decide how to
fix it properly.
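The header fields described earlier (the checksum that skips the 64-bit authentication field, and the Key ID, authentication data length and cryptographic sequence number that AuType 2 packs into it) and the advice in the Timer problems and Authentication issues sections to read hello/dead intervals and AuType straight from sniffed packets, as one added example that is not FortiOS code: a Python decoder for OSPFv2 Hello packets that verifies the checksum, decodes the AuType 2 fields, and reports routers whose timers or authentication type differ from the first router seen. The packets are constructed inline; the MD5 digest that follows an AuType 2 packet is not verified here.

```python
"""Decode OSPFv2 Hello packets and compare timers and authentication type.

Added example, not from the FortiOS Handbook. Packets are constructed inline
(no capture needed); the digest appended after an AuType 2 packet is not checked.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

OSPF_HELLO = 1
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
HEADER = struct.Struct("!BBH4s4sHH8s")        # 24-byte OSPFv2 packet header
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")    # Hello body before the neighbor list


def ospf_checksum(packet: bytes) -> int:
    """Ones-complement checksum of the packet excluding the 8-byte authentication
    field, with the checksum field itself taken as zero (RFC 2328, D.4.1)."""
    data = bytearray(packet[:16] + packet[24:])
    data[12:14] = b"\x00\x00"
    if len(data) % 2:
        data.append(0)  # pad to a whole number of 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), bytes(data)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Hello:
    router_id: str
    area_id: str
    au_type: int
    hello_interval: int
    dead_interval: int
    priority: int
    checksum_ok: bool
    key_id: Optional[int] = None      # AuType 2 only
    crypto_seq: Optional[int] = None  # AuType 2 only
    neighbors: list = field(default_factory=list)


def build_hello(router_id, area_id, hello_int, dead_int, priority,
                au_type=AU_NULL, password=b"", key_id=1, seq=0) -> bytes:
    """Construct a Hello (test data only); DR and BDR fields are left at 0.0.0.0."""
    body = HELLO_FIXED.pack(IPv4Address("255.255.255.0").packed, hello_int, 0x02,
                            priority, dead_int, bytes(4), bytes(4))
    if au_type == AU_SIMPLE:
        auth = password.ljust(8, b"\0")[:8]
    elif au_type == AU_CRYPTO:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # Zero | Key ID | length | sequence
    else:
        auth = bytes(8)
    pkt = HEADER.pack(2, OSPF_HELLO, HEADER.size + len(body), IPv4Address(router_id).packed,
                      IPv4Address(area_id).packed, 0, au_type, auth) + body
    if au_type != AU_CRYPTO:  # the checksum is omitted for cryptographic authentication
        pkt = pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]
    return pkt


def parse_hello(pkt: bytes) -> Hello:
    ver, ptype, length, rid, area, csum, au_type, auth = HEADER.unpack_from(pkt)
    if ver != 2 or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello packet")
    _mask, hello_int, _opts, pri, dead_int, _dr, _bdr = HELLO_FIXED.unpack_from(pkt, HEADER.size)
    nbrs = pkt[HEADER.size + HELLO_FIXED.size:length]
    h = Hello(str(IPv4Address(rid)), str(IPv4Address(area)), au_type, hello_int, dead_int,
              pri, checksum_ok=(au_type == AU_CRYPTO or csum == ospf_checksum(pkt)),
              neighbors=[str(IPv4Address(nbrs[i:i + 4])) for i in range(0, len(nbrs), 4)])
    if au_type == AU_CRYPTO:
        _zero, h.key_id, _auth_len, h.crypto_seq = struct.unpack("!HBBI", auth)
    return h


def find_mismatches(hellos: list) -> list:
    """Compare every router against the first one seen on the segment: hello and
    dead intervals and AuType must agree or the routers never reach Full."""
    ref, problems = hellos[0], []
    for h in hellos[1:]:
        if (h.hello_interval, h.dead_interval) != (ref.hello_interval, ref.dead_interval):
            problems.append(f"{h.router_id}: timers {h.hello_interval}/{h.dead_interval}s differ "
                            f"from {ref.router_id} ({ref.hello_interval}/{ref.dead_interval}s)")
        if h.au_type != ref.au_type:
            problems.append(f"{h.router_id}: AuType {h.au_type} differs from {ref.router_id} "
                            f"(AuType {ref.au_type})")
        if not h.checksum_ok:
            problems.append(f"{h.router_id}: OSPF checksum does not verify")
    return problems


# Constructed capture: two routers with the handbook's default 10/40 timers and no
# authentication, and a third still using MD5 (AuType 2) with 45/240 timers.
CAPTURE = [
    build_hello("10.11.101.1", "0.0.0.0", 10, 40, 255),
    build_hello("10.11.101.2", "0.0.0.0", 10, 40, 250),
    build_hello("10.11.102.3", "0.0.0.0", 45, 240, 0, au_type=AU_CRYPTO, key_id=1, seq=7),
]
```

Running `find_mismatches([parse_hello(p) for p in CAPTURE])` reports the third router twice, once for its timers and once for its AuType.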

DR and BDR election issues
You can force a particular router to become the DR and BDR by setting their priorities
higher than any other OSPF routers in the area. This is a good idea when those routers
have more resources to handle the traffic and extra work of the DR and BDR roles, since
not all routers may be able to handle all that traffic.
However, if you set all the other routers to not have a chance at being elected, a priority of
zero, you can run into problems if the DR and BDR go offline. The good part is that you will
have some warning generally as the DR goes offline and the BDR is promoted to the DR
position. But if the network segment with both the DR and BDR goes down, your network
will have no way to send hello packets, send updates, or the other tasks the DR performs.
The solution to this is to always allow routers to have a chance at being promoted, even if
you set their priority to one. In that case they would be the last choice, but if there are no
other candidates you want that router to become the DR. Most networks would have
already alerted you to the equipment problems, so this would be a temporary measure to
keep the network traffic moving until you can find and fix the problem to get the real DR
back online.

OSPF routing examples
This section includes:
• Basic OSPF example
• Advanced inter-area OSPF example
• Configuring an ABR that redistributes routes from RIP into OSPF and vice versa

Basic OSPF example
This example sets up an OSPF network at a small office. There are 3 routers, all running
OSPF v2. The border router connects to a BGP network.
All three routers in this example are FortiGate units. Router1 will be the designated router
(DR) and Router2 will be the backup DR (BDR) due to their priorities. Router3 will not be
considered for either the DR or BDR elections. Instead, Router3 is the autonomous system
boundary router (ASBR) routing all traffic to the ISP’s BGP router on its way to the Internet.
Router2 has a modem connected that provides dialup access to the Internet as well, at a
reduced bandwidth. This is a PPPoE connection to a DSL modem. This provides an
alternate route to the Internet if the other route goes down. The DSL connection is slow,
and is charged by the amount of traffic. For these reasons OSPF will highly favor
Router3’s Internet access.
The DSL connection connects to an OSPF network with the ISP, so no redistribution of
routes is required. The ISP network does have to be added to that router’s configuration
however.

This section includes the following topics:
• Network layout and assumptions
• General configuration steps
• Configuring the FortiGate units
• Configuring other networking devices
• Testing network configuration

Network layout and assumptions
This section includes:
• Network layout
• Assumptions

Network layout
There are three FortiGate units acting as OSPF v2 routers on the network—Router1,
Router2, and Router3. Router1 will be the designated router (DR), and Router2 the BDR.
Router3 is the autonomous system boundary router (ASBR) that connects to the external
ISP router running BGP. Router2 has a PPPoE DSL connection that can access the Internet.
The Head Office network is connected to Router1 and Router2 on the 10.11.101.0 subnet.
Router1 and Router3 are connected over the 10.11.103.0 subnet.
Router2 and Router3 are connected over the 10.11.102.0 subnet.
The following table lists the router, interface, address, and role it is assigned.
Table 84: Routers, interfaces, and IP addresses for basic OSPF example network
Router name     Interface          IP address     Interface is connected to:
Router1 (DR)    Internal (port1)   10.11.101.1    Head office network, and Router2
                External (port2)   10.11.102.1    Router3
Router2 (BDR)   Internal (port1)   10.11.101.2    Head office network, and Router1
                External (port2)   10.11.103.2    Router3
                DSL (port3)        10.12.101.2    PPPoE DSL access
Router3 (ASBR)  Internal1 (port1)  10.11.102.3    Router1
                Internal2 (port2)  10.11.103.3    Router2
                External (port3)   172.20.120.3   ISP’s BGP network

Figure 177: Basic OSPF network topology (diagram not reproduced). It shows the Internet
reached through the ISP BGP router (172.20.120.5) from the external interface
(172.20.120.3) of Router3 (ASBR); Router2 (BDR) with its DSL Internet access; Router1
(DR); the Company AS (AS 0.0.0.0); and the Head Office Network, 10.11.101.0/24.

Note that other subnets can be added to the internal interfaces without changing the
configuration.

Assumptions
• The FortiGate units used in this example have interfaces named port1, port2, and
  port3.
• All FortiGate units in this example have factory default configuration with FortiOS 4.0
  MR2 firmware installed, and are in NAT/Route operation mode.
• Basic firewalls are in place to allow unfiltered traffic between all connected interfaces in
  both directions.
• This OSPF network is not connected to any other OSPF networks.
• Both Internet connections are always available.
• The modem connection is very slow and expensive.
• Other devices may be on the network, but do not affect this basic configuration.
• Router3 is responsible for redistributing all routes into and out of the OSPF AS.

General configuration steps
The general configuration steps involved are:
1 Configuring the FortiGate units
• basic interface configuration
• general system configuration
2 Configuring OSPF on the FortiGate units
• configure OSPF for each interface
• configure general OSPF settings for each router
• Configure each router as one of DR, BDR, or ASBR
• Configure route redistribution between BGP and OSPF
3 Configuring other networking devices
4 Testing network configuration

Configuring the FortiGate units
Each FortiGate unit needs the interfaces, and basic system information such as hostname
configured.
This section includes:
• Configuring Router1
• Configuring Router2
• Configuring Router3

Configuring Router1
Router1 has two interfaces connected to the network—internal (port1) and external
(port2). Its host name must be changed to Router1.
To configure Router1 interfaces - web-based manager
1 Go to System > Status > Dashboard.
2 Next to hostname, select Change.
3 Enter a hostname of Router1, and select OK.
1 Go to System > Network > Interface.
2 Edit port1.
3 Set the following information, and select OK.
Alias                  internal
IP/Netmask             10.11.101.1/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Head office and Router2
Administrative Status  Up

4 Edit port2.
5 Set the following information, and select OK.
Alias                  External
IP/Netmask             10.11.102.1/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Router3
Administrative Status  Up

Configuring Router2
Router2 configuration is the same as Router1, except Router2 also has the DSL interface
to configure.
The DSL interface is configured with a username of “user1” and a password of
“ospf_example”. The default gateway will be retrieved from the ISP, and the defaults will
be used for the rest of the PPPoE settings.
To configure Router2 interfaces - web-based manager
1 Go to System > Status > Dashboard.
2 Next to hostname, select Change.
3 Enter a hostname of Router2, and select OK.
1 Go to System > Network > Interface.
2 Edit port1.
3 Set the following information, and select OK.
Alias                  internal
IP/Netmask             10.11.101.2/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Head office and Router1
Administrative Status  Up

4 Edit port2.
5 Set the following information, and select OK.
Alias                  External
IP/Netmask             10.11.103.2/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Router3
Administrative Status  Up

6 Edit DSL (port3).
7 Set the following information, and select OK.
Alias                                DSL
Addressing Mode                      PPPoE
Username                             user1
Password                             ospf_example
Unnumbered IP address                10.12.101.2/255.255.255.0
Retrieve default gateway from server Enable
Administrative Access                HTTPS SSH PING
Description                          DSL
Administrative Status                Up

Configuring Router3
Router3 is similar to Router1 and Router2 configurations. The main difference is the
External (port3) interface connected to the ISP BGP network which has no administration
access enabled for security reasons.
To configure Router3 interfaces - web-based manager
1 Go to System > Status > Dashboard.
2 Next to hostname, select Change.
3 Enter a hostname of Router3, and select OK.
1 Go to System > Network > Interface.
2 Edit port1.
3 Set the following information, and select OK.
Alias                  internal
IP/Netmask             10.11.102.3/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Router1
Administrative Status  Up

4 Edit port2.
5 Set the following information, and select OK.
Alias                  Internal2
IP/Netmask             10.11.103.3/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Router2
Administrative Status  Up

6 Edit port3.
7 Set the following information, and select OK.
Alias                  External
IP/Netmask             172.20.120.3/255.255.255.0
Administrative Access  (none)
Description            ISP BGP
Administrative Status  Up

Configuring OSPF on the FortiGate units
With the interfaces configured, the FortiGate units can now be configured for OSPF on
those interfaces. All routers are part of the backbone 0.0.0.0 area, so no inter-area
communication is needed.
For a simple configuration there will be no authentication, no graceful restart or other
advanced features, and timers will be left at their defaults. Also the costs for all interfaces
will be left at 10, except for the modem and ISP interfaces where cost will be used to load
balance traffic. Nearly all advanced features of OSPF are only available from the CLI.

The network that is defined covers all the subnets used in this example - 10.11.101.0,
10.11.102.0, and 10.11.103.0. All routes for these subnets will be advertised. If there are
other interfaces on the FortiGate units that you do not want included in the OSPF routes,
ensure those interfaces use a different subnet outside of the 10.11.0.0 network. If you
want all interfaces to be advertised you can use an OSPF network of 0.0.0.0.
Each router will configure:
• router ID
• area
• network
• two or three interfaces depending on the router
• priority for DR (Router1) and BDR (Router2)
• redistribute for ASBR (Router3)

This section includes:
• Configuring OSPF on Router1
• Configuring OSPF on Router2
• Configuring OSPF on Router3

Configuring OSPF on Router1
Router1 has a very high priority to ensure it becomes the DR for this area. Also Router1
has the lowest IP address to help ensure it will win in case there is a tie at some point.
Otherwise it is a standard OSPF configuration.
Setting the priority can only be done in the CLI, and it is for a specific OSPF interface.
To configure OSPF on Router1 - web-based manager
1 Go to Router > Dynamic > OSPF.
2 Set Router ID to 10.11.101.1.
3 Next to Areas, select Create New.
4 Set the following information, and select OK.
Area            0.0.0.0
Type            Regular
Authentication  none

5 Next to Networks, select Create New.
6 Set the following information, and select OK.
IP/Netmask  10.11.0.0/255.255.0.0
Area        0.0.0.0

7 Next to Interfaces, select Create New.
8 Set the following information, and select OK.
Name              Router1-Internal-DR
Interface         port1 (Internal)
IP                0.0.0.0
Authentication    none
Timers (seconds)
  Hello Interval  10
  Dead Interval   40

9 Next to Interfaces, select Create New.
10 Set the following information, and select OK.
Name              Router1-External
Interface         port2 (External)
IP                0.0.0.0
Authentication    none
Timers (seconds)
  Hello Interval  10
  Dead Interval   40

11 Using the CLI, enter the following commands to set the priority for the Router1-Internal-DR
OSPF interface to maximum, ensuring this interface becomes the DR.
config router ospf
    config ospf-interface
        edit Router1-Internal-DR
            set priority 255
        next
    end
end

To configure OSPF on Router1 - CLI
config router ospf
    set router-id 10.11.101.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0/255.255.0.0
        next
    end
    config ospf-interface
        edit "Router1-Internal"
            set interface "port1"
            set priority 255
        next
        edit "Router1-External"
            set interface "port2"
        next
    end
end

Configuring OSPF on Router2
Router2 has a high priority to ensure it becomes the BDR for this area, and configures the
DSL interface slightly differently—assume this will be a slower connection resulting in the
need for longer timers, and a higher cost for this route.
Otherwise it is a standard OSPF configuration.
To configure OSPF on Router2 - web-based manager
1 Go to Router > Dynamic > OSPF.
2 Set Router ID to 10.11.101.2.
3 Next to Areas, select Create New.
4 Set the following information, and select OK.
Area            0.0.0.0
Type            Regular
Authentication  none

5 Next to Networks, select Create New.
6 Set the following information, and select OK.
IP/Netmask  10.11.0.0/255.255.0.0
Area        0.0.0.0

7 Next to Interfaces, select Create New.
8 Set the following information, and select OK.
Name              Router2-Internal
Interface         port1 (Internal)
IP                0.0.0.0
Authentication    none
Timers (seconds)
  Hello Interval  10
  Dead Interval   40

9 Next to Interfaces, select Create New.
10 Set the following information, and select OK.
Name              Router2-External
Interface         port2 (External)
IP                0.0.0.0
Authentication    none
Timers (seconds)
  Hello Interval  10
  Dead Interval   40

11 Next to Interfaces, select Create New.
12 Set the following information, and select OK.
Name              Router2-DSL
Interface         port3 (DSL)
IP                0.0.0.0
Authentication    none
Timers (seconds)
  Hello Interval  20
  Dead Interval   80

13 Using the CLI, enter the following commands to set the priority for the Router2-Internal
OSPF interface to ensure this interface will become the BDR.
config router ospf
    config ospf-interface
        edit Router2-Internal
            set priority 250
        next
    end
end
14 Using the CLI, enter the following commands to set the cost of the Router2-DSL interface higher
than the other routes to reflect its higher monetary cost, and slower speed.
config router ospf
    config ospf-interface
        edit Router2-DSL
            set cost 50
        next
    end
end
To configure OSPF on Router2 - CLI
config router ospf
    set router-id 10.11.101.2
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0/255.255.0.0
        next
    end
    config ospf-interface
        edit "Router2-Internal"
            set interface "port1"
            set priority 250
        next
        edit "Router2-External"
            set interface "port2"
        next
        edit "Router2-DSL"
            set interface "port3"
            set cost 50
        next
    end
end

Configuring OSPF on Router3
Router3 is more complex than the other two routers. The interfaces are straightforward,
but this router has to import and export routes between OSPF and BGP. That requirement
makes Router3 a border router or ASBR. Also Router3 needs a lower cost on its route to
encourage all traffic to the Internet to route through it.
In the advanced OSPF options, Redistribute is enabled for Router3. It allows different
types of routes, learned outside of OSPF, to be used in OSPF. Different metrics are
assigned to these other types of routes to make them more or less preferred to regular
OSPF routes.
To configure OSPF on Router3 - web-based manager
1 Go to Router > Dynamic > OSPF.
2 Set Router ID to 10.11.102.3.
3 Expand Advanced Options.
4 Set the following information, and select OK.
Route type  Redistribute  Metric
Connected   Enable        15
Static      Enable        15
RIP         Disable       n/a
BGP         Enable        5

5 Next to Areas, select Create New.
6 Set the following information, and select OK.
Area            0.0.0.0
Type            Regular
Authentication  none

7 Next to Networks, select Create New.
8 Set the following information, and select OK.
IP/Netmask  10.11.0.0/255.255.0.0
Area        0.0.0.0

9 Next to Interfaces, select Create New.
10 Set the following information, and select OK.
Name              Router3-Internal
Interface         port1 (Internal)
IP                0.0.0.0
Authentication    none
Timers (seconds)
  Hello Interval  10
  Dead Interval   40

11 Next to Interfaces, select Create New.
12 Set the following information, and select OK.
Name              Router3-Internal2
Interface         port2 (Internal2)
IP                0.0.0.0
Authentication    none
Timers (seconds)
  Hello Interval  10
  Dead Interval   40

13 Next to Interfaces, select Create New.
14 Set the following information, and select OK.
Name              Router3-ISP-BGP
Interface         port3 (ISP-BGP)
IP                0.0.0.0
Authentication    none
Timers (seconds)
  Hello Interval  20
  Dead Interval   80

15 Using the CLI, enter the following commands to set the priority for the Router3-Internal
OSPF interface to zero, so that Router3 is never considered in the DR or BDR election.
config router ospf
    config ospf-interface
        edit Router3-Internal
            set priority 0
        next
    end
end
16 Using the CLI, enter the following commands to set the cost of the Router3-ISP-BGP interface
lower than the other routes, so that all traffic to the Internet is routed through Router3.
config router ospf
    config ospf-interface
        edit Router3-ISP-BGP
            set cost 2
        next
    end
end

To configure OSPF on Router3 - CLI
config router ospf
    set router-id 10.11.102.3
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0/255.255.0.0
        next
        edit 2
            set prefix 172.20.120.0/255.255.255.0
        next
    end
    config ospf-interface
        edit "Router3-Internal"
            set interface "port1"
            set priority 0
        next
        edit "Router3-External"
            set interface "port2"
        next
        edit "Router3-ISP-BGP"
            set interface "port3"
            set cost 2
        next
    end
end

Configuring other networking devices
The other networking devices required in this configuration are on the two ISP networks: the BGP network for the main Internet connection, and the DSL backup connection.
In both cases, the ISPs need to be notified of the OSPF network settings including router
IP addresses, timer settings, and so on. The ISP will use this information to configure its
routers that connect to this OSPF network.

Testing network configuration
Testing the network configuration involves two parts: testing the network connectivity,
and testing the OSPF routing.
To test the network connectivity use ping, traceroute, and other network tools as outlined
in “Troubleshooting” on page 1085.
To test the OSPF routing in this example, refer to the troubleshooting outlined in
“Troubleshooting OSPF” on page 1180.

Advanced inter-area OSPF example
This example sets up an OSPF network at a large office. There are 3 areas, each with 2
routers. Typically OSPF areas would not be this small, and if they were the areas would be
combined into one bigger area. However, the stub area serves the accounting
department, which is very sensitive about its network and does not want any of its
network information broadcast through the rest of the company. The backbone area
contains the bulk of the company network devices. The regular area was established by IT
for various reasons, such as hosting the company servers on a separate area with extra
security.
One area is a small stub area that has no independent Internet connection, and only one
connection to the backbone area. That connection between the stub area and the
backbone area is only through a default route - no routes outside the stub area are
advertised into that area.
Another area is the backbone, which is connected to the other two areas. The third area
has the Internet connection, and all traffic to and from the Internet must use that area’s
connection. If that traffic comes from the stub area, then that traffic is treating the
backbone like a transit area - an area it only uses to get to another area.
In the stub area, a subnet of computers is running the RIP routing protocol and those
routes must be redistributed into the OSPF areas.
This section includes the following topics:
• Network layout and assumptions
• General configuration steps
• Configuring the FortiGate units
• Configuring other networking devices
• Testing network configuration

Network layout and assumptions
This section includes:
• Network layout
• Assumptions

Network layout
There are four FortiGate units in this network topology acting as OSPF routers.
Area 1.1.1.1 is a stub area with one FortiGate unit OSPF router called Router1 (DR). Its
only access outside of that area is a default route to the backbone area, which is how it
accesses the Internet—traffic must go from the stub area, through the backbone, to the
third area to reach the Internet. The backbone area in this configuration is called a transit
area. Also in area 1.1.1.1 there is a RIP router that will be providing routes to the OSPF
area through redistribution.
Area 0.0.0.0 is the backbone area, and has two FortiGate unit routers named Router2
(BDR) and Router3 (DR).
Area 2.2.2.2 is a regular area that has an Internet connection accessed by both the other
two OSPF areas. There is only one FortiGate unit router in this area called Router4 (DR).
This area is more secure and requires MD5 authentication by routers.
All areas have user networks attached, but they are not important for configuring the
network layout for this example.

Internal interfaces are connected to internal user networks only. External1 interfaces are
connected to the 10.11.110.0 network, joining Area 1.1.1.1 and Area 0.0.0.0.
External2 interfaces are connected to the 10.11.111.0 network, joining Area 0.0.0.0 and
Area 2.2.2.2. The ISP interface is called ISP.
Table 85: Routers, areas, interfaces, and IP addresses for advanced OSPF network
Router name    Area number and type                     Interface          IP address
Router1 (DR)   1.1.1.1 - stub area (Accounting)         port1 (internal)   10.11.101.1
                                                        port2 (external1)  10.11.110.1
Router2 (BDR)  0.0.0.0 - backbone area (R & D Network)  port1 (internal)   10.11.102.2
                                                        port2 (external1)  10.11.110.2
                                                        port3 (external2)  10.11.111.2
Router3 (DR)   0.0.0.0 - backbone area (R & D Network)  port1 (internal)   10.11.103.3
                                                        port2 (external1)  10.11.110.3
                                                        port3 (external2)  10.11.111.3
Router4 (DR)   2.2.2.2 - regular area (Network Admin)   port1 (internal)   10.11.104.4
                                                        port2 (external2)  10.11.111.4
                                                        port3 (ISP)        172.20.120.4

Figure 178: Advanced inter-area OSPF network topology (diagram not reproduced). It shows
Router1 (DR) in Area 1.1.1.1, the Accounting network (stub area); Router2 (BDR) and
Router3 (DR) in Area 0.0.0.0, the R & D Network (backbone area and transit area); and
Router4 (DR) in Area 2.2.2.2, the Network Administration network (regular area), which
connects to the Internet through the ISP router (172.20.120.5). Each area has a User
Network attached.

Note that other subnets can be added to the internal interfaces without changing the
configuration.

Assumptions
• The FortiGate units used in this example have interfaces named port1, port2, and
  port3.
• All FortiGate units in this example have factory default configuration with FortiOS 4.0
  MR2 firmware installed, and are in NAT/Route operation mode.
• During configuration, if settings are not directly referred to they will be left at default
  settings.
• Basic firewalls are in place to allow unfiltered traffic between all connected interfaces in
  both directions.
• This OSPF network is not connected to any other OSPF areas outside of this example.
• The Internet connection is always available.
• Other devices may be on the network, but do not affect this configuration.

General configuration steps
The general configuration steps involved are:
1 Configuring the FortiGate units
• basic interface configuration
• general system configuration
2 Configuring OSPF on the FortiGate units
• configure the router ID, areas and networks for each router
• configure OSPF for each interface
Note: DR and BDR roles are not configured directly. They are elected on each network segment from the OSPF interface priority and the router ID. This example does not configure route redistribution; the Internet is reached through the ISP interface in area 2.2.2.2.
3 Configuring other networking devices
4 Testing network configuration

Configuring the FortiGate units
This section configures the basic settings on the FortiGate units to be OSPF routers in this
example. These configurations include multiple interface settings, and hostname.
There are four FortiGate units in this example. The two units in the backbone area can be
configured exactly the same except for IP addresses, so only router3 (the DR)
configuration will be given with notes indicating router2 (the BDR) IP addresses. These
addresses can also be obtained from the “Network layout” on page 1195.
Configuring the FortiGate units includes:
• Configuring Router1
• Configuring Router2
• Configuring Router3
• Configuring Router4



Configuring Router1
Router1 is part of the Accounting network stub area (1.1.1.1).
This section configures interfaces and hostname.
To set the Router1 hostname - web-based manager
1 Go to System > Status > Dashboard.
2 Next to hostname, select Change.
3 Enter a hostname of Router1, and select OK.
To configure Router1 interfaces - web-based manager
1 Go to System > Network > Interface.
2 Edit port1.
3 Set the following information, and select OK.
Alias                  internal
IP/Netmask             10.11.101.1/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Accounting network
Administrative Status  Up

4 Edit port2.
5 Set the following information, and select OK.
Alias                  external1
IP/Netmask             10.11.110.1/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Backbone network and internet
Administrative Status  Up

Configuring Router2
Router2 is part of the R & D network backbone area (0.0.0.0). Router2 and Router3 are in
this area. They provide a redundant connection between area 1.1.1.1 and area 2.2.2.2.
Router2 has three interfaces configured—one to the internal network, and two to Router3
for redundancy.
This section configures interfaces and hostname.
To set the Router2 hostname - web-based manager
1 Go to System > Status > Dashboard.
2 Next to hostname, select Change.
3 Enter a hostname of Router2, and select OK.
To configure Router2 interfaces - web-based manager
1 Go to System > Network > Interface.
2 Edit port1 (internal).
3 Set the following information, and select OK.
Alias                  internal
IP/Netmask             10.11.102.2/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Internal RnD network
Administrative Status  Up

4 Edit port2 (external1).
5 Set the following information, and select OK.
Alias                  external1
IP/Netmask             10.11.110.2/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Router3 first connection
Administrative Status  Up

6 Edit port3 (external2).
7 Set the following information, and select OK.
Alias                  external2
IP/Netmask             10.11.111.2/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Router3 second connection
Administrative Status  Up

Configuring Router3
Router3 is part of the R & D network backbone area (0.0.0.0). Router2 and Router3 are in
this area. They provide a redundant connection between area 1.1.1.1 and area 2.2.2.2.
This section configures interfaces and hostname.
To set the Router3 hostname - web-based manager
1 Go to System > Status > Dashboard.
2 Next to hostname, select Change.
3 Enter a hostname of Router3, and select OK.
To configure Router3 interfaces - web-based manager
1 Go to System > Network > Interface.
2 Edit port1 (internal).
3 Set the following information, and select OK.
Alias                  internal
IP/Netmask             10.11.103.3/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Internal RnD network
Administrative Status  Up

4 Edit port2 (external1).
5 Set the following information, and select OK.
Alias                  external1
IP/Netmask             10.11.110.3/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Router2 first connection
Administrative Status  Up

6 Edit port3 (external2).
7 Set the following information, and select OK.
Alias                  external2
IP/Netmask             10.11.111.3/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Router2 second connection
Administrative Status  Up

Configuring Router4
Router4 is part of the Network Administration regular area (2.2.2.2). This area provides
internet access for both area 1.1.1.1 and the backbone area.
This section configures interfaces and hostname.
To set the Router4 hostname - web-based manager
1 Go to System > Status > Dashboard.
2 Next to hostname, select Change.
3 Enter a hostname of Router4, and select OK.
To configure Router4 interfaces - web-based manager
1 Go to System > Network > Interface.
2 Edit port1 (internal).
3 Set the following information, and select OK.
Alias                  internal
IP/Netmask             10.11.104.4/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Network Administration network
Administrative Status  Up

4 Edit port2 (external2).
5 Set the following information, and select OK.
Alias                  external2
IP/Netmask             10.11.111.4/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            Backbone network (Router2 and Router3)
Administrative Status  Up

6 Edit port3 (ISP).
7 Set the following information, and select OK.
Alias                  ISP
IP/Netmask             172.20.120.4/255.255.255.0
Administrative Access  HTTPS SSH PING
Description            ISP and internet
Administrative Status  Up
Note: Administrative access is enabled on the ISP interface here only because this example assumes a trusted ISP link. On an interface that faces the Internet, leave HTTPS and SSH disabled or restrict them to trusted management hosts; otherwise the management interface is reachable by anyone who can reach the address.

Configuring OSPF on the FortiGate units
On each multi-access network segment OSPF elects a designated router (DR) and a backup
designated router (BDR). The election is won by the highest OSPF interface priority, with
the highest router ID breaking ties; a priority of 0 makes a router ineligible, and an
existing DR is not replaced when a better candidate appears later. The DR and BDR roles
in Table 85 therefore follow from the router IDs and priorities rather than from a setting.
Also each area needs to be configured as its respective type - stub, backbone, or regular.
This affects how routes are advertised into the area.
Every area and interface in this example uses Authentication None. Without authentication
any host on a segment can form an adjacency and inject routes, so on a production network
enable MD5 authentication with a shared key on each OSPF area and interface.
To configure OSPF on Router1 - web-based manager
Router1 is the area border router between the Accounting stub area and the backbone:
port1 is in area 1.1.1.1 and port2, on the 10.11.110.0 network, is in area 0.0.0.0, so both
areas are created on this unit. A Networks entry is required for every subnet on which
OSPF should run; without the 10.11.110.0 entry, port2 would not take part in OSPF and
area 1.1.1.1 would have no path to the backbone.
1 Go to Router > Dynamic > OSPF.
2 Enter 10.11.101.1 for the Router ID.
3 Next to Areas, select Create New.
4 Set the following information, and select OK.
Area              1.1.1.1
Type              Stub
Authentication    None
5 Next to Areas, select Create New.
6 Set the following information, and select OK.
Area              0.0.0.0
Type              Regular
Authentication    None
7 Next to Networks, select Create New.
8 Set the following information, and select OK.
IP/Netmask        10.11.101.0/255.255.255.0
Area              1.1.1.1
9 Next to Networks, select Create New.
10 Set the following information, and select OK.
IP/Netmask        10.11.110.0/255.255.255.0
Area              0.0.0.0
11 Next to Interfaces, select Create New.
12 Set the following information, and select OK.
Name              Accounting
Interface         port1 (internal)
IP                10.11.101.1
Authentication    None
13 Next to Interfaces, select Create New.
14 Set the following information, and select OK.
Name              Backbone1
Interface         port2 (external1)
IP                10.11.110.1
Authentication    None

To configure OSPF on Router2 - web-based manager
Networks entries use the network address (10.11.102.0, not the interface address
10.11.102.2); an entry enables OSPF on every interface whose address falls inside the
prefix.
1 Go to Router > Dynamic > OSPF.
2 Enter 10.11.102.2 for the Router ID.
3 Next to Areas, select Create New.
4 Set the following information, and select OK.
Area              0.0.0.0
Type              Regular
Authentication    None
5 Next to Networks, select Create New.
6 Set the following information, and select OK.
IP/Netmask        10.11.102.0/255.255.255.0
Area              0.0.0.0
7 Next to Networks, select Create New.
8 Set the following information, and select OK.
IP/Netmask        10.11.110.0/255.255.255.0
Area              0.0.0.0
9 Next to Networks, select Create New.
10 Set the following information, and select OK.
IP/Netmask        10.11.111.0/255.255.255.0
Area              0.0.0.0
11 Next to Interfaces, select Create New.
12 Set the following information, and select OK.
Name              RnD network
Interface         port1 (internal)
IP                10.11.102.2
Authentication    None
13 Next to Interfaces, select Create New.
14 Set the following information, and select OK.
Name              Backbone1
Interface         port2 (external1)
IP                10.11.110.2
Authentication    None
15 Next to Interfaces, select Create New.
16 Set the following information, and select OK.
Name              Backbone2
Interface         port3 (external2)
IP                10.11.111.2
Authentication    None

To configure OSPF on Router3 - web-based manager
1 Go to Router > Dynamic > OSPF.
2 Enter 10.11.103.3 for the Router ID.
3 Next to Areas, select Create New.
4 Set the following information, and select OK.
Area              0.0.0.0
Type              Regular
Authentication    None
5 Next to Networks, select Create New.
6 Set the following information, and select OK.
IP/Netmask        10.11.103.0/255.255.255.0
Area              0.0.0.0
7 Next to Networks, select Create New.
8 Set the following information, and select OK.
IP/Netmask        10.11.110.0/255.255.255.0
Area              0.0.0.0
9 Next to Networks, select Create New.
10 Set the following information, and select OK.
IP/Netmask        10.11.111.0/255.255.255.0
Area              0.0.0.0
11 Next to Interfaces, select Create New.
12 Set the following information, and select OK.
Name              RnD network
Interface         port1 (internal)
IP                10.11.103.3
Authentication    None
13 Next to Interfaces, select Create New.
14 Set the following information, and select OK.
Name              Backbone1
Interface         port2 (external1)
IP                10.11.110.3
Authentication    None
15 Next to Interfaces, select Create New.
16 Set the following information, and select OK.
Name              Backbone2
Interface         port3 (external2)
IP                10.11.111.3
Authentication    None

To configure OSPF on Router4 - web-based manager
Router4 is the area border router between the backbone and the Network Administration
area: port2 (external2), on the 10.11.111.0 network, is in area 0.0.0.0, while port1 and the
ISP interface are in area 2.2.2.2, so both areas are created on this unit.
1 Go to Router > Dynamic > OSPF.
2 Enter 10.11.104.4 for the Router ID.
3 Next to Areas, select Create New.
4 Set the following information, and select OK.
Area              0.0.0.0
Type              Regular
Authentication    None
5 Next to Areas, select Create New.
6 Set the following information, and select OK.
Area              2.2.2.2
Type              Regular
Authentication    None
7 Next to Networks, select Create New.
8 Set the following information, and select OK.
IP/Netmask        10.11.104.0/255.255.255.0
Area              2.2.2.2
9 Next to Networks, select Create New.
10 Set the following information, and select OK.
IP/Netmask        10.11.111.0/255.255.255.0
Area              0.0.0.0
11 Next to Networks, select Create New.
12 Set the following information, and select OK.
IP/Netmask        172.20.120.0/255.255.255.0
Area              2.2.2.2
13 Next to Interfaces, select Create New.
14 Set the following information, and select OK.
Name              Network Admin network
Interface         port1 (internal)
IP                10.11.104.4
Authentication    None
15 Next to Interfaces, select Create New.
16 Set the following information, and select OK.
Name              Backbone2
Interface         port2 (external2)
IP                10.11.111.4
Authentication    None
17 Next to Interfaces, select Create New.
18 Set the following information, and select OK.
Name              ISP
Interface         port3 (ISP)
IP                172.20.120.4
Authentication    None

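The DR/BDR election rule and the area attachment requirement that the OSPF steps above rely on, as an added Python example that is not part of the FortiOS Handbook and contains no FortiOS code: it models the routers, subnets and areas of Table 85, runs the election for every shared segment, and checks that each non-backbone area is attached to area 0.0.0.0 by an area border router. The OSPF interface priorities (all 1, the protocol default) and the per-interface area assignments are assumptions made for the demonstration.

```python
"""OSPF design checks for the four-router example (added example, not FortiOS code)."""
from collections import defaultdict
from ipaddress import ip_address

# One entry per OSPF-enabled interface: (router, router ID, subnet, area, priority).
# Router IDs and subnets follow Table 85; priority 1 (the OSPF default) and the
# area given to each interface are assumptions for this demonstration.
TOPOLOGY = [
    ("Router1", "10.11.101.1", "10.11.101.0/24", "1.1.1.1", 1),
    ("Router1", "10.11.101.1", "10.11.110.0/24", "0.0.0.0", 1),
    ("Router2", "10.11.102.2", "10.11.102.0/24", "0.0.0.0", 1),
    ("Router2", "10.11.102.2", "10.11.110.0/24", "0.0.0.0", 1),
    ("Router2", "10.11.102.2", "10.11.111.0/24", "0.0.0.0", 1),
    ("Router3", "10.11.103.3", "10.11.103.0/24", "0.0.0.0", 1),
    ("Router3", "10.11.103.3", "10.11.110.0/24", "0.0.0.0", 1),
    ("Router3", "10.11.103.3", "10.11.111.0/24", "0.0.0.0", 1),
    ("Router4", "10.11.104.4", "10.11.104.0/24", "2.2.2.2", 1),
    ("Router4", "10.11.104.4", "10.11.111.0/24", "0.0.0.0", 1),
    ("Router4", "10.11.104.4", "172.20.120.0/24", "2.2.2.2", 1),
]


def elect_dr_bdr(candidates):
    """candidates: [(router, router_id, priority)] on one segment -> (dr, bdr).

    Cold-start outcome of the RFC 2328 election: priority 0 routers are
    ineligible, the highest priority wins, and the highest router ID (compared
    numerically, not as a string) breaks ties. On a live segment the election
    is non-preemptive, so a router added later with a better priority only
    becomes DR after the current DR goes away.
    """
    eligible = [c for c in candidates if c[2] > 0]
    ranked = sorted(eligible, key=lambda c: (c[2], ip_address(c[1])), reverse=True)
    if not ranked:
        return (None, None)
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return (ranked[0][0], bdr)


def segments(topology):
    """Group interfaces by subnet: each shared subnet is one election."""
    by_subnet = defaultdict(list)
    for router, rid, subnet, _area, prio in topology:
        by_subnet[subnet].append((router, rid, prio))
    return by_subnet


def elections(topology):
    """{subnet: (dr, bdr)} for every segment with more than one router on it."""
    return {subnet: elect_dr_bdr(members)
            for subnet, members in segments(topology).items() if len(members) > 1}


def unattached_areas(topology):
    """Non-backbone areas that no router joins to area 0.0.0.0 (no ABR).

    Such an area never receives inter-area routes: exactly the effect of
    leaving out the Networks entry for the backbone link on the border router.
    """
    areas_per_router = defaultdict(set)
    for router, _rid, _subnet, area, _prio in topology:
        areas_per_router[router].add(area)
    attached = set()
    for areas in areas_per_router.values():
        if "0.0.0.0" in areas:
            attached |= areas - {"0.0.0.0"}
    return sorted(({t[3] for t in topology} - {"0.0.0.0"}) - attached)


def inconsistent_segments(topology):
    """Subnets whose interfaces disagree on the area; adjacencies never form there."""
    areas_per_subnet = defaultdict(set)
    for _router, _rid, subnet, area, _prio in topology:
        areas_per_subnet[subnet].add(area)
    return sorted(s for s, a in areas_per_subnet.items() if len(a) > 1)


def without_backbone_entry(topology, router):
    """Drop one router's area 0.0.0.0 interfaces: a config missing its backbone Networks entry."""
    return [t for t in topology if not (t[0] == router and t[3] == "0.0.0.0")]


if __name__ == "__main__":
    for subnet, (dr, bdr) in sorted(elections(TOPOLOGY).items()):
        print(f"{subnet}: DR={dr} BDR={bdr}")
    print("areas with no ABR to the backbone:", unattached_areas(TOPOLOGY))
    print("same check if Router1 omits its backbone entry:",
          unattached_areas(without_backbone_entry(TOPOLOGY, "Router1")))
    print("segments with conflicting areas:", inconsistent_segments(TOPOLOGY))
```

With the router IDs from Table 85 and equal priorities, Router3 becomes DR and Router2 BDR on the 10.11.110.0 segment, and Router4 becomes DR and Router3 BDR on the 10.11.111.0 segment; the checks report no detached area and no segment split across areas, and removing Router1's backbone entry shows area 1.1.1.1 becoming unreachable from the rest of the network.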
Configuring other networking devices
All network devices on this network are running OSPF routing. The user networks
(Accounting, R & D, and Network Administration) are each part of one of the three areas.
The ISP needs to be notified of your network configuration for area 2.2.2.2, since the ISP
router (172.20.120.5) sits on the 172.20.120.0 network that belongs to that area. Your ISP
will not advertise your areas externally: OSPF area numbers only have meaning inside your
own OSPF network, much as the 10.0.0.0 and 192.168.0.0 address ranges used in internal
networking are not routed on the Internet.

Testing network configuration
There are two main areas to test in this network configuration —network connectivity, and
OSPF routing.
To test the network connectivity, see if computers on the Accounting or R & D networks can
access the internet. If you need to troubleshoot network connectivity, see
“Troubleshooting” on page 1085.
To test the OSPF routing, first check that each FortiGate unit has formed adjacencies with
its neighbours (get router info ospf neighbor), then check the routing tables on the
FortiGate units to ensure the expected OSPF routes are present (get router info
routing-table ospf). If you need help troubleshooting OSPF routing, see
“Troubleshooting OSPF” on page 1180.

Chapter 10 Advanced System
Settings

This FortiOS Handbook chapter contains the following sections:
Advanced Static routing covers advanced routing concepts, ECMP and load balancing,
static routing in Transparent mode, troubleshooting static routing, and zones.
Virtual LANs explains VLAN concepts, how VLANs are configured, provides an example
VLAN configuration, and some VLAN troubleshooting.
IPv6 explains what Internet protocol version 6 is, how it is configured in various parts of
the FortiGate unit interface, how to troubleshoot it, and gives an example of how to
configure a connection to an IPv6 tunnel broker.
PPTP and L2TP describes how to configure PPTP and L2TP VPNs as well as PPTP pass
through.
Session helpers explains what session helpers are, how they are configured, and explains
the different types of session helpers available.

Advanced Static routing
Advanced static routing includes features and concepts that are used in more complex
networks. Dynamic routing is not addressed in this section.
This section includes:
• Static routing concepts
• ECMP route failover and load balancing
• Policy Routing
• Transparent mode static routing
• Zones

Static routing concepts
While static routes are the basic form of routing, static routing can still be a complex topic.
There are a number of basic concepts that static routing is built upon that must be
understood before creating effective static routing networks.
This section includes:
• Routing and VDOMs
• The default route
• Routing table
• Static routing security
• Multipath routing and determining the best route
• Troubleshooting static routing
• Static routing tips

Routing and VDOMs
Routing on FortiGate units is configured per-VDOM. This means if VDOMs are enabled on
your FortiGate unit, you must enter a VDOM to do any routing configuration. This allows
each VDOM to operate independently of each other, with their own default routes and
routing configuration.

The current VDOM
In the bottom left corner of the web-based manager display, the current VDOM is
displayed. If you are not in a VDOM, Global is displayed.

Changing VDOMs
1 Go to the Current VDOM display.
2 Select the arrow next to the current VDOM.
3 Select Global or a VDOM from the list.
You will enter the selected VDOM or Global

Tip: You only have access to multiple VDOMs if you are the super_admin administrator.
Other administrator accounts can only access one VDOM.

The default route
The default route is used if either there are no other routes in the routing table or if none of
the other routes apply to a destination. The default route can be considered the route of
last resort. Without a default route configured, network traffic that doesn’t match a known
route will be dropped.
Including the gateway in the default route gives all traffic a next-hop address to use when
leaving the local network. The gateway address is normally another router on the edge of
the local network. If this router is on the edge of your network, the gateway is typically an
address that your Internet service provider has given you.
All routers, including FortiGate units, are shipped with default routes in place. This allows
customers to set up and become operational more quickly. Beginner administrators can
use the default route settings until a more advanced configuration is warranted.
FortiGate units come with a default static route with an IPv4 address of 0.0.0.0, and an
administrative distance of 10.

Routing table
When two computers are directly connected, there is no need for routing because each
computer knows exactly where to find the other computer. They communicate directly.
Networking computers allows many computers to communicate with each other. This
requires each computer to have an IP address to identify its location to the other
computers. This is much like a mailing address - you will not receive your postal mail at
home if you do not have an address for people to send mail to. The routing table on a
computer is much like an address book used to mail letters to people in that the routing
table maintains a list of how to reach computers. Routing tables may also include
information about the quality of service (QoS) of the route, and the interface associated
with the route if the device has multiple interfaces.
Routing tables are also used in unicast reverse path forwarding (uRPF). In uRPF, the
router not only looks up the destination information, but also the source information to
ensure that it exists. If there is no source to be found, then that packet is dropped because
the router assumes it to be an error or an attack on the network.
Looking at routing as delivering letters is simpler than reality. In reality, routers lose
power or have bad cabling, network equipment is moved without warning, and other such
events happen that prevent static routes from reaching their destinations. When any
change such as these happens along a static route, traffic can no longer reach the
destination: the route goes down. Dynamic routing can address these changes to
ensure traffic still reaches its destination. The process of realizing there is a problem,
backtracking and finding a route that is operational is called convergence. If there is fast
convergence in a network, users won’t even know that re-routing is taking place.
The routing table for any device on the network has a limited size. For this reason, routes
that aren’t used are replaced by new routes. This method ensures the routing table is
always populated with the most current and most used routes—the routes that have the
best chance of being reused. Another method used to maintain the routing table’s size is if
a route in the table and a new route are to the same destination, one of the routes is
selected as the best route to that destination and the other route is discarded.

This section includes:
• Viewing the routing table in the web-based manager
• Viewing the routing table in the CLI
• Viewing the routing table with diagnose commands
• Searching the routing table

Viewing the routing table in the web-based manager
By default, all routes are displayed in the Routing Monitor list. The default static route is
defined as 0.0.0.0/0, which matches the destination IP address of “any/all” packets.
To display the routes in the routing table, go to Router > Monitor > Routing Monitor.
Table 86: Router Monitor list fields
IP version

Select IPv4 or IPv6 routes. Fields displayed vary depending on which IP version is
selected.
Displayed only if IPv6 display is enabled on the web-based manager

Type

Select one of the following route types to search the routing table and display routes
of the selected type only:
All — all routes recorded in the routing table.
Connected — all routes associated with direct connections to FortiGate unit
interfaces.
Static — the static routes that have been added to the routing table manually.
RIP — all routes learned through RIP.
RIPNG — displays all routes learned through RIP version 6 (which enables the
sharing of routes through IPv6 networks).
BGP — all routes learned through BGP.
OSPF — all routes learned through OSPF.
IS-IS — all routes learned through IS-IS.
OSPF6 — all routes learned through OSPF version 6 (which enables the sharing of
routes through IPv6 networks).
HA — RIP, OSPF, and BGP routes synchronized between the primary unit and the
subordinate units of a high availability (HA) cluster. HA routes are maintained on
subordinate units and are visible only if you are viewing the router monitor from a
virtual domain that is configured as a subordinate virtual domain in a virtual cluster.
For details about HA routing synchronization, see the FortiGate HA User Guide.

Network

Enter an IP address and netmask (for example, 172.16.14.0/24) to search the
routing table and display routes that match the specified network.
Not displayed when IP version IPv6 is selected.

Gateway

Enter an IP address and netmask (for example, 192.168.12.1/32) to search the
routing table and display routes that match the specified gateway.
Not displayed when IP version IPv6 is selected.

Apply Filter Select to search the entries in the routing table based on the specified search criteria
and display any matching routes.
Not displayed when IP version IPv6 is selected.

Type

The type values assigned to FortiGate unit routes (Static, Connected, RIP, OSPF, or
BGP).
Not displayed when IP version IPv6 is selected.

Subtype

If applicable, the subtype classification assigned to OSPF routes.
An empty string implies an intra-area route. The destination is in an area to which the
FortiGate unit is connected.
OSPF inter area — the destination is in the OSPF AS, but the FortiGate unit is not
connected to that area.
External 1 — the destination is outside the OSPF AS. This is known as OSPF E1
type. The metric of a redistributed route is calculated by adding the external cost and
the OSPF cost together.
External 2 — the destination is outside the OSPF AS. This is known as OSPF E2
type. In this case, the metric of the redistributed route is equivalent to the external
cost only, expressed as an OSPF cost.
OSPF NSSA 1 — same as External 1, but the route was received through a not-sostubby area (NSSA).
OSPF NSSA 2 — same as External 2, but the route was received through a not-sostubby area.
Not displayed when IP version 6 is selected.

Network

The IP addresses and network masks of destination networks that the FortiGate unit
can reach.

Distance

The administrative distance associated with the route. Lower values are preferred: a
value of 0 (a directly connected network) wins over any other route to the same
destination. Dynamically learned routes receive the distance configured for their routing
protocol, which you can change to prefer one protocol’s routes over another’s.

Metric

The metric associated with the route type. The metric of a route influences how the
FortiGate unit dynamically adds it to the routing table. The following are types of
metrics and the protocols they are applied to.
Hop count — routes learned through RIP.
Relative cost — routes learned through OSPF.
Multi-Exit Discriminator (MED) — routes learned through BGP. However, several
attributes in addition to MED determine the best path to a destination network.

Gateway

The IP addresses of gateways to the destination networks.

Interface

The interface through which packets are forwarded to the gateway of the destination
network.

Up Time

The total accumulated amount of time that a route learned through RIP, OSPF, or
BGP has been reachable.
Not displayed when IP version IPv6 is selected.

Viewing the routing table in the CLI
In the CLI, you can view the configured static routes just as in the web-based manager, or
you can view the full routing table.
The command show router static displays the static routes you have configured. The
command get router info routing-table all displays the entire routing table,
including configured and learned routes of all types. The two show different information in
different formats: a configured static route only appears in the routing table once its
interface is up and its gateway is reachable.
Note: If VDOMs are enabled on your FortiGate unit, all routing related CLI commands must
be performed within a VDOM and not in the global context.

To view the routing table
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port2
S       1.0.0.0/8 [10/0] via 192.168.183.254, port2
S       2.0.0.0/8 [10/0] via 192.168.183.254, port2
C       10.142.0.0/23 is directly connected, port3
B       10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
C       192.168.182.0/23 is directly connected, port2

Examining an entry:
B       10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m

B              BGP. The routing protocol used.
10.160.0.0/23  The destination of this route including netmask.
[20/0]         20 indicates an administrative distance of 20 out of a range of 0 to 255.
               0 is an additional metric associated with this route, such as the cost in OSPF.
10.142.0.74    The gateway, or next hop.
port3          The interface used by this route.
2d18h02m       How old this route is, in this case almost three days old.

Viewing the routing table with diagnose commands
Diagnose commands can provide a wide variety of information about your FortiGate unit
that may otherwise be inaccessible. These commands generally provide extensive
information, but the output can be difficult to understand. You should normally only use
diagnose commands when customer support tells you to do so during troubleshooting.
FortiOS documentation describes specific examples for using diagnose commands to
provide information that may be useful.
You can view the routing table using diagnose commands. This has the benefits of being
able to be run from anywhere in the command line structure, and it is shorter. Also the
diagnose method will show local host routes that the CLI and web-based methods do not
include.
To use diagnose commands to view the routing table
# diag ip route list
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.11.201.0/24 pref=10.11.201.4 gwy=0.0.0.0 dev=5(external1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.20.120.0/24 pref=172.20.120.146 gwy=0.0.0.0 dev=6(internal)

The parts of the routing table entry are:

tab

table number. This will be either 254 (unicast) or 255 (multicast).

vf

virtual domain of the firewall. This is the vdom index number. If
vdoms are not enabled, this number will be 0.

type

type of routing connection. Valid values include:
• 0 - unspecific
• 1 - unicast
• 2 - local
• 3 - broadcast
• 4 - anycast
• 5 - multicast
• 6 - blackhole
• 7 - unreachable
• 8 - prohibited

proto

type of installation. This indicates where the route came from. Valid
values include:
• 0 - unspecific
• 2 - kernel
• 11 - ZebOS routing module
• 14 - FortiOS
• 15 - HA
• 16 - authentication based
• 17 - HA1

prio

priority of the route. Lower priorities are preferred.

->10.11.201.0/24
(->x.x.x.x/mask)

the IP address and subnet mask of the destination

pref

preferred next hop along this route

gwy

gateway - the IPv4 address of the gateway this route will use

dev

outgoing interface index. This number is associated with the
interface for this route, and if VDOMs are enabled the VDOM
will be included here as well. If an interface alias is set for this
interface it will also be displayed here.

Searching the routing table
You can apply a filter to search the routing table and display certain routes only. For
example, you can display one or more static routes, connected routes, routes learned
through RIP, OSPF, or BGP, and routes associated with the network or gateway that you
specify.
If you want to search the routing table by route type and further limit the display according
to network or gateway, all of the values that you specify as search criteria must match
corresponding values in the same routing table entry in order for that entry to be displayed
— an implicit AND condition is applied to all of the search parameters you specify.
For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to
display all directly connected routes to network 172.16.14.0/24, you must select
Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select
Apply Filter to display the associated routing table entry or entries. Only an entry that
contains the word “Connected” in its Type field and the specified value in its Network field
will be displayed.
In this example, you will apply a filter to search for the entry for a static route to
10.10.10.0/24.
To search the FortiGate unit routing table in the web-based manager
1 Go to Router > Monitor > Routing Monitor.

2 From the Type list, select the type of route to display. In our example, select Static.
3 If you want to display routes to a specific network, type the IP address and netmask of
the network in the Network field. In our example, enter 10.10.10.0/24.
4 If you want to display routes to a specific gateway, type the IP address of the gateway
in the Gateway field.
5 Select Apply Filter.
Note: All of the values that you specify as search criteria must match corresponding values
in the same routing table entry in order for that entry to be displayed.

To search the FortiGate unit routing table in the CLI
FGT # get router info routing-table details 10.10.10.10
Routing entry for 10.10.10.10/24
Known via "static", distance 10, metric 0, best
If there are multiple routes that match your filter, they will all be listed, with the best match
at the top of the list as indicated by the word best.

Building the routing table
In the factory default configuration, the FortiGate unit routing table contains a single static
default route. You can add routing information to the routing table by defining additional
static routes.
It is possible that the routing table is faced with several different routes to the same
destination — the IP addresses of the next-hop router specified in those routes or the
FortiGate interfaces associated with those routes may vary. In this situation, the “best”
route is selected from the table.
The FortiGate unit selects the “best” route for a packet by evaluating the information in the
routing table. The “best” route to a destination is typically associated with the shortest
distance between the FortiGate unit and the closest gateway, also known as a next-hop
router. In some cases, the next best route may be selected if the best route is unavailable.
The FortiGate unit installs the best available routes in the unit’s forwarding table, which is
a subset of the unit’s routing table. Packets are forwarded according to the information in
the forwarding table.

Static routing security
Securing the information on your company network is a top priority for network
administrators. Security is also required as the routing protocols used are internationally
known standards that typically provide little or no inherent security by themselves.
The two reasons for securing your network are the sensitive and proprietary information
on your network, and also your external bandwidth. Hackers not only can steal your
information, but they can also steal your bandwidth. Routing is a good low level way to
secure your network, even before UTM features are applied.
Routing provides security to your network in a number of ways including obscuring internal
network addresses with NAT and blackhole routing, using RPF to validate traffic sources,
and maintaining an access control list (ACL) to limit access to the network.
This section includes:
• Network Address Translation (NAT)
• Access Control List (ACL)
• Blackhole Route
• Reverse path lookup

Network Address Translation (NAT)
Network address translation (NAT) is a method of changing the address that traffic appears to
originate from. This practice is used to hide the IP addresses on a company’s internal
networks, and helps prevent malicious attacks that target those specific addresses.
This is accomplished by the router connected to that local network changing all the IP
addresses to its externally connected IP address before sending the traffic out to the other
networks, such as the Internet. Incoming traffic uses the established sessions to
determine which traffic goes to which internal IP address. This also has the benefit of
requiring only the router to be very secure against external attacks, instead of the whole
internal network as would be the case without NAT. Securing one computer is much
cheaper and easier to maintain.
Configuring NAT on your FortiGate unit includes the following steps.
1 Configure your internal network. For example use the 10.11.101.0 subnet.
2 Connect your internal subnet to an interface on your FortiGate unit. For example use
port1.
3 Connect your external connection, for example an ISP gateway of 172.20.120.2, to
another interface on your Fortigate unit, for example port2.
4 Configure firewall policies to allow traffic between port1 and port2 on your FortiGate
unit, ensuring that the NAT feature is enabled.
The above steps show that traffic from your internal network will originate on the
10.11.101.0 subnet and pass on to the 172.20.120.0 network. The FortiGate unit moves
the traffic to the proper subnet. In doing that, the traffic appears to originate from the
FortiGate unit interface on that subnet — it does not appear to originate from where it
actually came from.
NAT “hides” the internal network from the external network. This provides security through
obscurity. If a hacker tries to directly access your network, they will find the Fortigate unit,
but will not know about your internal network. The hacker would have to get past the
security-hardened FortiGate unit to gain access to your internal network. NAT will not
prevent hacking attempts that piggy back on valid connections between the internal
network and the outside world. However other UTM security measures can deal with
these attempts.
Another security aspect of NAT is that many programs and services have problems with
NAT. Consider if someone on the Internet tries to initiate a chat with someone on the
internal network. The outsider only can access the FortiGate unit’s external interface
unless the firewall policy allows the traffic through to the internal network. If allowed in, the
proper internal user would respond to the chat. However, if it is not allowed, the request to
chat will be refused or time-out. This is accomplished in the firewall policy by allowing or
denying different protocols.
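The session behaviour described above (outbound traffic rewritten to the external interface address, replies mapped back through the established session, an outsider-initiated request with no session refused) as an added Python model; this is example code, not FortiGate code from this handbook. It uses the page's topology (10.11.101.0/24 behind port1, the ISP gateway 172.20.120.2 beyond port2); the FortiGate's own port2 address 172.20.120.10, the class name SourceNat and the remote addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Topology from the text: 10.11.101.0/24 behind port1, ISP gateway 172.20.120.2
# beyond port2. The unit's own port2 address is not given on the page; the
# value below is an assumption for this example.
INTERNAL_NET = ipaddress.ip_network("10.11.101.0/24")
PORT2_ADDR = "172.20.120.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class SourceNat:
    """Session-based source NAT between the inside and the outside interface.

    Outbound packets leave with the outside interface address and a fresh
    port. Inbound packets are accepted only if they match a session that an
    inside host opened; anything else from outside is dropped."""

    def __init__(self, external_ip: str, first_port: int = 10000):
        self.external_ip = external_ip
        self.next_port = first_port
        # inside flow (proto, src, sport, dst, dport) -> allocated external port
        self.out_sessions: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, external port, remote ip, remote port) -> (inside ip, inside port)
        self.in_sessions: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet that arrived on port1 and is leaving via port2."""
        if ipaddress.ip_address(pkt.src) not in INTERNAL_NET:
            raise ValueError(f"{pkt.src} is not on the internal subnet")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.out_sessions.get(key)
        if ext_port is None:                      # new session: allocate a port
            ext_port = self.next_port
            self.next_port += 1
            self.out_sessions[key] = ext_port
            self.in_sessions[(pkt.proto, ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        # To the outside the packet now appears to come from the port2 address.
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving on port2 back to the inside host; None means drop."""
        if pkt.dst != self.external_ip:
            return None
        entry = self.in_sessions.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:                         # no established session: refused
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)


def demo():
    """Two inside hosts reach the same web server through one external address;
    an unsolicited chat request from outside finds no session and is dropped."""
    nat = SourceNat(PORT2_ADDR)
    a = nat.outbound(Packet("10.11.101.100", 51000, "198.51.100.7", 80))
    b = nat.outbound(Packet("10.11.101.101", 51000, "198.51.100.7", 80))
    reply_a = nat.inbound(Packet("198.51.100.7", 80, PORT2_ADDR, a.sport))
    chat = nat.inbound(Packet("198.51.100.9", 5222, PORT2_ADDR, 5222))
    return a, b, reply_a, chat


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Both inside hosts use source port 51000, so the external port, not the address, is what keeps their sessions apart; the reply to host A is matched on that port. The chat request returns None, which is the "refused or time-out" outcome the text describes.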

Access Control List (ACL)
An access control list (ACL) is a table of addresses that have permission to send and
receive data over a router’s interface or interfaces. The router maintains an ACL, and
when traffic comes in on a particular interface it is buffered, while the router looks up in the
ACL if that traffic is allowed over that port or not. If it is allowed on that incoming interface,
then the next step is to check the ACL for the destination interface. If the traffic passes that
check as well, the buffered traffic is delivered to its destination. If either of those steps fails
the ACL check, the traffic is dropped and an error message may be sent to the sender.
The ACL ensures that traffic follows expected paths, and any unexpected traffic is not
delivered. This stops many network attacks. However, to be effective the ACL must be
kept up to date — when employees or computers are removed from the internal network
their IP addresses must also be removed from the ACL. For more information on the ACL,
see the router chapter of the FortiGate CLI Reference.

Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in
Linux programming.
Blackhole routes are used to dispose of packets instead of responding to suspicious
inquiries. This provides added security since the originator will not discover any
information from the target network.
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in
use, traffic to those addresses (traffic which may be valid or malicious) can be directed to
a blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, was added to
enable easier configuration of blackhole routing. Similar to a normal interface, this
loopback interface has fewer parameters to configure, and all traffic sent to it stops there.
Since it cannot have hardware connection or link status problems, it is always available,
making it useful for other dynamic routing roles. Once configured, you can use a loopback
interface in firewall policies, routing, and other places that refer to interfaces. You
configure this feature only from the CLI. For more information, see the system chapter of
the FortiGate CLI Reference.

Reverse path lookup
Whenever a packet arrives at one of the FortiGate unit’s interfaces, the unit determines
whether the packet was received on a legitimate interface by doing a reverse lookup using
the source IP address in the packet header. This is also called anti-spoofing. If the
FortiGate unit cannot communicate with the computer at the source IP address through
the interface on which the packet was received, the FortiGate unit drops the packet as it is
likely a hacking attempt.
If the destination address can be matched to a local address (and the local configuration
permits delivery), the FortiGate unit delivers the packet to the local network. If the packet
is destined for another network, the Fortigate unit forwards the packet to a next-hop router
according to a policy route and the information stored in the FortiGate forwarding table.
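The three mechanisms above (ACL checks on the incoming and outgoing interface, a blackhole route that silently discards traffic to an unused subnet, and the reverse path lookup that drops packets whose source is not reachable through the interface they arrived on) combined into one forwarding decision, as an added Python example. This is not FortiGate code from this handbook; the routing table, the ACL contents, the subnet 10.11.102.0/24 used as the blackhole, the decommissioned subnet 10.11.103.0/24 and the function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    device: str                    # egress interface; "blackhole" drops silently
    gateway: Optional[str] = None


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed table: the page's internal subnet on port1, the ISP side on
# port2, an unused subnet sent to a blackhole, and a subnet that is still
# routed on port1 but whose hosts were removed from the ACL.
TABLE = [
    Route(net("0.0.0.0/0"), "port2", "172.20.120.2"),
    Route(net("172.20.120.0/24"), "port2"),
    Route(net("10.11.101.0/24"), "port1"),
    Route(net("10.11.102.0/24"), "blackhole"),
    Route(net("10.11.103.0/24"), "port1"),
]

# ACL per interface: networks permitted to send or receive on it (constructed).
ACL = {
    "port1": [net("10.11.101.0/24")],
    "port2": [net("0.0.0.0/0")],
}


def lookup(table: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match, as a forwarding table resolves an address."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in table if addr in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen, default=None)


def acl_permits(iface: str, address: str) -> bool:
    addr = ipaddress.ip_address(address)
    return any(addr in n for n in ACL.get(iface, []))


def forward(table: List[Route], ingress: str, src: str, dst: str) -> Tuple[str, str]:
    """Decide what happens to a packet: ('forward', egress) or ('drop', reason)."""
    # 1. Reverse path lookup: the route back to the source must leave through
    #    the interface the packet arrived on, otherwise the source is suspect.
    back = lookup(table, src)
    if back is None or back.device != ingress:
        return ("drop", f"rpf: {src} is not reachable via {ingress}")
    # 2. ACL on the incoming interface.
    if not acl_permits(ingress, src):
        return ("drop", f"acl: {src} is not permitted on {ingress}")
    # 3. Destination lookup; a blackhole route swallows the packet with no reply.
    out = lookup(table, dst)
    if out is None:
        return ("drop", f"no route to {dst}")
    if out.device == "blackhole":
        return ("drop", "blackhole")
    # 4. ACL on the outgoing interface.
    if not acl_permits(out.device, dst):
        return ("drop", f"acl: {dst} is not permitted on {out.device}")
    return ("forward", out.device)


if __name__ == "__main__":
    for ingress, src, dst in [("port1", "10.11.101.5", "198.51.100.7"),
                              ("port2", "10.11.101.5", "198.51.100.7"),
                              ("port1", "10.11.101.5", "10.11.102.9"),
                              ("port1", "10.11.103.1", "198.51.100.7")]:
        print(ingress, src, "->", dst, forward(TABLE, ingress, src, dst))
```

The second case is the anti-spoofing one: a packet claiming an internal source but arriving on port2 fails the reverse lookup before any ACL or destination lookup runs. The fourth shows why the text insists the ACL be kept current: the stale subnet still has a route, so only the ACL stops it.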

Multipath routing and determining the best route
Multipath routing occurs when more than one entry to the same destination is present in
the routing table. When multipath routing happens, the FortiGate unit may have several
possible destinations for an incoming packet, forcing the FortiGate unit to decide which
next-hop is the best one.
It should be noted that some IP addresses will be rejected by routing protocols. These are
called Martian addresses. They are typically IP addresses that are invalid and not routable
because they have been assigned an address by a misconfigured system, or are spoofed
addresses.
Two methods to manually resolve multiple routes to the same destination are to lower the
administrative distance of one route or to set the priority of both routes. For the FortiGate
unit to select a primary (preferred) route, manually lower the administrative distance
associated with one of the possible routes. Setting the priority on the routes is a FortiGate
unit feature and may not be supported by non-Fortinet routers.
Administrative distance is based on the expected reliability of a given route. It is
determined through a combination of the number of hops from the source and the protocol
used. A hop is when traffic moves from one router to the next. More hops from the source
means more possible points of failure. The administrative distance can be from 1 to 255,
with lower numbers being preferred. A distance of 255 is seen as infinite and will not be
installed in the routing table.
Here is an example to illustrate how administrative distance works — if there are two
possible routes traffic can take between two destinations with administrative distances of
5 (always up) and 31 (sometimes not available), the traffic will use the route with an
administrative distance of 5. If for some reason the preferred route (admin distance of 5)
is not available, the other route will be used as a backup.
Different routing protocols have different default administrative distances. These different
administrative distances are based on a number of factors of each protocol such as
reliability, speed, and so on. The default administrative distances for any of these routing
protocols are configurable.
Table 87: Default administrative distances for routing protocols and connections
Routing protocol              Default administrative distance
Direct physical connection    1
Static                        10
EBGP                          20
OSPF                          110
RIP                           120
IBGP                          200

Another method to determine the best route is to manually change the priority of both
routes in question. If the next-hop administrative distances of two routes on the FortiGate
unit are equal, it may not be clear which route the packet will take. Manually configuring
the priority for each of those routes will make it clear which next-hop will be used in the
case of a tie. The priority for a route can only be set from the CLI. Lower priorities are
preferred. Priority is a Fortinet value that may or may not be present in other brands of
routers.
All entries in the routing table are associated with an administrative distance. If the routing
table contains several entries that point to the same destination (the entries may have
different gateways or interface associations), the FortiGate unit compares the
administrative distances of those entries first, selects the entries having the lowest
distances, and installs them as routes in the FortiGate unit forwarding table. As a result,
the FortiGate unit forwarding table contains only those routes having the lowest distances
to every possible destination. While only static routing uses administrative distance as its
routing metric, other routing protocols such as RIP can use metrics that are similar to
administrative distance.
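The Routing Monitor filter from "Searching the routing table" (every criterion must match the same entry), the details lookup, and the installation rule from "Building the routing table" and the administrative distance discussion (lowest distance wins, 255 is never installed, ties are kept together) as one added Python example. This is example code, not FortiGate code from this handbook; the routing table is constructed (it reuses the page's 172.16.14.0/24, 10.10.10.10/24 and 172.20.120.2 values), the Table 87 defaults are the page's, and the names search, details and build_forwarding_table are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances from Table 87.
DEFAULT_DISTANCE = {"Connected": 1, "Static": 10, "EBGP": 20,
                    "OSPF": 110, "RIP": 120, "IBGP": 200}


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    rtype: str                    # Type column: Connected, Static, RIP, OSPF, EBGP, IBGP
    interface: str
    gateway: Optional[str] = None
    distance: int = 10            # administrative distance, 1-255
    metric: int = 0


def route(net, rtype, interface, gateway=None, distance=None, metric=0) -> Route:
    """Build a Route; distance defaults to the protocol's Table 87 value.
    strict=False accepts a host-style prefix such as 10.10.10.10/24, as typed
    into the Routing Monitor, and normalises it to 10.10.10.0/24."""
    if distance is None:
        distance = DEFAULT_DISTANCE[rtype]
    return Route(ipaddress.ip_network(net, strict=False), rtype, interface,
                 gateway, distance, metric)


# Constructed routing table: the page's connected network, a default route via
# the page's ISP gateway, and three routes to 10.10.10.0/24 learned in
# different ways (the distance-255 route stands in for an unreachable one).
TABLE = [
    route("172.16.14.0/24", "Connected", "port1"),
    route("0.0.0.0/0", "Static", "port2", "172.20.120.2"),
    route("10.10.10.10/24", "Static", "port1", "10.10.10.10"),
    route("10.10.10.0/24", "RIP", "port3", "192.0.2.1", metric=2),
    route("10.10.10.0/24", "Static", "port4", "192.0.2.9", distance=255),
]


def search(table: List[Route], rtype=None, network=None, gateway=None) -> List[Route]:
    """Routing Monitor filter: each criterion given must match the same entry
    (implicit AND). Best (lowest distance) first."""
    net = ipaddress.ip_network(network, strict=False) if network else None
    hits = [r for r in table
            if (rtype is None or r.rtype == rtype)
            and (net is None or r.network == net)
            and (gateway is None or r.gateway == gateway)]
    return sorted(hits, key=lambda r: (r.distance, r.metric))


def details(table: List[Route], address: str) -> List[Route]:
    """Like 'get router info routing-table details <ip>': every route that
    covers the address, most specific and lowest distance first."""
    addr = ipaddress.ip_address(address)
    hits = [r for r in table if addr in r.network]
    return sorted(hits, key=lambda r: (-r.network.prefixlen, r.distance, r.metric))


def build_forwarding_table(table: List[Route]) -> Dict[ipaddress.IPv4Network, List[Route]]:
    """Keep, per destination, only the entries with the lowest distance. A
    distance of 255 is infinite and never installed. Entries tied on distance
    are all installed (they become ECMP candidates)."""
    best: Dict[ipaddress.IPv4Network, List[Route]] = {}
    for r in table:
        if r.distance >= 255:
            continue
        current = best.get(r.network)
        if current is None or r.distance < current[0].distance:
            best[r.network] = [r]
        elif r.distance == current[0].distance:
            current.append(r)
    return best


if __name__ == "__main__":
    for r in search(TABLE, rtype="Static", network="10.10.10.10/24"):
        print(f"{r.network} via {r.gateway} on {r.interface}, distance {r.distance}")
    for n, routes in build_forwarding_table(TABLE).items():
        print(n, [(r.rtype, r.interface) for r in routes])
```

Running it shows that the RIP route to 10.10.10.0/24 is listed by details but never reaches the forwarding table while the static route at distance 10 exists, and that the distance-255 entry is visible in the search yet never installed.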

Troubleshooting static routing
When there are problems with your network that you believe to be static routing related,
there are a few basic tools available to locate the problem.
These tools include:
• Ping
• Traceroute
• Examine routing table contents
• Examine the firewall session list

Ping
The ping command sends a very small packet to the destination, and waits for a response.
The response has a timer that may expire, indicating the destination is unreachable. The
behavior of ping is very much like a sonar ping from a submarine, where the command
gets its name.
Ping is part of Layer-3 on the OSI Networking Model. Ping sends Internet Control
Message Protocol (ICMP) “echo request” packets to the destination, and listens for “echo
response” packets in reply. However, many public networks block ICMP packets because
ping can be used in a denial of service (DoS) attack (such as Ping of Death or a smurf
attack), or by an attacker to find active locations on the network. By default, FortiGate units
have ping enabled and broadcast-forward is disabled on the external interface.

What ping can tell you
Beyond the basic connectivity information, ping can tell you the amount of packet loss (if
any), how long it takes the packet to make the round trip, and the variation in that time
from packet to packet.
If there is no packet loss detected, your basic network connectivity is OK.
If there is some packet loss detected, you should investigate:
• possible ECMP, split horizon, network loops
• cabling to ensure no loose connections
If there is total packet loss, you should investigate:
• hardware - ensure cabling is correct, and all equipment between the two locations is
accounted for
• addresses and routes - ensure all IP addresses and routing information along the route
are configured as expected
• firewalls - ensure all firewalls are set to allow PING to pass through

How to use ping
Ping syntax is the same for nearly every type of system on a network.
To ping from a Windows PC
1 Go to a DOS prompt. Typically you go to Start > Run, enter cmd, and select OK.
2 Enter ping 10.11.101.100 to ping the internal interface of the FortiGate unit with
four packets. If your FortiGate unit is configured with a different IP address use it
instead.
Other ping options include:
• -t to send packets until you press “Control-C”
• -a to resolve addresses to domain names where possible
• -n X to send X ping packets and stop
Output appears as:
C:\> ping 10.11.101.101
Pinging 10.11.101.101 with 32 bytes of data:
Reply from 10.11.101.101: bytes=32 time=10ms TTL=255
Reply from 10.11.101.101: bytes=32 time<1ms TTL=255
Reply from 10.11.101.101: bytes=32 time=1ms TTL=255
Reply from 10.11.101.101: bytes=32 time=1ms TTL=255
Ping statistics for 10.11.101.101:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 3ms
To ping from a Linux PC
1 Go to a command line prompt.
2 Enter “ping 10.11.101.101”.
Output appears as:
To ping from a FortiGate unit
1 Connect to the CLI either through telnet or through the CLI widget on the web-based
manager dashboard.
2 Enter exec ping 10.11.101.101 to send 5 ping packets to the destination. There
are no options.
Output appears as:
Head_Office_620b # exec ping 10.11.101.101
PING 10.11.101.101 (10.11.101.101): 56 data bytes
64 bytes from 10.11.101.101: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.11.101.101: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=3 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=4 ttl=255 time=0.2 ms
--- 10.11.101.101 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms
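The "What ping can tell you" reading of these outputs (no loss, some loss, total loss, plus round-trip time and its variation) turned into a small parser and classifier, as an added Python example rather than anything from this handbook. The Windows and FortiGate samples are the outputs shown above; the partial-loss and total-loss samples, and the names packet_counts, classify and rtt_stats, are constructed for the example. It goes slightly beyond the text in also accepting the Linux ping summary line, which has the same shape as the FortiGate one.

```python
import re
from typing import List, Optional, Tuple

# Samples: the two outputs shown in the text, plus two constructed summaries.
WINDOWS_OK = """\
Pinging 10.11.101.101 with 32 bytes of data:
Reply from 10.11.101.101: bytes=32 time=10ms TTL=255
Reply from 10.11.101.101: bytes=32 time<1ms TTL=255
Reply from 10.11.101.101: bytes=32 time=1ms TTL=255
Reply from 10.11.101.101: bytes=32 time=1ms TTL=255
Ping statistics for 10.11.101.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 10ms, Average = 3ms
"""

FORTIGATE_OK = """\
PING 10.11.101.101 (10.11.101.101): 56 data bytes
64 bytes from 10.11.101.101: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.11.101.101: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=3 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=4 ttl=255 time=0.2 ms
--- 10.11.101.101 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms
"""

PARTIAL_LOSS = ("--- 10.11.101.1 ping statistics ---\n"
                "5 packets transmitted, 3 packets received, 40% packet loss\n")  # constructed
TOTAL_LOSS = ("Ping statistics for 10.11.101.1:\n"
              "    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),\n")  # constructed

WINDOWS_STATS = re.compile(r"Sent = (\d+), Received = (\d+)")
UNIX_STATS = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")
RTT = re.compile(r"time[=<]\s*([\d.]+)\s*ms")

# What the text says to investigate for each outcome.
CHECKS = {
    "ok": [],
    "partial": ["possible ECMP, split horizon, network loops",
                "cabling, to ensure there are no loose connections"],
    "total": ["hardware: cabling and every device between the two locations",
              "addresses and routes along the path",
              "firewalls: every firewall on the path must allow ping through"],
}


def packet_counts(output: str) -> Tuple[int, int]:
    """(sent, received) from either the Windows or the Unix/FortiGate summary."""
    m = WINDOWS_STATS.search(output) or UNIX_STATS.search(output)
    if not m:
        raise ValueError("no ping statistics line found")
    return int(m.group(1)), int(m.group(2))


def classify(output: str) -> Tuple[str, List[str]]:
    """Return ('ok' | 'partial' | 'total', things to investigate)."""
    sent, received = packet_counts(output)
    if received == 0:
        level = "total"
    elif received < sent:
        level = "partial"
    else:
        level = "ok"
    return level, CHECKS[level]


def rtt_stats(output: str) -> Optional[Tuple[float, float, float, float]]:
    """(min, avg, max, spread) of the per-reply round-trip times in ms; a
    Windows 'time<1ms' reply is counted as 1 ms. None if there were no replies."""
    times = [float(t) for t in RTT.findall(output)]
    if not times:
        return None
    return min(times), sum(times) / len(times), max(times), max(times) - min(times)


if __name__ == "__main__":
    for name, sample in [("windows", WINDOWS_OK), ("fortigate", FORTIGATE_OK),
                         ("partial", PARTIAL_LOSS), ("total", TOTAL_LOSS)]:
        print(name, classify(sample), rtt_stats(sample))
```

The spread value is the packet-to-packet variation the text mentions; for the Windows sample it is 9 ms because the first reply took 10 ms and the rest about 1 ms.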

Traceroute
Where ping will only tell you if it reached its destination and came back successfully,
traceroute will show each step of its journey to its destination and how long each step
takes. If ping finds an outage between two points, traceroute can be used to locate exactly
where the problem is.

What is traceroute
Traceroute works by sending ICMP packets to test each hop along the route. It will send
out three packets, and then increase the time to live (TTL) setting by one each time. This
effectively allows the packets to go one hop farther along the route. This is the reason why
most traceroute commands display their maximum hop count before they start tracing the
route — that is the maximum number of steps it will take before declaring the destination
unreachable. Also the TTL setting may result in steps along the route timing out due to
slow responses. There are many possible reasons for this to occur.
Traceroute by default uses UDP datagrams with destination ports numbered from 33434
to 33534. The traceroute utility usually has an option to specify use of ICMP echo request
(type 8) instead, as used by the Windows tracert utility. If you have a firewall and if you
want traceroute to work from both machines (Unix-like systems and Windows) you will
need to allow both protocols inbound through your FortiGate firewall policies (UDP with
ports from 33434 to 33534 and ICMP type 8).

How do you use traceroute
The traceroute command varies slightly between operating systems. Note that in MS
Windows the command name is shortened to “tracert”. Also note that your output will
list different domain names and IP addresses along your route.
To use traceroute on an MS Windows PC
1 Go to a DOS prompt. Typically you go to Start > Run, enter “cmd” and select OK.
2 Enter “tracert fortinet.com” to trace the route from the PC to the Fortinet
website.
Output will appear as:
C:\> tracert fortinet.com
Tracing route to fortinet.com [208.70.202.225]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  172.20.120.2
  2    66 ms    24 ms    31 ms  209-87-254-xxx.storm.ca [209.87.254.221]
  3    52 ms    22 ms    18 ms  core-2-g0-0-1104.storm.ca [209.87.239.129]
  4    43 ms    36 ms    27 ms  core-3-g0-0-1185.storm.ca [209.87.239.222]
  5    46 ms    21 ms    16 ms  te3-x.1156.mpd01.cogentco.com [38.104.158.69]
  6    25 ms    45 ms    53 ms  te8-7.mpd01.cogentco.com [154.54.27.249]
  7    89 ms    70 ms    36 ms  te3-x.mpd01.cogentco.com [154.54.6.206]
  8    55 ms    77 ms    58 ms  sl-st30-chi-.sprintlink.net [144.232.9.69]
  9    53 ms    58 ms    46 ms  sl-0-3-3-x.sprintlink.net [144.232.19.181]
 10    82 ms    90 ms    75 ms  sl-x-12-0-1.sprintlink.net [144.232.20.61]
 11   122 ms   123 ms   132 ms  sl-0-x-0-3.sprintlink.net [144.232.18.150]
 12   129 ms   119 ms   139 ms  144.232.20.7
 13   172 ms   164 ms   243 ms  sl-321313-0.sprintlink.net [144.223.243.58]
 14    99 ms    94 ms    93 ms  203.78.181.18
 15   108 ms   102 ms    89 ms  203.78.176.2
 16    98 ms    95 ms    97 ms  208.70.202.225
Trace complete.

The first, or leftmost column, is the hop count, which cannot go over 30 hops.
The second, third, and fourth columns are how long each of the three packets takes to
reach this stage of the route. These values are in milliseconds and normally vary quite a
bit. Typically a value of “<1 ms” indicates a local connection.
The fifth, or rightmost column, is the domain name of that device and its IP address or
possibly just the IP address.
To perform a traceroute on a Linux PC
1 Go to a command line prompt.
2 Enter “traceroute fortinet.com”.
The Linux traceroute output is very similar to the MS Windows traceroute output.
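A parser for the Windows tracert format described above (hop count, three probe times, host name and address), with the checks an operator actually wants from it: which hops timed out and whether the destination was reached. This is an added Python example, not code from this handbook. The sample keeps the first three hops and the final hop of the page's output and inserts a constructed timed-out hop 4; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: hops 1-3 and the destination from the page's output,
# with a timed-out hop 4 inserted to show how a silent router appears.
SAMPLE = """\
Tracing route to fortinet.com [208.70.202.225]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.20.120.2
  2    66 ms    24 ms    31 ms  209-87-254-xxx.storm.ca [209.87.254.221]
  3    52 ms    22 ms    18 ms  core-2-g0-0-1104.storm.ca [209.87.239.129]
  4     *        *        *     Request timed out.
  5    98 ms    95 ms    97 ms  208.70.202.225

Trace complete.
"""

TARGET_RE = re.compile(r"Tracing route to (\S+) \[([\d.]+)\]")
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
HOST_RE = re.compile(r"^(.*?)\s*\[([\d.]+)\]$")


@dataclass
class Hop:
    number: int
    rtts: List[Optional[float]]   # None for a timed-out probe, 0.0 for "<1 ms"
    host: str
    ip: Optional[str]             # None when the hop did not answer


def target_ip(text: str) -> Optional[str]:
    m = TARGET_RE.search(text)
    return m.group(2) if m else None


def parse_tracert(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                          # banner, blank or "Trace complete."
        probes = re.findall(r"<?\d+ ms|\*", m.group(2))
        rtts = [None if p == "*" else (0.0 if p.startswith("<") else float(p.split()[0]))
                for p in probes]
        host = m.group(3)
        hm = HOST_RE.match(host)
        if hm:
            name, ip = hm.group(1), hm.group(2)
        elif re.fullmatch(r"[\d.]+", host):
            name, ip = host, host             # bare address, no reverse DNS
        else:
            name, ip = host, None             # e.g. "Request timed out."
        hops.append(Hop(int(m.group(1)), rtts, name, ip))
    return hops


def timed_out_hops(hops: List[Hop]) -> List[int]:
    """Hop numbers where at least one of the three probes got no reply."""
    return [h.number for h in hops if any(r is None for r in h.rtts)]


def best_rtt(hop: Hop) -> Optional[float]:
    answered = [r for r in hop.rtts if r is not None]
    return min(answered) if answered else None


def reached(hops: List[Hop], destination: str) -> bool:
    """True if the last listed hop is the destination address."""
    return bool(hops) and hops[-1].ip == destination


if __name__ == "__main__":
    hops = parse_tracert(SAMPLE)
    print("reached:", reached(hops, target_ip(SAMPLE)))
    print("timed out at:", timed_out_hops(hops))
    for h in hops:
        print(h.number, best_rtt(h), h.host, h.ip)
```

A hop that times out while later hops answer, as hop 4 does here, is a router that does not send ICMP time-exceeded replies, not an outage; a trace that never reaches the destination is the case the text describes, and the last answering hop is where to start looking.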

Examine routing table contents
The first place to look for information is the routing table.
The routing table is where all the currently used routes are stored for both static and
dynamic protocols. If a route is in the routing table, it saves the time and resources of a
lookup. If a route isn’t used for a while and a new route needs to be added, the oldest least
used route is bumped if the routing table is full. This ensures the most recently used routes
stay in the table. Note that if your FortiGate unit is in Transparent mode, you are unable to
perform this step.
If the FortiGate is running in NAT mode, verify that all desired routes are in the routing
table: local subnets, default routes, specific static routes, and dynamic routing protocols.
To check the routing table in the web-based manager, use the Routing Monitor — go to
System > Routing > Monitor. In the CLI, use the command get router info routing-table all.
For more information on routing tables, see “Routing table” on page 1210.

Examine the firewall session list
One further step is to examine the firewall session list. When examining the firewall
session list in the CLI, filters may be used to reduce the output. In the web-based
manager, the filters are part of the interface.
To examine the firewall session list in the web-based manager
1 Go to System > Status > Dashboard > Top Sessions.
2 Select Detach, and then Details.
3 Expand the session window to full screen to display the information.
4 Change filters, view associated firewall policy, column ordering, and so on to analyze
the sessions in the table.
5 Select the delete icon to terminate the session.
To examine the firewall session list in the CLI
In the CLI, you need to first set up the filter and then list the sessions. This will allow you to
only see sessions that are important to you. In the following examples the first pair of
commands creates a filter to see all sessions with a source of PC1. The second pair of
commands creates a filter to see all sessions with a destination of PC1.
FGT# diag sys session filter src PC1
FGT# diag sys session list
or
FGT# diag sys session filter dst PC1
FGT# diag sys session list

To clear all sessions corresponding to a filter
FGT# diag sys session filter dst PC1
FGT# diag sys session clear

Static routing tips
When your network goes beyond basic static routing, here are some tips to help you plan
and manage your static routing.

Always configure a default route
The first thing configured on a router on your network should be the default route. And
where possible the default routes should point to either one or very few gateways. This
makes it easier to locate and correct problems in the network. By comparison, if one router
uses a second router as its gateway which uses a fourth for its gateway and so on, one
failure in that chain will appear as an outage for all the devices downstream. By using one
or very few addresses as gateways, if there is an outage on the network it will either be
very localized or network-wide — either is easy to troubleshoot.

Have an updated network plan
A network plan lists different subnets, user groups, and different servers. Essentially it
puts all your resources on the network, and shows how the parts of your network are
connected. Keeping your plan updated will also help you troubleshoot problems more
quickly when they arise.
The Fortinet Technical Documentation team has an example network configuration that is
used for example networks in FortiOS documentation. It is outlined in the Introduction and
includes a network diagram.
A network plan helps your static routing by eliminating potential bottlenecks, and helping
troubleshoot any routing problems that come up.

Plan for expansion
No network remains the same size. At some time, all networks grow. If you take future
growth into account, there will be less disruption to your existing network when that growth
happens. For example allocating a block of addresses for servers can easily prevent
having to re-assign IP addresses to multiple servers due to a new server.
With static routing, if you group parts of your network properly you can easily use network
masks to address each part of your network separately. This will reduce the amount of
administration required both to maintain the routing, and to troubleshoot any problems.

Configure as much security as possible
Securing your network through static routing methods is a good low level method to
defend both your important information and your network bandwidth. Simply implementing
NAT is a big step. Using black hole routing for unused addresses helps too. Configuring
and using ACL is good too. All three features limit access to the people who should be
using your network.
If you have these routing security features in place from the beginning, they will not be
noticed by your users as they would be noticed if implemented at a future date.

ECMP route failover and load balancing
Equal Cost Multi-Path (ECMP) load balancing and failover are methods that extend
basic static routing. They allow you to use your network bandwidth more effectively, with
less downtime than if you used basic static routing alone.
The concepts in this section include:
• Route priority
• Equal-Cost Multi-Path (ECMP)
• Configuring spill-over or usage-based ECMP
• Configuring weighted static route load balancing

Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing preference.
Priority is a Fortinet value that may or may not be present in other brands of routers.
You can only configure the priority field through the CLI. Priority values can range from 0
to 255. The route with the lowest value in the priority field is considered the best route, and
it is also the primary route.
For example, use the following command to change the priority of a route to 5 for a route
to the address 10.10.10.1 on the port1 interface.
config router static
    edit 1
        set device port1
        set gateway 10.10.10.10
        set dst 10.10.10.1
        set priority 5
end
If there are other routes at priority 10, this route will be preferred. If there are routes at
priority less than 5, those other routes will be preferred instead.
In summary, because you can use the CLI to specify which sequence numbers or priority
field settings to use when defining static routes, you can prioritize routes to the same
destination according to their priority field settings. For a static route to be the preferred
route, you must create the route using the config router static CLI command and
specify a low priority for the route. If two routes have the same administrative distance and
the same priority, then they are equal cost multipath (ECMP) routes.
Since this means there is more than one route to the same destination, it can be confusing
which route or routes to install and use. However, if you have enabled load balancing with
ECMP routes, then different sessions will resolve this problem by using different routes to
the same address.

Equal-Cost Multi-Path (ECMP)
FortiOS uses equal-cost multi-path (ECMP) to distribute traffic to the same destination
such as the Internet or another network. Using ECMP you can add multiple routes to the
destination and give each of those routes the same distance and priority.

Note: If multiple routes to the same destination have the same priority but different
distances, the route with the lowest distance is used. If multiple routes to the same
destination have the same distance but different priorities, the route with the lowest priority
is used. Distance takes precedence over priority. If multiple routes to the same destination
have different distances and different priorities, the route with the lowest distance is always
used even if it has the highest priority.

Using ECMP, if more than one ECMP route is available you can configure how the
FortiGate unit selects the route to be used for a communication session. If only one ECMP
route is available (for example, because an interface cannot process traffic because
interface status detection does not receive a reply from the configured server) then all
traffic uses this route.
Previous versions of FortiOS provided source IP-based load balancing for ECMP routes,
but now FortiOS includes three configuration options for ECMP route failover and load
balancing:
Source based (also called source IP based)
    The FortiGate unit load balances sessions among ECMP routes based on the
    source IP address of the sessions to be load balanced. This is the default
    load balancing method. No configuration changes are required to support
    source IP load balancing.
Weighted (also called weight-based)
    The FortiGate unit load balances sessions among ECMP routes based on
    weights added to ECMP routes. More traffic is directed to routes with
    higher weights. After selecting weight-based you must add weights to static
    routes.
Spill-over (also called usage-based)
    The FortiGate unit distributes sessions among ECMP routes based on how busy
    the FortiGate interfaces added to the routes are. After selecting spill-over
    you add route Spillover Thresholds to interfaces added to ECMP routes. The
    FortiGate unit sends all ECMP-routed sessions to the lowest numbered
    interface until the bandwidth being processed by this interface reaches its
    spillover threshold. The FortiGate unit then spills additional sessions over
    to the next lowest numbered interface. The Spillover Thresholds range is
    0-2097000 KBps.

You can configure only one of these ECMP route failover and load balancing methods in a
single VDOM. If your FortiGate unit is configured for multiple VDOM operation, each
VDOM can have its own ECMP route failover and load balancing configuration.
To configure the ECMP route failover and load balancing method from the
web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to source based, weighted, or
spill-over.
3 Select Apply.
To configure the ECMP route failover and load balancing method from the CLI
Enter the following command:
config system settings
    set v4-ecmp-mode {source-ip-based | usage-based | weight-based}
end

ECMP routing of simultaneous sessions to the same destination IP address
When the FortiGate unit selects an ECMP route for a session, a route cache is created
that matches the route with the destination IP address of the session. All new sessions to
the same destination IP address use the same route until the route is flushed from the
cache. Routes are flushed from the cache after a period of time when no new sessions to
the destination IP address are received.
The route cache improves FortiGate unit routing performance by reducing how often the
FortiGate unit looks up routes in the routing table.
If the FortiGate unit receives a large number of sessions with the same destination IP
address, because all of these sessions will be processed by the same route, it may appear
that sessions are not distributed according to the ECMP route failover and load balancing
configuration.

Configuring spill-over or usage-based ECMP
Spill-over or usage-based ECMP routes new sessions to interfaces that have not reached
a configured bandwidth limit (called the Spillover Threshold or a route-spillover threshold).
To configure spill-over or usage-based ECMP routing, you enable spill-over ECMP, add
ECMP routes, and add a Spillover Threshold to the interfaces used by the ECMP routes.
Set the Spillover Thresholds to limit the amount of bandwidth processed by each interface.
With spill-over ECMP routing configured, the FortiGate unit routes new sessions to an
interface used by an ECMP route until that interface reaches its Spillover Threshold. Then,
when the threshold of that interface is reached, new sessions are routed to one of the
other interfaces used by the ECMP routes.
To add Spillover Thresholds to interfaces from the web-based manager
Use the following steps to enable usage based ECMP routing, add Spillover Thresholds to
FortiGate interfaces port3 and port4, and then configure ECMP routes with device set to
port3 and port4.
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to usage-based.
3 Go to Router > Static > Static Route.
4 Add ECMP routes for port3 and port4.
Destination IP/Mask   Device   Gateway        Distance
192.168.20.0/24       port3    172.20.130.3   10
192.168.20.0/24       port4    172.20.140.4   10

5 Go to System & gt; Network & gt; Interface.
6 Edit port3 and port4 and add the following spillover-thresholds:
Interface   Spillover Threshold (KBps)
port3       100
port4       200

Detailed description of how spill-over ECMP selects routes
When you add ECMP routes they are added to the routing table in the order displayed by
the routing monitor or by the get router info routing-table static command.
This order is independent of the configured bandwidth limit.
The FortiGate unit selects an ECMP route for a new session by finding the first route in the
routing table that sends the session out a FortiGate unit interface that is not processing
more traffic than its configured route spill-over limit.
Note: A new session to a destination IP address that already has an entry in the routing
cache is routed using the route already added to the cache for that destination address.
See “ECMP routing of simultaneous sessions to the same destination IP address” on
page 1226.

For example, consider a FortiGate unit with interfaces port3 and port4 both connected to
the Internet through different ISPs. ECMP routing is set to usage-based and the route
spillover thresholds are set to 100 KBps for port3 and 200 KBps for port4. Two ECMP
default routes are added, one for port3 and one for port4.
If the route to port3 is higher in the routing table than the route to port4, the FortiGate unit
sends all default route sessions out port3 until port3 is processing 10Mbps of data. When
port3 reaches its configured bandwidth limit, the FortiGate unit sends all default route
sessions out port4. When the bandwidth usage of port3 falls below 10Mbps, the FortiGate
again sends all default route sessions out port3.
New sessions to destination IP addresses that are already in the routing cache, however,
use the cached routes. This means that even if port3 is exceeding its bandwidth limit, new
sessions can continue to be sent out port3 if their destination addresses are already in the
routing cache. As a result, new sessions are sent out port4 only if port3 exceeds its
bandwidth limit and the routing cache does not contain a route for the destination IP
address of the new session.
Also, the switch over to port4 does not occur as soon as port3 exceeds its bandwidth limit.
Bandwidth usage has to exceed the limit for a period of time before the switch over takes
place. If port3 bandwidth usage drops below the bandwidth limit during this time period,
sessions are not switched over to port4. This delay reduces route flapping.
FortiGate usage-based ECMP routing is not actually load balancing, since routes are not
distributed evenly among FortiGate interfaces. Depending on traffic volumes, most traffic
would usually be processed by the first interface with only spillover traffic being processed
by other interfaces.
If you are configuring usage-based ECMP, in most cases you should add spillover
thresholds to all of the interfaces with ECMP routes. The default spillover threshold is 0,
which means no bandwidth limiting. If any interface has a spillover threshold of 0, no
sessions will be routed to interfaces lower in the list unless the interface goes down or is
disconnected. An interface can go down if Detect interface status for Gateway Load
Balancing does not receive a response from the configured server.

Determining if an interface has exceeded its Spillover Threshold
You can use the diagnose netlink dstmac list CLI command to determine if an
interface is exceeding its Spillover Threshold. If the command displays over_bps=1 the
interface is exceeding its threshold. If over_bps=0 the interface has not exceeded its
threshold.
Configuring weighted static route load balancing
Configure weighted load balancing to control how the FortiGate unit distributes sessions
among ECMP routes by adding weights for each route. Add higher weights to routes that
you want to load balance more sessions to.
With the ECMP load balancing method set to weighted, the FortiGate unit distributes
sessions with different destination IPs by generating a random value to determine the
route to select. The probability of selecting one route over another is based on the weight
value of each route. Routes with higher weights are more likely to be selected.
Large numbers of sessions are evenly distributed among ECMP routes according to the
route weight values. If all weights are the same, sessions are distributed evenly. The
distribution of a small number of sessions, however, may not be even. For example, it is
possible that if there are two ECMP routes with the same weight, two sessions to different
IP addresses could use the same route. On the other hand, 10,000 sessions with different
destination IPs should be load balanced evenly between two routes with equal weights. The
distribution could be 5000:5000 or 5001:4999. Also, 10,000 sessions with different
destination IP addresses should be load balanced as 3333:6667 if the weights for the two
routes are 100 and 200.
Weights only affect how routes are selected for sessions to new destination IP addresses.
New sessions to IP addresses already in the routing cache are routed using the route for
the session already in the cache. So in practice sessions will not always be distributed
according to the routing weight distribution.
To add weights to static routes from the web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to weighted.
3 Go to Router > Static > Static Route.
4 Add new or edit static routes and add weights to them.
The following example shows two ECMP routes with weights added.
Destination IP/Mask   Device   Gateway        Distance   Weight
192.168.20.0/24       port1    172.20.110.1   10         100
192.168.20.0/24       port2    172.20.120.2   10         200
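The spill-over selection rules and the weighted selection described above, together with the destination route cache that both use, as an added Python simulation that is not FortiOS code. Interface names, gateways, thresholds and weights come from the examples on this page; the anti-flapping delay is modelled as a fixed number of consecutive over-threshold samples, which is an assumption, and the sample bandwidth figures are constructed.

```python
"""Simulation of the ECMP selection rules described above: usage-based
(spill-over) selection in routing-table order, weighted random selection,
and the destination route cache both modes share. Constructed example, not
FortiOS code; the anti-flapping delay is modelled as SETTLE consecutive
over-threshold bandwidth samples (an assumption about the real timer)."""
import random
from dataclasses import dataclass

SETTLE = 3  # samples above threshold before an interface counts as "over"


@dataclass
class Route:
    device: str       # outgoing interface, e.g. "port3"
    gateway: str
    weight: int = 0   # used only in weight-based mode


@dataclass
class Interface:
    name: str
    spillover_threshold: int = 0  # KBps; 0 means no bandwidth limiting
    up: bool = True
    over_samples: int = 0
    over_bps: int = 0  # same meaning as over_bps in "diagnose netlink dstmac list"

    def update(self, kbps):
        """One bandwidth sample; over_bps becomes 1 only after SETTLE
        consecutive samples above the threshold, one sample below resets it."""
        if self.spillover_threshold and kbps > self.spillover_threshold:
            self.over_samples += 1
        else:
            self.over_samples = 0
        self.over_bps = 1 if self.over_samples >= SETTLE else 0


class EcmpSelector:
    def __init__(self, mode, routes, interfaces, seed=0):
        self.mode = mode            # "usage-based" or "weight-based"
        self.routes = list(routes)  # routing-table order matters for spill-over
        self.ifaces = {i.name: i for i in interfaces}
        self.cache = {}             # destination IP -> Route
        self.rng = random.Random(seed)

    def select(self, dst_ip):
        # A destination already in the route cache keeps its route in every mode.
        if dst_ip in self.cache:
            return self.cache[dst_ip]
        if self.mode == "usage-based":
            route = self._usage_based()
        elif self.mode == "weight-based":
            route = self._weighted()
        else:
            raise ValueError(f"unknown ECMP mode {self.mode!r}")
        self.cache[dst_ip] = route
        return route

    def _usage_based(self):
        # First route in table order whose interface is up and not over threshold;
        # if every interface is saturated, keep using the first route that is up.
        live = [r for r in self.routes if self.ifaces[r.device].up]
        if not live:
            raise RuntimeError("no ECMP route available")
        return next((r for r in live if not self.ifaces[r.device].over_bps), live[0])

    def _weighted(self):
        live = [r for r in self.routes if self.ifaces[r.device].up]
        return self.rng.choices(live, weights=[r.weight for r in live], k=1)[0]


def demo_usage_based():
    """port3 first in the table with a 100 KBps threshold, port4 with 200 KBps."""
    port3 = Interface("port3", spillover_threshold=100)
    port4 = Interface("port4", spillover_threshold=200)
    sel = EcmpSelector("usage-based",
                       [Route("port3", "172.20.130.3"), Route("port4", "172.20.140.4")],
                       [port3, port4])
    out = {"idle": sel.select("10.1.1.1").device}      # port3
    for kbps in (150, 150, 50):                         # short spike, then a dip
        port3.update(kbps)
    out["dip"] = sel.select("10.1.1.2").device         # still port3: no flapping
    for _ in range(SETTLE):                             # sustained overload
        port3.update(150)
    out["cached"] = sel.select("10.1.1.1").device      # port3: route cache wins
    out["spilled"] = sel.select("10.1.1.3").device     # port4
    port4.up = False
    out["port4_down"] = sel.select("10.1.1.4").device  # back to port3
    return out


def demo_weighted(sessions=10_000):
    """Weights 100 and 200 split new destinations close to 3333:6667."""
    sel = EcmpSelector("weight-based",
                       [Route("port1", "172.20.110.1", weight=100),
                        Route("port2", "172.20.120.2", weight=200)],
                       [Interface("port1"), Interface("port2")])
    counts = {"port1": 0, "port2": 0}
    for n in range(sessions):
        counts[sel.select(f"10.2.{n // 256}.{n % 256}").device] += 1
    return counts
```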

Policy Routing
Policy routing allows you to redirect traffic away from a static route. This can be useful if
you want to route certain types of network traffic differently. You can use incoming traffic’s
protocol, source address or interface, destination address, or port number to determine
where to send the traffic. For example, generally network traffic would go to the router of a
subnet, but you might want to direct SMTP or POP3 traffic directly to the mail server on
that subnet.
If you have configured the FortiGate unit with routing policies and a packet arrives at the
FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to
match the packet with a policy. If a match is found and the policy contains enough
information to route the packet (a minimum of the IP address of the next-hop router and
the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet
using the information in the policy. If no policy route matches the packet, the FortiGate unit
routes the packet using the routing table.
Note: Most policy settings are optional, so a matching policy alone might not provide
enough information for forwarding the packet. The FortiGate unit may refer to the routing
table in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want
or are unable to specify the IP address of the next-hop router.

Policy route options define which attributes of an incoming packet cause policy routing to
occur. If the attributes of a packet match all the specified conditions, the FortiGate unit
routes the packet through the specified interface to the specified gateway.
Table 88 shows the policy route list belonging to a FortiGate unit that has interfaces
named external and internal. The names of the interfaces on your FortiGate unit
may be different.
To edit an existing policy route, see “Adding a policy route” on page 1229.
Table 88: Policy Routing list fields
Create New     Add a policy route. See “Adding a policy route” on page 1229.
#              The ID numbers of configured route policies. These numbers are sequential
               unless policies have been moved within the table.
Incoming       The interfaces on which packets subjected to route policies are received.
Outgoing       The interfaces through which policy routed packets are routed.
Source         The IP source addresses and network masks that cause policy routing to
               occur.
Destination    The IP destination addresses and network masks that cause policy routing
               to occur.
Delete icon    Delete a policy route.
Edit icon      Edit a policy route.
Move To icon   After selecting this icon, enter the destination position in the window
               that appears, and select OK.
               For more information, see “Moving a policy route” on page 1231.

Adding a policy route
To add a policy route, go to Router > Static > Policy Route and select Create New.
For more information on Type of Service, see “Type of Service” on page 1230.

Table 89 shows the New Routing Policy dialog box belonging to a FortiGate unit that has
interfaces named external and internal. The names of the interfaces on your
FortiGate unit may be different.
Table 89: New Routing Policy fields
Protocol                    To perform policy routing based on the value in the protocol field of
                            the packet, enter the protocol number to match. The Internet Protocol
                            Number is found in the IP packet header. RFC 5237 describes protocol
                            numbers and you can find a list of the assigned protocol numbers
                            here. The range is from 0 to 255. A value of 0 disables the feature.
                            Tip: Commonly used Protocol settings include 6 to route TCP sessions,
                            17 for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and
                            92 for multicast sessions.
                            For protocols other than 6 and 17, the port number is ignored.
Incoming Interface          Select the name of the interface through which incoming packets
                            subjected to the policy are received.
Source Address / Mask       To perform policy routing based on the IP source address of the
                            packet, type the source address and network mask to match. A value
                            of 0.0.0.0/0.0.0.0 disables the feature.
Destination Address / Mask  To perform policy routing based on the IP destination address of
                            the packet, type the destination address and network mask to match.
                            A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Ports           To perform policy routing based on the port on which the packet is
                            received, type the same port number in the From and To fields. To
                            apply policy routing to a range of ports, type the starting port
                            number in the From field and the ending port number in the To field.
                            A value of 0 disables this feature.
                            The Destination Ports fields are only used for TCP and UDP protocols.
                            The ports are skipped over for all other protocols.
Type of Service             Use a two digit hexadecimal bit pattern to match the service, or use
                            a two digit hexadecimal bit mask to mask out. For more information,
                            see “Type of Service” on page 1230.
Outgoing Interface          Select the name of the interface through which packets affected by
                            the policy will be routed.
Gateway Address             Type the IP address of the next-hop router that the FortiGate unit
                            can access through the specified interface. A value of 0.0.0.0 is
                            not valid.

Example policy route
Configure the following policy route to send all FTP traffic received at port1 out the
port10 interface and to a next hop router at IP address 172.20.120.23. To route FTP
traffic set protocol to 6 (for TCP) and set both of the destination ports to 21, the FTP port.
Protocol                    6
Incoming interface          port1
Source address / mask       0.0.0.0/0.0.0.0
Destination address / mask  0.0.0.0/0.0.0.0
Destination Ports           From 21 to 21
Type of Service             bit pattern: 00 (hex) bit mask: 00 (hex)
Outgoing interface          port10
Gateway Address             172.20.120.23

Type of Service
Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how
the IP datagram should be delivered, with such qualities as delay, priority, reliability, and
minimum cost.

Each quality helps gateways determine the best way to route datagrams. A router
maintains a TOS value for each route in its routing table. The lowest priority TOS is 0, the
highest is 7, when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the
datagram to the TOS on one of the possible routes to the destination. If there is no match,
the datagram is sent over a zero TOS route.
Using increased quality may increase the cost of delivery because better performance
may consume limited network resources. For more information, see RFC 791 and RFC
1349.
Table 90: The role of each bit in the IP header TOS 8-bit field
bits 0, 1, 2   Precedence     Some networks treat high precedence traffic as more important
                              traffic. Precedence should only be used within a network, and
                              can be used differently in each network. Typically you do not
                              care about these bits.
bit 3          Delay          When set to 1, this bit indicates low delay is a priority. This is
                              useful for such services as VoIP where delays degrade the
                              quality of the sound.
bit 4          Throughput     When set to 1, this bit indicates high throughput is a priority.
                              This is useful for services that require lots of bandwidth such
                              as video conferencing.
bit 5          Reliability    When set to 1, this bit indicates high reliability is a priority.
                              This is useful when a service must always be available such as
                              with DNS servers.
bit 6          Cost           When set to 1, this bit indicates low cost is a priority. Generally
                              there is a higher delivery cost associated with enabling bits 3, 4,
                              or 5, and bit 6 indicates to use the lowest cost route.
bit 7          Reserved for   Not used at this time.
               future use

For example, if you want to assign low delay, and high reliability, say for a VoIP application
where delays are unacceptable, you would use a bit pattern of xxx1x1xx where an ‘x’
indicates that bit can be any value. Since all bits are not set, this is a good use for the bit
mask; if the mask is set to 0x14, it will match any TOS packets that are set to low delay
and high reliability.

Moving a policy route
A routing policy is added to the bottom of the routing table when it is created. If you prefer
to use one policy over another, you may want to move it to a different location in the
routing policy table.
The option to use one of two routes happens when both routes are a match, for example
172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these
routes are in the policy table, both can match a route to 172.20.120.112 but you
consider the second one as a better match. In that case the best match route should be
positioned before the other route in the policy table.
In the case of two matches in the routing table, alternating sessions will use both routes in
a load balancing configuration. You can also manually assign priorities to routes. For two
matches in the routing table, the priority will determine which route is used. This feature is
available only through the CLI. For details, see the FortiGate CLI Reference.
To change the position of a policy route in the table, go to Router > Static > Policy Route
and select Move To for the policy route you want to move.

Before/After      Select Before to place the selected Policy Route before the indicated
                  route. Select After to place it following the indicated route.
Policy route ID   Enter the Policy route ID of the route in the Policy route table to move
                  the selected route before or after.
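The Table 89 matching rules, the example FTP policy route, the prefix-ordering point from “Moving a policy route” and the 0x14 Type of Service mask example, as an added Python simulation that is not FortiOS code. The TOS comparison (tos & mask) == (pattern & mask), the one-route static table, the interfaces and gateways of the two prefix policies and of the VoIP policy, and every packet are assumptions constructed for this example.

```python
"""Policy route matching as described in the Policy Routing section: the list
is walked top to bottom, a packet must satisfy every condition that is set,
and unset conditions (0, or 0.0.0.0/0.0.0.0) are ignored. Constructed example,
not FortiOS code. Assumed TOS semantics: a packet matches when
(tos & mask) == (pattern & mask), so a mask of 00 matches any TOS byte."""
import ipaddress
from dataclasses import dataclass

TCP, UDP, ICMP = 6, 17, 1
ANY_NET = "0.0.0.0/0.0.0.0"


@dataclass(frozen=True)
class Packet:
    protocol: int
    in_iface: str
    src: str
    dst: str
    dport: int = 0
    tos: int = 0


@dataclass
class PolicyRoute:
    seq: int                 # position in the policy route table
    protocol: int = 0        # 0 disables the protocol check
    in_iface: str = None
    src: str = ANY_NET
    dst: str = ANY_NET
    dport_from: int = 0      # 0 disables the port check
    dport_to: int = 0
    tos_pattern: int = 0x00
    tos_mask: int = 0x00
    out_iface: str = None
    gateway: str = None

    def matches(self, pkt):
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.in_iface and pkt.in_iface != self.in_iface:
            return False
        for spec, addr in ((self.src, pkt.src), (self.dst, pkt.dst)):
            net = ipaddress.ip_network(spec, strict=False)
            if spec != ANY_NET and ipaddress.ip_address(addr) not in net:
                return False
        # Destination ports are consulted for TCP and UDP only.
        if self.dport_from and pkt.protocol in (TCP, UDP):
            if not self.dport_from <= pkt.dport <= self.dport_to:
                return False
        return (pkt.tos & self.tos_mask) == (self.tos_pattern & self.tos_mask)


def longest_prefix_match(static_routes, dst):
    """Plain routing-table lookup used when no policy route applies."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, out_iface, gateway in static_routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_iface, gateway)
    return (best[1], best[2]) if best else (None, None)


def route(policies, pkt, static_routes):
    """First matching policy wins; a policy lacking outgoing interface or gateway,
    or no match at all, falls back to the routing table (simplified)."""
    for p in policies:
        if p.matches(pkt):
            if p.out_iface and p.gateway:
                return ("policy", p.seq, p.out_iface, p.gateway)
            break
    return ("static",) + longest_prefix_match(static_routes, pkt.dst)


# The page's example policy route: FTP arriving on port1 leaves port10 via 172.20.120.23.
FTP = PolicyRoute(seq=1, protocol=TCP, in_iface="port1", dport_from=21, dport_to=21,
                  out_iface="port10", gateway="172.20.120.23")
# Same port condition with protocol 0: ports are skipped for non-TCP/UDP traffic.
PORT21_ANY = PolicyRoute(seq=2, dport_from=21, dport_to=21,
                         out_iface="port10", gateway="172.20.120.23")
# The "Moving a policy route" prefixes; their interfaces and gateways are constructed.
WIDE = PolicyRoute(seq=3, dst="172.20.0.0/255.255.0.0",
                   out_iface="port3", gateway="172.20.130.3")
NARROW = PolicyRoute(seq=4, dst="172.20.120.0/255.255.255.0",
                     out_iface="port4", gateway="172.20.140.4")
# The Type of Service example: low delay and high reliability, bits 3 and 5 = 0x14.
VOIP = PolicyRoute(seq=5, tos_pattern=0x14, tos_mask=0x14,
                   out_iface="port5", gateway="10.9.9.1")
STATIC = [("0.0.0.0/0", "port2", "172.20.120.2")]  # constructed: one default route


def demo():
    ftp = Packet(TCP, "port1", "192.168.1.10", "203.0.113.5", dport=21)
    http = Packet(TCP, "port1", "192.168.1.10", "203.0.113.5", dport=80)
    ping = Packet(ICMP, "port1", "192.168.1.10", "203.0.113.5")
    inner = Packet(TCP, "port1", "192.168.1.10", "172.20.120.112", dport=443)
    voip = Packet(UDP, "port1", "192.168.1.20", "203.0.113.9", dport=5060, tos=0x1C)
    return {
        "ftp": route([FTP], ftp, STATIC),
        "http": route([FTP], http, STATIC),
        "icmp_port_ignored": route([PORT21_ANY], ping, STATIC),
        "wide_first": route([WIDE, NARROW], inner, STATIC),
        "narrow_first": route([NARROW, WIDE], inner, STATIC),
        "voip": route([VOIP], voip, STATIC),
    }
```

The wide_first and narrow_first entries show why the more specific prefix has to be moved above the wider one: with both matching, the policy table position alone decides.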

Transparent mode static routing
FortiOS operating modes allow you to change the configuration of your FortiGate unit
depending on the role it needs to fill in your network.
NAT/Route operating mode is the standard mode where all interfaces are accessed
individually, and traffic can be routed between ports to travel from one network to another.
In transparent operating mode, all physical interfaces act like one interface. The FortiGate
unit essentially becomes a bridge — traffic coming in over any interface is broadcast back
out over all the interfaces on the FortiGate unit.
In transparent mode, there is no entry for routing at the main level of the menu on the
web-based manager display as there is in NAT/Route mode. Routing is instead accessed
through the network menu option.
To view the routing table in transparent mode, go to Network > Routing Table.
When viewing or creating a static route entry in transparent mode there are only three
fields available.
Destination IP/Mask   The destination of the traffic being routed. The first entry is
                      attempted first for a match, then the next, and so on until a match
                      is found or the last entry is reached. If no match is found, the
                      traffic will not be routed.
                      Use 0.0.0.0 to match all traffic destinations. This is the default
                      route.
Gateway               Specifies the next hop for the traffic. Generally the gateway is the
                      address of a router on the edge of your network.
Priority              The priority is used if there is more than one match for a route.
                      This allows multiple routes to be used, with one preferred. If the
                      preferred route is unavailable the other routes can be used instead.
                      Valid range of priority can be from 0 to 4 294 967 295.
                      If more than one route matches and they have the same priority it
                      becomes an ECMP situation and traffic is shared among those routes.
                      See “Route priority” on page 1224.

When configuring routing on a FortiGate unit in transparent mode, remember that all
interfaces must be connected to the same subnet. That means all traffic will be coming
from and leaving on the same subnet. This is important because it limits your static routing
options to only the gateways attached to this subnet. For example, if you only have one
router connecting your network to the Internet then all static routing on the FortiGate unit
will use that gateway. For this reason static routing on FortiGate units in transparent mode
may be a bit different, but it is not as complex as routing in NAT/Route mode.

Zones
Zones allow you to group interfaces into zones to simplify firewall policy creation. By
grouping interfaces into a zone, you can add one set of firewall policies for the zone
instead of adding separate policies for each interface — what address groups do for
addresses in firewall policies, zones do for interfaces. Once you add interfaces to a zone
you cannot configure policies for the single interfaces, only for the entire zone.

You can add all types of interfaces to a zone (physical, VLAN, switch, and so on) and a
zone can consist of any combination of interface types. You can add zones, rename and
edit zones, and delete zones from the zone list. When you add a zone, you select the
names of the interfaces to add to the zone.
This section includes:
• Creating or editing a zone
• Blocking intra-zone traffic
• IP pools and zones
• Zones in VDOMs
• Zones in transparent mode

Creating or editing a zone
To view the zone list, go to Network > Zones. If VDOMs are enabled, ensure you are in the
correct VDOM first.
To create or edit a zone
1 If VDOMs are enabled, select the VDOM from the Current VDOM list.
Note: The VDOM must have at least two physical or virtual interfaces assigned to it.

2 Go to Network > Zone.
3 Select Create New.
4 Enter the Zone Name, enable Block intra-zone traffic if desired, and select the
interfaces to include in this zone.
5 Select OK.

Blocking intra-zone traffic
Apart from grouping interfaces to allow them to be treated as one in a firewall policy, the
other feature of zones is the ability to block intra-zone traffic. This prevents traffic between
interfaces within the zone.
For example a FortiGate unit has an accounting department on one interface, sales
department on another interface, and marketing on a third interface. The office has a
common Internet policy, so all three interfaces can be grouped into a zone for easier
firewall policy management. However, the types of traffic for each department is very
different and it is potentially dangerous to the company for accounting information to be
accessed by other departments. In this case blocking intra-zone traffic would protect the
accounting data and not require extra firewall policies to accomplish it.
From this example you can see that blocking the intra-zone traffic can also be
accomplished with firewall policies. However, this method is much more complex and time
consuming especially if all traffic can be blocked. The firewall method must be used if
some traffic will be allowed but not other traffic.
The benefits of blocking intra-zone traffic are:
• it automatically applies to all interfaces in the zone
• you don’t have to update one or more firewall policies
• it offloads work from the firewall which saves resources


IP pools and zones
You cannot use IP pools when using zones. An IP pool can only be associated with an
interface.

Zones in VDOMs
Zones are configured in virtual domains (VDOMs). If you have added multiple VDOMs to
your FortiGate unit configuration, make sure you are configuring the correct VDOM before
adding or editing zones. Zones do not appear on the Global level Network menu.

Zones in transparent mode
Up to this point, everything about zones only applies to NAT/Route operating mode. In
NAT/Route mode there are many interfaces making it easy to create zones.
In Transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide
services such as antivirus scanning, web filtering, spam filtering and intrusion protection to
traffic. There are some limitations in Transparent mode in that you cannot use SSL VPN,
PPTP/L2TP VPN, DHCP server, or easily perform NAT on traffic.
In transparent mode you can still select interfaces for a zone, but applying firewall policies
to them is problematic since all interfaces are on the same subnet, and any interfaces not
in the zone will spread the traffic the firewall policies would be trying to limit.
VLANs can still be grouped into zones so that firewall policies can be applied only to
VLANs. In Transparent mode, packets can not move between different VLANs — they are
limited to VLAN trunks which enter and leave the FortiGate unit with the same VLAN ID
tag.

Virtual LANs
Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit, and
can also provide added network security. All FortiGate models support VLANs.
This section includes:
• VLAN overview
• VLANs in NAT/Route mode
• VLANs in Transparent mode
• Troubleshooting VLAN problems

VLAN overview
Virtual LANs (VLANs) use ID tags to logically separate devices on a network into smaller
broadcast domains. These smaller domains forward packets only to devices that are part
of that VLAN domain. This reduces traffic and increases network security.
This section answers some common questions about VLANs:
• What are VLANs?
• How VLANs work
• VLAN ID rules
• VLAN switching and routing

What are VLANs?
A Local Area Network (LAN) is a group of connected computers and devices that are
arranged into network broadcast domains. A LAN broadcast domain includes all the
computers that receive a packet broadcast from any computer in that broadcast domain. A
switch will automatically forward the packets to all of its ports; in contrast, routers do not
automatically forward network broadcast packets. This means routers separate broadcast
domains. If a network has only switches and no routers, that network is considered one
broadcast domain, no matter how large or small it is. Smaller broadcast domains are more
efficient because fewer devices receive unnecessary packets. They are more secure as
well because a hacker reading traffic on the network will have access to only a small
portion of the network instead of the entire network’s traffic.
Virtual LANs (VLANs) use ID tags to logically separate a LAN into smaller broadcast
domains. Each VLAN is its own broadcast domain. Smaller broadcast domains reduce
traffic and increase network security. The IEEE 802.1Q standard defines VLANs. All layer-2
and layer-3 devices along a route must be 802.1Q-compliant to support VLANs along
that route. For more information, see “VLAN switching and routing” on page 1237 and
“VLAN layer-3 routing” on page 1239.

How VLANs work
VLANs reduce the size of the broadcast domains by only forwarding packets to interfaces
that are part of that VLAN or part of a VLAN trunk link. Trunk links form switch-to-switch or
switch-to-router connections, and forward traffic for all VLANs. This enables a VLAN to
include devices that are part of the same broadcast domain, but physically distant from
each other.
VLAN ID tags consist of a 4-byte frame extension that switches and routers apply to every
packet sent and received in the VLAN. Workstations and desktop computers, which are
commonly originators or destinations of network traffic, are not an active part of the VLAN
process—all the VLAN tagging and tag removal is done after the packet has left the
computer. For more information, see “VLAN ID rules” on page 1236.
Any FortiGate unit without VDOMs enabled can have a maximum of 255 interfaces in
Transparent operating mode. The same is true for any single VDOM. In NAT/Route
operating mode, the number can range from 255 to 8192 interfaces per VDOM, depending
on the FortiGate model. These numbers include VLANs, other virtual interfaces, and
physical interfaces. To have more than 255 interfaces configured in Transparent operating
mode, you need to configure multiple VDOMs that enable you to divide the total number of
interfaces over all the VDOMs.
One example of an application of VLANs is a company’s accounting department.
Accounting computers may be located at both main and branch offices. However,
accounting computers need to communicate with each other frequently and require
increased security. VLANs allow the accounting network traffic to be sent only to
accounting computers and to connect accounting computers in different locations as if
they were on the same physical subnet.
Note: This guide uses the term packet to refer to both layer-2 frames and layer-3 packets.

VLAN ID rules
Layer-2 switches and layer-3 devices add VLAN ID tags to the traffic as it arrives and
remove them before they deliver the traffic to its final destination. Devices such as PCs
and servers on the network do not require any special configuration for VLANs.
On a layer-2 switch, you can have only one VLAN subinterface per physical interface,
unless that interface is configured as a trunk link. Trunk links can transport traffic for
multiple VLANs to other parts of the network.
On a FortiGate unit, you can add multiple VLANs to the same physical interface. However,
VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID
or have IP addresses on the same subnet. You can add VLAN subinterfaces with the
same VLAN ID to different physical interfaces.
Twelve bits of the 4-byte VLAN tag are reserved for the VLAN ID number. Valid VLAN ID
numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.
Creating VLAN subinterfaces with the same VLAN ID does not create any internal
connection between them. For example a VLAN ID of 300 on port1 and VLAN ID of 300 on
port2 are allowed, but they are not connected. Their relationship is the same as between
any two FortiGate network interfaces.

VLAN switching and routing
VLAN switching takes place on the OSI model layer-2, just like other network switching.
VLAN routing takes place on the OSI model layer-3. The difference between them is that
during VLAN switching, VLAN packets are simply forwarded to their destination. This is
different from VLAN routing where devices can open the VLAN packets and change their
VLAN ID tags to route the packets to a new destination. See “VLAN layer-2 switching” on
page 1237, and “VLAN layer-3 routing” on page 1239.

VLAN layer-2 switching
Ethernet switches are layer-2 devices, and generally are 802.1Q compliant. Layer 2 refers
to the second layer of the seven layer Open Systems Interconnect (OSI) basic networking
model—the Data Link layer. FortiGate units act as layer-2 switches or bridges when they
are in Transparent mode—the units simply tag and forward the VLAN traffic or receive and
remove the tags from the packets. A layer-2 device does not inspect incoming packets or
change their contents; it only adds or removes tags and routes the packet.
A VLAN can have any number of physical interfaces assigned to it. Multiple VLANs can be
assigned to the same physical interface. Typically two or more physical interfaces are
assigned to a VLAN, one for incoming and one for outgoing traffic. Multiple VLANs can be
configured on one FortiGate unit, including trunk links.

Layer-2 VLAN example
To better understand VLAN operation, let’s look at what happens to a data frame on a
network that uses VLANs.
The network topology consists of two 8-port switches that are configured to support
VLANs on a network. Both switches are connected through port 8 using an 802.1Q trunk
link. Subnet 1 is connected to switch A, and subnet 2 is connected to switch B. The ports
on the switches are configured as follows.
Table 91: How ports and VLANs are used on Switch A and B

   Switch   Ports   VLAN
   A        1-4     100
   A        5-7     200
   A & B    8       Trunk link
   B        4-5     100
   B        6       200

Let's follow the steps a data frame follows when it is sent from a computer on subnet 1 that
is part of VLAN 100. In this example, switch A is connected to the Branch Office and
switch B to the Main Office.


1 A computer on port 1 of switch A sends a data frame over the network.
Figure: the frame enters port 1 of Switch A (Branch Office; ports 1-4 VLAN 100, ports 5-7 VLAN 200); the 802.1Q trunk link joins port 8 of Switch A to port 8 of Switch B (Main Office; ports 4 and 5 VLAN 100).
2 Switch A tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is
part of VLAN 100.
3 Switch A forwards the tagged data frame to the other VLAN 100 ports—ports 2 through
4. Switch A also forwards the data frame to the 802.1Q trunk link (port 8) so other parts
of the network that may contain VLAN 100 groups will receive VLAN 100 traffic.
This data frame is not forwarded to the other ports on switch A because they are not part
of VLAN 100. This increases security and decreases network traffic.
Figure: the frame, now carrying a VLAN 100 ID tag, leaves Switch A on ports 2 through 4 and on the 802.1Q trunk link (port 8) towards Switch B.
4 Switch B receives the data frame over the trunk link (port 8).
5 Because there are VLAN 100 ports on switch B (ports 4 and 5), the data frame is
forwarded to those ports. As with switch A, the data frame is not delivered to VLAN
200.


If there were no VLAN 100 ports on switch B, the switch would not forward the data frame
and it would stop there.
Figure: Switch B receives the tagged frame on port 8 and delivers it to its VLAN 100 ports (ports 4 and 5); the VLAN 200 port does not receive it.
6 The switch removes the VLAN 100 ID tag before it forwards the data frame to an end
destination.
The sending and receiving computers are not aware of any VLAN tagging on the data
frames that are being transmitted. When any computer receives that data frame, it
appears as a normal data frame.

VLAN layer-3 routing
Routers are layer-3 devices. Layer 3 refers to the third layer of the OSI networking
model—the Network layer. FortiGate units in NAT/Route mode act as layer-3 devices. As
with layer 2, FortiGate units acting as layer-3 devices are 802.1Q-compliant.
The main difference between layer-2 and layer-3 devices is how they process VLAN tags.
Layer-2 switches just add, read and remove the tags. They do not alter the tags or do any
other high-level actions. Layer-3 routers not only add, read and remove tags but also
analyze the data frame and its contents. This analysis allows layer-3 routers to change the
VLAN tag if it is appropriate and send the data frame out on a different VLAN.
In a layer-3 environment, the 802.1Q-compliant router receives the data frame and
assigns a VLAN ID. The router then forwards the data frame to other members of the
same VLAN broadcast domain. The broadcast domain can include local ports, layer-2
devices and layer-3 devices such as routers and firewalls. When a layer-3 device receives
the data frame, the device removes the VLAN tag and examines its contents to decide
what to do with the data frame. The layer-3 device considers:
   • source and destination addresses
   • protocol
   • port number.

The data frame may be forwarded to another VLAN, sent to a regular non-VLAN-tagged
network or just forwarded to the same VLAN as a layer-2 switch would do. Or, the data
frame may be discarded if the proper firewall policy has been configured to do so.

Layer-3 VLAN example
In the following example, switch A is connected to the Branch Office subnet, the same as
subnet 1 in the layer-2 example. In the Main Office subnet, VLAN 300 is on port 5 of switch
B. The FortiGate unit is connected to switch B on port 1 and the trunk link connects the
FortiGate unit’s port 3 to switch A. The other ports on switch B are unassigned.

This example explains how traffic can change VLANs—originating on VLAN 100 and
arriving at a destination on VLAN 300. Layer-2 switches alone cannot accomplish this, but
a layer-3 router can.
1 The VLAN 100 computer at the Branch Office sends the data frame to switch A, where
the VLAN 100 tag is added.

Figure: the frame enters port 1 of Switch A (Branch Office; ports 1-4 VLAN 100, ports 5-7 VLAN 200); the 802.1Q trunk link runs from Switch A port 8 to FortiGate unit port 3; FortiGate unit port 1 (VLAN 300) connects to Switch B port 1, and VLAN 300 is on Switch B port 5 (Main Office).

2 Switch A forwards the tagged data frame to the FortiGate unit over the 802.1Q trunk
link, and to the VLAN 100 interfaces on Switch A.
Up to this point everything is the same as in the layer-2 example.

Figure: the VLAN 100 tagged frame crosses the 802.1Q trunk link from Switch A port 8 to FortiGate unit port 3 (same topology as the previous figure).

3 The FortiGate unit removes the VLAN 100 tag, and inspects the content of the data
frame. The FortiGate unit uses the content to select the correct firewall policy and
routing options.

4 The FortiGate unit’s firewall policy allows the data frame to go to VLAN 300 in this
example. The data frame will be sent to all VLAN 300 interfaces, but in the example
there is only one—port 1 on the FortiGate unit. Before the data frame leaves, the
FortiGate unit adds the VLAN ID 300 tag to the data frame.
This is the step that layer 2 cannot do. Only layer 3 can retag a data frame as a
different VLAN.

Figure: the FortiGate unit sends the frame out of port 1, now tagged VLAN 300, towards Switch B port 1 (same topology as the previous figure).

5 Switch B receives the data frame, and removes the VLAN ID 300 tag, because this is
the last hop, and forwards the data frame to the computer on port 5.

Figure: Switch B removes the VLAN 300 tag and delivers the frame to the computer on port 5 at the Main Office (same topology as the previous figure).

In this example, a data frame arrived at the FortiGate unit tagged as VLAN 100. After
checking its content, the FortiGate unit retagged the data frame for VLAN 300. It is this
change from VLAN 100 to VLAN 300 that requires a layer-3 routing device, in this case
the FortiGate unit. Layer-2 switches cannot perform this change.
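To make the two walk-throughs concrete, here is an added Python simulation (not from the handbook) of the 4-byte 802.1Q tag and of the forwarding decisions in the layer-2 example (Table 91) and the layer-3 example. The Switch and Layer3Device classes, the frame representation and the 10.1.1.0/24 and 10.1.3.0/24 subnets are assumptions made for the illustration; the handbook's layer-3 example gives no addresses.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

TPID = 0x8100  # EtherType value that announces an 802.1Q tag


def encode_tag(vlan_id, priority=0):
    """Build the 4-byte 802.1Q tag: TPID, then PCP (3 bits), DEI (1 bit), VID (12 bits)."""
    if not 0 <= vlan_id <= 4094:  # 0 = priority-tagged frame, 4095 = reserved
        raise ValueError("VLAN ID must be 0-4094")
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)
    return struct.pack("!HH", TPID, tci)


def decode_tag(tag):
    """Return (priority, vlan_id) from a 4-byte 802.1Q tag."""
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != TPID:
        raise ValueError("not an 802.1Q tag")
    return (tci >> 13) & 0x7, tci & 0x0FFF


@dataclass
class Switch:
    """Layer-2 switch: access ports carry one untagged VLAN, trunk ports carry tags."""
    access: dict  # port -> VLAN ID
    trunks: set   # ports that carry 802.1Q tags

    def forward(self, in_port, frame):
        """Flood one ingress frame; returns {egress port: frame} (no MAC learning)."""
        if in_port in self.trunks:
            _, vid = decode_tag(frame["tag"])  # tag arrived on the trunk
        else:
            vid = self.access[in_port]         # tag assigned on arrival (step 2)
        out = {}
        for port, port_vid in self.access.items():
            if port != in_port and port_vid == vid:  # same VLAN only (step 3)
                out[port] = {"tag": None, "payload": frame["payload"]}  # tag removed (step 6)
        for port in self.trunks - {in_port}:
            out[port] = {"tag": encode_tag(vid), "payload": frame["payload"]}
        return out


@dataclass
class Subinterface:
    name: str
    port: int      # physical port the VLAN subinterface is added to
    vlan_id: int
    subnet: IPv4Network


@dataclass
class Layer3Device:
    """FortiGate-style layer-3 device: strips the tag, routes, checks policy, retags."""
    subinterfaces: list
    policies: set  # allowed (source interface, destination interface) pairs

    def route(self, in_port, frame):
        _, vid = decode_tag(frame["tag"])
        src = next((s for s in self.subinterfaces if (s.port, s.vlan_id) == (in_port, vid)), None)
        if src is None:
            return {}  # no subinterface with this VLAN ID on this port: frame dropped
        dst_ip = ip_address(frame["payload"]["dst"])
        candidates = [s for s in self.subinterfaces if dst_ip in s.subnet]
        if not candidates:
            return {}  # no route
        dst = max(candidates, key=lambda s: s.subnet.prefixlen)  # longest prefix wins
        if (src.name, dst.name) not in self.policies:
            return {}  # no firewall policy allows it: discarded
        return {dst.port: {"tag": encode_tag(dst.vlan_id), "payload": frame["payload"]}}


# Switch A from Table 91 (ports 1-4 VLAN 100, ports 5-7 VLAN 200, port 8 trunk).
SWITCH_A = Switch(access={1: 100, 2: 100, 3: 100, 4: 100, 5: 200, 6: 200, 7: 200}, trunks={8})


def layer2_example():
    """Steps 1-6 of the layer-2 example: egress ports on switch A, then on switch B."""
    switch_b = Switch(access={4: 100, 5: 100, 6: 200}, trunks={8})
    frame = {"tag": None, "payload": {"dst": "10.0.0.9"}}  # constructed sample frame
    a_out = SWITCH_A.forward(1, frame)
    b_out = switch_b.forward(8, a_out[8])
    return sorted(a_out), sorted(b_out)


def layer3_example(policy_allows=True):
    """Steps 1-5 of the layer-3 example: a VLAN 100 frame retagged to VLAN 300.

    Returns (VLAN ID on the FortiGate egress link, egress ports on switch B);
    (None, []) when the policy discards the frame."""
    fgt = Layer3Device(
        subinterfaces=[Subinterface("VLAN_100", 3, 100, IPv4Network("10.1.1.0/24")),
                       Subinterface("VLAN_300", 1, 300, IPv4Network("10.1.3.0/24"))],
        policies={("VLAN_100", "VLAN_300")} if policy_allows else set())
    switch_b = Switch(access={5: 300}, trunks={1})  # port 1 faces the FortiGate unit
    frame = {"tag": None, "payload": {"dst": "10.1.3.10"}}  # constructed sample frame
    fgt_out = fgt.route(3, SWITCH_A.forward(1, frame)[8])
    if not fgt_out:
        return None, []
    b_out = switch_b.forward(1, fgt_out[1])
    return decode_tag(fgt_out[1]["tag"])[1], sorted(b_out)
```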

VLANs in NAT/Route mode
In NAT/Route mode the FortiGate unit functions as a layer-3 device. In this mode, the unit
controls the flow of packets between VLANs, but can also remove VLAN tags from
incoming VLAN packets. The FortiGate unit can also forward untagged packets to other
networks, such as the Internet.

In NAT/Route mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant
switches or routers. The trunk link transports VLAN-tagged packets between physical subnets
or networks. When you add VLAN sub-interfaces to the FortiGate unit physical interfaces, the
VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate unit
directs packets with VLAN IDs to sub-interfaces with matching IDs.
You can define VLAN sub-interfaces on all FortiGate physical interfaces. However, if
multiple virtual domains are configured on the FortiGate unit, you will have access to only
the physical interfaces on your virtual domain. The FortiGate unit can tag packets leaving
on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a
different VLAN tag to outgoing packets.
Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a
VLAN trunk, and the external interface connects to an Internet router that is not configured
for VLANs. In this configuration the FortiGate unit can apply different policies for traffic on
each VLAN interface connected to the internal interface, which results in less network
traffic and better security.
This section includes:
   • Configuring your FortiGate unit
   • Example VLAN configuration in NAT/Route mode

Configuring your FortiGate unit
In NAT/Route mode, you can access the FortiGate unit's web-based manager (GUI) with a
supported web browser that connects to a FortiGate unit interface. The interface must be
configured for administrative access. Use HTTPS to access the address of the interface.
All FortiGate units have administrative access enabled by default on the default interface.
On the FortiGate-800 the default interface is the internal interface. For the examples
presented in this chapter, the default interface has an address of 192.168.1.99.
For more information, see the Quick Start Guide or the Installation Guide that came with
your FortiGate unit.
Configuring your FortiGate unit for VLANs includes:
   • Adding VLAN subinterfaces
   • Configuring firewall policies and routing

Adding VLAN subinterfaces
A VLAN subinterface, sometimes called a VLAN, is a virtual interface on a physical
interface. The subinterface allows routing of VLAN tagged packets using that physical
interface, but it is separate from any other traffic on the physical interface.
Adding a VLAN subinterface includes configuring the
   • IP address and netmask
   • VLAN ID
   • Physical interface
   • VDOM

Physical interface
The term VLAN subinterface correctly implies the VLAN interface is not a complete
interface by itself. You add a VLAN subinterface to the physical interface that receives
VLAN-tagged packets. The physical interface can belong to a different VDOM than the
VLAN, but it must be connected to a network route that is configured for this VLAN.
Without that route, the VLAN will not be connected to the network, and VLAN traffic will not
be able to access this interface. The traffic on the VLAN is separate from any other traffic
on the physical interface.
When you are working with interfaces on your FortiGate unit, we recommend checking the
Column Settings on the Interface display to make sure the information you need is
displayed. Besides customizing this display, you can also re-order the columns to focus on
the important information for each interface. When working with VLANs, it is useful to
position the VLAN ID column close to the IP address. If you are working with VDOMs,
including the Virtual Domain column as well will help you troubleshoot problems more
quickly. To view the Interface display, go to System > Network.

IP address and netmask
FortiGate unit interfaces cannot have overlapping IP addresses—the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces and to
virtual interfaces such as VLAN subinterfaces. Each VLAN subinterface must be
configured with its own IP address and netmask pair. This rule helps prevent a broadcast
storm or other similar network problems.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the CLI command config system global and set ip-overlap enable to allow IP
address overlap. If you enter this command, multiple VLAN interfaces can have an IP
address that is part of a subnet used by another interface. This command is recommended
for advanced users only.

VLAN ID
The VLAN ID is part of the VLAN tag added to the packets by VLAN switches and routers.
The VLAN ID is a number between 1 and 4094 that allows groups of IP addresses with the
same VLAN ID to be associated together. VLAN ID 0 is used only for high priority frames,
and 4095 is reserved.
All devices along a route must support the VLAN ID of the traffic along that route.
Otherwise, the traffic will be discarded before reaching its destination. For example, if your
computer is part of VLAN_100 and a co-worker on a different floor of your building is also
on the same VLAN_100, you can communicate with each other over VLAN_100, only if all
the switches and routers support VLANs and are configured to pass along VLAN_100
traffic properly. Otherwise, any traffic you send your co-worker will be blocked or not
delivered.

VDOM
If VDOMs are enabled, each VLAN subinterface must belong to a VDOM. This rule also
applies for physical interfaces.
Note: Interface-related CLI commands require a VDOM to be specified, regardless of
whether the FortiGate unit has VDOMs enabled.

VLAN subinterfaces on separate VDOMs cannot communicate directly with each other. In
this situation, the VLAN traffic must exit the FortiGate unit and re-enter the unit again,
passing through firewalls in both directions. This situation is the same for physical
interfaces.
A VLAN subinterface can belong to a different VDOM than the physical interface it is part
of. This is because the traffic on the VLAN is handled separately from the other traffic on
that interface. This is one of the main strengths of VLANs.
The following procedure will add a VLAN subinterface called VLAN_100 to the FortiGate
internal interface with a VLAN ID of 100. It will have an IP address and netmask of
172.100.1.1/255.255.255.0, and allow HTTPS, PING, and TELNET administrative
access. Note that in the CLI, you must enter “set type vlan” before setting the vlanid,
and that the allowaccess protocols are lower case.
To add a VLAN subinterface in NAT/Route mode - web-based manager
1 If << Global appears in the left menu, select it to enter global configuration.
2 Go to System > Network > Interface.
3 Select Create New to add a VLAN subinterface.
4 Enter the following:
   VLAN Name              VLAN_100
   Type                   VLAN
   Interface              internal
   VLAN ID                100
   Addressing Mode        Manual
   IP/Netmask             172.100.1.1/255.255.255.0
   Administrative Access  HTTPS, PING, TELNET

5 Select OK.
To view the new VLAN subinterface, select the expand arrow next to the parent
physical interface (the internal interface). This will expand the display to show all VLAN
subinterfaces on this physical interface. If there is no expand arrow displayed, there
are no subinterfaces configured on that physical interface.
For each VLAN, the list displays the name of the VLAN, and, depending on column
settings, its IP address, the Administrative access you selected for it, the VLAN ID
number, and which VDOM it belongs to if VDOMs are enabled.
To add a VLAN subinterface in NAT/Route mode - CLI
config system interface
    edit VLAN_100
        set interface internal
        set type vlan
        set vlanid 100
        set ip 172.100.1.1 255.255.255.0
        set allowaccess https ping telnet
    next
end
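As an added check (not part of the handbook), the following Python validator applies the rules from "VLAN ID rules", "IP address and netmask", "VLAN ID" and "VDOM" above to a set of subinterface definitions, and renders them as the CLI block of the procedure above with set type vlan placed before set vlanid. The VlanSubinterface class, the function names and the ip_overlap flag are names assumed for this illustration; the sample values come from the VLAN example later in this chapter.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface


@dataclass(frozen=True)
class VlanSubinterface:
    name: str
    interface: str       # physical interface, e.g. "internal"
    vlan_id: int
    ip: str              # "address/netmask" exactly as typed in the CLI
    vdom: str = "root"
    allowaccess: tuple = ("https", "ping")


def check_vlan_config(vlans, physical=None, ip_overlap=False):
    """Return the list of rule violations (an empty list means the configuration is valid).

    vlans: VlanSubinterface objects; physical: {name: "address/netmask"} of the physical
    interfaces; ip_overlap mirrors 'set ip-overlap enable' under 'config system global'.
    """
    problems = []
    seen = {}
    for v in vlans:
        if not 1 <= v.vlan_id <= 4094:
            problems.append(f"{v.name}: VLAN ID {v.vlan_id} is outside 1-4094 "
                            "(0 marks priority frames, 4095 is reserved)")
        key = (v.interface, v.vlan_id)
        if key in seen:  # same ID on the same physical interface is not allowed
            problems.append(f"{v.name}: VLAN ID {v.vlan_id} already used on "
                            f"{v.interface} by {seen[key]}")
        seen.setdefault(key, v.name)
        if not v.vdom:
            problems.append(f"{v.name}: a VDOM must be specified")
    # No two interfaces, physical or VLAN, may have addresses on the same subnet.
    addressed = [(v.name, IPv4Interface(v.ip)) for v in vlans]
    addressed += [(n, IPv4Interface(a)) for n, a in (physical or {}).items()]
    for i, (n1, a1) in enumerate(addressed):
        for n2, a2 in addressed[i + 1:]:
            if a1.network.overlaps(a2.network) and not ip_overlap:
                problems.append(f"{n1} ({a1.network}) overlaps {n2} ({a2.network})")
    return problems


def render_cli(vlans):
    """Emit the 'config system interface' block; 'set type vlan' precedes 'set vlanid'."""
    lines = ["config system interface"]
    for v in vlans:
        lines += [f"    edit {v.name}",
                  f"        set vdom {v.vdom}",
                  f"        set interface {v.interface}",
                  "        set type vlan",
                  f"        set vlanid {v.vlan_id}",
                  "        set mode static",
                  f"        set ip {v.ip.replace('/', ' ')}",
                  f"        set allowaccess {' '.join(v.allowaccess)}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


# The two VLANs of the NAT/Route example in this chapter, both on the internal interface.
EXAMPLE_VLANS = (
    VlanSubinterface("VLAN_100", "internal", 100, "10.1.1.1/255.255.255.0",
                     allowaccess=("https", "ping", "telnet")),
    VlanSubinterface("VLAN_200", "internal", 200, "10.1.2.1/255.255.255.0",
                     allowaccess=("https", "ping", "telnet")),
)
EXAMPLE_PHYSICAL = {"internal": "192.168.110.126/255.255.255.0",
                    "external": "172.16.21.2/255.255.255.0"}
```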

Configuring firewall policies and routing
Once you have created a VLAN subinterface on the FortiGate unit, you need to configure
firewall policies and routing for that VLAN. Without these, the FortiGate unit will not pass
VLAN traffic to its intended destination.
Firewall policies direct traffic through the FortiGate unit between interfaces. Routing
directs traffic across the network.
This section includes the following topics:
   • Configuring firewall policies
   • Configuring routing

Configuring firewall policies
Firewall policies permit communication between the FortiGate unit’s network interfaces
based on source and destination IP addresses. Without firewall policies, traffic will not
pass through the FortiGate unit. Firewall policies also allow you to limit communication at
particular times and limit services to specific protocols. Interfaces that communicate with
the VLAN interface need firewall policies to permit traffic to pass between them and the
VLAN interface.
Each VLAN needs a firewall policy for each of the following connections the VLAN will be
using:
   • from this VLAN to an external network
   • from an external network to this VLAN
   • from this VLAN to another VLAN in the same virtual domain on the FortiGate unit
   • from another VLAN to this VLAN in the same virtual domain on the FortiGate unit.

The packets on each VLAN are subject to antivirus scans and other UTM measures as
they pass through the FortiGate unit.
For more information on firewall policies, see the firewall chapter of the FortiGate
Administration Guide.

Configuring routing
As a minimum, you need to configure a default static route to a gateway with access to an
external network for outbound packets. In more complex cases, you will have to configure
different static or dynamic routes based on packet source and destination addresses.
As with firewalls, you need to configure routes for VLAN traffic. VLANs need routing and a
gateway configured to send and receive packets outside their local subnet just as physical
interfaces do. The type of routing you configure, static or dynamic, will depend on the
routing used by the subnet and interfaces you are connecting to. Dynamic routing can be
routing information protocol (RIP), border gateway protocol (BGP), open shortest path first
(OSPF), or multicast.
If you enable SSH, PING, TELNET, HTTPS and HTTP on the VLAN, you can use those
protocols to troubleshoot your routing and test that it is properly configured. Enabling
logging on the interfaces and using CLI diag commands such as diag sniff packet
<interface_name> can also help locate any possible configuration or hardware issues.
Routing and logging are explained in the FortiGate Administration Guide and the
FortiGate CLI Reference.

Example VLAN configuration in NAT/Route mode
In this example two different internal VLAN networks share one interface on the FortiGate
unit, and share the connection to the Internet.
This configuration could apply to two departments in a single company, or to different
companies. The main point is that the networks can keep their traffic separate while
sharing one FortiGate interface.
This section includes the following topics:
   • Network topology and assumptions
   • General configuration steps
   • Configuring the FortiGate unit
   • Configuring the VLAN switch
   • Testing the configuration

Network topology and assumptions
There are two different internal network VLANs in this example. VLAN_100 is on the
10.1.1.0/255.255.255.0 subnet, and VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet.
These VLANs are connected to a VLAN switch, such as a Cisco Catalyst 2950 switch.
The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk.
The internal interface has an IP address of 192.168.110.126 and is configured with two
VLAN subinterfaces (VLAN_100 and VLAN_200). The external interface has an IP
address of 172.16.21.2 and connects to the Internet. The external interface has no VLAN
subinterfaces on it.
Figure 179 shows the configuration for this example.
Figure 179: FortiGate unit with VLANs in NAT/Route mode
Figure: untagged packets pass between the Internet and the External interface (172.16.21.2); the Internal interface (192.168.110.126) connects over an 802.1Q trunk to port Fa 0/24 of the VLAN switch; the VLAN 100 network (10.1.1.0) is on Fa 0/3 and the VLAN 200 network (10.1.2.0) is on Fa 0/9.

When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN
ID tags and forwards the packets of each VLAN both to local ports and to the FortiGate
unit across the trunk link. The FortiGate unit has policies that allow traffic to flow between
the VLANs, and from the VLANs to the external network.
This section describes how to configure a FortiGate-800 unit and a Cisco Catalyst 2950
switch for this example network topology. The Cisco configuration commands used in this
section are IOS commands.
It is assumed that both the FortiGate-800 and the Cisco 2950 switch are installed and
connected and that basic configuration has been completed. On the switch, you will need
to be able to access the CLI to enter commands. Refer to the manual for your FortiGate
model as well as the manual for the switch you select for more information.
It is also assumed that no VDOMs are enabled.
This section includes the following topics:
   • Configuring the FortiGate unit
   • Configuring the VLAN switch
   • Testing the configuration

General configuration steps
The following steps provide an overview of configuring and testing the hardware used in
this example. For best results in this configuration, follow the procedures in the order
given. Also, note that if you perform any additional actions between procedures, your
configuration may have different results.
1 Configuring the FortiGate unit
   • Configuring the external interface
   • Adding two VLAN subinterfaces to the internal network interface
   • Adding firewall addresses and address ranges for the internal and external
     networks
   • Adding firewall policies to allow:
      • the VLAN networks to access each other
      • the VLAN networks to access the external network.
2 Configuring the VLAN switch
3 Testing the configuration.

Configuring the FortiGate unit
Configuring the FortiGate unit includes:
   • Configuring the external interface
   • Adding VLAN subinterfaces
   • Adding the firewall addresses
   • Adding the firewall policies

Configuring the external interface
The FortiGate unit’s external interface will provide access to the Internet for all internal
networks, including the two VLANs.
To configure the external interface - web-based manager
1 Go to System > Network > Interface.
2 Select Edit for the external interface.
3 Enter the following information and select OK:
   Addressing mode   Manual
   IP/Netmask        172.16.21.2/255.255.255.0

To configure the external interface - CLI
config system interface
    edit external
        set mode static
        set ip 172.16.21.2 255.255.255.0
end

Adding VLAN subinterfaces
This step creates the VLANs on the FortiGate unit internal physical interface. The IP
address of the internal interface does not matter to us, as long as it does not overlap with
the subnets of the VLAN subinterfaces we are configuring on it.
The rest of this example shows how to configure the VLAN behavior on the FortiGate unit,
configure the switches to direct VLAN traffic the same as the FortiGate unit, and test that
the configuration is correct.
Adding VLAN subinterfaces can be completed through the web-based manager, or the
CLI.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
   Name                   VLAN_100
   Interface              internal
   VLAN ID                100
   Addressing mode        Manual
   IP/Netmask             10.1.1.1/255.255.255.0
   Administrative Access  HTTPS, PING, TELNET

4 Select Create New.

5 Enter the following information and select OK:
   Name                   VLAN_200
   Interface              internal
   VLAN ID                200
   Addressing mode        Manual
   IP/Netmask             10.1.2.1/255.255.255.0
   Administrative Access  HTTPS, PING, TELNET

To add VLAN subinterfaces - CLI
config system interface
    edit VLAN_100
        set vdom root
        set interface internal
        set type vlan
        set vlanid 100
        set mode static
        set ip 10.1.1.1 255.255.255.0
        set allowaccess https ping telnet
    next
    edit VLAN_200
        set vdom root
        set interface internal
        set type vlan
        set vlanid 200
        set mode static
        set ip 10.1.2.1 255.255.255.0
        set allowaccess https ping telnet
end

Adding the firewall addresses
You need to define the addresses of the VLAN subnets for use in firewall policies. The
FortiGate unit provides one default address, “all”, that you can use when a firewall policy
applies to all addresses as a source or destination of a packet. However, using “all” is less
secure and should be avoided when possible.
In this example, the “_Net” part of the address name indicates a range of addresses
instead of a unique address. When choosing firewall address names, keep them
informative and unique.
To add the firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
   Address Name       VLAN_100_Net
   Type               Subnet / IP Range
   Subnet / IP Range  10.1.1.0/255.255.255.0

4 Select Create New.

5 Enter the following information and select OK:
   Address Name       VLAN_200_Net
   Type               Subnet / IP Range
   Subnet / IP Range  10.1.2.0/255.255.255.0

To add the firewall addresses - CLI
config firewall address
    edit VLAN_100_Net
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
        set type ipmask
        set subnet 10.1.2.0 255.255.255.0
end

Adding the firewall policies
Once you have assigned addresses to the VLANs, you need to configure firewall policies
for them to allow valid packets to pass from one VLAN to another and to the Internet.
Note: You can customize the Firewall Policy display by including some or all columns, and
customize the column order onscreen. Due to this feature, firewall policy screenshots may
not appear the same as on your screen.

If you do not want to allow all services on a VLAN, you can create a firewall policy for each
service you want to allow. This example allows all services.
To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
   Source Interface/Zone       VLAN_100
   Source Address              VLAN_100_Net
   Destination Interface/Zone  VLAN_200
   Destination Address         VLAN_200_Net
   Schedule                    Always
   Service                     ANY
   Action                      ACCEPT
   Enable NAT                  Enable

4 Select Create New.
5 Enter the following information and select OK:
   Source Interface/Zone       VLAN_200
   Source Address              VLAN_200_Net
   Destination Interface/Zone  VLAN_100
   Destination Address         VLAN_100_Net
   Schedule                    Always
   Service                     ANY
   Action                      ACCEPT
   Enable NAT                  Enable

6 Select Create New.
7 Enter the following information and select OK:
   Source Interface/Zone       VLAN_100
   Source Address              VLAN_100_Net
   Destination Interface/Zone  external
   Destination Address         all
   Schedule                    Always
   Service                     ANY
   Action                      ACCEPT
   Enable NAT                  Enable

8 Select Create New.
9 Enter the following information and select OK:
   Source Interface/Zone       VLAN_200
   Source Address              VLAN_200_Net
   Destination Interface/Zone  external
   Destination Address         all
   Schedule                    Always
   Service                     ANY
   Action                      ACCEPT
   Enable NAT                  Enable

To add the firewall policies - CLI
config firewall policy
    edit 1
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf VLAN_200
        set dstaddr VLAN_200_Net
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 2
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf VLAN_100
        set dstaddr VLAN_100_Net
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 3
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 4
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
end
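As an added example (not from the handbook), this Python audit checks the four policies above against the connections listed under "Configuring firewall policies": whether every required interface pair has an accept policy, whether each address object actually lies on the interface it is paired with, and where the source address "all" or service ANY is used, which the text advises avoiding where possible. The Policy class, the function names and EXAMPLE_CONNECTIONS are assumptions for this illustration; the interface, address and policy values are those of the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    srcaddr: str
    dstintf: str
    dstaddr: str
    service: str = "ANY"
    action: str = "accept"


# Interface, address and policy objects taken from the example above.
INTERFACES = {
    "VLAN_100": IPv4Interface("10.1.1.1/255.255.255.0"),
    "VLAN_200": IPv4Interface("10.1.2.1/255.255.255.0"),
    "external": IPv4Interface("172.16.21.2/255.255.255.0"),
}
ADDRESSES = {
    "VLAN_100_Net": IPv4Network("10.1.1.0/255.255.255.0"),
    "VLAN_200_Net": IPv4Network("10.1.2.0/255.255.255.0"),
}
EXAMPLE_POLICIES = [
    Policy(1, "VLAN_100", "VLAN_100_Net", "VLAN_200", "VLAN_200_Net"),
    Policy(2, "VLAN_200", "VLAN_200_Net", "VLAN_100", "VLAN_100_Net"),
    Policy(3, "VLAN_100", "VLAN_100_Net", "external", "all"),
    Policy(4, "VLAN_200", "VLAN_200_Net", "external", "all"),
]
# Connections the example is meant to allow (assumed list; inbound from external is absent).
EXAMPLE_CONNECTIONS = [("VLAN_100", "VLAN_200"), ("VLAN_200", "VLAN_100"),
                       ("VLAN_100", "external"), ("VLAN_200", "external")]


def _on_interface(addr_name, intf_name, interfaces, addresses):
    """True when the named address object lies inside the named interface's subnet."""
    if addr_name == "all":
        return True
    return addresses[addr_name].subnet_of(interfaces[intf_name].network)


def audit_policies(policies, connections, interfaces=INTERFACES, addresses=ADDRESSES):
    """Return findings as strings; an empty list means nothing to report."""
    findings = []
    accept_pairs = {(p.srcintf, p.dstintf) for p in policies if p.action == "accept"}
    for src, dst in connections:
        if (src, dst) not in accept_pairs:
            findings.append(f"no accept policy from {src} to {dst}")
    for p in policies:
        if p.action != "accept":
            continue
        if not _on_interface(p.srcaddr, p.srcintf, interfaces, addresses):
            findings.append(f"policy {p.policy_id}: {p.srcaddr} is not a subnet on {p.srcintf}")
        if not _on_interface(p.dstaddr, p.dstintf, interfaces, addresses):
            findings.append(f"policy {p.policy_id}: {p.dstaddr} is not a subnet on {p.dstintf}")
        if p.srcaddr == "all":
            findings.append(f"policy {p.policy_id}: source address 'all' (prefer a specific address)")
        if p.service == "ANY":
            findings.append(f"policy {p.policy_id}: service ANY permits every protocol")
    return findings


def audit_example():
    """Audit the four policies of the example against the connections it is meant to allow."""
    return audit_policies(EXAMPLE_POLICIES, EXAMPLE_CONNECTIONS)
```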

Configuring the VLAN switch
On the Cisco Catalyst 2950 VLAN switch, you need to define VLANs 100 and 200 in the
VLAN database, and then add a configuration file to define the VLAN subinterfaces and the
802.1Q trunk interface.
One method to configure a Cisco switch is to connect over a serial connection to the
console port on the switch, and enter the commands at the CLI. Another method is to
designate one interface on the switch as the management interface and use a web
browser to connect to the switch’s graphical interface. For details on connecting and
configuring your Cisco switch, refer to the installation and configuration manuals for the
switch.
The switch used in this example is a Cisco Catalyst 2950 switch. The commands used are
IOS commands. Refer to the switch manual for help with these commands.
To configure the VLAN subinterfaces and the trunk interfaces
Add this file to the Cisco switch:
!
interface FastEthernet0/3
 switchport access vlan 100
!
interface FastEthernet0/9
 switchport access vlan 200
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
The switch has the following configuration:
   Port 0/3    VLAN ID 100
   Port 0/9    VLAN ID 200
   Port 0/24   802.1Q trunk

Note: To complete the setup, configure devices on VLAN_100 and VLAN_200 with default
gateways. The default gateway for VLAN_100 is the FortiGate VLAN_100 subinterface.
The default gateway for VLAN_200 is the FortiGate VLAN_200 subinterface.

Testing the configuration
Use diagnostic commands, such as tracert, to test traffic routed through the FortiGate unit
and the Cisco switch.

Testing traffic from VLAN_100 to VLAN_200
In this example, a route is traced between the two internal networks. The route target is a
host on VLAN_200.
Access a command prompt on a Windows computer on the VLAN_100 network, and enter
the following command:
C:\> tracert 10.1.2.2
Tracing route to 10.1.2.2 over a maximum of 30 hops:
  1    <10 ms    <10 ms    <10 ms  10.1.1.1
  2    <10 ms    <10 ms    <10 ms  10.1.2.2
Trace complete.

Testing traffic from VLAN_200 to the external network
In this example, a route is traced from an internal network to the external network. The
route target is the external network interface of the FortiGate-800 unit.
From VLAN_200, access a command prompt and enter this command:
C:\> tracert 172.16.21.2
Tracing route to 172.16.21.2 over a maximum of 30 hops:
  1    <10 ms    <10 ms    <10 ms  10.1.2.1
  2    <10 ms    <10 ms    <10 ms  172.16.21.2
Trace complete.

VLANs in Transparent mode
In Transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide
services such as antivirus scanning, web filtering, spam filtering and intrusion protection to
traffic. Transparent mode has some limitations: you cannot use SSL VPN, PPTP/L2TP VPN
or the DHCP server, and NAT cannot easily be performed on traffic. These limits also apply
to IEEE 802.1Q VLAN trunks passing through the unit.
This section includes the following topics:
• VLANs and Transparent mode
• Example of VLANs in Transparent mode

VLANs and Transparent mode
You can insert the FortiGate unit operating in Transparent mode into the VLAN trunk
without making changes to your network. In a typical configuration, the FortiGate unit
internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router
connected to internal network VLANs. The FortiGate unit external interface forwards
VLAN-tagged packets through another VLAN trunk to an external VLAN switch or router
and on to external networks such as the Internet. You can configure the unit to apply
different policies for traffic on each VLAN in the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the
same VLAN ID, one to the internal interface and the other to the external interface. You
then create a firewall policy to permit packets to flow from the internal VLAN interface to
the external VLAN interface. If required, you create another firewall policy to permit
packets to flow from the external VLAN interface to the internal VLAN interface. Typically
in Transparent mode, you do not permit packets to move between different VLANs: a
policy from one VLAN's subinterface to another VLAN's subinterface would bridge the two
VLANs and undo the segmentation the trunk provides.
Network protection features, such as spam filtering, web filtering and antivirus scanning,
are applied through the protection profile specified in each firewall policy, enabling very
detailed control over traffic.
When the FortiGate unit receives a VLAN-tagged packet at a physical interface, it directs
the packet to the VLAN subinterface with the matching VLAN ID. The VLAN tag is
removed from the packet, and the FortiGate unit then applies firewall policies using the
same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through
a VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the
packet is sent to the corresponding physical interface. For a configuration example, see
“Example of VLANs in Transparent mode” on page 1256.
There are two essential steps to configure your FortiGate unit to work with VLANs in
Transparent mode:
• Adding VLAN subinterfaces
• Creating firewall policies

You can also configure the protection profiles that manage antivirus scanning, web filtering
and spam filtering. Protection profiles are covered in the FortiGate Administration Guide.
In Transparent mode, you can access the FortiGate web-based manager by connecting to
an interface configured for administrative access and using HTTPS to access the
management IP address. On the FortiGate-800, the model used for examples in this
guide, administrative access is enabled by default on the internal interface and the default
management IP address is 10.10.10.1.

Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the
IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and
4094: VID 0 marks a priority-tagged frame that belongs to no VLAN, and 4095 is reserved.
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
For this example, we are creating a VLAN called internal_v225 on the internal interface,
with a VLAN ID of 225. Administrative access is enabled for HTTPS and SSH. VDOMs are
not enabled.
To add VLAN subinterfaces in Transparent mode - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK.

Name                   internal_v225
Type                   VLAN
Interface              internal
VLAN ID                225
Ping Server            not enabled
Administrative Access  Enable HTTPS and SSH. Both are encrypted management
                       protocols, unlike HTTP and Telnet, which should stay disabled.
Description            VLAN 225 on internal interface

The FortiGate unit adds the new subinterface to the interface that you selected.
Repeat steps 2 and 3 to add additional VLANs. You will need to change the VLAN ID,
Name, and possibly Interface when adding additional VLANs.
To add VLAN subinterfaces in Transparent mode - CLI
config system interface
edit internal_v225
set type vlan
set interface internal
set vlanid 225
set allowaccess https ssh
set description "VLAN 225 on internal interface"
set vdom root
next
end

Creating firewall policies
Firewall policies permit communication between the FortiGate unit’s network interfaces
based on source and destination IP addresses. Optionally, you can limit communication to
particular times and services.
In Transparent mode, the FortiGate unit applies the protection profile of the matching
policy, such as antivirus and antispam scanning, to each VLAN's packets as they pass
through the unit. You need firewall policies to permit packets to pass from the VLAN
interface where they enter the unit to the VLAN interface where they exit the unit. If there
are no firewall policies configured, no packets are allowed to pass from one interface to
another.
To add firewall policies for VLAN subinterfaces - web based manager
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP
addresses of VLAN packets.
3 Go to Firewall > Policy.
4 Select Create New.
5 From the Source Interface/Zone list, select the VLAN interface where packets enter the
unit.
6 From the Destination Interface/Zone list, select the VLAN interface where packets exit
the unit.
7 Select the Source and Destination Address names that you added in step 2.
8 Select Protection Profile, and select the profile from the list.
9 Configure other settings as required.

10 Select OK.
To add firewall policies for VLAN subinterfaces - CLI
config firewall address
edit incoming_VLAN_address
set associated-interface <incoming_VLAN_interface>
set type ipmask
set subnet <IPv4_address_mask>
next
edit outgoing_VLAN_address
set associated-interface <outgoing_VLAN_interface>
set type ipmask
set subnet <IPv4_address_mask>
next
end
config firewall policy
edit <unused_policy_number>
set srcintf <incoming_VLAN_interface>
set srcaddr incoming_VLAN_address
set dstintf <outgoing_VLAN_interface>
set dstaddr outgoing_VLAN_address
set schedule always
set service <protocol_to_allow_on_VLAN>
set action accept
set profile-status enable
set profile <selected_profile>
next
end

Example of VLANs in Transparent mode
In this example, the FortiGate unit is operating in Transparent mode and is configured with
two VLANs—one with an ID of 100 and the other with ID 200. The internal and external
physical interfaces each have two VLAN subinterfaces, one for VLAN_100 and one for
VLAN_200.
This section includes the following topics:
• Network topology and assumptions
• General configuration steps
• Configuring the FortiGate unit
• Configuring the Cisco switch and router
• Testing the configuration

Network topology and assumptions
The network topology for this example is straightforward, with two internal networks
entering the FortiGate unit on one physical interface, and leaving on another physical
interface.
The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the
internal VLAN_200 network is 10.200.0.0/255.255.0.0.

The internal networks are connected to a Cisco 2950 VLAN switch, which combines traffic
from the two VLANs onto one physical interface, the FortiGate unit internal interface. The
VLAN traffic leaves the FortiGate unit on the external network interface, goes on to the
VLAN router, and on to the Internet. When the FortiGate unit receives a tagged packet, it
directs it from the incoming VLAN subinterface to the outgoing VLAN subinterface for that
VLAN.
This section describes how to configure a FortiGate-800 unit, Cisco switch, and Cisco
router in the network topology shown in Figure 180.
Figure 180: VLAN Transparent network topology
[Figure: Internet - VLAN router (10.100.0.1 on VLAN 100, 10.200.0.1 on VLAN 200) -
802.1Q trunk - FortiGate external interface; FortiGate in Transparent mode; FortiGate
internal interface - 802.1Q trunk - VLAN switch port Fa0/24; switch port Fa0/3: VLAN 100,
network 10.100.0.0; switch port Fa0/9: VLAN 200, network 10.200.0.0]

General configuration steps
The following steps summarize the configuration for this example. For best results, follow
the procedures in the order given. Also, note that if you perform any additional actions
between procedures, your configuration may have different results.
1 Configuring the FortiGate unit, which includes
• Adding VLAN subinterfaces
• Adding the firewall policies
2 Configuring the Cisco switch and router
3 Testing the configuration

Configuring the FortiGate unit
The FortiGate unit must be configured with the VLAN subinterfaces and the proper firewall
policies to enable traffic to flow through the FortiGate unit.
This section includes the following topics:
• Adding VLAN subinterfaces
• Adding the firewall policies

Adding VLAN subinterfaces
For each VLAN, you need to create a VLAN subinterface on the internal interface and
another one on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
Name       VLAN_100_int
Interface  internal
VLAN ID    100
4 Select Create New.
5 Enter the following information and select OK:
Name       VLAN_100_ext
Interface  external
VLAN ID    100
6 Select Create New.
7 Enter the following information and select OK:
Name       VLAN_200_int
Interface  internal
VLAN ID    200
8 Select Create New.
9 Enter the following information and select OK:
Name       VLAN_200_ext
Interface  external
VLAN ID    200

To add VLAN subinterfaces - CLI
config system interface
edit VLAN_100_int
set type vlan
set interface internal
set vlanid 100
next
edit VLAN_100_ext
set type vlan
set interface external
set vlanid 100
next
edit VLAN_200_int
set type vlan
set interface internal
set vlanid 200
next
edit VLAN_200_ext
set type vlan
set interface external
set vlanid 200
next
end

Adding the firewall policies
Firewall policies allow packets to travel between the VLAN_100_int interface and the
VLAN_100_ext interface. Two policies are required—one for each direction of traffic. The
same is required between the VLAN_200_int interface and the VLAN_200_ext interface,
for a total of four required firewall policies.
To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source Interface/Zone       VLAN_100_int
Source Address              all
Destination Interface/Zone  VLAN_100_ext
Destination Address         all
Schedule                    Always
Service                     ANY
Action                      ACCEPT
4 Select Create New.
5 Enter the following information and select OK:
Source Interface/Zone       VLAN_100_ext
Source Address              all
Destination Interface/Zone  VLAN_100_int
Destination Address         all
Schedule                    Always
Service                     ANY
Action                      ACCEPT
6 Go to Firewall > Policy.
7 Select Create New.
8 Enter the following information and select OK:
Source Interface/Zone       VLAN_200_int
Source Address              all
Destination Interface/Zone  VLAN_200_ext
Destination Address         all
Schedule                    Always
Service                     ANY
Action                      ACCEPT
9 Select Create New.
10 Enter the following information and select OK:
Source Interface/Zone       VLAN_200_ext
Source Address              all
Destination Interface/Zone  VLAN_200_int
Destination Address         all
Schedule                    Always
Service                     ANY
Action                      ACCEPT

To add the firewall policies - CLI
config firewall policy
edit 1
set srcintf VLAN_100_int
set srcaddr all
set dstintf VLAN_100_ext
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 2
set srcintf VLAN_100_ext
set srcaddr all
set dstintf VLAN_100_int
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 3
set srcintf VLAN_200_int
set srcaddr all
set dstintf VLAN_200_ext
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 4
set srcintf VLAN_200_ext
set srcaddr all
set dstintf VLAN_200_int
set dstaddr all
set action accept
set schedule always
set service ANY
end
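The two steps above (a subinterface pair with the same VLAN ID on the internal and external trunks, then one ACCEPT policy per direction between the two halves of each pair), both as described under "Adding VLAN subinterfaces" and "Creating firewall policies" and as applied in this example, can be generated rather than typed. The following Python generator is an added example, not part of the handbook or of FortiOS: it emits the same FortiOS 4.0 CLI for any list of VLAN IDs, checks the 1..4094 VLAN ID range, refuses duplicate IDs, and refuses to exceed the 255-interfaces-per-VDOM Transparent-mode limit quoted later in this chapter. The VLAN_<id>_int / VLAN_<id>_ext naming follows the example; the assumption that the two trunk ports are the only other interfaces in the VDOM is the example's own.

```python
"""Generator for the two Transparent-mode steps in the handbook: one VLAN
subinterface per VLAN on each physical trunk interface (same VLAN ID on both
sides) and one ACCEPT policy per direction between the two halves of each
pair.  Nothing is generated between different VLANs, so the bridge keeps the
VLAN segmentation.  The 802.1Q VLAN ID range and the per-VDOM interface limit
quoted in the handbook are checked before any CLI is emitted.  Added example,
not FortiOS code."""

from dataclasses import dataclass

# 802.1Q: VID 0 means "priority tag only" and 0xFFF is reserved, so usable
# VLAN IDs are 1..4094.
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094
# Handbook figure for a VDOM in Transparent mode: 255 interfaces of all kinds.
TRANSPARENT_MAX_INTERFACES_PER_VDOM = 255


@dataclass(frozen=True)
class VlanPair:
    vlan_id: int
    inside: str   # subinterface name on the internal trunk
    outside: str  # subinterface name on the external trunk


def plan_vlans(vlan_ids, existing_interfaces=2):
    """Validate the VLAN IDs and return the subinterface pairs to create.

    existing_interfaces is the number of physical and other interfaces already
    in the VDOM (assumed here to be just the two trunk ports)."""
    pairs, seen = [], set()
    for vid in vlan_ids:
        if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
            raise ValueError(f"VLAN ID {vid} is outside {VLAN_ID_MIN}..{VLAN_ID_MAX}")
        if vid in seen:
            raise ValueError(f"VLAN ID {vid} is listed twice")
        seen.add(vid)
        pairs.append(VlanPair(vid, f"VLAN_{vid}_int", f"VLAN_{vid}_ext"))
    total = existing_interfaces + 2 * len(pairs)
    if total > TRANSPARENT_MAX_INTERFACES_PER_VDOM:
        raise ValueError(f"{total} interfaces exceed the Transparent-mode limit of "
                         f"{TRANSPARENT_MAX_INTERFACES_PER_VDOM} per VDOM; use more VDOMs")
    return pairs


def interface_config(pairs, internal="internal", external="external"):
    """'config system interface' block: two subinterfaces per VLAN."""
    lines = ["config system interface"]
    for p in pairs:
        for name, phys in ((p.inside, internal), (p.outside, external)):
            lines += [f"    edit {name}",
                      "        set type vlan",
                      f"        set interface {phys}",
                      f"        set vlanid {p.vlan_id}",
                      "    next"]
    lines.append("end")
    return "\n".join(lines)


def policy_config(pairs, first_policy_id=1, service="ANY"):
    """'config firewall policy' block: one ACCEPT policy per direction for
    each pair and none between different VLANs."""
    lines, pid = ["config firewall policy"], first_policy_id
    for p in pairs:
        for src, dst in ((p.inside, p.outside), (p.outside, p.inside)):
            lines += [f"    edit {pid}",
                      f"        set srcintf {src}",
                      "        set srcaddr all",
                      f"        set dstintf {dst}",
                      "        set dstaddr all",
                      "        set action accept",
                      "        set schedule always",
                      f"        set service {service}",
                      "    next"]
            pid += 1
    lines.append("end")
    return "\n".join(lines)


def policy_flows(config_text):
    """(srcintf, dstintf) of every policy in a generated block, for review:
    each pair should differ only in its _int/_ext suffix."""
    flows, src = [], None
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["set", "srcintf"]:
            src = words[2]
        elif words[:2] == ["set", "dstintf"]:
            flows.append((src, words[2]))
    return flows


if __name__ == "__main__":
    vlan_pairs = plan_vlans([100, 200])   # the two VLANs of this example
    print(interface_config(vlan_pairs))
    print(policy_config(vlan_pairs))
```

Running the script with [100, 200] reproduces the four interfaces and four policies of this example; policy_flows() is there so the output can be checked for cross-VLAN policies before it is pasted into the unit.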

Configuring the Cisco switch and router
This example includes configuration for the Cisco Catalyst 2950 Ethernet switch and for
the Cisco 2620 multiservice router. If you have access to a different VLAN-enabled switch
or VLAN router, you can use them instead; however, their configuration is not included in
this document.
This section includes the following topics:
• Configuring the Cisco switch
• Configuring the Cisco router

Configuring the Cisco switch
On the VLAN switch, you need to define VLAN_100 and VLAN_200 in the VLAN database
and then add a configuration file that assigns the access ports to their VLANs and defines
the 802.1Q trunk interface.
Add this file to the Cisco switch:
interface FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/9
switchport access vlan 200
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:

Port 0/3     VLAN ID 100
Port 0/9     VLAN ID 200
Port 0/24    802.1Q trunk

Configuring the Cisco router
You need to add a configuration file to the Cisco Multiservice 2620 ethernet router. The file
defines the VLAN subinterfaces and the 802.1Q trunk interface on the router. The 802.1Q
trunk is the physical interface on the router.
The IP address for each VLAN on the router is the gateway for that VLAN. For example,
all devices on the internal VLAN_100 network will have 10.100.0.1 as their gateway.
Add this file to the Cisco router:
!
interface FastEthernet0/0
 no shutdown
!
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip address 10.100.0.1 255.255.0.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 200
 ip address 10.200.0.1 255.255.0.0
!
The router has the following configuration:

Port 0/0.1   VLAN ID 100
Port 0/0.2   VLAN ID 200
Port 0/0     802.1Q trunk

Testing the configuration
Use diagnostic network commands such as traceroute (tracert) and ping to test traffic
routed through the network.

Testing traffic from VLAN_100 to VLAN_200
In this example, a route is traced between the two internal networks. The route target is a
host on VLAN_200, 10.200.0.2 in this example. Because the FortiGate unit is a layer-2
bridge in Transparent mode, it does not appear as a hop; the first hop is the router's
VLAN_100 gateway, 10.100.0.1. The Windows traceroute command tracert is used.
From VLAN_100, access a Windows command prompt and enter this command:
C:\> tracert 10.200.0.2
Tracing route to 10.200.0.2 over a maximum of 30 hops:
  1    <10 ms    <10 ms    <10 ms  10.100.0.1
  2    <10 ms    <10 ms    <10 ms  10.200.0.2
Trace complete.

Troubleshooting VLAN problems
Several problems can occur with your VLANs. Because VLAN subinterfaces behave as
interfaces (in NAT/Route mode they have IP addresses of their own), they can have similar
problems with similar solutions, such as ping, traceroute, packet sniffing, and diag debug.
For more information on these basic troubleshooting methods, see "Troubleshooting static
routing" on page 1219.

However, some problems are more specific to VLANs. This chapter provides solutions to
these problems, under the following topics:
• Asymmetric routing
• Layer-2 and ARP traffic
• NetBIOS
• STP forwarding
• Too many VLAN interfaces

Asymmetric routing
You might discover unexpectedly that hosts on some networks are unable to reach certain
other networks. This occurs when request and response packets follow different paths. If
the FortiGate unit recognizes the response packets, but not the requests, it blocks the
packets as invalid. Also, if the FortiGate unit recognizes the same packets repeated on
multiple interfaces, it blocks the session as a potential attack.
This is asymmetric routing. By default, the FortiGate unit blocks packets or drops the
session when this happens. You can configure the FortiGate unit to permit asymmetric
routing by using the following CLI command:
config vdom
edit <vdom_name>
config system settings
set asymroute enable
end
end
If VDOMs are enabled, this command is per VDOM; you must set it for each VDOM that
has the problem.
If this solves your blocked traffic problem, you know that asymmetric routing is the cause.
But allowing asymmetric routing is not the best solution, because it reduces the security of
your network.
For a long-term solution, it is better to change your routing configuration or change how
your FortiGate unit connects to your network. The Asymmetric Routing and Other
FortiGate Layer-2 Installation Issues technical note provides detailed examples of
asymmetric routing situations and possible solutions.
Caution: If you enable asymmetric routing, antivirus and intrusion prevention will not be
effective. The FortiGate unit no longer tracks connections and treats each packet
individually; it becomes a stateless firewall, so a packet that a policy permits is forwarded
whether or not it belongs to a flow the unit has seen.
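What the stateful check actually rejects under asymmetric routing, and what asymroute enable gives up, is easier to see in a small model. The following Python is an added example and not FortiOS code: it reduces session tracking to a 5-tuple plus the two interfaces recorded when the session is created, which is enough to show both effects. The interface names internal, external and dmz, the two policies, and the addresses (a host in the 10.100.0.0 VLAN_100 range used in this chapter plus RFC 5737 documentation networks) are constructed for the example.

```python
"""Model of what the asymroute setting trades away (illustration, not FortiOS
code).  A stateful firewall creates a session from the first packet of a flow
and records the interfaces it came in and went out on; later packets of the
flow are accepted only on those interfaces.  When request and reply take
different paths, the reply arrives on an interface the session does not
expect, or with no session at all, and is dropped as invalid.  Permitting
asymmetric routing removes that check, so a packet belonging to no known flow
is judged by the policy table alone: stateless for such traffic."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str          # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP flags: a bare SYN starts a flow, anything else continues one
    ack: bool = False


@dataclass
class Session:
    orig_in: str          # interface the flow's first packet arrived on
    orig_out: str         # interface the matching policy sent it out through
    packets: int = 1


class StatefulFirewall:
    """policies: list of (srcintf, dstintf, dport or None for ANY); first match wins."""

    def __init__(self, policies, asymroute=False):
        self.policies = policies
        self.asymroute = asymroute
        self.sessions = {}

    @staticmethod
    def _key(p):
        # Order the two endpoints so both directions of a flow share one key.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return a + b if a <= b else b + a

    def _policy_egress(self, p):
        for srcintf, dstintf, dport in self.policies:
            if srcintf == p.ingress and dport in (None, p.dport):
                return dstintf
        return None

    def handle(self, p):
        """Return (verdict, reason); verdict is 'accept' or 'drop'."""
        s = self.sessions.get(self._key(p))
        if s is not None:
            if p.ingress in (s.orig_in, s.orig_out) or self.asymroute:
                s.packets += 1
                return "accept", "existing session"
            return "drop", "reply arrived on an interface the session does not expect"
        flow_start = p.syn and not p.ack
        if not flow_start and not self.asymroute:
            # A reply or mid-flow segment whose request the unit never saw.
            return "drop", "no session for this packet"
        egress = self._policy_egress(p)
        if egress is None:
            return "drop", "no matching policy"
        self.sessions[self._key(p)] = Session(p.ingress, egress)
        if flow_start:
            return "accept", "new session by policy"
        return "accept", "mid-flow packet accepted by policy alone (stateless)"


# Constructed policies for the scenario below (not from the handbook).
POLICIES = [("internal", "external", None),   # internal hosts may go anywhere
            ("external", "internal", 25)]     # only SMTP is allowed in from outside


def scenario(asymroute):
    """Constructed traffic: a client request leaves through 'external' but the
    server's reply comes back through a second uplink on 'dmz' (an asymmetric
    path), and an unsolicited mid-stream segment arrives from outside for port
    25.  Returns the verdict for each packet."""
    fw = StatefulFirewall(POLICIES, asymroute)
    client, server, outsider = "10.100.0.10", "203.0.113.5", "198.51.100.9"
    request = Packet("internal", client, 50000, server, 80, syn=True)
    reply = Packet("dmz", server, 80, client, 50000, syn=True, ack=True)
    unsolicited = Packet("external", outsider, 4444, "10.100.0.25", 25, ack=True)
    return {"request": fw.handle(request)[0],
            "reply_via_dmz": fw.handle(reply)[0],
            "unsolicited_ack": fw.handle(unsolicited)[0]}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"asymroute={'enable' if mode else 'disable'}: {scenario(mode)}")
```

With asymroute disabled the reply on dmz is dropped, which is the symptom described above. With it enabled the reply passes, but so does the unsolicited ACK to port 25: no handshake was ever seen, so there is no flow for antivirus or IPS to inspect, which is the point of the caution.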

Layer-2 and ARP traffic
By default, FortiGate units do not pass layer-2 traffic. If non-IP or tunnelling protocols
such as IPX, PPTP or L2TP are in use on your network, you need to configure your
FortiGate unit interfaces to pass these protocols without blocking. Another type of layer-2
traffic is ARP traffic. For more information on ARP traffic, see "ARP traffic" on page 1264.
You can allow these layer-2 protocols using the CLI command:
config vdom
edit <vdom_name>
config system interface
edit <name_str>
set l2forward enable
end
end
where <name_str> is the name of an interface.
If VDOMs are enabled, this command is per VDOM; you must set it for each VDOM that
has the problem.
If you enable layer-2 traffic, you may experience a problem if packets are allowed to
repeatedly loop through the network. This repeated looping, very similar to a broadcast
storm, happens when you have more than one layer-2 path to a destination—traffic may
overflow and bring your network to a halt. You can break the loop by enabling Spanning
Tree Protocol (STP) on your network’s switches and routers. For more information, see
“STP forwarding” on page 1267.

ARP traffic
Address Resolution Protocol (ARP) packets are vital to communication on a network, and
ARP support is enabled on FortiGate unit interfaces by default. Normally you want ARP
packets to pass through the FortiGate unit, especially if it is sitting between a client and a
server or between a client and a router.
ARP traffic can cause problems, especially in Transparent mode where ARP packets
arriving on one interface are sent to all other interfaces including VLAN subinterfaces.
Some layer-2 switches become unstable when they detect the same MAC address
originating on more than one switch interface or from more than one VLAN. This instability
can occur if the layer-2 switch does not maintain separate MAC address tables for each
VLAN. Unstable switches may reset and cause network traffic to slow down considerably.

Multiple VDOMs solution
By default, physical interfaces are in the root domain. If you do not configure any of your
VLANs in the root VDOM, it will not matter how many interfaces are in the root VDOM.
The multiple VDOMs solution is to configure multiple VDOMs on the FortiGate unit, one
for each VLAN. In this solution, you configure one inbound and one outbound VLAN
interface in each VDOM. ARP packets are not forwarded between VDOMs. This
configuration limits the VLANs in a VDOM and correspondingly reduces the administration
needed per VDOM.
As a result of this configuration, the switches do not receive multiple ARP packets with
duplicate MACs. Instead, the switches receive ARP packets with different VLAN IDs and
different MACs. Your switches are stable.

However, you should not use the multiple VDOMs solution under any of the following
conditions:
• you have more VLANs than licensed VDOMs
• you do not have enough physical interfaces
• your configuration needs VLAN grouping.
Instead, use one of two possible solutions, depending on which operation mode you are
using:
• In NAT/Route mode, you can use the vlanforward CLI command.
• In Transparent mode, you can use the forward-domain CLI command. But you still
need to be careful in some rare configurations.

Vlanforward solution
If you are using NAT/Route mode, the solution is to use the vlanforward CLI command
for the interface in question. By default, this command is enabled and will forward VLAN
traffic to all VLANs on this interface. When disabled, each VLAN on this physical interface
can send traffic only to the same VLAN. There is no "cross-talk" between VLANs, and
ARP packets are forced to take one path along the network, which prevents the multiple
paths problem.
In the following example, vlanforward is disabled on port1. All VLANs configured on
port1 will be separate and will not forward any traffic to each other.
config system interface
edit port1
set vlanforward disable
end

Forward-domain solution
If you are using Transparent mode, the solution is to use the forward-domain CLI
command. This command tags VLAN traffic as belonging to a particular collision group,
and only VLANs tagged as part of that collision group receive that traffic—it is like an
additional set of VLANs. By default, all interfaces and VLANs are part of forward-domain
collision group 0.
The many benefits of this solution include reduced administration, the need for fewer
physical interfaces, and the availability of more flexible network solutions.
In the following example, forward-domain collision group 340 includes VLAN 340 traffic on
port1 and untagged traffic on port2. Forward-domain collision group 341 includes VLAN
341 traffic on port1 and untagged traffic on port3. All other interfaces are part of
forward-domain collision group 0 by default. This configuration separates VLANs 340 and
341 from each other on port1, and prevents the ARP packet problems from before.

Use these CLI commands:
config system interface
edit port2
set forward-domain 340
next
edit port3
set forward-domain 341
next
edit port1-340
set forward-domain 340
set interface port1
set vlanid 340
next
edit port1-341
set forward-domain 341
set interface port1
set vlanid 341
next
end
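The mechanics behind this fix, and behind the tag handling described under "VL ANs and Transparent mode" (tag read and removed on ingress, frame matched to the subinterface with that VLAN ID, tag re-added on the egress subinterface), can be modelled in a few dozen lines. The following Python is an added example, not FortiOS code: it parses and rewrites 802.1Q tags and floods a broadcast ARP request only to the interfaces of the ingress interface's forward domain, first with everything in the default domain 0 and then with the assignment from the CLI block above. It models broadcast flooding only, not firewall policies or MAC learning; the interface names are those from the block above, and the frame contents and source MAC are constructed.

```python
"""Model of what a Transparent-mode FortiGate does with an 802.1Q frame
(illustration, not FortiOS code): the tag is read and stripped on ingress, the
frame is attributed to the VLAN subinterface with that VLAN ID, a broadcast
such as an ARP request is flooded to the other interfaces of the same forward
domain, and the frame is re-tagged with the VLAN ID of any VLAN subinterface
it leaves through.  With everything in forward domain 0 the flood reaches every
other interface, including other VLANs on the same trunk; with the forward
domains from the handbook example it stays inside its own domain."""

import struct

ETH_P_8021Q = 0x8100
ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload).  One 802.1Q tag
    is understood; a priority-only tag (VID 0) counts as untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF          # low 12 bits of the TCI; PCP and DEI are ignored here
    if vid == 0x0FFF:
        raise ValueError("VID 4095 is reserved")
    return dst, src, (vid or None), inner_type, frame[18:]


def strip_tag(frame):
    """Untagged copy of the frame, the form the unit works on internally."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return dst + src + struct.pack("!H", ethertype) + payload


def add_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag carrying vid into an untagged frame."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    dst, src, existing, ethertype, payload = parse_frame(frame)
    if existing is not None:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | vid
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


class TransparentBridge:
    """Interfaces are physical ports (untagged) or VLAN subinterfaces
    (port, VLAN ID); each belongs to one forward domain, 0 by default."""

    def __init__(self):
        self.interfaces = {}  # name -> (port, vid or None, forward_domain)

    def add(self, name, port, vid=None, forward_domain=0):
        self.interfaces[name] = (port, vid, forward_domain)

    def ingress_interface(self, port, vid):
        for name, (p, v, _) in self.interfaces.items():
            if p == port and v == vid:
                return name
        raise LookupError(f"no interface for {port} VLAN {vid}")

    def flood(self, port, frame):
        """{interface name: egress frame} for a broadcast frame arriving on port."""
        dst, _, vid, _, _ = parse_frame(frame)
        if dst != BROADCAST:
            raise ValueError("this model only floods broadcast frames")
        in_name = self.ingress_interface(port, vid)
        domain = self.interfaces[in_name][2]
        inner = strip_tag(frame)
        out = {}
        for name, (_, v, d) in self.interfaces.items():
            if name != in_name and d == domain:
                out[name] = inner if v is None else add_tag(inner, v)
        return out


def arp_request(src_mac):
    """Constructed, untagged ARP request; the ARP body is irrelevant here."""
    return BROADCAST + src_mac + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28


def demo_bridge(with_forward_domains):
    """Handbook example: VLAN 340 and 341 trunked on port1, untagged on port2 and
    port3; port1 itself stays in domain 0 as in the CLI.  Returns {egress
    interface: VLAN ID on the wire or None} for an ARP request that enters
    port1 tagged VLAN 340."""
    b = TransparentBridge()
    fd340, fd341 = (340, 341) if with_forward_domains else (0, 0)
    b.add("port1", "port1")
    b.add("port2", "port2", forward_domain=fd340)
    b.add("port3", "port3", forward_domain=fd341)
    b.add("port1-340", "port1", 340, forward_domain=fd340)
    b.add("port1-341", "port1", 341, forward_domain=fd341)
    frame = add_tag(arp_request(bytes.fromhex("020000000001")), 340)
    return {name: parse_frame(out)[2] for name, out in sorted(b.flood("port1", frame).items())}
```

Without forward domains the ARP request from VLAN 340 leaves port1 again untagged and tagged 341 as well as port2 and port3, so the switch on port1 sees one source MAC on three VLANs, the instability described under "ARP traffic". With the forward domains configured it leaves through port2 only.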
You may experience connection issues with layer-2 traffic, such as ping, if your network
configuration has:
• packets going through the FortiGate unit in Transparent mode more than once
• more than one forwarding domain (such as incoming on one forwarding domain and
outgoing on another)
• IPS and AV enabled.
In releases prior to FortiOS v3.0 MR5, packets could go through IPS and AV checks each
time they passed through the FortiGate unit. In FortiOS v3.0 MR5 this problem was fixed.
Now IPS and AV are applied the first time packets go through the FortiGate unit, but not on
subsequent passes. Applying IPS and AV only to this first pass fixes the layer-2-related
connection issues.
There is a more detailed discussion of this issue in the Asymmetric Routing and Other
FortiGate Layer-2 Installation Issues technical note.

NetBIOS
Computers running Microsoft Windows operating systems that are connected through a
network rely on a WINS server to resolve host names to IP addresses. The hosts
communicate with the WINS server by using the NetBIOS protocol.
To support this type of network, you need to enable the forwarding of NetBIOS requests to
a WINS server. The following example will forward NetBIOS requests on the internal
interface for the WINS server located at an IP address of 192.168.111.222.
config system interface
edit internal
set netbios-forward enable
set wins-ip 192.168.111.222
end
These commands apply only in NAT/Route mode. If VDOMs are enabled, these
commands are per VDOM—you must set them for each VDOM that has the problem.

STP forwarding
The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP is the
IEEE 802.1D protocol that ensures there are no layer-2 loops on the network. Loops are
created when there is more than one path for traffic to take and that traffic is broadcast
back to the original switch. Such a loop floods the network with traffic, reducing available
bandwidth to nothing.
If you use your FortiGate unit in a network topology that relies on STP for network loop
protection, you need to make changes to your FortiGate configuration. Otherwise, STP
does not see the path through the FortiGate unit, treats it as a blocked link, and forwards
the data along another path. By default, your FortiGate unit blocks STP as well as other
non-IP protocol traffic.
Using the CLI, you can enable forwarding of STP and other layer-2 protocols through the
interface. In this example, layer-2 forwarding is enabled on the external interface:
config system interface
edit external
set l2forward enable
set stpforward enable
end
By substituting different commands for stpforward enable, you can also allow non-IP or
tunnelling protocols such as IPX, PPTP or L2TP to be used on the network. For more
information, see "Layer-2 and ARP traffic" on page 1263.

Too many VLAN interfaces
Any virtual domain can have a maximum of 255 interfaces in Transparent mode. This
includes VLANs, other virtual interfaces, and physical interfaces. NAT/Route mode
supports from 255 to 8192 depending on the FortiGate model. This total number of
interfaces includes VLANs, other virtual interfaces, and physical interfaces.
Your FortiGate unit may allow you to configure more interfaces than this. However, if you
configure more than 255 interfaces, your system will become unstable and, over time, will
not work properly. As all interfaces are used, they will overflow the routing table that stores
the interface information, and connections will fail. When you try to add more interfaces,
an error message will state that the maximum limit has already been reached.
If you see this error message, chances are you already have too many VLANs on your
system and your routing has become unstable. To verify, delete a VLAN and try to add it
back. If you have too many, you will not be able to add it back on to the system. In this
case, you will need to remove enough interfaces (including VLANs) so that the total
number of interfaces drops to 255 or less. After doing this, you should also reboot your
FortiGate unit to clean up its memory and buffers, or you will continue to experience
unstable behavior.
To configure more than 255 interfaces on your FortiGate unit in Transparent mode, you
have to configure multiple VDOMs, each with many VLANs. However, if you want to
create more than the default 10 VDOMs (or a maximum of 2550 interfaces), you must buy
a license for additional VDOMs. Only FortiGate models 3000 and higher support more
than 10 VDOMs.
With these extra licenses, you can configure up to 500 VDOMs, with each VDOM
containing up to 255 VLANs in Transparent mode. This is a theoretical maximum of over
127 500 interfaces. However, system resources will quickly get used up before reaching
that theoretical maximum. To achieve the maximum number of VDOMs, you need to have
top-end hardware with the most resources possible.
In NAT/Route mode, if you have a top-end model, the maximum interfaces per VDOM can
be as high as 8192, enough for all the VLANs in your configuration.
Note: Your FortiGate unit has limited resources, such as CPU load and memory, that are
divided between all configured VDOMs. When running 250 or more VDOMs, you cannot
run Unified Threat Management (UTM) features such as proxies, web filtering, or
antivirus—your FortiGate unit can only provide basic firewall functionality.


IPv6
Internet Protocol version 6 (IPv6) is an Internet Layer protocol for packet-switched
internetworks that has been designed to provide several advantages over Internet
Protocol version 4 (IPv4). The Internet Engineering Task Force (IETF) has designated
IPv6 as the successor of IPv4 for general use on the Internet. Both IPv6 and IPv4 define a
network layer protocol (how data is sent from one computer to another over
packet-switched networks), but IPv6 has a vastly larger address space than IPv4: 128-bit
addresses instead of 32-bit.
This section includes:
• IPv6 overview
• FortiGate IPv6 configuration
• Transition from IPv4 to IPv6
• Configuring FortiOS to connect to an IPv6 tunnel provider
• IPv6 Troubleshooting
• Additional IPv6 resources

IPv6 overview
IP version 6 handles issues that were not foreseen decades ago when IPv4 was created:
running out of IP addresses, fair distribution of IP addresses, built-in quality of service
(QoS) features, better multimedia support, and improved handling of fragmentation. A
bigger address space, a larger minimum packet size, and optional extension headers
provide these features with the flexibility to customize them to any needs.
IPv6 has 128-bit addresses compared to IPv4's 32-bit addresses, effectively eliminating
address exhaustion. This very large address space will likely make network address
translation (NAT) a thing of the past, since IPv6 provides far more than a billion IP
addresses for each person on Earth. All hardware and software network components must
support the new address size, an upgrade that may take a while to complete and that
forces IPv6 and IPv4 to work side by side during the transition period. During that time,
FortiOS supports IPv4 and IPv6 equally, so a network can run both while it migrates.
This section includes:
• Differences between IPv6 and IPv4
• IPv6 MTU
• IPv6 address format
• IP address notation
• Netmasks
• Address scopes
• Address types
• IPv6 neighbor discovery

Differences between IPv6 and IPv4
The following list outlines the differences between IPv6 and IPv4.

Larger address space
  IPv4 addresses are 32 bits long while IPv6 addresses are 128 bits long. This
  increase supports 2^128 addresses, or more than ten billion billion billion times
  as many addresses as IPv4 (2^32). IPv6 enables more levels of addressing hierarchy
  and simplifies auto-configuration of IP addresses. The IPv6 addressing scheme
  eliminates the need for Network Address Translation (NAT), which causes networking
  problems due to the end-to-end nature of the Internet, such as hiding multiple
  hosts behind a pool of IP addresses.

Simplified header formats
  The IPv6 header format either drops or makes optional certain IPv4 header fields.
  This limits the bandwidth cost of the IPv6 header: even though IPv6 addresses are
  four times longer than IPv4 addresses, the IPv6 header is only twice the size of
  the IPv4 header.

Improved support for IP header options
  Changes in the way IP header options are encoded allow for more efficient
  forwarding and less stringent limits on the length of options. The changes also
  provide greater flexibility for introducing new options in the future.

Prioritization of packet delivery using flow labeling
  The IPv6 packet header contains a new Flow Label field that allows the sender to
  request special handling, such as “real-time service” or non-default quality of
  service. The Flow Label field replaces the Service Type field in IPv4.

Supported authentication
  IPv6 extensions support authentication, data integrity, and (optional) data
  confidentiality.

IPv6 addresses are assigned to interfaces rather than nodes, thereby recognizing that a
node can have more than one interface, and you can assign more than one IPv6 address
to an interface. In addition, the larger address space in IPv6 addresses allows flexibility in
allocating addresses and routing traffic, and simplifies some aspects of address
assignment and renumbering when changing Internet service providers.
With IPv4, complex Classless Inter-Domain Routing (CIDR) techniques were developed to
make the best use of the small address space. CIDR facilitates routing by allowing blocks
of addresses to be grouped together into a single routing table entry. With IPv4,
renumbering an existing network for a new connectivity provider with different routing
prefixes is a major effort (see RFC 2071, Network Renumbering Overview: Why would I
want it and what is it anyway? and RFC 2072, Router Renumbering Guide). With IPv6,
however, it is possible to renumber an entire network ad hoc by changing the prefix in a
few routers, as the host identifiers are decoupled from the subnet identifiers and the
network provider's routing prefix.
The size of each subnet in IPv6 is 2^64 addresses (64 bits), which is the square of the size
of the entire IPv4 Internet. The actual address space utilized by IPv6 applications will most
likely be small in IPv6, but both network management and routing will be more efficient.

IPv6 MTU
Maximum Transmission Unit (MTU) refers to the size (in bytes) of the largest packet or
frame that a given layer of a communications protocol can pass onwards. A higher MTU
brings higher bandwidth efficiency. IPv6 requires an MTU of at least 1280 bytes. With
encapsulations (for example, tunneling), an MTU of 1500 or more is recommended. For
more information, see RFC-2640, Internationalization of the File Transfer Protocol.


IPv6 address format
The IPv6 address is 128 bits long and consists of eight, 16-bit fields. Each field is
separated by a colon and must contain a hexadecimal number. In Figure 181, an X
represents each field.
The IPv6 address is made up of two logical parts:
• 64-bit (sub)network prefix
• 64-bit host

The (sub)network prefix part contains the site prefix (first three fields, 48 bits) and the
subnet ID (next two fields, 16-bits), for a total of 64-bits. The information contained in
these fields is used for routing IPv6 packets. The (sub)network prefix defines the site
topology to a router by specifying the specific link to which the subnet has been assigned.
The site prefix details the public topology allocated (usually by an Internet Service
Provider, ISP) to your site. The subnet ID details the private topology (or site topology) to a
router that you assign to your site when you configure your IPv6 network.
The host part consists of the interface ID (or token) which is 64-bits in length and must be
unique within the subnet. The length of the interface ID allows for the mapping of existing
48-bit MAC addresses currently used by many local area network (LAN) technologies
such as Ethernet, and the mapping of 64-bit MAC addresses of IEEE 1394 (FireWire) and
other future LAN technologies. The host is either configured automatically from the MAC
address of the interface, or is manually configured.
Figure 181: IPv6 Address Format
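Added example (Python, not from the handbook): how the 64-bit host part is formed from a 48-bit MAC address under stateless autoconfiguration (modified EUI-64, RFC 4291 Appendix A), and how the MAC can be recovered from such an address when matching hosts seen in logs against inventory. The /64 prefix reuses the handbook's 2001:db8:3c4d:0d82 example; the MAC is a constructed value.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface ID derived from a 48-bit MAC.

    The MAC is split in half, 0xFFFE is inserted between the halves, and the
    universal/local bit (bit 1 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address, got %r" % mac)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert the U/L bit: a globally unique MAC maps to '1'
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a 64-bit (sub)network prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration needs a /64 prefix, got /%d" % net.prefixlen)
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None when the interface
    ID lacks the 0xFFFE marker (for example a manually configured host part)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit inversion
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)


if __name__ == "__main__":
    # Constructed sample values: the handbook's prefix and a made-up MAC.
    addr = slaac_address("2001:db8:3c4d:d82::/64", "00:1b:21:ab:cd:ef")
    print(addr)                  # 2001:db8:3c4d:d82:21b:21ff:feab:cdef
    print(mac_from_eui64(addr))  # 00:1b:21:ab:cd:ef
```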

IP address notation
IPv6 addresses are normally written as eight groups of 4 hexadecimal digits each,
separated by a colon, for example:
2001:db8:3c4d:0d82:1725:6a2f:0370:6234
is a valid IPv6 address.
There are several ways to shorten the presentation of an IPv6 address. Most IPv6
addresses do not occupy all of the possible 128 bits. This results in fields that are
“padded” with zeros or contain only zeros. If a 4-digit group is 0000, it may be replaced
with two colons (::), for example:
2001:db8:3c4d:0000:1725:6a2f:0370:6234
is the same IPv6 address as:
2001:db8:3c4d::1725:6a2f:0370:6234
Leading zeroes in a group may be omitted, for example (in the address above):

2001:db8:3c4d::1725:6a2f:370:6234
The double colon (::) must only be used once in an IP address, as multiple occurrences
lead to ambiguity in the address translation.
The following examples of shortened IP address presentations all resolve to the same
address.
19a4:0478:0000:0000:0000:0000:1a57:ac9e
19a4:0478:0000:0000:0000::1a57:ac9e
19a4:478:0:0:0:0:1a57:ac9e
19a4:478:0:0::1a57:ac9e
19a4:478::0:0:1a57:ac9e
19a4:478::1a57:ac9e
All of these address presentations are valid and represent the same address.
For IPv4-compatible or IPv4-mapped IPv6 addresses (see “Address types” on
page 1272), you can enter the IPv4 portion using either hexadecimal or dotted decimal,
but the FortiGate CLI always shows the IPv4 portion in dotted decimal format. For all other
IPv6 addresses, the CLI accepts and displays only hexadecimal.

Netmasks
As with IP addresses, hexadecimal notation replaces the dotted decimal notation of IPv4.
IPv4 Classless Inter-Domain Routing (CIDR) notation can also be used. This notation
appends a slash (“/”) to the IP address, followed by the number of bits in the network
portion of the address.
Table 92: IPv6 address notation
IP Address:       3ffe:ffff:1011:f101:0210:a4ff:fee3:9566
Netmask:          ffff:ffff:ffff:ffff:0000:0000:0000:0000
Network:          3ffe:ffff:1011:f101:0000:0000:0000:0000
CIDR IP/Netmask:  3ffe:ffff:1011:f101:0210:a4ff:fee3:9566/64
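The notation and netmask rules above, as an added Python example that is not part of the handbook: expand() applies the zero-padding and '::' rules (rejecting a second '::'), compress() produces the canonical short form, and netmask()/network_of() derive the Table 92 netmask and network from a CIDR prefix length. Results are cross-checked against Python's ipaddress module; note that the canonical output keeps a single zero group as 0, while the page's "2001:db8:3c4d::1725:..." spelling is still accepted on input.

```python
import ipaddress
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr: str) -> list:
    """Expand an IPv6 address string into its eight 16-bit fields.

    Enforces the page's rules: '::' may appear only once and must stand for
    at least one all-zero group; leading zeros inside a group are optional.
    (A dotted-decimal IPv4 suffix is not handled here.)
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one group: %r" % addr)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return [int(g, 16) for g in groups]


def compress(fields) -> str:
    """Canonical text form (RFC 5952): no leading zeros, and the longest run of
    two or more zero groups (the leftmost one on a tie) replaced by '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if fields[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    groups = ["%x" % f for f in fields]
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def to_int(fields) -> int:
    value = 0
    for f in fields:
        value = (value << 16) | f
    return value


def from_int(value: int) -> list:
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def mask_int(prefixlen: int) -> int:
    if not 0 <= prefixlen <= 128:
        raise ValueError("prefix length must be 0..128")
    return ((1 << prefixlen) - 1) << (128 - prefixlen)


def netmask(prefixlen: int) -> str:
    """Netmask in hexadecimal notation, e.g. 64 -> ffff:ffff:ffff:ffff::"""
    return compress(from_int(mask_int(prefixlen)))


def network_of(addr: str, prefixlen: int) -> str:
    """Network part of addr (address AND netmask), as in Table 92."""
    return compress(from_int(to_int(expand(addr)) & mask_int(prefixlen)))


def canonical(addr: str) -> str:
    """expand + compress, cross-checked against the standard library."""
    text = compress(expand(addr))
    assert text == str(ipaddress.IPv6Address(addr)), "mismatch for %r" % addr
    return text


if __name__ == "__main__":
    # Constructed input: the handbook's equivalent spellings and the Table 92 address.
    for form in ("19a4:0478:0000:0000:0000:0000:1a57:ac9e", "19a4:478:0:0::1a57:ac9e",
                 "19a4:478::0:0:1a57:ac9e", "19a4:478::1a57:ac9e"):
        print("%-40s -> %s" % (form, canonical(form)))
    print(netmask(64), network_of("3ffe:ffff:1011:f101:0210:a4ff:fee3:9566", 64))
```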

Address scopes
Address scopes define the region where an address may be defined as a unique identifier
of an interface. The regions are: local link (link-local), site network (site-local), and global
network. Each IPv6 address can only belong to one zone that corresponds to its scope.

Address types
IPv6 addresses are classified into three groups - Unicast, Multicast, and Anycast.

Unicast
Identifies an interface of an individual node. Packets sent to a unicast address are sent to
that specific interface. Unicast IPv6 addresses can have a scope reflected in more specific
address names - global unicast address, link-local address, and unique local unicast
address. For more information, see “Global (Unicast)” on page 1274, “Link-local (Unicast)”
on page 1274, and “Site-local (Unicast)” on page 1274.


Multicast
Assigned to a group of interfaces that typically belong to different nodes. A packet that is
sent to a multicast address is delivered to all interfaces identified by the address. Multicast
addresses begin with a first octet in which every bit is one (1). The four least significant
bits of the second address octet identify the address scope, the span over which the
multicast address is propagated. IPv6 multicast addresses have functionally replaced IPv4
broadcast addresses.

Anycast
Assigned to a group of interfaces usually belonging to different nodes. A packet sent to an
anycast address is delivered to just one of the member interfaces, typically the ‘nearest’
according to the routing protocols’ choice of distance. Anycast addresses cannot be
identified easily, as their structure is the same as that of a normal unicast address; they
differ only by being injected into the routing protocol at multiple points in the network.
When a unicast address is assigned to more than one interface (making it an anycast
address), the address assigned to the nodes must be configured in such a way as to
indicate that it is an anycast address.
Interfaces configured for IPv6 must have at least one link-local unicast address and
additional ones for site-local or global addressing. Link-local addresses are often used in
network address autoconfiguration where no external source of network addressing
information is available.

Special addresses
The following are IPv6 special addresses:
• Unspecified
• Loopback

For more information about IPv6 addresses, see RFC 3513, Internet Protocol version 6
(IPv6) Addressing Architecture.


Table 93: IPv6 addresses with prefix information

Unspecified
  Prefix/prefix length: ::/128
  Indicates the absence of an address, so it must never be assigned to any node.
  Must not be used as the source address of an IPv6 router, as the destination
  address of IPv6 packets, or in IPv6 routing headers.
  Equivalent to 0.0.0.0 in IPv4.

Loopback
  Prefix/prefix length: ::1/128
  Used by a node to send an IPv6 packet to itself. Seen as the link-local unicast
  address of a virtual interface (loopback interface) to an imaginary link that
  goes nowhere. Must never be assigned to a physical interface, or used as the
  source address of IPv6 packets that are sent outside of the single node. An IPv6
  packet with the loopback destination address should not be sent outside a single
  node, and must never be forwarded by an IPv6 router.
  Equivalent to 127.0.0.1 in IPv4.

IPv4-compatible
  Prefix/prefix length: ::/96
  Lowest 32 bits can be in IPv6 hexadecimal or IPv4 dotted decimal format.

IPv4-mapped
  Prefix/prefix length: ::FFFF/96
  Lowest 32 bits can be in IPv6 hexadecimal or IPv4 dotted decimal format.

6to4
  Prefix/prefix length: 2002::/16
  Used for communication between two nodes running both IPv4 and IPv6 over the
  Internet. Formed by combining the IPv6 prefix with the 32 bits of the public IPv4
  address of the node, creating a 48-bit address prefix.

Multicast
  Prefix/prefix length: ::FF00/8
  For more information, see “Multicast” on page 1273.

Anycast
  Prefix/prefix length: all prefixes except those listed above
  For more information, see “Anycast” on page 1273.

Link-local (Unicast)
  Prefix/prefix length: FE80::/10
  Used for addressing on a single link for automatic address configuration, neighbor
  discovery, or when no routers are present. Routers must not forward packets with
  link-local source or destination addresses.

Site-local (Unicast)
  Prefix/prefix length: FEC0::/10
  Used for addressing inside of a site without needing a global prefix. Routers must
  not forward packets with site-local source or destination addresses outside of
  the site.

Global (Unicast)
  Prefix/prefix length: all other prefixes
  Equivalent to public IPv4 addresses. Globally routable and reachable on the IPv6
  internet. Addresses are designed to be summarized or aggregated to create an
  efficient router infrastructure.
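Table 93 as a lookup, in an added Python example that is not part of the handbook: classify() names the address type from the prefix (the most specific entries are tested first, since :: and ::1 also lie inside ::/96), multicast_scope() reads the scope bits described under "Multicast", embedded_ipv4() shows the IPv4 portion of a compatible or mapped address in dotted decimal as the FortiGate CLI does, and allowed_across_site_border() applies the table's forwarding rules for link-local, site-local and special addresses. The IPv4-mapped and multicast prefixes are written in their standard RFC 4291 spelling; sample addresses are constructed.

```python
import ipaddress

# Prefixes from Table 93. Order matters: the most specific entries come first.
TABLE_93 = [
    ("Unspecified",          ipaddress.IPv6Network("::/128")),
    ("Loopback",             ipaddress.IPv6Network("::1/128")),
    ("IPv4-mapped",          ipaddress.IPv6Network("::ffff:0:0/96")),
    ("IPv4-compatible",      ipaddress.IPv6Network("::/96")),
    ("6to4",                 ipaddress.IPv6Network("2002::/16")),
    ("Multicast",            ipaddress.IPv6Network("ff00::/8")),
    ("Link-local (Unicast)", ipaddress.IPv6Network("fe80::/10")),
    ("Site-local (Unicast)", ipaddress.IPv6Network("fec0::/10")),
]

# Multicast scope values carried in the low four bits of the second octet (RFC 4291).
MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def classify(text: str) -> str:
    """Name the Table 93 address type of an address.

    Anycast addresses cannot be told apart from unicast by their bits, so they
    are reported as the unicast range they fall into."""
    addr = ipaddress.IPv6Address(text)
    for name, network in TABLE_93:
        if addr in network:
            return name
    return "Global (Unicast)"  # Table 93: "all other prefixes"


def multicast_scope(text: str) -> str:
    addr = ipaddress.IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast address" % addr)
    scope = addr.packed[1] & 0x0F
    return MULTICAST_SCOPES.get(scope, "reserved/unassigned (0x%x)" % scope)


def embedded_ipv4(text: str) -> str:
    """Dotted-decimal form of the low 32 bits of an IPv4-compatible or
    IPv4-mapped address, which is how the FortiGate CLI displays them."""
    kind = classify(text)
    if kind not in ("IPv4-compatible", "IPv4-mapped"):
        raise ValueError("%s (%s) does not embed an IPv4 address" % (text, kind))
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(text)) & 0xFFFFFFFF))


def allowed_across_site_border(text: str) -> bool:
    """Table 93 forwarding rules: unspecified, loopback, link-local and site-local
    addresses must not leave the node, link or site; multicast is bounded by its scope."""
    kind = classify(text)
    if kind in ("Unspecified", "Loopback", "Link-local (Unicast)", "Site-local (Unicast)"):
        return False
    if kind == "Multicast":
        return multicast_scope(text) in ("organization-local", "global")
    return True


if __name__ == "__main__":
    # Constructed sample addresses, one per table row.
    for sample in ("::", "::1", "::192.0.2.1", "::ffff:192.0.2.1", "2002:c000:201::1",
                   "ff02::1", "fe80::21b:21ff:feab:cdef", "fec0:0:0:4::1", "2001:db8::1"):
        print("%-26s %-22s forwardable off-site: %s"
              % (sample, classify(sample), allowed_across_site_border(sample)))
```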

IPv6 neighbor discovery
IPv6 Neighbor Discovery (ND) is a set of messages and processes that determine
relationships between neighboring nodes. Neighboring nodes are on the same link. The
IPv6 ND protocol replaces the IPv4 protocols Address Resolution Protocol (ARP), Internet
Control Message Protocol (ICMPv4), Router Discovery (RDISC), and ICMP Redirect, and
provides additional functionality. The IPv6 ND protocol facilitates the autoconfiguration of
IPv6 addresses. Autoconfiguration is the ability of an IPv6 host to automatically generate
its own IPv6 address, making address administration easier and less time-consuming.


Hosts use ND to:
• discover addresses, address prefixes, and other configuration parameters
• discover neighboring routers.
Routers use ND to:
• advertise their presence, host configuration parameters, and on-link prefixes
• inform hosts of a ‘better’ next-hop address to forward packets for a specified destination.
Nodes use ND to:
• resolve the link-layer address of a neighboring node to which an IPv6 packet is being
  forwarded, and determine whether the link-layer address of a neighboring node has
  altered
• determine whether IPv6 packets can be sent to and received from a neighbor
• automatically configure IPv6 addresses for their interfaces.

To facilitate neighbor discovery, routers periodically send messages advertising their
availability. This communication includes lists of the address prefixes for destinations
available on each router’s interfaces.
ND defines five different Internet Control Message Protocol (ICMP) packet types: a pair of
Neighbor Solicitation and Neighbor Advertisement messages, a pair of Router Solicitation
and Router Advertisement messages, and a Redirect message.
A Neighbor Solicitation is sent by a node to determine the link-layer address of a neighbor,
or to verify that a neighbor is still reachable via a cached link-layer address. It is also used
for Duplicate Address Detection (how a node determines that an address it wants to use is
not already in use by another node). The Neighbor Advertisement message is a response
to a Neighbor Solicitation message. A node may also announce a link-layer address
change by sending unsolicited Neighbor Advertisements.
A host may send a Router Solicitation when an interface becomes enabled, requesting
routers to generate a Router Advertisement immediately rather than at their next
scheduled time.
Routers advertise their presence together with various link and Internet parameters
according to a specific schedule or in response to a Router Solicitation message. A Router
Advertisement contains prefixes used for on-link determination and/or address
configuration, a suggested hop limit value, etc.
The Redirect message is used by routers to inform hosts of a better first-hop for a
destination.
For more information, see RFC 2461, Neighbor Discovery for IP Version 6 (IPv6).
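The Neighbor Solicitation exchange described above, as an added Python example that is not from the handbook: it derives the solicited-node multicast group an NS is addressed to, builds the Duplicate Address Detection probe (source ::, no link-layer option) with a correct ICMPv6 checksum, and parses the five ND message types back, rejecting bad checksums, truncated messages, zero-length options and DAD probes that carry a source link-layer address. The target address and MAC are constructed sample values.

```python
import ipaddress
import struct

# ICMPv6 message types used by Neighbor Discovery (RFC 2461)
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
            137: "Redirect"}
OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR = 1, 2
ICMPV6_NEXT_HEADER = 58


def solicited_node_multicast(target: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header plus the message.
    Run over a message whose checksum field is already filled in, it yields 0."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), ICMPV6_NEXT_HEADER))
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_solicitation(target: str, src: str = "::", src_mac: str = None):
    """Return (dst, message). With src='::' and no MAC option this is the
    Duplicate Address Detection probe for a tentative address."""
    dst = solicited_node_multicast(target)
    msg = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if src_mac is not None:  # option type 1, length 1 (8 bytes) for an Ethernet MAC
        msg += bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    checksum = icmpv6_checksum(src, dst, msg)
    return dst, msg[:2] + struct.pack("!H", checksum) + msg[4:]


def parse_nd_message(src: str, dst: str, msg: bytes) -> dict:
    """Decode one ND message, verifying the checksum, fixed-field lengths, option
    lengths, and that a DAD probe from :: carries no source link-layer address."""
    if len(msg) < 8:
        raise ValueError("ICMPv6 message shorter than 8 bytes")
    kind = ND_TYPES.get(msg[0])
    if kind is None:
        raise ValueError("ICMPv6 type %d is not a Neighbor Discovery message" % msg[0])
    if icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    out = {"type": kind, "options": {}}
    if msg[0] in (135, 136):                     # NS / NA: reserved(4) + target(16)
        if len(msg) < 24:
            raise ValueError("truncated %s" % kind)
        out["target"] = str(ipaddress.IPv6Address(msg[8:24]))
        if msg[0] == 136:
            out["router"] = bool(msg[4] & 0x80)
            out["solicited"] = bool(msg[4] & 0x40)
            out["override"] = bool(msg[4] & 0x20)
        rest = msg[24:]
    elif msg[0] == 134:                          # RA: hop limit, flags, lifetimes
        if len(msg) < 16:
            raise ValueError("truncated Router Advertisement")
        (out["hop_limit"], flags, out["router_lifetime"],
         out["reachable_time"], out["retrans_timer"]) = struct.unpack("!BBHII", msg[4:16])
        out["managed"], out["other"] = bool(flags & 0x80), bool(flags & 0x40)
        rest = msg[16:]
    elif msg[0] == 137:                          # Redirect: target(16) + destination(16)
        if len(msg) < 40:
            raise ValueError("truncated Redirect")
        out["target"] = str(ipaddress.IPv6Address(msg[8:24]))
        out["destination"] = str(ipaddress.IPv6Address(msg[24:40]))
        rest = msg[40:]
    else:                                        # RS: reserved(4) only
        rest = msg[8:]
    while rest:  # TLV options; length is in units of 8 bytes and 0 is invalid
        if len(rest) < 2 or rest[1] == 0 or rest[1] * 8 > len(rest):
            raise ValueError("malformed ND option (zero length or past end of message)")
        length = rest[1] * 8
        if rest[0] in (OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR) and length == 8:
            key = "source_lladdr" if rest[0] == OPT_SOURCE_LLADDR else "target_lladdr"
            out["options"][key] = ":".join("%02x" % b for b in rest[2:8])
        rest = rest[length:]
    out["dad_probe"] = (kind == "Neighbor Solicitation"
                        and ipaddress.IPv6Address(src) == ipaddress.IPv6Address("::"))
    if out["dad_probe"] and "source_lladdr" in out["options"]:
        raise ValueError("DAD probe from :: must not carry a source link-layer address")
    return out


if __name__ == "__main__":
    # Constructed sample: a node probing a tentative address before using it.
    dst, msg = build_neighbor_solicitation("2001:db8:3c4d:d82:21b:21ff:feab:cdef")
    print("NS to", dst, "->", parse_nd_message("::", dst, msg))
```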

FortiGate IPv6 configuration
FortiGate units support both IPv4 and IPv6 using a dual stack architecture. Dual stack
means that there is complete support for both protocols simultaneously.
Before configuring IPv6 using the web-based manager, you must first turn on IPv6 display.
Once enabled, network address fields will have the option of being either IPv4 or IPv6, or
both will be displayed.
To enable IPv6 display in the web-based manager
1 If VDOMs are enabled, go to the Current VDOM display on the lower left and select
Global.


2 Go to System > Admin > Settings.
3 Under Display Settings, enable IPv6 Support on GUI.
Configuring IPv6 on FortiGate units includes:
• Configuring IPv6 interfaces
• Configuring IPv6 routing
• Configuring IPv6 firewall policies
• Configuring IPv6 over IPv4 tunneling
• Configuring IPv6 IPSec VPNs

Configuring IPv6 interfaces
The dual stack architecture is most obvious when configuring IPv6 on interfaces on your
FortiGate unit.

IPv6 interfaces - web-based manager
In the Addressing mode section of the Create New or Edit screen, there are two fields
instead of just one. Without IPv6 enabled, there is only the IP/Netmask field for IPv4
addresses. With IPv6 enabled, there is an additional field called IPv6 Address.
With both addresses configured for an interface, that interface will accept both IPv4 and
IPv6 traffic. Each protocol will be handled differently, depending on the firewall policies
and routing in place for it. This allows traffic from IPv6 to be sent to other IPv6 devices,
and IPv4 traffic to be sent only to other IPv4 devices. This separation of the traffic is
required because if IPv6 traffic is sent to devices that don’t support it, that traffic will not
reach its destination.
Once the IPv6 address is configured, you need to set IPv6 Administrative Access.
Otherwise you will not have administrative access over this interface if you are using IPv6
to connect.

IPv6 interfaces - CLI
In the CLI, there are a number of IPv6 specific interface settings. These are found as part
of the config system interface command under config ipv6.
In the CLI there are many more settings available, although many are optional. The
settings that are required or recommended are bolded.
config system interface
    edit <interface_string>
        config ipv6
            set ip6-address <ipv6_addr>
            set ip6-allowaccess <http https ping ssh telnet>
            set ip6-link-mtu <bytes_int>
            set ip6-send-adv <enable | disable>
            set autoconf <enable | disable>
            set ip6-default-life <seconds_int>
            set ip6-hop-limit <count_int>
            set ip6-manage-flag <enable | disable>
            set ip6-max-interval <integer>
            set ip6-min-interval <integer>
            set ip6-other-flag <enable | disable>
            set ip6-reachable-time <integer>
            set ip6-retrans-time <integer>
            config ip6-extra-addr
                edit <ipv6_addr>
                end
            config ip6-prefix-list
                set autonomous-flag <enable | disable>
                set onlink-flag <enable | disable>
                set preferred-life-time <integer>
                set valid-life-time <integer>
            end
        end
    next
end
config ipv6
ip6-address <ipv6_addr>
  Assigns an IPv6 address to this interface.
  This field is required for IPv6 configuration.

ip6-allowaccess <http https ping ssh telnet>
  Assigns administrative access types to this IPv6 interface.
  If no access types are defined, administrator accounts cannot access
  the FortiGate unit through this IPv6 address.
  Note: Http, ping, and telnet are unsecure and should only be used if
  required. Otherwise disable them for higher security.

ip6-link-mtu <bytes_int>
  Specify the Maximum Transmission Unit (MTU) size for IPv6 traffic
  on this interface. The minimum MTU for IPv6 is 1280 bytes, much
  larger than the IPv4 minimum of 576.
  Set ip6-link-mtu to the smallest IPv6 packet size supported along
  the route the packet will travel. Larger MTUs are more efficient.

ip6-send-adv <enable | disable>
  Sets the FortiGate unit to advertise its router capabilities automatically, so that
  “Stateless Autoconfiguration” of LAN clients, such as OSX, will work.

For more information on any commands not explained here, see the corresponding
command in the FortiGate CLI Reference.

Configuring IPv6 routing
IPv6 routing is supported in both static and dynamic routing. The main difference from a
configuration point of view is the difference in addresses.
This section includes:
• Static routing
• Dynamic routing

Static routing
Static routing for IPv6 is essentially the same as with IPv4. From a configuration point of
view, the only difference is the type of addresses used.
When both IPv4 and IPv6 static routes are configured, they are displayed under two
separate headings on the static routing page - Route and IPv6 Route. Use the arrows next
to each heading to expand or minimize that list of routes.

IPv6 static routing - web-based manager
To configure IPv6 static routes
1 If VDOMs are enabled, enter the VDOM.


2 Go to Router > Static.
3 Select arrow to expand Create New menu.
4 Select IPv6 Route.
5 Enter Destination IP/Mask, Device, Gateway, Distance, and Priority as with normal
static routing using IPv6 addresses.
6 Select OK.

IPv6 static routing - CLI
config vdom
    edit <vdom_name>
        config router static6
            edit 1
                set dst <ipv6_addr>
                set gateway <ipv6_addr>
                set device <interface>
                set priority <integer>
            next
        end
    end

Dynamic routing
As with static routing, the dynamic routing protocols all have IPv6 versions. Both IPv4 and
IPv6 dynamic routing can be running at the same time due to the dual stack architecture of
the FortiGate unit.
IPv6 dynamic routing must be configured using CLI commands.
Table 94: Dynamic routing protocols, IPv6 versions, CLI command, and RFCs

RIP
  IPv6 version: RIP next generation (RIPng)
  CLI command: config router ripng
  IPv6 RFC: RFC 2080

BGP
  IPv6 version: BGP4+
  CLI command: config router bgp (all parts of bgp that include IP addresses
  have IPv4 and IPv6 versions)
  IPv6 RFC: RFC 2545 and RFC 2858

OSPF
  IPv6 version: OSPFv3
  CLI command: config router ospf6
  IPv6 RFC: RFC 2740

For more information on dynamic routing and IPv6, see the corresponding command in
the FortiGate CLI Reference.

Configuring IPv6 firewall policies
Maintaining security for both types of traffic will be crucial to the success of IPv6 and
mixed networks. Malware and network threats are independent of IPv4 or IPv6, so it is
critical that IPv6 solutions provide the same level of security as IPv4 solutions.
Using IPv6 firewall policies, FortiOS provides full UTM protection for IPv6 traffic. All
antivirus, intrusion protection (IPS), web filtering, FortiGuard Web Filtering, email filtering,
FortiGuard Email Filtering, data leak prevention (DLP), application control, and VoIP
protection features can be enabled in IPv6 firewall policies using normal FortiOS UTM
profiles for each UTM feature. This protection is transparent to IPv6 Users.


Full UTM support for IPv6 makes the transitional mixed network phase easier, because
the level of security of transitional networks is extended to both IP protocols. Future
releases of FortiOS will extend IPv6 support even further.
Auto detect Protocol (Value 0) in the Protocol Options does not work well when used in an
IPv6 Firewall Policy.
For Proxy features such as URL-Filtering, AntiVirus, Data-Leak-Prevention or File filter
you must specify a Port for HTTP in Protocol Options.
To make IPS and Application-Control work you have to create a separate Interface Policy
through the CLI.
config firewall interface-policy6
    edit 1
        set interface port2
        set srcaddr6 all
        set dstaddr6 all
        set service6 ANY
        set application-list-status enable
        set application-list monitor-all
        set ips-sensor-status enable
        set ips-sensor all_default
    next
end
Note: srcaddr6, dstaddr6, application-list, and ips-sensor each has to refer to a configured object.
The objects used in the above example are all default values.

Configuring IPv6 over IPv4 tunneling
IPv6 over IPv4 tunneling can only be configured in the CLI using the sit-tunnel command.
When you configure an IPv6-over-IPv4 tunnel, you are creating a virtual interface that can
be used in configurations just like any other virtual interface such as VLANs.
The name of the command sit-tunnel comes from Simple Internet Transition (SIT)
tunneling. For the period while IPv6 hosts and routers co-exist with IPv4, a number of
transition mechanisms are needed to enable IPv6-only hosts to reach IPv4 services and to
allow isolated IPv6 hosts and networks to reach the IPv6 Internet over the IPv4
infrastructure.
These techniques, collectively called Simple Internet Transition, include:
• dual-stack IP implementations for interoperating hosts and routers
• embedding IPv4 addresses in IPv6 addresses
• IPv6-over-IPv4 tunneling mechanisms
• IPv4/IPv6 header translation

The syntax for the IPv6 over IPv4 tunneling CLI command is:
config system sit-tunnel
    edit <name_string>
        set destination <ipv4_addr>
        set interface <interface_string>
        set ip6 <ipv6_addr>
        set source <ipv4_addr>
    next
end


<name_string>
  This will be the name of the tunnel, and will appear in the network interface
  list. It should be descriptive, such as my_ip6_tunnel. The maximum length
  allowed is 15 characters.

destination <ipv4_addr>
  This is the tunnel broker’s IPv4 server address. It is one of the two ends of
  the tunnel.

interface <interface_string>
  This is the interface the tunnel piggybacks on. Generally this should be the
  external interface of the FortiGate unit. This setting is optional if you don’t
  have a fixed IP address from your ISP.

ip6 <ipv6_addr>
  This is the FortiGate unit end of the tunnel. It is just like any other
  FortiGate unit interface address.

source <ipv4_addr>
  If this address is DHCP-based, it will change. In that case you should ensure
  the netmask covers the possible range of addresses. It is possible to use
  0.0.0.0 to cover all possible addresses if you have a DDNS or PPPoE connection
  where the address changes.

Once the IPv6-to-IPv4 tunnel is configured, you need to enable some extra settings on the
interface.

Configuring IPv6 IPSec VPNs
The FortiGate unit supports route-based IPv6 IPsec, but not policy-based.
Where both the gateways and the protected networks use IPv6 addresses, sometimes
called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You
can combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:
IPv4 over IPv6
  The VPN gateways have IPv6 addresses. The protected networks have IPv4
  addresses. The phase 2 configurations at either end use IPv4 selectors.

IPv6 over IPv4
  The VPN gateways have IPv4 addresses. The protected networks use IPv6
  addresses. The phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:
• Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
  This is because FortiOS 3.0 does not support IPv6 DNS.
• You cannot use RSA certificates in which the common name (cn) is a domain name
  that resolves to an IPv6 address. This is because FortiOS 3.0 does not support IPv6
  DNS.
• DHCP over IPsec is not supported, because FortiOS 3.0 does not support IPv6 DHCP.
• Selectors cannot be firewall address names. Only IP address, address range and
  subnet are supported.
• Redundant IPv6 tunnels are not supported.

Certificates
On a VPN with IPv6 phase 1 configuration, you can authenticate using VPN certificates in
which the common name (cn) is an IPv6 address. The cn-type keyword of the user
peer command has an option, ipv6, to support this.


Configuring IPv6 IPsec VPNs
Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-based
VPN: phase 1 settings, phase 2 settings, firewall policies and routing.
To access IPv6 functionality through the web-based manager, go to System > Admin >
Settings and enable IPv6 Support on GUI.

Phase 1 configuration
In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings.
Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote
gateway.
In the CLI, you define an IPsec phase 1 configuration as IPv6 by setting ip-version
to 6. Its default value is 4. Then, the local-gw and remote-gw keywords are hidden
and the corresponding local-gw6 and remote-gw6 keywords are available. The values
for local-gw6 and remote-gw6 must be IPv6 addresses. For example:
config vpn ipsec phase1-interface
    edit tunnel6
        set ip-version 6
        set remote-gw6 0:123:4567::1234
        set interface port3
        set proposal 3des-md5
    end

Phase 2 configuration
To create an IPv6 IPsec phase 2 configuration in the web-based manager, you need to
define IPv6 selectors in the Advanced settings. Change the default “0.0.0.0/0” address for
Source address and Destination address to the IPv6 value “::/0”. If needed, enter specific
IPv6 addresses, address ranges or subnet addresses in these fields.
In the CLI, set src-addr-type and dst-addr-type to ip6, range6 or subnet6 to
specify IPv6 selectors. By default, zero selectors are entered, “::/0” for the subnet6
address type, for example. The simplest IPv6 phase 2 configuration looks like this:
config vpn ipsec phase2-interface
    edit tunnel6_p2
        set phase1name tunnel6
        set proposal 3des-md5
        set src-addr-type subnet6
        set dst-addr-type subnet6
    end

Firewall policies
To complete the VPN configuration, you need a firewall policy in each direction to permit
traffic between the protected network’s port and the IPsec interface. You need IPv6
policies unless the VPN is IPv4 over IPv6.

Routing
Appropriate routing is needed for both the IPsec packets and the encapsulated traffic
within them. You need a route, which could be the default route, to the remote VPN
gateway via the appropriate interface. You also need a route to the remote protected
network via the IPsec interface.


To create a static route in the web-based manager, go to Router > Static. Select the
dropdown arrow on the Create New button and select IPv6 Route. Enter the information and
select OK. In the CLI, use the router static6 command. For example, where the
remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:
config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end
If the VPN is IPv4 over IPv6, the route to the remote protected network is an IPv4 route. If
the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route.

Transition from IPv4 to IPv6
If the Internet is to take full advantage of the benefits of IPv6, there must be a period of
transition to enable IPv6-only hosts to reach IPv4 services and to allow isolated IPv6 hosts
and networks to reach the IPv6 Internet over the IPv4 infrastructure.
RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers and RFC 2185, Routing
Aspects of IPv6 Transition define several mechanisms to ensure that IPv6 hosts and
routers maintain interoperability with the existing IPv4 infrastructure, and facilitate a
gradual transition that does not impact the functionality of the Internet. The mechanisms,
known collectively as Simple Internet Transition (SIT), include:
• dual-stack IP implementations for hosts and routers that must interoperate between IPv4 and IPv6
• embedding of IPv4 addresses in IPv6 addresses: IPv6 hosts are assigned addresses that are interoperable with IPv4, and IPv4 host addresses are mapped to IPv6
• IPv6-over-IPv4 tunneling mechanisms to encapsulate IPv6 packets within IPv4 headers to carry them over IPv4 infrastructure
• IPv4/IPv6 header translation, used when implementation of IPv6 is well-advanced and few IPv4 systems remain.

FortiGate units are dual IP layer IPv6/IPv4 nodes and they support IPv6 over IPv4
tunneling.
For more information, see RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers
and RFC 2185, Routing Aspects of IPv6 Transition.

Configuring FortiOS to connect to an IPv6 tunnel provider
If an organization with a mixed network uses an Internet service provider that does not
support IPv6, they can use an IPv6 tunnel broker to connect to IPv6 addresses on the
Internet. FortiOS supports IPv6 tunnelling over service provider IPv4 networks to tunnel
brokers. The tunnel broker extracts the IPv6 packets from the tunnel and routes them to
their IPv6 destination.

The internal network is running IPv6. The FortiGate unit creates an IPv6-over-IPv4 tunnel
to the IPv6 tunnel broker. From the tunnel broker, your network can access IPv6
addresses on the Internet.
In this example the internal network is small and directly connected to the FortiGate unit —
there is no need for routing on the internal network since everything is connected and on
the same subnet.

Assumptions
• Before configuring your FortiGate unit for IPv6-over-IPv4 tunneling, you need to choose an IPv6 tunnel broker and get their information. For this example, Hurricane Electric (http://he.net) will be used.
• The addresses used in this example are for example use only.
• VDOMs are not enabled.
• The tunnel broker IPv4 address is 78.35.24.124.
• The tunnel broker IPv6 end of the tunnel is 2001:4dd0:ff00:15e::1/64.
• The FortiGate unit external IPv4 address is 172.20.120.17.
• The FortiGate unit IPv6 address of the tunnel is 2001:4dd0:ff00:15e::2/64.
• port1 of the FortiGate unit is connected to the internal network.
• port2 of the FortiGate unit is connected to the external network (Internet).

Figure 182: Connecting to an IPv6 tunnel broker (IPv6 internal network, IPv6-over-IPv4 tunnel across the Internet, IPv6 tunnel broker, IPv6 Internet)

Steps to connect to an IPv6 tunnel broker
1 Create a SIT-Tunnel Interface
2 Create a static IPv6 Route into the Tunnel-Interface
3 Assign your IPv6 Network to your FortiGate
4 Create a Firewall-Policy to allow Traffic from LAN to the Tunnel-Interface
5 Test the connection

Create a SIT-Tunnel Interface
Creating the SIT-tunnel creates a virtual interface in the form of a tunnel, much like a VPN
tunnel. The end points of the tunnel are the FortiGate unit and the tunnel broker’s server
addresses.
In our example, the external address of the FortiGate unit is DHCP-based and may
change to any value on that subnet, so the source address allows for that.
config system sit-tunnel
edit HE_ip6_broker
set destination 78.35.24.124
set interface port2
set ip6 2001:4dd0:ff00:15e::2/64
set source 172.20.120.0
next
end
For more information on the sit-tunnel CLI command, see “Configuring IPv6 over IPv4
tunneling” on page 1279 or the FortiGate CLI Reference.
Now that the tunnel exists, some additional interface commands are required, such as
enabling ping6 on the tunnel interface for troubleshooting.
config system interface
edit HE_ip6_broker
config ipv6
set ip6-allowaccess ping
end
next
end

Create a static IPv6 Route into the Tunnel-Interface
With the tunnel up and the firewall policies in place, all that remains is to add a default
route for IPv6 traffic to go over the tunnel. As there will only be one static routing entry,
there is no need for a priority. This may change in the future if other routes are added.
config router static6
edit 1
set device HE_ip6_broker
next
end

Assign your IPv6 Network to your FortiGate
This step assigns an IPv6 address to the internal interface on the FortiGate unit. That way
all IPv6 traffic entering on this interface will be routed to the tunnel. Systems with
addresses within this prefix are reachable on the subnet in question without help from a
router, so the onlink-flag is enabled. Hosts can create an address for themselves by
combining this prefix with an interface identifier, so the autonomous-flag is enabled.
config system interface
edit port1
config ipv6
set ip6-address 2001:4dd0:ff42:72::1/64
set ip6-allowaccess ping https ssh
config ip6-prefix-list
edit 2001:4dd0:ff42:72::/64
set autonomous-flag enable
set onlink-flag enable
set preferred-life-time 3600
set ip6-send-adv enable
next
end
next
end

At this point any PCs on your internal network that are set to auto-configure should have
their addresses. To test this you can ping6 from the PC to the FortiGate unit. See “IPv6
ping description” on page 1286.

Create a Firewall-Policy to allow Traffic from port1 to the Tunnel-Interface
With the tunnel configured, it will appear as an interface in the Network interface list. That
means the next step is to add a firewall policy to allow traffic to and from the tunnel.
config firewall policy6
edit 2
set srcintf port1
set dstintf HE_ip6_broker
set srcaddr "::/0"
set dstaddr "::/0"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
next
end

Test the connection
To test the tunnel, try to connect to an external IPv6 address such as
http://ipv6.google.com.
If you want to see the path the IPv6 traffic takes, do a traceroute from a PC on the internal
network to an external address. You will see the traffic enter the FortiGate unit, enter the
tunnel, pass through the tunnel broker server, and on out over the Internet.
If you are entering an IPv6 address into your web browser, you have to type:
https://[2001:4dd0:ff42:72::1]. The square brackets distinguish the address
part from a port number, as in
https://[2001:4dd0:ff42:72::1]:8080
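As an added example (not part of the handbook or of FortiOS), the following Python script parses a FortiOS CLI configuration dump in the config/edit/set/next/end form used above and checks that the four configuration steps agree with each other: the SIT tunnel terminates at the broker and shares its /64, a default IPv6 route leaves through the tunnel, port1 carries a global address whose prefix is advertised for autoconfiguration, and an accept policy6 links port1 to the tunnel. The parser, the finding texts and the embedded sample configuration are constructed here; the broker addresses and interface names are taken from the Assumptions list above.

```python
import ipaddress
import shlex


def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into nested dicts."""
    stack = [{}]                              # stack[0] is the root, stack[-1] the open block
    for raw in text.splitlines():
        words = shlex.split(raw)              # honours the "quoted" values FortiOS prints
        if not words:
            continue
        kw, args, cur = words[0], words[1:], stack[-1]
        if kw in ("config", "edit"):          # open a nested block ("config ipv6" -> key "ipv6")
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "set":                     # attribute -> list of values
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):           # close the innermost block
            stack.pop()
    return stack[0]


def check_tunnel_broker(cfg, tunnel, lan_if, broker_v4, broker_v6):
    """Check steps 1-4 of the procedure; an empty list means the config is consistent."""
    findings = []
    # Step 1: the SIT tunnel must terminate at the broker and share its /64
    sit = cfg.get("system sit-tunnel", {}).get(tunnel)
    if sit is None:
        findings.append(f"step 1: no sit-tunnel {tunnel}")
    else:
        if sit.get("destination") != [broker_v4]:
            findings.append(f"step 1: {tunnel} destination is not {broker_v4}")
        ours = sit.get("ip6", ["::/128"])[0]
        if ipaddress.ip_interface(ours).network != ipaddress.ip_interface(broker_v6).network:
            findings.append(f"step 1: {tunnel} ip6 {ours} not in broker /64")
    # Step 2: an IPv6 default route (dst omitted means ::/0) out of the tunnel
    routes = cfg.get("router static6", {}).values()
    if not any(r.get("device") == [tunnel]
               and ipaddress.ip_network(r.get("dst", ["::/0"])[0], strict=False).prefixlen == 0
               for r in routes):
        findings.append(f"step 2: no IPv6 default route via {tunnel}")
    # Step 3: the LAN interface has a global address and advertises that prefix
    v6 = cfg.get("system interface", {}).get(lan_if, {}).get("ipv6", {})
    addr = v6.get("ip6-address")
    if not addr:
        findings.append(f"step 3: {lan_if} has no ip6-address")
    else:
        prefix = str(ipaddress.ip_interface(addr[0]).network)
        entry = v6.get("ip6-prefix-list", {}).get(prefix, {})
        if entry.get("autonomous-flag") != ["enable"]:
            findings.append(f"step 3: {prefix} not advertised for autoconfiguration on {lan_if}")
    # Step 4: an accept policy6 from the LAN into the tunnel
    policies = cfg.get("firewall policy6", {}).values()
    if not any(p.get("srcintf") == [lan_if] and p.get("dstintf") == [tunnel]
               and p.get("action") == ["accept"] for p in policies):
        findings.append(f"step 4: no accept policy6 {lan_if} -> {tunnel}")
    return findings


# Constructed sample using the chapter's example values (not a real device dump).
GOOD_CONFIG = """
config system sit-tunnel
  edit HE_ip6_broker
    set destination 78.35.24.124
    set interface port2
    set ip6 2001:4dd0:ff00:15e::2/64
  next
end
config router static6
  edit 1
    set device HE_ip6_broker
  next
end
config system interface
  edit port1
    config ipv6
      set ip6-address 2001:4dd0:ff42:72::1/64
      config ip6-prefix-list
        edit 2001:4dd0:ff42:72::/64
          set autonomous-flag enable
          set onlink-flag enable
        next
      end
    end
  next
end
config firewall policy6
  edit 2
    set srcintf port1
    set dstintf HE_ip6_broker
    set srcaddr "::/0"
    set dstaddr "::/0"
    set action accept
  next
end
"""


def audit(config_text):
    """Run the checks with the broker and interface values assumed in this chapter."""
    return check_tunnel_broker(parse_fortios(config_text), "HE_ip6_broker", "port1",
                               "78.35.24.124", "2001:4dd0:ff00:15e::1/64")


if __name__ == "__main__":
    print(audit(GOOD_CONFIG))                                                   # []
    # the same config with the default route sent out of port2 instead of the tunnel
    print(audit(GOOD_CONFIG.replace("set device HE_ip6_broker", "set device port2")))
```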

IPv6 Troubleshooting
There are a number of troubleshooting methods that can be used with IPv6 issues.
This section includes:
• ping6
• diag sniffer packet
• diag debug flow
• IPv6 specific diag commands

ping6
The main method of troubleshooting IPv6 traffic is using the IPv6 version of ping.
You can use the IPv6 ping command to:
• Send an ICMP echo request packet to the IPv6 address that you specify.
• Specify a source interface other than the one from which the probe originates by using the source interface keywords.
• Specify a source IP address other than the one from which the probe originates by using the source address keywords.

You can specify the following options:
packetCount: Number of packets to send to the destination IPv6 address. If you specify a zero, echo request packets are sent indefinitely.
data-pattern: Sets the type of bits contained in the packet to all ones, all zeros, a random mixture of ones and zeros, or a specific hexadecimal data pattern that can range from 0x0 to 0xFFFFFFFF. The default is all zeros.
extended header attributes: Set the interface type and specifier of a destination address on the system that is configured for external loopback; the command succeeds only if the specified interface is configured for external loopback.
sweep interval: Specifies the change in the size of subsequent ping packets while sweeping across a range of sizes. For example, you can configure the sweep interval to sweep across the range of packets from 100 bytes to 1000 bytes in increments specified by the sweep interval. By default, the system increments packets by one byte; for example, it sends 100, 101, 102, 103, ... 1000. If the sweep interval is 5, the system sends 100, 105, 110, 115, ... 1000.
sweep sizes: Enables you to vary the sizes of the echo packets being sent. Used to determine the minimum sizes of the MTUs configured on the nodes along the path to the destination address. This reduces packet fragmentation, which contributes to performance problems. The default is to not sweep (all packets are the same size).
timeout: Sets the number of seconds to wait for an ICMP echo reply packet before the connection attempt times out.
hop limit: Sets the time-to-live hop count in the range 1-255; the default is 255.

The following characters may appear in the display after the ping command is issued:
! - reply received
. - timed out while waiting for a reply
? - unknown packet type
A - admin unreachable
b - packet too big
H - host unreachable
N - network unreachable
P - port unreachable
p - parameter problem
S - source beyond scope
t - hop limit expired (TTL expired)

IPv6 ping description
Ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP
ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams ("pings") have
an IP and ICMP header, followed by a struct timeval and then an arbitrary number of "pad"
bytes used to fill out the packet.

1286

FortiOS™ Handbook FortiOS 4.0 MR2 Advanced System Settings
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

IPv6

IPv6 Troubleshooting

IPv6 ping options
-a: Audible ping.
-A: Adaptive ping. Interpacket interval adapts to round-trip time, so effectively no more than one (or more, if preload is set) unanswered probe is present in the network. Minimal interval is 200 msec for any user other than administrator. On networks with low rtt this mode is essentially equivalent to flood mode.
-b: Allow pinging of a broadcast address.
-B: Do not allow ping to change the source address of probes. The address is bound to the one selected when the ping starts.
-c count: Stop after sending count ECHO_REQUEST packets. With the deadline option, ping waits for count ECHO_REPLY packets, until the timeout expires.
-d: Set the SO_DEBUG option on the socket being used. This socket option is not used by a Linux kernel.
-F flow label: Allocate and set a 20-bit flow label on echo request packets (only ping6). If the value is zero, the kernel allocates a random flow label.
-f: Flood ping. For every ECHO_REQUEST sent a period "." is displayed, while for every ECHO_REPLY received a backspace is displayed. This provides a rapid display of how many packets are being dropped. If interval is not specified, it is set to zero and packets are output as fast as they come back or one hundred times per second, whichever is faster. Only the administrator may use this option with zero interval.
-i interval: Wait a specified interval of seconds between sending each packet. The default is 1 second between each packet, or no wait in flood mode. Only an administrator can set the interval to a value of less than 0.2 seconds.
-I interface address: Set the source address to the specified interface address. The argument may be a numeric IP address or the name of a device. This option is required when you ping an IPv6 link-local address.
-l preload: If preload is specified, ping sends this number of packets without waiting for a reply. Only the administrator may select a preload of more than 3.
-L: Suppress loopback of multicast packets. This flag only applies if the ping destination is a multicast address.
-n: Numeric output only. No attempt will be made to look up symbolic names for host addresses.
-p pattern: You may specify up to 16 "pad" bytes to fill out the packet you send. This is useful for diagnosing data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.
-Q tos: Set Quality of Service-related bits in ICMP datagrams. tos can be either a decimal or hex number. Traditionally (RFC 1349), these have been interpreted as: 0 for reserved (currently being redefined as congestion control), 1-4 for Type of Service and 5-7 for Precedence. Possible settings for Type of Service are: minimal cost: 0x02, reliability: 0x04, throughput: 0x08, low delay: 0x10. Multiple TOS bits should not be set simultaneously. Possible settings for special Precedence range from priority (0x20) to net control (0xe0). You must be root (CAP_NET_ADMIN capability) to use Critical or higher precedence values. You cannot set bit 0x01 (reserved) unless ECN has been enabled in the kernel. In RFC 2474, these fields have been redefined as 8-bit Differentiated Services (DS), consisting of: bits 0-1 of separate data (ECN will be used here), and bits 2-7 of Differentiated Services Codepoint (DSCP).
-q: Quiet output. Nothing is displayed except the summary lines at startup time and when finished.

-R: Record route (IPv4 only). Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets. Note that the IP header is only large enough for nine such routes. Many hosts ignore or discard this option.
-r: Bypass the normal routing tables and send directly to a host on an attached interface. If the host is not on a directly-attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it, provided the option -I is also used.
-s packetsize: Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
-S sndbuf: Set the socket sndbuf (send buffer). If not specified, it is selected to buffer not more than one packet.
-t ttl: Set the IP Time to Live.
-T timestamp option: Set special IP timestamp options. May be either tsonly (only timestamps), tsandaddr (timestamps and addresses) or tsprespec host1 [host2 [host3 [host4]]] (timestamp prespecified hops).
-M hint: Select the Path MTU Discovery strategy. hint may be either do (prohibit fragmentation, even local), want (do PMTU discovery, fragment locally when the packet size is large), or dont (do not set the DF flag).
-U: Print full user-to-user latency (the old behavior). Normally ping prints network round trip time, which can be different, for example due to DNS failures.
-v: Verbose output.
-V: Show version and exit.
-w deadline: Specify a timeout, in seconds, before ping exits regardless of how many packets have been sent or received. In this case ping does not stop after count packets are sent; it waits either for the deadline to expire, or until count probes are answered, or for some error notification from the network.
-W timeout: Time to wait for a response, in seconds. The option affects only the timeout in the absence of any responses; otherwise ping waits for two RTTs.

Examples
How to ping a global IPv6 address with a 1400 byte packet from the FortiGate CLI:
exec ping6 -s 1400 2001:480:332::10
How to ping a multicast group with the ping6 command on the FortiGate CLI (-I and the port name
must be specified for the CLI ping6 command to ping an IPv6 multicast group):
exec ping6 -I port1 ff02::1
How to ping a link-local IPv6 address from the FortiGate CLI:
exec ping6 FE80:0:0:0:213:e8ff:fe9e:ccf7
This address would normally be written as FE80::213:e8ff:fe9e:ccf7.

diag sniffer packet
The FortiOS built-in packet sniffer also works for IPv6. Here are some examples using an
IPv6-over-IPv4 tunnel called test6.
# diag sniff pack test6 'none' 4
interfaces=[test6]
filters=[]
pcap_lookupnet: test6: no IPv4 address assigned
34.258651 test6 -- 2001:4dd0:ff00:15d::2 -> 2001:4dd0:ff00:15d::1: icmp6: echo request seq 1

1288

FortiOS™ Handbook FortiOS 4.0 MR2 Advanced System Settings
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

IPv6

IPv6 Troubleshooting

34.324658 test6 -- 2001:4dd0:ff00:15d::1 -> 2001:4dd0:ff00:15d::2: icmp6: echo reply seq 1
35.268581 test6 -- 2001:4dd0:ff00:15d::2 -> 2001:4dd0:ff00:15d::1: icmp6: echo request seq 2
35.334230 test6 -- 2001:4dd0:ff00:15d::1 -> 2001:4dd0:ff00:15d::2: icmp6: echo reply seq

# diag sniff pack any 'ip6 and tcp port 80' 4 10
interfaces=[any]
filters=[ip6 and tcp port 80]
1 LAN in 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: syn 2298823882
2 test6 out 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: syn 2298823882
3 test6 in 2a00:1450:8007::63.80 -> 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037: syn 4218782319 ack
4 LAN out 2a00:1450:8007::63.80 -> 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037: syn 4218782319 ack
5 LAN in 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: ack 4218782320
6 test6 out 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: ack 4218782320
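Added example, not from the handbook: a Python script that parses verbosity-4 sniffer output like the listing above (re-joining records the console wrapped onto several lines) and flags packets that entered one interface but were never seen leaving the other, which is what a policy6 or route dropping IPv6 traffic short of the tunnel looks like in this output. The sample is the six records above plus one constructed SYN from source port 53038 with no matching tunnel-side record; the interface names LAN and test6 are those of the listing.

```python
import re

# One verbosity-4 record: "<n> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp summary>"
RECORD = re.compile(r"^(\d+)\s+(\S+)\s+(in|out)\s+(\S+)\.(\d+)\s+->\s+(\S+)\.(\d+):\s*(.*)$")


def parse_sniffer(text):
    """Parse 'diag sniff pack any ... 4' output into one dict per packet.

    Records begin with their sequence number followed by a space; any other
    line (a wrapped address or a trailing 'ack') is appended to the open record."""
    records, buf = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("interfaces=", "filters=")):
            continue
        if re.match(r"^\d+\s", line) and buf:      # a new record starts
            records.append(" ".join(buf))
            buf = []
        buf.append(line)
    if buf:
        records.append(" ".join(buf))
    packets = []
    for rec in records:
        m = RECORD.match(rec)
        if m:
            seq, iface, direction, src, sport, dst, dport, summary = m.groups()
            packets.append({"seq": int(seq), "iface": iface, "dir": direction,
                            "src": src, "sport": int(sport), "dst": dst,
                            "dport": int(dport), "summary": summary.strip()})
    return packets


def unforwarded(packets, lan_if, tunnel_if):
    """Sequence numbers of packets that entered one side of the FortiGate but were
    never seen leaving the other: LAN in should reappear as tunnel out with the same
    5-tuple and TCP summary, and tunnel in should reappear as LAN out."""
    expected = {(lan_if, "in"): (tunnel_if, "out"), (tunnel_if, "in"): (lan_if, "out")}
    seen = set()
    for p in packets:
        seen.add((p["iface"], p["dir"], p["src"], p["sport"], p["dst"], p["dport"], p["summary"]))
    missing = []
    for p in packets:
        nxt = expected.get((p["iface"], p["dir"]))
        if nxt and nxt + (p["src"], p["sport"], p["dst"], p["dport"], p["summary"]) not in seen:
            missing.append(p["seq"])
    return missing


# The six records from the listing above (record 3 left wrapped as the console printed
# it) plus a constructed seventh SYN that never appears on the tunnel side.
SAMPLE = """
interfaces=[any]
filters=[ip6 and tcp port 80]
1 LAN in 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: syn 2298823882
2 test6 out 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: syn 2298823882
3 test6 in 2a00:1450:8007::63.80 ->
2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037: syn 4218782319
ack
4 LAN out 2a00:1450:8007::63.80 -> 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037: syn 4218782319 ack
5 LAN in 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: ack 4218782320
6 test6 out 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: ack 4218782320
7 LAN in 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53038 -> 2a00:1450:8007::63.80: syn 1234567890
"""

if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    print(len(pkts), "packets parsed; not forwarded:", unforwarded(pkts, "LAN", "test6"))
```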

diag debug flow
The diag debug flow command is the same for IPv6 or IPv4. The output format is the
same, but the command is only slightly different in that it uses filter6 and an IPv6
address.
To enable diag debug flow for IPv6 - CLI
# diag debug enable
# diag debug flow show console enable
# diag debug flow show func enable
# diag debug flow filter6 addr 2001:4dd0:ff42:12::24
# diag debug flow trace start6


IPv6 specific diag commands
To list all the sit-tunnels that are configured:
diagnose ipv6 sit-tunnel list
total tunnel = 1:
devname=test6 devindex=4 ifindex=22 saddr=0.0.0.0
daddr=88.25.29.134 proto=41 vfid=0000 ref=2
To list all the IPv6 routes:
# diagnose ipv6 route list
vf=0 type=02 protocol=unspec flag=00200001 oif=8(root)
dst:::1/128 gwy::: prio=0
vf=0 type=02 protocol=unspec flag=00200001 oif=8(root)
dst:2001:4dd0:ff00:75d::2/128 gwy::: prio=0

vf=0 type=01 protocol=kernel flag=00240021 oif=22(sixxs)
dst:2001:4dd0:ff00:75d::/64 gwy::: prio=100
vf=0 type=02 protocol=unspec flag=00200001 oif=8(root)
dst:2001:4dd0:ff42:68::1/128 gwy::: prio=0
vf=0 type=01 protocol=kernel flag=01040001 oif=19(LAN)
dst:2001:4dd0:ff42:68:225:ff:feee:5314/128
gwy:2001:4dd0:ff42:68:225:ff:feee:5314 prio=0
.....
Some other IPv6 diag commands include:
diagnose ipv6 neighbor-cache: Add, delete, flush, or list the IPv6 ARP table or ARP table entry.
diagnose sys session6: Clear, filter, full-stat, list, stat IPv6 sessions.
tree diagnose ipv6: View all the diagnose IPv6 commands.


Additional IPv6 resources
There are many RFCs available regarding IPv6. The following table lists the major IPv6
articles and their Internet Engineering Task Force (IETF) web locations.
Table 95: Additional IPv6 resources (RFC and subject: description; IETF location)
RFC 1933, Transition Mechanisms for IPv6 Hosts and Routers: Describes IPv4 compatibility mechanisms that can be implemented by IPv6 hosts and routers. http://www.ietf.org/rfc/rfc1933
RFC 2185, Routing Aspects of IPv6 Transition: Provides an overview of the routing aspects of the IPv6 transition. http://www.ietf.org/rfc/rfc2185
RFC 2373, IP Version 6 Addressing Architecture: Defines the addressing architecture of the IP Version 6 protocol [IPV6]. http://www.ietf.org/rfc/rfc2373
RFC 2402, IP Authentication Header: Describes functionality and implementation of IP Authentication Headers (AH). http://www.ietf.org/rfc/rfc2402
RFC 2460, Internet Protocol, Version 6 (IPv6) Specification: Describes functionality, configuration of IP version 6 (IPv6) and differences from IPv4. http://www.ietf.org/rfc/rfc2460
RFC 2461, Neighbor Discovery for IP Version 6 (IPv6): Describes the features and functions of the IPv6 Neighbor Discovery protocol. http://www.ietf.org/rfc/rfc2461
RFC 2462, IPv6 Stateless Address Autoconfiguration: Specifies the steps a host takes in deciding how to autoconfigure its interfaces in IPv6. http://www.ietf.org/rfc/rfc2462
RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers: Specifies IPv4 compatibility mechanisms that can be implemented by IPv6 hosts and routers. http://www.ietf.org/rfc/rfc2893
RFC 3306, Unicast-Prefix-Based IPv6 Multicast Addresses: Describes the format and types of IPv6 multicast addresses. http://www.ietf.org/rfc/rfc3306
RFC 3484, Default Address Selection for Internet Protocol version 6 (IPv6): Describes the algorithms used in IPv6 default address selection. http://www.ietf.org/rfc/rfc3484
RFC 3513, Internet Protocol version 6 (IPv6) Addressing Architecture: Contains details about the types of IPv6 addresses and includes examples. http://www.ietf.org/rfc/rfc3513
RFC 3587, IPv6 Global Unicast Address Format: Defines the standard format for IPv6 unicast addresses. http://www.ietf.org/rfc/rfc3587

PPTP and L2TP
This section describes how to configure PPTP and L2TP VPNs as well as PPTP
passthrough. This section contains the following sections:
• About FortiOS PPTP VPNs
• How PPTP VPNs work
• FortiGate PPTP topologies
• Configuring the FortiGate unit for PPTP VPN
• Configuring the FortiGate unit for PPTP pass through
• Monitoring PPTP sessions
• Configuring L2TP VPNs
• L2TP configuration overview
• Adding the firewall policy

About FortiOS PPTP VPNs
A virtual private network (VPN) is a way to use a public network, such as the Internet, to
provide remote offices or individual users with secure access to private networks. For
example, a company that has two offices in different cities, each with its own private
network, can use a VPN to create a secure tunnel between the offices. Similarly,
telecommuters can use VPN clients to access private data resources securely from a
remote location.
With FortiOS's built-in VPN capabilities, small home offices, medium-sized businesses,
enterprises, and service providers can ensure the confidentiality and integrity of data
transmitted over the Internet. FortiOS provides enhanced authentication, strong
encryption, and restricted access to company network resources and services.
FortiOS supports the Point-to-Point Tunneling Protocol (PPTP), which enables
interoperability between FortiGate units and Windows or Linux PPTP clients. Because
FortiGate units support industry standard PPTP VPN technologies, you can configure a
PPTP VPN between a FortiGate unit and most third-party PPTP VPN peers.

How PPTP VPNs work
A virtual private network (VPN) is a way to use a public network, such as the Internet, to
provide remote offices or individual users with secure access to private networks. The
Point-to-Point Tunneling Protocol allows you to create a VPN between a remote client and
your internal network. Because it is a Windows standard, PPTP does not require third-party
software on the client computer. As long as the Internet Service Provider (ISP)
supports PPTP on its servers, you can create a secure connection by making relatively
simple configuration changes to the client computer and the FortiGate unit.
PPTP uses Point-to-Point Protocol (PPP) authentication protocols so that standard PPP
software can operate on tunneled PPP links. PPTP packages data in PPP packets and
then encapsulates the PPP packets within IP packets for transmission through a VPN
tunnel.

When the FortiGate unit acts as a PPTP server, a PPTP session and tunnel are created as
soon as the PPTP client connects to the FortiGate unit. More than one PPTP session can
be supported on the same tunnel. FortiGate units support PAP, CHAP, and plain text
authentication. PPTP clients are authenticated as members of a user group.
Traffic from one PPTP peer is encrypted using PPP before it is encapsulated using
Generic Routing Encapsulation (GRE) and routed to the other PPTP peer through an ISP
network. PPP packets from the remote client are addressed to a computer on the private
network behind the FortiGate unit. PPTP packets from the remote client are addressed to
the public interface of the FortiGate unit. See Figure 183 on page 1294.
Caution: PPTP control channel messages are not authenticated, and their integrity is not
protected. Furthermore, encapsulated PPP packets are not cryptographically protected and
may be read or modified unless appropriate encryption software such as Secure Shell
(SSH) or Secure File Transfer Protocol (SFTP) is used to transfer data after the tunnel has
been established.

As an alternative, you can use encryption software such as Microsoft Point-to-Point
Encryption (MPPE) to secure the channel. MPPE is built into Windows
clients and can be installed on Linux clients. FortiGate units support MPPE.
Figure 183: Packet encapsulation

In Figure 183, traffic from the remote client is addressed to a computer on the network
behind the FortiGate unit. When the PPTP tunnel is established, packets from the remote
client are encapsulated and addressed to the FortiGate unit. The FortiGate unit forwards
disassembled packets to the computer on the internal network.

When the remote PPTP client connects, the FortiGate unit assigns an IP address from a
reserved range of IP addresses to the client PPTP interface. The PPTP client uses the
assigned IP address as its source address for the duration of the connection.
When the FortiGate unit receives a PPTP packet, the unit disassembles the PPTP packet
and forwards the packet to the correct computer on the internal network. The firewall
policy and protection profiles on the FortiGate unit ensure that inbound traffic is screened
and processed securely.
Note: PPTP clients must be authenticated before a tunnel is established. The
authentication process relies on FortiGate user group definitions, which can optionally use
established authentication mechanisms such as RADIUS or LDAP to authenticate PPTP
clients. All PPTP clients are challenged when a connection attempt is made.

FortiGate PPTP topologies
In a PPTP configuration, the FortiGate unit can act as a PPTP server or forward PPTP
packets to a PPTP server.

Infrastructure requirements
• The FortiGate unit operates in NAT/Route mode and has a static public IP address.
• The dialup client ISP account supports PPP connections with dynamically assigned IP addresses and, if the ISP runs a PPTP server, the server must be configured to forward PPTP packets to the FortiGate unit.
• The PPTP client includes PPP support (with MPPE if encryption is required).

FortiGate unit as a PPTP server
In the most common Internet scenario, the PPTP client connects to an ISP that offers PPP
connections with dynamically-assigned IP addresses. The ISP forwards PPTP packets to
the Internet, where they are routed to the FortiGate unit.
Figure 184: FortiGate unit as a PPTP server

FortiGate unit forwards traffic to a PPTP server
You may also configure the FortiGate unit to forward PPTP packets to a PPTP server on
the network behind the FortiGate unit.

Figure 185: FortiGate unit forwards traffic to PPTP server

Configuring the FortiGate unit for PPTP VPN
This section includes the following topics:
• PPTP server configuration overview
• PPTP pass through configuration overview
• Configuring user authentication for PPTP clients
• Configuring the FortiGate unit for PPTP pass through

PPTP server configuration overview
If the FortiGate unit will act as a PPTP server, perform the following tasks in the order
given:
• Configure user authentication for PPTP clients. See “Configuring user authentication for PPTP clients” on page 1296, “Configuring a user account” on page 1297, and “Configuring a user group” on page 1297.
• Enable PPTP on the FortiGate unit, specify the range of addresses that can be assigned to PPTP clients when they connect, and configure the firewall policy. See “Enabling PPTP and specifying the PPTP IP address range” on page 1297 and “Adding the firewall policy” on page 1298.

PPTP pass through configuration overview
To arrange for PPTP packets to pass through the FortiGate unit to an external PPTP
server, perform the following tasks in the order given:
• Configure user authentication for PPTP clients. See “Configuring user authentication for PPTP clients” on page 1296, “Configuring a user account” on page 1297, and “Configuring a user group” on page 1297.
• Enable PPTP on the FortiGate unit and specify the range of addresses that can be assigned to PPTP clients when they connect. See “Enabling PPTP and specifying the PPTP IP address range” on page 1297.
• Configure PPTP pass through on the FortiGate unit. See “Configuring the FortiGate unit for PPTP pass through” on page 1299.

Configuring user authentication for PPTP clients
To enable authentication for PPTP clients, you must create user accounts and a user
group to identify the PPTP clients that need access to the network behind the FortiGate
unit. Within the user group, you must add a user for each PPTP client.

You can choose to use a plain text password for authentication or forward authentication
requests to an external RADIUS, LDAP, or TACACS+ server. If password protection will be
provided through a RADIUS, LDAP, or TACACS+ server, you must configure the FortiGate
unit to forward authentication requests to the authentication server.

Configuring a user account
To add a Local user, go to User > User > User, select Create New, and enter or select the
following:
User Name: A name that identifies the user.
Disable: Select to prevent this user from authenticating.
Password: Select to authenticate this user using a password stored on the FortiGate unit and then enter the password. The password should be at least six characters.
LDAP: Select to authenticate this user using a password stored on an LDAP server. Select the LDAP server from the list.
RADIUS: Select to authenticate this user using a password stored on a RADIUS server. Select the RADIUS server from the list.
TACACS+: Select to authenticate this user using a password stored on a TACACS+ server. Select the TACACS+ server from the list.

Configuring a user group
To add a new user group, go to User > User Group > User Group, select Create New, and
enter or select the following according to user group type:
Name: Enter the name of the user group.
Type: Firewall.
Members: The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers,
Directory Service users/user groups, or PKI users that belong to the user group.

Enabling PPTP and specifying the PPTP IP address range
The PPTP address range specifies the range of addresses reserved for remote PPTP
clients. When a PPTP client connects to the FortiGate unit, the client is assigned an IP
address from this range. Afterward, the FortiGate unit uses the assigned address to
communicate with the PPTP client.
The address range that you reserve can be associated with private or routable IP
addresses. If you specify a private address range that matches a network behind the
FortiGate unit, the assigned address will make the PPTP client appear to be part of the
internal network.
PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address
range is the range of addresses reserved for remote PPTP clients. When the remote
PPTP client establishes a connection, the FortiGate unit assigns an IP address from the
reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP
address from the PPTP user group. If you use the PPTP user group, you must also define
the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-based
manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its
source address for the duration of the connection.
To enable PPTP and specify the PPTP address range or specify the IP address for the
peer’s remote IP on the PPTP client side, go to the customized screen in the web-based
manager, select the required options, and then select Apply.

Note: The start and end IPs in the PPTP address range must be in the same 24-bit
subnet, e.g. 192.168.1.1 - 192.168.1.254.

config vpn pptp
set eip <address_ipv4>
set ip-mode {range | usrgrp}
set local-ip <address_localip>
set sip <address_ipv4>
set status {disable | enable}
set usrgrp <group_name>
end
Variables and their descriptions:
eip <address_ipv4>: The ending address of the PPTP address range.
ip-mode {range | usrgrp}: Enable to have the PPTP client retrieve the IP address from the
PPTP user group or select an IP address from the pre-configured IP address range.
local-ip <address_localip>: PPTP server IP address from the PPTP user group.
sip <address_ipv4>: The starting address of the PPTP IP address range.
status {disable | enable}: Enable or disable PPTP VPN.
usrgrp <group_name>: This keyword is available when status is set to enable. Enter the
name of the user group for authenticating PPTP clients. The user group must be added to
the FortiGate configuration before it can be specified here.

Adding the firewall policy
The firewall policy specifies the source and destination addresses that can generate traffic
inside the PPTP tunnel and defines the scope of services permitted through the tunnel. If a
selection of services is required, define a service group.
To define the traffic and services permitted inside the PPTP tunnel, go to Firewall > Policy
> Policy, select Create New and enter the following information in particular:
Source Interface/Zone: Select the FortiGate interface to the Internet.
Source Address Name: Select the name that corresponds to the range of addresses that
you reserved for PPTP clients (for example, Ext_PPTPrange).
Destination Interface/Zone: Select the FortiGate interface to the internal (private) network.
Destination Address Name: Select the name that corresponds to the IP addresses behind
the FortiGate unit (for example, Int_PPTPaccess).
Service: Select ANY, or if selected services are required instead, select the service group
that you defined previously.
Action: Select ACCEPT.

Note: Do not select identity-based policy, as this will cause the PPTP access to fail.
Authentication is configured in the PPTP configuration setup.

Configuring the FortiGate unit for PPTP pass through
To forward PPTP packets to a PPTP server on the network behind the FortiGate unit, you
perform the following configuration tasks on the FortiGate unit:
• Define a virtual IP address that points to the PPTP server. The FortiGate unit will
forward PPTP packets to the address you specify.
• Create a firewall policy that allows incoming PPTP packets to pass through to the
PPTP server.
Note: The address range is the external (public) IP address range which requires access to
the internal PPTP server through the FortiGate virtual port-forwarding firewall.
IP addresses used in this document are fictional and follow the technical documentation
guidelines specific to Fortinet. Real external IP addresses are not used.

Defining a virtual port-forwarding address
The IP address refers to the PPTP server host. The FortiGate unit will answer ARP
requests for the IP address that you specify.
To define a virtual port-forwarding address for PPTP pass through, go to Firewall >
Virtual IP > Virtual IP, select Create New and enter the following:
Name: Enter a name to identify the virtual IP address (for example, PPTP_server).
External Interface: Select the FortiGate interface on which packets destined for the PPTP
server arrive. The IP address is bound to this interface for the purpose of proxying ARP
requests, for example, wan2.
External IP Address/Range: Enter the IP address of the FortiGate interface to the Internet.
Mapped IP Address/Range: Enter the IP address of the PPTP server.
Port Forwarding: Select Port Forwarding to forward packets to the PPTP server.
Protocol: Select TCP.
External Service Port: Enter 1723 (TCP port 1723 is the PPTP port).
Map to Port: Enter 1723.

Configuring a port-forwarding firewall policy
To create a port-forwarding firewall policy for PPTP pass through, go to Firewall > Address
> Address, select Create New and enter the following:
Address Name: Enter a name to identify the range of external addresses that you reserved
for PPTP clients (for example, External_PPTP).
Type: Select the type of address: Subnet/IP Range.
Subnet/IP Range: Enter the IP address range reserved for PPTP clients separated by a
hyphen (for example, 10.3.3.[1-10]).
Interface: Select the interface to the internet.

Adding the firewall policy
To add the firewall policy, go to Firewall > Policy > Policy, select Create New and enter the
following:
Source Interface/Zone: Select the FortiGate interface to the Internet.
Source Address Name: Select the name that corresponds to the range of addresses that
you reserved for external PPTP clients (for example, External_PPTP).
Destination Interface/Zone: Select the FortiGate interface to the PPTP server.
Destination Address Name: Select the name that corresponds to the virtual IP address
that you defined for the PPTP server (for example, PPTP_server).
Service: Select PPTP.
Action: Select ACCEPT.

Monitoring PPTP sessions
You can display a list of all active sessions and view activity by port number. By default,
port 1723 is used for PPTP VPN-related communications.
To view the list of active sessions
1 Go to System > Status.
2 In the Statistics section, select Details on the Sessions line.

Testing PPTP VPN connections
To confirm that a PPTP VPN between a local network and a dialup client has been
configured correctly, at the dialup client, issue a ping command to test the connection to
the local network. The PPTP VPN tunnel initializes when the dialup client attempts to
connect.

Logging VPN events
You can configure the FortiGate unit to log VPN events. For PPTP VPNs, connection
events and tunnel status (up/down) are logged.
To log VPN events
1 Go to Log & Report > Log Config > Log Setting.
2 Enable the storage of log messages to one or more of the following locations:
3 Select Apply.
To filter VPN events
1 Go to Log & Report > Log Config > Event Log.
2 Select Enable, and then select L2TP/PPTP/PPPoE service event.
3 Select Apply.

To view event logs
1 Go to Log & Report > Log Access > Memory.
2 If the option is available from the Log Type list, select the log file from disk or memory.

Configuring L2TP VPNs
This section describes how to configure a FortiGate unit to establish a Layer Two
Tunneling Protocol (L2TP) tunnel with a remote dialup client. The FortiGate
implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with
the FortiGate unit directly.
According to RFC 2661, an Access Concentrator (LAC) can establish an L2TP tunnel with
an L2TP Network Server (LNS). In a typical scenario, the LAC is managed by an ISP and
located on the ISP premises; the LNS is the gateway to a private network. When a remote
dialup client connects to the Internet through the ISP, the ISP uses a local database to
establish the identity of the caller and determine whether the caller needs access to an
LNS through an L2TP tunnel. If the services registered to the caller indicate that an L2TP
connection to the LNS is required, the ISP LAC attempts to establish an L2TP tunnel with
the LNS.
A FortiGate unit can be configured to act as an LNS. The FortiGate implementation of
L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit
directly, bypassing any LAC managed by an ISP. The ISP must configure its network
access server to forward L2TP traffic from the remote client to the FortiGate unit directly
whenever the remote client requires an L2TP connection to the FortiGate unit.
When the FortiGate unit acts as an LNS, an L2TP session and tunnel is created as soon
as the remote client connects to the FortiGate unit. The FortiGate unit assigns an IP
address to the client from a reserved range of IP addresses. The remote client uses the
assigned IP address as its source address for the duration of the connection.
More than one L2TP session can be supported on the same tunnel. FortiGate units can be
configured to authenticate remote clients using a plain text user name and password, or
authentication can be forwarded to an external RADIUS or LDAP server. L2TP clients are
authenticated as members of a user group.
Caution: FortiGate units support L2TP with Microsoft Point-to-Point Encryption (MPPE)
encryption only. Later implementations of Microsoft L2TP for Windows use IPSec and
require certificates for authentication and encryption. If you want to use Microsoft L2TP with
IPSec to connect to a FortiGate unit, the IPSec and certificate elements must be disabled
on the remote client.

Traffic from the remote client must be encrypted using MPPE before it is encapsulated and
routed to the FortiGate unit. Packets originating at the remote client are addressed to a
computer on the private network behind the FortiGate unit. Encapsulated packets are
addressed to the public interface of the FortiGate unit. See Figure 186.
When the FortiGate unit receives an L2TP packet, the unit disassembles the packet and
forwards the packet to the correct computer on the internal network. The firewall policy
and protection profiles on the FortiGate unit ensure that inbound traffic is screened and
processed securely.

Figure 186: L2TP encapsulation (diagram: the remote client's L2TP packets are addressed
to 172.16.30.1, the public interface of FortiGate_1, while the traffic they carry is destined
for 192.168.20.2 on the internal network)

Note: Fortinet units cannot deliver non-IP traffic such as Frame Relay or ATM frames
encapsulated in L2TP packets — FortiGate units support the IPv4 and IPv6 addressing
schemes only.

Network topology
The remote client connects to an ISP that determines whether the client requires an L2TP
connection to the FortiGate unit. If an L2TP connection is required, the connection request
is forwarded to the FortiGate unit directly.
Figure 187: Example L2TP configuration (diagram: Remote_Client_1, Remote_Client_2 and
Remote_Client_3 connect across the Internet to FortiGate_1, which fronts the internal
network)

L2TP infrastructure requirements
• The FortiGate unit must be operating in NAT/Route mode and have a static public IP
address.
• The ISP must configure its network access server to forward L2TP traffic from remote
clients to the FortiGate unit directly.
• The remote client must not generate non-IP traffic (Frame Relay or ATM frames).
• The remote client includes L2TP support with MPPE encryption. If the remote client
includes Microsoft L2TP with IPSec, the IPSec and certificate components must be
disabled.

L2TP configuration overview
To configure a FortiGate unit to act as an LNS, you perform the following tasks on the
FortiGate unit:
• Create an L2TP user group containing one user for each remote client. See
“Authenticating L2TP clients” on page 1303.
• Enable L2TP on the FortiGate unit and specify the range of addresses that can be
assigned to remote clients when they connect. See “Enabling L2TP and specifying an
address range” on page 1303.
• Define firewall source and destination addresses to indicate where packets transported
through the L2TP tunnel will originate and be delivered. See “Defining firewall source
and destination addresses” on page 1304.
• Create the firewall policy and define the scope of permitted services between the
source and destination addresses. See “Adding the firewall policy” on page 1298.
• Configure the remote clients. For example, see “Configuring a Linux client” on
page 1305.

Authenticating L2TP clients
L2TP clients must be authenticated before a tunnel is established. The authentication
process relies on FortiGate user group definitions, which can optionally use established
authentication mechanisms such as RADIUS or LDAP to authenticate L2TP clients. All
L2TP clients are challenged when a connection attempt is made.
To enable authentication, you must create user accounts and a user group to identify the
L2TP clients that need access to the network behind the FortiGate unit.
You can choose to use a plain text password for authentication or forward authentication
requests to an external RADIUS or LDAP server. If password protection will be provided
through a RADIUS or LDAP server, you must configure the FortiGate unit to forward
authentication requests to the authentication server.

Enabling L2TP and specifying an address range
The L2TP address range specifies the range of addresses reserved for remote clients.
When a remote client connects to the FortiGate unit, the client is assigned an IP address
from this range. Afterward, the FortiGate unit uses the assigned address to communicate
with the remote client.
The address range that you reserve can be associated with private or routable IP
addresses. If you specify a private address range that matches a network behind the
FortiGate unit, the assigned address will make the remote client appear to be part of the
internal network.
To enable L2TP and specify the L2TP address range, use the config vpn l2tp CLI
command.
The following example shows how to enable L2TP and set the L2TP address range using
a starting address of 192.168.10.80 and an ending address of 192.168.10.100 for
an existing group of L2TP users named L2TP_users:
config vpn l2tp
set sip 192.168.10.80
set eip 192.168.10.100
set status enable
set usrgrp L2TP_users
end

Defining firewall source and destination addresses
Before you define the firewall policy, you must define the source and destination
addresses of packets that are to be transported through the L2TP tunnel:
• For the source address, enter the range of addresses that you reserved for remote
L2TP clients (for example 192.168.10.[80-100]).
• For the destination address, enter the IP addresses of the computers that the L2TP
clients need to access on the private network behind the FortiGate unit (for example,
172.16.5.0/24 for a subnet, or 172.16.5.1 for a server or host, or
192.168.10.[10-15] for an IP address range).

To define the firewall source address
1 Go to Firewall > Address and select Create New.
2 In the Address Name field, type a name that represents the range of addresses that
you reserved for remote clients (for example, Ext_L2TPrange).
3 In Type, select Subnet / IP Range.
4 In the Subnet / IP Range field, type the corresponding IP address range.
5 In Interface, select the FortiGate interface that connects to the clients.
This is usually the interface that connects to the Internet.
6 Select OK.
To define the firewall destination address
1 Go to Firewall > Address and select Create New.
2 In the Address Name field, type a name that represents a range of IP addresses on the
network behind the FortiGate unit (for example, Int_L2TPaccess).
3 In Type, select Subnet / IP Range.
4 In the Subnet / IP Range field, type the corresponding IP address range.
5 In Interface, select the FortiGate interface that connects to the network behind the
FortiGate unit.
6 Select OK.
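Both the PPTP note earlier (start and end IPs must sit in the same 24-bit subnet) and the address objects defined here (the 192.168.10.[80-100] style range that the policy's source address must contain) reduce to a little address arithmetic that is worth checking before the configuration is pushed. The following Python is an added example, not code from the handbook or from FortiOS; the function names and the sample range 192.168.10.80 to 192.168.10.100 are my own choices, and the ordering check (eip not below sip) is an extra condition beyond the note's wording.

```python
import ipaddress
import re

# Constructed sample VPN address range (not from the handbook).
VPN_RANGE = ("192.168.10.80", "192.168.10.100")

# FortiGate IP-range notation as written in the handbook: x.y.z.[a-b]
_RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")


def same_24bit_subnet(sip: str, eip: str) -> bool:
    """The handbook's rule for config vpn pptp: sip and eip in one /24.
    Also rejects a range whose end precedes its start (my addition)."""
    start = ipaddress.IPv4Address(sip)
    end = ipaddress.IPv4Address(eip)
    if end < start:
        return False
    net_start = ipaddress.ip_network(f"{sip}/24", strict=False)
    net_end = ipaddress.ip_network(f"{eip}/24", strict=False)
    return net_start == net_end


def expand_fortigate_address(spec: str):
    """Expand a firewall address written as x.y.z.[a-b] (IP range),
    a.b.c.d/nn (subnet) or a.b.c.d (single host) into IPv4Address objects."""
    m = _RANGE_RE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"bad range: {spec}")
        return [ipaddress.IPv4Address(f"{prefix}.{i}") for i in range(lo, hi + 1)]
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        # hosts() drops network/broadcast for /30 and larger; keep all for /31, /32
        return list(net) if net.prefixlen >= 31 else list(net.hosts())
    return [ipaddress.IPv4Address(spec)]


def address_covers_vpn_range(spec: str, sip: str, eip: str) -> bool:
    """True if every address the VPN can assign is inside the address object
    named as the tunnel's source (or destination) in the firewall policy."""
    start, end = ipaddress.IPv4Address(sip), ipaddress.IPv4Address(eip)
    covered = set(expand_fortigate_address(spec))
    needed = (ipaddress.IPv4Address(int(start) + i)
              for i in range(int(end) - int(start) + 1))
    return all(a in covered for a in needed)


if __name__ == "__main__":
    sip, eip = VPN_RANGE
    print("same /24:", same_24bit_subnet(sip, eip))
    print("Ext_L2TPrange covers VPN range:",
          address_covers_vpn_range("192.168.10.[80-100]", sip, eip))
```

address_covers_vpn_range answers the question the policy section depends on: does the address object selected as the tunnel source actually contain every address the VPN can hand out? If it does not, the tunnel still comes up, but traffic from the clients that drew the uncovered addresses is silently denied by the policy, which is a confusing failure to troubleshoot after the fact.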

Adding the firewall policy
The firewall policy specifies the source and destination addresses that can generate traffic
inside the L2TP tunnel and defines the scope of services permitted through the tunnel. If a
selection of services are required, define a service group.

To define the traffic and services permitted inside the L2TP tunnel
1 Go to Firewall > Policy and select Create New.
2 Enter these settings in particular:
Source Interface/Zone: Select the FortiGate interface to the Internet.
Source Address: Select the name that corresponds to the range of addresses that you
reserved for L2TP clients (for example, Ext_L2TPrange).
Destination Interface/Zone: Select the FortiGate interface to the internal (private) network.
Destination Address: Select the name that corresponds to the IP addresses behind the
FortiGate unit (for example, Int_L2TPaccess).
Service: Select ANY, or if selected services are required instead, select the service group
that you defined previously.
Action: Select ACCEPT.

3 You may enable NAT, a protection profile, and/or event logging, or select Enable
Identity Based Policy to add authentication or shape traffic. See the “Firewall Policy”
chapter of the FortiGate Administration Guide.
4 Select OK.

Configuring a Linux client
The following procedure outlines how to install L2TP client software and run an L2TP
tunnel on a Linux computer. Obtain an L2TP client package that meets your requirements
(for example, rp-l2tp). If needed to encrypt traffic, obtain L2TP client software that
supports encryption using MPPE.
To establish an L2TP tunnel with a FortiGate unit that has been set up to accept L2TP
connections, you can obtain and install the client software following these general
guidelines:
1 If encryption is required but MPPE support is not already present in the kernel,
download and install an MPPE kernel module and reboot your computer.
2 Download and install the L2TP client package.
3 Configure an L2TP connection to run the L2TP program.
4 Configure routes to determine whether all or some of your network traffic will be sent
through the tunnel. You must define a route to the remote network over the L2TP link
and a host route to the FortiGate unit.
5 Run l2tpd to start the tunnel.
Follow the software supplier’s documentation to complete the steps.
To configure the system, you need to know the public IP address of the FortiGate unit, and
the user name and password that has been set up on the FortiGate unit to authenticate
L2TP clients. Contact the FortiGate administrator if required to obtain this information.

Monitoring L2TP sessions
You can display a list of all active sessions and view activity by port number. By default,
port 1701 is used for L2TP VPN-related communications.
If required, active sessions can be stopped from this view. For more information, see the
“System Status” chapter of the FortiGate Administration Guide.
To view the list of active sessions
1 Go to System > Status.

2 In the Top Sessions widget, select Details.

Testing L2TP VPN connections
To confirm that a VPN between a local network and a dialup client has been configured
correctly, at the dialup client, issue a ping command to test the connection to the local
network. The VPN tunnel initializes when the dialup client attempts to connect.

Logging L2TP VPN events
You can configure the FortiGate unit to log VPN events. For L2TP VPNs, connection
events and tunnel status (up/down) are logged.
To log VPN events
1 Go to Log & Report > Log Config > Log Setting.
2 Enable the storage of log messages to one or more locations:
3 Select Apply.
To filter VPN events
1 Go to Log & Report > Log Config > Event Log.
2 Select Enable, and then select L2TP/PPTP/PPPoE service event.
3 Select Apply.
To view event logs
1 Go to Log & Report > Log Access.
2 If the option is available from the Log Type list, select the log file from disk or memory.

Session helpers
The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet
header information to firewall policies. This comparison determines whether to accept or
deny the packet and the session that the packet belongs to.
Some protocols include information in the packet body (or payload) that must be analyzed
to successfully process sessions for this protocol. For example, the SIP VoIP protocol
uses TCP control packets with a standard destination port to set up SIP calls. But the
packets that carry the actual conversation can use a variety of UDP protocols with a
variety of source and destination port numbers. The information about the protocols and
port numbers used for a SIP call is contained in the body of the SIP TCP control packets.
To successfully process SIP VoIP calls, FortiOS must be able to extract information from
the body of the SIP packet and use this information to allow the voice-carrying packets
through the firewall.
FortiOS uses session helpers to analyze the data in the packet bodies of some protocols
and adjust the firewall to allow those protocols to send packets through the firewall. This
section describes:


• Viewing the session helper configuration
• Changing the session helper configuration
• DCE-RPC session helper (dcerpc)
• DNS session helpers (dns-tcp and dns-udp)
• File transfer protocol (FTP) session helper (ftp)
• H.245 session helpers (h245I and h245O)
• H.323 and RAS session helpers (h323 and ras)
• Media Gateway Controller Protocol (MGCP) session helper (mgcp)
• ONC-RPC portmapper session helper (pmap)
• PPTP session helper for PPTP traffic (pptp)
• Remote shell session helper (rsh)
• Real-Time Streaming Protocol (RTSP) session helper (rtsp)
• Session Initiation Protocol (SIP) session helper (sip)
• Trivial File Transfer Protocol (TFTP) session helper (tftp)
• Oracle TNS listener session helper (tns)

Viewing the session helper configuration
You can view the session helpers enabled on your FortiGate unit from the CLI using the
following command. The following output shows the first two session helpers. The number
of session helpers can vary to around 20.
show system session-helper
config system session-helper
edit 1
set name pptp
set port 1723
set protocol 6
next
edit 2
set name h323
set port 1720
set protocol 6
next
.
.
.
end
The configuration for each session helper includes the name of the session helper and the
port and protocol number on which the session helper listens for sessions. Session
helpers listen on protocol number 6 (TCP) or 17 (UDP). For a complete list of protocol
numbers see: Assigned Internet Protocol Numbers.
For example, the output above shows that FortiOS listens for PPTP packets on TCP port
1723 and H.323 packets on TCP port 1720.
If a session helper listens on more than one port or protocol, more than one entry for
the session helper appears in the config system session-helper list. For example,
the pmap session helper appears twice because it listens on TCP port 111 and UDP port
111. The rsh session helper appears twice because it listens on TCP ports 514 and 512.

Changing the session helper configuration
Normally you will not need to change the configuration of the session helpers. However in
some cases you may need to do the following:

Changing the protocol or port that a session helper listens on
Most session helpers are configured to listen for their sessions on the port and protocol
that they typically use. If your FortiGate unit receives sessions that should be handled by a
session helper on a non-standard port or protocol you can use the following procedure to
change the port and protocol used by a session helper.
To change the port that the pmap session helper listens on to TCP port 112
The following example shows how to change the port that the pmap session helper listens
on for Sun RPC portmapper TCP sessions. By default pmap listens on TCP port 111.
1 Begin by confirming that the TCP pmap session helper entry is 11 in the session-helper
list:
show system session-helper 11
config system session-helper
edit 11
set name pmap
set port 111
set protocol 6
next
end
2 Enter the following command to change the TCP port to 112.
config system session-helper
edit 11
set port 112
end
3 The pmap session helper also listens on UDP port 111. Confirm that the UDP pmap
session helper entry is 12 in the session-helper list:
show system session-helper 12
config system session-helper
edit 12
set name pmap
set port 111
set protocol 17
next
end
4 Enter the following command to change the UDP port to 112.
config system session-helper
edit 12
set port 112
end
To change the protocol that the h323 session helper listens on
Use the following command to set the h323 session helper to listen on the UDP
protocol:
1 Confirm that the h323 session helper entry is 2 in the session-helper list:
show system session-helper 2
config system session-helper
edit 2
set name h323
set port 1720
set protocol 6
next
end
2 Enter the following command to change the protocol to UDP.
config system session-helper
edit 2
set protocol 17
end
To configure a session helper to listen on a new port and protocol
If a session helper listens on more than one port or protocol, then multiple entries for the
session helper must be added to the session helper list, one for each port and protocol
combination. For example, the rtsp session helper listens on TCP ports 554, 7070, and
8554 so there are three rtsp entries in the session-helper list. If your FortiGate unit
receives rtsp packets on a different TCP port (for example, 6677) you can use the
following command to configure the rtsp session helper to listen on TCP port 6677.
config system session-helper
edit 0
set name rtsp
set port 6677
set protocol 6
end

Disabling a session helper
In some cases you may need to disable a session helper. Disabling a session helper just
means removing it from the session-helper list so that the session helper is not listening
on a port. You can completely disable a session helper by deleting all of its entries from
the session helper list. If there are multiple entries for a session helper on the list you can
delete one of the entries to prevent the session helper from listening on that port.
To disable the mgcp session helper from listening on UDP port 2427
1 Enter the following command to find the mgcp session helper entry that listens on UDP
port 2427:
show system session-helper
.
.
.
edit 19
set name mgcp
set port 2427
set protocol 17
next
.
.
.
2 Enter the following command to delete session-helper list entry number 19 to disable
the mgcp session helper from listening on UDP port 2427:
config system session-helper
delete 19
To completely disable the mgcp session helper
By default the mgcp session helper listens on UDP ports 2427 and 2727. The previous
procedure shows how to disable the mgcp protocol from listening on port 2427. The
following procedure completely disables the mgcp session helper by also disabling it from
listening on UDP port 2727.
1 Enter the following command to find the mgcp session helper entry that listens on UDP
port 2727:
show system session-helper
.
.
.
edit 20
set name mgcp
set port 2727
set protocol 17
next
.
.
.
2 Enter the following command to delete session-helper list entry number 20 to disable
the mgcp session helper from listening on UDP port 2727:
config system session-helper
delete 20
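The listing format shown under “Viewing the session helper configuration” and the entry-number juggling in the procedures above (confirm which entry number a helper has, then change or delete that entry) are easy to get wrong on a unit with twenty-odd entries, and a wrong number silently changes the wrong helper. The following Python parses that listing offline, reports what each helper listens on, and derives the delete commands. It is an added example, not FortiOS code or real output: SAMPLE_LISTING is a constructed listing that only mirrors the entries the handbook names (pptp, h323, pmap, mgcp) with the entry numbers the procedures give, and the function names are mine.

```python
import re

# Constructed sample in the shape of "show system session-helper" output.
# Entry numbers and ports follow the handbook's procedures; it is not a capture.
SAMPLE_LISTING = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 11
        set name pmap
        set port 111
        set protocol 6
    next
    edit 12
        set name pmap
        set port 111
        set protocol 17
    next
    edit 19
        set name mgcp
        set port 2427
        set protocol 17
    next
    edit 20
        set name mgcp
        set port 2727
        set protocol 17
    next
end
"""

PROTO_NAMES = {6: "TCP", 17: "UDP"}


def parse_session_helpers(text):
    """Parse the listing into {entry_id: {"name": str, "port": int, "protocol": int}}."""
    entries, current, eid = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit (\d+)$", line)
        if m:
            eid, current = int(m.group(1)), {}
            continue
        m = re.match(r"^set (name|port|protocol) (\S+)$", line)
        if m and current is not None:
            key, val = m.groups()
            current[key] = val if key == "name" else int(val)
            continue
        if line == "next" and current is not None:
            entries[eid] = current
            current = None
    return entries


def listeners(entries, name):
    """Every (protocol, port) pair a helper listens on; an empty list means it is disabled."""
    return sorted((PROTO_NAMES.get(e["protocol"], str(e["protocol"])), e["port"])
                  for e in entries.values() if e["name"] == name)


def entry_ids_for(entries, name, protocol=None, port=None):
    """Entry numbers for a helper, optionally narrowed to one protocol/port.
    These are the numbers the 'edit N' / 'delete N' commands operate on."""
    return sorted(eid for eid, e in entries.items()
                  if e["name"] == name
                  and (protocol is None or e["protocol"] == protocol)
                  and (port is None or e["port"] == port))


def delete_commands(entries, name, protocol=None, port=None):
    """Render the CLI that removes the matching entries, as in the mgcp procedure."""
    ids = entry_ids_for(entries, name, protocol, port)
    if not ids:
        return ""
    body = "\n".join(f"    delete {eid}" for eid in ids)
    return f"config system session-helper\n{body}\nend"


if __name__ == "__main__":
    e = parse_session_helpers(SAMPLE_LISTING)
    for helper in ("pmap", "mgcp", "sip"):
        print(helper, listeners(e, helper))
    print(delete_commands(e, "mgcp"))
```

Resolving the entry number from the parsed listing, rather than from memory of what it was last time, matters because entries are renumbered only by their creation order: after a `delete` and a later `edit 0`, the same helper can come back under a different number, so a change script that hard-codes `edit 19` is exactly the kind of thing that ends up reconfiguring an unrelated helper.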

DCE-RPC session helper (dcerpc)
Distributed Computing Environment Remote Procedure Call (DCE-RPC) provides a way
for a program running on one host to call procedures in a program running on another
host. DCE-RPC (also called MS RPC for Microsoft RPC) is similar to ONC-RPC. Because
of the large number of RPC services, the transport address of an RPC service is
dynamically negotiated based on the service program's universal unique identifier (UUID).
The Endpoint Mapper (EPM) binding protocol in FortiOS maps the specific UUID to a
transport address.
To accept DCE-RPC sessions you must add a firewall policy with service set to any or to
the DCE-RPC pre-defined service (which listens on TCP and UDP ports 135). The dcerpc
session helper also listens on TCP and UDP ports 135.
The session helper allows FortiOS to handle DCE-RPC dynamic transport address
negotiation and to ensure UUID-based firewall policy enforcement. You can define a
firewall policy to permit all RPC requests or to permit by specific UUID number.
In addition, because a TCP segment in a DCE-RPC stream might be fragmented, it might
not include an intact RPC PDU. This fragmentation occurs in the RPC layer, so FortiOS
does not support parsing fragmented packets.

DNS session helpers (dns-tcp and dns-udp)
FortiOS includes two DNS session helpers, dns-tcp, a session helper for DNS over TCP,
and dns-udp, a session helper for DNS over UDP. The DNS session helpers monitor DNS
query and reply packets and close sessions if the DNS flag indicates the packet is a reply
message.
To accept DNS sessions you must add a firewall policy with service set to any or to the
DNS pre-defined service (which listens on TCP and UDP port 53). The dns-udp session
helper also listens on UDP port 53. By default the dns-tcp session helper is disabled. If
needed you can use the following command to enable the dns-tcp session helper to listen
for DNS sessions on TCP port 53:
    config system session-helper
        edit 0
            set name dns-tcp
            set port 53
            set protocol 6
    end

File transfer protocol (FTP) session helper (ftp)
The FTP session helper monitors PORT, PASV and 227 commands and NATs the IP
addresses and port numbers in the body of the FTP packets and opens ports on the
FortiGate unit as required.
To accept FTP sessions you must add a firewall policy with service set to any or to the
FTP, FTP_Put, and FTP_GET pre-defined services (which all listen on TCP port 21).

H.245 session helpers (h245I and h245O)
H.245 is a control channel protocol used for H.323 and other similar communication
sessions. H.245 sessions transmit non-telephone signals. H.245 sessions carry
information needed for multimedia communication, such as encryption, flow control, jitter
management and others.
FortiOS includes two H.245 session helpers: h245I, which is for H.245 call-in sessions, and
h245O, which is for H.245 call-out sessions. There is no standard port for H.245. By default
the H.245 session helpers are disabled. You can enable them as you would any other
session helper. When you enable them, you should specify the port and protocol on which
the FortiGate unit receives H.245 sessions.

H.323 and RAS session helpers (h323 and ras)
The H.323 session helper supports secure H.323 voice over IP (VoIP) sessions between
terminal endpoints such as IP phones and multimedia devices. In H.323 VoIP networks,
gatekeeper devices manage call registration, admission, and call status for VoIP calls. The
FortiOS h323 session helper supports gatekeepers installed on two different networks or
on the same network.
To accept H.323 sessions you must add a firewall policy with service set to any or to the
H323 pre-defined service (which listens on TCP port numbers 1720 and 1503 and on UDP
port number 1719). The h323 session helper listens on TCP port 1720.
The ras session helper is used with the h323 session helper for H.323 Registration,
Admission, and Status (RAS) services. The ras session helper listens on UDP port 1719.

Alternate H.323 gatekeepers
The h323 session helper supports using H.323 alternate gatekeepers. All the H.323 end
points must register with a gatekeeper through the Registration, Admission, and Status
(RAS) protocol before they make calls. During the registration process, the primary
gatekeeper sends Gatekeeper Confirm (GCF) and Registration Confirm (RCF) messages
to the H.323 end points that contain the list of available alternate gatekeepers.
The alternate gatekeeper provides redundancy and scalability for the H.323 end points. If
the primary gatekeeper fails the H.323 end points that have registered with that
gatekeeper are automatically registered with the alternate gatekeeper. To use the H.323
alternate gatekeeper, you need to configure firewall policies that allow H.323 end points to
reach the alternate gatekeeper.

Media Gateway Controller Protocol (MGCP) session helper (mgcp)
The Media Gateway Control Protocol (MGCP) is a text-based application layer protocol
used for VoIP call setup and control. MGCP uses a master-slave call control architecture
in which the media gateway controller uses a call agent to maintain call control
intelligence, while the media gateways perform the instructions of the call agent.
To accept MGCP sessions you must add a firewall policy with service set to any or to the
MGCP pre-defined service (which listens on UDP port numbers 2427 and 2727). The
mgcp session helper also listens on UDP port numbers 2427 and 2727.
The MGCP session helper does the following:
• VoIP signalling payload inspection. The payload of the incoming VoIP signalling packet
is inspected and malformed packets are blocked.
• Signaling packet body inspection. The payload of the incoming MGCP signaling packet
is inspected according to RFC 3435. Malformed packets are blocked.
• Stateful processing of MGCP sessions. State machines are invoked to process the
parsed information. Any out-of-state or out-of-transaction packet is identified and
properly handled.
• MGCP Network Address Translation (NAT). Embedded IP addresses and ports in
packet bodies are properly translated based on current routing information and network
topology, and are replaced with the translated IP address and port number, if necessary.
• Manages pinholes for VoIP traffic. To keep the VoIP network secure, the IP address
and port information used for media or signalling is identified by the session helper,
and pinholes are dynamically created and closed during call setup.

ONC-RPC portmapper session helper (pmap)
Open Network Computing Remote Procedure Call (ONC-RPC) is a widely deployed
remote procedure call system. Also called Sun RPC, ONC-RPC allows a program running
on one host to call a program running on another. The transport address of an ONC-RPC
service is dynamically negotiated based on the service's program number and version
number. Several binding protocols are defined for mapping the RPC program number and
version number to a transport address.
To accept ONC-RPC sessions you must add a firewall policy with service set to any or to
the ONC-RPC pre-defined service (which listens on TCP and UDP port number 111). The
RPC portmapper session helper (called pmap) handles the dynamic transport address
negotiation mechanisms of ONC-RPC.

PPTP session helper for PPTP traffic (pptp)
The PPTP session helper supports port address translation (PAT) for PPTP traffic. PPTP
provides IP security at the Network Layer. PPTP consists of a control session and a data
tunnel. The control session runs over TCP and helps in establishing and disconnecting the
data tunnel. The data tunnel handles encapsulated Point-to-Point Protocol (PPP) packets
carried over IP.
To accept PPTP sessions that pass through the FortiGate unit you must add a firewall
policy with service set to any or to the PPTP pre-defined service (which listens on IP port
47 and TCP port 1723). The pptp session helper listens on TCP port 1723.
PPTP uses TCP port 1723 for control sessions and Generic Routing Encapsulation (GRE)
(IP protocol 47) for tunneling the encapsulated PPP data. The GRE traffic carries no port
number, making it difficult to distinguish between two clients with the same public IP
address. PPTP uses the source IP address and the Call ID field in the GRE header to
identify a tunnel. When multiple clients sharing the same IP address establish tunnels with
the same PPTP server, they may get the same Call ID. The call ID value can be translated
in both the control message and the data traffic, but only when the client is in a private
network and the server is in a public network.
PPTP clients can either directly connect to the Internet or dial into a network access server
to reach the Internet. A FortiGate unit that protects PPTP clients can translate the clients’
private IP addresses to a pool of public IP addresses using NAT port translation (NAT-PT).
Because the GRE traffic carries no port number for address translation, the pptp session
helper treats the Call ID field as a port number as a way of distinguishing multiple clients.

After the PPTP client establishes a TCP connection with the PPTP server, the client sends a
start control connection request message to establish a control connection. The server
replies with a start control connection reply message. The client then sends a request to
establish a call and sends an outgoing call request message. FortiOS assigns a Call ID
(bytes 12-13 of the control message) that is unique to each PPTP tunnel. The server
replies with an outgoing call reply message that carries its own Call ID in bytes 12-13 and
the client’s call ID in bytes 14-15. The pptp session helper parses the control connection
messages for the Call ID to identify the call to which a specific PPP packet belongs. The
session helper also identifies an outgoing call request message using the control
message type field (bytes 8-9) with the value 7. When the session helper receives this
message, it parses the control message for the call ID field (bytes 12-13). FortiOS
translates the call ID so that it is unique across multiple calls from the same translated
client IP. After receiving the outgoing call reply message, the session helper holds this
message and opens a port that accepts GRE traffic that the PPTP server sends. An
outgoing call request message contains the following parts:
• The protocol used for the outgoing call request message (usually GRE)
• Source IP address (PPTP server IP)
• Destination IP address (translated client IP)
• Destination port number (translated client call ID)
The session helper identifies an outgoing call reply message using the control message
type field (bytes 8-9) with the value 8. The session helper parses these control messages
for the call ID field (bytes 12-13) and the client’s call ID (bytes 14-15). The session helper
then uses the client’s call ID value to find the mapping created for the other direction, and
then opens a pinhole to accept the GRE traffic that the client sends. An outgoing call reply
message contains the following parts:
• Protocol used for the outgoing call reply message (usually GRE)
• Source IP address (PPTP client IP)
• Destination IP address (PPTP server IP)
• Destination port number (PPTP server Call ID)
Each port that the session helper opens creates a session for data traffic arriving in that
direction. The session helper opens the following two data sessions for each tunnel:
• Traffic from the PPTP client to the server, using the server’s call ID as the destination
port
• Traffic from the PPTP server to the client, using the client’s translated call ID as the
destination port
The default timeout value of the control connection is 30 minutes. The session helper
closes the pinhole when the data session exceeds the timeout value or is idle for an
extended period.
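The Call ID handling described above, as an added Python example that is not FortiOS code: it reads the control-message fields at the byte offsets the handbook gives (type at bytes 8-9, Call ID at bytes 12-13, peer Call ID at bytes 14-15), rewrites a client's Call ID so it stays unique behind one translated address, and records the two GRE pinholes per tunnel. The PptpHelper class, the sample messages and the addresses are constructed for this example.

```python
import struct
from dataclasses import dataclass, field

# Control message type values named in the handbook text.
OUTGOING_CALL_REQUEST = 7
OUTGOING_CALL_REPLY = 8


def parse_control_message(data: bytes):
    """Return (control message type, Call ID, peer Call ID) from a PPTP control message.

    Offsets follow the handbook: message type at bytes 8-9, Call ID at bytes 12-13,
    peer Call ID at bytes 14-15; all three are big-endian 16-bit fields.
    """
    if len(data) < 16:
        raise ValueError("truncated PPTP control message")
    msg_type = struct.unpack_from("!H", data, 8)[0]
    call_id = struct.unpack_from("!H", data, 12)[0]
    peer_call_id = struct.unpack_from("!H", data, 14)[0]
    return msg_type, call_id, peer_call_id


def build_control_message(msg_type: int, call_id: int, peer_call_id: int = 0) -> bytes:
    """Constructed sample message: length, PPTP message type 1 (control), magic cookie,
    control message type, reserved, Call ID, peer Call ID (16 bytes in total)."""
    return struct.pack("!HHIHHHH", 16, 1, 0x1A2B3C4D, msg_type, 0, call_id, peer_call_id)


@dataclass
class PptpHelper:
    """Hypothetical model of the pptp session helper for clients NATed to one public IP."""
    translated_ip: str
    used_ids: set = field(default_factory=set)         # Call IDs in use on translated_ip
    client_to_nat: dict = field(default_factory=dict)  # (client_ip, original id) -> translated id
    pinholes: list = field(default_factory=list)       # (proto, src_ip, dst_ip, Call ID as "port")

    def translate_call_id(self, client_ip: str, call_id: int) -> int:
        # Two clients behind the same address may pick the same Call ID, so take the
        # next free value to keep the ID unique across calls from the translated IP.
        new_id = call_id
        while new_id in self.used_ids:
            new_id = (new_id + 1) & 0xFFFF
        self.used_ids.add(new_id)
        self.client_to_nat[(client_ip, call_id)] = new_id
        return new_id

    def outbound(self, client_ip: str, server_ip: str, data: bytes) -> bytes:
        """Client -> server: translate the Call ID of an outgoing call request (type 7)
        and open the pinhole for the GRE traffic the server will send to the client."""
        msg_type, call_id, _ = parse_control_message(data)
        if msg_type != OUTGOING_CALL_REQUEST:
            return data  # other control messages pass through unchanged
        new_id = self.translate_call_id(client_ip, call_id)
        self.pinholes.append(("GRE", server_ip, self.translated_ip, new_id))
        return data[:12] + struct.pack("!H", new_id) + data[14:]

    def inbound(self, server_ip: str, data: bytes):
        """Server -> client: match an outgoing call reply (type 8) to its request through
        the peer Call ID (bytes 14-15), restore the client's original ID and open the
        pinhole for the GRE traffic the client will send (server's Call ID as 'port')."""
        msg_type, server_call_id, peer_call_id = parse_control_message(data)
        if msg_type != OUTGOING_CALL_REPLY:
            return data, None
        for (client_ip, original_id), nat_id in self.client_to_nat.items():
            if nat_id == peer_call_id:
                self.pinholes.append(("GRE", client_ip, server_ip, server_call_id))
                return data[:14] + struct.pack("!H", original_id) + data[16:], client_ip
        return data, None  # no matching request: leave the reply untouched
```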

Remote shell session helper (rsh)
Using the remote shell program (RSH), authenticated users can run shell commands on
remote hosts. RSH sessions most often use TCP port 514. To accept RSH sessions you
must add a firewall policy with service set to any or to the RSH pre-defined service (which
listens on TCP port number 514).
FortiOS automatically invokes the rsh session helper to process all RSH sessions on TCP
port 514. The rsh session helper opens the ports required for the RSH service to operate
through a FortiGate unit running in NAT/Route or Transparent mode and supports port
translation of RSH traffic.

Real-Time Streaming Protocol (RTSP) session helper (rtsp)
The Real-Time Streaming Protocol (RTSP) is an application layer protocol often used by
SIP to control the delivery of multiple synchronized multimedia streams, for example,
related audio and video streams. Although RTSP is capable of delivering the data streams
itself it is usually used like a network remote control for multimedia servers. The protocol is
intended for selecting delivery channels (like UDP, multicast UDP, and TCP) and for
selecting a delivery mechanism based on the Real-Time Protocol (RTP). RTSP may also
use the SIP Session Description Protocol (SDP) as a means of providing information to
clients for aggregate control of a presentation consisting of streams from one or more
servers, and non-aggregate control of a presentation consisting of multiple streams from a
single server.
To accept RTSP sessions you must add a firewall policy with service set to any or to the
RTSP pre-defined service (which listens on TCP ports 554, 770, and 8554 and on UDP
port 554). The rtsp session helper listens on TCP ports 554, 770, and 8554.
The rtsp session helper is required because RTSP uses dynamically assigned port numbers
that are communicated in the packet body when end points establish a control connection.
The session helper keeps track of the port numbers and opens pinholes as required. In
Network Address Translation (NAT) mode, the session helper translates IP addresses and
port numbers as necessary.
In a typical RTSP session the client starts the session (for example, when the user selects
the Play button on a media player application) and establishes a TCP connection to the
RTSP server on port 554. The client then sends an OPTIONS message to find out what
audio and video features the server supports. The server responds to the OPTIONS
message by specifying the name and version of the server, and a session identifier, for
example, 24256-1.
The client then sends the DESCRIBE message with the URL of the actual media file the
client wants to play. The server responds to the DESCRIBE message with a description of
the media in the form of SDP code. The client then sends the SETUP message, which
specifies the transport mechanisms acceptable to the client for streamed media, for
example RTP/RTCP or RDT, and the ports on which it receives the media.
In a NAT configuration the rtsp session helper keeps track of these ports and addresses
and translates them as necessary. The server responds to the SETUP message and selects
one of the transport protocols. When both client and server agree on a mechanism for
media transport the client sends the PLAY message, and the server begins streaming the
media.
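The SETUP step above, as an added Python example that is not FortiOS code: it pulls the client_port range out of the SETUP request's Transport header, rewrites it to ports on the NAT address, and when the server's reply arrives opens one UDP pinhole per negotiated port and restores the client's original ports. The RTSP messages, addresses and port numbers are constructed for this example; the server reply carries the translated client ports because that is what the server saw.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample exchange (not a capture): the client offers to receive RTP/RTCP on
# ports 4588-4589; the server, which only ever saw the translated request, echoes the
# translated client ports and adds its own server ports.
SETUP_REQUEST = (
    "SETUP rtsp://media.example.com/clip.mp4/track1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n"
    "\r\n"
)
SETUP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 24256-1\r\n"
    "Transport: RTP/AVP;unicast;client_port=30000-30001;server_port=6256-6257\r\n"
    "\r\n"
)

PORT_RANGE = re.compile(r"(client_port|server_port)=(\d+)-(\d+)")


def transport_ports(message: str) -> Dict[str, Tuple[int, int]]:
    """Return the port ranges announced in the Transport header of an RTSP message."""
    for line in message.split("\r\n"):
        if line.lower().startswith("transport:"):
            return {name: (int(lo), int(hi)) for name, lo, hi in PORT_RANGE.findall(line)}
    raise ValueError("no Transport header in RTSP message")


def outbound_setup(request: str, client_ip: str, nat_ip: str, first_nat_port: int):
    """Client -> server: rewrite client_port to ports on the NAT address and remember
    which private address and port each translated port stands for."""
    lo, hi = transport_ports(request)["client_port"]
    mapping = {}
    for i in range(hi - lo + 1):
        mapping[(nat_ip, first_nat_port + i)] = (client_ip, lo + i)
    nat_hi = first_nat_port + (hi - lo)
    rewritten = request.replace(f"client_port={lo}-{hi}",
                                f"client_port={first_nat_port}-{nat_hi}")
    return rewritten, mapping


def inbound_setup_reply(response: str, mapping: dict, server_ip: str):
    """Server -> client: open one UDP pinhole per negotiated port (server_port[i] towards
    the translated client_port[i], forwarded to the private port) and put the client's
    original client_port back so the client recognises the answer."""
    ports = transport_ports(response)
    nat_lo, nat_hi = ports["client_port"]
    srv_lo, _ = ports["server_port"]
    nat_ip = next(iter(mapping))[0]
    pinholes: List[tuple] = []
    for i in range(nat_hi - nat_lo + 1):
        client_ip, client_port = mapping[(nat_ip, nat_lo + i)]
        pinholes.append(("UDP", server_ip, srv_lo + i, nat_ip, nat_lo + i, client_ip, client_port))
    orig_lo = mapping[(nat_ip, nat_lo)][1]
    orig_hi = mapping[(nat_ip, nat_hi)][1]
    rewritten = response.replace(f"client_port={nat_lo}-{nat_hi}",
                                 f"client_port={orig_lo}-{orig_hi}")
    return rewritten, pinholes
```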

Session Initiation Protocol (SIP) session helper (sip)
The sip session helper is described in “The SIP session helper” on page 1912.

Trivial File Transfer Protocol (TFTP) session helper (tftp)
To accept TFTP sessions you must add a firewall policy with service set to any or to the
TFTP pre-defined service (which listens on UDP port number 69). The TFTP session
helper also listens on UDP port number 69.
TFTP initiates transfers on UDP port 69, but the actual data transfer ports are selected by
the server and client during initialization of the connection. The tftp session helper reads
the transfer ports selected by the TFTP client and server during negotiation and opens
these ports on the firewall so that the TFTP data transfer can be completed. When the
transfer is complete the tftp session helper closes the open ports.

Oracle TNS listener session helper (tns)
The Oracle Transparent Network Substrate (TNS) listener listens on TCP port 1521
for network requests to be passed to a database instance. The Oracle TNS listener
session helper (tns) listens for TNS sessions on TCP port 1521. TNS is a foundation
technology built into the Oracle Net foundation layer and used by SQLNET.

Chapter 11 Virtual Domains
This FortiOS Handbook chapter contains the following sections:
Virtual Domains provides an overview of the VDOM technologies, and the basic concepts
and rules for using them. We recommend that you begin with this chapter before
attempting to configure VDOMs on your FortiGate unit.
Virtual Domains in NAT/Route mode provides detailed explanations and examples for
configuring VDOM features in your FortiGate unit using the NAT/Route mode.
Virtual Domains in Transparent mode provides detailed explanations, as well as basic and
advanced examples for configuring these features in your FortiGate unit using
Transparent mode.
Inter-VDOM routing describes inter-VDOM routing concepts and scenarios, and gives
examples that illustrate them.
Troubleshooting Virtual Domains provides diagnostic and troubleshooting information for
some potential VDOM issues.

Virtual Domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual
units that function as multiple independent units. VDOMs can provide separate firewall
policies and, in NAT/Route mode, completely separate configurations for routing and VPN
services for each connected network or organization.
This chapter will cover the basics of VDOMs, how they change your FortiGate unit, and
how to work with VDOMs.
VDOMs let you split your physical FortiGate unit into multiple virtual units. The resulting
benefits range from limiting Transparent mode ports to simplified administration, and
reduced space and power requirements.
When VDOMs are disabled on any FortiGate unit, there is still one VDOM active: the root
VDOM. It is always there in the background. When VDOMs are disabled, the root VDOM
is not visible but it is still there.
The root VDOM must be there because the FortiGate unit needs a management VDOM
for management traffic among other things. It is also why, when you enable VDOMs, all
your configuration is preserved in the root VDOM, because that is where you originally
configured it.
This section includes:
• Before you begin
• Benefits of Virtual Domains
• Enabling and accessing Virtual Domains
• Configuring Virtual Domains

Before you begin
Before you begin using this guide, take a moment to note the following:
• The information in this guide applies to all FortiGate units. All FortiGate models except
the FortiGate-30B model support VDOMs, and all FortiGate models support VLANs.
• By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination
of NAT/Route and Transparent operating modes. For FortiGate models numbered
3000 and higher, you can purchase a license key to increase the maximum number to
25, 50, 100 or 250 VDOMs.
• This guide assumes you are using a FortiGate unit with interfaces labelled port1
through port4. If this is not the case, use aliases to label other interfaces to match the
examples.
• Administrators are assumed to be super_admin administrators unless otherwise
specified. Some restrictions will apply to other administrators and are described in this
chapter.

Benefits of Virtual Domains
VDOMs provide the following benefits:
• Improving Transparent mode configuration
• Easier administration
• Continued security
• Savings in physical space and power
• More flexible MSSP configurations

Improving Transparent mode configuration
When VDOMs are not enabled and you put your FortiGate unit into Transparent mode, all
the interfaces on your unit become broadcast interfaces. The problem is there are no
interfaces free to do anything else.
With multiple VDOMs you can have one of them configured in Transparent mode, and the
rest in NAT/Route mode. In this configuration, you have an available Transparent mode
FortiGate unit you can drop into your network for troubleshooting, and you also have the
standard.

Easier administration
VDOMs provide separate security domains that allow separate zones, user authentication,
firewall policies, routing, and VPN configurations. VDOMs separate security domains and
simplify administration of complex configurations—you do not have to manage as many
settings at one time. For more information, see “Global and per-VDOM settings” on
page 1325.
By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the
unit’s physical interfaces, modem, VLAN subinterfaces, zones, firewall policies, routing
settings, and VPN settings.
Also, you can optionally assign an administrator account restricted to one VDOM. If the
VDOM is created to serve an organization, this feature enables the organization to
manage its own configuration. For more information, see “Administrators in Virtual
Domains” on page 1343.
Each physical FortiGate unit requires a FortiGuard license to access security updates.
VDOMs do not require any additional FortiGuard licenses, or updating — all the security
updates for all the VDOMs are performed once per update at the global level. Combined
this can be a potentially large money and time saving feature in your network.
Management systems such as SNMP, logging, alert email, FDN-based updates, and
NTP-based time setting use addresses and routing in the management VDOM to communicate
with the network. They can connect only to network resources that communicate with the
management VDOM. Using a separate VDOM for management traffic enables easier
management of the FortiGate unit global settings, and VDOM administrators can also
manage their VDOMs more easily. For more information, see “Changing the management
virtual domain” on page 1347.

Continued security
When a packet enters a VDOM, it is confined to that VDOM and is subject to any firewall
policies for connections between VLAN subinterfaces or zones in that VDOM, just like
those interfaces on a FortiGate unit without VDOMs enabled.
To travel between VDOMs, a packet must first pass through a firewall policy on a physical
interface. The packet then arrives at another VDOM on that same FortiGate unit, but on a
different interface, where it must pass through another firewall before entering. It doesn’t
matter if the interface is physical or virtual — inter-VDOM packets still require the same
security measures as when passing through physical interfaces.

VDOMs provide an additional level of security because regular administrator accounts are
specific to one VDOM — an administrator restricted to one VDOM cannot change
information on other VDOMs. Any configuration changes and potential errors will apply
only to that VDOM and limit any potential down time. Using this concept, you can further
split settings so that the management domain is only accessible by the super_admin and
does not share any settings with the other VDOMs.

Savings in physical space and power
To increase the number of physical FortiGate units, you need more rack space, cables,
and power to install the new units. You also need to change your network configuration to
accommodate the new physical units. In the future, if you need fewer physical units you
are left with expensive hardware that is idle.
Increasing VDOMs involves no additional hardware, no additional cabling, and very few
changes to existing networking configurations. VDOMs save physical space and power.
You are limited only by the size of the VDOM license you buy and the physical resources
on the FortiGate unit.
For example if you are using one FortiGate 620B with 10 VDOMs instead of 10 of those
units, over a year you will save an estimated 18,000 kWh. You could potentially save ten
times that amount with a 100 VDOM license.
By default, FortiGate units support a maximum of 10 VDOMs in any combination of
NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher,
you can purchase a license key to increase the maximum number of VDOMs to 25, 50,
100, or 250. For more information on VDOM licences, see “Virtual Domain Licensing” on
page 1336.

More flexible MSSP configurations
If you are a managed security and service provider (MSSP), VDOMs are fundamental to
your business. As a service provider you have multiple customers, each with their own
needs and service plans. VDOMs allow you to have a separate configuration for each
customer, or group of customers; you can have up to 250 VDOMs configured on a
FortiGate unit on high end models. See “Virtual Domain Licensing” on page 1336.
Not only does this provide the exact level of service needed by each customer, but
administration of the FortiGate unit is easier as well - you can provide uninterrupted
service generally with immediate changes as required. Most importantly, it allows you to
only use the resources that each customer needs. Inter-VDOM links allow you to
customize the level of interaction you need between each of your customers and your
administrators. See “Inter-VDOM routing” on page 1385.

Enabling and accessing Virtual Domains
While Virtual Domains are essentially the same as your regular FortiGate unit for menu
configuration, CLI command structure, and general task flow, there are some small
differences.
After first enabling VDOMs on your FortiGate unit, you should take the time to familiarize
yourself with the interface. This section will help walk you through virtual domains.
This section includes:
• Enabling Virtual Domains
• Viewing the VDOM list
• Global and per-VDOM settings
• Resource settings
• Virtual Domain Licensing
• Logging in to VDOMs

Enabling Virtual Domains
When Virtual Domains are enabled, your FortiGate unit will change. Some of the changes
are visible in both the web-based manager and the CLI, some only in the web-based
manager, and some only in the CLI.
When enabling VDOMs, the web-based manager and the CLI are changed as follows:
• Global and per-VDOM configurations are separated. This is indicated in the Online
Help by Global and VDOM icons. See “Global and per-VDOM settings” on page 1325.
• Only admin accounts using the super_admin profiles can view or configure global
options. See “Administrators in Virtual Domains” on page 1343.
• Admin accounts using the super_admin profiles can configure all VDOM
configurations.
• All other administrator accounts can configure only the VDOM to which they are
assigned.

The following changes are specific to the web-based manager:
• The System > Dashboard > Status view is different for VDOMs.
• A VDOM button is added to the System menu between the Global view and the
per-VDOM view.
• A new control called Current VDOM is added at the bottom of the left menu. It indicates
which VDOM you are in, and allows you to easily select either another VDOM or Global
to move into. See Figure 188 on page 1323.

When VDOMs are enabled, the CLI is divided into VDOM specific and global areas. You
must specify one or the other before entering commands:
• To change FortiGate unit system settings, from the top level you must first enter
    config global
before entering commands.
• To change VDOM settings, from the top level you must first enter
    config vdom
        edit <vdom_name>
before entering your commands for that VDOM. For information on which commands
are global and which are per-VDOM, see “Global and per-VDOM settings” on
page 1325.

Figure 188: Menu with VDOMs disabled, at the global level, and VDOM level
[Figure panels: VDOMs disabled; VDOMs enabled (Global); VDOMs enabled (per-vdom); Current VDOM options]

Using the default admin administration account, you can enable or disable VDOM
operation on the FortiGate unit.
To enable VDOM configuration - web-based manager
1 Log in with a super_admin account.
2 Go to System > Dashboard > Status.
3 Under System Information > Virtual Domain, select Enable and confirm your selection.
The FortiGate unit logs off all sessions. You can now log in again as admin. For more
information, see “Administrators in Virtual Domains” on page 1343.
Figure 189: System Information
[Figure callouts: Serial Number; VDOMs are enabled]

To enable VDOM configuration - CLI
    config system global
        set vdom-admin enable
    end

Changes to FortiGate unit settings
Settings configured outside of a VDOM are called global settings. These settings affect
the entire FortiGate unit and include areas such as interfaces, HA, maintenance, some
antivirus, and some logging. In general, any unit settings that should only be changed by
the top level administrator are global settings.
Settings configured within a VDOM are called VDOM settings. These settings affect only
that specific VDOM and include areas such as operating mode, routing, firewall, VPN,
some antivirus, some logging, and reporting.
For more information, see “Global and per-VDOM settings” on page 1325.

Viewing the VDOM list
The VDOM list shows all virtual domains, their status, and which VDOM is the
management VDOM. It is accessible if you are logged in on an administrator account with
the super_admin profile such as the “admin” administrator account.
In the VDOM list you can create or delete VDOMs, edit VDOMs, change the management
VDOM, and enable or disable VDOMs.
Note: The root domain may not be disabled, even if it is not the management VDOM.

To view the VDOM list
1 For Current VDOM, select Global.
2 Go to System > VDOM > VDOM.
Figure 190: List of VDOMs
[Figure callouts: Select All; Create New; Edit; Delete; Management VDOM; Disabled VDOM; Active VDOM]

Create New          Select to add a new VDOM. See “Creating a Virtual Domain” on page 1340.
Edit                Select to change an existing selected VDOM.
Delete              Select to delete the selected VDOM. See “Deleting a VDOM” on page 1342.
Switch Management   Select to switch the management VDOM. Also shows the current
                    management VDOM. You must select an active non-management VDOM
                    before this option becomes available. See “Changing the management
                    virtual domain” on page 1347.
Disabled VDOM       A grey X indicates this VDOM is disabled. See “Disabling a Virtual
                    Domain” on page 1341.
Active VDOM         A green check indicates this VDOM is active. See “Disabling a Virtual
                    Domain” on page 1341.
Selected            When checked, this checkbox indicates this VDOM has been selected.
                    Nearly all operations such as Edit, Delete, and Switch Management
                    require a VDOM to first be selected.
VDOM Name           The name of the VDOM. VDOMs are listed in alphabetical order. When
                    the VDOM is active, you can select the VDOM name to enter that VDOM.
                    See “Enabling and accessing Virtual Domains” on page 1321.
Operation Mode      Indicates the operation mode as either NAT (for NAT/Route mode) or
                    TP (for Transparent mode).
Interfaces          The interfaces associated with this VDOM. Each VDOM also includes an
                    interface that starts with “ssl.” that is created by default.
Enable              Indicates if this VDOM is active, or disabled.
Comments            Comments entered when the VDOM was created are displayed here.

Global and per-VDOM settings
Settings configured outside of a VDOM are called global settings. These settings affect
the entire FortiGate unit and include areas such as interfaces, HA, maintenance, some
antivirus, and some logging. In general, any unit settings that should only be changed by
the top level administrator are global settings.
Settings configured within a VDOM are called VDOM settings. These settings affect only
that specific VDOM and include areas such as operating mode, routing, firewall, VPN,
some antivirus, some logging, and reporting.
Some FortiGate documentation marks which parts of the web-based manager or the CLI are
global and which are per-VDOM with icons. These icons are also present in the Online Help,
available on your FortiGate unit.
Figure 191: Global and VDOM icons

For more information on CLI commands, see the FortiGate CLI Reference.
This section includes:
• Global settings - web-based manager
• Per-VDOM settings - web-based manager
• Global settings - CLI
• Per-VDOM settings - CLI

Global settings - web-based manager
The following table lists commands in the web-based manager that are considered global
settings when VDOMs are enabled.


The following configuration settings affect all virtual domains. When virtual domains are
enabled, only accounts with the default super_admin profile can access global settings.
Table 96: Global configuration settings
System > Dashboard > Status: System Time, Host name, Firmware version
System > VDOM: VDOM list, per-VDOM resources, Global Resources
System > Network: Interfaces and subinterfaces
System > Network > Options: DNS, Dead Gateway Detection
System > Config: HA, SNMP, Replacement Message
System > Admin: Administrators, Profile, Central Management configuration
System > Admin > Settings: Web Administration Ports, Password policy, Display Settings, timeouts, LCD panel
System > Wireless: Settings, MAC Filter, Monitor, Rogue AP
System > Certificates
System > Configuration backup and restore
System > Maintenance: Revision Control, Scripts, FDN update configuration
Endpoint: Vulnerability Scan
Log & Report > Log Config: Log Setting, Alert E-mail

Per-VDOM settings - web-based manager
The following table lists the parts of the web-based manager that are considered per-VDOM
settings when VDOMs are enabled.


Table 97: VDOM configuration settings
System > Network: Zone, DNS Server, Web Proxy, Routing Table (Transparent mode), Modem
System > Wireless: Settings, MAC Filter, Monitor, Rogue AP
System > DHCP Server
System > Config: Replacement Message, Operation mode (NAT/Route or Transparent), Management IP (Transparent mode)
Router: Static, Dynamic, Monitor
Firewall: Policy, Address, Service, Schedule, Traffic Shaper, Virtual IP, Load Balance
UTM: AntiVirus, Intrusion Protection, Web Filter, Email Filter, Data Leak Prevention, Application Control, VoIP
VPN: IPSec, SSL
User
Endpoint
Wireless Controller
Log & Report: Logging configuration, Alert E-mail, Event Log, Log access, DLP Archive

Global settings - CLI
The following list shows the CLI commands that are considered global settings when VDOMs
are enabled.
From a super_admin profile account, use this command to configure features that apply to
the complete FortiGate unit including all virtual domains. Virtual domain configuration
(vdom-admin) must be enabled first.
This command syntax shows how you access the commands within config global. For
information on these commands, refer to the relevant sections in this Reference. If there
are multiple versions of the same command with a “2” or “3” added, the additional
commands are not listed but fall under the unnumbered command of the same name.
config global
config antivirus ...
config application
config endpoint-control
config firewall service
config firewall ssl
config gui console
config ips ...
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
config log fortiguard setting
config log memory setting
config log memory global-setting
config log {syslogd | syslogd2 | syslogd3} setting
config log webtrends setting

config spamfilter ...
config system accprofile
config system admin
config system alertemail
config system amc
config system auto-install
config system autoupdate clientoverride
config system autoupdate override
config system autoupdate push-update
config system autoupdate schedule
config system autoupdate tunneling
config system aux
config system bug-report
config system central-management
config system chassis-loadbalance
config system console
config system dns
config system fips-cc
config system fortiguard
config system fortiguard-log
config system global
config system ha
config system interface
config system npu
config system ntp
config system password-policy
config system replacemsg admin
config system replacemsg alertmail
config system replacemsg auth
config system replacemsg ec
config system replacemsg fortiguard-wf
config system replacemsg ftp
config system replacemsg http
config system replacemsg im
config system replacemsg mail
config system replacemsg nac-quar
config system replacemsg nntp
config system replacemsg spam
config system replacemsg sslvpn
config system resource-limits
config system session-helper
config system session-sync
config system sflow
config system snmp community
config system snmp sysinfo
config system switch-interface
config system tos-based-priority
config system vdom-link
config system vdom-property
config vpn certificate ...
config webfilter fortiguard
config wireless-controller
execute backup
execute batch
execute central-mgmt
execute cfg reload
execute cfg save
execute cli check-template-status
execute cli status-msg-only
execute date
execute disconnect-admin-session
execute enter
execute factoryreset
execute firmware-list
execute formatlogdisk
execute fortiguard-log
execute ha disconnect
execute ha manage
execute ha synchronize
execute log delete-all
execute log delete-filtered
execute log delete-rolled
execute log display
execute log filter
execute log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
execute log list
execute log roll
execute reboot
execute restore
execute router
execute scsi-dev
execute send-fds-statistics
execute set-next-reboot
execute sfp-mode-sgmii
execute shutdown
execute tac
execute time
execute update-ase
execute update-av
execute update-ips
execute update-netscan
execute update-now
execute usb-disk
execute vpn certificate ...
execute wireless-controller
get firewall vip ...
end

Per-VDOM settings - CLI
The following list shows the CLI commands that are considered per-VDOM settings when
VDOMs are enabled.
From the super admin account, use this command to add and configure virtual domains.
The number of virtual domains you can add is dependent on the FortiGate model. Virtual
domain configuration (vdom-admin) must be enabled.
Once you add a virtual domain you can configure it by adding zones, firewall policies,
routing settings, and VPN settings. You can also move physical interfaces from the root
virtual domain to other virtual domains and move VLAN subinterfaces from one virtual
domain to another.

By default all physical interfaces are in the root virtual domain. You cannot remove an
interface from a virtual domain if the interface is part of any of the following configurations:
• routing
• proxy arp
• DHCP server
• zone
• firewall policy
• redundant pair
• link aggregate (802.3ad) group
Delete these objects, or modify them, to be able to remove the interface.
This command syntax shows how you access the commands within a VDOM. Refer to the
relevant sections in this Reference for information on these commands.
config vdom
edit <vdom_name>
config alertemail
config antivirus
config application
config dlp
config endpoint-control
config firewall address, address6
config firewall addrgrp, addrgrp6
config firewall dnstranslation
config firewall ipmacbinding setting
config firewall ipmacbinding table
config firewall ippool
config firewall ldb-monitor
config firewall multicast-policy
config firewall policy, policy6
config firewall profile
config firewall schedule onetime
config firewall schedule recurring
config firewall service custom
config firewall service group
config firewall shaper per-ip-shaper
config firewall vip
config firewall vipgrp
config imp2p
config interface-policy
config interface-policy6
config ips
config log
config netscan
config router
config spamfilter
config system admin
config system arp-table
config system dhcp ...
config system gre-tunnel
config system interface
config system ipv6-tunnel
config system modem
config system proxy-arp
config system session-ttl
config system settings
config system sit-tunnel
config system wccp
config system zone
config user ...
config voip
config vpn ...
config wanopt
config web-proxy
config webfilter
config wireless-controller
execute backup
execute clear system arp table
execute cli check-template-status
execute cli status-msg-only
execute dhcp lease-list
execute enter
execute fsae refresh
execute ha disconnect
execute ha manage
execute ha synchronize
execute interface dhcpclient-renew
execute log delete-all
execute log delete-filtered
execute log delete-rolled
execute log display
execute log filter
execute log list
execute log roll
execute modem dial
execute modem hangup
execute modem trigger
execute mrouter
execute netscan
execute ping, ping6
execute ping-options, ping6-options
execute restore
execute router clear bgp
execute router clear ospf process
execute router restart
execute sfp-mode-sgmii
execute ssh
execute tac
execute traceroute
execute usb-disk
execute vpn sslvpn del-tunnel
execute wireless-controller
next
edit <another_vdom>
config ...
execute ...

end
end
For more information, see “Global and per-VDOM settings” on page 1325.

Resource settings
Your FortiGate unit has a limited amount of hardware resources such as memory, disk
storage, and CPU capacity. When Virtual Domains are disabled, this limit is not a major
concern because all sessions, users, and other processes share all the resources equally.
When using Virtual Domains, hardware resources can be divided differently between
Virtual Domains as they are needed. Also minimum levels of resources can be set so that
no Virtual Domain will suffer a complete lack of resources.
For example if one VDOM has only a web server and logging server connected, and a
second VDOM has an internal network of 20 users these two VDOMs will require different
levels of resources. The first VDOM will require many sessions but no user accounts. This
compares to the second VDOM where user accounts and management resources are
required, but fewer sessions.
Using the global and per-VDOM resource settings, you can customize the resources
allocated to each VDOM to ensure the proper level of service is maintained on each
VDOM.
This section includes:
• Global Resources
• Per-VDOM resource settings

Global Resources
Global Resources apply to the whole FortiGate unit. They represent all of the hardware
capabilities of your unit. By default the values are set to their maximum values. These
values vary by your model due to each model having differing hardware capabilities.
It can be useful to change the maximum values for some resources to ensure there is
enough memory available for other resources that may be more important to your
configuration.
To use the earlier example, if your FortiGate unit is protecting a number of web servers
and other publicly accessible servers you would want to maximize the available sessions
and proxies while minimizing other settings that are unused such as user settings, VPNs,
and dial-up tunnels.
Global Resources are only configurable at the global level, and only the admin account
has access to these settings.
Note that global resources, such as the log disk quota resource, will only be visible if your
FortiGate unit hardware supports those resources, such as having a hard disk to support
the log disk resource.
For additional information on the meaning of each resource, see the appropriate section of
the FortiGate Administration Guide.
To view global resource settings - web-based manager
1 For Current VDOM, select Global.
2 Select VDOM > Global Resources.

To view global resource settings - CLI
config global
config system resource-limits
get
Figure 192: Global Resources - web-based manager

Edit: Select to edit the Configured Maximum value for a single selected Resource. If multiple Resources are selected, Edit is not available.
Reset to default value: Select to return one or more selected Resources to factory default settings.
Checkbox: Select a Resource for editing or resetting to default values.
Resource: The name of the available global resources.
Configured Maximum: The currently configured maximum for this resource. This value can be changed by selecting the Resource and editing it.
Default Maximum: The factory configured maximum value for this resource. You cannot set the Configured Maximum higher than the Default Maximum.
Current Usage: The amount of this resource that is currently being used. This value is useful for determining when and if you may need to adjust Configured Maximum values for some resources on your FortiGate unit.

When viewing the global resource limits in the CLI, the output appears similar to:
FGT1000A (global) # config system resource-limits
FGT1000A (resource-limits) # get
session             : 0
ipsec-phase1        : 10000
ipsec-phase2        : 10000
dialup-tunnel       : 0
firewall-policy     : 100000
firewall-address    : 20000
firewall-addrgrp    : 10000
custom-service      : 0
service-group       : 0
onetime-schedule    : 0
recurring-schedule  : 0
user                : 0
user-group          : 0
sslvpn              : 0
webproxy            : 2000

Note: For explicit proxies when configuring limits on the number of concurrent users, you
need to allow for the number of users based on their authentication method. Otherwise you
may run out of user resources prematurely.
• Each session-based authenticated user is counted as a single user using their
authentication membership (RADIUS, LDAP, FSAE, local database etc.) to match users
in other sessions. So one authenticated user in multiple sessions is still one user.
• For all other situations, the source IP address is used to determine a user. All sessions
from a single source address are assumed to be from the same user.

Per-VDOM resource settings
Global resources apply to resources shared by the whole FortiGate unit. Per-VDOM
resources are specific to only one Virtual Domain.
By default all the per-VDOM resource settings are set to no limits. This means that any
single VDOM can use up all the resources of the entire FortiGate unit if it needs to do so.
This would starve the other VDOMs for resources to the point where they would be unable
to function. For this reason, it is recommended that you set some maximums on resources
that are most vital to your customers.
Each Virtual Domain has its own resource settings. These settings include both maximum
and minimum levels. The maximum level is the highest amount of that resource that this
VDOM can use if it is available on the FortiGate unit. The minimum level is a guarantee:
that amount of the resource is always available to this VDOM, no matter what the other
VDOMs may be using.
For example, your FortiGate unit has ten VDOMs configured. vdom1 has a maximum of
5000 sessions and a minimum of 1000 sessions. If the FortiGate unit has a global
maximum of 20,000 sessions, it is possible that vdom1 will not be able to reach its 5000
session upper limit. However, at all times vdom1 is guaranteed to have 1000 sessions
available that it can use. On the other hand, if the remaining nine VDOMs use only 1000
sessions each, vdom1 will be able to reach its maximum of 5000.
To view per-VDOM resource settings - web-based manager
1 For Current VDOM, select Global.
2 Select VDOM > VDOM.
3 Select the root VDOM, and select Edit.
The per-VDOM resource settings are displayed at the bottom of the Edit page.
To view per-VDOM resource settings - CLI
config global
config system vdom-property
edit root
get
Figure 193: per-VDOM resources - web-based manager

When viewing the per-VDOM resource limits in the CLI, the output appears similar to the
following. Note that the first two lines are not part of the resource limits. In the CLI, the first
number is the maximum value, and the second number is the guaranteed minimum.
FGT1KA3607500810 (vdom-property) # edit root
FGT1KA3607500810 (root) # get
name                : root
description         : property limits for vdom root
session             : 0 0
ipsec-phase1        : 0 0
ipsec-phase2        : 0 0
dialup-tunnel       : 0 0
firewall-policy     : 0 0
firewall-address    : 0 0
firewall-addrgrp    : 0 0
custom-service      : 0 0
service-group       : 0 0
onetime-schedule    : 0 0
recurring-schedule  : 0 0
user                : 0 0
user-group          : 0 0
sslvpn              : 0 0
webproxy            : 0 0
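The oversubscription in the example above (ten VDOMs, a 20,000-session global maximum, a 5000/1000 pair on vdom1) is easy to get wrong once there are many VDOMs and many resources. The following Python script is an added example, not part of the Handbook or of FortiOS: it parses text in the format printed above by `config system resource-limits` / `get` and by `config system vdom-property` / `edit <vdom>` / `get`, and reports guaranteed minimums that add up to more than the global maximum (a guarantee the unit cannot honour), per-VDOM maximums above the global maximum (never reachable), and capped resources left at 0 on a VDOM (no per-VDOM limit, so that VDOM can starve the others). The sample outputs embedded in it are constructed; in practice you would paste in output captured from the unit's CLI, which is an assumption here.

```python
"""Check FortiOS per-VDOM resource limits against the unit's global limits.

Added example, not part of the FortiOS Handbook or of FortiOS itself.  It
parses the text that `config system resource-limits` / `get` and
`config system vdom-property` / `edit <vdom>` / `get` print in the format
shown above ("name : value" and "name : max min").  The sample outputs
below are constructed for illustration.
"""
import re

# Constructed sample of `config global` / `config system resource-limits` / `get`.
GLOBAL_LIMITS = """\
session             : 20000
ipsec-phase1        : 10000
firewall-policy     : 100000
user                : 0
"""

# Constructed samples of `config system vdom-property` / `edit <vdom>` / `get`.
# First number is the maximum, second the guaranteed minimum; 0 means no limit.
VDOM_PROPERTIES = {
    "vdom1": """\
name                : vdom1
description         : property limits for vdom vdom1
session             : 5000 1000
ipsec-phase1        : 200 50
firewall-policy     : 0 0
user                : 0 0
""",
    "vdom2": """\
name                : vdom2
description         : property limits for vdom vdom2
session             : 0 0
ipsec-phase1        : 0 0
firewall-policy     : 0 0
user                : 0 0
""",
    "vdom3": """\
name                : vdom3
description         : property limits for vdom vdom3
session             : 25000 19500
ipsec-phase1        : 9950 9950
firewall-policy     : 0 0
user                : 100 10
""",
}

LINE_RE = re.compile(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$")


def parse_get_output(text):
    """Return {name: [ints]} for every 'name : n [m]' line; rows whose value
    is not all numbers (name, description) are skipped."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        values = m.group(2).split()
        if values and all(v.isdigit() for v in values):
            out[m.group(1)] = [int(v) for v in values]
    return out


def check_vdom_limits(global_text, vdom_texts):
    """Return a list of (severity, message) findings:
    error - a VDOM minimum above its own maximum, or guaranteed minimums that
            add up to more than the global maximum (the guarantee cannot hold);
    warn  - a VDOM maximum above the global maximum (never reachable);
    info  - a capped resource left at 0 (no per-VDOM limit), so one VDOM can
            starve the others, which is what the Handbook warns about."""
    glob = {k: v[0] for k, v in parse_get_output(global_text).items()}
    findings, min_totals = [], {}
    for vdom, text in vdom_texts.items():
        for res, vals in parse_get_output(text).items():
            if len(vals) != 2:
                continue                      # not a "max min" pair
            vmax, vmin = vals
            gmax = glob.get(res, 0)
            min_totals[res] = min_totals.get(res, 0) + vmin
            if vmin > vmax > 0:
                findings.append(("error", f"{vdom}: {res} minimum {vmin} exceeds its maximum {vmax}"))
            if gmax and vmax > gmax:
                findings.append(("warn", f"{vdom}: {res} maximum {vmax} exceeds global maximum {gmax}"))
            if gmax and vmax == 0:
                findings.append(("info", f"{vdom}: {res} has no per-VDOM maximum (global cap {gmax})"))
    for res, total in min_totals.items():
        gmax = glob.get(res, 0)
        if gmax and total > gmax:
            findings.append(("error", f"{res}: guaranteed minimums total {total} > global maximum {gmax}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_vdom_limits(GLOBAL_LIMITS, VDOM_PROPERTIES):
        print(f"[{severity}] {message}")
```

Resources with a global value of 0 (no limit on the unit) are skipped, since there is nothing to oversubscribe; the "info" findings are the ones to act on first for resources your customers depend on, as the section below recommends.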

Virtual Domain Licensing
All FortiGate units, except the 30B, support 10 VDOMs by default.

High-end FortiGate models support the purchase of a VDOM license key from customer
support to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500.
Configuring 250 or more VDOMs will result in reduced system performance.
See “FortiGate unit running very slowly” on page 1421.
Table 98: VDOM support by FortiGate model
FortiGate model             Supports VDOMs   Default VDOM maximum   Maximum VDOM license
30B                         no               0                      0
Low and mid-range models    yes              10                     10
High-end models             yes              10                     500

You can purchase a VDOM license key for FortiGate models numbered 3000 and higher
from customer support. This license will increase the maximum allowed VDOMs on your
FortiGate unit to one of 25, 50, 100, 250, or 500 as stated when you purchased the key.
Note: Your FortiGate unit has limited resources that are divided among all configured
VDOMs. These resources include system memory and CPU. You cannot run Unified Threat
Management (UTM) features when running 250 or more VDOMs. UTM features include
proxies, web filtering, and antivirus—your FortiGate unit can provide only basic firewall
functionality.

Note: It is important to backup your configuration before upgrading the VDOM license on
your FortiGate unit or units, especially with FortiGate units in HA mode.

To obtain a VDOM license key
1 Log in with a super_admin account.
2 Go to System > Dashboard > Status.
3 Record your FortiGate unit serial number as shown in “System Information” on
page 1323.
4 Under License Information > Virtual Domains, select Purchase More.
Note: If you do not have a System > Maintenance > License tab or you do not see the
Purchase More option on the System Dashboard, your FortiGate model does not
support more than 10 VDOMs.

Figure 194: VDOM License Information

5 You will be taken to the Fortinet customer support website where you can log in and
purchase a license key for 25, 50, 100, 250, or 500 VDOMs.
6 When you receive your license key, go to System > Maintenance > License.
7 In the Input License Key field, enter the 32-character license key you received from
Fortinet customer support.
8 Select Apply.
To verify the new VDOM license, in global configuration go to System > Status. Under
License Information, Virtual Domains shows the maximum number of VDOMs allowed.
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any
connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of
registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer
unit and they contain a total of four VDOMs, the total number of registered FortiGate units
on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer
Administration Guide.

Logging in to VDOMs
Only super_admin administrator accounts can access all global settings on the FortiGate
unit and all of the VDOMs as well. Other administrator accounts can access and configure
only their single VDOM and they must connect to an interface that is part of that VDOM.
For example, administratorB is the admin for vdomB. If he tries to log into vdomA, or an
interface that is part of vdomA he will not be able to log on. For more information on
administrators in VDOMs, see “Administrators in Virtual Domains” on page 1343.
Management services communicate using the management VDOM, which is the root
VDOM by default. For more information, see “Changing the management virtual domain”
on page 1347.
Note: Management traffic requires an interface that has access to the Internet. If there is no
interface assigned to the VDOM containing the management traffic, services including
updates will not function. For more information, see “Changing the management virtual
domain” on page 1347.

To access a VDOM with a super_admin account - web-based manager
1 Log in with a super_admin account.
2 Select System > VDOM > VDOM.
From here you can select a specific VDOM to configure. For more information, see
“List of VDOMs” on page 1324.
3 Select Enter for the active VDOM or management VDOM you want to change.
The system network page for that VDOM opens.
The bottom of the left menu displays the currently selected VDOM name, unless only
the root domain exists.
4 When you have finished configuring the VDOM, you can
• select << Global to return to global configuration for the FortiGate unit
• log out.
To access a VDOM with a super_admin account - CLI
With a super_admin account, logging in to the CLI also involves entering the specific VDOM.
If you need a reminder, use edit ? to see a list of existing VDOMs before editing a
VDOM.
Note: If you misspell a VDOM you are trying to switch to, you will create a new VDOM by
that name. Any changes you make will be part of the new VDOM, and not the intended
VDOM. If you are having problems where your changes aren’t visible, back up to the top
level and use edit ? to see a list of VDOMs to ensure this has not happened. If it has
happened, see “Deleting a VDOM” on page 1342.

config vdom
edit ?
edit <chosen_vdom>
..
<enter vdom related commands>
..
end
exit
To access a VDOM with a non super_admin account - web-based manager
1 Connect to the FortiGate unit using an interface that belongs to the VDOM to be
configured.
2 Log in using an administrator account that has access to the VDOM.
The main web-based manager page opens. From here you can access VDOM-specific
settings.
To access a VDOM with a non-super_admin account - CLI
When a non-super_admin administrator logs in to the FortiGate unit, there is no separate
step to log in to the VDOM, because the account has access to only one VDOM.
Login: regular_admin
Password: <password>
..
<enter vdom related commands>
..
exit

Configuring Virtual Domains
Only a super_admin administrator account such as the default “admin” account can
create, disable, or delete VDOMs. That account can create additional administrators for
each VDOM.
This section includes:
• Creating a Virtual Domain
• Disabling a Virtual Domain
• Deleting a VDOM
• Administrators in Virtual Domains

Creating a Virtual Domain
Once you have enabled Virtual Domains on your FortiGate unit, you can create additional
Virtual Domains beyond the default root Virtual Domain.
By default new Virtual Domains are set to NAT/Route operation mode. If you want a Virtual
Domain to be in Transparent operation mode, you must manually change it. See “Virtual
Domains in Transparent mode” on page 1365.
You can name new Virtual Domains as you like with the following restrictions:
• only letters, numbers, “-”, and “_” are allowed
• no more than 11 characters are allowed
• no spaces are allowed
• VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other
VDOMs.
Note: When creating large numbers of VDOMs (up to 250), you cannot enable advanced
features such as proxies, web filtering, and antivirus due to limited FortiGate unit resources.
Also when creating large numbers of VDOMs, you may experience reduced performance
for the same reason.

To create a VDOM - web-based manager
1 Log in with a super_admin account.
2 Go to System > Dashboard > Status and ensure that Virtual Domains are enabled. If
not, see “Enabling and accessing Virtual Domains” on page 1321.
3 Select System > VDOM > VDOM.
4 Select Create New.
5 Enter a unique name for your new VDOM.
6 Enter a short and descriptive comment to identify this VDOM.
7 Select OK.
Repeat Steps 4 through 7 to add additional VDOMs.
To create a VDOM - CLI
config vdom
edit <new_vdom_name>
end

Note: If you want to edit an existing Virtual Domain in the CLI, and mistype the name a new
Virtual Domain will be created with this new misspelled name. If you notice expected
configuration changes are not visible, this may be the reason. You should periodically
check your VDOM list to ensure there are none of these misspelled VDOMs present.
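The naming restrictions above and the misspelled-`edit` warning lend themselves to a small pre-flight check. The Python below is an added example, not part of the Handbook or of FortiOS: `validate_vdom_name` applies the four rules listed (character set, 11-character limit, no spaces, no collision with interface, zone, switch interface or VDOM names), and `suspected_typo_vdoms` looks for the accident the note describes, a VDOM that holds nothing but its default `ssl.<name>` interface and whose name is within a couple of edits of another VDOM's. The inventory is constructed; filling it from the VDOM list's Interfaces column or from a configuration backup is an assumption, as is the exact, case-sensitive name comparison (the Handbook does not say how FortiOS compares names).

```python
"""Validate FortiOS VDOM names and spot VDOMs created by a mistyped `edit`.

Added example, not part of the FortiOS Handbook or of FortiOS.  The name
rules are the ones listed above; the typo check looks for a VDOM holding
nothing but its default "ssl.<name>" interface whose name is one or two
edits away from another VDOM.  The inventory is constructed, and exact
(case-sensitive) name comparison is an assumption.
"""
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_LEN = 11

# Constructed inventory: VDOM name -> interfaces shown in the VDOM list, plus
# the interface, zone and switch-interface names that VDOM names may not reuse.
VDOMS = {
    "root": ["ssl.root", "internal", "wan1"],
    "customerA": ["ssl.customerA", "port3", "port3.100"],
    "custumerA": ["ssl.custumerA"],          # left behind by a typo in `edit`
    "dmz_vdom": ["ssl.dmz_vdom", "port5"],
}
INTERFACES = ["internal", "wan1", "wan2", "port3", "port3.100", "port5"]
ZONES = ["dmz", "lan"]
SWITCH_INTERFACES = ["internal"]


def validate_vdom_name(name, vdoms=VDOMS, interfaces=INTERFACES,
                       zones=ZONES, switch_interfaces=SWITCH_INTERFACES):
    """Return the list of rules the proposed name breaks; [] means acceptable."""
    problems = []
    if " " in name:
        problems.append("contains a space")
    if not NAME_RE.match(name):
        problems.append("only letters, numbers, '-' and '_' are allowed")
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    for kind, taken in (("VDOM", vdoms), ("interface", interfaces),
                        ("zone", zones), ("switch interface", switch_interfaces)):
        if name in taken:
            problems.append(f"same name as an existing {kind}")
    return problems


def edit_distance(a, b):
    """Levenshtein distance; names are short, so the plain table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspected_typo_vdoms(vdoms=VDOMS, max_distance=2):
    """Return (empty_vdom, similar_vdom) pairs: VDOMs with no interface other
    than their default ssl.<name> one whose name closely matches another VDOM."""
    suspects = []
    for name, ifaces in vdoms.items():
        if any(i != f"ssl.{name}" for i in ifaces):
            continue                          # has real interfaces: intended
        for other in vdoms:
            if other != name and edit_distance(name, other) <= max_distance:
                suspects.append((name, other))
    return suspects


if __name__ == "__main__":
    for candidate in ("customer_B", "internal", "my vdom", "verylongvdomname"):
        print(candidate, "->", validate_vdom_name(candidate) or "ok")
    for empty, similar in suspected_typo_vdoms():
        print(f"check {empty}: empty and looks like a typo of {similar}")
```

An empty VDOM that is not a typo (one you created ahead of assigning interfaces) will also be reported; the point of the check is to make you look at the VDOM list, which is what the note asks for.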

Disabling a Virtual Domain
The status of a VDOM can be Enabled or Disabled.
Active status VDOMs can be configured. Active is the default status when a VDOM is
created. The management VDOM must be an Active VDOM. For more information on the
management VDOM, see “Changing the management virtual domain” on page 1347.
Disabled status VDOMs are considered “offline”. The configuration remains, but you
cannot use the VDOM, and only the super_admin administrator can view it. You cannot
delete a disabled VDOM without first enabling it, and removing references to it like
usual—there is no Delete icon for disabled status VDOMs. You can assign interfaces to a
disabled VDOM. See “Deleting a VDOM” on page 1342.
The following procedures show how to disable a VDOM called “test-vdom”.
To disable a VDOM - web-based manager
1 For Current VDOM, select Global.
2 Go to System > VDOM > VDOM.
3 Select test-vdom by either
• selecting the check box for test-vdom and selecting Edit
or
• double-click on the green check Enable icon for test-vdom.
4 Ensure Enabled is not selected, and select OK.
The test-vdom entry in the VDOM list is now greyed out, and the Enabled icon is a grey
X.
To disable a VDOM - CLI
config vdom
edit test-vdom
config system settings
set status disable
end
end
To enable a VDOM - web-based manager
1 For Current VDOM, select Global.
2 Go to System > VDOM > VDOM.
3 Select test-vdom by either
• selecting the check box for test-vdom and selecting Edit
or
• double-click on the grey X Enable icon for test-vdom.
4 Select Enabled, and select OK.
The test-vdom entry in the VDOM list is now active, and the Enabled icon is a green
check.

To enable a VDOM - CLI
config vdom
edit test-vdom
config system settings
set status enable
end
end

Deleting a VDOM
Deleting a VDOM removes it from the FortiGate unit configuration.
Before you can delete a VDOM, all references to it must be removed. This includes any
objects listed in “Per-VDOM settings - web-based manager” on page 1326. If there are
any references to the VDOM remaining, you will see an error message and not be able to
delete the VDOM.
The VDOM must also be enabled. A disabled VDOM cannot be deleted. You cannot
delete the root VDOM or the management VDOM.
Tip: Before deleting a VDOM, a good practice is to reset any interface referencing
that VDOM to its default configuration, with “root” selected as the Virtual Domain.
The following procedures show how to delete the test-vdom VDOM.
To delete a VDOM - web-based manager
1 For Current VDOM, select Global.
2 Go to System > VDOM > VDOM.
3 Select the Delete icon for test-vdom.
If there is no Delete icon, there are still references to the VDOM that must first be
removed. The Delete icon is visible for this VDOM when all the references are
removed.
4 Confirm the deletion.
To delete a VDOM - CLI
config vdom
delete test-vdom
end

Removing references to a VDOM
When you are going to delete a VDOM, all references to that VDOM must first be
removed. It can be difficult to find all the references to the VDOM. This section provides a
list of common objects that must be removed before a VDOM can be deleted, and a CLI
command to help list the dependencies.
Interfaces are an important part of VDOMs. If you can move all the interfaces out of a
VDOM, generally you will be able to delete that VDOM.

Common objects that refer to VDOMs
When you are getting ready to delete a VDOM check for, and remove the following objects
that refer to that VDOM or its components:

Table 99: List of common VDOM object dependencies
Routing - both static and dynamic routes
Firewall addresses, policies, groups, or other settings
UTM
VPN configuration
Users or user groups
Logging
DHCP servers
Network interfaces, zones, custom DNS servers
VDOM Administrators

Administrators in Virtual Domains
When Virtual Domains are enabled, permissions change for administrators.
Administrators are now divided into per-VDOM administrators, and super_admin
administrators. Only super_admin administrator accounts can create other administrator
accounts and assign them to a VDOM.
This section includes:
• Administrator VDOM permissions
• Creating administrators for Virtual Domains
• Virtual Domain administrator dashboard display

Administrator VDOM permissions
Different types of administrator accounts have different permissions within VDOMs. For
example, if you are using a super_admin profile account, you can perform all tasks.
However, if you are using a regular admin account, the tasks available to you depend on
whether you have read only or read/write permissions. The following table shows which
tasks can be performed by which administrators.
Table 100: Administrator VDOM permissions
Tasks                                 Read only    Read/write          Super_admin profile
                                      permission   permission          administrator account
View global settings                  yes          yes                 yes
Configure global settings             no           no                  yes
Create or delete VDOMs                no           no                  yes
Configure multiple VDOMs              no           no                  yes
Assign interfaces to a VDOM           no           no                  yes
Revision Control Backup and Restore   no           no                  yes
Create VLANs                          no           yes - for 1 VDOM    yes - for all VDOMs
Assign an administrator to a VDOM     no           no                  yes
Create additional admin accounts      no           yes - for 1 VDOM    yes - for all VDOMs
Create and edit protection profiles   no           yes - for 1 VDOM    yes - for all VDOMs

Regular administrator account
The only difference in admin accounts when VDOMs are enabled is selecting which
VDOM the admin account belongs to. Otherwise, by default the administration accounts
are the same as when VDOMs are disabled and closely resemble the super_admin
account in their privileges.

Creating administrators for Virtual Domains
Using the admin administrator account, you can create additional administrator accounts
and assign them to VDOMs.
Note: The newly-created administrator can access the FortiGate unit only through network
interfaces that belong to their assigned VDOM or through the console interface. The
network interface must be configured to allow management access, such as HTTPS and
SSH. Without these in place, the new administrator will not be able to access the FortiGate
unit and will have to contact the super_admin administrator for access.

The following procedure creates a new Local administrator account called admin_sales
with a password of fortinet in the sales VDOM using the prof_admin default profile.
To create an administrator for a VDOM - web-based manager
1 Log in with a super_admin account.
2 Go to System > Admin > Administrators.
3 Select Create New.
4 Select Regular for Type, as you are creating a Local administrator account.
5 If this admin will be accessing the VDOM from a particular IP address or subnet, enter
it in Trusted Host #1. See “Using trusted hosts” on page 1344.
6 Select prof_admin for the Admin Profile.
7 Select sales from the list of Virtual Domains.
8 Select OK.
To create administrators for VDOMs - CLI
config global
config system admin
edit <new_admin_name>
set vdom <vdom_for_this_account>
set password <pwd>
set accprofile <an_admin_profile>
...
end

Using trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network
by further restricting administrative access. In addition to knowing the password, an
administrator must connect only through the subnet or subnets you specify. You can even
restrict an administrator to a single IP address if you define only one trusted host IP
address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiGate unit does not respond to
administrative access attempts from any other hosts. This provides the highest security. If
you leave even one administrator unrestricted, the unit accepts administrative access
attempts on any interface that has administrative access enabled, potentially exposing the
unit to attempts to gain unauthorized access.
The trusted hosts you define apply both to the web-based manager and to the CLI when
accessed through Telnet or SSH. CLI access through the console is not affected.
The trusted host addresses all default to 0.0.0.0/0.0.0.0 for IPv4, or ::/0 for IPv6. If you set
one of the zero addresses to a non-zero address, the other zero addresses will be
ignored. The only way to use a wildcard entry is to leave the trusted hosts at
0.0.0.0/0.0.0.0 or ::/0. However, this configuration is less secure.
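As an added example (not from the handbook), the following Python script audits a constructed "config system admin" dump for the condition described above: an account is effectively unrestricted only when every one of its trusted hosts is still a zero address, since a single non-zero entry makes the remaining zero entries ignored. It assumes the CLI keywords trusthost1..3 and ip6-trusthost1..3 for the Trusted Host fields; the account names and addresses are constructed sample data.

```python
import ipaddress
import shlex

# Constructed sample of a "config system admin" CLI dump (not from a real unit).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.11.101.0 255.255.255.0
        set trusthost2 0.0.0.0 0.0.0.0
    next
    edit "admin_sales"
        set accprofile "prof_admin"
        set vdom "sales"
        set trusthost1 0.0.0.0 0.0.0.0
        set ip6-trusthost1 ::/0
    next
    edit "auditor"
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 10.12.101.55 255.255.255.255
    next
end
"""


def parse_admins(config_text):
    """Parse the 'config system admin' table into {name: {setting: [values]}}.

    Only the admin table is read: lines before it are skipped and parsing
    stops at its closing 'end'. Quoted values are unquoted via shlex.
    """
    admins = {}
    current = None
    in_table = False
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        if tokens[:3] == ["config", "system", "admin"]:
            in_table = True
        elif not in_table:
            continue
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            admins[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            admins[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            break
    return admins


def effective_trusted_hosts(entry):
    """Return the networks that actually restrict this account.

    Zero entries (0.0.0.0/0.0.0.0 or ::/0, the defaults) are dropped because
    they are ignored once any non-zero entry is set. An empty result therefore
    means the account accepts logins from any host.
    """
    networks = []
    for setting, values in entry.items():
        if setting.startswith("trusthost"):          # IPv4: <ip> <netmask>
            net = ipaddress.ip_network(f"{values[0]}/{values[1]}", strict=False)
        elif setting.startswith("ip6-trusthost"):    # IPv6: <prefix>/<len>
            net = ipaddress.ip_network(values[0], strict=False)
        else:
            continue
        if net.prefixlen != 0:
            networks.append(net)
    return networks


def audit_trusted_hosts(config_text):
    """Map each admin name to its effective trusted networks (as strings)."""
    return {
        name: [str(net) for net in effective_trusted_hosts(entry)]
        for name, entry in parse_admins(config_text).items()
    }


def unrestricted_admins(config_text):
    """Names of accounts reachable from any host. One such account is enough to
    expose every interface that has administrative access enabled."""
    return sorted(name for name, nets in audit_trusted_hosts(config_text).items()
                  if not nets)


def source_allowed(entry, source_ip):
    """Would a management login from source_ip pass this account's trusted hosts?"""
    nets = effective_trusted_hosts(entry)
    if not nets:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in nets)


if __name__ == "__main__":
    for name, nets in audit_trusted_hosts(SAMPLE_CONFIG).items():
        print(f"{name:12s} {', '.join(nets) or 'ANY HOST (unrestricted)'}")
```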

Virtual Domain administrator dashboard display
When an administrator logs into their virtual domain, they see a different dashboard than the
global administrator will see. The VDOM dashboard displays information only relevant to
that VDOM — no global or other VDOM information is displayed.
Table 101: Information displayed on administrator dashboard
Information             per-VDOM                      Global
System Information      read-only                     yes
License Information     no                            yes
CLI console             yes                           yes
Unit Operation          read-only                     yes
Alert Message Console   no                            yes
Top Sessions            limited to VDOM sessions      yes
Traffic                 limited to VDOM interfaces    yes
Statistics              yes                           yes

Figure 195: VDOM administrator dashboard

Virtual Domains in NAT/Route mode
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual
units that each function as independent units. Each virtual domain has separate routing
and firewall policies. A single FortiGate unit with virtual domains is flexible enough to
serve multiple departments of an organization, separate organizations, or be the basis for
a service provider’s managed security service.
Note: The examples in this chapter are intended to be followed in order as procedures
build on previous procedures. If you do not complete the previous procedures, the
procedure you are working on may not work properly. If this happens, consult previous
procedures or FortiGate documentation.

This chapter contains the following sections:
• Virtual domains in NAT/Route mode
• WAN Optimization using VDOMs
• Example NAT/Route VDOM configuration

Virtual domains in NAT/Route mode
Once you have enabled virtual domains and created one or more VDOMs, you need to
configure them. Configuring VDOMs on your FortiGate unit includes tasks such as the
ones listed here; while you may not require all for your network topology, it is
recommended that you perform them in the order given:
• Changing the management virtual domain
• Configuring interfaces in a NAT/Route VDOM
• Configuring VDOM routing
• Configuring firewall policies for NAT/Route VDOMs
• Configuring UTM profiles for NAT/Route VDOMs

Changing the management virtual domain
The management virtual domain is the virtual domain where all the management traffic for
the FortiGate unit originates. This management traffic needs access to remote servers,
such as FortiGuard services and NTP, to perform its duties. It needs access to the Internet to
send and receive this traffic.
Management traffic includes, but is not limited to:
• DNS lookups
• logging to FortiAnalyzer or syslog
• FortiGuard service
• sending alert emails
• Network time protocol traffic (NTP)
• Sending SNMP traps
• Quarantining suspicious files and email.

By default the management VDOM is the root domain. When other VDOMs are configured
on your FortiGate unit, management traffic can be moved to one of these other VDOMs.
Reasons to move the management VDOM include selecting a non-root VDOM to be your
administration VDOM, or the root VDOM not having an interface with a connection to the
Internet.
Note: You cannot change the management VDOM if any administrators are using RADIUS
authentication.

The following procedure will change the management VDOM from the default root to a
VDOM named mgmt_vdom. It is assumed that mgmt_vdom has already been created and
has an interface that can access the Internet.
To change the management VDOM - web-based manager
1 In Current VDOM, select Global.
2 Select System > VDOM.
3 Select the checkbox next to mgmt_vdom.
4 Select Switch Management [root].
To change the management VDOM - CLI
config global
config system global
set management-vdom mgmt_vdom
end
end
Management traffic will now originate from mgmt_vdom.

Configuring interfaces in a NAT/Route VDOM
A VDOM must contain at least two interfaces to be useful. These can be physical
interfaces or VLAN interfaces. By default, all physical interfaces are in the root VDOM.
When you create a new VLAN, it is in the root VDOM by default.
When there are VDOMs on the FortiGate unit in both NAT and Transparent operation
modes, some interface fields will be displayed as “-” on System > Network > Interface.
Only someone with a super_admin account can view all the VDOMs.
Note: When moving an interface to a different VDOM, firewall IP pools and virtual IPs for
this interface are deleted. You should manually delete any routes that refer to this interface.
Once the interface has been moved to the new VDOM, you can add these services to the
interface again.
Note: When configuring VDOMs on FortiGate units with accelerated interfaces, such as
NP2 or NP4 interfaces, you must assign both interfaces in the pair to the same VDOM for
those interfaces to retain their acceleration. Otherwise they will become normal interfaces.

This section includes the following topics:
• Adding a VLAN to a NAT/Route VDOM
• Moving an interface to a VDOM
• Deleting an interface
• Adding a zone to a VDOM

Adding a VLAN to a NAT/Route VDOM
The following example shows one way that multiple companies can maintain their security
when they are using one FortiGate unit with VLANs that share interfaces on the unit.
This procedure will add a VLAN interface called client1-v100 with a VLAN ID of 100 to
an existing VDOM called client1 using the physical interface called port2.
Note: The physical interface does not need to belong to the VDOM that the VLAN belongs
to.

To add a VLAN subinterface to a VDOM - web-based manager
1 In Current VDOM, select Global.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information and select OK:
Name                   client1-v100
Interface              port2
VLAN ID                100
Virtual Domain         Client1
Addressing mode        Manual
IP/Netmask             172.20.120.110/255.255.255.0
Administrative Access  HTTPS, SSH

You will see an expand arrow added to the port2 interface. When the arrow is
expanded, the interface shows the client1-v100 VLAN subinterface.
To add a VLAN subinterface to a VDOM - CLI
config global
config system interface
edit client1-v100
set type vlan
set vlanid 100
set vdom Client1
set interface port2
set ip 172.20.120.110 255.255.255.0
set allowaccess https ssh
next
end
end

Moving an interface to a VDOM
Interfaces belong to the root VDOM by default. Moving an interface is the same procedure
whether it is moving from the root VDOM or from any other VDOM.
If you have an accelerated pair of physical interfaces, such as NP2 interfaces, both
interfaces must be in the same VDOM or you will lose their acceleration.

The following procedure will move the port3 interface to the Client2 VDOM. This is a
common action when configuring a VDOM. It is assumed that the Client2 VDOM has
already been created. It is also assumed that your FortiGate unit has a port3 interface. If
you are using a different model, your physical interfaces may not be named port2,
external or port3.
To move an existing interface to a different VDOM - web-based manager
1 For Current VDOM, select Global.
2 Go to System > Network > Interface.
3 Select Edit for the port3 interface.
4 Enter Client2 as the new VDOM name.
5 Select OK.
To move an existing interface to a different VDOM - CLI
config global
config system interface
edit port3
set vdom Client2
next
end
end

Deleting an interface
Before you can delete a virtual interface, or move an interface from one VDOM to another,
all references to that interface must be removed. For a list of objects that can refer to an
interface see “Per-VDOM settings - web-based manager” on page 1326.
The easiest way to be sure an interface can be deleted is when the Delete icon is no
longer greyed out. If it remains greyed out when an interface is selected, that interface still
has objects referring to it, or it is a physical interface that cannot be deleted.
To delete a virtual interface - web-based manager
1 Ensure all objects referring to this interface have been removed.
2 In Current VDOM, select Global.
3 Select System > Network > Interface.
4 Select the interface to delete.
5 Select the delete icon.

Adding a zone to a VDOM
Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can
configure policies for connections to and from a zone, but not between interfaces in a
zone.
Zones are VDOM-specific. A zone cannot be moved to a different VDOM. Any interfaces
in a zone cannot be used in another zone. To move a zone to a new VDOM requires
deleting the current zone and re-creating a zone in the new VDOM. For more information,
see the Network chapter of the FortiGate Administration Guide.
The following procedure will create a zone called accounting in the client2 VDOM. It
will not allow intra-zone traffic, and both port3 and port2 interfaces belong to this zone.
This is a method of grouping and isolating traffic over particular interfaces—it is useful for
added security and control within a larger network.

To add a zone to a VDOM - web-based manager
1 For Current VDOM, select Global.
2 Go to System > VDOM.
3 Select the client2 VDOM, and select Enter.
4 Go to System > Network > Zone.
5 Select Create New.
6 Enter the following information and select OK:
Zone Name                 accounting
Block intra-zone traffic  Select
Interface Members         port3, port2

To add a zone to a VDOM - CLI
config vdom
edit client2
config system zone
edit accounting
set interface port3 port2
set intrazone deny
next
end
end

Configuring VDOM routing
Routing is VDOM-specific. Each VDOM should have a default static route configured as a
minimum. Within a VDOM, routing is the same as routing on your FortiGate unit without
VDOMs enabled.
When configuring dynamic routing on a VDOM, other VDOMs on the FortiGate unit can be
neighbors. The following topics give a brief introduction to the routing protocols, and show
specific examples of how to configure dynamic routing for VDOMs. Figures are included to
show the FortiGate unit configuration after the successful completion of the routing
example.
For more information, see the routing chapters in the FortiGate Administration Guide.
This section includes:
• Default static route for a VDOM
• Dynamic Routing in VDOMs

Default static route for a VDOM
The routing you define applies only to network traffic entering non-ssl interfaces belonging
to this VDOM. Set the administrative distance high enough, typically 20, so that
automatically configured routes will be preferred to the default.
In the following procedure, it is assumed that a VDOM called “Client2” exists. The
procedure will create a default static route for this VDOM. The route has a destination IP of
0.0.0.0, on the port3 interface. It has a gateway of 10.10.10.1, and an administrative
distance of 20.
The values used in this procedure are very standard, and this procedure should be part of
configuring all VDOMs.

To add a default static route for a VDOM - web-based manager
1 For Current VDOM, select Global.
2 Go to System > VDOM.
3 Select the Client2 VDOM and select Enter.
4 Go to Router > Static.
5 Select Create New.
6 Enter the following information and select OK:
Destination IP/Mask  0.0.0.0/0.0.0.0
Device               port2
Gateway              10.10.10.1
Distance             20

To add a default static route for a VDOM - CLI
config vdom
edit Client2
config router static
edit 4
set device port2
set dst 0.0.0.0 0.0.0.0
set gateway 10.10.10.1
set distance 20
end
end

Dynamic Routing in VDOMs
Dynamic routing is VDOM-specific, like all other routing. Dynamic routing configuration is
the same with VDOMs as with your FortiGate unit without VDOMs enabled, once you are
at the routing menu. If you have multiple VDOMs configured, the dynamic routing
configuration between them can become quite complex.
VDOMs provide some interesting changes to dynamic routing. Each VDOM can be a
neighbor to the other VDOMs. This is useful in simulating a dynamic routing area or AS or
network using only your FortiGate unit.
You can separate different types of routing to different VDOMs if required. This allows for
easier troubleshooting. This is very useful if your FortiGate unit is on the border of a
number of different routing domains.
For more information on dynamic routing in FortiOS, see the FortiOS Dynamic Routing
Guide.
Inter-VDOM links must have IP addresses assigned to them if they are part of a dynamic
routing configuration. Inter-VDOM links may or may not have IP addresses assigned to
them. Without IP addresses, you need to be careful how you configure routing. While the
default static route can be assigned an address of 0.0.0.0 and rely instead on the
interface, dynamic routing almost always requires an IP address.

RIP
The RIP dynamic routing protocol uses hop count to determine the best route, with a hop
count of 1 being directly attached to the interface and a hop count of 16 being
unreachable. For example if two VDOMs on the same FortiGate unit are RIP neighbors,
they have a hop count of 1.

OSPF
OSPF communicates the status of its network links to adjacent neighbor routers instead of
the complete routing table. When compared to RIP, OSPF is more suitable for large
networks, it is not limited by hop count, and is more complex to configure. For smaller
OSPF configurations it is easiest to just use the backbone area, instead of multiple areas.

BGP
BGP is an Internet gateway protocol (IGP) used to connect autonomous systems (ASes)
and is used by Internet service providers (ISPs). BGP stores the full path, or path vector,
to a destination and its attributes which aid in proper routing.

Configuring firewall policies for NAT/Route VDOMs
Firewall policies are VDOM-specific. This means that all firewall settings for a VDOM,
such as firewall addresses and policies, are configured within the VDOM. For more
information about firewall settings, see the Firewall chapter of the FortiGate Administration
Guide.
In VDOMs, all firewall related objects are configured per-VDOM including addresses,
service groups, UTM profiles, schedules, traffic shaping, and so on. If you want firewall
addresses, you will have to create them on each VDOM separately. If you have many
addresses, and VDOMs this can be tedious and time consuming. Consider using a
FortiManager unit to manage your VDOM configuration — it can get firewall objects from a
configured VDOM or FortiGate unit, and push those objects to many other VDOMs or
FortiGate units. See FortiManager Administration Guide.
Note: You can customize the Firewall Policy display by including some or all columns, and
customize the column order onscreen. Due to this feature, firewall policy screenshots may
not appear the same as on your screen.

Configuring a firewall policy for a VDOM
Your firewall policies can involve only the interfaces, zones, and firewall addresses that
are part of the current VDOM, and they are only visible when you are viewing the current
VDOM. The firewall policies of this VDOM filter the network traffic on the interfaces and
VLAN subinterfaces in this VDOM.
A firewall service group can be configured to group multiple services into one service
group. When a descriptive name is used, service groups make it easier for an
administrator to quickly determine what services are allowed by a firewall policy.
In the following procedure, it is assumed that a VDOM called Client2 exists. The
procedure will configure an outgoing firewall policy. The firewall policy will allow all HTTPS
and SSH traffic for the SalesLocal address group on VLAN_200 going to all addresses
on port3. This traffic will be scanned and logged.
To configure a firewall policy for a VDOM - web-based manager
1 Go to System > VDOM.
2 Select the Client2 VDOM and select Enter.

3 Go to Firewall > Policy.
4 Select Create New.
5 Enter the following information and select OK:
Source Interface/Zone       VLAN_200
Source Address              SalesLocal
Destination Interface/Zone  port3
Destination Address         any
Schedule                    always
Service                     Multiple - HTTPS, SSH
Action                      ACCEPT
Log Allowed Traffic         enable

To configure a firewall policy for a VDOM - CLI
config vdom
edit Client2
config firewall policy
edit 12
set srcintf VLAN_200
set srcaddr SalesLocal
set dstintf port3
set dstaddr any
set schedule always
set service HTTPS SSH
set action accept
set status enable
set logtraffic enable
next
end
end

Configuring UTM profiles for NAT/Route VDOMs
In NAT/Route VDOMs, UTM profiles are exactly like regular FortiGate unit operation with
one exception. In VDOMs, there are no default UTM profiles.
If you want UTM profiles in VDOMs, you must create them yourself. If you have many
UTM profiles to create in each VDOM, you should consider using a FortiManager unit. It
can get existing profiles from a VDOM or FortiGate unit, and push those profiles down to
multiple other VDOMs or FortiGate units. See FortiManager Administration Guide.
When VDOMs are enabled, you only need one FortiGuard license for the physical unit,
and download FortiGuard updates once for the physical unit. This can result in a large
time and money savings over multiple physical units if you have many VDOMs.

WAN Optimization using VDOMs
If you want to apply both WAN Optimization and UTM features to your network traffic, you
cannot do both in the same VDOM.
The solution is to configure two VDOMs with WAN Optimization in its own VDOM. This
solution is covered in-depth in the WAN Optimization, Web Cache, Explicit Proxy, and
WCCP Guide.

This solution works for any feature combination that is causing problems — split the
troublesome feature into its own VDOM, and route traffic through both VDOMs. However,
it cannot be used to speed up processing — you would need a second physical unit for
that.
The best interface to ensure a fast connection between VDOMs is an inter-VDOM link.
See “Inter-VDOM routing” on page 1385.

Example NAT/Route VDOM configuration
Company A and Company B each have their own internal networks and their own ISPs.
They share a FortiGate unit that is configured with two separate VDOMs, with each VDOM
running in NAT/Route mode enabling separate configuration of network protection profiles.
Each ISP is connected to a different interface on the FortiGate unit.
This network example was chosen to illustrate one of the most typical VDOM
configurations.
This example has the following sections:
• Network topology and assumptions
• General configuration steps
• Creating the VDOMs
• Configuring the FortiGate interfaces
• Configuring the vdomA VDOM
• Configuring the vdomB VDOM
• Testing the configuration

Network topology and assumptions
Both companies have their own ISPs and their own internal interface, external interface,
and VDOM on the FortiGate unit.
For easier configuration, the following IP addressing is used:
• all IP addresses on the FortiGate unit end in “.2”, such as 10.11.101.2.
• all IP addresses for ISPs end in “.7”, such as 172.20.201.7.
• all internal networks are 10.*.*.* networks, and sample internal addresses end in “.55”.

The IP address matrix for this example is as follows.
Address           Company A               Company B
ISP               172.20.201.7            192.168.201.7
Internal network  10.11.101.0             10.12.101.0
FortiGate / VDOM  172.20.201.2 (port1)    192.168.201.2 (port3)
                  10.11.101.2 (port4)     10.12.101.2 (port2)

The Company A internal network is on the 10.11.101.0/255.255.255.0 subnet. The
Company B internal network is on the 10.12.101.0/255.255.255.0 subnet.
There are no switches or routers required for this configuration.
There are no VLANs in this network topology.

The interfaces used in this example are port1 through port4. Different FortiGate models
may have different interface labels. port1 and port3 are used as external interfaces. port2
and port4 are internal interfaces.
The administrator is a super_admin account. If you are using a non-super_admin
account, refer to “Global and per-VDOM settings” on page 1325 to see which parts a
non-super_admin account can also configure.
When configuring firewall policies in the CLI always choose a policy number that is higher
than any existing policy numbers, select services before profile-status, and
profile-status before profile. If these commands are not entered in that order,
they will not be available to enter.
Figure 196: Example VDOM configuration
[Figure: Internet at the top; ISP A (172.20.201.7) connects to port1 (172.20.101.2) and
ISP B (192.168.201.7) connects to port3 (192.168.101.2); port4 (10.11.101.2) connects to
the Company A network 10.11.101.0 (host 10.11.101.55); port2 (10.12.101.2) connects to
the Company B network 10.12.101.0 (host 10.12.101.55)]

General configuration steps
For best results in this configuration, follow the procedures in the order given. Also, note
that if you perform any additional actions between procedures, your configuration may
have different results.
1 Creating the VDOMs
2 Configuring the FortiGate interfaces
3 Configuring the vdomA VDOM, and Configuring the vdomB VDOM
4 Testing the configuration

Creating the VDOMs
In this example, two new VDOMs are created — vdomA for Company A and vdomB for
Company B. These VDOMs will keep the traffic for these two companies separate while
enabling each company to access its own ISP.
To create two VDOMs - web-based manager
1 Log in with a super_admin account.
2 For Current VDOM, select Global.
3 Go to System > VDOM, and select Create New.
4 Enter vdomA and select OK.
5 Select OK again to return to the VDOM list.
6 Select Create New.
7 Enter vdomB and select OK.
To create two VDOMs - CLI
config vdom
edit vdomA
next
edit vdomB
end

Configuring the FortiGate interfaces
This section configures the interfaces that connect to the companies’ internal networks,
and to the companies’ ISPs.
All interfaces on the FortiGate unit will be configured with an IP address ending in “.2”
such as 10.11.101.2. This will simplify network administration both for the companies, and
for the FortiGate unit global administrator. Also the internal addresses for each company
differ in the second octet of their IP address - Company A is 10.11.*, and Company B is
10.12.* .
This section includes the following topics:
• Configuring the vdomA interfaces
• Configuring the vdomB interfaces
Note: If you cannot change the VDOM of a network interface, it is because something that
refers to that interface needs to be deleted. Once all the references are deleted, the
interface will be available to switch to a different VDOM. For example, a common reference
to the external interface is the default static route entry. See “Configuring interfaces in a
NAT/Route VDOM” on page 1348.

Configuring the vdomA interfaces
The vdomA VDOM includes two FortiGate unit interfaces: port1 and port4.
The port4 interface connects the Company A internal network to the FortiGate unit, and
shares the internal network subnet of 10.11.101.0/255.255.255.0.
The port1 interface connects the FortiGate unit to ISP A and the Internet. It shares the
ISP A subnet of 172.20.201.0/255.255.255.0.
To configure the vdomA interfaces - web-based manager
1 For Current VDOM, select Global.
2 Go to System > Network > Interface.
3 Select Edit on the port1 interface.
4 Enter the following information and select OK:
Virtual Domain   vdomA
Addressing mode  Manual
IP/Netmask       172.20.201.2/255.255.255.0

5 Select Edit on the port4 interface.
6 Enter the following information and select OK:
Virtual Domain   vdomA
Addressing mode  Manual
IP/Netmask       10.11.101.2/255.255.255.0

To configure the vdomA interfaces - CLI
config global
config system interface
edit port1
set vdom vdomA
set mode static
set ip 172.20.201.2 255.255.255.0
next
edit port4
set vdom vdomA
set mode static
set ip 10.11.101.2 255.255.255.0
end
end

Configuring the vdomB interfaces
The vdomB VDOM uses two FortiGate unit interfaces: port2 and port3.
The port2 interface connects the Company B internal network to the FortiGate unit, and
shares the internal network subnet of 10.12.101.0/255.255.255.0.
The port3 interface connects the FortiGate unit to ISP B and the Internet. It shares the ISP
B subnet of 192.168.201.0/255.255.255.0.
To configure the vdomB interfaces - web-based manager
1 For Current VDOM, select Global.
2 Go to System > Network > Interface.
3 Select Edit on the port3 interface.
4 Enter the following information and select OK:
Virtual domain   vdomB
Addressing mode  Manual
IP/Netmask       192.168.201.2/255.255.255.0

5 Select Edit on the port2 interface.
6 Enter the following information and select OK:
Virtual domain   vdomB
Addressing mode  Manual
IP/Netmask       10.12.101.2/255.255.255.0

To configure the vdomB interfaces - CLI
config global
config system interface
edit port3
set vdom vdomB
set mode static
set ip 192.168.201.2 255.255.255.0
next
edit port2
set vdom vdomB
set mode static
set ip 10.12.101.2 255.255.255.0
end
end

Configuring the vdomA VDOM
With the VDOMs created and the ISPs connected, the next step is to configure the vdomA
VDOM.
Configuring the vdomA VDOM includes the following:
• Adding vdomA firewall addresses
• Adding the vdomA firewall policy
• Adding the vdomA default route
Adding vdomA firewall addresses
You need to define the addresses used by Company A’s internal network for use in firewall
policies. This internal network is the 10.11.101.0/255.255.255.0 subnet.
The FortiGate unit provides one default address, “all”, that you can use when a firewall
policy applies to all addresses as the source or destination of a packet.
To add the vdomA firewall addresses - web-based manager
1 For Current VDOM, select vdomA.
2 Go to Firewall > Address.
3 Select Create New.
4 Enter the following information and select OK:
Address Name          Ainternal
Type                  Subnet / IP Range
Subnet / IP Range     10.11.101.0/255.255.255.0
Interface             port4

To add the vdomA firewall addresses - CLI
config vdom
edit vdomA
config firewall address
edit Ainternal
set type ipmask
set subnet 10.11.101.0 255.255.255.0
set associated-interface port4
end
end

Adding the vdomA firewall policy
You need to add vdomA firewall policies to allow traffic from the internal network to reach
the external network, and from the external network to reach the internal network. You
need two policies for this VDOM.
Note that the second policy accepts any service from any external address to the internal
subnet. That is enough for this example, but on a production unit you would restrict the
Destination Address and Service of the inbound policy to the hosts and services you
actually intend to publish.
To add the vdomA firewall policy - web-based manager
1 In Current VDOM, select vdomA.
2 Go to Firewall > Policy.
3 Select Create New.
4 Enter the following information and select OK:
Source Interface/Zone         port4
Source Address                Ainternal
Destination Interface/Zone    port1
Destination Address           all
Schedule                      Always
Service                       ANY
Action                        ACCEPT
5 Select Create New.
6 Enter the following information and select OK:
Source Interface/Zone         port1
Source Address                all
Destination Interface/Zone    port4
Destination Address           Ainternal
Schedule                      Always
Service                       ANY
Action                        ACCEPT

To add the vdomA firewall policy - CLI
config vdom
edit vdomA
config firewall policy
edit 1
set srcintf port4
set srcaddr Ainternal
set dstintf port1
set dstaddr all
set schedule always
set service ANY
set action accept
set status enable
next
edit 2
set srcintf port1
set srcaddr all
set dstintf port4
set dstaddr Ainternal
set schedule always
set service ANY
set action accept
set status enable
end
end

Adding the vdomA default route
You also need to define a default route to direct packets from the Company A internal
network to ISP A. Every VDOM needs a default static route, as a minimum, to handle
traffic addressed to external networks such as the Internet.
The default route (0.0.0.0/0) is the least specific route in the table, so it is only used when
no more specific route matches. Setting its administrative distance slightly higher than
that of your other routes also ensures that, if another default route is learned later (for
example from a dynamic routing protocol), the route with the lower distance is preferred
and this one remains the last resort.
To add a default route to the vdomA - web-based manager
1 For Current VDOM, select vdomA.
2 Go to Router > Static.
3 Select Create New.
4 Enter the following information and select OK:
Destination IP/Mask   0.0.0.0/0.0.0.0
Device                port1
Gateway               172.20.201.7
Distance              20

To add a default route to the vdomA - CLI
config vdom
edit vdomA
config router static
edit 1
set dst 0.0.0.0/0
set device port1
set gateway 172.20.201.7
set distance 20
end
end

Configuring the vdomB VDOM
In this example, the vdomB VDOM is used for Company B. Firewall and routing settings
are specific to a single VDOM.
vdomB includes the FortiGate port2 interface to connect to the Company B internal
network, and the FortiGate port3 interface to connect to ISP B. Firewall policies are
needed to allow traffic from port2 to port3 and from port3 to port2.
This section includes the following topics:
• Adding the vdomB firewall address
• Adding the vdomB firewall policy
• Adding a default route to the vdomB VDOM

Adding the vdomB firewall address
You need to define addresses for use in firewall policies. In this example, the vdomB
VDOM needs an address for the port2 interface and the “all” address.
To add the vdomB firewall address - web-based manager
1 In Current VDOM, select vdomB.
2 Go to Firewall > Address.
3 Select Create New.
4 Enter the following information and select OK:
Address Name          Binternal
Type                  Subnet / IP Range
Subnet / IP Range     10.12.101.0/255.255.255.0
Interface             port2

To add the vdomB firewall address - CLI
config vdom
edit vdomB
config firewall address
edit Binternal
set type ipmask
set subnet 10.12.101.0 255.255.255.0
set associated-interface port2
end
end

Adding the vdomB firewall policy
You also need firewall policies for the Company B VDOM. In this example, the two
policies allow all traffic in both directions between port2 and port3.
To add the vdomB firewall policy - web-based manager
1 Log in with a super_admin account.
2 In Current VDOM, select vdomB.
3 Go to Firewall > Policy.
4 Select Create New.
5 Enter the following information and select OK:
Source Interface/Zone         port2
Source Address                Binternal
Destination Interface/Zone    port3
Destination Address           all
Schedule                      Always
Service                       ANY
Action                        ACCEPT
6 Select Create New.
7 Enter the following information and select OK:
Source Interface/Zone         port3
Source Address                all
Destination Interface/Zone    port2
Destination Address           Binternal
Schedule                      Always
Service                       ANY
Action                        ACCEPT

To add the vdomB firewall policy - CLI
config vdom
edit vdomB
config firewall policy
edit 1
set srcintf port2
set dstintf port3
set srcaddr Binternal
set dstaddr all
set schedule always
set service ANY
set action accept
set status enable
next
edit 2
set srcintf port3
set dstintf port2
set srcaddr all
set dstaddr Binternal
set schedule always
set service ANY
set action accept
set status enable
end
end

Adding a default route to the vdomB VDOM
You need to define a default route to direct packets to ISP B.
To add a default route to the vdomB VDOM - web-based manager
1 Log in as the super_admin administrator.
2 In Current VDOM, select vdomB.
3 Go to Router > Static.
4 Select Create New.
5 Enter the following information and select OK:
Destination IP/Mask   0.0.0.0/0.0.0.0
Device                port3
Gateway               192.168.201.7
Distance              20

To add a default route to the vdomB VDOM - CLI
config vdom
edit vdomB
config router static
edit 1
set dst 0.0.0.0/0
set device port3
set gateway 192.168.201.7
set distance 20
end
end

Testing the configuration
Once you have completed configuration for both company VDOMs, you can use
diagnostic commands, such as tracert in Windows, to test traffic routed through the
FortiGate unit. Alternately, you can use the traceroute command on a Linux system
with similar output.
Possible errors during the traceroute test are:
• "***Request timed out" - the trace was not able to make the next connection
towards the destination fast enough
• "Destination host unreachable" - after a number of timed-out responses the
trace gives up
Possible reasons for these errors are bad connections or configuration errors.
For additional troubleshooting, see “Troubleshooting Virtual Domains” on page 1421.

Testing traffic from the internal network to the ISP
In this example, a route is traced from the Company A internal network to ISP A. The test
was run on a Windows PC with an IP address of 10.11.101.55.
The output here indicates three hops between the source and destination, the IP address
of each hop, and that the trace was successful.
From the Company A internal network, access a command prompt and enter this
command:
C:\> tracert 172.20.201.7
Tracing route to 172.20.201.7 over a maximum of 30 hops:
  1    <10 ms    <10 ms    <10 ms  10.11.101.2
  2    <10 ms    <10 ms    <10 ms  172.20.201.2
  3    <10 ms    <10 ms    <10 ms  172.20.201.7
Trace complete.
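A traceroute only tells you that one path works. The mistakes that are easy to make in a multi-VDOM configuration (an interface assigned to a VDOM that does not exist, a policy ID reused so the second block silently overwrites the first, a default route on a device the VDOM does not own) are better caught by reading the configuration back. The following Python script is an added example and is not part of the handbook: it parses the CLI syntax used in this chapter and reports such mismatches. The sample configuration inside it is constructed from this example's addresses and carries three such slips; the checks themselves (interface ownership per VDOM, one default route per VDOM whose gateway lies in the device's subnet, duplicate object names) are this example's own, not a FortiOS feature.

```python
"""Consistency checks for a multi-VDOM FortiOS configuration.

Added example (not from the handbook): parses the CLI syntax used in this
chapter and flags mistakes that break VDOM isolation or routing, such as a
policy or default route naming an interface the VDOM does not own.
"""
import ipaddress


def parse_fortios(text):
    """Flatten FortiOS CLI text into {path: settings}.

    path is the tuple of enclosing config/edit names, for example
    ('vdom', 'vdomB', 'router static', '1'); settings maps each 'set'
    keyword to its list of values.  A second 'edit' of an existing path
    re-opens that object on a real unit, so it is recorded as a duplicate.
    """
    stack, objects, duplicates, cur = [], {}, [], None
    for line in text.splitlines():
        word, _, rest = line.strip().partition(" ")
        if word == "config":
            stack.append(("config", rest))
        elif word == "edit":
            stack.append(("edit", rest))
            path = tuple(name for _, name in stack)
            if path in objects:
                duplicates.append(path)
            cur = objects[path] = {}
        elif word == "set" and cur is not None:
            key, _, values = rest.partition(" ")
            cur[key] = values.split()
        elif word in ("next", "end"):
            if stack and stack[-1][0] == "edit":
                stack.pop()
            if word == "end" and stack:
                stack.pop()  # 'end' also closes the enclosing 'config'
            cur = None
    return objects, duplicates


def is_default_route(route):
    return " ".join(route.get("dst", ["0.0.0.0/0"])) in ("0.0.0.0/0", "0.0.0.0 0.0.0.0")


def check_vdoms(text):
    """Return a sorted list of findings for the configuration in `text`."""
    objects, duplicates = parse_fortios(text)
    findings = ["duplicate object %s: the second edit overwrites the first"
                % "/".join(p) for p in duplicates]
    # interface name -> (owning VDOM, IPv4Interface), from the global table
    intf = {p[2]: (s.get("vdom", ["root"])[0], ipaddress.ip_interface("/".join(s["ip"])))
            for p, s in objects.items()
            if p[:2] == ("global", "system interface") and "ip" in s}
    vdoms = {p[1] for p in objects if p[0] == "vdom"}
    findings += ["interface %s is assigned to undefined VDOM %s" % (n, v)
                 for n, (v, _) in intf.items() if v != "root" and v not in vdoms]
    has_default = set()
    for p, s in objects.items():
        if p[0] != "vdom" or len(p) != 4:
            continue
        vdom, kind, name = p[1], p[2], p[3]
        if kind == "firewall policy":
            # a policy may only reference interfaces owned by its own VDOM
            for key in ("srcintf", "dstintf"):
                for i in s.get(key, []):
                    if intf.get(i, (None,))[0] != vdom:
                        findings.append("%s policy %s: %s %s does not belong to %s"
                                        % (vdom, name, key, i, vdom))
        elif kind == "router static" and is_default_route(s):
            has_default.add(vdom)
            dev, gw = s.get("device", [""])[0], s.get("gateway", [""])[0]
            owner, addr = intf.get(dev, (None, None))
            if owner != vdom:
                findings.append("%s route %s: device %r does not belong to %s"
                                % (vdom, name, dev, vdom))
            elif gw and ipaddress.ip_address(gw) not in addr.network:
                findings.append("%s route %s: gateway %s is outside %s"
                                % (vdom, name, gw, addr.network))
    findings += ["%s: no default route" % v for v in vdoms - has_default]
    return sorted(findings)


def sample_config(port4_vdom="ABCdomain", policy_id="1", route_device="external"):
    """Constructed sample: this chapter's NAT/Route example, with three slips
    (port4 in a VDOM that does not exist, a reused policy ID in vdomB, and
    vdomB's default route on a device that does not exist).  Call
    sample_config("vdomA", "2", "port3") for the corrected version."""
    return "\n".join([
        "config global", "config system interface",
        "edit port1", "set vdom vdomA", "set ip 172.20.201.2 255.255.255.0", "next",
        "edit port4", f"set vdom {port4_vdom}", "set ip 10.11.101.2 255.255.255.0", "next",
        "edit port2", "set vdom vdomB", "set ip 10.12.101.2 255.255.255.0", "next",
        "edit port3", "set vdom vdomB", "set ip 192.168.201.2 255.255.255.0", "end", "end",
        "config vdom", "edit vdomA",
        "config firewall policy", "edit 1", "set srcintf port4", "set dstintf port1", "end",
        "config router static", "edit 1", "set device port1", "set gateway 172.20.201.7", "end",
        "next", "edit vdomB",
        "config firewall policy", "edit 1", "set srcintf port2", "set dstintf port3", "next",
        f"edit {policy_id}", "set srcintf port3", "set dstintf port2", "end",
        "config router static", "edit 1", "set dst 0.0.0.0/0",
        f"set device {route_device}", "set gateway 192.168.201.7", "end", "end",
    ])


if __name__ == "__main__":
    for finding in check_vdoms(sample_config()) or ["no findings"]:
        print(finding)
```

Run it against the output of `show` from a real unit and the parser copes with the same `config`/`edit`/`set`/`next`/`end` nesting; object types other than interfaces, policies and static routes are parsed but not checked.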


Virtual Domains in Transparent mode
In Transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide
services such as antivirus scanning, web filtering, spam filtering and intrusion protection to
traffic. There are some limitations in Transparent mode in that you cannot use SSL VPN,
PPTP/L2TP VPN, DHCP server, or easily perform NAT on traffic. The limits in Transparent
mode apply to IEEE 802.1Q VLAN trunks passing through the unit.
VDOMs can each be configured to operate either in Transparent or NAT/Route operation
mode, with each VDOM behaving like a separate FortiGate unit operating in the
respective mode. VLANs configured on a VDOM in Transparent mode are the same as
VLANs configured on the FortiGate unit when VDOMs are disabled.
This chapter includes the following sections:
• Before you begin
• Transparent operation mode
• Configuring VDOMs in Transparent mode
• Example of VDOMs in Transparent mode

Before you begin
Before you begin using this chapter, take a moment to note the following:
• The information in this chapter applies to all FortiGate units. All FortiGate models
except the FortiGate-30B model support VDOMs, and all FortiGate models support
VLANs.
• By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination
of NAT/Route and Transparent operating modes. For FortiGate models numbered
3000 and higher, you can purchase a license key to increase the maximum number to
25, 50, 100 or 250 VDOMs.
• This chapter uses port1 through port4 for interfaces in examples; where possible,
aliases have been assigned to the interfaces for extra clarity. The interface names on
some models will vary. For example, some models do not have interfaces labeled
external or internal.
• A super_admin administrator account is assumed for the procedures and examples;
however, if you are an administrator restricted to a VDOM, you may be able to perform
some procedures. For more information, see "Administrators in Virtual Domains" on
page 1343.

Transparent operation mode
In Transparent mode, the FortiGate unit becomes a layer-2 forwarding bridge. This
means that Ethernet frames are forwarded at layer 2 and no routing is performed. All
incoming traffic that is accepted by the firewall is broadcast out on all other interfaces.

In Transparent mode the FortiGate unit is a forwarding bridge, not a switch. A switch
builds a table of ports and their associated MAC addresses, so that it can bridge two ports
to deliver the traffic instead of broadcasting to all ports. In Transparent mode, the
FortiGate unit does not follow this switch behavior; instead it is a forwarding bridge that
broadcasts all packets out over all interfaces, subject to firewall policies.
Features such as broadcast domains, forwarding domains, and STP apply to both
FortiGate units and VDOMs in Transparent mode.

Broadcast domains
A broadcast domain is a network segment in which any network equipment can transmit
data directly to another device without going through a routing device. All the devices
share the same subnet. The subnets are separated by layer-3 devices, such as routers,
that can forward traffic from one broadcast domain to the next.
Broadcast domains are important to transparent mode FortiGate units because the
broadcast domain is the limit of where the FortiGate unit can forward packets when it is in
transparent mode.

Forwarding domains
Address Resolution Protocol (ARP) packets are vital to communication on a network, and
ARP support is enabled on FortiGate unit interfaces by default. Normally you want ARP
packets to pass through the FortiGate unit. However, in Transparent mode ARP packets
arriving on one interface are sent to all other interfaces including VLANs giving the
appearance of duplicates of the same MAC address on different interfaces. Some layer-2
switches become unstable when they detect these duplicate MAC addresses. Unstable
switches may become unreliable or reset and cause network traffic to slow down
considerably.
When you are using VLANs in Transparent mode, the solution to the duplicate MAC
address issue is to use the forward-domain CLI command. This command tags VLAN
traffic as belonging to a particular collision group, and only VLANs tagged as part of that
collision group receive that traffic—it is like an additional set of VLANs. By default, all
interfaces and VLANs are part of forward-domain collision group 0.
To assign VLAN 200 to collision group 2, VLAN 300 to collision group 3, and all other
interfaces to stay in the default collision group 0 enter the following CLI commands:
config global
config system interface
edit vlan200
set vlanid 200
set forward-domain 2
next
edit vlan300
set vlanid 300
set forward-domain 3
end
end
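To see why the forward domains matter, here is an added example that is not part of the handbook: a small Python model of a Transparent-mode VDOM with port1, port2 and VLAN 200 and 300 subinterfaces on each (the interface names and the host MAC address are constructed for the example). flood() returns the interfaces a frame is copied to, following the flooding rule described above, and mac_sightings() shows what the MAC table of a switch attached to the FortiGate unit then contains. With everything in forward domain 0, a single ARP request from a VLAN 200 host is copied to the untagged ports and to VLAN 300 as well, so the switch sees the same source MAC on three VLANs; with forward domains 2 and 3 assigned it stays on VLAN 200.

```python
"""Toy model of Transparent-mode flooding and forward domains.

Added example (not from the handbook): the FortiGate floods each accepted
frame to every other interface of the VDOM that shares the frame's
forward domain; this models what a downstream switch then observes.
"""
from collections import defaultdict

UNTAGGED = 0  # VLAN tag used here for the physical, untagged interfaces


def transparent_vdom(use_forward_domains):
    """Constructed interface table: port1/port2 plus VLAN 200 and 300
    subinterfaces on each, all in one Transparent-mode VDOM.  With
    use_forward_domains=False everything sits in the default domain 0,
    the state before the 'set forward-domain' commands are entered."""
    if use_forward_domains:
        domain = {UNTAGGED: 0, 200: 2, 300: 3}
    else:
        domain = {UNTAGGED: 0, 200: 0, 300: 0}
    table = {}
    for port in ("port1", "port2"):
        table[port] = {"vlan": UNTAGGED, "forward_domain": domain[UNTAGGED]}
        for vlan in (200, 300):
            table[f"vlan{vlan}_{port}"] = {"vlan": vlan, "forward_domain": domain[vlan]}
    return table


def flood(interfaces, ingress):
    """Interfaces a frame received on `ingress` is copied to: every other
    interface in the same forward domain (firewall policies permitting)."""
    fd = interfaces[ingress]["forward_domain"]
    return sorted(name for name, i in interfaces.items()
                  if name != ingress and i["forward_domain"] == fd)


def mac_sightings(interfaces, frames):
    """For each source MAC, the sorted VLAN tags on which a switch attached
    to the FortiGate unit would observe it after flooding."""
    seen = defaultdict(set)
    for ingress, src_mac in frames:
        for egress in flood(interfaces, ingress):
            seen[src_mac].add(interfaces[egress]["vlan"])
    return {mac: sorted(tags) for mac, tags in seen.items()}


def duplicate_macs(sightings):
    """MACs seen on more than one VLAN: the condition that upsets some
    layer-2 switches, as described above."""
    return sorted(mac for mac, tags in sightings.items() if len(tags) > 1)


if __name__ == "__main__":
    # Constructed sample frame: an ARP request from a VLAN 200 host behind port1.
    frames = [("vlan200_port1", "00:11:22:33:44:55")]
    for use_fd in (False, True):
        sightings = mac_sightings(transparent_vdom(use_fd), frames)
        label = "forward domains 2/3" if use_fd else "default domain 0"
        print(label, sightings, "duplicates:", duplicate_macs(sightings))
```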
When using forwarding domains, you may experience connection issues with layer-2
traffic, such as ping, if your network configuration has:
• packets going through the FortiGate unit in Transparent mode multiple times,
• more than one forwarding domain (such as incoming on one forwarding domain and
outgoing on another),
• IPS and AV enabled.

Spanning Tree Protocol
VDOMs and FortiGate units do not participate in the Spanning Tree Protocol (STP). STP is
an IEEE 802.1D protocol that ensures there are no layer-2 loops on the network. Loops are
created when there is more than one path for traffic to take and that traffic is broadcast
back to the original switch. Such a loop floods the network with traffic, quickly reducing
the available bandwidth to zero.
If you use your VDOM or FortiGate unit in a network topology that relies on STP for
loop protection, you need to make changes to your FortiGate configuration. Otherwise,
STP treats the link through your FortiGate unit as blocked and forwards the data along
another path. By default, your FortiGate unit blocks STP as well as other non-IP protocol
traffic. Using the CLI, you can enable forwarding of STP and other layer-2 protocols
through an interface. In this example, layer-2 forwarding is enabled on the port2 interface:
config global
config system interface
edit port2
set l2forward enable
set stpforward enable
next
end
There are different CLI commands to allow other common layer-2 protocols such as IPX,
PPTP or L2TP on the network. For more information, see the FortiOS CLI Reference.

Differences between NAT/Route and Transparent mode
The biggest difference between NAT/Route and Transparent modes is that you need to
define a management interface IP address and gateway in Transparent mode. This step is
not required in NAT/Route mode, where you can access the FortiGate unit through any
interface's assigned IP address, subject to the trusted host IP addresses configured for
your administrator account.
If you incorrectly set the Transparent mode management IP address for your FortiGate
unit, you will be unable to access the unit through the web-based manager. In this
situation, you need to connect to the FortiGate unit using the console cable and
change the settings so you can access the unit. Alternately, if your unit has an LCD panel,
you can change the operation mode and interface information through the LCD panel.
A more complete list of differences between NAT/Route mode and Transparent mode
follows:

Table 102: Differences between NAT/Route and Transparent modes
Feature                                         NAT/Route mode   Transparent mode
Specific management IP address required         No               Yes
Perform Network Address Translation (NAT)       Yes              No
Classless content inspection                    No (optional)    Yes
Layer-2 forwarding                              Yes              Yes
Layer-3 routing                                 Yes              No
Classful (stream-based) content inspection      Yes              No
Unicast routing / policy-based routing          Yes              No
DHCP server                                     Yes              No
SSL gateway                                     Yes              No
PPTP/L2TP VPN                                   Yes              No
VLAN support                                    Yes              Yes, limited to VLAN trunks
Ping servers (dead gateway detection)           Yes              No

Operation mode differences in VDOMs
A VDOM, such as root, can have a maximum of 255 interfaces in Network Address
Translation (NAT) mode or Transparent mode. This includes VLANs, other virtual
interfaces, and physical interfaces. To have more than a total of 255 interfaces configured,
you need multiple VDOMs with multiple interfaces on each.
In Transparent mode without VDOMs enabled, all interfaces on the FortiGate unit act as
one bridge: all traffic coming in on one interface is sent back out on all the other
interfaces. This effectively turns the FortiGate unit into a two-interface unit no matter how
many physical interfaces it has. When VDOMs are enabled, you can choose how many
interfaces to assign to a VDOM running in Transparent mode. If your network topology
gives you reasons for assigning more than two interfaces, you are able to. The benefit of
VDOMs in this case is that you keep the functionality of Transparent mode, but can use
the remaining interfaces for NAT/Route traffic as well.
You can add more VDOMs to separate groups of VLAN subinterfaces. When using a
FortiGate unit to serve multiple organizations, this configuration simplifies administration
because you see only the firewall policies and settings for the VDOM you are configuring.
For information on adding and configuring virtual domains, see “Benefits of Virtual
Domains” on page 1319.
One essential application of VDOMs is to prevent problems caused when a FortiGate unit
is connected to a layer-2 switch that has a global MAC table. FortiGate units normally
forward ARP requests to all interfaces, including VLAN subinterfaces. It is then possible
for the switch to receive duplicate ARP packets on different VLANs. Some layer-2
switches reset when this happens. As ARP requests are only forwarded to interfaces in
the same VDOM, you can solve this problem by creating a VDOM for each VLAN. For a
configuration example, see “Example of VDOMs in Transparent mode” on page 1370.

Configuring VDOMs in Transparent mode
In Transparent mode, your FortiGate unit becomes a layer-2 bridge — any traffic coming
in on one port is broadcast out on all the other ports. If your FortiGate unit has many
interfaces, this is not the best use of those interfaces. VDOMs can limit Transparent mode
to only a few interfaces while allowing the rest of the FortiGate unit to remain in NAT/Route
mode.
There are three essential steps to configure your FortiGate unit to work with VLANs in
Transparent mode:
• Switching to Transparent mode
• Adding VLAN subinterfaces
• Creating firewall policies

You can also configure the protection profiles that manage antivirus scanning, web filtering
and spam filtering. Protection profiles are covered in the FortiGate Administration Guide.
In Transparent mode, you can access the FortiGate web-based manager by connecting to
an interface configured for administrative access and using HTTPS to access the
management IP address. On the FortiGate unit used for examples in this guide,
administrative access is enabled by default on the internal interface and the default
management IP address is 10.11.0.1.

Switching to Transparent mode
A VDOM is in NAT/Route mode by default when it is created. You must switch it to
Transparent mode, and add a management IP address so you can access the VDOM
from your management computer.
Note: Before applying the change to Transparent mode, ensure the VDOM has
administrative access on the selected interface, and that the selected management IP
address is reachable on your network.

To switch the tpVDOM VDOM to Transparent mode - web-based manager
1 Go to the Current VDOM menu and select tpVDOM.
2 Go to System > Config > Operation.
3 Select Transparent for Operation mode.
4 Enter the management IP/Netmask.
The IP address must be accessible from the subnet where the management computer is
located. For example, 10.11.0.99/255.255.255.0 will be reachable from the 10.11.0.0
subnet.
5 Select Apply.
When you select Apply, the FortiGate unit logs you out. When you log back in, the
VDOM will be in Transparent mode.
To switch the tpVDOM VDOM to Transparent mode - CLI
config vdom
edit tpVDOM
config system settings
set opmode transparent
set manageip 10.11.0.99 255.255.255.0
end
end

Adding VLAN subinterfaces
There are a few differences when adding VLANs in Transparent mode compared to
NAT/Route mode.
In Transparent mode, VLAN traffic is trunked across the VDOM. That means VLAN traffic
cannot be routed or have its addressing changed, although it is still subject to firewall
policies and UTM inspection. For this reason, when you assign a VLAN to a Transparent
mode VDOM, the Addressing Mode section of the interface configuration disappears from
the web-based manager: with no routing performed on VLAN traffic, the VDOM simply
rebroadcasts it, and this requires no addressing.
Also, any routing-related features such as dynamic routing or Virtual Router Redundancy
Protocol (VRRP) are not available in Transparent mode for any interfaces.

Creating firewall policies
Firewall policies permit communication between the FortiGate unit’s network interfaces
based on source and destination IP addresses. Typically you will also limit communication
to desired times and services for additional security.
In Transparent mode, the FortiGate unit performs antivirus and antispam scanning on
each packet as it passes through the unit. You need firewall policies to permit packets to
pass from the VLAN interface where they enter the unit to the VLAN interface where they
exit the unit. If there are no firewall policies configured, no packets will be allowed to pass
from one interface to another. For more information, see the FortiGate Administration
Guide, or FortiGate Fundamentals Guide.

Example of VDOMs in Transparent mode
In this example, the FortiGate unit provides network protection to two organizations,
Company A and Company B. Each company has different policies for incoming and
outgoing traffic, requiring different firewall policies and protection profiles.
VDOMs are not required for this configuration, but by using VDOMs the profiles and
policies can be more easily managed on a per-VDOM basis, either by one central
administrator or by separate administrators for each company. Also, future expansion is
simply a matter of adding VDOMs without disrupting the existing ones.
For this example, firewall policies are only included to deal with web traffic. This provides
an example without making the configuration unnecessarily complicated.
This example includes the following sections:
• Network topology and assumptions
• General configuration steps
• Configuring common items
• Creating virtual domains
• Configuring the Company_A VDOM
• Configuring the Company_B VDOM
• Configuring the VLAN switch and router
• Testing the configuration


Network topology and assumptions
Each organization's internal network consists of a different range of IP addresses:
• 10.11.0.0/255.255.0.0 for Company A.
• 10.12.0.0/255.255.0.0 for Company B.

For the procedures in this section, it is assumed that you have enabled VDOM
configuration on your FortiGate unit. For more information, see “Enabling and accessing
Virtual Domains” on page 1321.
The VDOM names are similar to the company names for easy recognition. The root
VDOM cannot be renamed and is not used in this example.
Interfaces used in this example are port1 and port2. Some FortiGate models may not have
interfaces with these names. port1 is an external interface. port2 is an internal interface.
Figure 197: VLAN and VDOM Transparent example network topology
(Figure not reproduced. It shows the Internet connected to a VLAN router with addresses
10.0.0.1 and 192.168.0.1; a VLAN trunk carrying VLAN_100_ext and VLAN_200_ext into
port1 of the FortiGate unit in Transparent mode; port2 carrying the same VLAN trunk to a
VLAN switch with ports Fa0/8, Fa0/1 and Fa0/5; Company A on VLAN ID 100 with network
10.11.0.0; and Company B on VLAN ID 200 with network 10.12.0.0.)

General configuration steps
The following steps summarize the configuration for this example. For best results, follow
the procedures in the order given. Also, note that if you perform any additional actions
between procedures, your configuration may have different results.
1 Configuring common items
2 Creating virtual domains
3 Configuring the Company_A VDOM
4 Configuring the Company_B VDOM
5 Configuring the VLAN switch and router
6 Testing the configuration

Configuring common items
Both VDOMs require you to configure UTM profiles. These are configured the same way,
but need to be configured in both VDOMs.
The strict profile applies during normal business hours. The relaxed profile allows users to
surf websites they are not allowed to visit during normal business hours; a quota restricts
users to one hour of access to these websites, to ensure employees do not take long and
unproductive lunches.
To create a strict web filtering profile - web-based manager
1 Go to the proper VDOM, and select UTM > Web Filter > Profile.
2 Select Create New.
3 Enter strict for the Name.
4 Select Logging for everything.
5 Expand FortiGuard Web Filtering, and select block for all Categories except Business
Oriented and Other.
6 Block all Classifications except Cached Content and Image Search.
7 Ensure FortiGuard Quota for all Categories and Classifications is Disabled.
8 Select OK.
To create a strict web filtering profile - CLI
config vdom
edit <vdom_name>
config webfilter profile
edit strict
config ftgd-wf
set allow g07 g08 g21 g22 c01 c03
set deny g01 g02 g03 g04 g05 g06 c02 c04 c05 c06 c07
end
set web-ftgd-err-log enable
end
end
To create a relaxed web filtering profile - web-based manager
1 Go to the proper VDOM, and select UTM > Web Filter > Profile.
2 Select Create New.
3 Enter relaxed for the Name.
4 Select Logging for everything.
5 Expand FortiGuard Web Filtering, and select block for the Potentially Security Violating
Category and the Spam URL Classification.
6 Enable FortiGuard Quotas to allow 1 hour for all allowed Categories and
Classifications.
7 Select OK.

Creating virtual domains
By default, the FortiGate unit supports 10 virtual domains. root is the default VDOM; it
cannot be deleted or renamed, and it is not used in this example. New VDOMs are created
for Company A and Company B.
To create the virtual domains - web-based manager
1 With VDOMs enabled, go to System > VDOM.

2 Select Create New.
3 Enter Company_A for Name, and select OK.
4 Select Create New.
5 Enter Company_B for Name, and select OK.
To create the virtual domains - CLI
config system vdom
edit Company_A
next
edit Company_B
end

Configuring the Company_A VDOM
This section describes how to add VLAN subinterfaces and configure firewall policies for
the Company_A VDOM.
This section includes the following topics:
• Adding VLAN subinterfaces
• Creating the Lunch schedule
• Configuring Company_A firewall addresses
• Creating Company_A firewall policies

Adding VLAN subinterfaces
You need to create a VLAN subinterface on the port2 interface and another one on the
port1 interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 For Current VDOM, select Global.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information and select OK:
Name                  VLAN_100_int
Interface             port2
VLAN ID               100
Virtual Domain        Company_A
5 Select Create New.
6 Enter the following information and select OK:
Name                  VLAN_100_ext
Interface             port1
VLAN ID               100
Virtual Domain        Company_A

To add the VLAN subinterfaces - CLI
config global
config system interface
edit VLAN_100_int
set interface port2
set vlanid 100
set vdom Company_A
next
edit VLAN_100_ext
set interface port1
set vlanid 100
set vdom Company_A
end
end

Creating the Lunch schedule
Both organizations have the same lunch schedule, but only Company A has relaxed its
security policy to allow employees more freedom in accessing the Internet during lunch.
The Lunch schedule is Monday to Friday from 11:45am to 2:00pm (14:00).
To create a recurring schedule for lunchtime - web-based manager
1 In the Company_A VDOM, go to Firewall > Schedule > Recurring.
2 Select Create New.
3 Enter Lunch as the name for the schedule.
4 Select Mon, Tue, Wed, Thu, and Fri.
5 Set the Start time as 11:45 and set the Stop time as 14:00.
6 Select OK.
To create a recurring schedule for lunchtime - CLI
config vdom
edit Company_A
config firewall schedule recurring
edit Lunch
set day monday tuesday wednesday thursday friday
set start 11:45
set end 14:00
end
end

Configuring Company_A firewall addresses
Company A's networks are all on the 10.11.0.0/255.255.0.0 network, so restricting the
source address of its policies to that range provides added security.
To configure Company_A firewall addresses - web-based manager
1 In the Company_A VDOM, go to Firewall > Address.
2 Select Create New.
3 Enter CompanyA in the Address Name field.
4 Type 10.11.0.0/255.255.0.0 in the Subnet / IP Range field.
5 Select OK.
To configure Company_A firewall addresses - CLI
config vdom
edit Company_A
config firewall address
edit CompanyA
set type ipmask
set subnet 10.11.0.0 255.255.0.0
end
end

Creating Company_A firewall policies
A firewall policy can include varying levels of UTM protection. This example only deals
with web filtering. The following firewall policies use the custom UTM strict and
relaxed profiles configured earlier. See “Configuring common items” on page 1372.
For these firewall policies, we assume that all protocols will be on their standard ports,
such as port 80 for http traffic. If the ports are changed, such as using port 8080 for http
traffic, you will have to create custom services for protocols with non-standard ports, and
assign them different names.
The firewall policies configured in this section are:
• internal to external — always deny all
• external to internal — always deny all
• internal to external — always allow all, UTM - web filtering: strict
• internal to external — Lunch allow all, UTM - web filtering: relaxed
Firewall policies allow packets to travel between the internal VLAN_100 interface to the
external interface subject to the restrictions of the protection profile. Entering the policies
in this order means the last one configured is at the top of the policy list, and will be
checked first. This is important because the policies are arranged so if one does not apply
the next is checked until the end of the list.
To configure Company_A firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source Interface/Zone       VLAN_100_int
Source Address              CompanyA
Destination Interface/Zone  VLAN_100_ext
Destination Address         all
Schedule                    always
Service                     all
Action                      DENY
This policy is a catch all for outgoing traffic to ensure that if it doesn’t match any of the
other policies, it will not be allowed. This is standard procedure.
4 Select Create New.
5 Enter the following information and select OK:
Source Interface/Zone       VLAN_100_ext
Source Address              all
Destination Interface/Zone  VLAN_100_int
Destination Address         CompanyA
Schedule                    always
Service                     all
Action                      DENY
This policy is a catch all for incoming traffic to ensure that if it doesn’t match any of the
other policies, it will not be allowed. This is standard procedure.
6 Select Create New.
7 Enter the following information and select OK:
Source Interface/Zone       VLAN_100_int
Source Address              CompanyA
Destination Interface/Zone  VLAN_100_ext
Destination Address         all
Schedule                    always
Service                     all
Action                      ACCEPT
UTM                         Enable
Web Filtering               strict
This policy enforces strict scanning at all times, while allowing all traffic. It ensures
company policies are met for network security.
8 Select Create New.
9 Enter the following information and select OK:
Source Interface/Zone       VLAN_100_int
Source Address              CompanyA
Destination Interface/Zone  VLAN_100_ext
Destination Address         all
Schedule                    Lunch
Service                     all
Action                      ACCEPT
UTM                         Enable
Web Filtering               relaxed
This policy provides relaxed protection during lunch hours — going from strict down to
scan for protocol options and web filtering. AntiVirus and Email Filtering remain at strict
for security — relaxing them would not provide employees additional access to the
Internet and it would make the company vulnerable.
10 Verify that the policies entered appear in the list with the last policy (lunch) at the top,
and the first policy (deny all) at the bottom. Otherwise traffic will not flow as expected.
To configure Company_A firewall policies - CLI
config vdom
    edit Company_A
        config firewall policy
            edit 1
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action accept
                set schedule Lunch
                set service ANY
                set utm-status enable
                set webfilter-profile relaxed
            next
            edit 2
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action accept
                set schedule always
                set service ANY
                set utm-status enable
                set webfilter-profile strict
            next
            edit 3
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action deny
                set schedule always
                set service ANY
            next
            edit 4
                set srcintf VLAN_100_ext
                set dstintf VLAN_100_int
                set srcaddr all
                set dstaddr CompanyA
                set action deny
                set schedule always
                set service ANY
            end
    end
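The CLI blocks in this chapter all use the same nested config / edit / set / next / end syntax, and a policy list typed in by hand is easy to get out of order. The following Python script is an added example, not part of the FortiOS Handbook or of Fortinet's software: it parses such a block into a tree and then checks the resulting Company_A policy list for the property the procedure above relies on, namely that every interface pair which accepts traffic also ends in an explicit deny. SAMPLE_CONFIG is constructed to mirror the Company_A policies; the helper names (parse_fortios, firewall_policies, missing_catch_all) are this example's own.

```python
"""Parser for the nested FortiOS CLI syntax used throughout this chapter.

Added example, not code from the FortiOS Handbook or from Fortinet. It turns a block
of config / edit / set / next / end lines into a tree and checks a policy list the way
a reviewer would: each interface pair that accepts traffic must also end in an
explicit deny. SAMPLE_CONFIG is constructed to mirror the Company_A policies.
"""
import shlex

SAMPLE_CONFIG = """\
config vdom
    edit Company_A
        config firewall policy
            edit 1
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action accept
                set schedule Lunch
                set service ANY
                set utm-status enable
                set webfilter-profile relaxed
            next
            edit 2
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action deny
                set schedule always
                set service ANY
            end
    end
"""


def _node():
    return {"tables": {}, "entries": {}, "settings": {}}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested nodes; unbalanced blocks raise SyntaxError.

    'config' opens a table, 'edit' an entry, 'set' stores values on the current node,
    'next' closes an entry and 'end' closes a table (closing an open entry first).
    """
    root = _node()
    stack = [("root", root)]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        kind, node = stack[-1]
        if kw == "config":
            stack.append(("table", node["tables"].setdefault(" ".join(args), _node())))
        elif kw == "edit":
            if kind != "table":
                raise SyntaxError(f"line {lineno}: 'edit' outside a config table")
            stack.append(("entry", node["entries"].setdefault(args[0], _node())))
        elif kw == "set":
            if kind == "root":
                raise SyntaxError(f"line {lineno}: 'set' outside any config block")
            node["settings"][args[0]] = args[1:]
        elif kw == "next":
            if kind != "entry":
                raise SyntaxError(f"line {lineno}: 'next' outside an edit block")
            stack.pop()
        elif kw == "end":
            if kind == "entry":          # 'end' straight after an edit block implies 'next'
                stack.pop()
                kind, node = stack[-1]
            if kind != "table":
                raise SyntaxError(f"line {lineno}: 'end' without a matching 'config'")
            stack.pop()
        else:
            raise SyntaxError(f"line {lineno}: unsupported keyword {kw!r}")
    if len(stack) != 1:
        raise SyntaxError(f"{len(stack) - 1} block(s) left open; missing 'end'")
    return root


def firewall_policies(tree, vdom):
    """Return a VDOM's firewall policies as an ordered list of (policy_id, settings)."""
    table = tree["tables"]["vdom"]["entries"][vdom]["tables"].get("firewall policy", _node())
    return [(pid, node["settings"]) for pid, node in table["entries"].items()]


def missing_catch_all(policies):
    """Interface pairs that accept traffic somewhere but never end in an explicit deny."""
    seen = {}
    for _, s in policies:
        pair = (s["srcintf"][0], s["dstintf"][0])
        seen.setdefault(pair, set()).add(s.get("action", ["deny"])[0])  # deny is the CLI default
    return sorted(pair for pair, actions in seen.items() if "deny" not in actions)


if __name__ == "__main__":
    pols = firewall_policies(parse_fortios(SAMPLE_CONFIG), "Company_A")
    for pid, s in pols:
        print(pid, s["schedule"][0], s["action"][0], s.get("webfilter-profile", ["-"])[0])
    print("pairs without a deny-all:", missing_catch_all(pols))
```

Feeding the script only the accept policies reports the VLAN_100_int to VLAN_100_ext pair as lacking its catch-all, which is exactly the situation step 10 of the web-based procedure tells you to look for.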

Configuring the Company_B VDOM
This section describes how to add VLAN subinterfaces and configure firewall policies for
the Company B VDOM.
This section includes the following topics:
• Adding VLAN subinterfaces
• Creating Company_B service groups
• Configuring Company_B firewall addresses
• Configuring Company_B firewall policies
Adding VLAN subinterfaces
You need to create a VLAN subinterface on the internal interface and another one on the
external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
Name            VLAN_200_int
Interface       port2
VLAN ID         200
Virtual Domain  Company_B
4 Select Create New.
5 Enter the following information and select OK:
Name            VLAN_200_ext
Interface       port1
VLAN ID         200
Virtual Domain  Company_B
To add the VLAN subinterfaces - CLI
config system interface
    edit VLAN_200_int
        set interface internal
        set vlanid 200
        set vdom Company_B
    next
    edit VLAN_200_ext
        set interface external
        set vlanid 200
        set vdom Company_B
    end

Creating Company_B service groups
Company_B does not want its employees to use online gaming software or any online
chat software except NetMeeting, which the company uses for net conferencing. To
simplify the creation of a firewall policy for this purpose, you create a service group that
contains all of the services you want to restrict. A firewall policy can manage only one
service or one group. The administrator decided to simply name this group “Games”
although it also restricts chat software.
To create a games service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Enter Games in the Group Name field.
4 For each of AOL, IRC, QUAKE, SIP-MSNmessenger and TALK, select the service in
the Available Services list and select the right arrow to add it to the Members list.
5 Select OK.
To create a games and chat service group - CLI
config firewall service group
    edit Games
        set member AOL IRC QUAKE SIP-MSNmessenger TALK
    end

Configuring Company_B firewall addresses
Company B’s network is all in the 10.12.0.0 network. Security can be improved by only
allowing traffic from IP addresses on that network.
To configure Company_B firewall address - web-based manager
1 In the Company_B VDOM, go to Firewall > Address.
2 Select Create New.
3 Enter CompanyB in the Address Name field.
4 Type 10.12.0.0/255.255.0.0 in the Subnet / IP Range field.
5 Select OK.
To configure Company_B firewall addresses - CLI
config vdom
    edit Company_B
        config firewall address
            edit CompanyB
                set type ipmask
                set subnet 10.12.0.0 255.255.0.0
            end
    end

Configuring Company_B firewall policies
Firewall policies allow packets to travel between the internal and external VLAN_200
interfaces subject to the restrictions of the protection profile.
To configure Company_B firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source Interface/Zone       VLAN_200_int
Source Address              all
Destination Interface/Zone  VLAN_200_ext
Destination Address         all
Schedule                    BusinessDay
Service                     Games
Action                      DENY
This policy prevents the use of network games or chat programs (except NetMeeting)
during business hours.
4 Enter the following information and select OK:
Source Interface/Zone       VLAN_200_int
Source Address              all
Destination Interface/Zone  VLAN_200_ext
Destination Address         all
Schedule                    Lunch
Service                     HTTP
Action                      ACCEPT
Protection Profile          Relaxed
This policy relaxes the web category filtering during lunch hour.
5 Select Create New.
6 Enter the following information and select OK:
Source Interface/Zone       VLAN_200_int
Source Address              all
Destination Interface/Zone  VLAN_200_ext
Destination Address         all
Schedule                    BusinessDay
Service                     HTTP
Action                      ACCEPT
Protection Profile          BusinessOnly
This policy provides rather strict web category filtering during business hours.
7 Select Create New.

8 Enter the following information and select OK:
Source Interface/Zone       VLAN_200_int
Source Address              all
Destination Interface/Zone  VLAN_200_ext
Destination Address         all
Schedule                    always
Service                     ANY
Action                      ACCEPT
Protection Profile          Relaxed
Because it is last in the list, this policy applies to the times and services not covered in
preceding policies. This means that outside of regular business hours, the Relaxed
protection profile applies to email and web browsing, and online chat and games are
permitted. Company B needs this policy because its employees sometimes work
overtime. The other companies in this example maintain fixed hours and do not want
any after-hours Internet access.
To configure Company_B firewall policies - CLI
config vdom
    edit Company_B
        config firewall policy
            edit 1
                set srcintf VLAN_200_int
                set srcaddr all
                set dstintf VLAN_200_ext
                set dstaddr all
                set schedule BusinessDay
                set service Games
                set action deny
            next
            edit 2
                set srcintf VLAN_200_int
                set srcaddr all
                set dstintf VLAN_200_ext
                set dstaddr all
                set action accept
                set schedule Lunch
                set service HTTP
                set profile_status enable
                set profile Relaxed
            next
            edit 3
                set srcintf VLAN_200_int
                set srcaddr all
                set dstintf VLAN_200_ext
                set dstaddr all
                set action accept
                set schedule BusinessDay
                set service HTTP
                set profile_status enable
                set profile BusinessOnly
            next
            edit 4
                set srcintf VLAN_200_int
                set srcaddr all
                set dstintf VLAN_200_ext
                set dstaddr all
                set action accept
                set schedule always
                set service ANY
                set profile_status enable
                set profile Relaxed
            end
    end
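Both the Company_A and the Company_B procedures depend on first-match order: the FortiGate unit walks the list from the top and applies the first policy whose interfaces, addresses, schedule and service all match. The Python model below is an added example, not FortiOS code, that replays both policy lists against sample traffic so the effect of the ordering can be checked, including what happens if the Company_A list is entered upside down. The BusinessDay schedule is referenced on the page but not defined; Monday to Friday 08:00 to 17:00 is an assumption made here, as are the sample IP addresses and the fixed weekday used for the checks.

```python
"""First-match walk of the Company_A and Company_B policy lists from this section.

Added example, not FortiOS code: it models how the FortiGate unit checks policies
from the top of the list down and applies the first one whose interfaces, addresses,
schedule and service all match. The BusinessDay schedule is referenced but not
defined on the page; Monday to Friday 08:00-17:00 is an assumption made here.
Address objects and service-group members are constructed from values in the text.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

ADDRESSES = {                      # "all" is built in; the other two follow the handbook
    "all": ip_network("0.0.0.0/0"),
    "CompanyA": ip_network("10.11.0.0/16"),
    "CompanyB": ip_network("10.12.0.0/16"),
}
SCHEDULES = {                      # weekdays (Monday=0), start, stop; "always" is built in
    "Lunch": ({0, 1, 2, 3, 4}, "11:45", "14:00"),
    "BusinessDay": ({0, 1, 2, 3, 4}, "08:00", "17:00"),   # assumption, not defined on the page
}
SERVICE_GROUPS = {"Games": {"AOL", "IRC", "QUAKE", "SIP-MSNmessenger", "TALK"}}


@dataclass
class Policy:
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    schedule: str
    service: str
    action: str
    profile: Optional[str] = None    # UTM / protection profile applied when accepting


def schedule_active(name, when):
    """True if a recurring schedule (or 'always') covers the given datetime."""
    if name == "always":
        return True
    days, start, stop = SCHEDULES[name]
    return when.weekday() in days and start <= when.strftime("%H:%M") < stop


def service_matches(name, service):
    """ANY matches everything; a group matches its members; otherwise the exact name."""
    return name == "ANY" or service in SERVICE_GROUPS.get(name, {name})


def evaluate(policies, srcintf, dstintf, src_ip, dst_ip, service, when):
    """Return (index, action, profile) of the first matching policy.

    Traffic that matches nothing is (None, "deny", None): the FortiGate unit drops it.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for idx, p in enumerate(policies):
        if (p.srcintf, p.dstintf) != (srcintf, dstintf):
            continue
        if src not in ADDRESSES[p.srcaddr] or dst not in ADDRESSES[p.dstaddr]:
            continue
        if not schedule_active(p.schedule, when) or not service_matches(p.service, service):
            continue
        return idx, p.action, (p.profile if p.action == "accept" else None)
    return None, "deny", None


# Company_A in the order the handbook requires: lunch/relaxed on top, deny-all at the bottom.
COMPANY_A = [
    Policy("VLAN_100_int", "VLAN_100_ext", "CompanyA", "all", "Lunch", "ANY", "accept", "relaxed"),
    Policy("VLAN_100_int", "VLAN_100_ext", "CompanyA", "all", "always", "ANY", "accept", "strict"),
    Policy("VLAN_100_ext", "VLAN_100_int", "all", "CompanyA", "always", "ANY", "deny"),
    Policy("VLAN_100_int", "VLAN_100_ext", "CompanyA", "all", "always", "ANY", "deny"),
]
# Company_B in the order of the handbook's CLI (policy 1 first).
COMPANY_B = [
    Policy("VLAN_200_int", "VLAN_200_ext", "all", "all", "BusinessDay", "Games", "deny"),
    Policy("VLAN_200_int", "VLAN_200_ext", "all", "all", "Lunch", "HTTP", "accept", "Relaxed"),
    Policy("VLAN_200_int", "VLAN_200_ext", "all", "all", "BusinessDay", "HTTP", "accept", "BusinessOnly"),
    Policy("VLAN_200_int", "VLAN_200_ext", "all", "all", "always", "ANY", "accept", "Relaxed"),
]

if __name__ == "__main__":
    lunch = datetime(2010, 7, 13, 12, 30)        # a Tuesday, inside the Lunch schedule
    print(evaluate(COMPANY_A, "VLAN_100_int", "VLAN_100_ext", "10.11.5.5", "192.0.2.10", "HTTP", lunch))
    print(evaluate(COMPANY_B, "VLAN_200_int", "VLAN_200_ext", "10.12.5.5", "192.0.2.10", "QUAKE", lunch))
```

Reversing COMPANY_A puts the deny-all policy on top, and the model then denies the lunchtime HTTP request that the correctly ordered list accepts with the relaxed profile; for Company_B the model shows games denied throughout BusinessDay (lunch included) and permitted only by the final always/ANY policy after hours, as the text describes.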

Configuring the VLAN switch and router
The Cisco switch is the first VLAN device that internal traffic passes through, and the
Cisco router is the last device before the Internet or ISP.
This section includes the following topics:
• Configuring the Cisco switch
• Configuring the Cisco router
Configuring the Cisco switch
On the Cisco Catalyst 2900 Ethernet switch, you need to define the VLANs 100, 200 and
300 in the VLAN database, and then add configuration to define the VLAN access ports
and the 802.1Q trunk interface.
Add this configuration to the Cisco VLAN switch:
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/5
switchport access vlan 300
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
Switch 1 has the following configuration:
Port 0/1  VLAN ID 100
Port 0/3  VLAN ID 200
Port 0/6  802.1Q trunk
Configuring the Cisco router
The configuration for the Cisco router in this example is the same as in the basic example,
except we add VLAN_300. Each of the three companies has its own subnet assigned to it.
The IP addresses assigned to each VLAN on the router are the gateway addresses for
the VLANs. For example, devices on VLAN_100 would have their gateway set to
10.11.0.1/255.255.0.0.
!
interface FastEthernet0/0
!
interface FastEthernet0/0.1
encapsulation dot1Q 100
ip address 10.11.0.1 255.255.0.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 200
ip address 10.12.0.1 255.255.0.0
!
The router has the following configuration:
Port 0/0.1  VLAN ID 100
Port 0/0.3  VLAN ID 200
Port 0/0    802.1Q trunk
Testing the configuration
Use diagnostic commands, such as tracert, to test traffic routed through the network.
You should test traffic between the internal VLANs as well as from the internal VLANs to
the Internet to ensure connectivity.
For additional troubleshooting, see “Troubleshooting Virtual Domains” on page 1421.
This section includes the following topics:
• Testing traffic from VLAN_100 to the Internet
• Testing traffic from VLAN_100 to VLAN_200
Testing traffic from VLAN_100 to the Internet
In this example, a route is traced from VLANs to a host on the Internet. The route target is
www.example.com.
From a host on VLAN_100, access a command prompt and enter this command:
C:\> tracert www.example.com
Tracing route to www.example.com [208.77.188.166]
over a maximum of 30 hops:
  1    <10 ms    <10 ms    <10 ms  10.100.0.1
...
 14   172 ms   141 ms   140 ms  208.77.188.166
Trace complete.
The number of steps between the first and the last hop, as well as their IP addresses, will
vary depending on your location and ISP. However, all successful tracerts to
www.example.com will start and end with these lines.
Repeat the tracert for VLAN_200.
The tracert for each VLAN will include the gateway for that VLAN as the first step.
Otherwise, the tracert should be the same for each VLAN.

Testing traffic from VLAN_100 to VLAN_200
In this example, a route is traced between two internal networks. The route target is a host
on VLAN_200. The Windows traceroute command tracert is used.
From VLAN_100, access a Windows command prompt and enter this command:
C:\> tracert 10.12.0.2
Tracing route to 10.12.0.2 over a maximum of 30 hops:
  1    <10 ms    <10 ms    <10 ms  10.100.0.1
  2    <10 ms    <10 ms    <10 ms  10.12.0.2
Trace complete.

You can repeat this for different routes in the topology. In each case the IP addresses will
be the gateway for the starting VLAN, and the end point at the ending VLAN.


Inter-VDOM routing
In the past, virtual domains (VDOMs) were separate from each other—there was no
internal communication. Any communication between VDOMs involved traffic leaving on a
physical interface belonging to one VDOM and re-entering the FortiGate unit on another
physical interface belonging to another VDOM to be inspected by firewall policies in both
directions.
Inter-VDOM routing changes this. With VDOM links, VDOMs can communicate internally
without using additional physical interfaces.
Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual
interfaces that connect VDOMs. A VDOM link contains a pair of interfaces with each one
connected to a VDOM, and forming either end of the inter-VDOM connection.
This chapter contains the following sections:
• Benefits of inter-VDOM routing
• Getting started with VDOM links
• Inter-VDOM configurations
• Dynamic routing over inter-VDOM links
• HA virtual clusters and VDOM links
• Example of inter-VDOM routing
Benefits of inter-VDOM routing
Inter-VDOM routing has a number of advantages over independent VDOM routing. These
benefits include:
• Freed-up physical interfaces
• More speed than physical interfaces
• Continued support for secure firewall policies
• Configuration flexibility
Freed-up physical interfaces
Tying up physical interfaces on the FortiGate unit presents a problem. With a limited
number of interfaces available, configuration options for the old style of communication
between VDOMs are very limited. VLANs can be an answer to this, but they have some
limitations.
For example, the FortiGate-800 has 8 physical Ethernet ports. If they are assigned 2 per
VDOM (one each for external and internal traffic) there can only be 4 VDOMs at most
configured, not the 10 VDOMs the license will allow. Adding even one additional interface
per VDOM to be used to communicate between VDOMs leaves only 2 VDOMs for that
configuration, since 3 VDOMs would require 9 interfaces. Even using one physical
interface for both external traffic and inter-VDOM communication would severely lower the
available bandwidth for external traffic on that interface.
With the introduction of inter-VDOM routing, traffic can travel between VDOMs internally,
freeing up physical interfaces for external traffic. Using the above example we can use the
4 VDOM configuration and all the interfaces will have their full bandwidth.
More speed than physical interfaces
Internal interfaces are faster than physical interfaces. Their speed depends on the
FortiGate unit CPU and its load. That means that an inter-VDOM link interface will be
faster than an outbound physical interface connected to another inbound physical interface.
Inter-VDOM links are CPU bound, and cannot be part of an accelerated pair of interfaces.
However, while one virtual interface with normal traffic would be considerably faster than
a physical interface, the more traffic and the more internal interfaces you configure, the
slower they will become, until they are slower than the physical interfaces. CPU load can
also come from other sources such as AV or content scanning. This produces the same
effect—internal interfaces such as inter-VDOM links will be slower.

Continued support for secure firewall policies
VDOMs help to separate traffic based on your needs. This is an important step in
satisfying regulations that require proof of secure data handling. This is especially
important to health, law, accounting, and other businesses that handle sensitive data
every day.
By keeping things separate, traffic has to leave the FortiGate unit and re-enter to change
VDOMs. This forces traffic to go through the firewall when leaving and enter through
another firewall, keeping traffic secure.
With inter-VDOM routing, the need for the physical interfaces is greatly reduced. However,
firewall policies still need to be in place for traffic to pass through any interface, physical or
virtual, and thus provide the same level of security both internally and externally.
Configuration of firewall policies is the same for inter-VDOM links as for any other
interface, and your data will continue to have the high level of security.

Configuration flexibility
A typical VDOM uses at least two interfaces, typically physical interfaces, one for internal
and one for external traffic. Depending on the configuration, more interfaces may be
required. The one exception to this is possibly one-armed IPS.
As explained earlier, the maximum number of VDOMs configurable on a FortiGate unit is
the number of physical interfaces available divided by two. VLANs can increase the
number by providing multiple virtual interfaces over a single physical interface, but VLANs
have some limitations.
Using physical interfaces for inter-VDOM communication severely limits the number of
possible configurations on your FortiGate unit, but inter-VDOM routing allows these
connections to be moved inside the FortiGate unit. Using virtual interfaces, VDOM links,
frees up the physical interfaces for external traffic. Using VDOM links on a FortiGate unit
with 8 interfaces, you can have 4 VDOMs communicating with each other (meshed
configuration) and continue to have 2 physical interfaces each for internal and external
connections. This configuration would have required 20 physical interfaces without
inter-VDOM routing. With inter-VDOM routing it only requires 8 physical interfaces, with the
other 12 interfaces being internal VDOM links.
Inter-VDOM routing allows you to select Standalone VDOM configuration, Management
VDOM configuration and Meshed VDOM configuration without being limited by the
number of physical interfaces on your FortiGate unit.

Getting started with VDOM links
Once VDOMs are configured on your FortiGate unit, configuring inter-VDOM routing and
VDOM-links is very much like creating a VLAN interface.
VDOM-links are managed through the web-based manager or CLI. In the web-based
manager, VDOM link interfaces are managed in the network interface list.
This section includes the following topics:
• Viewing VDOM links
• Creating VDOM links
• Deleting VDOM links
Viewing VDOM links
VDOM links are displayed on the network interface list in the web-based manager.
You can view VDOM links only if you are using a super_admin account and in global
configuration.
To view the network interface list, in the Global menu go to System > Network.
Figure 198: Interface list displaying interface names and information
(The figure calls out the VDOM link interface, its VDOM, the VDOM link pair, and the
description of each interface.)

Create New             Select the arrow to create a new interface or VDOM link. Interface options
                       include VLAN, Aggregate, Redundant, or loopback interfaces.
                       For more information, see “Creating VDOM links” on page 1388, or the
                       FortiGate Administration Guide.
Edit                   Select to change the interface configuration for the selected interface.
                       This option is not available if no interfaces or multiple interfaces are
                       selected.
Delete                 Select to remove an interface from the list. One or more interfaces must be
                       selected for this option to be available.
                       You cannot delete permanent physical interfaces, or any interfaces that
                       have configuration referring to them. See “Deleting VDOM links” on
                       page 1390 or “Deleting an interface” on page 1350.
Column Settings        Select to change which information is displayed about the interfaces, and in
                       which order the columns appear. Use to display VDOM, VLAN, and other
                       information.
Checkbox               Select the checkbox for an interface to edit or delete that interface.
                       Select multiple interfaces to delete those interfaces.
                       Optionally select the check box at the top of the column to select or
                       unselect all checkboxes.
Name                   The name of the interface.
                       The name of the VDOM link (vlink1) has an expand arrow to display or
                       hide the pair of VDOM link interfaces. For more information, see “Viewing
                       VDOM links” on page 1387.
IP/Netmask             The IP address and netmask assigned to this interface.
Type                   The type of interface, such as physical, VLAN, or VDOM link pair.
Access                 The protocols allowed for administrators to connect to the FortiGate unit.
Administrative Status  The status of this interface, either set to up (active) or down (disabled).
Virtual Domain         The virtual domain this interface belongs to. For more information on
                       VDOMs, see “Virtual Domains in NAT/Route mode” on page 1347.
Creating VDOM links
VDOM links connect VDOMs together to allow traffic to pass between VDOMs as per
firewall policies. Inter-VDOM links are virtual interfaces that are very similar to VPN tunnel
interfaces except inter-VDOM links do not require IP addresses. See “IP addresses are
not required for inter-VDOM links” on page 1389.
To create a VDOM link, you first create the point-to-point interface, and then bind the two
interface objects associated with it to the virtual domains.
In creating the point-to-point interface, you also create two additional interface objects by
default. They are called vlink10 and vlink11 - the interface name you chose with a 1
or a 0 to designate the two ends of the link.
Once the interface objects are bound, they are treated like normal FortiGate interfaces
and need to be configured just like regular interfaces.
The assumptions for this example are as follows:
• Your FortiGate unit has VDOMs enabled and you have 2 VDOMs called customer1
  and customer2 already configured. For more information on configuring VDOMs see
  “Only a super_admin administrator account such as the default “admin” account can
  create, disable, or delete VDOMs. That account can create additional administrators
  for each VDOM.” on page 1340.
• You are using a super_admin account.
Note: Inter-VDOM links cannot include VDOMs in Transparent mode.

To configure an inter-VDOM link - web-based manager
1 For Current VDOM, select Global.
2 Select System > Network.
3 Select Create New > VDOM link, enter the following information, and select OK.
Name                     vlink1
                         (The name can be up to 11 characters long. Valid characters are
                         letters, numbers, “-”, and “_”. No spaces are allowed.)
Interface #0
  Virtual Domain         customer1
  IP/Netmask             10.11.12.13/255.255.255.0
  Administrative Access  HTTPS, SSL
Interface #1
  Virtual Domain         customer2
  IP/Netmask             172.120.100.13/255.255.255.0
  Administrative Access  HTTPS, SSL
Note: If your inter-VDOM links have names longer than 8 characters, and you upgrade
from FortiOS 3.0 MR3, the names will be truncated to 8 characters and will not function.
The solution is to change the names of your inter-VDOM links before you upgrade.

To configure an inter-VDOM link - CLI
config global
    config system vdom-link
        edit vlink1
        next
    end
    config system interface
        edit vlink10
            set vdom customer1
        next
        edit vlink11
            set vdom customer2
        next
    end
end
Once you have created and bound the interface ends to VDOMs, configure the
appropriate firewall policies and other settings that you require. To confirm the inter-VDOM
link was created, find the VDOM link pair and use the expand arrow to view the two VDOM
link interfaces. You can select edit to change any information.

IP addresses are not required for inter-VDOM links
Besides being virtual interfaces, there is one main difference between inter-VDOM links
and regular interfaces—inter-VDOM links do not require IP addresses. This introduces
three possible situations with inter-VDOM links:
• unnumbered - an inter-VDOM link with no IP addresses for either end of the tunnel
• half numbered - an inter-VDOM link with one IP address for one end and none for the
  other end
• full numbered - an inter-VDOM link with two IP addresses, one for each end.

An IP address is not required for inter-VDOM links because it is an internal connection that
can be referred to by the interface name in firewall policies, and other system references.
Not using an IP address in the configuration can speed up and simplify configuration for
you. Also, you will not use up all the IP addresses in your subnets if you have many
inter-VDOM links.
Half or full numbered interfaces are required if you are doing NAT, either SNAT or DNAT
as you need an IP number on both ends to translate between.

You can use unnumbered interfaces in static routing, by naming the interface and using
0.0.0.0 for the gateway. Running traceroute will not show the interface in the list of
hops. However you can see the interface when you are sniffing packets, which is useful for
troubleshooting.

Deleting VDOM links
When you delete the VDOM link, the two link objects associated with it will also be
deleted. You cannot delete the objects by themselves. The example uses a VDOM routing
connection called “vlink1”. Removing vlink1 will also remove its two link objects vlink10
and vlink11.
Note: Before deleting the VDOM link, ensure all policies, firewalls, and other configurations
that include the VDOM link are deleted, removed, or changed to no longer include the
VDOM link.

To remove a VDOM link - web-based manager
1 For Current VDOM, select Global.
2 Select System > Network.
3 Select Delete for the VDOM link vlink1.
To remove a VDOM link - CLI
config global
    config system vdom-link
        delete vlink1
    end
end
For more information, see the FortiGate CLI Reference.

Inter-VDOM configurations
By using fewer physical interfaces to inter-connect VDOMs, inter-VDOM links provide you
with more configuration options.
None of these configurations use VLANs to reduce the number of physical interfaces. It is
generally assumed that an internal or client network will have its own internal interface and
an external interface to connect to its ISP and the Internet.
These inter-VDOM configurations can use any FortiGate model with possible limitations
based on the number of physical interfaces. VLANs can be used to work around these
limitations.
In the following inter-VDOM diagrams, red indicates the physical FortiGate unit, grey
indicates network connections external to the FortiGate unit, and black is used for
inter-VDOM links and VDOMs.
This section includes the following topics:
• Standalone VDOM configuration
• Independent VDOMs configuration
• Management VDOM configuration
• Meshed VDOM configuration

Standalone VDOM configuration
The standalone VDOM configuration uses a single VDOM on your FortiGate unit — the
root VDOM that all FortiGate units have by default. This is the VDOM configuration you
are likely familiar with. It is the default configuration for FortiGate units before you create
additional VDOMs.
Figure 199: Standalone VDOM
(Diagram labels: FortiGate, Internet, Root VDOM, Client1 Network, Client2 Network.)

The configuration shown in Figure 199 has no VDOM inter-connections and requires no
special configurations or settings.
The standalone VDOM configuration can be used for simple network configurations that
only have one department or one company administering the connections, firewalls and
other VDOM-dependent settings.
However, with this configuration, keeping client networks separate requires many
interfaces, considerable firewall design and maintenance, and can quickly become time
consuming and complex. Also, configuration errors for one client network can easily affect
other client networks, causing unnecessary network downtime.

Independent VDOMs configuration
The independent VDOMs configuration uses multiple VDOMs that are completely
separate from each other. This is another common VDOM configuration.

Figure 200: Independent VDOMs
(Diagram labels: FortiGate, Internet, VDOM 1, VDOM 2, Client1 Network, Client2 Network.)

This configuration has no communication between VDOMs and apart from initially setting
up each VDOM, it requires no special configurations or settings. Any communication
between VDOMs is treated as if communication is between separate physical devices.
The independent inter-VDOM configuration can be used where more than one department
or one company is sharing the FortiGate unit. Each can administer the connections,
firewalls and other VDOM-dependent settings for only its own VDOM. To each company or
department, it appears as if it has its own FortiGate unit. This configuration reduces the
amount of firewall configuration and maintenance required by dividing up the work.
However, this configuration lacks a management VDOM for VDOMs 1, 2, and 3. This is
illustrated in Figure 50. This management VDOM would enable an extra level of control for
the FortiGate unit administrator, while still allowing each company or department to
administer its own VDOM.

Management VDOM configuration
In the management VDOM configuration, the root VDOM is the management VDOM. The
other VDOMs are connected to the management VDOM with inter-VDOM links. There are
no other inter-VDOM connections.
Figure 201: Management VDOM configuration (the Root VDOM faces the Internet; inter-VDOM links connect it to VDOM 1, serving Client1 Network, and to VDOM 2, serving Client2 Network)


The inter-VDOM links connect the management VDOM to the other VDOMs. This does
not require any physical interfaces, and the throughput of an inter-VDOM link can be higher
than that of a physical interface, depending on the CPU workload.
Only the management VDOM is connected to the Internet. The other VDOMs are
connected to internal networks. All external traffic is routed through the management
VDOM using inter-VDOM links and firewall policies between the management VDOM and
each VDOM. This ensures the management VDOM has full control over access to the
Internet, including what types of traffic are allowed in both directions. There is no
communication directly between the non-root VDOMs. Security is greatly increased with
only one point of entry and exit. Only the management VDOM needs to be fully managed
to ensure network security in this case. Each client network can manage its own
configuration without compromising security or bringing down another client network.
The management VDOM configuration is ideally suited for a service provider business.
The service provider administers the management VDOM with the other VDOMs as
customers. These customers do not require a dedicated IT person to manage their
network. The service provider controls the traffic and can prevent the customers from
using banned services and prevent Internet connections from initiating those same
banned services. One example of a banned service might be Instant Messaging (IM) at a
company concerned about intellectual property. Another example could be to limit
bandwidth used by file-sharing applications without banning that application completely.
Firewall policies control the traffic between the customer VDOM and the management
VDOM and can be customized for each customer.
The management VDOM configuration is limited in that the customer VDOMs have no
inter-connections. In many situations this limitation is ideal because it maintains proper
security. However, some configurations may require customers to communicate with each
other, which would be easier if the customer VDOMs were inter-connected.

Meshed VDOM configuration
The meshed VDOMs configuration, including partial and full mesh, has VDOMs interconnected with other VDOMs. There is no special feature to accomplish this—they are
just complex VDOM configurations.
Partial mesh means only some VDOMs are inter-connected. In a full mesh configuration,
all VDOMs are inter-connected to all other VDOMs. This can be useful when you want to
provide full access between VDOMs but handle traffic differently depending on which
VDOM it originates from or is going to.


Figure 202: Meshed VDOMs (the Root VDOM faces the Internet; inter-VDOM links connect Root VDOM, VDOM 1 and VDOM 2 to one another, with a client network behind each department VDOM)

With full access between all VDOMs being possible, it is especially important to ensure proper
security. You can achieve this level of security by establishing extensive firewall policies
and ensuring secure account access for all administrators and users.
Meshed VDOM configurations can become complex very quickly, with full mesh VDOMs
being the most complex. Ensure this is the proper solution for your situation before using
this configuration. Generally, these configurations are seen as theoretical and are rarely
deployed in the field.

Dynamic routing over inter-VDOM links
BGP is supported over inter-VDOM links. Unless otherwise indicated, routing works as
expected over inter-VDOM links.
If an inter-VDOM link has no IP addresses assigned to it, it may be difficult to use that
interface in dynamic routing configurations. For example, BGP requires an IP address to
define any BGP router added to the network.
In OSPF, you can configure a router using a router ID and not its IP address. In fact,
having no IP address avoids possible confusion between which value is the router ID and
which is the IP address. However, for that router to become adjacent with another OSPF
router it must share the same subnet, which is impossible without an IP address. For this
reason, while you can configure an OSPF router using an IP-less inter-VDOM link, it will
likely be of limited value to you.
In RIP the metric used is hop count. If the inter-VDOM link can reach other nodes on the
network, such as through a default route, then it may be possible to configure a RIP router
on an inter-VDOM link. However, once again it may be of limited value.
As stated earlier, BGP requires an IP address to define a router; an IP-less inter-VDOM
link will not work with BGP.
In multicast, you can configure an interface without using an IP address. However, that
interface will be unable to become an RP candidate. This limits the roles available to such
an interface.

HA virtual clusters and VDOM links
FortiGate HA is implemented by configuring two or more FortiGate units to operate as an
HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit,
processing network traffic and providing normal security services such as firewall, VPN,
IPS, virus scanning, web filtering, and spam filtering.
Virtual clustering extends HA features to provide failover protection and load balancing for
a FortiGate unit operating with virtual domains. A virtual cluster consists of a cluster of two
FortiGate units operating with virtual domains. Traffic on different virtual domains can be
load balanced between the cluster units.
With virtual clusters (vclusters) configured, inter-VDOM links must be entirely within one
vcluster. You cannot create links between vclusters, and you cannot move a VDOM that is
linked into another virtual cluster. If your FortiGate units are operating in HA mode with
multiple vclusters, the config system vdom-link CLI command includes an option to set
which vcluster the link will be in when you create the link. For more information, see the
FortiGate HA Guide.

What is virtual clustering?
Virtual clustering is an extension of the FGCP for FortiGate units operating with multiple
VDOMs enabled. Virtual clustering operates in active-passive mode to provide failover
protection between two instances of a VDOM operating on two different cluster units. You
can also operate virtual clustering in active-active mode to use HA load balancing to load
balance sessions between cluster units. Alternatively, by distributing VDOM processing
between the two cluster units you can also configure virtual clustering to provide load
balancing by distributing sessions for different VDOMs to each cluster unit.

Virtual clustering and failover protection
Virtual clustering operates on a cluster of two (and only two) FortiGate units with VDOMs
enabled. Each VDOM creates a cluster between instances of the VDOMs on the two
FortiGate units in the virtual cluster. All traffic to and from the VDOM stays within the
VDOM and is processed by the VDOM. One cluster unit is the primary unit for each VDOM
and one cluster unit is the subordinate unit for each VDOM. The primary unit processes all
traffic for the VDOM. The subordinate unit does not process traffic for the VDOM. If a
cluster unit fails, all traffic fails over to the cluster unit that is still operating.

Virtual clustering and heartbeat interfaces
The HA heartbeat provides the same HA services in a virtual clustering configuration as in
a standard HA configuration. One set of HA heartbeat interfaces provides HA heartbeat
services for all of the VDOMs in the cluster. You do not have to add a heartbeat interface
for each VDOM.

Virtual clustering and HA override
For a virtual cluster configuration, override is enabled by default for both virtual clusters
when you:
• Enable VDOM partitioning from the web-based manager by moving virtual domains to
virtual cluster 2
• Enter set vcluster2 enable from the CLI config system ha command to enable virtual
cluster 2.


Usually you would enable virtual cluster 2 and expect one cluster unit to be the primary
unit for virtual cluster 1 and the other cluster unit to be the primary unit for virtual cluster 2.
For this distribution to occur override must be enabled for both virtual clusters. Otherwise
you will need to restart the cluster to force it to renegotiate.

Virtual clustering and load balancing or VDOM partitioning
There are two ways to configure load balancing for virtual clustering. The first is to set the
HA mode to active-active. The second is to configure VDOM partitioning. For virtual
clustering, setting the HA Mode to active-active has the same result as active-active HA
for a cluster without virtual domains. The primary unit receives all sessions and load
balances them among the cluster units according to the load balancing schedule. All
cluster units process traffic for all virtual domains.
Note: If override is enabled the cluster may renegotiate too often. You can choose to
disable override at any time. If you decide to disable override, for best results, you should
disable it for both cluster units.
In a VDOM partitioning virtual clustering configuration, the HA mode is set to active-passive. Even though virtual clustering operates in active-passive mode you can configure
a form of load balancing by using VDOM partitioning to distribute traffic between both
cluster units. To configure VDOM partitioning you set one cluster unit as the primary unit
for some virtual domains and you set the other cluster unit as the primary unit for other
virtual domains. All traffic for a virtual domain is processed by the primary unit for that
virtual domain. You can control the distribution of traffic between the cluster units by
adjusting which cluster unit is the primary unit for each virtual domain.
For example, you could have 4 VDOMs, two of which have a high traffic volume and two of
which have a low traffic volume. You can configure each cluster unit to be the primary unit
for one of the high volume VDOMs and one of the low volume VDOMs. As a result each
cluster unit will be processing traffic for a high volume VDOM and a low volume VDOM,
resulting in an even distribution of traffic between the cluster units. You can adjust the
distribution at any time. For example, if a low volume VDOM becomes a high volume
VDOM you can move it from one cluster unit to another until the best balance is achieved.
From the web-based manager you configure VDOM partitioning by setting the HA mode to
active-passive and distributing virtual domains between Virtual Cluster 1 and Virtual
Cluster 2. You can also configure different device priorities, port monitoring, and remote
link failover, for Virtual Cluster 1 and Virtual Cluster 2.
From the CLI you configure VDOM partitioning by setting the HA mode to a-p. Then you
configure device priority, port monitoring, and remote link failover and specify the VDOMs
to include in virtual cluster 1. You do the same for virtual cluster 2 by entering the config
secondary-vcluster command.
Failover protection does not change. If one cluster unit fails, all sessions are processed by
the remaining cluster unit. No traffic interruption occurs for the virtual domains for which
the still functioning cluster unit was the primary unit. Traffic may be interrupted temporarily
for virtual domains for which the failed unit was the primary unit while processing fails over
to the still functioning cluster unit. If the failed cluster unit restarts and rejoins the virtual
cluster, VDOM partitioning load balancing is restored.
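The VDOM partitioning described above amounts to splitting the VDOMs into two groups of roughly equal load and making a different cluster unit primary for each group. The Python script below is an added example, not part of the handbook or of FortiOS: it places VDOMs heaviest-first onto whichever virtual cluster is lighter so far and then renders the config system ha fragment for each unit. The VDOM names, traffic figures and HA group name are constructed. The commands config system ha, set mode a-p, set vcluster2 enable and config secondary-vcluster are the ones the text names; the set vdom, set priority, set override and set group-name keywords are assumptions to verify against the CLI reference for your firmware.

```python
"""Greedy VDOM partitioning for a two-unit virtual cluster, plus the matching
'config system ha' fragment for each unit. Added example; the VDOM names,
traffic figures and HA group name are constructed, not from the handbook."""


def partition_vdoms(volumes):
    """volumes: {vdom_name: expected traffic units} -> (vcluster1, vcluster2).
    VDOMs are placed heaviest first, each onto the virtual cluster that is
    lighter so far (the usual greedy rule for two-way partitioning); ties go
    to virtual cluster 1. Both results are returned as sorted lists."""
    members, load = {1: [], 2: []}, {1: 0, 2: 0}
    for vdom, volume in sorted(volumes.items(), key=lambda kv: (-kv[1], kv[0])):
        target = min((1, 2), key=lambda c: (load[c], c))
        members[target].append(vdom)
        load[target] += volume
    return sorted(members[1]), sorted(members[2])


def _quote(names):
    """Quote VDOM names the way the CLI expects in a multi-value 'set'."""
    return " ".join(f'"{n}"' for n in names)


def render_ha_config(vcluster1, vcluster2, primary_for=1, group="vdom-ha"):
    """Render the HA fragment for one cluster unit. With override enabled, the
    unit with the higher device priority becomes primary, so the unit that
    should carry virtual cluster 1 (primary_for=1) gets priority 200 there and
    100 under 'config secondary-vcluster'; the other unit gets the mirror
    image. 'set vdom', 'set priority', 'set override' and 'set group-name' are
    assumed keyword names for FortiOS 4.0; check them against the CLI reference."""
    hi, lo = (200, 100) if primary_for == 1 else (100, 200)
    return "\n".join([
        "config system ha",
        "    set mode a-p",
        f'    set group-name "{group}"',
        f"    set priority {hi}",
        "    set override enable",
        f"    set vdom {_quote(vcluster1)}",
        "    set vcluster2 enable",
        "    config secondary-vcluster",
        f"        set priority {lo}",
        "        set override enable",
        f"        set vdom {_quote(vcluster2)}",
        "    end",
        "end",
    ])


# Constructed figures: two high-volume and two low-volume VDOMs, as in the text.
TRAFFIC = {"Engineering": 90, "Sales": 80, "Accounting": 20, "Guest": 15}

if __name__ == "__main__":
    vc1, vc2 = partition_vdoms(TRAFFIC)
    for unit in (1, 2):
        print(f"# cluster unit {unit} (primary for virtual cluster {unit})")
        print(render_ha_config(vc1, vc2, primary_for=unit))
```

With the constructed figures, each virtual cluster receives one high-volume and one low-volume VDOM, which is the distribution the text describes. Apply the first fragment to one unit and the second to the other; if you later move a VDOM, keep override enabled on both units or restart the cluster so it renegotiates, as noted above.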

Example of inter-VDOM routing
This example shows how to configure a FortiGate unit to use inter-VDOM routing.
This section contains the following topics:
• Network topology and assumptions
• Creating the VDOMs
• Configuring the physical interfaces
• Configuring the VDOM links
• Configuring the firewall and UTM settings
• Testing the configuration

Network topology and assumptions
Two departments of a company, Accounting and Sales, are connected to one
FortiGate-800 unit. To do its work, the Sales department receives a lot of email from
advertising companies that would appear to be spam if the Accounting department
received it. For this reason, each department has its own VDOM to keep firewall policies
and other configurations separate. A management VDOM makes sense to ensure
company policies are followed for traffic content.
The traffic between Accounting and Sales will be email and HTTPS only. A direct VDOM link
between the two departments (a meshed configuration) would also work, but this example
avoids that complexity. With this configuration, inter-VDOM traffic follows a slightly longer
path than normal: from one department VDOM, through the management VDOM, and back to
the other department VDOM. Since inter-VDOM links are faster than physical interfaces, this
longer path should not be noticed.
Firewall policies will be in place. For added security, firewall policies will allow only valid
office services such as email, web browsing, and FTP between either department and the
Internet. Any additional services that are required can be added in the future.
The company uses a single ISP to connect to the Internet. The ISP uses DHCP to provide
an IP address to the FortiGate unit. Both departments use the same ISP to reach the
Internet.
Other assumptions for this example are as follows:
• Your FortiGate unit has interfaces labelled port1 through port4 and VDOMs are not
enabled.
• You are using the super_admin account.
• You have the FortiClient application installed.
• You are familiar with configuring interfaces, firewalls, and other common features on
your FortiGate unit. For more information, see the FortiGate Administration Guide.
Note: All configuration is available to a super_admin. A non-super_admin account may
also perform certain procedures, but only for the VDOM that the account has access to. For
more information, see "Administrators in Virtual Domains" on page 1343.


Figure 203: Management VDOM for two departments (the Internet, via the ISP, connects on port1 to the management VDOM root; inter-VDOM links join root to VDOM 1, Accounting on port2, and VDOM 2, Sales on port3). The figure labels the networks Accounting 10.11.0.0 and Sales 10.12.0.0; the procedures that follow use 172.100.0.0/16 and 192.168.0.0/16 instead.

General configuration steps
This example includes the following general steps. For best results, follow the steps in the
order given. Also, note that if you perform any additional actions between procedures,
your configuration may have different results.
1 Creating the VDOMs
2 Configuring the physical interfaces
3 Configuring the VDOM links
4 Configuring the firewall and UTM settings
5 Testing the configuration

Creating the VDOMs
This procedure enables VDOMs and creates the Sales and Accounting VDOMs.
To create the VDOMs - web-based manager
1 Log in as the super_admin administrator.
2 Go to System > Status > System Information > Virtual Domain, and select Enable.
3 Log in again.
4 Go to System > VDOM.
5 Select Create New, enter Accounting for the VDOM Name, and select OK.
6 Select Create New, enter Sales for the VDOM Name, and select OK.


To create the VDOMs - CLI
config system global
set vdom enable
end
config system vdom
edit Accounting
next
edit Sales
next
end

Configuring the physical interfaces
Next, the physical interfaces must be configured. This example uses three interfaces on
the FortiGate unit: port2 (internal), port3 (dmz), and port1 (external). The port2 and port3
interfaces each have a department's network connected. port1 is for all traffic to or from
the Internet and will use DHCP to configure its IP address, which is common with many
ISPs.
Two points to check before copying these settings: the Accounting network 172.100.0.0/16
is not private address space (RFC 1918 reserves 172.16.0.0/12, that is 172.16.0.0 through
172.31.255.255), so on a real network choose a private range or one you actually own. Also,
enabling HTTPS and SSH administrative access on port1 exposes the management interface
to the Internet; restrict it with trusted hosts on the administrator accounts, or remove it if
the unit will only be managed from the inside.
To configure the physical interfaces - web-based manager
1 In Current VDOM, select Global.
2 Select System > Network.
3 Select Edit for the port2 interface, enter the following information, and select OK.
Alias: AccountingLocal
Virtual Domain: Accounting
Addressing mode: Manual
IP/Netmask: 172.100.1.1/255.255.0.0
Administrative Access: HTTPS, PING, SSH
Description: This is the accounting department internal interface.
4 Select Edit for the port3 interface, enter the following information, and select OK.
Alias: SalesLocal
Virtual Domain: Sales
Addressing mode: Manual
IP/Netmask: 192.168.1.1/255.255.0.0
Administrative Access: HTTPS, PING, SSH
Description: This is the sales department internal interface.
5 Select Edit for the port1 interface, enter the following information, and select OK.
Alias: ManagementExternal
Virtual Domain: root
Addressing Mode: DHCP
Distance: 5
Retrieve default gateway from server: Enable
Override internal DNS: Enable
Administrative Access: HTTPS, SSH, SNMP
Description: This is the system-wide management interface.
Note: When the mode is set to DHCP or PPPoE on an interface you can set the distance
field. This is the administrative distance for any routes learned through the gateway for this
interface. The gateway is added to the static route table with these values. A lower distance
indicates a preferred route.

To configure the physical interfaces - CLI
config global
config system interface
edit port2
set alias AccountingLocal
set vdom Accounting
set mode static
set ip 172.100.1.1 255.255.0.0
set allowaccess https ping ssh
set description "The accounting dept internal interface"
next
edit port3
set alias SalesLocal
set vdom Sales
set mode static
set ip 192.168.1.1 255.255.0.0
set allowaccess https ping ssh
set description "The sales dept. internal interface"
next
edit port1
set alias ManagementExternal
set vdom root
set mode dhcp
set distance 5
set defaultgw enable
set dns-server-override enable
set allowaccess https ssh snmp
set description "The systemwide management interface."
next
end
end

Configuring the VDOM links
To complete the connection between each VDOM and the management VDOM, you need
to add the two VDOM links; one pair is the Accounting - management link and the other is
for Sales - management link.
When configuring inter-VDOM links, you do not have to assign IP addresses to the links
unless you are using advanced features such as dynamic routing that require them. Not
assigning IP addresses results in faster configuration, and more available IP addresses on
your networks.
If you require them, or if you simply want to assign IP addresses for clarity, you can do so.
To configure the Accounting and management VDOM link - web-based manager
1 In Current VDOM, select Global.
2 Select System > Network.
3 Select the expand arrow to select Create New > VDOM link.
4 Enter the following information, and select OK.
Name: AccountVlnk
Interface #0
Virtual Domain: Accounting
IP/Netmask: 0.0.0.0/0.0.0.0
Administrative Access: HTTPS, PING, SSH
Description: The Accounting VDOM side of the link.
Interface #1
Virtual Domain: root
IP/Netmask: 0.0.0.0/0.0.0.0
Administrative Access: HTTPS, PING, SSH
Description: The Management VDOM side of the link.

To configure the Accounting and management VDOM link - CLI
config global
config system vdom-link
edit AccountVlnk
next
end
config system interface
edit AccountVlnk0
set vdom Accounting
set ip 0.0.0.0 0.0.0.0
set allowaccess https ping ssh
set description "Accounting side of the VDOM link"
next
edit AccountVlnk1
set vdom root
set ip 0.0.0.0 0.0.0.0
set allowaccess https ping ssh
set description "Management side of the VDOM link"
next
end
end
To configure the Sales and management VDOM link - web-based manager
1 In Current VDOM, select Global.
2 Select System > Network.
3 Select the expand arrow and select Create New > VDOM link.
4 Enter the following information, and select OK.
Name: SalesVlnk
Interface #0
Virtual Domain: Sales
IP/Netmask: 0.0.0.0/0.0.0.0
Administrative Access: HTTPS, PING, SSH
Description: The Sales VDOM side of the link.
Interface #1
Virtual Domain: root
IP/Netmask: 0.0.0.0/0.0.0.0
Administrative Access: HTTPS, PING, SSH
Description: The Management VDOM side of the link.

To configure the Sales and management VDOM link - CLI
config global
config system vdom-link
edit SalesVlnk
next
end
config system interface
edit SalesVlnk0
set vdom Sales
set ip 0.0.0.0 0.0.0.0
set allowaccess https ping ssh
set description "Sales side of the VDOM link"
next
edit SalesVlnk1
set vdom root
set ip 0.0.0.0 0.0.0.0
set allowaccess https ping ssh
set description "Management side of the VDOM link"
next
end
end

Configuring the firewall and UTM settings
With the VDOMs, physical interfaces, and VDOM links configured the firewall must now be
configured to allow the proper traffic. Firewalls are configured per-VDOM, and firewall
objects must be created for each VDOM separately.
For this example, the firewall group of services allowed between the internal networks and
the Internet are the basic services for web browsing, file transfer, and email. These
include: HTTP, HTTPS, SSL, FTP, DNS, NTP, POP3, and SMTP.
The only services allowed between Sales and Accounting are secure web browsing
(HTTPS) and email (POP3 and SMTP).
Note: The limited number of services ensures security between departments. The list of
services can be expanded in the future if needed.

UTM settings will block all non-essential business websites while logging all web traffic,
scan and file filter all web and email protocols, and block game and peer-to-peer
applications using application control.
For added security, FortiClient is required on internal computers with AntiVirus scanning
configured. This is enforced by Endpoint NAC in firewall policies.


Using firewall addresses makes the firewall policies easier to read. Also if any changes
need to be made in the future, you can simply update the addresses without changing the
firewall policies. The addresses required are:
• AccountingLocal - all traffic from the internal accounting network
• AccountingVlnk - all traffic from the VDOM link between the accounting and
management VDOMs (created below under the name AccountManagement)
• SalesLocal - all traffic from the internal sales network
• SalesVlnk - all traffic from the VDOM link between the sales and management VDOMs.
The Accounting VDOM requires AccountingLocal, AccountingVlnk, and
SalesLocal. The Sales VDOM requires SalesLocal, SalesVlnk, and
AccountingLocal.
The firewall policies required on the Accounting VDOM are
• AccountingLocal to Internet
• Internet to AccountingLocal
• SalesLocal to AccountingLocal
• AccountingLocal to SalesLocal
The firewall policies required on the Sales VDOM are
• SalesLocal to Internet
• Internet to SalesLocal
• SalesLocal to AccountingLocal
• AccountingLocal to SalesLocal
This section includes the following topics:
• Configuring firewall service groups
• Configuring UTM settings for the Accounting VDOM
• Configuring firewall settings for the Accounting VDOM
• Configuring UTM settings for the Sales VDOM
• Configuring firewall settings for the Sales VDOM
• Configuring firewall settings between the Accounting and Sales VDOMs

Configuring firewall service groups
Service groups are an easy way to manage multiple services, especially if the same
services are used on different networks.
The two service groups used here are intended for normal office traffic to the Internet, and
for restricted traffic between departments. In both cases network traffic will be limited to
the services listed to prevent any potential security risks or bandwidth-robbing
applications.
These service groups can be changed as needed to either include additional valid
services that are being used on the network, or to exclude services that are not required.
Also, custom services can be created as needed for applications that are not listed. For
more information on firewall service groups, see the firewall chapter of the FortiGate
Administration Guide.


To configure two firewall service groups - web-based manager
1 In Current VDOM, select Accounting.
2 Select Firewall > Service > Group > Create New, enter the following information, and
select OK.
Group Name: OfficeServices
Members: HTTP, HTTPS, SSL, FTP, DNS, NTP, POP3, PING, SMTP
3 Select Create New, enter the following information, and select OK.
Group Name: AccountingSalesServices
Members: HTTPS, POP3, PING, SMTP

To configure two firewall service groups - CLI
config vdom
edit Accounting
config firewall service group
edit OfficeServices
set member HTTP HTTPS SSL FTP DNS NTP POP3 PING SMTP
next
edit AccountingSalesServices
set member HTTPS POP3 PING SMTP
next
end
end

Configuring UTM settings for the Accounting VDOM
UTM settings include web filtering, antivirus, application control, and other features. This
example uses just those three features to ensure that
• the business environment is free from viruses
• employees do not surf grossly inappropriate websites, and
• employees do not use games or peer-to-peer applications at work.

To configure web filtering for the Accounting VDOM - web-based manager
1 In Current VDOM, select Accounting.
2 Go to UTM > Web Filtering > Profile.
3 Select Create New.
4 Enter webStrict for the Name.
5 Select the arrow to expand the FortiGuard Web Filtering section.
6 Block all Categories except Business Oriented, Other, and Unrated.
7 Block all Classifications except Image Search.
8 Log all Categories and Classifications.
9 Select OK.
To configure web filtering for the Accounting VDOM - CLI
config vdom
edit Accounting
config webfilter profile

edit webStrict
config ftgd-wf
set allow g07 g08 g21 g22 c01 c03
set deny g01 g02 g03 g04 g05 g06 c02 c04 c05 c06 c07
end
set web-ftgd-err-log enable
next
end
end
To configure AntiVirus for the Accounting VDOM - web-based manager
1 In Current VDOM, select Accounting.
2 Go to UTM > AntiVirus > Profile.
3 Select Create New.
4 Enter avStrict for the Name.
5 Enable Scan for all protocols.
6 Enable File filter for all protocols, and select built-in-patterns for Option.
7 Enable logging for both Scan and File Filter.
8 Select OK.
To configure AntiVirus for the Accounting VDOM - CLI
config vdom
edit Accounting
config antivirus profile
edit avStrict
config http
set options scan file-filter
end
config ftp
set options scan file-filter
end
config imap
set options scan file-filter
end
config pop3
set options scan file-filter
end
config smtp
set options scan file-filter
end
config nntp
set options scan file-filter
end
config im
set options scan file-filter
end
set filepattable 1
set av-virus-log enable
set av-block-log enable
next
end
end
To configure application control for the Accounting VDOM - web-based manager
1 In Current VDOM, select Accounting.
2 Go to UTM > Application Control > Application Control List.
3 Select Create New.
4 Enter appStrict for Name.
5 Select OK.
6 Enable Logging.
7 Select Create New.
8 Enter the following, and select OK.
Category: game
Application: -- all Applications --
Action: Block
Logging: enable
9 Select Create New.
10 Enter the following, and select OK.
Category: p2p
Application: -- all Applications --
Action: Block
Logging: enable
11 Select OK.
To configure application control for the Accounting VDOM - CLI
config vdom
edit Accounting
config application list
edit appStrict
config entries
edit 1
set category 2
next
edit 2
set category 8
next
end
next
end
end


Configuring firewall settings for the Accounting VDOM
This configuration includes two firewall addresses and two firewall policies for the
Accounting VDOM - one for the internal network, and one for the VDOM link with the
management VDOM (root).
For added security, all traffic allowed will be scanned. Only valid office traffic will be
allowed using the service group OfficeServices. The FortiClient application must be
used to ensure additional protection for the sensitive accounting information.
All sales and accounting computers have the FortiClient application installed, so the
firewall policies check that FortiClient is installed and that antivirus scanning is enabled.
The endpoint NAC profile the policies reference, Enforce_FortiClient_AV, must already
exist; this example does not create it.
Note the spelling of AccountVlnk, which is due to the eleven character limit on VDOM
link names. Addresses and policies reference the two interfaces of the link, AccountVlnk0
in the Accounting VDOM and AccountVlnk1 in root, not the link name itself. The department
address objects use the same /16 masks as the interface addresses; the management-side
object 10.0.1.0 is assumed to be a /24.
To configure firewall addresses - web-based manager
1 For Current VDOM, select Global.
2 Select VDOM > Accounting > Enter.
3 Select Firewall > Addresses > Create New, enter the following information, and select
OK.
Address Name: AccountingLocal
Type: Subnet / IP Range
Subnet / IP Range: 172.100.0.0/255.255.0.0
Interface: port2
4 Select Firewall > Addresses > Create New, enter the following information, and select
OK.
Address Name: AccountManagement
Type: Subnet / IP Range
Subnet / IP Range: 10.0.1.0/255.255.255.0
Interface: AccountVlnk0
To configure firewall addresses - CLI
config vdom
edit Accounting
config firewall address
edit AccountingLocal
set type ipmask
set subnet 172.100.0.0 255.255.0.0
set associated-interface port2
next
edit AccountManagement
set type ipmask
set subnet 10.0.1.0 255.255.255.0
set associated-interface AccountVlnk0
next
end
end
To configure protocol options for the Accounting VDOM - web-based manager
1 In Current VDOM, select Accounting.
2 Select Firewall > Policy > Protocol Option.
3 Select Create New.
4 Enter default for the Name.
5 Select OK.
To configure the firewall policies from AccountingLocal to the Internet - web-based manager
1 In Current VDOM, select Accounting.
2 Select Firewall > Policy > Create New.
3 Enter the following information, and select OK.
Source Interface/Zone: port2
Source Address: AccountingLocal
Destination Interface/Zone: AccountVlnk
Destination Address: AccountManagement
Schedule: always
Service: OfficeServices
Action: ACCEPT
Enable NAT: enable
UTM: enabled
Protocol Option: default
Web Filtering: webStrict
AntiVirus Filtering: avStrict
Application Control: appStrict
Enable Endpoint NAC: Enforce_FortiClient_AV
4 In Current VDOM, select root.
5 Select Firewall > Policy > Create New.
6 Enter the following information, and select OK.
Source Interface/Zone: AccountVlnk
Source Address: AccountManagement
Destination Interface/Zone: port2
Destination Address: all
Schedule: always
Service: OfficeServices
Action: ACCEPT
Enable NAT: enable
UTM: enable
Protocol Option: default
Web Filtering: webStrict
AntiVirus Filtering: avStrict
Application Control: appStrict
Enable Endpoint NAC: disabled
To configure the firewall policies from AccountingLocal to the Internet - CLI
config vdom
edit Accounting
config firewall policy
edit 1
set srcintf "port2"
set dstintf "AccountVlnk"
set srcaddr "AccountingLocal"
set dstaddr "AccountManagement"
set action accept
set schedule "always"
set service "OfficeServices"
set nat enable
set utm-status enable
set av-profile avStrict
set webfilter-profile webStrict
set application-list appStrict
set profile-protocol-options default
set endpoint-check enable
set endpoint-profile "FortiClient_installed"
next
end
end
config vdom
edit root
config firewall policy
edit 2
set srcintf AccountVlnk
set dstintf port1
set srcaddr AccountManagement
set dstaddr all
set action accept
set schedule always
set service OfficeServices
set nat enable
set utm-status enable
set av-profile "scan"
set webfilter-profile "scan"
set application-list "AppControlList"
set profile-protocol-options default
set endpoint-check disable
next
end
end
To configure the firewall policies from Internet to AccountingLocal - web-based manager
1 In Current VDOM, select root.
2 Select Firewall > Policy > Create New.
3 Enter the following information, and select OK.
Source Interface/Zone: port1
Source Address: all
Destination Interface/Zone: AccountVlnk
Destination Address: AccountManagement
Schedule: always
Service: OfficeServices
Action: ACCEPT
Enable NAT: enable
UTM: enable
Protocol Option: default
Web Filtering: webStrict
AntiVirus Filtering: avStrict
Application Control: appStrict
Enable Endpoint NAC: disabled
4 In Current VDOM, select Accounting.
5 Select Firewall > Policy > Create New, enter the following information, and select OK.
Source Interface/Zone: AccountVlnk
Source Address: AccountManagement
Destination Interface/Zone: port2
Destination Address: AccountingLocal
Schedule: always
Service: OfficeServices
Action: ACCEPT
Enable NAT: enable
UTM: enable
Protocol Option: default
Web Filtering: webStrict
AntiVirus Filtering: avStrict
Application Control: appStrict
Enable Endpoint NAC: disabled
To configure the firewall policies from Internet to AccountingLocal - CLI
config vdom
edit root
config firewall policy
edit 3
set srcintf port1
set dstintf AccountVlnk
set srcaddr all
set dstaddr AccountManagement
set action accept
set schedule always
set service OfficeServices
set nat enable

set utm-status enable
set av-profile avStrict
set webfilter-profile webStrict
set application-list appStrict
set profile-protocol-options default
set endpoint-check disable
next
end
end
config vdom
edit Accounting
config firewall policy
edit 4
set srcintf AccountVlnk
set dstintf port2
set srcaddr AccountManagement
set dstaddr AccountingLocal
set action accept
set schedule always
set service OfficeServices
set nat enable
set utm-status enable
set av-profile avStrict
set webfilter-profile webStrict
set application-list appStrict
set profile-protocol-options default
set endpoint-check disable
next
end
end

Configuring UTM settings for the Sales VDOM
UTM settings include web filtering, antivirus, application control, and other features. This
example just uses those three features to ensure that
• the business environment is free from viruses
• employees do not surf grossly inappropriate websites, and
• employees do not use games or peer-to-peer applications at work.
Note that Sales web traffic is different from Accounting, and web filtering is different to
account for this.
To configure web filtering for the Sales VDOM - web-based manager
1 In Current VDOM, select Sales.
2 Go to UTM > Web Filtering > Profile.
3 Select Create New.
4 Enter webStrict for the Name.
5 Select the arrow to expand the FortiGuard Web Filtering section.
6 Block all Categories except Potentially Non-productive, Potentially Bandwidth
Consuming, Business Oriented, Other, Unrated.
7 Only block Spam URL and Personal Privacy Classifications.

8 Log all Categories and Classifications.
9 Select OK.
To configure web filtering for the Sales VDOM - CLI
config vdom
edit Sales
config webfilter profile
edit webStrict
config ftgd-wf
set allow g07 g08 g21 g22 c01 c03
set deny g01 g02 g03 g04 g05 g06 c02 c04 c05 c06 c07
end
set web-ftgd-err-log enable
next
end
end
To configure AntiVirus for the Sales VDOM - web-based manager
1 In Current VDOM, select Sales.
2 Go to UTM > AntiVirus > Profile.
3 Select Create New.
4 Enter avStrict for the Name.
5 Enable Scan for all protocols.
6 Enable File filter for all protocols, and select built-in-patterns for Option.
7 Enable logging for both Scan and File Filter.
8 Select OK.
To configure AntiVirus for the Sales VDOM - CLI
config vdom
edit Sales
config antivirus profile
edit "avStrict"
config http
set options scan file-filter
end
config ftp
set options scan file-filter
end
config imap
set options scan file-filter
end
config pop3
set options scan file-filter
end
config smtp
set options scan file-filter
end
config nntp
set options scan file-filter
end

config im
set options scan file-filter
end
set filepattable 1
set av-virus-log enable
set av-block-log enable
next
end
end
To configure application control for the Sales VDOM - web-based manager
1 In Current VDOM, select Sales.
2 Go to UTM > Application Control > Application Control List.
3 Select Create New.
4 Enter appStrict for Name.
5 Select OK.
6 Enable Logging.
7 Select Create New.
8 Enter the following, and select OK.
Category: game
Application: -- all Applications --
Action: Block
Logging: enable
9 Select Create New.
10 Enter the following, and select OK.
Category: p2p
Application: -- all Applications --
Action: Block
Logging: enable
11 Select OK.
To configure application control for the Sales VDOM - CLI
config vdom
edit Sales
config application list
edit " appStrict "
config entries
edit 1
set category 2
next
edit 2
set category 8
next
end
next
end
end

Configuring firewall settings for the Sales VDOM
Like the Accounting firewall settings, this configuration includes two firewall addresses
and two firewall policies for the Sales VDOM: one for the internal network, and one for the
VDOM link with the management VDOM.
When entering the CLI commands, the number of the firewall policies must be high
enough to be a new policy. Depending on the number of firewall policies on your FortiGate
unit, this may require starting at a higher number than the 6 required for the default
configuration. This number is added automatically when you configure firewall policies
using the web manager interface.
The FortiClient application must be used on Sales network computers to ensure additional
protection for the sensitive information and for protection against spam.
To configure firewall addresses - web-based manager
1 In Current VDOM, select Sales.
2 Select Firewall > Addresses > Create New, enter the following information, and select OK.
Address Name: SalesLocal
Type: Subnet / IP Range
Subnet / IP Range: 172.100.0.0
Interface: port3
3 Select Firewall > Addresses > Create New, enter the following information, and select OK.
Address Name: SalesManagement
Type: Subnet / IP Range
Subnet / IP Range: 10.0.1.0
Interface: SalesVlnk
To configure the firewall addresses - CLI
config vdom
edit Sales
config firewall address
edit SalesLocal
set type iprange
set subnet 172.100.0.0
set associated-interface port2
next
edit SalesManagement
set type iprange
set subnet 10.0.1.0
set associated-interface SalesVlnk
next
end
end

To configure the firewall policies from SalesLocal to the Internet - web-based manager
1 In Current VDOM, select Sales.
2 Select Firewall > Policy > Create New.
3 Enter the following information, and select OK.
Source Interface/Zone: port3
Source Address: SalesLocal
Destination Interface/Zone: SalesVlnk
Destination Address: SalesManagement
Schedule: always
Service: OfficeServices
Action: ACCEPT
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
Redirect Non-conforming Clients to Download Portal: enabled
4 In Current VDOM, select Global.
5 Select VDOM > root > Enter.
6 Select Firewall > Policy > Create New, enter the following information, and select OK.
Source Interface/Zone: SalesVlnk
Source Address: SalesManagement
Destination Interface/Zone: external
Destination Address: all
Schedule: always
Service: OfficeServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
To configure the firewall policies from SalesLocal to the Internet - CLI
config vdom
edit Sales
config firewall policy
edit 6
set srcintf port2
set srcaddr SalesLocal
set dstintf SalesVlnk
set dstaddr SalesManagement
set schedule always
set service OfficeServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
set endpoint-redir-portal enable
next
end
end
config vdom
edit root
config firewall policy
edit 7
set srcintf SalesVlnk
set srcaddr SalesManagement
set dstintf external
set dstaddr all
set schedule always
set service OfficeServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
next
end
end
To configure the firewall policies from the Internet to SalesLocal - web-based manager
1 For Current VDOM, select Global.
2 Select VDOM > root > Enter.
3 Select Firewall > Policy > Create New, enter the following information, and select OK.
Source Interface/Zone: external
Source Address: all
Destination Interface/Zone: SalesVlnk
Destination Address: SalesManagement
Schedule: always
Service: OfficeServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
4 In Current VDOM, select Global.
5 Select VDOM > Sales > Enter.
6 Select Firewall > Policy > Create New, enter the following information, and select OK.

Source Interface/Zone: SalesVlnk
Source Address: SalesManagement
Destination Interface/Zone: port2
Destination Address: SalesLocal
Schedule: always
Service: OfficeServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
Redirect Non-conforming Clients to Download Portal: enabled

To configure the firewall policies from the Internet to SalesLocal - CLI
config vdom
edit root
config firewall policy
edit 8
set srcintf external
set srcaddr all
set dstintf SalesVlnk
set dstaddr SalesManagement
set schedule always
set service OfficeServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
set endpoint-redir-portal enable
next
end
end
config vdom
edit Sales
config firewall policy
edit 9
set srcintf SalesVlnk
set srcaddr SalesManagement
set dstintf port2
set dstaddr SalesLocal
set schedule always
set service OfficeServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
set endpoint-redir-portal enable
next
end
end

Configuring firewall settings between the Accounting and Sales VDOMs
Firewall policies are required for any communication between each internal network and
the Internet. Policies are also required for the two internal networks to communicate with
each other through the management VDOM.
The more limited AccountingSalesServices group of services will be used between Sales
and Accounting to ensure the traffic is necessary business traffic only. These policies will
result in a partially meshed VDOM configuration. The FortiClient application must be used
to ensure additional protection for the sensitive accounting information.
Two firewall policies are required to allow traffic in both directions between Sales and
Accounting.
To configure the firewall policy between Sales and Accounting on the management VDOM - web-based manager
1 For Current VDOM, select Global.
2 Select VDOM > root > Enter.
3 Select Firewall > Policy > Create New, enter the following information, and select OK.
Source Interface/Zone: SalesVlnk
Source Address: SalesManagement
Destination Interface/Zone: AccountVlnk
Destination Address: AccountManagement
Schedule: always
Service: AccountingSalesServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
Redirect Non-conforming Clients to Download Portal: enabled
4 Select Firewall > Policy > Create New, enter the following information, and select OK.
Source Interface/Zone: AccountVlnk
Source Address: AccountManagement
Destination Interface/Zone: SalesVlnk
Destination Address: SalesManagement
Schedule: always
Service: AccountingSalesServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
Redirect Non-conforming Clients to Download Portal: enabled
To configure the firewall policy between Sales and Accounting on the management
VDOM - CLI
config vdom
edit root
config firewall policy
edit 9
set srcintf SalesVlnk
set srcaddr SalesManagement
set dstintf AccountVlnk
set dstaddr AccountManagement
set schedule always
set service AccountingSalesServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
set endpoint-redir-portal enable
next
edit 10
set srcintf AccountVlnk
set srcaddr AccountManagement
set dstintf SalesVlnk
set dstaddr SalesManagement
set schedule always
set service AccountingSalesServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
set endpoint-redir-portal enable
next
end
end
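The inter-VDOM policies above come in pairs: one policy sends traffic into a VDOM link and a second policy in the peer VDOM accepts it from that link. As an added example (not code from the handbook or from Fortinet), the following Python script parses the CLI syntax used in these procedures and reports any link policy whose partner is missing; SAMPLE_CONFIG and the LINKS set are constructed assumptions, not the full configuration from the example.

```python
"""Check inter-VDOM policy pairs in FortiOS-style CLI text.
Added example, not from the FortiOS Handbook. Parses the config/edit/set/
next/end syntax used above and reports each policy that sends traffic into a
VDOM link without a partner policy in another VDOM accepting the same service
from that link. SAMPLE_CONFIG and LINKS are constructed for this example.
"""
import shlex

# Constructed sample: Accounting <-> root is paired, Sales/6 is not.
SAMPLE_CONFIG = """
config vdom
edit Accounting
config firewall policy
edit 1
set srcintf "port2"
set dstintf "AccountVlnk"
set srcaddr "AccountingLocal"
set dstaddr "AccountManagement"
set action accept
set service "OfficeServices"
next
end
end
config vdom
edit root
config firewall policy
edit 2
set srcintf AccountVlnk
set dstintf port1
set srcaddr AccountManagement
set dstaddr all
set action accept
set service OfficeServices
next
end
end
config vdom
edit Sales
config firewall policy
edit 6
set srcintf port3
set dstintf SalesVlnk
set srcaddr SalesLocal
set dstaddr SalesManagement
set action accept
set service OfficeServices
next
end
end
"""
LINKS = {"AccountVlnk", "SalesVlnk"}  # VDOM link interface names (assumed)


def parse(text):
    """Turn config/edit/set/next/end lines into nested dicts: 'config X' and
    'edit Y' open a dict keyed by X or Y, 'set K V...' stores the value list,
    'next' closes an edit, 'end' closes the config plus any open edit in it.
    """
    stack = [("config", {})]  # (level kind, dict) pairs; stack[0] is the root
    for raw in text.splitlines():
        words = shlex.split(raw)  # drops the "..." quoting used above
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            stack.append((cmd, stack[-1][1].setdefault(" ".join(args), {})))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next" and len(stack) > 1:
            stack.pop()
        elif cmd == "end":
            while len(stack) > 1 and stack[-1][0] == "edit":
                stack.pop()
            if len(stack) > 1:
                stack.pop()
    return stack[0][1]


def has_partner(vdoms, vdom_name, link, policy):
    """True if another VDOM accepts policy's service arriving from link."""
    for other, vdom in vdoms.items():
        if other == vdom_name:
            continue
        for p in vdom.get("firewall policy", {}).values():
            if (p.get("srcintf") == [link] and p.get("action") == ["accept"]
                    and p.get("service") == policy.get("service")):
                return True
    return False


def unpaired_link_policies(cfg, links):
    """Return 'VDOM/policy-id' for each policy into a link with no partner."""
    findings = []
    vdoms = cfg.get("vdom", {})
    for name, vdom in vdoms.items():
        for pid, policy in vdom.get("firewall policy", {}).items():
            dst = policy.get("dstintf", [""])[0]
            if dst in links and not has_partner(vdoms, name, dst, policy):
                findings.append(f"{name}/{pid}")
    return findings
```

Run against a `show` dump of the real unit, the same check catches the service mismatch case too, since a partner that accepts OfficeServices does not pair with a policy sending AccountingSalesServices.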

Testing the configuration
Once the inter-VDOM routing has been configured, tests must be conducted to confirm
proper operation. If there are any problems, use the troubleshooting tips to resolve them.
This section includes the following topics:
• Testing connectivity
• Troubleshooting Tips

Testing connectivity
Testing connectivity ensures that physical networking connections as well as FortiGate
unit interface configurations, including firewall policies, are properly configured.

The easiest way to test connectivity is to use the ping and traceroute commands to
confirm the connectivity of different routes on the network. Include testing:
• from AccountingLocal to Internet
• from Internet to AccountingLocal
• from SalesLocal to Internet
• from Internet to SalesLocal
• from AccountingLocal to SalesLocal.
When using the commands on a Windows computer, go to a command line prompt and
enter either ping <IP address> or tracert <IP address>.
When using the commands on a FortiGate unit, go to the CLI and enter either exec ping
<IP address> or exec traceroute <IP address>.

Troubleshooting Tips
When there are problems with connectivity, the following troubleshooting tips will help
resolve the issues.


• If a multiple hop test, such as traceroute, is not successful then reduce it to a single
hop to simplify the test. Test each link of the path to see which hop is down. If all hops
are up, check the FortiGate unit policies to ensure they allow basic traffic to flow as
expected.
• If ping does not work, confirm that the FortiGate unit interfaces have Ping enabled and
also ensure Ping is enabled in the firewall policies. Otherwise the Ping traffic will be
blocked.
• If one protocol does not work but others do work, check the FortiGate unit firewall
policies for that one protocol to ensure it is allowed.
• If there are unexplained connectivity problems, check the local computer to ensure it
does not have a software firewall running that may be blocking traffic. MS Windows
computers have a firewall running by default that can cause problems.

For additional troubleshooting, see “Troubleshooting Virtual Domains” on page 1421.


Troubleshooting Virtual Domains
When you are configuring VDOMs you may run into some issues. This section provides
answers to some common issues with VDOMs.
This section includes:
• VDOM admin having problems gaining access
• FortiGate unit running very slowly
• General VDOM tips and troubleshooting

VDOM admin having problems gaining access
With VDOMs configured, administrators have an extra layer of permissions and may have
problems accessing their information.

Confirm the admin’s VDOM
Each administrator account, other than the super_admin account, is tied to one specific
VDOM. That administrator is not able to access any other VDOM. It may be possible they
are trying to access the wrong VDOM.

Confirm the VDOM’s interfaces
An administrator can only access their VDOM through interfaces that are assigned to that
VDOM. If interfaces on that VDOM are disabled or unavailable there will be no method of
accessing that VDOM by its local administrator. The super_admin will be required to either
bring up the interfaces, fix the interfaces, or move another interface to that VDOM to
restore access.

Confirm the VDOM’s admin access
As with all FortiGate units, administration access on the VDOM’s interfaces must be
enabled for that VDOM’s administrators to gain access. For example, if SSH is not
enabled, it is not available to administrators.
To enable admin access, the super_admin will go to Global > System > Network, and for
the interface in question enable the admin access.

FortiGate unit running very slowly
You may experience a number of problems resulting from your FortiGate unit being
overloaded. These problems may appear as:


• CPU and memory threshold limits exceeded on a continual basis
• AV failopen happening on a regular basis
• dropped traffic or sessions due to lack of resources

These problems are caused by a lack of system resources. There are a number of
possible reasons for this.

Too many VDOMs
If you have configured many VDOMs on your system, past the default ten VDOMs, this
could easily be your problem.
Each VDOM you create on your FortiGate unit requires system resources to function: CPU cycles, memory, and disk space. When there are too many VDOMs configured there
are not enough resources for operation. This may be a lack of memory in the session
table, or no CPU cycles for processing incoming IPS traffic, or even a full disk drive.
Go to Global > System > VDOMs and see the number of configured VDOMs on your
system. If you are running 250 or more VDOMs, you must have a FortiGate 5000 chassis.
Otherwise you need to reduce the number of VDOMs on your system to fix the problem.
Even if you have the proper hardware, you may encounter noticeably slow throughput if
you are using advanced features such as UTM or deep content inspection with many
configured VDOMs.

One or more VDOMs are consuming all the resources
If you have sufficient hardware to support the number of VDOMs you are running, check
the global resources on your FortiGate unit. At a glance it will tell you if you are running out
of a particular resource such as sessions, or users. If this is the case, you can then check
your VDOMs to see if one particular VDOM is using more than its share of resources. If
that is the case you can change the resource settings to allow that VDOM (or those
VDOMs) fewer resources and in turn allow the other VDOMs access to those resources.

Too many UTM features in use
If you are running 250 or more VDOMs and have a FortiGate 5000 chassis, it is still
possible that you are running too many features for the FortiGate unit to support all those
VDOMs. To support 250 or more VDOMs, FortiGate units cannot run advanced UTM
features. Instead they are limited to less processor intensive features that do not require
stateful inspection.
It is likely that reducing the UTM features in use even with fewer VDOM configuration will
greatly improve overall system performance and should be considered as an option.
Finally it is possible that your FortiGate unit configuration is incorrect in some other area,
which is using up all your resources. For example, forgetting that you are running a
network sniffer on an interface will create significant amounts of traffic that may prevent
normal operation.

General VDOM tips and troubleshooting
Besides ping and traceroute, there are additional tools for troubleshooting your VDOM
configurations. These include packet sniffing and debugging the packet flow.

Perform a sniffer trace
When troubleshooting networks, it helps to look inside the headers of packets to
determine if they are traveling along the route you expect that they are. Packet sniffing can
also be called a network tap, packet capture, or logic analyzing.
Note: If your FortiGate unit has NP2 interfaces that are offloading traffic, this will change
the sniffer trace. Before performing a trace on any NP2 interfaces, you should disable
offloading on those interfaces.

What can sniffing packets tell you
If you are running a constant traffic application such as ping, packet sniffing can tell you if
the traffic is reaching the destination, what the port of entry is on the FortiGate unit, if the
ARP resolution is correct, and if the traffic is being sent back to the source as expected.
Sniffing packets can also tell you if the FortiGate unit is silently dropping packets for
reasons such as RPF (Reverse Path Forwarding), also called Anti Spoofing, which
prevents an IP packet from being forwarded if its Source IP does not either belong to a
locally attached subnet (local interface), or be part of the routing between the FortiGate
and another source (static route, RIP, OSPF, BGP). Note that RPF can be disabled by
turning on asymmetric routing in the CLI (config system setting, set
asymmetric enable), however this will disable stateful inspection on the FortiGate unit
and cause many features to be turned off.
Note: If you configure virtual IP addresses on your FortiGate unit, it will use those
addresses in preference to the physical IP addresses. You will notice this when you are
sniffing packets because all the traffic will be using the virtual IP addresses. This is due to
the ARP update that is sent out when the VIP address is configured.

How do you sniff packets
When you are using VDOMs, you must be in a VDOM to access the diag sniffer
command. At the global level, the command is not available. This limits the packets to
the ones on your VDOM, and protects the privacy of other VDOM clients.
The general form of the internal FortiOS packet sniffer command is:
diag sniffer packet <interface_name> <‘filter’> <verbose> <count>
To stop the sniffer, type CTRL+C.
<interface_name>: The name of the interface to sniff, such as “port1” or “internal”.
This can also be “any” to sniff all interfaces.
<‘filter’>: What to look for in the information the sniffer reads. “none” indicates no
filtering, and all packets will be displayed as the other arguments indicate. The filter
must be inside single quotes (‘).
<verbose>: The level of verbosity as one of:
1 - print header of packets
2 - print header and data from IP of packets
3 - print header and data from Ethernet of packets
<count>: The number of packets the sniffer reads before stopping. If you don’t put a
number here, the sniffer will run forever until you stop it with <CTRL C>.

For a simple sniffing example, enter the CLI command diag sniffer packet port1
none 1 3. This will display the next 3 packets on the port1 interface using no filtering,
and using verbose level 1. At this verbosity level you can see the source IP and port, the
destination IP and port, action (such as ack), and sequence numbers.
In the output below, port 443 indicates these are HTTPS packets, and 172.20.120.17 is
both sending and receiving traffic.
Head_Office_620b # diag sniffer packet port1 none 1 3
interfaces=[port1]
filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757
0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808
0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933
For a more advanced example of packet sniffing, the following commands will report
packets on any interface travelling between a computer with the host name of PC1 and the
computer with the host name of PC2. With verbosity 4 and above, the sniffer trace will
display the interface names where traffic enters or leaves the FortiGate unit. Remember to
stop the sniffer by typing CTRL+C. Note that PC1 and PC2 may be VDOMs.
FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4
or
FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4
The following sniffer CLI command includes the ARP protocol in the filter, which may be
useful to troubleshoot a failure in the ARP resolution (for instance PC2 may be down and
not responding to the FortiGate ARP requests).
FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4

Debug the packet flow
Traffic should come in and leave the VDOM. If you have determined that network traffic is
not entering and leaving the VDOM as expected, debug the packet flow.
Debugging can only be performed using CLI commands. Debugging the packet flow
requires a number of debug commands to be entered as each one configures part of the
debug action, with the final command starting the debug.
Note: If your FortiGate unit has NP2 interfaces that are offloading traffic, this will change
the packet flow. Before performing the debug on any NP2 interfaces, you should disable
offloading on those interfaces.

The following configuration assumes that PC1 is connected to the internal interface of the
FortiGate unit and has an IP address of 10.11.101.200. PC1 is the host name of the
computer.
To debug the packet flow in the CLI, enter the following commands:
FGT# diag debug enable
FGT# diag debug flow filter add <PC1>
FGT# diag debug flow show console enable
FGT# diag debug flow trace start 100
FGT# diag debug enable

The start 100 argument in the above list of commands will limit the output to 100
packets from the flow. This is useful for looking at the flow without flooding your log or your
display with too much information.
To stop all other debug activities, enter the command:
FGT# diag debug flow trace stop
The following is an example of debug flow output for traffic that has no matching Firewall
Policy, and is in turn blocked by the FortiGate unit. The denied message indicates the
traffic was blocked. Note that even with VDOMs not enabled, vd-root is still shown.
id=20085 trace_id=319 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.129.136:2854->192.168.96.153:1863) from port3."
id=20085 trace_id=319 func=resolve_ip_tuple line=2924 msg="allocate a new session-013004ac"
id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-192.168.150.129 via port1"
id=20085 trace_id=319 func=fw_forward_handler line=248 msg="Denied by forward policy check"
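A flow trace of any length is easier to read once the lines of each trace_id are folded into one record with the ingress interface, the chosen route and the verdict. As an added example (not from the handbook), the following Python script does that for output in the format shown above; SAMPLE_TRACE is constructed, and the "Allowed by Policy-N:" form of the accept message is an assumption about the trace, not something the handbook shows.

```python
"""Summarise FortiOS 'diag debug flow' output per trace_id.

Added example, not from the FortiOS Handbook. It groups the id=/trace_id=/
func=/msg= lines of a flow trace by trace_id and pulls out the VDOM, the
5-tuple, ingress interface, chosen route and final verdict, so a denied flow
can be checked against the policy that was meant to allow it. SAMPLE_TRACE
is constructed in the format shown above.
"""
import re
from dataclasses import dataclass

# Constructed sample: the denied flow from the handbook output plus an ICMP
# flow in the Accounting VDOM that a policy allows (message form assumed).
SAMPLE_TRACE = '''
id=20085 trace_id=319 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.129.136:2854->192.168.96.153:1863) from port3."
id=20085 trace_id=319 func=resolve_ip_tuple line=2924 msg="allocate a new session-013004ac"
id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-192.168.150.129 via port1"
id=20085 trace_id=319 func=fw_forward_handler line=248 msg="Denied by forward policy check"
id=20085 trace_id=320 func=resolve_ip_tuple_fast line=2825 msg="vd-Accounting received a packet(proto=1, 172.100.0.10:1->10.0.1.1:2048) from port2."
id=20085 trace_id=320 func=vf_ip4_route_input line=1597 msg="find a route: gw-10.0.1.1 via AccountVlnk"
id=20085 trace_id=320 func=fw_forward_handler line=674 msg="Allowed by Policy-1:"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # k=v or k="v with spaces"
PACKET = re.compile(r"vd-(\S+) received a packet\(proto=(\d+), "
                    r"([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.")
ROUTE = re.compile(r"find a route: gw-([\d.]+) via (\S+)")


@dataclass
class Flow:
    vdom: str = ""
    proto: int = 0
    src: str = ""           # "ip:port" as printed in the trace
    dst: str = ""
    ingress: str = ""
    egress: str = ""
    gateway: str = ""
    verdict: str = "no verdict"   # left as-is when the trace was cut off


def parse_line(line):
    """Split one trace line into a dict, removing the quotes around msg."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def summarise(text):
    """Return {trace_id: Flow} built from the trace lines in text."""
    flows = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if "trace_id" not in rec:
            continue
        flow = flows.setdefault(rec["trace_id"], Flow())
        msg = rec.get("msg", "")
        if m := PACKET.search(msg):
            flow.vdom, flow.proto = m[1], int(m[2])
            flow.src, flow.dst = f"{m[3]}:{m[4]}", f"{m[5]}:{m[6]}"
            flow.ingress = m[7]
        elif m := ROUTE.search(msg):
            flow.gateway, flow.egress = m[1], m[2]
        elif msg.startswith(("Denied", "Allowed")):
            flow.verdict = msg.rstrip(":")
    return flows


def denied(flows):
    """trace_ids whose verdict is a denial (e.g. 'Denied by forward policy check')."""
    return sorted(t for t, f in flows.items() if f.verdict.startswith("Denied"))
```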

Chapter 12 High Availability
This FortiOS Handbook chapter contains the following sections:
Solving the High Availability problem defines the HA-related terminology used in this
document.
An introduction to the FortiGate Clustering Protocol (FGCP) introduces the FGCP
clustering protocol and many of its features.
Configuring and connecting HA clusters describes configuring HA clusters and contains
HA clustering configuration examples.
Configuring and connecting virtual clusters describes configuring HA virtual clusters and
contains virtual clustering configuration examples.
Configuring and operating FortiGate full mesh HA describes configuring FortiGate Full
mesh HA and contains a full mesh HA configuration example.
Operating a cluster describes how to operate a cluster and includes detailed information
about how various FortiGate systems operate differently in a cluster.
HA and failover protection describes in detail how FortiGate HA device failover, link
failover, and session failover work.
HA and load balancing describes in detail how FortiGate HA active-active load balancing
and TCP session synchronization load balances sessions.
HA with third-party products describes how FortiGate units interact with third-party
products.
Standalone session synchronization describes the FortiGate standalone session
synchronization feature.


Solving the High Availability problem
In addition to the proprietary FortiGate Cluster Protocol (FGCP), FortiOS offers VRRP and
TCP session synchronization high availability solutions. A strong and flexible high
availability solution is required for many mission-critical firewall and UTM applications.
FortiOS provides three high availability solutions. Each of these solutions can be fine
tuned to fit many different network scenarios. FortiGate high availability (HA) provides
a solution for two key requirements of critical enterprise networking components:
enhanced reliability and increased performance.

FortiGate Cluster Protocol (FGCP)
FGCP HA provides device and link failover protection, load balancing, session
synchronization, remote IP failover, full mesh HA, and virtual clustering. You can also fine
tune the performance of the FGCP to change how a cluster forms and shares information
among cluster units and how the cluster responds to failures. When configured onto your
network an FGCP cluster appears to be a single FortiGate unit operating in NAT/Route or
Transparent mode. If a failover occurs, the cluster recovers quickly and automatically and
also sends administrator notifications so that the problem that caused the failure can be
corrected and any failed equipment restored.
The FGCP is compatible with most network environments and most networking
equipment. While initial configuration is relatively quick and easy, a large number of tools
and configuration options are available to fine tune the cluster for most situations.

TCP session synchronization
When coupled with external routers and load balancers that load balance TCP sessions
between two FortiGate units, you can use FortiOS TCP session synchronization to
distribute or load balance TCP sessions between two peer FortiGate units. If one of the
peers fails, session failover occurs and active TCP sessions fail over to the peer that is still
operating. This failover occurs without any loss of data. As well, the external routers or
load balancers will detect the failover and re-distribute all sessions to the peer that is still
operating.
Unlike the FGCP, TCP session synchronization does not include configuration
synchronization. In fact, the configuration of the two peers is not identical because in most
cases the peers would have different IP addresses. Also unlike HA, load balancing is done
by external routers or load balancers. The FortiGate units only perform session
synchronization and session failover.


VRRP
FortiOS supports VRRP between two or more FortiGate units and between FortiGate units
and third-party routers that support VRRP. Using VRRP you can assign VRRP routers as
master or backup routers. The master router processes traffic and the backup routers
monitor the master router and can begin forwarding traffic if the master fails. Similar to the
FGCP, you can configure VRRP between multiple FortiGate units to provide
redundancy. You can also create a VRRP group with a FortiGate unit and any router that
supports VRRP. If the FortiGate unit fails, all traffic switches to the router. Network
connectivity is maintained even though FortiGate security features will be unavailable until
the FortiGate unit is back online.

More about the FGCP
FortiGate HA is implemented by configuring two or more FortiGate units to operate as an
HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit,
processing network traffic and providing normal security services such as firewalling,
Unified Threat Management (UTM) and VPN services.
Figure 204: HA cluster installed between an internal network and the Internet
(Diagram: Internal Network - Internal Switch - FortiGate High Availability Cluster - External Switch - External Router - Internet)

Inside the cluster the individual FortiGate units are called cluster units. These cluster units
share state and configuration information. If one cluster unit fails, the other units in the
cluster automatically replace that unit, taking over the work that the failed unit was doing.
After the failure, the cluster continues to process network traffic and provide normal
FortiGate services with virtually no interruption.


Every FortiGate cluster contains one primary unit (also called the master unit) and one or
more subordinate units (also called slave or backup units). The primary unit controls how
the cluster operates. The roles that the primary and subordinate units play in the cluster
depend on the mode in which the cluster operates. See “Active-passive HA (failover
protection)” on page 1440 and “Active-active HA (load balancing and failover protection)”
on page 1441.
The ability of an HA cluster to continue providing firewall services after a failure is called
failover. FortiGate HA failover means that your network does not have to rely on one
FortiGate unit to continue functioning. You can install additional units and form an HA
cluster. Other units in the cluster will take over if one of the units fails.
A second HA feature, called load balancing, can be used to increase performance. A
cluster of FortiGate units can increase overall network performance by sharing the load of
processing network traffic and providing Unified Threat Management (UTM) services. The
cluster appears to your network to be a single device, adding increased performance
without changing your network configuration.
Virtual clustering extends HA features to provide failover protection and load balancing for
a FortiGate operating with virtual domains. A virtual cluster consists of a cluster of two
FortiGate units operating with virtual domains. Traffic on different virtual domains can be
load balanced between the cluster units. For details about virtual clustering, see
“Configuring and connecting virtual clusters” on page 1523.
FortiGate models that support redundant interfaces can be configured to support a
clustering configuration called full mesh HA. Full mesh HA is a method of reducing the
number of single points of failure on a network that includes an HA cluster. For details
about full mesh HA, see “Configuring and operating FortiGate full mesh HA” on
page 1545.

FGCP failover protection
The FGCP provides IP/MAC takeover for failover protection by assigning virtual MAC
addresses to the primary cluster unit and then sending gratuitous ARP packets from the
primary unit interfaces to reprogram the network.
Failover times can be less than a second under optimal conditions. You can fine tune
failover performance for your network by adjusting cluster status checking, routing table
update, and wait timers.
An HA cluster fails over if the primary unit experiences a device or link failure. The cluster
can detect link failures for connections to the primary unit using port monitoring and for
connections between downstream network components using remote IP monitoring. To
compensate for a link failover, the cluster maintains active links to keep traffic flowing
between high-priority networks. Port and remote IP monitoring can be fine tuned without
disrupting cluster operation.

Session Failover
FGCP session failover maintains TCP, SIP and IPsec VPN sessions after a failure.
Session failover does not fail over UDP, multicast, ICMP, or SSL VPN sessions. Session
failover may not be required for all networks because many TCP/IP protocols can resume
sessions on their own. Supporting session failover adds extra overhead to cluster
operations and can be disabled to improve cluster performance if it is not required.


Load Balancing
Active-active HA load balances resource-intensive UTM processing among all cluster
units to provide better UTM performance than a standalone FortiGate unit. If network
traffic consists of mainly TCP sessions, the FGCP can also load balance all TCP sessions
to improve TCP performance in some network configurations. You can use accelerated
FortiGate interfaces to also accelerate HA load balancing and HA load balancing
schedules can be adjusted to optimize performance for the traffic mix on your network.
Weighted load balancing can be used to control the relative amount of sessions
processed by each cluster unit.

Virtual Clustering
Virtual clustering is an extension of the FGCP for a cluster of 2 FortiGate units operating
with multiple VDOMS enabled. Not only does virtual clustering provide failover protection
for a multiple VDOM configuration, but a virtual cluster can load balance traffic between
the cluster units. Load balancing with virtual clustering is quite efficient and load balances
all traffic (not just UTM and TCP traffic). It is possible to fine tune virtual clustering load
balancing in real time to actively optimize load sharing between the cluster units without
affecting the smooth operation of the cluster.

Full Mesh HA
High availability improves the reliability of a network by replacing a single point of failure (a
single FortiGate unit) with a cluster that can maintain network traffic if one of the cluster
units fails. However, in a cluster configuration single points of failure remain. Full mesh HA
removes these single points of failure by allowing you to connect redundant switches to
each cluster interface. Full mesh HA is achieved by configuring 802.3ad aggregate or
redundant interfaces on the FortiGate unit and connecting redundant switches to these
interfaces. Configuration is a relatively simple extension of the normal
aggregate/redundant interface and HA configurations.

Cluster Management
FortiOS HA provides a wide range of cluster management features:
Automatic continuous configuration synchronization. You can get a cluster up and running
almost as quickly as a standalone FortiGate unit by performing a few basic steps to
configure HA settings and minimal network settings on each cluster unit. When the cluster
is operating you can start configuring FortiGate features such as UTM and IPsec
VPN in the same way as for a standalone FortiGate unit. All configuration changes (even
complex changes such as switching to multiple VDOM mode or from NAT/Route to
Transparent mode) are synchronized among all cluster units.
Firmware upgrades/downgrades. Upgrading or downgrading cluster firmware is similar to
upgrading or downgrading standalone FortiGate firmware. The firmware is uploaded once
to the primary unit and the cluster automatically upgrades or downgrades all cluster units
in one operation with minimal or no service interruption.
Individual cluster unit management. In some cases you may want to manage individual
cluster units. You can do so from cluster CLI by navigating to each cluster unit. You can
also use the reserved management interface feature to give each cluster unit its own IP
address and default route. You can use the reserved management interfaces and IP
addresses to connect to the GUI and CLI of each cluster unit and configure an SNMP
server to poll each cluster unit.


Removing and adding cluster units. In one simple step any unit (even the primary unit) can
be removed from a cluster and given a new IP address. The cluster keeps operating as it
was; the transition happening without interrupting cluster operation. Any unit can also be
added to an operating cluster without disrupting network traffic. All you have to do is
connect the new unit and change its HA configuration to match the cluster's. The cluster
automatically finds and adds the unit and synchronizes its configuration with the cluster.
Debug and diagnose commands. A full range of debug and diagnose commands can be
used to report on HA operation and find and fix problems.
Logging and reporting. All cluster units can be configured to record all log messages.
These messages can be stored on the individual cluster units or sent to a FortiAnalyzer
unit. You can view all cluster unit log messages by logging into any cluster unit.
FortiManager support. FortiManager understands FortiOS HA and automatically
recognizes when you add a FortiOS cluster to the FortiManager configuration.


An introduction to the FortiGate Clustering Protocol (FGCP)
A FortiGate HA cluster consists of two or more FortiGate units configured for HA
operation. Each FortiGate unit in a cluster is called a cluster unit. All cluster units must be
the same FortiGate model with the same FortiOS firmware build installed. All cluster units
must also have the same hardware configuration (for example, the same AMC modules
installed in the same slots, the same number of hard disks and so on) and be running in
the same operating mode (NAT/Route mode or Transparent mode).
On startup, after configuring the cluster units with the same HA configuration, the cluster
units use the FortiGate Clustering Protocol (FGCP) to find other FortiGate units configured
for HA operation and to negotiate to create a cluster. During cluster operation, the FGCP
shares communication and synchronization information among the cluster units. This
communication and synchronization is called the FGCP heartbeat or the HA heartbeat.
Often, this is shortened to just heartbeat. For a cluster to form, the cluster units must be
able to communicate using their configured heartbeat interfaces.
The cluster uses the FGCP to select the primary unit, and to provide device, link and
session failover. The FGCP also manages the two HA modes; active-passive (failover HA)
and active-active (load balancing HA).
This chapter describes:
• Configuring a FortiGate unit for HA operation
• Active-passive and active-active HA
• Identifying the cluster and cluster units
• Device failover, link failover, and session failover
• Primary unit selection
• HA override
• FortiGate HA compatibility with PPPoE and DHCP
• Hard disk configuration and HA
• Recommended practices
• FGCP HA terminology

Configuring a FortiGate unit for HA operation
Each FortiGate unit in the cluster must have the same HA configuration. Once the cluster
is connected, you can configure it in the same way as you would configure a standalone
FortiGate unit. The following procedures set the HA mode to active-passive and set the
HA password to HA_pass.
To configure a FortiGate unit for HA operation - web-based manager
1 Power on the FortiGate unit to be configured.
2 Log in to the web-based manager.


3 On the Dashboard System Information dashboard widget, beside Host Name select
Change.
4 Enter a new Host Name for this FortiGate unit.
Changing the host name makes it easier to identify individual cluster units when the
cluster is operating.
5 Go to System > Config > HA and change the following settings:
Mode: Active-Passive
Group Name: Example_cluster
Password: HA_pass
Note: The password must be the same for all FortiGate units in the cluster.

You can accept the default configuration for the remaining HA options and change
them later, once the cluster is operating.
6 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster
virtual MAC addresses” on page 1605). To be able to reconnect sooner, you can
update the ARP table of your management PC by deleting the ARP table entry for the
FortiGate unit (or just deleting all ARP table entries). You may be able to delete the
ARP table of your management PC from a command prompt using a command similar
to arp -d.
7 Power off the FortiGate unit.
8 Repeat this procedure for all of the FortiGate units in the cluster.
Once all of the units are configured, continue with “Connecting a FortiGate HA cluster”
on page 1439.
To configure a FortiGate unit for HA operation - CLI
1 Power on the FortiGate unit to be configured.
2 Log in to the CLI.
3 Enter the following command to change the FortiGate unit host name.
config system global
set hostname Example1_host
end
Changing the host name makes it easier to identify individual cluster units when the
cluster is operating.
4 Enter the following command to enable HA:
config system ha
set mode active-passive
set group-name Example_cluster
set password HA_pass
end
You can accept the default configuration for the remaining HA options and change
them later, once the cluster is operating.


The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose
connectivity with the FortiGate unit as the HA cluster negotiates and because the
FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster virtual
MAC addresses” on page 1605). To be able to reconnect sooner, you can update the
ARP table of your management PC by deleting the ARP table entry for the FortiGate
unit (or just deleting all ARP table entries). You may be able to delete the ARP table of
your management PC from a command prompt using a command similar to arp -d.
5 Power off the FortiGate unit.
6 Repeat this procedure for all of the FortiGate units in the cluster.
Once all of the units are configured, continue with “Connecting a FortiGate HA cluster”.

Connecting a FortiGate HA cluster
Use the following procedure to connect a cluster. Connect the cluster units to each other
and to your network. You must connect all matching interfaces in the cluster to the same
switch, then connect these interfaces to their networks using the same switch.
Although you can use hubs, Fortinet recommends using switches for all cluster
connections for the best performance.
Connecting an HA cluster to your network temporarily interrupts communications on the
network because new physical connections are being made to route traffic through the
cluster. Also, starting the cluster interrupts network traffic until the individual cluster units
are functioning and the cluster completes negotiation. Cluster negotiation is automatic and
normally takes just a few seconds. During system startup and negotiation all network
traffic is dropped.
This section describes how to connect the cluster shown in Figure 205 on page 1439 that
consists of two FortiGate-620B units to be connected between the Internet and a head
office internal network. The port1 interfaces of the FortiGate unit connect the cluster to the
Internet and the port2 interfaces connect the cluster to the internal network. The port3 and
port4 interfaces are used for redundant HA heartbeat links.
Figure 205: Example cluster connections
(Diagram: Internal Network - Switch - Port2 of each FortiGate-620B cluster unit; Port1 of each unit - Switch - Internet; Port3 and Port4 of the two units connected to each other as heartbeat links)


To connect a FortiGate HA cluster
1 Connect the port1 interfaces of each cluster unit to a switch or hub connected to the
Internet.
2 Connect the port2 interfaces of each cluster unit to a switch or hub connected to the
internal network.
3 Connect the port3 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
4 Connect the port4 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
5 Power on both of the FortiGate units.
As the cluster units start, they negotiate to choose the primary unit and the subordinate
units. This negotiation occurs with no user intervention and normally just takes a few
seconds.
At least one heartbeat interface should be connected together for the cluster to
operate. You can also connect the heartbeat interfaces to a network. If the cluster
consists of just two FortiGate units, you can connect the heartbeat interfaces directly
using a crossover cable. For more information about heartbeat interfaces, see “HA
heartbeat and communication between cluster units” on page 1598.
You could use one switch to connect all four heartbeat interfaces. However, this is not
recommended because if the switch fails both heartbeat interfaces will become
disconnected.
You can now configure the cluster as if it is a single FortiGate unit.

Active-passive and active-active HA
The first decision to make when configuring FortiGate HA is whether to choose
active-passive or active-active HA mode. To configure the HA mode, go to System >
Config > HA and set Mode to Active-Passive or Active-Active.
From the CLI enter the following command to set the HA mode to active-passive:
config system ha
set mode a-p
end
To form a cluster, all cluster units must be set to the same mode. You can also change the
mode after the cluster is up and running. Changing the mode of a functioning cluster
causes a slight delay while the cluster renegotiates to operate in the new mode and
possibly select a new primary unit.

Active-passive HA (failover protection)
An active-passive (A-P) HA cluster provides hot standby failover protection.
An active-passive cluster consists of a primary unit that processes communication
sessions, and one or more subordinate units. The subordinate units are connected to the
network and to the primary unit but do not process communication sessions. Instead, the
subordinate units run in a standby state. In this standby state, the configuration of the
subordinate units is synchronized with the configuration of the primary unit and the
subordinate units monitor the status of the primary unit.
Active-passive HA provides transparent device failover among cluster units. If a cluster
unit fails, another immediately takes its place. See “Device failover” on page 1597.


Active-passive HA also provides transparent link failover among cluster units. If a cluster
unit interface fails or is disconnected, this cluster unit updates the link state database and
the cluster negotiates and may select a new primary unit. See “Link failover” on page 1621
for more information.
If session failover (also called session pickup) is enabled, active-passive HA provides
session failover for some communication sessions. See “Session failover (session pickup)” on page 1630 for information about session failover and its limitations.
The following example shows how to configure a FortiGate unit for active-passive HA
operation. You would enter the exact same commands on every FortiGate unit in the
cluster.
config system ha
set mode a-p
set group-name myname
set password HApass
end

Active-active HA (load balancing and failover protection)
Active-active (A-A) HA load balances resource-intensive UTM processing among all
cluster units. UTM processing applies protocol recognition, virus scanning, IPS, web
filtering, email filtering, data leak prevention (DLP), application control, and VoIP content
scanning and protection to HTTP, HTTPS, FTP, IMAP, IMAPS, POP3, POP3S, SMTP,
SMTPS, IM, NNTP, SIP, SIMPLE, and SCCP sessions accepted by firewall policies. By
load balancing this resource-intensive UTM processing among all cluster units, an
active-active HA cluster may provide better UTM performance than a standalone FortiGate unit.
Other features enabled in firewall policies such as Endpoint NAC, traffic shaping and
authentication have no effect on active-active load balancing.
Non-UTM sessions are not load balanced and are processed by the primary unit. You
can also optionally configure active-active HA to load balance all TCP sessions in addition
to UTM sessions. For more information see “Load balancing UTM sessions and TCP
sessions” on page 1647.
An active-active HA cluster consists of a primary unit that receives all communication
sessions and load balances them among the primary unit and all of the subordinate units.
In an active-active cluster the subordinate units are also considered active since they also
process UTM sessions.
In all other ways active-active HA operates the same as active-passive HA.
The following example shows how to configure a FortiGate unit for active-active HA
operation. You would enter the exact same commands on every FortiGate unit in the
cluster.
config system ha
set mode a-a
set group-name myname
set password HApass
end

Identifying the cluster and cluster units
You can use the cluster group name, group id, and password to identify a cluster and
distinguish one cluster from another. If you have more than one cluster on the same
network, each cluster must have a different group name, group id, and password.


Group name
Use the group name to identify the cluster. The maximum length of the group name is 32
characters. The group name must be the same for all cluster units before the cluster units
can form a cluster. After a cluster is operating, you can change the group name. The group
name change is synchronized to all cluster units.
The default group name is FGT-HA. The group name appears on the FortiGate dashboard
of a functioning cluster as the Cluster Name.
To change the group name from the web-based manager go to Config > System > HA and
change the Group Name.
Enter the following CLI command to change the group name to Cluster_name:
config system ha
set group-name Cluster_name
end

Password
Use the password to identify the cluster. You should always change the password when
configuring a cluster. The password must be the same for all FortiGate units before they
can form a cluster. The maximum password length is 19 characters. When the cluster is
operating you can change the password, if required. Two clusters on the same network
cannot have the same password.
To change the password from the web-based manager go to Config > System > HA and
change the Password.
Enter the following CLI command to change the password to ha_pwd:
config system ha
set password ha_pwd
end

Group ID
Similar to the group name, the group ID is also used to identify the cluster. In most cases
you do not have to change the group ID. However, you should change the group ID if you
have more than one cluster on the same network. All members of the HA cluster must
have the same group ID. The group ID range is from 0 to 63.
Changing the group ID changes the cluster virtual MAC address. See “Cluster virtual MAC
addresses” on page 1605.
Enter the following CLI command to change the group ID to 10:
config system ha
set group-id 10
end
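The requirements in the FGCP introduction (same model, firmware build, hardware and operating mode) and in the group name, password and group ID sections above (same values on every unit, 32-character name limit, 19-character password limit, group ID 0 to 63, and distinct name, ID and password per cluster on one network) can be checked before units are cabled together. This is an added example, not Fortinet code; the unit records, serial-style host names and firmware build strings are constructed, and a default group ID of 0 is assumed.

```python
from dataclasses import dataclass

# Limits stated in "Identifying the cluster and cluster units" above.
MAX_GROUP_NAME_LEN = 32
MAX_PASSWORD_LEN = 19
GROUP_ID_RANGE = range(0, 64)          # 0 to 63
HA_MODES = ("a-p", "a-a")              # active-passive, active-active

# Attributes that must be identical on every cluster unit (FGCP introduction
# plus the group name / password / group ID sections above).
MUST_MATCH = ("model", "firmware_build", "hardware", "op_mode",
              "ha_mode", "group_name", "password", "group_id")


@dataclass(frozen=True)
class UnitConfig:
    hostname: str
    model: str
    firmware_build: str
    hardware: tuple       # e.g. (AMC modules, number of hard disks); must match exactly
    op_mode: str          # "nat-route" or "transparent"
    ha_mode: str
    group_name: str
    password: str
    group_id: int = 0     # assumed default group ID (see lead-in)


def check_unit(unit):
    """Per-unit limits on the HA settings; returns a list of problem strings."""
    problems = []
    if len(unit.group_name) > MAX_GROUP_NAME_LEN:
        problems.append(f"group name longer than {MAX_GROUP_NAME_LEN} characters")
    if len(unit.password) > MAX_PASSWORD_LEN:
        problems.append(f"password longer than {MAX_PASSWORD_LEN} characters")
    if unit.group_id not in GROUP_ID_RANGE:
        problems.append("group ID outside 0-63")
    if unit.ha_mode not in HA_MODES:
        problems.append(f"unknown HA mode {unit.ha_mode!r}")
    return problems


def can_form_cluster(units):
    """Return (ok, problems): ok only if these units can negotiate one cluster."""
    problems = []
    if len(units) < 2:
        problems.append("a cluster needs at least two units")
    for unit in units:
        problems += [f"{unit.hostname}: {p}" for p in check_unit(unit)]
    if units:
        ref = units[0]
        for unit in units[1:]:
            for attr in MUST_MATCH:
                if getattr(unit, attr) != getattr(ref, attr):
                    problems.append(f"{unit.hostname}: {attr} differs from {ref.hostname}")
    return (not problems, problems)


def clusters_are_distinct(clusters):
    """Clusters on one network must each have a different group name, ID and password."""
    problems = []
    for i, a in enumerate(clusters):
        for b in clusters[i + 1:]:
            ra, rb = a[0], b[0]       # any member represents its cluster
            for attr in ("group_name", "group_id", "password"):
                if getattr(ra, attr) == getattr(rb, attr):
                    problems.append(f"{ra.hostname} and {rb.hostname}: same {attr}")
    return problems


# Constructed sample units (host names, builds and hardware are made up).
BASE = dict(model="FortiGate-620B", firmware_build="build-example",
            hardware=("no AMC", 1), op_mode="nat-route", ha_mode="a-p",
            group_name="Example_cluster", password="HA_pass")
UNIT_A = UnitConfig(hostname="Example1_host", **BASE)
UNIT_B = UnitConfig(hostname="Example2_host", **BASE)
UNIT_C = UnitConfig(hostname="Example3_host", **{**BASE, "firmware_build": "build-other"})
UNIT_D = UnitConfig(hostname="Example4_host", **{**BASE, "password": "x" * 20})
UNIT_E = UnitConfig(hostname="Other1_host", **{**BASE, "group_name": "Other_cluster"})

if __name__ == "__main__":
    for members in ([UNIT_A, UNIT_B], [UNIT_A, UNIT_C], [UNIT_A, UNIT_D]):
        print([u.hostname for u in members], can_form_cluster(members))
    print(clusters_are_distinct([[UNIT_A, UNIT_B], [UNIT_E]]))
```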

Device failover, link failover, and session failover
The FGCP provides transparent device and link failover. You can also enable session
pickup to provide session failover. A failover can be caused by a hardware failure, a
software failure, or something as simple as a network cable being disconnected. When a
failover occurs, the cluster detects and recognizes the failure and takes steps to respond
so that the network can continue to operate without interruption. The internal operation of
the cluster changes, but network components outside of the cluster notice little or no
change.


If a failover occurs, the cluster also records log messages about the event and can be
configured to send log messages to a syslog server and to a FortiAnalyzer unit. The
cluster can also send SNMP traps and alert email messages. These alerts can notify
network administrators of the failover and may contain information that the network
administrators can use to find and fix the problem that caused the failure.
For a complete description of device failover, link failover, and session failover, how
clusters support these types of failover, and how FortiGate HA clusters compensate for a
failure to maintain network traffic flow see “HA and failover protection” on page 1595.

Primary unit selection
Once FortiGate units recognize that they can form a cluster, the cluster units negotiate to
select a primary unit. Primary unit selection occurs automatically based on the criteria
shown in Figure 206. After the cluster selects the primary unit, all of the remaining cluster
units become subordinate units.
Negotiation and primary unit selection also takes place if a primary unit fails (device
failover) or if a monitored interface fails or is disconnected (link failover). During a device
or link failover, the cluster renegotiates to select a new primary unit also using the criteria
shown in Figure 206.
Figure 206: Selecting the primary unit
(Flowchart: beginning negotiation, the cluster units are compared in order on connected monitored interfaces, then age, then device priority, then serial number. At each step the unit with the greater value becomes the primary unit and the unit with the lesser value becomes a subordinate unit; if the values are equal, the next criterion is compared.)


For many basic HA configurations primary unit selection simply selects the cluster unit
with the highest serial number to become the primary unit. A basic HA configuration
involves setting the HA mode to active-passive or active-active and configuring the cluster
group name and password. Using this configuration, the cluster unit with the highest serial
number becomes the primary unit because primary unit selection disregards connected
monitored interfaces (because interface monitoring is not configured), the age of the
cluster units would usually always be the same, and all units would have the same device
priority.
Using the serial number is a convenient way to differentiate cluster units; so basing
primary unit selection on the serial number is predictable and easy to understand and
interpret. Also the cluster unit with the highest serial number would usually be the newest
FortiGate unit with the most recent hardware version. In many cases you may not need
active control over primary unit selection, so basic primary unit selection based on serial
number is sufficient.
In some situations you may want control over which cluster unit becomes the primary unit.
You can control primary unit selection by setting the device priority of one cluster unit to be
higher than the device priority of all other cluster units. If you change one or more device
priorities, during negotiation, the cluster unit with the highest device priority becomes the
primary unit. As shown in Figure 206 the FGCP selects the primary unit based on device
priority before serial number. For more information about how to use device priorities, see
“Primary unit selection and device priority” on page 1447.
The only other way that you can influence primary unit selection is by configuring interface
monitoring (also called port monitoring). Using interface monitoring you can make sure
that cluster units with failed or disconnected monitored interfaces cannot become the
primary unit. See “Primary unit selection and monitored interfaces” on page 1444.
Finally, the age of a cluster unit is determined by a number of cluster operating factors.
Normally the age of all cluster units is the same so normally age has no effect on primary
unit selection. Age does affect primary unit selection after a monitored interface failure.
For more information about age, see “Primary unit selection and age” on page 1445.
This section describes:
• Primary unit selection and monitored interfaces
• Primary unit selection and age
• Primary unit selection and device priority
• Primary unit selection and FortiGate unit serial number
• Points to remember about primary unit selection

Primary unit selection and monitored interfaces
If you have configured interface monitoring the cluster unit with the highest number of
monitored interfaces that are connected to networks becomes the primary unit. Put
another way, the cluster unit with the highest number of failed or disconnected monitored
interfaces cannot become the primary unit.
Normally, when a cluster starts up, all monitored interfaces of all cluster units are
connected and functioning normally. So monitored interfaces do not usually affect primary
unit selection when the cluster first starts.
A cluster always renegotiates when a monitored interface fails or is disconnected (called
link failover). A cluster also always renegotiates when a failed or disconnected monitored
interface is restored.


If a primary unit monitored interface fails or is disconnected, the cluster renegotiates and if
this is the only failed or disconnected monitored interface the cluster selects a new primary
unit.
If a subordinate unit monitored interface fails or is disconnected, the cluster also
renegotiates but will not necessarily select a new primary unit. However, the subordinate
unit with the failed or disconnected monitored interface cannot become the primary unit.
Multiple monitored interfaces can fail or become disconnected on more than one cluster
unit. Each time a monitored interface is disconnected or fails, the cluster negotiates to
select the cluster unit with the most connected and operating monitored interfaces to
become the primary unit. In fact, the intent of the link failover feature is just this, to make
sure that the primary unit is always the cluster unit with the most connected and operating
monitored interfaces. For information about monitored interfaces and link failover see
“Link failover” on page 1621.

Primary unit selection and age
The cluster unit with the highest age value becomes the primary unit. The age of a cluster
unit is the time that has elapsed since the unit started or since one of its monitored
interfaces failed or was disconnected, whichever happened most recently. When all cluster
units start up at the same time they all have the same age, so age does not affect primary
unit selection in that case.
If a monitored interface of a cluster unit fails, the age of that cluster unit is reset to 0, so it
now has a lower age than the other units in the cluster. Because connected monitored
interfaces are compared before age, the reduced age by itself does not normally change
the outcome of that negotiation: the unit is already excluded by its failed interface.
The reset matters later. Even after the failed monitored interface is restored, this cluster
unit cannot become the primary unit, because its age is still lower than the ages of the
other cluster units. This is deliberate: handling age this way reduces the number of times
the cluster selects a new primary unit.
Note: In any cluster, some of the FortiGate units in the cluster may take longer to start up
than others. This startup time difference can happen as a result of a number of issues and
does not affect the normal operation of the cluster. To make sure that cluster units that start
slower can still become primary units, the FGCP ignores age differences of up to 5 minutes.

Displaying cluster unit age differences
You can use the CLI command diagnose sys ha dump 1 to display the age difference
of the units in a cluster. This command also displays information about a number of
HA-related parameters for each cluster unit. You can enter the command from the primary
unit CLI or you can enter the command from a subordinate unit after using execute ha
manage to log into a subordinate unit CLI. The information displayed by the command is
relative to the unit that you enter the command from.
For example, for a cluster of two FortiGate-5001SX units with no changes to the default
HA configuration except to enable interface monitoring for port5, entering the diagnose
sys ha dump 1 command from the primary unit CLI displays information similar to the
following:
diagnose sys ha dump 1
HA information.
vcluster id=1, nventry=2, state=work,
digest=fe.21.14.b3.e1.8d...
ventry idx=0,id=1,FG50012205400050,prio=128,0,override=0,
flag=1,time=0,mon=0.
mondev=port5,50
ventry idx=1,id=1,FG50012204400045,prio=128,0,override=0,
flag=0,time=194,mon=0.
The command displays one ventry line for each cluster unit. The first ventry in the
example contains information for the cluster unit that you are logged into. The other
ventry lines contain information for the subordinate units (in the example there is only
one subordinate unit). The mondev entry displays the interface monitoring configuration.
The time field is always 0 for the unit that you are logged into. The time field for each
other cluster unit is the age difference between the unit that you are logged into and that
unit, expressed in tenths of a second. In the example, time=194 means that the age of the
primary unit is 19.4 seconds more than the age of the subordinate unit. The age
difference is less than 5 minutes so age has no effect on primary unit selection. The
cluster selected the unit with the highest serial number to be the primary unit.
If you use execute ha manage 1 to log into the subordinate unit CLI and enter
diagnose sys ha dump 1 you get results similar to the following:
diagnose sys ha dump 1
HA information.
vcluster id=1, nventry=2, state=standy,
digest=fe.21.14.b3.e1.8d...
ventry idx=1,id=1,FG50012204400045,prio=128,0,override=0,
flag=1,time=0,mon=0.
mondev=port5,50
ventry idx=0,id=1,FG50012205400050,prio=128,0,override=0,
flag=0,time=-194,mon=0.
The time for the primary unit is -194, indicating that the age of the subordinate unit is
19.4 seconds less than the age of the primary unit.
If port5 (the monitored interface) of the primary unit is disconnected, the cluster
renegotiates and the former subordinate unit becomes the primary unit. When you log into
the new primary unit CLI and enter diagnose sys ha dump 1 you could get results
similar to the following:
diagnose sys ha dump 1
HA information.
vcluster id=1, nventry=2, state=work,
digest=9e.70.74.a2.5e.4a...
ventry idx=0,id=1,FG50012204400045,prio=128,0,override=0,
flag=1,time=0,mon=0.
mondev=port5,50
ventry idx=1,id=1,FG50012205400050,prio=128,-50,override=0,
flag=0,time=58710,mon=0.
The command results show that the age of the new primary unit is 5871.0 seconds more
than the age of the new subordinate unit: the former primary unit's age was reset to 0
when port5 failed, while the other unit kept counting. In the output above, the former
primary unit's ventry line also shows prio=128,-50 while port5 (weight 50 in the mondev
line) is disconnected, and shows prio=128,0 again once the link is restored.
If port5 of the former primary unit is reconnected the cluster will not select a new primary
unit because the age of the current primary unit will still be 5871.0 seconds more than
the age of the subordinate unit, well beyond the 5-minute tolerance. When you log into
the primary unit CLI and enter diagnose sys ha dump 1 you get results similar to the
following:
diagnose sys ha dump 1
HA information.
vcluster id=1, nventry=2, state=work,
digest=9e.70.74.a2.5e.4a...
ventry idx=0,id=1,FG50012204400045,prio=128,0,override=0,
flag=1,time=0,mon=0.
mondev=port5,50
ventry idx=1,id=1,FG50012205400050,prio=128,0,override=0,
flag=0,time=58710,mon=0.
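The following Python is an added example and is not part of the FortiOS Handbook or of FortiOS itself. It parses the diagnose sys ha dump 1 output shown above (the two samples embedded in it are constructed from that output, not captured from a device), converts the time field into an age difference in seconds, and flags whether the difference exceeds the 5-minute tolerance that the FGCP applies. The dictionary keys it assigns (priority_adjust for the second number after prio=, local_older_by_s for time) are this example's own labels, not FortiOS terminology.

```python
import re

# Constructed samples modelled on the dump output shown in this section; they are
# not captures from a device.
DUMP_FROM_PRIMARY = """\
HA information.
vcluster id=1, nventry=2, state=work,
digest=fe.21.14.b3.e1.8d...
ventry idx=0,id=1,FG50012205400050,prio=128,0,override=0,
flag=1,time=0,mon=0.
mondev=port5,50
ventry idx=1,id=1,FG50012204400045,prio=128,0,override=0,
flag=0,time=194,mon=0.
"""

DUMP_AFTER_LINK_FAILOVER = """\
HA information.
vcluster id=1, nventry=2, state=work,
digest=9e.70.74.a2.5e.4a...
ventry idx=0,id=1,FG50012204400045,prio=128,0,override=0,
flag=1,time=0,mon=0.
mondev=port5,50
ventry idx=1,id=1,FG50012205400050,prio=128,-50,override=0,
flag=0,time=58710,mon=0.
"""

AGE_TOLERANCE_S = 300  # the FGCP ignores age differences of up to 5 minutes

VCLUSTER_RE = re.compile(r"vcluster id=(\d+), nventry=(\d+), state=(\w+)")
# The handbook wraps each ventry line after "override=0,"; \s* accepts both forms.
VENTRY_RE = re.compile(
    r"ventry idx=(\d+),id=(\d+),([A-Z0-9]+),prio=(\d+),(-?\d+),override=(\d),"
    r"\s*flag=(\d),time=(-?\d+),mon=(\d)\."
)
MONDEV_RE = re.compile(r"mondev=(\w+),(\d+)")


def parse_ha_dump(text):
    """Return the vcluster state, the mondev list and one dict per ventry line."""
    head = VCLUSTER_RE.search(text)
    if head is None:
        raise ValueError("no vcluster line in dump output")
    units = []
    for m in VENTRY_RE.finditer(text):
        idx, vid, serial, prio, prio_adj, override, flag, time, mon = m.groups()
        units.append({
            "idx": int(idx),
            "serial": serial,
            "priority": int(prio),
            "priority_adjust": int(prio_adj),  # this example's label for the 2nd number after prio=
            "override": override == "1",
            "flag": int(flag),
            # time is in tenths of a second, relative to the unit you are logged into
            "local_older_by_s": int(time) / 10.0,
        })
    if int(head.group(2)) != len(units):
        raise ValueError("nventry=%s but %d ventry lines parsed" % (head.group(2), len(units)))
    return {
        "vcluster": int(head.group(1)),
        "state": head.group(3),
        "monitored": [(name, int(weight)) for name, weight in MONDEV_RE.findall(text)],
        "units": units,
    }


def age_report(parsed):
    """For every unit other than the one you are logged into (the entry with time=0),
    say how much older (+) or younger (-) the local unit is and whether the FGCP
    would let age decide primary unit selection between the two."""
    local = next(u for u in parsed["units"] if u["local_older_by_s"] == 0)
    report = []
    for other in parsed["units"]:
        if other is local:
            continue
        delta = other["local_older_by_s"]
        report.append({
            "local": local["serial"],
            "other": other["serial"],
            "local_older_by_s": delta,
            "age_decides": abs(delta) > AGE_TOLERANCE_S,
            "older_unit": (local if delta > 0 else other)["serial"] if delta else None,
        })
    return report


if __name__ == "__main__":
    for sample in (DUMP_FROM_PRIMARY, DUMP_AFTER_LINK_FAILOVER):
        for row in age_report(parse_ha_dump(sample)):
            print(row)
```

Run against the first sample the report shows the primary unit 19.4 seconds older with age_decides False (serial number decided); against the post-failover sample it shows 5871.0 seconds and age_decides True, which is why reconnecting port5 does not trigger a new primary unit. Feeding it a copy of your own dump output (pasted into a string) is a quick way to check, before a maintenance window, whether a rebooted high-priority unit will be able to reclaim the primary role.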

Resetting the age of all cluster units
In some cases, age differences among cluster units can result in the wrong cluster unit or
the wrong virtual cluster becoming the primary unit. For example, if a cluster unit set to a
high device priority reboots, that unit will have a lower age than the other cluster units
when it rejoins the cluster. Since age takes precedence over device priority (when override
is disabled and the age difference exceeds 5 minutes), the device priority of this cluster
unit will not be a factor in primary unit selection.
This problem also affects virtual cluster VDOM partitioning in a similar way. After a reboot
of one of the units in a virtual cluster configuration, traffic for all VDOMs could continue to
be processed by the cluster unit that did not reboot. This can happen because the age of
both virtual clusters on the unit that did not reboot is greater than the age of both virtual
clusters on the unit that rebooted.
One way to resolve this issue is to reboot all of the cluster units at the same time so that
the age of all of the cluster units is reset. However, rebooting cluster units may interrupt or
at least slow down traffic. If you would rather not reboot all of the cluster units you can
instead use the following command to reset the ages of all of the cluster units.
diagnose sys ha reset-uptime
This command resets the age of all cluster units so age is no longer a factor in primary unit
selection and device priority is used to select the primary unit.
Note: The diagnose sys ha reset-uptime command should only be used as a
temporary solution. The command resets the HA age internally and does not affect the up
time displayed for cluster units using the diagnose sys ha dump 1 command or the up
time displayed on the Dashboard or cluster members list. To make sure the actual up time
for cluster units is the same as the HA age you should reboot the cluster units during a
maintenance window.

Primary unit selection and device priority
The cluster unit with the highest device priority becomes the primary unit when the cluster
starts up or renegotiates. By default, the device priority for all cluster units is 128. You can
change the device priority to control which FortiGate unit becomes the primary unit during
cluster negotiation. All other factors that influence primary unit selection either cannot be
configured (age and serial number) or are synchronized among all cluster units (interface
monitoring). You can set a different device priority for each cluster unit. During negotiation,
if all monitored interfaces are connected, and all cluster units entered the cluster at the
same time (or have the same age), the cluster unit with the highest device priority
becomes the primary unit.
A higher device priority does not help a cluster unit that has the most failed monitored
interfaces, or whose age is lower than the ages of the other cluster units, because
connected monitored interfaces and age are compared before device priority.
Increasing the device priority of a cluster unit does not always guarantee that this cluster
unit will become the primary unit. During cluster operation, an event that may affect
primary unit selection may not always result in the cluster renegotiating. For example,
when a unit joins a functioning cluster, the cluster will not renegotiate. So if a unit with a
higher device priority joins a cluster the new unit becomes a subordinate unit until the
cluster renegotiates.

Note: Enabling the override HA CLI keyword makes changes in device priority more
effective by causing the cluster to negotiate more often to make sure that the primary unit is
always the unit with the highest device priority. For more information about override, see
“HA override” on page 1449.

Controlling primary unit selection by changing the device priority
You set a different device priority for each cluster unit to control the order in which cluster
units become the primary unit when the primary unit fails.
To change the device priority from the web-based manager go to System > Config > HA
and change the Device Priority.
Enter the following CLI command to change the device priority to 200:
config system ha
set priority 200
end
The device priority is not synchronized among cluster units. In a functioning cluster you
change the device priority of each unit individually. Whenever you change the device
priority of a cluster unit, the next time the cluster negotiates the unit with the highest
device priority becomes the primary unit.
The following example shows how to change the device priority of a subordinate unit to
255 so that this subordinate unit becomes the primary unit. This example involves
connecting to the cluster CLI and using the execute ha manage command, followed by
the index of the subordinate unit (1 in this example, as in the earlier diagnose sys ha
dump 1 example), to connect to the subordinate unit CLI. After you enter the following
commands the cluster renegotiates and selects a new primary unit.
execute ha manage 1
config system ha
set priority 255
end
If you have three units in a cluster you can set the device priorities as shown in Table 103.
When the cluster starts up, cluster unit A becomes the primary unit because it has the
highest device priority. If unit A fails, unit B becomes the primary unit because unit B has a
higher device priority than unit C.
Table 103: Example device priorities for a cluster of three FortiGate units

Cluster unit    Device priority
A               200
B               100
C               50

Normally, when configuring HA you do not have to change the device priority of any of the
cluster units. If all cluster units have the same device priority, when the cluster first starts
up the FGCP negotiates to select the cluster unit with the highest serial number to be the
primary unit.
Clusters also function normally if all units have the same device priority. However, you can
use the device priority if you want to control the roles that individual units play in the
cluster. For example, if you want the same unit to always become the primary unit, set this
unit device priority higher than the device priority of other cluster units. Also, if you want a
cluster unit to always become a subordinate unit, set this cluster unit device priority lower
than the device priority of other cluster units.
The device priority range is 0 to 255. The default device priority is 128.


If you are configuring a virtual cluster, if you have added virtual domains to both virtual
clusters, you can set the device priority that the cluster unit has in virtual cluster 1 and
virtual cluster 2. If a FortiGate unit has different device priorities in virtual cluster 1 and
virtual cluster 2, the FortiGate unit may be the primary unit in one virtual cluster and the
subordinate unit in the other. For more information, see “Virtual clustering and load
balancing or VDOM partitioning” on page 1525.

Primary unit selection and FortiGate unit serial number
The cluster unit with the highest serial number is more likely to become the primary unit.
When first configuring FortiGate units to be added to a cluster, if you do not change the
device priority of any cluster unit, then the cluster unit with the highest serial number
always becomes the primary unit.
Age does take precedence over serial number, so if a cluster unit takes longer to join a
cluster for some reason (for example if one cluster unit is powered on after the others),
that cluster unit will not become the primary unit, provided the age difference exceeds the
5-minute tolerance, because the other units have been in the cluster longer.
Device priority and failed monitored interfaces also take precedence over serial number.
So if you set the device priority of one unit higher or if a monitored interface fails, the
cluster will not use the FortiGate serial number to select the primary unit.

Points to remember about primary unit selection
Some points to remember about primary unit selection:
• The FGCP compares primary unit selection criteria in the following order: Failed Monitored Interfaces > Age > Device Priority > Serial Number. The selection process stops at the first criterion that selects one cluster unit.
• Negotiation and primary unit selection is triggered if a cluster unit fails or if a monitored interface fails.
• If the HA age difference is more than 5 minutes, the cluster unit that has been operating longer becomes the primary unit.
• If the HA age difference is less than 5 minutes, the device priority and the FortiGate serial number select the cluster unit that becomes the primary unit.
• Every time a monitored interface fails the HA age of the cluster unit is reset to 0.
• Every time a cluster unit restarts the HA age of the cluster unit is reset to 0.

HA override
The HA override CLI keyword is disabled by default. When override is disabled a
cluster may not renegotiate when an event occurs that affects primary unit selection. For
example, when override is disabled a cluster will not renegotiate when you change a
cluster unit device priority or when you add a new cluster unit to a cluster. This is true even
if the unit added to the cluster has a higher device priority than any other unit in the cluster.
Also, when override is disabled a cluster does not negotiate if the new unit added to the
cluster has a failed or disconnected monitored interface.
Note: For a virtual cluster configuration, override is enabled by default for both virtual
clusters when you enable virtual cluster 2. For more information, see “Virtual clustering and
HA override” on page 1524.

In most cases you should keep override disabled to reduce how often the cluster
negotiates. Frequent negotiations may cause frequent traffic interruptions.

However, if you want to make sure that the same cluster unit always operates as the
primary unit and if you are less concerned about frequent cluster negotiation you can
enable override.
To enable override, select a cluster unit to always be the primary unit. Connect to this
cluster unit CLI and use the config system ha CLI command to enable override.
For override to be effective, you must also set the device priority highest on the cluster
unit with override enabled. To increase the device priority, from the CLI use the config
system ha command and increase the value of the priority keyword to a number
higher than the default priority of 128.
You can also increase the device priority from the web-based manager by going to System
> Config > HA. Select Edit for the cluster unit (primary or subordinate) whose priority you
want to raise and set the Device Priority to a number higher than 128.
Note: The override setting and device priority value are not synchronized to all cluster
units.

With override enabled, the cluster unit with the highest device priority will always
become the primary unit. Whenever an event occurs that may affect primary unit
selection, the cluster negotiates. For example, when override is enabled a cluster
renegotiates when you change the device priority of any cluster unit or when you add a
new cluster unit to a cluster.
This section also describes:
• Override and primary unit selection
• Controlling primary unit selection using device priority and override
• Points to remember about primary unit selection when override is enabled
• Configuration changes can be lost if override is enabled
• Override and disconnecting a unit from a cluster

Override and primary unit selection
Enabling override changes the order of primary unit selection. As shown in Figure 207 if
override is enabled, primary unit selection considers device priority before age and
serial number. This means that if you set the device priority higher on one cluster unit, with
override enabled this cluster unit becomes the primary unit even if its age and serial
number are lower than those of the other cluster units.
As when override is disabled, when override is enabled primary unit selection
checks for connected monitored interfaces first. So if interface monitoring is enabled, the
cluster unit with the most disconnected monitored interfaces cannot become the primary
unit, even if the unit has the highest device priority.
If all monitored interfaces are connected (or interface monitoring is not enabled) and the
device priority of all cluster units is the same, then age and serial number affect primary
unit selection.


Figure 207: Selecting the primary unit with override enabled (flowchart; only the decision order survives extraction). Beginning negotiation, the FGCP compares the cluster units on, in turn: Connected Monitored Interfaces, then Device Priority, then Age, then Serial Number. At each step the unit with the greater value becomes the primary unit and the unit with the lesser value becomes a subordinate unit; equal values fall through to the next criterion.

Controlling primary unit selection using device priority and override
To configure one cluster unit to always become the primary unit you should set its device
priority to be higher than the device priorities of the other cluster units and you should
enable override for this cluster unit.
Using this configuration, when the cluster is operating normally the primary unit is always
the unit with override enabled and with the highest device priority. If the primary unit
fails the cluster renegotiates to select another cluster unit to be the primary unit. If the
failed primary unit recovers, starts up again and rejoins the cluster, because override is
enabled, the cluster renegotiates. Because the restarted primary unit has the highest
device priority it once again becomes the primary unit.
In the same situation with override disabled, because the age of the failed primary unit
is lower than the age of the other cluster units, when the failed primary unit rejoins the
cluster it does not become the primary unit. Instead, even though the failed primary unit
may have the highest device priority it becomes a subordinate unit because its age is
lower than the age of all the other cluster units.


Points to remember about primary unit selection when override is enabled
Some points to remember about primary unit selection when override is enabled:
• The FGCP compares primary unit selection criteria in the following order: Failed Monitored Interfaces > Device Priority > Age > Serial Number. The selection process stops at the first criterion that selects one cluster unit.
• Negotiation and primary unit selection is triggered whenever an event occurs which may affect primary unit selection. For example, negotiation occurs when you change the device priority, when you add a new unit to a cluster, if a cluster unit fails, or if a monitored interface fails.
• Device priority is considered before age. Otherwise age is handled the same way as when override is disabled.

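The following Python is an added example, not FortiOS code: a model of the selection order from Figure 206 (override disabled) and Figure 207 (override enabled), including the 5-minute age tolerance, the age reset on link failure and on restart, and the effect of diagnose sys ha reset-uptime. It replays this section's port5 link failover example, the three-unit priorities from Table 103, and the rebooted high-priority unit from "Resetting the age of all cluster units" and "Controlling primary unit selection using device priority and override". The unit names FG-A, FG-B, FG-C, FG-HI and FG-LO and all absolute age values are constructed. Two modelling choices are assumptions rather than documented FGCP behaviour: a unit ties on age if it is within 5 minutes of the oldest candidate, and serial numbers of the same format are compared as strings.

```python
from dataclasses import dataclass

# The FGCP ignores HA age differences of up to 5 minutes.
AGE_TOLERANCE_S = 300


@dataclass
class Unit:
    serial: str
    priority: int = 128       # device priority: default 128, range 0 to 255
    age_s: float = 0.0        # HA age in seconds; reset on restart and on link failure
    monitored_up: int = 0     # monitored interfaces that are currently connected


def _narrow(cands, key, tolerance=0):
    """Keep the candidates whose key is within `tolerance` of the best key."""
    best = max(key(u) for u in cands)
    return [u for u in cands if key(u) >= best - tolerance]


def select_primary(units, override=False):
    """Model of FGCP primary unit selection. Returns (unit, deciding criterion).

    override disabled: connected monitored interfaces > age > device priority > serial
    override enabled:  connected monitored interfaces > device priority > age > serial
    Assumption for the 5-minute rule: a unit ties on age if it is within
    AGE_TOLERANCE_S of the oldest remaining candidate."""
    interfaces = ("monitored interfaces", lambda u: u.monitored_up, 0)
    age = ("age", lambda u: u.age_s, AGE_TOLERANCE_S)
    prio = ("device priority", lambda u: u.priority, 0)
    steps = [interfaces, prio, age] if override else [interfaces, age, prio]
    cands = list(units)
    for name, key, tol in steps:
        cands = _narrow(cands, key, tol)
        if len(cands) == 1:
            return cands[0], name
    # Serial numbers are unique, so the tie always breaks here. Assumption: serials
    # of the same format order correctly as strings.
    return max(cands, key=lambda u: u.serial), "serial number"


def link_failure(unit):
    """A monitored interface fails: one fewer connected interface, and the age resets."""
    unit.monitored_up -= 1
    unit.age_s = 0.0


def link_restored(unit):
    """The interface comes back. The age is not restored."""
    unit.monitored_up += 1


def reset_uptime(units):
    """Models `diagnose sys ha reset-uptime`: every unit's age becomes equal again."""
    for u in units:
        u.age_s = 0.0


def table_103_scenario():
    """Priorities 200/100/50 (Table 103): A is primary; B takes over when A fails."""
    a, b, c = Unit("FG-A", 200), Unit("FG-B", 100), Unit("FG-C", 50)
    return select_primary([a, b, c])[0].serial, select_primary([b, c])[0].serial


def link_failover_scenario(override=False, old_primary_priority=128):
    """Replays this section's port5 example. Constructed ages: the unit with the
    higher serial starts 19.4 s older (inside the tolerance) and, after its port5
    fails, ends up 5871.0 s younger than the other unit."""
    old = Unit("FG50012205400050", old_primary_priority, 5890.4, monitored_up=1)
    new = Unit("FG50012204400045", 128, 5871.0, monitored_up=1)
    units = [old, new]
    picks = [select_primary(units, override)]
    link_failure(old)                      # port5 on the primary is disconnected
    picks.append(select_primary(units, override))
    link_restored(old)                     # port5 reconnected; age stays reset
    picks.append(select_primary(units, override))
    return [(u.serial, why) for u, why in picks]


def reset_uptime_scenario():
    """A freshly rebooted high-priority unit stays subordinate (override disabled)
    until the ages are levelled; after that device priority decides."""
    hi, lo = Unit("FG-HI", 200, 0.0), Unit("FG-LO", 100, 7200.0)
    before = select_primary([hi, lo])[0].serial
    reset_uptime([hi, lo])
    return before, select_primary([hi, lo])[0].serial


if __name__ == "__main__":
    print(table_103_scenario())
    print(link_failover_scenario())
    print(link_failover_scenario(override=False, old_primary_priority=200))
    print(link_failover_scenario(override=True, old_primary_priority=200))
    print(reset_uptime_scenario())
```

The two link_failover_scenario runs with old_primary_priority=200 are the contrast this section is about: without override the high-priority unit loses port5, gets it back, and still stays subordinate because the age comparison happens before device priority; with override enabled the same unit reclaims the primary role as soon as port5 is reconnected (and, as the handbook warns, any configuration changes made on the interim primary are then overwritten from it). The reset_uptime_scenario shows the alternative when you prefer to keep override disabled.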
Configuration changes can be lost if override is enabled
In some cases, when override is enabled and you make configuration changes to an HA
cluster these changes can be lost. For example, consider the following sequence:
1 A cluster of two FortiGate units is operating with override enabled.
• FGT-A: Primary unit with device priority 200 and with override enabled
• FGT-B: Subordinate unit with device priority 100 and with override disabled
• If both units are operating, FGT-A always becomes the primary unit because FGT-A
has the highest device priority.
2 FGT-A fails and FGT-B becomes the new primary unit.
3 The administrator makes configuration changes to the cluster.
The configuration changes are made to FGT-B because FGT-B is operating as the
primary unit. These configuration changes are not synchronized to FGT-A because
FGT-A is not operating.
4 FGT-A is restored and starts up again.
5 The cluster renegotiates and FGT-A becomes the new primary unit.
6 The cluster recognizes that the configurations of FGT-A and FGT-B are not the same.
7 The configuration of FGT-A is synchronized to FGT-B.
The configuration is always synchronized from the primary unit to the subordinate
units.
8 The cluster is now operating with the same configuration as FGT-A. The configuration
changes made to FGT-B have been lost.

The solution
When override is enabled, you can prevent configuration changes from being lost by
doing the following:
• Make sure the device priority of the primary unit is set higher than the device priorities of all other cluster units before making configuration changes.
• Verify that all cluster units are operating before making configuration changes (from the web-based manager go to System > Config > HA to view the cluster members list or from the FortiOS CLI enter get system ha status).
• Disable override either permanently or until all configuration changes have been made and synchronized to all cluster units.


Override and disconnecting a unit from a cluster
A similar scenario to that described in “Configuration changes can be lost if override is
enabled” may occur when override is enabled and you use the Disconnect from Cluster
option from the web-based manager or the execute ha disconnect command from
the CLI to disconnect a cluster unit from a cluster.
Configuration changes made to the cluster can be lost when you reconnect the
disconnected unit to the cluster. You should make sure that the device priority of the
disconnected unit is lower than the device priority of the current primary unit. Otherwise,
when the disconnected unit joins the cluster, if override is enabled, the cluster
renegotiates and the disconnected unit may become the primary unit. If this happens, the
configuration of the disconnected unit is synchronized to all other cluster units and any
configuration changes made between when the unit was disconnected and reconnected
are lost.

FortiGate HA compatibility with PPPoE and DHCP
FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is also
not compatible with DHCP. If one or more FortiGate unit interfaces is dynamically
configured using DHCP or PPPoE you cannot switch to operate in HA mode. Also, you
cannot switch to operate in HA mode if one or more FortiGate unit interfaces is configured
as a PPTP or L2TP client.
You can configure a cluster to act as a DHCP server or a DHCP relay agent. In both
active-passive and active-active clusters DHCP relay sessions are always handled by the
primary unit. It is possible that a DHCP relay session could be interrupted by a failover. If
this occurs the DHCP relay session is not resumed after the failover and the DHCP client
may have to repeat the DHCP request.
When a cluster is operating as a DHCP server the primary unit responds to all DHCP
requests and maintains the DHCP server address lease database. The cluster also
dynamically synchronizes the DHCP server address lease database to the subordinate
units. If a failover occurs, the new primary unit will have an up-to-date DHCP server
address lease database. Synchronizing the DHCP address lease database prevents the
new primary unit from responding incorrectly to new DHCP requests after a failover.
Also, it is possible that when FortiGate units first negotiate to form a cluster, a unit that
ends up as a subordinate unit in the cluster will have information in its DHCP address
lease database that the cluster unit operating as the primary unit does not have. This can
happen if a FortiGate unit responds to DHCP requests while operating as a standalone
unit and then becomes a subordinate unit when the cluster is formed. Because of
this possibility, after a cluster is formed the DHCP address lease databases of all of the
cluster units are merged into one database which is then synchronized to all cluster units.

Hard disk configuration and HA
If your cluster units include hard disks, all cluster units must have identical hard disk
configurations. This means each cluster unit must have same number of hard disks
(including AMC and FortiGate Storage Module (FSM) hard disks) and also means that
matching hard disks in each cluster unit must be the same size, have the same hard disk
format, and have the same number of partitions.


In most cases the default hard disk configuration of the cluster units will be compatible.
However, a hard disk formatted by an older FortiGate firmware version may not be
compatible with a hard disk formatted by a more recent firmware version. Problems may
also arise if you have used the execute scsi-dev command to add or change hard
disk partitions.
If a cluster unit CLI displays hard disk compatibility messages, you may need to use the
execute scsi-dev delete command to delete partitions. You can also use the
execute formatlogdisk command to reformat hard disks. In some cases, after
deleting all partitions and reformatting the hard disks, you may still see hard disk
incompatibility messages. If this happens, contact Fortinet Customer Support for
assistance.

Recommended practices
Fortinet suggests the following practices related to high availability:
• Use Active-Active HA to distribute TCP and UTM sessions among multiple cluster units. An active-active cluster may have higher throughput than a standalone FortiGate unit or than an active-passive cluster.
• Use a different host name on each FortiGate unit when configuring an HA cluster. Fewer steps are required to add host names to each cluster unit before configuring HA and forming a cluster.
• Enabling load-balance-all can increase device and network load since more traffic is load-balanced. This may be appropriate for use in a deployment using the firewall capabilities of the FortiGate unit and IPS but no other content inspection. See "Load balancing UTM sessions and TCP sessions" on page 1647.
• An advantage of using session pickup is that non-UTM sessions will be picked up by the new primary unit after a failover. The disadvantage is that the cluster generates more heartbeat traffic to support session pickup, as a larger portion of the session table must be synchronized. Session pickup should be configured only when required and is not recommended for use with SOHO FortiGate models. Session pickup should only be used if the primary heartbeat link is dedicated (otherwise the additional HA heartbeat traffic could affect network performance). See "Session failover" on page 1596.
• To avoid unpredictable results, when you connect a switch to multiple redundant or aggregate interfaces in an active-passive cluster you should configure separate redundant or aggregate interfaces on the switch, one for each cluster unit. See "HA MAC addresses and 802.3ad aggregation" on page 1496.
• Use SNMP, syslog, or email alerts to monitor a cluster for failover messages. Alert messages about cluster failovers may help find and diagnose network problems quickly and efficiently. See "Operating a cluster" on page 1557.

Heartbeat interfaces
Fortinet suggests the following practices related to heartbeat interfaces:

• Isolate heartbeat interfaces from user networks. Heartbeat packets contain sensitive
cluster configuration information and can consume a considerable amount of network
bandwidth. If the cluster consists of two FortiGate units, connect the heartbeat
interfaces directly using a crossover cable. For clusters with more than two units,
connect heartbeat interfaces to a separate switch that is not connected to any network.

• If heartbeat traffic cannot be isolated from user networks, enable heartbeat message
encryption and authentication to protect cluster information. See “Enabling or disabling
HA heartbeat encryption and authentication” on page 1605.

• Configure and connect multiple heartbeat interfaces so that if one heartbeat interface
fails or becomes disconnected, HA heartbeat traffic can continue to be transmitted
using the backup heartbeat interface. If heartbeat communication fails, all cluster
members will think they are the primary unit, resulting in multiple devices on the
network with the same IP addresses and MAC addresses (a condition referred to as split
brain), and communication will be disrupted until heartbeat communication can be
reestablished.

• Do not monitor dedicated heartbeat interfaces; monitor those interfaces whose failure
should trigger a device failover.

Interface monitoring (port monitoring)
Fortinet suggests the following practices related to interface monitoring (also called port
monitoring):

• Wait until a cluster is up and running and all interfaces are connected before enabling
interface monitoring. A monitored interface can easily become disconnected during
initial setup and cause failovers to occur before the cluster is fully configured and
tested.

• Monitor interfaces connected to networks that process high priority traffic so that the
cluster maintains connections to these networks if a failure occurs.

• Avoid configuring interface monitoring for all interfaces.

• Supplement interface monitoring with remote link failover. Configure remote link
failover to maintain packet flow if a link not directly connected to a cluster unit (for
example, between a switch connected to a cluster interface and the network) fails. See
“Remote link failover” on page 1626.

Troubleshooting
The following sections in this document contain troubleshooting information:

• “Troubleshooting HA clusters” on page 1518
• “Troubleshooting virtual clustering” on page 1542

FGCP HA terminology
The following HA-specific terms are used in this document.

Cluster
A group of FortiGate units that act as a single virtual FortiGate unit to maintain connectivity
even if one of the FortiGate units in the cluster fails.

Cluster unit
A FortiGate unit operating in a FortiGate HA cluster.

Device failover
Device failover is a basic requirement of any highly available system. Device failover
means that if a device fails, a replacement device automatically takes the place of the
failed device and continues operating in the same manner as the failed device. See also
“Device failover, link failover, and session failover” on page 1442.

Failover
A FortiGate unit taking over processing network traffic in place of another unit in the
cluster that suffered a device failure or a link failure.

Failure
A hardware or software problem that causes a FortiGate unit or a monitored interface to
stop processing network traffic.

FGCP
The FortiGate clustering protocol (FGCP) that specifies how the FortiGate units in a
cluster communicate to keep the cluster operating.

Full mesh HA
Full mesh HA is a method of removing single points of failure on a network that includes
an HA cluster. FortiGate models that support redundant interfaces can be used to create a
cluster configuration called full mesh HA. Full mesh HA includes redundant connections
between all network components. If any single component or any single connection fails,
traffic switches to the redundant component or connection.

HA virtual MAC address
When operating in HA mode, all of the interfaces of the primary unit acquire the same HA
virtual MAC address. All communications with the cluster must use this MAC address. The
HA virtual MAC address is set according to the group ID.

Heartbeat
Also called FGCP heartbeat or HA heartbeat. The heartbeat constantly communicates HA
status and synchronization information to make sure that the cluster is operating properly.

Heartbeat device
An ethernet network interface in a cluster that is used by the FGCP for heartbeat
communications among cluster units.

Heartbeat failover
If an interface functioning as the heartbeat device fails, the heartbeat is transferred to
another interface also configured as an HA heartbeat device.

Hello state
In the hello state a cluster unit has powered on in HA mode, is using HA heartbeat
interfaces to send hello packets, and is listening on its heartbeat interfaces for hello
packets from other FortiGate units. Hello state may appear in HA log messages.

High availability
The ability that a cluster has to maintain a connection when there is a device or link failure
by having another unit in the cluster take over the connection, without any loss of
connectivity. To achieve high availability, all FortiGate units in the cluster share session
and configuration information.

Interface monitoring
You can configure interface monitoring (also called port monitoring) to monitor FortiGate
interfaces to verify that the monitored interfaces are functioning properly and connected to
their networks. If a monitored interface fails or is disconnected from its network the
interface leaves the cluster and a link failover occurs. For more information about interface
monitoring, see “Link failover” on page 1621.

Link failover
Link failover means that if a monitored interface fails, the cluster reorganizes to
reestablish a link to the network that the monitored interface was connected to and to
continue operating with minimal or no disruption of network traffic. See also “Device
failover, link failover, and session failover” on page 1442.

Load balancing
Also known as active-active HA. All units in the cluster process network traffic. The FGCP
employs a technique called unicast load balancing in which a given interface of all cluster
units has the same virtual MAC address. The primary unit is associated with the cluster
HA virtual MAC address and cluster IP address. The primary unit is the only cluster unit to
receive packets sent to the cluster. The primary unit can process packets itself, or
propagate them to subordinate units according to a load balancing schedule.

Monitored interface
An interface that is monitored by a cluster to make sure that it is connected and operating
correctly. The cluster monitors the connectivity of this interface for all cluster units. If a
monitored interface fails or becomes disconnected from its network, the cluster will
compensate.

Primary unit
Also called the primary cluster unit, this cluster unit controls how the cluster operates. The
primary unit sends hello packets to all cluster units to synchronize session information,
synchronize the cluster configuration, and to synchronize the cluster routing table. The
hello packets also confirm for the subordinate units that the primary unit is still functioning.
The primary unit also tracks the status of all subordinate units. When you start a
management connection to a cluster, you connect to the primary unit.
In an active-passive cluster, the primary unit processes all network traffic. If a subordinate
unit fails, the primary unit updates the cluster configuration database.
In an active-active cluster, the primary unit receives all network traffic and re-directs this
traffic to subordinate units. If a subordinate unit fails, the primary unit updates the cluster
status and redistributes load balanced traffic to other subordinate units in the cluster.
The FortiGate firmware uses the term master to refer to the primary unit.

Session failover
Session failover means that a cluster maintains active network sessions after a device or
link failover. FortiGate HA does not support session failover by default. To enable session
failover you must change the HA configuration to select Enable Session Pick-up. See also
“Device failover, link failover, and session failover” on page 1442.

Session pickup
If you enable session pickup for a cluster, if the primary unit fails or a subordinate unit in
an active-active cluster fails, all communication sessions with the cluster are maintained or
picked up by the cluster after the cluster negotiates to select a new primary unit.
In most cases you would want to enable session pickup. However, if session pickup is not
a requirement of your HA installation, you can disable this option to save processing
resources and reduce the network bandwidth used by HA session synchronization.

Standby state
A subordinate unit in an active-passive HA cluster operates in the standby state. In a
virtual cluster, a subordinate virtual domain also operates in the standby state. The
standby state is actually a hot-standby state because the subordinate unit or subordinate
virtual domain is not processing traffic but is monitoring the primary unit session table to
take the place of the primary unit or primary virtual domain if a failure occurs.
In an active-active cluster all cluster units operate in a work state.
When standby state appears in HA log messages this usually means that a cluster unit
has become a subordinate unit in an active-passive cluster or that a virtual domain has
become a subordinate virtual domain.

State synchronization
The part of the FGCP that maintains connections after failover.

Subordinate unit
Also called the subordinate cluster unit, each cluster contains one or more cluster units
that are not functioning as the primary unit. Subordinate units are always waiting to
become the primary unit. If a subordinate unit does not receive hello packets from the
primary unit, it attempts to become the primary unit.
In an active-active cluster, subordinate units keep track of cluster connections, keep their
configurations and routing tables synchronized with the primary unit, and process network
traffic assigned to them by the primary unit. In an active-passive cluster, subordinate units
do not process network traffic. However, active-passive subordinate units do keep track of
cluster connections and do keep their configurations and routing tables synchronized with
the primary unit.
The FortiGate firmware uses the terms slave and subsidiary unit to refer to a subordinate
unit.

Virtual clustering
Virtual clustering is an extension of the FGCP for FortiGate units operating with multiple
VDOMS enabled. Virtual clustering operates in active-passive mode to provide failover
protection between two instances of a VDOM operating on two different cluster units. You
can also operate virtual clustering in active-active mode to use HA load balancing to
load balance sessions between cluster units. Alternatively, by distributing VDOM
processing between the two cluster units you can also configure virtual clustering to
provide load balancing by distributing sessions for different VDOMs to each cluster unit.

Work state
The primary unit in an active-passive HA cluster, a primary virtual domain in a virtual
cluster, and all cluster units in an active-active cluster operate in the work state. A cluster
unit operating in the work state processes traffic, monitors the status of the other cluster
units, and tracks the session table of the cluster.
When work state appears in HA log messages this usually means that a cluster unit has
become the primary unit or that a virtual domain has become a primary virtual domain.

Configuring and connecting HA clusters
This chapter contains general procedures and descriptions as well as detailed
configuration examples that describe how to configure FortiGate HA clusters.
The examples in this chapter include example values only. In most cases you will
substitute your own values. The examples in this chapter also do not contain detailed
descriptions of configuration parameters.
This chapter contains the following sections:

• About the procedures in this chapter
• Example: NAT/Route mode active-passive HA configuration
• Example: Transparent mode active-active HA configuration
• Example: advanced Transparent mode active-active HA configuration
• Example: converting a standalone FortiGate unit to a cluster
• Example: adding a new unit to an operating cluster
• Example: replacing a failed cluster unit
• Example: HA and 802.3ad aggregated interfaces
• Example: HA and redundant interfaces
• Troubleshooting HA clusters

About the procedures in this chapter
The procedures in this chapter describe some of many possible sequences of steps for
configuring HA clustering. As you become more experienced with FortiOS HA you may
choose to use a different sequence of configuration steps.
For simplicity, many of these procedures assume that you are starting with new FortiGate
units set to the factory default configuration. However, starting from the default
configuration is not a requirement for a successful HA deployment. FortiGate HA is flexible
enough to support a successful configuration from many different starting points.

Example: NAT/Route mode active-passive HA configuration
This section describes a simple HA network topology that includes an HA cluster of two
FortiGate-620B units in NAT/Route mode installed between an internal network and the
Internet.

• Example NAT/Route mode HA network topology
• General configuration steps
• Configuring a NAT/Route mode active-passive cluster of two FortiGate-620B units - web-based manager
• Configuring a NAT/Route mode active-passive cluster of two FortiGate-620B units - CLI

Example NAT/Route mode HA network topology
Figure 208 shows a typical FortiGate-620B HA cluster consisting of two FortiGate-620B
units (620_ha_1 and 620_ha_2) connected to the same internal (port2) and external
(port1) networks.
Figure 208: Example NAT/Route mode HA network topology
[Figure: two FortiGate-620B units, 620_ha_1 and 620_ha_2, form the cluster. On each
unit, port1 (172.20.120.141) connects through a switch to the router (172.20.120.2) and
the Internet, port2 (10.11.101.100) connects through a switch to the internal network
(10.11.101.0), and port3 and port4 are connected unit to unit as heartbeat interfaces.]

Port3 and port4 are the default FortiGate-620B heartbeat interfaces. Because the cluster
consists of two FortiGate units, you can make the connections between the heartbeat
interfaces using crossover cables. You could also use switches and regular ethernet
cables.

General configuration steps
This section includes web-based manager and CLI procedures. These procedures
assume that the FortiGate-620B units are running the same FortiOS firmware build and
are set to the factory default configuration.
General configuration steps
1 Configure the FortiGate units for HA operation.
• Optionally change each unit’s host name.
• Configure HA.
2 Connect the cluster to the network.
3 Confirm that the cluster units are operating as a cluster and add basic configuration
settings to the cluster.
• View cluster status from the web-based manager or CLI.
• Add a password for the admin administrative account.
• Change the IP addresses and netmasks of the internal and external interfaces.
• Add a default route.

Configuring a NAT/Route mode active-passive cluster of two FortiGate-620B units - web-based manager
Use the following procedures to configure two FortiGate-620B units for NAT/Route HA
operation using the FortiGate web-based manager. These procedures assume you are
starting with two FortiGate-620B units with factory default settings.
Note: Give each cluster unit a unique host name to make the individual units easier to
identify when they are part of a functioning cluster. The default FortiGate unit host name is
the FortiGate serial number. You may want to change this host name to something more
meaningful for your network.

To configure the first FortiGate-620B unit (host name 620_ha_1)
1 Power on the first FortiGate unit.
2 On your management computer with an Ethernet connection, set the static IP address
to 192.168.1.2 and the netmask to 255.255.255.0.
3 On a management computer, start a web browser and browse to the address
https://192.168.1.99 (remember to include the “s” in https://).
The FortiGate login is displayed.
4 Type admin in the Name field and select Login.
The FortiGate dashboard is displayed.
5 On the System Information dashboard widget beside Host Name, select Change.
6 Enter a new Host Name for this FortiGate unit.
New Name          620_ha_1

7 Select OK.
8 Go to System > Config > HA and change the following settings:
Mode              Active-Passive
Group Name        example1.com
Password          HA_pass_1
Note: This is the minimum recommended configuration for an active-passive HA cluster. You
can also configure other HA options, but if you wait until after the cluster is operating you
will only have to configure these options once for the cluster instead of separately for each
unit in the cluster.

9 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster
virtual MAC addresses” on page 1605). The MAC addresses of the FortiGate-620B
interfaces change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
To confirm these MAC address changes, you can use the get hardware nic (or
diagnose hardware deviceinfo nic) CLI command to view the virtual MAC
address of any FortiGate unit interface. For example, use the following command to
view the port1 interface virtual MAC address (MAC) and the port1 permanent MAC
address (Permanent_HWaddr):
get hardware nic port1
...
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
...
10 Power off the first FortiGate unit (620_ha_1).
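The virtual MAC list in step 9 can be derived rather than looked up. The following added example (not from the handbook or Fortinet) computes the expected virtual MAC for every FortiGate-620B interface and checks a get hardware nic listing against it; it assumes the group ID occupies the fifth octet and that interfaces are numbered in string-sorted order, generalising the group ID 0 list shown above.

```python
# Added example, not the handbook's or Fortinet's code: compute the HA virtual
# MAC addresses the FGCP assigns to a FortiGate-620B's interfaces and check a
# "get hardware nic" listing against them. The page shows the result for group
# ID 0 only; placing the group ID in the fifth octet and numbering interfaces
# in string-sorted order are assumptions generalised from that list.
import re

# Interface names of a FortiGate-620B, port1 to port20, as listed on this page.
FORTIGATE_620B_PORTS = ["port%d" % i for i in range(1, 21)]

# Constructed sample modelled on the page's abridged "get hardware nic port1"
# output, with unrelated lines replaced by "..." as on the page.
SAMPLE_NIC_OUTPUT = """\
get hardware nic port1
...
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
...
"""


def ha_virtual_macs(group_id, ports=FORTIGATE_620B_PORTS):
    """Map each interface name to its expected HA virtual MAC (dashed, lowercase).

    The page lists port1 -> 00-09-0f-09-00-00, port10 -> ...-01, port2 -> ...-0b:
    the last octet is the interface's index in string-sorted order.
    """
    if not 0 <= group_id <= 255:
        raise ValueError("group-id must fit in one octet")
    return {name: "00-09-0f-09-%02x-%02x" % (group_id, idx)
            for idx, name in enumerate(sorted(ports))}


def parse_nic_output(text):
    """Pull MAC and Permanent_HWaddr out of 'get hardware nic <port>' output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(MAC|Permanent_HWaddr):\s*([0-9A-Fa-f:]{17})\s*$", line)
        if m:
            found[m.group(1)] = m.group(2).lower().replace(":", "-")
    return found


def check_interface(nic_output, port, group_id):
    """Compare an interface's live MAC with the virtual MAC expected in HA mode.

    in_ha_mode is True when the FGCP has already replaced the burned-in
    address; the permanent MAC is returned so the unit can still be told apart.
    """
    fields = parse_nic_output(nic_output)
    expected = ha_virtual_macs(group_id)[port]
    current = fields.get("MAC")
    return {
        "port": port,
        "expected_virtual_mac": expected,
        "current_mac": current,
        "permanent_mac": fields.get("Permanent_HWaddr"),
        "in_ha_mode": current == expected,
    }


if __name__ == "__main__":
    for name, mac in sorted(ha_virtual_macs(0).items()):
        print(name, mac)
    print(check_interface(SAMPLE_NIC_OUTPUT, "port1", 0))
```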
To configure the second FortiGate-620B unit (host name 620_ha_2)
1 Power on the second FortiGate unit.
2 On a management computer, start a web browser and browse to the address
https://192.168.1.99 (remember to include the “s” in https://).
The FortiGate login is displayed.
3 Type admin in the Name field and select Login.
The FortiGate dashboard is displayed.
4 On the System Information dashboard widget, beside Host Name select Change.
5 Enter a new Host Name for this FortiGate unit.
New Name          620_ha_2

6 Select OK.

7 Go to System > Config > HA and change the following settings:
Mode              Active-Passive
Group Name        example1.com
Password          HA_pass_1

8 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
because the FGCP changes the MAC address of the FortiGate unit interfaces.
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
9 Power off the second FortiGate unit.
To connect the cluster to the network
1 Connect the port1 interfaces of 620_ha_1 and 620_ha_2 to a switch or hub connected
to the Internet.
2 Connect the port2 interfaces of 620_ha_1 and 620_ha_2 to a switch or hub connected
to the internal network.
3 Connect the port3 interfaces of 620_ha_1 and 620_ha_2 together. You can use a
crossover Ethernet cable or regular Ethernet cables and a switch or hub.
4 Connect the port4 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
5 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention and normally takes less than a minute.
When negotiation is complete the cluster is ready to be configured for your network.
To view cluster status
Use the following steps to view the cluster dashboard and cluster members list to confirm
that the cluster units are operating as a cluster.
Note: Once the cluster is operating, because configuration changes are synchronized to all
cluster units, configuring the cluster is the same as configuring an individual FortiGate unit.
You could have performed the following configuration steps separately on each FortiGate
unit before you connected them to form a cluster.

1 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to
include the “s” in https://).
The FortiGate Login is displayed.
2 Type admin in the Name field and select Login.
The FortiGate dashboard is displayed.
The System Information dashboard widget shows the Cluster Name (example1.com)
and the host names and serial numbers of the Cluster Members. The Unit Operation
widget shows multiple cluster units.

Figure 209: Sample FortiGate-620B cluster dashboard

3 Go to System > Config > HA to view the cluster members list.
The list shows both cluster units, their host names, their roles in the cluster, and their
priorities. You can use this list to confirm that the cluster is operating normally. For
example, if the list shows only one cluster unit then the other unit has left the cluster for
some reason.
Figure 210: Sample FortiGate-620B cluster members list

To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units, the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
To add basic configuration settings to the cluster
Use the following steps to configure the cluster to connect to its network. The following are
example configuration steps only and do not represent all of the steps required to
configure the cluster for a given network.
1 Log into the cluster web-based manager.
2 Go to System > Admin > Administrators.

3 For admin, select the Change Password icon.
4 Enter and confirm a new password.
5 Select OK.
6 Go to System > Network > Interface.
7 Edit the port2 interface and change IP/Netmask to 10.11.101.100/24.
8 Select OK.
Note: After changing the IP address of the port1 interface you may have to change the IP
address of your management computer and then reconnect to the port1 interface using the
172.20.120.141 IP address.

9 Edit the port1 interface and change IP/Netmask to 172.20.120.141/24.
10 Select OK.
11 Go to Router > Static.
12 Change the default route.
Destination IP/Mask   0.0.0.0/0.0.0.0
Gateway               172.20.120.2
Device                port1
Distance              10

13 Select OK.

Configuring a NAT/Route mode active-passive cluster of two FortiGate-620B units - CLI
Use the following procedures to configure two FortiGate-620B units for NAT/Route HA
operation using the FortiGate CLI. These procedures assume you are starting with two
FortiGate-620B units with factory default settings.
To configure the first FortiGate-620B unit (host name 620_ha_1)
1 Power on the FortiGate unit.
2 Connect a null modem cable to the communications port of the management computer
and to the FortiGate Console port.
3 Start HyperTerminal (or any terminal emulation program), enter a name for the
connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the
computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second   9600
Data bits         8
Parity            None
Stop bits         1
Flow control      None

6 Press Enter to connect to the FortiGate CLI.
The FortiGate unit CLI login prompt appears.
If the prompt does not appear, press Enter. If it still does not appear, power off your
FortiGate unit and power it back on. If you are connected, at this stage you will see
startup messages that will confirm you are connected. The login prompt will appear
after the startup has completed.
7 Type admin and press Enter twice.
8 Change the host name for this FortiGate unit.
config system global
set hostname 620_ha_1
end
9 Configure HA settings.
config system ha
set mode a-p
set group-name example1.com
set password HA_pass_1
end
The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose
network connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP
changes the MAC address of the FortiGate unit interfaces (see “Cluster virtual MAC
addresses” on page 1605). The MAC addresses of the FortiGate-620B interfaces
change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.

To confirm these MAC address changes, you can use the get hardware nic (or
diagnose hardware deviceinfo nic) CLI command to view the virtual MAC
address of any FortiGate unit interface. For example, use the following command to
view the port1 interface virtual MAC address (MAC) and the port1 permanent MAC
address (Permanent_HWaddr):
get hardware nic port1
...
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
...
10 Display the HA configuration (optional).
get system ha
group-id                : 0
group-name              : example1.com
mode                    : a-p
password                : *
hbdev                   : "port3" 50 "port4" 50
route-ttl               : 10
route-wait              : 0
route-hold              : 10
sync-config             : enable
encryption              : disable
authentication          : disable
hb-interval             : 2
hb-lost-threshold       : 6
helo-holddown           : 20
arps                    : 5
arps-interval           : 8
session-pickup          : disable
link-failed-signal      : disable
uninterruptable-upgrade : enable
ha-mgmt-status          : disable
ha-eth-type             : 8890
hc-eth-type             : 8891
l2ep-eth-type           : 8893
subsecond               : disable
vcluster2               : disable
vcluster-id             : 1
override                : disable
priority                : 128
monitor                 :
pingserver-monitor-interface:
pingserver-failover-threshold: 0
pingserver-flip-timeout : 60
vdom                    : "root"
11 Power off the FortiGate unit.
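The virtual MAC list above follows from the interface names alone: the FGCP numbers the interfaces in string-sorted order (port1, port10, ..., port19, port2, port20, port3, ...) and uses that index as the last byte. The following Python is an added example, not part of the handbook; it rebuilds that table and checks a get hardware nic listing against it. It assumes that the fourth byte carries the HA group-id (this page only confirms that for group-id 0) and that the listing contains the MAC: and Permanent_HWaddr: lines shown above.

```python
"""Derive FGCP virtual MAC addresses for a FortiGate-620B cluster (added example)."""
import re
from typing import Dict, Iterable

# Fixed prefix shown on the page; the fourth byte is assumed to be the HA group-id
# (the page only shows group-id 0) and the last byte is the interface index.
PREFIX = ("00", "09", "0f", "09")

# The twenty interfaces the page lists for the FortiGate-620B.
FORTIGATE_620B_INTERFACES = [f"port{n}" for n in range(1, 21)]

# Constructed after the abridged 'get hardware nic port1' output on the page.
SAMPLE_GET_HARDWARE_NIC = """\
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
"""


def normalize_mac(mac: str) -> str:
    """Accept 00:09:0f:09:00:00 or 00-09-0F-09-00-00 and return the lowercase dash form."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or any(not re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(parts)


def virtual_mac_table(interfaces: Iterable[str], group_id: int = 0) -> Dict[str, str]:
    """Map each interface to the virtual MAC the FGCP assigns it in virtual cluster 1.

    The last byte is the interface's position in the string-sorted interface list,
    which is exactly the order the handbook prints (port1 = 00, port10 = 01, ...,
    port19 = 0a, port2 = 0b, ..., port9 = 13).
    """
    if not 0 <= group_id <= 0xFF:
        raise ValueError("group-id must fit in one byte")
    ordered = sorted(interfaces)  # lexical sort, not numeric: port10 sorts before port2
    if len(ordered) > 0x100:
        raise ValueError("too many interfaces for a one-byte index")
    return {
        name: "-".join(PREFIX + (f"{group_id:02x}", f"{idx:02x}"))
        for idx, name in enumerate(ordered)
    }


def parse_get_hardware_nic(text: str) -> Dict[str, str]:
    """Pull the 'MAC:' and 'Permanent_HWaddr:' fields out of 'get hardware nic <port>' output."""
    fields = {}
    for key in ("MAC", "Permanent_HWaddr"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.M)
        if m:
            fields[key] = normalize_mac(m.group(1))
    return fields


def interface_state(nic_output: str, interface: str,
                    interfaces: Iterable[str] = FORTIGATE_620B_INTERFACES,
                    group_id: int = 0) -> str:
    """Classify what address the interface currently carries.

    'virtual'    - the FGCP virtual MAC for this interface (cluster has negotiated)
    'permanent'  - the burned-in address (not negotiated yet, or back to standalone)
    'unexpected' - neither, which is worth investigating
    """
    fields = parse_get_hardware_nic(nic_output)
    expected = virtual_mac_table(interfaces, group_id)[interface]
    if fields.get("MAC") == expected:
        return "virtual"
    if fields.get("MAC") is not None and fields.get("MAC") == fields.get("Permanent_HWaddr"):
        return "permanent"
    return "unexpected"


if __name__ == "__main__":
    for name, mac in sorted(virtual_mac_table(FORTIGATE_620B_INTERFACES).items()):
        print(f"{name:<7} {mac}")
    print("port1 is using the", interface_state(SAMPLE_GET_HARDWARE_NIC, "port1"), "MAC")
```

Knowing the expected virtual MAC lets you confirm the management PC's ARP entry for the cluster points at the right address before and after clearing it with arp -d.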
To configure the second FortiGate-620B unit (host name 620_ha_2)
1 Power on the FortiGate unit.
2 Connect a null modem cable to the communications port of the management computer
and to the FortiGate Console port.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the
computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None

6 Press Enter to connect to the FortiGate CLI.
The FortiGate unit CLI login prompt appears.
7 Type admin and press Enter twice.
8 Change the host name for this FortiGate unit.
config system global
set hostname 620_ha_2
end
9 Configure HA settings.
config system ha
set mode a-p
set group-name example1.com
set password HA_pass_1
end
The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose
network connectivity with the FortiGate unit as the HA cluster negotiates and because
the FGCP changes the MAC address of the FortiGate unit interfaces.
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
10 Display the HA configuration (optional).
get system ha
group-id                : 0
group-name              : example1.com
mode                    : a-p
password                : *
hbdev                   : "port3" 50 "port4" 50
route-ttl               : 10
route-wait              : 0
route-hold              : 10
sync-config             : enable
encryption              : disable
authentication          : disable
hb-interval             : 2
hb-lost-threshold       : 6
helo-holddown           : 20
arps                    : 5
arps-interval           : 8
session-pickup          : disable
link-failed-signal      : disable
uninterruptable-upgrade : enable
ha-mgmt-status          : disable
ha-eth-type             : 8890
hc-eth-type             : 8891
l2ep-eth-type           : 8893
subsecond               : disable
vcluster2               : disable
vcluster-id             : 1
override                : disable
priority                : 128
monitor                 :
pingserver-monitor-interface:
pingserver-failover-threshold: 0
pingserver-flip-timeout : 60
vdom                    : "root"
11 Power off the FortiGate unit.
To connect the cluster to the network
1 Connect the port1 interfaces of 620_ha_1 and 620_ha_2 to a switch or hub connected
to the Internet.
2 Connect the port2 interfaces of 620_ha_1 and 620_ha_2 to a switch or hub connected
to the internal network.
3 Connect the port3 interfaces of 620_ha_1 and 620_ha_2 together. You can use a
crossover Ethernet cable or regular Ethernet cables and a switch or hub.
4 Connect the port4 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
5 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention and normally takes less than a minute.
When negotiation is complete the cluster is ready to be configured for your network.
To view cluster status
Use the following steps to view cluster status from the CLI.
1 Determine which cluster unit is the primary unit.
• Use the null-modem cable and serial connection to re-connect to the CLI of one of
the cluster units.
• Enter the command get system status.
If the command output includes Current HA mode: a-a, master, the cluster
units are operating as a cluster and you have connected to the primary unit.
Continue with Step 2.
If the command output includes Current HA mode: a-a, backup, you have
connected to a subordinate unit. Connect the null-modem cable to the other cluster
unit, which should be the primary unit and continue with Step 2.
Note: If the command output includes Current HA mode: standalone, the cluster unit
is not operating in HA mode and you should review your HA configuration.

2 Enter the following command to confirm the HA configuration of the cluster:
get system ha status
Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2 FG600B3908600825 0
Slave :128 620_ha_1 FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
The command output shows both cluster units, their host names, their roles in the
cluster, and their priorities. You can use this command to confirm that the cluster is
operating normally. For example, if the command shows only one cluster unit then the
other unit has left the cluster for some reason.
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units, the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
To add basic configuration settings to the cluster
Use the following steps to add some basic settings to the cluster so that it can connect to
the network.
1 Log into the primary unit CLI.
2 Add a password for the admin administrative account.
config system admin
edit admin
set password <password_str>
end
3 Configure the port1 and port2 interfaces.
config system interface
edit port1
set ip 172.20.120.141/24
next
edit port2
set ip 10.11.101.100/24
end
4 Add a default route.
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set gateway 172.20.120.2
set device port1
end
Example: Transparent mode active-active HA configuration
This section describes a simple HA network topology that includes an HA cluster of two
FortiGate-620B units installed between an internal network and the Internet and running in
Transparent mode.

Example Transparent mode HA network topology
General configuration steps

Example Transparent mode HA network topology
Figure 211 shows a Transparent mode FortiGate-620B HA cluster consisting of two
FortiGate-620B units (620_ha_1 and 620_ha_2) installed between the Internet and
internal network. The topology includes a router that performs NAT between the internal
network and the Internet. The cluster management IP address is 10.11.101.100.
Figure 211: Transparent mode HA network topology
[Figure not reproduced. Labels in the figure: Internal Network 10.11.101.0; Router 10.11.101.2 / 172.20.120.2; Internet; Switch; 620_ha_1 and 620_ha_2 with Port1, Port2, Port3 and Port4; FortiGate-620B Cluster Management IP 10.11.101.100.]

Port3 and port4 are the default FortiGate-620B heartbeat interfaces. Because the cluster
consists of two FortiGate units, you can make the connections between the heartbeat
interfaces using crossover cables. You could also use switches and regular ethernet
cables.

General configuration steps
This section includes web-based manager and CLI procedures. These procedures
assume that the FortiGate-620B units are running the same FortiOS firmware build and
are set to the factory default configuration.
In this example, the configuration steps are identical to the NAT/Route mode configuration
steps until the cluster is operating. When the cluster is operating, you can switch to
Transparent mode and add basic configuration settings to the cluster.
General configuration steps
1 Configure the FortiGate units for HA operation.
• Optionally change each unit’s host name.
• Configure HA.
2 Connect the cluster to the network.
3 Confirm that the cluster units are operating as a cluster.
4 Switch the cluster to Transparent mode and add basic configuration settings to the
cluster.
• Switch to Transparent mode, add the management IP address and a default route.
• Add a password for the admin administrative account.
• View cluster status from the web-based manager or CLI.

Configuring a Transparent mode active-active cluster of two FortiGate-620B
units - web-based manager
Use the following procedures to configure the FortiGate-620B units for HA operation using
the FortiGate web-based manager. These procedures assume you are starting with two
FortiGate-620B units with factory default settings.
Tip: Waiting until you have established the cluster to switch to Transparent mode means
fewer configuration steps because you can switch the mode of the cluster in one step.

To configure the first FortiGate-620B unit (host name 620_ha_1)
1 Power on the first FortiGate unit.
2 Set the IP address of a management computer with an Ethernet connection to the
static IP address 192.168.1.2 and a netmask of 255.255.255.0.
3 On a management computer, start a web browser and browse to the address
https://192.168.1.99 (remember to include the “s” in https://).
The FortiGate login is displayed.
4 Type admin in the Name field and select Login.
The FortiGate dashboard is displayed.
5 On the System Information dashboard widget, beside Host Name select Change.
6 Enter a new Host Name for this FortiGate unit.
New Name 620_ha_1

7 Select OK.
8 Go to System > Config > HA and change the following settings:
Mode Active-Active
Group Name example2.com
Password HA_pass_2

Note: This is the minimum recommended configuration for an active-active HA cluster. You
can configure other HA options at this point, but if you wait until the cluster is operating you
will only have to configure these options once for the cluster instead of separately for each
cluster unit.
9 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster
virtual MAC addresses” on page 1605). The MAC addresses of the FortiGate-620B
interfaces change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
To confirm these MAC address changes, you can use the get hardware nic (or
diagnose hardware deviceinfo nic) CLI command to view the virtual MAC
address of any FortiGate unit interface. For example, use the following command to
view the port1 interface virtual MAC address (MAC) and the port1 permanent MAC
address (Permanent_HWaddr):
get hardware nic port1
...
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
...
10 Power off the first FortiGate unit.
To configure the second FortiGate-620B unit (host name 620_ha_2)
1 Power on the second FortiGate unit.
2 On a management computer, start Internet Explorer and browse to the address
https://192.168.1.99 (remember to include the “s” in https://).
The FortiGate login is displayed.
3 Type admin in the Name field and select Login.
The FortiGate dashboard is displayed.
4 On the System Information dashboard widget, beside Host Name select Change.
5 Enter a new Host Name for this FortiGate unit.
New Name 620_ha_2

6 Select OK.
7 Go to System > Config > HA and change the following settings:
Mode Active-Active
Group Name example2.com
Password HA_pass_2

8 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
because the FGCP changes the MAC address of the FortiGate unit interfaces.
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
9 Power off the second FortiGate unit.
To connect the cluster to the network
1 Connect the port1 interfaces of 620_ha_1 and 620_ha_2 to a switch or hub connected
to the Internet.
2 Connect the port2 interfaces of 620_ha_1 and 620_ha_2 to a switch or hub connected
to the internal network.
3 Connect the port3 interfaces of 620_ha_1 and 620_ha_2 together. You can use a
crossover Ethernet cable or regular Ethernet cables and a switch or hub.
4 Connect the port4 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
5 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention and normally takes less than a minute.
When negotiation is complete the cluster is ready to be configured for your network.
To switch the cluster to Transparent mode
Switching from NAT/Route to Transparent mode involves adding the Transparent mode
management IP address and default route.
Note: Since configuration changes are synchronized to all cluster units, switching the
cluster to operate in Transparent mode once the cluster is operating is the same as
switching an individual FortiGate unit to Transparent mode. You could have performed the
following configuration steps separately on each FortiGate unit before you connected them
to form a cluster.

1 Start a web browser and browse to the address https://192.168.1.99 (remember
to include the “s” in https://).
The FortiGate Login is displayed.
2 Type admin in the Name field and select Login.
3 Under System Information, beside Operation Mode select Change.
4 Set Operation Mode to Transparent.
5 Configure basic Transparent mode settings.
Operation Mode Transparent
Management IP/Mask 10.11.101.100/24
Default Gateway 10.11.101.2

6 Select Apply.
The cluster switches to operating in Transparent mode. The virtual MAC addresses
assigned to the cluster interfaces do not change.
To view cluster status
Use the following steps to view the cluster dashboard and cluster members list to confirm
that the cluster units are operating as a cluster.
Note: Once the cluster is operating, because configuration changes are synchronized to all
cluster units, configuring the cluster is the same as configuring an individual FortiGate unit.
You could have performed the following configuration steps separately on each FortiGate
unit before you connected them to form a cluster.

1 Start Internet Explorer and browse to the address https://10.11.101.100 (remember to
include the “s” in https://).
The FortiGate Login is displayed.
2 Type admin in the Name field and select Login.
The FortiGate dashboard is displayed.
The System Information dashboard widget shows the Cluster Name (example2.com)
and the host names and serial numbers of the Cluster Members. The Unit Operation
widget shows multiple cluster units.
Figure 212: Sample FortiGate-620B cluster dashboard

3 Go to System > Config > HA to view the cluster members list.
The list shows both cluster units, their host names, their roles in the cluster, and their
priorities. You can use this list to confirm that the cluster is operating normally. For
example, if the list shows only one cluster unit then the other unit has left the cluster for
some reason.
Figure 213: Sample FortiGate-620B cluster members list

To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units, the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
To add basic configuration settings to the cluster
Use the following steps to configure the cluster. Note that the following are example
configuration steps only and do not represent all of the steps required to configure the
cluster for a given network.
1 Log into the cluster web-based manager.
2 Go to System > Admin > Administrators.
3 For admin, select the Change Password icon.
4 Enter and confirm a new password.
5 Select OK.
Note: You added a default gateway when you switched to Transparent mode so you don’t
need to add a default route as part of the basic configuration of the cluster at this point.

Configuring a Transparent mode active-active cluster of two FortiGate-620B
units - CLI
Use the following procedures to configure the FortiGate-620B units for Transparent mode
HA operation using the FortiGate CLI.
To configure each FortiGate unit for HA operation
1 Power on the FortiGate unit.
2 Connect a null modem cable to the communications port of the management computer
and to the FortiGate Console port.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the
computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None

6 Press Enter to connect to the FortiGate CLI.
The FortiGate unit CLI login prompt appears. If the prompt does not appear, press
Enter. If it still does not appear, power off your FortiGate unit and power it back on. If
you are connected, at this stage you will see startup messages that will confirm you are
connected. The login prompt will appear after the startup has completed.
7 Type admin and press Enter twice.
8 Change the host name for this FortiGate unit. For example:
config system global
set hostname 620_ha_1
end
9 Configure HA settings.
config system ha
set mode a-a
set group-name example2.com
set password HA_pass_2
end
Note: This is the minimum recommended configuration for an active-active HA cluster. You
can also configure other HA options, but if you wait until after the cluster is operating you
will only have to configure these options once for the cluster instead of separately for each
cluster unit.
The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose
network connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP
changes the MAC address of the FortiGate unit interfaces (see “Cluster virtual MAC
addresses” on page 1605). The MAC addresses of the FortiGate-620B interfaces
change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
To confirm these MAC address changes, you can use the get hardware nic (or
diagnose hardware deviceinfo nic) CLI command to view the virtual MAC
address of any FortiGate unit interface. For example, use the following command to
view the port1 interface virtual MAC address (MAC) and the port1 permanent MAC
address (Permanent_HWaddr):
get hardware nic port1
...
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
...
10 Display the HA configuration (optional).
get system ha
group-id                : 0
group-name              : example2.com
mode                    : a-a
password                : *
hbdev                   : "port3" 50 "port4" 50
route-ttl               : 10
route-wait              : 0
route-hold              : 10
sync-config             : enable
encryption              : disable
authentication          : disable
hb-interval             : 2
hb-lost-threshold       : 6
helo-holddown           : 20
arps                    : 5
arps-interval           : 8
session-pickup          : disable
link-failed-signal      : disable
uninterruptable-upgrade : enable
ha-mgmt-status          : disable
ha-eth-type             : 8890
hc-eth-type             : 8891
l2ep-eth-type           : 8893
subsecond               : disable
vcluster2               : disable
vcluster-id             : 1
override                : disable
priority                : 128
monitor                 :
pingserver-monitor-interface:
pingserver-failover-threshold: 0
pingserver-flip-timeout : 60
vdom                    : "root"
11 Power off the FortiGate unit.
To configure the second FortiGate-620B unit (host name 620_ha_2)
1 Power on the FortiGate unit.
2 Connect a null modem cable to the communications port of the management computer
and to the FortiGate Console port.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the
computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
6 Press Enter to connect to the FortiGate CLI.
The FortiGate unit CLI login prompt appears. If the prompt does not appear, press
Enter. If it still does not appear, power off your FortiGate unit and power it back on. If
you are connected, at this stage you will see startup messages that will confirm you are
connected. The login prompt will appear after the startup has completed.
7 Type admin and press Enter twice.
8 Change the host name for this FortiGate unit.
config system global
set hostname 620_ha_2
end
9 Configure HA settings.
config system ha
set mode a-a
set group-name example2.com
set password HA_pass_2
end
The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose
network connectivity with the FortiGate unit as the HA cluster negotiates and because
the FGCP changes the MAC address of the FortiGate unit interfaces.
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
10 Display the HA configuration (optional).
get system ha
group-id                : 0
group-name              : example2.com
mode                    : a-a
password                : *
hbdev                   : "port3" 50 "port4" 50
route-ttl               : 10
route-wait              : 0
route-hold              : 10
sync-config             : enable
encryption              : disable
authentication          : disable
hb-interval             : 2
hb-lost-threshold       : 6
helo-holddown           : 20
arps                    : 5
arps-interval           : 8
session-pickup          : disable
link-failed-signal      : disable
uninterruptable-upgrade : enable
ha-mgmt-status          : disable
ha-eth-type             : 8890
hc-eth-type             : 8891
l2ep-eth-type           : 8893
subsecond               : disable
vcluster2               : disable
vcluster-id             : 1
override                : disable
priority                : 128
monitor                 :
pingserver-monitor-interface:
pingserver-failover-threshold: 0
pingserver-flip-timeout : 60
vdom                    : "root"
11 Power off the FortiGate unit.
To connect the cluster to the network
1 Connect the port1 interfaces of 620_ha_1 and 620_ha_2 to a switch or hub connected
to the Internet.
2 Connect the port2 interfaces of 620_ha_1 and 620_ha_2 to a switch or hub connected
to the internal network.
3 Connect the port3 interfaces of 620_ha_1 and 620_ha_2 together. You can use a
crossover Ethernet cable or regular Ethernet cables and a switch or hub.
4 Connect the port4 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
5 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention and normally takes less than a minute.
When negotiation is complete the cluster is ready to be configured for your network.
To connect to the cluster CLI and switch the cluster to Transparent mode
1 Determine which cluster unit is the primary unit.
• Use the null-modem cable and serial connection to re-connect to the CLI of one of
the cluster units.
• Enter the command get system status.
If the command output includes Current HA mode: a-a, master, the cluster
units are operating as a cluster and you have connected to the primary unit.
Continue with Step 2.
If the command output includes Current HA mode: a-a, backup, you have
connected to a subordinate unit. Connect to the other cluster unit, which should be
the primary unit and continue with Step 2.
Note: If the command output includes Current HA mode: standalone, the cluster unit
is not operating in HA mode. See “Troubleshooting the initial cluster configuration” on
page 1518.

2 Change to transparent mode.
config system settings
set opmode transparent
set manageip 192.168.20.3/24
set gateway 192.168.20.1
end
The cluster switches to Transparent Mode, and your administration session is
disconnected.
You can now connect to the cluster CLI using SSH to connect to the cluster internal
interface using the management IP address (192.168.20.3).
To view cluster status
Use the following steps to view cluster status from the CLI.
1 Determine which cluster unit is the primary unit.
• Use the null-modem cable and serial connection to re-connect to the CLI of one of
the cluster units.
• Enter the command get system status.
If the command output includes Current HA mode: a-a, master, the cluster
units are operating as a cluster and you have connected to the primary unit.
Continue with Step 2.
If the command output includes Current HA mode: a-a, backup, you have
connected to a subordinate unit. Connect the null-modem cable to the other cluster
unit, which should be the primary unit and continue with Step 2.
Note: If the command output includes Current HA mode: standalone, the cluster unit
is not operating in HA mode and you should review your HA configuration.

2 Enter the following command to confirm the HA configuration of the cluster:
get system ha status
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2 FG600B3908600825 0
Slave :128 620_ha_1 FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
The command output shows both cluster units, their host names, their roles in the
cluster, and their priorities. You can use this command to confirm that the cluster is
operating normally. For example, if the command shows only one cluster unit then the
other unit has left the cluster for some reason.
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units, the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
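To automate the checks described above (both cluster units present in the get system ha status output, and the get system ha settings reviewed before the cluster goes into service), here is an added Python example; it is not part of the handbook or of FortiOS. The sample outputs are constructed after the listings on this page with each key and value on one line, and the heartbeat findings refer to the authentication and encryption settings that the get system ha listing shows as disabled by default.

```python
"""Parse FortiOS 4.0 'get system ha' / 'get system ha status' output and audit the cluster.

Added example, not from the FortiOS Handbook. Sample outputs are constructed after the
handbook's listings; the serial numbers are the ones the handbook prints.
"""
import re
from typing import Dict, List

# Constructed, abridged 'get system ha' output from the primary unit.
SAMPLE_GET_SYSTEM_HA = """\
group-id            : 0
group-name          : example2.com
mode                : a-a
password            : *
hbdev               : "port3" 50 "port4" 50
sync-config         : enable
encryption          : disable
authentication      : disable
hb-interval         : 2
hb-lost-threshold   : 6
session-pickup      : disable
override            : disable
priority            : 128
"""

# Constructed 'get system ha status' output with both cluster units present.
SAMPLE_GET_SYSTEM_HA_STATUS = """\
Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2 FG600B3908600825 0
Slave :128 620_ha_1 FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
"""

SETTING_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")
# role, priority, host name, serial number, cluster index; the vcluster lines at the
# bottom of the output carry no host name and therefore do not match.
MEMBER_RE = re.compile(r"(Master|Slave)\s*:\s*(\d+)\s+([\w.-]+)\s+(FG[A-Z0-9]+)\s+(\d+)")


def parse_get_system_ha(text: str) -> Dict[str, str]:
    """Turn 'key : value' lines into a dict; values keep the CLI's own spelling."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_ha_status(text: str) -> Dict[str, object]:
    """Extract the cluster mode and the member list from 'get system ha status'."""
    m = re.search(r"^Mode:\s*(\S+)", text, re.M)
    mode = m.group(1) if m else ""
    members = [
        {"role": r, "priority": int(p), "hostname": h, "serial": s, "index": int(i)}
        for r, p, h, s, i in MEMBER_RE.findall(text)
    ]
    return {"mode": mode, "members": members}


def audit_cluster(ha_text: str, status_text: str, expected_mode: str,
                  expected_units: int = 2) -> List[str]:
    """Return human-readable findings; an empty list means the cluster looks as expected."""
    settings = parse_get_system_ha(ha_text)
    status = parse_ha_status(status_text)
    findings: List[str] = []
    if status["mode"] != expected_mode:
        findings.append(f"cluster mode is '{status['mode']}', expected '{expected_mode}'")
    n = len(status["members"])
    if n < expected_units:
        findings.append(f"only {n} of {expected_units} cluster units visible; a unit has left the cluster")
    if sum(1 for mbr in status["members"] if mbr["role"] == "Master") != 1:
        findings.append("expected exactly one primary (Master) unit")
    # With both settings disabled the FGCP heartbeat on port3/port4 is neither
    # authenticated nor encrypted, so those links must stay physically isolated.
    if settings.get("authentication") != "enable":
        findings.append("HA heartbeat authentication is disabled (config system ha: set authentication enable)")
    if settings.get("encryption") != "enable":
        findings.append("HA heartbeat encryption is disabled (config system ha: set encryption enable)")
    if settings.get("session-pickup") != "enable":
        findings.append("session-pickup is disabled: existing sessions are not carried over on failover")
    return findings


if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_GET_SYSTEM_HA, SAMPLE_GET_SYSTEM_HA_STATUS, "a-a"):
        print("-", finding)
```

Feed it the real output captured from the primary unit's console session; the one-unit case below in the test is what you see when the other unit has left the cluster.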
To add a password for the admin administrative account
1 Add a password for the admin administrative account.
config system admin
edit admin
set password <psswrd>
end


Example: advanced Transparent mode active-active HA configuration
This section describes a more complex HA network topology that includes an HA cluster
of three FortiGate-5002FA2 units running in Transparent mode and installed between an
internal network and an engineering network.


• Example Transparent mode HA network topology
• General configuration steps

Example Transparent mode HA network topology
Figure 214 shows a Transparent mode FortiGate-5005FA2 HA cluster consisting of three
FortiGate-5005FA2 units (5005_ha_1, 5005_ha_2, and 5005_ha_3) installed in a
FortiGate-5000 series chassis with one FortiSwitch-5003A board. The cluster applies
virus scanning to traffic passing between an engineering network and an internal network.
The topology includes a router that performs NAT between the internal network and the
engineering network. The cluster is connected to the engineering network with a
management IP address of 10.22.101.20. This IP address is on the engineering network
subnet.
Figure 214: Transparent mode HA network topology

[Figure 214 is a diagram; only its labels survive extraction. Labels: Internal Network 10.21.101.0; Router 10.22.101.1 / 10.21.101.10; FortiGate-5005FA2 units 5005_ha_1, 5005_ha_2 and 5005_ha_3 in a FortiGate-5000 series chassis, each with port1, port4, base1 and fabric1 interfaces; Management IP 10.22.101.20; Engineering Network 10.22.101.0.]

By default fabric1 and fabric2 are the FortiGate-5005FA2 heartbeat interfaces. This
example changes the heartbeat configuration to use the base1 and port4 interfaces for the
heartbeat. The base1 connection is handled using the base backplane channel switched
by the FortiSwitch-5003A board. The port4 connection is handled by connecting the port4
interfaces together using a switch.
The cluster connects to the engineering network using fabric1. The FortiSwitch-5003A
board provides switching for the fabric1 interfaces and the fabric1 connection to the
engineering network.

Configuring a Transparent mode active-active cluster of three FortiGate-5005FA2 units - web-based manager
These procedures assume you are starting with three FortiGate-5005FA2 units with
factory default settings but not installed in chassis slots and a FortiSwitch-5003A board
installed in chassis slot 1. The chassis is powered on. This configuration works for a
FortiGate-5050 chassis or for a FortiGate-5140 chassis. No configuration changes to the
FortiSwitch-5003A board are required.


To configure the FortiGate-5005FA2 units
1 Power on the first FortiGate unit by inserting it into chassis slot 5.
2 Connect port1 to the network and log into the web-based manager.
3 On the System Information dashboard widget, beside Host Name select Change.
4 Enter a new Host Name for this FortiGate unit.
New Name    5005_ha_1

5 Select OK.
6 Go to System > Network > Interface and select Show backplane interfaces.
7 Make sure the administrative status and link status is up for base1 and fabric1.
You can edit the interface to set the administrative status to up. The link status will be
up if the administrative status is up and the FortiGate-5005FA2 board can connect to
the FortiSwitch-5003A board.
8 Go to System > Config > HA and change the following settings:
Mode                  Active-Active
Group Name            example3.com
Password              HA_pass_3
Heartbeat Interface   Enable             Priority
  base1               Select             50
  fabric1             Clear check box    0
  fabric2             Clear check box    0
  port4               Select             50

9 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster
virtual MAC addresses” on page 1605). The MAC addresses of the FortiGate-5005FA2
interfaces change to the following virtual MAC addresses:
• base1 interface virtual MAC: 00-09-0f-09-00-00
• base2 interface virtual MAC: 00-09-0f-09-00-01
• fabric1 interface virtual MAC: 00-09-0f-09-00-02
• fabric2 interface virtual MAC: 00-09-0f-09-00-03
• port1 interface virtual MAC: 00-09-0f-09-00-04
• port2 interface virtual MAC: 00-09-0f-09-00-05
• port3 interface virtual MAC: 00-09-0f-09-00-06
• port4 interface virtual MAC: 00-09-0f-09-00-07
• port5 interface virtual MAC: 00-09-0f-09-00-08
• port6 interface virtual MAC: 00-09-0f-09-00-09
• port7 interface virtual MAC: 00-09-0f-09-00-0a

1486

FortiOS™ Handbook FortiOS 4.0 MR2 High Availability
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Configuring and connecting HA clusters

Example: advanced Transparent mode active-active HA configuration

• port8 interface virtual MAC: 00-09-0f-09-00-0b
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
.
.
.
Current_HWaddr   00:09:0f:09:00:04
Permanent_HWaddr 00:09:0f:71:0a:dc
.
.
.
10 Power off the first FortiGate unit.
11 Repeat these steps for the second and third FortiGate units, with the following
difference.
Set the second FortiGate unit host name to:
New Name    5005_ha_2
Set the third FortiGate unit host name to:
New Name    5005_ha_3

As you insert and configure each FortiGate unit, they will negotiate and join the cluster
using the base1 interface for HA heartbeat communication.
To connect the cluster to the network
1 Connect the port1 interfaces of the cluster to a switch or hub that can connect to the
router and the internal network.
2 Connect the port4 interfaces of the cluster units together using a switch.
These interfaces become the backup heartbeat interface.
3 Connect one of the FortiSwitch-5003A front panel fabric interfaces (for example, F3) to
the engineering network.
To switch the cluster to operate in Transparent mode
Switching from NAT/Route to Transparent mode also involves adding the Transparent
mode management IP address and default route.
1 Log into the web-based manager.
2 Under System Information, beside Operation Mode select Change.
3 Set Operation Mode to Transparent.
4 Configure basic Transparent mode settings.
Operation Mode        Transparent
Management IP/Mask    10.22.101.20/24
Default Gateway       10.22.101.1

5 Select Apply.
The cluster switches to operating in Transparent mode. The virtual MAC addresses
assigned to the cluster interfaces do not change. You must log in again using the new
IP address.
To view cluster status
Use the following steps to view the cluster dashboard and cluster members list to confirm
that the cluster units are operating as a cluster.
1 View the system dashboard.
The System Information dashboard widget shows the Cluster Name (example3.com)
and the host names and serial numbers of the Cluster Members. The Unit Operation
widget shows multiple cluster units.
2 Go to System > Config > HA to view the cluster members list.
The list shows three cluster units, their host names, their roles in the cluster, and their
priorities. You can use this list to confirm that the cluster is operating normally.
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units, the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
To add basic configuration settings to the cluster
Use the following steps to configure the cluster. The following are example configuration
steps only and do not represent all of the steps required to configure the cluster for a given
network.
1 Log into the cluster web-based manager.
2 Go to System > Admin > Administrators.
3 For admin, select the Change Password icon.
4 Enter and confirm a new password.
5 Select OK.
The default route was changed when you switched to Transparent mode.

Configuring a Transparent mode active-active cluster of three FortiGate-5005FA2 units - CLI
Use the following procedures to configure the three FortiGate-5005FA2 units for
Transparent mode HA operation using the FortiGate CLI.
To configure the FortiGate-5005FA2 units
1 Power on the first FortiGate unit by inserting it into chassis slot 5.
2 Connect port1 to the network and log into the CLI.
You can also use a console connection.
3 Change the host name for this FortiGate unit. For example:
config system global
set hostname 5005_ha_1
end


4 Enable showing backplane interfaces.
config system global
set show-backplane-intf enable
end
5 Make sure the administrative status and link status is up for base1 and fabric1.
Enter get system interface to view the status of these interfaces.
You can use the following commands to set the administrative status to up for these
interfaces.
config system interface
edit base1
set status up
next
edit fabric1
set status up
end
6 Configure HA settings.
config system ha
set mode a-a
set group-name example3.com
set password HA_pass_3
set hbdev base1 50 port4 50
end
Note: This is the minimum recommended configuration for an active-active HA cluster. You
can also configure other HA options, but if you wait until after the cluster is operating you
will only have to configure these options once for the cluster instead of separately for each
cluster unit.

The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose
connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP
changes the MAC address of the FortiGate unit interfaces (see “Cluster virtual MAC
addresses” on page 1605). The MAC addresses of the FortiGate-620B interfaces
change to the following virtual MAC addresses:
• base1 interface virtual MAC: 00-09-0f-09-00-00
• base2 interface virtual MAC: 00-09-0f-09-00-01
• fabric1 interface virtual MAC: 00-09-0f-09-00-02
• fabric2 interface virtual MAC: 00-09-0f-09-00-03
• port1 interface virtual MAC: 00-09-0f-09-00-04
• port2 interface virtual MAC: 00-09-0f-09-00-05
• port3 interface virtual MAC: 00-09-0f-09-00-06
• port4 interface virtual MAC: 00-09-0f-09-00-07
• port5 interface virtual MAC: 00-09-0f-09-00-08
• port6 interface virtual MAC: 00-09-0f-09-00-09
• port7 interface virtual MAC: 00-09-0f-09-00-0a
• port8 interface virtual MAC: 00-09-0f-09-00-0b
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.

You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
.
.
.
Current_HWaddr   00:09:0f:09:00:04
Permanent_HWaddr 00:09:0f:71:0a:dc
.
.
.
7 Display the HA configuration (optional).
get system ha
group-id                     : 0
group-name                   : example3.com
mode                         : a-a
password                     : *
hbdev                        : "base1" 50 "port4" 50
route-ttl                    : 10
route-wait                   : 0
route-hold                   : 10
sync-config                  : enable
encryption                   : disable
authentication               : disable
hb-interval                  : 2
hb-lost-threshold            : 20
helo-holddown                : 20
arps                         : 5
arps-interval                : 8
session-pickup               : disable
link-failed-signal           : disable
uninterruptable-upgrade      : enable
ha-mgmt-status               : disable
ha-eth-type                  : 8890
hc-eth-type                  : 8891
l2ep-eth-type                : 8893
subsecond                    : disable
vcluster2                    : disable
vcluster-id                  : 1
override                     : disable
priority                     : 128
schedule                     : round-robin
monitor                      :
pingserver-monitor-interface :
pingserver-failover-threshold: 0
pingserver-flip-timeout      : 60
vdom                         : "root"
load-balance-all             : disable


8 Repeat these steps for the second and third FortiGate units.
Set the second FortiGate unit host name to:
config system global
set hostname 5005_ha_2
end
Set the third FortiGate unit host name to:
config system global
set hostname 5005_ha_3
end
As you insert and configure each FortiGate unit they will negotiate and join the cluster
using the base1 interface for HA heartbeat communication.
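The get hardware nic check in step 6 above, and the same check in the web-based manager procedure earlier in this section, is the quickest way to confirm that the FGCP has actually taken over an interface. As an added example (not code from the handbook or from Fortinet), the following Python script parses the Current_HWaddr and Permanent_HWaddr lines of that output for several interfaces and reports which ones are running on a cluster virtual MAC. The port1 sample copies the values shown on the page; the port4 permanent MAC and the standalone sample are constructed, and the 00:09:0f:09 prefix test assumes the virtual MAC layout shown in the list above.

```python
"""Check whether FortiGate interfaces carry FGCP virtual MAC addresses.

Added example; not from the FortiOS Handbook or Fortinet. It parses the
Current_HWaddr / Permanent_HWaddr lines of 'get hardware nic <port>' output
for several interfaces and reports which ones have had their burned-in MAC
replaced by a cluster virtual MAC. Sample outputs are constructed: port1
copies the handbook's values, port4 uses the page's port4 virtual MAC with
a made-up permanent MAC, and SAMPLE_STANDALONE is a unit without HA.
"""
import re

HWADDR_RE = re.compile(
    r"^(Current_HWaddr|Permanent_HWaddr)\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})$")

# Prefix shared by every virtual MAC in the handbook's list (00-09-0f-09-00-xx).
# Assumption: an interface whose current MAC starts with this and differs from
# its permanent MAC has been taken over by the FGCP.
VIRTUAL_PREFIX = "00:09:0f:09"

SAMPLE_CLUSTER = {
    "port1": "Name: port1\nCurrent_HWaddr 00:09:0f:09:00:04\nPermanent_HWaddr 00:09:0f:71:0a:dc\n",
    "port4": "Name: port4\nCurrent_HWaddr 00:09:0f:09:00:07\nPermanent_HWaddr 00:09:0f:71:0a:df\n",
}
SAMPLE_STANDALONE = {
    "port1": "Name: port1\nCurrent_HWaddr 00:09:0f:71:0a:dc\nPermanent_HWaddr 00:09:0f:71:0a:dc\n",
}


def parse_hwaddr(text):
    """Return (current, permanent) MACs, lower-cased; None for a missing line."""
    found = {}
    for line in text.splitlines():
        m = HWADDR_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).lower()
    return found.get("Current_HWaddr"), found.get("Permanent_HWaddr")


def is_virtual_mac(current, permanent):
    """True when the interface runs on a cluster virtual MAC, not its own."""
    return current != permanent and current.startswith(VIRTUAL_PREFIX)


def ha_mac_report(outputs):
    """Map each interface name to True/False (virtual MAC in use) or None.

    'outputs' maps an interface name to the text of 'get hardware nic <name>'.
    None means the HWaddr lines could not be found in that text.
    """
    report = {}
    for name, text in outputs.items():
        cur, perm = parse_hwaddr(text)
        report[name] = None if cur is None or perm is None else is_virtual_mac(cur, perm)
    return report


def virtual_macs_consistent(outputs):
    """True when all virtual MACs share their first five octets and differ in the last.

    Every address in the handbook's list differs only in its final octet, so
    two interfaces reporting the same virtual MAC, or different leading
    octets, point at a configuration problem worth investigating.
    """
    macs = []
    for text in outputs.values():
        cur, perm = parse_hwaddr(text)
        if cur and perm and is_virtual_mac(cur, perm):
            macs.append(cur)
    prefixes = {m.rsplit(":", 1)[0] for m in macs}
    return len(prefixes) <= 1 and len(set(macs)) == len(macs)
```

Run it against the real output of get hardware nic for each interface after enabling HA: an interface that still reports its permanent MAC on a unit that should be in a cluster is the same symptom as Current HA mode: standalone in get system status.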
To connect the cluster to the network
1 Connect the port1 interfaces of the cluster to a switch or hub that can connect to the
router and the internal network.
2 Connect the port4 interfaces of the cluster units together using a switch.
These interfaces become the backup heartbeat interface.
3 Connect one of the FortiSwitch-5003A front panel fabric interfaces (for example, F3) to
the engineering network.
To switch the cluster to Transparent mode
1 Log into the cluster CLI.
2 Change to Transparent mode.
config system settings
set opmode transparent
set manageip 10.22.101.20/24
set gateway 10.22.101.1
end
The cluster switches to Transparent Mode.
You can now connect to the cluster CLI using SSH to connect to the cluster internal
interface using the management IP address (10.22.101.20).
To view cluster status
Use the following steps to view cluster status from the CLI.
1 Log into the CLI.
2 To verify the HA status of the cluster unit that you logged into, enter the CLI command
get system status. Look for the following information in the command output.
Current HA mode: a-a, master    The cluster units are operating as a cluster and you
                                have connected to the primary unit.
Current HA mode: a-a, backup    The cluster units are operating as a cluster and you
                                have connected to a subordinate unit.
Current HA mode: standalone     The cluster unit is not operating in HA mode.


3 Enter the following command to confirm the HA configuration of the cluster:
get system ha status
Model: 5005
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Master:128 5005_ha_1
FG5A253E07600124 0
Slave :128 5005_ha_2
FG5A253E06500088 1
Slave :128 5005_ha_3
FG5A253E06500099 2
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG5A253E07600124
Slave :1 FG5A253E06500088
Slave :2 FG5A253E06500099
The command output shows both cluster units, their host names, their roles in the
cluster, and their priorities. You can use this command to confirm that the cluster is
operating normally. For example, if the command shows only one cluster unit then the
other unit has left the cluster for some reason.
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
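The get system ha status output in step 3 above (and the two-unit FortiGate-620B version of it earlier in this section) is what you would poll to catch a unit that has silently left the cluster. As an added example, not code from the handbook or from Fortinet, the following Python script parses that output into a member list and compares it with the units you installed. SAMPLE_HEALTHY is a constructed copy of the three-unit output shown above; SAMPLE_DEGRADED is a constructed variant in which only the primary unit is still reporting.

```python
"""Parse 'get system ha status' output and check cluster membership.

Added example; not from the FortiOS Handbook or Fortinet. The member-line
format ("Master:128 5005_ha_1" followed by "FG5A253E07600124 0") is taken
from the output shown on the page; SAMPLE_HEALTHY is a constructed copy of
that output and SAMPLE_DEGRADED is a constructed variant in which only the
primary unit is still reporting.
"""
import re
from dataclasses import dataclass

SAMPLE_HEALTHY = """\
Model: 5005
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Master:128 5005_ha_1
FG5A253E07600124 0
Slave :128 5005_ha_2
FG5A253E06500088 1
Slave :128 5005_ha_3
FG5A253E06500099 2
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG5A253E07600124
Slave :1 FG5A253E06500088
Slave :2 FG5A253E06500099
"""

# Constructed: the same cluster after two units have dropped out.
SAMPLE_DEGRADED = """\
Model: 5005
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 5005_ha_1
FG5A253E07600124 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG5A253E07600124
"""

EXPECTED_UNITS = ["5005_ha_1", "5005_ha_2", "5005_ha_3"]


@dataclass
class Member:
    role: str        # "master" (primary unit) or "slave" (subordinate unit)
    priority: int    # device priority; 128 is the default
    hostname: str
    serial: str
    index: int       # position the cluster assigned to the unit


MEMBER_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)$")
SERIAL_RE = re.compile(r"^(FG\S+)\s+(\d+)$")


def parse_ha_status(text):
    """Return (header fields, members) from 'get system ha status' output.

    Only the member block before 'number of vcluster' is read; the vcluster
    block that follows repeats the serial numbers and is ignored.
    """
    header, members, pending = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("number of vcluster"):
            break
        m = MEMBER_RE.match(line)
        if m:
            pending = (m.group(1).lower(), int(m.group(2)), m.group(3))
            continue
        s = SERIAL_RE.match(line)
        if s and pending:
            role, prio, host = pending
            members.append(Member(role, prio, host, s.group(1), int(s.group(2))))
            pending = None
            continue
        key, sep, value = line.partition(":")
        if sep:
            header[key.strip()] = value.strip()
    return header, members


def check_cluster(text, expected_hosts):
    """Compare the units the cluster reports with the units you installed.

    A healthy result has an empty 'missing' list and exactly one primary
    unit; a host in 'missing' has left the cluster and needs investigating.
    """
    header, members = parse_ha_status(text)
    seen = {m.hostname for m in members}
    masters = [m for m in members if m.role == "master"]
    return {
        "mode": header.get("Mode"),
        "member_count": len(members),
        "missing": sorted(set(expected_hosts) - seen),
        "unexpected": sorted(seen - set(expected_hosts)),
        "one_master": len(masters) == 1,
        "master": masters[0].hostname if masters else None,
    }
```

Feed check_cluster the output captured over SSH from the management IP and alert on a non-empty missing list; because the primary unit answers on that address, a lost subordinate is otherwise invisible to anyone who only checks that the cluster still forwards traffic.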
To add a password for the admin administrative account
1 Add a password for the admin administrative account.
config system admin
edit admin
set password <psswrd>
end

Example: converting a standalone FortiGate unit to a cluster
You can convert an already configured and installed FortiGate unit into a cluster by
configuring this FortiGate unit to be a primary unit and then adding subordinate units.
General configuration steps:
• Configure the original FortiGate unit for HA operation.
• Set the HA Device Priority of the original FortiGate unit to 255 to make sure that this
FortiGate unit becomes the primary unit after cluster negotiation and synchronization.
• Back up the configuration of the original FortiGate unit.
• Configure one or more new FortiGate units with the same HA configuration as the
original FortiGate unit with one exception. Keep the Unit Priority at the default setting,
which is 128.
• Connect the FortiGate units to form a cluster and connect the cluster to your network.

When you power on all of the FortiGate units in the cluster, the original FortiGate unit
becomes the primary unit. Its configuration is synchronized to all of the subordinate units.
The entire cluster now operates with the original FortiGate unit configuration. No further
configuration changes are required.


The new FortiGate units must:
• Have the same hardware configuration as the original FortiGate unit, including the
same hard disk configuration and the same AMC cards installed in the same slots.
• Have the same firmware build as the original FortiGate unit.
• Be set to the same operating mode (NAT or Transparent) as the original FortiGate unit.
• Be operating in single VDOM mode.

In addition to one or more new FortiGate units, you need sufficient switches or hubs to
connect all of the FortiGate interfaces in the cluster. Generally you will need one hub or
switch per interface, as it will have to combine that interface on all units—all port1
interfaces use the port1 hub, port2 interfaces use the port2 hub, and so on. Intelligent
switches that can be partitioned can reduce your switch and hub requirements.
Converting a FortiGate unit to a primary unit and adding in the subordinate unit or units
results in a brief service interruption as you disconnect and reconnect FortiGate interfaces
and as the cluster negotiates. Therefore, conversion should only be done during off peak
hours.
To configure the original FortiGate unit for HA operation
1 Connect to the FortiGate unit web-based manager.
2 Go to System > Config > HA.
3 Configure the FortiGate unit for HA operation.
Mode              Active-Active
Device Priority   255
Group Name        example4.com
Password          HA_pass_4

You can make other HA configuration changes after the cluster is operating.
4 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
because the FGCP changes the MAC address of the FortiGate unit interfaces (see
“Cluster virtual MAC addresses” on page 1605).
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
5 Configure the new FortiGate units with the same HA configuration as the original
FortiGate unit. The one exception is to keep the device priorities of the new FortiGate
units at 128 to ensure the original FortiGate unit will become the primary unit in the new
cluster.
Mode              Active-Active
Device Priority   128
Group Name        example4.com
Password          HA_pass_4


6 Configure the other FortiGate units to the same operation mode as the original
FortiGate unit.
There is no need to make any other configuration changes (including network
configuration changes) to the other FortiGate units.
7 Optionally power off all of the cluster units.
If you don’t power off all of the units they may not negotiate to form a cluster when they
are connected together.
8 Connect the cluster to your network.
For example, for a configuration similar to the FortiGate-620B cluster configuration
described in this chapter, see “To connect the cluster to the network” on page 1465.
9 Power on all of the cluster units.
As the units start they change their MAC addresses and then negotiate to choose the
primary unit and the subordinate units. This negotiation occurs with no user
intervention and normally takes less than a minute.
The original FortiGate unit becomes the primary unit because the device priority of
the original FortiGate unit is higher than the device priority of the other FortiGate units.
The configuration of the original FortiGate unit is synchronized to all the cluster units.
As a result, the cluster is quickly up and running and configured for your network. No
further configuration changes are required.

Example: adding a new unit to an operating cluster
This procedure describes how to add a new FortiGate unit to a functioning cluster. Adding
a new unit to a cluster does not interrupt the operation of the cluster unless you have to
change how the cluster is connected to the network to accommodate the new cluster unit.
You can use this procedure to add as many units as required to the cluster.
To add a new unit to a functioning cluster
1 Install the same firmware build on the new cluster unit as is running on the cluster.
2 Configure the new cluster unit for HA operation with the same HA configuration as the
other units in the cluster.
3 If the cluster is running in Transparent mode, change the operating mode of the new
cluster unit to Transparent mode.
4 Connect the new cluster unit to the cluster.
For example, for a configuration similar to the FortiGate-620B cluster configuration
described in this chapter, see “To connect the cluster to the network” on page 1465.
5 Power on the new cluster unit.
When the unit starts it negotiates to join the cluster. After it joins the cluster, the cluster
synchronizes the new unit configuration with the configuration of the primary unit.
You can add a new unit to a functioning cluster at any time. The new cluster unit must:
• Have the same firmware build as the cluster.
• Be set to the same operating mode (NAT or Transparent) as the cluster.
• Have the same hardware configuration as the cluster units, including the same hard
disk configuration and the same AMC cards installed in the same slots.
• Be operating in single VDOM mode.


Example: replacing a failed cluster unit
This procedure describes how to remove a failed cluster unit from a cluster and add a new
one to replace it. You can also use this procedure to remove a failed unit from a cluster,
repair it and add it back to the cluster. Replacing a failed unit does not interrupt the
operation of the cluster unless you have to change how the cluster is connected to the
network to accommodate the replacement unit.
You can use this procedure to replace more than one cluster unit.
To replace a failed cluster unit
1 Disconnect the failed unit from the cluster and the network.
If you maintain other connections between the network and the still functioning cluster
unit or units, and between the remaining cluster units, network traffic will continue to be
processed.
2 Repair the failed cluster unit, or obtain a replacement unit with the exact same
hardware configuration as the failed cluster unit.
3 Install the same firmware build on the repaired or replacement unit as is running on the
cluster.
4 Configure the repaired or replacement unit for HA operation with the same HA
configuration as the cluster.
5 If the cluster is running in Transparent mode, change the operating mode of the
repaired or replacement cluster unit to Transparent mode.
6 Connect the repaired or replacement cluster unit to the cluster.
For example, for a configuration similar to the FortiGate-620B cluster configuration
described in this chapter, see “To connect the cluster to the network” on page 1465.
7 Power on the repaired or replacement cluster unit.
When the unit starts it negotiates to join the cluster. After it joins the cluster, the cluster
synchronizes the repaired or replacement unit configuration with the configuration of
the primary unit.
You can add a repaired or replacement unit to a functioning cluster at any time. The
repaired or replacement cluster unit must:
• Have the same hardware configuration as the cluster units, including the same hard
disk configuration and the same AMC cards installed in the same slots.
• Have the same firmware build as the cluster.
• Be set to the same operating mode (NAT or Transparent) as the cluster.
• Be operating in single VDOM mode.
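The prerequisite lists for a replacement unit, for a new unit added to an operating cluster, and for the units added when converting a standalone unit to a cluster are the same, and two of the three checkable items (firmware build and operating mode) plus the VDOM mode can be read from get system status on each unit before the new unit is cabled in. As an added example, not code from the handbook or from Fortinet, the following Python script compares those fields between the running cluster and the candidate unit. The field names it relies on (Version, Serial-Number, Operation Mode, Virtual domain configuration) are assumed to appear in that form in the output, the sample outputs are constructed, and the build numbers in them are placeholders. Hard disk and AMC card configuration are not visible in this output and still have to be checked by hand.

```python
"""Pre-join compatibility check for a unit being added to a FortiGate cluster.

Added example; not from the FortiOS Handbook or Fortinet. It compares the
fields of 'get system status' taken on the cluster and on the candidate
unit against the prerequisites the handbook lists: same firmware build,
same operating mode, single VDOM mode. The field names used here (Version,
Serial-Number, Operation Mode, Virtual domain configuration) are assumed;
the sample outputs and their build numbers are constructed placeholders.
"""
import re

# Constructed sample from the primary unit of the running cluster.
CLUSTER_STATUS = """\
Version: Fortigate-620B v4.0,build0000,100101 (MR2)
Serial-Number: FG600B3908600825
Operation Mode: NAT
Virtual domain configuration: disable
Current HA mode: a-p, master
"""

# Constructed sample: a replacement unit prepared correctly.
CANDIDATE_OK = """\
Version: Fortigate-620B v4.0,build0000,100101 (MR2)
Serial-Number: FG600B3908600705
Operation Mode: NAT
Virtual domain configuration: disable
Current HA mode: standalone
"""

# Constructed sample: older build, wrong operating mode, multiple VDOMs enabled.
CANDIDATE_BAD = """\
Version: Fortigate-620B v4.0,build0001,091201 (MR1)
Serial-Number: FG600B3908600705
Operation Mode: Transparent
Virtual domain configuration: enable
Current HA mode: standalone
"""

# "Fortigate-620B v4.0,build0000" -> model, version, build
VERSION_RE = re.compile(r"^(\S+)\s+(v[\d.]+),(build\d+)")


def parse_status(text):
    """Turn 'Key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def join_problems(cluster_text, candidate_text):
    """Return the prerequisites the candidate fails; an empty list means it may join."""
    c = parse_status(cluster_text)
    n = parse_status(candidate_text)
    cv = VERSION_RE.match(c.get("Version", ""))
    nv = VERSION_RE.match(n.get("Version", ""))
    if not cv or not nv:
        return ["cannot parse the Version line of one of the units"]
    problems = []
    if cv.group(1) != nv.group(1):
        problems.append("model differs: %s vs %s" % (cv.group(1), nv.group(1)))
    if cv.group(2, 3) != nv.group(2, 3):
        problems.append("firmware build differs: %s vs %s" % (cv.group(0), nv.group(0)))
    if c.get("Operation Mode") != n.get("Operation Mode"):
        problems.append("operating mode differs: %s vs %s"
                        % (c.get("Operation Mode"), n.get("Operation Mode")))
    if n.get("Virtual domain configuration", "disable") != "disable":
        problems.append("candidate has multiple VDOM mode enabled")
    if c.get("Serial-Number") == n.get("Serial-Number"):
        problems.append("candidate reports the cluster unit's own serial number")
    return problems
```

Running this before step 6 ("Connect the repaired or replacement cluster unit to the cluster") turns the checklist into something that fails loudly: a build mismatch found here costs a firmware upgrade, while the same mismatch found after cabling costs a cluster that never finishes negotiating.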


Example: HA and 802.3ad aggregated interfaces
On FortiGate models that support it you can use 802.3ad link aggregation to combine two
or more interfaces into a single aggregated interface. 802.3ad Link Aggregation and its
management protocol, Link Aggregation Control Protocol (LACP), are a method for
combining multiple physical links into a single logical link. This increases both potential
throughput and network resiliency. Using LACP, traffic is distributed among the physical
interfaces in the link, potentially resulting in increased performance.
This example describes how to configure an HA cluster consisting of two FortiGate-620B
units with two aggregated 1000 Mb connections to the Internet using port1 and port2 and
two aggregated 1000 Mb connections to the internal network using port3 and port4. The
aggregated interfaces are also configured as HA monitored interfaces.
Each of the aggregate links connects to a different switch. Each switch is configured for
link aggregation (2x1000Mb).
Figure 215: Example cluster with aggregate interfaces
[Figure 215 is a diagram; only its labels survive extraction. Labels: Internal Network; Internal Switch; 620_ha_1 and 620_ha_2 forming a FortiGate-620B Cluster; on each unit a 2x1000 Mb Aggregate of Port1 and Port2 (172.20.120.141) towards the External Switch, a 2x1000 Mb Aggregate of Port3 and Port4 (10.11.101.100) towards the internal network 10.11.101.0, and Port5 and Port6; External Switch; Router 172.20.120.2; Internet.]

HA interface monitoring, link failover, and 802.3ad aggregation
When monitoring the aggregated interface, HA interface monitoring treats the aggregated
link as a single interface and does not monitor the individual physical interfaces in the link.
HA interface monitoring registers the link to have failed only if all the physical interfaces in
the link have failed. If only some of the physical interfaces in the link fail or become
disconnected, HA considers the link to be operating normally.

HA MAC addresses and 802.3ad aggregation
If a configuration uses the Link Aggregation Control Protocol (LACP) (either passive or
active), LACP is negotiated over all of the interfaces in any link. For a standalone
FortiGate unit, the FortiGate LACP implementation uses the MAC address of the first
interface in the link to uniquely identify that link. For example, a link consisting of port1 and
port2 interfaces would have the MAC address of port1.


In an HA cluster, HA changes the MAC addresses of the cluster interfaces to virtual MAC
addresses. An aggregate interface in a cluster acquires the virtual MAC address that
would have been acquired by the first interface in the aggregate.

Link aggregation, HA failover performance, and HA mode
To operate an active-active or active-passive cluster with aggregated interfaces and for
best performance of a cluster with aggregated interfaces, the switches used to connect
the cluster unit aggregated interfaces together should support configuring multiple Link
Aggregation (LAG) groups.
For example, the cluster shown in Figure 215 should be configured into two LAG groups
on the external switch: one for the port1 and port2 aggregated interface of 620_ha_1 and
a second one for the port1 and port2 aggregate interface of 620_ha_2. You should also be
able to do the same on the internal switch for the port3 and port4 aggregated interfaces of
each cluster unit.
As a result, the subordinate unit aggregated interfaces would participate in LACP
negotiation while the cluster is operating. In an active-active mode cluster, packets could
be redirected to the subordinate unit interfaces. As well, in active-active or active-passive
mode, after a failover the subordinate unit can become a primary unit without having to
perform LACP negotiation before it can process traffic. Performing LACP negotiation
causes a minor failover delay.
However if you cannot configure multiple LAG groups on the switches, due to the primary
and subordinate unit interfaces having the same MAC address, the switch will put all of the
interfaces into the same LAG group which would disrupt the functioning of the cluster. To
prevent this from happening, you must change the FortiGate aggregated interface
configuration to prevent subordinate units from participating in LACP negotiation.
For example, use the following command to prevent subordinate units from participating in
LACP negotiation with an aggregate interface named Port1_Port2:
config system interface
edit Port1_Port2
set lacp-ha-slave disable
end
As a result of this setting, subordinate unit aggregated interfaces cannot accept packets.
This means that you cannot operate the cluster in active-active mode because in
active-active mode the subordinate units must be able to receive and process packets.
Also, failover may take longer because after a failover the subordinate unit has to perform
LACP negotiation before being able to process network traffic.
It may also be necessary to configure the switch to use Passive or even Static mode
for LACP to prevent the switch from sending packets to the subordinate unit interfaces,
which won’t be able to process them.
Finally, in some cases depending on the LACP configuration of the switches, you may
experience delayed failover if the FortiGate LACP configuration is not compatible with the
switch LACP configuration. For example, in some cases setting the FortiGate LACP mode
to static reduces the failover delay because the FortiGate unit does not perform LACP
negotiation. However there is a potential problem with this configuration because static
LACP does not send bridge protocol data unit (BPDU) packets to test the connections. So
a non-physical failure (for example, if a device is not responding because it’s too busy)
may not be detected and packets could be lost or delayed.

FortiOS™ Handbook FortiOS 4.0 MR2 High Availability
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

1497

Example: HA and 802.3ad aggregated interfaces

Configuring and connecting HA clusters

General configuration steps
This section includes web-based manager and CLI procedures. These procedures
assume that the FortiGate-620B units are running the same FortiOS firmware build and
are set to the factory default configuration.
General configuration steps
1 Configure the FortiGate units for HA operation.
• Change each unit’s host name.
• Configure HA.
2 Connect the cluster to the network.
3 View cluster status.
4 Add basic configuration settings and configure the aggregated interfaces.
• Add a password for the admin administrative account.
• Add the aggregated interfaces.
• Disable lacp-ha-slave so that the subordinate unit does not send LACP packets.
• Add a default route.
You could also configure aggregated interfaces in each FortiGate unit before the units
form a cluster.
5 Configure HA port monitoring for the aggregated interfaces.

Configuring an active-passive HA cluster that includes aggregated interfaces - web-based manager
These procedures assume you are starting with two FortiGate-620B units with factory
default settings.
To configure the FortiGate-620B units for HA operation
1 Power on the first FortiGate-620B unit and log into the web-based manager.
2 On the System Information dashboard widget, beside Host Name select Change.
3 Enter a new Host Name for this FortiGate unit.
New Name    620_ha_1

4 Select OK.
5 Go to System > Config > HA and change the following settings.
Mode                  Active-Passive
Group Name            example5.com
Password              HA_pass_5
Heartbeat Interface   Enable    Priority
    port5             Select    50
    port6             Select    50

Since port3 and port4 will be used for an aggregated interface, you must change the HA
heartbeat configuration to not use those interfaces.


6 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster
virtual MAC addresses” on page 1605). The MAC addresses of the FortiGate-620B
interfaces change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
.
.
.
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
.
.
.
7 Power off the first FortiGate unit.


8 Repeat these steps for the second FortiGate unit.
Set the second FortiGate unit host name to:
New Name    620_ha_2

To connect the cluster to the network
1 Connect the port1 and port2 interfaces of 620_ha_1 and 620_ha_2 to a switch
connected to the Internet.
Configure the switch so that the port1 and port2 of 620_ha_1 make up an aggregated
interface and port1 and port2 of 620_ha_2 make up a second aggregated interface.
2 Connect the port3 and port4 interfaces of 620_ha_1 and 620_ha_2 to a switch
connected to the internal network.
Configure the switch so that the port3 and port4 of 620_ha_1 make up an aggregated
interface and port3 and port4 of 620_ha_2 make up another aggregated interface.
3 Connect the port5 interfaces of 620_ha_1 and 620_ha_2 together. You can use a
crossover Ethernet cable or regular Ethernet cables and a switch or hub.
4 Connect the port6 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
5 Power on the cluster units.
The units negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention and normally takes less than a minute.
When negotiation is complete, the cluster is ready to be configured for your network.
To view cluster status
Use the following steps to view the cluster dashboard and cluster members list to confirm
that the cluster units are operating as a cluster.
1 View the system dashboard.
The System Information dashboard widget shows the Cluster Name (example5.com)
and the host names and serial numbers of the Cluster Members. The Unit Operation
widget shows multiple cluster units.
2 Go to System > Config > HA to view the cluster members list.
The list shows two cluster units, their host names, their roles in the cluster, and their
priorities. You can use this list to confirm that the cluster is operating normally.
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units, the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
To add basic configuration settings and the aggregate interfaces
Use the following steps to add a few basic configuration settings.
1 Log into the cluster web-based manager.
2 Go to System > Admin > Administrators.
3 For admin, select the Change Password icon.
4 Enter and confirm a new password.
5 Select OK.


6 Go to Router > Static and temporarily delete the default route.
You cannot add an interface to an aggregated interface if any settings (such as the
default route) are configured for it.
7 Go to System > Network > Interface and select Create New to add the aggregate
interface to connect to the Internet.
8 Set Type to 802.3ad Aggregate and configure the aggregate interface to be connected
to the Internet:
Name                          Port1_Port2
Physical Interface Members
    Selected Interfaces       port1, port2
IP/Netmask                    172.20.120.141/24

9 Select OK.
10 Select Create New to add the aggregate interface to connect to the internal network.
11 Set Type to 802.3ad Aggregate and configure the aggregate interface to be connected
to the internal network:
Name                          Port3_Port4
Physical Interface Members
    Selected Interfaces       port3, port4
IP/Netmask                    10.11.101.100/24
Administrative Access         HTTPS, PING, SSH

12 Select OK.
The virtual MAC addresses of the FortiGate-620B interfaces change to the following.
Note that port1 and port2 both have the port1 virtual MAC address and port3 and port4
both have the port3 virtual MAC address:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-00 (same as port1)
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0d (same as port3)
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10


• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
13 Connect to the CLI and enter the following command to disable sending LACP packets
from the subordinate unit:
config system interface
edit Port1_Port2
set lacp-ha-slave disable
next
edit Port3_Port4
set lacp-ha-slave disable
end
14 Go to Router > Static.
15 Add the default route.
Destination IP/Mask    0.0.0.0/0.0.0.0
Gateway                172.20.120.2
Device                 Port1_Port2
Distance               10

16 Select OK.
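As an added example (not Fortinet code), the following computes the virtual MAC addresses listed in steps 6 and 12 above and checks get hardware nic output against them. It assumes the 00-09-0f-09-00 prefix shown in this example (the prefix depends on the cluster group id), that the last byte follows the lexicographic order of the interface names, which is the order the lists above show, and that every member of an aggregate interface takes the first member's address.

```python
"""Expected FGCP virtual MAC addresses for the FortiGate-620B interfaces in this
example, plus a check of 'get hardware nic' output against them.

Assumptions (taken from the lists on this page, not from Fortinet documentation):
the 00-09-0f-09-00 prefix is the one this example shows (it depends on the
cluster group id); the last byte follows the lexicographic order of the
interface names (port1, port10, ..., port19, port2, port20, port3, ...); and
every member of an aggregate interface takes the first member's address.
"""

VMAC_PREFIX = "00-09-0f-09-00"               # from this example (group-id 0)
PORTS_620B = [f"port{n}" for n in range(1, 21)]


def virtual_macs(ports, bundles=None):
    """Map each physical interface to the virtual MAC the cluster should assign.

    bundles maps an aggregate name to its member list, for example
    {"Port1_Port2": ["port1", "port2"]}; members after the first inherit the
    first member's address, and no other interface is renumbered.
    """
    ordered = sorted(ports)                  # lexicographic: port1, port10, ..., port2
    macs = {name: f"{VMAC_PREFIX}-{idx:02x}" for idx, name in enumerate(ordered)}
    for members in (bundles or {}).values():
        for member in members[1:]:
            macs[member] = macs[members[0]]
    return macs


def parse_hardware_nic(output):
    """Pull the current and permanent MAC out of 'get hardware nic <port>' output.

    Addresses are normalised to the dashed lower-case form used in the lists
    above, so they compare directly with virtual_macs() results.
    """
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("MAC", "Current_HWaddr", "Permanent_HWaddr"):
            fields[key.strip()] = value.strip().lower().replace(":", "-")
    return fields


def check_interface(port, output, expected):
    """Classify one interface from its 'get hardware nic' output.

    Returns (status, current_mac) where status is
      "ok"         current MAC is the expected virtual MAC,
      "not-in-ha"  current MAC still equals the permanent (burned-in) MAC,
                   so the FGCP has not taken over this interface,
      "unexpected" some other MAC is in use (group id or member order differ
                   from the assumptions, or the interface was not expected).
    """
    fields = parse_hardware_nic(output)
    current = fields.get("MAC") or fields.get("Current_HWaddr")
    if current is not None and current == expected.get(port):
        return "ok", current
    if current is not None and current == fields.get("Permanent_HWaddr"):
        return "not-in-ha", current
    return "unexpected", current


# Output quoted on this page for 'get hardware nic port1' (elided lines dropped).
PORT1_OUTPUT = """\
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
"""

# Constructed: what the same unit shows before it has joined the cluster.
STANDALONE_OUTPUT = """\
MAC: 02:09:0f:78:18:c9
Permanent_HWaddr: 02:09:0f:78:18:c9
"""

AGGREGATES = {"Port1_Port2": ["port1", "port2"], "Port3_Port4": ["port3", "port4"]}

if __name__ == "__main__":
    before = virtual_macs(PORTS_620B)
    after = virtual_macs(PORTS_620B, AGGREGATES)
    for port in ("port1", "port2", "port3", "port4", "port20"):
        print(f"{port:7} {before[port]}  ->  {after[port]}")
    print(check_interface("port1", PORT1_OUTPUT, before))       # ('ok', '00-09-0f-09-00-00')
    print(check_interface("port1", STANDALONE_OUTPUT, before))  # ('not-in-ha', ...)
```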
To configure HA port monitoring for the aggregate interfaces
1 Go to System > Config > HA.
2 In the cluster members list, edit the primary unit.
3 Configure the following port monitoring for the aggregate interfaces:
Port Monitor
    Port1_Port2    Select
    Port3_Port4    Select

4 Select OK.

Configuring an active-passive HA cluster that includes aggregate interfaces - CLI
These procedures assume you are starting with two FortiGate-620B units with factory
default settings.
To configure the FortiGate-620B units for HA operation
1 Power on the first FortiGate-620B unit and log into the CLI.
2 Change the host name for this FortiGate unit:
config system global
set hostname 620_ha_1
end
3 Configure HA settings.
config system ha
set mode a-p
set group-name example5.com
set password HA_pass_5
set hbdev port5 50 port6 50


end
Since port3 and port4 will be used for an aggregated interface, you must change the
HA heartbeat configuration.
The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose
connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP
changes the MAC address of the FortiGate unit interfaces (see “Cluster virtual MAC
addresses” on page 1605). The MAC addresses of the FortiGate-620B interfaces
change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
.
.
.
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
.
.
.


4 Display the HA configuration (optional).
get system ha
group-id                     : 0
group-name                   : example5.com
mode                         : a-p
password                     : *
hbdev                        : "port5" 50 "port6" 50
route-ttl                    : 10
route-wait                   : 0
route-hold                   : 10
sync-config                  : enable
encryption                   : disable
authentication               : disable
hb-interval                  : 2
hb-lost-threshold            : 20
helo-holddown                : 20
arps                         : 5
arps-interval                : 8
session-pickup               : disable
link-failed-signal           : disable
uninterruptable-upgrade      : enable
ha-mgmt-status               : disable
ha-eth-type                  : 8890
hc-eth-type                  : 8891
l2ep-eth-type                : 8893
subsecond                    : disable
vcluster2                    : disable
vcluster-id                  : 1
override                     : disable
priority                     : 128
monitor                      :
pingserver-monitor-interface :
pingserver-failover-threshold: 0
pingserver-flip-timeout      : 60
vdom                         : "root"
5 Repeat these steps for the other FortiGate unit.
Set the other FortiGate unit host name to:
config system global
set hostname 620_ha_2
end
To connect the cluster to the network
1 Connect the port1 and port2 interfaces of 620_ha_1 and 620_ha_2 to a switch
connected to the Internet.
Configure the switch so that the port1 and port2 of 620_ha_1 make up an aggregated
interface and port1 and port2 of 620_ha_2 make up another aggregated interface.
2 Connect the port3 and port4 interfaces of 620_ha_1 and 620_ha_2 to a switch
connected to the internal network.
Configure the switch so that the port3 and port4 of 620_ha_1 make up an aggregated interface
and port3 and port4 of 620_ha_2 make up another aggregated interface.


3 Connect the port5 interfaces of 620_ha_1 and 620_ha_2 together. You can use a
crossover Ethernet cable or regular Ethernet cables and a switch or hub.
4 Connect the port6 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
5 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention and normally takes less than a minute.
When negotiation is complete the cluster is ready to be configured for your network.
To view cluster status
Use the following steps to view cluster status from the CLI.
1 Log into the CLI.
2 Enter get system status to verify the HA status of the cluster unit that you logged
into. Look for the following information in the command output.
Current HA mode: a-a, master    The cluster units are operating as a cluster and you
                                have connected to the primary unit.
Current HA mode: a-a, backup    The cluster units are operating as a cluster and you
                                have connected to a subordinate unit.
Current HA mode: standalone     The cluster unit is not operating in HA mode.

3 Enter the following command to confirm the HA configuration of the cluster:
get system ha status
Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2
FG600B3908600825 0
Slave :128 620_ha_1
FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
The command output shows both cluster units, their host names, their roles in the
cluster, and their priorities. You can use this command to confirm that the cluster is
operating normally. For example, if the command shows only one cluster unit then the
other unit has left the cluster for some reason.
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
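An added example, not Fortinet code, that parses the get system ha status output quoted in step 3 and the Current HA mode line from step 2, and reports the conditions the troubleshooting note above describes (a unit missing from the member list, no single primary unit). The first sample is the output quoted on this page; the degraded sample is constructed.

```python
"""Check FGCP cluster status from the output of 'get system status' and
'get system ha status' as shown in the procedure above.

Added example, not Fortinet code. PAGE_HA_STATUS is the output quoted in
step 3; DEGRADED_HA_STATUS is constructed."""

import re

MEMBER_RE = re.compile(r"^(Master|Slave)\s*:\s*(\d+)\s+(\S+)$")  # "Slave :128 620_ha_1"
SERIAL_RE = re.compile(r"^(FG\w+)\s+(\d+)$")                    # "FG600B3908600705 1"


def parse_ha_status(output):
    """Return {"mode": ..., "members": [{role, priority, hostname, serial, index}]}.

    A member is a role/priority/host-name line followed by a serial/index
    line. Parsing stops at 'number of vcluster' because the per-vcluster
    lines that follow repeat the serials in a different layout.
    """
    info = {"mode": None, "members": []}
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("number of vcluster"):
            break
        if line.startswith("Mode:"):
            info["mode"] = line.split(":", 1)[1].strip()
            continue
        head = MEMBER_RE.match(line)
        tail = SERIAL_RE.match(lines[i + 1]) if head and i + 1 < len(lines) else None
        if head and tail:
            info["members"].append({
                "role": head.group(1).lower(),
                "priority": int(head.group(2)),
                "hostname": head.group(3),
                "serial": tail.group(1),
                "index": int(tail.group(2)),
            })
    return info


def ha_mode_from_status(output):
    """Interpret the 'Current HA mode' line of 'get system status'.

    Returns (mode, role): ("a-p", "master"), ("a-a", "backup"),
    ("standalone", None), or (None, None) if the line is absent.
    """
    for line in output.splitlines():
        if line.startswith("Current HA mode:"):
            parts = [p.strip() for p in line.split(":", 1)[1].split(",")]
            return parts[0], (parts[1] if len(parts) > 1 else None)
    return None, None


def cluster_problems(ha_status_output, expected_units=2):
    """List what is wrong with the cluster; an empty list means it looks normal."""
    members = parse_ha_status(ha_status_output)["members"]
    problems = []
    if len(members) < expected_units:
        problems.append(f"only {len(members)} of {expected_units} units listed; "
                        "a unit has left the cluster")
    primaries = sum(1 for m in members if m["role"] == "master")
    if primaries != 1:
        problems.append(f"{primaries} primary units listed, expected exactly 1")
    serials = [m["serial"] for m in members]
    if len(set(serials)) != len(serials):
        problems.append("the same serial number appears more than once")
    return problems


# Output quoted in step 3 above.
PAGE_HA_STATUS = """\
Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2
FG600B3908600825 0
Slave :128 620_ha_1
FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
"""

# Constructed: the same cluster after 620_ha_1 has dropped out.
DEGRADED_HA_STATUS = """\
Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2
FG600B3908600825 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
"""

if __name__ == "__main__":
    print(parse_ha_status(PAGE_HA_STATUS)["members"])
    print(cluster_problems(PAGE_HA_STATUS))       # []
    print(cluster_problems(DEGRADED_HA_STATUS))   # ['only 1 of 2 units listed; ...']
    print(ha_mode_from_status("Current HA mode: a-p, master"))  # ('a-p', 'master')
```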


To add basic configuration settings and the aggregate interfaces
Use the following steps to add a few basic configuration settings and the aggregate
interfaces.
1 Add a password for the admin administrative account.
config system admin
edit admin
set password <psswrd>
end
2 Temporarily delete the default route.
You cannot add an interface to an aggregate interface if any settings (such as the
default route) are configured for it. In this example the index of the default route is 1.
config router static
delete 1
end
3 Add the aggregate interfaces:
config system interface
edit Port1_Port2
set type aggregate
set lacp-ha-slave disable
set member port1 port2
set ip 172.20.120.141/24
set vdom root
next
edit Port3_Port4
set type aggregate
set lacp-ha-slave disable
set member port3 port4
set ip 10.11.101.100/24
set vdom root
end
The virtual MAC addresses of the FortiGate-620B interfaces change to the following.
Note that port1 and port2 both have the port1 virtual MAC address and port3 and port4
both have the port3 virtual MAC address:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-00 (same as port1)
• port20 interface virtual MAC: 00-09-0f-09-00-0c


• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0d (same as port3)
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
4 Add the default route.
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set gateway 172.20.120.2
set device Port1_Port2
end
To configure HA port monitoring for the aggregate interfaces
1 Configure HA port monitoring for the aggregate interfaces.
config system ha
set monitor Port1_Port2 Port3_Port4
end
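An added check (example code, not Fortinet's) that parses the config system ha and config system interface settings from the CLI procedure above and flags the pitfalls this example describes: heartbeat interfaces reused as aggregate members, lacp-ha-slave at odds with the HA mode (disabled in active-active, or left enabled in active-passive, where the LACP discussion at the start of this example applies), and monitored interfaces that do not exist. It assumes lacp-ha-slave defaults to enable; the page configuration is trimmed to the settings the check reads and the second configuration is constructed.

```python
"""Lint the HA + aggregate-interface configuration from this procedure for the
pitfalls this example describes. Assumption: lacp-ha-slave defaults to enable."""
import shlex


def parse_fortios_config(text):
    """Parse 'config / edit / set / next / end' text into nested dicts:
    {"system ha": {key: [values]}, "system interface": {name: {key: [values]}}}."""
    tree, stack = {}, []                    # stack: (kind, dict) of open blocks
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            parent = stack[-1][1] if stack else tree
            stack.append(("config", parent.setdefault(" ".join(args), {})))
        elif verb == "edit":
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif verb == "set":
            stack[-1][1][args[0]] = args[1:]
        elif verb == "next":
            stack.pop()                     # leave the current entry
        elif verb == "end":
            while stack[-1][0] == "edit":   # 'end' inside an entry closes it too
                stack.pop()
            stack.pop()                     # ... and the enclosing config block
    return tree


def lint_ha_config(tree):
    """Return [(severity, message)]; an empty list means no pitfall was found."""
    findings = []
    ha = tree.get("system ha", {})
    ifaces = tree.get("system interface", {})
    mode = ha.get("mode", ["standalone"])[0]
    hbdevs = set(ha.get("hbdev", [])[0::2])  # 'port5 50 port6 50' -> interface names
    for name, cfg in ifaces.items():
        kind = cfg.get("type", [""])[0]
        if kind not in ("aggregate", "redundant"):
            continue
        clash = sorted(hbdevs & set(cfg.get("member", [])))
        if clash:                            # heartbeat must not ride on bundle members
            findings.append(("error", f"{name}: hbdev reuses member(s) {', '.join(clash)}"))
        if kind == "aggregate":
            lacp_slave = cfg.get("lacp-ha-slave", ["enable"])[0]   # assumed default
            if mode == "a-p" and lacp_slave == "enable":
                findings.append(("warning", f"{name}: lacp-ha-slave enable in a-p mode needs a separate switch LAG per cluster unit"))
            elif mode == "a-a" and lacp_slave == "disable":
                findings.append(("error", f"{name}: lacp-ha-slave disable is incompatible with a-a mode"))
    for mon in ha.get("monitor", []):        # monitored interfaces must exist
        if mon not in ifaces:
            findings.append(("error", f"monitor: interface {mon} does not exist"))
    return findings


# From the CLI procedure on this page, trimmed to the settings the check reads.
PAGE_CONFIG = """\
config system ha
    set mode a-p
    set hbdev port5 50 port6 50
    set monitor Port1_Port2 Port3_Port4
end
config system interface
    edit Port1_Port2
        set type aggregate
        set lacp-ha-slave disable
        set member port1 port2
        set ip 172.20.120.141/24
    next
    edit Port3_Port4
        set type aggregate
        set lacp-ha-slave disable
        set member port3 port4
        set ip 10.11.101.100/24
    end
"""

# Constructed: heartbeat left on port3/port4, active-active mode with
# lacp-ha-slave disabled, and a monitored interface that does not exist.
BAD_CONFIG = """\
config system ha
    set mode a-a
    set hbdev port3 50 port4 50
    set monitor Port3_Port4 Port7_Port8
end
config system interface
    edit Port3_Port4
        set type aggregate
        set lacp-ha-slave disable
        set member port3 port4
    end
"""
```

Running lint_ha_config(parse_fortios_config(PAGE_CONFIG)) returns an empty list; the constructed configuration yields three errors.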

Example: HA and redundant interfaces
On FortiGate models that support it you can combine two or more interfaces into a single
redundant interface. A redundant interface consists of two or more physical interfaces.
Traffic is processed by the first physical interface in the redundant interface. If that
physical interface fails, traffic fails over to the next physical interface. Redundant
interfaces don’t have the benefit of improved performance that aggregate interfaces can
have, but they do provide failover if a physical interface fails or is disconnected.
Figure 216: Example cluster with redundant interfaces
[Figure: FortiGate-620B cluster of 620_ha_1 and 620_ha_2. On each unit, the redundant interface Port1 and Port2 (172.20.120.141) connects through a switch to the router 172.20.120.2 and the Internet, and the redundant interface Port3 and Port4 (10.11.101.100) connects through a switch to the internal network 10.11.101.0; Port5 and Port6 carry the HA heartbeat.]

This example describes how to configure an HA cluster consisting of two FortiGate-620B
units with a redundant interface connection to the Internet and to an internal network.
The connection to the Internet uses port1 and port2. The connection to the internal
network uses port3 and port4. The HA heartbeat uses port5 and port6.
The redundant interfaces are also configured as HA monitored interfaces.

HA interface monitoring, link failover, and redundant interfaces
HA interface monitoring monitors the redundant interface as a single interface and does
not monitor the individual physical interfaces in the redundant interface. HA interface
monitoring registers the redundant interface to have failed only if all the physical interfaces
in the redundant interface have failed. If only some of the physical interfaces in the
redundant interface fail or become disconnected, HA considers the redundant interface to
be operating normally.

HA MAC addresses and redundant interfaces
For a standalone FortiGate unit a redundant interface has the MAC address of the first
physical interface added to the redundant interface configuration. A redundant interface
consisting of port1 and port2 would have the MAC address of port1.
In an HA cluster, HA changes the MAC addresses of the cluster interfaces to virtual MAC
addresses. A redundant interface in a cluster acquires the virtual MAC address that would
have been acquired by the first physical interface added to the redundant interface
configuration.

Connecting multiple redundant interfaces to one switch while operating in active-passive HA mode
HA assigns the same virtual MAC addresses to the subordinate unit interfaces as are
assigned to the corresponding primary unit interfaces. Consider a cluster of two FortiGate
units operating in active-passive mode with a redundant interface consisting of port1 and
port2. You can connect multiple redundant interfaces to the same switch if you configure
the switch so that it defines multiple separate redundant interfaces and puts the redundant
interfaces of each cluster unit into separate redundant interfaces. In this configuration,
each cluster unit forms a separate redundant interface with the switch.
However, if the switch is configured with a single four-port redundant interface
configuration, because the same MAC addresses are being used by both cluster units, the
switch adds all four interfaces (port1 and port2 from the primary unit and port1 and port2
from the subordinate unit) to the same redundant interface.
To avoid unpredictable results, when you connect a switch to multiple redundant interfaces
in an active-passive cluster you should configure separate redundant interfaces on the
switch; one for each cluster unit.

Connecting multiple redundant interfaces to one switch while operating in active-active HA mode
In an active-active cluster, all cluster units send and receive packets. To operate a cluster
with redundant interfaces in active-active mode, with multiple redundant interfaces
connected to the same switch, you must separate the redundant interfaces of each cluster
unit into different redundant interfaces on the connecting switch.


General configuration steps
This section includes web-based manager and CLI procedures. These procedures
assume that the FortiGate-620B units are running the same FortiOS firmware build and
are set to the factory default configuration.
General configuration steps
1 Configure the FortiGate units for HA operation.
• Change each unit’s host name.
• Configure HA.
2 Connect the cluster to the network.
3 View cluster status.
4 Add basic configuration settings and configure the redundant interfaces.
• Add a password for the admin administrative account.
• Add the redundant interfaces.
• Add a default route.
You could also configure redundant interfaces in each FortiGate unit before they form a
cluster.
5 Configure HA port monitoring for the redundant interfaces.

Configuring an active-passive HA cluster that includes redundant interfaces - web-based manager
These procedures assume you are starting with two FortiGate-620B units with factory
default settings.
To configure the FortiGate-620B units for HA operation
1 Power on the first FortiGate-620B unit and log into the web-based manager.
2 On the System Information dashboard widget, beside Host Name select Change.
3 Enter a new Host Name for this FortiGate unit.
New Name    620_ha_1

4 Select OK.
5 Go to System > Config > HA and change the following settings.
Mode                  Active-Passive
Group Name            example6.com
Password              HA_pass_6
Heartbeat Interface   Enable    Priority
    port5             Select    50
    port6             Select    50

Since port3 and port4 will be used for a redundant interface, you must change the HA
heartbeat configuration.


6 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster
virtual MAC addresses” on page 1605). The MAC addresses of the FortiGate-620B
interfaces change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
.
.
.
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
.
.
.
7 Power off the first FortiGate unit.


8 Repeat these steps for the second FortiGate unit.
Set the second FortiGate unit host name to:
New Name    620_ha_2

To connect the cluster to the network
1 Connect the port1 and port2 interfaces of 620_ha_1 and 620_ha_2 to a switch
connected to the Internet.
Configure the switch so that the port1 and port2 of 620_ha_1 make up a redundant
interface and port1 and port2 of 620_ha_2 make up another redundant interface.
2 Connect the port3 and port4 interfaces of 620_ha_1 and 620_ha_2 to a switch
connected to the internal network.
Configure the switch so that the port3 and port4 of 620_ha_1 make up a redundant
interface and port3 and port4 of 620_ha_2 make up another redundant interface.
3 Connect the port5 interfaces of 620_ha_1 and 620_ha_2 together. You can use a
crossover Ethernet cable or regular Ethernet cables and a switch or hub.
4 Connect the port6 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
5 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention and normally takes less than a minute.
When negotiation is complete the cluster is ready to be configured for your network.
To view cluster status
Use the following steps to view the cluster dashboard and cluster members list to confirm
that the cluster units are operating as a cluster.
1 View the system dashboard.
The System Information dashboard widget shows the Cluster Name (example6.com)
and the host names and serial numbers of the Cluster Members. The Unit Operation
widget shows multiple cluster units.
2 Go to System > Config > HA to view the cluster members list.
The list shows two cluster units, their host names, their roles in the cluster, and their
priorities. You can use this list to confirm that the cluster is operating normally.
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
To add basic configuration settings and the redundant interfaces
Use the following steps to add a few basic configuration settings.
1 Log into the cluster web-based manager.
2 Go to System > Admin > Administrators.
3 For admin, select the Change Password icon.
4 Enter and confirm a new password.
5 Select OK.


6 Go to Router > Static and temporarily delete the default route.
You cannot add an interface to a redundant interface if any settings (such as the
default route) are configured for it.
7 Go to System > Network > Interface and select Create New to add the redundant
interface to connect to the Internet.
8 Set Type to Redundant Interface and configure the redundant interface to be
connected to the Internet:
Name                          Port1_Port2
Physical Interface Members
    Selected Interfaces       port1, port2
IP/Netmask                    172.20.120.141/24

9 Select OK.
10 Select Create New to add the redundant interface to connect to the internal network.
11 Set Type to Redundant Interface and configure the redundant interface to be
connected to the internal network:
Name: Port3_Port4
Physical Interface Members, Selected Interfaces: port3, port4
IP/Netmask: 10.11.101.100/24
Administrative Access: HTTPS, PING, SSH

12 Select OK.
The virtual MAC addresses of the FortiGate-620B interfaces change to the following.
Note that port1 and port2 both have the port1 virtual MAC address and port3 and port4
both have the port3 virtual MAC address:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-00 (same as port1)
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0d (same as port3)
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10

• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
13 Go to Router > Static.
14 Add the default route.
Destination IP/Mask: 0.0.0.0/0.0.0.0
Gateway: 172.20.120.2
Device: Port1_Port2
Distance: 10
15 Select OK.
To configure HA port monitoring for the redundant interfaces
1 Go to System > Config > HA.
2 In the cluster members list, edit the primary unit.
3 Configure the following port monitoring for the redundant interfaces:
Port Monitor
Port1_Port2: Select
Port3_Port4: Select
4 Select OK.

Configuring active-passive HA cluster that includes redundant interfaces - CLI
These procedures assume you are starting with two FortiGate-620B units with factory
default settings.
To configure the FortiGate-620B units for HA operation
1 Power on the first FortiGate-620B unit and log into the CLI.
2 Change the host name for this FortiGate unit:
config system global
set hostname 620_ha_1
end
3 Configure HA settings.
config system ha
set mode a-p
set group-name example6.com
set password HA_pass_6
set hbdev port5 50 port6 50
end
Since port3 and port4 will be used for a redundant interface, you must change the HA
heartbeat configuration.
The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose
connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP
changes the MAC address of the FortiGate unit interfaces (see “Cluster virtual MAC
addresses” on page 1605). The MAC addresses of the FortiGate-620B interfaces
change to the following virtual MAC addresses:

• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries).
You may be able to delete the arp table of your management PC from a command
prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
.
.
.
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
.
.
.
4 Display the HA configuration (optional).
get system ha
group-id : 0
group-name : example6.com
mode : a-p
password : *
hbdev : "port5" 50 "port6" 50
route-ttl : 10
route-wait : 0
route-hold : 10
sync-config : enable
encryption : disable
authentication : disable
hb-interval : 2
hb-lost-threshold : 20
helo-holddown : 20
arps : 5
arps-interval : 8
session-pickup : disable
link-failed-signal : disable
uninterruptable-upgrade : enable
ha-mgmt-status : disable
ha-eth-type : 8890
hc-eth-type : 8891
l2ep-eth-type : 8893
subsecond : disable
vcluster2 : disable
vcluster-id : 1
override : disable
priority : 128
monitor :
pingserver-monitor-interface :
pingserver-failover-threshold : 0
pingserver-flip-timeout : 60
vdom : "root"
5 Repeat these steps for the other FortiGate unit.
Set the other FortiGate unit host name to:
config system global
set hostname 620_ha_2
end
To connect the cluster to the network
1 Connect the port1 and port2 interfaces of 620_ha_1 and 620_ha_2 to a switch
connected to the Internet.
Configure the switch so that the port1 and port2 of 620_ha_1 make up a redundant
interface and port1 and port2 of 620_ha_2 make up another redundant interface.
2 Connect the port3 and port4 interfaces of 620_ha_1 and 620_ha_2 to a switch
connected to the internal network.
Configure the switch so that the port3 and port4 of 620_ha_1 make up a redundant
interface and port3 and port4 of 620_ha_2 make up another redundant interface.
3 Connect the port5 interfaces of 620_ha_1 and 620_ha_2 together. You can use a
crossover Ethernet cable or regular Ethernet cables and a switch or hub.
4 Connect the port6 interfaces of 620_ha_1 and 620_ha_2 together. You can use a
crossover Ethernet cable or regular Ethernet cables and a switch or hub.
5 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention and normally takes less than a minute.
When negotiation is complete the cluster is ready to be configured for your network.

To view cluster status
Use the following steps to view cluster status from the CLI.
1 Log into the CLI.
2 Enter get system status to verify the HA status of the cluster unit that you logged
into. Look for the following information in the command output.
Current HA mode: a-a, master The cluster units are operating as a cluster and you
have connected to the primary unit.
Current HA mode: a-a, backup The cluster units are operating as a cluster and you
have connected to a subordinate unit.
Current HA mode: standalone The cluster unit is not operating in HA mode.
3 Enter the following command to confirm the HA configuration of the cluster:
get system ha status
Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2 FG600B3908600825 0
Slave :128 620_ha_1 FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
The command output shows both cluster units, their host names, their roles in the
cluster, and their priorities. You can use this command to confirm that the cluster is
operating normally. For example, if the command shows only one cluster unit then the
other unit has left the cluster for some reason.
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
To add basic configuration settings and the redundant interfaces
Use the following steps to add a few basic configuration settings and the redundant
interfaces.
1 Add a password for the admin administrative account.
config system admin
edit admin
set password <psswrd>
end
2 Temporarily delete the default route.
You cannot add an interface to a redundant interface if any settings (such as the
default route) are configured for it. In this example the index of the default route is 1.
config router static
delete 1
end
3 Add the redundant interfaces:

config system interface
edit Port1_Port2
set type redundant
set member port1 port2
set ip 172.20.120.141/24
set vdom root
next
edit Port3_Port4
set type redundant
set member port3 port4
set ip 10.11.101.100/24
set vdom root
end
The virtual MAC addresses of the FortiGate-620B interfaces change to the following.
Note that port1 and port2 both have the port1 virtual MAC address and port3 and port4
both have the port3 virtual MAC address:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-00 (same as port1)
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0d (same as port3)
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
4 Add the default route.
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set gateway 172.20.120.2
set device Port1_Port2
end

To configure HA port monitoring for the redundant interfaces
1 Configure HA port monitoring for the redundant interfaces.
config system ha
set monitor Port1_Port2 Port3_Port4
end
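The virtual MAC lists in this example follow a pattern that is worth being able to reproduce when a switch or access layer applies MAC address filtering: the last byte is the position of the interface name in lexical order (port1, port10, ..., port19, port2, port20, port3, ...), and the members of a redundant interface share the virtual MAC of the first member. The following Python script is an added example, not part of the FortiOS Handbook or of FortiOS itself; it reproduces that numbering for a constructed FortiGate-620B interface inventory. Placing the HA group ID in the fifth byte is an assumption (the handbook only states that the addresses change when the group ID changes), so compare the output with get hardware nic on the real cluster before using it for a filter list.

```python
"""Predict the FGCP virtual MAC addresses of a FortiGate cluster unit.

Added example, not part of the FortiOS Handbook. The index rule (lexical
order of interface names) and the redundant-interface rule (members share
the first member's MAC) are taken from the MAC lists in this section; the
use of the HA group ID as the fifth byte is an assumption.
"""
from typing import Dict, List, Optional, Sequence

VMAC_PREFIX = "00-09-0f-09"  # fixed prefix of every virtual MAC shown in this section

# Constructed interface inventory of a FortiGate-620B (port1 .. port20).
FORTIGATE_620B_PORTS: List[str] = [f"port{n}" for n in range(1, 21)]


def virtual_macs(
    interfaces: Sequence[str],
    group_id: int = 0,
    redundant: Optional[Dict[str, Sequence[str]]] = None,
) -> Dict[str, str]:
    """Return {interface: virtual MAC} for one cluster unit.

    interfaces: physical interface names of the unit.
    group_id:   HA group ID (assumed to be the fifth MAC byte).
    redundant:  {redundant interface name: [member, ...]}; every member
                takes the virtual MAC of the first listed member.
    """
    if not 0 <= group_id <= 255:
        raise ValueError("group_id must fit in one byte")
    # Lexical order: 'port1' < 'port10' < ... < 'port19' < 'port2' < 'port20' < 'port3'
    ordered = sorted(interfaces)
    if len(ordered) > 256:
        raise ValueError("only 256 interface indexes fit in the last byte")
    macs = {
        name: f"{VMAC_PREFIX}-{group_id:02x}-{idx:02x}"
        for idx, name in enumerate(ordered)
    }
    for agg, members in (redundant or {}).items():
        unknown = [m for m in members if m not in macs]
        if unknown:
            raise ValueError(f"{agg}: unknown member interface(s) {unknown}")
        for member in members[1:]:
            macs[member] = macs[members[0]]  # e.g. port2 takes the port1 MAC
    return macs


def allowlist_entries(macs: Dict[str, str]) -> List[str]:
    """Distinct virtual MACs, e.g. for a switch MAC-filtering allow-list."""
    return sorted(set(macs.values()))


def changed_entries(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, str]:
    """Interfaces whose virtual MAC differs between two predictions, for
    example before and after adding a redundant interface or changing the
    HA group ID; these are the filter entries that need updating."""
    return {name: after[name] for name in after if before.get(name) != after[name]}


if __name__ == "__main__":
    plain = virtual_macs(FORTIGATE_620B_PORTS)
    bonded = virtual_macs(
        FORTIGATE_620B_PORTS,
        redundant={"Port1_Port2": ["port1", "port2"], "Port3_Port4": ["port3", "port4"]},
    )
    for name in FORTIGATE_620B_PORTS:
        print(f"{name:7} {plain[name]}  ->  {bonded[name]}")
    print("filter entries to update:", changed_entries(plain, bonded))
```

Running the script prints the before/after table for the redundant interfaces configured in this example: only port2 and port4 change, taking the port1 and port3 addresses, and the allow-list shrinks from 20 to 18 distinct entries.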

Troubleshooting HA clusters
This section describes some HA clustering troubleshooting techniques.

Before you set up a cluster
Before you set up a cluster ask yourself the following questions about the FortiGate units
that you are planning to use to create a cluster.
1 Do all the FortiGate units have the same hardware configuration, including the same
hard disk configuration and the same AMC cards installed in the same slots?
2 Do all FortiGate units have the same firmware build?
3 Are all FortiGate units set to the same operating mode (NAT or Transparent)?
4 Are all the FortiGate units operating in single VDOM mode?
5 If the FortiGate units are operating in multiple VDOM mode do they all have the same
VDOM configuration?
Note: In some cases you may be able to form a cluster if different FortiGate units have
different firmware builds, different VDOM configurations, and are in different operating
modes. However, if you encounter problems they may be resolved by installing the same
firmware build on each unit and giving them the same VDOM configuration and operating
mode.

Troubleshooting the initial cluster configuration
This section describes how to check a cluster when it first starts up to make sure that it is
configured and operating correctly. This section assumes you have already configured
your HA cluster.
To verify that a cluster can process traffic and react to a failure
1 Add a basic firewall configuration and send network traffic through the cluster to
confirm connectivity.
For example, if the cluster is installed between the Internet and an internal network, set
up a basic internal to external firewall policy that accepts all traffic. Then from a PC on
the internal network, browse to a website on the Internet or ping a server on the
Internet to confirm connectivity.
2 From your management PC, set ping to continuously ping the cluster, and then start a
large download, or in some other way establish ongoing traffic through the cluster.
3 While traffic is going through the cluster, disconnect the power from one of the cluster
units.
You could also shut down or restart a cluster unit.
Traffic should continue with minimal interruption.
4 Start up the cluster unit that you disconnected.
The unit should re-join the cluster with little or no effect on traffic.

5 Disconnect a cable for one of the HA heartbeat interfaces.
The cluster should keep functioning, using the other HA heartbeat interface.
6 If you have port monitoring enabled, disconnect a network cable from a monitored
interface.
Traffic should continue with minimal interruption.
To verify the cluster configuration - web-based manager
1 Log into the cluster web-based manager.
2 Check the system dashboard to verify that the System Information widget displays all
of the cluster units.
3 Check the cluster member graphic to verify that the correct cluster unit interfaces are
connected.
4 Go to System > Config > HA and verify that all of the cluster units are displayed on the
cluster members list.
5 From the cluster members list, edit the primary unit (master) and verify the cluster
configuration is as expected.
To troubleshoot the cluster configuration - web-based manager
1 Connect to each cluster unit web-based manager and verify that the HA configurations
are the same.
To connect to each web-based manager, you may need to disconnect some units from
the network to connect to the other if the units have the same IP address.
2 If the configurations are the same, try re-entering the cluster Password on each cluster
unit in case you made an error typing the password when configuring one of the cluster
units.
3 Check that the correct interfaces of each cluster unit are connected.
Check the cables and interface LEDs.
Use the Unit Operation dashboard widget, system network interface list, or cluster
members list to verify that each interface that should be connected actually is
connected.
If Link is down re-verify the physical connection. Try replacing network cables or
switches as required.
To verify the cluster configuration - CLI
1 Log into each cluster unit CLI.
You can use the console connection if you need to avoid the problem of units having
the same IP address.
2 Enter the command get system status.
Look for the following information in the command output.
Current HA mode: a-a, master The cluster units are operating as a cluster and you
have connected to the primary unit.
Current HA mode: a-a, backup The cluster units are operating as a cluster and you
have connected to a subordinate unit.
Current HA mode: standalone The cluster unit is not operating in HA mode.

3 Verify that the get system ha status command displays all of the cluster units.
4 Enter the get system ha command to verify that the HA configuration is correct and
the same for each cluster unit.
To troubleshoot the cluster configuration - CLI
1 Try using the following command to re-enter the cluster password on each cluster unit
in case you made an error typing the password when configuring one of the cluster
units.
config system ha
set password <password>
end
2 Check that the correct interfaces of each cluster unit are connected.
Check the cables and interface LEDs.
Use the get hardware nic <interface_name> command to confirm that each
interface is connected. If the interface is connected the command output should
contain a Link: up entry similar to the following:
get hardware nic port1
.
.
.
Link: up
.
.
.
If Link is down, re-verify the physical connection. Try replacing network cables or
switches as required.
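The CLI checks in "To view cluster status" and "To verify the cluster configuration - CLI" (get system status for the HA mode, get system ha status for the member list, get hardware nic for link state) lend themselves to periodic, scripted monitoring. The Python below is an added example, not FortiOS code or handbook content: it parses those three outputs in the shapes shown in this section and reports when a unit has left the cluster, when the unit you are connected to is standalone, or when the HA mode differs from the one you expect. The sample outputs are constructed from the lines shown above (the 620_ha_1/620_ha_2 host names and serial numbers are those of the example cluster); the "degraded" sample is constructed to show the single-unit case the text describes.

```python
"""Check FortiGate HA cluster health from CLI output.

Added example, not part of the FortiOS Handbook. Parses 'get system status',
'get system ha status' and 'get hardware nic <name>' output in the shapes
shown in this section. Sample outputs below are constructed from those shapes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Member lines: "Master:128 620_ha_2 FG600B3908600825 0" / "Slave :128 620_ha_1 FG600B3908600705 1"
MEMBER_RE = re.compile(r"^(Master|Slave)\s*:\s*(\d+)\s+(\S+)\s+(F\w+)\s+(\d+)$")
# "Current HA mode: a-a, master" / "Current HA mode: standalone"
HA_MODE_RE = re.compile(r"^Current HA mode:\s*([^,\s]+)(?:,\s*(\w+))?$")
LINK_RE = re.compile(r"^Link:\s*(up|down)$", re.IGNORECASE)


@dataclass
class Member:
    role: str       # "master" or "slave"
    priority: int   # device priority
    hostname: str
    serial: str
    index: int


def parse_ha_mode(system_status: str) -> Tuple[Optional[str], Optional[str]]:
    """(mode, role) from 'get system status', e.g. ('a-a', 'master') or
    ('standalone', None); (None, None) if the line is absent."""
    for line in system_status.splitlines():
        m = HA_MODE_RE.match(line.strip())
        if m:
            return m.group(1), m.group(2)
    return None, None


def parse_ha_status(ha_status: str) -> List[Member]:
    """Cluster member lines of 'get system ha status'. The per-vcluster
    'Master:0 FG...' lines have a different shape and are skipped."""
    members = []
    for line in ha_status.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.append(Member(m.group(1).lower(), int(m.group(2)),
                                  m.group(3), m.group(4), int(m.group(5))))
    return members


def link_is_up(nic_output: str) -> bool:
    """True if 'get hardware nic <name>' output contains 'Link: up'."""
    for line in nic_output.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            return m.group(1).lower() == "up"
    return False


def check_cluster(system_status: str, ha_status: str,
                  expected_serials: Set[str], expected_mode: str) -> List[str]:
    """Return findings; an empty list means the cluster looks healthy."""
    findings: List[str] = []
    mode, _role = parse_ha_mode(system_status)
    if mode is None:
        findings.append("no 'Current HA mode' line: cannot tell whether HA is configured")
    elif mode == "standalone":
        findings.append("unit is standalone: not operating in HA mode")
    elif mode != expected_mode:
        findings.append(f"HA mode is {mode}, expected {expected_mode}")
    members = parse_ha_status(ha_status)
    seen = {m.serial for m in members}
    for serial in sorted(expected_serials - seen):
        findings.append(f"unit {serial} missing from the cluster: it has left the cluster")
    for serial in sorted(seen - expected_serials):
        findings.append(f"unexpected unit {serial} in the cluster")
    masters = [m for m in members if m.role == "master"]
    if members and len(masters) != 1:
        findings.append(f"{len(masters)} master units listed, expected exactly 1")
    return findings


# Constructed samples, shaped like the output shown in this section.
SYSTEM_STATUS_MASTER = "Current HA mode: a-a, master\n"
SYSTEM_STATUS_STANDALONE = "Current HA mode: standalone\n"
HA_STATUS_OK = """Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2 FG600B3908600825 0
Slave :128 620_ha_1 FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
"""
# Constructed: the same cluster after 620_ha_1 has left it.
HA_STATUS_DEGRADED = """Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2 FG600B3908600825 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
"""
EXPECTED_SERIALS = {"FG600B3908600825", "FG600B3908600705"}

if __name__ == "__main__":
    print("healthy:", check_cluster(SYSTEM_STATUS_MASTER, HA_STATUS_OK, EXPECTED_SERIALS, "a-a"))
    print("degraded:", check_cluster(SYSTEM_STATUS_MASTER, HA_STATUS_DEGRADED, EXPECTED_SERIALS, "a-a"))
```

Feed the script the captured output from each cluster unit in turn (over the console connection if both units still share an IP address); a non-empty findings list from any unit is the condition that the troubleshooting steps above are meant to resolve.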

More troubleshooting information
Much of the information in this HA guide can be useful for troubleshooting HA clusters.
Here are some links to sections with more information.
• If sessions are lost after a failover you may need to change route-ttl to keep
synchronized routes active longer. See “Change how long routes stay in a cluster unit
routing table” on page 1619.
• To control which cluster unit becomes the primary unit, you can change the device
priority and enable override. See “Controlling primary unit selection using device
priority and override” on page 1451.
• Changes made to a cluster can be lost if override is enabled. See “Configuration
changes can be lost if override is enabled” on page 1452.
• In some cases, age differences among cluster units result in the wrong cluster unit
becoming the primary unit. For example, if a cluster unit set to a high priority reboots,
that unit will have a lower age than other cluster units. You can resolve this problem by
resetting the age of one or more cluster units. See “Resetting the age of all cluster
units” on page 1447.
• If one of the cluster units needs to be serviced or removed from the cluster for other
reasons, you can do so without affecting the operation of the cluster. See
“Disconnecting a cluster unit from a cluster” on page 1591.
• The web-based manager and CLI will not allow you to configure HA if you have
configured a FortiGate interface to get its IP address using DHCP or PPPoE. See
“FortiGate HA compatibility with PPPoE and DHCP” on page 1453.

• Some third-party network equipment may prevent HA heartbeat communication,
resulting in a failure of the cluster or the creation of a split brain scenario. For example,
some switches use packets with the same Ethertype as HA heartbeat packets for
internal functions, and when that Ethertype is used for HA heartbeat communication the
switch generates CRC errors and the packets are not forwarded. See “Heartbeat packet
Ethertypes” on page 1602.
• Very busy clusters may not be able to send HA heartbeat packets quickly enough, also
resulting in a split brain scenario. You may be able to resolve this problem by modifying
HA heartbeat timing. See “Modifying heartbeat timing” on page 1603.
• If it takes longer than expected for a cluster to failover you can try changing how the
primary unit sends gratuitous ARP packets. See “Changing how the primary unit sends
gratuitous ARP packets after a failover” on page 1606.
• When you first put a FortiGate unit in HA mode you may lose connectivity to the unit.
This occurs because HA changes the MAC addresses of all FortiGate unit interfaces,
including the one that you are connecting to. The cluster MAC addresses also change
if you change some HA settings such as the cluster group ID. The connection will
be restored in a short time as your network and PC update to the new MAC address.
To reconnect sooner, you can update the ARP table of your management PC by
deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries).
You may be able to delete the ARP table of your management PC from a command
prompt using a command similar to arp -d.
• Since HA changes all cluster unit MAC addresses, if your network uses MAC address
filtering you may have to make configuration changes to account for the HA MAC
addresses.
• A network may experience packet loss when two FortiGate HA clusters have been
deployed in the same broadcast domain. Deploying two HA clusters in the same
broadcast domain can result in packet loss because of MAC address conflicts. The
packet loss can be diagnosed by pinging from one cluster to the other or by pinging
both of the clusters from a device within the broadcast domain. You can resolve the
MAC address conflict by changing the HA Group ID configuration of the two clusters.
The HA Group ID is sometimes also called the Cluster ID. See “Diagnosing packet loss
with two FortiGate HA clusters in the same broadcast domain” on page 1610.
• The cluster CLI displays slave is not in sync messages if there is a
synchronization problem between the primary unit and one or more subordinate units.
See “How to diagnose HA out of sync messages” on page 1616.
• If you have configured dynamic routing and the new primary unit takes too long to
update its routing table after a failover you can configure graceful restart and also
optimize how routing updates are synchronized. See “Configuring graceful restart for
dynamic routing failover” on page 1618 and “Controlling how the FGCP synchronizes
routing updates” on page 1619.
• Some switches may not be able to detect that the primary unit has become a
subordinate unit and will keep sending packets to the former primary unit. This can
occur after a link failover if the switch does not detect the failure and does not clear its
MAC forwarding table. See “Updating MAC forwarding tables when a link failover
occurs” on page 1625.
• If a link not directly connected to a cluster unit (for example, between a switch
connected to a cluster interface and the network) fails you can enable remote link
failover to maintain communication. See “Remote link failover” on page 1626.
• If you find that some cluster units are not running the same firmware build you can
reinstall the correct firmware build on the cluster to upgrade all cluster units to the
same firmware build. See “Synchronizing the firmware build running on a new cluster
unit” on page 1581.

Configuring and connecting virtual clusters
This chapter provides an introduction to virtual clustering and also contains general
procedures and configuration examples that describe how to configure FortiGate HA
virtual clustering.
This chapter contains the following sections:
• Virtual clustering overview
• Configuring HA for virtual clustering
• Example: virtual clustering with two VDOMs and VDOM partitioning
• Example: inter-VDOM links in a virtual clustering configuration
• Troubleshooting virtual clustering
Virtual clustering overview
Virtual clustering is an extension of the FGCP for a cluster of 2 FortiGate units operating
with multiple VDOMs enabled. Virtual clustering operates in active-passive mode to
provide failover protection between two instances of a VDOM operating on two different
cluster units. You can also operate virtual clustering in active-active mode to use HA load
balancing to load balance sessions between cluster units. Alternatively, by distributing
VDOM processing between the two cluster units you can also configure virtual clustering
to provide load balancing by distributing sessions for different VDOMs to each cluster unit.
Figure 217 shows an example virtual cluster configuration consisting of two FortiGate-620B
units. The virtual cluster has two virtual domains, root and Eng_vdm.
The root virtual domain includes the port1 and port2 interfaces. The Eng_vdm virtual
domain includes the port5 and port6 interfaces. The port3 and port4 interfaces (not shown
in the diagram) are the HA heartbeat interfaces.
Note: FortiGate virtual clustering is limited to a cluster of 2 FortiGate units with multiple
VDOMs enabled. If you want to create a cluster of more than 2 FortiGate units operating
with multiple VDOMs you could consider other solutions that either do not include multiple
VDOMs in one cluster or employ a feature such as standalone session synchronization.
See “Standalone session synchronization” on page 1661.

Virtual clustering and failover protection
Virtual clustering operates on a cluster of two (and only two) FortiGate units with VDOMs
enabled. Each VDOM creates a cluster between instances of the VDOMs on the two
FortiGate units in the virtual cluster. All traffic to and from the VDOM stays within the
VDOM and is processed by the VDOM. One cluster unit is the primary unit for each VDOM
and one cluster unit is the subordinate unit for each VDOM. The primary unit processes all
traffic for the VDOM. The subordinate unit does not process traffic for the VDOM. If a
cluster unit fails, all traffic fails over to the cluster unit that is still operating.

Virtual clustering and heartbeat interfaces
The HA heartbeat provides the same HA services in a virtual clustering configuration as in
a standard HA configuration. One set of HA heartbeat interfaces provides HA heartbeat
services for all of the VDOMs in the cluster. You do not have to add a heartbeat interface
for each VDOM.
Figure 217: Example virtual cluster of two FortiGate-620B units (diagram labels: 620_ha_1,
620_ha_2, FortiGate-620B Virtual Cluster; Internal Network, Engineering Network, Router,
Internet; root Traffic on Port1 and Port2; Eng_vdm Traffic on Port5 and Port6)

Virtual clustering and HA override
For a virtual cluster configuration, override is enabled by default for both virtual clusters
when you:
• Enable VDOM partitioning from the web-based manager by moving virtual domains to
virtual cluster 2
• Enter set vcluster2 enable from the CLI config system ha command to
enable virtual cluster 2.

Usually you would enable virtual cluster 2 and expect one cluster unit to be the primary
unit for virtual cluster 1 and the other cluster unit to be the primary unit for virtual cluster 2.
For this distribution to occur override must be enabled for both virtual clusters. Otherwise
you will need to restart the cluster to force it to renegotiate.
Note: If override is enabled the cluster may renegotiate too often. You can choose to disable
override at any time. If you decide to disable override, for best results, you should disable it
for both cluster units.

For more information about HA override see “HA override” on page 1449.

Virtual clustering and load balancing or VDOM partitioning
There are two ways to configure load balancing for virtual clustering. The first is to set the
HA mode to active-active. The second is to configure VDOM partitioning. For virtual
clustering, setting the HA Mode to active-active has the same result as active-active HA
for a cluster without virtual domains. The primary unit receives all sessions and load
balances them among the cluster units according to the load balancing schedule. All
cluster units process traffic for all virtual domains.
In a VDOM partitioning virtual clustering configuration, the HA mode is set to
active-passive. Even though virtual clustering operates in active-passive mode you can
configure a form of load balancing by using VDOM partitioning to distribute traffic between
both cluster units. To configure VDOM partitioning you set one cluster unit as the primary
unit for some virtual domains and you set the other cluster unit as the primary unit for other
virtual domains. All traffic for a virtual domain is processed by the primary unit for that
virtual domain. You can control the distribution of traffic between the cluster units by
adjusting which cluster unit is the primary unit for each virtual domain.
For example, you could have 4 VDOMs, two of which have a high traffic volume and two of
which have a low traffic volume. You can configure each cluster unit to be the primary unit
for one of the high volume VDOMs and one of the low volume VDOMs. As a result each
cluster unit will be processing traffic for a high volume VDOM and a low volume VDOM,
resulting in an even distribution of traffic between the cluster units. You can adjust the
distribution at any time. For example, if a low volume VDOM becomes a high volume
VDOM you can move it from one cluster unit to another until the best balance is achieved.
From the web-based manager you configure VDOM partitioning by setting the HA mode to
active-passive and distributing virtual domains between Virtual Cluster 1 and Virtual
Cluster 2. You can also configure different device priorities, port monitoring, and remote
link failover, for Virtual Cluster 1 and Virtual Cluster 2.
From the CLI you configure VDOM partitioning by setting the HA mode to a-p. Then you
configure device priority, port monitoring, and remote link failover and specify the VDOMs
to include in virtual cluster 1. You do the same for virtual cluster 2 by entering the
config secondary-vcluster command.
Failover protection does not change. If one cluster unit fails, all sessions are processed by
the remaining cluster unit. No traffic interruption occurs for the virtual domains for which
the still functioning cluster unit was the primary unit. Traffic may be interrupted temporarily
for virtual domains for which the failed unit was the primary unit while processing fails over
to the still functioning cluster unit.
If the failed cluster unit restarts and rejoins the virtual cluster, VDOM partitioning load
balancing is restored.
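To make the partitioning and failover behaviour described above concrete, the following Python is an added example (not part of the handbook or of FortiOS) that models primary-unit selection per virtual cluster as this chapter describes it: with override enabled, device priority decides which unit is primary for each virtual cluster; with override disabled, the unit that has been in the cluster longer keeps the role, which is why a rebooted high-priority unit does not take the role back until the cluster renegotiates. The unit names, serial numbers and the 200/100 and 100/200 device priorities come from the CLI example in this chapter; the age values and the serial-number tie-break are assumptions of the model.

```python
"""Model which cluster unit is primary for each VDOM under VDOM partitioning.

Added example, not part of the FortiOS Handbook. Simplified model of the
primary-unit selection this chapter describes: override enabled -> device
priority decides; override disabled -> the longer-running unit (higher age)
keeps the role. Age values and the serial-number tie-break are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class Unit:
    name: str
    serial: str
    priority: Dict[int, int]  # virtual cluster id -> device priority
    age: int                  # constructed: seconds since the unit joined the cluster
    alive: bool = True


# Partition from the chapter's example: root and domain_1 in virtual cluster 1,
# domain_2 and domain_3 in virtual cluster 2.
PARTITION: Dict[int, List[str]] = {1: ["root", "domain_1"], 2: ["domain_2", "domain_3"]}


def example_units() -> List[Unit]:
    """The two FortiGate-620B units with the priorities set in the CLI example:
    620_ha_1 has 200/100 and 620_ha_2 has 100/200 (vcluster 1 / vcluster 2).
    Both ages are constructed and equal, as if the units booted together."""
    return [
        Unit("620_ha_1", "FG600B3908600705", {1: 200, 2: 100}, age=3600),
        Unit("620_ha_2", "FG600B3908600825", {1: 100, 2: 200}, age=3600),
    ]


def elect_primary(units: List[Unit], vcluster: int, override: bool) -> Optional[Unit]:
    """Primary unit of one virtual cluster among the units still operating."""
    alive = [u for u in units if u.alive]
    if not alive:
        return None
    if override:
        # override enabled: device priority outranks age
        def key(u: Unit):
            return (u.priority[vcluster], u.age, u.serial)
    else:
        # override disabled: age outranks device priority, so a rebooted
        # high-priority unit does not take the role back on its own
        def key(u: Unit):
            return (u.age, u.priority[vcluster], u.serial)
    return max(alive, key=key)


def primary_per_vdom(units: List[Unit], partition: Dict[int, List[str]],
                     override: bool) -> Dict[str, Optional[str]]:
    """{vdom: name of the unit that processes its traffic} (None if no unit is up)."""
    result: Dict[str, Optional[str]] = {}
    for vcluster, vdoms in partition.items():
        primary = elect_primary(units, vcluster, override)
        for vdom in vdoms:
            result[vdom] = primary.name if primary else None
    return result


def fail_unit(units: List[Unit], name: str) -> List[Unit]:
    """The named unit stops; all of its VDOM traffic fails over to the other unit."""
    return [replace(u, alive=False) if u.name == name else u for u in units]


def rejoin_unit(units: List[Unit], name: str) -> List[Unit]:
    """The named unit restarts and rejoins with its age reset to 0."""
    return [replace(u, alive=True, age=0) if u.name == name else u for u in units]


if __name__ == "__main__":
    units = example_units()
    print("partitioned:        ", primary_per_vdom(units, PARTITION, override=True))
    failed = fail_unit(units, "620_ha_1")
    print("620_ha_1 down:      ", primary_per_vdom(failed, PARTITION, override=True))
    back = rejoin_unit(failed, "620_ha_1")
    print("rejoin, override on:", primary_per_vdom(back, PARTITION, override=True))
    print("rejoin, override off:", primary_per_vdom(back, PARTITION, override=False))
```

The last two lines of output show the point of the "Virtual clustering and HA override" discussion: with override enabled the partition is restored as soon as 620_ha_1 rejoins, while with override disabled 620_ha_2 stays primary for all four VDOMs until the cluster is made to renegotiate.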

Configuring HA for virtual clustering
If your cluster uses VDOMs, you are configuring virtual clustering. Most virtual cluster HA
options are the same as normal HA options. However, virtual clusters include VDOM
partitioning options. Other differences between configuration options for regular HA and
for virtual clustering HA are described below.
To configure HA options for a cluster with VDOMs enabled:
• Log into the global web-based manager and go to System > Config > HA.
• From the CLI, log into the Global Configuration:
The following example shows how to configure active-active virtual clustering:
config global
config system ha
set mode a-a
set group-name vexample1.com
set password vHA_pass_1
end
end
The following example shows how to configure active-passive virtual clustering:
config global
config system ha
set mode a-p
set group-name vexample1.com
set password vHA_pass_1
end
end
The following example shows how to configure VDOM partitioning for virtual clustering. In
the example, the FortiGate unit is configured with three VDOMs (domain_1, domain_2,
and domain_3) in addition to the root VDOM. The example shows how to set up a basic
HA configuration that sets the device priority of virtual cluster 1 to 200. The example also
shows how to enable vcluster2, how to set the device priority of virtual cluster 2 to 100
and how to add the virtual domains domain_2 and domain_3 to virtual cluster 2.
When you enable multiple VDOMs, vcluster2 is enabled by default. Even so, the
command to enable vcluster2 is included in this example in case it has been disabled
for some reason. When vcluster2 is enabled, override is also enabled.
The result of this configuration would be that the cluster unit that you are logged into
becomes the primary unit for virtual cluster 1. This cluster unit processes all traffic for the
root and domain_1 virtual domains.
config global
config system ha
set mode a-p
set group-name vexample1.com
set password vHA_pass_1
set priority 200
set vcluster2 enable
config secondary-vcluster
set vdom domain_2 domain_3
set priority 100
end
end
end
The following example shows how to use the execute ha manage command to change
the device priorities for virtual cluster 1 and virtual cluster 2 for the other unit in the cluster.
The commands set the device priority of virtual cluster 1 to 100 and virtual cluster 2 to 200.

The result of this configuration would be that the other cluster unit becomes the primary
unit for virtual cluster 2. This other cluster unit would process all traffic for the domain_2
and domain_3 virtual domains.
config global
execute ha manage 1
config system ha
set priority 100
set vcluster2 enable
config secondary-vcluster
set priority 200
end
end
end
end

Example: virtual clustering with two VDOMs and VDOM partitioning
This section describes how to configure the example virtual clustering configuration shown
in Figure 218. This configuration includes two virtual domains, root and Eng_vdm, and
includes VDOM partitioning that sends all root VDOM traffic to 620_ha_1 and all
Eng_vdm VDOM traffic to 620_ha_2. The traffic from the internal network and the
engineering network is distributed between the two FortiGate units in the virtual cluster. If
one of the cluster units fails, the remaining unit will process traffic for both VDOMs.
The procedures in this example describe some of many possible sequences of steps for
configuring virtual clustering. For simplicity many of these procedures assume that you
are starting with new FortiGate units set to the factory default configuration. However, this
is not a requirement for a successful HA deployment. FortiGate HA is flexible enough to
support a successful configuration from many different starting points.

Example virtual clustering network topology
Figure 218 shows a typical FortiGate-620B HA virtual cluster consisting of two
FortiGate-620B units (620_ha_1 and 620_ha_2) connected to an internal network, an
engineering network and the Internet. To simplify the diagram the heartbeat connections
are not shown.
The traffic from the internal network is processed by the root VDOM, which includes the
port1 and port2 interfaces. The traffic from the engineering network is processed by the
Eng_vdm VDOM, which includes the port5 and port6 interfaces. VDOM partitioning is
configured so that all traffic from the internal network is processed by 620_ha_1 and all
traffic from the engineering network is processed by 620_ha_2.
This virtual cluster uses the default FortiGate-620B heartbeat interfaces (port3 and port4).

Figure 218: Example virtual cluster of two FortiGate-620B units showing VDOM partitioning
[Figure: 620_ha_1 and 620_ha_2 form a FortiGate-620B virtual cluster. root traffic: Internal Network (10.11.101.0) to Port2 (10.11.101.100), out Port1 (172.20.120.141) to the router (172.20.120.2) and the Internet. Eng_vdm traffic: Engineering Network (10.12.101.0) to Port6 (10.12.101.100), out Port5 (172.20.120.143) to the same router and the Internet.]

General configuration steps
This section includes web-based manager and CLI procedures. These procedures
assume that the FortiGate-620B units are running the same FortiOS firmware build and
are set to the factory default configuration.
1 Configure the FortiGate units for HA operation.
• Optionally change each unit’s host name.
• Configure HA.
2 Connect the cluster to the network.
3 Configure VDOM settings for the cluster:
• Enable multiple VDOMs.
• Add the Eng_vdm VDOM.
• Add port5 and port6 to the Eng_vdm VDOM.
4 Configure VDOM partitioning.
5 Confirm that the cluster units are operating as a virtual cluster and add basic
configuration settings to the cluster.
• View cluster status from the web-based manager or CLI.
• Add a password for the admin administrative account.
• Change the IP addresses and netmasks of the port1, port2, port5, and port6
interfaces.
• Add a default route to each VDOM.

Configuring virtual clustering with two VDOMs and VDOM partitioning - web-based manager
These procedures assume you are starting with two FortiGate-620B units with factory
default settings.
To configure the FortiGate-620B units for HA operation
1 Power on the first FortiGate-620B unit and log into the web-based manager.
2 On the System Information dashboard widget, beside Host Name select Change.
3 Enter a new Host Name for this FortiGate unit.
New Name: 620_ha_1
4 Select OK.
5 Go to System > Config > HA and change the following settings.
Mode: Active-Passive
Group Name: vexample2.com
Password: vHA_pass_2
6 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster
virtual MAC addresses” on page 1605). The MAC addresses of the FortiGate-620B
interfaces change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13

To be able to reconnect sooner, you can update the ARP table of your management
PC by deleting the ARP table entry for the FortiGate unit (or just deleting all arp table
entries). You may be able to delete the arp table of your management PC from a
command prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
...
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
...
7 Power off the first FortiGate unit.
8 Repeat these steps for the second FortiGate unit.
Set the second FortiGate unit host name to:
New Name: 620_ha_2
To connect the cluster to the network
1 Connect the port1 interfaces of 620_ha_1 and 620_ha_2 to a switch connected to the
Internet.
2 Connect the port5 interfaces of 620_ha_1 and 620_ha_2 to a switch connected to the
Internet.
You could use the same switch for the port1 and port5 interfaces.
3 Connect the port2 interfaces of 620_ha_1 and 620_ha_2 to a switch connected to the
internal network.
4 Connect the port6 interfaces of 620_ha_1 and 620_ha_2 to a switch connected to the
engineering network.
5 Connect the port3 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
6 Connect the port4 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
7 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention.
When negotiation is complete you can continue.
To configure VDOM settings for the cluster
1 Log into the web-based manager.
2 On the System Information dashboard widget, beside Virtual Domain select Enable.
3 Select OK and then log back into the web-based manager.
4 Go to System > VDOM and select Create New to add a new VDOM.
Name: Eng_vdm
5 Go to System > Network > Interface.
6 Edit the port5 interface, add it to the Eng_vdm VDOM and configure other interface
settings:
Alias: Engineering_external
Virtual Domain: Eng_vdm
IP/Netmask: 172.20.120.143/24
7 Select OK.
8 Edit the port6 interface, add it to the Eng_vdm VDOM and configure other interface
settings:
Alias: Engineering_internal
Virtual Domain: Eng_vdm
IP/Netmask: 10.12.101.100/24
Administrative Access: HTTPS, PING, SSH
9 Select OK.
To add a default route to each VDOM
1 Go to System > VDOM and enter the root VDOM.
2 Go to Router > Static.
3 Change the default route.
Destination IP/Mask: 0.0.0.0/0.0.0.0
Gateway: 172.20.120.2
Device: port1
Distance: 10
4 Select Global.
5 Go to System > VDOM and enter the Eng_vdm VDOM.
6 Go to Router > Static.
7 Change the default route.
Destination IP/Mask: 0.0.0.0/0.0.0.0
Gateway: 172.20.120.2
Device: port5
Distance: 10
To configure VDOM partitioning
1 Go to System > Config > HA.
The cluster members list shows two cluster units in Virtual Cluster 1.
2 Edit the cluster unit with the Role of MASTER.
3 Change VDOM partitioning to move the Eng_vdm to the Virtual Cluster 2 list.
4 Select OK.
5 Change the Virtual Cluster 1 and Virtual Cluster 2 device priorities for each cluster unit
to the following:
Host Name   Device Priority, Virtual Cluster 1   Device Priority, Virtual Cluster 2
620_ha_1    200                                  100
620_ha_2    100                                  200
You can do this by editing the HA configurations of each cluster unit in the cluster
members list and changing device priorities.
Since the device priority of Virtual Cluster 1 is highest for 620_ha_1 and since the root
VDOM is in Virtual Cluster 1, all traffic for the root VDOM is processed by 620_ha_1.
Since the device priority of Virtual Cluster 2 is highest for 620_ha_2 and since the
Eng_vdm VDOM is in Virtual Cluster 2, all traffic for the Eng_vdm VDOM is processed
by 620_ha_2.
To view cluster status and verify the VDOM partitioning configuration
1 Log into the web-based manager.
2 Go to System > Config > HA.
The cluster members list should show the following:
• Virtual Cluster 1 contains the root VDOM.
• 620_ha_1 is the primary unit (master) for Virtual Cluster 1.
• Virtual Cluster 2 contains the Eng_vdm VDOM.
• 620_ha_2 is the primary unit (master) for Virtual Cluster 2.
Figure 219: Example virtual clustering cluster members list

To test the VDOM partitioning configuration
You can do the following to confirm that traffic for the root VDOM is processed by
620_ha_1 and traffic for the Eng_vdm is processed by 620_ha_2.
1 Log into the web-based manager by connecting to port2 using IP address
10.11.101.100.
You will log into 620_ha_1 because port2 is in the root VDOM and all traffic for this
VDOM is processed by 620_ha_1. You can confirm that you have logged into
620_ha_1 by checking the HTML title displayed by your web browser. The title will
include the 620_ha_1 host name. Also, the System Information dashboard widget
displays the serial number of the 620_ha_1 FortiGate unit.
2 Log into the web-based manager by connecting to port6 using IP address
10.12.101.100.
You will log into 620_ha_2 because port6 is in the Eng_vdm VDOM and all traffic for
this VDOM is processed by 620_ha_2.
3 Add firewall policies to the root virtual domain that allow communication from the
internal network to the Internet and connect to the Internet from the internal network.
4 Log into the web-based manager and go to System > Config > HA and select View HA
Statistics.
The statistics display shows more active sessions, total packets, network utilization,
and total bytes for the 620_ha_1 unit.
5 Add firewall policies to the Eng_vdm virtual domain that allow communication from the
engineering network to the Internet and connect to the Internet from the engineering
network.
6 Log into the web-based manager and go to System > Config > HA and select View HA
Statistics.
The statistics display shows more active sessions, total packets, network utilization,
and total bytes for the 620_ha_2 unit.

Configuring virtual clustering with two VDOMs and VDOM partitioning - CLI
These procedures assume you are starting with two FortiGate-620B units with factory
default settings.
To configure the FortiGate-620B units for HA operation
1 Power on the first FortiGate-620B unit and log into the CLI.
2 Change the host name for this FortiGate unit:
config system global
set hostname 620_ha_1
end
3 Configure HA settings.
config system ha
set mode a-p
set group-name vexample2.com
set password vHA_pass_2
end

The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose
connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP
changes the MAC address of the FortiGate unit interfaces (see “Cluster virtual MAC
addresses” on page 1605). The MAC addresses of the FortiGate-620B interfaces
change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To be able to reconnect sooner, you can update the ARP table of your management
PC by deleting the ARP table entry for the FortiGate unit (or just deleting all arp table
entries). You may be able to delete the arp table of your management PC from a
command prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
...
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
...
4 Display the HA configuration (optional).
get system ha
group-id : 0
group-name : vexample2.com
mode : a-p
password : *
hbdev : "port3" 50 "port4" 50
route-ttl : 10
route-wait : 0
route-hold : 10
sync-config : enable
encryption : disable
authentication : disable
hb-interval : 2
hb-lost-threshold : 20
helo-holddown : 20
arps : 5
arps-interval : 8
session-pickup : disable
link-failed-signal : disable
uninterruptable-upgrade : enable
ha-mgmt-status : disable
ha-eth-type : 8890
hc-eth-type : 8891
l2ep-eth-type : 8893
subsecond : disable
vcluster2 : disable
vcluster-id : 1
override : disable
priority : 128
monitor :
pingserver-monitor-interface :
pingserver-failover-threshold : 0
pingserver-flip-timeout : 60
vdom : "root"
5 Power off the first FortiGate unit.
6 Repeat these steps for the second FortiGate unit.
Set the other FortiGate unit host name to:
config system global
set hostname 620_ha_2
end
To connect the cluster to the network
1 Connect the port1 interfaces of 620_ha_1 and 620_ha_2 to a switch connected to the
Internet.
2 Connect the port5 interfaces of 620_ha_1 and 620_ha_2 to a switch connected to the
Internet.
You could use the same switch for port1 and port5.
3 Connect the port2 interfaces of 620_ha_1 and 620_ha_2 to a switch connected to the
internal network.
4 Connect the port6 interfaces of 620_ha_1 and 620_ha_2 to a switch connected to the
engineering network.
5 Connect the port3 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.

6 Connect the port4 interfaces of the cluster units together. You can use a crossover
Ethernet cable or regular Ethernet cables and a switch or hub.
7 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention.
When negotiation is complete you can continue.
To configure VDOM settings for the cluster
1 Log into the CLI.
2 Enter the following command to enable multiple VDOMs for the cluster.
config system global
set vdom-admin enable
end
3 Log back into the CLI.
4 Enter the following command to add the Eng_vdm VDOM:
config vdom
edit Eng_vdm
end
5 Edit the port5 and port6 interfaces, add them to the Eng_vdm VDOM and configure
other interface settings:
config global
config system interface
edit port5
set vdom Eng_vdm
set alias Engineering_external
set ip 172.20.120.143/24
next
edit port6
set vdom Eng_vdm
set alias Engineering_internal
set ip 10.12.101.100/24
end
end
To add a default route to each VDOM
1 Enter the following command to add default routes to the root and Eng_vdm VDOMs.
config vdom
edit root
config router static
edit 1
set dst 0.0.0.0/0.0.0.0
set gateway 172.20.120.2
set device port1
end
next
edit Eng_vdm
config router static
edit 1
set dst 0.0.0.0/0.0.0.0
set gateway 172.20.120.2
set device port5
end
end
To configure VDOM partitioning
1 Enter the get system ha status command to view cluster unit status:
For example, from the 620_ha_2 cluster unit CLI:
config global
get system ha status
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2 FG600B3908600825 0
Slave :128 620_ha_1 FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
This command output shows that VDOM partitioning has not been configured because
only virtual cluster 1 is shown. The command output also shows that 620_ha_2 is
the primary unit for the cluster and for virtual cluster 1 because this cluster unit has the
highest serial number.
2 Enter the following commands to configure VDOM partitioning:
config global
config system ha
set vcluster2 enable
config secondary-vcluster
set vdom Eng_vdm
end
end
end
3 Enter the get system ha status command to view cluster unit status:
For example, from the 620_ha_2 cluster unit CLI:
config global
get system ha status
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2 FG600B3908600825 0
Slave :128 620_ha_1 FG600B3908600705 1
number of vcluster: 2
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
vcluster 2: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
This command output shows VDOM partitioning has been configured because both
virtual cluster 1 and virtual cluster 2 are visible. However, the configuration is not
complete because 620_ha_2 is the primary unit for both virtual clusters. The command
output shows this because under both vcluster entries the Master entry shows
FG600B3908600825, which is the serial number of 620_ha_2. As a result of this
configuration, 620_ha_2 processes traffic for both VDOMs and 620_ha_1 does not
process any traffic.
4 Change the Virtual Cluster 1 and Virtual Cluster 2 device priorities for each cluster unit
so that 620_ha_1 processes virtual cluster 1 traffic and 620_ha_2 processes virtual
cluster 2 traffic.
Since the root VDOM is in virtual cluster 1 and the Eng_vdm VDOM is in virtual cluster
2 the result of this configuration will be that 620_ha_1 will process all root VDOM traffic
and 620_ha_2 will process all Eng_vdm traffic. You make this happen by changing the
cluster unit device priorities for each virtual cluster. You could use the following
settings:
Host Name   Device Priority, Virtual Cluster 1   Device Priority, Virtual Cluster 2
620_ha_1    200                                  100
620_ha_2    100                                  200
Since the device priority is not synchronized you can edit the device priorities of each
virtual cluster on each FortiGate unit separately. To do this:
• Log into the CLI and note the FortiGate unit you have actually logged into (for
example, by checking the host name displayed in the CLI prompt).
• Change the virtual cluster 1 and 2 device priorities for this cluster unit.
• Then use the execute ha manage command to log into the other cluster unit CLI
and set its virtual cluster 1 and 2 device priorities.
Enter the following commands from the 620_ha_1 cluster unit CLI:
config global
config system ha
set priority 200
config secondary-vcluster
set priority 100
end
end
end
Enter the following commands from the 620_ha_2 cluster unit CLI:
config global
config system ha
set priority 100
config secondary-vcluster
set priority 200
end
end
end
Note: The cluster may renegotiate during this step resulting in a temporary loss of
connection to the CLI and a temporary service interruption.

Since the device priority of Virtual Cluster 1 is highest for 620_ha_1 and since the root
VDOM is in Virtual Cluster 1, all traffic for the root VDOM is processed by 620_ha_1.
Since the device priority of Virtual Cluster 2 is highest for 620_ha_2 and since the
Eng_vdm VDOM is in Virtual Cluster 2, all traffic for the Eng_vdm VDOM is processed
by 620_ha_2.
To verify the VDOM partitioning configuration
1 Log into the 620_ha_2 cluster unit CLI and enter the following command:
config global
get system ha status
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Slave :100 620_ha_2 FG600B3908600825 0
Master:200 620_ha_1 FG600B3908600705 1
number of vcluster: 2
vcluster 1: standby 169.254.0.2
Slave :1 FG600B3908600825
Master:0 FG600B3908600705
vcluster 2: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
The command output shows that 620_ha_1 is the primary unit for virtual cluster 1
(because the command output shows that the Master of virtual cluster 1 is the serial
number of 620_ha_1) and that 620_ha_2 is the primary unit for virtual cluster 2.
If you enter the same command from the 620_ha_1 CLI the same information is
displayed but in a different order. The command always displays the status of the
cluster unit that you are logged into first.
config global
get system ha status
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:200 620_ha_1 FG600B3908600705 1
Slave :100 620_ha_2 FG600B3908600825 0
number of vcluster: 2
vcluster 1: work 169.254.0.2
Master:0 FG600B3908600705
Slave :1 FG600B3908600825
vcluster 2: standby 169.254.0.1
Slave :1 FG600B3908600705
Master:0 FG600B3908600825
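The checks this procedure makes by eye can be scripted. The following added example (not from the handbook or Fortinet) parses get system ha status output and reports the three states described above: vcluster2 still disabled, one unit shown as Master of every virtual cluster, and a vcluster work/standby state that disagrees with its Master entry. The two sample outputs are constructed from the handbook's 620_ha_1/620_ha_2 values, with each unit's host name and serial kept on one line as the CLI prints them.

```python
"""Check VDOM partitioning from FortiOS 4.0 'get system ha status' output.
Added example, not Fortinet code. Samples are constructed from the handbook's
output for 620_ha_1/620_ha_2, with host name and serial on one line as the CLI
prints them (the handbook's page layout wraps them)."""
import re
from typing import Dict, List

# "Master:128 620_ha_2 FG600B3908600825 0" -> role, priority, host, serial, index
UNIT_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")
# "vcluster 1: work 169.254.0.1" -> vcluster id, local state, HA address
VC_HDR_RE = re.compile(r"^vcluster\s+(\d+):\s+(\w+)\s+(\S+)$")
# "Slave :1 FG600B3908600705" inside a vcluster block -> role, index, serial
VC_ROLE_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)$")

# Constructed: output on 620_ha_2 right after 'set vcluster2 enable', before any
# device priority was changed (step 3 of 'To configure VDOM partitioning').
UNPARTITIONED = """\
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2 FG600B3908600825 0
Slave :128 620_ha_1 FG600B3908600705 1
number of vcluster: 2
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
vcluster 2: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
"""

# Constructed: output on 620_ha_2 after the 200/100 and 100/200 priorities were
# set (the 'To verify the VDOM partitioning configuration' step).
PARTITIONED = """\
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Slave :100 620_ha_2 FG600B3908600825 0
Master:200 620_ha_1 FG600B3908600705 1
number of vcluster: 2
vcluster 1: standby 169.254.0.2
Slave :1 FG600B3908600825
Master:0 FG600B3908600705
vcluster 2: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
"""


def parse_ha_status(text: str) -> Dict:
    """Return the unit table, the local unit's serial and per-vcluster roles."""
    status = {"local": None, "units": {}, "vclusters": {}}
    current = None  # id of the vcluster block being read, None in the unit table
    for raw in text.splitlines():
        line = raw.strip()
        m = VC_HDR_RE.match(line)
        if m:
            current = int(m.group(1))
            status["vclusters"][current] = {"state": m.group(2),
                                            "master": None, "slave": None}
            continue
        m = UNIT_RE.match(line)
        if m and current is None:
            role, prio, host, serial, idx = m.groups()
            status["units"][serial] = {"host": host, "role": role,
                                       "priority": int(prio), "index": int(idx)}
            if status["local"] is None:  # the unit you are logged into is listed first
                status["local"] = serial
            continue
        m = VC_ROLE_RE.match(line)
        if m and current is not None:
            status["vclusters"][current][m.group(1).lower()] = m.group(3)
    return status


def check_partitioning(status: Dict) -> List[str]:
    """Return findings; an empty list means each virtual cluster has its own primary."""
    findings = []
    vcs = status["vclusters"]
    if len(vcs) < 2:
        return ["only vcluster 1 is present: vcluster2 is disabled, so no VDOM partitioning"]
    masters = [info["master"] for info in vcs.values()]
    if len(set(masters)) == 1:
        host = status["units"].get(masters[0], {}).get("host", masters[0])
        findings.append(f"{host} is primary for every virtual cluster; the other unit "
                        "processes no traffic, adjust device priorities")
    for vc, info in vcs.items():
        # 'work' means the local unit is primary for that vcluster, 'standby' that it is not
        if (info["master"] == status["local"]) != (info["state"] == "work"):
            findings.append(f"vcluster {vc}: state {info['state']} disagrees with its Master entry")
    return findings
```

Run it against the output captured from each unit after every priority change; an empty result from both units confirms the partitioning the verification step describes.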

To test the VDOM partitioning configuration
You can do the following to confirm that traffic for the root VDOM is processed by
620_ha_1 and traffic for the Eng_vdm is processed by 620_ha_2. These steps assume
the cluster is operating correctly.
1 Log into the CLI by connecting to port2 using IP address 10.11.101.100.
You will log into 620_ha_1 because port2 is in the root VDOM and all traffic for this
VDOM is processed by 620_ha_1. You can confirm that you have logged into
620_ha_1 by checking the host name in the CLI prompt. Also the get system
status command displays the status of the 620_ha_1 cluster unit.
2 Log into the web-based manager or CLI by connecting to port6 using IP address
10.12.101.100.
You will log into 620_ha_2 because port6 is in the Eng_vdm VDOM and all traffic for
this VDOM is processed by 620_ha_2.
3 Add firewall policies to the root virtual domain that allow communication from the
internal network to the Internet and connect to the Internet from the internal network.
4 Log into the web-based manager and go to System > Config > HA and select View HA
Statistics.
The statistics display shows more active sessions, total packets, network utilization,
and total bytes for the 620_ha_1 unit.
5 Add firewall policies to the Eng_vdm virtual domain that allow communication from the
engineering network to the Internet and connect to the Internet from the engineering
network.
6 Log into the web-based manager and go to System > Config > HA and select View HA
Statistics.
The statistics display shows more active sessions, total packets, network utilization,
and total bytes for the 620_ha_2 unit.

Example: inter-VDOM links in a virtual clustering configuration
In a virtual domain configuration you can use inter-VDOM links to route traffic between two
virtual domains operating in a single FortiGate unit without using physical interfaces.
Adding an inter-VDOM link has the effect of adding two interfaces to the FortiGate unit and
routing traffic between the virtual domains using the inter-VDOM link interfaces.
In a virtual clustering configuration inter-VDOM links can only be made between virtual
domains that are in the same virtual cluster. So, if you are planning on configuring
inter-VDOM links in a virtual clustering configuration, you should make sure the virtual
domains that you want to link are in the same virtual cluster.
For example, Table 104 and Table 105 show an example virtual clustering configuration
where each virtual cluster contains three virtual domains. In this configuration you can
configure inter-VDOM links between root and vdom_1 and between vdom_2 and vdom_3.
But, you cannot configure inter-VDOM links between root and vdom_2 or between
vdom_1 and vdom_3 (and so on).

Table 104: Virtual Cluster 1 configuration
Virtual Domains: root, vdom_1
Hostname      Priority   Role
FortiGate_A   200        Primary
FortiGate_B   100        Subordinate
Table 105: Virtual Cluster 2 configuration
Virtual Domains: vdom_2, vdom_3
Hostname      Priority   Role
FortiGate_A   100        Subordinate
FortiGate_B   200        Primary
Configuring inter-VDOM links in a virtual clustering configuration
Configuring inter-VDOM links in a virtual clustering configuration is very similar to
configuring inter-VDOM links for a standalone FortiGate unit. The main difference is that the
config system vdom-link command includes the vcluster keyword. The default
setting for vcluster is vcluster1. So you only have to use the vcluster keyword if
you are adding an inter-VDOM link to virtual cluster 2.
To add an inter-VDOM link to virtual cluster 1
This procedure describes how to create an inter-VDOM link to virtual cluster 1 that results
in a link between the root and vdom_1 virtual domains.
Note: Inter-VDOM links are also called internal point-to-point interfaces.

1 Add an inter-VDOM link called vc1link.
config global
config system vdom-link
edit vc1link
end
Adding the inter-VDOM link also adds two interfaces. In this example, these interfaces
are called vc1link0 and vc1link1. These interfaces appear in all CLI and
web-based manager interface lists. These interfaces can only be added to virtual
domains in virtual cluster 1.
2 Bind the vc1link0 interface to the root virtual domain and bind the vc1link1
interface to the vdom_1 virtual domain.
config system interface
edit vc1link0
set vdom root
next
edit vc1link1
set vdom vdom_1
end

To add an inter-VDOM link to virtual cluster 2
This procedure describes how to create an inter-VDOM link to virtual cluster 2 that results
in a link between the vdom_2 and vdom_3 virtual domains.
3 Add an inter-VDOM link called vc2link.
config global
  config system vdom-link
    edit vc2link
      set vcluster vcluster2
  end
Adding the inter-VDOM link also adds two interfaces. In this example,
these interfaces are called vc2link0 and vc2link1. These interfaces appear in all
CLI and web-based manager interface lists. These interfaces can only be added to
virtual domains in virtual cluster 2.
4 Bind the vc2link0 interface to the vdom_2 virtual domain and bind the vc2link1
interface to the vdom_3 virtual domain.
config system interface
  edit vc2link0
    set vdom vdom_2
  next
  edit vc2link1
    set vdom vdom_3
end

Troubleshooting virtual clustering
Troubleshooting virtual clusters is similar to troubleshooting any cluster (see
“Troubleshooting HA clusters” on page 1518). This section describes a few testing and
troubleshooting techniques for virtual clustering.
To test the VDOM partitioning configuration
You can do the following to confirm that traffic for different VDOMs will be distributed
among both FortiGate units in the virtual cluster. These steps assume the cluster is
otherwise operating correctly.
1 Log into the web-based manager or CLI using the IP addresses of interfaces in each
VDOM.
Confirm that you have logged into the FortiGate unit that should be processing traffic
for that VDOM by checking the HTML title displayed by your web browser or the CLI
prompt. Both of these should include the host name of the cluster unit that you have
logged into. Also on the system Dashboard, the System Information widget displays
the serial number of the FortiGate unit that you logged into. From the CLI the get
system status command displays the status of the cluster unit that you logged into.


2 To verify that the correct cluster unit is processing traffic for a VDOM:
• Add firewall policies to the VDOM that allow communication between the interfaces
in the VDOM.
• Optionally enable traffic logging and other monitoring for that VDOM and these
firewall policies.
• Start communication sessions that pass traffic through the VDOM.
• Log into the web-based manager and go to Config > System > HA and select View
HA Statistics. Verify that the statistics display shows more active sessions, total
packets, network utilization, and total bytes for the unit that should be processing all
traffic for the VDOM.
• Optionally check traffic logging and the Top Sessions Widget for the FortiGate unit
that should be processing traffic for that VDOM to verify that the traffic is being
processed by this FortiGate unit.


Configuring and operating FortiGate
full mesh HA
This chapter provides an introduction to full mesh HA and also contains general
procedures and configuration examples that describe how to configure FortiGate full mesh
HA.
The examples in this chapter include example values only. In most cases you will
substitute your own values. The examples in this chapter also do not contain detailed
descriptions of configuration parameters.
This chapter contains the following sections:
• Full mesh HA overview
• Example: full mesh HA configuration

Full mesh HA overview
When two or more FortiGate units are connected to a network in an HA cluster, the
reliability of the network is improved because the HA cluster replaces a single FortiGate
unit, which would otherwise be a single point of failure. With a cluster, a single FortiGate
unit is replaced by a cluster of two or more FortiGate units.
However, even with a cluster, potential single points of failure remain. The interfaces of
each cluster unit connect to a single switch, and that switch provides a single connection to
the network. If the switch fails, or if the connection between the switch and the network fails,
service to that network is interrupted.
The HA cluster still improves the reliability of the network because switches are less
complex components than FortiGate units, and so are less likely to fail. However, for even
greater reliability, a configuration is required that includes redundant connections between
the cluster and the networks that it is connected to.
FortiGate models that support 802.3ad Aggregate or Redundant interfaces can be used to
create a cluster configuration called full mesh HA. Full mesh HA is a method of reducing
the number of single points of failure on a network that includes an HA cluster.
This redundant configuration can be achieved using FortiGate 802.3ad Aggregate or
Redundant interfaces and a full mesh HA configuration. In a full mesh HA configuration,
you connect an HA cluster consisting of two or more FortiGate units to the network using
802.3ad Aggregate or Redundant interfaces and redundant switches. Each 802.3ad
Aggregate or Redundant interface is connected to two switches and both of these
switches are connected to the network.
The resulting full mesh configuration, an example of which is shown in Figure 220, includes
redundant connections between all network components. If any single component or any
single connection fails, traffic automatically switches to the redundant component and
connection, and traffic flow resumes.


Figure 220: Single points of failure in a standalone and HA network configuration
[Figure: two panels, "Standalone FortiGate unit single points of failure" and "FortiGate Cluster single points of failure". Labels: Internal Network 10.11.101.0, Port2: 10.11.101.100, Port1: 172.20.120.141, Router 172.20.120.2, Internet; the cluster panel adds Switch, Port3, Port4, 620_ha_1, 620_ha_2 and FortiGate-620B Cluster.]

Full mesh HA and redundant heartbeat interfaces
A full mesh HA configuration also includes redundant HA heartbeat interfaces. At least two
heartbeat interfaces should be selected in the HA configuration and both sets of HA
heartbeat interfaces should be connected. The HA heartbeat interfaces do not have to be
configured as redundant interfaces because the FGCP handles failover between
heartbeat interfaces.

Full mesh HA, redundant interfaces and 802.3ad aggregate interfaces
Full mesh HA is supported for both redundant interfaces and 802.3ad aggregate
interfaces. In most cases you would simply use redundant interfaces. However, if your
switches support 802.3ad aggregate interfaces and split multi-trunking you can use
aggregate interfaces in place of redundant interfaces for full mesh HA. One advantage of
using aggregate interfaces is that all of the physical interfaces in the aggregate interface
can send and receive packets. As a result, using aggregate interfaces may increase the
bandwidth capacity of the cluster.
Usually redundant and aggregate interfaces consist of two physical interfaces. However,
you can add more than two physical interfaces to a redundant or aggregate interface.
Adding more interfaces can increase redundancy protection. Adding more interfaces can
also increase bandwidth capacity if you are using 802.3ad aggregate interfaces.


Example: full mesh HA configuration
Figure 220 shows a full mesh HA configuration with a cluster of two FortiGate-620B units.
This section describes the FortiGate configuration settings and network components
required for a full mesh HA configuration. This section also contains example steps for
setting up this full mesh HA configuration. The procedures in this section describe one of
many possible sequences of steps for configuring full mesh HA. As you become more
experienced with FortiOS, HA, and full mesh HA you may choose to use a different
sequence of configuration steps.
Figure 221: Full Mesh HA configuration
[Figure: 620_ha_1 and 620_ha_2, each with Redundant Interface Port1 and Port2 (172.20.120.141) and Redundant Interface Port3 and Port4 (10.11.101.100); Sw1 and Sw2 (joined by an ISL) toward Router 172.20.120.2 and the Internet; Sw3 and Sw4 (joined by an ISL) toward the Internal Network 10.11.101.0; HA heartbeat on Port5 and Port6.]

For simplicity these procedures assume that you are starting with two new FortiGate units
set to the factory default configuration. However, starting from the default configuration is
not a requirement for a successful HA deployment. FortiGate HA is flexible enough to
support a successful configuration from many different starting points.
These procedures describe how to configure a cluster operating in NAT/Route mode
because NAT/Route is the default FortiGate operating mode. However, the steps are the
same if the cluster operates in Transparent mode. You can either switch the cluster units
to operate in Transparent mode before beginning these procedures, or you can switch the
cluster to operate in Transparent mode after HA is configured and the cluster is connected
and operating.

FortiGate-620B full mesh HA configuration
The two FortiGate-620B units (620_ha_1 and 620_ha_2) can be operating in NAT/Route
or Transparent mode. Aside from the standard HA settings, the FortiGate-620B
configuration includes the following:
• The port5 and port6 interfaces configured as heartbeat interfaces. A full mesh HA
configuration also includes redundant HA heartbeat interfaces.
• The port1 and port2 interfaces added to a redundant interface. Port1 is the active
physical interface in this redundant interface. To make the port1 interface the active
physical interface it should appear above the port2 interface in the redundant interface
configuration.
• The port3 and port4 interfaces added to a redundant interface. Port3 is the active
physical interface in this redundant interface. To make the port3 interface the active
physical interface it should appear above the port4 interface in the redundant interface
configuration.

Full mesh switch configuration
The following redundant switch configuration is required:
• Two redundant switches (Sw3 and Sw4) connected to the internal network. Establish
an interswitch-link (ISL) between them.
• Two redundant switches (Sw1 and Sw2) connected to the Internet. Establish an
interswitch-link (ISL) between them.

Full mesh network connections
Make the following physical network connections for 620_ha_1:
• Port1 to Sw1 (active)
• Port2 to Sw2 (inactive)
• Port3 to Sw3 (active)
• Port4 to Sw4 (inactive)
Make the following physical network connections for 620_ha_2:
• Port1 to Sw2 (active)
• Port2 to Sw1 (inactive)
• Port3 to Sw4 (active)
• Port4 to Sw3 (inactive)

How packets travel from the internal network through the full mesh cluster and to
the Internet
If the cluster is operating in active-passive mode and 620_ha_2 is the primary unit, all
packets take the following path from the internal network to the Internet:
1 From the internal network to Sw4. Sw4 is the active connection to 620_ha_2, which is
the primary unit. The primary unit receives all packets.
2 From Sw4 to the 620_ha_2 port3 interface. This is the active connection between Sw4 and
620_ha_2; port3 is the active member of the redundant interface.
3 From 620_ha_2 port3 to 620_ha_2 port1, and from port1 to Sw2. This is the active
connection between 620_ha_2 and Sw2; port1 is the active member of the redundant interface.
4 From Sw2 to the external router and the Internet.

Configuring FortiGate-620B units for HA operation - web-based manager
Each FortiGate-620B unit in the cluster must have the same HA configuration.
To configure the FortiGate-620B units for HA operation
1 Connect to the web-based manager of one of the FortiGate-620B units.
2 On the System Information dashboard widget, beside Host Name select Change.
3 Enter a new Host Name for this FortiGate unit.
New Name    620_ha_1
4 Go to System > Config > HA and change the following settings.

Mode                   Active-Active
Group Name             Rexample1.com
Password               RHA_pass_1
Heartbeat Interface    Enable    Priority
  port5                Select    50
  port6                Select    50

5 Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster
virtual MAC addresses” on page 1605). The MAC addresses of the FortiGate-620B
interfaces change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To be able to reconnect sooner, you can update the ARP table of your management
PC by deleting the ARP table entry for the FortiGate unit (or just deleting all arp table
entries). You may be able to delete the arp table of your management PC from a
command prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):


get hardware nic port1
.
.
.
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
.
.
.
6 Power off the first FortiGate unit.
7 Repeat these steps for the second FortiGate unit.
Set the second FortiGate unit host name to:
New Name    620_ha_2

To connect the cluster to your network
1 Make the following physical network connections for 620_ha_1:
• Port1 to Sw1 (active)
• Port2 to Sw2 (inactive)
• Port3 to Sw3 (active)
• Port4 to Sw4 (inactive)
2 Make the following physical network connections for 620_ha_2:
• Port1 to Sw2 (active)
• Port2 to Sw1 (inactive)
• Port3 to Sw4 (active)
• Port4 to Sw3 (inactive)
3 Connect Sw3 and Sw4 to the internal network.
4 Connect Sw1 and Sw2 to the external router.
5 Enable ISL communication between Sw1 and Sw2 and between Sw3 and Sw4.
6 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention.
When negotiation is complete the cluster is ready to be configured for your network.
To view cluster status
Use the following steps to view the cluster dashboard and cluster members list to confirm
that the cluster units are operating as a cluster.
1 View the system dashboard.
The System Information dashboard widget shows the Cluster Name (Rexample1.com)
and the host names and serial numbers of the Cluster Members. The Unit Operation
widget shows multiple cluster units.
2 Go to System > Config > HA to view the cluster members list.
The list shows two cluster units, their host names, their roles in the cluster, and their
priorities. You can use this list to confirm that the cluster is operating normally.


To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units, the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
To add basic configuration settings and the redundant interfaces
Use the following steps to add a few basic configuration settings.
1 Log into the cluster web-based manager.
2 Go to System > Admin > Administrators.
3 For admin, select the Change Password icon.
4 Enter and confirm a new password.
5 Select OK.
6 Go to Router > Static and temporarily delete the default route.
You cannot add an interface to a redundant interface if any settings (such as the
default route) are configured for it.
7 Go to System > Network > Interface and select Create New and configure the
redundant interface to connect to the Internet.
Name                          Port1_Port2
Type                          Redundant
Physical Interface Members
  Selected Interfaces         port1, port2
IP/Netmask                    172.20.120.141/24

8 Select OK.
9 Select Create New and configure the redundant interface to connect to the internal
network.
Name                          Port3_Port4
Type                          Redundant
Physical Interface Members
  Selected Interfaces         port3, port4
IP/Netmask                    10.11.101.100/24
Administrative Access         HTTPS, PING, SSH

10 Select OK.
The virtual MAC addresses of the FortiGate-620B interfaces change to the following.
Notice that port1 and port2 both have the port1 virtual MAC address and port3 and
port4 both have the port3 virtual MAC address:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06

• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-00 (same as port1)
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0d (same as port3)
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
11 Go to Router > Static.
12 Add the default route.
Destination IP/Mask    0.0.0.0/0.0.0.0
Gateway                172.20.120.2
Device                 Port1_Port2
Distance               10

13 Select OK.
To configure HA port monitoring for the redundant interfaces
1 Go to System > Config > HA.
2 In the cluster members list, edit the primary unit.
3 Configure the following port monitoring for the redundant interfaces:
Port Monitor
  Port1_Port2    Select
  Port3_Port4    Select

4 Select OK.

Configuring FortiGate-620B units for HA operation - CLI
Each FortiGate-620B unit in the cluster must have the same HA configuration. Use the
following procedure to configure the FortiGate-620B units for HA operation.
To configure the FortiGate-620B units for HA operation
1 Connect to the CLI of one of the FortiGate-620B units.
2 Enter a new Host Name for this FortiGate unit.
config system global
  set hostname 620_ha_1
end


3 Configure HA settings.
config system ha
  set mode a-a
  set group-name Rexample1.com
  set password RHA_pass_1
  set hbdev port5 50 port6 50
end
The FortiGate unit negotiates to establish an HA cluster. Once the configuration is applied you may
temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and
the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster
virtual MAC addresses” on page 1605). The MAC addresses of the FortiGate-620B
interfaces change to the following virtual MAC addresses:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-0b
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0e
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
To be able to reconnect sooner, you can update the ARP table of your management
PC by deleting the ARP table entry for the FortiGate unit (or just deleting all arp table
entries). You may be able to delete the arp table of your management PC from a
command prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic)
CLI command to view the virtual MAC address of any FortiGate unit interface. For
example, use the following command to view the port1 interface virtual MAC address
(Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):


get hardware nic port1
.
.
.
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
.
.
.
4 Power off the first FortiGate unit.
5 Repeat these steps for the second FortiGate unit.
Set the other FortiGate unit host name to:
config system global
  set hostname 620_ha_2
end
To connect the cluster to your network
1 Make the following physical network connections for 620_ha_1:
• Port1 to Sw1 (active)
• Port2 to Sw2 (inactive)
• Port3 to Sw3 (active)
• Port4 to Sw4 (inactive)
2 Make the following physical network connections for 620_ha_2:
• Port1 to Sw2 (active)
• Port2 to Sw1 (inactive)
• Port3 to Sw4 (active)
• Port4 to Sw3 (inactive)
3 Connect Sw3 and Sw4 to the internal network.
4 Connect Sw1 and Sw2 to the external router.
5 Enable ISL communication between Sw1 and Sw2 and between Sw3 and Sw4.
6 Power on the cluster units.
The units start and negotiate to choose the primary unit and the subordinate unit. This
negotiation occurs with no user intervention.
When negotiation is complete the cluster is ready to be configured for your network.
To view cluster status
Use the following steps to view cluster status from the CLI.
1 Log into the CLI.
2 Enter get system status to verify the HA status of the cluster unit that you logged
into.
If the command output includes Current HA mode: a-a, master, the cluster units
are operating as a cluster and you have connected to the primary unit.
If the command output includes Current HA mode: a-a, backup, you have
connected to a subordinate unit.
If the command output includes Current HA mode: standalone the cluster unit is
not operating in HA mode.


3 Enter the following command to confirm the HA configuration of the cluster:
get system ha status
Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2
FG600B3908600825 0
Slave :128 620_ha_1
FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
The command output shows both cluster units, their host names, their roles in the
cluster, and their priorities. You can use this command to confirm that the cluster is
operating normally. For example, if the command shows only one cluster unit then the
other unit has left the cluster for some reason.
4 Use the execute ha manage command to connect to the other cluster unit’s CLI and
use these commands to verify cluster status.
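The check that step 3 describes by eye, as an added Python example that is not part of the handbook: it parses get system ha status output and reports a unit that has left the cluster, an unexpected unit, a mode mismatch, or a missing primary. The sample text is constructed to match the output shown above (the page's hostnames and serial numbers); it assumes you capture the command output yourself, for example over SSH, and pass the text to parse_ha_status().

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed sample shaped like the handbook's 'get system ha status'
# output for the two-unit FortiGate-620B cluster (hostnames and serials
# are the ones printed on the page).
SAMPLE_HEALTHY = """\
Model: 620
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 620_ha_2
FG600B3908600825 0
Slave :128 620_ha_1
FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
"""
# Constructed: the same cluster after 620_ha_1 has left it.
SAMPLE_DEGRADED = "\n".join(
    ln for ln in SAMPLE_HEALTHY.splitlines()
    if "620_ha_1" not in ln and "FG600B3908600705" not in ln)
EXPECTED_SERIALS = ("FG600B3908600825", "FG600B3908600705")

@dataclass
class Member:
    role: str       # "Master" (primary unit) or "Slave" (subordinate unit)
    priority: int   # device priority printed after the role
    hostname: str
    serial: str
    index: int      # cluster index printed after the serial

@dataclass
class HAStatus:
    mode: str
    group: int
    members: List[Member] = field(default_factory=list)
    vclusters: Dict[int, Dict[str, str]] = field(default_factory=dict)  # id -> {serial: role}

_ROLE_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)\s*$")  # "Slave :128 620_ha_1"
_SERIAL_RE = re.compile(r"^(\S+)\s+(\d+)\s*$")                  # "FG600B3908600705 1"
_VCLUSTER_RE = re.compile(r"^vcluster\s+(\d+):")

def parse_ha_status(text: str) -> HAStatus:
    """Parse the member table, then the per-vcluster role lines that follow it."""
    head, _, tail = text.partition("number of vcluster")
    mode = re.search(r"^Mode:\s*(\S+)", head, re.M)
    group = re.search(r"^Group:\s*(\d+)", head, re.M)
    status = HAStatus(mode.group(1) if mode else "", int(group.group(1)) if group else 0)
    lines = [ln for ln in head.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        role = _ROLE_RE.match(lines[i])
        if role:
            # A role line is always followed by "<serial> <index>".
            nxt = _SERIAL_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            if nxt is None:
                raise ValueError(f"no serial line after {lines[i]!r}")
            status.members.append(Member(role.group(1), int(role.group(2)), role.group(3),
                                         nxt.group(1), int(nxt.group(2))))
            i += 2
            continue
        i += 1
    current = None
    for ln in tail.splitlines():
        vc = _VCLUSTER_RE.match(ln)
        if vc:
            current = int(vc.group(1))
            status.vclusters[current] = {}
            continue
        role = _ROLE_RE.match(ln)
        if role and current is not None:
            status.vclusters[current][role.group(3)] = role.group(1)
    return status

def check_cluster(status: HAStatus, expected_serials: Iterable[str],
                  expected_mode: str = "a-a") -> List[str]:
    """Return findings; an empty list means the cluster looks the way the page expects."""
    findings: List[str] = []
    if status.mode != expected_mode:
        findings.append(f"HA mode is {status.mode!r}, expected {expected_mode!r}")
    expected, seen = set(expected_serials), {m.serial for m in status.members}
    for serial in sorted(expected - seen):
        findings.append(f"unit {serial} is missing: it has left the cluster or never joined")
    for serial in sorted(seen - expected):
        findings.append(f"unexpected unit {serial} has joined the cluster")
    primaries = [m.hostname for m in status.members if m.role == "Master"]
    if len(primaries) != 1:
        findings.append(f"expected exactly one primary unit, found {primaries}")
    for vc_id, roles in status.vclusters.items():
        for serial in sorted(seen - set(roles)):
            findings.append(f"unit {serial} has no role in vcluster {vc_id}")
    return findings
```

Run check_cluster(parse_ha_status(text), EXPECTED_SERIALS) on each unit's output; a non-empty list is the condition the page describes as "the other unit has left the cluster for some reason".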
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster
units, the FortiGate units are not functioning as a cluster. See “Troubleshooting HA
clusters” on page 1518 to troubleshoot the cluster.
To add basic configuration settings and the redundant interfaces
Use the following steps to add a few basic configuration settings. Some steps use the CLI
and some the web-based manager.
1 Log into the cluster CLI.
2 Add a password for the admin administrative account.
config system admin
  edit admin
    set password <password_str>
end
3 Temporarily delete the default route.
You cannot add an interface to a redundant interface if any settings (such as the
default route) are configured for it.
config router static
  delete 1
end
4 Go to System > Network > Interface and select Create New to add the redundant
interface to connect to the Internet.
5 Add the redundant interface to connect to the Internet.
config system interface
  edit Port1_Port2
    set type redundant
    set member port1 port2
    set ip 172.20.120.141 255.255.255.0
end


6 Add the redundant interface to connect to the internal network.
config system interface
  edit Port3_Port4
    set type redundant
    set member port3 port4
    set ip 10.11.101.100 255.255.255.0
    set allowaccess https ping ssh
end
The virtual MAC addresses of the FortiGate-620B interfaces change to the following.
Note that port1 and port2 both have the port1 virtual MAC address and port3 and port4
both have the port3 virtual MAC address:
• port1 interface virtual MAC: 00-09-0f-09-00-00
• port10 interface virtual MAC: 00-09-0f-09-00-01
• port11 interface virtual MAC: 00-09-0f-09-00-02
• port12 interface virtual MAC: 00-09-0f-09-00-03
• port13 interface virtual MAC: 00-09-0f-09-00-04
• port14 interface virtual MAC: 00-09-0f-09-00-05
• port15 interface virtual MAC: 00-09-0f-09-00-06
• port16 interface virtual MAC: 00-09-0f-09-00-07
• port17 interface virtual MAC: 00-09-0f-09-00-08
• port18 interface virtual MAC: 00-09-0f-09-00-09
• port19 interface virtual MAC: 00-09-0f-09-00-0a
• port2 interface virtual MAC: 00-09-0f-09-00-00 (same as port1)
• port20 interface virtual MAC: 00-09-0f-09-00-0c
• port3 interface virtual MAC: 00-09-0f-09-00-0d
• port4 interface virtual MAC: 00-09-0f-09-00-0d (same as port3)
• port5 interface virtual MAC: 00-09-0f-09-00-0f
• port6 interface virtual MAC: 00-09-0f-09-00-10
• port7 interface virtual MAC: 00-09-0f-09-00-11
• port8 interface virtual MAC: 00-09-0f-09-00-12
• port9 interface virtual MAC: 00-09-0f-09-00-13
7 Go to Router > Static.
8 Add the default route.
config router static
  edit 1
    set dst 0.0.0.0 0.0.0.0
    set gateway 172.20.120.2
    set device Port1_Port2
end
To configure HA port monitoring for the redundant interfaces
1 Enter the following command to configure port monitoring for the redundant interfaces:
config system ha
  set monitor Port1_Port2 Port3_Port4
end
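A way to verify, from get hardware nic output, the MAC behaviour the procedure above points out (every interface on an FGCP virtual MAC, and port2 and port4 carrying the virtual MAC of port1 and port3 once the redundant interfaces exist). This is an added Python example, not handbook code: the per-port excerpts are constructed from the addresses printed on the page (only port1's Permanent_HWaddr is the page's; the other permanent addresses are made up), and it assumes you collect the real output yourself and pass it in as a dict keyed by interface name.

```python
import re
from typing import Dict, List, Sequence

# Constructed 'get hardware nic <port>' excerpts keeping only the two lines the
# page points at. The MAC values are the ones the page lists after the
# Port1_Port2 and Port3_Port4 redundant interfaces exist; port1's permanent
# address is the page's, the other permanent addresses are made up.
NIC_OUTPUT = {
    "port1": "MAC: 00:09:0f:09:00:00\nPermanent_HWaddr: 02:09:0f:78:18:c9\n",
    "port2": "MAC: 00:09:0f:09:00:00\nPermanent_HWaddr: 02:09:0f:78:18:ca\n",
    "port3": "MAC: 00:09:0f:09:00:0d\nPermanent_HWaddr: 02:09:0f:78:18:cb\n",
    "port4": "MAC: 00:09:0f:09:00:0d\nPermanent_HWaddr: 02:09:0f:78:18:cc\n",
    "port5": "MAC: 00:09:0f:09:00:0f\nPermanent_HWaddr: 02:09:0f:78:18:cd\n",
}
# The page's redundant interfaces; the active member is listed first.
REDUNDANT = {"Port1_Port2": ["port1", "port2"], "Port3_Port4": ["port3", "port4"]}
# Leading bytes shared by every virtual MAC the page lists (00-09-0f-09-00-xx).
VIRTUAL_PREFIX = "00:09:0f:09"

_MAC_LINE = re.compile(
    r"^(MAC|Permanent_HWaddr):\s*([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\s*$", re.M)


def norm_mac(mac: str) -> str:
    """Lower-case, ':'-separated, so the page's 00-09-0f-09-00-00 equals 00:09:0F:09:00:00."""
    return mac.lower().replace("-", ":")


def parse_nic(text: str) -> Dict[str, str]:
    """Pick the current (MAC) and permanent (Permanent_HWaddr) addresses out of the output."""
    found = {key: norm_mac(val) for key, val in _MAC_LINE.findall(text)}
    missing = {"MAC", "Permanent_HWaddr"} - set(found)
    if missing:
        raise ValueError(f"nic output lacks {sorted(missing)}")
    return found


def check_virtual_macs(outputs: Dict[str, str], redundant: Dict[str, Sequence[str]],
                       prefix: str = VIRTUAL_PREFIX) -> List[str]:
    """Return findings; empty means every port is on a virtual MAC and each redundant
    interface's members share the active member's address, as the page describes."""
    findings: List[str] = []
    nics = {name: parse_nic(text) for name, text in outputs.items()}
    for name, nic in sorted(nics.items()):
        if nic["MAC"] == nic["Permanent_HWaddr"] or not nic["MAC"].startswith(prefix):
            findings.append(f"{name}: current MAC {nic['MAC']} is not an FGCP virtual MAC "
                            "(unit not in HA mode, or output read before negotiation finished)")
    for rname, members in redundant.items():
        active = members[0]
        if active not in nics:
            findings.append(f"{rname}: no nic output for active member {active}")
            continue
        for member in members[1:]:
            if member not in nics:
                findings.append(f"{rname}: no nic output for member {member}")
            elif nics[member]["MAC"] != nics[active]["MAC"]:
                findings.append(f"{rname}: {member} has {nics[member]['MAC']} but active member "
                                f"{active} has {nics[active]['MAC']}; {member} is not bound to {rname}")
    return findings
```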

Operating a cluster
With some exceptions, you can operate a cluster in much the same way as you operate a
standalone FortiGate unit. This chapter describes those exceptions and also the
similarities involved in operating a cluster instead of a standalone FortiGate unit.
This chapter contains the following sections:
• Operating a cluster
• Operating a virtual cluster
• Managing individual cluster units using a reserved management interface
• The primary unit acts as a router for subordinate unit management traffic
• Clusters and FortiGuard services
• Clusters and logging
• Clusters and SNMP
• Clusters and file quarantine
• Cluster members list
• Virtual cluster members list
• Viewing HA statistics
• Changing the HA configuration of an operating cluster
• Changing the HA configuration of an operating virtual cluster
• Changing the subordinate unit host name and device priority
• Upgrading cluster firmware
• Downgrading cluster firmware
• Backing up and restoring the cluster configuration
• Monitoring cluster units for failover
• Viewing cluster status from the CLI
• Disconnecting a cluster unit from a cluster
• Adding a disconnected FortiGate unit back to its cluster

Operating a cluster
The configurations of all of the FortiGate units in a cluster are synchronized so that the
cluster units can simulate a single FortiGate unit. Because of this synchronization, you
manage the HA cluster instead of managing the individual cluster units. You manage the
cluster by connecting to the web-based manager using any cluster interface configured for
HTTPS or HTTP administrative access. You can also manage the cluster by connecting to
the CLI using any cluster interface configured for SSH or telnet administrative access.
The cluster web-based manager dashboard displays the cluster name, the host name and
serial number of each cluster member, and also shows the role of each unit in the cluster.
The roles can be master (primary unit) and slave (subordinate units). The dashboard also
displays a cluster unit front panel illustration.


Figure 222: Example cluster web-based manager dashboard

You can also go to System > Config > HA to view the cluster members list. This includes
status information for each cluster unit. You can also use the cluster members list for a
number of cluster management functions including changing the HA configuration of an
operating cluster, changing the host name and device priority of a subordinate unit, and
disconnecting a cluster unit from a cluster. See “Cluster members list” on page 1576.
You can use log messages to view information about the status of the cluster. See
“Viewing and managing log messages for individual cluster units” on page 1566. You can
use SNMP to manage the cluster by configuring a cluster interface for SNMP
administrative access. Using an SNMP manager you can get cluster configuration
information and receive traps.
You can configure a reserved management interface to manage individual cluster units.
You can use this interface to access the web-based manager or CLI and to configure
SNMP management for individual cluster units. See “Managing individual cluster units
using a reserved management interface” on page 1559.
You can manage individual cluster units by using SSH, telnet, or the CLI console on the
web-based manager dashboard to connect to the CLI of the cluster. From the CLI you can
use the execute ha manage command to connect to the CLI of any unit in the cluster.
You can also manage individual cluster units by using a null-modem cable to connect to
any cluster unit CLI. From there you can use the execute ha manage command to
connect to the CLI of each unit in the cluster.

Operating a virtual cluster
Managing a virtual cluster is very similar to managing a cluster that does not contain
multiple virtual domains. Most of the information in this chapter applies to managing both
kinds of clusters. This section describes what is different when managing a virtual cluster.
If virtual domains are enabled, the cluster web-based manager dashboard displays the
cluster name and the role of each cluster unit in virtual cluster 1 and virtual cluster 2.

Figure 223: Example virtual clustering web-based manager dashboard TO BE REMOVED

The configuration and maintenance options that you have when you connect to a virtual
cluster web-based manager or CLI depend on the virtual domain that you connect to and
the administrator account that you use to connect.
If you connect to a cluster as the administrator of a virtual domain, you connect directly to
the virtual domain. Since HA virtual clustering is a global configuration, virtual domain
administrators cannot see HA configuration options. However, virtual domain
administrators see the host name of the cluster unit that they are connecting to on the web
browser title bar or CLI prompt. This host name is the host name of the primary unit for the
virtual domain. Also, when viewing log messages by going to Log & Report > Log Access, a
virtual domain administrator can select to view log messages for either of the cluster units.
If you connect to a virtual cluster as the admin administrator you connect to the global
web-based manager or CLI. Even so, you are connecting to an interface and to the virtual
domain that the interface has been added to. The virtual domain that you connect to does
not make a difference for most configuration and maintenance operations. However, there
are a few exceptions. You connect to the FortiGate unit that functions as the primary unit
for the virtual domain. So the host name displayed on the web browser title bar and on the
CLI is the host name of this primary unit.

Managing individual cluster units using a reserved management
interface
You can provide direct management access to all cluster units by reserving a
management interface as part of the HA configuration. Once this management interface is
reserved, you can configure a different IP address, administrative access and other
interface settings for this interface for each cluster unit. Then by connecting this interface
of each cluster unit to your network you can manage each cluster unit separately from a
different IP address. Configuration changes to the reserved management interface are not
synchronized to other cluster units.
The reserved management interface provides direct management access to each cluster
unit and gives each cluster unit a different identity on your network. This simplifies using
external services, such as SNMP, to monitor and manage each cluster unit.
Note: The reserved management interface is not assigned an HA virtual MAC address like
other cluster interfaces. Instead the reserved management interface retains the permanent
hardware address of the physical interface unless you change it using the config
system interface command.


If you enable SNMP administrative access for the reserved management interface you
can use SNMP to monitor each cluster unit using the reserved management interface IP
address. To monitor each cluster unit using SNMP, just add the IP address of each cluster
unit’s reserved management interface to the SNMP server configuration. You must also
enable direct management of cluster members in the cluster SNMP configuration.
If you enable HTTPS or HTTP administrative access for the reserved management
interfaces you can connect to the web-based manager of each cluster unit. Any
configuration changes made to any of the cluster units is automatically synchronized to all
cluster units. From the subordinate units the web-based manager has the same features
as the primary unit except that unit-specific information is displayed for the subordinate
unit, for example:
• The Dashboard System Information widget displays the subordinate unit serial number
but also displays the same information about the cluster as the primary unit.
• On the Cluster members list (go to System > Config > HA) you can change the HA
configuration of the subordinate unit that you are logged into. For the primary unit and
other subordinate units you can change only the host name and device priority.
• Log Access displays the logs of the subordinate unit that you are logged into first. You use
the HA Cluster list to view the log messages of other cluster units including the primary
unit.

If you enable SSH or TELNET administrative access for the reserved management
interfaces you can connect to the CLI of each cluster unit. The CLI prompt contains the
host name of the cluster unit that you have connected to. Any configuration changes made
to any of the cluster units is automatically synchronized to all cluster units. You can also
use the execute ha manage command to connect to other cluster unit CLIs.

Configuring the reserved management interface and SNMP remote management
of individual cluster units
This example describes how to configure SNMP remote management of individual cluster
units using the HA reserved management interface. The configuration consists of two
FortiGate-620B units already operating as a cluster. In the example, the port8 interface of
each cluster unit is connected to the internal network using the switch and configured as
the reserved management interface.


Figure 224: SNMP remote management of individual cluster units (figure not reproduced;
it shows the SNMP server at 10.11.101.20 on the internal network switch, the FortiGate-620B
cluster with Port2 10.11.101.100 facing the internal network and Port1 172.20.120.141 facing
the Internet, and the reserved management Port8 at 10.11.101.101 on the primary unit and
10.11.101.102 on the subordinate unit)

To configure the reserved management interface - web-based manager
1 Go to System > Config > HA.
2 Edit the primary unit.
3 Select Reserve Management Port for Cluster Member and select port8.
4 Select OK.
To configure the reserved management interface - CLI
From the CLI you can also configure a default route that is only used by the reserved
management interface.
1 Log into the CLI of any cluster unit.
2 Enter the following command to enable the reserved management interface, set port8
as the reserved interface, and add a default route of 10.11.101.100 for the reserved
management interface.
config system ha
set ha-mgmt-status enable
set ha-mgmt-interface port8
set ha-mgmt-interface-gateway 10.11.101.100
end
The reserved management interface default route is not synchronized to other cluster
units.


To change the primary unit reserved management interface configuration - web-based manager
You can change the IP address of the primary unit reserved management interface from
the primary unit web-based manager. Configuration changes to the reserved
management interface are not synchronized to other cluster units.
1 From a PC on the internal network, browse to http://10.11.101.100 and log into the
cluster web-based manager.
This logs you into the primary unit web-based manager.
You can identify the primary unit from its serial number or host name that appears on
the System Information dashboard widget.
2 Go to System > Network > Interface and edit the port8 interface as follows:
Alias: primary_reserved
IP/Netmask: 10.11.101.101/24
Administrative Access: Ping, SSH, HTTPS, SNMP

3 Select OK.
You can now log into the primary unit web-based manager by browsing to
https://10.11.101.101. You can also log into this primary unit CLI by using an SSH client
to connect to 10.11.101.101.
To change subordinate unit reserved management interface configuration - CLI
At this point you cannot connect to the subordinate unit reserved management interface
because it does not have an IP address. Instead, this procedure describes connecting to
the primary unit CLI and using the execute ha manage command to connect to
subordinate unit CLI to change the port8 interface. You can also use a serial connection to
the cluster unit CLI. Configuration changes to the reserved management interface are not
synchronized to other cluster units.
1 Connect to the primary unit CLI and use the execute ha manage command to
connect to a subordinate unit CLI.
You can identify the subordinate unit from its serial number or host name. The host
name appears in the CLI prompt.
2 Enter the following command to change the port8 IP address to 10.11.101.102 and
set management access to HTTPS, ping, SSH, and SNMP.
config system interface
edit port8
set ip 10.11.101.102/24
set allowaccess https ping ssh snmp
end
You can now log into the subordinate unit web-based manager by browsing to
https://10.11.101.102. You can also log into this subordinate unit CLI by using an SSH
client to connect to 10.11.101.102.


To configure the cluster for SNMP management using the reserved management
interfaces - CLI
This procedure describes how to configure the cluster to allow the SNMP server to get
status information from the primary unit and the subordinate unit. The SNMP configuration
is synchronized to all cluster units. To support using the reserved management interfaces,
you must add at least one HA direct management host to an SNMP community. If your
SNMP configuration includes SNMP users with user names and passwords you must also
enable HA direct management for SNMP users.
1 Enter the following command to add an SNMP community called Community and add
a host to the community for the reserved management interface of each cluster unit.
The host includes the IP address of the SNMP server (10.11.101.20).
config system snmp community
edit 1
set name Community
config hosts
edit 1
set ha-direct enable
set ip 10.11.101.20
end
end
2 Enter the following command to add an SNMP user for the reserved management
interface.
config system snmp user
edit 1
set ha-direct enable
set notify-hosts 10.11.101.20
end
Configure other settings as required.
To get the HA status table using reserved management IP addresses
The following SNMP get command gets the HA status table for the primary unit. The
community name is Community. The IP address of the primary unit reserved
management interface is 10.11.101.101. The HA status table MIB field is fgHaStatsTable
and the OID for this MIB field is 1.3.6.1.4.1.12356.101.13.2. The first command uses the
MIB field name and the second uses the OID for this table:
snmpget -v2c -c Community 10.11.101.101 fgHaStatsTable
snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2
The following SNMP get command gets the HA status table for the subordinate unit. The
community name is Community. The IP address of the subordinate unit reserved
management interface is 10.11.101.102. The HA status table MIB field is fgHaStatsTable
and the OID for this MIB field is 1.3.6.1.4.1.12356.101.13.2. The first command uses the
MIB field name and the second uses the OID for this table:
snmpget -v2c -c Community 10.11.101.102 fgHaStatsTable
snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2
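Because the reserved management interface settings and their default route are configured on each unit and never synchronized, the per-unit values can drift apart and are worth checking against each other before they are applied. The following Python is an added example, not part of the handbook or of FortiOS: it takes a plan of per-unit port8 settings as plain dicts (a representation this example assumes) and flags duplicate addresses, a gateway that is not on the interface subnet, an address that collides with the gateway, cleartext management protocols, and a unit that the SNMP server could not poll. The addresses and access list are the handbook's own example values.

```python
"""Sanity-check a reserved-management-interface plan before applying it.

Added example, not FortiOS or handbook code. Values mirror the handbook's
FortiGate-620B example: port8 on each unit, gateway 10.11.101.100, SNMP
server 10.11.101.20.
"""
import ipaddress
from typing import Any, Dict, List

# Cleartext management protocols; the handbook's example grants only https,
# ping, ssh and snmp on the reserved interface.
CLEARTEXT_ACCESS = {"http", "telnet"}

# Constructed plan (dict layout is this example's own, not a FortiOS format).
HANDBOOK_PLAN: List[Dict[str, Any]] = [
    {"role": "primary", "ip": "10.11.101.101/24",
     "allowaccess": ["https", "ping", "ssh", "snmp"]},
    {"role": "subordinate", "ip": "10.11.101.102/24",
     "allowaccess": ["https", "ping", "ssh", "snmp"]},
]
HANDBOOK_GATEWAY = "10.11.101.100"      # set ha-mgmt-interface-gateway
HANDBOOK_SNMP_SERVER = "10.11.101.20"   # host in the SNMP community


def check_plan(units: List[Dict[str, Any]], gateway: str,
               snmp_server: str) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    gw = ipaddress.ip_address(gateway)
    snmp = ipaddress.ip_address(snmp_server)
    seen: Dict[Any, str] = {}
    for unit in units:
        who = unit["role"]
        iface = ipaddress.ip_interface(unit["ip"])
        # Not synchronized, so every unit must carry its own distinct address.
        if iface.ip in seen:
            problems.append(f"{who}: address {iface.ip} already used by {seen[iface.ip]}")
        seen[iface.ip] = who
        if iface.ip == gw:
            problems.append(f"{who}: address {iface.ip} is the management gateway")
        # The reserved interface's own default route must point at an on-link gateway.
        if gw not in iface.network:
            problems.append(f"{who}: gateway {gw} is not in {iface.network}")
        access = set(unit["allowaccess"])
        cleartext = access & CLEARTEXT_ACCESS
        if cleartext:
            problems.append(f"{who}: cleartext management enabled: "
                            f"{', '.join(sorted(cleartext))}")
        # SNMP monitoring of individual units needs snmp in allowaccess.
        if "snmp" not in access:
            problems.append(f"{who}: snmp not allowed, {snmp} cannot poll this unit")
    return problems
```

Run `check_plan(HANDBOOK_PLAN, HANDBOOK_GATEWAY, HANDBOOK_SNMP_SERVER)` for the handbook's values and it returns no problems; feed it a plan where both units were given the same address, or where one unit was left with telnet enabled, and each issue comes back as a separate line naming the unit.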


The primary unit acts as a router for subordinate unit management
traffic
HA uses routing and inter-VDOM links to route subordinate unit management traffic
through the primary unit to the network. Similar to a standalone FortiGate unit, subordinate
units may generate their own management traffic, including:
• DNS queries.
• FortiGuard Web Filtering rating requests.
• Log messages to be sent to a FortiAnalyzer unit, to a syslog server, or to the
FortiGuard Analysis and Management Service.
• Log file uploads to a FortiAnalyzer unit.
• Quarantine file uploads to a FortiAnalyzer unit.
• SNMP traps.
• Communication with remote authentication servers (RADIUS, LDAP, TACACS+ and so
on).

Subordinate units send this management traffic over the HA heartbeat link to the primary
unit. The primary unit forwards the management traffic to its destination. The primary unit
also routes replies back to the subordinate unit in the same way.
HA uses a hidden VDOM called vsys_ha for HA operations. The vsys_ha VDOM includes
the HA heartbeat interfaces, and all communication over the HA heartbeat link goes
through the vsys_ha VDOM. To provide communication from a subordinate unit to the
network, HA adds hidden inter-VDOM links between the primary unit management VDOM
and the primary unit vsys_ha VDOM. By default, root is the management VDOM.
Management traffic from the subordinate unit originates in the subordinate unit vsys_ha
VDOM. The vsys_ha VDOM routes the management traffic over the HA heartbeat link to
the primary unit vsys_ha VDOM. This management traffic is then routed to the primary unit
management VDOM and from there out onto the network.
DNS queries and FortiGuard Web Filtering and Email Filter requests are still handled by
the HA proxy so the primary unit and subordinate units share the same DNS query cache
and the same FortiGuard Web Filtering and Email Filter cache. In a virtual clustering
configuration, the cluster unit that is the primary unit for the management virtual domain
maintains the FortiGuard Web Filtering, Email Filtering, and DNS query cache.
Figure 225: Subordinate unit management traffic path (figure not reproduced; it shows the
subordinate unit vsys_ha VDOM, the HA link between the two vsys_ha VDOMs, the hidden
inter-VDOM link into the primary unit root VDOM, and the network; the addresses shown on
the figure are 169.254.0.1, 169.254.0.2, 169.254.0.65 and 169.254.0.66)

Cluster communication with RADIUS and LDAP servers
In an active-passive cluster, only the primary unit processes traffic, so the primary unit
communicates with RADIUS or LDAP servers. In a cluster that is operating in active-active
mode, subordinate units send RADIUS and LDAP requests to the primary unit over the HA
heartbeat link and the primary unit routes them to their destination. The primary unit
relays the responses back to the subordinate unit.

Clusters and FortiGuard services
This section describes how various FortiGate HA clustering configurations communicate
with the FDN.
In an operating cluster, the primary unit communicates directly with the FortiGuard
Distribution Network (FDN). Subordinate units also communicate directly with the FDN but
as described in “The primary unit acts as a router for subordinate unit management traffic”
on page 1564, all communication between subordinate units and the FDN is routed
through the primary unit.
You must register and licence all of the units in a cluster for all required FortiGuard
services, both because all cluster units communicate with the FDN and because any
cluster unit could potentially become the primary unit.

FortiGuard and active-passive clusters
For an active-passive cluster, only the primary unit processes traffic. Even so, all cluster
units communicate with the FDN. Only the primary unit sends FortiGuard Web Filtering
and Antispam requests to the FDN. All cluster units receive FortiGuard Antivirus, IPS, and
application control updates from the FDN.
In an active-passive cluster the FortiGuard Web Filter and Email Filter caches are located
on the primary unit in the same way as for a standalone FortiGate unit. The caches are not
shared among cluster units so after a failover the new primary unit must build up new
caches.
In an active-passive cluster all cluster units also communicate with the FortiGuard
Analysis and Management Service (FAMS).

FortiGuard and active-active clusters
For an active-active cluster, both the primary unit and the subordinate units process traffic.
Communication between the cluster units and the FDN is the same as for active-passive
clusters with the following exception.
Because the subordinate units process traffic, they may also be making FortiGuard Web
Filtering and Email Filter requests. The primary unit receives all such requests from the
subordinate units and relays them to the FDN and then relays the FDN responses back to
the subordinate units. The FortiGuard Web Filtering and Email Filtering URL caches are
maintained on the primary unit. The primary unit caches are used for primary and
subordinate unit requests.

FortiGuard and virtual clustering
For a virtual clustering configuration the management virtual domain of each cluster unit
communicates with the FDN. The cluster unit that is the primary unit for the management
virtual domain maintains the FortiGuard Web Filtering and Email Filtering caches. All
FortiGuard Web Filtering and Email Filtering requests are proxied by the management
VDOM of the cluster unit that is the primary unit for the management virtual domain.


Clusters and logging
This section describes the log messages that provide information about how HA is
functioning, how to view and manage logs for each unit in a cluster, and provides some
example log messages that are recorded during specific cluster events.
You configure logging for a cluster in the same way as you configure logging for a
standalone FortiGate unit. Log configuration changes made to the cluster are
synchronized to all cluster units.
All cluster units record log messages separately to the individual cluster unit’s log disk, to
the cluster unit’s system memory, or both. You can view and manage log messages for
each cluster unit from the cluster web-based manager Log Access page.
When remote logging is configured, all cluster units send log messages to remote
FortiAnalyzer units or other remote servers as configured. HA uses routing and inter-VDOM
links to route subordinate unit log traffic through the primary unit to the network.
See “The primary unit acts as a router for subordinate unit management traffic” on
page 1564.
When you configure a FortiAnalyzer unit to receive log messages from a FortiGate cluster,
you should add a cluster to the FortiAnalyzer unit configuration so that the FortiAnalyzer
unit can receive log messages from all cluster units.

Viewing and managing log messages for individual cluster units
This section describes how to view and manage log messages for an individual cluster
unit.
To view HA cluster log messages
1 Log into the cluster web-based manager.
2 Go to Log & Report > Log Access and select Memory or Disk.
For each log display, the HA Cluster list displays the serial number of the cluster unit
for which log messages are displayed. The serial numbers are displayed in order in the
list.
3 Set HA Cluster to the serial number of one of the cluster units to display log messages
for that unit.
You can view logs saved to memory or logs saved to the hard disk for the cluster unit.

About HA event log messages
HA event log messages always include the host name and serial number of the cluster
unit that recorded the message. HA event log messages also include the HA state of the
unit and also indicate when a cluster unit switches (or moves) from one HA state to
another. Cluster units can operate in the HA states listed in Table 106:
Table 106: HA states
Hello: A FortiGate unit configured for HA operation has started up and is looking
for other FortiGate units with which to form a cluster.
Work: In an active-passive cluster a cluster unit is operating as the primary unit.
In an active-active cluster a cluster unit is operating as the primary unit or a
subordinate unit.
Standby: In an active-passive cluster the cluster unit is operating as a subordinate
unit.


HA event log messages also indicate the virtual cluster that the cluster unit is
operating in as well as the member number of the unit in the cluster. If virtual domains are
not enabled, all cluster units are always operating in virtual cluster 1. If virtual domains are
enabled, a cluster unit may be operating in virtual cluster 1 or virtual cluster 2. The
member number indicates the position of the cluster unit in the cluster members list.
Member 0 is the primary unit. Member 1 is the first subordinate unit, member 2 is the
second subordinate unit, and so on.
The following log message indicates that the cluster unit with host name 5005_ha_2 and
serial number FG5A253E06500088 has become the primary unit because it is operating
in the work state as member 0.
2010-01-13 13:45:32 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=work
vcluster_member=0 hostname=5005_ha_2 sn=FG5A253E06500088
The following log message indicates that the cluster unit with host name 5005_ha_1 and
serial number FG5A253E06500088 has become the first subordinate unit in an
active-passive cluster because it is operating in the standby state as member 1.
2010-01-13 14:28:39 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=standby
vcluster_member=1 hostname=5005_ha_2 sn=FG5A253E06500088
The following log message indicates that the cluster unit with host name 5005_ha_1 and
serial number FG5A253E07600124 has become the first subordinate unit in an
active-active cluster because it is operating in the work state as member 1.
2010-01-13 14:23:58 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=work
vcluster_member=1 hostname=5005_ha_1 sn=FG5A253E07600124
The following log message indicates that the FortiGate unit was disconnected from a
cluster. The message shows that the cluster unit was disconnected over the telnet link
between cluster units and the HA mode was changed from active-active to standalone.
2010-01-13 13:45:09 log_id=0104032140 type=event subtype=admin vd=root
pri=notice user="FGT_ha_admin" ui=telnet(169.254.0.2) old=A-A new=standalone
msg="User FGT_ha_admin changed HA mode from A-A to standalone"

HA log messages
See the FortiGate Log Message Reference for a listing of and descriptions of the HA log
messages.

Example log messages
This section displays some log message sequences when specific cluster events occur.

Unit changing to HA mode and becoming the primary unit
1 2010-01-14 13:24:56 log_id=0104032140 type=event subtype=admin vd=root
pri=notice user="admin" ui=GUI(10.21.101.100) old=standalone new=A-P msg="User
admin changed HA mode from standalone to A-P"
The administrator changed the HA mode to active-passive.
2 2010-01-14 13:25:09 log_id=0105037899 type=event subtype=ha pri=notice vd="root"
msg="HA device(interface) peerinfo" ha_role=slave devintfname=port4
The cluster unit received heartbeat packets at the port4 interface.


3 2010-01-14 13:25:09 log_id=0105037894 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster detected member join" vcluster=1 ha_group=0
The cluster unit detected another unit that it could form a cluster with.
4 2010-01-14 13:25:11 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=work
vcluster_member=0 hostname=5005_ha_1 sn=FG5A253E07600124
The cluster unit's state changed to work, meaning that the cluster unit became the
primary unit.

Unit changing to HA mode and becoming a subordinate unit
1 2010-01-13 14:57:04 log_id=0104032140 type=event subtype=admin vd=root
pri=notice user="admin" ui=GUI(10.21.101.100) old=standalone new=A-P msg="User
admin changed HA mode from standalone to A-P"
The administrator changed the HA mode to active-passive.
2 2010-01-13 14:57:07 log_id=0105037899 type=event subtype=ha pri=notice vd="root"
msg="HA device(interface) peerinfo" ha_role=slave devintfname=port4
The cluster unit received heartbeat packets at the port4 interface.
3 2010-01-13 14:57:07 log_id=0105037894 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster detected member join" vcluster=1 ha_group=0
The cluster unit detected another unit that it could form a cluster with.
4 2010-01-13 14:57:09 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=standby
vcluster_member=1 hostname=5005_ha_1 sn=FG5A253E07600124
The cluster unit's state changed to standby, meaning that the cluster unit became a
subordinate unit.

Primary unit fails (and is removed from cluster)
These messages are recorded by a subordinate unit (which becomes the primary unit).
1 2010-01-13 14:49:44 log_id=0105037901 type=event subtype=ha pri=critical vd="root"
msg="Heartbeat device(interface) down" ha_role=slave hbdn_reason=neighbor info
lost devintfname=port4
The subordinate unit loses communication with the primary unit.
2 2010-01-13 14:50:00 log_id=0105037893 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster detected member dead" vcluster=1 ha_group=0
The subordinate unit determines that the primary unit is no longer operating.
3 2010-01-13 14:50:02 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=work
vcluster_member=0 hostname=5005_ha_2 sn=FG5A253E06500088
The subordinate unit negotiates to form a cluster and then begins to operate as the
primary unit.


Subordinate unit fails (and is removed from cluster)
These messages are recorded by the primary unit.
1 2010-01-14 13:01:03 log_id=0105037901 type=event subtype=ha pri=critical vd="root"
msg="Heartbeat device(interface) down" ha_role=master hbdn_reason=neighbor info
lost devintfname=port4
The primary unit loses contact with the subordinate unit.
2 2010-01-14 13:01:19 log_id=0105037893 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster detected member dead" vcluster=1 ha_group=0
The primary unit determines that the subordinate unit is no longer operating.
3 2010-01-14 13:01:21 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=work
vcluster_member=0 hostname=5005_ha_1 sn=FG5A253E07600124
The primary unit negotiates to form a cluster and then continues to operate as the
primary unit.

New unit added to cluster
These messages are recorded by the primary unit.
1 2010-01-13 14:57:07 log_id=0105037899 type=event subtype=ha pri=notice vd="root"
msg="HA device(interface) peerinfo" ha_role=master devintfname=port4
The cluster unit received heartbeat packets at the port4 interface.
2 2010-01-13 14:57:07 log_id=0105037894 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster detected member join" vcluster=1 ha_group=0
The cluster unit detected another unit that it could form a cluster with.
3 2010-01-13 14:57:09 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=work
vcluster_member=0 hostname=5005_ha_2 sn=FG5A253E06500088
The primary unit negotiates to form a cluster with the new cluster unit and then
continues to operate as the primary unit.

Unit removed from cluster
These log messages appear on the unit that was removed from the cluster:
1 2010-01-13 14:49:37 log_id=0104032121 type=event subtype=admin vd=root
pri=notice user="admin" ui=GUI(10.21.101.100) intf="port1" field=access
old="https+ping+ssh" new="https+ping+ssh+snmp+http+telnet" msg="User admin
changed the access setting of interface port1 from GUI(10.21.101.100)"
2 2010-01-13 14:49:37 log_id=0104032121 type=event subtype=admin vd=root
pri=notice user="admin" ui=GUI(10.21.101.100) intf="port1" field=ip
old=10.21.101.102:255.255.255.0 new=10.21.101.103:255.255.255.0 msg="User
admin changed the ip setting of interface port1 from GUI(10.21.101.100)"
3 2010-01-13 14:49:37 log_id=0104032140 type=event subtype=admin vd=root
pri=notice user="admin" ui=GUI(10.21.101.100) old=A-P new=standalone msg="User
admin changed HA mode from A-P to standalone"


Link failure of a monitored interface
These log messages, recorded by the primary unit, show the monitored port1 interface
failed or was disconnected and the primary unit becoming a subordinate unit:
1 2010-01-14 16:59:39 log_id=0100020099 type=event subtype=system vd=root
pri=information action=interface-stat-change status=DOWN msg="Link monitor:
Interface port1 was turned down"
2 2010-01-14 16:59:39 log_id=0105037898 type=event subtype=ha pri=warning
vd="root" msg="HA device(interface) fail" ha_role=master devintfname=port1
3 2010-01-14 16:59:41 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=standby
vcluster_member=1 hostname=620_ha_1 sn=FG600B3908600705

Link failure of a monitored interface fixed
These log messages show the monitored port1 being reconnected and the cluster unit
becoming the primary unit.
1 2010-01-14 16:59:58 log_id=0100020099 type=event subtype=system vd=root
pri=information action=interface-stat-change status=UP msg="Link monitor: Interface
port1 was turned up"
2 2010-01-14 16:59:58 log_id=0105037897 type=event subtype=ha pri=notice vd="root"
msg="HA device(interface) ready" ha_role=slave devintfname=port1
3 2010-01-14 17:00:00 log_id=0105037892 type=event subtype=ha pri=notice vd="root"
msg="Virtual cluster's member state moved" vcluster=1 vcluster_state=work
vcluster_member=0 hostname=620_ha_1 sn=FG600B3908600705

Configuration change synchronized from primary unit to subordinate unit
The following event log message is written by the primary unit when the admin
administrator adds a firewall policy with ID 3 by connecting to the web-based manager
from a management PC with IP address 172.20.120.14 using HTTPS or HTTP:
2009-11-13 09:11:45 log_id=0104032126 type=event subtype=admin vd=root
pri=notice user="admin" ui=GUI(172.20.120.14) seq=1 sintf="external" dintf="internal"
saddr="all" daddr="all" act=accept nat=no iptype=ipv4 schd="always" svr="ANY"
log=no idbased=no msg="User admin added IPv4 firewall policy 3 from
GUI(172.20.120.11)"
When incremental synchronization makes the same change to a subordinate unit, the
subordinate unit writes the following log message:
2009-11-13 09:11:45 log_id=0104032126 type=event subtype=admin vd=root
pri=notice user="admin" ui=ha_daemon seq=1 sintf="external" dintf="internal"
saddr="all" daddr="all" act=accept nat=no iptype=ipv4 schd="always" svr="ANY"
log=no idbased=no msg="User admin added IPv4 firewall policy 3 from
GUI(172.20.120.11)"
Notice that the two messages are identical (including the log IDs) except that on the
subordinate unit the ui (user interface) is ha_daemon. ha_daemon is the name of the user
interface used by the HA synchronization process to make incremental synchronization
configuration changes.


Configuration change synchronized from subordinate unit to primary unit
The following event log message is written by a subordinate unit after the admin
administrator logs into the subordinate unit CLI using the execute ha manage
command and adds firewall policy 6:
2009-11-13 09:14:45 log_id=0104032126 type=event subtype=admin vd=root
pri=notice user="admin" ui=telnet(169.254.0.1) seq=6 sintf="external" dintf="internal"
saddr="all" daddr="all" act=accept nat=no iptype=ipv4 schd="always" svr="ANY"
log=no idbased=no msg="User admin added IPv4 firewall policy 6 from
telnet(169.254.0.1)"
Notice that the user interface is telnet(169.254.0.1). 169.254.0.1 is the IP address of the
HA heartbeat interface of the primary unit. The log message shows that the execute ha
manage command sets up a telnet session from the primary unit to the subordinate unit
over the HA heartbeat link. Note that the IP address could be 169.254.0.2 if the cluster
renegotiated.
When incremental synchronization makes the same change to the primary unit, the
primary unit writes the following log message:
2009-11-13 09:14:45 log_id=0104032126 type=event subtype=admin vd=root
pri=notice user="admin" ui=ha_daemon seq=6 sintf="external" dintf="internal"
saddr="all" daddr="all" act=accept nat=no iptype=ipv4 schd="always" svr="ANY"
log=no idbased=no msg="User admin added IPv4 firewall policy 6 from ha_daemon"
Notice again that the messages are identical (including the log ID) except for the user
interface.
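The log formats shown in this and the preceding link-failure sections lend themselves to automated checks. The following is an added example, not Fortinet's code: a small parser for FortiOS key=value event log lines with three checks built on it. It lists HA role changes (the "Virtual cluster's member state moved" events, where vcluster_state standby means the unit became a subordinate and work that it became the primary), lists monitored-interface failures, and, for the configuration-synchronization messages just shown, flags administrator changes logged on the primary unit that have no matching ui=ha_daemon event on the subordinate unit. The function names, the matching key and the sample log lines (assembled from the excerpts above, plus one invented policy-4 event) are assumptions of this example.

```python
"""Parse FortiOS HA event log lines and check them for failovers and for
configuration changes that did not synchronize.

Added example (not Fortinet code). Log lines are key=value pairs with quoted
or bare values, as in the handbook excerpts; the sample lines below are
constructed from those excerpts, and the policy-4 line is an invented event
that has no counterpart on the subordinate unit.
"""
import re

# Optional list index, date, time, then the key=value body of the message.
_HEAD = re.compile(r"(?:\d+\s+)?(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(.*)")
# key=value where the value is either "quoted" or a bare token.
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')

LOGID_STATE_MOVED = "0105037892"   # "Virtual cluster's member state moved"
LOGID_DEVICE_FAIL = "0105037898"   # "HA device(interface) fail"


def parse_event(line):
    """Return the fields of one event log line as a dict (quotes stripped)."""
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError("not a FortiOS event log line: %r" % line)
    fields = {"date": m.group(1), "time": m.group(2)}
    for key, val in _KV.findall(m.group(3)):
        fields[key] = val.strip('"')
    return fields


def role_transitions(lines):
    """(time, hostname, vcluster_state) for every 'member state moved' event."""
    return [(ev["time"], ev.get("hostname"), ev.get("vcluster_state"))
            for ev in map(parse_event, lines)
            if ev.get("log_id") == LOGID_STATE_MOVED]


def monitored_interface_failures(lines):
    """(time, interface) for every monitored-interface failure reported by HA."""
    return [(ev["time"], ev.get("devintfname"))
            for ev in map(parse_event, lines)
            if ev.get("log_id") == LOGID_DEVICE_FAIL]


def _change_key(ev):
    # The primary's admin event and the subordinate's ha_daemon event share the
    # same log_id and object identifiers (seq, or intf/field); only ui differs.
    # Which fields identify a change is an assumption of this example.
    return (ev.get("log_id"), ev.get("user"), ev.get("seq"),
            ev.get("intf"), ev.get("field"))


def unsynchronized_changes(primary_lines, subordinate_lines):
    """msg of each administrator change logged on the primary unit that has no
    matching ui=ha_daemon event in the subordinate unit's log."""
    synced = {_change_key(ev) for ev in map(parse_event, subordinate_lines)
              if ev.get("subtype") == "admin" and ev.get("ui") == "ha_daemon"}
    return [ev.get("msg") for ev in map(parse_event, primary_lines)
            if ev.get("subtype") == "admin" and ev.get("ui") != "ha_daemon"
            and _change_key(ev) not in synced]


# Constructed sample input, assembled from the handbook excerpts.
PRIMARY_LOG = [
    '1 2010-01-14 16:59:39 log_id=0100020099 type=event subtype=system vd=root '
    'pri=information action=interface-stat-change status=DOWN '
    'msg="Link monitor: Interface port1 was turned down"',
    '2 2010-01-14 16:59:39 log_id=0105037898 type=event subtype=ha pri=warning '
    'vd="root" msg="HA device(interface) fail" ha_role=master devintfname=port1',
    '3 2010-01-14 16:59:41 log_id=0105037892 type=event subtype=ha pri=notice vd="root" '
    'msg="Virtual cluster\'s member state moved" vcluster=1 vcluster_state=standby '
    'vcluster_member=1 hostname=620_ha_1 sn=FG600B3908600705',
    '4 2009-11-13 09:11:45 log_id=0104032126 type=event subtype=admin vd=root '
    'pri=notice user="admin" ui=GUI(172.20.120.14) seq=1 sintf="external" '
    'dintf="internal" saddr="all" daddr="all" act=accept nat=no iptype=ipv4 '
    'schd="always" svr="ANY" log=no idbased=no '
    'msg="User admin added IPv4 firewall policy 3 from GUI(172.20.120.11)"',
    # Invented: a second policy add that never reaches the subordinate unit.
    '5 2009-11-13 09:12:10 log_id=0104032126 type=event subtype=admin vd=root '
    'pri=notice user="admin" ui=GUI(172.20.120.14) seq=2 sintf="external" '
    'dintf="internal" saddr="all" daddr="all" act=accept nat=no iptype=ipv4 '
    'schd="always" svr="ANY" log=no idbased=no '
    'msg="User admin added IPv4 firewall policy 4 from GUI(172.20.120.11)"',
]
SUBORDINATE_LOG = [
    '1 2009-11-13 09:11:45 log_id=0104032126 type=event subtype=admin vd=root '
    'pri=notice user="admin" ui=ha_daemon seq=1 sintf="external" dintf="internal" '
    'saddr="all" daddr="all" act=accept nat=no iptype=ipv4 schd="always" svr="ANY" '
    'log=no idbased=no msg="User admin added IPv4 firewall policy 3 from GUI(172.20.120.11)"',
]

if __name__ == "__main__":
    print("role transitions:", role_transitions(PRIMARY_LOG))
    print("interface failures:", monitored_interface_failures(PRIMARY_LOG))
    print("not synchronized:", unsynchronized_changes(PRIMARY_LOG, SUBORDINATE_LOG))
```

Run as a script it prints the three results for the sample. In practice the input would be the output of execute log display on each unit, or the lines forwarded to a syslog or FortiAnalyzer collector. An administrator change on the primary unit that never gets its ha_daemon twin on the subordinate is the symptom worth alerting on, since it means the two configurations are diverging and a failover would change the cluster's behaviour.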

FortiGate HA message "HA master heartbeat interface <intf_name> lost neighbor
information"
The following HA log messages may be recorded by an operating cluster:
2009-02-16 11:06:34 device_id=FG2001111111 log_id=0105035001 type=event
subtype=ha pri=critical vd=root msg="HA slave heartbeat interface internal lost
neighbor information"
2009-02-16 11:06:40 device_id=FG2001111111 log_id=0105035001 type=event
subtype=ha pri=notice vd=root msg="Virtual cluster 1 of group 0 detected new joined
HA member"
2009-02-16 11:06:40 device_id=FG2001111111 log_id=0105035001 type=event
subtype=ha pri=notice vd=root msg="HA master heartbeat interface internal get peer
information"
These log messages indicate that the cluster units could not connect to each other over
the HA heartbeat link for the period of time given by hb-interval x hb-lost-threshold,
which is 1.2 seconds with the default values.
To diagnose this problem
1 Check all heartbeat interface connections including cables and switches to make sure
they are connected and operating normally.
2 Use the following commands to display the status of the heartbeat interfaces.
get hardware nic <heartbeat_interface_name>
diagnose hardware deviceinfo nic <heartbeat_interface_name>
The status information may indicate the interface status and link status and also
indicate if a large number of errors have been detected.

3 If the log messages only appear during peak traffic times, increase the tolerance for
missed HA heartbeat packets by using the following commands to increase the lost
heartbeat threshold and heartbeat interval:
config system ha
set hb-lost-threshold 12
set hb-interval 4
end
These settings multiply the loss detection interval by 4. You can use higher values as
well.
4 Optionally disable session-pickup to reduce the processing load on the heartbeat
interfaces.
It may be useful to monitor CPU and memory usage to check for low memory and high
CPU usage. You can configure event logging to monitor CPU and memory usage. You can
also enable the CPU over usage and memory low SNMP events.
Once this monitoring is in place, try to determine whether there have been any changes in
the network or a recent increase in traffic that could be the cause. Check whether the
problem happens frequently and, if so, what the pattern is.
To monitor the CPU of the cluster units and troubleshoot further, use the following
procedure and commands:
get system performance status
get sys performance top 2
diagnose sys top 2
Repeated at frequent intervals, these commands show the activity of the CPU and the
number of sessions.
Search the Fortinet Knowledge Base for articles about monitoring CPU and memory
usage.
If the problem persists, gather the following information (a console connection might be
necessary if connectivity is lost) and provide it to Technical Support when opening a ticket:
• Debug log from the web-based manager: System > Maintenance > Advanced > debug
log
• CLI command output:
diag sys top 2 (keep it running for 20 seconds)
get sys perf status (repeat this command multiple times to get good samples)
get sys ha status
diag sys ha status
diag sys ha dump all
diag sys ha dump 2
diag sys ha dump 3
diag netlink dev list
diag hardware dev nic <Heartbeat port Name>
execute log filter category event
execute log display

Clusters and SNMP
You can use SNMP to manage a cluster by configuring a cluster interface for SNMP
administrative access. Using an SNMP manager you can get cluster configuration and
status information and receive traps.
You configure SNMP for a cluster in the same way as configuring SNMP for a standalone
FortiGate unit. SNMP configuration changes made to the cluster are shared by all cluster
units.
Each cluster unit sends its own traps, and SNMP manager systems can use SNMP get
commands to query each cluster unit separately. To send SNMP get queries to a specific
cluster unit you must create a special get command that includes the serial number of
that cluster unit.
Alternatively you can use the HA reserved management interface feature to give each
cluster unit a different management IP address. Then you can create an SNMP get
command for each cluster unit that just includes the management IP address and does
not have to include the serial number. See “Managing individual cluster units using a
reserved management interface” on page 1559.
For a list of HA MIB fields and OIDs, see the SNMP section of your FortiGate unit’s online
help (or search for MIB or OID).

SNMP get command syntax for the primary unit
Normally, to get configuration and status information for a standalone FortiGate unit or for
a primary unit, an SNMP manager would use an SNMP get command to get the
information in a MIB field. The SNMP get command syntax would be similar to the
following:
snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}
where:
<community_name> is an SNMP community name added to the FortiGate configuration.
You can add more than one community name to a FortiGate SNMP configuration. The
most commonly used community name is public.
<address_ipv4> is the IP address of the FortiGate interface that the SNMP manager
connects to.
{<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field
name itself. To find OIDs and MIB field names, see your FortiGate unit’s online help.
To get the HA status table for the primary unit
The following SNMP get command gets the HA status table for the primary unit. The
community name is public. The IP address of the FortiGate unit interface is 10.10.10.1.
The HA status table MIB field is fgHaStatsTable and the OID for this MIB field is
1.3.6.1.4.1.12356.101.13.2. The first command uses the MIB field name and the second
uses the OID for this table:
snmpget -v2c -c public 10.10.10.1 fgHaStatsTable
snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.101.13.2

SNMP get command syntax for any cluster unit
To get configuration status information for a specific cluster unit (for the primary unit or for
any subordinate unit), the SNMP manager must add the serial number of the cluster unit
to the SNMP get command after the community name. The community name and the
serial number are separated with a dash. The syntax for this SNMP get command would
be:
snmpget -v2c -c <community_name>-<fgt_serial> <address_ipv4> {<OID> | <MIB_field>}
where:
<community_name> is an SNMP community name added to the FortiGate configuration.
You can add more than one community name to a FortiGate SNMP configuration. All units
in the cluster have the same community name. The most commonly used community
name is public.
<fgt_serial> is the serial number of any cluster unit. For example,
FGT4002803033172. You can specify the serial number of any cluster unit, including the
primary unit, to get information for that unit.
<address_ipv4> is the IP address of the FortiGate interface that the SNMP manager
connects to.
{<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field
name itself. To find OIDs and MIB field names see your FortiGate unit’s online help.
If the serial number matches the serial number of a subordinate unit, the SNMP get
request is sent over the HA heartbeat link to the subordinate unit. After processing the
request, the subordinate unit sends the reply over the HA heartbeat link back to the
primary unit. The primary unit then forwards the response to the SNMP manager.
If the serial number matches the serial number of the primary unit, the SNMP get request
is processed by the primary unit. You can add a serial number to the community name of
any SNMP get request, but normally you only need to do this to get information from a
subordinate unit.
To get the HA status table for a subordinate unit
The following SNMP get command gets the HA status table for a subordinate unit in a
FortiGate-5001SX cluster. The subordinate unit has serial number FG50012205400050.
The community name is public. The IP address of the FortiGate interface is 10.10.10.1.
The HA status table MIB field is fgHaStatsTable and the OID for this MIB field is
1.3.6.1.4.1.12356.101.13.2. The first command uses the MIB field name and the second
uses the OID for this table:
snmpget -v2c -c public-FG50012205400050 10.10.10.1 fgHaStatsTable
snmpget -v2c -c public-FG50012205400050 10.10.10.1 1.3.6.1.4.1.12356.101.13.2
FortiGate SNMP recognizes the community name with syntax
<community_name>-<fgt_serial>. When the primary unit receives an SNMP get request
that includes the community name followed by the serial number, the FGCP extracts the
serial number from the request. Then the primary unit redirects the SNMP get request to
the cluster unit with that serial number. If the serial number matches the serial number of
the primary unit, the SNMP get is processed by the primary unit.

Getting serial numbers for all the units in a cluster
If you do not have the serial numbers of all cluster units available, you can use the
following SNMP command syntax to get all cluster unit serial numbers.
The following SNMP get command uses the MIB field name fgHaStatsSerial to get all
cluster unit serial numbers. The OID for this MIB field is
1.3.6.1.4.1.12356.101.13.2.2. The community name is public. The IP address
of the FortiGate interface is 10.10.10.1. The first command uses the MIB field name and
the second uses the OID for this MIB field:
snmpget -v2c -c public 10.10.10.1 fgHaStatsSerial
snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.101.13.2.2
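As an added example (not Fortinet tooling) covering both the <community_name>-<fgt_serial> syntax and the serial-number lookup just described, the following Python builds the per-unit snmpget invocations from snmpwalk-style output of fgHaStatsSerial. The OIDs are the ones given above and the output format follows net-snmp's default, but the sample lines, their instance suffixes and the second serial number are constructed, and the serial-number pattern and function names are assumptions of this example.

```python
"""Build per-unit SNMP get commands for a FortiGate HA cluster using the
<community_name>-<fgt_serial> community syntax.

Added example, not Fortinet tooling. It does not talk to the network: it
parses snmpwalk-style output for fgHaStatsSerial (a constructed sample is
embedded) and produces the snmpget argument vectors to run per cluster unit.
"""
import re
import shlex

# OIDs as given in the handbook text.
FG_HA_STATS_TABLE_OID = "1.3.6.1.4.1.12356.101.13.2"
FG_HA_STATS_SERIAL_OID = "1.3.6.1.4.1.12356.101.13.2.2"

# Serial numbers in the handbook look like FG600B3908600705 or FGT4002803033172.
# The pattern is an assumption used only to reject values that cannot address a unit.
_SERIAL = re.compile(r"^FG[0-9A-Z]{6,}$")
# net-snmp prints string-valued objects as:  <oid> = STRING: "value"
_WALK_LINE = re.compile(r'^\S+\s+=\s+STRING:\s+"?([^"]+)"?\s*$')


def parse_serials(walk_output):
    """Serial numbers found in snmpwalk output of fgHaStatsSerial, in walk order."""
    serials = []
    for line in walk_output.splitlines():
        m = _WALK_LINE.match(line.strip())
        if m and _SERIAL.match(m.group(1)):
            serials.append(m.group(1))
    return serials


def community_for_unit(community, serial=None):
    """Community string the FGCP redirects to the unit with that serial number.
    With no serial the request is answered by the primary unit."""
    if serial is None:
        return community
    if not _SERIAL.match(serial):
        raise ValueError("not a FortiGate serial number: %r" % serial)
    return "%s-%s" % (community, serial)


def snmpget_args(address, target, community, serial=None):
    """argv for net-snmp's snmpget in the handbook's form:
    snmpget -v2c -c <community>[-<serial>] <address> <OID or MIB field>."""
    return ["snmpget", "-v2c", "-c", community_for_unit(community, serial),
            address, target]


def cluster_queries(address, community, walk_output, target=FG_HA_STATS_TABLE_OID):
    """One snmpget argv per cluster unit, keyed by serial number."""
    return {serial: snmpget_args(address, target, community, serial)
            for serial in parse_serials(walk_output)}


def as_shell(args):
    """Render an argv as a safely quoted shell command line."""
    return " ".join(shlex.quote(a) for a in args)


# Constructed sample of what an snmpwalk of fgHaStatsSerial might print for a
# two-unit cluster (instance suffixes and the second serial are invented).
WALK_SAMPLE = """\
SNMPv2-SMI::enterprises.12356.101.13.2.2.1 = STRING: "FG50012205400050"
SNMPv2-SMI::enterprises.12356.101.13.2.2.2 = STRING: "FG50012205400051"
"""

if __name__ == "__main__":
    for serial, argv in cluster_queries("10.10.10.1", "public", WALK_SAMPLE).items():
        print(serial, "->", as_shell(argv))
```

Run as a script it prints one command line per cluster unit. Two practical notes: a table object such as fgHaStatsTable is normally retrieved with snmpwalk or snmptable (snmpget fetches a single instance, so the argv differs only in the program name), and with SNMPv2c the community string, serial suffix included, travels in cleartext, so SNMP administrative access should be enabled only on the interface that the SNMP manager actually uses.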

SNMP get command syntax - reserved management interface enabled
To get configuration and status information for any cluster unit where you have enabled
the HA reserved management interface feature and assigned IP addresses to the
management interface of each cluster unit, an SNMP manager would use the following get
command syntax:
snmpget -v2c -c <community_name> <mgt_address_ipv4> {<OID> | <MIB_field>}
where:
<community_name> is an SNMP community name added to the FortiGate configuration.
You can add more than one community name to a FortiGate SNMP configuration. The
most commonly used community name is public.
<mgt_address_ipv4> is the IP address of the FortiGate HA reserved management
interface that the SNMP manager connects to.
{<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field
name itself. To find OIDs and MIB field names see your FortiGate unit’s online help.
See “To get the HA status table using reserved management IP addresses” on page 1563.

Clusters and file quarantine
You can configure file quarantine for a cluster in the same way as configuring file
quarantine for a standalone FortiGate unit. Quarantine configuration changes made to the
cluster are shared by all cluster units.
In an active-active cluster, both the primary unit and the subordinate units accept antivirus
sessions and may quarantine files. In an active-passive cluster, only the primary unit
quarantines files. Multiple cluster units in an active-passive cluster may have quarantined
files if different cluster units have been the primary unit.
All cluster units quarantine files separately to their own hard disk. You can go to
Log & Report > Archive Access > Quarantine to view and manage the quarantine file list for
each cluster unit.
All cluster units can also quarantine files to a FortiAnalyzer unit. When you configure a
FortiAnalyzer unit to receive quarantine files from a cluster, you should add each cluster
unit to the FortiAnalyzer device configuration so that the FortiAnalyzer unit can receive
quarantine files from all cluster units.

Cluster members list
Display the cluster members list to view the status of the FortiGate units in an operating
cluster. To display the cluster members list, go to System > Config > HA.
From the cluster members list you can also:
• View HA statistics (see “Viewing HA statistics” on page 1578).
• View and optionally change the HA configuration of the operating cluster (see
“Changing the HA configuration of an operating cluster” on page 1579).
• View and optionally change the host name and device priority of a subordinate unit
(see “Changing the subordinate unit host name and device priority” on page 1580).
• Disconnect a cluster unit from a cluster (see “Disconnecting a cluster unit from a
cluster” on page 1591).
• Download the Debug log for any cluster unit. You can send this debug log file to
Fortinet Technical Support to help diagnose problems with the cluster or with individual
cluster units.

Figure 226: Example cluster members list (callouts: View HA Statistics, Up and Down
Arrows, Download Debug Log, Edit, Disconnect from Cluster)

View HA Statistics
Display the serial number, status, and monitor information for each cluster unit. See
“Viewing HA statistics” on page 1578.

Up and down arrows
Change the order in which cluster members are listed. The operation of the cluster or of
the units in the cluster is not affected. All that changes is the order in which cluster
units are displayed on the cluster members list.

Cluster member
Illustrations of the front panels of the cluster units. If the network jack for an interface
is shaded green, the interface is connected. Pause the mouse pointer over each
illustration to view the cluster unit host name, serial number, and how long the unit has
been operating (up time). The list of monitored interfaces is also displayed.

Hostname
The host name of the FortiGate unit. The default host name of the FortiGate unit is the
FortiGate unit serial number.
• To change the primary unit host name, go to the system dashboard and select Change
beside the current host name in the System Information widget.
• To change a subordinate unit host name, from the cluster members list select the edit
icon for a subordinate unit.

Role
The status or role of the cluster unit in the cluster.
• Role is MASTER for the primary (or master) unit.
• Role is SLAVE for all subordinate (or backup) cluster units.

Priority
The device priority of the cluster unit. Each cluster unit can have a different device
priority. During HA negotiation, the unit with the highest device priority becomes the
primary unit. The device priority range is 0 to 255. The default device priority is 128.

Disconnect from cluster
Disconnect the cluster unit from the cluster. See “Disconnecting a cluster unit from a
cluster” on page 1591.

Edit
Select Edit to change a cluster unit HA configuration.
• For a primary unit, select Edit to change the cluster HA configuration. You can also
change the device priority of the primary unit.
• For a primary unit in a virtual cluster, select Edit to change the virtual cluster HA
configuration. You can also change the virtual cluster 1 and virtual cluster 2 device
priority of this cluster unit.
• For a subordinate unit, select Edit to change the subordinate unit host name and
device priority. See “Changing the subordinate unit host name and device priority” on
page 1580.
• For a subordinate unit in a virtual cluster, select Edit to change the subordinate unit
host name. In addition you can change the device priority for the subordinate unit for
the selected virtual cluster.

Download debug log
Download an encrypted debug log to a file. You can send this debug log file to Fortinet
Technical Support to help diagnose problems with the cluster or with individual cluster
units.

Virtual cluster members list
If virtual domains are enabled, you can display the cluster members list to view the status
of the operating virtual clusters. The virtual cluster members list shows the status of both
virtual clusters including the virtual domains added to each virtual cluster.
To display the virtual cluster members list for an operating cluster, log in as the admin
administrator, select Global Configuration and go to System > Config > HA.
Figure 227: Example FortiGate-5001SX virtual cluster members list (callouts: Download
Debug Log, Up and Down Arrows, Edit, Disconnect from Cluster)

The fields and functions of the virtual cluster members list are the same as the fields and
functions described in “Cluster members list” on page 1576 with the following exceptions.
• When you select the edit icon for a primary unit in a virtual cluster, you can change the
virtual cluster 1 and virtual cluster 2 device priority of this cluster unit and you can edit
the VDOM partitioning configuration of the cluster.
• When you select the edit icon for a subordinate unit in a virtual cluster, you can change
the device priority for the subordinate unit for the selected virtual cluster.
Also, the HA cluster members list changes depending on the cluster unit you connect to.
For the virtual cluster described in “Example: virtual clustering with two VDOMs and VDOM
partitioning” on page 1527, if you connect to port5 you are connecting to 620b_ha_2
(620b_ha_2 is displayed on the web browser title bar or in the CLI prompt). If you connect
to port1 you are connecting to 620b_ha_1 (620b_ha_1 is displayed on the web browser
title bar or in the CLI prompt).

Viewing HA statistics
From the cluster members list you can select View HA statistics to display the serial
number, status, and monitor information for each cluster unit. To view HA statistics, go to
System > Config > HA and select View HA Statistics.
Figure 228: Example HA statistics (active-passive cluster)

Refresh every
Select to control how often the web-based manager updates the HA statistics display.

Back to HA monitor
Close the HA statistics list and return to the cluster members list.

Serial No.
Use the serial number ID to identify each FortiGate unit in the cluster. The cluster ID
matches the FortiGate unit serial number.

Status
Indicates the status of each cluster unit. A green check mark indicates that the cluster
unit is operating normally. A red X indicates that the cluster unit cannot communicate
with the primary unit.

Up Time
The time in days, hours, minutes, and seconds since the cluster unit was last started.

Monitor
Displays system status information for each cluster unit.

CPU Usage
The current CPU status of each cluster unit. The web-based manager displays CPU usage
for core processes only. CPU usage for management processes (for example, for HTTPS
connections to the web-based manager) is excluded.

Memory Usage
The current memory status of each cluster unit. The web-based manager displays
memory usage for core processes only. Memory usage for management processes (for
example, for HTTPS connections to the web-based manager) is excluded.

Active Sessions
The number of communications sessions being processed by the cluster unit.

Total Packets
The number of packets that have been processed by the cluster unit since it last started
up.

Virus Detected
The number of viruses detected by the cluster unit.

Network Utilization
The total network bandwidth being used by all of the cluster unit interfaces.

Total Bytes
The number of bytes that have been processed by the cluster unit since it last started up.

Intrusion Detected
The number of intrusions or attacks detected by Intrusion Protection running on the
cluster unit.

Changing the HA configuration of an operating cluster
To change the configuration settings of an operating cluster, go to System > Config > HA
to display the cluster members list. Select Edit for the master (or primary) unit in the
cluster members list to display the HA configuration page for the cluster.
You can use the HA configuration page to check and fine tune the configuration of the
cluster after the cluster is up and running. For example, if you connect or disconnect
cluster interfaces you may want to change the Port Monitor configuration.
Any changes you make on this page, with the exception of changes to the device priority,
are first made to the primary unit configuration and then synchronized to the subordinate
units. Changing the device priority only affects the primary unit.

Changing the HA configuration of an operating virtual cluster
To change the configuration settings of the primary unit in a functioning cluster with virtual
domains enabled, log in as the admin administrator, select Global Configuration and go to
System > Config > HA to display the cluster members list. Select Edit for the master (or
primary) unit in virtual cluster 1 or virtual cluster 2 to display the HA configuration page for
the virtual cluster.
You can use the virtual cluster HA configuration page to check and fine tune the
configuration of both virtual clusters after the cluster is up and running. For example, you
may want to change the Port Monitor configuration for virtual cluster 1 and virtual cluster 2
so that each virtual cluster monitors its own interfaces.
You can also use this configuration page to move virtual domains between virtual cluster 1
and virtual cluster 2. Usually you would distribute virtual domains between the two virtual
clusters to balance the amount of traffic being processed by each virtual cluster.
Any changes you make on this page, with the exception of changes to the device
priorities, are first made to the primary unit configuration and then synchronized to the
subordinate unit.

You can also adjust device priorities to configure the role of this cluster unit in the virtual
cluster. For example, to distribute traffic to both cluster units in the virtual cluster
configuration, you would want one cluster unit to be the primary unit for virtual cluster 1
and the other cluster unit to be the primary unit for virtual cluster 2. You can create this
configuration by setting the device priorities. The cluster unit with the highest device
priority in virtual cluster 1 becomes the primary unit for virtual cluster 1. The cluster unit
with the highest device priority in virtual cluster 2 becomes the primary unit in virtual
cluster 2.

Changing the subordinate unit host name and device priority
To change the host name and device priority of a subordinate unit in an operating cluster,
go to System > Config > HA to display the cluster members list. Select Edit for any slave
(subordinate) unit in the cluster members list.
To change the host name and device priority of a subordinate unit in an operating cluster
with virtual domains enabled, log in as the admin administrator, select Global
Configuration and go to System > Config > HA to display the cluster members list. Select
Edit for any slave (subordinate) unit in the cluster members list.
You can change the host name (Peer) and device priority (Priority) of this subordinate unit.
These changes only affect the configuration of the subordinate unit.
The device priority is not synchronized among cluster members. In a functioning cluster
you can change device priority to change the priority of any unit in the cluster. The next
time the cluster negotiates, the cluster unit with the highest device priority becomes the
primary unit.
The device priority range is 0 to 255. The default device priority is 128.

Upgrading cluster firmware
You can upgrade the FortiOS firmware running on an HA cluster in the same manner as
upgrading the firmware running on a standalone FortiGate unit. During a normal firmware
upgrade, the cluster upgrades the primary unit and all subordinate units to run the new
firmware image. The firmware upgrade takes place without interrupting communication
through the cluster.
Caution: Upgrading cluster firmware to a new major release (for example upgrading from
3.0 MRx to 4.0 MRx) is supported for clusters. Make sure you are taking an upgrade path
described in the release notes. Even so you should back up your configuration and only
perform such a firmware upgrade during a maintenance window.

To upgrade the firmware without interrupting communication through the cluster, the
cluster goes through a series of steps that involve first upgrading the firmware running on
the subordinate units, then making one of the subordinate units the primary unit, and
finally upgrading the firmware on the former primary unit. These steps are transparent to
the user and the network, but depending upon your HA configuration may result in the
cluster selecting a new primary unit.
The following sequence describes in detail the steps the cluster goes through during a
firmware upgrade and how different HA configuration settings may affect the outcome.
1 The administrator uploads a new firmware image from the web-based manager or CLI.
2 If the cluster is operating in active-active mode, load balancing is turned off.
3 The cluster upgrades the firmware running on all of the subordinate units.

4 Once the subordinate units have been upgraded, a new primary unit is selected.
This primary unit will be running the new upgraded firmware.
5 The cluster now upgrades the firmware of the former primary unit.
6 Depending on the device priority and override configuration of the cluster, one of the
following happens:
• If override is enabled and the former primary unit has the highest device priority, the
cluster renegotiates and the former primary unit (or the unit with the highest device
priority) once again becomes the primary unit.
• If override is not enabled or if all cluster units have the same device priority, the new
primary unit continues to operate as the primary unit and the former primary unit
continues to operate as a subordinate unit.
7 If the cluster is operating in active-active mode, load balancing is turned back on.

Changing how the cluster processes firmware upgrades
By default cluster firmware upgrades proceed as uninterruptable upgrades that do not
interrupt traffic flow. If required, you can use the following CLI command to change how
the cluster handles firmware upgrades. You might want to change this setting if you are
finding uninterruptable upgrades take too much time.
config system ha
set uninterruptable-upgrade disable
end
uninterruptable-upgrade is enabled by default. If you disable uninterruptable-upgrade,
the cluster still upgrades the firmware on all cluster units, but all cluster units are
upgraded at once, which takes less time but interrupts communication through the cluster.

Synchronizing the firmware build running on a new cluster unit
If the firmware build running on a FortiGate unit that you add to a cluster is older than the
cluster firmware build, you may be able to use the following steps to synchronize the
firmware running on the new cluster unit.
This procedure describes re-installing the same firmware build on a cluster to force the
cluster to upgrade all cluster units to the same firmware build.
Due to firmware upgrade and synchronization issues, in some cases this procedure may
not work. Installing the same firmware build that the cluster is running on the new unit
before adding the new unit to the cluster always works.
To synchronize the firmware build running on a new cluster unit
1 Obtain a firmware image that is the same as build already running on the cluster.
2 Connect to the cluster using the web-based manager.
3 Go to System > Dashboard > Status.
4 Select Update beside Firmware Version.
You can also install a newer firmware build.
5 Select OK.
After the firmware image is uploaded to the cluster, the primary unit upgrades all
cluster units to this firmware build.

Downgrading cluster firmware
For various reasons you may need to downgrade the firmware that a cluster is running.
You can use the information in this section to downgrade the firmware version running on
a cluster.
In most cases you can downgrade the firmware on an operating cluster using the same
steps as for a firmware upgrade. A warning message appears during the downgrade but
the downgrade usually works and after the downgrade the cluster continues operating
normally with the older firmware image.
Downgrading between some firmware versions, especially if features have changed
between the two versions, may not always work without the requirement to fix
configuration issues after the downgrade.
Only perform firmware downgrades during maintenance windows and make sure you
back up your cluster configuration before the downgrade.
If the firmware downgrade that you are planning may not work without configuration loss
or other problems, you can use the following downgrade procedure to make sure your
configuration is not lost after the downgrade.
To downgrade cluster firmware
This example shows how to downgrade the cluster shown in Figure 208 on page 1462.
The cluster consists of two cluster units (620_ha_1 and 620_ha_2). The port1 and port2
interfaces are connected to networks and the port3 and port4 interfaces are connected
together for the HA heartbeat.
This example describes separating each unit from the cluster and downgrading the
firmware on the standalone FortiGate units. There are several ways you could disconnect
units from the cluster. This example uses the disconnect from cluster function
described in “Disconnecting a cluster unit from a cluster” on page 1591.
1 Go to System > Maintenance > Backup & Restore and back up the cluster
configuration.
From the CLI use execute backup config.
2 Go to System > Config > HA and for 620_ha_1 select the Disconnect from cluster icon.
3 Select the port2 interface and enter an IP address and netmask of 10.11.101.101/24
and select OK.
From the CLI you can enter the following command (FG600B3908600705 is the serial
number of the cluster unit) to be able to manage the standalone FortiGate unit by
connecting to the port2 interface with IP address and netmask 10.11.101.101/24.
execute ha disconnect FG600B3908600705 port2 10.11.101.101/24
After 620_ha_1 is disconnected, 620_ha_2 continues processing traffic.
4 Connect to the 620_ha_1 web-based manager or CLI using IP address
10.11.101.101/24 and follow normal procedures to downgrade standalone FortiGate
unit firmware.
5 When the downgrade is complete confirm that the configuration of 620_ha_1 is correct.
6 Set the HA mode of 620_ha_2 to Standalone and follow normal procedures to
downgrade standalone FortiGate unit firmware.
Network communication will be interrupted for a short time during the downgrade.
7 When the downgrade is complete confirm that the configuration of 620_ha_2 is correct.
8 Set the HA mode of 620_ha_2 to Active-Passive or the required HA mode.

9 Set the HA mode of 620_ha_1 to the same mode as 620_ha_2.
If you have not otherwise changed the HA settings of the cluster units, and if the
firmware downgrades have not affected the configurations, the units should negotiate
and form a cluster running the downgraded firmware.

Backing up and restoring the cluster configuration
You can backup the configuration of the primary unit by logging into the web-based
manager or CLI and following normal configuration backup procedures.
The following configuration settings are not synchronized to all cluster units:
• HA override and priority
• The interface configuration of the HA reserved management interface (config
system interface)
• The HA reserved management interface default route (ha-mgmt-interface-gateway)
• The FortiGate unit host name.
To back up these configuration settings for each cluster unit you must log into each cluster
unit and back up its configuration.
If you need to restore the configuration of the cluster including the configuration settings
that are not synchronized you should first restore the configuration of the primary unit and
then restore the configuration of each cluster unit. Alternatively you could log into each
cluster unit and manually add the configuration settings that were not restored.

Monitoring cluster units for failover
If the primary unit in the cluster fails, the units in the cluster renegotiate to select a new
primary unit. Failure of the primary unit results in the following:
• If SNMP is enabled, the new primary unit sends HA trap messages. The messages
indicate a cluster status change, HA heartbeat failure, and HA member down. For
more info about HA and SNMP, see “Clusters and SNMP” on page 1573.
• If event logging is enabled and HA activity event is selected, the new primary unit
records log messages that show that the unit has become the primary unit. See
“Example log messages” on page 1567 for some example message sequences when
a failover occurs.
• If alert email is configured to send email for HA activity events, the new primary unit
sends an alert email containing the log message recorded by the event log.
• The cluster contains fewer FortiGate units. The failed primary unit no longer appears
on the Cluster Members list.
• The host name and serial number of the primary unit change. You can see these
changes when you log into the web-based manager or CLI.
• The cluster info displayed on the dashboard, cluster members list or from the get
system ha status command changes.

If a subordinate unit fails, the cluster continues to function normally. Failure of a
subordinate unit results in the following:
• If event logging is enabled and HA activity event is selected, the primary unit records
log messages that show that a subordinate has been removed from the cluster. See
“Example log messages” on page 1567 for some example message sequences.
• If alert email is configured to send email for HA activity events, the primary unit
sends an alert email containing the log message recorded by the event log.
• The cluster contains fewer FortiGate units. The failed unit no longer appears on the
Cluster Members list.

Viewing cluster status from the CLI
Use the get system ha status command to display information about an HA cluster.
The command displays general HA configuration settings. The command also displays
information about how the cluster unit that you have logged into is operating in the cluster.
Usually you would log into the primary unit CLI using SSH or telnet. In this case the get
system ha status command displays information about the primary unit first, and also
displays the HA state of the primary unit (the primary unit operates in the work state).
However, if you log into the primary unit and then use the execute ha manage
command to log into a subordinate unit (or if you use a console connection to log into a
subordinate unit), the get system ha status command displays information about this
subordinate unit first, and also displays the HA state of this subordinate unit. The state of a
subordinate unit is work for an active-active cluster and standby for an active-passive
cluster.
For a virtual cluster configuration, the get system ha status command displays
information about how the cluster unit that you have logged into is operating in virtual
cluster 1 and virtual cluster 2. For example, if you connect to the cluster unit that is the
primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2, the output of
the get system ha status command shows virtual cluster 1 in the work state and
virtual cluster 2 in the standby state. The get system ha status command also
displays additional information about virtual cluster 1 and virtual cluster 2.
The command display includes the following fields.

Model
    The FortiGate model number.
Mode
    The HA mode of the cluster: a-a or a-p.
Group
    The group ID of the cluster.
Debug
    The debug status of the cluster.
ses_pickup
    The status of session pickup: enable or disable.
load_balance
    The status of the load-balance-all keyword: enable or disable. Relevant to
    active-active clusters only.
schedule
    The active-active load balancing schedule. Relevant to active-active
    clusters only.
Master
Slave
    Master displays the device priority, host name, serial number, and cluster
    index of the primary (or master) unit.
    Slave displays the device priority, host name, serial number, and cluster
    index of the subordinate (or slave, or backup) unit or units.
    The list of cluster units changes depending on how you log into the CLI.
    Usually you would use SSH or telnet to log into the primary unit CLI. In
    this case the primary unit is at the top of the list followed by the other
    cluster units.
    If you use execute ha manage or a console connection to log into a
    subordinate unit CLI, and then enter get system ha status, the
    subordinate unit that you have logged into appears at the top of the list of
    cluster units.
number of vcluster
    The number of virtual clusters. If virtual domains are not enabled, the
    cluster has one virtual cluster. If virtual domains are enabled the cluster
    has two virtual clusters.
vcluster 1
Master
Slave
    The HA state (hello, work, or standby) and HA heartbeat IP address of
    the cluster unit that you have logged into in virtual cluster 1. If virtual
    domains are not enabled, vcluster 1 displays information for the
    cluster. If virtual domains are enabled, vcluster 1 displays
    information for virtual cluster 1.
    The HA heartbeat IP address is 169.254.0.2 if you are logged into the
    primary unit of virtual cluster 1 and 169.254.0.1 if you are logged into a
    subordinate unit of virtual cluster 1.
    vcluster 1 also lists the primary unit (master) and subordinate units
    (slave) in virtual cluster 1. The list includes the cluster index and serial
    number of each cluster unit in virtual cluster 1. The cluster unit that you
    have logged into is at the top of the list.
    If virtual domains are not enabled and you connect to the primary unit
    CLI, the HA state of the cluster unit in virtual cluster 1 is work. The
    display lists the cluster units starting with the primary unit.
    If virtual domains are not enabled and you connect to a subordinate unit
    CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The
    display lists the cluster units starting with the subordinate unit that you
    have logged into.
    If virtual domains are enabled and you connect to the virtual cluster 1
    primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is
    work. The display lists the cluster units starting with the virtual cluster 1
    primary unit.
    If virtual domains are enabled and you connect to the virtual cluster 1
    subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is
    standby. The display lists the cluster units starting with the subordinate
    unit that you are logged into.
vcluster 2
Master
Slave
    vcluster 2 only appears if virtual domains are enabled. vcluster 2
    displays the HA state (hello, work, or standby) and HA heartbeat IP
    address of the cluster unit that you have logged into in virtual cluster 2.
    The HA heartbeat IP address is 169.254.0.2 if you are logged into the
    primary unit of virtual cluster 2 and 169.254.0.1 if you are logged into a
    subordinate unit of virtual cluster 2.
    vcluster 2 also lists the primary unit (master) and subordinate units
    (slave) in virtual cluster 2. The list includes the cluster index and serial
    number of each cluster unit in virtual cluster 2. The cluster unit that you
    have logged into is at the top of the list.
    If you connect to the virtual cluster 2 primary unit CLI, the HA state of the
    cluster unit in virtual cluster 2 is work. The display lists the cluster units
    starting with the virtual cluster 2 primary unit.
    If you connect to the virtual cluster 2 subordinate unit CLI, the HA state
    of the cluster unit in virtual cluster 2 is standby. The display lists the
    cluster units starting with the subordinate unit that you are logged into.
Examples
The following example shows get system ha status output for a cluster of two
FortiGate-5001SX units operating in active-active mode. The cluster group ID, session
pickup, load balance all, and the load balancing schedule are all set to the default values.
The device priority of the primary unit is also set to the default value. The device priority of
the subordinate unit has been reduced to 100. The host name of the primary unit is
5001_Slot_4. The host name of the subordinate unit is 5001_Slot_3.
The command output was produced by connecting to the primary unit CLI (host name
5001_Slot_4).
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Master:128 5001_Slot_4 FG50012204400045 1
Slave :100 5001_Slot_3 FG50012205400050 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master:0 FG50012204400045
Slave :1 FG50012205400050
The following command output was produced by using execute ha manage 0 to log
into the subordinate unit CLI of the cluster shown in the previous example. The host name
of the subordinate unit is 5001_Slot_3.
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Slave :100 5001_Slot_3 FG50012205400050 0
Master:128 5001_Slot_4 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 169.254.0.2
Slave :1 FG50012205400050
Master:0 FG50012204400045
The following example shows get system ha status output for a cluster of three
FortiGate-5001 units operating in active-passive mode. The cluster group ID is set to 20
and session pickup is enabled. Load balance all and the load balancing schedule are set
to the default value. The device priority of the primary unit is set to 200. The device
priorities of the subordinate units are set to 128 and 100. The host name of the primary
unit is 5001_Slot_5. The host names of the subordinate units are 5001_Slot_3 and
5001_Slot_4.
Model: 5000
Mode: a-p
Group: 20
Debug: 0
ses_pickup: enable
load_balance: disable
schedule: round robin
Master:200 5001_Slot_5 FG50012206400112 0
Slave :100 5001_Slot_3 FG50012205400050 1
Slave :128 5001_Slot_4 FG50012204400045 2
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG50012206400112
Slave :1 FG50012204400045
Slave :2 FG50012205400050
The following example shows get system ha status output for a cluster of two
FortiGate-5001 units with virtual clustering enabled. This command output was produced
by logging into the primary unit for virtual cluster 1 (hostname: 5001_Slot_4, serial number
FG50012204400045).
The virtual clustering output shows that the cluster unit with host name 5001_Slot_4 and
serial number FG50012204400045 is operating as the primary unit for virtual cluster 1 and
the subordinate unit for virtual cluster 2.

For virtual cluster 1 the cluster unit that you have logged into is operating in the work state
and the serial number of the primary unit for virtual cluster 1 is FG50012204400045. For
virtual cluster 2 the cluster unit that you have logged into is operating in the standby state
and the serial number of the primary unit for virtual cluster 2 is FG50012205400050.
Model: 5000
Mode: a-p
Group: 20
Debug: 0
ses_pickup: enable
load_balance: disable
schedule: round robin
Master:128 5001_Slot_4 FG50012204400045 1
Slave :100 5001_Slot_3 FG50012205400050 0
number of vcluster: 2
vcluster 1: work 169.254.0.2
Master:0 FG50012204400045
Slave :1 FG50012205400050
vcluster 2: standby 169.254.0.1
Slave :1 FG50012204400045
Master:0 FG50012205400050
The following example shows get system ha status output for the same cluster as
shown in the previous example after using execute ha manage 0 to log into the
primary unit for virtual cluster 2 (hostname: 5001_Slot_3, serial number
FG50012205400050).
Model: 5000
Mode: a-p
Group: 20
Debug: 0
ses_pickup: enable
load_balance: disable
schedule: round robin
Slave :100 5001_Slot_3 FG50012205400050 0
Master:128 5001_Slot_4 FG50012204400045 1
number of vcluster: 2
vcluster 1: standby 169.254.0.2
Slave :1 FG50012205400050
Master:0 FG50012204400045
vcluster 2: work 169.254.0.1
Master:0 FG50012205400050
Slave :1 FG50012204400045
The following example shows get system ha status output for a virtual cluster
configuration where the cluster unit with hostname: 5001_Slot_4 and serial number
FG50012204400045 is the primary unit for both virtual clusters. This command output is
produced by logging into cluster unit with host name 5001_Slot_4 and serial number
FG50012204400045.
Model: 5000
Mode: a-p
Group: 20
Debug: 0
ses_pickup: enable
load_balance: disable
schedule: round robin
Master:128 5001_Slot_4 FG50012204400045 1
Slave :100 5001_Slot_3 FG50012205400050 0
number of vcluster: 2
vcluster 1: work 169.254.0.2
Master:0 FG50012204400045
Slave :1 FG50012205400050
vcluster 2: work 169.254.0.2
Master:0 FG50012204400045
Slave :1 FG50012205400050

About the HA cluster index and the execute ha manage command
When a cluster starts up, the FortiGate Cluster Protocol (FGCP) assigns a cluster index
and a HA heartbeat IP address to each cluster unit based on the serial number of the
cluster unit. The FGCP selects the cluster unit with the highest serial number to become
the primary unit. The FGCP assigns a cluster index of 0 and an HA heartbeat IP address
of 169.254.0.1 to this unit. The FGCP assigns a cluster index of 1 and an HA heartbeat IP
address of 169.254.0.2 to the cluster unit with the second highest serial number. If the
cluster contains more units, the cluster unit with the third highest serial number is assigned
a cluster index of 2 and an HA heartbeat IP address of 169.254.0.3, and so on. You can
display the cluster index assigned to each cluster unit using the get system ha
status command. Also when you use the execute ha manage command you select a
cluster unit to log into by entering its cluster index.
The cluster index and HA heartbeat IP address only change if a unit leaves the cluster or if
a new unit joins the cluster. When one of these events happens, the FGCP resets the
cluster index and HA heartbeat IP address of each cluster unit according to serial number
in the same way as when the cluster first starts up.
Each cluster unit keeps its assigned cluster index and HA heartbeat IP address even as
the units take on different roles in the cluster. After the initial cluster index and HA
heartbeat IP addresses are set according to serial number, the FGCP checks other
primary unit selection criteria such as device priority and monitored interfaces. Checking
these criteria could result in selecting a cluster unit without the highest serial number to
operate as the primary unit.
Even if the cluster unit without the highest serial number now becomes the primary unit,
the cluster indexes and HA heartbeat IP addresses assigned to the individual cluster units
do not change. Instead the FGCP assigns a second cluster index, which could be called
the operating cluster index, to reflect this role change. The operating cluster index is 0 for
the primary unit and 1 and higher for the other units in the cluster. By default both sets of
cluster indexes are the same. But if primary unit selection selects the cluster unit that does
not have the highest serial number to be the primary unit then this cluster unit is assigned
an operating cluster index of 0. The operating cluster index is used by the FGCP only. You
can display the operating cluster index assigned to each cluster unit using the get
system ha status command. There are no CLI commands that reference the
operating cluster index.
Note: Even though there are two cluster indexes there is only one HA heartbeat IP address
and the HA heartbeat address is not affected by a change in the operating cluster index.

Using the execute ha manage command
When you use the CLI command execute ha manage <index_integer> to connect
to the CLI of another cluster unit, the <index_integer> that you enter is the cluster
index of the unit that you want to connect to.

Using get system ha status to display cluster indexes
You can display the cluster index assigned to each cluster unit using the CLI command
get system ha status. The following example shows the information displayed by the
get system ha status command for a cluster consisting of two FortiGate-5001SX
units operating in active-passive HA mode with virtual domains not enabled and without
virtual clustering.
get system ha status
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 5001_slot_7 FG50012205400050 0
Slave :128 5001_slot_11 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG50012205400050
Slave :1 FG50012204400045
In this example, the cluster unit with serial number FG50012205400050 has the highest
serial number and so has a cluster index of 0 and the cluster unit with serial number
FG50012204400045 has a cluster index of 1. From the CLI of the primary (or master) unit
of this cluster you can connect to the CLI of the subordinate (or slave) unit using the
following command:
execute ha manage 1
This works because the cluster unit with serial number FG50012204400045 has a cluster
index of 1.
The get system ha status command output shows two similar lists of indexes and
serial numbers. The listing on the sixth and seventh lines of the command output are the
cluster indexes assigned according to cluster unit serial number. These are the cluster
indexes that you enter when using the execute ha manage command. The cluster
indexes shown in the last two lines of the command output are the operating cluster
indexes that reflect how the cluster units are actually operating in the cluster. In this
example both sets of cluster indexes are the same.
The last three lines of the command output display the status of vcluster 1. In a cluster
consisting of two cluster units operating without virtual domains enabled all clustering
actually takes place in virtual cluster 1. HA is designed to work this way to support virtual
clustering. If this cluster was operating with virtual domains enabled, adding virtual cluster
2 is similar to adding a new copy of virtual cluster 1. Virtual cluster 2 is visible in the get
system ha status command output when you add virtual domains to virtual cluster 2.
The HA heartbeat IP address displayed on the vcluster 1 line is the HA heartbeat IP
address of the cluster unit that is actually operating as the primary unit. For a default
configuration this IP address will always be 169.254.0.1 because the cluster unit with the
highest serial number will be the primary unit. This IP address changes if the operating
primary unit is not the cluster unit with the highest serial number.

Example: actual and operating cluster indexes do not match
This example shows get system ha status command output for the same cluster of
two FortiGate-5001SX units. However, in this example the device priority of the cluster
unit with the serial number FG50012204400045 is increased to 200. As a result the cluster
unit with the lower serial number becomes the primary unit. This means the actual and
operating cluster indexes of the cluster units do not match.
get system ha status
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 5001_slot_7 FG50012205400050 0
Slave :200 5001_slot_11 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master:1 FG50012205400050
Slave :0 FG50012204400045
The actual cluster indexes have not changed but the operating cluster indexes have. Also,
the HA heartbeat IP address displayed for vcluster 1 has changed to 169.254.0.2.

Virtual clustering example output
The get system ha status command output is the same if a cluster is operating with
virtual clustering turned on but with all virtual domains in virtual cluster 1. The following
get system ha status command output example shows the same cluster operating
as a virtual cluster with virtual domains in virtual cluster 1 and added to virtual cluster 2. In
this example the cluster unit with serial number FG50012204400045 is the primary unit for
virtual cluster 1 and the cluster unit with serial number FG50012205400050 is the primary
unit for virtual cluster 2.
get system ha status
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 5001_slot_7 FG50012205400050 0
Slave :200 5001_slot_11 FG50012204400045 1
number of vcluster: 2
vcluster 1: work 169.254.0.2
Master:1 FG50012205400050
Slave :0 FG50012204400045
vcluster 2: standby 169.254.0.1
Master:0 FG50012205400050
Slave :1 FG50012204400045
This example shows three sets of indexes. The indexes in lines six and seven are still
used by the execute ha manage command. The indexes on lines ten and eleven are for
the primary and subordinate units in virtual cluster 1 and the indexes on the last two lines
are for virtual cluster 2.
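The monitoring section above (what changes in the cluster when the primary or a subordinate unit fails) and the cluster index sections (the serial-number index that execute ha manage takes versus the operating index that reflects the current role) both come down to reading get system ha status correctly. The following Python script is an added example, not code from the FortiOS Handbook or from Fortinet. It parses pasted get system ha status output into the settings, the member list and the per-virtual-cluster operating indexes, reconstructs the FGCP index and heartbeat IP assignment from the serial numbers, flags units whose operating index differs from their cluster index, and diffs two snapshots to report a primary change or a unit leaving the cluster. The two SAMPLE_HANDBOOK_* strings are the handbook's own outputs from this section; SAMPLE_AFTER_FAILURE is a constructed snapshot, and how the snapshots are obtained (for example by polling over SSH) and all function and constant names are the author's choices, not Fortinet's.

```python
"""Parse FortiOS 4.0 MR2 `get system ha status` output: FGCP cluster indexes,
operating primary and failover. Added example, not code from the FortiOS
Handbook or from Fortinet. The SAMPLE_HANDBOOK_* texts are the handbook's own
outputs; SAMPLE_AFTER_FAILURE and the snapshot diff are the author's assumptions."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Member list line "Master:128 <host> <serial> <index>"; index is the argument to `execute ha manage`.
Member = namedtuple("Member", "role priority hostname serial index")


@dataclass
class VCluster:
    number: int
    state: str          # hello, work or standby
    heartbeat_ip: str   # 169.254.0.x printed on the vcluster line
    operating: dict = field(default_factory=dict)  # serial -> operating cluster index

    @property
    def primary(self):  # the handbook defines operating index 0 as the acting primary
        return next(s for s, i in self.operating.items() if i == 0)


def parse_ha_status(text):
    settings, members, vclusters = {}, [], []
    for raw in text.splitlines():
        line = re.sub(r"^(Master|Slave)\s*:", r"\1:", raw.strip())  # "Slave :100" -> "Slave:100"
        if not line or line.startswith("get system ha status"):
            continue
        m = re.match(r"^vcluster (\d+):\s+(\w+)\s+(\S+)$", line)
        if m:
            vclusters.append(VCluster(int(m.group(1)), m.group(2), m.group(3)))
        elif line.startswith(("Master:", "Slave:")):
            tokens = line.split()
            role, prio = tokens[0].split(":")
            if vclusters:  # "Master:0 <serial>" under a vcluster line: operating index
                vclusters[-1].operating[tokens[1]] = int(prio)
            else:          # member list line: priority, host name, serial, cluster index
                members.append(Member(role, int(prio), tokens[1], tokens[2], int(tokens[3])))
        else:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings, members, vclusters


def expected_indexes(serials):
    """FGCP rule: highest serial gets index 0 and 169.254.0.1, next gets 1 and 169.254.0.2, ..."""
    return {s: (i, f"169.254.0.{i + 1}") for i, s in enumerate(sorted(serials, reverse=True))}


def index_mismatches(members, vclusters):
    """Per virtual cluster, serials whose operating index differs from the serial-number
    index. Non-empty means priority/override, not serial number, chose the primary."""
    by_serial = {m.serial: m.index for m in members}
    out = {}
    for vc in vclusters:
        diff = {s: (by_serial[s], op) for s, op in vc.operating.items() if by_serial[s] != op}
        if diff:
            out[vc.number] = diff
    return out


def failover_events(before, after):
    """Diff two polled snapshots for what changes on failure: primary serial, member set."""
    (_, m0, v0), (_, m1, v1) = before, after
    events = []
    if v0[0].primary != v1[0].primary:
        events.append(f"primary changed: {v0[0].primary} -> {v1[0].primary}")
    for s in sorted({m.serial for m in m0} - {m.serial for m in m1}):
        events.append(f"member left cluster: {s}")
    return events


# Handbook example: two FortiGate-5001SX units, a-p, default device priorities.
SAMPLE_HANDBOOK_DEFAULT = """\
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 5001_slot_7 FG50012205400050 0
Slave :128 5001_slot_11 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG50012205400050
Slave :1 FG50012204400045
"""
# Handbook example after FG50012204400045's priority is raised to 200 (settings lines omitted).
SAMPLE_HANDBOOK_PRIORITY_200 = """\
Master:128 5001_slot_7 FG50012205400050 0
Slave :200 5001_slot_11 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master:1 FG50012205400050
Slave :0 FG50012204400045
"""
# Constructed (not from the handbook): same cluster after FG50012205400050 fails and leaves.
SAMPLE_AFTER_FAILURE = """\
Master:128 5001_slot_11 FG50012204400045 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG50012204400045
"""
```

Run index_mismatches on a snapshot before using execute ha manage on a cluster whose device priorities or override setting have been changed: when it returns a non-empty result, the index printed on the Master and Slave lines is the serial-number index and not the unit's current role, so index 0 may belong to a subordinate. The list returned by failover_events is what you would log or alert on in addition to the SNMP traps and HA activity event messages described in the monitoring section.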

Managing individual cluster units
The following procedure describes how to use SSH to log into the primary unit CLI and
from there to use the execute ha manage command to connect to the CLI of any other
unit in the cluster. The procedure is very similar if you use telnet, or the web-based
manager dashboard CLI console.

You can use the execute ha manage command from the CLI of any cluster unit to log
into the CLI of another cluster unit. Usually you would use this command from the CLI
of the primary unit to log into the CLI of a subordinate unit. However, if you have logged
into a subordinate unit CLI, you can use this command to log into the primary unit CLI, or
the CLI of another subordinate unit.
Using SSH or telnet or the web-based manager dashboard CLI console you can only log
into the primary unit CLI. Using a direct console connection you can log into any cluster
unit. In both cases you can use execute ha manage to connect to the CLI of other
cluster units.
Note: You log into the subordinate unit using the FGT_ha_admin administrator account.
This built-in administrator account gives you read and write permission on the subordinate
unit. Normally this built-in administrative account is not visible, however FGT_ha_admin
does appear in event log messages.

1 Use SSH to connect to the cluster and log into the primary unit CLI.
Connect to any cluster interface configured for SSH administrative access to log into
the cluster.
2 Enter the following command followed by a space and type a question mark (?):
execute ha manage
The CLI displays a list of all the subordinate units in the cluster. Each cluster unit is
numbered, starting at 1. The information displayed for each cluster unit includes the
unit serial number and the host name of the unit.
3 Complete the command with the number of the subordinate unit to log into. For
example, to log into subordinate unit 1, enter the following command:
execute ha manage 1
Press Enter to connect to and log into the CLI of the selected subordinate unit. If this
subordinate unit has a different host name, the CLI prompt changes to this host name.
You can use CLI commands to manage this subordinate unit. If you make changes to
the configuration of any cluster unit (primary or subordinate unit) these changes are
synchronized to all cluster units.
4 You can now use the execute ha manage command to connect to any other cluster
unit (including the primary unit). You can also use the exit command to return to the
primary unit CLI.

Disconnecting a cluster unit from a cluster
Use the following procedures to disconnect a cluster unit from a functioning cluster without
disrupting the operation of the cluster. You can disconnect a cluster unit if you need to use
the disconnected FortiGate unit for another purpose, such as to act as a standalone
firewall.
You can use the following procedures for a standard cluster and for a virtual clustering
configuration. To use the following procedures from a virtual cluster you must be logged in
as the admin administrator and you must have selected Global Configuration.
When you disconnect a cluster unit you must assign an IP address and netmask to one of
the interfaces of the disconnected unit. You can disconnect any unit from the cluster even
the primary unit. After the unit is disconnected, the cluster responds as if the disconnected
unit has failed. The cluster may renegotiate and may select a new primary unit.

When the cluster unit is disconnected the HA mode is changed to standalone. In addition,
all interface IP addresses of the disconnected unit are set to 0.0.0.0 except for the
interface that you configure.
Otherwise the configuration of the disconnected unit is not changed. The HA configuration
of the disconnected unit is not changed either (except to change the HA mode to
Standalone).
To disconnect a cluster unit from a cluster - web-based manager
1 Go to System > Config > HA to view the cluster members list.
2 Select the Disconnect from cluster icon for the cluster unit to disconnect from the
cluster.
3 Select the interface that you want to configure. You also specify the IP address and
netmask for this interface. When the FortiGate unit is disconnected, all management
access options are enabled for this interface.
4 Specify an IP address and netmask for the interface. You can use this IP address to
connect to the interface to configure the disconnected FortiGate unit.
5 Select OK.
The FortiGate unit is disconnected from the cluster and the cluster may renegotiate
and select a new primary unit. The selected interface of the disconnected unit is
configured with the specified IP address and netmask.
To disconnect a cluster unit from a cluster - CLI
1 Enter the following command to disconnect the cluster unit with serial number
FGT5002803033050. The internal interface of the disconnected unit is set to IP
address 1.1.1.1 and netmask 255.255.255.0.
execute ha disconnect FGT5002803033050 internal 1.1.1.1 255.255.255.0

Adding a disconnected FortiGate unit back to its cluster
If you disconnect a FortiGate unit from a cluster, you can re-connect the disconnected
FortiGate unit to the cluster by setting the HA mode of the disconnected unit to match the
HA mode of the cluster. Usually the disconnected unit rejoins the cluster as a subordinate
unit and the cluster automatically synchronizes its configuration.
Note: You do not have to change the HA password on the disconnected unit unless the HA
password has been changed after the unit was disconnected. Disconnecting a unit from a
cluster does not change the HA password.
Caution: You should make sure that the device priority of the disconnected unit is lower
than the device priority of the current primary unit. You should also make sure that the HA
override CLI option is not enabled on the disconnected unit. Otherwise, when the
disconnected unit joins the cluster, the cluster will renegotiate and the disconnected unit
may become the primary unit. If this happens, the configuration of the disconnected unit is
synchronized to all other cluster units. This configuration change might disrupt the
operation of the cluster.

The following procedure assumes that the disconnected FortiGate unit is correctly
physically connected to your network and to the cluster but is not running in HA mode and
not part of the cluster.


Before you start this procedure you should note the device priority of the primary unit.
To add a disconnected FortiGate unit back to its cluster - web-based manager
1 Log into the disconnected FortiGate unit.
If virtual domains are enabled, log in as the admin administrator and select Global
Configuration.
2 Go to System > Config > HA.
3 Change Mode to match the mode of the cluster.
4 If required, change the group name and password to match the cluster.
5 Set the Device Priority lower than the device priority of the primary unit.
6 Select OK.
The disconnected FortiGate unit joins the cluster.
To add a disconnected FortiGate unit back to its cluster - CLI
1 Log into the CLI of the FortiGate unit to be added back to the cluster.
2 Enter the following command to access the global configuration and add the FortiGate
unit back to a cluster operating in active-passive mode and set the device priority to 50
(a low number) so that this unit will not become the primary unit:
config global
config system ha
set mode a-p
set priority 50
end
end
You may have to also change the group name, group id and password. However if you
have not changed these for the cluster or the FortiGate unit after it was disconnected
from the cluster you should not have to adjust them now.


HA and failover protection
In FortiGate active-passive HA, the FortiGate Clustering Protocol (FGCP) provides
failover protection. This means that an active-passive cluster can provide FortiGate
services even when one of the cluster units encounters a problem that would result in
complete loss of connectivity for a stand-alone FortiGate unit. This failover protection
provides a backup mechanism that can be used to reduce the risk of unexpected
downtime, especially in a mission-critical environment.
The FGCP supports three kinds of failover protection. Device failover automatically
replaces a failed device and restarts traffic flow with minimal impact on the network. Link
failover maintains traffic flow if a link fails. Session failover resumes communication
sessions with minimal loss of data if a device or link failover occurs.
This chapter describes how FGCP failover protection works and provides detailed
NAT/Route and Transparent mode packet flow descriptions. This chapter also describes
standalone session synchronization, a FortiGate configuration that uses some HA failover
protection features to provide session synchronization for two FortiGate units that are not
operating in HA mode.
This chapter contains the following sections:
• About active-passive failover
• About active-active failover
• Device failover
• HA heartbeat and communication between cluster units
• Cluster virtual MAC addresses
• Synchronizing the configuration
• Synchronizing routing table updates
• Synchronizing IPsec VPN SAs
• Link failover
• Remote link failover
• Session failover (session pick-up)
• Subsecond failover
• WAN optimization and HA
• Failover and attached network equipment
• Monitoring cluster units for failover
• NAT/Route mode active-passive cluster packet flow
• Transparent mode active-passive cluster packet flow
• Failover performance


About active-passive failover
To achieve failover protection in an active-passive cluster, one of the cluster units
functions as the primary unit, while the rest of the cluster units are subordinate units,
operating in an active stand-by mode. The cluster IP addresses and HA virtual MAC
addresses are associated with the cluster interfaces of the primary unit. All traffic directed
at the cluster is actually sent to and processed by the primary unit.
While the cluster is functioning, the primary unit functions as the FortiGate network
security device for the networks that it is connected to. In addition, the primary unit and
subordinate units use the HA heartbeat to keep in constant communication. The
subordinate units report their status to the primary unit and receive and store connection
and state table updates.

Device failure
If the primary unit encounters a problem that is severe enough to cause it to fail, the
remaining cluster units negotiate to select a new primary unit. This occurs because all of
the subordinate units are constantly waiting to negotiate to become primary units. Only the
heartbeat packets sent by the primary unit keep the subordinate units from becoming
primary units. Each received heartbeat packet resets negotiation timers in the subordinate
units. If this timer is allowed to run out because the subordinate units do not receive
heartbeat packets from the primary unit, the subordinate units assume that the primary
unit has failed, and negotiate to become primary units themselves.
Using the same FGCP negotiation process that occurs when the cluster starts up, after
they determine that the primary unit has failed, the subordinate units negotiate amongst
themselves to select a new primary unit. The subordinate unit that wins the negotiation
becomes the new primary unit with the same MAC and IP addresses as the former
primary unit. The new primary unit then sends gratuitous ARP packets out all of its
interfaces to inform attached switches to send traffic to the new primary unit. Sessions
then resume with the new primary unit.

Link failure
If a primary unit interface fails or is disconnected while a cluster is in operation, a link
failure occurs. When a link failure occurs the cluster units negotiate to select a new primary
unit. Since the primary unit has not stopped operating, it participates in the negotiation. The
link failure means that a new primary unit must be selected and the cluster unit with the link
failure joins the cluster as a subordinate unit.
Just as for a device failover, the new primary unit sends gratuitous ARP packets out all of its
interfaces to inform attached switches to send traffic to it. Sessions then resume with the
new primary unit.
If a subordinate unit experiences a link failure its status in the cluster does not change.
However, in future negotiations a cluster unit with a link failure is unlikely to become the
primary unit.

Session failover
If you enable session failover (also called session pickup) for the cluster, during cluster
operation the primary unit informs the subordinate units of changes to the primary unit
connection and state tables, keeping the subordinate units up-to-date with the traffic
currently being processed by the cluster.
After a failover the new primary unit recognizes open sessions that were being handled by
the cluster. The sessions continue to be processed by the new primary unit and are
handled according to their last known state.


If you leave session pickup disabled, the cluster does not keep track of sessions and after
a failover, active sessions have to be restarted or resumed.

Primary unit recovery
If a primary unit recovers after a device or link failure, it operates as a subordinate unit,
unless the override CLI keyword is enabled and its device priority is set higher than the
device priority of the other cluster units (see “HA override” on page 1449).

About active-active failover
HA failover in a cluster running in active-active mode is similar to active-passive failover
described above. Active-active subordinate units are constantly waiting to negotiate to
become primary units and, if session failover is enabled, continuously receive connection
state information from the primary unit. If the primary unit fails, or one of the primary unit
interfaces fails, the cluster units use the same mechanisms to detect the failure and to
negotiate to select a new primary unit. If session failover is enabled, the new primary unit
also maintains communication sessions through the cluster using the shared connection
state table.
Active-active HA load balances sessions among all cluster units. For session failover, the
cluster must maintain all of these sessions. To load balance sessions, the functioning
cluster uses a load balancing schedule to distribute sessions to all cluster units. The
shared connection state table tracks the communication sessions being processed by all
cluster units (not just the primary unit). After a failover, the new primary unit uses the load
balancing schedule to re-distribute all of the communication sessions recorded in the
shared connection state table among all of the remaining cluster units. The connections
continue to be processed by the cluster, but possibly by a different cluster unit, and are
handled according to their last known state.

Device failover
The FGCP provides transparent device failover. Device failover is a basic requirement of
any highly available system. Device failover means that if a device fails, a replacement
device automatically takes the place of the failed device and continues operating in the
same manner as the failed device.
In the case of FortiOS HA, the device is the primary unit. If the primary unit fails, device
failover ensures that one of the subordinate units in the cluster automatically takes the
place of the primary unit and can continue processing network traffic in the same way as
the failed primary unit.
Note: Device failover does not maintain communication sessions. After a device failover,
communication sessions have to be restarted. To maintain communication sessions, you
must enable session failover. See “Session failover (session pick-up)” on page 1630.

FortiGate HA device failover is supported by the HA heartbeat, virtual MAC addresses,
configuration synchronization, route synchronization and IPsec VPN SA synchronization.
The HA heartbeat makes sure that the subordinate units detect a primary unit failure. If the
primary unit fails to respond on time to HA heartbeat packets the subordinate units
assume that the primary unit has failed and negotiate to select a new primary unit.


The new primary unit takes the place of the failed primary unit and continues functioning in
the same way as the failed primary unit. For the new primary unit to continue functioning
like the failed primary unit, the new primary unit must be able to reconnect to network
devices and the new primary unit must have the same configuration as the failed primary
unit.
FortiGate HA uses virtual MAC addresses to reconnect the new primary unit to network
devices. The FGCP causes the new primary unit interfaces to acquire the same virtual
MAC addresses as the failed primary unit. As a result, the new primary unit has the same
network identity as the failed primary unit.
The new primary unit interfaces have different physical connections than the failed primary
unit. Both the failed and the new primary unit interfaces are connected to the same
switches, but the new primary unit interfaces are connected to different ports on these
switches. To make sure that the switches send packets to the new primary unit, the new
primary unit interfaces send gratuitous ARP packets to the connected switches. These
gratuitous ARP packets notify the switches that the primary unit MAC and IP addresses
are on different switch ports and cause the switches to send packets to the ports
connected to the new primary unit. In this way, the new primary unit continues to receive
packets that would otherwise have been sent to the failed primary unit.
Configuration synchronization means that the new primary unit always has the same
configuration as the failed primary unit. As a result the new primary unit operates in
exactly the same way as the failed primary unit. If configuration synchronization were not
available the new primary unit may not process network traffic in the same way as the
failed primary unit.
Route synchronization synchronizes the primary unit routing table to all subordinate units
so that after a failover the new primary unit does not have to form a completely new
routing table. IPsec VPN SA synchronization synchronizes IPsec VPN security
associations (SAs) and other IPsec session data so that after a failover the new primary
unit can resume IPsec tunnels without having to establish new SAs.

HA heartbeat and communication between cluster units
The HA heartbeat keeps cluster units communicating with each other. The heartbeat
consists of hello packets that are sent at regular intervals by the heartbeat interface of all
cluster units. These hello packets describe the state of the cluster unit and are used by
other cluster units to keep all cluster units synchronized.
HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891,
and 0x8893. The default time interval between HA heartbeats is 200 ms. The FGCP uses
link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.
For best results, isolate the heartbeat devices from your user networks by connecting the
heartbeat devices to a separate switch that is not connected to any network. If the cluster
consists of two FortiGate units you can connect the heartbeat device interfaces directly
using a crossover cable. Heartbeat packets contain sensitive information about the cluster
configuration. Heartbeat packets may also use a considerable amount of network
bandwidth. For these reasons, it is preferable to isolate heartbeat packets from your user
networks.
On startup, a FortiGate unit configured for HA operation broadcasts HA heartbeat hello
packets from its HA heartbeat interface to find other FortiGate units configured to operate
in HA mode. If two or more FortiGate units operating in HA mode connect with each other,
they compare HA configurations (HA mode, HA password, and HA group ID). If the HA
configurations match, the units negotiate to form a cluster.


While the cluster is operating, the HA heartbeat confirms that all cluster units are
functioning normally. The heartbeat also reports the state of all cluster units, including the
communication sessions that they are processing.

Heartbeat interfaces
A heartbeat interface is an Ethernet network interface in a cluster that is used by the
FGCP for HA heartbeat communications between cluster units.
To change the HA heartbeat configuration go to System > Config > HA and select the
FortiGate interfaces to use as HA heartbeat interfaces.
From the CLI enter the following command to make port4 and port5 HA heartbeat
interfaces and give both interfaces a heartbeat priority of 150:
config system ha
set hbdev port4 150 port5 150
end
The following example shows how to change the default heartbeat interface configuration
so that the port4 and port1 interfaces can be used for HA heartbeat communication and to
give the port4 interface the highest heartbeat priority so that port4 is the preferred HA
heartbeat interface.
config system ha
set hbdev port4 100 port1 50
end
By default, for most FortiGate models two interfaces are configured to be heartbeat
interfaces. You can change the heartbeat interface configuration as required. For example
you can select additional or different heartbeat interfaces. You can also select only one
heartbeat interface.
In addition to selecting the heartbeat interfaces, you also set the Priority for each
heartbeat interface. In all cases, the heartbeat interface with the highest priority is used for
all HA heartbeat communication. If the interface fails or becomes disconnected, the
selected heartbeat interface that has the next highest priority handles all heartbeat
communication.
If more than one heartbeat interface has the same priority, the heartbeat interface with the
highest priority that is also highest in the heartbeat interface list is used for all HA
heartbeat communication. If this interface fails or becomes disconnected, the selected
heartbeat interface with the highest priority that is next highest in the list handles all
heartbeat communication.
The default heartbeat interface configuration sets the priority of two heartbeat interfaces to
50. You can accept the default heartbeat interface configuration if one or both of the
default heartbeat interfaces are connected. You can select different heartbeat interfaces,
select more heartbeat interfaces and change heartbeat priorities according to your
requirements.
For the HA cluster to function correctly, you must select at least one heartbeat interface
and this interface of all of the cluster units must be connected together. If heartbeat
communication is interrupted and cannot fail over to a second heartbeat interface, the
cluster units will not be able to communicate with each other and more than one cluster
unit may become a primary unit. As a result the cluster stops functioning normally because
multiple devices on the network may be operating as primary units with the same IP and
MAC addresses, creating a split-brain scenario.
The heartbeat interface priority range is 0 to 512. The default priority when you select a
new heartbeat interface is 0. The higher the number the higher the priority.


In most cases you can maintain the default heartbeat interface configuration as long as
you can connect the heartbeat interfaces together. Configuring HA heartbeat interfaces is
the same for virtual clustering and for standard HA clustering.
You can enable heartbeat communications for physical interfaces, but not for VLAN
subinterfaces, IPsec VPN interfaces, redundant interfaces, or for 802.3ad aggregate
interfaces. You cannot select these types of interfaces in the heartbeat interface list.
Selecting more heartbeat interfaces increases reliability. If a heartbeat interface fails or is
disconnected, the HA heartbeat fails over to the next heartbeat interface.
You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with
more than 8 physical interfaces.
HA heartbeat traffic can use a considerable amount of network bandwidth. If possible,
enable HA heartbeat traffic on interfaces used only for HA heartbeat traffic or on interfaces
connected to less busy networks.

Connecting HA heartbeat interfaces
For most FortiGate models if you do not change the heartbeat interface configuration, you
can isolate the default heartbeat interfaces of all of the cluster units by connecting them all
to the same switch. Use one switch per heartbeat interface. If the cluster consists of two
units you can connect the heartbeat interfaces together using crossover cables. For an
example of how to connect heartbeat interfaces, see “Connecting a FortiGate HA cluster”
on page 1439.
HA heartbeat and data traffic are supported on the same cluster interface. In NAT/Route
mode, if you decide to use heartbeat interfaces for processing network traffic or for a
management connection, you can assign the interface any IP address. This IP address
does not affect HA heartbeat traffic.
In Transparent mode, you can connect the heartbeat interface to your network and enable
management access. You would then establish a management connection to the interface
using the Transparent mode management IP address. This configuration does not affect
HA heartbeat traffic.

Heartbeat interfaces and FortiGate switch interfaces
You can configure a FortiGate interface that contains an internal switch as an HA
heartbeat interface. However this configuration is not recommended for two reasons:
• For security reasons and to save network bandwidth you should keep HA heartbeat
traffic off of your internal network, and internal switch interfaces are usually intended to
be connected to your internal network.
• Heartbeat packets may be lost if the switch interface is processing high volumes of
traffic. Losing heartbeat packets may lead to unnecessary and repeated failovers.

Heartbeat packets and heartbeat interface selection
HA heartbeat hello packets are constantly sent by all of the enabled heartbeat interfaces.
Using these hello packets, each cluster unit confirms that the other cluster units are still
operating. The FGCP selects one of the heartbeat interfaces to be used for
communication between the cluster units. The FGCP selects the heartbeat interface for
heartbeat communication based on the linkfail states of the heartbeat interfaces, on the
priority of the heartbeat interfaces, and on the interface index.


The FGCP checks the linkfail state of all heartbeat interfaces to determine which ones are
connected. The FGCP selects one of these connected heartbeat interfaces to be the one
used for heartbeat communication. The FGCP selects the connected heartbeat interface
with the highest priority for heartbeat communication.
If more than one connected heartbeat interface has the highest priority the FGCP selects
the heartbeat interface with the lowest interface index. The web-based manager lists the
FortiGate unit interfaces in alphabetical order. This order corresponds to the interface
index order with lowest index at the top and highest at the bottom. If more than one
heartbeat interface has the highest priority, the FGCP selects the interface that is highest
in the heartbeat interface list (or first in alphabetical order) for heartbeat communication.
If the interface that is processing heartbeat traffic fails or becomes disconnected, the
FGCP uses the same criteria to select another heartbeat interface for heartbeat
communication. If the original heartbeat interface is fixed or reconnected, the FGCP again
selects this interface for heartbeat communication.
The HA heartbeat communicates cluster session information, synchronizes the cluster
configuration, synchronizes the cluster routing table, and reports individual cluster
member status. The HA heartbeat constantly communicates HA status information to
make sure that the cluster is operating properly.

Interface index and display order
The web-based manager and CLI display interface names in alphanumeric order. For
example, the sort order for a FortiGate unit with 10 interfaces (named port1 through
port10) places port10 at the bottom of the list:
• port1
• port2 through port9
• port10
However, interfaces are indexed in hash map order, rather than purely by alphabetic order
or purely by interface number value comparisons. As a result, the list is sorted primarily
alphabetically by interface name (for example, base1 is before port1), then secondarily by
index numbers:
• port1
• port10
• port2 through port9
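The following Python model, added here as an example and not FortiOS code, applies the selection rules above (linkfail state, then highest heartbeat priority, then lowest interface index) and replays link events to show the heartbeat moving to the fallback interface and back. It assumes the interface index follows the plain string-sort order the page illustrates (base1 before port1, port10 before port2); the hbdev values mirror the `set hbdev port4 100 port1 50` example above.

```python
"""Model of how the FGCP picks the heartbeat interface (added example)."""
from dataclasses import dataclass

HB_PRIORITY_MIN, HB_PRIORITY_MAX = 0, 512  # heartbeat priority range on this page


@dataclass(frozen=True)
class HbDev:
    name: str        # interface name as given to `set hbdev`, e.g. "port4"
    priority: int    # heartbeat priority, 0..512, higher wins
    link_up: bool    # linkfail state: True when the interface is connected


def interface_index(names):
    """Assumption: the interface index follows the display order the page
    shows, i.e. a plain string sort (base1 < port1 < port10 < port2)."""
    return {name: idx for idx, name in enumerate(sorted(names))}


def select_heartbeat_interface(hbdevs):
    """Return the interface the FGCP would use for heartbeat traffic:
    connected, highest priority, then lowest interface index.
    Returns None when no heartbeat interface is connected, which is the
    split-brain condition the page warns about."""
    for dev in hbdevs:
        if not HB_PRIORITY_MIN <= dev.priority <= HB_PRIORITY_MAX:
            raise ValueError(f"{dev.name}: priority {dev.priority} out of range")
    connected = [d for d in hbdevs if d.link_up]
    if not connected:
        return None
    index = interface_index(d.name for d in hbdevs)
    best = min(connected, key=lambda d: (-d.priority, index[d.name]))
    return best.name


def replay_link_events(hbdevs, events):
    """Apply (interface, link_up) events in order and return the heartbeat
    interface chosen after each one, to show failover and fail-back."""
    state = {d.name: d for d in hbdevs}
    chosen = []
    for name, up in events:
        old = state[name]
        state[name] = HbDev(old.name, old.priority, up)
        chosen.append(select_heartbeat_interface(list(state.values())))
    return chosen


if __name__ == "__main__":
    # `set hbdev port4 100 port1 50`: port4 is preferred, port1 is the fallback.
    devs = [HbDev("port4", 100, True), HbDev("port1", 50, True)]
    print(select_heartbeat_interface(devs))
    print(replay_link_events(devs, [("port4", False), ("port4", True)]))
    # Equal priority: port10 sorts before port2, so port10 carries the heartbeat.
    print(select_heartbeat_interface([HbDev("port2", 50, True), HbDev("port10", 50, True)]))
```

The tie-break is the part worth checking on a real unit before relying on it: give the preferred interface a strictly higher priority rather than depending on list order.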

HA heartbeat interface IP addresses
The FGCP uses link-local IPv4 addresses (RFC 3927) in the 169.254.0.x range for HA
heartbeat interface IP addresses and for inter-VDOM link interface IP addresses. When a
cluster initially starts up, the primary unit heartbeat interface IP address is 169.254.0.1.
Subordinate units are assigned heartbeat interface IP addresses in the range 169.254.0.2
to 169.254.0.63. HA inter-VDOM link interfaces on the primary unit are assigned IP
addresses 169.254.0.65 and 169.254.0.66.
The ninth line of the following CLI command output shows the HA heartbeat interface IP
address of the primary unit.
get system ha status
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:150 head_office_upper FG600B3908600825 1
Slave :150 head_office_lower FG600B3908600705 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
You can also use the execute traceroute command from the subordinate unit CLI to
display HA heartbeat IP addresses and the HA inter-VDOM link IP addresses. For
example, use execute ha manage 1 to connect to the subordinate unit CLI and then
enter the following command to trace the route to an IP address on your network:
execute traceroute 172.20.20.10
traceroute to 172.20.20.10 (172.20.20.10), 32 hops max, 72 byte packets
1 169.254.0.1 0 ms 0 ms 0 ms
2 169.254.0.66 0 ms 0 ms 0 ms
3 172.20.20.10 0 ms 0 ms 0 ms

Both HA heartbeat and data traffic are supported on the same FortiGate interface. All
heartbeat communication takes place on a separate VDOM called vsys_ha. Heartbeat
traffic uses a virtual interface called port_ha in the vsys_ha VDOM. Data and heartbeat
traffic use the same physical interface, but they’re logically separated into separate
VDOMs.
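The following Python script is an added example, not FortiOS code. It parses the `get system ha status` output quoted above into a structure, labels addresses using the 169.254.0.x allocations the page gives (.1 for the primary heartbeat, .2 to .63 for subordinates, .65 and .66 for the inter-VDOM links), and flags things worth noticing, such as session pickup being disabled. It only understands the line shapes shown on this page; the sample input is that output, and the hop list is the traceroute above.

```python
"""Parse `get system ha status` and classify FGCP addresses (added example)."""
import ipaddress
import re

# Output of `get system ha status` as quoted on this page, used as sample input.
SAMPLE_STATUS = """\
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:150 head_office_upper FG600B3908600825 1
Slave :150 head_office_lower FG600B3908600705 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
"""

# Hops from the traceroute quoted above: primary heartbeat address,
# inter-VDOM link, then a host on the user network.
SAMPLE_HOPS = ["169.254.0.1", "169.254.0.66", "172.20.20.10"]

HB_NET = ipaddress.ip_network("169.254.0.0/24")

_MEMBER_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")
_VC_MEMBER_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)$")
_VCLUSTER_RE = re.compile(r"^vcluster\s+(\d+):\s+(\S+)\s+(\S+)$")
_KV_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_ha_status(text):
    """Return scalar fields (mode, ses_pickup, ...), the member list
    (role, priority, hostname, serial, index) and per-vcluster data."""
    info = {"members": [], "vclusters": {}}
    current_vc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _MEMBER_RE.match(line)
        if m:  # e.g. "Master:150 head_office_upper FG600B3908600825 1"
            role, prio, host, serial, idx = m.groups()
            info["members"].append({"role": role, "priority": int(prio),
                                    "hostname": host, "serial": serial,
                                    "index": int(idx)})
            continue
        m = _VCLUSTER_RE.match(line)
        if m:  # e.g. "vcluster 1: work 169.254.0.1"
            current_vc = int(m.group(1))
            info["vclusters"][current_vc] = {"state": m.group(2),
                                             "heartbeat_ip": m.group(3),
                                             "members": []}
            continue
        m = _VC_MEMBER_RE.match(line)
        if m and current_vc is not None:  # e.g. "Master:0 FG600B3908600825"
            role, idx, serial = m.groups()
            info["vclusters"][current_vc]["members"].append(
                {"role": role, "index": int(idx), "serial": serial})
            continue
        m = _KV_RE.match(line)
        if m:  # "Mode: a-p", "ses_pickup: disable", "number of vcluster: 1"
            key = m.group(1).strip().lower().replace(" ", "_")
            info[key] = m.group(2).strip()
    return info


def classify_hb_address(addr):
    """Label an address using the FGCP allocations given on this page."""
    ip = ipaddress.ip_address(addr)
    if ip not in HB_NET:
        return "not-fgcp"
    host = int(ip) - int(HB_NET.network_address)
    if host == 1:
        return "primary-heartbeat"
    if 2 <= host <= 63:
        return "subordinate-heartbeat"
    if host in (65, 66):
        return "inter-vdom-link"
    return "unassigned"


def review_ha_status(info):
    """Findings a practitioner would want flagged from the parsed status."""
    findings = []
    if info.get("ses_pickup") != "enable":
        findings.append("session pickup disabled: sessions restart after failover")
    primaries = [m for m in info["members"] if m["role"] == "Master"]
    if len(primaries) != 1:
        findings.append(f"{len(primaries)} primary units listed, expected one")
    for vc, data in info["vclusters"].items():
        label = classify_hb_address(data["heartbeat_ip"])
        if label != "primary-heartbeat":
            findings.append(f"vcluster {vc}: heartbeat address is {label}")
    return findings


if __name__ == "__main__":
    status = parse_ha_status(SAMPLE_STATUS)
    print(status["mode"], status["vclusters"][1]["heartbeat_ip"])
    print([(h, classify_hb_address(h)) for h in SAMPLE_HOPS])
    print(review_ha_status(status))
```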

Heartbeat packet Ethertypes
Normal IPv4 packets are carried in Ethernet frames whose type (Ethertype) field value is
0x0800. Frames with Ethertype values other than 0x0800 are treated as Layer 2 frames
rather than IP packets.
By default, HA heartbeat packets use the following Ethertypes:
• HA heartbeat packets for NAT/Route mode clusters use Ethertype 0x8890. These
packets are used by cluster units to find other cluster units and to verify the status of
other cluster units while the cluster is operating. You can change the Ethertype of these
packets using the ha-eth-type option of the config system ha command.
• HA heartbeat packets for Transparent mode clusters use Ethertype 0x8891. These
packets are used by cluster units to find other cluster units and to verify the status of
other cluster units while the cluster is operating. You can change the Ethertype of these
packets using the hc-eth-type option of the config system ha command.
• HA telnet sessions between cluster units over HA heartbeat links use Ethertype
0x8893. The telnet sessions are used to synchronize the cluster configurations. Telnet
sessions are also used when an administrator uses the execute ha manage
command to connect from one cluster unit CLI to another. You can change the
Ethertype of these packets using the l2ep-eth-type option of the config system
ha command.

Because heartbeat packets are recognized as Layer 2 frames, the switches and routers on
your heartbeat network that connect to heartbeat interfaces must be configured to allow
them. If these frames are dropped by the network devices, heartbeat traffic will not pass
between the cluster units.
Some third-party network equipment may use packets with these Ethertypes for other
purposes. For example, Cisco N5K/Nexus switches use Ethertype 0x8890 for some
functions. When one of these switches receives Ethertype 0x8890 packets from an
attached cluster unit, the switch generates CRC errors and the packets are not forwarded.
As a result, FortiGate units connected with these switches cannot form a cluster.


In some cases, if the heartbeat interfaces are connected and configured so regular traffic
flows but heartbeat traffic is not forwarded, you can change the configuration of the switch
that connects the HA heartbeat interfaces to allow Layer 2 frames with Ethertypes 0x8890,
0x8891, and 0x8893 to pass.
Alternatively, you can use the following CLI options to change the Ethertypes of the HA
heartbeat packets:
config system ha
set ha-eth-type <ha_ethertype_4-digit_hex>
set hc-eth-type <hc_ethertype_4-digit_hex>
set l2ep-eth-type <l2ep_ethertype_4-digit_hex>
end
For example, use the following command to change the Ethertype of the NAT/Route mode
HA heartbeat packets from 0x8890 to 0x8895 and to change the Ethertype of HA Telnet
session packets from 0x8893 to 0x889f:
config system ha
set ha-eth-type 8895
set l2ep-eth-type 889f
end
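When a cluster will not form across a switch, the quickest check is a capture on the far side of the switch to see which of the three Ethertypes actually arrive. The following Python script is an added example, not FortiOS code: it parses raw Ethernet headers (with or without an 802.1Q tag), counts frames per Ethertype, and reports which of the FGCP Ethertypes never showed up. The capture is constructed inline; the heartbeat payload format is not documented on this page, so the payloads are placeholders and only the header is interpreted. It also accepts the 4-digit hex values from `set ha-eth-type` and the related options, so the same check works after the Ethertypes have been changed.

```python
"""Check which FGCP Ethertypes traverse the heartbeat switch (added example)."""
import struct
from collections import Counter

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100


def fgcp_ethertypes(ha="8890", hc="8891", l2ep="8893"):
    """Map the three `config system ha` Ethertype options (as the 4-digit hex
    strings the CLI takes) to the option name. Defaults are the page's values."""
    types = {}
    for option, value in (("ha-eth-type", ha), ("hc-eth-type", hc),
                          ("l2ep-eth-type", l2ep)):
        if len(value) != 4:
            raise ValueError(f"{option}: expected 4 hex digits, got {value!r}")
        types[int(value, 16)] = option
    if len(types) != 3:
        raise ValueError("the three Ethertypes must be distinct")
    return types


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame, optionally 802.1Q tagged (test data only)."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        header += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan or None, ethertype, payload) from raw bytes."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return dst.hex(":"), src.hex(":"), vlan, ethertype, frame[offset:]


def heartbeat_visibility(frames, expected=None):
    """Count frames per Ethertype and list the expected FGCP Ethertypes that
    never appeared. An empty 'missing' list means the switch passes them all."""
    expected = expected or fgcp_ethertypes()
    counts = Counter(parse_frame(f)[3] for f in frames)
    missing = [t for t in expected if counts[t] == 0]
    return dict(counts), missing


# Constructed capture from the far side of the heartbeat switch: IP traffic and
# the 0x8893 sync channel get through, but the 0x8890 hello packets do not,
# which is the symptom the page describes for switches that use 0x8890 themselves.
SAMPLE_CAPTURE = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:09:0f:00:00:01", ETH_P_IP, b"\x45" + b"\x00" * 19),
    build_frame("00:09:0f:00:00:02", "00:09:0f:00:00:01", 0x8893, b"sync-placeholder"),
    build_frame("00:09:0f:00:00:02", "00:09:0f:00:00:01", 0x8891, b"hello-placeholder"),
]

if __name__ == "__main__":
    counts, missing = heartbeat_visibility(SAMPLE_CAPTURE)
    print({hex(k): v for k, v in counts.items()}, [hex(t) for t in missing])
    # After `set ha-eth-type 8895` and `set l2ep-eth-type 889f` the check must
    # look for the new values rather than the defaults.
    print([hex(t) for t in heartbeat_visibility(
        SAMPLE_CAPTURE, fgcp_ethertypes(ha="8895", l2ep="889f"))[1]])
```

A capture with 0x0800 present but 0x8890 absent points at the switch, not at the FortiGate configuration, and narrows the fix to either allowing that Ethertype on the switch or moving the cluster to an unused one.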

Modifying heartbeat timing
In an HA cluster, if a cluster unit CPU becomes very busy, the cluster unit may not be able
to send heartbeat packets on time. If heartbeat packets are not sent on time other units in
the cluster may think that the cluster unit has failed and the cluster will experience a
failover.
A cluster unit CPU may become very busy if the cluster is subject to a syn flood attack, if
network traffic is very heavy, or for other similar reasons. You can use the following CLI
commands to configure how the cluster times HA heartbeat packets:
config system ha
set hb-interval <interval_integer>
set hb-lost-threshold <threshold_integer>
set helo-holddown <holddown_integer>
end

Changing the lost heartbeat threshold
The lost heartbeat threshold is the number of consecutive heartbeat packets that are not
received from another cluster unit before assuming that the cluster unit has failed. The
default value is 6, meaning that if 6 consecutive heartbeat packets are not received from a
cluster unit then that cluster unit is considered to have failed. The range is 1 to 60 packets.
If the primary unit does not receive a heartbeat packet from a subordinate unit before the
heartbeat threshold expires, the primary unit assumes that the subordinate unit has failed.
If a subordinate unit does not receive a heartbeat packet from the primary unit before the
heartbeat threshold expires, the subordinate unit assumes that the primary unit has failed.
The subordinate unit then begins negotiating to become the new primary unit.
The lower the hb-lost-threshold the faster a cluster responds when a unit fails.
However, sometimes heartbeat packets may not be sent because a cluster unit is very
busy. This can lead to a false positive failure detection. To reduce these false positives you
can increase the hb-lost-threshold.
Use the following CLI command to increase the lost heartbeat threshold to 12:
config system ha
set hb-lost-threshold 12
end

Changing the heartbeat interval
The heartbeat interval is the time between sending HA heartbeat packets. The heartbeat
interval range is 1 to 20 (100*ms). The heartbeat interval default is 2 (200 ms).
A heartbeat interval of 2 means the time between heartbeat packets is 200 ms. Changing
the heartbeat interval to 5 changes the time between heartbeat packets to 500 ms
(5 * 100ms = 500ms).
The HA heartbeat packets consume more bandwidth if the heartbeat interval is short. But
if the heartbeat interval is very long, the cluster is not as sensitive to topology and other
network changes.
Use the following CLI command to increase the heartbeat interval to 10:
config system ha
set hb-interval 10
end
The heartbeat interval combines with the lost heartbeat threshold to set how long a cluster
unit waits before assuming that another cluster unit has failed and is no longer sending
heartbeat packets. By default, if a cluster unit does not receive a heartbeat packet from a
cluster unit for 6 * 200 = 1200 milliseconds or 1.2 seconds the cluster unit assumes that
the other cluster unit has failed.
You can increase both the heartbeat interval and the lost heartbeat threshold to reduce
false positives. For example, increasing the heartbeat interval to 20 and the lost heartbeat
threshold to 30 means a failure will be assumed if no heartbeat packets are received after
30 * 2000 milliseconds = 60,000 milliseconds, or 60 seconds.
Use the following CLI command to increase the heartbeat interval to 20 and the lost
heartbeat threshold to 30:
config system ha
set hb-interval 20
set hb-lost-threshold 30
end

Changing the time to wait in the hello state
The hello state hold-down time is the number of seconds that a cluster unit waits before
changing from hello state to work state. After a failure or when starting up, cluster units
operate in the hello state to send and receive heartbeat packets so that all the cluster units
can find each other and form a cluster. A cluster unit should change from the hello state to
work state after it finds all of the other FortiGate units to form a cluster with. If for some
reason all cluster units cannot find each other during the hello state then some cluster
units may be joining the cluster after it has formed. This can cause disruptions to the
cluster and affect how it operates.
One reason for a delay in all of the cluster units joining the cluster could be that the cluster units are located at different sites, or that for some other reason communication is delayed between the heartbeat interfaces.
If cluster units are joining your cluster after it has started up, or if it takes a while for units to join the cluster, you can increase the time that the cluster units wait in the hello state. The hello state hold-down time range is 5 to 300 seconds. The hello state hold-down time default is 20 seconds.
Use the following CLI command to increase the time to wait in the hello state to 1 minute (60 seconds):
config system ha
set helo-holddown 60
end
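The three timing options above interact, and two of them have narrow documented ranges, so it is worth checking a planned change before typing it into a production cluster. The following Python helper is an added example (not handbook or FortiOS code): it merges requested values with the documented defaults, rejects anything outside the documented ranges (for example an hb-interval above 20), computes the resulting failure-detection time as hb-interval * 100 ms * hb-lost-threshold, and renders the config system ha block that would apply the change. The option names and ranges are the ones stated in this section; nothing else is assumed.

```python
# Documented ranges and defaults for the heartbeat timing options in this section.
RANGES = {
    "hb-interval": (1, 20),        # units of 100 ms
    "hb-lost-threshold": (1, 60),  # consecutive lost packets
    "helo-holddown": (5, 300),     # seconds
}
DEFAULTS = {"hb-interval": 2, "hb-lost-threshold": 6, "helo-holddown": 20}


class HaTimingError(ValueError):
    """Raised when a value falls outside the range the handbook documents."""


def validate(settings):
    """Return a full settings dict (defaults merged in), or raise HaTimingError."""
    merged = dict(DEFAULTS)
    for name, value in settings.items():
        if name not in RANGES:
            raise HaTimingError(f"unknown option {name!r}")
        low, high = RANGES[name]
        if not isinstance(value, int) or not low <= value <= high:
            raise HaTimingError(f"{name} {value!r} is outside the documented range {low}-{high}")
        merged[name] = value
    return merged


def is_valid(settings):
    """Convenience wrapper: True if validate() accepts the settings."""
    try:
        validate(settings)
        return True
    except HaTimingError:
        return False


def failure_detection_ms(hb_interval=DEFAULTS["hb-interval"],
                         hb_lost_threshold=DEFAULTS["hb-lost-threshold"]):
    """Milliseconds without heartbeats before a peer is assumed failed: interval * 100 ms * threshold."""
    s = validate({"hb-interval": hb_interval, "hb-lost-threshold": hb_lost_threshold})
    return s["hb-interval"] * 100 * s["hb-lost-threshold"]


def plan(settings):
    """Validate the requested changes and render the 'config system ha' block that applies them."""
    merged = validate(settings)
    lines = ["config system ha"] + [f"set {k} {v}" for k, v in settings.items()] + ["end"]
    return {
        "detection_ms": failure_detection_ms(merged["hb-interval"], merged["hb-lost-threshold"]),
        "helo_holddown_s": merged["helo-holddown"],
        "cli": "\n".join(lines),
    }


if __name__ == "__main__":
    change = plan({"hb-interval": 20, "hb-lost-threshold": 30})
    print(change["cli"])
    print("failure assumed after", change["detection_ms"], "ms")
    # The same two numbers swapped: hb-interval 30 exceeds the documented maximum of 20.
    print("swapped values accepted:", is_valid({"hb-interval": 30, "hb-lost-threshold": 20}))
```

Defaults give 2 * 100 * 6 = 1200 ms, matching the 1.2 seconds quoted in this section; the 20/30 combination gives 60000 ms, and the swapped 30/20 combination is rejected rather than silently producing a 60-second figure from an out-of-range interval.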

Enabling or disabling HA heartbeat encryption and authentication
You can enable HA heartbeat encryption and authentication to encrypt and authenticate
HA heartbeat packets. HA heartbeat packets should be encrypted and authenticated if the
cluster interfaces that send HA heartbeat packets are also connected to your networks.
If HA heartbeat packets are not encrypted the cluster password and changes to the cluster
configuration could be exposed and an attacker may be able to sniff HA packets to get
cluster information. Enabling HA heartbeat message authentication prevents an attacker
from creating false HA heartbeat messages. False HA heartbeat messages could affect
the stability of the cluster.
HA heartbeat encryption and authentication are disabled by default. Enabling HA
encryption and authentication could reduce cluster performance. Use the following CLI
command to enable HA heartbeat encryption and authentication.
config system ha
set authentication enable
set encryption enable
end
HA authentication and encryption uses AES-128 for encryption and SHA1 for
authentication.

Cluster virtual MAC addresses
When a cluster is operating, the FGCP assigns virtual MAC addresses to each primary
unit interface. HA uses virtual MAC addresses so that if a failover occurs, the new primary
unit interfaces will have the same virtual MAC addresses and IP addresses as the failed
primary unit. As a result, most network equipment would identify the new primary unit as
the exact same device as the failed primary unit.
If the MAC addresses changed after a failover, the network would take longer to recover
because all attached network devices would have to learn the new MAC addresses before
they could communicate with the cluster.
If a cluster is operating in NAT/Route mode, the FGCP assigns a different virtual MAC
address to each primary unit interface. VLAN subinterfaces are assigned the same virtual
MAC address as the physical interface that the VLAN subinterface is added to. Redundant
interfaces or 802.3ad aggregate interfaces are assigned the virtual MAC address of the
first interface in the redundant or aggregate list.
If a cluster is operating in Transparent mode, the FGCP assigns a virtual MAC address for
the primary unit management IP address. Since you can connect to the management IP
address from any interface, all of the FortiGate interfaces appear to have the same virtual
MAC address.
Note: A MAC address conflict can occur if two clusters are operating on the same network.
See “Diagnosing packet loss with two FortiGate HA clusters in the same broadcast domain”
on page 1610 for more information.
Note: Subordinate unit MAC addresses do not change. You can verify this by connecting to
the subordinate unit CLI and using the get hardware interface nic command to
display the MAC addresses of each FortiGate interface.

When the new primary unit is selected after a failover, the primary unit sends gratuitous ARP packets to update the devices connected to the cluster interfaces (usually layer-2 switches) with the virtual MAC address. Gratuitous ARP packets configure connected network devices to associate the cluster virtual MAC addresses and cluster IP address with primary unit physical interfaces and with the layer-2 switch physical interfaces. This is sometimes called using gratuitous ARP packets (also called GARP packets) to train the network. The gratuitous ARP packets sent from the primary unit are intended to make sure that the layer-2 switch forwarding databases (FDBs) are updated as quickly as possible.
Sending gratuitous ARP packets is not required for routers and hosts on the network
because the new primary unit will have the same MAC and IP addresses as the failed
primary unit. However, since the new primary unit interfaces are connected to different
switch interfaces than the failed primary unit, many network switches will update their
FDBs more quickly after a failover if the new primary unit sends gratuitous ARP packets.

Changing how the primary unit sends gratuitous ARP packets after a failover
When a failover occurs it is important that the devices connected to the primary unit
update their FDBs as quickly as possible to reestablish traffic forwarding.
Depending on your network configuration, you may be able to change the number of
gratuitous ARP packets and the time interval between ARP packets to reduce the cluster
failover time.
You cannot disable sending gratuitous ARP packets, but you can use the following
command to change the number of packets that are sent. For example, enter the following
command to send 20 gratuitous ARP packets:
config system ha
set arps 20
end
You can use this command to configure the primary unit to send from 1 to 60 ARP packets. Usually you would not change the default setting of 5. In some cases, however, you might want to reduce the number of gratuitous ARP packets. For example, if your cluster has a large number of VLAN interfaces and virtual domains, and because gratuitous ARP packets are broadcast, sending a higher number of gratuitous ARP packets may generate a lot of network traffic. As long as the cluster still fails over successfully, you could reduce the number of gratuitous ARP packets that are sent to reduce the amount of traffic produced after a failover.
If failover is taking longer than expected, you may be able to reduce the failover time by increasing the number of gratuitous ARP packets sent.
You can also use the following command to change the time interval in seconds between
gratuitous ARP packets. For example, enter the following command to change the time
between ARP packets to 3 seconds:
config system ha
set arps-interval 3
end
The time interval can be in the range of 1 to 20 seconds. The default is 8 seconds between gratuitous ARP packets. Normally you would not need to change the time interval. However, you could decrease the time to be able to send more packets in less time if your cluster takes a long time to fail over.

There may also be a number of reasons to set the interval higher. For example, if your
cluster has a large number of VLAN interfaces and virtual domains and because
gratuitous ARP packets are broadcast, sending gratuitous ARP packets may generate a
lot of network traffic. As long as the cluster still fails over successfully you could increase
the interval to reduce the amount of traffic produced after a failover.
For more information about gratuitous ARP packets see RFC 826 and RFC 3927.

How the virtual MAC address is determined
The virtual MAC address is determined based on the following formula:
00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>
where
<group-id_hex> is the HA Group ID for the cluster converted to hexadecimal.
Table 107 lists the virtual MAC address set for each group ID.
Table 107: HA group ID in integer and hexadecimal format
Integer Group ID    Hexadecimal Group ID
0                   00
1                   01
2                   02
3                   03
4                   04
...                 ...
10                  0a
11                  0b
...                 ...
63                  3f
<vcluster_integer> is 0 for virtual cluster 1 and 2 for virtual cluster 2. If virtual domains are not enabled, HA sets the virtual cluster to 1 and by default all interfaces are in the root virtual domain. Including virtual cluster and virtual domain factors in the virtual MAC address formula means that the same formula can be used whether or not virtual domains and virtual clustering are enabled.
<idx> is the index number of the interface. Interfaces are numbered from 0 to x (where x is the number of interfaces). Interfaces are numbered according to their hash map order. See “Interface index and display order” on page 1601. The first interface has an index of 0. The second interface in the list has an index of 1 and so on.
Note: Only the <idx> part of the virtual MAC address is different for each interface. The <vcluster_integer> would be different for different interfaces if multiple VDOMs have been added.

Example virtual MAC addresses
An HA cluster with HA group ID unchanged (default=0) and virtual domains not enabled
would have the following virtual MAC addresses for interfaces port1 to port12:
port1 virtual MAC: 00-09-0f-09-00-00
port10 virtual MAC: 00-09-0f-09-00-01
port2 virtual MAC: 00-09-0f-09-00-02
port3 virtual MAC: 00-09-0f-09-00-03
port4 virtual MAC: 00-09-0f-09-00-04
port5 virtual MAC: 00-09-0f-09-00-05
port6 virtual MAC: 00-09-0f-09-00-06
port7 virtual MAC: 00-09-0f-09-00-07
port8 virtual MAC: 00-09-0f-09-00-08
port9 virtual MAC: 00-09-0f-09-00-09
port11 virtual MAC: 00-09-0f-09-00-0a
port12 virtual MAC: 00-09-0f-09-00-0b

If the group ID is changed to 34 these virtual MAC addresses change to:
port1 virtual MAC: 00-09-0f-09-22-00
port10 virtual MAC: 00-09-0f-09-22-01
port2 virtual MAC: 00-09-0f-09-22-02
port3 virtual MAC: 00-09-0f-09-22-03
port4 virtual MAC: 00-09-0f-09-22-04
port5 virtual MAC: 00-09-0f-09-22-05
port6 virtual MAC: 00-09-0f-09-22-06
port7 virtual MAC: 00-09-0f-09-22-07
port8 virtual MAC: 00-09-0f-09-22-08
port9 virtual MAC: 00-09-0f-09-22-09
port11 virtual MAC: 00-09-0f-09-22-0a
port12 virtual MAC: 00-09-0f-09-22-0b

A cluster with virtual domains enabled where the HA group ID has been changed to 23, port5 and port6 are in the root virtual domain (which is in virtual cluster 1), and port7 and port8 are in the vdom_1 virtual domain (which is in virtual cluster 2) would have the following virtual MAC addresses:
port5 interface virtual MAC: 00-09-0f-09-23-05
port6 interface virtual MAC: 00-09-0f-09-23-06
port7 interface virtual MAC: 00-09-0f-09-23-27
port8 interface virtual MAC: 00-09-0f-09-23-28

Displaying the virtual MAC address
Every FortiGate unit physical interface has two MAC addresses: the current hardware
address and the permanent hardware address. The permanent hardware address cannot
be changed, it is the actual MAC address of the interface hardware. The current hardware
address can be changed. The current hardware address is the address seen by the
network. For a FortiGate unit not operating in HA, you can use the following command to
change the current hardware address of the port1 interface:
config system interface
edit port1
set macaddr <mac_address>
next
end

For an operating cluster, the current hardware address of each cluster unit interface is
changed to the HA virtual MAC address by the FGCP. The macaddr option is not
available for a functioning cluster. You cannot change an interface MAC address and you
cannot view MAC addresses from the system interface CLI command.
You can use the get hardware nic <interface_name_str> command to display both MAC addresses for any FortiGate interface. This command displays hardware information for the specified interface. Depending on their hardware configuration, this command may display different information for different interfaces. You can use this command to display the current hardware address as Current_HWaddr and the permanent hardware address as Permanent_HWaddr. For some interfaces the current hardware address is displayed as MAC. The command displays a great deal of information about the interface so you may have to scroll the output to find the hardware addresses.
Note: You can also use the diagnose hardware deviceinfo nic <interface_str> command to display both MAC addresses for any FortiGate interface.

Before HA configuration the current and permanent hardware addresses are the same.
For example for one of the units in Cluster_1:
FGT60B3907503171 # get hardware nic internal
.
.
.
MAC: 02:09:0f:78:18:c9
Permanent_HWaddr: 02:09:0f:78:18:c9
.
.
.
During HA operation the current hardware address becomes the HA virtual MAC address,
for example for the units in Cluster_1:
FGT60B3907503171 # get hardware nic internal
.
.
.
MAC: 00:09:0f:09:00:02
Permanent_HWaddr: 02:09:0f:78:18:c9
.
.
.
The following command output for Cluster_2 shows the same current hardware address for port1 as for the internal interface of Cluster_1, indicating a MAC address conflict.
FG300A2904500238 # get hardware nic port1
.
.
.
MAC: 00:09:0f:09:00:02
Permanent_HWaddr: 00:09:0F:85:40:FD
.
.
.

Diagnosing packet loss with two FortiGate HA clusters in the same broadcast domain
A network may experience packet loss when two FortiGate HA clusters have been
deployed in the same broadcast domain. Deploying two HA clusters in the same
broadcast domain can result in packet loss because of MAC address conflicts. The packet
loss can be diagnosed by pinging from one cluster to the other or by pinging both of the
clusters from a device within the broadcast domain. You can resolve the MAC address
conflict by changing the HA Group ID configuration of the two clusters. The HA Group ID
is sometimes also called the Cluster ID.
This section describes a topology that can result in packet loss, how to determine if
packets are being lost, and how to correct the problem by changing the HA Group ID.
Note: Packet loss on a network can also be caused by IP address conflicts. Finding and fixing IP address conflicts can be difficult. However, if you are experiencing packet loss and your network contains two FortiGate HA clusters, you can use the information in this section to eliminate one possible source of packet loss.

Changing the HA group ID to avoid MAC address conflicts
Change the Group ID to change the virtual MAC address of all cluster interfaces. You can
change the Group ID from the FortiGate CLI using the following command:
config system ha
set group-id <id_integer>
end
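The virtual MAC formula in "How the virtual MAC address is determined" and the conflict described in this section are two sides of the same calculation: two clusters in one broadcast domain collide exactly when the formula yields the same address for some pair of interfaces, and changing one group ID moves the whole cluster's addresses. The Python below is an added example (not handbook or FortiOS code) that computes virtual MACs from the formula and reports collisions between clusters before a deployment rather than after packet loss appears. It assumes, as every example on the page does, that the interface index fits in one hex digit, and it takes interface names in their index order as read from the unit (the sample uses the port1, port10, port2, ... order listed on the page); the two-cluster topology is constructed for the example.

```python
# Virtual MAC derivation per the formula in this section:
#   00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>
# Assumption (not stated on the page): <idx> fits in one hex digit, as in every
# example on the page. Interface index order is supplied by the caller in the
# unit's own order; it is not derived here.
VCLUSTER_NIBBLE = {1: 0x0, 2: 0x2}

# The index order listed on the page for a 12-port unit (hash map order, not numeric order).
PAGE_PORT_ORDER = ["port1", "port10", "port2", "port3", "port4", "port5",
                   "port6", "port7", "port8", "port9", "port11", "port12"]


def virtual_mac(group_id, idx, vcluster=1):
    """Return the virtual MAC for one interface as a dash-separated string."""
    if not 0 <= group_id <= 63:
        raise ValueError("HA group ID must be 0-63")
    if not 0 <= idx <= 15:
        raise ValueError("interface index outside the single-hex-digit range this example assumes")
    last_octet = (VCLUSTER_NIBBLE[vcluster] << 4) | idx
    return f"00-09-0f-09-{group_id:02x}-{last_octet:02x}"


def cluster_virtual_macs(group_id, interfaces_in_index_order, vcluster_of=None):
    """Map every interface name to its virtual MAC. vcluster_of: {name: 1|2}; default is 1."""
    vcluster_of = vcluster_of or {}
    return {
        name: virtual_mac(group_id, idx, vcluster_of.get(name, 1))
        for idx, name in enumerate(interfaces_in_index_order)
    }


def find_mac_conflicts(clusters):
    """clusters: {cluster_name: {iface: mac}}. Returns {mac: [(cluster, iface), ...]}
    for every MAC that appears in more than one cluster."""
    owners = {}
    for cluster, macs in clusters.items():
        for iface, mac in macs.items():
            owners.setdefault(mac, []).append((cluster, iface))
    return {
        mac: sorted(lst)
        for mac, lst in owners.items()
        if len({cluster for cluster, _ in lst}) > 1
    }


def suggest_group_id(used_group_ids):
    """Smallest group ID not already used by a cluster in the broadcast domain; None if all 64 are taken."""
    used = set(used_group_ids)
    return next((g for g in range(64) if g not in used), None)


if __name__ == "__main__":
    for name, mac in cluster_virtual_macs(34, PAGE_PORT_ORDER).items():
        print(f"{name} virtual MAC: {mac}")
    # Constructed topology: both clusters still at the default group ID 0.
    c1 = cluster_virtual_macs(0, ["internal", "wan1", "wan2"])
    c2 = cluster_virtual_macs(0, ["port1", "port2", "port3"])
    print("conflicts:", find_mac_conflicts({"Cluster_1": c1, "Cluster_2": c2}))
    print("move Cluster_2 to group ID", suggest_group_id([0]))
```

Running it with both clusters at group ID 0 lists three shared addresses (internal/port1, wan1/port2, wan2/port3); rerunning with Cluster_2 at group ID 1 lists none, which is the effect of the set group-id command above.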

Example topology
The topology below shows two clusters. The Cluster_1 internal interfaces and the
Cluster_2 port 1 interfaces are both connected to the same broadcast domain. In this
topology the broadcast domain could be an internal network. Both clusters could also be
connected to the Internet or to different networks.
[Figure 229: Example HA topology with possible MAC address conflicts. Cluster_1 units have interfaces wan1, wan2, and internal; Cluster_2 units have interfaces port1, port2, and port3. The Cluster_1 internal interfaces and the Cluster_2 port1 interfaces connect to the same L2 switch.]

Ping testing for packet loss
If the network is experiencing packet loss, it is possible that you will not notice a problem unless you are constantly pinging both HA clusters. During normal operation of the network you also might not notice packet loss because the loss rate may not be severe enough to time out TCP sessions. Also, many common types of TCP traffic, such as web browsing, may not be greatly affected by packet loss. However, packet loss can have a significant effect on real-time protocols that deliver audio and video data.

To test for packet loss you can set up two constant ping sessions, one to each cluster. If
packet loss is occurring the two ping sessions should show alternating replies and
timeouts from each cluster.
Cluster_1    Cluster_2
reply        timeout
reply        timeout
reply        timeout
timeout      reply
timeout      reply
reply        timeout
reply        timeout
timeout      reply
timeout      reply
timeout      reply
timeout      reply

Viewing MAC address conflicts on attached switches
If two HA clusters with the same virtual MAC address are connected to the same
broadcast domain (L2 switch or hub), the MAC address will conflict and bounce between
the two clusters. This example Cisco switch MAC address table shows the MAC address
flapping between different interfaces (1/0/1 and 1/0/4).
1    0009.0f09.0002    DYNAMIC    Gi1/0/1
1    0009.0f09.0002    DYNAMIC    Gi1/0/4
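A switch MAC table usually has hundreds of rows, so flapping entries are easier to find by script than by eye, and a virtual MAC's fifth octet also tells you which group ID the colliding clusters share. The Python below is an added example, not handbook or Cisco code: it parses rows in the layout of the listing above, reports any MAC learned on more than one port within the same VLAN, and for FGCP virtual MACs (prefix 00-09-0f-09) decodes the group ID. The MAC table text is constructed for the example; only the two 0009.0f09.0002 rows mirror the page.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Cisco IOS "show mac address-table" listing.
# The two 0009.0f09.0002 rows on VLAN 1 mirror the flapping entry shown on the page.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0009.0f09.0002    DYNAMIC     Gi1/0/1
   1    0009.0f09.0002    DYNAMIC     Gi1/0/4
   1    0009.0f09.0003    DYNAMIC     Gi1/0/1
   1    0009.0f78.18c9    DYNAMIC     Gi1/0/2
  20    0009.0f09.0002    DYNAMIC     Gi1/0/9
Total Mac Addresses for this criterion: 5
"""

ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m["vlan"]), m["mac"].lower(), m["type"].upper(), m["port"]))
    return rows


def find_flapping(rows):
    """{(vlan, mac): [ports]} for every MAC learned on more than one port in the same VLAN."""
    ports = defaultdict(set)
    for vlan, mac, _type, port in rows:
        ports[(vlan, mac)].add(port)
    return {key: sorted(p) for key, p in ports.items() if len(p) > 1}


def _hex_digits(mac):
    """Strip Cisco dots, colons or dashes so any notation can be compared."""
    return mac.replace(".", "").replace(":", "").replace("-", "").lower()


def is_fgcp_virtual_mac(mac):
    """True for the 00-09-0f-09 prefix the FGCP uses for cluster virtual MAC addresses."""
    return _hex_digits(mac).startswith("00090f09")


def fgcp_group_id(mac):
    """Decode the HA group ID from the fifth octet of a virtual MAC (the <group-id_hex> field)."""
    digits = _hex_digits(mac)
    if not digits.startswith("00090f09"):
        raise ValueError("not an FGCP virtual MAC")
    return int(digits[8:10], 16)


def report(text):
    """Flapping FGCP virtual MACs together with the group ID to look at on the clusters."""
    return [
        {"vlan": vlan, "mac": mac, "ports": ports, "group_id": fgcp_group_id(mac)}
        for (vlan, mac), ports in sorted(find_flapping(parse_mac_table(text)).items())
        if is_fgcp_virtual_mac(mac)
    ]


if __name__ == "__main__":
    for entry in report(SAMPLE_MAC_TABLE):
        print(entry)
```

The VLAN 20 row is deliberately left out of the result: the same virtual MAC on a different VLAN is a separate broadcast domain and does not conflict.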

Synchronizing the configuration
The FGCP uses a combination of incremental and periodic synchronization to make sure
that the configuration of all cluster units is synchronized to that of the primary unit.
The following settings are not synchronized between cluster units:
• HA override.
• HA device priority.
• The virtual cluster priority.
• The FortiGate unit host name.
• The system interface settings of the HA reserved management interface.
• The HA default route for the reserved management interface, set using the ha-mgt-interface-gateway option of the config system ha command.

The primary unit synchronizes all other configuration settings, including the other HA
configuration settings.

Disabling automatic configuration synchronization
In some cases you may want to use the following command to disable automatic
synchronization of the primary unit configuration to all cluster units.
config system ha
set sync-config disable
end
When this option is disabled the cluster no longer synchronizes configuration changes. If a
device failure occurs, the new primary unit may not have the same configuration as the
failed primary unit. As a result, the new primary unit may process sessions differently or
may not function on the network in the same way.

In most cases you should not disable automatic configuration synchronization. However, if
you have disabled this feature you can use the execute ha synchronize command to
manually synchronize a subordinate unit’s configuration to that of the primary unit.
You must enter execute ha synchronize commands from the subordinate unit that
you want to synchronize with the primary unit. Use the execute ha manage command
to access a subordinate unit CLI. See “Viewing cluster status from the CLI” on page 1584.
For example, to access the first subordinate unit and force a synchronization at any time,
even if automatic synchronization is disabled enter:
execute ha manage 0
execute ha synchronize start
You can use the following command to stop a synchronization that is in progress:
execute ha synchronize stop
You can use the following command to synchronize all parts of the configuration:
execute ha synchronize all
Individual options are also available to synchronize parts of the configuration. For
example, enter the following command to synchronize CA certificates:
execute ha synchronize ca

Incremental synchronization
When you log into the cluster web-based manager or CLI to make configuration changes,
you are actually logging into the primary unit. All of your configuration changes are first
made to the primary unit. Incremental synchronization then immediately synchronizes
these changes to all of the subordinate units.
When you log into a subordinate unit CLI (for example using execute ha manage) all of
the configuration changes that you make to the subordinate unit are also immediately
synchronized to all cluster units, including the primary unit, using the same process.
Incremental synchronization also synchronizes other dynamic configuration information
such as the DHCP server address lease database, routing table updates, IPsec SAs,
MAC address tables, and so on. See “FortiGate HA compatibility with PPPoE and DHCP”
on page 1453 for more information about DHCP server address lease synchronization
and “Synchronizing routing table updates” on page 1618 for information about routing
table updates.
Whenever a change is made to a cluster unit configuration, incremental synchronization sends the same configuration change to all other cluster units over the HA heartbeat link. An HA synchronization process running on each cluster unit receives the configuration change and applies it to the cluster unit. The HA synchronization process makes the configuration change by entering a CLI command that appears to be entered by the administrator who made the configuration change in the first place.
Synchronization takes place silently, and no log messages are recorded about the
synchronization activity. However, log messages can be recorded by the cluster units
when the synchronization process enters CLI commands. You can see these log
messages on the subordinate units if you enable event logging and set the minimum
severity level to Information and then check the event log messages written by the cluster
units when you make a configuration change. See “Configuration change synchronized
from primary unit to subordinate unit” on page 1570.
You can also see these log messages on the primary unit if you make configuration
changes from a subordinate unit. See “Configuration change synchronized from
subordinate unit to primary unit” on page 1571.

Periodic synchronization
Incremental synchronization makes sure that as an administrator makes configuration changes, the configurations of all cluster units remain the same. However, a number of factors could cause one or more cluster units to go out of sync with the primary unit. For example, if you add a new unit to a functioning cluster, the configuration of this new unit will not match the configuration of the other cluster units. It's not practical to use incremental synchronization to change the configuration of the new unit.
Periodic synchronization is a mechanism that looks for synchronization problems and
fixes them. Every minute the cluster compares the configuration file checksum of the
primary unit with the configuration file checksums of each of the subordinate units. If all
subordinate unit checksums are the same as the primary unit checksum, all cluster units
are considered synchronized.
If one or more of the subordinate unit checksums is not the same as the primary unit
checksum, the subordinate unit configuration is considered out of sync with the primary
unit. The checksum of the out of sync subordinate unit is checked again every 15
seconds. This re-checking occurs in case the configurations are out of sync because an
incremental configuration sequence has not completed. If the checksums do not match
after 5 checks the subordinate unit that is out of sync retrieves the configuration from the
primary unit. The subordinate unit then reloads its configuration and resumes operating as
a subordinate unit with the same configuration as the primary unit.
The configuration of the subordinate unit is reset in this way because when a subordinate
unit configuration gets out of sync with the primary unit configuration there is no efficient
way to determine what the configuration differences are and to correct them. Resetting the
subordinate unit configuration becomes the most efficient way to resynchronize the
subordinate unit.
Synchronization requires that all cluster units run the same FortiOS firmware build. If
some cluster units are running different firmware builds, then unstable cluster operation
may occur and the cluster units may not be able to synchronize correctly.
Note: Re-installing the firmware build running on the primary unit forces the primary unit to
upgrade all cluster units to the same firmware build.

Console messages when configuration synchronization succeeds
When a cluster first forms, or when a new unit is added to a cluster as a subordinate unit, the following messages appear on the CLI console to indicate that the unit joined the cluster and had its configuration synchronized with the primary unit.
slave's configuration is not in sync with master's, sequence:0
slave's configuration is not in sync with master's, sequence:1
slave's configuration is not in sync with master's, sequence:2
slave's configuration is not in sync with master's, sequence:3
slave's configuration is not in sync with master's, sequence:4
slave starts to sync with master
logout all admin users
slave succeeded to sync with master

Console messages when configuration synchronization fails
If you connect to the console of a subordinate unit that is out of synchronization with the
primary unit, messages similar to the following are displayed.
slave is not in sync with master, sequence:0. (type 0x3)
slave is not in sync with master, sequence:1. (type 0x3)
slave is not in sync with master, sequence:2. (type 0x3)
slave is not in sync with master, sequence:3. (type 0x3)
slave is not in sync with master, sequence:4. (type 0x3)
global compared not matched

If synchronization problems occur the console message sequence may be repeated over
and over again. The messages all include a type value (in the example type 0x3). The
type value can help Fortinet Support diagnose the synchronization problem.
Table 108: HA out of sync object messages and the configuration objects that they reference
Out of Sync Message                         Configuration Object
HA_SYNC_SETTING_CONFIGURATION = 0x03        /data/config
HA_SYNC_SETTING_AV = 0x10
HA_SYNC_SETTING_VIR_DB = 0x11               /etc/vir
HA_SYNC_SETTING_SHARED_LIB = 0x12           /data/lib/libav.so
HA_SYNC_SETTING_SCAN_UNIT = 0x13            /bin/scanunitd
HA_SYNC_SETTING_IMAP_PRXY = 0x14            /bin/imapd
HA_SYNC_SETTING_SMTP_PRXY = 0x15            /bin/smtp
HA_SYNC_SETTING_POP3_PRXY = 0x16            /bin/pop3
HA_SYNC_SETTING_HTTP_PRXY = 0x17            /bin/thttp
HA_SYNC_SETTING_FTP_PRXY = 0x18             /bin/ftpd
HA_SYNC_SETTING_FCNI = 0x19                 /etc/fcni.dat
HA_SYNC_SETTING_FDNI = 0x1a                 /etc/fdnservers.dat
HA_SYNC_SETTING_FSCI = 0x1b                 /etc/sci.dat
HA_SYNC_SETTING_FSAE = 0x1c                 /etc/fsae_adgrp.cache
HA_SYNC_SETTING_IDS = 0x20                  /etc/ids.rules
HA_SYNC_SETTING_IDSUSER_RULES = 0x21        /etc/idsuser.rules
HA_SYNC_SETTING_IDSCUSTOM = 0x22
HA_SYNC_SETTING_IDS_MONITOR = 0x23          /bin/ipsmonitor
HA_SYNC_SETTING_IDS_SENSOR = 0x24           /bin/ipsengine
HA_SYNC_SETTING_NIDS_LIB = 0x25             /data/lib/libips.so
HA_SYNC_SETTING_WEBLISTS = 0x30
HA_SYNC_SETTING_CONTENTFILTER = 0x31        /data/cmdb/webfilter.bword
HA_SYNC_SETTING_URLFILTER = 0x32            /data/cmdb/webfilter.urlfilter
HA_SYNC_SETTING_FTGD_OVRD = 0x33            /data/cmdb/webfilter.fgtd-ovrd
HA_SYNC_SETTING_FTGD_LRATING = 0x34         /data/cmdb/webfilter.fgtd-ovrd
HA_SYNC_SETTING_EMAILLISTS = 0x40
HA_SYNC_SETTING_EMAILCONTENT = 0x41         /data/cmdb/spamfilter.bword
HA_SYNC_SETTING_EMAILBWLIST = 0x42          /data/cmdb/spamfilter.emailbwl
HA_SYNC_SETTING_IPBWL = 0x43                /data/cmdb/spamfilter.ipbwl
HA_SYNC_SETTING_MHEADER = 0x44              /data/cmdb/spamfilter.mheader
HA_SYNC_SETTING_RBL = 0x45                  /data/cmdb/spamfilter.rbl
HA_SYNC_SETTING_CERT_CONF = 0x50            /etc/cert/cert.conf
HA_SYNC_SETTING_CERT_CA = 0x51              /etc/cert/ca
HA_SYNC_SETTING_CERT_LOCAL = 0x52           /etc/cert/local
HA_SYNC_SETTING_CERT_CRL = 0x53             /etc/cert/crl
HA_SYNC_SETTING_DB_VER = 0x55
HA_GET_DETAIL_CSUM = 0x71
HA_SYNC_CC_SIG = 0x75                       /etc/cc_sig.dat
HA_SYNC_CC_OP = 0x76                        /etc/cc_op
HA_SYNC_CC_MAIN = 0x77                      /etc/cc_main
HA_SYNC_FTGD_CAT_LIST = 0x7a                /migadmin/webfilter/ublock/ftgd/data/

Comparing checksums of cluster units
You can use the diagnose sys ha showcsum command to compare the configuration
checksums of all cluster units. The output of this command shows checksums labelled
global and all as well as checksums for each of the VDOMs including the root
VDOM.
The primary unit and subordinate unit checksums should be the same. If they are not, you
can use the execute ha synchronize command to force a synchronization.
The following command output is for the primary unit of a cluster that does not have
multiple VDOMs enabled:
diagnose sys ha showcsum
is_manage_master()=1, is_root_master()=1
debugzone
global: a0 7f a7 ff ac 00 d5 b6 82 37 cc 13 3e 0b 9b 77
root: 43 72 47 68 7b da 81 17 c8 f5 10 dd fd 6b e9 57
all: c5 90 ed 22 24 3e 96 06 44 35 b6 63 7c 84 88 d5
checksum
global: a0 7f a7 ff ac 00 d5 b6 82 37 cc 13 3e 0b 9b 77
root: 43 72 47 68 7b da 81 17 c8 f5 10 dd fd 6b e9 57
all: c5 90 ed 22 24 3e 96 06 44 35 b6 63 7c 84 88 d5
The following command output is for a subordinate unit of the same cluster:
diagnose sys ha showcsum
is_manage_master()=0, is_root_master()=0
debugzone
global: a0 7f a7 ff ac 00 d5 b6 82 37 cc 13 3e 0b 9b 77
root: 43 72 47 68 7b da 81 17 c8 f5 10 dd fd 6b e9 57
all: c5 90 ed 22 24 3e 96 06 44 35 b6 63 7c 84 88 d5
checksum
global: a0 7f a7 ff ac 00 d5 b6 82 37 cc 13 3e 0b 9b 77
root: 43 72 47 68 7b da 81 17 c8 f5 10 dd fd 6b e9 57
all: c5 90 ed 22 24 3e 96 06 44 35 b6 63 7c 84 88 d5
The following example shows using this command for the primary unit of a cluster with
multiple VDOMs. Two VDOMs have been added named test and Eng_vdm.
From the primary unit:
config global
diagnose sys ha showcsum
is_manage_master()=1, is_root_master()=1
debugzone
global: 65 75 88 97 2d 58 1b bf 38 d3 3d 52 5b 0e 30 a9
test: a5 16 34 8c 7a 46 d6 a4 1e 1f c8 64 ec 1b 53 fe
root: 3c 12 45 98 69 f2 d8 08 24 cf 02 ea 71 57 a7 01
Eng_vdm: 64 51 7c 58 97 79 b1 b3 b3 ed 5c ec cd 07 74 09
all: 30 68 77 82 a1 5d 13 99 d1 42 a3 2f 9f b9 15 53
checksum
global: 65 75 88 97 2d 58 1b bf 38 d3 3d 52 5b 0e 30 a9
test: a5 16 34 8c 7a 46 d6 a4 1e 1f c8 64 ec 1b 53 fe
root: 3c 12 45 98 69 f2 d8 08 24 cf 02 ea 71 57 a7 01
Eng_vdm: 64 51 7c 58 97 79 b1 b3 b3 ed 5c ec cd 07 74 09
all: 30 68 77 82 a1 5d 13 99 d1 42 a3 2f 9f b9 15 53
From the subordinate unit:
config global
diagnose sys ha showcsum
is_manage_master()=0, is_root_master()=0
debugzone
global: 65 75 88 97 2d 58 1b bf 38 d3 3d 52 5b 0e 30 a9
test: a5 16 34 8c 7a 46 d6 a4 1e 1f c8 64 ec 1b 53 fe
root: 3c 12 45 98 69 f2 d8 08 24 cf 02 ea 71 57 a7 01
Eng_vdm: 64 51 7c 58 97 79 b1 b3 b3 ed 5c ec cd 07 74 09
all: 30 68 77 82 a1 5d 13 99 d1 42 a3 2f 9f b9 15 53
checksum
global: 65 75 88 97 2d 58 1b bf 38 d3 3d 52 5b 0e 30 a9
test: a5 16 34 8c 7a 46 d6 a4 1e 1f c8 64 ec 1b 53 fe
root: 3c 12 45 98 69 f2 d8 08 24 cf 02 ea 71 57 a7 01
Eng_vdm: 64 51 7c 58 97 79 b1 b3 b3 ed 5c ec cd 07 74 09
all: 30 68 77 82 a1 5d 13 99 d1 42 a3 2f 9f b9 15 53

How to diagnose HA out of sync messages
This section describes how to use the commands diagnose sys ha showcsum and
diagnose debug to diagnose the cause of HA out of sync messages.
If HA synchronization is not successful, use the following procedures on each cluster unit
to find the cause.
To determine why HA synchronization does not occur
1 Connect to the CLI of each cluster unit by connecting to its console port.
2 Enter the following commands to enable debugging and display HA out of sync
messages.
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application hatalk -1
diagnose debug application hasync -1
Collect the console output and compare the out of sync messages with the information
in Table 108 on page 1614.
3 Enter the following commands to turn off debugging.
diagnose debug disable
diagnose debug reset
To determine what part of the configuration is causing the problem
If the previous procedure displays messages that include sync object 0x30 (for example,
HA_SYNC_SETTING_CONFIGURATION = 0x03) there is a synchronization problem with
the configuration. Use the following steps to determine the part of the configuration that is
causing the problem.
If your cluster consists of two cluster units, use this procedure to capture the configuration
checksums for each unit. If your cluster consists of more than two cluster units, repeat this
procedure for all cluster units that returned messages that include 0x30 sync object
messages.
1 Connect to the CLI of each cluster unit by connecting to its console port.
2 Enter the following command to turn on terminal capture.
diagnose debug enable
3 Enter the following command to stop HA synchronization.
execute ha sync stop
4 Enter the following command to display configuration checksums.
diagnose sys ha showcsum 1
5 Copy the output to a text file.
6 Repeat for all affected units.
7 Compare the text file from the primary unit with the text file from each cluster unit to
find the checksums that do not match.
You can use a diff function to compare text files.
8 Repeat steps 4 to 7 for each checksum level:
diagnose sys ha showcsum 2
diagnose sys ha showcsum 3
diagnose sys ha showcsum 4
diagnose sys ha showcsum 5
diagnose sys ha showcsum 6
diagnose sys ha showcsum 7
diagnose sys ha showcsum 8
9 When the non-matching checksum is found, attempt to drill down further. This is
possible for objects that have sub-components.
For example you can enter the following commands:
diagnose sys ha showcsum system.global
diagnose sys ha showcsum system.interface
Generally it is the first non-matching checksum in one of the levels that is the cause of
the synchronization problem.
10 Attempt to remove or change the part of the configuration that is causing the
problem. You can do this by making configuration changes from the primary unit or
subordinate unit CLI.
11 Enter the following commands to restart HA synchronization and stop debugging:
execute ha sync start
diagnose debug dis
diagnose debug reset
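The comparison in steps 5 to 9 can be scripted. The following Python is added here as an example and is not part of the handbook or of FortiOS: it parses diagnose sys ha showcsum captures from a primary and a subordinate unit, lists the checksum entries that differ, and decodes NAME = 0xNN sync object tokens from a console capture against a subset of Table 108. The sample captures are constructed (primary checksums copied from the output above, subordinate values altered) and the wording of the console lines is illustrative.

```python
"""Compare 'diagnose sys ha showcsum' captures from two cluster units and decode
out-of-sync object codes using Table 108 (added example; not FortiOS code)."""
import re

# Subset of Table 108: sync object code -> (out of sync message, configuration object).
# Rows that have no configuration object in the table keep an empty string.
SYNC_OBJECTS = {
    0x03: ("HA_SYNC_SETTING_CONFIGURATION", "/data/config"),
    0x11: ("HA_SYNC_SETTING_VIR_DB", "/etc/vir"),
    0x20: ("HA_SYNC_SETTING_IDS", "/etc/ids.rules"),
    0x50: ("HA_SYNC_SETTING_CERT_CONF", "/etc/cert/cert.conf"),
    0x52: ("HA_SYNC_SETTING_CERT_LOCAL", "/etc/cert/local"),
}

SECTION_RE = re.compile(r"[a-z]+")                          # "debugzone" or "checksum"
CSUM_RE = re.compile(r"([\w-]+):\s*((?:[0-9a-f]{2}\s*)+)")  # "root: 43 72 47 ..."
SYNC_MSG_RE = re.compile(r"\b(HA_[A-Z0-9_]+)\s*=\s*0x([0-9a-fA-F]+)\b")


def parse_showcsum(text):
    """Return {section: {name: hex_checksum}} from showcsum output.

    Sections are the 'debugzone' and 'checksum' blocks; names are global, all and
    one entry per VDOM. Echoed commands and the is_manage_master() line are skipped.
    """
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.fullmatch(line):
            section = line
            result.setdefault(section, {})
            continue
        m = CSUM_RE.fullmatch(line)
        if m:
            if section is None:
                raise ValueError("checksum line before any section: %r" % line)
            result[section][m.group(1)] = "".join(m.group(2).split())
    return result


def compare_checksums(primary_text, subordinate_text):
    """List (section, name) pairs whose checksums differ or exist on only one unit."""
    p, s = parse_showcsum(primary_text), parse_showcsum(subordinate_text)
    mismatches = []
    for section in sorted(set(p) | set(s)):
        names = set(p.get(section, {})) | set(s.get(section, {}))
        for name in sorted(names):
            if p.get(section, {}).get(name) != s.get(section, {}).get(name):
                mismatches.append((section, name))
    return mismatches


def find_sync_messages(console_text):
    """Pick out 'HA_... = 0xNN' tokens (the form used in Table 108) from captured
    console output and decode each to (code, message, configuration object)."""
    found = []
    for m in SYNC_MSG_RE.finditer(console_text):
        code = int(m.group(2), 16)
        message, obj = SYNC_OBJECTS.get(code, (m.group(1), ""))
        if (code, message, obj) not in found:
            found.append((code, message, obj))
    return found


# Constructed sample: primary checksums copied from the handbook output; the
# subordinate deliberately diverges in the root VDOM (and therefore in 'all').
PRIMARY_OUTPUT = """\
diagnose sys ha showcsum
is_manage_master()=1, is_root_master()=1
debugzone
global: a0 7f a7 ff ac 00 d5 b6 82 37 cc 13 3e 0b 9b 77
root: 43 72 47 68 7b da 81 17 c8 f5 10 dd fd 6b e9 57
all: c5 90 ed 22 24 3e 96 06 44 35 b6 63 7c 84 88 d5
checksum
global: a0 7f a7 ff ac 00 d5 b6 82 37 cc 13 3e 0b 9b 77
root: 43 72 47 68 7b da 81 17 c8 f5 10 dd fd 6b e9 57
all: c5 90 ed 22 24 3e 96 06 44 35 b6 63 7c 84 88 d5
"""
SUBORDINATE_OUTPUT = (
    PRIMARY_OUTPUT.replace("is_manage_master()=1, is_root_master()=1",
                           "is_manage_master()=0, is_root_master()=0")
    .replace("43 72 47 68 7b da 81 17 c8 f5 10 dd fd 6b e9 57",
             "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff")
    .replace("c5 90 ed 22 24 3e 96 06 44 35 b6 63 7c 84 88 d5",
             "ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00")
)

# Constructed console capture: only the 'NAME = 0xNN' form comes from Table 108,
# the surrounding wording is illustrative.
CONSOLE_CAPTURE = """\
hasync: out of sync object HA_SYNC_SETTING_CONFIGURATION = 0x03
hasync: out of sync object HA_SYNC_SETTING_CERT_CONF = 0x50
hasync: out of sync object HA_SYNC_SETTING_CONFIGURATION = 0x03
"""

if __name__ == "__main__":
    for section, name in compare_checksums(PRIMARY_OUTPUT, SUBORDINATE_OUTPUT):
        print("mismatch: %s/%s" % (section, name))
    for code, message, obj in find_sync_messages(CONSOLE_CAPTURE):
        print("0x%02x %s -> %s" % (code, message, obj or "(no file)"))
```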

Synchronizing routing table updates
In a functioning cluster, the primary unit keeps all subordinate unit routing tables up to date
and synchronized with the primary unit. After a failover, because of these routing table
updates the new primary unit does not have to populate its routing table before being able
to route traffic. After a failover the new primary unit rebuilds its routing table, but having the
synchronized routes already available means the table is rebuilt much faster than if no
route information was available.
This section describes how clusters handle dynamic routing failover and also describes
how to use CLI commands to control the timing of routing table updates of the subordinate
unit routing tables from the primary unit.

Configuring graceful restart for dynamic routing failover
When an HA failover occurs, neighbor routers will detect that the cluster has failed and
remove it from the network until the routing topology stabilizes. During the time the routers
may stop sending IP packets to the cluster and communications sessions that would
normally be processed by the cluster may time out or be dropped. Also the new primary
unit will not receive routing updates and so will not be able to build and maintain its routing
database.
You can configure graceful restart (also called nonstop forwarding (NSF)) as described in
RFC3623 (Graceful OSPF Restart) to solve the problem of dynamic routing failover. If
graceful restart is enabled on neighbor routers, they will keep sending packets to the
cluster following the HA failover instead of removing it from the network. The neighboring
routers assume that the cluster is experiencing a graceful restart.
After the failover, the new primary unit can continue to process communication sessions
using the synchronized routing data received from the failed primary unit before the
failover. This gives the new primary unit time to update its routing table after the failover.
You can use the following commands to enable graceful restart or NSF on Cisco routers:
router ospf 1
log-adjacency-changes
nsf ietf helper strict-lsa-checking
If the cluster is running BGP, use the following command to enable graceful restart for
BGP:
config router bgp
set graceful-restart enable
end
You can also add BGP neighbors and configure the cluster unit to notify these neighbors
that it supports graceful restart.
config router bgp
config neighbor
edit <neighbor_address_Ipv4>
set capability-graceful-restart enable
end
end
If the cluster is running OSPF, use the following command to enable graceful restart for
OSPF:
config router ospf
set restart-mode graceful-restart
end

To make sure the new primary unit keeps its synchronized routing data long enough to
acquire new routing data, you should also increase the HA route time to live, route wait,
and route hold values to 60 using the following CLI command:
config system ha
set route-ttl 60
set route-wait 60
set route-hold 60
end

Controlling how the FGCP synchronizes routing updates
You can use the following commands to control some of the timing settings that the FGCP
uses when synchronizing routing updates from the primary unit to subordinate units and
maintaining routes on the primary unit after a failover.
config system ha
set route-hold <hold_integer>
set route-ttl <ttl_integer>
set route-wait <wait_integer>
end

Change how long routes stay in a cluster unit routing table
Change the route-ttl time to control how long routes remain in a cluster unit routing
table. The time to live range is 0 to 3600 seconds. The default time to live is 10 seconds.
The time to live controls how long routes remain active in a cluster unit routing table after
the cluster unit becomes a primary unit. To maintain communication sessions after a
cluster unit becomes a primary unit, routes remain active in the routing table for the route
time to live while the new primary unit acquires new routes.
If route-ttl is set to 0 the primary unit must acquire all new routes before it can
continue processing traffic. By default, route-ttl is set to 10 which may mean that only
a few routes will remain in the routing table after a failover. Normally keeping route-ttl
to 10 or reducing the value to 0 is acceptable because acquiring new routes usually
occurs very quickly, especially if graceful restart is enabled, so only a minor delay is
caused by acquiring new routes.
If the primary unit needs to acquire a very large number of routes, or if for other reasons,
there is a delay in acquiring all routes, the primary unit may not be able to maintain all
communication sessions.
You can increase the route time to live if you find that communication sessions are lost
after a failover so that the primary unit can use synchronized routes that are already in the
routing table, instead of waiting to acquire new routes.

Change the time between routing updates
Change the route-hold time to change the time that the primary unit waits between
sending routing table updates to subordinate units. The route hold range is 0 to 3600
seconds. The default route hold time is 10 seconds.
To avoid flooding routing table updates to subordinate units, set route-hold to a
relatively long time to prevent subsequent updates from occurring too quickly. Flooding
routing table updates can affect cluster performance if a great deal of routing information
is synchronized between cluster units. Increasing the time between updates means that
this data exchange will not have to happen so often.
The route-hold time should be coordinated with the route-wait time.

Change the time the primary unit waits after receiving a routing update
Change the route-wait time to change how long the primary unit waits after receiving
routing updates before sending the updates to the subordinate units. For quick routing
table updates to occur, set route-wait to a relatively short time so that the primary unit does
not hold routing table changes for too long before updating the subordinate units.
The route-wait range is 0 to 3600 seconds. The default route-wait is 0 seconds.
Normally, because the route-wait time is 0 seconds the primary unit sends routing
table updates to the subordinate units every time its routing table changes.
Once a routing table update is sent, the primary unit waits the route-hold time before
sending the next update.
Usually routing table updates are periodic and sporadic. Subordinate units should receive
these changes as soon as possible so route-wait is set to 0 seconds. route-hold
can be set to a relatively long time because normally the next route update would not
occur for a while.
In some cases, routing table updates can occur in bursts. A large burst of routing table
updates can occur if a router or a link on a network fails or changes. When a burst of
routing table updates occurs, there is a potential that the primary unit could flood the
subordinate units with routing table updates. Flooding routing table updates can affect
cluster performance if a great deal of routing information is synchronized between cluster
units. Setting route-wait to a longer time reduces the frequency of additional updates
and prevents flooding of routing table updates from occurring.

Synchronizing IPsec VPN SAs
The FGCP synchronizes IPsec security associations (SAs) between cluster members so
that if a failover occurs, the cluster can resume IPsec sessions without having to establish
new SAs. The result is improved failover performance because IPsec sessions are not
interrupted to establish new SAs. Also, establishing a large number of SAs can reduce
cluster performance.
The FGCP implements slightly different synchronization mechanisms for IKEv1 and
IKEv2.

Synchronizing SAs for IKEv1
When an SA is synchronized to the subordinate units, the sequence number is set to the
maximum sequence number. After a failover, all inbound traffic that connects with the new
primary unit and uses the SA will be accepted without needing to re-key. However, the first
outbound packet to use the SA causes the sequence number to overflow and so causes
the new primary unit to re-key the SA.
Please note the following:
• IPsec SAs are not synchronized until the IKE process has finished synchronizing the
ISAKMP SAs. This is required for dialup tunnels since it is the synchronizing of the
ISAKMP SA that creates the dialup tunnel.
• A dialup interface is created as soon as the phase1 is complete. This ensures that
when HA synchronizes phase1 information the dialup name is included.
• The cluster synchronizes all IPsec SAs.
• If the IKE process re-starts for any reason it deletes any dialup tunnels that exist. This
forces the peer to re-key them.
• IPsec SA deletion happens immediately. Routes associated with a dialup tunnel that is
being deleted are cleaned up synchronously as part of the delete, rather than waiting
for the SA hard-expiry.
• The FGCP does not sync the IPsec tunnel MTU from the primary unit to the
subordinate units. This means that after HA failover if the first packet received by the
FortiGate unit arrives after the HA route has been deleted and before the new route is
added and the packet is larger than the default MTU of 1024 then the FortiGate unit
sends back an ICMP fragmentation required. However, as soon as routing is
reestablished then the MTU will be corrected and traffic will flow.

Synchronizing SAs for IKEv2
Due to the way the IKEv2 protocol is designed the FGCP cannot use exactly the same
solution that is used for synchronizing IKEv1 SAs, though it is similar.
For IKEv2, like IKEv1, the FGCP synchronizes IKE and ISAKMP SAs from the primary
unit to the subordinate units. However, for IKEv2 the FGCP cannot actually use this IKE
SA to send/receive IKE traffic because IKEv2 includes a sequence number in every IKE
message and thus it would require synchronizing every message to the subordinate units
to keep the sequence numbers on the subordinate units up to date.
After a failover when the new primary unit accepts incoming IKEv2 sessions, as in IKEv1,
the primary unit uses the synchronized SA to decrypt the traffic before passing it through
to its destination. For outgoing sessions, because the synchronized SA has an old
sequence number, the primary unit negotiates a new SA. This is different from IKEv1
where the existing SA is re-keyed.
Normally for IKEv2 the new primary unit could just negotiate a CHILD_SA using the
synchronized SA. However, because the sequence numbers are not up-to-date, as noted
above, the synchronized SA cannot be used and the primary unit must instead negotiate a
whole new SA.

Link failover
Link failover means that if a monitored interface fails, the cluster reorganizes to reestablish
a link to the network that the monitored interface was connected to and to continue
operating with minimal or no disruption of network traffic.
You configure monitored interfaces (also called interface monitoring or port monitoring) by
selecting the interfaces to monitor as part of the cluster HA configuration.
You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more
than 16 physical interfaces. In a multiple VDOM configuration you can monitor up to 16
interfaces per virtual cluster.
The interfaces that you can monitor appear on the port monitor list. You can monitor all
FortiGate interfaces including redundant interfaces and 802.3ad aggregate interfaces.
You cannot monitor the following types of interfaces (you cannot select the interfaces on
the port monitor list):
• FortiGate interfaces that contain an internal switch.
• VLAN subinterfaces.
• IPsec VPN interfaces.
• Individual physical interfaces that have been added to a redundant or 802.3ad
aggregate interface.
• FortiGate-5000 series backplane interfaces that have not been configured as network
interfaces.
If you are configuring a virtual cluster you can create a different port monitor configuration
for each virtual cluster. Usually for each virtual cluster you would monitor the interfaces
that have been added to the virtual domains in each virtual cluster.
Tip: Wait until after the cluster is up and running to enable interface monitoring. You do not
need to configure interface monitoring to get a cluster up and running and interface
monitoring will cause failovers if for some reason during initial setup a monitored interface
has become disconnected. You can always enable interface monitoring once you have
verified that the cluster is connected and operating properly.

Note: You should only monitor interfaces that are connected to networks, because a
failover may occur if you monitor an unconnected interface.

To enable interface monitoring - web-based manager
Use the following steps to monitor the port1 and port2 interfaces of a cluster.
1 Connect to the cluster web-based manager.
2 Go to System > Config > HA and edit the primary unit (Role is MASTER).
3 Select the Port Monitor check boxes for the port1 and port2 interfaces and select OK.
The configuration change is synchronized to all cluster units.
To enable interface monitoring - CLI
Use the following steps to monitor the port1 and port2 interfaces of a cluster.
1 Connect to the cluster CLI.
2 Enter the following command to enable interface monitoring for port1 and port2.
config system ha
set monitor port1 port2
end
The following example shows how to enable monitoring for the external, internal, and DMZ
interfaces.
config system ha
set monitor external internal dmz
end
With interface monitoring enabled, during cluster operation, the cluster monitors each
cluster unit to determine if the monitored interfaces are operating and connected. Each
cluster unit can detect a failure of its network interface hardware. Cluster units can also
detect if their network interfaces are disconnected from the switch they should be
connected to.
Note: Cluster units cannot determine if the switch that their interfaces are connected to is
still connected to the network. However, you can use remote IP monitoring to make sure
that the cluster unit can connect to downstream network devices. See “Remote link
failover” on page 1626.

Because the primary unit receives all traffic processed by the cluster, a cluster can only
process traffic from a network if the primary unit can connect to it. So, if the link between a
network and the primary unit fails, to maintain communication with this network, the cluster
must select a different primary unit; one that is still connected to the network. Unless
another link failure has occurred, the new primary unit will have an active link to the
network and will be able to maintain communication with it.
To support link failover, each cluster unit stores link state information for all monitored
cluster units in a link state database. All cluster units keep this link state database up to
date by sharing link state information with the other cluster units. If one of the monitored
interfaces on one of the cluster units becomes disconnected or fails, this information is
immediately shared with all cluster units.

If a monitored interface on the primary unit fails
If a monitored interface on the primary unit fails, the cluster renegotiates to select a new
primary unit using the process described in “Primary unit selection” on page 1443.
Because the cluster unit with the failed monitored interface has the lowest monitor priority,
a different cluster unit becomes the primary unit. The new primary unit should have fewer
link failures.
After the failover, the cluster resumes and maintains communication sessions in the same
way as for a device failure. See “Device failover” on page 1597.

If a monitored interface on a subordinate unit fails
If a monitored interface on a subordinate unit fails, this information is shared with all
cluster units. The cluster does not renegotiate. The subordinate unit with the failed
monitored interface continues to function in the cluster.
In an active-passive cluster after a subordinate unit link failover, the subordinate unit
continues to function normally as a subordinate unit in the cluster.
In an active-active cluster after a subordinate unit link failure:
• The subordinate unit with the failed monitored interface can continue processing
connections between functioning interfaces. However, the primary unit stops sending
the subordinate unit any sessions that use its failed monitored interfaces.
• If session pickup is enabled, all sessions being processed by the subordinate unit's
failed interface that can be failed over are failed over to other cluster units. Sessions
that cannot be failed over are lost and have to be restarted.
• If session pickup is not enabled, all sessions being processed by the subordinate unit's
failed interface are lost.

How link failover maintains traffic flow
Monitoring an interface means that the interface is connected to a high priority network. As
a high priority network, the cluster should maintain traffic flow to and from the network,
even if a link failure occurs. Because the primary unit receives all traffic processed by the
cluster, a cluster can only process traffic from a network if the primary unit can connect to
it. So, if the link that the primary unit has to a high priority network fails, to maintain traffic
flow to and from this network, the cluster must select a different primary unit. This new
primary unit should have an active link to the high priority network.

Figure 230: A link failure causes a cluster to select a new primary unit (diagram not
reproduced: packets from the internal network reach the primary unit; a link failure occurs
on the primary unit; the cluster selects a new primary unit and packets from the internal
network flow to it)
If a monitored interface on the primary unit fails, the cluster renegotiates and selects the
cluster unit with the highest monitor priority to become the new primary unit. The cluster
unit with the highest monitor priority is the cluster unit with the most monitored interfaces
connected to networks.
After a link failover, the primary unit processes all traffic and all subordinate units, even the
cluster unit with the link failure, share session and link status. In addition all configuration
changes, routes, and IPsec SAs are synchronized to the cluster unit with the link failure.
In an active-active cluster, the primary unit load balances traffic to all the units in the
cluster. The cluster unit with the link failure can process connections between its
functioning interfaces (for example, if the cluster has connections to an internal, external,
and DMZ network, the cluster unit with the link failure can still process connections
between the external and DMZ networks).
If a monitored interface on a subordinate unit fails, the subordinate unit shares this
information with all cluster units. The cluster does not renegotiate. The subordinate unit
with the failed monitored interface continues to function in the cluster. In an active-active
cluster, the subordinate unit can continue processing connections between functioning
interfaces. The primary unit re-distributes traffic that was being processed by the failed
interface of the subordinate unit to other cluster units. If session pickup is enabled, similar
to a failover, some of these sessions continue while others must restart. See “Session
failover (session pick-up)” on page 1630.

Recovery after a link failover
If you find and correct the problem that caused a link failure (for example, re-connect a
disconnected network cable) the cluster updates its link state database and the cluster unit
continues to operate as a subordinate unit. In an active-active cluster the primary unit will
begin load balancing sessions to the now reconnected interface.
If the override CLI keyword is enabled on this cluster unit and its device priority is set
higher than the unit priority of other cluster units, the cluster will renegotiate when the link
failure is repaired and the cluster unit with the highest device priority becomes the primary
unit.

Testing link failover
You can test link failure by disconnecting the network cable from a monitored interface of a
cluster unit. If you disconnect a cable from a primary unit monitored interface the cluster
should renegotiate and select one of the other cluster units as the primary unit. You can
also verify that traffic received by the disconnected interface continues to be processed by
the cluster after the failover.
If you disconnect a cable from a subordinate unit interface the cluster will not renegotiate.

Updating MAC forwarding tables when a link failover occurs
When a FortiGate HA cluster is operating and a monitored interface fails on the primary
unit, the primary unit usually becomes a subordinate unit and another cluster unit
becomes the primary unit. After a link failover, the new primary unit sends gratuitous ARP
packets to refresh the MAC forwarding tables (also called arp tables) of the switches
connected to the cluster. This is normal link failover operation (for more information, see
“Link failover” on page 1621).
Some switches may not be able to detect that the primary unit has become a subordinate
unit and will keep sending packets to the former primary unit. This can occur if the switch
does not detect the failure and does not clear its MAC forwarding table.
To make sure the switch detects the failover and clears its MAC forwarding tables, you can
use the following command to cause a cluster unit with a monitored interface link failure to
shut down all of its interfaces (except the heartbeat interfaces) for one second after the
failover occurs. Usually this means the interfaces of the former primary unit are shut down.
When this happens the switch should be able to detect this failure and clear its MAC
forwarding tables of the MAC addresses of the former primary unit. Since the new primary
unit has sent or will send gratuitous ARP packets the switch can then update its MAC
forwarding tables to for the new primary unit.
config system ha
set link-failed-signal enable
end

Multiple link failures
Every time a monitored interface fails, the cluster repeats the processes described above.
If multiple monitored interfaces fail on more than one cluster unit, the cluster continues to
negotiate to select a primary unit that can provide the most network connections.

Example link failover scenarios
For the following examples, assume a cluster configuration consisting of two FortiGate
units (FGT_1 and FGT_2) connected to three networks: internal using port2, external
using port1, and DMZ using port3. In the HA configuration, the device priority of FGT_1 is
set higher than the unit priority of FGT_2.
The cluster processes traffic flowing between the internal and external networks, between
the internal and DMZ networks, and between the external and DMZ networks. If there are
no link failures, FGT_1 becomes the primary unit because it has the highest device priority.
Figure 231: Sample link failover scenario topology (diagram not reproduced: the cluster of
FGT_1 and FGT_2 connects to the internal network on port2 and to the Internet on port1,
both with interface monitoring enabled, and to the DMZ network on port3 with interface
monitoring disabled)
Example: the port1 link on FGT_1 fails
If the port1 link on FGT_1 fails, FGT_2 becomes the primary unit because it has fewer
interfaces with a link failure. If the cluster is operating in active-active mode, the cluster
load balances traffic between the internal network (port2) and the DMZ network (port3).
Traffic between the Internet (port1) and the internal network (port2) and between the
Internet (port1) and the DMZ network (port3) is processed by the primary unit only.

Example: port2 on FGT_1 and port1 on FGT_2 fail
If port2 on FGT_1 and port1 on FGT_2 fail, then FGT_1 becomes the primary unit. After
both of these link failures, both cluster units have the same monitor priority. So the cluster
unit with the highest device priority (FGT_1) becomes the primary unit.
Only traffic between the Internet (port1) and DMZ (port3) networks can pass through the
cluster and the traffic is handled by the primary unit only. No load balancing will occur if the
cluster is operating in active-active mode.
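The two scenarios above, worked as an added example that is not part of the handbook: a Python model of the two selection rules this section states (fewest failed monitored interfaces wins; a tie goes to the higher device priority). Unit and port names follow the example topology; the device priority values, the data classes and the port-to-network map are this example's assumptions, and the other FGCP selection criteria the handbook covers elsewhere are deliberately left out.

```python
"""Model of FGCP primary-unit selection under HA interface monitoring.

Added example, not FortiOS code. Only the two rules stated in the handbook
text are modelled: fewest failed *monitored* interfaces wins, and ties go to
the higher device priority. Priority values and the network map are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class ClusterUnit:
    name: str
    device_priority: int
    monitored: frozenset                     # interfaces with interface monitoring enabled
    failed_links: set = field(default_factory=set)

    def monitor_failures(self) -> int:
        # Only failures on monitored interfaces count. port3 in the example
        # topology has monitoring disabled, so a port3 failure changes nothing.
        return len(self.failed_links & self.monitored)


def select_primary(units):
    """Return the unit the cluster negotiates as primary.

    Rule 1: fewest failed monitored interfaces.
    Rule 2 (tie-break): highest device priority.
    """
    return min(units, key=lambda u: (u.monitor_failures(), -u.device_priority))


# Assumed mapping of the example topology's ports to networks.
PORT_TO_NETWORK = {"port1": "internet", "port2": "internal", "port3": "dmz"}


def reachable_networks(primary):
    """Networks the cluster can still serve: those whose interface on the
    primary unit is up. Traffic between two networks needs both interfaces up."""
    return {net for port, net in PORT_TO_NETWORK.items() if port not in primary.failed_links}


def build_cluster():
    monitored = frozenset({"port1", "port2"})
    fgt1 = ClusterUnit("FGT_1", device_priority=200, monitored=monitored)  # assumed value
    fgt2 = ClusterUnit("FGT_2", device_priority=100, monitored=monitored)  # assumed value
    return fgt1, fgt2


def scenario_port1_on_fgt1_fails():
    """Handbook example 1: FGT_2 wins because it has fewer failed monitored links."""
    fgt1, fgt2 = build_cluster()
    fgt1.failed_links.add("port1")
    return select_primary([fgt1, fgt2]).name


def scenario_port2_fgt1_and_port1_fgt2_fail():
    """Handbook example 2: one failure each, so device priority decides, and
    only Internet<->DMZ traffic can still pass through the primary unit."""
    fgt1, fgt2 = build_cluster()
    fgt1.failed_links.add("port2")
    fgt2.failed_links.add("port1")
    primary = select_primary([fgt1, fgt2])
    return primary.name, sorted(reachable_networks(primary))


def scenario_unmonitored_port3_fails():
    """A failure on an interface without monitoring does not move the primary role."""
    fgt1, fgt2 = build_cluster()
    fgt1.failed_links.add("port3")
    return select_primary([fgt1, fgt2]).name


if __name__ == "__main__":
    print(scenario_port1_on_fgt1_fails())
    print(scenario_port2_fgt1_and_port1_fgt2_fail())
    print(scenario_unmonitored_port3_fails())
```

The third scenario is the check worth running against a real cluster: an interface you forgot to add to the monitored list can go down without any failover, which is exactly the situation the port3 annotation in Figure 231 describes.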

Remote link failover
Remote link failover (also called remote IP monitoring) is similar to HA port monitoring.
Port monitoring causes a cluster to failover if a monitored primary unit interface fails or is
disconnected. Remote IP monitoring uses ping servers configured on FortiGate interfaces
on the primary unit to test connectivity with IP addresses of network devices. Usually
these are IP addresses of network devices not directly connected to the cluster, for
example a downstream router. Remote IP monitoring causes a failover if one or more of
these remote IP addresses does not respond to a ping server.


By being able to detect failures in network equipment not directly connected to the cluster,
remote IP monitoring can be useful in a number of ways depending on your network
configuration. For example, in a full mesh HA configuration, with remote IP monitoring, the
cluster can detect failures in network equipment that is not directly connected to the
cluster but that would interrupt traffic processed by the cluster if the equipment failed.
Figure 232: Example HA remote IP monitoring topology. The primary unit and the
subordinate unit are joined by an HA link. port2 of each unit connects through a switch
and a router to the Internet; port1 connects through a switch and a router to the internal
network. The monitored remote IP is 192.168.20.20. The physical link from the primary unit
to its switch is operating, but the link on the far side of that switch has failed, so the ping
server on the primary unit cannot reach the monitored IP, causing an HA failover.

In the simplified example topology shown in Figure 232, the switch connected directly to
the primary unit is operating normally but the link on the other side of the switches fails. As
a result traffic can no longer flow between the primary unit and the Internet.
To detect this failure you can create a remote IP monitoring configuration consisting of a
ping server on port2 of the cluster. The primary unit tests connectivity to 192.168.20.20. If
the ping server cannot connect to 192.168.20.20 the cluster fails over and the
subordinate unit becomes the new primary unit. The remote HA monitoring ping server on
the new primary unit can connect to 192.168.20.20 so the failover maintains connectivity
between the internal network and the Internet through the cluster.


To configure remote IP monitoring
1 Enter the following commands to configure HA remote monitoring for the example
topology.
• Enter the pingserver-monitor-interface keyword to enable HA remote IP
monitoring on port2.
• Enter the pingserver-failover-threshold keyword to set the HA remote IP
monitoring failover threshold to 10. If one or more ping servers fails, cluster failover
occurs when the priority of all failed ping servers reaches or exceeds this threshold.
You set the priority for each ping server using the ha-priority keyword as
described in step 2 below.
• Enter the pingserver-flip-timeout keyword to set the flip timeout to 120
minutes. After a failover, if HA remote IP monitoring on the new primary unit also
causes a failover, the flip timeout prevents the failover from occurring until the timer
runs out. Setting the pingserver-flip-timeout to 120 means that remote IP
monitoring can only cause a failover every 120 minutes. This flip timeout is required
to prevent repeating failovers if remote IP monitoring causes a failover from all
cluster units because none of the cluster units can connect to the monitored IP
addresses.
config system ha
set pingserver-monitor-interface port2
set pingserver-failover-threshold 10
set pingserver-flip-timeout 120
end
2 Enter the following commands to add the ping server to the port2 interface and to set
the HA remote IP monitoring priority for this ping server.
• Enter the detectserver keyword to add the ping server and set the ping server IP
address to 192.168.20.20.
• Enter the ha-priority keyword to set the HA remote IP monitoring priority of the
ping server to 10 so that if this ping server does not connect to 192.168.20.20 the
HA remote IP monitoring priority will be high enough to reach the failover threshold
and cause a failover.
config system interface
edit port2
set detectserver 192.168.20.20
set ha-priority 10
end
3 You can also use the config global command to change the time interval between
ping server pings using the interval keyword and to change the number of times
that the ping fails before a failure is detected using the failtime keyword.
4 You can also do the following to configure HA remote IP monitoring to test more IP
addresses:
• Enable HA remote IP monitoring on more interfaces by adding more interface
names to the pingserver-monitor-interface keyword.
• If your FortiGate configuration includes VLAN interfaces, aggregate interfaces and
other interface types, you can add the names of these interfaces to the
pingserver-monitor-interface keyword to configure HA remote IP
monitoring for these interfaces.
• Add a second IP address to the detectserver keyword to monitor two IP
addresses on each interface.


Note: If you add two IP addresses to the detectserver keyword the ping will be sent to
both at the same time, and only when neither server responds will the ping server fail.

• Add secondary IPs to any interface and enter detectserver and ha-priority
for each of the secondary IPs. You can do this to monitor multiple IP addresses on
any interface and set a different HA priority for each one. By adding multiple ping
servers to the remote HA monitoring configuration and setting the HA priorities for
each you can fine tune remote IP monitoring. For example, if it is more important to
maintain connections to some remote IPs you can set the HA priorities higher for
these IPs. And if it is less important to maintain connections to other remote IPs you
can set the HA priorities lower for these IPs. You can also adjust the
pingserver-failover-threshold so that if the cluster cannot connect to one or two high
priority IPs a failover occurs. But a failover will not occur if the cluster cannot
connect to one or two low priority IPs.

Ping server priority and the failover threshold
When one HA ping server fails, its priority is compared with the failover threshold. If the
priority is greater than or equal to the failover threshold, HA remote IP monitoring triggers
an HA failover. If the priority is less than the failover threshold, a failover does not occur. If
an HA remote IP monitoring configuration includes only one HA ping server, its priority
should be the same as or higher than the failover threshold.
When more than one ping server fails, the total of the priorities of the failed ping servers is
compared with the failover threshold. An HA failover is triggered only if the total of the
priorities is greater than or equal to the failover threshold. If you have configured two HA
ping servers both with priorities of 10 and if the failover threshold is 20, an HA failover
occurs only when both ping servers fail. If you have configured three ping servers all with
priorities of 10 and if the failover threshold is 20, a failover occurs if any two ping servers
fail. And so on.
By adding multiple ping servers to the remote HA monitoring configuration and setting the
HA priorities for each, you can fine tune remote IP monitoring. For example, if it is more
important to maintain connections to some remote IP addresses you can set the HA
priorities higher for these important IP addresses. And if it is less important to maintain
connections to other remote IP addresses you can set the HA priorities lower for these.
You can also adjust the failover threshold so that if the cluster cannot connect to one or
two high priority IP addresses a failover occurs. But a failover will not occur if the cluster
cannot connect to one or two low priority IP addresses.
The failover threshold range is 0 to 50. Setting the failover threshold to 0 means that if any
ping server added to the HA remote IP monitoring configuration fails an HA failover will
occur.

Flip timeout
The HA remote IP monitoring configuration also involves setting a flip timeout. The flip
timeout is required to reduce the frequency of failovers if, after a failover, HA remote IP
monitoring on the new primary unit also causes a failover. This can happen if the new
primary unit cannot connect to one or more of the monitored remote IP addresses. The
result could be that until you fix the network problem that blocks connections to the remote
IP addresses, the cluster will experience repeated failovers. You can control how often the
failovers occur by setting the flip timeout. The flip timeout stops HA remote IP monitoring
from causing a failover until the primary unit has been operating for the duration of the flip
timeout.


If you set the flip timeout to a relatively high number of minutes you can find and repair the
network problem that prevented the cluster from connecting to the remote IP address
without the cluster experiencing very many failovers. Even if it takes a while to detect the
problem, repeated failovers at relatively long time intervals do not usually disrupt network
traffic.
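The threshold arithmetic in “Ping server priority and the failover threshold” and the flip timeout described just above, as an added example that is not FortiOS code: a small Python model of how ha-priority values of failed ping servers are summed against pingserver-failover-threshold, how failtime turns individual lost pings into a "down" ping server, and how pingserver-flip-timeout rate-limits repeated failovers. The keyword names and the worked cases are the handbook's; the classes, the minute clock, the second and third ping-server targets and the ping results are constructed for this example, and the real unit's ping scheduling is not modelled.

```python
"""Model of HA remote IP monitoring: ha-priority per ping server, the
pingserver-failover-threshold, failtime and the pingserver-flip-timeout.

Added example, not FortiOS code. Keyword names and the worked cases come
from the handbook; the classes, the minute clock and the sample targets
10.0.0.1 / 10.0.1.1 are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class PingServer:
    interface: str
    target: str
    ha_priority: int
    consecutive_failures: int = 0

    def record(self, reply_received, failtime):
        """Feed one ping result. Returns True once the server counts as down,
        i.e. failtime consecutive pings went unanswered; a reply resets the count."""
        self.consecutive_failures = 0 if reply_received else self.consecutive_failures + 1
        return self.consecutive_failures >= failtime


@dataclass
class RemoteIpMonitor:
    failover_threshold: int            # 0..50; 0 means any single failed ping server triggers
    flip_timeout_min: int              # minutes a new primary must run before the next flip
    servers: list = field(default_factory=list)
    primary_since_min: int = 0         # clock reading when the current primary took over

    def failed_priority_total(self, down):
        return sum(s.ha_priority for s in self.servers if s.target in down)

    def should_fail_over(self, down):
        """Failover when the priorities of all failed ping servers add up to the
        threshold or more. With no failed server there is never a failover,
        which is what makes a threshold of 0 mean 'any failure'."""
        return bool(down) and self.failed_priority_total(down) >= self.failover_threshold

    def evaluate(self, down, now_min):
        """What remote IP monitoring does at clock time now_min given the set
        of monitored targets that are currently down."""
        if not self.should_fail_over(down):
            return "no-failover"
        if now_min - self.primary_since_min < self.flip_timeout_min:
            return "suppressed-by-flip-timeout"
        self.primary_since_min = now_min
        return "failover"


def handbook_examples():
    """The worked cases from the text: two servers of priority 10 with
    threshold 20 (both must fail); three servers of priority 10 with
    threshold 20 (any two)."""
    two = RemoteIpMonitor(failover_threshold=20, flip_timeout_min=120)
    two.servers = [PingServer("port2", "192.168.20.20", 10),
                   PingServer("port1", "10.0.0.1", 10)]          # constructed target
    three = RemoteIpMonitor(failover_threshold=20, flip_timeout_min=120)
    three.servers = two.servers + [PingServer("port3", "10.0.1.1", 10)]  # constructed target
    return {
        "two_one_down": two.should_fail_over({"192.168.20.20"}),
        "two_both_down": two.should_fail_over({"192.168.20.20", "10.0.0.1"}),
        "three_two_down": three.should_fail_over({"10.0.0.1", "10.0.1.1"}),
    }


def flip_timeout_demo():
    """No cluster unit can reach the monitored IP: instead of flapping on
    every check, the cluster fails over at most once per flip timeout."""
    mon = RemoteIpMonitor(failover_threshold=10, flip_timeout_min=120)
    mon.servers = [PingServer("port2", "192.168.20.20", 10)]
    down = {"192.168.20.20"}
    return [mon.evaluate(down, t) for t in (130, 131, 200, 250, 251)]


def failtime_demo():
    """A ping server is only 'down' after failtime consecutive lost pings."""
    srv = PingServer("port2", "192.168.20.20", 10)
    return [srv.record(ok, failtime=3) for ok in (False, False, True, False, False, False)]


if __name__ == "__main__":
    print(handbook_examples())
    print(flip_timeout_demo())
    print(failtime_demo())
```

The flip_timeout_demo sequence is the case the text warns about: with the monitored IP unreachable from both units, every evaluation after the first failover is suppressed until 120 minutes have passed, so the cluster flips once per timeout rather than continuously while the upstream problem is being fixed.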

Detecting HA remote IP monitoring failovers
Just as with any HA failover, you can detect HA remote IP monitoring failovers by using
SNMP to monitor for HA traps. You can also use alert email to receive notifications of HA
status changes and monitor log messages for HA failover log messages. In addition,
FortiGate units send the critical log message Ping Server is down when a ping
server fails. The log message includes the name of the interface that the ping server has
been added to.

Session failover (session pick-up)
Session failover means that a cluster maintains active network TCP and IPsec VPN
sessions after a device or link failover. Session failover does not failover UDP, multicast,
ICMP, or SSL VPN sessions. In some cases UDP sessions may be maintained after a
failover.
FortiGate HA does not support session failover by default. To enable session failover go to
System > Config > HA and select Enable Session Pick-up.
From the CLI enter:
config system ha
set session-pickup enable
end
To support session failover, when Enable Session Pick-up is selected, the FGCP
maintains an HA session table for most TCP communication sessions being processed by
the cluster and synchronizes this session table with all cluster units. If a cluster unit fails,
the HA session table information is available to the remaining cluster units and these
cluster units use this session table to resume most of the TCP sessions that were being
processed by the failed cluster unit without interruption.
You must enable session pickup for session failover protection. If you do not require
session failover protection, leaving session pickup disabled may reduce HA CPU usage
and reduce HA heartbeat network bandwidth usage.
If Enable Session Pick-up is not selected, the FGCP does not maintain an HA session
table and most TCP sessions do not resume after a failover. After a device or link failover
all sessions are briefly interrupted and must be restarted after the cluster renegotiates.
Many protocols can successfully restart sessions without loss of data. Other protocols
may experience data loss and some protocols may require sessions to be manually
restarted.
Some sessions may resume after a failover whether or not Enable Session Pick-up is
selected:
• “Session failover and UDP, ICMP, multicast and broadcast packets” on page 1632,
• “FortiOS Carrier GTP session failover” on page 1633,
• “Active-active HA subordinate units sessions can resume after a failover” on
page 1633.


Session failover not supported for all sessions
Most of the features applied to sessions by FortiGate UTM functionality require the
FortiGate unit to maintain very large amounts of internal state information for each
session. The FGCP does not synchronize internal state information for the following UTM
features, so the following types of sessions will not resume after a failover:
• Virus scanning of HTTP, HTTPS, FTP, IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS,
IM, and NNTP sessions,
• Web filtering and FortiGuard Web Filtering of HTTP and HTTPS sessions,
• Spam filtering of IMAP, IMAPS, POP3, POP3S, SMTP, and SMTPS sessions,
• DLP scanning of IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, SIP, SIMPLE, and
SCCP sessions,
• DLP archiving of HTTP, HTTPS, FTP, IMAP, IMAPS, POP3, SMTP, SMTPS, IM, NNTP,
AIM, ICQ, MSN, Yahoo! IM, SIP, SIMPLE, and SCCP signal control sessions.
Note: Active-active clusters can resume some of these sessions after a failover. See
“Active-active HA subordinate units sessions can resume after a failover” on page 1633 for
details.

If you use these features to protect most of the sessions that your cluster processes,
enabling session failover may not actually provide significant session failover protection.
TCP sessions that are not being processed by these UTM features resume after a failover
even if these sessions are accepted by firewall policies with UTM options configured. Only
TCP sessions that are actually being processed by these UTM features do not resume
after a failover. For example:
• TCP sessions that are not virus scanned, web filtered, spam filtered, content archived,
or are not SIP, SIMPLE, or SCCP signal traffic resume after a failover, even if they are
accepted by a firewall policy with UTM options enabled. For example, SNMP TCP
sessions resume after a failover because FortiOS does not apply any UTM options to
SNMP sessions.
• TCP sessions for a protocol for which UTM features have not been enabled resume
after a failover even if they are accepted by a firewall policy with UTM features
enabled. For example, if you have not enabled any antivirus or content archiving
settings for FTP, FTP sessions resume after a failover.

The following UTM features do not affect TCP session failover:
• IPS does not affect session failover. Sessions being scanned by IPS resume after a
failover. After a failover, however, IPS can only perform packet-based inspection of
resumed sessions, reducing the number of vulnerabilities that IPS can detect. This
limitation only applies to in-progress resumed sessions.
• Application control does not affect session failover. Sessions that are being monitored
by application control resume after a failover.
• Logging enabled for UTM features does not affect session failover. UTM logging
writes event log messages for UTM events, such as when a virus is found by antivirus
scanning, when Web Filtering blocks a URL, and so on. Logging does not enable
features that would prevent sessions from being failed over; logging just reports on the
activities of enabled features.

If more than one UTM feature is applied to a TCP session, that session will not resume
after a failover as long as one of the UTM features prevents session failover. For example:
• Sessions being scanned by IPS and also being virus scanned do not resume after a
failover.

• Sessions that are being monitored by application control and that are being DLP
archived or virus scanned will not resume after a failover.

SIP session failover
The FGCP supports SIP session failover (also called stateful failover) for active-passive
HA. To support SIP session failover, create a standard HA configuration and select the
Enable Session Pick-up option.
SIP session failover replicates SIP states to all cluster units. If an HA failover occurs, all
in-progress SIP calls (setup complete) and their RTP flows are maintained and the calls will
continue after the failover with minimal or no interruption.
SIP calls being set up at the time of a failover may lose signaling messages. In most cases
the SIP clients and servers should use message retransmission to complete the call setup
after the failover has completed. As a result, SIP users may experience a delay if their
calls are being set up when an HA failover occurs. But in most cases the call setup
should be able to continue after the failover.

Session failover and explicit web proxy, WCCP, and WAN optimization sessions
Similar to UTM sessions, the explicit web proxy, WCCP and WAN optimization features all
require the FortiGate unit to maintain very large amounts of internal state information for
each session. This information is not maintained and these sessions do not resume after a
failover.

Session failover and SSL offloading and HTTP multiplexing
SSL offloading and HTTP multiplexing are both enabled from firewall virtual IPs and
firewall load balancing. Similar to the features applied by UTM, SSL offloading and HTTP
multiplexing require the FortiGate unit to maintain very large amounts of internal state
information for each session. Sessions accepted by firewall policies containing virtual IPs
or virtual servers with SSL offloading or HTTP multiplexing enabled do not resume after a
failover.

IPsec VPN and SSL VPN sessions
Session failover is supported for all IPsec VPN tunnels. To support IPsec VPN tunnel
failover, when an IPsec VPN tunnel starts, the FGCP distributes the SA and related IPsec
VPN tunnel data to all cluster units.
Session failover is not supported for SSL VPN tunnels.

PPTP and L2TP VPN sessions
PPTP and L2TP VPNs are supported in HA mode. For a cluster you can configure PPTP
and L2TP settings and you can also add firewall policies to allow PPTP and L2TP pass
through. However, the FGCP does not provide session failover for PPTP or L2TP. After a
failover, all active PPTP and L2TP sessions are lost and must be restarted.

Session failover and UDP, ICMP, multicast and broadcast packets
The FGCP does not maintain a session table for UDP, ICMP, multicast, or broadcast
packets. So the cluster does not specifically support failover of these packets.
Some UDP traffic can continue to flow through the cluster after a failover. This can happen
if, after the failover, a UDP packet that is part of an already established communication
stream matches a firewall policy. Then a new session will be created and traffic will flow.
So after a short interruption, UDP sessions can appear to have failed over. However, this
may not be reliable for the following reasons:

• UDP packets in the direction of the firewall policy must be received before reply
packets can be accepted. For example, if a port1 -> port2 policy accepts UDP packets,
UDP packets received at port2 destined for the network connected to port1 will not be
accepted until the policy accepts UDP packets at port1 that are destined for the
network connected to port2. So, if a user connects from an internal network to the
Internet and starts receiving UDP packets from the Internet (for example streaming
media), after a failover the user will not receive any more UDP packets until the user
re-connects to the Internet site.
• UDP sessions accepted by NAT policies will not resume after a failover because NAT
will usually give the new session a different source port. So only traffic for UDP
protocols that can handle the source port changing during a session will continue to
flow.

FortiOS Carrier GTP session failover
FortiOS Carrier HA supports GTP session failover. The primary unit synchronizes the GTP
tunnel state to all cluster units after the GTP tunnel setup is completed. After the tunnel
setup is completed, GTP sessions use UDP and HA does not synchronize UDP sessions
to all cluster units. However, similar to other UDP sessions, after a failover, since the new
primary unit will have the GTP tunnel state information, GTP UDP sessions using the
same tunnel can continue to flow with some limitations.
The limitation on packets continuing to flow is that there has to be a firewall policy to
accept the packets. For example, if the FortiOS Carrier unit has an internal to external
firewall policy, GTP UDP sessions using an established tunnel that are received by the
internal interface are accepted by the firewall policy and can continue to flow. However,
GTP UDP packets for an established tunnel that are received at the external interface
cannot flow until packets from the same tunnel are received at the internal interface.
If you have bi-directional policies that accept GTP UDP sessions then traffic in either
direction that uses an established tunnel can continue to flow after a failover without
interruption.
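The two limitations described in “Session failover and UDP, ICMP, multicast and broadcast packets” (policy direction and the changed NAT source port) and the bi-directional policy case from the GTP section just above, as an added example that is not FortiOS code: a minimal stateful-firewall model in Python with a per-unit session table that is never synchronised, so the new primary unit starts empty. Interface names and the client, server and cluster external addresses are those of the handbook's packet-flow example; the policies, port numbers, the second internal host and the NAT port allocator are constructed for this example.

```python
"""Why UDP flows do not reliably survive a failover.

Added example, not FortiOS code: a minimal stateful-firewall model written
for this explanation. Addresses come from the handbook's packet-flow
example; policies, port numbers and the NAT port allocator are constructed.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Sessions are created only by a packet that matches a policy in the
    policy's direction (in_iface -> out_iface); replies then match the
    session. The session table is per unit and is never synchronised."""

    def __init__(self, policies, first_nat_port=30000):
        self.policies = policies               # {(in_iface, out_iface): nat_enabled}
        self.sessions = {}                     # (in_iface, src, sport, dst, dport) -> nat_sport
        self.nat_ports = itertools.count(first_nat_port)

    def forward(self, pkt):
        """Return ('pass', source port seen on the egress side) or ('drop', reason)."""
        key = (pkt.in_iface, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return "pass", self.sessions[key]
        # Reply direction: the far end answers to the (possibly NATed) source port.
        for (iface, _src, _sport, dst, dport), nat_sport in self.sessions.items():
            if pkt.in_iface != iface and (pkt.src, pkt.sport, pkt.dport) == (dst, dport, nat_sport):
                return "pass", pkt.sport
        out_iface = "port1" if pkt.in_iface == "port2" else "port2"
        if (pkt.in_iface, out_iface) not in self.policies:
            return "drop", "no session and no %s->%s policy" % (pkt.in_iface, out_iface)
        nat_sport = next(self.nat_ports) if self.policies[(pkt.in_iface, out_iface)] else pkt.sport
        self.sessions[key] = nat_sport
        return "pass", nat_sport


CLIENT, SERVER, CLUSTER_EXT = "10.11.101.10", "172.20.120.130", "172.20.120.141"


def failover_demo():
    """Client streams from SERVER through a single port2->port1 NAT policy,
    the primary unit fails, and the subordinate unit (empty table) takes over."""
    policies = {("port2", "port1"): True}
    client_out = Packet("port2", CLIENT, 40000, SERVER, 5004)
    old_primary = StatefulFirewall(policies)
    _, nat_before = old_primary.forward(client_out)
    reply = Packet("port1", SERVER, 5004, CLUSTER_EXT, nat_before)
    before = old_primary.forward(reply)

    new_primary = StatefulFirewall(policies)
    # Another internal host re-establishes first, so the NAT pool on the new
    # primary is in a different state. Real pool allocation is not
    # deterministic either; the point is the client cannot assume the same port.
    new_primary.forward(Packet("port2", "10.11.101.20", 50000, SERVER, 5006))
    after = new_primary.forward(reply)                  # server still sends to the old port
    _, nat_after = new_primary.forward(client_out)      # client re-sends: new session, new port
    resend_reply = new_primary.forward(Packet("port1", SERVER, 5004, CLUSTER_EXT, nat_after))
    return {
        "reply_before_failover": before[0],
        "reply_after_failover": after[0],
        "nat_port_before": nat_before,
        "nat_port_after": nat_after,
        "reply_after_client_resend": resend_reply[0],
    }


def bidirectional_demo():
    """With policies in both directions (the GTP case in the text), a packet
    arriving from either side creates a session on the new primary unit."""
    both_ways = {("port2", "port1"): False, ("port1", "port2"): False}
    new_primary = StatefulFirewall(both_ways)
    inbound = Packet("port1", SERVER, 2152, CLIENT, 2152)    # 2152/udp is GTP-U
    return new_primary.forward(inbound)[0]


if __name__ == "__main__":
    print(failover_demo())
    print(bidirectional_demo())
```

The result to take away is the drop of the server's reply after the failover: it is not a bug in the new unit, it is the absence of any state to match against plus the absence of a port1->port2 policy, so the flow only recovers once the client sends again, and then on a different translated port.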

Active-active HA subordinate units sessions can resume after a failover
In an active-active cluster, subordinate units process sessions. After a failover, all cluster
units that are still operating may be able to continue processing the sessions that they
were processing before the failover. These sessions are maintained because after the
failover the new primary unit uses the HA session table to continue to send session
packets to the cluster units that were processing the sessions before the failover. Cluster
units maintain their own information about the sessions that they are processing and this
information is not affected by the failover. In this way, the cluster units that are still
operating can continue processing their own sessions without loss of data.
The cluster keeps processing as many sessions as it can. But some sessions can be lost.
Depending on what caused the failover, sessions can be lost in the following ways:
• A cluster unit fails (the primary unit or a subordinate unit). All sessions that were being
processed by that cluster unit are lost.
• A link failure occurs. All sessions that were being processed through the network
interface that failed are lost.
This mechanism for continuing sessions is not the same as session failover because:
• Only the sessions that can be maintained are kept.
• The sessions are maintained on the same cluster units and not re-distributed.
• Sessions that cannot be maintained are lost.


Subsecond failover
HA subsecond failover can reduce the failover time after a device or link failover and also
changes how the cluster performs a firmware upgrade to minimize down time. Use the
following command to enable subsecond failover:
config system ha
set subsecond enable
end
Subsecond failover can accelerate HA failover depending on the FortiGate unit HA and
hardware configuration and the network configuration. Network devices that respond
slowly to an HA failover can prevent this feature from reducing failover times to less than a
second. Also, subsecond failover can normally only be achieved for a cluster of two units
operating in Transparent mode with only two interfaces connected to the network. Failover
is also more efficient for accelerated FortiGate interfaces that use NP2 or newer network
processors.
For information about how to reduce failover times, see “Failover performance” on
page 1640.

Subsecond failover and cluster firmware upgrades
When subsecond failover is enabled, the following happens during an uninterruptable
firmware upgrade:
1 The administrator uploads a new firmware image to the cluster.
2 If the cluster is operating in active-active mode, load balancing is turned off.
3 The cluster upgrades the firmware running on all of the subordinate units.
4 Once the subordinate units have been upgraded, the cluster selects a new primary unit
from among the subordinate units.
This primary unit selection happens in the normal way except that the current primary
unit is not involved.
5 A failover to the new primary unit is triggered and the new primary unit starts processing
traffic.
The failover takes place in less than one second.
6 The cluster upgrades the firmware on the former primary unit.
7 The cluster continues to operate with the new primary unit and the former primary unit
becomes a subordinate unit (unless override is enabled or the former primary unit has
fewer link failures than the new primary unit).
8 If the cluster is operating in active-active mode, load balancing is turned back on.

WAN optimization and HA
You can configure WAN optimization on a FortiGate HA cluster. The recommended HA
configuration for WAN optimization is active-passive mode. Also, when the cluster is
operating, all WAN optimization sessions are processed by the primary unit only. Even if
the cluster is operating in active-active mode, HA does not load-balance WAN
optimization sessions. HA also does not support WAN optimization session failover.
In a cluster, only the primary unit stores the web cache and byte cache databases. These
databases are not synchronized to the subordinate units. So, after a failover, the new
primary unit must rebuild its web and byte caches. As well, the new primary unit cannot
connect to a SAS partition that the failed primary unit used.


Rebuilding the byte caches can happen relatively quickly because the new primary unit
gets byte cache data from the other FortiGate units that it is participating with in WAN
optimization tunnels.

Failover and attached network equipment
It normally takes a cluster approximately 6 seconds to complete a failover. However, the
actual failover time experienced by your network users may depend on how quickly the
switches connected to the cluster interfaces accept the cluster MAC address update from
the primary unit. If the switches do not recognize and accept the gratuitous ARP packets
and update their MAC forwarding table, the failover time will increase.
Also, individual session failover depends on whether the cluster is operating in
active-active or active-passive mode, and whether the content of the traffic is to be virus
scanned. Depending on application behavior, it may take a TCP session a longer period of
time (up to 30 seconds) to recover completely.

Monitoring cluster units for failover
You can use logging and SNMP to monitor cluster units for failover. Both the primary and
subordinate units can be configured to write log messages and send SNMP traps if a
failover occurs. You can also log into the cluster web-based manager and CLI to
determine if a failover has occurred. See “Monitoring cluster units for failover” on
page 1583.

NAT/Route mode active-passive cluster packet flow
This section describes how packets are processed and how failover occurs in an
active-passive HA cluster running in NAT/Route mode. In the example, the NAT/Route mode
cluster acts as the internet firewall for a client computer’s internal network. The client
computer’s default route points at the IP address of the cluster internal interface. The
client connects to a web server on the Internet. Internet routing routes packets from the
cluster external interface to the web server, and from the web server to the cluster external
interface.
In an active-passive cluster operating in NAT/Route mode, four MAC addresses are
involved in communication between the client and the web server when the primary unit
processes the connection:
• Internal virtual MAC address (MAC_V_int) assigned to the primary unit internal
interface,
• External virtual MAC address (MAC_V_ext) assigned to the primary unit external
interface,
• Client MAC address (MAC_Client),
• Server MAC address (MAC_Server).

In NAT/Route mode, the HA cluster works as a gateway when it responds to ARP
requests. Therefore, the client and server only know the gateway MAC addresses. The
client only knows the cluster internal virtual MAC address (MAC_V_int) and the server
only knows the cluster external virtual MAC address (MAC_V_ext). Cluster virtual MAC
addresses are described in “Cluster virtual MAC addresses” on page 1605.


Figure 233: NAT/Route mode active-passive packet flow. The client (IP 10.11.101.10,
MAC_Client) connects through Switch 1 to the cluster internal interface (IP 10.11.101.100,
MAC_V_int). The cluster external interface (IP 172.20.120.141, MAC_V_ext) connects
through Switch 2 to the web server (IP 172.20.120.130, MAC_Server). The HA cluster
consists of a primary unit and a subordinate unit.

Packet flow from client to web server
1 The client computer requests a connection from 10.11.101.10 to 172.20.120.130.
2 The default route on the client computer recognizes 10.11.101.100 (the cluster IP
address) as the gateway to the external network where the web server is located.
3 The client computer issues an ARP request to 10.11.101.100.
4 The primary unit intercepts the ARP request, and responds with the internal virtual
MAC address (MAC_V_int) which corresponds to its IP address of 10.11.101.100.
5 The client’s request packet reaches the primary unit internal interface.
               IP address       MAC address
  Source       10.11.101.10     MAC_Client
  Destination  172.20.120.130   MAC_V_int

6 The primary unit processes the packet.
7 The primary unit forwards the packet from its external interface to the web server.
               IP address       MAC address
  Source       172.20.120.141   MAC_V_ext
  Destination  172.20.120.130   MAC_Server

8 The primary unit continues to process packets in this way unless a failover occurs.

Packet flow from web server to client
1 When the web server responds to the client’s packet, the cluster external interface IP
address (172.20.120.141) is recognized as the gateway to the internal network.
2 The web server issues an ARP request to 172.20.120.141.
3 The primary unit intercepts the ARP request, and responds with the external virtual
MAC address (MAC_V_ext) which corresponds its IP address of 172.20.120.141.


4 The web server then sends response packets to the primary unit external interface.
               IP address       MAC address
  Source       172.20.120.130   MAC_Server
  Destination  172.20.120.141   MAC_V_ext

5 The primary unit processes the packet.
6 The primary unit forwards the packet from its internal interface to the client.
               IP address       MAC address
  Source       172.20.120.130   MAC_V_int
  Destination  10.11.101.10     MAC_Client

7 The primary unit continues to process packets in this way unless a failover occurs.

When a failover occurs
The following steps are followed after a device or link failure of the primary unit causes a
failover.
1 If the primary unit fails the subordinate unit becomes the primary unit.
2 The new primary unit changes the MAC addresses of all of its interfaces to the HA
virtual MAC addresses.
The new primary unit has the same IP addresses and MAC addresses as the failed
primary unit.
3 The new primary unit sends gratuitous ARP packets from the internal interface to the
10.11.101.0 network to associate its internal IP address with the internal virtual MAC
address.
4 The new primary unit sends gratuitous ARP packets to the 172.20.120.0 network to
associate its external IP address with the external virtual MAC address.
5 Traffic sent to the cluster is now received and processed by the new primary unit.
If there were more than two cluster units in the original cluster, these remaining units
would become subordinate units.
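The failover steps above, as an added simulation that is not part of the handbook: a learning switch, two cluster units and a client ARP cache, using the handbook's placeholder MAC names. The switch port numbers, the number of gratuitous ARPs and the class names are assumptions made for the demo. The point it makes visible is that the client never re-ARPs: its cached gateway MAC (the virtual MAC) stays valid, and only the switch's forwarding table has to move the virtual MAC to the new primary unit's port.

```python
"""Added example (not FortiOS code): what the NAT/Route mode failover steps do
to the switch and the client around the cluster. Ports, names and the 'arps'
count are constructed for the demo."""


class Switch:
    """Learning switch: maps a source MAC to the port it was last seen on."""

    def __init__(self):
        self.mac_table = {}

    def learn(self, mac, port):
        self.mac_table[mac] = port

    def forward_port(self, dst_mac):
        return self.mac_table.get(dst_mac)  # None: unknown MAC, the switch would flood


class FortiGateUnit:
    def __init__(self, name, original_mac, port):
        self.name, self.original_mac, self.port = name, original_mac, port
        self.mac = original_mac   # MAC_P_int / MAC_S_int while not primary
        self.alive = True

    def become_primary(self, switch, virtual_mac, ip, arps=10):
        """Failover steps 2 and 3: take over the HA virtual MAC and announce it
        with gratuitous ARPs so the switch relearns which port owns it."""
        self.mac = virtual_mac
        for _ in range(arps):                 # 'set arps 10' in config system ha
            switch.learn(virtual_mac, self.port)  # gratuitous ARP: source MAC is the virtual MAC
        return (ip, virtual_mac)


class Cluster:
    def __init__(self, units, switch, virtual_mac, ip):
        self.units, self.switch, self.virtual_mac, self.ip = units, switch, virtual_mac, ip
        self.primary = units[0]
        self.primary.become_primary(switch, virtual_mac, ip)

    def fail_primary(self):
        """Failover step 1: the primary fails and the next live unit takes over."""
        self.primary.alive = False
        self.primary = next(u for u in self.units if u.alive)
        return self.primary.become_primary(self.switch, self.virtual_mac, self.ip)


def simulate_failover():
    sw = Switch()
    client_arp_cache = {}
    primary = FortiGateUnit("primary", "MAC_P_int", port=1)
    backup = FortiGateUnit("subordinate", "MAC_S_int", port=2)
    cluster = Cluster([primary, backup], sw, "MAC_V_int", "10.11.101.100")
    # The client resolves its default gateway once; the answer is the virtual MAC.
    client_arp_cache["10.11.101.100"] = cluster.virtual_mac
    before = sw.forward_port(client_arp_cache["10.11.101.100"])
    cluster.fail_primary()
    after = sw.forward_port(client_arp_cache["10.11.101.100"])
    return {"port_before": before, "port_after": after,
            "client_gateway_mac": client_arp_cache["10.11.101.100"],
            "new_primary": cluster.primary.name}


if __name__ == "__main__":
    print(simulate_failover())
```

Until the gratuitous ARPs reach the switch, frames for the virtual MAC are still sent to the dead unit's port, which is why the handbook's "Reducing failover times" section tunes the number and spacing of those packets.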

Transparent mode active-passive cluster packet flow
This section describes how packets are processed and how failover occurs in an
active-passive HA cluster running in Transparent mode. The cluster is installed on an
internal network in front of a mail server and the client connects to the mail server through
the Transparent mode cluster.
In an active-passive cluster operating in Transparent mode, two MAC addresses are
involved in the communication between a client and a server when the primary unit
processes a connection:
• Client MAC address (MAC_Client)
• Server MAC address (MAC_Server)
The HA virtual MAC addresses are not directly involved in communication between the
client and the server. The client computer sends packets to the mail server and the mail
server sends responses. In both cases the packets are intercepted and processed by the
cluster.

The cluster’s presence on the network is transparent to the client and server computers.
The primary unit sends gratuitous ARP packets to Switch 1 that associate all MAC
addresses on the network segment connected to the cluster external interface with the HA
virtual MAC address. The primary unit also sends gratuitous ARP packets to Switch 2 that
associate all MAC addresses on the network segment connected to the cluster internal
interface with the HA virtual MAC address. In both cases, this results in the switches
sending packets to the primary unit interfaces.
Figure 234: Transparent mode active-passive packet flow
[Figure: the client (IP 10.11.101.10, MAC MAC_Client) is on the segment behind Switch 2
and the cluster internal interface; the mail server (IP 10.11.101.200, MAC MAC_Server) is
on the segment behind Switch 1 and the cluster external interface; the HA cluster between
them consists of the primary unit and the subordinate unit.]
Packet flow from client to mail server
1 The client computer requests a connection from 10.11.101.10 to 10.11.101.200.
2 The client computer issues an ARP request to 10.11.101.200.
3 The primary unit forwards the ARP request to the mail server.
4 The mail server responds with its MAC address (MAC_Server) which corresponds to
its IP address of 10.11.101.200. The primary unit returns the ARP response to the
client computer.
5 The client’s request packet reaches the primary unit internal interface.
             IP address      MAC address
Source       10.11.101.10    MAC_Client
Destination  10.11.101.200   MAC_Server
6 The primary unit processes the packet.
7 The primary unit forwards the packet from its external interface to the mail server.
             IP address      MAC address
Source       10.11.101.10    MAC_Client
Destination  10.11.101.200   MAC_Server
8 The primary unit continues to process packets in this way unless a failover occurs.

Packet flow from mail server to client
1 To respond to the client computer, the mail server issues an ARP request to
10.11.101.10.
2 The primary unit forwards the ARP request to the client computer.


3 The client computer responds with its MAC address (MAC_Client) which corresponds
to its IP address of 10.11.101.10. The primary unit returns the ARP response to the
mail server.
4 The mail server’s response packet reaches the primary unit external interface.
             IP address      MAC address
Source       10.11.101.200   MAC_Server
Destination  10.11.101.10    MAC_Client
5 The primary unit processes the packet.
6 The primary unit forwards the packet from its internal interface to the client.
             IP address      MAC address
Source       10.11.101.200   MAC_Server
Destination  10.11.101.10    MAC_Client
7 The primary unit continues to process packets in this way unless a failover occurs.

When a failover occurs
The following steps are followed after a device or link failure of the primary unit causes a
failover.
1 If the primary unit fails, the subordinate unit negotiates to become the primary unit.
2 The new primary unit changes the MAC addresses of all of its interfaces to the HA
virtual MAC address.
3 The new primary unit sends gratuitous ARP packets to Switch 1 to associate its MAC
address with the MAC addresses on the network segment connected to the external
interface.
4 The new primary unit sends gratuitous ARP packets to Switch 2 to associate its MAC
address with the MAC addresses on the network segment connected to the internal
interface.
5 Traffic sent to the cluster is now received and processed by the new primary unit.
If there were more than two cluster units in the original cluster, these remaining units
would become subordinate units.


Failover performance
This section describes the designed device and link failover times for a FortiGate cluster
and also shows results of a failover performance test.

Device failover performance
By design FGCP device failover time is 2 seconds for a two-member cluster with ideal
network and traffic conditions. If subsecond failover is enabled the failover time can drop
below 1 second.
All cluster units regularly receive HA heartbeat packets from all other cluster units over the
HA heartbeat link. If any cluster unit does not receive a heartbeat packet from any other
cluster unit for 2 seconds, the cluster unit that has not sent heartbeat packets is
considered to have failed.
It may take another few seconds for the cluster to negotiate and re-distribute
communication sessions. Typically, if subsecond failover is not enabled, you can expect a
failover time of 9 to 15 seconds depending on the cluster and network configuration. The
failover time can also be increased by more complex configurations and/or by network
equipment that is slow to respond.
You can change the hb-lost-threshold to increase or decrease the device failover time.
See “Modifying heartbeat timing” on page 1603 for information about using
hb-lost-threshold and other heartbeat timing settings.

Link failover performance
Link failover time is controlled by how long it takes for a cluster to synchronize the cluster
link database. When a link failure occurs, the cluster unit that experienced the link failure
uses HA heartbeat packets to broadcast the updated link database to all cluster units.
When all cluster units have received the updated database the failover is complete.
It may take another few seconds for the cluster to negotiate and re-distribute
communication sessions.

Reducing failover times
You can do the following to help reduce failover times:
• If possible, operate the cluster in Transparent mode.
• Use high-performance switches so that the switches fail over to the interfaces connected
  to the new primary unit as quickly as possible.
• Use accelerated FortiGate interfaces. In some cases accelerated interfaces will reduce
  failover times.
• Make sure the FortiGate unit sends multiple gratuitous ARP packets after a failover. In
  some cases, sending more gratuitous ARP packets will cause connected network
  equipment to recognize the failover sooner. To send 10 gratuitous ARP packets:
  config system ha
  set arps 10
  end
• Keep the network configuration as simple as possible, with as few network connections
  to the cluster as possible.
• Reduce the time between gratuitous ARP packets. This may also cause connected
  network equipment to recognize the failover sooner. To send 50 gratuitous ARP packets
  with 1 second between each packet:
  config system ha
  set arps 50
  set arps-interval 1
  end
• Reduce the lost heartbeat threshold and the heartbeat interval to detect a device failure
  more quickly. hb-interval is set in units of 100 milliseconds, so to set the lost heartbeat
  threshold to 3 packets and the heartbeat interval to 100 milliseconds:
  config system ha
  set hb-interval 1
  set hb-lost-threshold 3
  end
• Reduce the hello state hold-down time to reduce the amount of time the cluster waits
  before transitioning from the hello state to the work state. To set the hello state
  hold-down time to 5 seconds:
  config system ha
  set helo-holddown 5
  end
• Enable sending a link failed signal after a link failover to make sure that attached
  network equipment responds as quickly as possible to a link failure. To enable the link
  failed signal:
  config system ha
  set link-failed-signal enable
  end

HA and load balancing
FGCP active-active load balancing distributes network traffic among all of the units in a
cluster. Load balancing can improve cluster performance because the processing load is
shared among multiple cluster units.
This chapter describes how active-active load balancing works and provides detailed
NAT/Route and Transparent mode packet flow descriptions.
This chapter contains the following sections:
• Load balancing overview
• Configuring load balancing settings
• NAT/Route mode active-active cluster packet flow
• Transparent mode active-active cluster packet flow

Load balancing overview
In active-active HA, the FGCP uses unicast load balancing in which the primary unit is
associated with the cluster HA virtual MAC address and cluster IP address. The primary
unit is the only cluster unit to receive packets sent to the cluster.
An active-active HA cluster consists of a primary unit that processes communication
sessions and one or more subordinate units that also process communication sessions.
The primary unit receives all sessions and load balances sessions for firewall policies with
UTM enabled to all cluster units. Because processing UTM sessions can be CPU and
memory-intensive, load balancing UTM traffic may result in an active-active cluster having
higher throughput than an active-passive cluster or a standalone FortiGate unit, because
resource-intensive UTM processing is distributed among all cluster units.
You can also enable the load-balance-all CLI keyword to have the primary unit load
balance all TCP sessions. Load balancing TCP sessions is less likely to improve
throughput because of extra overhead required for load balancing. So
load-balance-all is disabled by default.
During active-active HA load balancing operation, when the primary unit receives the first
packet of a UTM session (or a TCP session if load-balance-all is enabled) the
primary unit uses the configured load balancing schedule to determine the cluster unit that
will process the session. The primary unit stores the load balancing information for each
active load balanced session in the cluster load balancing session table. Using the
information in this table, the primary unit can then forward all of the remaining packets in
each session to the appropriate cluster unit. The load balancing session table is
synchronized among all cluster units.
UDP, ICMP, multicast, and broadcast sessions are never load balanced and are always
processed by the primary unit. VoIP, IM, P2P, IPsec VPN, HTTPS, SSL VPN, HTTP
multiplexing, SSL offloading, WAN optimization, explicit web proxy, and WCCP sessions
are also always processed only by the primary unit.
In addition to load balancing, active-active HA also provides device and link failover
protection similar to active-passive HA. If the primary unit fails, a subordinate unit
becomes the primary unit and resumes operating the cluster. See “Device failover” on
page 1597 and “Link failover” on page 1621 for more information.


Active-active HA provides session failover protection for all TCP sessions except UTM
sessions. Active-active HA does not provide session failover for UTM sessions.
Active-active HA also does not provide session failover for UDP, ICMP, multicast, and
broadcast sessions. Protection profile sessions and all UDP, ICMP, multicast, and
broadcast sessions are not failed over and must be restarted.
If a subordinate unit fails, the primary unit redistributes all TCP communications sessions
among the remaining cluster units. Protection profile sessions that are in progress on the
subordinate unit that failed are not failed over and must be restarted. All sessions being
processed by the primary unit, including UDP, ICMP, multicast, and broadcast sessions,
are not affected.
Because of the limitation of not supporting failover of UDP, ICMP, multicast, and broadcast
sessions, active-active HA can be a less robust session failover solution than
active-passive HA. See “Session failover (session pick-up)” on page 1630 more
information about FortiGate session failover and its limitations.
Active-active HA does maintain as many UTM sessions as possible after a failover by
continuing to process the UTM sessions that were being processed by the cluster units
that are still operating. See “Active-active HA subordinate units sessions can resume after
a failover” on page 1633 for more information. Active-passive HA does not support
maintaining UTM sessions after a failover.

Load balancing schedules
The load balancing schedule controls how the primary unit distributes packets to all cluster
units. You can select from the following load balancing schedules.
None
    No load balancing. Select None when the cluster interfaces are connected to load
    balancing switches. If you select None, the primary unit does not load balance
    traffic and the subordinate units process incoming traffic that does not come from
    the primary unit. For all other load balancing schedules, all traffic is received first
    by the primary unit, and then forwarded to the subordinate units. The subordinate
    units only receive and process packets sent from the primary unit.
Hub
    Load balancing if the cluster interfaces are connected to a hub. Traffic is
    distributed to cluster units based on the source IP and destination IP of the
    packet.
Least Connection
    If the cluster units are connected using switches, select Least Connection to
    distribute network traffic to the cluster unit currently processing the fewest
    connections.
Round-Robin
    If the cluster units are connected using switches, select Round-Robin to distribute
    network traffic to the next available cluster unit.
Weighted Round-Robin
    Similar to round robin, but weighted values are assigned to each of the units in a
    cluster based on their capacity and on how many connections they are currently
    processing. For example, the primary unit should have a lower weighted value
    because it handles scheduling and forwards traffic. Weighted round robin
    distributes traffic more evenly because units that are not processing traffic will be
    more likely to receive new connections than units that are very busy.
Random
    If the cluster units are connected using switches, select Random to randomly
    distribute traffic to cluster units.
IP
    Load balancing according to IP address. If the cluster units are connected using
    switches, select IP to distribute traffic to units in a cluster based on the source IP
    and destination IP of the packet.
IP Port
    Load balancing according to IP address and port. If the cluster units are
    connected using switches, select IP Port to distribute traffic to units in a cluster
    based on the source IP, source port, destination IP, and destination port of the
    packet.


Once a packet has been propagated to a subordinate unit, all packets that are part of that
same communication session are also propagated to that same subordinate unit. Traffic is
distributed according to communication session, not just according to individual packet.
Any subordinate unit that receives a forwarded packet processes it, without applying load
balancing. Note that subordinate units are still considered to be active, because they
perform routing, virus scanning, and other FortiGate unit tasks on their share of the traffic.
Active subordinate units also share their session and link status information with all cluster
units. The only thing that active subordinate units do not do is make load balancing decisions.
Even though the primary unit is responsible for the load balancing process, the primary
unit still acts like a FortiGate unit in that it processes packets, performing, routing, firewall,
virus scanning, and other FortiGate unit tasks on its share of the traffic. Depending on the
load balancing schedule used, the primary unit may assign itself a smaller share of the
total load.

Selecting which packets are load balanced
The primary unit processes all UDP and ICMP traffic. By default, the primary unit also
processes all TCP traffic and load balances virus scanning traffic among all cluster units.
You can change the default configuration so that the cluster load balances both TCP traffic
and virus scanning traffic among all cluster units.
Load balancing increases network bandwidth usage and also increases the load on the
primary unit CPU. Because of this, in some network environments, load balancing TCP
traffic may not result in an overall cluster performance increase. However, in other network
environments, TCP load balancing may improve cluster performance.
If the cluster is configured to load balance virus scanning sessions, the primary unit uses
the load balancing schedule to distribute HTTP, FTP, SMTP, POP3, and IMAP packets to
be virus scanned, among the primary unit and the subordinate units. Load balancing virus
scanning traffic is much more likely to increase cluster performance. Virus scanning is
processor intensive for the cluster unit that is performing the virus scanning. Distributing
virus scanning over the cluster units significantly reduces the processing load on the
primary unit. As a result overall cluster performance should improve. See “Load balancing
UTM sessions and TCP sessions” on page 1647.
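The dispatch rules described in this section and in “Load balancing overview” (UDP, ICMP, multicast and broadcast always on the primary unit; HTTPS never load balanced; UTM sessions load balanced by default; other TCP sessions only with load-balance-all; every later packet of a session pinned to the unit chosen for its first packet), as an added simulation written for this page rather than code from FortiOS. The unit names, the packet tuples and the use of a plain round-robin schedule are assumptions for the demo.

```python
"""Added example (not FortiOS code): the primary unit's per-packet load
balancing decision in an active-active cluster, following the handbook's rules.
Unit names and packet values are constructed for the demo."""
from dataclasses import dataclass, field
from itertools import cycle

HTTPS_PORT = 443  # default; "config antivirus service" can move HTTPS to a custom port


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    utm: bool = False   # accepted by a firewall policy with UTM enabled

    def session_key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class ActiveActiveCluster:
    units: list                      # priority order; units[0] is the primary unit
    load_balance_all: bool = False   # "set load-balance-all enable"
    https_port: int = HTTPS_PORT
    session_table: dict = field(default_factory=dict)  # synchronized to all units

    def __post_init__(self):
        # Round-robin schedule over all units; the primary takes its own share.
        self._schedule = cycle(self.units)

    def is_eligible(self, pkt):
        """Can the first packet of this session be sent to a subordinate unit?"""
        if pkt.proto != "tcp":
            return False                  # UDP, ICMP, multicast, broadcast: primary only
        if pkt.dport == self.https_port:
            return False                  # HTTPS is never load balanced
        return pkt.utm or self.load_balance_all

    def dispatch(self, pkt):
        """Return the name of the unit that processes this packet."""
        key = pkt.session_key()
        if key in self.session_table:
            return self.session_table[key]    # later packets follow the session's unit
        unit = next(self._schedule) if self.is_eligible(pkt) else self.units[0]
        self.session_table[key] = unit
        return unit


def demo():
    cluster = ActiveActiveCluster(["primary", "sub1", "sub2"])
    a = Packet("tcp", "10.11.101.10", 40000, "172.20.120.130", 80, utm=True)
    b = Packet("tcp", "10.11.101.11", 40000, "172.20.120.130", 80, utm=True)
    return {
        "udp": cluster.dispatch(Packet("udp", "10.11.101.10", 53000, "10.11.101.1", 53)),
        "https": cluster.dispatch(Packet("tcp", "10.11.101.10", 40001, "172.20.120.130", 443, utm=True)),
        "a_first": cluster.dispatch(a),
        "b_first": cluster.dispatch(b),
        "a_second": cluster.dispatch(a),      # same session, same unit
        "smtp_no_utm": cluster.dispatch(Packet("tcp", "10.11.101.10", 40002, "172.20.120.130", 25)),
    }


if __name__ == "__main__":
    print(demo())
```

The session table is what makes the distribution per session rather than per packet; when load-balance-all is enabled, the only change is that the non-UTM SMTP session in the demo also becomes eligible for the schedule.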

More about active-active failover
If a subordinate unit fails, the primary unit re-distributes the connections that the
subordinate unit was processing among the remaining active cluster members. If the
primary unit fails, the subordinate units negotiate to select a new primary unit. The new
primary unit continues to distribute packets among the remaining active cluster units.
Failover works in a similar way if the cluster consists of only two units. If the primary unit
fails the subordinate unit negotiates and becomes the new primary unit. If the subordinate
unit fails, the primary unit processes all traffic. In both cases, the single remaining unit
continues to function as a primary unit, maintaining the HA virtual MAC address for all of
its interfaces.

HTTPS sessions, active-active load balancing, and proxy servers
To prevent HTTPS web filtering problems active-active HA does not load balance HTTPS
sessions. The FortiGate unit identifies HTTPS sessions as all sessions received on the
HTTPS TCP port. The default HTTPS port is 443. You can use the CLI command config
antivirus service to configure the FortiGate unit to use a custom port for HTTPS
sessions. If you change the HTTPS port using this CLI command, the FGCP stops load
balancing all sessions that use the custom HTTPS port.


Normally you would not change the HTTPS port. However, if your network uses a proxy
server for HTTPS traffic you may have to use the config antivirus service
command to configure your cluster to use a custom HTTPS port. If your network uses a
proxy server you might also use the same port for both HTTP and HTTPS traffic. In this
case you would use config antivirus service to configure the FortiGate unit to use
custom ports for both HTTP and HTTPS traffic.
Using the same port for HTTP and HTTPS traffic can cause problems with active-active
clusters because active-active clusters always load balance HTTP traffic. If both HTTP
and HTTPS use the same port, the active-active cluster cannot tell the difference between
HTTP and HTTPS traffic and will load balance both HTTP and HTTPS traffic.
As mentioned above, load balancing HTTPS traffic may cause problems with HTTPS web
filtering. To avoid this problem, you should configure your proxy server to use different
ports for HTTP and HTTPS traffic. Then use the config antivirus service
command to configure your cluster to also use different ports for HTTP and HTTPS.

Using FortiGate network processor interfaces to accelerate active-active HA
performance
Many FortiGate models and FortiGate AMC modules include network processors that can
provide hardware acceleration for active-active HA load balancing by offloading load
balancing from the primary unit CPU. HA load balancing can be accelerated by NP1
network processors (called FA2 interfaces), NP2 network processors and NP4 network
processors.
In some cases, performance of the primary unit can be reduced by active-active HA load
balancing. Primary unit CPU cycles and bus bandwidth are required to receive, calculate
load balancing schedules, and send balanced packets to the subordinate units. In very
busy active-active clusters the primary unit may not be able to keep up with the processing
load. This can result in lost traffic and can also cause the primary unit to delay sending
heartbeat packets possibly reducing the stability and reliability of the active-active HA
cluster.
Adding network processors to busy cluster unit interfaces increases load balancing
performance by offloading load balancing to the network processors. The first packet of
every new session is received by the primary unit and the primary unit uses its load
balancing schedule to select the cluster unit that will process the new session. This
information is passed back to the network processor and all subsequent packets of the
same sessions are received by the primary unit interface network processor which sends
the packet directly to a subordinate unit without using the primary unit CPU. Load
balancing is effectively offloaded from the primary unit to the network processor resulting
in a faster and more stable active-active cluster.
Using network processors to accelerate load balancing is especially useful if the
load-balance-all option is enabled and the cluster is load balancing all TCP sessions,
because this could mean that the cluster is load balancing an excessive number of
sessions.
To take advantage of network processor load balancing acceleration, connect the cluster
unit interfaces with network processors to the busiest networks. Connect non-accelerated
interfaces to less busy networks. No special FortiOS or HA configuration is required.
Network processor acceleration of active-active HA load balancing is supported for any
active-active HA configuration or active-active HA load balancing schedule.

Configuring load balancing settings
This section describes how to configure the following load balancing settings:
• Selecting a load balancing schedule
• Load balancing UTM sessions and TCP sessions
• Configuring weighted-round-robin weights

Selecting a load balancing schedule
You can select the load balancing schedule when initially configuring the cluster and you
can change the load balancing schedule at any time while the cluster is operating without
affecting cluster operation.
You can select a load balancing schedule from the CLI. Use the following command to
select a load balancing schedule:
config system ha
set schedule {hub | ip | ipport | leastconnection | none |
random | round-robin | weight-round-robin}
end

Load balancing UTM sessions and TCP sessions
By default a FortiGate active-active cluster load balances UTM sessions among all cluster
units. UTM processing applies protocol recognition, virus scanning, IPS, web filtering,
email filtering, data leak prevention (DLP), application control, and VoIP content scanning
and protection to HTTP, HTTPS, FTP, IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, IM,
NNTP, SIP, SIMPLE, and SCCP sessions accepted by firewall policies. By load balancing
this resource-intensive UTM processing among all cluster units, an active-active HA
cluster may provide better UTM performance than a standalone FortiGate unit. Other
features enabled in firewall policies, such as Endpoint NAC, traffic shaping and
authentication, have no effect on active-active load balancing.
All other sessions are processed by the primary unit. Using the CLI, you can configure the
cluster to load balance TCP sessions among all cluster units in addition to UTM sessions.
All UDP, ICMP, multicast, and broadcast sessions are never load balanced, but are always
processed by the primary unit.
Use the following command to enable load balancing UTM and TCP sessions.
config system ha
set load-balance-all enable
end
Enabling load-balance-all to load balance TCP sessions may not improve
throughput because the cluster requires additional overhead to load balance sessions.
The primary unit receives all sessions and load balances some TCP sessions to the
subordinate units. Load balancing UTM sessions can improve performance because UTM
session performance is limited by CPU performance. However, load balancing a non-UTM
session usually requires about as much overhead as just processing it.
If your active-active cluster is processing TCP sessions and not performing UTM, you can
enable load-balance-all and monitor network performance to see if it improves. If
performance is not improved, you should change the HA mode to active-passive since
active-active HA is not providing any benefit.

Configuring weighted-round-robin weights
You can configure weighted round-robin load balancing for a cluster and configure the
weights for each of the cluster units according to their priority in the cluster. When you set
schedule to weight-round-robin you can use the weight option to set the weight of
each cluster unit. The weight is set according to the priority of each unit in the cluster. A
FortiGate HA cluster can contain up to 16 FortiGate units so you can set up to 16 weights.

The priority of a cluster unit is determined by its device priority, the number of monitored
interfaces that are functioning, its age in the cluster and its serial number. Priorities are
used to select a primary unit and to set an order of all of the subordinate units. Thus the
priority order of the cluster units can vary depending on configuration settings, link failures
and so on. Since weights are also set using this priority order, the weights are independent
of specific cluster units but do depend on the role of each unit in the cluster.
You can use the following command to display the priority order of units in a cluster. The
following example displays the priority order for a cluster of 5 FortiGate-620B units:
get system ha status
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:150 head_office_cla FG600B3908600825 0
Slave :150 head_office_clb FG600B3908600705 1
Slave :150 head_office_clc FG600B3908600702 2
Slave :150 head_office_cld FG600B3908600605 3
Slave :150 head_office_cle FG600B3908600309 4
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
Slave :2 FG600B3908600702
Slave :3 FG600B3908600605
Slave :4 FG600B3908600309
The cluster units are listed in priority order starting at the 6th output line. The primary unit
always has the highest priority and is listed first followed by the subordinate units in priority
order. The last 5 output lines list the cluster units in vcluster 1 and are not always in priority
order. For more information about the get system ha status command, see “Viewing
cluster status from the CLI” on page 1584.
The default weight for each cluster unit is 1. This means that sessions are distributed
evenly among all cluster units. You can use the set weight command to change the
weights of cluster units to distribute sessions to cluster units depending on their priority in
the cluster. The weight can be between 0 and 31. Increase the weight to increase the
number of connections processed by the cluster unit with that priority.


You enter the weight for each unit separately. For example, if you have a cluster of 5 units
you can set the weights for each unit as follows:
config system ha
set mode a-a
set schedule weight-round-robin
set weight 0 5
set weight 1 10
set weight 2 15
set weight 3 20
set weight 4 30
end
If you enter the get command to view the HA configuration, the output for weight would be:
weight 5 10 15 20 30 1 1 1 1 1 1 1 1 1 1 1
This configuration has the following results:
• The first five connections are processed by the primary unit (priority 0, weight 5)
• The next 10 connections are processed by the first subordinate unit (priority 1, weight 10)
• The next 15 connections are processed by the second subordinate unit (priority 2,
  weight 15)
• The next 20 connections are processed by the third subordinate unit (priority 3,
  weight 20)
• The next 30 connections are processed by the fourth subordinate unit (priority 4,
  weight 30)
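Because weights are bound to priority positions rather than to specific units, the practical step before setting them is to read the priority order out of get system ha status and map it to serial numbers. The following added example (written for this page, not FortiOS code) parses the handbook's sample status output above and replays the weighted round-robin distribution the list above describes. The regular expression, the blocked dispatch order and the connection count of 80 are assumptions for the demo.

```python
"""Added example (not FortiOS code): derive the cluster priority order from
'get system ha status' output and replay weighted round-robin dispatch with the
handbook's example weights. The status text is the handbook's sample; the
connection count is constructed for the demo."""
import re

STATUS_OUTPUT = """\
Model: 620
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:150 head_office_cla FG600B3908600825 0
Slave :150 head_office_clb FG600B3908600705 1
Slave :150 head_office_clc FG600B3908600702 2
Slave :150 head_office_cld FG600B3908600605 3
Slave :150 head_office_cle FG600B3908600309 4
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
Slave :2 FG600B3908600702
Slave :3 FG600B3908600605
Slave :4 FG600B3908600309
"""

# role, device priority, host name, serial number, cluster index (priority order)
MEMBER_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)\s+(FG\w+)\s+(\d+)$")


def priority_order(status_text):
    """Return [(priority_index, hostname, serial)] from the member lines that
    precede 'number of vcluster'. The vcluster lines after it are not
    guaranteed to be in priority order, so they are ignored."""
    members = []
    for line in status_text.splitlines():
        if line.startswith("number of vcluster"):
            break
        m = MEMBER_RE.match(line)
        if m:
            _role, _devprio, host, serial, idx = m.groups()
            members.append((int(idx), host, serial))
    members.sort()
    if not members or members[0][0] != 0:
        raise ValueError("primary unit (priority index 0) missing from status output")
    return members


def weighted_round_robin(weights, connections):
    """Assign new connections to priority indexes the way the handbook describes:
    the unit at priority p takes weights[p] consecutive new connections, then the
    schedule moves to the next priority; weight 0 means no new sessions."""
    if not any(weights):
        raise ValueError("at least one weight must be non-zero")
    assignment, p = [], 0
    while len(assignment) < connections:
        w = weights[p]
        if w:
            assignment.extend([p] * min(w, connections - len(assignment)))
        p = (p + 1) % len(weights)
    return assignment


def demo():
    """Map the handbook's 'set weight 0 5 ... set weight 4 30' onto the units
    listed by get system ha status and count sessions per serial number."""
    members = priority_order(STATUS_OUTPUT)
    weights = [5, 10, 15, 20, 30][:len(members)]
    per_serial = {}
    for p in weighted_round_robin(weights, 80):
        serial = members[p][2]
        per_serial[serial] = per_serial.get(serial, 0) + 1
    return per_serial


if __name__ == "__main__":
    print(demo())
```

If a failover or a device priority change reorders the cluster, the same weight list silently applies to different units; rerunning the parser after such an event shows which serial number now sits at each priority position.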

NAT/Route mode active-active cluster packet flow
This section describes an example of how packets are load balanced and how failover
occurs in an active-active HA cluster running in NAT/Route mode. In the example, the
NAT/Route mode cluster acts as the internet firewall for a client computer’s internal
network. The client computer’s default route points at the IP address of the cluster internal
interface. The client connects to a web server on the Internet. Internet routing routes
packets from the cluster external interface to the web server, and from the web server to
the cluster external interface.
In NAT/Route mode, eight MAC addresses are involved in active-active communication
between the client and the web server when the primary unit load balances packets to the
subordinate unit:
• Internal virtual MAC address (MAC_V_int) assigned to the primary unit internal interface,
• External virtual MAC address (MAC_V_ext) assigned to the primary unit external interface,
• Client MAC address (MAC_Client),
• Server MAC address (MAC_Server),
• Primary unit original internal MAC address (MAC_P_int),
• Primary unit original external MAC address (MAC_P_ext),
• Subordinate unit internal MAC address (MAC_S_int),
• Subordinate unit external MAC address (MAC_S_ext).

FortiOS™ Handbook FortiOS 4.0 MR2 High Availability
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

1649

In NAT/Route mode, the HA cluster works as a gateway when it responds to ARP
requests. Therefore, the client and server only know the gateway MAC addresses. The
client only knows the cluster internal virtual MAC address (MAC_V_int) and the server
only knows the cluster external virtual MAC address (MAC_V_ext). The cluster virtual MAC
address is described in “Cluster virtual MAC addresses” on page 1605.
Figure 235: NAT/Route mode active-active packet flow (figure not reproduced; it shows
Switch 1, Switch 2 and the HA cluster of a Primary Unit (MAC_P_int, MAC_P_ext) and a
Subordinate Unit (MAC_S_int, MAC_S_ext); the Client at 10.11.101.10/MAC_Client; the
Cluster Internal Interface at 10.11.101.100/MAC_V_int; the Cluster External Interface at
172.20.120.141/MAC_V_ext; and the Web Server at 172.20.120.130/MAC_Server)

Packet flow from client to web server
1 The client computer requests a connection from 10.11.101.10 to 172.20.120.130.
2 The default route on the client computer recognizes 10.11.101.100 (the cluster IP
address) as the gateway to the external network where the web server is located.
3 The client computer issues an ARP request to 10.11.101.100.
4 The primary unit intercepts the ARP request, and responds with the internal virtual
MAC address (MAC_V_int) which corresponds to its IP address of 10.11.101.100.
5 The client’s request packet reaches the primary unit internal interface.
              IP address       MAC address
  Source      10.11.101.10     MAC_Client
  Destination 172.20.120.130   MAC_V_int
6 The primary unit decides that the subordinate unit should handle this packet, and
forwards it to the subordinate unit internal interface. The source MAC address of the
forwarded packet is changed to the actual MAC address of the primary unit internal
interface.
              IP address       MAC address
  Source      10.11.101.10     MAC_P_int
  Destination 172.20.120.130   MAC_S_int
7 The subordinate unit recognizes that the packet has been forwarded from the primary
unit and processes it.
8 The subordinate unit forwards the packet from its external interface to the web server.
              IP address       MAC address
  Source      172.20.120.141   MAC_S_ext
  Destination 172.20.120.130   MAC_Server
9 The primary unit forwards further packets in the same session to the subordinate unit.
10 Packets for other sessions are load balanced by the primary unit and either sent to the
subordinate unit or processed by the primary unit.

Packet flow from web server to client
1 When the web server responds to the client’s packet, the cluster external interface IP
address (172.20.120.141) is recognized as the gateway to the internal network.
2 The web server issues an ARP request to 172.20.120.141.
3 The primary unit intercepts the ARP request, and responds with the external virtual
MAC address (MAC_V_ext) which corresponds to its IP address of 172.20.120.141.
4 The web server then sends response packets to the primary unit external interface.
              IP address       MAC address
  Source      172.20.120.130   MAC_Server
  Destination 172.20.120.141   MAC_V_ext
5 The primary unit decides that the subordinate unit should handle this packet, and
forwards it to the subordinate unit external interface. The source MAC address of the
forwarded packet is changed to the actual MAC address of the primary unit external
interface.
              IP address       MAC address
  Source      172.20.120.130   MAC_P_ext
  Destination 172.20.120.141   MAC_S_ext
6 The subordinate unit recognizes that the packet has been forwarded from the primary unit
and processes it.
7 The subordinate unit forwards the packet from its internal interface to the client.
              IP address       MAC address
  Source      172.20.120.130   MAC_S_int
  Destination 10.11.101.10     MAC_Client
8 The primary unit forwards further packets in the same session to the subordinate unit.
9 Packets for other sessions are load balanced by the primary unit and either sent to the
subordinate unit or processed by the primary unit.

When a failover occurs
The following steps are followed after a device or link failure of the primary unit causes a
failover.
1 If the primary unit fails, the subordinate unit negotiates to become the primary unit.
2 The new primary unit changes the MAC addresses of all of its interfaces to the HA
virtual MAC addresses.
The new primary unit has the same IP addresses and MAC addresses as the failed
primary unit.
3 The new primary unit sends gratuitous ARP packets to the 10.11.101.0 network to
associate its internal IP address with the internal virtual MAC address.
4 The new primary unit sends gratuitous ARP packets to the 172.20.120.0 network to
associate its external IP address with the external virtual MAC address.
5 Traffic sent to the cluster is now received and processed by the new primary unit.
If there were more than two cluster units in the original cluster, the new primary unit
would load balance packets to the remaining cluster members.

Transparent mode active-active cluster packet flow
This section describes an example of how packets are load balanced and how failover
occurs in an active-active HA cluster running in Transparent mode. The cluster is installed
on an internal network in front of a mail server and the client connects to the mail server
through the Transparent mode cluster.
In Transparent mode, six MAC addresses are involved in active-active communication
between a client and a server when the primary unit load balances packets to the
subordinate unit:
• Client MAC address (MAC_Client),
• Server MAC address (MAC_Server),
• Primary unit original internal MAC address (MAC_P_int),
• Primary unit original external MAC address (MAC_P_ext),
• Subordinate unit internal MAC address (MAC_S_int),
• Subordinate unit external MAC address (MAC_S_ext).
The HA virtual MAC addresses are not directly involved in communication between the
client and the server. The client computer sends packets to the mail server and the mail
server sends responses. In both cases the packets are intercepted and load balanced
among cluster members.
The cluster’s presence on the network and its load balancing are transparent to the client
and server computers. The primary unit sends gratuitous ARP packets to Switch 1 that
associate all MAC addresses on the network segment connected to the cluster external
interface with the external virtual MAC address. The primary unit also sends gratuitous
ARP packets to Switch 2 that associate all MAC addresses on the network segment
connected to the cluster internal interface with the internal virtual MAC address. In both
cases, this results in the switches sending packets to the primary unit interfaces.

Figure 236: Transparent mode active-active packet flow (figure not reproduced; it shows
Switch 1, Switch 2 and the HA cluster of a Primary Unit (MAC_P_int, MAC_P_ext) and a
Subordinate Unit (MAC_S_int, MAC_S_ext) with a Cluster Internal Interface and a Cluster
External Interface; the Client at 10.11.101.10/MAC_Client; and the Mail Server at
10.11.101.200/MAC_Server)

Packet flow from client to mail server
1 The client computer requests a connection from 10.11.101.10 to 10.11.101.200.
2 The client computer issues an ARP request to 10.11.101.200.
3 The primary unit forwards the ARP request to the mail server.
4 The mail server responds with its MAC address (MAC_Server) which corresponds to
its IP address of 10.11.101.200. The primary unit returns the ARP response to the
client computer.
5 The client’s request packet reaches the primary unit internal interface.
              IP address       MAC address
  Source      10.11.101.10     MAC_Client
  Destination 10.11.101.200    MAC_Server
6 The primary unit decides that the subordinate unit should handle this packet, and
forwards it to the subordinate unit internal interface. The source MAC address of the
forwarded packet is changed to the actual MAC address of the primary unit internal
interface.
              IP address       MAC address
  Source      10.11.101.10     MAC_P_int
  Destination 10.11.101.200    MAC_S_int
7 The subordinate unit recognizes that the packet has been forwarded from the primary unit
and processes it.
8 The subordinate unit forwards the packet from its external interface to the mail server.
              IP address       MAC address
  Source      10.11.101.10     MAC_S_ext
  Destination 10.11.101.200    MAC_Server
9 The primary unit forwards further packets in the same session to the subordinate unit.
10 Packets for other sessions are load balanced by the primary unit and either sent to the
subordinate unit or processed by the primary unit.
Packet flow from mail server to client
1 To respond to the client computer, the mail server issues an ARP request to
10.11.101.10.
2 The primary unit forwards the ARP request to the client computer.
3 The client computer responds with its MAC address (MAC_Client) which corresponds
to its IP address of 10.11.101.10. The primary unit returns the ARP response to the
mail server.
4 The mail server’s response packet reaches the primary unit external interface.
              IP address       MAC address
  Source      10.11.101.200    MAC_Server
  Destination 10.11.101.10     MAC_Client
5 The primary unit decides that the subordinate unit should handle this packet, and
forwards it to the subordinate unit external interface. The source MAC address of the
forwarded packet is changed to the actual MAC address of the primary unit external
interface.
              IP address       MAC address
  Source      10.11.101.200    MAC_P_ext
  Destination 10.11.101.10     MAC_S_ext
6 The subordinate unit recognizes that the packet has been forwarded from the primary unit
and processes it.
7 The subordinate unit forwards the packet from its internal interface to the client.
              IP address       MAC address
  Source      10.11.101.200    MAC_S_int
  Destination 10.11.101.10     MAC_Client
8 The primary unit forwards further packets in the same session to the subordinate unit.
9 Packets for other sessions are load balanced by the primary unit and either sent to the
subordinate unit or processed by the primary unit.
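The four load-balanced flows walked through above (NAT/Route mode and Transparent mode, each in both directions) as an added example that is not part of the handbook: a small Python model of the frame rewrites at each hop, using the handbook's MAC_* labels and the addresses from Figures 235 and 236. The Frame class and the trace, first_hop_mac and subordinate_accepts functions are ours. The handbook says only that the subordinate "recognizes that the packet has been forwarded from the primary unit"; modelling that recognition as a check on the primary's original interface MAC is this example's assumption, as is applying the NAT translation at the subordinate's outbound hop, which is where the tables above first show the translated address.

```python
# Added example (not from the FortiOS Handbook): a model of the MAC and IP
# rewrites the text walks through when the primary unit of an active-active
# cluster hands a packet to the subordinate unit, in NAT/Route and Transparent
# mode and in both directions. The MAC_* names are the handbook's labels, not
# real addresses.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


MAC_V_INT, MAC_V_EXT = "MAC_V_int", "MAC_V_ext"   # HA virtual MACs (primary)
MAC_P_INT, MAC_P_EXT = "MAC_P_int", "MAC_P_ext"   # primary's original MACs
MAC_S_INT, MAC_S_EXT = "MAC_S_int", "MAC_S_ext"   # subordinate's MACs


def first_hop_mac(mode, inbound, target_mac):
    """MAC the sender learned by ARP. In NAT/Route mode the primary answers
    ARP for the cluster IP with a virtual MAC; in Transparent mode it relays
    the ARP exchange, so the sender learns the real MAC of the other host."""
    if mode == "transparent":
        return target_mac
    if mode == "nat_route":
        return MAC_V_INT if inbound == "internal" else MAC_V_EXT
    raise ValueError(f"unknown mode {mode!r}")


def subordinate_accepts(frame):
    """Assumed model: the subordinate processes a frame only if the primary
    forwarded it, recognised by the primary's original interface MAC as source."""
    return frame.src_mac in (MAC_P_INT, MAC_P_EXT)


def trace(mode, inbound, src_ip, dst_ip, src_mac, dst_mac, nat=None):
    """Return the (stage, Frame) sequence for one packet entering the cluster
    on `inbound` ('internal' or 'external') that the primary load balances to
    the subordinate. `nat` is (cluster_external_ip, client_ip) for NAT/Route
    mode: outbound packets are source-NATed to the cluster external IP, and
    return packets addressed to it are translated back to the client."""
    if inbound not in ("internal", "external"):
        raise ValueError("inbound must be 'internal' or 'external'")
    primary_real = MAC_P_INT if inbound == "internal" else MAC_P_EXT
    sub_in = MAC_S_INT if inbound == "internal" else MAC_S_EXT
    sub_out = MAC_S_EXT if inbound == "internal" else MAC_S_INT

    # 1. Frame as the sender built it after its ARP exchange.
    arriving = Frame(src_ip, dst_ip, src_mac, first_hop_mac(mode, inbound, dst_mac))
    # 2. Primary forwards it to the subordinate: only the MACs change.
    handed_off = Frame(src_ip, dst_ip, primary_real, sub_in)
    if not subordinate_accepts(handed_off):
        raise RuntimeError("subordinate would drop a frame not sent by the primary")
    # 3. Subordinate forwards it out of its other interface with its own MAC,
    #    applying the NAT translation in NAT/Route mode.
    out_src, out_dst = src_ip, dst_ip
    if mode == "nat_route" and nat:
        cluster_ext_ip, client_ip = nat
        if inbound == "internal":
            out_src = cluster_ext_ip
        elif dst_ip == cluster_ext_ip:
            out_dst = client_ip
    delivered = Frame(out_src, out_dst, sub_out, dst_mac)
    return [("arrives at primary", arriving),
            ("primary -> subordinate", handed_off),
            ("subordinate -> destination", delivered)]


# Addresses from the handbook's two figures (constructed scenario).
NAT = ("172.20.120.141", "10.11.101.10")


def nat_route_client_to_server():
    return trace("nat_route", "internal", "10.11.101.10", "172.20.120.130",
                 "MAC_Client", "MAC_Server", nat=NAT)


def nat_route_server_to_client():
    return trace("nat_route", "external", "172.20.120.130", "172.20.120.141",
                 "MAC_Server", "MAC_Client", nat=NAT)


def transparent_client_to_server():
    return trace("transparent", "internal", "10.11.101.10", "10.11.101.200",
                 "MAC_Client", "MAC_Server")


def transparent_server_to_client():
    return trace("transparent", "external", "10.11.101.200", "10.11.101.10",
                 "MAC_Server", "MAC_Client")


if __name__ == "__main__":
    for stage, frame in nat_route_client_to_server():
        print(f"{stage:28} {frame}")
```

Each trace reproduces the three address tables of the corresponding flow above; the difference between the modes shows up only in the first frame's destination MAC (virtual MAC versus the real host MAC) and in whether the IP addresses change at the subordinate's outbound hop.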

When a failover occurs
The following steps are followed after a device or link failure of the primary unit causes a
failover.
1 If the primary unit fails, the subordinate unit negotiates to become the primary unit.
2 The new primary unit changes the MAC addresses of all of its interfaces to the HA
virtual MAC address.
3 The new primary unit sends gratuitous ARP requests to switch 1 to associate its MAC
address with the MAC addresses on the network segment connected to the external
interface.
4 The new primary unit sends gratuitous ARP requests to switch 2 to associate its MAC
address with the MAC addresses on the network segment connected to the internal
interface.
5 Traffic sent to the cluster is now received and processed by the new primary unit.
If there were more than two cluster units in the original cluster, the new primary unit
would load balance packets to the remaining cluster members.

HA with third-party products
This chapter provides information about operating FortiGate clusters with third party
products such as layer-2 and layer-3 switches. This chapter describes:
• Troubleshooting layer-2 switches
• Failover issues with layer-3 switches
• Changing spanning tree protocol settings for some switches
• Failover and attached network equipment
• Ethertype conflicts with third-party switches
• LACP, 802.3ad aggregation and third-party switches

Troubleshooting layer-2 switches
Issues may occur because of the way an HA cluster assigns MAC addresses to the
primary unit. In a functioning HA cluster, all primary unit interfaces are assigned the same
virtual MAC address. The last byte of the virtual MAC address is the hexadecimal
equivalent of the group ID. See “Cluster virtual MAC addresses” on page 1605 for more
information about the HA group ID and the cluster virtual MAC address.
Figure 237: Typical HA configuration, each interface connected to a different switch
(figure not reproduced; it shows the Internal Network, the Internal Switch, the FortiGate
Cluster of FortiGate unit #1 and FortiGate unit #2 (each with Port1 and Port2), the
External Switch, a Router and the Internet)

Assigning the virtual MAC addresses in this way results in two restrictions when installing
HA clusters:
• Two clusters with the same group ID cannot connect to the same switch and cannot
be installed on the same network unless they are separated by a router.
• Two or more interfaces on the same primary unit cannot be connected to the same
switch unless the traffic is separated using VLANs and unless the switch is VLAN-aware.

Forwarding delay on layer 2 switches
If there is a switch between the FortiGate HA cluster and the network it is protecting, and
that switch applies a forwarding delay when one of its interfaces is activated (even if
spanning tree is disabled), you must set the forwarding delay as low as possible. For
example, some versions of Cisco IOS have a forwarding delay of 15 seconds even when
spanning tree is disabled. If left at this default value then TCP session pickup can fail
because traffic is not forwarded through the switch on HA failover.

Failover issues with layer-3 switches
After a failover, the new primary unit sends gratuitous ARP packets to refresh the MAC
forwarding tables of the switches connected to the cluster. If the cluster is connected using
layer-2 switches, the MAC forwarding tables (also called arp tables) are refreshed by the
gratuitous ARP packets and the switches start directing packets to the new primary unit.
In some configurations that use layer-3 switches, after a failover, the layer-3 switches may
not successfully re-direct traffic to the new primary unit. The possible reason for this is that
the layer-3 switch might keep a table of IP addresses and interfaces and may not update
this table for a relatively long time after the failover (the table is not updated by the
gratuitous ARP packets). Until the table is updated, the layer-3 switch keeps forwarding
packets to the now failed cluster unit. As a result, traffic stops and the cluster does not
function.
As of the release date of this document, Fortinet has not developed a workaround for this
problem. One possible solution would be to clear the forwarding table on the layer-3
switch.
The config system ha link-failed-signal command described in “Updating
MAC forwarding tables when a link failover occurs” on page 1625 can be used to resolve
link failover issues similar to those described here.

Changing spanning tree protocol settings for some switches
Configuration changes may be required when you are running an active-active HA cluster
that is connected to a switch that operates using the spanning tree protocol. For example,
the following spanning tree parameters may need to be changed:
Maximum Age    The time that a bridge stores the spanning tree bridge protocol data unit
               (BPDU) before discarding it. A maximum age of 20 seconds means it may
               take 20 seconds before the switch changes a port to the listening state.
Forward Delay  The time that a connected port stays in listening and learning state. A
               forward delay of 15 seconds assumes a maximum network size of seven
               bridge hops, a maximum of three lost BPDUs and a hello-interval of 2 seconds.


For an active-active HA cluster to be compatible with the spanning tree algorithm, the
FGCP requires that the sum of maximum age and forward delay should be less than 20
seconds. The maximum age and forward delay settings are designed to prevent layer 2
loops. If there is no possibility of layer 2 loops in the network, you could reduce the forward
delay to the minimum value.
For some Dell 3348 switches the default maximum age is 20 seconds and the default
forward delay is 15 seconds. In this configuration the switch cannot work with a FortiGate
HA cluster. However, the switch and cluster are compatible if the maximum age is reduced
to 10 seconds and the forward delay is reduced to 5 seconds.

Spanning Tree protocol (STP)
Spanning tree protocol is an IEEE 802.1 standard link management protocol for
media access control bridges. STP uses the spanning tree algorithm to provide path
redundancy while preventing undesirable loops in a network that are created by multiple
active paths between stations. Loops can be created if there is more than one route between
two hosts. To control path redundancy, STP creates a tree that spans all of the switches in
an extended network. Using the information in the tree, the STP can force redundant
paths into a standby, or blocked, state. The result is that only one active path is available
at a time between any two network devices (preventing looping). Redundant links are
used as backups if the initial link should fail. Without spanning tree in place, it is possible
that two connections may be simultaneously live, which could result in an endless loop of
traffic on the network.

Bridge Protocol Data Unit (BPDU)
BPDUs are spanning tree data messages exchanged across switches within an extended
network. BPDU packets contain information on ports, addresses, priorities and costs and
ensure that the data ends up where it was intended to go. BPDU messages are
exchanged across bridges to detect loops in a network topology. The loops are then
removed by shutting down selected bridge interfaces and placing redundant switch ports
in a backup, or blocked, state.

Failover and attached network equipment
It normally takes a cluster approximately 6 seconds to complete a failover. However, the
actual failover time may depend on how quickly the switches connected to the cluster
interfaces accept the cluster MAC address update from the primary unit. If the switches do
not recognize and accept the gratuitous ARP packets and update their MAC forwarding
table, the failover time will increase.
Also, individual session failover depends on whether the cluster is operating in active-active
or active-passive mode, and whether the content of the traffic is to be virus
scanned. Depending on application behavior, it may take a TCP session a longer period of
time (up to 30 seconds) to recover completely.

Ethertype conflicts with third-party switches
Some third-party network equipment may use packets with Ethertypes that are the same
as the Ethertypes used for HA heartbeat packets. For example, Cisco N5K/Nexus
switches use Ethertype 0x8890 for some functions. When one of these switches receives
Ethertype 0x8890 heartbeat packets from an attached cluster unit, the switch generates
CRC errors and the packets are not forwarded. As a result, FortiGate units connected with
these switches cannot form a cluster.
In some cases, if the heartbeat interfaces are connected and configured so regular traffic
flows but heartbeat traffic is not forwarded, you can change the configuration of the switch
that connects the HA heartbeat interfaces to allow layer 2 frames with Ethertypes 0x8890,
0x8893, and 0x8891 to pass.

You can also use the following CLI commands to change the Ethertypes of the HA
heartbeat packets:
config system ha
set ha-eth-type <ha_ethertype_4-digit_hex>
set hc-eth-type <hc_ethertype_4-digit_hex>
set l2ep-eth-type <l2ep_ethertype_4-digit_hex>
end
For more information, see “Heartbeat packet Ethertypes” on page 1602.
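To check from the switch side whether heartbeat frames are actually being forwarded, the added example below (not from the handbook or Fortinet) parses captured Ethernet frames and counts the three heartbeat Ethertypes listed above, stepping over an 802.1Q tag where one is present. A capture taken on the switch port facing the other cluster unit in which none of the three Ethertypes appears, while ordinary traffic does, matches the symptom described in this section. The frame bytes, MAC addresses and payloads in SAMPLE_CAPTURE are constructed for the example and are not real heartbeat contents.

```python
# Added example (not from the FortiOS Handbook): parse raw Ethernet frames
# captured on the link between a cluster unit and a third-party switch and
# report which of the HA heartbeat Ethertypes named in the text are present.
import struct
from collections import Counter

# Heartbeat Ethertypes listed in the text (the values the CLI commands above
# let you change).
HA_HEARTBEAT_ETHERTYPES = {0x8890, 0x8891, 0x8893}
VLAN_TAG = 0x8100


def mac_str(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


def parse_frame(raw):
    """Return (dst_mac, src_mac, ethertype, vlan_id) for an Ethernet II frame,
    stepping over one 802.1Q tag if present (vlan_id is None without a tag)."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id = None
    if ethertype == VLAN_TAG:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF
    return dst, src, ethertype, vlan_id


def heartbeat_report(frames):
    """Count frames per Ethertype and report which heartbeat Ethertypes were
    seen in the capture and which were not."""
    counts = Counter(parse_frame(f)[2] for f in frames)
    seen = HA_HEARTBEAT_ETHERTYPES & set(counts)
    return counts, seen, HA_HEARTBEAT_ETHERTYPES - seen


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build a frame for the constructed samples below."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", VLAN_TAG, vlan_id)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample capture: two heartbeat-Ethertype frames (one VLAN-tagged)
# and one ordinary IPv4 frame. MAC addresses are locally administered
# placeholders; payloads are filler.
SAMPLE_CAPTURE = [
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x8890, b"\x00" * 46),
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x8891, b"\x00" * 46, vlan_id=10),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800, b"\x45" + b"\x00" * 45),
]

if __name__ == "__main__":
    counts, seen, missing = heartbeat_report(SAMPLE_CAPTURE)
    for et, n in sorted(counts.items()):
        print(f"0x{et:04x}: {n} frame(s)")
    print("heartbeat Ethertypes seen:", sorted(hex(e) for e in seen))
    print("heartbeat Ethertypes not seen:", sorted(hex(e) for e in missing))
```

Feed the function the frames of a real capture (for example the raw packet bytes from a pcap reader) in place of SAMPLE_CAPTURE; an Ethertype that is counted on the cluster unit's port but absent on the far side of the switch is the one the switch is not passing.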

LACP, 802.3ad aggregation and third-party switches
If a cluster contains 802.3ad aggregated interfaces you should connect the cluster to
switches that support configuring multiple Link Aggregation (LAG) groups.
The primary and subordinate unit interfaces have the same MAC address, so if you
cannot configure multiple LAG groups a switch may place all interfaces with the same
MAC address into the same LAG group, disrupting the operation of the cluster.
You can change the FortiGate configuration to prevent subordinate units from participating
in LACP negotiation. For example, use the following command to do this for an aggregate
interface named Port1_Port2:
config system interface
edit Port1_Port2
set lacp-ha-slave disable
end
This configuration prevents the subordinate unit interfaces from sending or receiving
packets, so the cluster cannot operate in active-active mode. As well,
failover may be slower because after a failover the new primary unit has to perform LACP
negotiation before being able to process network traffic.
For more information, see “Example: HA and 802.3ad aggregated interfaces” on
page 1496.

Standalone session synchronization
You can use the config system session-sync command to configure standalone
session synchronization between two standalone FortiGate units. You can use this feature
with external routers or load balancers configured to distribute or load balance TCP
sessions between two peer FortiGate units. If one of the peers fails, session failover
occurs and active TCP sessions fail over to the peer that is still operating. This failover
occurs without any loss of data. As well, the external routers or load balancers will detect
the failover and re-distribute all sessions to the peer that is still operating.
Note: Standalone session synchronization between two standalone FortiGate units is also
sometimes called TCP session synchronization or session synchronization between non-HA
FortiGate units.

Note: You cannot configure standalone session synchronization when HA is enabled.

Standalone session synchronization can be used instead of HA to provide TCP session
synchronization between two peer FortiGate units. If the external load balancers direct all
sessions to one peer the effect is similar to active-passive HA. If external load balancers
or routers load balance traffic to both peers, the effect is similar to active-active HA. The
load balancers should be configured so that all of the packets for any given session are
processed by the same peer. This includes return packets.

Figure 238: Standalone session synchronization (figure not reproduced; it shows the
Internet, a Router or Load Balancer, two FortiGate Units joined by a Session
Synchronization Link, a second Router or Load Balancer, and the Internal Network)

By default, standalone session synchronization synchronizes all TCP sessions. You can
optionally add filters to a configuration to control which TCP sessions are synchronized. You
can add filters to only synchronize packets from specified source and destination
addresses, specified source and destination interfaces, and specified predefined firewall
TCP services.
Unlike HA, standalone session synchronization does not include configuration
synchronization. In fact, the configuration of the two peers is not identical because in most
cases the peers would have different IP addresses. Also unlike HA, load balancing is done
by external routers or load balancers. The FortiGate units only perform session
synchronization and session failover.

Notes and limitations
Standalone session synchronization has the following limitations:
• Standalone session synchronization is a global configuration option. As a result you
can only add one predefined firewall TCP service to a filter configuration. You cannot
add custom services or service groups even if virtual domains are not enabled.
• Only TCP sessions accepted by firewall policies are synchronized. Due to their
non-stateful nature, UDP and ICMP sessions don't need to be synchronized to fail over
naturally.
• You can only add one filter configuration to a given standalone session synchronization
configuration. However, you can add multiple filters by adding multiple identical
standalone session synchronization configurations, each one with a different filter
configuration.
• Sessions accepted by firewall policies with UTM options configured are not
synchronized.
• Sessions that include network address translation (NAT) applied by selecting NAT in
firewall policies are not synchronized because the address translation binds to a
FortiGate unit address and the peers have different IP addresses.
• Session synchronization is a CLI only configuration.
• Session synchronization is available for FortiGate units or virtual domains operating in
NAT/Route or Transparent mode. NAT sessions are not synchronized in either mode.
In NAT/Route mode, only sessions for route mode firewall policies are synchronized. In
Transparent mode, only sessions for normal Transparent mode policies are
synchronized.
• Session synchronization cannot be asymmetric. Session synchronization is stateful,
so all of the packets of a given session must be processed on the same peer. This
includes return packets. You must configure the load balancers so that they do not
cause asymmetric routing.
• Session synchronization is supported for traffic on physical interfaces, VLAN
interfaces, zones, and aggregate interfaces. Session synchronization has not been
tested for inter-vdom links, accelerated interfaces (FA2 and NP2), between HA
clusters, and for redundant interfaces.
• The names of the matching interfaces, including VLAN interfaces, aggregate interfaces
and so on, must be the same on both peers.


Configuring session synchronization
You configure session synchronization for each virtual domain to be synchronized. If
virtual domain configuration is not enabled, you configure session synchronization for the
root virtual domain. When virtual domain configuration is enabled and you have added
virtual domains you configure session synchronization for each virtual domain to be
synchronized. You don’t have to synchronize all of the virtual domains.
You must configure session synchronization on both peers. The session synchronization
configurations of each peer should complement the other. In fact you can manage and
configure both peers as separate FortiGate units. Using FortiManager, you can manage
both peers as two separate FortiGate devices.
On each peer, configuring session synchronization consists of selecting the virtual
domains to be synchronized using the syncvd field, selecting the virtual domain on the
other peer that receives the synchronization packets using the peervd field, and setting
the IP address of the interface in the peer unit that receives the synchronization packets
using the peerip field. The interface with the peerip must be in the peervd virtual domain.
The syncvd and peervd settings must be the same on both peers. However, the
peerip settings will be different because the peerip setting on the first peer includes the
IP address of an interface on the second peer, and the peerip setting on the second
peer includes the IP address of an interface on the first peer.
Because session synchronization does not synchronize FortiGate configuration settings
you must configure both peers separately. For session synchronization to work properly all
session synchronized virtual domains must be added to both peers. The names of the
matching interfaces in each virtual domain must also be the same; this includes the
names of matching VLAN interfaces. Note that the index numbers of the matching
interfaces and VLAN interfaces can be different. Also the VLAN IDs of the matching VLAN
interfaces can be different.
As well, the session synchronized virtual domains should have the same firewall policies
so that sessions can be resumed after a failover using the same firewall policies.
For a configuration example, see “Basic example configuration” on page 1664.
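The rules in this section (the same syncvd and peervd on both peers, each peerip an interface address inside peervd on the other peer, and identical interface names in the synchronized virtual domain) lend themselves to a check before the commands are entered on the two units. The following is an added example, not part of the handbook or of FortiOS: the Peer structure and the check_pair function are ours, and the addresses are those of peer_1 and peer_2 from the basic example configuration that follows. BAD_PEER_2 is a deliberately mis-built copy of peer_2, constructed to show what the check reports.

```python
# Added example (not from the FortiOS Handbook): check that two standalone
# session synchronization configurations satisfy the rules in the text before
# they are pushed to the peers. The Peer structure and check_pair are ours;
# the addresses are the peer_1/peer_2 values from the handbook's example.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Peer:
    name: str
    vdoms: Dict[str, Dict[str, str]]   # vdom -> {interface name: IP address}
    peerip: str                        # 'set peerip'
    peervd: str                        # 'set peervd'
    syncvd: str                        # 'set syncvd'


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return the rules violated by the pair; an empty list means consistent."""
    problems = []
    # syncvd and peervd must be identical on both peers
    for field in ("syncvd", "peervd"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} differs: {a.name}={getattr(a, field)}, "
                            f"{b.name}={getattr(b, field)}")
    for me, other in ((a, b), (b, a)):
        # the synchronized vdom must exist on each peer
        if me.syncvd not in me.vdoms:
            problems.append(f"{me.name}: synced vdom {me.syncvd} does not exist")
        # peerip must be an address of an interface inside peervd on the other peer
        if me.peerip not in other.vdoms.get(me.peervd, {}).values():
            problems.append(f"{me.name}: peerip {me.peerip} is not an interface "
                            f"address in vdom {me.peervd} on {other.name}")
    # each peerip points at the other unit, so the two settings cannot be equal
    if a.peerip == b.peerip:
        problems.append(f"both peers use peerip {a.peerip}")
    # interface names inside the synced vdom must match on both peers
    if a.syncvd in a.vdoms and b.syncvd in b.vdoms:
        names_a, names_b = set(a.vdoms[a.syncvd]), set(b.vdoms[b.syncvd])
        if names_a != names_b:
            problems.append(f"interface names in {a.syncvd} differ: "
                            f"{sorted(names_a ^ names_b)}")
    return problems


PEER_1 = Peer("peer_1",
              {"root": {"port3": "10.10.10.1"},
               "vdom_1": {"port1": "192.168.20.1", "port2": "172.110.20.1"}},
              peerip="10.10.10.2", peervd="root", syncvd="vdom_1")
PEER_2 = Peer("peer_2",
              {"root": {"port3": "10.10.10.2"},
               "vdom_1": {"port1": "192.168.20.2", "port2": "172.110.20.2"}},
              peerip="10.10.10.1", peervd="root", syncvd="vdom_1")

# A deliberately wrong peer_2 (constructed): port3 was added to vdom_1 instead
# of root, so peer_1's peerip no longer lives in peervd, and port2 was named
# 'wan1', so the interface names in vdom_1 no longer match.
BAD_PEER_2 = Peer("peer_2",
                  {"root": {},
                   "vdom_1": {"port1": "192.168.20.2", "wan1": "172.110.20.2",
                              "port3": "10.10.10.2"}},
                  peerip="10.10.10.1", peervd="root", syncvd="vdom_1")

if __name__ == "__main__":
    print("peer_1/peer_2:", check_pair(PEER_1, PEER_2) or "consistent")
    for p in check_pair(PEER_1, BAD_PEER_2):
        print("peer_1/bad peer_2:", p)
```

The check covers only what this section states; it does not compare firewall policies, which the text says should also match so that sessions resume under the same policies after a failover.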

Configuring the session synchronization link
When session synchronization is operating, the peers share session information over an
Ethernet link between the peers similar to an HA heartbeat link. Usually you would use the
same interface on each peer for session synchronization. You should connect the session
synchronization interfaces directly without using a switch or other networking equipment. If
possible use a crossover cable for the session synchronization link. For FortiGate-5000
systems you can use a backplane interface as the session synchronization link.
You can use different interfaces on each peer for session synchronization links. Also, if
you have multiple session synchronization configurations, you can have multiple session
synchronization links between the peers. In fact if you are synchronizing a lot of sessions,
you may want to configure and connect multiple session synchronization links to distribute
session synchronization traffic to these multiple links.
You cannot configure backup session synchronization links. Each configuration only
includes one session synchronization link.
The session synchronization link should always be maintained. If session synchronization
communication is interrupted and a failure occurs, sessions will not fail over and data could
be lost.
Session synchronization traffic can use a considerable amount of network bandwidth. If
possible, session synchronization link interfaces should only be used for session
synchronization traffic and not for data traffic.

Basic example configuration
The following configuration example shows how to configure a basic session
synchronization configuration for two peer FortiGate units shown in Figure 239 on
page 1665. The host names of peers are peer_1 and peer_2. Both peers are configured
with two virtual domains: root and vdom_1. All sessions processed by vdom_1 are
synchronized. The synchronization link interface is port3 which is in the root virtual
domain. The IP address of port3 on peer_1 is 10.10.10.1. The IP address of port3 on
peer_2 is 10.10.10.2.
Also on both peers, port1 and port2 are added to vdom_1. On peer_1 the IP address of
port1 is set to 192.168.20.1 and the IP address of port2 is set to 172.110.20.1. On peer_2
the IP address of port1 is set to 192.168.20.2 and the IP address of port2 is set to
172.110.20.2.

FortiOS™ Handbook FortiOS 4.0 MR2 High Availability
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Figure 239: Example standalone session synchronization network configuration
[Figure: Internet; Router or Load Balancer; two FortiGate units, Peer_1 and Peer_2, each with port2 and port1 in Vdom_1 and port3 in root (10.10.10.1 on Peer_1, 10.10.10.2 on Peer_2) joined by the Session Synchronization Link; Router or Load Balancer; Internal Network]
To configure standalone session synchronization
1 Configure the load balancer or router to send all sessions to peer_1.
2 Configure the load balancer or router to send all traffic to peer_2 if peer_1 fails.
3 Use normal FortiGate configuration steps on peer_1:
• Enable virtual domain configuration.
• Add the vdom_1 virtual domain.
• Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
• Set the IP address of port1 to 192.168.20.1.
• Set the IP address of port2 to 172.110.20.1.
• Set the IP address of port3 to 10.10.10.1.
• Add route mode firewall policies between port1 and port2 to vdom_1.
4 Enter the following commands to configure session synchronization for peer_1
config system session-sync
edit 1
set peerip 10.10.10.2
set peervd root
set syncvd vdom_1
end

5 Use normal FortiGate configuration steps on peer_2:
• Enable virtual domain configuration.
• Add the vdom_1 virtual domain.
• Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
• Set the IP address of port1 to 192.168.20.2.
• Set the IP address of port2 to 172.110.20.2.
• Set the IP address of port3 to 10.10.10.2.
• Add route mode firewall policies between port1 and port2 to vdom_1.
6 Enter the following commands to configure session synchronization for peer_2:
config system session-sync
edit 1
set peerip 10.10.10.1
set peervd root
set syncvd vdom_1
end
To add a filter
You can add a filter to this basic configuration if you only want to synchronize some TCP
sessions. For example you can enter the following commands on both FortiGate units to
edit the standalone sessions configurations and add a filter so that only HTTP sessions
are synchronized
config system session-sync
edit 1
config filter
set service HTTP
end
end
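The basic example and the filter variant above are easy to get wrong in exactly the way a copy-and-paste between peers invites: each peer's peerip must be the other peer's link address, and both sides must synchronize the same VDOM with the same filter. The following Python script is an added example, not part of the FortiOS Handbook or any Fortinet tool. It takes the handbook's peer_1/peer_2 values (port3 in root, vdom_1 synchronized), renders the config system session-sync block for each side in the handbook's syntax, and cross-checks the pair before anything is pasted into a CLI. The Peer record, the check_pair rules and the assumption that the directly connected link is one /24 are this example's own.

```python
"""Generate and cross-check standalone session synchronization configs for two peers.

Added example, not from the FortiOS Handbook. The Peer values mirror the handbook's
basic example; render_session_sync emits the handbook's CLI syntax, and check_pair
holds the consistency rules a reviewer would apply (those rules, and the /24 link
assumption, are this example's own).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    sync_ip: str                          # IP of this peer's session synchronization interface
    peervd: str                           # VDOM that owns that interface
    syncvd: str                           # VDOM whose sessions are synchronized
    filter_service: Optional[str] = None  # optional filter, e.g. "HTTP"
    link_prefix: int = 24                 # assumed prefix length of the directly connected link


def render_session_sync(local: Peer, remote: Peer) -> str:
    """Render 'config system session-sync' for `local`; peerip is the OTHER peer's address."""
    lines = [
        "config system session-sync",
        "    edit 1",
        f"        set peerip {remote.sync_ip}",
        f"        set peervd {local.peervd}",
        f"        set syncvd {local.syncvd}",
    ]
    if local.filter_service:
        lines += ["        config filter",
                  f"            set service {local.filter_service}",
                  "        end"]
    lines.append("    end")
    return "\n".join(lines)


def peerip_of(config_text: str) -> Optional[str]:
    """Pull 'set peerip X' back out of a rendered or pasted block."""
    m = re.search(r"^\s*set peerip (\S+)", config_text, re.MULTILINE)
    return m.group(1) if m else None


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return human-readable problems; an empty list means the pair is consistent."""
    problems: List[str] = []
    if a.sync_ip == b.sync_ip:
        problems.append(f"{a.name} and {b.name} share sync IP {a.sync_ip}; "
                        "each peerip would point at the peer itself")
    net_a = ipaddress.ip_interface(f"{a.sync_ip}/{a.link_prefix}").network
    net_b = ipaddress.ip_interface(f"{b.sync_ip}/{b.link_prefix}").network
    if net_a != net_b:
        problems.append(f"sync IPs are not on one link subnet ({net_a} vs {net_b})")
    if a.syncvd != b.syncvd:
        problems.append(f"syncvd differs: {a.name}={a.syncvd}, {b.name}={b.syncvd}")
    if a.filter_service != b.filter_service:
        problems.append("filters differ; a session synchronized by only one side cannot fail over")
    return problems


if __name__ == "__main__":
    peer_1 = Peer("peer_1", "10.10.10.1", "root", "vdom_1")
    peer_2 = Peer("peer_2", "10.10.10.2", "root", "vdom_1")
    for local, remote in ((peer_1, peer_2), (peer_2, peer_1)):
        print(f"# {local.name}\n{render_session_sync(local, remote)}\n")
    print("problems:", check_pair(peer_1, peer_2) or "none")
```

Running the script prints the two blocks that match steps 4 and 6 above; feeding it a peer_2 whose sync address was left at 10.10.10.1 reports the shared-address problem instead of producing a config that would point peer_2 at itself.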

Chapter 13 Endpoint
This FortiOS Handbook chapter contains the following sections:
• Network Access Control and monitoring explains how to configure endpoint NAC,
including the configuration of endpoint application control. The endpoint monitor
feature is also explained.
• Network Vulnerability Scan explains how to scan your network for potential security
issues.

Network Access Control and monitoring
This section describes the Endpoint NAC feature and how to configure it.
The following topics are included in this section:
• NAC overview
• Configuring FortiClient required version and download location
• Configuring application detection and control
• Configuring Endpoint profiles
• Enabling Endpoint NAC in firewall policies
• Monitoring endpoints
• Modifying Endpoint NAC replacement pages
• Example

NAC overview
Network Access Control (NAC) ensures that workstation computers (endpoints) meet
security requirements, otherwise they are not permitted access. Endpoint NAC can
enforce:
• use of FortiClient Endpoint Security
• use of FortiClient firewall
• use of FortiClient antivirus protection
• use of up-to-date FortiClient antivirus signatures
• installation or running of specific applications
• absence or non-use of specific applications
Non-compliant endpoints are quarantined. Optionally, endpoints that lack FortiClient
Endpoint Security can be warned instead of quarantined.
Endpoint NAC settings are grouped into one or more Endpoint NAC Profiles. You enable
Endpoint NAC in firewall policies and select a NAC Profile.

User experience
Endpoint NAC applies to users attempting to make a connection that is controlled by a
firewall policy with Endpoint NAC enabled. The user of a non-compliant endpoint
communicating by use of a web browser receives a replacement message HTML page
from the FortiGate unit. For information about modifying these replacement pages, see
“Modifying Endpoint NAC replacement pages” on page 1679.

Non-compliant user warning
If the Endpoint NAC profile Notify Hosts to Install FortiClient (Warn only) option is enabled,
the user sees a message like this:
Figure 240: Default non-compliant endpoint warning

If there is a FortiClient installer available for the user’s endpoint computer, a link is
provided to download the installer from the location defined in Endpoint > NAC >
FortiClient. If there is no installer available, the user is asked to contact the network
administrator.
The link at the bottom of the page enables the user to continue to the requested web site
without installing FortiClient Endpoint Security.

Non-compliant user quarantine
If the Endpoint NAC profile Quarantine Hosts to User Portal (Enforce compliance) option is
enabled, the user sees a message like this:
Figure 241: Default non-compliant endpoint quarantine

There is a download link for the FortiClient installer, if one is available. The same message
is displayed for every connection attempt where Endpoint NAC is in effect, until the user
installs FortiClient Endpoint Security.

Blocked user
If an endpoint has FortiClient Endpoint Security installed but is not compliant with the
Endpoint NAC profile’s Additional Client Options or Application Detection rules, the
FortiGate unit sends a message like this to the user’s browser.
Figure 242: Endpoint blocked message

The user needs to resolve the listed issues and retry the connection.

Configuration overview
Endpoint NAC requires that all hosts using the firewall policy have the FortiClient Endpoint
Security application installed. Make sure that all hosts affected by this policy are able to
install this application. Currently, FortiClient Endpoint Security is available for Microsoft
Windows 2000 and later only.
To set up Endpoint NAC, you need to
• Enable Central Management by the FortiGuard Analysis & Management Service if you
will use FortiGuard Services to update the FortiClient application or antivirus
signatures. You do not need to enter account information. See Central Management in
the FortiGate Administration Guide.
• Configure the minimum required version of FortiClient and the source of FortiClient
installer downloads for non-compliant endpoints. See “Configuring FortiClient required
version and download location” on page 1672.
• Configure application sensors. An application sensor specifies which applications are
required, allowed, or not allowed on endpoints. See “Configuring application sensors”
on page 1673.
• Configure Endpoint profiles which specify the FortiClient enforcement settings and the
application detection list to apply. See “Configuring Endpoint profiles” on page 1676.
• Enable Endpoint in firewall policies, selecting the appropriate Endpoint NAC profile.
Note: You cannot enable Endpoint in firewall policies if Redirect HTTP Challenge to a
Secure Channel (HTTPS) is enabled in User > Authentication.
• Optionally, modify the inactivity timeout for endpoints. The default is 5 minutes. After
that time period, the FortiGate unit rechecks the endpoint for Endpoint compliance. To
change the timeout, adjust the compliance-timeout value in the config
endpoint-control settings CLI command.
• Optionally, modify the Endpoint Download Portal and the Endpoint Recommendation
Portal replacement messages.

Configuring FortiClient required version and download location
The Endpoint NAC feature can set a minimum FortiClient version that endpoints are
required to run. To make this policy easy for users, you can configure a download source
for the FortiClient installer.
Configuring FortiClient requirement and download location - web-based manager
1 Go to Endpoint > NAC > FortiClient.
Figure 243: Configuring FortiClient version requirements and installer source

2 Do one of the following:
• Select FortiGuard Distribution Network. FortiGuard must be configured on the
FortiGate unit.
• Select This FortiGate. Users can download a FortiClient installer file from this
FortiGate unit. This option is available only on FortiGate models that support upload
of FortiClient installer files.
• Select Custom URL. Enter the URL from which users can download the FortiClient
installer.
Note: Select This FortiGate or Custom URL if you want to provide a customized
FortiClient application. This is required if a FortiManager unit will centrally manage
FortiClient applications. For information about customizing the FortiClient application,
see the FortiClient Administration Guide.

3 Optionally, select Enforce Minimum Version and select the minimum acceptable
version number or Latest Available for the FortiClient Endpoint Security application.
The list contains the FortiClient versions available from the selected FortiClient Installer
Download Location.
Fortinet recommends that administrators wait for a reasonable period of time after
deploying a FortiClient version update before updating the minimum version required
to the most recent version. This gives users some time to install the update.
Configuring FortiClient requirement and download location - CLI
In this example, users are required to have FortiClient version 4.1.3 or later. FortiGuard
provides the FortiClient installer.
config endpoint-control settings
set enforce-minimum-version enable
set version-check minimum
set version 4.1.3
set download-location fortiguard
end
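Two details of this check are worth seeing in code: a version string such as 4.1.3 has to be compared field by field as integers (a plain string comparison ranks 4.1.10 below 4.1.3), and a compliant verdict is only trusted until the compliance-timeout described earlier expires, after which the endpoint is rechecked. The Python below is an added example, not from the FortiOS Handbook or from FortiClient; it keeps the handbook's values (minimum version 4.1.3, a 5 minute default timeout), and the ComplianceCache class with its injectable clock is this example's own sketch of that recheck behaviour.

```python
"""FortiClient minimum-version test and the compliance recheck timer.

Added example, not from the FortiOS Handbook or FortiClient. Values (4.1.3,
5 minutes) follow the handbook; the ComplianceCache sketch is an assumption
about how a recheck timer behaves, not Fortinet's implementation.
"""
import time
from typing import Callable, Dict, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.1.3' -> (4, 1, 3); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def meets_minimum(reported: Optional[str], minimum: str) -> bool:
    """True if the endpoint's FortiClient version is at or above `minimum`.
    An endpoint that reports no version (FortiClient absent) never passes."""
    if not reported:
        return False
    have, need = parse_version(reported), parse_version(minimum)
    width = max(len(have), len(need))            # treat 4.1 as 4.1.0
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


class ComplianceCache:
    """Remembers each endpoint's last verdict for `timeout_minutes`, then forces a recheck."""

    def __init__(self, timeout_minutes: int = 5,
                 clock: Optional[Callable[[], float]] = None):
        self.timeout = timeout_minutes * 60
        self.clock = clock or time.monotonic   # injectable so tests can advance time
        self._seen: Dict[str, Tuple[float, bool]] = {}

    def needs_recheck(self, ip: str) -> bool:
        entry = self._seen.get(ip)
        return entry is None or self.clock() - entry[0] >= self.timeout

    def record(self, ip: str, compliant: bool) -> None:
        self._seen[ip] = (self.clock(), compliant)

    def verdict(self, ip: str, reported_version: Optional[str], minimum: str) -> bool:
        """Cached verdict while still fresh; otherwise re-evaluate and store the result."""
        if self.needs_recheck(ip):
            self.record(ip, meets_minimum(reported_version, minimum))
        return self._seen[ip][1]


if __name__ == "__main__":
    cache = ComplianceCache(timeout_minutes=5)
    for ip, ver in (("192.168.20.10", "4.1.3"), ("192.168.20.11", "4.1.10"),
                    ("192.168.20.12", "4.1"), ("192.168.20.13", None)):
        print(ip, ver, "compliant" if cache.verdict(ip, ver, "4.1.3") else "non-compliant")
```

The cache is keyed by client IP because that is what the firewall policy sees; an endpoint that uninstalls FortiClient keeps its cached verdict until the timeout runs out, which is exactly why the handbook exposes compliance-timeout as a tunable.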

Configuring application detection and control
Network access control (NAC) can allow or deny endpoint access to the network based on
the applications that are installed or running on the endpoint. The Application Sensor
defines the rules for endpoint applications and is selected as part of the Endpoint NAC
profile.

Configuring application sensors
An application sensor is part of an Endpoint NAC profile that you can apply in your firewall
policies. Application detection rules in the sensor detect the application by name and
vendor and test its current status on the endpoint. A rule can test for any of the following
status values:
• Installed — application is installed and may or may not be currently running
• Not Installed — application is not installed
• Running — application is installed and currently running
• Not Running — application is not currently running or is not installed
The rule determines the action to take when the specified application matches the status.
The possible actions are:
• Allow — allow the endpoint to connect.
• Deny — warn or quarantine the endpoint, depending on Endpoint profile settings.
• Monitor — allow the endpoint to connect and include this endpoint’s information in
statistics and logs on the Endpoint Monitor page.
You also choose one of these options as the default action when other unspecified
applications are detected on the endpoint. If you select Deny, endpoints can have only a
specific set of applications installed and are denied access if any other applications are
installed.

Application sensor rules are based on application signatures provided by FortiGuard
Services. You create your application detection list entries by selecting applications from
FortiGuard-supplied lists of categories, vendors, and application names. To view
application information from FortiGuard services, go to Endpoint > NAC > Application
Database.
An application sensor rule checks applications against the database from the top down
until it finds a match. Specific entries, such as those that list one particular application,
should precede more general entries, such as those that match all applications of a
particular category.
To create an application sensor - web-based manager
1 Go to Endpoint > NAC > Application Sensor and select Create New.
2 Enter a Name and optionally Comments for the application sensor, then select OK.
The options for the sensor are displayed.
3 In Other Applications, select the action to take if an application is detected that does
not have an entry in this sensor.
4 Select whether to Allow, Deny, or simply Monitor the applications not listed in this
sensor.
If you select Deny, endpoints must have only the applications you specify and are
denied access if any other applications are installed.
If you select Allow or Monitor, endpoints can have any application installed, and are
denied access only if they have an application for which you created a specific Deny
rule.
5 Select Create New.
6 Select the software Vendor and then select the specific Application.
If you select an application Category, the Application list is limited to applications in the
selected category. To see all applications for the selected Vendor, leave Category set
to All Categories.
7 Select the Status and Action, depending on the type of rule you are creating:
Application detection rule                          Status         Action
Application must be installed and running           Not Running    Deny
Application must be installed                       Not Installed  Deny
Monitor endpoint with this application running      Running        Monitor
Monitor endpoint with this application installed    Installed      Monitor
Application must not be running                     Running        Deny
Application must not be installed                   Installed      Deny
Application is allowed                              any            Allow
(not required if Other Application is Allow)
8 Select OK.
9 To create additional rules for this sensor, repeat steps 5 through 8.
10 Select OK.
To create an application sensor - CLI
This example creates an application sensor that denies access to endpoints with peer-to-peer file sharing applications installed. All other applications are allowed.

config endpoint-control app-detect rule-list
edit "sensor1"
set other-application-action allow
config entries
edit 1
set application 0
set category 15
set vendor 0
set status installed
set action deny
end
end

Viewing the application database
You can view the application list provided by FortiGuard Services. Go to Endpoint > NAC >
Application Database.
Figure 244: Endpoint NAC Predefined application list

The list contains the following information. You can select the name of any column to sort
the data by that field. You can also create filters on each column.
Application Database page
Lists all the applications that are provided by FortiGuard Services.
Category: The type of application. Example: Document Viewers
Name: The name of the application.
Vendor: The vendor that the application is associated with. For example, Adobe Reader is
associated with the vendor Adobe Systems Incorporated.
ID: Unique application ID.
Group: Another categorization of the applications. Groups are not used in application
sensor rules.
Page controls: Shows the current page number in the list. Select the left and right arrows
to display the first, previous, next or last page of known endpoints.
[Total Signatures: <number>]: The total number of application signatures currently in the
database.
Column Settings: Select the columns to display in the list. You can also determine the
order in which they appear.
Clear All Filters: Clear any column display filters you might have applied.

Configuring Endpoint profiles
An Endpoint profile contains FortiClient enforcement settings and can specify an
application detection list. Firewall policies can apply an Endpoint profile to the traffic they
handle.
To create an endpoint profile
1 Go to Endpoint > NAC > Profile and select Create New.
Figure 245: Creating Endpoint NAC profiles

2 Enter a Name for the profile.
3 Choose what to do when users do not have the required version of FortiClient Endpoint
Security installed:
• Notify Hosts to Install FortiClient (Warn only)
• Quarantine Hosts to User Portal (Enforce compliance)
4 Optionally enable Additional Client Options and any of the following options:
• Anti-virus Enabled — the FortiClient antivirus feature must be enabled
• Anti-virus Up-to-date — the FortiClient antivirus signatures must be up-to-date
• Firewall enabled — the FortiClient firewall must not be set to Pass All
5 Optionally, Enable Application Detection and select the Application Detection List.
Endpoints will be allowed or blocked based on the selected application sensor.
6 Select OK.
To configure the endpoint profile - CLI
In the CLI only, there is an option require-license that requires the user’s copy of
FortiClient Endpoint Security to be licensed. In this example, the license is not required.

config endpoint-control profile
edit "our_profile"
set application-detection enable
set application-detection-rule-list "sensor1"
set feature-enforcement enable
set recommendation-disclaimer disable
set require-av disable
set require-firewall enable
set require-license disable
set require-webfilter disable
end

Enabling Endpoint NAC in firewall policies
Endpoint NAC is applied to any traffic where the controlling firewall policy has Endpoint
NAC enabled. The selected Endpoint NAC profile determines the conditions that govern
network access.
You can also enable Endpoint NAC in identity-based firewall policies. Users must
authenticate and their computers must meet the requirements of the Endpoint NAC profile.
To enable Endpoint NAC - web-based manager
1 Go to Firewall > Policy > Policy and edit the firewall policy where you want to enable
Endpoint NAC.
2 Select Enable Endpoint NAC and select the Endpoint NAC profile.
Figure 246: Enabling Endpoint NAC in a firewall policy

3 Select OK.
To configure the firewall policy - CLI
In this example, the LAN connects to Port 2 and the Internet is connected to Port 1. An
Endpoint NAC profile is applied.
config firewall policy
edit 0
set srcintf port2
set dstintf port1
set srcaddr LANusers
set dstaddr all
set action accept
set schedule "always"
set service "ANY"
set nat enable
set endpoint-check enable
set endpoint-profile "our_profile"
end
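A policy with endpoint-check enable is only as good as the profile it names, and the profile is only as good as the application sensor it names; FortiOS resolves those references at commit time, but a reviewer reading config exported as text has nothing to catch a stale name. The Python below is an added example, not from the FortiOS Handbook or any Fortinet tool: a small parser for the config/edit/set/next/end structure used by the CLI blocks in this chapter (an end that follows set without next closes the open entry, exactly as the handbook's blocks do), followed by a lint pass over firewall policies that enable Endpoint NAC. The sample text is constructed from this page's own profile, sensor and policy blocks, and the lint rules are this example's assumptions about what to verify.

```python
"""Parse FortiOS CLI config fragments and lint Endpoint NAC policy references.

Added example, not from the FortiOS Handbook or any Fortinet tool. The parser
covers the config/edit/set/next/end grammar as it appears in the handbook's
examples; the lint rules are assumptions about what to check before commit.
"""
import shlex
from typing import Any, Dict, List, Tuple

# Constructed from the handbook's own profile, sensor and policy blocks.
SAMPLE_CONFIG = """\
config endpoint-control app-detect rule-list
    edit "sensor1"
        set other-application-action allow
    end
config endpoint-control profile
    edit "our_profile"
        set application-detection enable
        set application-detection-rule-list "sensor1"
        set feature-enforcement enable
        set require-firewall enable
    end
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr LANusers
        set dstaddr all
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set endpoint-check enable
        set endpoint-profile "our_profile"
    end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """Nested dicts: table name -> entry key -> {attribute: [values]}.
    A table without 'edit' (e.g. 'config endpoint-control settings') holds attributes directly."""
    root: Dict[str, Any] = {}
    stack: List[Tuple[Dict[str, Any], str]] = [(root, "entry")]   # (container, kind)
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)   # honours "quoted names"
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        current, kind = stack[-1]
        if keyword == "config":
            stack.append((current.setdefault(" ".join(args), {}), "table"))
        elif keyword == "edit":
            if kind != "table":
                raise ValueError(f"line {lineno}: 'edit' outside a config table")
            stack.append((current.setdefault(" ".join(args), {}), "entry"))
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword == "next":
            if kind != "entry" or len(stack) < 3:
                raise ValueError(f"line {lineno}: 'next' without an open entry")
            stack.pop()
        elif keyword == "end":
            if kind == "entry" and len(stack) > 2:   # 'end' right after 'set' implies 'next'
                stack.pop()
            if len(stack) < 2 or stack[-1][1] != "table":
                raise ValueError(f"line {lineno}: 'end' without matching 'config'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def lint_endpoint_policies(cfg: Dict[str, Any]) -> List[str]:
    """Dangling profile or sensor references in policies that enable Endpoint NAC."""
    problems: List[str] = []
    profiles = cfg.get("endpoint-control profile", {})
    sensors = set(cfg.get("endpoint-control app-detect rule-list", {}))
    for key, policy in cfg.get("firewall policy", {}).items():
        if policy.get("endpoint-check", ["disable"])[0] != "enable":
            continue
        profile = policy.get("endpoint-profile", [""])[0]
        if not profile:
            problems.append(f"policy {key}: endpoint-check enabled but no endpoint-profile set")
            continue
        if profile not in profiles:
            problems.append(f"policy {key}: endpoint-profile {profile!r} is not defined")
            continue
        prof = profiles[profile]
        if prof.get("application-detection", ["disable"])[0] == "enable":
            sensor = prof.get("application-detection-rule-list", [""])[0]
            if sensor not in sensors:
                problems.append(f"profile {profile!r}: application sensor {sensor!r} is not defined")
    return problems


if __name__ == "__main__":
    print(lint_endpoint_policies(parse_fortios(SAMPLE_CONFIG)) or "no problems")
```

The parser returns plain dictionaries, so the same pass can be pointed at a full show full-configuration export; the `edit 0` key survives as the string "0", which is what the handbook's policy block uses to mean "next free ID".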

Monitoring endpoints
To view the list of known endpoints, go to Endpoint > Monitor > Endpoint Monitor. You can
view compliant or non-compliant endpoints. By default, both are shown. An endpoint is
added to the list when it uses a firewall policy that has Endpoint NAC enabled.
Once an endpoint is added to the list, it remains there until the FortiGate unit restarts.
Every time an endpoint accesses (or attempts to access) network services through the
FortiGate unit the entry for the endpoint is updated.
The endpoints list can provide an inventory of the endpoints on your network. Entries for
endpoints not running the FortiClient application include the IP address, last update time,
and traffic volume/attempts. The “non-compliant” status indicates the endpoint is not
running the FortiClient application.
Entries for endpoints running the FortiClient application show much more information,
depending on what is available for the FortiClient application to gather. Detailed
information you can view includes endpoint hardware (CPU and model name) and the
software running on the endpoints. You can adjust column settings and filters to display
this information in many different forms.
From the endpoints list, you can view information for each endpoint, temporarily exempt
blocked endpoints, and restore exempted end points to their blocked state.
Figure 247: Endpoint Monitor (showing one endpoint without FortiClient software installed)
[Figure: the Endpoint Monitor list with its Refresh, View, Exempt Temporarily and Restore to Blocked State controls, and status markers for Non-Compliant and Non-Compliant But Temporarily Exempted endpoints]
Viewing details about the endpoint
Select the View icon to see more detailed information about the endpoint.
Figure 248: Viewing details about an endpoint

Modifying Endpoint NAC replacement pages
The FortiGate unit sends one of the following HTML pages to non-compliant users who
attempt to use a firewall policy in which Endpoint NAC is enabled:
• Endpoint NAC Download Portal — The FortiGate unit sends this page if the Endpoint
NAC profile has the Quarantine Hosts to User Portal (Enforce compliance) option
selected. The user can download the FortiClient Endpoint Security application installer.
If you modify this replacement message, be sure to retain the %%LINK%% tag which
provides the download URL for the FortiClient installer.
• Endpoint NAC Recommendation Portal — The FortiGate unit sends this page if the
Endpoint NAC profile has the Notify Hosts to Install FortiClient (Warn only) option
selected. The user can either download the FortiClient Endpoint Security application
installer or select the Continue to link to access their desired destination. If you modify
this replacement message, be sure to retain both the %%LINK%% tag which provides
the download URL for the FortiClient installer and the %%DST_ADDR%% link that
contains the URL that the user requested.
To modify these messages in the web-based manager, go to System > Config >
Replacement Message. Expand Endpoint NAC and select the Edit icon of the message
that you want to modify.
You can also modify these messages in the CLI.
• Download portal:
config system replacemsg ec endpt-download-portal
• Recommendation portal:
config system replacemsg ec endpt-recommendation-portal

Example
The Example company has the following requirements for employee computers:
• must run FortiClient Endpoint Security version 4.1.3 with firewall enabled
• must have OpenOffice 3.1 installed
• cannot have any peer-to-peer file sharing applications installed
• must not have any games running
• all other applications are allowed
Anti-virus will be applied to all endpoint traffic.

Configuring FortiClient download source and required version
FortiGuard Services will provide the FortiClient installer.
To configure FortiClient requirements - web-based manager
1 Go to Endpoint > NAC > FortiClient.
2 Check that FortiGuard Availability shows a green checkmark icon.
If you see a red ‘X’ icon, check your FortiGuard configuration.
3 Under FortiGuard Installer Download Location, select FortiGuard Distribution Network.
4 Select Enforce Minimum Version and then select 4.1.3 from the list.
5 Select Apply.
To configure FortiClient requirements - CLI
config endpoint-control settings
set download-location fortiguard
set version-check minimum
set enforce-minimum-version enable
set version 4.1.3
set compliance-timeout 5
end

Configuring an application sensor
Create sensors for OpenOffice, P2P applications, and games.
To configure the application sensor - web-based manager
1 Go to Endpoint > NAC > Application Sensor.
2 Select Create New, enter a Name for the sensor, and then select OK.
3 In Other Applications (not specified below), select Allow.
4 Select Create New, enter the following information, and then select OK:
This creates a rule requiring OpenOffice 3.1.
Category: Leave as All Categories
Vendor: OpenOffice.org
Application: OpenOffice.org 3.1
Status: Not Installed
Action: Deny

5 Select Create New, enter the following information, and then select OK:
This creates a rule denying users with P2P applications installed.
Category: P2P File Sharing
Vendor: Leave as All Vendors
Application: Leave as All Applications
Status: Installed
Action: Deny

6 Select Create New, enter the following information, and then select OK:
This creates a rule denying users with games applications running.
Category: Games
Vendor: Leave as All Vendors
Application: Leave as All Applications
Status: Running
Action: Deny

7 Optionally enter a descriptive Comment.
8 Select OK.
To configure the application sensor - CLI
The three application detection entries are entered in the same order as for the web-based
manager, above. To find the numeric codes, type ? after the keyword. For example, set vendor ?
lists the vendor codes.
config endpoint-control app-detect rule-list
edit "apprules1"
set other-application-action allow
config entries
edit 1
set application 1141
set category 0
set vendor 64
set status not-installed
set action deny
next
edit 2
set application 0
set category 15
set vendor 0
set status installed
set action deny
next
edit 3
set application 0
set category 20
set vendor 0
set status running
set action deny
end
end
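The sensor above is evaluated top down, the first entry that matches decides, and the Other Applications action applies only when nothing matched; the handbook's ordering advice (specific entries before general ones) follows directly from that. The Python below is an added example, not from the FortiOS Handbook or FortiClient, that models this evaluation for the Example company's three rules (OpenOffice.org 3.1 required, P2P File Sharing denied when installed, Games denied when running, other applications allowed) and adds a small ordering lint. The App, Rule and Endpoint records, the sample applications, and the exact firing semantics of a wildcard entry (fires on any covered application in that state; a negative status fires when no covered application is in that state) are this example's assumptions. Status values follow the handbook's definitions, so Not Running also matches an application that is not installed.

```python
"""Application sensor evaluation: first matching entry wins, then the default action.

Added example, not from the FortiOS Handbook or FortiClient. Rules are the Example
company's; records, sample apps and wildcard semantics are this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class App:
    name: str
    vendor: str
    category: str


@dataclass(frozen=True)
class Rule:
    status: str                        # installed | not-installed | running | not-running | any
    action: str                        # allow | deny | monitor
    category: Optional[str] = None     # None means "All Categories"
    vendor: Optional[str] = None       # None means "All Vendors"
    application: Optional[str] = None  # None means "All Applications"

    def selects(self, app: App) -> bool:
        """Does this entry's category/vendor/application filter cover `app`?"""
        return ((self.category is None or self.category == app.category)
                and (self.vendor is None or self.vendor == app.vendor)
                and (self.application is None or self.application == app.name))

    def specificity(self) -> int:
        return sum(x is not None for x in (self.category, self.vendor, self.application))


@dataclass
class Endpoint:
    installed: Set[App]
    running: Set[App]   # subset of installed, as reported by the client


def rule_fires(rule: Rule, ep: Endpoint) -> bool:
    """Assumption: positive statuses fire on any covered app in that state,
    negative statuses fire when no covered app is in that state."""
    inst = {a for a in ep.installed if rule.selects(a)}
    run = {a for a in ep.running if rule.selects(a)}
    table = {"installed": bool(inst), "running": bool(run),
             "not-installed": not inst, "not-running": not run,
             "any": bool(inst)}
    if rule.status not in table:
        raise ValueError(f"unknown status {rule.status!r}")
    return table[rule.status]


def evaluate(rules: List[Rule], other_action: str, ep: Endpoint) -> Tuple[str, Optional[int]]:
    """Top down: the first entry that fires decides; otherwise `other_action` applies.
    Returns (action, index of the deciding entry or None)."""
    for i, rule in enumerate(rules):
        if rule_fires(rule, ep):
            return rule.action, i
    return other_action, None


def lint_order(rules: List[Rule]) -> List[str]:
    """Flag a general entry placed above a more specific entry it would shadow."""
    warnings: List[str] = []
    for i, general in enumerate(rules):
        for j in range(i + 1, len(rules)):
            specific = rules[j]
            overlaps = all(g is None or g == s for g, s in
                           ((general.category, specific.category),
                            (general.vendor, specific.vendor),
                            (general.application, specific.application)))
            if overlaps and general.specificity() < specific.specificity():
                warnings.append(f"rule {i} is more general than rule {j} and precedes it")
    return warnings


# The Example company's sensor (apprules1); other-application-action is allow.
OPENOFFICE = App("OpenOffice.org 3.1", "OpenOffice.org", "Office Suites")   # category constructed
APPRULES1 = [
    Rule("not-installed", "deny", vendor="OpenOffice.org", application="OpenOffice.org 3.1"),
    Rule("installed", "deny", category="P2P File Sharing"),
    Rule("running", "deny", category="Games"),
]

if __name__ == "__main__":
    browser = App("Firefox", "Mozilla", "Web Browsers")          # constructed sample apps
    torrent = App("uTorrent", "BitTorrent Inc.", "P2P File Sharing")
    ok = Endpoint({OPENOFFICE, browser}, {browser})
    bad = Endpoint({OPENOFFICE, browser, torrent}, {browser})
    print("compliant endpoint:", evaluate(APPRULES1, "allow", ok))
    print("P2P installed:", evaluate(APPRULES1, "allow", bad))
    print("ordering warnings:", lint_order(APPRULES1) or "none")
```

Switching the default to deny turns the same sensor into an allow-list, as step 4 of the web-based procedure describes: the compliant endpoint above is then denied because Firefox has no entry.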

Configuring an endpoint profile
Configure user quarantine, require users to have firewall protection, and apply the
application detection list you created earlier.
To configure the endpoint profile - web-based manager
1 Go to Endpoint > NAC > Profile and select Create New.
2 Enter a Name for the profile.
3 Select Quarantine Hosts to User Portal (Enforce compliance).
4 Enable Additional Client Options, then enable Firewall Enabled.
5 Select Enable Application Detection and then select the Application Detection List that
you configured earlier.
6 Select OK.
To configure the endpoint profile - CLI
config endpoint-control profile
edit "our_profile"
set application-detection enable
set application-detection-rule-list "apprules1"
set feature-enforcement enable
set recommendation-disclaimer disable
set require-av disable
set require-firewall enable
set require-license disable
set require-webfilter disable
end

Configuring the firewall policy
The firewall policy enables access to the Internet, but requires hosts to meet the Endpoint
NAC requirements configured in the Endpoint NAC profile that you configured earlier.
To configure the firewall policy - web-based manager
1 Go to Firewall Policy and select Create New.
2 Enter the following information and select OK:
Source Interface/Zone: Select the interface which connects to the LAN.
Source Address: Select the LAN address range.
Destination Interface/Zone: Select the interface which connects to the Internet.
Destination Address: All
Schedule: as required
Service: ANY
Action: ACCEPT
NAT: Enable NAT
Enable Endpoint NAC: Select the Endpoint NAC profile that you configured earlier.

To configure the firewall policy - CLI
In this example, the LAN connects to Port 2 and the Internet is connected to Port 1.
config firewall policy
edit 0
set srcintf port2
set dstintf port1
set srcaddr LANusers
set dstaddr all
set action accept
set schedule "always"
set service "ANY"
set nat enable
set endpoint-check enable
set endpoint-profile "our_profile"
end

Network Vulnerability Scan
The Network Vulnerability Scan helps you to protect your network assets (servers and
workstations) by scanning them for security weaknesses. You can scan on-demand or on
a scheduled basis. Results are viewable on the FortiGate unit, but results are also sent to
an attached FortiAnalyzer unit. The FortiAnalyzer unit can collect the results of
vulnerability scans from multiple FortiGate units at different locations on your network,
compiling a comprehensive report about network security.
This section describes how to configure a single FortiGate unit for network scanning and
how to view the results of the scan.
Note: Some of the web-based manager configuration described in this document is not
available in the initial release of FortiOS v4.0 MR2. Use the CLI commands instead.

The following topics are included in this section:
• Overview
• Selecting assets to scan
• Configuring scans
• Viewing scan results

Overview
Network vulnerability scanning has three main parts:
• Select the assets to scan
• Schedule scans or initiate them manually
• View the scan results

Selecting assets to scan
An asset is a server or workstation computer on your network. You can specify assets
individually, but it is easier to use the network vulnerability scan feature’s asset discovery
function. The discovery function searches a specified IP address range and populates the
asset list. You then select the assets to include in network vulnerability scans.
Asset discovery scans the following ports:
• TCP: 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445
• UDP: 53, 111, 135, 137, 161, 500

Discovering assets
The simplest way to build the Asset list is to perform a discovery scan on the range of IP
addresses where your network assets are installed.
To discover assets - web-based manager
1 Go to Endpoint > Network Vulnerability Scan > Asset and select Create New.

2 Enter a Name for this scan.
3 In Type, select Range and then enter the IP address Range to scan.
4 In Scan Type, select Asset Discovery Only.
5 Select OK.
This creates an entry in the Asset list.
6 Select the Enable check box for the asset that you just created and then select
Discover Assets.
Above the table header, on the top right, the status of the current scan is shown.
Depending on the number of computers to be discovered, the scan can take several
minutes, until the web-based manager reports “Scan completed.” The number of
assets discovered is listed to the left of the Discover Assets button.
7 Select Assets Found and then select Import.
The discovered assets are added to the Asset list. By default, all are enabled for
scanning.
8 Unless you want to discover assets on every scan, clear the Enable check box for this
Asset discovery only asset.
You might want to add authentication credentials to some of your assets. To edit an entry
in the Asset list, select its check box (at the left side of the list) and then select Edit. For
more information about individual asset settings, see “Adding assets manually”, below.
To discover assets - CLI
This example discovers assets in the range 10.11.101.10 to 10.11.101.200.
1 First configure the asset range to scan:
config netscan assets
edit 0
set name "office_discovery"
set addr-type range
set start-ip 10.11.101.10
set end-ip 10.11.101.200
set mode discovery
set status enable
end
2 Execute the discovery scan:
execute netscan start discover
3 Check the status of the discovery scan:
execute netscan status
Repeat periodically until status is “scan complete”.
4 Optionally, view a list of the discovered assets:
execute netscan list
5 Add the discovered assets to the asset list:
execute netscan import

Adding assets manually
There is no need to perform a discovery scan if you know the IP address of the computer
that you want to scan, or you know that you want to scan all of the computers in a
particular IP address range.
If you create an asset with an IP address range, any authentication credentials you enter
apply to all devices in the range, and the FortiGate unit presents them to every host in
that range that answers. If this is not appropriate, create individual entries for each
computer instead.
To add an asset - web-based manager
1 Go to Endpoint > Network Vulnerability Scan > Asset and select Create New.
2 Enter the following information and select OK:
Name                    Enter a name for this asset.
Type                    Select Host to configure a single IP address.
                        Select Range to configure a range of IP addresses to scan.
IP Address              Enter the IP address of the asset. (Type is Host.)
Range                   Enter the start and end of the IP address range. (Type is Range.)
Scan Type               Select Vulnerability Scan.
Windows Authentication  Select to use authentication on a Windows operating system.
                        Enter the username and password in the fields provided.
Unix Authentication     Select to use authentication on a Unix operating system.
                        Enter the username and password in the fields provided.

To add an asset - CLI
This example adds a single computer to the Asset list:
config netscan assets
edit 0
set name "server1"
set addr-type ip
set start-ip 10.11.101.20
set mode scan
set auth-windows enable
set win-username admin
set win-password zxcvbnm
set status enable
end
This example adds an address range to the Asset list. Authentication is not used:
config netscan assets
edit 0
set name "fileservers"
set addr-type range
set start-ip 10.11.101.160
set end-ip 10.11.101.170
set mode scan
set status enable
end

Configuring scans
You can configure regular network scans on a daily, weekly, or monthly basis. There are
three scan modes. Full scan checks every TCP and UDP port and takes the most time.
Standard scan checks the ports used by most known applications. Quick scan checks only
the most commonly used ports. For a detailed list of the TCP and UDP ports examined by
each scan mode, see Table 109 on page 1688. Also, the get netscan settings CLI
command lists the TCP and UDP ports scanned in the current scan mode. See the
tcp-ports and udp-ports fields.
You can also initiate the configured scan manually.
Table 109: Ports scanned in each scan mode

Standard Scan
TCP: 1-3, 5, 7, 9, 11, 13, 15, 17-25, 27, 29, 31, 33, 35, 37-39, 41-223, 242-246, 256-265,
280-282, 309, 311, 318, 322-325, 344-351, 363, 369-581, 587, 592-593, 598, 600,
606-620, 624, 627, 631, 633-637, 666-674, 700, 704-705, 707, 709-711, 729-731, 740-742,
744, 747-754, 758-765, 767, 769-777, 780-783, 786, 799-801, 860, 873, 886-888,
900-901, 911, 950, 954-955, 990-993, 995-1001, 1008, 1010-1011, 1015, 1023-1100,
1109-1112, 1114, 1123, 1155, 1167, 1170, 1207, 1212, 1214, 1220-1222, 1234-1236,
1241, 1243, 1245, 1248, 1269, 1313-1314, 1337, 1344-1625, 1636-1774, 1776-1815,
1818-1824, 1901-1909, 1911-1920, 1944-1951, 1973, 1981, 1985-2028, 2030, 2032-2036,
2038, 2040-2049, 2053, 2065, 2067, 2080, 2097, 2100, 2102-2107, 2109, 2111,
2115, 2120, 2140, 2160-2161, 2201-2202, 2213, 2221-2223, 2232-2239, 2241, 2260,
2279-2288, 2297, 2301, 2307, 2334, 2339, 2345, 2381, 2389, 2391, 2393-2394, 2399,
2401, 2433, 2447, 2500-2501, 2532, 2544, 2564-2565, 2583, 2592, 2600-2605, 2626-2627,
2638-2639, 2690, 2700, 2716, 2766, 2784-2789, 2801, 2908-2912, 2953-2954,
2998, 3000-3002, 3006-3007, 3010-3011, 3020, 3047-3049, 3080, 3127-3128, 3141-3145,
3180-3181, 3205, 3232, 3260, 3264, 3267-3269, 3279, 3306, 3322-3325, 3333,
3340, 3351-3352, 3355, 3372, 3389, 3421, 3454-3457, 3689-3690, 3700, 3791, 3900,
3984-3986, 4000-4002, 4008-4009, 4080, 4092, 4100, 4103, 4105, 4107, 4132-4134,
4144, 4242, 4321, 4333, 4343, 4443-4454, 4500-4501, 4567, 4590, 4626, 4651, 4660-4663,
4672, 4899, 4903, 4950, 5000-5005, 5009-5011, 5020-5021, 5031, 5050, 5053,
5080, 5100-5101, 5145, 5150, 5190-5193, 5222, 5236, 5300-5305, 5321, 5400-5402,
5432, 5510, 5520-5521, 5530, 5540, 5550, 5554-5558, 5569, 5599-5601, 5631-5632,
5634, 5678-5679, 5713-5717, 5729, 5742, 5745, 5755, 5757, 5766-5767, 5800-5802,
5900-5902, 5977-5979, 5997-6053, 6080, 6103, 6110-6112, 6123, 6129, 6141-6149,
6253, 6346, 6387, 6389, 6400, 6455-6456, 6499-6500, 6515, 6558, 6588, 6660-6670,
6672-6673, 6699, 6767, 6771, 6776, 6831, 6883, 6912, 6939, 6969-6970, 7000-7021,
7070, 7080, 7099-7100, 7121, 7161, 7174, 7200-7201, 7300-7301, 7306-7308, 7395,
7426-7431, 7491, 7511, 7777-7778, 7781, 7789, 7895, 7938, 7999-8020, 8023, 8032,
8039, 8080-8082, 8090, 8100, 8181, 8192, 8200, 8383, 8403, 8443, 8450, 8484, 8732,
8765, 8886-8894, 8910, 9000-9001, 9005, 9043, 9080, 9090, 9098-9100, 9400, 9443,
9535, 9872-9876, 9878, 9889, 9989-10000, 10005, 10007, 10080-10082, 10101, 10520,
10607, 10666, 11000, 11004, 11223, 12076, 12223, 12345-12346, 12361-12362, 12456,
12468-12469, 12631, 12701, 12753, 13000, 13333, 14237-14238, 15858, 16384,
16660, 16959, 16969, 17007, 17300, 18000, 18181-18186, 18190-18192, 18194,
18209-18210, 18231-18232, 18264, 19541, 20000-20001, 20011, 20034, 20200, 20203,
20331, 21544, 21554, 21845-21849, 22222, 22273, 22289, 22305, 22321, 22555,
22800, 22951, 23456, 23476-23477, 25000-25009, 25252, 25793, 25867, 26000,
26208, 26274, 27000-27009, 27374, 27665, 29369, 29891, 30029, 30100-30102,
30129, 30303, 30999, 31336-31337, 31339, 31554, 31666, 31785, 31787-31788,
32000, 32768-32790, 33333, 33567-33568, 33911, 34324, 37651, 40412, 40421-40423,
42424, 44337, 47557, 47806, 47808, 49400, 50505, 50766, 51102, 51107, 51112,
53001, 54321, 57341, 60008, 61439, 61466, 65000, 65301, 65512
UDP: 7, 9, 13, 17, 19, 21, 37, 53, 67-69, 98, 111, 121, 123, 135, 137-138, 161, 177, 371,
389, 407, 445, 456, 464, 500, 512, 514, 517-518, 520, 555, 635, 666, 858, 1001, 1010-1011,
1015, 1024-1049, 1051-1055, 1170, 1243, 1245, 1434, 1492, 1600, 1604, 1645,
1701, 1807, 1812, 1900, 1978, 1981, 1999, 2001-2002, 2023, 2049, 2115, 2140, 2801,
3024, 3129, 3150, 3283, 3527, 3700, 3801, 4000, 4092, 4156, 4569, 4590, 4781, 5000-5001,
5036, 5060, 5321, 5400-5402, 5503, 5569, 5632, 5742, 6073, 6502, 6670, 6771,
6912, 6969, 7000, 7300-7301, 7306-7308, 7778, 7789, 7938, 9872-9875, 9989, 10067,
10167, 11000, 11223, 12223, 12345-12346, 12361-12362, 15253, 15345, 16969, 20001,
20034, 21544, 22222, 23456, 26274, 27444, 30029, 31335, 31337-31339, 31666,
31785, 31789, 31791-31792, 32771, 33333, 34324, 40412, 40421-40423, 40426,
47262, 50505, 50766, 51100-51101, 51109, 53001, 61466, 65000

Full Scan
All TCP and UDP ports (1-65535)

Quick Scan
TCP: 11, 13, 15, 17, 19-23, 25, 37, 42, 53, 66, 69-70, 79-81, 88, 98, 109-111, 113, 118-119,
123, 135, 139, 143, 220, 256-259, 264, 371, 389, 411, 443, 445, 464-465, 512-515,
523-524, 540, 548, 554, 563, 580, 593, 636, 749-751, 873, 900-901, 990, 992-993, 995,
1080, 1114, 1214, 1234, 1352, 1433, 1494, 1508, 1521, 1720, 1723, 1755, 1801, 2000-2001,
2003, 2049, 2301, 2401, 2447, 2690, 2766, 3128, 3268-3269, 3306, 3372, 3389,
4100, 4443-4444, 4661-4662, 5000, 5432, 5555-5556, 5631-5632, 5634, 5800-5802,
5900-5901, 6000, 6112, 6346, 6387, 6666-6667, 6699, 7007, 7100, 7161, 7777-7778,
8000-8001, 8010, 8080-8081, 8100, 8888, 8910, 9100, 10000, 12345-12346, 20034,
21554, 32000, 32768-32790
UDP: 7, 13, 17, 19, 37, 53, 67-69, 111, 123, 135, 137, 161, 177, 407, 464, 500, 517-518,
520, 1434, 1645, 1701, 1812, 2049, 3527, 4569, 4665, 5036, 5060, 5632, 6502, 7778,
15345
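Whether a scan can report on a service depends first on whether the mode's port list contains the port that service listens on: the Quick scan list above has no 8443 or 9443, for example, so a web server's management interface on those ports produces no findings in Quick mode but is probed in Standard mode. The following Python script is an added example, not part of the handbook or of FortiOS. It parses the range notation used in Table 109 and in the tcp-ports and udp-ports fields of get netscan settings, and lists the listening ports of a host that a chosen mode never probes. The Quick scan and asset discovery lists are transcribed from this section; the sample host and its listening ports are constructed for illustration, and the Standard list can be pasted in the same way.

```python
"""Report which listening ports a FortiOS network vulnerability scan mode would skip.

Added example, not Fortinet code. QUICK_* and DISCOVERY_* are transcribed from
this handbook section (Table 109, Quick scan; asset discovery ports). The
Standard list can be pasted from the table or from `get netscan settings`.
"""
from __future__ import annotations

import re

QUICK_TCP = (
    "11, 13, 15, 17, 19-23, 25, 37, 42, 53, 66, 69-70, 79-81, 88, 98, 109-111, 113, "
    "118-119, 123, 135, 139, 143, 220, 256-259, 264, 371, 389, 411, 443, 445, 464-465, "
    "512-515, 523-524, 540, 548, 554, 563, 580, 593, 636, 749-751, 873, 900-901, 990, "
    "992-993, 995, 1080, 1114, 1214, 1234, 1352, 1433, 1494, 1508, 1521, 1720, 1723, 1755, "
    "1801, 2000-2001, 2003, 2049, 2301, 2401, 2447, 2690, 2766, 3128, 3268-3269, 3306, "
    "3372, 3389, 4100, 4443-4444, 4661-4662, 5000, 5432, 5555-5556, 5631-5632, 5634, "
    "5800-5802, 5900-5901, 6000, 6112, 6346, 6387, 6666-6667, 6699, 7007, 7100, 7161, "
    "7777-7778, 8000-8001, 8010, 8080-8081, 8100, 8888, 8910, 9100, 10000, 12345-12346, "
    "20034, 21554, 32000, 32768-32790"
)
QUICK_UDP = (
    "7, 13, 17, 19, 37, 53, 67-69, 111, 123, 135, 137, 161, 177, 407, 464, 500, 517-518, "
    "520, 1434, 1645, 1701, 1812, 2049, 3527, 4569, 4665, 5036, 5060, 5632, 6502, 7778, 15345"
)
DISCOVERY_TCP = "21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445"
DISCOVERY_UDP = "53, 111, 135, 137, 161, 500"

# One item of the notation: a single port or an inclusive "low-high" range.
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_ports(spec: str) -> set[int]:
    """Expand '21-23, 25, 80' into {21, 22, 23, 25, 80}; reject malformed items."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def skipped_ports(listening: dict[str, set[int]],
                  mode: dict[str, set[int]]) -> dict[str, set[int]]:
    """Listening ports, per protocol, that the given scan mode never probes."""
    return {proto: listening.get(proto, set()) - mode.get(proto, set())
            for proto in ("tcp", "udp")}


QUICK = {"tcp": parse_ports(QUICK_TCP), "udp": parse_ports(QUICK_UDP)}
DISCOVERY = {"tcp": parse_ports(DISCOVERY_TCP), "udp": parse_ports(DISCOVERY_UDP)}

# Constructed sample: a DMZ web host with admin UIs on 8443/9443 and SNMP on UDP 161.
SAMPLE_HOST = {"tcp": {22, 80, 443, 8443, 9443}, "udp": {161}}

if __name__ == "__main__":
    for name, mode in (("discovery", DISCOVERY), ("quick", QUICK)):
        gaps = skipped_ports(SAMPLE_HOST, mode)
        print(f"{name}: not probed -> tcp {sorted(gaps['tcp'])}, udp {sorted(gaps['udp'])}")
```

Run it before choosing a scan mode: if the ports you care about show up as not probed, use Standard or Full, or accept that the scan cannot see those services.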

To configure scanning - web-based manager
1 Go to Endpoint > Network Vulnerability Scan > Scan.
2 Enter the following information and select Apply.
Scan Mode     Quick — check only the most commonly used ports
              Standard — check the ports used by most known applications
              Full — check all TCP and UDP ports
              For a detailed list of the TCP and UDP ports examined by each scan mode,
              see Table 109 on page 1688.
Schedule      Manually – perform scan on request only
              Schedule – use the following fields to configure a schedule
Recurrence    Select Daily, Weekly, or Monthly. If you select Weekly, the Day of Week
              drop-down list appears. If you select Monthly, the Day of Month drop-down
              list appears.
Time          Select the time of day to start the scan, in the format HH:MM.
Day of Week   For a weekly scan, select the day of the week.
Day of Month  For a monthly scan, select the day of the month.

To configure scanning - CLI
To configure, for example, a standard scan to be performed every Sunday at 2:00am, you
would enter:
config netscan settings
set scan-mode standard
set schedule enable
set time 02:00
set recurrence weekly
set day-of-week sunday
end
To perform a vulnerability scan manually - web-based manager
1 Go to Endpoint & gt; Network Vulnerability Scan & gt; Asset.
2 Select the Enable check box for each asset you want to scan.
3 Select Start Scan.
Above the table header, on the top right, the status of the current scan is shown.
Depending on the number of assets to be scanned and the scan mode, the scan can take
several minutes, until the web-based manager reports “Scan completed.”

To perform a vulnerability scan manually - CLI
You must have at least one enabled asset configured with mode set to scan.
1 Start the vulnerability scan:
execute netscan start scan
2 Check the status of the scan:
execute netscan status
Repeat periodically until status is “scan complete”.

Viewing scan results
The results of network scanning are available as summary graphs and log entries.

Viewing scan logs
To view network scan logs, go to Log & Report > Log Access > Network Scan.
Figure 249: Network scan logs

Select any log entry to view log details.

Figure 250: Network scan log details

Viewing Executive Summary graphs
To view summary graphs, go to Log & Report > Report Access > Executive Summary. You
might need to add the following widgets to the page to view the summaries you require.
Table 110: Executive summary widgets for network scan
Chart                                       Widget name
Vulnerabilities by Category                 vulner-by-category-last24h
Vulnerabilities by Severity                 vulner-by-severity-last24h
Top Vulnerable Operating Systems Detected   top-vulner-os-last24h
Top Vulnerable Services Detected            top-vulner-service-last24h
Top Vulnerable TCP Services Detected        top-vulner-tcp-service-last24h
Top Vulnerable UDP Services Detected        top-vulner-udp-service-last24h

Creating reports
You can use the FortiGate unit’s Log & Report features to generate reports on the results of
network vulnerability scanning.
To create a report of scanning results
1 Go to Log & Report > Report Config > Layout and select Create New.
2 Enter a Name for the report.
3 Optionally select a Report Theme.
4 Enter a Title to appear on the report.

5 Choose each Option and Output Format that you require.
6 If you want to have the report generated on a regular basis, create a Schedule.
7 Select the Report Components.
The components are listed in order below the Report Components heading. For a
network vulnerability scan report, you will need to select Chart components from the
Vulnerability category. The following vulnerability charts are available:
Table 111: Vulnerability chart components for network scan reports
Chart                                       Component name
Vulnerabilities by Category                 vulner-by-category-last24h
Vulnerabilities by Severity                 vulner-by-severity-last24h
Top Vulnerable Operating Systems Detected   top-vulner-os-last24h
Top Vulnerable Services Detected            top-vulner-service-last24h
Top Vulnerable TCP Services Detected        top-vulner-tcp-service-last24h
Top Vulnerable UDP Services Detected        top-vulner-udp-service-last24h

8 Optionally select other components, such as headings and text.
9 Select OK.
The report will be generated at the scheduled time.
To generate a report manually
1 Go to Log & Report > Report Config > Layout.
2 Select the required report.
3 Select Run.

Viewing reports
Go to Log & Report > Report Access > Disk to view generated reports.
Figure 251: List of reports

If HTML output was enabled, you can select the Report File name to view the report in a
separate browser window.
If PDF output was enabled, you can select the link in the Other Formats column to view
the report.

Chapter 14 Traffic Shaping
This FortiOS Handbook Chapter contains the following sections:
• The purpose of traffic shaping - describes traffic shaping theories and quality of service.
• Traffic shaping methods - describes the different methods of applying traffic shaping within FortiOS, and how to use TOS and Differentiated Services.
• Examples - provides some basic examples for the application of shapers.
• Troubleshooting - provides diagnose commands to use to troubleshoot traffic shapers to see if they are working correctly.

The purpose of traffic shaping
Traffic shaping, or traffic management, once included in a firewall policy, controls the
bandwidth available and sets the priority of traffic processed by the policy to control the
volume of traffic for a specific period (bandwidth throttling) or rate the traffic is sent (rate
limiting).
Traffic shaping attempts to normalize traffic peaks and bursts to prioritize certain flows
over others. But there is a physical limitation to the amount of data which can be buffered
and to the length of time. Once these thresholds have been surpassed, frames and
packets will be dropped, and sessions will be affected in other ways. For example,
incorrect traffic shaping configurations may actually further degrade certain network flows,
since the excessive discarding of packets can create additional overhead at the upper
layers that may be attempting to recover from these errors.
A basic traffic shaping approach is to prioritize certain traffic flows over other traffic whose
potential discarding is less advantageous. This would mean that you accept sacrificing
certain performance and stability on low-priority traffic, to increase or guarantee
performance and stability to high-priority traffic.
If, for example, you are applying bandwidth limitations to certain flows, you must accept
the fact that these sessions can be limited and therefore negatively impacted.
Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic
shaping is not effective during periods when traffic exceeds the capacity of the FortiGate
unit. Because packets must be received by the FortiGate unit before they are subject to
traffic shaping, if the FortiGate unit cannot process all of the traffic it receives, then
dropped packets, delays, and latency are likely to occur.
To ensure that traffic shaping is working at its best, make sure that the interface ethernet
statistics show no errors, collisions or buffer overruns.
Accelerated interfaces (NP2, NP4, CE) affect traffic shaping. For more information, see
“Hardware Acceleration” on page 2147.
This chapter contains the following sections:
• Quality of Service
• Traffic policing
• Bandwidth guarantee, limit, and priority interactions
• Important considerations

Quality of Service
Quality of service (QoS) is the capability of the network to adjust some quality aspects for
selected flows within your overall network traffic, and may include such techniques as
priority-based queueing and traffic policing. Because bandwidth is finite and because
some types of traffic are slow, jitter or packet loss sensitive, bandwidth intensive, or
operation critical, QoS can be a useful tool for optimizing the performance of the various
applications on your network.
Before implementing QoS, organizations should first identify the types of traffic that are
important to the organization, the types of traffic that use high amounts of bandwidth, and
the types of traffic that are sensitive to latency or packet loss.

For example, a company might want to guarantee sufficient bandwidth for revenue
producing e-commerce traffic. They need to ensure that transactions can be completed
and that clients do not experience service delays and interruptions. At the same time, the
company may need to ensure low latency for voice over IP (VoIP) traffic used by sales and
customer support, while traffic latency and bursts may be less critical to the success of
other network applications such as long term, resumable file transfers. Many
organizations discover that QoS is especially important for managing their voice and
streaming multi-media traffic. These types of traffic can rapidly consume bandwidth and
are sensitive to latency.
Discovering the needs and relative importance of each traffic type on your network will
help you to design an appropriate overall approach, including how you will configure each
available QoS component technique. Some organizations discover that they only need
configure bandwidth limits for some services. Other organizations determine that they
need to fully configure interface and firewall policy bandwidth limits for all services, and
prioritize queueing of critical services relative to traffic rate.
You can implement QoS on FortiGate units for services including H.323, TCP, UDP, ICMP,
and ESP, using the following techniques:
Traffic policing  Drops packets that do not conform to bandwidth limitations.
Traffic shaping   Helps to ensure that the traffic may consume bandwidth at least at the
                  guaranteed rate by assigning a greater priority queue if the guarantee is
                  not being met. Also ensures that the traffic cannot consume bandwidth
                  greater than the maximum at any given instant in time. Flows greater than
                  the maximum rate are subject to traffic policing.
Queuing           Transmits packets in order of their assigned priority queue for that
                  physical interface. All traffic in a higher priority traffic queue must be
                  completely transmitted before traffic in lower priority queues will be
                  transmitted.

When deciding how to configure QoS techniques, it can be helpful to know when FortiGate
units employ each technique in the overall traffic processing flow, and the considerations
that arise from those mechanisms.

Traffic policing
As traffic arrives (ingress) and departs (egress) on an interface, the FortiGate unit begins
to process the traffic. In later phases of the network processing, such as enforcing
maximum bandwidth use on sessions handled by a firewall policy, if the current rate for the
destination interface or traffic regulated by that firewall policy is too high, the FortiGate unit
may be required to drop the packet. As a result, time spent on prior processing, such as
web filtering, decryption or IPS, can be wasted on some packets that are not ultimately
forwarded. This applies to VLAN interfaces as well as to physical interfaces.
You can prevent this wasted effort on ingress by configuring the FortiGate unit to
preemptively drop excess packets when they are received at the source interface, before
most other traffic processing is performed:
config system interface
edit <interface_name>
set inbandwidth <rate_int>
next
end
where <rate_int> is the bandwidth limit in KB/s. Excess packets will be dropped. If
inbandwidth is 0, the rate is not limited.

A similar command is available that can be performed on egress as well using the CLI
commands:
config system interface
edit <interface_name>
set outbandwidth <rate_int>
next
end
As with ingress, setting the rate to 0 (zero) sets the rate to unlimited.
Rate limiting the traffic accepted by an interface restricts incoming traffic to a rate that,
while below the full capacity of the interface, is more likely to produce acceptable rates
of outgoing traffic at the traffic shaping point, whether per destination interface or across
all firewall policies. This conserves FortiGate processing resources for packets that are
more likely to remain viable all the way to egress.
Excessive traffic policing can degrade network performance rather than improve it. For
details on factors you may want to consider when configuring traffic policing, see
“Important considerations” on page 1702.

Bandwidth guarantee, limit, and priority interactions
After packet acceptance, the FortiGate unit classifies traffic and may apply traffic policing
at additional points during processing. It may also apply additional QoS techniques, such
as prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing
to enforce bandwidth limits, and priority queue adjustment to assist packets in achieving
the guaranteed rate.
If you have configured prioritization, the FortiGate unit prioritizes egressing packets by
distributing them among FIFO (first in, first out) queues associated with each possible
priority number. Each physical interface has six priority queues. Virtual interfaces do not
have their own queues, and instead use the priority queues of the physical interface to
which they are bound.
Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest
priority queue. However, for the reasons described below, you may observe that your
traffic uses only a subset of those six queues. Some traffic may always use a certain
queue number. Some queueing may vary by the packet rate or mixture of services. Some
queue numbers may be used only by through traffic for which you have configured traffic
shaping in the firewall policy that applies to that traffic session. For example:


• Administrative access traffic will always use queue 0.
• Traffic matching firewall policies without traffic shaping may use queue 0, queue 1, or
queue 2. Which queue is used depends on the priority value you have configured for
packets with that ToS (type of service) byte value, if you have configured ToS-based
priorities.
• Traffic matching firewall policies with traffic shaping may use any queue. Which queue
is used depends on whether the packet rate is currently below the guaranteed bandwidth
(queue 0) or above it (queue 1 to 5, depending on the sum of the firewall policy’s Traffic
Priority value and the priority that matches the ToS byte). Packets at rates greater than
the maximum bandwidth limit are dropped.

Prioritization and traffic shaping behavior varies by your configuration, the service types
and traffic volumes, and by whether the traffic is through traffic, or the traffic originates
from or terminates at the FortiGate unit itself.

FortiGate traffic
For traffic types originating on or terminating at the FortiGate unit, such as administrative
access to the FortiGate through HTTPS or SSH, or IPSec tunnel negotiations, firewall
policies do not apply, and therefore FortiGate units do not apply traffic shaping. Such
traffic also uses the highest priority queue, queue 0. In other words:
packet priority = 0
Exceptions to this rule include traffic types that, while technically originated by the
FortiGate unit, are connections related to a session governed by a firewall policy. For
example, if you have enabled scanning by FortiGuard Antivirus, traffic from the sender
technically terminates at the FortiGate proxy that scans that traffic type; the FortiGate unit
initiates a second connection that transmits scanned content to its destination. Because
the second connection’s traffic is technically originating from the FortiGate proxy and
therefore the FortiGate unit itself, it uses the highest priority queue, queue 0. However, this
connection is logically associated with through traffic, and is therefore subject to possible
bandwidth enforcement and guarantees in its governing firewall policy. In this way, it
behaves partly like other through traffic.

Through traffic
For traffic passing through the FortiGate unit, the method used to determine the priority
queue depends on whether you have enabled Traffic Shaping in the firewall policy. The
queue may or may not be derived, directly or indirectly, from the type of service (ToS) byte
in the packet’s IP header (the same byte that differentiated services redefines).
If Traffic Shaping is not enabled in the firewall policy, the FortiGate unit neither limits nor
guarantees bandwidth, and traffic for that session uses the priority queue determined
directly by matching the ToS byte in its header with your configured values:
config system global
set tos-based-priority {high | low | medium}
end
or, if you have configured a priority specifically for that TOS byte value:
config system tos-based-priority
edit <id_int>
set tos [0-15]
set priority {high | low | medium}
next
end
where tos is the value of the ToS byte in the packet’s IP header, and high has a priority
value of 0 and low is 2. Priority values configured in the second location will override the
global ToS-based priority. In other words:
packet priority = ToS-based priority
For example, you might specify that packets with a ToS byte value of 2 should use queue
0, the highest priority queue:
config system tos-based-priority
edit 15
set tos 2
set priority high
next
end

If Traffic Shaping is enabled in the firewall policy using shared traffic shapers, the
FortiGate unit may instead or also subject packets to traffic policing, or priority queue
increase in an effort to meet bandwidth guarantees configured in the shaper:
config firewall shaper traffic-shaper
edit <shaper_name>
...
set priority {high | medium | low}
set maximum-bandwidth <rate_int>
set guaranteed-bandwidth <rate_int>
end
where high has a priority value of 1 and low is 3, and <rate_int> is the bandwidth limit in
KB/s.
Figure 252: Traffic queueing as packet rate increases


• If the current packet rate is less than Guaranteed Bandwidth, packets use priority
queue 0. In other words:
packet priority = 0
• If the current packet rate is greater than Guaranteed Bandwidth but less than
Maximum Bandwidth, the FortiGate unit assigns a priority queue by adding the
numerical value of the firewall policy-based priority, where High is 1 and Low is 3, to
the numerical value of the ToS-based priority, where high is 0 and low is 2. Because
the two values are added, depending on your configured ToS-based priorities, packets
in this category can use queues from queue 1 to queue 5. In other words:
packet priority = ToS-based priority + firewall policy-based priority
For example, if you have enabled Traffic Shaping in the firewall policy, the firewall
policy’s Traffic Priority is Low (value 3), and the priority normally applied to packets with
that ToS byte is medium (value 1), then packets have a total packet priority of 4 and
use priority queue 4.
• If the current packet rate exceeds Maximum Bandwidth, excess packets are dropped.

Calculation and regulation of packet rates
Packet rates specified for Maximum Bandwidth or Guaranteed Bandwidth are:
rate = amount / time
where rate is expressed in kilobytes per second (KB/s).
Burst size at any given instant cannot exceed the amount configured in Maximum
Bandwidth. Packets in excess are dropped. Packets deduct from the amount of bandwidth
available to subsequent packets and available bandwidth regenerates at a fixed rate. As a
result, bandwidth available to a given packet may be less than the configured rate, down
to a minimum of 0 KB/s.
Rate calculation and behavior can alternatively be described using the token bucket
metaphor, where:


• a traffic flow has an associated bucket, which represents the bound on burst size and
whose capacity is your configured bandwidth limit
• the bucket receives tokens, which represent available bandwidth, at the fixed
configured rate
• as time passes, tokens are added to the bucket, up to the capacity of the bucket;
excess tokens are discarded
• when a packet arrives, it must deduct bandwidth tokens from the bucket equal to its
packet size in order to egress
• a packet cannot egress if there are insufficient tokens to pay for its egress; these
nonconforming packets are dropped

Bursts are not redistributed over a longer interval, so bursts are propagated rather than
smoothed, although their peak size is limited.
Maximum burst size is the capacity of the bucket (the configured bandwidth limit); actual
size varies by the current number of tokens in the bucket, which may be less than bucket
capacity, due to deductions from previous packets and the fixed rate at which tokens
accumulate. A depleted bucket refills at the rate of your configured bandwidth limit. Bursts
cannot borrow tokens from other time intervals. This behavior is illustrated in Figure 253
on page 1701.

Figure 253: Bursts and bandwidth limits over time

By limiting traffic peaks and token regeneration in this way, the available bandwidth at a
given moment may be less than bucket capacity, but your limit on the total amount per
time interval is ensured. That is, total bandwidth use during each interval of 1 second is at
most the integral of your configured rate.
You may observe that external clients, such as FTP or BitTorrent clients, initially report
rates between Maximum Bandwidth and twice that of Maximum Bandwidth, depending on
the size of their initial burst. This is notably so when a connection is initiated following a
period of no network activity. The apparent discrepancy in rates is caused by a difference
of perspective when delimiting time intervals. A burst from the client may initially consume
all tokens in the bucket, and before the end of 1 second, as the bucket regenerates, be
allowed to consume almost another bucket’s worth of bandwidth. From the perspective of
the client, this constitutes one time interval. From the perspective of the FortiGate unit,
however, the bucket cannot accumulate tokens while full; therefore, the time interval for
token regeneration begins after the initial burst, and does not contain the burst. These
different points of reference result in an initial discrepancy equal to the size of the burst —
the client’s rate contains it, but the FortiGate unit’s rate does not. If the connection is
sustained to its limit and time progresses over an increasing number of intervals, however,
this discrepancy decreases in importance relative to the bandwidth total, and the client’s
reported rate will eventually approach that of the FortiGate unit’s configured rate limit.
For example, your Maximum Bandwidth might be 50 KB/s and there has been no network
activity for one or more seconds. The bucket is full. A burst from an FTP client immediately
consumes 50 KB. Because the bucket completely regenerates over 1 second, by the time
almost another 1 second has elapsed from the initial burst, traffic can consume another
49.999 KB, for a total of 99.999 KB between the two points in time. From the vantage point
of an external FTP client regulated by this bandwidth limit, it therefore initially appears that
the bandwidth limit is 99.999 KB/s, almost twice the configured limit of 50 KB/s. However,
bucket capacity only regenerates at your configured rate of 50 KB/s, and so the
connection can only consume a maximum of 50 KB during each second thereafter. The
result is that as bandwidth consumption is averaged over an increasing number of time
intervals, each of which is limited to 50 KB/s, the effect of the first interval’s doubled
bandwidth diminishes proportionately, and the client’s reported rate eventually
approaches your configured rate limit. This effect is illustrated in Table 112 on page 1702.
Table 112: Effects of a 50 KB/s limit on client reported rates
Total size transferred (KB)   Time (s)   Rate reported by client (KB/s)
99.999 (50 + 49.999)          1          99.999
149.999                       2          74.999
199.999                       3          66.666
249.999                       4          62.499
299.999                       5          59.998
349.999                       6          58.333
...                           ...        ...
Guaranteed Bandwidth can also be described using a token bucket metaphor. However,
because this feature attempts to achieve or exceed a rate rather than limit it, the FortiGate
unit does not discard non-conforming packets, as it does for Maximum Bandwidth;
instead, when the flow does not achieve the rate, the FortiGate unit increases the packets’
priority queue, in an effort to increase the rate.
Guaranteed and maximum bandwidth rates apply to the bidirectional total for all sessions
controlled by the firewall policy. For example, an FTP connection may entail two separate
connections for the data and control portion of the session; some packets may be reply
traffic rather than initiating traffic. All packets for both connections are counted when
calculating the packet rate for comparison with the guaranteed and maximum bandwidth
rate.
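The token-bucket behaviour described above, including the client-side rate discrepancy of Table 112, as an added Python simulation (not code from the handbook or from Fortinet). It models Maximum Bandwidth as an integer byte bucket whose capacity and refill rate are both the configured limit, runs in millisecond ticks, and reports what a greedy client measures from its own first burst. Because the ticks are 1 ms, the refill inside the first second is 49.95 KB rather than the page's 49.999 KB, so the reported rates come out slightly lower than Table 112 but follow the same curve toward the 50 KB/s that the FortiGate unit actually regenerates. The class and function names, and the packet trace in the usage section, are this example's own.

```python
# Added example (not from the FortiOS Handbook): token-bucket model of a
# Maximum Bandwidth limit. All arithmetic is in integer bytes and milliseconds so
# the results are exact and reproducible.

class TokenBucket:
    """Bucket capacity and refill rate are both the configured limit (KB/s)."""

    def __init__(self, limit_kb_per_s: int) -> None:
        self.capacity = limit_kb_per_s * 1000   # bucket size in bytes = burst bound
        self.rate_per_ms = limit_kb_per_s       # bytes regenerated per millisecond
        self.tokens = self.capacity             # idle link: the bucket starts full
        self.clock_ms = 0

    def advance(self, now_ms: int) -> None:
        """Add tokens for the elapsed time; tokens above capacity are discarded."""
        elapsed = now_ms - self.clock_ms
        self.tokens = min(self.capacity, self.tokens + self.rate_per_ms * elapsed)
        self.clock_ms = now_ms

    def try_send(self, now_ms: int, size: int) -> bool:
        """A packet egresses only if the bucket holds at least its size;
        a non-conforming packet is dropped and deducts nothing."""
        self.advance(now_ms)
        if size > self.tokens:
            return False
        self.tokens -= size
        return True


def shape(packets, limit_kb_per_s: int):
    """packets: (arrival_ms, size_bytes) pairs in arrival order.
    Returns True for each packet that egresses, False for each one dropped."""
    bucket = TokenBucket(limit_kb_per_s)
    return [bucket.try_send(ms, size) for ms, size in packets]


def client_reported_rates(limit_kb_per_s: int, seconds: int):
    """A greedy client (FTP-style) takes every available token each millisecond,
    starting from a full bucket, and reports bytes since its first burst divided by
    elapsed time. The FortiGate side only ever regenerates limit_kb_per_s per second."""
    bucket = TokenBucket(limit_kb_per_s)
    sent = 0
    rates_kb_per_s = []
    for ms in range(seconds * 1000):
        bucket.advance(ms)
        burst = bucket.tokens            # the client consumes everything available
        if burst and bucket.try_send(ms, burst):
            sent += burst
        if (ms + 1) % 1000 == 0:         # end of each 1-second interval, client's view
            rates_kb_per_s.append(sent / ((ms + 1) / 1000) / 1000)
    return rates_kb_per_s


if __name__ == "__main__":
    # Constructed packet trace against a 50 KB/s limit: two back-to-back 30 KB
    # packets on an idle link; the second exceeds the 20 KB left in the bucket.
    print(shape([(0, 30000), (0, 30000), (500, 40000), (600, 10000)], 50))
    for second, rate in enumerate(client_reported_rates(50, 6), start=1):
        print(f"after {second} s the client reports {rate:.3f} KB/s")
```

The trace in the usage section shows the two behaviours the text describes: a burst is bounded by bucket capacity rather than smoothed, and a packet that does not fit is dropped outright rather than queued, so bursts never borrow from a later interval.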

Important considerations
In essence, by implementing QoS, you trade some performance and/or stability from
traffic X by discarding packets or introducing latency in order to improve performance and
stability of traffic Y. The best traffic shaping configuration for your network will
appropriately balance the needs of each traffic flow by considering not only the needs of
your particular organization, but also the resiliency and other characteristics of each
particular service. For example, you may find that web browsing traffic is both more
resistant to interruptions or latency and less business critical than UDP or VoIP traffic, and
so you might implement less restrictive QoS measures on UDP or VoIP traffic than on
HTTP traffic.
An appropriate QoS configuration will also take into account the physical limits of your
network devices, and the interactions of the aforementioned QoS mechanisms, described
in “Bandwidth guarantee, limit, and priority interactions” on page 1697.
You may choose to configure QoS differently based upon the hardware limits of your
network and FortiGate unit. Traffic shaping may be less beneficial in extremely
high-volume situations where traffic exceeds a network interface’s or your FortiGate
model’s overall physical capacity. A FortiGate unit must have sufficient resources, such as
memory and processing power, to process all traffic it receives, and to process it at the
required rate; if it does not have this capacity, then dropped packets and increased latency
are likely to occur. For example, if the total amount of memory available for queueing on a
physical interface is frequently exceeded by your network’s typical packet rates, frames
and packets must be dropped. In such a situation, you might choose to implement QoS
using a higher model FortiGate unit, or to configure an incoming bandwidth limit on each
interface.
Incorrect traffic shaping configurations can actually further degrade certain network flows,
because excessive discarding of packets or increased latency beyond points that can be
gracefully handled by that protocol can create additional overhead at upper layers of the
network, which may be attempting to recover from these errors. For example, a
configuration might be too restrictive on the bandwidth accepted by an interface, and may
therefore drop too many packets, resulting in the inability to complete or maintain a SIP
call.
To optimize traffic shaping performance, first ensure that the network interface’s Ethernet
statistics are clean of errors, collisions, or buffer overruns. To check the interface, enter
the following diagnose command to see the traffic statistics:
diagnose hardware deviceinfo nic <port_name>
If these are not clean, adjust FortiGate unit and settings of routers or other network
devices that are connected to the FortiGate unit. For additional information, see
“Troubleshooting” on page 1725.
Once Ethernet statistics are clean, you may want to use only some of the available
FortiGate QoS techniques, or configure them differently, based upon the nature of
FortiGate QoS mechanisms described in “Bandwidth guarantee, limit, and priority
interactions” on page 1697. Configuration considerations include:
• For maximum bandwidth limits, ensure that bandwidth limits at the source interface
  and/or the firewall policy are not too low, which can cause the FortiGate unit to discard
  an excessive number of packets.
• For prioritization, consider the ratios of how packets are distributed between available
  queues, and which queue is used by which types of services. If you assign most
  packets to the same priority queue, it negates the effects of configuring prioritization. If
  you assign many high bandwidth services to high priority queues, lower priority queues
  may be starved for bandwidth and experience increased or indefinite latency. For
  example, you may want to prioritize a latency-sensitive service such as SIP over a
  bandwidth-intensive service such as FTP. Consider also that bandwidth guarantees
  can affect the queue distribution, assigning packets to queue 0 instead of their typical
  queue in high-volume situations.
• You may or may not want to guarantee bandwidth, because it causes the FortiGate unit
  to assign packets to queue 0 if the guaranteed packet rate is not currently being met.
  Comparing queueing behavior for lower- and higher-bandwidth situations, this would
  mean that effects of prioritization only become visible as traffic volumes rise and
  exceed their guarantees. Because of this, you might want only some services to use
  bandwidth guarantees, to avoid the possibility that in high-volume situations all traffic
  uses the same queue, thereby negating the effects of configuring prioritization.
• For prioritization, configure prioritization for all through traffic. You may want to
  configure prioritization by either ToS-based priority or firewall policy priority, but not
  both. This simplifies analysis and troubleshooting.
  Traffic subject to both firewall policy and ToS-based priorities will use a combined
  priority from both of those parts of the configuration, while traffic subject to only one of
  the prioritization methods will use only that priority. If you configure both methods, or if
  you configure either method for only a subset of your traffic, packets for which a
  combined priority applies will frequently receive a lower priority queue than packets for
  which you have only configured one priority method, or for which you have not
  configured prioritization.
  For example, if ToS-based priority and firewall policy priority both dictate that a
  packet should receive a “medium” priority, in the absence of bandwidth guarantees, a
  packet will use queue 3, while if only ToS-based priority had been configured, the
  packet would have used queue 1, and if only firewall policy-based priority had been
  configured, the packet would have used queue 2. If no prioritization had been
  configured at all, the packet would have used queue 0.

For example alternative QoS implementations that illustrate these considerations, see
“Examples” on page 1717.

Traffic shaping methods
In FortiOS, there are three types of traffic shaping configuration. Each has a specific
function, and all can be used together in varying configurations. Policy shaping enables
you to define the maximum bandwidth and guaranteed bandwidth set for a firewall policy,
while per-IP shaping enables you to define traffic control on a more granular level.
Application traffic shaping goes further, enabling traffic controls on specific applications or
application groupings.
This chapter describes the types of traffic shapers and how to configure them in the
web-based manager and the CLI.
This chapter includes topics on:
• Shared policy shaping
• Per-IP shaping
• Application control shaping
• Shaping order of operations
• Enabling in the firewall policy
• Type of Service priority
• Differentiated Services
• Tos and DSCP mapping

Traffic shaping options
When configuring traffic shaping for your network, there are three different methods to
control the flow of network traffic to ensure that the desired traffic gets through while also
limiting the bandwidth that users use for other less important or bandwidth consuming
traffic. The three shaping options are:
• shared policy shaping - bandwidth management by firewall policies
• per-IP shaping - bandwidth management by user IP addresses
• application control shaping - bandwidth management by application
Shared policy shaping and per-IP shaping are enabled within the firewall policy, while
application control shaping is configured in UTM > Application Control and enabled in the
firewall policy by selecting UTM and selecting the application control profile from the
drop-down list.
For more information on setting up the shapers in a firewall policy, and how the FortiGate
unit triages the different shapers, see “Shaping order of operations” on page 1709.

Shared policy shaping
Traffic shaping by firewall policy enables you to control the maximum and/or guaranteed
throughput for a selected firewall policy or group of policies. When configuring a shaper,
you can select to apply the bandwidth shaping per policy or for all policies. Depending on
your selection, the FortiGate unit will apply the shaping rules differently.

Per policy
When selecting a shaper to be per policy, the FortiGate unit will apply the shaping rules
defined to each firewall policy individually.
For example, the shaper is set to be per policy with a maximum bandwidth of 1000 Kb/s.
There are four firewall policies monitoring traffic through the FortiGate unit. Three of these
have the shaper enabled. Each firewall policy has the same maximum bandwidth of 1000
Kb/s.
Per policy traffic shaping is compatible with client/server (active-passive) transparent
mode WAN optimization rules. Traffic shaping is ignored for peer-to-peer WAN
optimization and for client/server WAN optimization not operating in transparent mode.

All policies
When selecting a shaper to be for all policies - For All Policies Using This Shaper - the
FortiGate unit applies the shaping rules to all policies using the same shaper. For
example, the shaper is set to be for all policies with a maximum bandwidth of 1000 Kb/s.
There are four firewall policies monitoring traffic through the FortiGate unit. All four have
the shaper enabled. The four firewall policies must share the defined 1000 Kb/s, which is
allocated on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the
remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, it is opened up to
the other policies to use as required. Once used, any other policies will encounter latency
until free bandwidth opens from a policy currently in use.

Maximum and guaranteed bandwidth
The maximum bandwidth tells the firewall policy the largest amount of traffic allowed to
use the policy. Depending on the service or the users included in the firewall policy, this
number can provide a larger or smaller throughput depending on the priority you set for
the shaper.
The guaranteed bandwidth ensures there is a consistent reserved bandwidth available for
a given service or user. When setting the guaranteed bandwidth, ensure that the value is
significantly less than the bandwidth capacity of the interface; otherwise no other traffic,
or very little, will pass through the interface, potentially causing unwanted latency.
Note: Setting both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero),
effectively blocks traffic.

Traffic priority
Select a Traffic Priority of high, medium or low, so the FortiGate unit manages the relative
priorities of different types of traffic. For example, a policy for connecting to a secure web
server needed to support e-commerce traffic should be assigned a high traffic priority.
Less important services should be assigned a low priority. The firewall provides bandwidth
to low-priority connections only when bandwidth is not needed for high-priority
connections.
Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic
shaping rule to a policy, the policy is set to high priority by default.
Distribute firewall policies over all three priority queues.

VLAN, VDOM and virtual interfaces
Policy-based traffic shaping does not use queues directly. It shapes the traffic and if the
packet is allowed by the firewall policy, then a priority is assigned. That priority controls
what queue the packet will be put in upon egress. VLANs, VDOMs, aggregate ports and
other virtual devices do not have queues and as such, traffic is sent directly to the
underlying physical device where it is queued and affected by the physical ports.
This is also the case with IPsec connections.

Example
The following steps create a Per Policy traffic shaper called “Throughput” with a
maximum traffic amount of 120,000 KB/s, and a guaranteed traffic of 50,000 KB/s with a
high traffic priority.
To create the shared shaper - web-based manager
1 Go to Firewall > Traffic Shaper > Shared and select Create New.
2 Enter the Name Throughput.
3 Select Per Policy.
4 Select the Maximum Bandwidth check box and enter the value 120000.
5 Select the Guaranteed Bandwidth check box and enter the value 50000.
6 Set the Traffic Priority to High.
7 Select OK.
To create the shared shaper - CLI
config firewall shaper traffic-shaper
    edit Throughput
        set per-policy enable
        set maximum-bandwidth 120000
        set guaranteed-bandwidth 50000
        set priority high
    end

Per-IP shaping
Traffic shaping by IP enables you to apply traffic shaping to all source IP addresses in the
firewall policy. As well as controlling the maximum bandwidth for users of a selected policy,
you can also define the maximum number of concurrent sessions.
Per-IP traffic shaping enables you to limit the behavior of every member of a policy so that
one user cannot consume all the available bandwidth; it is instead shared equally within
the group. Using a per-IP shaper avoids having to create multiple policies for every user to
whom you want to apply a shaper.
Note: Per-IP traffic shaping is not supported over NP2 interfaces.

Example
The following steps create a Per-IP traffic shaper called “Accounting” with a maximum
traffic amount of 120,000 KB/s, and a maximum of 200 concurrent sessions.

To create the per-IP shaper - web-based manager
1 Go to Firewall > Traffic Shaper > Per-IP.
2 Select Create New.
3 Enter the Name Accounting.
4 Select the Maximum Bandwidth check box and enter the value 120000.
5 Select the Maximum Concurrent Sessions check box and enter the value 200.
6 Select OK.
To create the per-IP shaper - CLI
config firewall shaper per-ip-shaper
    edit Accounting
        set max-bandwidth 120000
        set max-concurrent-sessions 200
    end

Application control shaping
Traffic shaping is also possible for specific applications. Through the UTM > Application
Control feature, you can configure a specific application’s maximum bandwidth. When
configuring the application control features, if the application is set to pass, you can set the
traffic shaping options. The shapers available are those set up in the Firewall > Traffic
Shaping menu.

Example
This example sets the traffic shaping definition for Facebook to a medium priority, a default
traffic shaper.
To add traffic shaping for Facebook - web-based manager
1 Go to UTM > Application Control List.
2 Select Create New to create a new application group, and enter the name Web.
3 Select OK.
4 Select Create New.
5 Select Web from the Category drop-down list.
6 Select Facebook from the Application drop-down list.
7 Select Pass for the Action.
8 Select Traffic Shaping and select medium-priority from the drop-down list.
9 Select OK.

To add traffic shaping for Facebook - CLI
config application list
    edit web
        config entries
            edit 1
                set category 12
                set application 15832
                set action pass
                set shaper medium-priority
            end
        end
    end

Shaping order of operations
The FortiGate unit offers three different traffic shaping options, all of which can be enabled
at the same time within the same firewall policy. Generally speaking, the hierarchy for
shapers in FortiOS is:
• Application Control shaper
• Firewall policy shaper
• Per-IP shaper
With this hierarchy, if an application control list has a traffic shaper defined, it will always
have precedence over any other firewall policy shaper. For example, with the example
above creating an application control for Facebook, the shaper defined for Facebook will
supersede any firewall policy enabled traffic shapers. While the Facebook application may
reach its maximum bandwidth, the user can still have the bandwidth room available from
the shared shaper and, if enabled, the per-IP shaper.
Equally, any firewall policy shared shaper will have precedence over any per-IP shaper.
However, traffic that exceeds any of these shapers will be dropped. For example, the
policy shaper will take effect first; however, if the per-IP shaper limit is reached first, then
traffic for that user will be dropped even if the shared shaper limit for the policy has not
been exceeded.
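The shaper hierarchy just described, together with the "Per Policy" versus "For All Policies Using This Shaper" behaviour from the shared policy shaping section, as an added Python model (not code from the handbook or from Fortinet). It simplifies each maximum-bandwidth limit to an amount allowed per one-second window in the page's units, gives the per-IP shaper its own budget and concurrent-session cap per source address, and consults the shapers in the order application control, firewall policy, per-IP, dropping at the first one that would be exceeded and charging none of them for a dropped packet. Class and function names are this example's own; the real FortiOS limit is the token bucket described in the previous chapter rather than a fixed window.

```python
# Added example (not from the FortiOS Handbook): the order in which the three
# shapers are consulted and how "Per Policy" differs from "For All Policies Using
# This Shaper". Bandwidth is simplified to a budget per one-second window in the
# page's units (Kb); any shaper that would be exceeded drops the packet, and a
# dropped packet is charged to none of the shapers.

class BandwidthBudget:
    """Maximum-bandwidth limit as an amount allowed per one-second window."""

    def __init__(self, name: str, limit: int) -> None:
        self.name, self.limit, self.used = name, limit, 0

    def fits(self, size: int) -> bool:
        return self.used + size <= self.limit

    def charge(self, size: int) -> None:
        self.used += size

    def new_window(self) -> None:       # call once per second
        self.used = 0


class PerIPShaper:
    """Per-IP shaper: its own budget and concurrent-session cap for each source IP."""

    def __init__(self, limit: int, max_sessions: int) -> None:
        self.limit, self.max_sessions = limit, max_sessions
        self.budgets = {}    # src ip -> BandwidthBudget
        self.sessions = {}   # src ip -> set of open session ids

    def fits(self, src: str, session: str, size: int) -> bool:
        budget = self.budgets.setdefault(src, BandwidthBudget(f"per-ip {src}", self.limit))
        open_sessions = self.sessions.setdefault(src, set())
        if session not in open_sessions and len(open_sessions) >= self.max_sessions:
            return False     # a new session beyond max-concurrent-sessions
        return budget.fits(size)

    def charge(self, src: str, session: str, size: int) -> None:
        self.budgets[src].charge(size)
        self.sessions[src].add(session)


def policy_shapers(limit: int, per_policy: bool, policy_ids):
    """'Per Policy' gives each policy its own budget; 'For All Policies Using This
    Shaper' makes every policy share one budget object, first come first served."""
    if per_policy:
        return {pid: BandwidthBudget(f"policy {pid}", limit) for pid in policy_ids}
    shared = BandwidthBudget("shared", limit)
    return {pid: shared for pid in policy_ids}


def admit(pkt: dict, app_shaper, policy_shaper, per_ip_shaper) -> str:
    """Consult the shapers in FortiOS order: application control, then firewall
    policy, then per-IP. The first shaper that would be exceeded drops the packet."""
    size = pkt["size"]
    if app_shaper is not None and not app_shaper.fits(size):
        return "dropped by application shaper"
    if policy_shaper is not None and not policy_shaper.fits(size):
        return "dropped by policy shaper"
    if per_ip_shaper is not None and not per_ip_shaper.fits(pkt["src"], pkt["session"], size):
        return "dropped by per-IP shaper"
    for shaper in (app_shaper, policy_shaper):
        if shaper is not None:
            shaper.charge(size)
    if per_ip_shaper is not None:
        per_ip_shaper.charge(pkt["src"], pkt["session"], size)
    return "accepted"


def shared_vs_per_policy() -> dict:
    """The page's scenario: a 1000 Kb/s shaper on four policies, policy 1 using 800 Kb/s,
    then a 300 Kb/s packet through policy 2. Only the shared shaper drops it."""
    outcome = {}
    for mode in ("shared", "per-policy"):
        shapers = policy_shapers(1000, mode == "per-policy", [1, 2, 3, 4])
        admit({"src": "10.0.0.1", "session": "a", "size": 800}, None, shapers[1], None)
        outcome[mode] = admit({"src": "10.0.0.2", "session": "b", "size": 300},
                              None, shapers[2], None)
    return outcome


if __name__ == "__main__":
    print(shared_vs_per_policy())   # shared drops the 300, per-policy accepts it
```

The point of the two-phase `fits`/`charge` split is the sentence about the per-IP limit being reached first: a packet that the per-IP shaper rejects must not eat into the policy shaper's budget, otherwise one user's overrun would silently shrink what the other users of the policy can send.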

Enabling in the firewall policy
All traffic shapers are enabled within a firewall policy, including the Application Control
shapers. As such, the shapers are in effect after any DoS sensor policies, and before any
routing or packet scanning occurs.
To enable traffic shaping - web-based manager
1 Go to Firewall > Policy.
2 Select Create New or select an existing policy and select Edit.
3 Select Traffic Shaping.
4 Select the shaping option and select the shaper from the drop-down list.
5 Select OK.

To enable traffic shaping - CLI
config firewall policy
    edit <policy_number>
        ...
        set traffic-shaper <shaper_name>
    end

Reverse direction traffic shaping
The shaper you select for the policy (shared shaper) will affect the traffic in the direction
defined in the policy. For example, if the source port is port 1 and the destination is port 3,
the shaping affects the flow in this direction only. By selecting Reverse Direction Traffic
Shaping, you can define the traffic shaper for the policy in the opposite direction. In this
example, from port 3 to port 1.

Application control shaper
Application control shapers are in effect within the application control profile. Within the
firewall policy options, select UTM then Application Control and select the application from
the list.

Type of Service priority
Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how
the IP datagram should be delivered, as described in RFC 791, using criteria of delay,
priority, reliability, and minimum cost. Each quality helps gateways determine the best way
to route datagrams. A router maintains a TOS value for each route in its routing table. The
lowest priority TOS is 0, the highest is 7 when bits 3, 4, and 5 are all set to 1. There are 4
other bits that are seldom used or reserved that are not included here. Together these bits
are the tos variable of the tos-based-priority command. The router tries to match
the TOS of the datagram to the TOS on one of the possible routes to the destination. If
there is no match, the datagram is sent over a zero TOS route. Using increased quality
may increase the cost of delivery because better performance may consume limited
network resources.
Table 113: The role of each bit in the IP header TOS 8-bit field
bits 0, 1, 2  Precedence    Some networks treat high precedence traffic as more
                            important traffic. Precedence should only be used within a
                            network, and can be used differently in each network.
                            Typically you do not care about these bits.
bit 3         Delay         When set to 1, this bit indicates low delay is a priority. This is
                            useful for such services as VoIP where delays degrade the
                            quality of the sound.
bit 4         Throughput    When set to 1, this bit indicates high throughput is a priority.
                            This is useful for services that require lots of bandwidth such
                            as video conferencing.
bit 5         Reliability   When set to 1, this bit indicates high reliability is a priority. This
                            is useful when a service must always be available such as
                            with DNS servers.
bit 6         Cost          When set to 1, this bit indicates low cost is a priority. Generally
                            there is a higher delivery cost associated with enabling bits
                            3, 4, or 5, and bit 6 indicates to use the lowest cost route.
bit 7         Reserved for  Not used at this time.
              future use

The TOS value is set in the CLI using the commands:
config system tos-based-priority
    edit <name>
        set tos <ip_tos_value>
        set priority [high | medium | low]
    end
Where tos is the value of the type of service byte in the IP datagram header, between 0
and 15, and priority is the priority of this type of service. These priority levels conform to
the firewall traffic shaping priorities. For a list of ToS values and their DSCP equivalents,
see “Tos and DSCP mapping” on page 1716.

Example
config system tos-based-priority
    edit 1
        set tos 1
        set priority low
    next
    edit 4
        set tos 4
        set priority medium
    next
    edit 6
        set tos 6
        set priority high
    next
end

TOS in FortiOS
Traffic shaping and TOS follow this sequence:
1 The CLI command tos-based-priority acts as a TOS-to-priority mapping.
FortiOS maps the TOS to a priority when it receives a packet.
2 Traffic shaping settings adjust the packet’s priority according to the traffic.
3 The packet is delivered based on its priority.

Differentiated Services
Differentiated Services describes a set of end-to-end Quality of Service (QoS) capabilities.
End-to-end QoS is the ability of a network to deliver service required by specific network
traffic from one end of the network to another. By configuring differentiated services, you
configure your network to deliver particular levels of service for different packets based on
the QoS specified by each packet.
Differentiated Services (also called DiffServ) is defined by RFC 2474 and 2475 as
enhancements to IP networking to enable scalable service discrimination in the IP network
without the need for per-flow state and signaling at every hop. Routers that can
understand differentiated services sort IP traffic into classes by inspecting the DS field in
IPv4 header or the Traffic Class field in the IPv6 header.

You can use the FortiGate Differentiated Services feature to change the DSCP
(Differentiated Services Code Point) value for all packets accepted by a policy. The
network can use these DSCP values to classify, mark, shape, and police traffic, and to
perform intelligent queuing. DSCP features are applied to traffic by configuring the routers
on your network to apply different service levels to packets depending on the DSCP value
of the packet.
If the differentiated services feature is not enabled, the FortiGate unit treats traffic as if the
DSCP value is set to the default (00), and will not change IP packets' DSCP field. DSCP
values are also not applied to traffic if the traffic originates from a FortiGate unit itself.
The FortiGate unit applies the DSCP value to the differentiated services (formerly TOS)
field in the first word of the IP header. The typical first word of an IP header, with the
default DSCP value, is 4500:
• 4 for IPv4
• 5 for a length of five words
• 00 for the default DSCP value

You can change the packet's DSCP field for traffic initiating a session (forward) or for reply
traffic (reverse); each direction is enabled separately and configured in the firewall policy.
Note: Changes to DSCP values in a firewall policy affect new sessions. If traffic
must use the new DSCP values immediately, clear all existing sessions.
DSCP is enabled using the CLI command:
config firewall policy
    edit <policy_number>
        ...
        set diffserv-forward enable
        set diffservcode-forward <binary_integer>
        set diffserv-reverse enable
        set diffservcode-rev <binary_integer>
    end
For more information on the different DSCP commands, see the examples below and the
CLI Reference.
Note: If you only set diffserv-forward and diffserv-reverse without setting the
corresponding diffservcode values, the FortiGate unit will reset the bits to zero.

For a list of DSCP values and their ToS equivalents see “Tos and DSCP mapping” on
page 1716.

DSCP examples
For all the following DSCP examples, the FortiGate and client PC configuration is the
following diagram.
[Figure: User 1 connects to Port 6 of FortiGate A; Port 3 of FortiGate A connects to
WAN2 of FortiGate B; the Internal interface of FortiGate B connects to User 2.]

Example
In this example, an ICMP ping is executed between User 1 and FortiGate B, through a
FortiGate unit. DSCP is disabled on FortiGate B, and FortiGate A contains the following
configuration:
config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffservcode-forward 101110
    end
As a result, FortiGate A changes the DSCP field for outgoing traffic, but not for its reply
traffic. The binary DSCP values used map to the following hexadecimal TOS field values,
which are observable by a sniffer (also known as a packet tracer):
• DSCP 000000 is TOS field 0x00
• DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited
  forwarding (EF)
If you performed an ICMP ping between User 1 and User 2, the following output illustrates
the IP headers for the request and the reply by sniffers on each of the FortiGate units’
network interfaces. The right-most two digits of each IP header are the TOS field, which
contains the DSCP value.
          User 1   Port 6   Port 3   WAN2   Internal   User 2
Request   4500     4500     45b8     45b8   45b8       45b8
Reply     4500     4500     4500     4500   4500       4500
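The DSCP and TOS values in these examples, as an added Python example (not code from the handbook or from Fortinet): it converts a DSCP value to the TOS byte that the sniffer shows, decodes the RFC 791 bit roles of Table 113 from that byte, and rewrites the DSCP bits of a constructed IPv4 header while recomputing the header checksum, which is what a marking device such as FortiGate A has to do on egress. Function names and the 192.0.2.x / 198.51.100.x addresses are this example's own.

```python
# Added example (not from the FortiOS Handbook): the DSCP <-> TOS-byte relationship
# behind the 0xb8 / 0xbc / 0xb4 values above, the RFC 791 bit roles of Table 113, and
# what rewriting the field (as diffservcode-forward does) means for a raw IPv4 header.
import ipaddress
import struct


def dscp_to_tos(dscp: int) -> int:
    """DSCP is the top six bits of the TOS byte, so TOS = DSCP << 2 (e.g. 101110 -> 0xb8)."""
    if not 0 <= dscp <= 0b111111:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    return (tos & 0xFF) >> 2


def decode_tos(tos: int) -> dict:
    """RFC 791 reading of the TOS byte (bit 0 is the most significant bit, as in Table 113)."""
    return {
        "precedence": tos >> 5,           # bits 0-2
        "delay": bool(tos & 0x10),        # bit 3
        "throughput": bool(tos & 0x08),   # bit 4
        "reliability": bool(tos & 0x04),  # bit 5
        "cost": bool(tos & 0x02),         # bit 6
        "dscp": tos >> 2,                 # the same bits read as DiffServ
    }


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit header words; 0 for a valid header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, tos: int = 0, proto: int = 1,
                      payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (IHL 5, no options) with a valid checksum.
    proto 1 is ICMP, matching the page's ping examples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header[:10] + ipv4_checksum(header).to_bytes(2, "big") + header[12:]


def set_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite only the six DSCP bits (the two ECN bits are preserved) and recompute
    the checksum, which any device that marks DSCP must do."""
    new = bytearray(header)
    new[1] = dscp_to_tos(dscp) | (header[1] & 0x03)
    new[10:12] = b"\x00\x00"
    new[10:12] = ipv4_checksum(bytes(new)).to_bytes(2, "big")
    return bytes(new)


def first_word(header: bytes) -> str:
    """The '4500' / '45b8' a sniffer shows: version 4, IHL 5, then the TOS byte."""
    return header[:2].hex()


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not from the handbook.
    request = build_ipv4_header("192.0.2.10", "198.51.100.20")
    marked = set_dscp(request, 0b101110)   # EF, as in diffservcode-forward 101110
    print(first_word(request), "->", first_word(marked), decode_tos(marked[1]))
```

Running the usage section prints `4500 -> 45b8`, the same transition the sniffer columns above show between Port 6 and Port 3, and the decoded byte shows why EF reads as precedence 5 with the delay and throughput bits set under the older RFC 791 interpretation.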

Example
In this example, an ICMP ping is executed between User 1 and FortiGate B, through
FortiGate A. DSCP is disabled on FortiGate B, and FortiGate A contains the following
configuration:
config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-rev enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
    end

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply
traffic. The binary DSCP values map to the following hexadecimal TOS field values,
which are observable by a sniffer (also known as a packet tracer):
• DSCP 000000 is TOS field 0x00
• DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited
  forwarding (EF)
• DSCP 101111 is TOS field 0xbc
If you performed an ICMP ping between User 1 and User 2, the output below illustrates
the IP headers observed for the request and the reply by sniffers on each of FortiGate A's
and FortiGate B's network interfaces. The right-most two digits of each IP header are the
TOS field, which contains the DSCP value.
          User 1   Port 6   Port 3   WAN2   Internal   User 2
Request   4500     4500     45b8     45b8   45b8       45b8
Reply     45bc     45bc     4500     4500   4500       4500

Example
In this example, an ICMP ping is executed between User 1 and FortiGate B, through
FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only
for reply traffic on FortiGate B. FortiGate A contains the following configuration:
config firewall policy
edit 2
set srcintf port6
set dstintf port3
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set diffserv-forward enable
set diffserv-rev enable
set diffservcode-forward 101110
set diffservcode-rev 101111
end
FortiGate B contains the following configuration:
config firewall policy
edit 2
set srcintf wan2
set dstintf internal
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set diffserv-rev enable
set diffservcode-rev 101101
end
As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply
traffic, and FortiGate B changes the DSCP field only for reply traffic. The binary DSCP
values in this configuration map to the following hexadecimal TOS field values:




• DSCP 000000 is TOS field 0x00
• DSCP 101101 is TOS field 0xb4
• DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
• DSCP 101111 is TOS field 0xbc
If you performed an ICMP ping between User 1 and User 2, the output below illustrates
the IP headers observed for the request and the reply by sniffers on each of FortiGate A's
and FortiGate B's network interfaces. The right-most two digits of each IP header are the
TOS field, which contains the DSCP value.
[Figure: first IP header word observed by the sniffers between User 1 and User 2 for the request and the reply: 4500, 4500, 45b8, 45b8, 45b8, 45b8, 45bc, 45bc, 45b4, 45b4, 4500, 4500]

Example
In this example, HTTPS and DNS traffic is sent from User 1 to FortiGate B, through
FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only
for reply traffic on FortiGate B. FortiGate A contains the following configuration:
config firewall policy
edit 2
set srcintf port6
set dstintf port3
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set diffserv-forward enable
set diffserv-rev enable
set diffservcode-forward 101110
set diffservcode-rev 101111
end
FortiGate B contains the following configuration:
config firewall policy
edit 2
set srcintf wan2
set dstintf internal
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set diffserv-rev enable
set diffservcode-rev 101101
end
As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply
traffic, but FortiGate B changes the DSCP field only for reply traffic which passes through
its internal interface. Since the example traffic does not pass through the internal interface,
FortiGate B does not mark the packets. The binary DSCP values in this configuration map
to the following hexadecimal TOS field values:



• DSCP 000000 is TOS field 0x00
• DSCP 101101 is TOS field 0xb4, which is configured on FortiGate B but not observed
by the sniffer because the example traffic originates from the FortiGate unit itself, and
therefore does not match that firewall policy.
• DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
• DSCP 101111 is TOS field 0xbc
If you sent HTTPS or DNS traffic from User 1 to FortiGate B, the following would illustrate
the IP headers observed for the request and the reply by sniffers on each of FortiGate A's
and FortiGate B's network interfaces. The right-most two digits of each IP header are the
TOS field, which contains the DSCP value.
[Figure: first IP header word observed by the sniffers between User 1 and FortiGate B for the request and the reply: 4500, 4500, 45b8, 45b8, 45bc, 45bc, 4500, 4500]

ToS and DSCP mapping
The table below lists the mapping of DSCP and ToS hexadecimal values for each service
class for QoS.
Table 114: ToS to DSCP mappings
Service Class                     DSCP Bits  DSCP Value  ToS Value  ToS Hexadecimal
Network Control                   111000     56-63       224        0xE0
Internetwork Control              110000     48-55       192        0xC0
Critical - Voice Data (RTP)       101110     46          184        0xB8
                                  101000     40          160        0xA0
Flash Override - Video Data       100010     34          136        0x88
                                  100100     36          144        0x90
                                  100110     38          152        0x98
                                  100000     32          128        0x80
Flash - Voice Control             011010     26          104        0x68
                                  011100     28          112        0x70
                                  011110     30          120        0x78
                                  011000     24          96         0x60
Immediate - Deterministic (SNA)   010010     18          72         0x48
                                  010100     20          80         0x50
                                  010110     22          88         0x58
                                  010000     16          64         0x40
Priority - Controlled Load        001010     10          40         0x28
                                  001100     12          48         0x30
                                  001110     14          56         0x38
                                  001000     8           32         0x20
Routine - Best Effort             000000     0           0          0x00
Routine - Penalty Box             000010     2           8          0x08


Examples
While it is possible to configure QoS using a combination of firewall policies and
ToS-based priorities, and to distribute traffic over all six of the possible queues for each
physical interface, the results of those configurations can be more difficult to analyze due
to their complexity. In those cases, prioritization behavior can vary by several factors,
including traffic volume, ToS (type of service) or differentiated services markings, and
correlation of session to a firewall policy.
The following simple examples illustrate QoS configurations using either prioritization by
firewall policy, or prioritization by ToS byte, but not both. The examples also assume you
are not configuring traffic shaping for interfaces that receive hardware acceleration from
network processing units (NPU).

QoS using priority from firewall policies
Configurations implementing QoS using the priority values defined in firewall policies are
capable of applying bandwidth limits and guarantees.
In addition to configuring traffic shaping, you may also choose to limit bandwidth accepted
by each interface. This can be useful in scenarios where bandwidth being received on
source interfaces frequently exceeds the maximum bandwidth limit defined in the firewall
policy. In this case, rather than wasting processing power on packets that will only be
dropped later in the processing to enforce those limits, you may choose to preemptively
police the traffic.
Note that if you implement QoS using firewall policies rather than ToS byte, the FortiGate
unit applies QoS to all packets controlled by the policy. Control is less granular than
prioritization by ToS byte, but has the benefits of correlating quality of service to a firewall
policy, enabling you to distribute traffic over up to four of the possible 6 priority queues
(queue 0 to queue 3), not requiring other devices in your network to set or respect the ToS
byte, and of enabling you to configure bandwidth limits and guarantees.
In this example, we limit the bandwidth accepted by each source interface, limit the
bandwidth used by sessions controlled by the firewall policy, and then configure prioritized
queueing on the destination interface based upon the priority in the firewall policy, subject
to alternative assignment to queue 0 when necessary to achieve the guaranteed packet
rate.
To limit bandwidth accepted by an interface
In the CLI, enter the following commands:
config system interface
edit <name_str>
set inbandwidth <rate_int>
next
end
where <rate_int> is the bandwidth limit in KB/s. Excess packets will be dropped.


To configure bandwidth guarantees, limits, and priorities
1 Go to Firewall > Traffic Shaper > Shared, and select Create New.
2 Enter a name for the shaper.
3 Enter the Guaranteed Bandwidth, if any.
Bandwidth guarantees affect prioritization. While packet rates are less than this rate,
they use priority queue 0. If this is not the effect you intend, consider entering a small
guaranteed rate, or enter 0 to effectively disable bandwidth guarantees.
4 Enter Maximum Bandwidth.
Packets greater than this rate will be discarded.
5 Select the Traffic Priority.
High has a priority value of 1, while Low is 3. While the current packet rate is below
Guaranteed Bandwidth, the FortiGate unit will disregard this setting, and instead use
priority queue 0.
6 Select OK.

Sample configuration
This sample configuration limits ingressing bandwidth to 500 KB/s. It also applies separate
traffic shapers to FTP and HTTP traffic. In addition to the interface bandwidth limit, HTTP
traffic is subject to a firewall policy bandwidth limit of 200 KB/s.
All egressing FTP traffic greater than 10 KB/s is subject to a low priority queue (queue 3),
while all egressing HTTP traffic greater than 100 KB/s is subject to a medium priority
queue (queue 2). That is, unless FTP traffic rates are lower than their guaranteed rate,
and web traffic rates are greater than their guaranteed rate, FTP traffic is lower priority
than web traffic.
Traffic less than these guaranteed bandwidth rates use the highest priority queue
(queue 0).
Set the inbandwidth limits. This setting is only available in the CLI:
config system interface
edit wan1
set inbandwidth 500
next
end
Create the traffic shapers for FTP and HTTP.
To configure the shapers - web-based manager
1 Go to Firewall > Traffic Shaper > Shared, and select Create New.
2 Enter FTP for the name of the shaper.
3 Enter the Guaranteed Bandwidth, of 10 KBps.
4 Enter Maximum Bandwidth of 500 KBps.
5 Select the Traffic Priority of Low.
6 Select OK.
7 Select Create New.
8 Enter HTTP for the name of the shaper.
9 Enter the Guaranteed Bandwidth, of 100 KBps.
10 Enter Maximum Bandwidth of 200 KBps.


11 Select the Traffic Priority of Medium.
12 Select OK.
To configure the shapers - CLI
config firewall shaper traffic-shaper
edit FTP
set maximum-bandwidth 500
set guaranteed-bandwidth 10
set per-policy enable
set priority low
next
edit HTTP
set maximum-bandwidth 200
set guaranteed-bandwidth 100
set per-policy enable
set priority medium
next
end

QoS using priority from ToS or differentiated services
Configurations implementing QoS using the priority values defined in either global or
specific ToS byte values are not capable of applying bandwidth limits and guarantees, but
are capable of prioritizing traffic at per-packet levels, rather than uniformly to all services
matched by the firewall policy.
In addition to configuring traffic prioritization, you may also choose to limit bandwidth being
received by each interface. This can sometimes be useful in scenarios where you want to
limit traffic levels, but do not want to configure traffic shaping within a firewall policy. This
has the benefit of policing traffic at a point before the FortiGate unit performs most
processing.
Note that if you implement QoS using the ToS octet rather than firewall policies, the FortiGate
unit applies QoS on a packet-by-packet basis, and priorities may differ for packets
and services controlled by the same firewall policy. This is more granular control than
prioritization by firewall policies, but has the drawbacks that quality of service may not
be uniform for multiple services controlled by the same firewall policy, packets will only use
up to three of the six possible queues (queue 0 to queue 2), and bandwidth cannot be
guaranteed. Other devices in your network must also be able to set or preserve ToS bytes.
In this example, we limit the bandwidth accepted by each source interface, and then
configure prioritized queueing on the destination interface based upon the value of the
ToS byte located in the IP header of each accepted packet.
To limit bandwidth accepted by an interface, in the CLI, enter the following commands:
config system interface
edit <name_str>
set inbandwidth <rate_int>
next
end
where <rate_int> is the bandwidth limit in KB/s. Excess packets will be dropped.
To configure priorities, in the CLI, configure the global priority value using the following
commands:
config system global
set tos-based-priority {high | low | medium}
end
where high has a priority value of 0 and low is 2.
If you want to prioritize some ToS byte values differently than the global ToS-based
priority, configure the priority for packets with that ToS byte value using the following
commands:
config system tos-based-priority
edit <id_int>
set tos [0-15]
set priority {high | low | medium}
next
end
where tos is the value of the ToS byte in the packet’s IP header, and high has a
priority value of 0 and low is 2. Priority values configured in this location override
the global ToS-based priority.

Sample configuration
This sample configuration limits ingressing bandwidth to 500 KB/s. It also queues
egressing traffic based upon the ToS byte in the IP header of ingressing packets.
Unless specified for the packet’s ToS byte value, packets use the low priority queue
(queue 2). For ToS byte values 4 and 15, the priorities are specified as medium (value 1)
and high (value 0), respectively.
config system interface
edit wan1
set inbandwidth 500
next
end
config system global
set tos-based-priority low
end
config system tos-based-priority
edit 4
set tos 4
set priority medium
next
edit 15
set tos 15
set priority high
next
end

Example setup for VoIP
In this example, there are three traffic shaping requirements for a network:
• FTP bursts must be contained so as not to consume all of the available bandwidth. As such,
this traffic needs to be throttled to a smaller amount.
• Voice over IP (VoIP) requires guaranteed, high-priority bandwidth for telephone
communications.
• A consistent bandwidth requirement is needed for all other email and web-based
traffic.
To enable this requirement, you need to create three separate shapers and three firewall
policies for each traffic type.
Note: The values used in this example are not real-world values; they are chosen to keep
the example simple.

Creating the traffic shapers
First create the traffic shapers that define the maximum and guaranteed bandwidth. Shared
shapers are used, some applied per policy and some across all policies, as shown in the
steps below, to better control traffic.

VoIP shaper
VoIP functionality is a key component of the business as a communication tool and as
such requires a guaranteed bandwidth.
To create a VoIP shaper - web-based manager
1 Go to Firewall > Traffic Shaping > Shared.
2 Enter the Name voip.
3 Select Per Policy.
4 Enter the Maximum Bandwidth of 1000 Kb/s
5 Enter the Guaranteed Bandwidth of 800 Kb/s.
6 Select a Traffic Priority of High.
7 Select OK.
To create a VoIP shaper - CLI
config firewall shaper traffic-shaper
edit voip
set maximum-bandwidth 1000
set guaranteed-bandwidth 800
set per-policy enable
set priority high
end
This ensures that whatever number of policies use this shaper, the defined bandwidth will
always be the same. At the same time, the bandwidth is continually guaranteed at 800
Kb/s but if available can be as much as 1000 Kb/s. Setting the priority to high ensures that
the FortiGate unit always considers VoIP traffic as the most important.

FTP shaper
The FTP shaper sets the maximum bandwidth to use, to avoid sudden spikes caused by
uploading or downloading large files that would interfere with other, more important traffic.
To create a FTP shaper - web-based manager
1 Go to Firewall > Traffic Shaping > Shared.
2 Enter the Name ftp.
3 Select For all Policies Using This Shaper.
4 Enter the Maximum Bandwidth of 200 Kb/s


5 Enter the Guaranteed Bandwidth of 200 Kb/s.
6 Select a Traffic Priority of Low.
7 Select OK.
To create a FTP shaper - CLI
config firewall shaper traffic-shaper
edit ftp
set maximum-bandwidth 200
set guaranteed-bandwidth 200
set priority low
end
For this shaper, the maximum and guaranteed bandwidth are set low and to the same
value, so the bandwidth is restricted to a specific amount. Setting the traffic priority to
low also ensures that more important traffic can pass before FTP traffic.

Regular traffic shaper
The regular shaper sets the maximum bandwidth and guaranteed bandwidth for everyday
business traffic such as web and email traffic.
To create a regular shaper - web-based manager
1 Go to Firewall > Traffic Shaping > Shared.
2 Enter the Name daily_traffic.
3 Select Per Policy.
4 Enter the Maximum Bandwidth of 600 Kb/s
5 Enter the Guaranteed Bandwidth of 600 Kb/s.
6 Select a Traffic Priority of Medium.
7 Select OK.
To create a regular shaper - CLI
config firewall shaper traffic-shaper
edit daily_traffic
set maximum-bandwidth 600
set guaranteed-bandwidth 600
set per-policy enable
set priority medium
end
For this shaper, the maximum and guaranteed bandwidth are set to a moderate value of
600 Kb/s. It is also set for per policy, which ensures each firewall policy for day-to-day
business traffic has the same distribution of bandwidth.

Creating firewall policies
To employ the shaper, create firewall policies that use the shapers within the policies.
Create a separate policy for each service and enable traffic shaping. For example, a policy
for FTP traffic, a policy for SIP and so on.
For the following steps the VoIP traffic shaper is enabled as well as the reverse direction
option. This ensures that return traffic for a VoIP call has the same guaranteed bandwidth
as the outgoing call.


To enable traffic shaping in the firewall policy - web-based manager
1 Go to Firewall > Policy and select Create New.
2 Enter the following and select:
Source interface/Zone: Internal
Source address: All
Destination interface/Zone: WAN1
Destination address: All
Schedule: always
Service: SIP
Action: ALLOW

3 Select Traffic Shaping.
4 From the drop-down list, select the voip shaper created in the previous steps.
5 Select Reverse Direction Traffic Shaping.
6 Select OK.
To enable traffic shaping in the firewall policy - CLI
config firewall policy
edit 6
set srcintf internal
set srcaddr all
set dstintf wan1
set dstaddr all
set action accept
set schedule always
set service sip
set traffic-shaper voip
set reverse-traffic-shaper voip
end


Troubleshooting
This chapter outlines some troubleshooting tips and steps to diagnose the shapers and
whether they are working correctly. These diagnose commands include:
• diagnose system tos-based-priority
• diagnose firewall shaper traffic-shaper
• diagnose firewall per-ip-shaper
• diagnose debug flow
This chapter includes the topics:
• Interface diagnosis
• Shaper diagnose commands
• Packet loss with statistics on shapers
• Packet lost with the debug flow
• Session list details with dual traffic shaper
• Additional Information

Interface diagnosis
To optimize traffic shaping performance, first ensure that the network interface’s Ethernet
statistics are clean of errors, collisions, or buffer overruns. To check the interface, enter the
following diagnose command to see the traffic statistics:
diagnose hardware deviceinfo nic <port_name>

Shaper diagnose commands
There are specific diagnose commands you can use to verify the configuration and flow of
traffic, including packet loss due to the employed shaper.
All of these diagnose troubleshooting commands are supported in both IPv4 and IPv6.

TOS command
Use the following command to view information on the TOS lists and traffic.
diagnose system tos-based-priority
This example displays the priority value currently correlated with each possible TOS byte
value. Priority values are displayed in order of their corresponding TOS byte values, which
can range between 0 and 15, from lowest TOS byte value to highest.
For example, if you have not configured TOS-based priorities, the following appears...
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
...reflecting that all packets are currently using the same default priority, high (value 0).


If you have configured a TOS-based priority of low (value 2) for packets with a ToS byte
value of 3, the following appears...
0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0
...reflecting that most packets are using the default priority value, except those with a ToS
byte value of 3.
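The following is an added example, not code from the FortiOS Handbook or from Fortinet. It builds the 16-entry ToS-based priority table defined by "config system global / set tos-based-priority" and the "config system tos-based-priority" entries, using the sample configuration from the "QoS using priority from ToS or differentiated services" section, and renders it in the layout of the "diagnose system tos-based-priority" output described just above (priority value high = 0, medium = 1, low = 2; one entry per ToS value 0 to 15, lowest first). The config reader handles only those two command blocks; the embedded CLI text is constructed for the example and the function names are this example's own.

```python
"""Derive the expected "diagnose system tos-based-priority" table from a
FortiOS ToS-priority configuration. Added example, not FortiOS code."""

# Priority values as stated in the Handbook: high 0, medium 1, low 2.
PRIORITY_VALUE = {"high": 0, "medium": 1, "low": 2}


def build_priority_table(global_priority="high", overrides=None):
    """Start every ToS value at the global priority, then apply per-ToS overrides."""
    table = [PRIORITY_VALUE[global_priority]] * 16
    for tos, priority in (overrides or {}).items():
        if not 0 <= tos <= 15:
            raise ValueError(f"tos {tos} outside 0-15")
        table[tos] = PRIORITY_VALUE[priority]
    return table


def parse_priority_config(text):
    """Read 'config system global' (tos-based-priority) and the
    'config system tos-based-priority' entries; other blocks are ignored."""
    # Default: all sixteen entries are 0 (high) when nothing is configured,
    # matching the unconfigured diagnose output shown in the Troubleshooting chapter.
    global_priority, overrides = "high", {}
    section, entry = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line == "end":
            section = None
        elif section == "system global" and line.startswith("set tos-based-priority "):
            global_priority = line.split()[-1]
        elif section == "system tos-based-priority":
            if line.startswith("edit "):
                entry = {}
            elif line.startswith("set tos "):
                entry["tos"] = int(line.split()[-1])
            elif line.startswith("set priority "):
                entry["priority"] = line.split()[-1]
            elif line == "next":
                overrides[entry["tos"]] = entry["priority"]
    return global_priority, overrides


def render_diagnose(table):
    """Same shape as the diagnose output: sixteen values separated by spaces."""
    return " ".join(str(v) for v in table)


def priority_table_from_config(text):
    return build_priority_table(*parse_priority_config(text))


# Constructed copy of the sample configuration from the ToS-priority section.
SAMPLE_CONFIG = """\
config system interface
    edit wan1
        set inbandwidth 500
    next
end
config system global
    set tos-based-priority low
end
config system tos-based-priority
    edit 4
        set tos 4
        set priority medium
    next
    edit 15
        set tos 15
        set priority high
    next
end
"""

if __name__ == "__main__":
    print(render_diagnose(priority_table_from_config(SAMPLE_CONFIG)))
```

Comparing this rendering with the live diagnose output is a quick way to confirm that an override was applied to the intended ToS value and that the global default is what you expect.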

Shared shaper
To view information for the shared traffic shaper for firewall policies enter the command
diagnose firewall shaper traffic-shaper list
The resultant output displays the information on all available shapers. The more shapers
available the longer the list. For example:
name Throughput
maximum-bandwidth 1200000 KB/sec
guaranteed-bandwidth 50000 KB/sec
current-bandwidth 0 B/sec
priority 1
packets dropped 0
Additional commands include:
diagnose firewall shaper traffic-shaper state - provides the total number
of traffic shapers on the FortiGate unit.
diagnose firewall shaper traffic-shaper stats - provides summary
statistics on the shapers. Sample output looks like the following:
shapers 9 ipv4 0 ipv6 0 drops 0

Per-IP shaper
To view information for the per-IP shaper for firewall policies enter the command
diagnose firewall shaper per-ip-shaper list
The resultant output displays the information on all available per-IP shapers. The more
shapers available the longer the list. For example:
name accounting_group
maximum-bandwidth 200000 KB/sec
maximum-concurrent-session 55
packet dropped 0
Additional commands include:
diagnose firewall shaper per-ip-shaper state - provides the total number of
per-ip shapers on the FortiGate unit.
diagnose firewall shaper per-ip-shaper stats - provides summary statistics
on the shapers. Sample output looks like the following:
memory allocated 3 packet dropped: 0
You can also clear the per-ip statistical data to begin a fresh diagnoses using:
diagnose firewall shaper per-ip-shaper clear


Packet loss with statistics on shapers
For each shaper there are counters that let you verify whether packets have been discarded. To
view this information, in the CLI, enter the command diagnose firewall shaper.
The results will look similar to the following output:
diagnose firewall shaper traffic-shaper list
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 KB/sec
guaranteed-bandwidth 25 KB/sec
current-bandwidth 51 KB/sec
priority 3
dropped 1291985
The diagnose command output is different if the shapers are configured either per-policy
or shared between policies. For per-IP the output would be:
diagnose firewall shaper per-ip-shaper list
name accounting_group
maximum-bandwidth 200000 KB/sec
maximum-concurrent-session 55
packet dropped 3264220

Packet lost with the debug flow
When using the debug flow diagnostic command, there is a specific message indicating
that a packet has exceeded the shaper limits and was therefore discarded:
diagnose debug flow show console enable
diagnose debug flow filter addr 10.143.0.5
diagnose debug flow trace start 1000
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
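The following is an added example, not code from the FortiOS Handbook or from Fortinet. It parses the "diagnose firewall shaper traffic-shaper list" and "per-ip-shaper list" output formats shown in the "Packet loss with statistics on shapers" section and the "diagnose debug flow" messages shown just above, and reports shapers that are dropping packets or running above their maximum bandwidth, together with the sessions whose packets hit "exceeded shaper limit, drop". The sample outputs embedded here are constructed from the format of the Handbook's examples (the second debug-flow trace is invented to show a session without a drop); the parse functions are this example's own, and 1 KB is taken as 1024 bytes, which is an assumption.

```python
"""Parse FortiOS shaper diagnose output and debug-flow messages to find
packet loss caused by shapers. Added example, not FortiOS code."""

import re

# One key/value line of the shaper list output; the unit suffix is optional
# because "priority 1" and "packet dropped 0" carry none.
LINE_RE = re.compile(
    r"^\s*(name|maximum-bandwidth|guaranteed-bandwidth|current-bandwidth|"
    r"maximum-concurrent-session|priority|(?:packets? )?dropped)\s+(\S+)"
    r"(?:\s+(B|KB)/sec)?\s*$"
)

# Constructed from the Handbook's sample output of the two list commands.
SHAPER_LIST_OUTPUT = """\
diagnose firewall shaper traffic-shaper list
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 KB/sec
guaranteed-bandwidth 25 KB/sec
current-bandwidth 51 KB/sec
priority 3
dropped 1291985
name Throughput
maximum-bandwidth 1200000 KB/sec
guaranteed-bandwidth 50000 KB/sec
current-bandwidth 0 B/sec
priority 1
packets dropped 0
"""

PER_IP_LIST_OUTPUT = """\
diagnose firewall shaper per-ip-shaper list
name accounting_group
maximum-bandwidth 200000 KB/sec
maximum-concurrent-session 55
packet dropped 3264220
"""

# Constructed debug-flow capture: trace 11 is the Handbook's example, trace 12
# is an invented second session that was not dropped.
DEBUG_FLOW_OUTPUT = """\
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
id=20085 trace_id=12 msg="vd-root received a packet(proto=17, 10.141.0.11:3736->10.143.0.5:5001) from port5."
id=20085 trace_id=12 msg="Find an existing session, id-0000eabd, original direction"
"""


def parse_shaper_list(text):
    """Return one dict per shaper; bandwidths normalised to bytes/sec."""
    shapers, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # command echo or unrelated line
        key, value, unit = m.groups()
        if key == "name":
            current = {"name": value}
            shapers.append(current)
            continue
        if current is None:
            continue                       # value before any "name" line
        if key.endswith("dropped"):
            key = "dropped"                # "dropped", "packet dropped", "packets dropped"
        number = int(value)
        if unit == "KB":
            number *= 1024                 # assumption: 1 KB = 1024 B
        current[key] = number
    return shapers


def find_shaper_problems(shapers):
    """Flag shapers with drop counters or current bandwidth above the maximum."""
    problems = []
    for s in shapers:
        if s.get("dropped", 0) > 0:
            problems.append((s["name"], f"dropped {s['dropped']} packets"))
        if "current-bandwidth" in s and "maximum-bandwidth" in s \
                and s["current-bandwidth"] > s["maximum-bandwidth"]:
            problems.append((s["name"], "current bandwidth above maximum"))
    return problems


def shaper_drops_by_session(text):
    """Count 'exceeded shaper limit' messages per session id across traces."""
    session_by_trace, drops = {}, {}
    for line in text.splitlines():
        m = re.search(r'trace_id=(\d+)\s+msg="(.*)"', line)
        if not m:
            continue
        trace, msg = m.groups()
        found = re.search(r"session, (id-[0-9a-f]+)", msg)
        if found:
            session_by_trace[trace] = found.group(1)
        if "exceeded shaper limit" in msg:
            session = session_by_trace.get(trace, "unknown")
            drops[session] = drops.get(session, 0) + 1
    return drops


if __name__ == "__main__":
    print(find_shaper_problems(parse_shaper_list(SHAPER_LIST_OUTPUT)))
    print(shaper_drops_by_session(DEBUG_FLOW_OUTPUT))
```

A shaper whose current bandwidth sits just above its maximum with a large drop counter, as in the first sample shaper, is the signature of a limit set below what the traffic actually needs; the session-level count from the debug flow tells you which flows are paying for it.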

Session list details with dual traffic shaper
When a Firewall Policy has a different traffic shaper for each direction, it is reflected in the
session list output from the CLI:
diagnose system session list
session info: proto=6 proto_state=02 expire=115 timeout=3600
flags=00000000 sock
flag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec
traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec
traffic 0/sec
ha_id=0 hakey=44020
policy_dir=0 tunnel=/
state=may_dirty rem os rs

statistic(bytes/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2
gwy=10.160.0.1/0.0.0.0
hook=pre dir=org act=dnat 192.168.171.243:2538>192.168.182.110:80(10.160.0.1:80)
hook=post dir=reply act=snat 10.160.0.1:80>192.168.171.243:2538(192.168.182.110:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81
tos=ff/ff app=0 dd_type=0 dd_rule_id=0

Additional Information
• Traffic shaping accuracy is optimum for firewall policies without a protection profile,
where no FortiGate content inspection is processed.
• Do not oversubscribe the outbandwidth throughput. For example, sum[guaranteed BW]
< outbandwidth. For accuracy in bandwidth calculation, it is required to set the
“outbandwidth” parameter on the interfaces. For more information see “Bandwidth
guarantee, limit, and priority interactions” on page 1697.
• Packets discarded by the shaper impact flow-control mechanisms like TCP. For more
accurate testing results, prefer the UDP protocol.
• The FortiGate unit does not prioritize traffic based on the DSCP marking configured in
the firewall policy. However, ToS-based prioritization can be applied at ingress. For more
information see “Differentiated Services” on page 1711.


Chapter 15 FortiOS Carrier
This FortiOS Handbook chapter contains the following sections:
Overview of FortiOS Carrier features provides an overview of the three major topics for
FortiOS Carrier — Dynamic Profiles, MMS, and GTP.
Dynamic profiles and profile groups describes dynamic profiles, RADIUS systems, HTTP
header options, and cookie based overrides.
MMS Carrier End Point features describes controlling access to MMS services based on a
user’s carrier end point, blocking network access for IP addresses based on carrier end
points, and Extracting carrier end points for user and administrative notifications.
MMS UTM features describes FortiOS UTM features as they apply to MMS including
MMS virus scanning, MMS file filtering, MMS content-based Antispam protection, and
MMS DLP archiving.
Message flood protection describes setting thresholds to protect your MMS servers from
receiving too many messages from the same sender.
Duplicate message protection describes setting thresholds to protect your MMS servers
from receiving the same message from more than one sender.
MMS Replacement messages describes customizing MMS replacement messages.
Configuring GTP on FortiOS Carrier explains configuration of the more basic FortiOS
Carrier GTP features.
GTP message type filtering explains this feature, and how to configure it on FortiOS
Carrier.
GTP identity filtering explains this feature, and how to configure it on FortiOS Carrier.
Troubleshooting provides answers to common FortiOS Carrier GTP issues.


Overview of FortiOS Carrier features
FortiOS Carrier specific features include dynamic profiles and groups, Multimedia
messaging service (MMS) protection, and GPRS Tunneling Protocol (GTP) protection.
This section includes:
• Overview
• MMS background
• How FortiOS Carrier processes MMS messages
• MMS protection profiles
• Bypassing MMS protection profile filtering based on user’s carrier end points
• Applying MMS protection profiles to MMS traffic
• GTP basic concepts
• Parts of a GPRS network
• GPRS network common interfaces
• Packet flow through the GPRS network

Overview
FortiOS Carrier provides all the features found on FortiGate units plus added features
specific to carrier networks. These features are explained in this document and include
dynamic profiles and groups, Multimedia messaging service (MMS) protection, and GPRS
Tunneling Protocol (GTP) protection. These features include:
• Dynamic profiles
• MMS
• GTP

Dynamic profiles
Managed Security Service Providers (MSSPs) and carrier service providers can use the
FortiOS Carrier dynamic profile configuration to dynamically assign profile groups to
customer traffic. Using the dynamic profile, FortiOS Carrier can receive RADIUS Start
records from service provider accounting systems when customers connect to service
provider networks. In real time FortiOS Carrier can extract identifying information and
profile group names from these RADIUS Start records and match the identifying
information with the customer communication session. FortiOS Carrier can then
dynamically select and apply the profile group named in the RADIUS Start record to the
communication session. See “Dynamic profiles and profile groups” on page 1755.

MMS
MMS is a standard for sending messages that include multimedia content between mobile
phones. MMS is also popular as a method of delivering news and entertainment content
including videos, pictures, text pages and other content. See “MMS background” on
page 1734.


GTP
The GPRS Tunneling Protocol (GTP) runs on GPRS carrier networks. GPRS is a GSM
packet radio standard. It provides more efficient usage of the radio interface so that mobile
devices can share the same radio channel.
GPRS provides direct connections to the Internet (TCP/IP) and X.25 networks for point-to-point
services (connection-less/connection oriented) and point-to-multipoint services (broadcast).
GPRS currently supports data rates from 9.6kbps to 100+kbps, and is best suited for burst
forms of traffic. GPRS involves both radio and wired components. The mobile phone
sends the message to a base station unit (radio based), and the base station unit sends
the message to the carrier network and eventually the Internet (wired carrier network).
See “GTP basic concepts” on page 1745.

MMS background
MMS is a standard for sending messages that include multimedia content between mobile
phones. MMS is also popular as a method of delivering news and entertainment content
including videos, pictures, text pages and other content.
Figure 254: MMS content interfaces
(Diagram: the MMS Service Provider Network, centred on the MMSC, connects to Mobile Users over MM1 (HTTP), to the Internet over MM3 (SMTP), to a Content Provider over MM7 (HTTP/SOAP), and to an Other Operator over MM4 (SMTP); that operator in turn reaches its own Mobile Users over MM1 (HTTP).)
MMS content interfaces
MMS messages are sent and received between sending devices, receiving devices and
servers using MMS content interfaces.
There are eight interfaces defined for the MMS standard, referred to as MM1 through
MM8. The most important of these interfaces, when considering the transfer of data, is the
MM1 interface, as this defines how mobile users communicate from the mobile network to
the Multimedia Message Service Center (MMSC). And most MMS content that should be
monitored and controlled comes from these mobile users onto the provider network.


Other MMS content interfaces that connect a service provider network to other external
sources can pose threats as well. MM3 handles communication between the Internet and
the MMSC and is a possible source of viruses and other content problems from the
Internet. MM4 handles communication between different content provider MMSCs.
Filtering MM4 content protects the service provider network from content sent from other
service providers and their subscribers. Finally MM7 is used for communication between
content providers and the MMSC. Filtering MM3 content can also keep harmful content off
of the service provider network.
Table 115: MMS content interfaces that
Type  | Transaction                | Similar to
MM 1  | Handset to MMSC            | HTTP
MM 3  | Between MMSC and Internet  | SMTP
MM 4  | Between Operator MMSCs     | SMTP
MM 7  | Content Providers to MMSC  | HTTP and SOAP

How MMS content interfaces are applied
As shown in Figure 255, the sender’s mobile device encodes the MMS content in a form
similar to MIME email message (MMS MIME content formats are defined by the MMS
Message Encapsulation specification). The encoded message is then forwarded to the
service provider’s MMSC. Communication between the sending device and the MMSC
uses the MM1 content interface. The MM1 content interface establishes a connection and
sends an MM1 send request (m-send.req) message that contains the MMS message.
The MMSC processes this request and sends back an MM1 send confirmation (m-send.conf)
HTTP response indicating the status of the message — accepted or an error occurred, for
example.
Figure 255: MM1 transactions between senders and receivers and the MMSC
Participants: Sender (sends MMS message to receiver), MMSC, Receiver (receives MMS message from sender).
1. m-send.req, Sender to MMSC (contains the MMS message and is directed to the URI of the MMSC)
2. m-notification.req, MMSC to Receiver (indicates message is available for delivery, includes size, expiry and URI)
3. m-send.conf, MMSC to Sender (confirms message receipt and handles any error conditions, also includes transaction identity)
4. m-notifyresp.ind, Receiver to MMSC (WSP/HTTP POST to confirm receipt of notification)
5. WSP/HTTP GET.req, Receiver to MMSC (requests the MM content)
6. m-retrieve.conf, MMSC to Receiver (the MMS content)
7. m-acknowledge.ind, Receiver to MMSC (if requested, optional acknowledgment of receipt of MMS content)
8. m-delivery.ind, MMSC to Sender (optional, confirms delivery of MMS content)
If the recipient is on another carrier, the MMSC forwards the message to the recipient's
carrier. This forwarding uses the MM4 content interface for forwarding content between
operator MMSCs (see Figure 256).
Before the MMSC can forward the message to the final recipient, it must first determine if
the receiver’s handset can receive MMS messages using the MM1 content interface. If the
recipient can use the MM1 content interface, the content is extracted and sent to a
temporary storage server with an HTTP front-end.
To retrieve the message, the receiver’s handset establishes a connection with the MMSC.
An HTTP get request is then sent from the recipient to the MMSC. This message contains
the URL where the content of the message is stored. The MMSC responds with a retrieve
confirmation (m-retrieve.conf) HTTP response that contains the message.
Figure 256: MM4 messages sent between operator MMSCs
Participants: Sending Operator MMSC, Receiving Operator MMSC.
1. MM4-forward.req (contains the MMS content and is directed to the receiving MMSC; X-MMS headers contain MMS extensions)
2. MM4-forward.res (administrative message to confirm transaction with status code)
3. MM4-delivery-report.req (feedback required by UA or VASP)
4. MM4-delivery_report.res (response to feedback request with status codes)

This causes the receiver’s handset to receive the content from the embedded URL.
Several messages are exchanged to indicate status of the delivery attempt. Before
delivering content, some MMSCs also include a content adaptation service that attempts
to modify the multimedia content into a format suitable for the recipient’s handset.
If the receiver’s handset is not MM1 capable, the message can be delivered to a web
based service and the receiver can view the content from a normal internet browser. The
URL for the content can be sent to the receiver in an SMS text message. Using this
method, non-MM1 capable recipients can still receive MMS content.
Email and web-based gateways from MMSC to the Internet use the MM3 content
interface. On the receiving side, the content servers can typically receive service requests
both from WAP and normal HTTP browsers, so delivery via the web is simple. For sending
from external sources to handsets, most carriers allow MIME encoded messages to be sent
to the receiver's phone number with a special domain.

How FortiOS Carrier processes MMS messages
MMS messages can be vectors for propagating undesirable content such as spam and
viruses. FortiOS Carrier can scan MMS messages sent using the MM1, MM3, MM4, and
MM7 content interfaces. By configuring and adding MMS protection profiles and adding
the MMS protection profiles to firewall policies, you can configure FortiOS Carrier to scan
MMS messages for spam and viruses. You can also use MMS protection profiles to apply
content blocking, carrier end point filtering, MMS address translation, sending MMS
notifications, DLP archiving of MMS messages, and logging of MMS message activity.
Figure 257: FortiOS Carrier MMS processing
(Diagram: the layout of Figure 254, with a FortiOS Carrier unit placed in front of the MMSC on the MM1 (HTTP) path from Mobile Users, the MM3 (SMTP) path from the Internet and the MM7 (HTTP/SOAP) path from the Content Provider, and a second FortiOS Carrier unit on the MM4 (SMTP) path to the Other Operator, whose Mobile Users connect over MM1 (HTTP).)

FortiOS Carrier can send MMS messages to senders informing those senders that their
device is infected. FortiOS Carrier can also send MMS notifications to administrators to
inform them of suspicious activity on their networks.
For message floods and duplicate messages, FortiOS Carrier does not send notifications
to message senders but does send notifications to administrators and sends messages to
sender handsets to complete MM1 and MM4 sessions.

FortiOS Carrier and MMS content scanning
The following applies to MMS content scanning, including virus scanning, file filtering,
content spam filtering, carrier end point filtering, and MMS content checksum filtering.

MM1 Content Scanning
During MM1 content scanning a message is first transmitted from the sender, establishing
a connection with the MMSC. FortiOS Carrier intercepts this connection and acts as the
endpoint. FortiOS Carrier then establishes its own connection to the MMSC. Once
connected, the client transmits its m-send.req HTTP post request to FortiOS Carrier
which scans it according to the MMS protection profile settings. If the content is clean, the
message is forwarded to the MMSC. The MMSC returns m-send.conf HTTP response
through FortiOS Carrier to the sender.
If FortiOS Carrier blocks the message (for example because a virus was found; see
Figure 258), FortiOS Carrier resets the connection to the MMSC and sends an m-send.conf
HTTP response back to the sender. The content of the response message
can be customized using replacement messages. Replacement messages are available
for the different kinds of MMS scanning that the FortiOS Carrier unit can perform. FortiOS
Carrier then terminates the connection. Sending back an m-send.conf message
prevents the sender from retrying to send the message.
Figure 258: MM1 MMS scanning of message sent by sender (blocking m-send.req messages)
Participants: Sender, FortiOS Carrier, MMSC.
1. Open TCP session (Sender to FortiOS Carrier)
2. Open TCP session (FortiOS Carrier to MMSC)
3. m-send.req (Sender to FortiOS Carrier)
4. Content blocked (at FortiOS Carrier)
5. Reset TCP session (FortiOS Carrier to MMSC)
6. m-send.conf replacement message (FortiOS Carrier to Sender)
7. Close TCP session (FortiOS Carrier to Sender)
8. m-send.rec notification message to sender (MM1 or MM7/SOAP payload, by configuration); sent once per notification period, regardless of how many messages are blocked
9. Notification message to administrators (various protocols); sent once per notification period, regardless of how many messages are blocked

FortiOS Carrier also sends m-send.rec notification messages to the MMSC, which are
then forwarded to the sender to notify them of blocked messages.

Filtering message retrieval
Filtering message retrieval works in a similar way (see Figure 259). FortiOS Carrier
intercepts the connection to the MMSC, and the m-retrieve.conf HTTP response from the
MMSC is scanned according to the MMS content scanning settings. If the content is clean,
the response is forwarded back to the client. If the content is blocked, FortiOS Carrier
drops the connection to the MMSC. It then builds an m-retrieve.conf message from the
associated replacement message and transmits this back to the client.
FortiOS Carrier also sends m-send.rec notification messages to the MMSC, which are
then forwarded to the receiver to notify them of blocked messages.
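The intercept-and-scan decision described above for m-send.req and m-retrieve.conf, as an added Python model that is not FortiOS Carrier code. Real MM1 PDUs are binary WSP-encoded; the text-header form of the messages, the profile fields and the function names here are assumptions.

```python
"""Model of the MM1 scan decision: forward clean content, answer blocked
content with a replacement m-send.conf / m-retrieve.conf on the same
transaction so the handset does not retry.

Added example, not FortiOS Carrier code. Real MM1 PDUs are binary
WSP-encoded (application/vnd.wap.mms-message); messages are modelled here
as text headers plus parts, and the profile fields are assumed names.
"""
from dataclasses import dataclass, field


@dataclass
class Part:
    name: str            # attachment file name, used by the file filter
    content_type: str
    data: bytes


@dataclass
class Mm1Message:
    message_type: str    # "m-send-req", "m-send-conf" or "m-retrieve-conf"
    transaction_id: str
    headers: dict = field(default_factory=dict)
    parts: list = field(default_factory=list)


@dataclass
class Profile:
    """Subset of MMS protection profile settings modelled here (assumed)."""
    blocked_extensions: frozenset = frozenset({".exe", ".sis", ".jar"})
    blocked_words: frozenset = frozenset({"free ringtone", "click here"})
    max_part_bytes: int = 300 * 1024
    replacement_text: str = "Message blocked by the MMS protection profile."


def scan(msg: Mm1Message, profile: Profile):
    """Return None when the message is clean, else the reason it is blocked."""
    for p in msg.parts:
        lowered = p.name.lower()
        if any(lowered.endswith(ext) for ext in profile.blocked_extensions):
            return f"file filter: {p.name}"
        if len(p.data) > profile.max_part_bytes:
            return f"oversize part: {p.name} ({len(p.data)} bytes)"
        if p.content_type.startswith("text/"):
            text = p.data.decode("utf-8", "replace").lower()
            for word in profile.blocked_words:
                if word in text:
                    return f"content block: {word!r}"
    return None


def handle_mm1(msg: Mm1Message, profile: Profile) -> dict:
    """Decide whether to forward the message or to reset the MMSC side and
    hand the client a replacement response instead."""
    reason = scan(msg, profile)
    if reason is None:
        return {"action": "forward", "reason": None, "reply": None}
    if msg.message_type == "m-send-req":
        # Blocked upload: an m-send.conf with an error status ends the MM1
        # transaction, so the sender does not keep retrying (Figure 258).
        reply = Mm1Message("m-send-conf", msg.transaction_id, {
            "X-Mms-Response-Status": "Error-content-not-accepted",
            "X-Mms-Response-Text": profile.replacement_text})
    elif msg.message_type == "m-retrieve-conf":
        # Blocked download: the receiver gets an m-retrieve.conf whose body
        # is the replacement message instead of the content (Figure 259).
        reply = Mm1Message("m-retrieve-conf", msg.transaction_id,
                           {"Content-Type": "text/plain"},
                           [Part("blocked.txt", "text/plain",
                                 profile.replacement_text.encode())])
    else:
        raise ValueError(f"unsupported message type {msg.message_type}")
    return {"action": "block", "reason": reason, "reply": reply}


# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    Mm1Message("m-send-req", "T1",
               parts=[Part("hello.txt", "text/plain", b"hi there")]),
    Mm1Message("m-send-req", "T2",
               parts=[Part("game.exe", "application/octet-stream", b"MZ\x90")]),
    Mm1Message("m-retrieve-conf", "T3",
               parts=[Part("body.txt", "text/plain", b"Get a FREE RINGTONE now")]),
]


def run_samples(profile=Profile()):
    """Return (transaction_id, action, reason) for each constructed sample."""
    return [(m.transaction_id, r["action"], r["reason"])
            for m in SAMPLES for r in [handle_mm1(m, profile)]]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```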

Figure 259: MM1 MMS scanning of messages received by receiver (blocking m-retrieve.conf messages)
Participants: MMSC, FortiOS Carrier, Receiver.
1. GET request for message (Receiver to FortiOS Carrier)
2. GET request for message (FortiOS Carrier to MMSC)
3. m-retrieve.conf message (MMSC to FortiOS Carrier)
4. Content blocked (at FortiOS Carrier)
5. m-retrieve.conf replacement message (FortiOS Carrier to Receiver)
6. m-send.rec notification message to sender (MM1 or MM7/SOAP payload, by configuration); sent once per notification period, regardless of how many messages are blocked
7. Notification message to administrators (various protocols); sent once per notification period, regardless of how many messages are blocked

Filtering MM3 and MM4 messages works in a similar way (see Figure 260 and
Figure 261). FortiOS Carrier intercepts connections to the MMSC and scans messages as
configured. When a message is blocked, FortiOS Carrier closes sessions as required,
sends confirmation messages to the sender, notifies administrators, and notifies senders
and receivers of messages being blocked.

Figure 260: MM3 MMS scanning of messages sent from a sender on the Internet to an MMSC
Participants: Sender on the Internet, FortiOS Carrier, MMSC.
1. Open TCP session (Sender to FortiOS Carrier)
2. Open TCP session (FortiOS Carrier to MMSC)
3. Send full email message (Sender to FortiOS Carrier)
4. Send full email message, without ‘.’ on a single line (FortiOS Carrier to MMSC)
3. m-retrieve.conf message
5. Content blocked (at FortiOS Carrier)
6. Reset TCP session (FortiOS Carrier to MMSC)
7. Send 550 error and replacement message (FortiOS Carrier to Sender)
8. Close TCP session
9. MM3 notification message; sent once per notification period, regardless of how many messages are blocked
10. Notification message to administrators (various protocols); sent once per notification period, regardless of how many messages are blocked

Figure 261: MM4 MMS scanning of messages sent between operator MMSCs
Participants: Sending Operator MMSC, FortiOS Carrier, Receiving Operator MMSC.
1. Open TCP session (Sending MMSC to FortiOS Carrier)
2. Open TCP session (FortiOS Carrier to Receiving MMSC)
3. Send full MM4-forward.req message (Sending MMSC to FortiOS Carrier)
4. Send full MM4-forward.req message, without ‘.’ on a single line (FortiOS Carrier to Receiving MMSC)
5. m-retrieve.conf message
6. Content blocked (at FortiOS Carrier)
7. Reset TCP session (FortiOS Carrier to Receiving MMSC)
8. Send 250 response (FortiOS Carrier to Sending MMSC)
9. Close TCP session
10. Open new TCP session
11. Send MM4-forward.res message
12. Close TCP session
(Steps 10, 11 and 12 are only initiated if the MM4-forward.req message requested a response.)
13. MM4-forward.req notification; sent once per notification period, regardless of how many messages are blocked
14. Notification message to administrators (various protocols); sent once per notification period, regardless of how many messages are blocked

Figure 262: MM7 MMS scanning of messages sent between a VASP and an MMSC
Participants: Sending VASP, FortiOS Carrier, Receiving MMSC.
1. Open TCP session (sending side to FortiOS Carrier)
2. Open TCP session (FortiOS Carrier to receiving side)
3. submit.req or delivery.req (sending side to FortiOS Carrier)
4. Content blocked (at FortiOS Carrier)
5. Reset TCP session (FortiOS Carrier to receiving side)
6. submit.resp/delivery.resp replacement message (FortiOS Carrier to sending side)
7. Close TCP session
8. submit.req/delivery.req notification message; sent once per notification period, regardless of how many messages are blocked
9. Notification message to administrators (various protocols); sent once per notification period, regardless of how many messages are blocked

FortiOS Carrier and MMS duplicate message and message floods
FortiOS Carrier detects duplicate messages and message floods for the MM1 and MM4
interfaces. How FortiOS Carrier detects and responds to duplicate messages and
message floods is different from how FortiOS Carrier detects and responds to viruses and
other MMS scanning protection measures.
For message floods and duplicate messages, if the sender is an attacker they can gain
useful information about message flood and duplicate message thresholds if they receive
notifications about floods or duplicate messages. Plus, duplicate messages and message
floods are usually a result of a large amount of messaging activity and filtering of these
messages is designed to reduce the amount of unwanted messaging traffic. Adding to the
traffic by sending notifications to senders and receivers could result in an increase in
message traffic.
You can create up to three thresholds for detecting duplicate messages and message
floods. For each threshold you can configure the FortiOS Carrier unit to respond by
logging the activity, archiving or quarantining the messages, notifying administrators of the
activity, and by blocking the messages. In many cases you may only want to configure
blocking for higher activity thresholds, and to just monitor and send administrator
notifications at lower activity thresholds.
When a block threshold is reached for MM1 messages, FortiOS Carrier sends m-send.conf or m-retrieve.conf messages to the originator of the activity. These messages
are sent to end the MM1 sessions, otherwise the originator would keep retrying to re-send
the message that was blocked. When a block threshold is reached for MM4, FortiOS
Carrier sends MM4-forward.res messages to close the MM4 session. These MM4
messages are sent only if initiated by the originating MM4-forward.req message.
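One way to model the three-threshold flood and duplicate detection just described, as an added Python example that is not FortiOS Carrier code. The sliding window, the SHA-256 duplicate test, the action names and the threshold values are assumptions; the block response is represented only as a label.

```python
"""Three-threshold MMS flood / duplicate detection, modelled after the
behaviour described above: each threshold carries its own actions, higher
thresholds usually block while lower ones only monitor, senders are never
told why (that would leak the thresholds), administrators are told at most
once per notification period, and a blocked MM1 message is answered with an
m-send.conf replacement so the handset stops retrying.

Added example, not FortiOS Carrier code. The sliding window, the SHA-256
duplicate test and the action names are assumptions.
"""
import hashlib
from collections import defaultdict, deque

LOG, ARCHIVE, NOTIFY, BLOCK = "log", "archive", "notify", "block"


class FloodDuplicateDetector:
    def __init__(self, window_s, thresholds, notify_period_s):
        # thresholds: up to three (message count, actions) pairs
        if not 1 <= len(thresholds) <= 3:
            raise ValueError("configure between one and three thresholds")
        self.window_s = window_s
        self.thresholds = sorted(thresholds, key=lambda t: t[0])
        self.notify_period_s = notify_period_s
        self.sent = defaultdict(deque)    # sender -> send times in window
        self.seen = defaultdict(deque)    # body hash -> times seen in window
        self.last_notify = {}             # (kind, key) -> last admin alert

    def _count(self, table, key, now):
        """Add an event for key and return how many fall in the window."""
        dq = table[key]
        while dq and now - dq[0] > self.window_s:
            dq.popleft()
        dq.append(now)
        return len(dq)

    def _actions(self, count):
        """Union of the actions of every threshold the count has reached."""
        actions = set()
        for limit, acts in self.thresholds:
            if count >= limit:
                actions.update(acts)
        return actions

    def _notify_admin(self, key, now):
        """True only for the first alert per key in a notification period."""
        last = self.last_notify.get(key)
        if last is not None and now - last < self.notify_period_s:
            return False
        self.last_notify[key] = now
        return True

    def check(self, sender, body, now):
        """Classify one MM1 m-send.req from sender carrying body at time now."""
        digest = hashlib.sha256(body).hexdigest()
        flood_n = self._count(self.sent, sender, now)
        dup_n = self._count(self.seen, digest, now)
        flood_acts = self._actions(flood_n)
        dup_acts = self._actions(dup_n)
        acts = flood_acts | dup_acts
        result = {"sender": sender, "flood_count": flood_n, "dup_count": dup_n,
                  "log": LOG in acts, "archive": ARCHIVE in acts,
                  "block": BLOCK in acts, "notify_admin": False,
                  "reply_to_sender": None}
        if NOTIFY in acts:
            key = ("flood", sender) if NOTIFY in flood_acts else ("duplicate", digest)
            result["notify_admin"] = self._notify_admin(key, now)
        if BLOCK in acts:
            # End the MM1 session; the sender gets no flood/duplicate notice.
            result["reply_to_sender"] = "m-send.conf replacement message"
        return result


# Constructed configuration and traffic (not from a real network): log at 3
# messages per window, alert administrators at 5, archive and block at 8.
THRESHOLDS = [(3, [LOG]), (5, [LOG, NOTIFY]), (8, [LOG, ARCHIVE, NOTIFY, BLOCK])]


def run_sample():
    """Drive the detector with a 9-message burst from one sender, then the
    same body from five different senders; return both decision lists."""
    det = FloodDuplicateDetector(window_s=60, thresholds=THRESHOLDS,
                                 notify_period_s=300)
    burst = [det.check("sender-a", f"msg {i}".encode(), float(i))
             for i in range(1, 10)]
    copies = [det.check(f"sender-c{i}", b"same body", 100.0 + i)
              for i in range(5)]
    return burst, copies


if __name__ == "__main__":
    burst, copies = run_sample()
    for r in burst + copies:
        print(r["sender"], r["flood_count"], r["dup_count"],
              "block" if r["block"] else "pass",
              "notify" if r["notify_admin"] else "")
```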

Figure 263: MM1 message flood and duplicate message blocking of sent messages
Participants: Sender, FortiOS Carrier, MMSC.
1. Open TCP session (Sender to FortiOS Carrier)
2. Open TCP session (FortiOS Carrier to MMSC)
3. m-send.req (Sender to FortiOS Carrier)
4. Flood or duplicate blocked (at FortiOS Carrier)
5. Reset TCP session (FortiOS Carrier to MMSC)
6. m-send.conf replacement message (FortiOS Carrier to Sender)
7. Close TCP session
8. Notification message to administrators (various protocols); sent once per notification period, regardless of how many messages are blocked

Figure 264: MM1 message flood and duplicate message blocking of received messages
Participants: MMSC, FortiOS Carrier, Receiver.
1. GET request for message (Receiver to FortiOS Carrier)
2. GET request for message (FortiOS Carrier to MMSC)
3. m-retrieve.conf message (MMSC to FortiOS Carrier)
4. Flood or duplicate blocked (at FortiOS Carrier)
5. m-retrieve.conf replacement message (FortiOS Carrier to Receiver)
6. Notification message to administrators (various protocols); sent once per notification period, regardless of how many messages are blocked

Figure 265: MM4 message flood and duplicate message blocking
Participants: Forwarding Operator MMSC, FortiOS Carrier, Receiving Operator MMSC.
1. Open TCP session (Forwarding MMSC to FortiOS Carrier)
2. Open TCP session (FortiOS Carrier to Receiving MMSC)
3. Send full MM4-forward.req message (Forwarding MMSC to FortiOS Carrier)
4. Send full MM4-forward.req message, without ‘.’ on a single line (FortiOS Carrier to Receiving MMSC)
5. m-retrieve.conf message
6. Flood or duplicate blocked (at FortiOS Carrier)
7. Reset TCP session (FortiOS Carrier to Receiving MMSC)
8. Send 250 response (FortiOS Carrier to Forwarding MMSC)
9. Close TCP session
10. Open new TCP session
11. Send MM4-forward.res message
12. Close TCP session
(Steps 10, 11 and 12 are only initiated if the MM4-forward.req message requested a response.)
13. Notification message to administrators (various protocols); sent once per notification period, regardless of how many messages are blocked

MMS protection profiles
An MMS protection profile is a group of settings that you can apply to an MMS session
matched by a firewall policy.
MMS protection profiles are easy to configure and can be used by more than one firewall
policy. You can configure a single MMS protection profile for the different traffic types
handled by a set of firewall policies that require identical protection levels and types. This
eliminates the need to repeatedly configure those same MMS protection profile settings
for each individual firewall policy.
For example, while traffic between trusted and untrusted networks might need strict
protection, traffic between trusted internal addresses might need only moderate
protection. You would configure two separate MMS protection profiles to provide the
different levels of protection: one for traffic between trusted networks, and one for traffic
between trusted and untrusted networks.
Once you have configured the MMS Protection Profile, to apply the profile to MMS traffic
you need to add it to a firewall policy.

Bypassing MMS protection profile filtering based on user’s carrier
end points
You can use carrier end point filtering to exempt MMS sessions from MMS protection
profile filtering. Carrier end point filtering matches carrier end points in MMS sessions with
carrier end point patterns. If you add a carrier end point pattern to a filter list and set the
action to exempt from all scanning, all messages from matching carrier end points bypass
MMS protection profile filtering. See “Controlling access to MMS services based on a
user’s carrier end point” on page 87.

Applying MMS protection profiles to MMS traffic
To apply an MMS protection profile you must first create the MMS protection profile and
then add the MMS protection profile to a firewall policy by enabling the UTM option. The
MMS protection profile then applies to the traffic accepted by that firewall policy.
MMS protection profiles can contain settings relevant to many different services. Each
firewall policy uses the subset of the MMS protection profile settings that apply to the
sessions accepted by the firewall policy. In this way, you might define just one MMS
protection profile that can be used by many firewall policies, each policy using a different
or overlapping subset of the MMS protection profile.
To add an MMS protection profile to a firewall policy
1 Go to UTM > Carrier > MMS Profile.
2 Select Create New to add an MMS protection profile.
3 Configure and save the new MMS protection profile.
4 Go to Firewall > Policy.
5 Select Create New to add a firewall policy, or select an existing policy and Edit to add
the MMS profile.
6 Configure the firewall policy as required.
7 Enable UTM.
8 Select Enable MMS Profile, and select the MMS profile to add to the firewall policy.
9 Select OK.

GTP basic concepts
GPRS currently supports data rates from 9.6kbps to 100+kbps, and is best suited for burst
forms of traffic. GPRS involves both radio and wired components. The mobile phone
sends the message to a base station unit (radio based), and the base station unit sends
the message to the carrier network and eventually the Internet (wired carrier network).
The network system then either sends the message back to a base station and to the
destination mobile unit, or forwards the message to the proper carrier’s network where it
gets routed to the mobile unit.
This section includes:
• PDP Context
• GPRS security

GPRS security
The GPRS network has some built-in security in the form of GPRS authentication.
However this is minimal, and is not sufficient for carrier network security needs. A GTP
firewall, such as FortiOS Carrier, is required to secure the Gi, Gn, and Gp interfaces.

GPRS authentication
GPRS authentication is handled by the SGSN to prevent unauthorized GPRS calls from
reaching the GSM network beyond the SGSN (the base station system, and mobile
station). Authentication is accomplished using some of the customer’s information with a
random number and uses two algorithms to create ciphers that then allow authentication
for that customer.
User identity confidentiality ensures that customer information stays between the mobile
station and the SGSN — no identifying information goes past the SGSN. Past that point
other numbers are used to identify the customer and their connection on the network.
Periodically the SGSN may request identity information from the mobile station to
compare to what is on record. This specifically looks at the IMEI number.
Call confidentiality is achieved through the use of a cipher, similar to the GPRS
authentication described earlier. The cipher is applied between the mobile station and the
SGSN. Essentially a cipher mask is XORed with each outgoing frame, and the receiving
side XORs with its own cipher to result in the original frame and data.

Parts of a GPRS network
A sample GTP network consists of the end handset sender, the sender’s mobile station,
the carrier’s network including the SGSN and GGSN, the receiver’s mobile station, and
the receiver handset.
When a handset moves from one mobile station and SGSN to another, the handset’s
connection to the internet is preserved because the tunnel the handset has to the internet
using GTP tracks the user’s location and information. For example the handset could
move from one cell to another, or between countries.
The parts of a GPRS network can be separated into the following groups according to the
roles of the devices:
• Radio access to the GPRS network is accomplished by mobile phones and mobile stations (MS). See “Radio access” on page 1747.
• Transport of the GPRS packets across the GPRS network is accomplished by SGSNs and GGSNs, both local and remote, by delivering packets to the external services. See “Transport” on page 1747.
• Billing and records are handled by CDF, CFR, HLR, and VLR devices. See “Billing and records” on page 1748.

GPRS networks also rely on access points and PDP contexts as central parts of the
communication structure. They are not actual devices, but critical just the same.
For more information on APN, see “Access Point Number (APN)” on page 1850. For more
information on PDP Context, see “PDP Context” on page 1749.
These devices, their roles, neighboring devices, the interfaces and protocols they use are
outlined in the following table. These devices and their connections can be viewed in the
“Packet flow through the GPRS network” on page 1752.

Table 116: Devices on the GPRS network
Device role           | Neighboring devices                                                     | Interfaces used         | Protocols used
Mobile Phone          | MS                                                                      | radio access technology |
Mobile Stations (MS)  | Mobile Phone, SGSN                                                      | Gb                      | IP, Frame Relay
SGSN (local)          | MS, SGSN (local or remote), GGSN (local and remote), CDR, CFR, HLR, VLR | Ga, Gb, Gn, Gp, Gz      | IP, Frame Relay, GTP, GTP’
SGSN (remote)         | SGSN (local)                                                            | Gn                      | GTP
GGSN (local)          | SGSN (local or remote), GGSN (local and remote), CDR, CFR, HLR, VLR     | Ga, Gi, Gn, Gp, Gz      | IP, GTP, GTP’
GGSN (remote)         | SGSN (local), WAP gateway, Internet, other external services            | Gi, Gp                  | IP, GTP
CDR, CFR              | SGSN (local), GGSN (local)                                              | Ga, Gz                  | GTP’
HLR, VLR              | SGSN (local), GGSN (local)                                              | Ga, Gz                  | GTP’

Radio access
For a mobile phone to access the GPRS core network, it must first connect to a mobile
station. This is a cellular tower that is connected to the carrier network.
How the mobile phone connects to the mobile station (MS) is determined by what radio
access technologies are supported by the MS.

Transport
GTP
GPRS Tunnelling Protocol (GTP) is a group of IP-based communications protocols used
to carry General Packet Radio Service (GPRS) within Global System for Mobile
Communications (GSM) and Universal Mobile Telecommunications System (UMTS)
networks. It allows carriers to transport actual cellular packets over their network via
tunneling. This tunneling allows users to move between SGSNs and still maintain
connection to the internet through the GGSN.
On a GPRS network, Packet Data Protocol (PDP) context is a data structure used by both
the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node
(GGSN). The PDP context contains the subscriber’s information including their access
point, IP address, IMSI number, and their tunnel endpoint ID for each of the SGSN and
GGSN.
There have been two versions of GTP to date. The original version of GTP (version 0) had
the following differences from the current version (version 1):
• the tunnel identification was not random
• there were options for transporting X.25
• the fixed port number 3386 was used for all functions, not just charging
• optionally, TCP was allowed as a transport instead of UDP
• not all message types are supported in version 0

GTP-C
GTP-C refers to the control layer of the GPRS Transmission network. This part of the
protocol deals with network related traffic. For more information on GTP-C, see “GTP-C
messages” on page 1843.

GTP-U
GTP-U refers to the user layer of the GPRS Tunneling network. This part of the protocol
deals with user related traffic, user tunnels, and user administration issues.
A GTP-U tunnel is identified by a TEID, an IP address, and a UDP port number. The IP
address and the UDP port number define a UDP/IP path, a connectionless path between
two endpoints (i.e. SGSN or GGSN). The TEID identifies the tunnel endpoint in the
receiving GTP-U protocol entity; it allows for the multiplexing and demultiplexing of GTP
tunnels on a UDP/IP path between a given GSN-GSN pair. For more information on GTP-U, see “GTP-U messages” on page 1844.
The GTP core network consists of one or more SGSNs and GGSNs.

GGSN
The GGSN connects the GPRS network to outside networks such as the Internet. These
outside networks are called packet data networks (PDNs). The GGSN acts as an edge
router between the two different networks — the GGSN forwards incoming packets from
the external PDN to the addressed SGSN and the GGSN also forwards outgoing packets
to the external PDN. The GGSN also converts packets between the GPRS format used
with the SGSN and the external format, such as IP or X.25.

SGSN
The SGSN connects the GPRS network to mobile stations, and mobile units. Each SGSN
has a geographical area, and mobile phones in that area connect to the GPRS network
through this SGSN. The SGSN also maintains a location register that contains the customer’s
location and user profiles until they connect through a different SGSN at which time the
customer information is moved to the new SGSN. This information is used for packet
routing and transfer, mobility management also known as location management, logical
link management, and authentication and billing functions.

Billing and records
A major part of the GPRS network is devoted to billing. Customer billing requires enough
information to identify the customer, and then billing specific information such as
connection locations and times, as well as amount of data transferred. A modified form of
GTP called GTP’ is used for billing. The home location records and visitor location records
store information about customers that is critical to billing.

GTP’
GTP is used to handle tunnels of user traffic between SGSNs and GGSNs. However for
billing purposes, other devices that are not supported by GTP are required. GTP’ (GTP
prime) is a modified form of GTP and is used to communicate with these devices such as
the Charging Data Function (CDF) that communicates billing information to the Charging
Gateway Function (CGF). In most cases, GTP’ transports user records from many
individual network elements such as the GGSNs to a centralised computer which then
delivers the charging data more conveniently to the network operator's billing center, often
through the CGF. The core network sends charging information to the CGF, typically
including PDP context activation times and the quantity of data which the end user has
transferred.
GTP’ is used by the Ga and Gz interfaces to transfer billing information. GTP’ uses
registered UDP/TCP port 3386. GTP’ defines a different header, additional messages,
field values, as well as a synchronisation protocol to avoid losing or duplicating CDRs on
CGF or SGSN/GGSN failure. Transferred CDRs are encoded in ASN.1.

HLR
The Home Location Register (HLR) is a central database that contains details of each
mobile phone subscriber that is authorized to use the GSM core network. There can be
several logical, and physical, HLRs per public land mobile network (PLMN), though one
international mobile subscriber identity (IMSI)/MSISDN pair can be associated with only
one logical HLR (which can span several physical nodes) at a time. The HLRs store
details of every SIM card issued by the mobile phone operator. Each SIM has a unique
identifier called an IMSI which is the primary key to each HLR record.

VLR
The Visitor Location Register (VLR) is a database which stores information about all the
mobile devices that are currently under the jurisdiction of the Mobile Switching Center
which it serves. Of all the information the VLR stores about each Mobile Station, the most
important is the current Location Area Identity (LAI). This information is vital in the call
setup process.
Whenever an MSC detects a new MS in its network, in addition to creating a new record in
the VLR, it also updates the HLR of the mobile subscriber, informing it of the new location
of that MS.
For more information on GTP’, see “GTP-U and Charging Management Messages” on
page 1844.

PDP Context
When a mobile customer has an active connection open, either voice or data, both the
SGSN and GGSN have the packet data protocol (PDP) context information for that
customer and session.
When a mobile phone wants to communicate with an address on an external packet
network, either an IP or X.25 address, the mobile station that phone is connected to opens
a PDP context through the SGSN and GGSN to the end address. Before any traffic is
sent, the PDP context must first be activated.
The information included in the PDP context includes the customer’s IP address, the IMSI
number of the mobile handset, and the tunnel endpoint ID for both the SGSN and GGSN.
The ID is a number that allows the session to be unique, much like a session ID on a
TCP/IP firewall. All this information ensures a uniquely identifiable connection is made.
Since one mobile device may have multiple connections open at one time, such as data
connections to different Internet services and voice connections to different locations,
there may be more than one PDP context with the same IP address making the extra
identifying information required.
The end point that the mobile phone is connecting to only knows about the GGSN — the
rest of the GPRS connection is masked by the GGSN.

Along the PDP context path, communication is accomplished using three different
protocols:
• The connection between the Mobile Station and SGSN uses the SM protocol.
• Between SGSN and GGSN, GTP is used.
• Between GGSN and the end point, either IP or X.25 is used.

FortiOS Carrier is concerned with the SGSN to GGSN part of the PDP context — the part
that uses GTP.
For more about PDP context, see “Tunnel Management Messages” on page 1843.

Creating a PDP context
While FortiOS Carrier is concerned mostly with the SGSN to GGSN part of the PDP
Context, knowing the steps involved in creating a PDP context helps understand the role
each device, protocol, and message type plays.
Either a mobile station or a GGSN can create a PDP context.
A Mobile Station creates a PDP context
1 The Mobile Station (MS) sends a PDP activation request message to the SGSN
including the MS PDP address, and APN.
2 Optionally, security functions may be performed in order to authenticate the MS.
3 The SGSN determines the GGSN address by using the APN identifier.
4 The SGSN creates a downlink GTP tunnel to send IP packets between the GGSN and
SGSN.
5 The GGSN creates an entry in its PDP context table to deliver IP packets between the
SGSN and the external packet switching network.
6 The GGSN creates an uplink GTP tunnel to route IP-PDU from SGSN to GGSN.
7 The GGSN then sends back to the SGSN the result of the PDP context creation and if
necessary the MS PDP address.
8 The SGSN sends an Activate PDP context accept message to the MS, returning the
negotiated PDP context information and, if necessary, the MS PDP address.
9 Now traffic can pass from the MS to the external network end point.
A GGSN creates a PDP context
1 The network receives an IP packet from an external network.
2 The GGSN checks if the PDP Context has already been created.
3 If not, the GGSN sends a PDU notification request to the SGSN in order to
initiate a PDP context activation.
4 The GGSN retrieves the IP address of the appropriate SGSN by interrogating the HLR
using the IMSI identifier of the MS.
5 The SGSN sends to the MS a request to activate the indicated PDP context.
6 The PDP context activation procedure follows the one initiated by the MS. See “A
Mobile Station creates a PDP context” on page 1750.
7 When the PDP context is activated, the IP packet can be sent from the GGSN to the
MS.

Terminating a PDP context
A PDP context must be terminated or else it remains open. To terminate the PDP context
an MS sends a Deactivate PDP context message to the SGSN, which then sends a
Delete PDP Context message to the GGSN. When the SGSN receives a PDP context
deletion acknowledgment from the GGSN, the SGSN confirms to the MS the PDP context
deactivation. The PDP context can also be terminated by the SGSN or GGSN, with a slight
variation in the order of the messages passed.
When the PDP Context is terminated, the tunnel it was using is deleted as well. If this is
not completed in a timely manner, it is possible for someone else to start using the tunnel
before it is deleted. This hijacking will result in the original customer being overbilled for
the extra usage. Anti-overbilling helps prevent this. See “Configuring Anti-overbilling in
FortiOS Carrier” on page 1838.
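A small model of the creation and termination procedures just described, added here as an illustration (not FortiOS or 3GPP code): the SGSN resolves the APN to a GGSN, the GGSN builds its PDP context table entry and a Gi-side connection, and deactivation deletes the tunnel. The notify_gi_on_delete switch, the IMSI and APN values, the address pool and the byte counts are constructed so the example can show why a Gi connection that outlives its GTP tunnel keeps charging the original subscriber (the Gi-side variant of the overbilling problem described in Table 117).

```python
from dataclasses import dataclass
import itertools


@dataclass
class PdpContext:
    imsi: str
    apn: str
    ms_ip: str       # the MS PDP address
    sgsn_teid: int   # tunnel endpoint IDs that make this tunnel unique
    ggsn_teid: int


class Ggsn:
    """PDP context table plus the Gi-side connections opened towards the PDN."""

    def __init__(self, ip_pool, notify_gi_on_delete):
        self.ip_pool = list(ip_pool)
        self.notify_gi_on_delete = notify_gi_on_delete
        self.contexts = {}     # ggsn_teid -> PdpContext
        self.gi_sessions = {}  # MS PDP address -> IMSI charged for traffic to it
        self.billing = {}      # IMSI -> bytes charged
        self._teids = itertools.count(1)

    def create_pdp_context(self, imsi, apn, sgsn_teid):
        """Steps 5-7 of 'A Mobile Station creates a PDP context'."""
        ms_ip = self.ip_pool.pop(0)
        ctx = PdpContext(imsi, apn, ms_ip, sgsn_teid, next(self._teids))
        self.contexts[ctx.ggsn_teid] = ctx   # step 5: PDP context table entry
        self.gi_sessions[ms_ip] = imsi       # Gi connection for that address
        return ctx                           # step 7: result and MS PDP address

    def delete_pdp_context(self, ggsn_teid):
        """Delete PDP Context: remove the tunnel and release the address."""
        ctx = self.contexts.pop(ggsn_teid)
        self.ip_pool.append(ctx.ms_ip)
        if self.notify_gi_on_delete:
            # Anti-overbilling behaviour: the Gi connection dies with the tunnel
            self.gi_sessions.pop(ctx.ms_ip, None)
        return True                          # deletion acknowledgment

    def packet_from_pdn(self, dst_ip, nbytes):
        """Downlink packet arriving over Gi: charged to the Gi session owner."""
        imsi = self.gi_sessions.get(dst_ip)
        if imsi is None:
            return False                     # no session: dropped, not charged
        self.billing[imsi] = self.billing.get(imsi, 0) + nbytes
        return True


class Sgsn:
    """Resolves the APN to a GGSN and drives activation and deactivation."""

    def __init__(self, apn_to_ggsn):
        self.apn_to_ggsn = apn_to_ggsn
        self.contexts = {}                   # sgsn_teid -> (Ggsn, PdpContext)
        self._teids = itertools.count(100)

    def activate(self, imsi, apn):
        """Steps 1-8: Activate PDP context request through to accept."""
        ggsn = self.apn_to_ggsn[apn]         # step 3: APN -> GGSN address
        sgsn_teid = next(self._teids)        # step 4: downlink tunnel endpoint
        ctx = ggsn.create_pdp_context(imsi, apn, sgsn_teid)
        self.contexts[sgsn_teid] = (ggsn, ctx)
        return sgsn_teid, ctx.ms_ip          # step 8: accept with the MS address

    def deactivate(self, sgsn_teid):
        """Deactivate PDP context from the MS becomes Delete PDP Context to GGSN."""
        ggsn, ctx = self.contexts.pop(sgsn_teid)
        return ggsn.delete_pdp_context(ctx.ggsn_teid)


def bytes_billed_after_deactivation(notify_gi_on_delete):
    """Constructed scenario: the subscriber receives 1500 bytes, deactivates, and
    the Internet side keeps sending 4000 bytes to the address just released.
    Returns the bytes charged to that subscriber."""
    imsi = "262019876543210"                 # constructed IMSI
    ggsn = Ggsn(["10.20.0.1"], notify_gi_on_delete)
    sgsn = Sgsn({"internet.example": ggsn})
    sgsn_teid, ms_ip = sgsn.activate(imsi, "internet.example")
    ggsn.packet_from_pdn(ms_ip, 1500)        # legitimate traffic while active
    sgsn.deactivate(sgsn_teid)
    ggsn.packet_from_pdn(ms_ip, 4000)        # stale traffic after the tunnel is gone
    return ggsn.billing.get(imsi, 0)
```

With notify_gi_on_delete=False the subscriber is charged 5500 bytes although the tunnel was deleted after 1500; with it set to True the stale 4000 bytes are dropped and the charge stays at 1500.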

GPRS network common interfaces
There are interfaces for each connection on the GPRS network. An interface is an
established standard form of communication between two devices. Consider a TCP/IP
network. In addition to the transport protocol (TCP) there are other protocols on that
network that describe how devices can expect communications to be organized, just like
GPRS interfaces.

Interfaces between devices on the network
There are a series of interfaces that define how different devices on the carrier network
communicate with each other. These interfaces are called Ga to Gz, and each one defines
how a specific pair of devices will communicate. For example, Gb is the interface between
the base station and the SGSN, and Gn is one possible interface between the SGSN and
GGSN.
The SGSN and GGSN keep track of the CDR information and forward it to the Charging
Data Function (CDF) using the Gr interface between the SGSN and home location register
(HLR), Gs interface between the SGSN and MSC (VLR), Gx interface between the GGSN
and the Charging Rules Function (CRF), Gy between the GGSN and online charging
system (OCS), and finally Gz which is the off-line (CDR-based) charging interface
between the GSN and the CG that uses GTP'.
Each of these interfaces on the GPRS network has a name in the format Gx, where
x is a letter of the alphabet that determines what part of the network the interface is used
in. It is common for network diagrams of GPRS networks to include the interface name on
connections between devices. See “Packet flow through the GPRS network” on
page 1752.
Tip: The FortiOS Carrier unit only provides protection on the Gn, Gp, and Gi interfaces.
Table 117: GPRS network interfaces, their roles, and billing

Ga
Device connections that use this interface: CDR and GSN (SGSNs and GGSNs)
Traffic protocol used: GTP’ (GTP modified to include the CDR role)
Its role or how it affects billing: CDRs hold the accounting records that are compiled in
the GSN and then sent to the Charging Gateway (CG).

Gb
Device connections that use this interface: MS and SGSN
Traffic protocol used: Frame Relay or IP
Its role or how it affects billing: When an IP address moves to a new MS, the old MS may
continue to use and bill that IP address.

Gi
Device connections that use this interface: GGSN and public data networks (PDNs)
Traffic protocol used: IP based
Its role or how it affects billing: This is the connection to the Internet. If the GTP tunnel is
deleted without notifying the Gi interface, the connection may remain open, incurring
additional charges. FortiOS Carrier firewalls this interface.

Gn
Device connections that use this interface: SGSN and external SGSNs and internal GGSNs
Traffic protocol used: GTP
Its role or how it affects billing (shared with Gp): When the GTP tunnel is deleted, the
other interfaces need to be informed immediately to prevent misuse of connections that
remain open. FortiOS Carrier firewalls these interfaces.

Gp
Device connections that use this interface: Internal SGSN and external GGSNs
Traffic protocol used: GTP
Its role or how it affects billing (shared with Gn): When the GTP tunnel is deleted, the
other interfaces need to be informed immediately to prevent misuse of connections that
remain open. FortiOS Carrier firewalls these interfaces.

Gz
Device connections that use this interface: GSN (SGSN and GGSN) and the charging
gateway (CG)
Traffic protocol used: GTP’
Its role or how it affects billing: Used for the offline charging interface. Ga is used for
online charging.

Note: Corporate customers may have a direct connection to the Gi interface for higher security. The
Gi interface is normally an IP network, though a tunnelling protocol such as GRE or IPsec may be
used instead.

Packet flow through the GPRS network
To better understand the GPRS network, we will follow the path data takes for a normal
connection. For this example a mobile phone is placing a call that involves accessing
services on the Internet.
Figure 266: Sample GPRS network topology
[Figure not reproduced. It shows Mobile Station (MS) 1 and MS 2, each with a mobile phone
(Sender_location1, Sender_location2), connected over Gb to an internal SGSN (node 1) and an
external SGSN (node 2). The SGSNs connect over Gn to an internal GGSN and over Gp to an
external GGSN. The internal GGSN connects over Gi to the Internet and a WAP gateway, the
external GGSN over Gi to a corporate IP network. The billing elements (HLR, VLR, CDF, CGF)
are reached over the Ga and Gz interfaces.]
1 A mobile phone places a call using a mobile station (MS). This connection between the
mobile phone and the MS is a radio connection using one of the radio access
technologies. See “Radio Access Technology (RAT) type” on page 1850.
2 The MS connects to a GPRS System Node (GSN), specifically a Sending GSN. This
connection uses the Gb interface and typically runs over IP or Frame Relay.

3 The SGSN checks the mobile phone information located in the home location register
(HLR) or visitor location register (VLR) to ensure there is subscriber information for that
phone. If this mobile phone is from another network, it uses the VLR and updates its
home carrier’s information with its current location and information. This connection
involves the Ga or Gz interfaces, and uses the GTP’ protocol for communication.
4 The SGSN checks records to make sure the phone didn’t transfer this connection from
a different MS. If that is the case, the connection has already been established (along
with the billing) and is handed off to this SGSN. If the call is being handed over from
another SGSN, it will use the Gn interface between the two SGSNs.
5 The SGSN sends GTP messages to the local external Gateway GSN (GGSN) to
create a GTP tunnel for this PDP context to access the Internet. It is possible that a
remote GGSN has access to a service, such as a WAP gateway, that the local GGSN
is missing. In this situation, the local SGSN uses the Gp interface to connect to the
remote GGSN. Both the Gn and Gp interfaces use GTP.
6 Both the local and remote GGSNs connect to external services outside the GPRS
network. These services can include a WAP gateway, a corporate IP network directly
connected to the GPRS network, or the Internet. The connection from the GGSN to the
external services uses the Gi interface.

Dynamic profiles and profile groups
This section explains how to set up the FortiOS Carrier dynamic profile to extract carrier
end points, IP addresses, and profile group names from RADIUS records and how to use
this information to dynamically apply profile groups to communication sessions. This
section also describes configuring HTTP header options, and cookie overrides.
This section describes:
• Dynamic profile and RADIUS-based accounting systems
• HTTP header options
• Cookie Override configuration

Dynamic profile and RADIUS-based accounting systems
The dynamic profile functions like an application programming interface (API) between
FortiOS Carrier and RADIUS-based accounting systems. Service providers can add
customer identifying information and profile group names to their accounting system.
Then, in response to a customer connecting to the service provider network (for example,
by using a mobile phone to browse the Web), the service provider accounting system can
send a RADIUS Start record to FortiOS Carrier. FortiOS Carrier then uses the dynamic
profile configuration to extract customer identifying information from the RADIUS Start
record.
A useful example of the dynamic profile is the application of parental controls to customer
communication sessions. Service providers can create profile groups that provide different
levels of parental controls. Then, as requested by customers, these different levels of
parental controls can be applied to communication sessions; the level of parental control
depending on the profile group name added to the customer’s account in the service
provider accounting system. For a detailed example of parental controls used this way,
see “Example: Parental control dynamic profile group configuration” on page 1763.
Figure 267: Information flow between customers, the service provider accounting system,
and FortiOS Carrier
[Figure not reproduced. It shows the following numbered flow:
1 Customer connects to the service provider network.
2 Accounting server identifies the customer.
3 Accounting server sends a RADIUS Start record to FortiOS Carrier; it includes the source
IP, carrier end point, and profile group name.
4 Customer session received by FortiOS Carrier.
5 FortiOS Carrier uses the source IP and carrier end point to select a profile group to apply
to the session.
6 Customer session filtered by the profile group, then passed to the Internet.]

About carrier end points
The FortiOS Carrier term for customer identifying information is carrier end point. The
carrier end point can be any information that the service provider uses to identify a
customer and the device that the customer is using to connect to the network. For
example, if the customer is using a mobile phone, the carrier end point could be the
phone’s MSISDN number. The carrier end point information must be included in the
RADIUS Start record and must be available in the customer communication session (for
example, in the HTTP header).
Note: In most cases, FortiOS Carrier can find the carrier end point and IP address in
customer communication sessions. An important exception is WAP traffic. Because WAP
traffic may have the source IP address changed from the customer’s IP address to the IP
address of the WAP server, extra configuration may be required to extract the carrier end
point and source IP address from WAP traffic. See “HTTP header options” on page 1767
for information on configuring FortiOS Carrier for WAP traffic. In fact the HTTP header
options always control how FortiOS Carrier extracts information from customer
communication sessions. But, in most cases, you do not need to change the default setting
of Use Session IP Address.

Without the carrier end point, customers can only be identified by the IP address of the
device that they are using. Because IP addresses may not be permanent or multiple users
may be behind a NAT device, the additional carrier end point information is a more reliable
and accurate way to identify individual customers.

Dynamic profiles and firewall policies
For FortiOS Carrier to dynamically apply profile groups, you must add firewall policies that
accept customer communication sessions. These firewall policies must include a profile
group—it is through the profile group that FortiOS Carrier extracts the carrier end point
from the communication session.
The profile group added to the firewall policy also acts as a default or fail-safe profile group
that is used if one cannot be dynamically assigned. You can use this default profile group
to apply the minimum or default protection to the customer communication session, with
the dynamically assigned profiles providing either increased protection or exemptions
from protection depending on how you want to configure the system. For an illustration of
this interaction, see “Example: Parental control dynamic profile group configuration” on
page 1763.
Note: A profile group may fail to be dynamically assigned to a carrier end point for the
following reasons:
• The RADIUS Start record that includes the carrier end point does not include a profile
group name.
• The RADIUS Start record that includes the carrier end point does not include a profile
group name that matches the name of a profile group added to FortiOS Carrier.
• The carrier end point in the communication session does not match any of the carrier
end points received by FortiOS Carrier from a RADIUS Start record. When this
happens, FortiOS Carrier waits for a short time to receive a new RADIUS Start record
before using the default profile group. The User Context Creation Timeout controls the
amount of time FortiOS Carrier waits. To change this timeout, see “Timeout options” on
page 1762.


Accounting system RADIUS configuration
You can configure dynamic profiles to work with most service provider RADIUS-based
accounting systems. In most cases, you only need to do the following to your accounting
system before you can use dynamic profiles:
• Add a profile group name field to customer accounts so that the name is added to the
RADIUS Start record sent by the accounting system to FortiOS Carrier. Profile group
names only have to be added to the accounts of customers who purchase the service
provided by the profile groups. If a profile group is not found in a RADIUS Start record,
FortiOS Carrier reverts to the default profile group.
• Configure your accounting system to send RADIUS Start records to the FortiOS Carrier
unit. You can send the RADIUS Start records to any FortiOS Carrier network interface.
If your FortiOS Carrier unit is operating with virtual domains (VDOMs) enabled, the
RADIUS Start records must be sent to a network interface in the management VDOM.

About the user context list
FortiOS Carrier maintains a dynamic user context list — a list of current carrier end
points, IP addresses, and profile group names received in RADIUS Start records. FortiOS
Carrier uses timeouts to make sure that the list contains only current information,
removing entries that are no longer needed (see “Timeout options” on page 1762).
FortiOS Carrier can also remove entries from the user context list if the accounting system
sends a RADIUS Stop record when a customer finishes a communication session. When
FortiOS Carrier receives a RADIUS Stop record, the carrier end point in the record is
removed from the user context list. The RADIUS Stop records are optional, but they make
sure FortiOS Carrier maintains an accurate user context list.
Note: You can use the IP Filter list to block access through FortiOS Carrier for carrier end
points. To use this feature, add carrier end points to the list and select block traffic. FortiOS
Carrier uses the user context list to look up a carrier end point in the IP filter list to find the
source IP address that the carrier end point is using. Then, at the IP level, FortiOS
Carrier blocks all sessions from that source IP address.

Figure 268: FortiOS Carrier dynamic profile information flow
[Figure not reproduced. It shows the following numbered flow:
1 FortiOS Carrier receives a RADIUS Start record.
2 The dynamic profile process extracts the source IP, carrier end point, and protection
profile name.
3 Source IP, carrier end point, and protection profile name are added to the user context
list.
4 A firewall policy with a profile group receives the customer session.
5 The dynamic profile selection process extracts the source IP and carrier end point from
the customer session.
6 The dynamic profile selection process queries the user context list for the profile group
name.
7 The profile group name is found and selected by the dynamic profile selection process.
8 The profile group is applied to the customer session.
9 Traffic is allowed or blocked by the profile group.]


Accepting sessions from dynamic profile users only
Extracting a carrier end point from the content of a communication session creates extra
processing overhead for the FortiOS Carrier unit. This extra overhead is acceptable for
communication sessions that you want to apply dynamic profiles to because of the ability
to examine the content of the communication session.
However, communication sessions that do not have a carrier end point in the user context
list also create the same extra processing overhead only to be dropped when no match is
found. In some cases you can reduce the amount of processing overhead by adding
specific source and destination addresses to a dynamic profile firewall policy so that the
policy matches fewer sessions. However, this may or may not work depending on factors
such as your network design.
A better solution is to select Dynamic Profile Users Only in the firewall policy. If this option
is selected, the dynamic profile policy only accepts sessions with source addresses that
are in the user context list. Sessions with source addresses that are not in the user context
list do not match the policy. For sessions that don’t match the policy, the FortiOS Carrier
unit continues searching down the policy list for a match.
You can add policies below the dynamic profile policy to apply various FortiOS Carrier
features to non-dynamic profile sessions. For example:

• To block all non-dynamic profile sessions, make the next policy in the list a deny policy
that matches all traffic. You could select Log Violation Traffic in this policy to log all
non-dynamic profile sessions.
• To use traffic shaping to reduce the bandwidth available for non-dynamic profile
sessions, add a restrictive traffic shaper to the policy below the dynamic profile policy.


The Dynamic Profile Users Only option also allows you to differentiate between dynamic
profile and non-dynamic profile sessions without including a profile group in the dynamic
profile policy. You can use this property to apply a profile group only to non-dynamic profile
traffic by adding a profile group to the next policy in the list. All dynamic profile sessions
would use the dynamic profile policy and all non-dynamic profile sessions would use the
next policy.
One example use of this configuration would be if you can assume that your dynamic
profile users are not a security risk and you want to give them the benefit of enhanced
performance of firewall sessions that do not apply a profile group.
Note: With Dynamic Profile Users Only selected, the FortiOS Carrier unit does not wait for
the User Context Creation Timeout to see if a matching entry is added to the user context
list. If there is a delay in receiving the RADIUS record and adding entries to the user context
list, it is possible that sessions may not be matched with the dynamic profile firewall policy
when they should be. If users experience this problem you may need to improve the
performance of your RADIUS server, network, or FortiOS Carrier unit. For more information
about the User Context Creation Timeout, see “Timeout options” on page 1762.

Configuring the dynamic profile
You can configure the dynamic profile to:
• Enable dynamically assigning profile groups
• Select the protocols that FortiOS Carrier can dynamically assign profile groups to
• Configure the RADIUS options used by FortiOS Carrier to extract information from the
RADIUS Start record and to communicate with the RADIUS server
• Change timeouts that control how long FortiOS Carrier keeps entries in the carrier end
point list and how long FortiOS Carrier waits for a user context entry to be added after
receiving a communication session
• Select the kinds of log messages that FortiOS Carrier writes when dynamic profile
events occur.

To view the dynamic profile settings, go to System > Dynamic Profile. Complete the fields
described in the following sections and select Apply.

Figure 269: Example dynamic profile configuration

Enabling dynamic profile configuration
You need to select Enable to enable the dynamic profile. Then, configure the other
required dynamic profile settings and select Apply, so that FortiOS Carrier can accept
connections on the RADIUS server TCP port number configured in the dynamic profile
(see “RADIUS options” on page 1761).
As well, FortiOS Carrier attempts to dynamically assign a profile group to all
communication sessions accepted by any firewall policy that includes a profile group.
FortiOS Carrier can dynamically assign a profile group only if both the following conditions
are met:
• a match is found between the carrier end point and source IP address in the
communication session and a carrier end point and source IP address received in a
RADIUS Start record
• the RADIUS Start record includes a profile group name.

If either condition is not met, the dynamic profile configuration has no effect on the
communication session, and the session is processed normally.

Protocol settings
You can select the protocols to dynamically assign profile groups to. By default, all
protocols listed are selected because, in most cases, you would want to do this. Clear the
check box for any protocol to exempt it. For example, if you want to bypass customer VoIP
sessions, clear the IM / IPS / VOIP check box.

Figure 270: Example protocol settings

You may want to disable the protocols that you do not need to reduce load on the FortiOS
Carrier unit and improve performance. For example, if you are not using FortiGuard
overrides you could disable this setting to save system resources. The same is true for
IPS. If the dynamically assigned profile groups use IPS then you should enable IM / IPS /
VOIP.
If you enable Carrier End Point Logging, FortiOS Carrier inserts the appropriate carrier
end point into all log messages generated by FortiOS Carrier when these log messages
are generated by events related to processing a carrier end point communication session.

RADIUS options
You need to configure the dynamic profile RADIUS options to enable FortiOS Carrier to
interact with the RADIUS server to extract the carrier end point and profile group name.
Note: Dynamic profiles always use the RADIUS framed-ip-addr field to get the IP
address associated with the carrier end point.
Figure 271: Example dynamic profile RADIUS options

Send RADIUS Responses
Select if you want FortiOS Carrier to send RADIUS responses after receiving RADIUS
Start and Stop records. This setting may be required by your accounting system.

Validate RADIUS Secret
Select if you want FortiOS Carrier to verify that the RADIUS secret entered below
matches the RADIUS secret in the RADIUS Start or End record. You can use the RADIUS
secret to verify that the RADIUS record is valid.

RADIUS Server Port
If required, change the UDP port number used by the RADIUS accounting server for
sending RADIUS records. The default is 1813. FortiOS Carrier listens for RADIUS Start
and Stop records on this port.

RADIUS Secret
Enter the RADIUS secret used by the RADIUS accounting server.

Carrier End Point Attribute
To extract the carrier end point from the RADIUS Start record, this field must be set to
the name of the RADIUS attribute that contains the carrier end point. The example
dynamic profile in Figure 273 expects the carrier end point to be in the
Calling-Station-ID attribute. For details about RADIUS attributes see RFC 2138 and
RFC 2866.

Profile Attribute
To extract a profile group name from the RADIUS Start record, set this field to the name
of the RADIUS attribute that contains the profile group name. The example dynamic
profile in Figure 273 expects the profile group name in the Class attribute.

Profile Key
You can enter a string in this field if the Profile Attribute always contains the same text
string directly before the profile group name. For example, if the Profile Attribute always
includes the string profile_name= before the profile group name (for example,
profile_name=<profile_name_str>), set the Profile Key to profile_name. FortiOS Carrier
uses the string in the Profile Key to extract the profile name from the complete Profile
Attribute string.
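The RADIUS handling these options describe, as an added example that is not FortiOS code: the record is parsed as an RFC 2866 Accounting-Request, the Request Authenticator is checked against the shared secret (the check behind Validate RADIUS Secret), and the carrier end point, Framed-IP-Address and profile group name are pulled out according to the Carrier End Point Attribute, Profile Attribute and Profile Key settings. The secret, MSISDN, addresses and group name are constructed sample values, and the way the Profile Key separator is stripped is an assumption.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4        # RADIUS Code of accounting records (RFC 2866)
ATTR_FRAMED_IP_ADDRESS = 8    # attribute numbers are the RFC 2865/2866 values
ATTR_CLASS = 25
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2


def build_accounting_request(identifier, secret, attrs):
    """Build an Accounting-Request with a valid Request Authenticator
    (used here only to construct sample input)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 section 3: MD5(Code+ID+Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret, validate_secret=True):
    """Return {attribute type: [raw values]}; raise ValueError for a malformed
    packet or, when validating the secret, a bad Request Authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, body = packet[4:20], packet[20:]
    if validate_secret:
        expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
        if not hmac.compare_digest(expected, authenticator):
            raise ValueError("Request Authenticator mismatch (wrong RADIUS secret)")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, l = body[pos], body[pos + 1]
        attrs.setdefault(t, []).append(body[pos + 2:pos + l])
        pos += l
    return attrs


def extract_user_context(attrs, endpoint_attr=ATTR_CALLING_STATION_ID,
                         profile_attr=ATTR_CLASS, profile_key=None):
    """Apply the Carrier End Point Attribute, Profile Attribute and Profile Key
    settings. Returns (acct_status, carrier_end_point, ip, profile_group)."""
    try:
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE][0])[0]
        endpoint = attrs[endpoint_attr][0].decode("ascii")
        ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS][0]))
    except (KeyError, UnicodeDecodeError, ValueError, struct.error) as exc:
        raise ValueError("record lacks a usable end point or IP address") from exc
    profile = None
    if profile_attr in attrs:
        text = attrs[profile_attr][0].decode("ascii", "replace")
        if profile_key is None:
            profile = text
        elif profile_key in text:
            # Assumed handling: keep what follows the key and its '=' separator
            profile = text.split(profile_key, 1)[1].lstrip("=") or None
    return status, endpoint, ip, profile


def demo():
    """Constructed Start record: MSISDN in Calling-Station-Id, group in Class."""
    secret = b"constructed-secret"
    packet = build_accounting_request(7, secret, [
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.2.3").packed),
        (ATTR_CALLING_STATION_ID, b"48123456789"),
        (ATTR_CLASS, b"profile_name=teen_filter"),
    ])
    context = extract_user_context(parse_accounting_request(packet, secret),
                                   profile_key="profile_name")
    try:
        parse_accounting_request(packet, b"wrong-secret")
        rejected = False
    except ValueError:
        rejected = True   # what Protocol Errors logging would report
    return context, rejected
```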

Timeout options
The dynamic profile timeouts control how long FortiOS Carrier keeps entries in the user
context list. Usually you would not want entries staying in the user context list if they are
not being used. A smaller list is easier and more efficient for FortiOS Carrier to manage.
As well, because user context information can change, a smaller list means incorrect or
out-of-date information is more likely to be removed.
Figure 272: Example dynamic profile Timeout options

User Context Entry Timeout
Enter the number of seconds that a user context entry can remain in the list without
FortiOS Carrier receiving a communication session from the carrier end point. If a user
context entry is not being looked up, then the user must no longer be connected to the
network.
This timeout is only required if FortiOS Carrier does not receive the RADIUS Stop record.
However, even if the accounting system does send RADIUS Stop records, this timeout
should be set in case FortiOS Carrier misses one.
The default user context entry timeout is 28800 seconds (8 hours). You can keep this
timeout relatively high because it is not usually a problem to have a long list. But a
timeout is usually required because FortiOS Carrier should remove entries that are no
longer used.
You might want to reduce this timeout if the accounting server does not send RADIUS
Stop records. Also, if customer IP addresses change often, you might want to set this
timeout lower so that out-of-date entries are removed from the list.
Avoid entering a setting that is too low because FortiOS Carrier may remove user context
entries for users who are still connected.
Set the timeout to 0 if you do not want FortiOS Carrier to remove entries from the list
except in response to RADIUS Stop messages.

User Context Creation Timeout
If FortiOS Carrier receives a communication session and can’t find a corresponding
carrier end point and IP address in the user context list, the system waits for the User
Context Creation Timeout. If a match is not found after this timeout, FortiOS Carrier
applies the profile group in the firewall policy to the communication session.
The default user context creation timeout is 5 seconds. You might want to increase this
timeout if the default profile group, instead of the dynamic profile, is being applied to
users. This could be happening if there is a delay before FortiOS Carrier receives the
RADIUS Start record from the accounting server.
If you set this timeout to 0, FortiOS Carrier blocks communication sessions that do not
have a matching entry in the user context list.

Log settings
You can use Log settings to configure FortiOS Carrier to record event log messages for
dynamic profile events. You can also set a log message period to group log messages.

Figure 273: Example dynamic profile log settings

Log Message Period
Enter the time in seconds to group event log messages for dynamic profile events. For
example, if the log message period is 30 seconds, FortiOS Carrier generates groups of
single-event log messages every 30 seconds instead of generating event log messages
continuously. The grouped log messages generated each period contain a count of how
many events of that type occurred.
If you set this period to 0, FortiOS Carrier generates all event log messages in real time.

Protocol Errors
Select to have FortiOS Carrier generate event log messages if RADIUS protocol errors
occur. One example could be a RADIUS record containing a RADIUS secret that does not
match the one added to the dynamic profile.

Missing Profile Errors
Select to have FortiOS Carrier generate an event log message whenever FortiOS Carrier
cannot find a profile group name in a RADIUS start message that matches the name of a
profile group added to FortiOS Carrier.

Missing Context Errors
Select to have FortiOS Carrier generate an event log message whenever a user context
creation timeout expires, indicating that FortiOS Carrier was not able to match a
communication session because a matching entry was not found in the user context list.

Missed Accounting ‘Stop’ Events
Select to have FortiOS Carrier generate an event log message whenever a user context
entry timeout expires, indicating that FortiOS Carrier removed an entry from the user
context list without receiving a RADIUS Stop message.

Accounting Events
Select to have FortiOS Carrier generate an event log message when FortiOS Carrier does
not find the expected information in a RADIUS record. This may happen, for example, if a
RADIUS record contains more than the expected number of addresses.

Other Log Messages
Select to have FortiOS Carrier generate event log messages for other events. The event is
described in the log message. For example, a log message may be generated if the memory
limit for the user context list is reached and the oldest entries in the table have been
dropped.

Example: Parental control dynamic profile group configuration
This example describes how to create a dynamic profile group configuration that provides
parental controls for web browsing using FortiGuard Web Filtering.
The example requires at least two profile groups, one that provides default protection and
one that applies FortiGuard Web Filtering. For ease of configuration, you can use the
Scan default profile group for default protection. To apply FortiGuard Web Filtering you
can add a new profile group called fguard_parent and configure FortiGuard Web Filtering
to apply the required level of protection. You can add multiple levels of protection by
adding more profile groups with different FortiGuard Web Filtering settings.
You must add at least one firewall policy that accepts traffic that profile groups should be
dynamically assigned to. You should add the scan profile group to this firewall policy.

Your accounting system should be able to send RADIUS Start and Stop records to a
FortiOS Carrier network interface. The Start record should be sent when a user first
connects to the network. If possible, a Stop record should also be sent when the user
disconnects from the network. If the FortiOS Carrier system has virtual domains enabled,
the interface that receives the RADIUS records should be in the management virtual
domain.
The accounting system must be able to include the following information in the RADIUS
Start records for this example to work:
• A RADIUS attribute containing a carrier end point (for example, the user’s MSISDN
number or other identifying information such as an email address). This example
includes the carrier end point in the RADIUS User-Name attribute. The User-Name is
the user’s email address.
• A RADIUS attribute containing the fguard_parent profile group name. You only have to
include this name for users who have requested the parental control service. This
example includes the profile group name in the RADIUS Class attribute with a prefix of
control= in the form: control=fguard_parent.
• The user’s source IP address should be included in the framed-ip-addr
(Framed_IP_Address) RADIUS attribute.
Finally, the dynamic profile must include the settings required to extract the carrier end
point and profile group name from the RADIUS Start message. You can configure other
dynamic profile settings as required for the RADIUS server.

To configure the parental control configuration on FortiOS Carrier
1 Add the fguard_parent Web Filter profile:
• Go to UTM > Web Filter > Profile and select Create New.
• Set the profile name to fguard_parent.
• Expand FortiGuard Web Filtering and change the configuration to apply parental
controls of HTTP traffic as required.
• Select OK to save the profile.
2 Add the parent profile group:
• Go to UTM > Profile Group > Profile Group.
• Select Create New, and name the group parent.
• Enable Web Filter, and select the fguard_parent profile from the list.
• Optionally configure other profile group settings such as virus scanning.

Figure 274: Example FortiGuard web filtering profile group configuration

3 Add a firewall policy that accepts HTTP traffic from a customer and includes the scan
profile group:
• Go to Firewall > Policy.
• Select Create New.
• Add a firewall policy. In the example, customers connect to FortiOS Carrier port7
and the internet is connected to port2. Select UTM > Group > Profile Group and
select parent from the profile group list.
• Select OK to save the firewall policy.

Figure 275: Example firewall policy that includes the scan profile group

4 Configure the accounting system:
• Configure the system to send RADIUS Start and Stop records to FortiOS Carrier.
• Add the fguard_parent profile group name to accounts of customers who have
requested parental controls.
5 In FortiOS Carrier, enable dynamic profile and configure RADIUS options as required
for the RADIUS server:
• Go to System > Dynamic Profile.
• Select Enable.
• Add the RADIUS server’s RADIUS Secret.
• Set Carrier End Point Attribute to User-Name.
• Set Profile Attribute to Class.
• Set Profile Key to control.
• Configure other dynamic profile options as required.
• Select Apply to save the dynamic profile configuration.
FortiOS Carrier now accepts RADIUS Start records on UDP port 1813, as shown in
Figure 275, and adds records to the user context list.

Figure 276: Example dynamic profile configuration

The parent profile group should now be applied to all user traffic if the user has
requested parental controls for web traffic. You can use the diagnose commands
described in “Dynamic Profile diagnose commands” on page 1855 to confirm that
FortiOS Carrier is receiving RADIUS Start records from the accounting system and is
able to extract IP addresses, carrier end points, and profile group names from them.
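The Start-record extraction used in this example (User-Name as the carrier end point, the Class attribute with the control= key as the profile group name, the framed IP address as the list key), together with the entry and creation timeouts described under the Timeout options above, modelled in Python. This is an added example, not FortiOS Carrier code or its real data structures: RADIUS records are represented as plain dicts, the event message texts and the known_groups tuple are assumptions, and the wait for the creation timeout is collapsed into an immediate decision because nothing asynchronous is being waited for.

```python
"""Model of the FortiOS Carrier user context list fed by RADIUS accounting.

Added example, not Fortinet code. RADIUS records are modelled as plain dicts of
attribute name -> value (constructed), the event strings are assumptions, and the
"wait for the creation timeout" is collapsed into an immediate decision.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DynamicProfileConfig:
    endpoint_attr: str = "User-Name"        # Carrier End Point Attribute
    profile_attr: str = "Class"             # Profile Attribute
    profile_key: str = "control"            # Profile Key: Class value is "control=<group>"
    ip_attr: str = "Framed-IP-Address"      # attribute carrying the user's source IP
    entry_timeout: int = 28800              # User Context Entry Timeout; 0 = never expire
    creation_timeout: int = 5               # User Context Creation Timeout; 0 = block on miss
    known_groups: Tuple[str, ...] = ("scan", "parent")   # profile groups added to the unit (assumed)


@dataclass
class ContextEntry:
    endpoint: str
    profile_group: Optional[str]
    last_seen: float          # time of the last Start record or session lookup


class UserContextList:
    def __init__(self, cfg: DynamicProfileConfig) -> None:
        self.cfg = cfg
        self.entries: Dict[str, ContextEntry] = {}   # keyed by source IP address
        self.events: List[str] = []                  # dynamic profile event log (constructed format)

    def radius_start(self, attrs: Dict[str, object], now: float) -> bool:
        """Extract IP, carrier end point and profile group name from a Start record."""
        cfg = self.cfg
        ip = attrs.get(cfg.ip_attr)
        endpoint = attrs.get(cfg.endpoint_attr)
        if not isinstance(ip, str) or not isinstance(endpoint, str):
            self.events.append("accounting-event: Start record lacks IP or carrier end point")
            return False
        group: Optional[str] = None
        for value in attrs.get(cfg.profile_attr, []):          # Class may be present several times
            if isinstance(value, str) and value.startswith(cfg.profile_key + "="):
                group = value.split("=", 1)[1]
        if group is not None and group not in cfg.known_groups:
            self.events.append(f"missing-profile: {group!r} for {endpoint}")
            group = None                                       # fall back to the policy's own group
        self.entries[ip] = ContextEntry(endpoint, group, now)
        return True

    def radius_stop(self, attrs: Dict[str, object]) -> bool:
        """A Stop record removes the entry for that IP address immediately."""
        ip = attrs.get(self.cfg.ip_attr)
        return self.entries.pop(ip, None) is not None

    def expire(self, now: float) -> int:
        """Drop entries not looked up within entry_timeout seconds; 0 disables the timeout."""
        if self.cfg.entry_timeout == 0:
            return 0
        stale = [ip for ip, e in self.entries.items()
                 if now - e.last_seen > self.cfg.entry_timeout]
        for ip in stale:
            self.events.append(f"missed-accounting-stop: {self.entries[ip].endpoint} ({ip})")
            del self.entries[ip]
        return len(stale)

    def resolve(self, src_ip: str, now: float, policy_group: str) -> Tuple[str, Optional[str]]:
        """Decide the profile group for a new session: (group or "block", carrier end point)."""
        entry = self.entries.get(src_ip)
        if entry is None:
            if self.cfg.creation_timeout == 0:
                return "block", None                           # timeout 0: unmatched sessions are blocked
            self.events.append(f"missing-context: no entry for {src_ip}")
            return policy_group, None                          # creation timeout expired: policy group
        entry.last_seen = now                                  # a lookup keeps the entry alive
        return entry.profile_group or policy_group, entry.endpoint


# Constructed sample Start record for a user who requested parental controls.
SAMPLE_START = {
    "Acct-Status-Type": "Start",
    "User-Name": "alice@example.com",
    "Class": ["control=parent"],
    "Framed-IP-Address": "10.10.0.5",
}

if __name__ == "__main__":
    ctx = UserContextList(DynamicProfileConfig())
    ctx.radius_start(SAMPLE_START, now=0.0)
    print(ctx.resolve("10.10.0.5", 10.0, "scan"))
    print(ctx.resolve("10.10.0.9", 10.0, "scan"))
    print(ctx.expire(now=28811.0), ctx.events)
```

The model makes the two failure modes the Log settings section logs visible: an unknown group name in the Class attribute produces a missing-profile event and the session silently gets the policy's group, and an entry that ages out without a Stop record produces a missed-accounting-stop event, which is the signal that the accounting server is not sending Stop records or that the entry timeout is set too low for still-connected users.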

HTTP header options
HTTP header options control how FortiOS Carrier finds source IP addresses and carrier
end points in communication sessions. In most cases, you do not have to change the
default setting Use Session IP Address. This setting assumes that the source IP address
of communication sessions is the actual IP address of the originator of the communication
session. This setting also causes FortiOS Carrier to look in the HTTP header for the
carrier end point.
However, some types of traffic are exceptions that require selection of one of the other
Profile Query types and additional configuration settings. An important exception is WAP
traffic because this traffic comes from a WAP server instead of directly from a customer.

How FortiOS Carrier applies HTTP header options
If the HTTP header option Profile Query Type is set to Use Session IP Address, when a
FortiOS Carrier firewall policy that contains a profile group receives a communication
session, FortiOS Carrier looks in the session header for the source IP address and carrier
end point and tries to match these with the user context list. If a match is found, FortiOS
Carrier adds the associated carrier end point to log messages and the associated profile
group is dynamically applied to the communication session. This is the expected
operation.
However, the following can happen if some or all of this information is not available:
• FortiOS Carrier cannot find a matching source IP address in the user context list: the
carrier end point is not added to log messages and the default profile group in the
firewall policy is applied to the communication session.
• A match is found but the matching entry in the user context list does not contain a
profile group name or the profile group name does not match the name of a profile
group added to FortiOS Carrier: the carrier end point is added to log messages but the
default profile group in the firewall policy is applied to the communication session.

If FortiOS Carrier receives WAP sessions (or other sessions that are exceptions), you
must change the HTTP header options to either Use Extracted IP Address or Use
Extracted Carrier End Point and configure additional settings to extract the IP address and
carrier end point from the communication session.
In some cases you may not be able to extract both the correct IP address and the correct
carrier end point. If this happens, you can configure HTTP header options settings to use
only the available information.
The following table illustrates what may happen when FortiOS Carrier receives a
communication session, depending on the selected Profile Query Type:
Table 118: Profile Query Type settings and FortiOS Carrier behavior

Profile Query Type: Use Extracted IP Address
Scenario: FortiOS Carrier extracts the original source IP address from the communication
session, finds a matching IP address in the user context list, and uses the associated
carrier end point and profile group name in the user context list for the communication
session. FortiOS Carrier cannot extract a carrier end point from the HTTP header, so
instead uses the one in the user context list.

Profile Query Type: Use Extracted Carrier End Point
Scenario: FortiOS Carrier extracts the carrier end point from the communication session,
finds a matching carrier end point in the user context list, and uses the associated profile
group name in the user context list for the communication session. FortiOS Carrier ignores
the IP address in the user context list.

Profile Query Type: Use Extracted IP Address or Use Extracted Carrier End Point
Scenario: FortiOS Carrier cannot find the specified IP address header or carrier end point
header. If Missing Header: Use Session IP Address is selected, FortiOS Carrier matches the
source IP address of the communication session with the user context list and uses the
associated carrier end point and profile group in the user context list with the
communication session.
Scenario: FortiOS Carrier cannot find the specified IP address header or carrier end point
header. If Missing Header: Use Session IP Address is not selected, FortiOS Carrier
processes the communication session as a normal communication session, that is, without
associating a carrier end point or dynamically applying a profile group.

Configuring carrier end point HTTP header options
You may want to change the way carrier end points (usually MSISDNs) are included in
communication sessions by your WAP gateway. Among other things, and depending on
your country and on the WAP gateway that you are using, the MSISDN may have different
formats, may be included in different x- fields, or may include hex values.
To configure carrier end point HTTP header options, go to System > Dynamic Profile >
HTTP Header Options. Complete the fields as described in the table below and select
Apply.
Figure 277: Carrier end point HTTP header options

General Options

Profile Query Type
Select the specific type of dynamic profile query to be executed:
Use Session IP Address: Default setting. Use the actual source IP address of the
communication session and the carrier end point extracted from the communication
session.
Use Extracted IP Address: Use the actual source IP address of communication sessions
and get the carrier end point from the user context list. Configure together with other
HTTP header options described below to get the IP address from communication sessions.
Use Extracted Carrier End Point: Extract the carrier end point from communication
sessions and get the source IP address from the user context list. Configure together with
other HTTP header options described below to get the carrier end point from
communication sessions.

The following options are available only if you select “Use Extracted IP Address” or “Use
Extracted Carrier End Point”.

IP Address Header
Specify the header field in the communication session that includes the source IP address.
The default IP address header is X-Up-Forwarded-For.

Suppress
Select to delete the IP address header found in the specified IP Address Header field. You
can use this feature to prevent your customers’ source IP addresses from appearing on the
Internet.

Carrier End Point Header
Specify the header field in the communication session that includes the carrier end point.
The default carrier end point header is x-up-calling-line-id.

Suppress
Select to delete the carrier end point header found in the specified Carrier End Point
Header field. You can use this feature to prevent your customers’ carrier end points from
appearing on the Internet.

Missing Header: Use Session IP Address
Select this option to use the actual source IP address of the session if FortiOS Carrier
cannot find the specified IP address header or if the specified IP address header does not
contain an IP address. FortiOS Carrier matches this IP address with the IP addresses in
the user context list.

Carrier End Point Source
Configure FortiOS Carrier to find the communication session’s carrier end point in the
HTTP Header Field or in a Cookie in the HTTP session.

Header Carrier End Point in Hex
Select if the carrier end point is encoded in the communication session using hexadecimal
notation. FortiOS Carrier converts the carrier end point from hex to decimal.

Carrier End Point Prefix Options

Add Carrier End Point Prefix
Select to add a prefix to the carrier end point found in the communication session. The
following options are available only if this option is selected. For more information, see
“Example: How FortiOS Carrier applies carrier end point prefix options” on page 1770.

Prefix
Enter the prefix to be added to the carrier end point.

Minimum Length
Enter a minimum value. The prefix is not added to the carrier end point if it has the same
or fewer digits than the minimum length.

Maximum Length
Enter a maximum value. The prefix is not added to the carrier end point if it has the same
or more digits than the maximum length.

Example: How FortiOS Carrier applies carrier end point prefix options
This example scenario illustrates how you can use carrier end point prefix options to add
the correct country code to MSISDNs. Here are the conditions:
• Your WAP gateway is not adding the correct country code to the MSISDNs in the
communication sessions that it forwards. Because you are including the country code
in carrier end points in RADIUS records, the carrier end points in the WAP
communication session do not match the carrier end points in the user context list.
• You also have test messages on your networks from systems that are providing service
quality checking or other functionality. These test messages include identifying
numbers that are 4 to 6 digits long (i.e. smaller than MSISDNs, which are usually 10
digits). These numbers are added to the same header as the MSISDNs. You can use
the minimum length field to make sure that the numbers in the test messages are not
changed.
• It's possible that some of the MSISDNs sent by the WAP server do include the country
code. You would not want to add another country code in this case. You can use the
maximum length field to make sure that MSISDN numbers with country codes are not
changed.
• Your system uses 10-digit MSISDNs. Adding the country code increases the MSISDN
to 12 digits.

The solution is:
• Enable Add Carrier End Point Prefix.
• Set the Prefix to 44, which is the country code that you want to add. If you are
operating with multiple virtual domains, you can set HTTP header options differently for
each virtual domain. So you could add different country codes to different virtual
domains.
• Set Minimum Length to 6 so that all numbers with 6 or fewer digits are not changed.
• Set Maximum Length to 12 so that all numbers with 12 or more digits are not changed.
Figure 278: Example carrier end point prefix options
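The Profile Query Type decisions from Table 118, the HTTP header options table and the country-code prefix example above, as one Python model. This is an added example, not Fortinet code: the two lookup dicts stand in for the user context list, the sample headers, IP addresses and MSISDNs are constructed, and the order in which hex conversion and the prefix rules are applied is an assumption; the default header names and the prefix/length values are the ones the page states.

```python
"""Model of FortiOS Carrier HTTP header options: Profile Query Type, the
Missing Header fallback, hex-encoded carrier end points, prefix options and
header suppression.

Added example, not Fortinet code. The two dicts stand in for the user context
list; sample headers, IP addresses and MSISDNs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_IP = "Use Session IP Address"
EXTRACTED_IP = "Use Extracted IP Address"
EXTRACTED_ENDPOINT = "Use Extracted Carrier End Point"


@dataclass
class HeaderOptions:
    query_type: str = SESSION_IP
    ip_header: str = "X-Up-Forwarded-For"            # IP Address Header (page default)
    endpoint_header: str = "x-up-calling-line-id"    # Carrier End Point Header (page default)
    missing_header_use_session_ip: bool = False      # Missing Header: Use Session IP Address
    endpoint_in_hex: bool = False                    # Header Carrier End Point in Hex
    suppress_ip_header: bool = False
    suppress_endpoint_header: bool = False
    add_prefix: bool = False                         # Add Carrier End Point Prefix
    prefix: str = "44"
    min_length: int = 6
    max_length: int = 12


def apply_prefix(endpoint: str, opts: HeaderOptions) -> str:
    """No prefix when the end point has min_length or fewer digits (test IDs) or
    max_length or more digits (MSISDNs that already carry the country code)."""
    if not opts.add_prefix:
        return endpoint
    if len(endpoint) <= opts.min_length or len(endpoint) >= opts.max_length:
        return endpoint
    return opts.prefix + endpoint


def normalize_endpoint(raw: str, opts: HeaderOptions) -> str:
    """Hex-to-decimal conversion first, then the prefix rules (ordering assumed)."""
    value = str(int(raw, 16)) if opts.endpoint_in_hex else raw.strip()
    return apply_prefix(value, opts)


ContextByIP = Dict[str, Tuple[str, Optional[str]]]        # ip -> (end point, profile group)
ContextByEndpoint = Dict[str, Tuple[str, Optional[str]]]  # end point -> (ip, profile group)


def resolve_session(session_ip: str, headers: Dict[str, str], opts: HeaderOptions,
                    by_ip: ContextByIP, by_endpoint: ContextByEndpoint
                    ) -> Tuple[Optional[str], Optional[str], Dict[str, str]]:
    """Return (carrier end point, profile group, headers to forward).

    Profile group None means the firewall policy's own group applies; end point
    None means the session is handled as a normal session (no dynamic profile)."""
    lower = {k.lower(): v for k, v in headers.items()}      # header names are case-insensitive
    forwarded = {k: v for k, v in headers.items()
                 if not (opts.suppress_ip_header and k.lower() == opts.ip_header.lower())
                 and not (opts.suppress_endpoint_header and k.lower() == opts.endpoint_header.lower())}

    def from_ip(ip: str) -> Tuple[Optional[str], Optional[str], Dict[str, str]]:
        entry = by_ip.get(ip)
        return (None, None, forwarded) if entry is None else (entry[0], entry[1], forwarded)

    if opts.query_type == SESSION_IP:
        return from_ip(session_ip)                           # expected operation for direct traffic

    if opts.query_type == EXTRACTED_IP:
        ip = lower.get(opts.ip_header.lower())
        if ip:
            return from_ip(ip)                               # end point comes from the context list
    elif opts.query_type == EXTRACTED_ENDPOINT:
        raw = lower.get(opts.endpoint_header.lower())
        if raw:
            endpoint = normalize_endpoint(raw, opts)
            entry = by_endpoint.get(endpoint)                # the IP in the context list is ignored
            return (endpoint, entry[1] if entry else None, forwarded)

    # Specified header absent: fall back to the session IP, or treat as a normal session.
    if opts.missing_header_use_session_ip:
        return from_ip(session_ip)
    return None, None, forwarded


# Constructed user context list: the RADIUS records carried the country code (12 digits).
CONTEXT_BY_IP: ContextByIP = {"10.20.0.7": ("447700900123", "parent")}
CONTEXT_BY_ENDPOINT: ContextByEndpoint = {ep: (ip, grp) for ip, (ep, grp) in CONTEXT_BY_IP.items()}

# Constructed WAP gateway request: the gateway sent the 10-digit MSISDN without the country code.
WAP_HEADERS = {"X-Up-Forwarded-For": "10.20.0.7", "x-up-calling-line-id": "7700900123"}
WAP_OPTS = HeaderOptions(query_type=EXTRACTED_ENDPOINT, add_prefix=True, suppress_endpoint_header=True)
```

With WAP_OPTS the WAP request above resolves to end point 447700900123 and the parent group even though the session's own source address is the WAP gateway, and the x-up-calling-line-id header is stripped before forwarding; with the same options a 5-digit test identifier is left untouched and simply fails to match.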

Cookie Override configuration
Cookie Override, also known as browser-based override, can identify different users with
differing levels of URL access, for example an adult and a child, if both users have the
same IP address. One reason for this situation to occur is when multiple users are behind
the same NAT device.
To use cookie based overrides, you need to use RADIUS and dynamic profiles to assign a
protection profile to the NAT IP address. A simple method would be to use the most
restrictive settings, such as for children, as the default and require authentication to
access the restricted URLs, such as for adults.
When the Dynamic Profile is in place for the NAT IP end point, the following sequence
of events happens.
• Adult user requests access to an adult site.
• The HTTP proxy sends a redirect to http://auth.foritnet.com which is caught by a
second proxy.
• The user authenticates at this point.
• Once authenticated, the FortiOS Carrier unit sends a cookie from .fortinet.com with a
duration and level that determines the use for the cookie. The level is a combination of
the web filter category and the website domain.
• A key is made from the information in the cookie, and the new redirect including the
key is used.
• The proxy verifies the new key with the FortiOS Carrier unit and sends a second cookie
to the user’s PC for the requested domain.
• The rest of the communication is authorized by the cookie for that domain for its
duration.

When the user requests access to another website in the same category, the system will
see the previously saved cookie used for that category. The user will not have to
reauthenticate, but everything else happens in the same way.

Tip: If you have many users using the cookie overrides, you may experience a system
slowdown. If this happens, you can increase the life of the cookie to use less resources.
Use this method sparingly as longer life cookies are more of a security risk.

To configure cookie based override
1 Go to UTM > Web Filter > Configuration.
2 Enter the Override Validation Hostname.
Note: This value must be set for cookie override to function. This is the FQDN or IP
address of a website that will have all traffic to it permanently intercepted by your
FortiOS Carrier unit, and cookie override applied.
3 Enter the Override Validation Port.
4 Select Apply.
5 Configure RADIUS server. See “Accounting system RADIUS configuration” on
page 1756.
6 Configure users and user groups to use RADIUS authentication. See “About the user
context list” on page 1757.
7 Configure Dynamic Profiles. See “Configuring the dynamic profile” on page 1759.

Cookie override commands - CLI
The following commands are used to configure the cookie override feature in the CLI.
config vdom
  edit <vdom_name>
    config webfilter cookie-ovrd
      set auth-epoch <int>
      set redir-host <ipv4_fqdn>
      set redir-port <int>
      set cookie-name <string>
    end
    config user group
      edit <group_name>
        set group-type firewall
        set ftgd-wf-ovrd allow
        set ftgd-wf-ovrd-cookie allow
        set ftgd-wf-ovrd-scope browser
        set ftgd-wf-ovrdprofile <profile_list>
      next
    end

Variable / Description / Default

webfilter cookie-ovrd

auth-epoch <int>
Used in generating the encrypted cookie values. Changing this value will automatically
invalidate all previously issued override cookies.
Default: none

redir-host <ipv4_fqdn>
All traffic for this host will pass through the FortiOS Carrier and be used for cookie
override.
Note: This variable must be set before cookie override will function.
Default: none

redir-port <int>
Port number associated with the redir-host. Valid range is from 1 to 65535.
Default: 20080

cookie-name <string>
The name used for the cookie. The default cookie name is randomly generated if not
specified.

user group

group-type firewall
Select firewall group type.
Default: n/a

ftgd-wf-ovrd allow
Allow FortiGuard Webfiltering overrides.
Default: n/a

ftgd-wf-ovrd-cookie allow
Allow FortiGuard Webfiltering cookie overrides.
Default: n/a

ftgd-wf-ovrd-scope browser

ftgd-wf-ovrdprofile <profile_list>
Default: n/a
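The cookie override sequence above (cookie carrying a level and a duration, a key made from the cookie, later requests authorized by it) together with the auth-epoch variable, modelled in Python. This is an added example, not Fortinet code: the cookie layout, the HMAC-SHA256 key derivation, the per-unit secret and the class and field names are all assumptions. The page only states that auth-epoch is used in generating the cookie values and that changing it invalidates every previously issued override cookie, which is the property the epoch provides here.

```python
"""Model of browser-based (cookie) override: after authentication a cookie with a
level (web filter category plus domain) and a duration is issued, a key is derived
from it, and later requests for that level are authorized until it expires.

Added example, not Fortinet code: the cookie layout, HMAC-SHA256 key derivation,
secret and names are assumptions.
"""
import hashlib
import hmac
from typing import Optional


class CookieOverride:
    def __init__(self, cookie_name: str, auth_epoch: int, secret: bytes) -> None:
        self.cookie_name = cookie_name      # cookie-name
        self.auth_epoch = auth_epoch        # auth-epoch: mixed into every key
        self.secret = secret                # assumed per-unit secret (not on the page)

    def _key(self, payload: str) -> str:
        """Key made from the cookie information. It depends on the epoch, so
        bumping auth-epoch invalidates every outstanding cookie at once."""
        msg = f"{self.auth_epoch}|{payload}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, category: str, domain: str, duration: int, now: int) -> str:
        """Cookie value set after the user authenticates at the override host."""
        level = f"{category}:{domain}"                     # level = category + website domain
        payload = f"{user}|{level}|{now + duration}"       # duration stored as an absolute expiry
        return f"{self.cookie_name}={payload}|{self._key(payload)}"

    def verify(self, cookie: str, category: str, domain: str, now: int) -> Optional[str]:
        """Return the user the cookie authorizes for this category/domain, else None."""
        name, sep, value = cookie.partition("=")
        if not sep or name != self.cookie_name:
            return None
        payload, sep, key = value.rpartition("|")
        if not sep or not hmac.compare_digest(key, self._key(payload)):
            return None                                    # tampered, or issued under another epoch
        parts = payload.split("|")
        if len(parts) != 3:
            return None
        user, level, expires = parts
        if level != f"{category}:{domain}" or now >= int(expires):
            return None                                    # wrong level, or past its duration
        return user


# Constructed unit configuration (cookie-name and auth-epoch values are made up).
UNIT = CookieOverride("FGT_OVRD", auth_epoch=1, secret=b"constructed-secret")

if __name__ == "__main__":
    c = UNIT.issue("parent@example.com", "adult", "example.com", duration=3600, now=1000)
    print(c)
    print(UNIT.verify(c, "adult", "example.com", now=2000))
    print(UNIT.verify(c, "adult", "example.com", now=4600))
```

The duration chosen at issue time is the whole exposure window of a cookie that leaks from the PC, which is why the Tip above says to lengthen it sparingly; changing auth-epoch is the administrative way to cut every outstanding window short without waiting for the cookies to expire.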

MMS Carrier End Point features
The FortiOS Carrier term for customer identifying information is carrier end point. The
carrier end point can be any information that the service provider uses to identify a
customer and the device that the customer is using to connect to the network. For
example, if the customer is using a mobile phone, the carrier end point could be the
phone’s MSISDN number. The carrier end point information must be included in the
RADIUS Start record and must be available in the customer communication session (for
example, in the HTTP header).
This section includes:
• Controlling access to MMS services based on a user’s carrier end point
• Blocking network access for IP addresses based on carrier end points
• Extracting carrier end points for user and administrative notifications

Controlling access to MMS services based on a user’s carrier end
point
You can control access to MMS services for users according to their carrier end point by
configuring carrier end point filtering (also called carrier end point blocking). Carrier end
point filtering can filter MM1, MM3, MM4, and MM7 messages according to the carrier end
points in the From or To addresses of the messages.
For a definition of carrier end points, see “About carrier end points” on page 1756.
You configure carrier end point filtering by creating a carrier end point filter list containing
carrier end point patterns. A carrier end point pattern can match one carrier end point or
can use wildcards or regular expressions to match multiple carrier end points.
For each pattern, you select the action that FortiOS Carrier takes on a message when the
pattern matches a carrier end point in the message. Actions include blocking the
message, exempting the message from mass MMS scanning and exempting the message
from all scanning. You can also intercept the message and archive the message to a
FortiAnalyzer unit.
To apply a carrier end point filter list, you need to add the list to the MMS Scanning >
Carrier End Point Block section of an MMS protection profile.

Configuring carrier end point filtering
To apply carrier end point filtering
1 Go to UTM > Carrier End Point > Carrier End point Filter Lists.
2 Add or edit a carrier end point filter list.
3 Add or edit carrier end point patterns in the list.
4 Go to UTM > Carrier > MMS Profile and add or edit an MMS protection profile.
5 Expand MMS Scanning and select Carrier End Point Block.
6 Select the MMS protocols to apply the carrier end point filter list to (MM1, MM3, MM4
and MM7).
7 Select the carrier end point filter list to apply.
8 Add the MMS protection profile to a protection profile.
9 Add the protection profile to a firewall policy that accepts the MMS messages that you
want to filter.

To configure a carrier end point filter list
To configure a carrier end point filter list go to UTM > Carrier > Carrier End Point Filter
Lists.

Name
Name of the carrier end point filter list. You select this name in an MMS protection
profile.

Comments
Optional description of the carrier end point filter list.

Check/Uncheck All
Select the check box to enable all carrier end point patterns in the MMS filter list.
Clear the check box to disable all entries on the MMS filter list.
You can also select or clear individual check boxes to enable or disable individual carrier
end point patterns.

Pattern
The pattern that FortiOS Carrier uses to match with carrier end points. The pattern can be
a single carrier end point or consist of wildcards or Perl regular expressions that will
match more than one carrier end point. See “Using wildcards and Perl regular
expressions” on page 73.

Action
Select the action taken by FortiOS Carrier for messages from a carrier end point that
matches the carrier end point pattern:
None - No action is taken.
Block - MMS messages from the carrier end point are not delivered and FortiOS Carrier
records a log message.
Exempt from mass MMS - MMS messages from the carrier end point are delivered and are
exempt from mass MMS filtering. Mass MMS filtering is configured in MMS protection
profiles and is also called MMS Bulk Email Filtering and includes MMS message flood
protection and MMS duplicate message detection.
Exempt from all scanning - MMS messages from the carrier end point are delivered and
are exempt from all MMS protection profile scanning.
Note: MMS messages are not subject to protection profile filtering, just MMS protection
profile filtering.
Content Archive - MMS messages from the carrier end point are delivered, and the
message content is DLP archived according to MMS DLP archive settings. Content
archiving is also called DLP archiving.
Intercept - MMS messages from the carrier end point are delivered. Based on the
quarantine configuration, attached files may be removed and quarantined.

Pattern Type
The pattern type: Wildcard, Regular Expression, or Single Carrier End Point. See “Using
wildcards and Perl regular expressions” on page 73.

Enable
Select to enable this carrier end point filter pattern.

Blocking network access for IP addresses based on carrier end
points
You can use carrier end point IP filtering to block traffic from source IP addresses
associated with carrier end points. You can also configure FortiOS Carrier to record log
messages whenever carrier end point IP filtering blocks traffic. Carrier end point IP filtering
blocks traffic at the IP level, before the traffic is accepted by a firewall policy.
For a definition of carrier end points, see “About carrier end points” on page 1756.
To configure carrier end point IP filtering, go to UTM > Carrier > IP Filter and add carrier
end points to the IP filter list. For each carrier end point you can enable or disable both
blocking traffic and logging blocked traffic.

Note: You cannot add carrier end point patterns to the carrier end point IP filter list. You
must enter complete and specific carrier end points that are valid for your network.

Note: The only action available is block. You cannot use carrier end point IP filtering to
exempt carrier end points from IP filtering or to content archive or quarantine
communication sessions.

FortiOS Carrier looks in the current user context list for the carrier end points in the IP filter
list and extracts the source IP addresses for these carrier end points. Then any
communication session with a source IP address that matches one of these IP addresses
is blocked at the IP level, before the communication session is accepted by a firewall
policy.
FortiOS Carrier dynamically updates the list of IP addresses to block as the user context
list changes. Only these updated IP addresses are blocked by carrier end point IP filtering.
For information about the user context list and how entries are added to and removed from
this list, see “About the user context list” on page 1757.

Configuring end point IP filtering
Viewing and defining a carrier end point IP filter list
To view the carrier end point IP filter list, go to UTM & gt; Carrier & gt; IP Filter.
You define a carrier end point IP filter list by adding IP addresses to it. From this list, you
can select Create New to add a new IP address or select the Edit icon beside an entry that
you want to change.
There is only one IP filter list, and each entry can be blocked or allowed. The single list
prevents configuration issues by applying all IP filters to all MMS protection profiles that
use IP filtering.
Once the IP filters are configured, they are applied to all Carrier Endpoints as their traffic
hits the firewall policies.
Figure 279: Carrier end point IP filter list and Create new entry (screenshot of the list page
and the Create New dialog)

Carrier end point IP filter list

Create New
    Add a carrier end point to the carrier end point IP filter list.
Edit
    Edit the IP filter list entry. You can change the carrier end point, enable or
    disable blocking, and enable or disable logging blocked traffic.
    If multiple entries are selected, Edit is not available.
Delete
    Delete one or more selected carrier end points from the list.
Enable
    Select an end point entry, and select Enable to enable blocking for that entry.
    The Enable icon is green with a checkmark.
Disable
    Select an end point entry, and select Disable to disable blocking for that entry.
    This effectively turns off this entry. The Enable icon is grey with an X.
Remove All Entries
    Remove all entries from the carrier end point IP filter list.
Check / uncheck all entries on this page
    Select the check box to enable all entries on the carrier end point IP filter list.
    FortiOS Carrier will then block all communication sessions from source IP
    addresses associated with these carrier end points.
    Clear the check box to disable all entries on the IP filter list. Disabling all
    entries disables carrier end point IP filtering.
    You can also select or clear individual check boxes to enable or disable
    individual carrier end points.

Create new entry

Adding or modifying a carrier end point
    Select Create New to add a new carrier end point or select Edit to change an
    existing entry. The carrier end point and logging selections will appear in the
    carrier end point filter list.
Carrier End Point
    Enter the carrier end point. You must enter a single carrier end point and not a
    carrier end point pattern.
Log Blocked Traffic
    Select to record a log message when carrier end point IP filtering blocks a
    communication session.
Block Traffic
    Select to block traffic from the carrier end point. Block Traffic is selected by
    default.

Example
You can use IP filtering on carrier end points when a handheld on your carrier network is
known to be sending spam or malware. You can use IP filtering to block the traffic from
that unit, log it, or both. This allows you to escalate your response and to keep monitoring
afterwards.
In this example the handheld IP address is 10.11.101.99 and, since it is sending
malware, traffic from this address will be both logged and blocked.
To create an IP filter list entry to block an address
1 Go to UTM > Carrier > IP Filter.
2 Select Create New.
3 Enter 10.11.101.99 for the Carrier End Point.
4 Select Log Blocked Traffic and Block Traffic.
5 Select OK.
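The blocking logic described above, modelled in Python as an added example (this is not FortiOS code): the filter list holds complete carrier end points with block/log flags, the user context list maps each end point to the source IP it currently uses, the set of blocked IPs is re-derived whenever the context list changes, and each new session is checked at IP level before any firewall policy is consulted. The model also rejects patterns in place of complete end points, as the notes above require. The MSISDNs, addresses, sessions and the log line format are constructed sample data.

```python
"""Carrier end point IP filtering model (added example, not FortiOS code)."""
from dataclasses import dataclass
import ipaddress
import re

# A complete carrier end point: digits only, no wildcards (assumed MSISDN format)
MSISDN_RE = re.compile(r"^\d{6,15}$")


@dataclass
class FilterEntry:
    end_point: str
    block: bool = True       # Block Traffic (selected by default)
    log: bool = True         # Log Blocked Traffic
    enabled: bool = True     # Enable/Disable icon in the list


class CarrierEndPointIPFilter:
    def __init__(self, entries):
        self.entries = {}
        for e in entries:
            if not MSISDN_RE.match(e.end_point):
                raise ValueError(f"not a complete carrier end point: {e.end_point!r}")
            self.entries[e.end_point] = e
        self.context = {}        # user context list: end point -> current source IP
        self.blocked = {}        # derived: source IP -> FilterEntry
        self.log_lines = []

    def context_add(self, end_point, src_ip):
        self.context[end_point] = ipaddress.ip_address(src_ip)
        self._rebuild()

    def context_remove(self, end_point):
        self.context.pop(end_point, None)
        self._rebuild()

    def _rebuild(self):
        # Only end points present in both the filter list and the current context
        # list yield a blocked IP; an IP no longer in the context list is released.
        self.blocked = {
            ip: self.entries[ep]
            for ep, ip in self.context.items()
            if ep in self.entries and self.entries[ep].enabled and self.entries[ep].block
        }

    def check_session(self, src_ip, dst_ip):
        """Return 'block' or 'accept' for a new session (IP level, before policy lookup)."""
        entry = self.blocked.get(ipaddress.ip_address(src_ip))
        if entry is None:
            return "accept"
        if entry.log:
            self.log_lines.append(
                f"type=ip-filter status=blocked src={src_ip} dst={dst_ip} "
                f"endpoint={entry.end_point}")
        return "block"


def demo():
    """Constructed scenario: returns the per-session verdicts and the log lines."""
    f = CarrierEndPointIPFilter([
        FilterEntry("393475171234"),                 # block and log (defaults)
        FilterEntry("393475170000", log=False),      # block silently
    ])
    # The misbehaving handset is currently attached on 10.11.101.99
    f.context_add("393475171234", "10.11.101.99")
    f.context_add("393475170000", "10.11.101.100")
    f.context_add("393475179999", "10.11.101.101")  # not in the filter list
    results = [f.check_session(ip, "10.129.192.190")
               for ip in ("10.11.101.99", "10.11.101.100", "10.11.101.101")]
    # The handset re-attaches with a new address: the old IP is released and the
    # new one is blocked without any change to the filter list.
    f.context_remove("393475171234")
    f.context_add("393475171234", "10.11.102.7")
    results.append(f.check_session("10.11.101.99", "10.129.192.190"))
    results.append(f.check_session("10.11.102.7", "10.129.192.190"))
    return results, f.log_lines
```

The re-attach step is the point to check on a real deployment: an address that is blocked only because of a context entry must stop being blocked once that entry is gone, otherwise the next subscriber to receive the address is cut off.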

Adding additional blocked IP addresses
Additional IP filters can be added later, both to the carrier end point filter list and to the
firewall address list. To add filters to the filter list, repeat the procedure above for each
additional IP address to be filtered. To add firewall addresses to match in the firewall
policy, enter each additional IP address as a separate firewall address, and in the firewall
policy select multiple addresses and then select all the IP_Filter_xx addresses. Using a
logical naming convention for additional IP filters, such as IP_Filter_02, IP_Filter_xx, and
so on, will help with configuration.

Extracting carrier end points for user and administrative
notifications
The sender’s carrier end point is used to provide logging and reporting details to the
mobile operator and to identify the sender of infected content.
When MMS messages are transmitted, the From field may or may not contain the
sender's address. When the address is not included, the sender information will not be
present in the logs and the FortiOS Carrier unit will not be able to notify the user if the
message is blocked unless the sender's address is made available elsewhere in the
request. One reason for this is if multiple users are behind the same NAT device.
Beyond logging, the sender address is also important for billing, end point control, and
applying firewall policies. It is also important for differing levels of URL access.
FortiOS Carrier can extract the sender's address from an extended HTTP header field in
the HTTP request. This field must be added to the HTTP request before it is received by
FortiOS Carrier. If this field is present, it will be used instead of the sender's address in the
MMS message for logging and notification. If this header field is present when a message
is retrieved, it will be used instead of the To address in the message. If this header field is
not present the content of the To header field is used instead.
Alternatively, FortiOS Carrier can extract the sender’s address from a cookie. The cookie
is sent as part of the HTTP header.
You can configure MMS address translation to extract the sender’s carrier end point so
that it can be added to log and notification messages. You can configure MMS address
translation settings to extract carrier end points from HTTP header fields or from cookies.
You can also configure MMS address translation to add an end point prefix to the
extracted carrier end points.
To configure MMS address translation, go to UTM > Carrier > MMS Profile. Select Create
New or select the Edit icon beside an existing profile. Expand MMS Address Translation.
Complete the fields as described in the following table and select OK.

Configuring MMS address translation
MMS address translation changes the address from using the one embedded in the MMS
message to using the additional HTTP Header Field (if present) or a cookie to get the
address.
This applies to MM1 and MM7 messages — messages sent to or from handsets, and
messages sent to or from content providers. These are the only message types that use
the HTTP headers that enable this feature.
To configure MMS address translation
1 Go to UTM > Carrier > MMS Profile.
2 Select Create New.
3 Expand MMS Address Translation.
4 Select settings for MM1 and MM7 as required.
5 Select OK.
Sender Address Source
    Select to extract the sender's address from the HTTP Header Field or a
    Cookie. You must also specify the identifier that contains the carrier end point.
Sender Address Identifier
    Enter the sender address identifier that includes the carrier end point. The
    default identifier is x-up-calling-line-id.
    If the Sender Address Source is HTTP Header Field, the address and its
    identifier in the HTTP request header take the format:
        <Sender Address Identifier>: <MSISDN_value>
    If the Sender Address Source is Cookie, the address and its identifier in the
    HTTP request header's Cookie field take the format of attribute-value pairs:
        Cookie: id=<cookie-id>; <Sender Address Identifier>=<MSISDN Value>
Convert Sender Address From / To Hex
    Select to convert the sender address from ASCII to hexadecimal or from
    hexadecimal to ASCII. This is required by some applications.
Add End Point Prefix for Logging / Notification
    Enable
        Select to enable adding the country code to the extracted carrier end point,
        such as the MSISDN, for logging and notification purposes. You can limit the
        number length for the test numbers used for internal monitoring without a
        country code.
    Prefix
        Enter a carrier end point prefix that should be added to all carrier end points.
        Use the prefix to add extra information to the carrier end point in the log entry.
    Minimum Length
        Enter the minimum length of the number. If this and Maximum Length are set
        to zero (0), length is not limited.
    Maximum Length
        Enter the maximum length of the number. If this and Minimum Length are set
        to zero (0), length is not limited.

HTTP header field example
For this example we are concerned about MMS traffic between content providers — MM7
traffic only. The default x-up-calling-line-id will be used in the HTTP header along
with a country code of 9811. The Sender Address does need converting from hex. The
prefix will be added to Logging/Notification using the MSISDN for the prefix.
To configure MMS address translation using HTTP header field
1 Go to UTM > Carrier > MMS Profile.
2 Select Create New.
3 Enter MMS_addr_http_header for the Profile Name.
4 Expand MMS Address Translation.
5 Under MM7, select HTTP Header Field for Sender Address Source.
6 Under MM7, enter x-up-calling-line-id for Sender Address Identifier.
7 Under MM7, select Convert Sender Address From / To HEX.
8 Select Enable for Add End Point Prefix for Logging / Notification.
9 Enter 9811 for Prefix.
10 Select OK.
If the Sender Address Source is HTTP Header Field, the address and its identifier in the
HTTP request header take the format:
<Sender Address Identifier>: <MSISDN_value>
where the <MSISDN_value> is the carrier end point. For example, the HTTP header
might contain:
x-up-calling-line-id: 9811301234
where x-up-calling-line-id would be the Sender Address Identifier, and
9811301234 would be the MSISDN.

Cookie example
If you want the address to persist, then you should use a cookie. Keep in mind that
cookies are a less secure method than the HTTP header field option because of their
persistence.
For this example we are concerned about traffic to and from handsets and will only be
using MM1. A non-standard field for Sender Address Identifier will be used:
x-up-calling-cookie, and a country code of 467. The Sender Address does not need
converting from hex. The prefix will be added to Logging/Notification using the MSISDN
for the prefix.
To configure MMS address translation using cookies
1 Go to UTM > Carrier > MMS Profile.
2 Select Create New.
3 Enter MMS_addr_cookie for the Profile Name.
4 Expand MMS Address Translation.
5 Under MM1, select Cookie for Sender Address Source.
6 Under MM1, enter x-up-calling-cookie for Sender Address Identifier.
7 Select Enable for Add End Point Prefix for Logging / Notification.
8 Enter 467 for Prefix.
9 Select OK.
For MM1 messages, a cookie can now be referenced for the Sender’s address. Any
messages that trigger logging or notification that use this address translation will include
the 467 prefix for added identification.
A sample HTTP request header resulting from this configuration would be:
Cookie: id=0123jf!a; x-up-calling-cookie=467301297
where 0123jf!a is the cookie id, x-up-calling-cookie is the Sender Address
Identifier, and 467301297 is the MSISDN.
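The extraction that both the HTTP header field example and the cookie example above rely on, written out in Python as an added example (not FortiOS code): the sender's carrier end point is read from either a named request header or a named Cookie attribute, optionally converted from hex to ASCII, checked to be a digit string, and given the logging/notification prefix. Two assumptions are made explicit here: an MSISDN is treated as ASCII digits only (anything else is rejected rather than trusted), and the Minimum/Maximum Length setting is read as limiting which numbers receive the prefix, so that short internal test numbers are left as they are. The three requests are constructed; the header values come from the MM1 sample later on this page and the examples above.

```python
"""MMS address translation: sender extraction (added example, not FortiOS code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AddressTranslation:
    source: str                      # "header" (HTTP Header Field) or "cookie"
    identifier: str = "x-up-calling-line-id"   # Sender Address Identifier
    convert_hex: bool = False        # Convert Sender Address From / To Hex
    prefix: str = ""                 # Add End Point Prefix for Logging / Notification
    min_length: int = 0              # both 0 = no length limit (assumed: limits prefixing)
    max_length: int = 0


def parse_headers(raw: str) -> dict:
    """Header block of an HTTP request -> {lower-case name: [values...]}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:       # skip the request line
        if not line:
            break                            # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cookie_attribute(cookie_values, name: str) -> Optional[str]:
    """Find attribute=value in one or more Cookie header values."""
    for cookie in cookie_values:
        for pair in cookie.split(";"):
            attr, _, value = pair.strip().partition("=")
            if attr.strip().lower() == name.lower():
                return value.strip()
    return None


def extract_sender(raw_request: str, cfg: AddressTranslation) -> Optional[str]:
    """Return the (possibly prefixed) MSISDN, or None to fall back to the MMS From/To field."""
    headers = parse_headers(raw_request)
    if cfg.source == "header":
        values = headers.get(cfg.identifier.lower())
        value = values[0] if values else None
    else:
        value = cookie_attribute(headers.get("cookie", []), cfg.identifier)
    if value is None:
        return None
    if cfg.convert_hex:
        try:
            value = bytes.fromhex(value).decode("ascii")
        except ValueError:
            return None                      # malformed hex: treat as absent
    if not (value.isascii() and value.isdigit()):
        return None                          # an MSISDN is digits only (assumption)
    unlimited = cfg.min_length == 0 and cfg.max_length == 0
    in_range = unlimited or cfg.min_length <= len(value) <= cfg.max_length
    if cfg.prefix and in_range:
        value = cfg.prefix + value
    return value


# Constructed MM1 request carrying the address in the default header field
MM1_HEADER = (
    "POST / HTTP/1.1\r\n"
    "Host: 10.129.192.190\r\n"
    "Content-Type: application/vnd.wap.mms-message\r\n"
    "x-up-calling-line-id: 393475171234\r\n"
    "x-forwarded-for: 10.211.4.12\r\n"
    "\r\n")

# Constructed MM1 request carrying the address in a Cookie attribute
MM1_COOKIE = (
    "POST / HTTP/1.1\r\n"
    "Host: 10.129.192.190\r\n"
    "Cookie: id=0123jf!a; x-up-calling-cookie=301297\r\n"
    "\r\n")

# Constructed MM7 request with the MSISDN hex-encoded: 333031323334 is ASCII "301234"
MM7_HEX = (
    "POST /mm7 HTTP/1.1\r\n"
    "Host: mmsc.example.net\r\n"
    "x-up-calling-line-id: 333031323334\r\n"
    "\r\n")
```

Whatever extracts the address here must only run on requests that arrived through the operator's own WAP gateway or content-provider link: the header and the cookie are both client-supplied bytes, and a handset that can reach the MMSC without the gateway rewriting them can claim any sender it likes, so the digit check above is a sanity check, not an authentication.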

MMS UTM features
FortiOS Carrier includes all the UTM features of FortiOS with extra features specific to
MMS carrier networks.
This section includes:
• MMS virus scanning
• MMS file filtering
• MMS content-based Antispam protection
• MMS DLP archiving

MMS virus scanning
You can use MMS virus scanning to scan content contained within MMS messages for
viruses. FortiOS Carrier virus scanning can be applied to the MM1, MM3, MM4, and MM7
interfaces to detect and remove content containing viruses at many points in an MMS
network. Perhaps the most useful interface to apply virus scanning would be the MM1
interface to block viruses sent by mobile users before they get into the service provider
network.

Why scan MMS messages?
The requirement for scanning MM1 content comes from the fact that MMS is an
increasingly popular technique for propagating malware between mobile devices.

Example: COMMWARRIOR
This is a virus for Series 60 type cell phones, such as Nokia, operating Symbian OS
version 6 [or higher]. The object of the virus is to spread to other phones using Bluetooth
and MMS as transport avenues. The targets are selected from the contact list of the
infected phone and also sought via Bluetooth searching for other Bluetooth-enabled
devices (phones, printers, gaming devices etc.) in the proximity of the infected phone.
This virus is more than a proof of concept: it has successfully migrated from a zoo
collection to being in the wild. Currently, this virus is being reported in over 18 countries
across Europe, Asia and North America.
The following variants among others are currently scanned by the FortiOS Carrier devices,
in addition to more signatures that cover all known threats.

• SymbOS/Commwar.B!wm
  Aliases: Commwarrior.B, SymbOS.Commwarrior.B [NAV], SymbOS/Commwar.B,
  SymbOS/Commwar.B-net, SymbOS/Commwarrior.b!exe [McAfee],
  SymbOS/Commwarrior.b!sis [McAfee], SymbOS/Comwar.B-wm,
  SYMBOS_COMWAR.B [Trend]
  First Discovered In The Wild: Mar 7 2005
  Impact Level: 1
  Virus Class: Worm
  Virus Name Size: 23,320

• SymbOS/Commwar.A!worm
  Aliases: Commwarrior-A, SymbOS.Commwarrior.A [NAV], SymbOS/Commwar.A-net,
  SymbOS/Commwar_ezboot.A-ne, SymbOS/Comwar.A, SymbOS/Comwar.A-wm,
  SYMBOS_COMWAR.A [Trend]
  First Discovered In The Wild: May 16 2005
  Impact Level: 1
  Virus Class: Worm
  Virus Name Size: 27,936

• SymbOS/Commwarriie.C-wm
  Aliases: None
  First Discovered In The Wild: Oct 17 2005
  Impact Level: 1
  Virus Class: File Virus
  Virus Name Size: None

For the latest list of threats Fortinet devices detect, go to the FortiGuard Center Resource
Library’s Mobile index.

MMS virus monitoring
Selecting Monitor only causes the FortiOS Carrier unit to record log messages when MMS
scanning options find a virus, match a file name, or match content using any of the other
MMS scanning options. Selecting this option enables reporting on viruses and other
problems in MMS traffic without affecting users.

MMS virus scanning blocks messages (not just attachments)
Because MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus
port configurations also apply to MM1 and MM7 scanning.
MM3 and MM4 use SMTP and the oversize limits for SMTP and the SMTP antivirus port
configurations also apply to MM3 and MM4 scanning.
The message contents will be scanned for viruses, matched against the file extension
blocking lists and scanned for banned words. All these items will be configured via the
standard GUI interfaces available for the other protocols and will be controlled at the
protection profile level with new options specifically for the MM1 messages.
The FortiOS Carrier unit extracts the sender's Mobile Subscriber Integrated Services
Digital Network Number (MSISDN) from the HTTP headers if available. The POST payload
is sent to the scan units, which parse the MMS content and scan each message data
section. If any part of the data should be blocked, the proxy is informed, the connection to
the MMSC is reset, and the FortiOS Carrier unit returns an HTTP 200 OK message with an
m-send-conf payload to the client to prevent a retry. Finally the appropriate logging, alert,
and replacement message events are triggered.
For client notification, the x-mms-response-status and x-mms-response-text
fields can also be customized as required.

Removing or replacing blocked messages
Select Remove Blocked to remove blocked content from each protocol and replace it with
the replacement message. If FortiOS Carrier should preserve the length of the message
when removing blocked content, as may be needed when billing depends on the length of
the message, select Constant.

If you only want to monitor blocked content, select Monitor Only.

Scanning MM1 retrieval messages
Select to scan message retrievals that use MM1. If you enable Virus Scan for all MMS
interfaces, messages are also scanned while being sent. In this case, you can disable
MM1 message retrieval scanning to improve performance.

Passing or blocking fragmented messages
Select to pass fragmented MM3 and MM4 messages. Fragmented MMS messages
cannot be scanned for viruses. If you do not select these options, fragmented MM3 and
MM4 message are blocked.

Client comforting
In general, client comforting is available for MM1 and MM7 messaging and provides a
visual display of progress for web page loading or HTTP or FTP file downloads. Client
comforting does this by sending the first few packets of the file or web page being
downloaded to the client at configured time intervals so that the client is not aware that the
download has been delayed. The client is the web browser or FTP client. Without client
comforting, clients and their users have no indication that the download has started until
the FortiOS Carrier unit has completely buffered and scanned the download. During this
delay users may cancel or repeatedly retry the transfer, thinking it has failed.
The appearance of a client comforting message (for example, a progress bar) is
client-dependent. In some instances, there will be no visual client comforting cue.
During client comforting, if the file being downloaded is found to be infected, then the
FortiOS Carrier unit caches the URL and drops the connection. The client does not
receive any notification of what happened because the download to the client had already
started. Instead the download stops, and the user is left with a partially downloaded file.
If the user tries to download the same file again within a short period of time, then the
cached URL is matched and the download is blocked. The client receives the Infection
cache message replacement message as a notification that the download has been
blocked. The number of URLs in the cache is limited by the size of the cache.
Caution: Client comforting can send unscanned and therefore potentially infected content
to the client. You should only enable client comforting if you are prepared to accept this risk.
Keeping the client comforting interval high and the amount low will reduce the amount of
potentially infected data that is downloaded.

MM1 and MM7 client comforting steps
Since MM1 and MM7 messages use HTTP, MM1 and MM7 client comforting operates like
HTTP client comforting.
The following steps show how client comforting works for a download of a 1 Mbyte file with
the client comforting interval set to 20 seconds and the client comforting amount set to 512
bytes.
1 The client requests the file.
2 The FortiOS Carrier unit buffers the file from the server. The connection is slow, so
after 20 seconds about one half of the file has been buffered.

3 The FortiOS Carrier unit continues buffering the file from the server, and also sends
512 bytes to the client.
4 After 20 more seconds, the FortiGate unit sends the next 512 bytes of the buffered file
to the client.
5 When the file has been completely buffered, the client has received the following
amount of data:
ca * (T/ci) bytes == 512 * (40/20) == 512 * 2 == 1024 bytes,
where ca is the client comforting amount, T is the buffering time and ci is the client
comforting interval.
6 If the file does not contain a virus, the FortiOS Carrier unit sends the rest of the file to
the client. If the file is infected, the FortiOS Carrier unit closes the data connection but
cannot send a message to the client.

Server comforting
Server comforting can be selected for each protocol.
Similar to client comforting, you can use server comforting to prevent server connection
timeouts that can occur while waiting for FortiOS Carrier to buffer and scan large POST
requests from slow clients.
The Interval is the time in seconds before client and server comforting starts after the
download has begun, and the time between sending subsequent data.
The Amount is the number of bytes sent by client or server comforting at each interval.

Handling oversized MMS messages
Select Block or Pass for files and email messages exceeding configured thresholds for
each protocol.
The oversize threshold refers to the final size of the message, including attachments, after
encoding by the client. Clients can use a variety of encoding types; some result in larger
file sizes than the original attachment. As a result, a file may be blocked or logged as
oversized even if the attachment is several megabytes smaller than the oversize
threshold.

MM1 sample messages
Internet Protocol, Src Addr: 10.128.206.202 (10.128.206.202), Dst Addr: 10.129.192.190 (10.129.192.190)
Transmission Control Protocol, Src Port: 34322 (34322), Dst Port: http (80), Seq: 1, Ack: 1, Len: 1380
    Source port: 34322 (34322)
    Destination port: http (80)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
    Window size: 24840
    Checksum: 0x63c1 (correct)

HTTP proxy
Hypertext Transfer Protocol
    POST / HTTP/1.1\r\n
        Request Method: POST
        Request URI: /
        Request Version: HTTP/1.1
    Host: 10.129.192.190\r\n
    Accept: */*, application/vnd.wap.sic, application/vnd.wap.mms-message, text/x-hdml, image/mng, image/x-mng, video/mng, video/x-mng, image/bmp\r\n
    Accept-Charset: utf-8,*\r\n
    Accept-Language: en\r\n
    Content-Length: 25902\r\n
    Content-Type: application/vnd.wap.mms-message\r\n
    User-Agent: Nokia7650/1.0 SymbianOS/6.1 Series60/0.9 Profile/MIDP-1.0 Configuration/CLDC-1.0 UP.Link/6.2.1\r\n
    x-up-devcap-charset: utf-8\r\n
    x-up-devcap-max-pdu: 102400\r\n
    x-up-uplink: magh-ip.mi.vas.omnitel.it\r\n
    x-wap-profile: "http://nds.nokia.com/uaprof/N7650r200.xml"\r\n
    x-up-subno: 1046428312-826\r\n
    x-up-calling-line-id: 393475171234\r\n
    x-up-forwarded-for: 10.211.4.12\r\n
    x-forwarded-for: 10.211.4.12\r\n
    Via: 1.1 magh-ip.mi.vas.omnitel.it\r\n
    \r\n

Scan engine
MMS Message Encapsulation, Type: m-send-req
    X-Mms-Message-Type: m-send-req (0x80)
    X-Mms-Transaction-ID: 1458481935
    X-Mms-MMS-Version: 1.0
    From: <insert address>
    To: 3475171234/TYPE=PLMN
    X-Mms-Message-Class: Personal (0x80)
    X-Mms-Expiry: 21600.000000000 seconds
    X-Mms-Priority: Normal (0x81)
    X-Mms-Delivery-Report: No (0x81)
    X-Mms-Read-Report: No (0x81)
    Content-Type: application/vnd.wap.multipart.related; start=<1822989907>; type=application/smil
        Start: <1822989907>
        Type: application/smil
    Data (Post)
    Multipart body
        Part: 1, content-type: text/plain
            Content-Type: text/plain; charset=iso-10646-ucs-2; name=Ciao.txt
                Charset: iso-10646-ucs-2
                Name: Ciao.txt
            Headers
                Content-Location: Ciao.txt
            Line-based text data: text/plain
                \377\376C\000i\000a\000o\000
    [Unreassembled Packet: MMSE]

Configuring MMS virus scanning
To apply MMS virus scanning you must configure MMS virus scanning in the MMS
protection profile, and add the MMS protection profile to a firewall policy.
The MMS protection profile then applies to the traffic accepted by the firewall policy.

To apply MMS virus scanning
1 Go to UTM > Carrier > MMS Profile.
2 Select Create New to add an MMS protection profile called MMS_virus_scan.
3 Configure antivirus settings and save the new MMS protection profile.
4 Go to Firewall > Policy.
5 Select Create New to add a firewall policy, or select Edit for the policy to which you
want to add the protection profile.
6 Configure the firewall policy as required.
7 Select UTM > MMS Profile and select MMS_virus_scan.
8 Select OK.

Replacement messages
FortiOS Carrier generates replacement messages to notify the sending client that they
have sent a virus.
FortiOS Carrier can generate an SMS/SMTP replacement message and an MMS/HTTP
POST replacement message. In each case the recipient will be the sender of the initial
virus message and a configurable MSISDN parameter will be available to determine the
sender (From), i.e. the FortiOS Carrier unit. See “Configuring MMS address translation”
on page 1780.
For SMS/SMTP notification a destination email address is configurable and can contain
the marker %%MSISDN%% which will be replaced with the sender’s MSISDN thereby
allowing the message to be routed properly.
You need to clarify whether specific headers are required in the SMTP message and
whether a predefined format for the message must to be followed. For the MMS message
the body will be configurable and this could be specified in WML or SMIL.

Logging and reporting
With each virus infection, or file block, a syslog message should be generated. The format
of this syslog message should be:
2005-09-22 19:15:47 device_id=FGT5001ABCDEF1234 log_id=0211060ABC type=virus subtype=infected pri=warning src=10.1.2.3 dst=10.2.3.4 src_int=port1 dst_int=port2 service=mm1 status=blocked from="<sending MSISDN>" to="<receiving MSISDN>" file="eicar.com.txt" virus="EICAR_TEST_FILE" msg="The file eicar.com.txt is infected with EICAR_TEST_FILE. ref http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=quickSearchDirectly&virusName=EICAR_TEST_FILE."
Note that the from and to fields are samples and not real values.
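Parsing the key=value syslog format shown above the way a log collector would, as an added example (not FortiOS code): values are either bare tokens or double-quoted strings that may contain spaces, "=" and "&" (the msg field does), so a naive split on spaces or on "=" breaks on exactly the fields that matter. The three log lines are constructed in that format with sample MSISDNs, device ID and file names; only the blocked, infected MMS events are selected for the notification path.

```python
"""FortiOS Carrier virus log parsing (added example, not FortiOS code)."""
import re

# key=value where the value is a double-quoted string (may contain spaces, '=' and '&')
# or a bare run of non-space characters
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")


def parse_log_line(line: str) -> dict:
    """One syslog line -> dict of fields, plus 'timestamp'."""
    m = TIMESTAMP_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with a timestamp")
    record = {"timestamp": m.group(1)}
    for key, quoted, bare in FIELD_RE.findall(m.group(2)):
        record[key] = bare if bare else quoted
    return record


def mms_virus_events(lines):
    """(from, to, file, virus) for every blocked infected message on an MMS interface."""
    out = []
    for line in lines:
        r = parse_log_line(line)
        if (r.get("type") == "virus" and r.get("subtype") == "infected"
                and r.get("service", "").startswith("mm") and r.get("status") == "blocked"):
            out.append((r["from"], r["to"], r["file"], r["virus"]))
    return out


# Constructed sample lines in the documented format (MSISDNs and IDs are not real)
SAMPLE_LOGS = [
    '2005-09-22 19:15:47 device_id=FGT5001ABCDEF1234 log_id=0211060ABC type=virus '
    'subtype=infected pri=warning src=10.1.2.3 dst=10.2.3.4 src_int=port1 dst_int=port2 '
    'service=mm1 status=blocked from="393475171234" to="393475170000" '
    'file="eicar.com.txt" virus="EICAR_TEST_FILE" msg="The file eicar.com.txt is infected '
    'with EICAR_TEST_FILE. ref http://www.fortinet.com/VirusEncyclopedia/search/'
    'encyclopediaSearch.do?method=quickSearchDirectly&virusName=EICAR_TEST_FILE."',
    # same virus on plain HTTP: not an MMS interface, so not a notification candidate
    '2005-09-22 19:16:02 device_id=FGT5001ABCDEF1234 log_id=0211060ABC type=virus '
    'subtype=infected pri=warning src=10.1.2.5 dst=10.2.3.4 src_int=port1 dst_int=port2 '
    'service=http status=blocked from="" to="" file="setup.exe" virus="EICAR_TEST_FILE" '
    'msg="The file setup.exe is infected with EICAR_TEST_FILE."',
    # oversized MM7 message that was passed, not scanned: logged but not a virus hit
    '2005-09-22 19:16:30 device_id=FGT5001ABCDEF1234 log_id=0211060ABD type=virus '
    'subtype=oversize pri=notice src=10.1.2.9 dst=10.2.3.4 src_int=port1 dst_int=port2 '
    'service=mm7 status=passthrough from="393475171235" to="393475170001" '
    'file="clip.3gp" virus="" msg="The file clip.3gp exceeds the oversize limit."',
]
```

Keep the filter on status=blocked: with Monitor Only enabled the same type=virus subtype=infected event is written with a different status, and feeding those into an SMS notification path would tell a subscriber their message was blocked when it was delivered.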

MMS logging options
You can enable logging in an MMS protection profile to write event log messages when
the MMS protection profile options that you have enabled perform an action. For example,
if you enable MMS antivirus protection, you could also use the MMS protection profile
logging options to write an event log message every time a virus is detected.
To record these log messages you must first configure how the FortiOS Carrier unit stores
log messages.

To configure MMS logging options, go to UTM > Carrier > MMS Profile. Select Create
New or select the Edit icon beside an existing profile. Expand MMS Bulk AntiSpam
Detection > Logging. Complete the fields as described in the following table and select OK.

MMS AntiVirus
    If antivirus settings are enabled for this MMS protection profile, select the
    following options to record Antivirus Log messages.
    Viruses
        Record a log message when this MMS protection profile detects a virus.
    Blocked Files
        Record a log message when antivirus file filtering enabled in this MMS
        protection profile blocks a file.
    Intercepted Files
        Record a log message when this MMS protection profile intercepts a file.
    Oversized Files/E-mails
        Record a log message when this MMS protection profile encounters an
        oversized file or email message. Oversized files and email messages cannot
        be scanned for viruses.
MMS Scanning
    If MMS scanning settings are enabled for this MMS protection profile, select the
    following options to record Email Filter Log messages.
    Notification Messages
        Select to log the number of MMS notification messages sent.
    Bulk Messages
        Select to log MMS Bulk AntiSpam events. You must also select which protocols
        to write log messages for in the MMS bulk email filtering part of the MMS
        protection profile.
    Carrier End Point Filter Block
        Select to log MMS carrier end point filter events, such as MSISDN filtering.
    Content block
        Select to log content blocking events.

SNMP
A simple SNMP trap will be generated to inform the operators alerting system that a virus
has been detected. This SNMP trap could contain the sending and receiving MSISDN
however the initial solution would reflect the current behavior, i.e. only the fact that a virus
has been detected will be communicated.

MMS file filtering
Use MMS file filtering to apply antivirus file filtering to MMS traffic. Select a file filter list to
apply.
Configure the FortiGate file filter to block files by:
• File pattern: Files can be blocked by name, extension, or any other pattern. File pattern
  blocking provides the flexibility to block potentially harmful content.
  File pattern entries are not case sensitive. For example, adding *.exe to the file
  pattern list also blocks any files ending in .EXE.
  In addition to the built-in patterns, you can specify more file patterns to block.
• File type: Files can be blocked by type, without relying on the file name to indicate what
  type of files they are. When blocking by file type, the FortiGate unit analyzes the file
  and determines the file type regardless of the file name.

For standard operation, you can choose to disable file filter in the protection profile, and
enable it temporarily to block specific threats as they occur.
The FortiGate unit can take either of these actions toward files that match a configured file
pattern or type:
• Allow: the file is allowed to pass.
• Block: the file is blocked and a replacement message is sent to the user. If both
  file filter and virus scan are enabled, the FortiGate unit blocks files that match the
  enabled file filter and does not scan these files for viruses.

The FortiGate unit also writes a message to the virus log and sends an alert email
message if configured to do so.
Files are compared to the enabled file patterns and then the file types, from top to bottom.
If a file does not match any specified pattern or type, it is passed along to antivirus
scanning (if enabled). In effect, files are passed unless explicitly blocked.
Using the allow action, this behavior can be reversed so that all files are blocked unless
explicitly allowed. Enter all the file patterns or types to be passed with the allow action,
and at the end of the list add an all-inclusive wildcard (*.*) with a block action. Allowed
files continue to antivirus scanning (if enabled), while files not matching any allowed
pattern are blocked by the wildcard at the end.
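The evaluation order just described, modelled in Python as an added example (not FortiOS code): enabled file-pattern rules are checked first and file-type rules after them, each top to bottom, the first match decides, and a file that matches nothing or matches an allow rule continues to antivirus scanning. File type is detected from the content, never from the name. The magic-byte table is a constructed subset covering only a few of the types in Table 119, and the sample files, rule lists and the "scan" verdict name are constructed too.

```python
"""File filter evaluation order (added example, not FortiOS code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# file type -> leading bytes (constructed subset of Table 119)
MAGIC = {
    "exe": b"MZ",
    "elf": b"\x7fELF",
    "zip": b"PK\x03\x04",
    "gzip": b"\x1f\x8b",
    "rar": b"Rar!\x1a\x07",
    "class": b"\xca\xfe\xba\xbe",
    "cab": b"MSCF",
}


def detect_type(data: bytes) -> str:
    """Type from content; 'unknown' is any type not in the table."""
    for ftype, magic in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "unknown"


@dataclass
class Rule:
    kind: str                # "pattern" (file name glob) or "type" (detected type)
    value: str               # e.g. *.exe, or exe
    action: str = "block"    # "block" or "allow"
    enabled: bool = True


def evaluate(filename: str, data: bytes, rules):
    """Return (verdict, matched_rule); verdict is 'block' or 'scan' (handed to antivirus)."""
    ordered = [r for r in rules if r.enabled and r.kind == "pattern"] + \
              [r for r in rules if r.enabled and r.kind == "type"]
    ftype = detect_type(data)
    for rule in ordered:
        if rule.kind == "pattern":
            # patterns are case-insensitive: *.exe also matches SETUP.EXE
            hit = fnmatchcase(filename.lower(), rule.value.lower())
        else:
            hit = rule.value == ftype
        if hit:
            return ("block" if rule.action == "block" else "scan", rule)
    return ("scan", None)     # no match: passed along to antivirus scanning


# Constructed sample files: (name, first bytes)
SAMPLES = {
    "photo.JPG":  b"\xff\xd8\xff\xe0",
    "setup.EXE":  b"MZ\x90\x00",
    "update.jpg": b"MZ\x90\x00",         # renamed Windows executable
    "game.sisx":  b"PK\x03\x04",         # zip container behind a harmless name
    "README":     b"plain text",         # no extension at all
}

# Standard operation: block what is listed, pass everything else to antivirus
BLOCKLIST = [Rule("pattern", "*.exe"), Rule("pattern", "*.bat"), Rule("type", "exe")]

# Reversed operation as described above: allow listed patterns, block the rest with *.*
DEFAULT_DENY = [Rule("pattern", "*.jpg", "allow"), Rule("pattern", "*.gif", "allow"),
                Rule("pattern", "*.*", "block")]


def run_samples(rules):
    return {name: evaluate(name, data, rules)[0] for name, data in SAMPLES.items()}
```

Two things the run shows that are worth checking on a real unit. First, because pattern rules are evaluated before type rules, an allow pattern such as *.jpg wins over a later "block type exe", so a renamed executable named update.jpg goes to antivirus rather than being blocked by the file filter; if renamed executables must be stopped by the filter, do not allow by pattern. Second, under glob semantics *.* only matches names that contain a dot, so README falls through to "scan" instead of being blocked by the catch-all; whether the unit's own wildcard behaves the same way should be verified with a dotless file name before relying on the reversed list.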

Built-in patterns and supported file types
The FortiGate unit is preconfigured with a default list of file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.scr)
• program information files (*.pif)
• control panel files (*.cpl)

The FortiGate unit can take actions against the following file types:
Table 119: Supported file types
arj        activemime   aspack   base64       bat      binhex   bzip     bzip2
cab        class        cod      elf          exe      fsg      gzip     hlp
hta        html         jad      javascript   lzh      mime     msc      msoffice
petite     prc          rar      sis          tar      upx      uue      zip
unknown    ignored

Note: The “unknown” type is any file type that is not listed in the table. The “ignored” type is
the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio
and video.

Filtering based on file name
There are filenames that are known to be associated with malware such as viruses and
trojans. There are also filenames you may associate with other undesirable content in
addition to malware. In these situations you want to select specific filenames to filter.
You do not have to match the entire filename. For example, if you wanted to block all files
with the word trojan in them, you could use wildcards to accomplish this: *trojan*.
This lets you match the entire filename, part of the filename, or just the file type.
The following procedure creates a filter list called filterExampleFiles that filters two
files called exampleTrojanFile.abc and *trojan*.def. When completed, this file
filter list can be included in an MMS profile.
To create a file filter based on file name
1 Go to UTM > AntiVirus > File Filtering.
2 Select Create New, to create a new file filtering list.
3 Name the list filterExampleFiles.
4 Select Create New to add a filter to the list.
5 Select File Name Pattern for Filter Type.
6 Enter exampleTrojanFile.abc .
7 Enter Block for the Action.
8 Select Enable, and OK.
9 Select Create New to add a filter to the list.
10 Select File Name Pattern for Filter Type.
11 Enter *trojan*.def .
12 Enter Block for the Action.
13 Select Enable, and OK.

Filtering based on file type
When filtering files, it is often useful to filter based on the file type. When malware finds a
file type that gives it access to a system, the filename will change but the file type will
remain the same. Even for blocking applications that are not malware but simply
undesirable, filtering based on file type is often the easiest method.
Simply matching the file type, .zip for example, may not be as accurate a method as using
the built-in patterns. If users see that .zip attachments are blocked, they may simply
rename the file so the filters will allow it through. Checking against patterns can help
prevent this bypassing.
There are two possible methods available to filter based on file type. If the file type is one
of the built-in patterns, you can use them, for example blocking PalmOS files on your
network since Palm devices are not supported. Otherwise, you can simply use wildcards
to match the file type.
The following example will filter all batch files (.bat).
To filter files based on file type using file name pattern
1 Go to UTM > AntiVirus > File Filter.
2 Select Create New and name the list blockedFileTypes.
3 Select Create New to add files to the list.
4 Select File name pattern for Filter Type.
5 Enter *.bat for Pattern.
6 Select an Action of Block.
7 Select Enable and OK.
8 At the file filter list, select OK.
The file filter is now available to be used in an MMS profile, and will block all .bat files
that MMS profile matches.
To filter files based on file type using file type
1 Go to UTM > AntiVirus > File Filter.
2 Select Create New and name the list blockedFileTypes.
3 Select Create New to add files to the list.
4 Select File Type for Filter Type.
5 Select Batch File (bat) for File Type.
6 Select an Action of Block.
7 Select Enable and OK.
8 At the file filter list, select OK.
The file filter is now available to be used in an MMS profile, and will block all batch files
(that use .bat file extension) that the MMS profile matches.

MMS file filtering blocks messages (not just attachments)
When MMS file filtering finds a matching file in an MMS message, the entire message is
blocked. This action is more secure, and can reduce the amount of processing required
for that message. For example if one MMS message includes three files, and the first one
is blocked then the other files won’t be scanned or attempted to be matched because the
whole message is already being blocked.
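To make the evaluation order concrete, here is an added example (not Fortinet code) that models a file filter list as the text describes it: file name patterns are checked before file types, each top to bottom, the first match decides, an unmatched file goes on to antivirus scanning, and the first blocked file blocks the whole message. The classes, list contents and file names are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example, not Fortinet code: models the evaluation order the handbook
# describes for an MMS file filter list. Class and function names are illustrative.


@dataclass
class FilterEntry:
    kind: str        # "pattern" = File Name Pattern (wildcards), "type" = File Type
    value: str       # e.g. "*.bat" for a pattern, "bat" for a type from Table 119
    action: str      # "allow" or "block"
    enabled: bool = True


@dataclass
class MMSFile:
    name: str
    file_type: str   # type detected from the content; "unknown" if not in Table 119


def entry_matches(entry: FilterEntry, f: MMSFile) -> bool:
    if not entry.enabled:
        return False
    if entry.kind == "pattern":
        # Wildcard match on the file name. Matching case-insensitively is an
        # assumption of this model; note that "*.*" only catches names with a dot.
        return fnmatch.fnmatchcase(f.name.lower(), entry.value.lower())
    return f.file_type == entry.value


def evaluate_file(filters: List[FilterEntry],
                  f: MMSFile) -> Tuple[str, Optional[FilterEntry]]:
    """First match wins. Returns ('allow' | 'block' | 'scan', matching entry).
    'scan' means no entry matched, so the file continues to antivirus scanning;
    an allowed file also continues to antivirus scanning, a blocked one is not scanned."""
    # Enabled file name patterns are compared first, then file types, each top to bottom.
    for kind in ("pattern", "type"):
        for entry in filters:
            if entry.kind == kind and entry_matches(entry, f):
                return entry.action, entry
    return "scan", None


def filter_message(filters: List[FilterEntry], files: List[MMSFile]) -> dict:
    """Whole-message decision: the first blocked file blocks the entire MMS message
    and the remaining files are neither matched nor scanned."""
    examined = []
    for f in files:
        decision, entry = evaluate_file(filters, f)
        examined.append(f.name)
        if decision == "block":
            return {"blocked": True, "examined": examined,
                    "reason": f"{f.name} matched {entry.kind} {entry.value}"}
    return {"blocked": False, "examined": examined, "reason": None}


# Default behaviour: block what is listed, pass everything else on to antivirus.
BLOCK_LIST = [
    FilterEntry("pattern", "*.bat", "block"),
    FilterEntry("type", "exe", "block"),   # catches a renamed executable by content type
]

# Reversed behaviour from the text: allow the listed patterns, block the rest with *.*
ALLOW_ONLY_LIST = [
    FilterEntry("pattern", "*.jpg", "allow"),
    FilterEntry("pattern", "*.3gp", "allow"),
    FilterEntry("pattern", "*.*", "block"),
]

if __name__ == "__main__":
    message = [MMSFile("photo.jpg", "unknown"), MMSFile("run.bat", "bat"),
               MMSFile("setup.exe", "exe")]
    print(filter_message(BLOCK_LIST, message))   # blocked at run.bat; setup.exe not examined
    print(evaluate_file(ALLOW_ONLY_LIST, MMSFile("clip.3gp", "unknown"))[0])   # allow
```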

Configuring MMS file filtering
To apply MMS file filtering you must begin with a file filter list. You can create your own list
or use the built-in patterns list. You then must create the file filter, then add the file filter list
to an MMS profile, and then add the MMS profile to a firewall policy. The MMS profile, and
the corresponding file filter then applies to the traffic accepted by the firewall policy.
The following procedure creates a file filtering list called MMS_file_filter that is used
in the MMS profile called filtering_profile. The filter will be applied to all MMS
message types.
To apply MMS file filtering
1 Go to UTM > Antivirus > File Filter and create a file filter list called MMS_file_filter.
2 Select Create New to add entries to filter specific file types.
3 Select OK.
4 Go to UTM > Carrier > MMS Profile and create a new profile called
filtering_profile.
5 Expand MMS Scanning, and select all the MMS message types.
6 Select MMS_file_filter from the Option drop down menu.
7 Set other settings as required in the MMS profile.
8 Select OK.
9 Go to Firewall > Policy, and select Create New.
10 Within the new policy select UTM > MMS Profile, and select filtering_profile.
11 Configure the firewall policy as required.
12 Select OK.

Configuring sender notifications
In most cases the sender should be notified that they are causing problems on the
network — either by sending malware content, flooding the network, or some other
unwanted activity. The notification assumes the sender is unaware of their activity and will
stop or correct it when notified.
However, senders who are notified may use this information to circumvent the administrator's
precautions. For example, if flood notification is set to 1000 messages per minute, a
notified user may simply reduce their rate to 990 messages per minute if the flood is
intentional. For this reason, not all problems include sender notifications.
There are two methods of notifying senders:
• MMS notifications
• Replacement messages

MMS notifications
MMS notifications enable you to customize notifications for many different situations and
differently for all the supported MMS message protocols — MM1, MM3, MM4, and MM7.
MMS notification types include:
• Content Filter
• File Block
• Carrier End Point Block
• Flood
• Duplicate
• MMS Content Checksum
• Virus Scan

Day of Week, Window start time and Window Duration define what days and what time of
day alert notifications will be sent. This allows you to control what alerts are sent on
weekends. It also lets you control when to start sending notifications each day. This can be
useful if system maintenance is performed at the same time each night — you might want
to start alert notifications after maintenance has completed. Another reason to limit the
time alert messages are sent could be to limit message traffic to business hours.

Message protocol
    Select one of MM1, MM3, MM4, or MM7 for the protocol of the notification. Multiples of
    the same protocol are allowed.
Message Type
    Select one of deliver.REQ or submit.REQ for the type of message being sent.
    This option is only available for MM7.
Detect Server Details
    Select to automatically detect information about the server.
Hostname, URL, Port
    Enter information to identify the destination server. Hostname is in FQDN format or an
    IP address. URL is available when the message protocol is MM1 or MM7. Port is the
    port number on the destination server.
Username, Password
    Enter the user name and password required for sending messages using this server
    (optional). This option is available only when Message Protocol is MM7.
VASP ID
    Enter the value-added-service-provider ID (VASP ID) to be used when sending a
    notification message. This option is available only when Message Protocol is MM7.
VAS ID
    Enter the value-added-service ID (VAS ID) to be used when sending a notification
    message. This option is available only when Message Protocol is MM7.
All notification types
    Check to enable notifications for all types. Once enabled, select the number of either
    hours or minutes between notice intervals. Optionally expand All notification types and
    set the notification intervals for the following categories: Content Filter, File Block,
    Carrier End Point Block, Flood, Duplicate, MMS Content Checksum, and Virus Scan.
Notifications per second limit
    Enter a maximum number of notifications allowed per second. This value prevents
    message flooding from this notification service. Set this value to zero for no limit.
Day of the Week
    Select each day of the week that this notification will be enabled.
Window start time
    Select the time of day to begin the message alert window. By default, the message
    window starts at 00:00. You can change this if you want to start the message window
    later in the day.
Window duration
    Select the length of time the message alert window will be available. For example,
    24:00 would indicate the window would be open all day, whereas a value of 1:30 would
    only be open for one and a half hours.

Replacement messages
FortiOS Carrier units and FortiGate units alike send replacement messages when
messages or content are blocked, quarantined, or otherwise diverted from the receiver. In
their place a message is sent to notify the receiver what happened.
With FortiOS Carrier MMS replacement messages, send and receive message types are
supported separately and receive their own custom replacement messages. This allows
the network to potentially notify both the sender and receiver of the problem.
For example the replacement message MM1 send-req file block message is sent to the
device that sent one or more files that were banned. The default message that is sent is
This device has sent %%NUM_MSG%% messages containing banned files
in the last %%DURATION%% hours. The two variables are replaced by the
appropriate values.
Replacement messages are not as detailed or specific as MMS notifications, but they are
also not as complicated to configure. They are also useful when content has been
removed from an MMS message that was still delivered.
For more information on replacement messages, see “MMS Replacement messages” on
page 1825.

MMS content-based Antispam protection
Expand MMS Scanning and select Content Filter in an MMS protection profile to create
content filter black/white lists that block or allow MMS messages based on the content of
the message.

Overview
A school computer lab may block age-inappropriate content. A place of business may
block unproductive content. A public access internet cafe may block offensive and graphic
content. Each installation has its own requirements for what content needs to be blocked,
and in what language.
The ability of FortiOS Carrier to create custom local dictionaries, black lists, and white
lists in multiple languages enables you to protect your customers from malicious content
around the world.
Content-based protection includes:
• Configurable dictionary
• Black listing
• White listing

Configurable dictionary
You can add a dictionary of configurable terms and phrases by going to UTM > Web Filter
> Web Content Filter. The text of MMS messages can be searched for these terms and
phrases. Add content filter lists that contain content that you want to match in MMS
messages. For every match found, a score is added. If enough matches are found to set
the total score above the configured threshold, the MMS message is blocked.
You can add words, phrases, wild cards and Perl regular expressions to create content
patterns that match content in MMS messages. See “Using wildcards and Perl regular
expressions” on page 1798.
For each pattern you can select Block or Exempt.
• Block adds an antispam black list pattern. A match with a block pattern blocks a
  message depending on the score of the pattern and the content filter threshold.
• Exempt adds an antispam white list pattern. A match with an exempt pattern allows the
  message to proceed through the FortiOS Carrier unit, even if other content patterns in
  the same content filter list would block it.

If a pattern contains a single word, the FortiOS Carrier unit searches for the word in MMS
messages. If the pattern contains a phrase, the FortiOS Carrier unit searches for all of the
words in the phrase. If the pattern contains a phrase in quotation marks, the FortiOS
Carrier unit searches for the whole phrase.
You can create patterns with Simplified Chinese, Traditional Chinese, Cyrillic, French,
Japanese, Korean, Spanish, Thai, or Western character sets.

Black listing
Black listing is the practice of banning entries on the list. For example if an IP address
continuously sends viruses, it may be added to the black list. That means any computers
that consult that list will not communicate with that IP address.
Sometimes computers or devices are added to black lists for a temporary problem,
such as a virus that is removed once the owner is notified. However, as a rule, short of
contacting the administrator in person to be manually removed from the black list, users
have to wait; they are generally removed after a period without problems.

White listing
White listing is the practice of adding all critical IP addresses to a list, such as company
email and web servers. Then if those servers become infected and start sending spam or
viruses, those servers are not blocked. This allows the critical traffic through, even if there
might be some malicious traffic as well. Blocking all traffic from your company servers
would halt company productivity.

Scores and thresholds
Each content pattern includes a score. When an MMS message is matched with a pattern
the score is recorded. If a message matches more than one pattern or matches the same
pattern more than once, the score for the message increases. When the total score for a
message equals or exceeds the threshold the message is blocked.

The default score for a content filter list entry is 10 and the default threshold is 10. This
means that by default a message is blocked by a single match. You can change the
scores and threshold so that messages can only be blocked if there are multiple matches.
For example, you may only want to block messages that contain the phrase “example” if it
appears twice. To do this, add the “example” pattern, set action to block and score to 5.
Keep the threshold at 10. If “example” is found twice or more in a message the score adds
up to 10 (or more) and the message is blocked.
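The following is an added example (not Fortinet code) that applies a content filter list the way the word, phrase and quoted-phrase matching and the score and threshold rules above describe. Case-insensitive matching and counting a multi-word phrase once per message are assumptions of this model, as are the class and function names.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed example, not Fortinet code: a content filter list scored as the
# handbook describes, with the three pattern forms and the Block/Exempt actions.


@dataclass
class ContentPattern:
    pattern: str      # word, phrase (all words), or "quoted phrase" (whole phrase)
    action: str       # "block" or "exempt"
    score: int = 10   # default score for a list entry


def _count_word(word: str, text: str) -> int:
    # Whole-word occurrences only: "example" does not match inside "examples".
    return len(re.findall(r"\b" + re.escape(word) + r"\b", text))


def count_matches(pattern: str, text: str) -> int:
    """How many times a pattern matches the message text (case-insensitive, an assumption).
    single word   -> each occurrence of that word counts
    phrase        -> one match when every word of the phrase appears (any order, anywhere)
    "quoted text" -> each occurrence of the exact phrase counts"""
    p, t = pattern.strip(), text.lower()
    if len(p) >= 2 and p[0] == '"' and p[-1] == '"':
        return _count_word(p[1:-1].lower(), t)
    words = p.lower().split()
    if len(words) == 1:
        return _count_word(words[0], t)
    return 1 if all(_count_word(w, t) for w in words) else 0


def score_message(text: str, patterns: List[ContentPattern], threshold: int = 10) -> dict:
    """Apply the list: an exempt match lets the message through regardless of block
    matches; otherwise block scores are summed and compared with the threshold."""
    hits, total = [], 0
    for entry in patterns:
        n = count_matches(entry.pattern, text)
        if n == 0:
            continue
        if entry.action == "exempt":
            return {"blocked": False, "score": 0, "exempt": entry.pattern, "hits": []}
        total += n * entry.score
        hits.append((entry.pattern, n, n * entry.score))
    return {"blocked": total >= threshold, "score": total, "exempt": None, "hits": hits}


# The list from the text: "example" scores 5, so it must appear twice to reach the threshold.
EXAMPLE_LIST = [ContentPattern("example", "block", score=5)]

if __name__ == "__main__":
    print(score_message("one example", EXAMPLE_LIST))                   # score 5, not blocked
    print(score_message("example, then another example", EXAMPLE_LIST))  # score 10, blocked
```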

Configuring content-based antispam protection
To apply content-based antispam protection
1 Go to UTM > Web Filter > Web Content Filter and create or edit a web content filter list.
2 Go to UTM > Carrier > MMS Profile and add or edit an MMS protection profile.
3 Select MMS Scanning > Content Filter and select the web content filter list.
4 Optionally change the content filter Threshold and save the MMS protection profile.
5 Go to Firewall > Policy and create or edit a policy.
6 Expand the UTM heading and select the MMS profile added above.
7 Select OK.
8 Configure the rest of the firewall policy as required, and select OK.

Configuring sender notifications
When someone on the MMS network sends an MMS message that is blocked, in most
cases the sender should be notified. Also usually an administrator is notified so they can
take any action required.
There are two types of sender notifications available in FortiOS Carrier:
• MMS notifications
• Replacement messages

MMS notifications
MMS notifications to senders are configured in UTM > Carrier > MMS profile, under MMS
Notifications.
In this section you can configure up to four different notification recipients for any
combination of MM1/3/4/7 protocol MMS messages. Also for MM7 messages the
message type can be submit.REQ or deliver.REQ.
Useful settings include:
• delay in message based on notification type
• limit on notifications per second to prevent a flood
• schedules for notifications
• login details for MM7 messages.

For more information on MMS notifications, see “MMS notifications” on page 78.

Replacement messages
Replacement messages are features common to both FortiOS and FortiOS Carrier,
however FortiOS Carrier has additional messages for the MMS traffic.

While each MMS protocol has its own replacement messages, the one common
to all MMS protocols is the MMS blocked content replacement message. This is the
message that the receiver of the message sees when their content is blocked.
For more information on replacement messages, see “MMS Replacement messages” on
page 1825.

Using wildcards and Perl regular expressions
Email address list, MIME headers list, and banned word list entries can include wildcards
or Perl regular expressions.
See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular
expressions.

Regular expression vs. wildcard match pattern
A wildcard character is a special character that represents one or more other characters.
The most commonly used wildcard characters are the asterisk (*), which typically
represents zero or more characters in a string of characters, and the question mark (?),
which typically represents any one character.
In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to
the ‘?’ character in wildcard match pattern. As a result:


• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom,
  fortinetccom, and so on.
Note: To add a question mark (?) character to a regular expression from the FortiGate CLI,
enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression
from the CLI you must precede it with another backslash character. For example,
fortinet\\.com.

To match a special character such as ‘.’ and ‘*’ use the escape character ‘\’. For example:
• To match fortinet.com, the regular expression should be: fortinet\.com

In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not
0 or more times of any character. For example:
• forti*.com matches fortiiii.com but does not match fortinet.com

To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’
means 0 or more times. For example, the wildcard match pattern forti*.com should
therefore be forti.*\.com.

Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For
example, the regular expression “test” not only matches the word “test” but also any word
that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”. The notation “\b”
specifies the word boundary. To match exactly the word “test”, the expression should be
\btest\b.

Case sensitivity
Regular expression pattern matching is case sensitive in the web and Email Filter filters.
To make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of “bad language”, regardless of case.
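As an added illustration (not from the handbook), the following code translates a wildcard match pattern into the equivalent Perl-style regular expression and handles the /pattern/options form with the i and x options described here; Python's re module shares Perl's syntax for every construct used above, and the helper names are assumptions.

```python
import re
from typing import Tuple

# Constructed example, not Fortinet code: wildcard-to-regex translation and the
# '/pattern/options' form, checked with Python's re (Perl-compatible for . * ? \b \. i x).


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wildcard match pattern into the equivalent Perl-style regex:
    '*' becomes '.*', '?' becomes '.', and every other character (including '.')
    is escaped so that it matches literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def split_slash_pattern(text: str) -> Tuple[str, str]:
    """If the pattern starts with '/', the text up to the second '/' is the regex and
    what follows are the options ('i', 'x', ...). A missing second '/' is an error.
    Any other pattern is returned unchanged with no options."""
    if not text.startswith("/"):
        return text, ""
    end = text.find("/", 1)
    if end == -1:
        raise ValueError("pattern starts with '/' but has no closing '/'")
    return text[1:end], text[end + 1:]


def compile_pattern(text: str, wildcard: bool = False) -> "re.Pattern[str]":
    body, options = split_slash_pattern(text)
    if wildcard:
        body = wildcard_to_regex(body)
    flags = 0
    if "i" in options:
        flags |= re.IGNORECASE   # /i: case-insensitive match
    if "x" in options:
        flags |= re.VERBOSE      # /x: unescaped white space in the pattern is ignored
    return re.compile(body, flags)


def matches(text: str, pattern: str, wildcard: bool = False) -> bool:
    """True if the pattern matches anywhere in text (no implicit anchors or word boundary)."""
    return compile_pattern(pattern, wildcard).search(text) is not None


if __name__ == "__main__":
    print(wildcard_to_regex("forti*.com"))                    # forti.*\.com
    print(matches("fortinetacom", "fortinet.com"))            # True: '.' is any character
    print(matches("fortinet.com", "forti*.com"))              # False: '*' repeats the 'i'
    print(matches("BAD Language", "/bad language/i"))         # True: /i ignores case
```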

Perl regular expression formats
Table 120 lists and describes some example Perl regular expression formats.

Table 120: Perl regular expression formats
Expression   Matches
abc          “abc” (the exact character sequence, but anywhere in the string)
^abc         “abc” at the beginning of the string
abc$         “abc” at the end of the string
a|b          Either “a” or “b”
^abc|abc$    The string “abc” at the beginning or at the end of the string
ab{2,4}c     “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c      “a” followed by at least two “b”s followed by a “c”
ab*c         “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c         “a” followed by one or more “b”s followed by a “c”
ab?c         “a” followed by an optional “b” followed by a “c”; that is, either “abc” or “ac”
a.c          “a” followed by any single character (not newline) followed by a “c”
a\.c         “a.c” exactly
[abc]        Any one of “a”, “b” and “c”
[Aa]bc       Either of “Abc” and “abc”
[abc]+       Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”)
[^abc]+      Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as
             “defg”)
\d\d         Any two decimal digits, such as 42; same as \d{2}
/i           Makes the pattern case insensitive. For example, /bad language/i blocks any
             instance of bad language regardless of case.
\w+          A “word”: a nonempty sequence of alphanumeric characters and low lines
             (underscores), such as foo and 12bar8 and foo_1
100\s*mk     The strings “100” and “mk” optionally separated by any amount of white space
             (spaces, tabs, newlines)
abc\b        “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”)
perl\B       “perl” when not followed by a word boundary (for example, in “perlert” but not in
             “perl stuff”)
\x           Tells the regular expression parser to ignore white space that is neither preceded
             by a backslash character nor within a character class. Use this to break up a
             regular expression into (slightly) more readable parts.
/x           Used to add regular expressions within other text. If the first character in a pattern
             is a forward slash ‘/’, the ‘/’ is treated as the delimiter. The pattern must contain a
             second ‘/’. The pattern between ‘/’ will be taken as a regular expression, and
             anything after the second ‘/’ will be parsed as a list of regular expression options
             (‘i’, ‘x’, etc). An error occurs if the second ‘/’ is missing. In regular expressions, the
             leading and trailing space is treated as part of the regular expression.

Example regular expressions
Block any word in a phrase:
/block|any|word/
Block purposely misspelled words (Spammers often insert other characters between the
letters of a word to fool spam blocking software.):
/^.*v.*i.*a.*g.*r.*o.*$/i
/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i
Block common spam phrases: (The following phrases are some examples of common
phrases found in spam messages.)
/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i

MMS DLP archiving
You can use DLP archiving to collect and view historical logs that have been archived to a
FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is
available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiOS Carrier
configuration. The FortiGuard Analysis and Management server becomes available when
you subscribe to the FortiGuard Analysis and Management Service.
You can configure full DLP archiving and summary DLP archiving. Full DLP archiving
includes all content, for example, full email DLP archiving includes complete email
messages and attachments. Summary DLP archiving includes just the meta data about
the content, for example, email message summary records include only the email header.
You can archive MM1, MM3, MM4, and MM7 content.

Configuring MMS DLP archiving
Select DLP archive options to archive MM1, MM3, MM4, and MM7 sessions. For each
protocol you can archive just session metadata (Summary), or metadata and a copy of the
associated file or message (Full).
In addition to MMS protection profile DLP archive options you can:
• Archive MM1 and MM7 message floods
• Archive MM1 and MM7 duplicate messages
• Select DLP archiving for carrier end point patterns in a Carrier End Point List and
  select the Carrier End Point Block option in the MMS Scanning section of an MMS
  Protection Profile

FortiOS Carrier only allows one sixteenth of its memory for transferring content archive
files. For example, for FortiOS Carrier units with 128MB RAM, only 8MB of memory is
used when transferring content archive files. It is recommended not to enable full content
archiving if antivirus scanning is also configured because of these memory constraints.
To configure MMS DLP archiving
1 Go to UTM > Carrier > MMS Profile.
2 Select Create New or select the Edit icon beside an existing profile.
3 Expand MMS Bulk AntiSpam Detection > Content Archive.
4 Complete the fields as described in the following table.
5 Select OK.

Display DLP metainformation on the system dashboard
    Select each required protocol to display the content archive summary in the Log and
    Archive Statistics dashboard widget.
Archive to FortiAnalyzer/FortiGuard
    Select each required protocol to send a full or partial content archive, or no archive,
    to the FortiAnalyzer unit or FortiGuard Analysis and Management Service.
    In some cases, FortiOS Carrier may not archive content, or may make only a partial
    content archive, regardless of your selected option. This behavior varies by
    prerequisites for each protocol.
    This option is available only if a FortiAnalyzer unit or FortiGuard Analysis and
    Management Service is configured.
    None      Do not send content archives.
    Summary   Send content archive metadata only. Includes information such as date and
              time, source and destination, request and response size, and scan result.
    Full      Send both content archive metadata and copies of files or messages.

Viewing DLP archives
You can view DLP archives from the FortiOS Carrier unit web-based manager. Archives
are historical logs that are stored on a log device that supports archiving, such as a
FortiAnalyzer unit.
These logs are accessed from Log & Report > DLP Archive, or if you subscribed to
the FortiGuard Analysis and Management Service, you can view log archives from there.
The DLP Archive menu is only visible if one of the following is true.
• You have configured the FortiGate unit for remote logging and archiving to a
  FortiAnalyzer unit.
• You have subscribed to the FortiGuard Analysis and Management Service.
The following tabs are available when you are viewing DLP archives for one of these
protocols.
• E-mail to view POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS, and spam email archives.
• Web to view HTTP and HTTPS archives.
• FTP to view FTP archives.
• IM to view AIM, ICQ, MSN, and Yahoo! archives.
• MMS to view MMS archives.
• VoIP to view session control (SIP, SIMPLE and SCCP) archives.

If you need to view log archives in Raw format, select Raw beside the Column Settings
icon.

Message flood protection
The convenience offered by MM1 and MM4 messaging can be abused by users sending
spam or attempting to overload the network with an excess of messages. MMS flood
prevention can help prevent this type of abuse.
Flood protection for MM1 messages prevents your subscribers from sending too many
messages to your MMSC. Configuring flood protection for MM4 messages prevents
another service provider from sending too many messages from the same subscriber to
your MMSC.
Figure 280: MM1 and MM4 flood protection (diagram: a subscriber's MM1 flood is stopped by
MM1 flood protection on the FortiOS Carrier unit, and an MM4 flood from another operator is
stopped by MM4 flood protection on the FortiOS Carrier unit)

The FortiOS Carrier unit keeps track of the number of messages each subscriber sends
for the length of time you specify. If the number of messages a subscriber sends exceeds
the threshold, a configured action is taken. Possible actions are logging the flood, blocking
or intercepting messages in the flood, archiving the flood messages, and sending an alert
message to inform the administrator that the flood is occurring.
You can create three different thresholds to take different levels of action at different levels
of activity.
With this highly configurable system, you can prevent subscribers from sending more
messages than you determine is acceptable, or monitor anyone who exceeds the
thresholds.

Setting message flood thresholds
A message flood occurs when a single subscriber sends a volume of messages that
exceeds the flood threshold you set. The threshold defines the maximum number of
messages allowed, the period during which the subscriber's sent messages are counted,
and the length of time the sender is restricted from sending messages after a flood is
detected.
If a subscriber exceeds the message flood threshold and is blocked from sending more
messages, any further attempts to send messages will re-start the block period. You must
also enable logging for MMS Scanning > Bulk Messages in the Logging section of the
MMS protection profile.
Note: A subscriber is still able to receive messages while they are blocked from sending
messages.

Example
For example, for the first threshold you may determine that any subscriber who sends
more than 100 MM1 messages in an hour (60 minutes) will have all messages blocked for
30 minutes.
Using this example, if the subscriber exceeds the flood threshold, they are blocked from
sending messages for 30 minutes. If the subscriber tries to send any message after 15
minutes, the message will be blocked and the block period will be reset again to 30
minutes. The block period must expire with no attempts to send a message. Only then will
the subscriber be allowed to send more messages.
To configure MM1 message flood threshold - web-based manager
1 Go to UTM > Carrier > MMS Profile.
2 Select Create New.
3 Enter MM1 flood for Profile Name.
4 Expand MMS Bulk Email Filtering Detection.
5 Enter the following information, and select OK.
MM1 (first column)
Enable                     Enable
Message Flood Window       60 minutes
Message Flood Limit        100
Message Flood Block Time   30 minutes
Message Flood Action       Block

To configure MM1 message flood threshold - CLI
config firewall mms-profile
    edit profile_name
        config flood mm1
            set status1 enable
            set window1 60
            set limit1 100
            set action1 block
            set block-time1 30
        end
    end
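The sliding window, the 30-minute block and the restart of the block period on any attempt to send can be seen in this added example (not Fortinet code); times are minutes, the values are the ones from the profile above, and clearing the message counter when a block expires is an assumption of the model, as are the class and function names.

```python
from collections import deque
from typing import List, Optional

# Constructed example, not Fortinet code: a per-subscriber model of the MM1 flood
# threshold configured above (100 messages per 60-minute window, block for 30 minutes,
# any attempt while blocked restarts the block period). All times are in minutes.


class MM1FloodThreshold:
    def __init__(self, limit: int = 100, window: int = 60, block_time: int = 30):
        self.limit, self.window, self.block_time = limit, window, block_time
        self.sent: deque = deque()              # send times still inside the window
        self.blocked_until: Optional[float] = None

    def submit(self, now: float) -> str:
        """Return 'pass', 'flood' (the message that exceeded the limit) or 'blocked'."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                # Any attempt during the block period resets it to the full block time.
                self.blocked_until = now + self.block_time
                return "blocked"
            # The block expired with no attempts: the subscriber may send again.
            # Clearing the window counter at expiry is an assumption of this model.
            self.blocked_until = None
            self.sent.clear()
        # Drop sends that fell out of the sliding window, then count this one.
        while self.sent and self.sent[0] <= now - self.window:
            self.sent.popleft()
        self.sent.append(now)
        if len(self.sent) > self.limit:         # "more than 100 messages in an hour"
            self.blocked_until = now + self.block_time
            return "flood"
        return "pass"


def simulate(times: List[float], **threshold) -> List[str]:
    """Run one subscriber's send attempts (minutes, ascending) through the threshold."""
    detector = MM1FloodThreshold(**threshold)
    return [detector.submit(t) for t in times]


if __name__ == "__main__":
    # 100 messages in 50 minutes pass; the 101st at minute 50 trips the flood;
    # attempts at 65 and 85 are blocked and each restarts the 30-minute block
    # (without the restart the block would have ended at minute 80);
    # with no attempts until minute 116 the block has expired and the message passes.
    attempts = [i * 0.5 for i in range(100)] + [50, 65, 85, 116]
    print(simulate(attempts)[-5:])   # ['pass', 'flood', 'blocked', 'blocked', 'pass']
```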
The threshold values that you set for your network will depend on factors such as how
busy your network is and the kinds of problems that your network and your subscribers
encounter. For example, if your network is not too busy you may want to set message
flood thresholds relatively high so that only an exceptional situation will exceed a flood
threshold. Then you can use log messages and archived MMS messages to determine
what caused the flood.
If your subscribers are experiencing problems with viruses that send excessive amounts
of messages, you may want to set thresholds lower and enable blocking to catch
problems as quickly as possible and block access to keep the problem from spreading.

Flood actions
When the FortiOS Carrier unit detects a message flood, it can take any combination of the
five actions that you can configure for the flood threshold.
Table 121: MMS flood protection flood actions
Action              Description
Log
    Add a log entry indicating that a message flood has occurred. You must also enable
    logging for MMS Scanning > Bulk Messages in the Logging section of the MMS protection
    profile.
DLP Archive
    Save the first message to exceed the flood threshold, or all the messages that exceed
    the flood threshold, in the DLP archive. DLP archiving flood messages may not always
    produce useful results. Since different messages can be causing the flood, reviewing the
    archived messages may not be a good indication of what is causing the problem since
    the messages could be completely random.
    All messages
        All the messages that exceed the flood threshold will be saved in the DLP archive.
    First message only
        Save only the first message to exceed the flood threshold in the DLP archive. Other
        messages in the flood are not saved. For message floods this may not produce much
        useful information since a legitimate message could trigger the flood threshold.
Intercept
    Messages that exceed the flood threshold are passed to the recipients, but if quarantine
    is enabled for intercepted messages, a copy of each message will also be quarantined
    for later examination. If the quarantine of intercepted messages is disabled, the
    Intercept action has no effect.
Block
    Messages that exceed the flood threshold are blocked and will not be delivered to the
    message recipients. If quarantine is enabled for blocked messages, a copy of each
    message will be quarantined for later examination.
Alert Notification
    If the flood threshold is exceeded, the FortiOS Carrier unit will send an MMS flood
    notification message. In the web-based manager, when Alert Notification is selected it
    displays the fields to configure the notification.


Notifying administrators of floods
You can configure alert notifications for message floods by selecting the Alert Notification
message flood action. The FortiOS Carrier unit sends alert notifications to administrators
using the MM1, MM3, MM4, or MM7 content interface. To send an alert notification you
must configure addresses and other settings required for the content interface.
For example, to send notifications using the MM1 content interface you must configure a
source MSISDN, hostname, URL, and port to which to send the notification. You can also
configure schedules for when to send the notifications.
Finally you can add multiple MSISDN numbers to the MMS protection profile and set
which flood thresholds trigger a notification to each MSISDN.

Example of using three flood threshold levels and different sets of
actions for each threshold
You can set up to three threshold levels to take different actions at different levels of
activity.
The first example threshold records log messages when a subscriber’s handset displays
erratic behavior by sending multiple messages using MM1 at a relatively low threshold.
The erratic behavior could indicate a problem with the subscriber’s handset. For example,
you may have determined for your network that if a subscriber sends more than 45
messages in 30 minutes, you want to record log messages as a possible indication of
erratic behavior.
From the web-based manager in an MMS profile set message Flood Threshold 1 to:
Enable                      Selected
Message Flood Window        30 minutes
Message Flood Limit         45
Message Flood Action        Log


From the CLI:
config firewall mms-profile
edit profile_name
config flood mm1
set status1 enable
set window1 30
set limit1 45
set action1 log
end
end
Set a second higher threshold to take additional actions when a subscriber sends more
than 100 messages in 30 minutes. Set the actions for this threshold to log the flood,
archive the message that triggered the second threshold, and block the sender for 15
minutes.
From the web-based manager in an MMS profile set message Flood Threshold 2 to:
Enable                      Selected
Message Flood Window        30 minutes
Message Flood Limit         100
Message Block Time          15 minutes
Message Flood Action        Log, DLP archive First message only, Block

From the CLI:
config firewall mms-profile
edit profile_name
config flood mm1
set status2 enable
set window2 30
set limit2 100
set action2 block log archive-first
set block-time2 15
end
end
Set the third and highest threshold to block the subscriber for an extended period and
send an administrator alert if the subscriber sends more than 200 messages in 30
minutes. Set the actions for this threshold to block the sender for 4 hours (240 minutes),
log the flood, archive the message that triggered the third threshold, and send an alert to
the administrator.
From the web-based manager in an MMS profile set message Flood Threshold 3 to:
Enable                      Selected
Message Flood Window        30 minutes
Message Flood Limit         200
Message Block Time          240 minutes
Message Flood Action        Log, Block, Alert Notification

Because you have selected the Alert Notification action you must also configure alert
notification settings. For this example, the source MSISDN is 5551234. When
administrators receive MMS messages from this MSISDN they can assume a message
flood has been detected.
In this example, alert notifications are sent by the FortiOS Carrier unit to the MMSC using
MM1. The host name of the MMSC is mmscexample, the MMSC URL is /, and the port
used by the MMSC is 80. In this example, the alert notification window starts at 8:00 and
extends for 8 hours on weekdays (Monday-Friday) and the minimum interval between
message flood notifications is 2 hours.
Source MSISDN                   5551234
Message Protocol                MM1
Hostname                        mmscexample
URL                             /
Port                            80
Notifications Per Second Limit  0
Window Start Time               8:00
Window Duration                 8:00
Day of Week                     Mon, Tue, Wed, Thu, Fri, Sat
Interval                        2 hours


From the CLI:
config firewall mms-profile
edit profile_name
config notification alert-flood-1
set alert-src-msisdn 5551234
set msg-protocol mm1
set mmsc-hostname mmscexample
set mmsc-url /
set mmsc-port 80
set rate-limit 0
set tod-window-start 8:00
set tod-window-duration 8:00
set days-allowed monday tuesday wednesday thursday friday
set alert-int 2
set alert-int-mode hours
end
end

You must also add the MSISDNs of the administrators to be notified of the message flood.
In this example, the administrator flood threshold 3 alert notifications are sent to one
administrator with MSISDN 5554321.
To add administrator’s MSISDNs for flood threshold 3 from the web-based manager when
configuring a protection profile, select MMS Bulk Email Filtering Detection > Recipient
MSISDN > Create New.
MSISDN                      5554321
Flood Level 3               Select


From the CLI:
config firewall mms-profile
edit profile_name
config notif-msisdn
edit 5554321
set threshold flood-thresh-3
end
end

Notifying message flood senders and receivers
The FortiOS Carrier unit does not send notifications to the sender or receiver that cause a
message flood. If the sender or receiver is an attacker and is explicitly informed that they
have exceeded a message threshold, the attacker may try to determine the exact
threshold value by trial and error and then find a way around flood protection. For this
reason, no notification is sent to the sender or receiver.
However, the FortiOS Carrier unit does have replacement messages for sending reply
confirmations to MM1 senders and receivers and for MM4 senders for blocked messages
identified as message floods. For information about how FortiOS Carrier responds when
message flood detection blocks a message, see “FortiOS Carrier and MMS duplicate
message and message floods” on page 1742.

Responses to MM1 senders and receivers
When the FortiOS Carrier unit identifies an MM1 message sent by a sender to an MMSC
as a flood message and blocks it, the FortiOS Carrier unit returns a message submission
confirmation (m-send.conf) to the sender — otherwise the sender’s handset would keep
retrying the message. The m-send.conf message is sent only when the MM1 message
flood action is set to Block. For other message flood actions the message is actually
delivered to the MMSC and the MMSC sends the m-send.conf message.
You can customize the m-send.conf message by editing the MM1 send-conf flood
message MM1 replacement message (from the CLI the mm1-send-conf-flood
replacement message). You can customize the response status and message text for this
message. The default response status is “Content not accepted”. To hide the fact that the
FortiOS Carrier unit is responding to a flood, you can change the response status to
“Success”. The default message text informs the sender that the message was blocked.
You could change this to something more generic.
For example, the following command sets the submission confirmation response status to
“Success” and changes the message text to “Message Sent OK”:
config system replacemsg mm1 mm1-send-conf-flood
set rsp-status ok
set rsp-text “Message Sent OK”
end
When the FortiOS Carrier unit identifies an MM1 message received by a receiver from an
MMSC as a flood message and blocks it, the FortiOS Carrier unit returns a message
retrieval confirmation (m-retrieve.conf) to the sender (otherwise the sender’s handset
would keep retrying the message). The m-retrieve.conf message is sent only when the
MM1 message flood action is set to Block. For other message flood actions the message
is actually delivered to the receiver, so the MMSC sends the m-retrieve.conf message.
You can customize the m-retrieve.conf message by editing the MM1 retrieve-conf flood
message MM1 replacement message (from the CLI the mm1-retr-conf-flood
replacement message). You can customize the class, subject, and message text for this
message.
For example, you could use the following command to make the response more generic:
config system replacemsg mm1 mm1-retr-conf-flood
set subject “Message blocked”
set message “Message temporarily blocked by carrier”
end

Forward responses for MM4 message floods
When the FortiOS Carrier unit identifies an MM4 message as a flood message and blocks
it, the FortiOS Carrier unit returns a message forward response (MM4_forward.res) to the
forwarding MMSC (otherwise the forwarding MMSC would keep retrying the message).
The MM4_forward.res message is sent only when the MM4 message flood action is set to
Block and the MM4-forward.req message requested a response. For more information,
see “FortiOS Carrier and MMS duplicate message and message floods” on page 1742.
You can customize the MM4_forward.res message by editing the MM4 flood message
MM4 replacement message (from the CLI the mm4-flood replacement message). You
can customize the response status and message text for this message. The default
response status is “Content not accepted” (err-content-not-accept). To hide the
fact that the FortiOS Carrier unit is responding to a flood, you can change the response
status to “Success”. The default message text informs the sender that the message was
blocked. You could change this to something more generic.
For example, the following command sets the forward response status to “Success” and
changes the message text to “Message Forwarded OK” for the MM4 message forward
response:
config system replacemsg mm4 mm4-flood
set rsp-status ok
set rsp-text “Message Forwarded OK”
end

Viewing DLP archived messages
If DLP Archive is a selected message flood action, the messages that exceed the
threshold are saved to the MMS DLP archive. The default behavior is to save all of the
offending messages, but you can configure the DLP archive setting to save only the first
message that exceeds the threshold. This still provides a sample of the offending
messages without requiring as much storage.
To select only the first message in a flood for DLP archiving - web-based manager
1 Go to UTM > Carrier > MMS Profile.
2 Select an existing MMS Profile.

Order of operations: flood checking before duplicate checking
Although duplicate checking involves only examination and comparison of message
contents and not the sender or recipient, and flood checking involves only totalling the
number of messages sent by each subscriber regardless of the message content, there
are times when a selection of messages exceed both flood and duplicate thresholds.
The FortiOS Carrier unit checks for message floods before checking for duplicate
messages. Flood checking is less resource-intensive and if the flood threshold invokes a
Block action, the blocked messages are stopped before duplicate checking occurs. This
saves both time and FortiOS Carrier system resources.
Note: The duplicate scanner will only scan content. It will not scan headers. Content must
be exactly the same. If there is any difference at all in the content, it will not be considered
a duplicate.

Bypassing message flood protection based on user’s carrier end points
You can use carrier end point filtering to exempt MMS sessions from message flood
protection. Carrier end point filtering matches carrier end points in MMS sessions with
carrier end point patterns. If you add a carrier end point pattern to a filter list and set the
action to exempt from mass MMS, all messages from matching carrier end points bypass
message flood protection. See “Controlling access to MMS services based on a user’s
carrier end point” on page 87.

Configuring message flood detection
To have the FortiOS Carrier unit check for message floods, you must first configure the
flood threshold in an MMS profile, select the MMS profile in a protection profile, and select
the protection profile in a firewall policy. All the traffic examined by the firewall policy will be
checked for message floods according to the threshold values you set in the MMS profile.
Configure the MMS profile
1 Go to Firewall > MMS Profile.
2 If you are editing an MMS profile, select the Edit icon of the MMS profile.
If you are creating a new MMS profile, select Create New and enter a profile name.
3 Expand MMS Bulk Email Filtering Detection.
4 Expand Message Flood.
5 Expand Flood Threshold 1.
6 Select the Enable check box for MM1 messages, MM4 messages, or both.
7 In the Message Flood Window field, enter the length of time the FortiOS Carrier unit
will keep track of the number of messages each subscriber sends.
If the FortiOS Carrier unit detects the quantity of messages specified in the Message
Flood Limit sent during the number of minutes specified in the Message Flood Window,
a message flood is in progress.

8 In the Message Flood Limit field, enter the number of messages required to trigger the
flood.
9 In the Message Flood Block Time field, enter the length of time a user will be blocked
from sending messages after causing the message flood.
10 Select the message flood actions the FortiOS Carrier unit will take when the message
flood is detected.
11 Select OK.
Configure the protection profile
1 Go to Firewall > Protection Profile.
2 If you are editing a protection profile, select the Edit icon of the protection profile.
If you are creating a new protection profile, select Create New and enter a profile name.
3 Expand MMS Profile.
4 Select the MMS profile from the list.
5 Select OK.
Configure the Firewall policy
1 Go to Firewall > Policy.
2 Select the Edit icon of the firewall policy that controls the traffic in which you want to
detect message floods.
3 Select the Protection Profile check box to enable the use of a protection profile.
4 Select the protection profile from the protection profile list.
5 Select OK.

Sending administrator alert notifications
Configuring how and when to send alert notifications
When message floods are detected, the FortiOS Carrier unit can be configured to notify
you immediately with an MMS message. Enable this feature by selecting Alert Notification
in the message flood action. Each message flood threshold can be configured separately.
You can configure different alert notifications for MM1 and MM4 message floods. You can
configure the FortiOS Carrier unit to send these alert notifications using the MM1, MM3,
MM4, or MM7 content interface. Each of these content interfaces requires alert notification
settings that the FortiOS Carrier unit uses to communicate with a server using the
selected content interface.
For the MM1 content interface you require:
• The hostname of the server
• The URL of the server (usually “/”)
• The server port (usually 80)
For the MM3 and MM4 content interfaces you require:
• The hostname of the server
• The server port (usually 80)
• The server user domain
For the MM7 content interface you require:
• The message type:
  • submit.REQ to send a notification message to the sender in the form of a submit
    request. The message goes from a VAS application to the MMSC.
  • deliver.REQ to send a notification message to the sender in the form of a deliver
    request. The message goes from the MMSC to a VAS application.
• The hostname of the server
• The URL of the server (usually “/”)
• The server port (usually 80)
• A user name and password to connect to the server
• The value-added-service-provider (VASP) ID
• The value-added-service (VAS) ID


For more information, see “MMS notifications” on page 78.

To configure administrator alert notifications
1 Go to Firewall > MMS Profile and edit or add a new MMS protection profile.
2 Expand MMS Bulk Email Filtering Detection.
There are three message flood thresholds.
3 Expand the threshold that you want to configure alert notification for.
4 For Message Flood Action, select the Alert Notification check box. Alert notification
options appear.
5 For the Source MSISDN, enter the MSISDN from which the alert notification message
will be sent.
6 Select the Message Protocol the alert notification will use: MM1, MM3, MM4, or MM7.
7 Add the information required by FortiOS Carrier to send messages using the selected
message protocol:
8 For Notifications Per Second Limit, enter the number of notifications to send per
second.
Use this setting to control the number of notifications sent by the FortiOS Carrier
unit. If you enter zero (0), the notification rate is not limited.
9 If required, change Window Start Time and Window Duration to configure when the
FortiOS Carrier unit sends alert notifications.
By default, notifications are sent at any time of the day. You can change the Window
Start Time if you want to delay sending alert messages. You can also reduce the
Window Duration if you want to stop sending alert notifications earlier.
For example, you might not want FortiOS Carrier sending notifications except during
business hours. In this case the Window Start Time could be 9:00 and the Window
Duration could be 8:00 (8 hours).
You can set different alert notifications for each message threshold. For example, you
could limit the message window for lower thresholds and set it to 24 hours for higher
thresholds. This way administrators will only receive alert notifications outside of
business hours for higher thresholds.
10 For Day of Week, select the days of the week to send notifications.
For example, you may only want to send alert notifications on weekends for higher
thresholds.
11 In the Interval field, enter the maximum frequency that alert notification messages will
be sent, in minutes or hours.
All alerts occurring during the interval will be included in a single alert notification
message to reduce the number of alert messages that are sent.
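The window, day-of-week and interval rules from steps 9 to 11, as an added example (not FortiOS code) of how a notifier holds and batches flood alerts: an alert detected outside the window or inside the minimum interval since the last notification is held, and the next notification that does go out carries every held alert in a single message. The class, its method names, the dates and the MSISDNs are constructed; the schedule values (08:00 start, 8 hour duration, weekdays, 2 hour interval) follow the earlier example in this chapter.

```python
from datetime import datetime, timedelta

DAY_NAMES = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # index = datetime.weekday()


class AlertNotifier:
    """Batches flood alerts into notification MMS messages according to the alert
    window (start time, duration, days) and the minimum interval between messages."""

    def __init__(self, window_start="08:00", window_hours=8,
                 days=("mon", "tue", "wed", "thu", "fri"), interval=timedelta(hours=2)):
        hours, minutes = (int(part) for part in window_start.split(":"))
        self.start = timedelta(hours=hours, minutes=minutes)
        self.duration = timedelta(hours=window_hours)
        self.days = set(days)
        self.interval = interval
        self.pending = []       # floods detected but not yet reported
        self.last_sent = None   # when the previous notification MMS went out
        self.sent = []          # (time, [floods]) for every notification MMS sent

    def in_window(self, now):
        time_of_day = now - now.replace(hour=0, minute=0, second=0, microsecond=0)
        return (DAY_NAMES[now.weekday()] in self.days
                and self.start <= time_of_day < self.start + self.duration)

    def on_flood(self, now, msisdn, level):
        """Record a detected flood and send a notification now if the schedule allows it."""
        self.pending.append((now, msisdn, level))
        return self.flush(now)

    def flush(self, now):
        """Send one MMS carrying every pending flood, unless outside the window or inside the
        interval since the last message (then the floods wait for the next message)."""
        if not self.pending or not self.in_window(now):
            return False
        if self.last_sent is not None and now - self.last_sent < self.interval:
            return False
        self.sent.append((now, list(self.pending)))
        self.pending.clear()
        self.last_sent = now
        return True


def run_notification_example():
    """Replays the weekday 08:00 + 8 hour window with a 2 hour interval. Dates and
    MSISDNs are constructed; 12 July 2010 is a Monday."""
    n = AlertNotifier()
    monday = datetime(2010, 7, 12)
    results = [
        n.on_flood(monday.replace(hour=7, minute=30), "5550001", 3),   # before the window: held
        n.on_flood(monday.replace(hour=8, minute=5), "5550002", 3),    # sent, carrying both floods
        n.on_flood(monday.replace(hour=9, minute=0), "5550003", 3),    # inside the interval: held
        n.on_flood(monday.replace(hour=10, minute=30), "5550004", 3),  # interval over: sent with the held one
        n.on_flood(monday.replace(hour=17, minute=0), "5550005", 3),   # after 16:00: held
        n.on_flood(datetime(2010, 7, 17, 10, 0), "5550006", 3),        # Saturday: held
    ]
    return {
        "sent_flags": results,
        "floods_per_message": [len(floods) for (_, floods) in n.sent],
        "still_pending": len(n.pending),
    }


if __name__ == "__main__":
    print(run_notification_example())
```

Only two notification messages go out for six floods, each carrying two floods, and the two floods raised outside the window remain pending until the next permitted send.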

Configuring who to send alert notifications to
In each MMS protection profile you add a list of recipient MSISDNs. For each of these
MSISDNs you select the message flood threshold that triggers sending notifications to this
MSISDN.
To configure the alert notification recipients
1 Go to Firewall > MMS Profile.
2 Select the Edit icon of the MMS profile in which you want to configure the alert
notification recipients.
3 Expand MMS Bulk Email Filtering Detection.

4 Expand Recipient MSISDN.
5 Select Create New.
6 In the New MSISDN window, enter the MSISDN to use for flood threshold alert
notification.
7 Select the duplicate thresholds at which to send alert notifications to the MSISDN.
Note: For the flood threshold to be able to send an alert notification to the MSISDN, the
alert notification action must be enabled and configured within the flood threshold.

Duplicate message protection
The convenience offered by MM1 and MM4 messaging can be abused by users sending
spam or other unwanted messages. Often, the same message will be sent by multiple
subscribers. The message can be spam, viral marketing, or worm-generated messages.
MMS duplicate prevention can help prevent this type of abuse by keeping track of the
messages being sent.
Duplicate message protection for MM1 messages prevents multiple subscribers from
sending duplicate messages to your MMSC. Duplicate message protection for MM4
messages prevents another service provider from sending duplicate messages from the
same subscriber to your MMSC. This can help prevent a potential flood that would
otherwise become widespread between carriers.
Figure 281: MM1 and MM4 duplicate message protection
[Figure: multiple subscribers sending the same message to the FortiOS Carrier unit (MM1
duplicate message protection), and MM4 duplicate messages arriving from another
operator’s FortiOS Carrier unit, where multiple subscribers are sending the same message
(MM4 duplicate message protection)]

The FortiOS Carrier unit keeps track of the sent messages. If the same message appears
more often than the threshold value you configure, then action is taken. Possible actions
are logging the duplicates, blocking or intercepting duplicate messages, archiving the
duplicate messages, and sending an alert to inform an administrator that duplicates are
occurring.
With this highly configurable system, you can prevent the transmission of duplicate
messages once more copies are sent than you determine is acceptable.

Using message fingerprints to identify duplicate messages
The FortiOS Carrier unit detects duplicates by keeping a record of all the messages
travelling on the network and comparing new messages to those that have already been
sent.
Rather than save the messages, the FortiOS Carrier unit creates a checksum using the
message body and subject. This serves as a fingerprint to identify the message. If another
message with the same message body and subject appears, the fingerprint will also be
the same and the FortiOS Carrier unit will recognize it as a duplicate.
By creating and saving message fingerprints instead of saving the messages, the FortiOS
Carrier unit can save resources and time.

Messages from any sender to any recipient
Duplicate message detection will detect duplicate messages regardless of the sender or
recipient. To do this, message fingerprints are generated using only the message body
and subject. The sender, recipient, and other header information is not included.
If multiple messages appear with the same subject and message body, the FortiOS
Carrier unit will recognize them as being the same.

Setting duplicate message thresholds
The FortiOS Carrier unit recognizes all duplicate messages, but it takes action only when it
detects a volume of duplicate messages that exceeds the duplicate threshold you set. The
threshold defines the maximum number of duplicate messages allowed, the period during
which the messages are considered, and the length of time the duplicate message cannot
be sent by anyone.
For example, you may determine that once a duplicate message is sent more than 300
times in an hour, any attempt to send the same duplicate message will be blocked for 30
minutes.
If a particular duplicate message exceeds the duplicate message threshold and is
blocked, any further attempts to send the same message will re-start the block period.
Using the example above, if the duplicate message count exceeds the duplicate
threshold, any attempt to send a copy of the duplicate message will be blocked for 30
minutes. If a subscriber tries to send a copy of the message after waiting 15 minutes, the
message will be blocked and the block period will be reset to 30 minutes. The block period
must expire with no attempts to send a duplicate message. Only then will a subscriber be
allowed to send the message. Non-duplicate messages will not reset the block period.
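The fingerprint and threshold behaviour described in the last two subsections, as an added example that is not Fortinet's code: a SHA-256 digest of subject and body (sender, recipient and other headers excluded) stands in for the handbook's checksum, copies are counted per fingerprint inside the sliding window, the copy that exceeds the threshold is blocked, and only another copy of a blocked message restarts its block, as the text states. The threshold values follow the text (300 copies per hour, 30 minute block); the messages, MSISDNs and the choice to start the count afresh after a block are constructed assumptions.

```python
import hashlib
from collections import defaultdict, deque


def fingerprint(subject, body):
    """Digest of subject and body only; sender, recipient and other headers are ignored."""
    h = hashlib.sha256()
    h.update(subject.encode("utf-8"))
    h.update(b"\x00")                      # separator so "ab"+"c" and "a"+"bc" differ
    h.update(body.encode("utf-8"))
    return h.hexdigest()


class DuplicateDetector:
    """Counts copies of each fingerprint in a sliding window and blocks further copies."""

    def __init__(self, window_min, limit, block_time_min):
        self.window = window_min * 60
        self.limit = limit
        self.block = block_time_min * 60
        self.seen = defaultdict(deque)     # fingerprint -> times (seconds) of recent copies
        self.blocked_until = {}            # fingerprint -> time the block expires
        self.events = []                   # (time, fingerprint) each time the threshold is crossed

    def check(self, t, msg):
        """Return 'deliver' or 'block' for msg (a dict with subject, body, from, to) at time t."""
        fp = fingerprint(msg["subject"], msg["body"])
        if t < self.blocked_until.get(fp, 0):
            # Another copy during the block restarts the block; unrelated messages never do.
            self.blocked_until[fp] = t + self.block
            return "block"
        copies = self.seen[fp]
        copies.append(t)
        while copies and copies[0] <= t - self.window:
            copies.popleft()
        if len(copies) > self.limit:
            self.events.append((t, fp))
            self.blocked_until[fp] = t + self.block
            copies.clear()   # modelling choice: counting starts afresh once the block has expired
            return "block"
        return "deliver"


def run_duplicate_example():
    """Replays the 300-per-hour, 30-minute-block threshold from the text with constructed
    messages; the MSISDNs and message text are sample values."""
    det = DuplicateDetector(window_min=60, limit=300, block_time_min=30)
    spam = {"subject": "Free ringtone", "body": "Reply YES to claim", "to": "5550100"}
    # 301 copies from 301 different senders, one every 10 seconds (50 minutes in total);
    # the differing headers do not change the fingerprint.
    verdicts = [det.check(i * 10, dict(spam, **{"from": f"555{i:04d}"})) for i in range(301)]
    retry = det.check(3900, dict(spam, **{"from": "5559999"}))   # 15 min into the block: restarts it
    other = det.check(3900, {"subject": "Hi", "body": "Lunch?", "from": "5550001", "to": "5550002"})
    after = det.check(5760, dict(spam, **{"from": "5559998"}))   # restarted block expired, no copies since
    return {
        "first_block_index": verdicts.index("block"),
        "retry": retry,
        "other": other,
        "after": after,
        # Content must match exactly: a single trailing space is a different message.
        "exact_match_only": fingerprint("Free ringtone", "Reply YES to claim")
                            != fingerprint("Free ringtone", "Reply YES to claim "),
    }


if __name__ == "__main__":
    print(run_duplicate_example())
```

The 301st copy is the first one blocked, the copy sent 15 minutes later is blocked and extends the block by a further 30 minutes, an unrelated message at the same time is delivered without touching the block, and a copy sent after the restarted block has expired is delivered again.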

Duplicate message actions
When the FortiOS Carrier unit detects that a duplicate message has exceeded the duplicate
threshold, it can take any combination of the five actions you configure for the duplicate
threshold.
Action              Description
Log
    Add a log entry indicating that a duplicate message event has occurred. You must also
    enable logging for MMS Scanning > Bulk Messages in the Logging section of the MMS
    protection profile.
DLP Archive
    All messages
        Save all the messages that exceed the duplicate threshold in the DLP archive.
    First message only
        Save the first message to exceed the duplicate threshold in the DLP archive.
        Subsequent messages that exceed the duplicate threshold will not be saved.
Intercept
    Messages that exceed the duplicate threshold are passed to the recipients, but if
    quarantine is enabled for intercepted messages, a copy of each message is also
    quarantined for later examination. If the quarantine of intercepted messages is disabled,
    the Intercept action has no effect.
Block
    Messages that exceed the duplicate threshold are blocked and will not be delivered to
    the message recipients. If quarantine is enabled for blocked messages, a copy of each
    blocked message is quarantined for later examination.
Alert Notification
    If the duplicate threshold is exceeded, the FortiOS Carrier unit will send an MMS
    duplicate message notification message.

Notifying duplicate message senders and receivers
The FortiOS Carrier unit does not send notifications to the sender or receiver of duplicate
messages. If the sender or receiver is an attacker and is explicitly informed that they have
exceeded a message threshold, the attacker may try to determine the exact threshold
value by trial and error and then find a way around duplicate message protection. For this
reason, no notification is sent to the sender or receiver.
However, the FortiOS Carrier unit does have replacement messages for sending reply
confirmations to MM1 senders and receivers and for MM4 senders for blocked messages
identified as duplicate messages. For information about how FortiOS Carrier responds
when message flood detection blocks a message, see “FortiOS Carrier and MMS
duplicate message and message floods” on page 1742.

Responses to MM1 senders and receivers
When the FortiOS Carrier unit identifies an MM1 message sent by a sender to an MMSC
as a duplicate message and blocks it, the FortiOS Carrier unit returns a message
submission confirmation (m-send.conf) to the sender (otherwise the sender’s handset
would keep retrying the message). The m-send.conf message is sent only when the MM1
duplicate message action is set to Block. For other duplicate message actions the
message is actually delivered to the MMSC and the MMSC sends the m-send.conf
message.
You can customize the m-send.conf message by editing the MM1 send-conf duplicate
message MM1 replacement message (from the CLI the mm1-send-conf-dupe
replacement message). You can customize the response status and message text for this
message. The default response status is “Content not accepted”. To hide the fact that the
FortiOS Carrier unit is responding to a duplicate message, you can change the response
status to “Success”. The default message text informs the sender that the message was
blocked. You could change this to something more generic.
For example, the following command sets the submission confirmation response status to
“Success” and changes the message text to “Message Sent OK”:
config system replacemsg mm1 mm1-send-conf-dupe
set rsp-status ok
set rsp-text “Message Sent OK”
end

When the FortiOS Carrier unit identifies an MM1 message received by a receiver from an
MMSC as a duplicate message and blocks it, the FortiOS Carrier unit returns a message
retrieval confirmation (m-retrieve.conf) to the sender (otherwise the sender’s handset
would keep retrying). The m-retrieve.conf message is sent only when the MM1 duplicate
message action is set to Block. For other duplicate message actions the message is
actually received by the receiver, so the MMSC sends the m-retrieve.conf message.
You can customize the m-retrieve.conf message by editing the MM1 retrieve-conf duplicate
message MM1 replacement message (from the CLI the mm1-retr-conf-dupe
replacement message). You can customize the class, subject, and message text for this
message.
For example, you could use the following command to make the response more generic:
config system replacemsg mm1 mm1-retr-conf-dupe
set subject “Message blocked”
set message “Message temporarily blocked by carrier”
end

Forward responses for duplicate MM4 messages
When the FortiOS Carrier unit identifies an MM4 message as a duplicate message and
blocks it, the FortiOS Carrier unit returns a message forward response (MM4_forward.res)
to the forwarding MMSC (otherwise the forwarding MMSC would keep retrying the
message). The MM4_forward.res message is sent only when the MM4 duplicate message
action is set to Block and the MM4-forward.req message requested a response. For more
information, see “FortiOS Carrier and MMS duplicate message and message floods” on
page 1742.
You can customize the MM4_forward.res message by editing the MM4 duplicate message
MM4 replacement message (from the CLI the mm4-dupe replacement message). You can
customize the response status and message text for this message. The default response
status is “Content not accepted” (err-content-not-accept). To hide the fact that the
FortiOS Carrier unit is responding to a duplicate message, you can change the response
status to “Success”. The default message text informs the sender that the message was
blocked. You could change this to something more generic.
For example, the following command sets the forward response status to “Success” and
changes the message text to “Message Forwarded OK”:
config system replacemsg mm4 mm4-dupe
    set rsp-status ok
    set rsp-text "Message Forwarded OK"
end

Viewing DLP archived messages
If DLP Archive is a selected duplicate message action, the messages that exceed the
threshold are saved to the MMS DLP archive. The default behavior is to save all of the
offending messages but you can configure the DLP archive setting to save only the first
message that exceeds the threshold. See “MMS DLP archiving” on page 121.

Order of operations: flood checking before duplicate checking
Although duplicate checking involves only examination and comparison of message
contents and not the sender or recipient, and flood checking involves only totalling the
number of messages sent by each subscriber regardless of the message content, there
are times when a selection of messages exceed both flood and duplicate thresholds.
The FortiOS Carrier unit checks for message floods before checking for duplicate
messages. Flood checking is less resource-intensive and if the flood threshold invokes a
Block action, the blocked messages are stopped before duplicate checking occurs. This
saves both time and FortiOS Carrier system resources.

Bypassing duplicate message detection based on user’s carrier end points
You can use carrier end point filtering to exempt MMS sessions from duplicate message
detection. Carrier end point filtering matches carrier end points in MMS sessions with
carrier end point patterns. If you add a carrier end point pattern to a filter list and set the
action to exempt from mass MMS, all messages from matching carrier end points bypass
duplicate message detection. See “Controlling access to MMS services based on a user’s
carrier end point” on page 87.

Configuring duplicate message detection
To have the FortiOS Carrier unit check for duplicate messages, configure the duplicate
threshold in an MMS profile, select the MMS profile in a protection profile, and select the
protection profile in a firewall policy.
1 Create an MMS profile and configure one or more of the duplicate thresholds as
required.
2 Select the MMS profile in a protection profile.
3 Select the protection profile in a firewall policy.
All traffic matching the firewall policy will be checked for duplicate messages according to
the settings in the MMS profile.
Note: The duplicate scanner will only scan content. It will not scan headers. Content must
be exactly the same. If there is any difference at all in the content, it will not be considered
a duplicate.

The modular nature of the profiles allows you great flexibility in how you configure the
scanning options. MMS profiles can be used in any number of protection profiles.
Similarly, protection profiles can be used in any number of firewall policies.
In a complex configuration, there may be many firewall policies, each with a different
protection profile and MMS profile. For a simpler network, you may have many firewall
policies all using the same protection profile and MMS profile.

Sending administrator alert notifications
Configuring how and when to send alert notifications
When duplicate messages are detected, the FortiOS Carrier unit can be configured to
notify you immediately with an MMS message. Enable this feature by selecting Alert
Notification in the duplicate message action. Each duplicate message threshold can be
configured separately.
You can configure different alert notifications for MM1 and MM4 duplicate messages. You
can configure the FortiOS Carrier unit to send these alert notifications using the MM1,
MM3, MM4, or MM7 content interface. Each of these content interfaces requires alert
notification settings that the FortiOS Carrier unit uses to communicate with a server using
the selected content interface.
For the MM1 content interface you require:
• The hostname of the server
• The URL of the server (usually “/”)
• The server port (usually 80)
For the MM3 and MM4 content interfaces you require:
• The hostname of the server
• The server port (usually 80)
• The server user domain
For the MM7 content interface you require:
• The message type:
  • submit.REQ to send a notification message to the sender in the form of a submit
    request. The message goes from a VAS application to the MMSC.
  • deliver.REQ to send a notification message to the sender in the form of a deliver
    request. The message goes from the MMSC to a VAS application.
• The hostname of the server
• The URL of the server (usually “/”)
• The server port (usually 80)
• A user name and password to connect to the server
• The value-added-service-provider (VASP) ID
• The value-added-service (VAS) ID


To configure administrator alert notifications
1 Go to Firewall > MMS Profile and edit or add a new MMS protection profile.
2 Expand MMS Bulk Email Filtering Detection.
There are three duplicate message thresholds.
3 Expand the threshold that you want to configure alert notification for.
4 For Duplicate Message Action, select the Alert Notification check box. Alert notification
options appear.
5 For the Source MSISDN, enter the MSISDN from which the alert notification message
will be sent.
6 Select the Message Protocol the alert notification will use: MM1, MM3, MM4, or MM7.
7 Add the information required by FortiOS Carrier to send messages using the selected
message protocol.
8 For Notifications Per Second Limit, enter the number of notifications to send per
second.
Use this setting to control the number of notifications sent by the FortiOS
Carrier unit. If you enter zero (0), the notification rate is not limited.
9 If required, change Window Start Time and Window Duration to configure when the
FortiOS Carrier unit sends alert notifications.
By default, notifications are sent at any time of the day. You can change the Window
Start Time if you want to delay sending alert messages. You can also reduce the
Window Duration if you want to stop sending alert notifications earlier.
For example, you might not want FortiOS Carrier sending notifications except during
business hours. In this case the Window Start Time could be 9:00 and the Window
Duration could be 8:00 hours.
You can set different alert notifications for each message threshold. For example, you
could limit the message window for lower thresholds and set it to 24 hours for higher
thresholds. This way administrators will only receive alert notifications outside of
business hours for higher thresholds.
10 For Day of Week, select the days of the week to send notifications.
For example, you may only want to send alert notifications on weekends for higher
thresholds.
11 In the Interval field, enter the maximum frequency that alert notification messages will
be sent, in minutes or hours.
All alerts occurring during the interval will be included in a single alert notification
message to reduce the number of alert messages that are sent.

Configuring who to send alert notifications to
In each MMS protection profile you add a list of recipient MSISDNs. For each of these
MSISDNs you select the duplicate threshold that triggers sending notifications to this
MSISDN.
To configure the alert notification recipients
1 Go to Firewall > MMS Profile.
2 Select the Edit icon of the MMS profile in which you want to configure the alert
notification recipients.
3 Expand MMS Bulk Email Filtering Detection.

4 Expand Recipient MSISDN.
5 Select Create New.
6 In the New MSISDN window, enter the MSISDN to use for duplicate threshold alert
notification.
7 Select the duplicate thresholds at which to send alert notifications to the MSISDN.
Note: For the duplicate threshold to be able to send an alert notification to the MSISDN, the
duplicate message threshold alert notification action must be enabled and configured.

MMS Replacement messages
Go to System > Config > Replacement Message to change replacement messages and
customize notifications that the FortiOS Carrier unit adds to MMS content streams and for
administrator alert notifications.
The replacement messages configured here are the default replacement message group
selected in a protection profile. To add a replacement message to a protection profile, go to
Firewall > Protection Profile, add or edit a protection profile, and under Replacement
Messages select a replacement message group. The default replacement message group is
selected by default.
Note: Disclaimer replacement messages provided by Fortinet are examples only.

This section includes:
• Changing replacement messages
• Multimedia content for MMS replacement messages
• MMS replacement message types
• Replacement message tags
• Replacement message groups

Changing replacement messages
To change a replacement message list go to System > Config > Replacement Message.
Use the expand arrows to view the replacement message that you want to change. You
can change the content of the replacement message by editing the text and HTML codes
and by working with replacement message tags.
Replacement messages can be text or HTML messages. You can add HTML code to
HTML messages. Allowed Formats shows you which format to use in the replacement
message. There is a limit of 8192 characters for each replacement message. The
following fields and options are available when editing a replacement message. Different
replacement messages have different sets of fields and options.
Message Setup: The name of the replacement message.

Allowed Formats: The type of content that can be included in the replacement message.
Allowed formats can be either Text or HTML. You can include replacement message tags in
text and HTML messages. You should not use HTML code in Text messages as it will be
incorrectly displayed.

Size: The number of characters allowed in the replacement message. A typical size is 8192
characters. This is the combined total size of the message text, any SMIL content, and
image. Each part of the MMS replacement message is limited to smaller sizes: 1023
characters for message text, 1023 characters for SMIL content, and 6000 bytes for an
image if included.

Response Status: Select a response status for the replacement message. Many options are
available including Content not accepted, Success, and Unspecified error.

Priority: Set the priority used by the protocol for sending the message. This priority is
not used by FortiOS Carrier; it is added to the message. Options include Not Specified,
Low, Normal, and High.

Class: Select the classification used by the protocol for the message. The classification
is not used by FortiOS Carrier but is added to the message. Select Not Specified,
Personal, Advertisement, Information, or Automatic. Note that not all MMS replacement
messages include this field.

Sender Visibility: Select whether to show or hide the message sender. You can also select
Not Specified.

Use Sender MSISDN: Select to include the sender’s MSISDN in the replacement message. If
the From field is used, the Use Sender MSISDN field is disabled.

From: Enter the name that should appear as the sender of the replacement message. You
cannot include replacement message tags in the From field. If the Use Sender MSISDN field
is selected, the From field is disabled.

Subject: Enter or edit the subject for the replacement message. You cannot include
replacement message tags in the subject field.

Character Set: Select the character set to use for the replacement message. You can
select UTF-8 or US ASCII.

Add SMIL Part: Select to include Synchronized Multimedia Integration Language (SMIL) code
in the message. Enter SMIL code into the SMIL Contents part of the replacement message.
The Image and SMIL Contents fields are disabled unless Add SMIL Part is selected.

Image: Select a replacement message image to include in the replacement message. Use the
%%IMAGE_CID%% tag to include the image in the SMIL contents. Any image you select must be
6000 bytes or less in size.

SMIL Contents: Enter SMIL code for the replacement message to allow multimedia content
presentation. The SMIL contents are limited to 1023 characters.

Message Text: The editable text of the replacement message. The message text can include
text, HTML codes (if HTML is the allowed format) and replacement message tags. The size
limit on this message is 1023 characters.

Multimedia content for MMS replacement messages
One of the main differences MMS replacement messages have is the addition of the
Synchronized Multimedia Integration Language (SMIL) message portion. SMIL is a markup
language, based on XML, that controls the presentation of media items such as text,
images, audio, video, or even links to other SMIL presentations. This allows you to create
a multimedia replacement message that includes your company colors and logo, an
animated company logo, or other more advanced presentations as appropriate. For more
information on SMIL, see the W3C website http://www.w3.org/AudioVideo/.
The most important limit to be aware of is the size limit. The SMIL code portion can only be
1023 characters, which is the same maximum size as the regular message portion of the
replacement message. If you include an image, its maximum size is 6000 bytes and it can
only be a GIF, JPEG, PNG, or TIFF file.
The following procedure creates an entry for a PNG image file called test_image1. It
is then included in the MM1 send-req virus message replacement message.

To upload an image for a SMIL message - web-based manager
1 In the web-based manager, go to System > Config > Replacement Message Group.
2 Select Manage Images, and select Create New.
3 Enter test_image1 for Name.
4 For Content Type select PNG.
5 Browse to the file location on your local computer using Browse next to Upload.
6 Select OK.
At this point, you should be able to see your image displayed with a tag of
test_image1.
To use an image in an MMS replacement message - web-based manager
1 Go to System > Config > Replacement Messages.
2 Expand MM1.
3 Edit the MM1 send-req virus message replacement message.
4 Enable Add SMIL Part.
5 For Image, select test_image1 from the drop down list.
6 Enter SMIL code to display the image as required.
7 Enter message text including any replacement message tags required.
8 Enter rest of information as required.
9 Select OK.

MMS replacement message types
There are three types of replacement message used with MMS. The three types are:
Table 122: MMS replacement messages

m-send-conf: These messages are sent in response to an m-send-req message initiated by
the mobile client. This message can only contain a response code and a plain-text
response message to the client.

m-retrieve-conf: These messages are sent in response to a GET request resulting in the
return of an MMS message. A new message is built using the options specified in these
replacement messages, including a WML format message, and sent back to the user to inform
them of what has occurred.

m-send-req: These messages are sent to notify the user of how many messages have been
sent from their phone that violate the message content rules. A message is built from the
options specified in these replacement messages, including a WML format message, and sent
to the MMSC for delivery to the client.
Replacement message tags
Replacement messages can include replacement message tags. When users receive the
replacement message, the replacement message tag is replaced with content relevant to
the message. Table 123 lists the replacement message tags that you can add.
Table 123: Replacement message tags

%%AUTH_LOGOUT%%: The URL that will immediately delete the current policy and close the
session. Used on the auth-keepalive page.

%%AUTH_REDIR_URL%%: The auth-keepalive page can prompt the user to open a new window
which links to this tag.

%%CATEGORY%%: The name of the content category of the web site.

%%DEST_IP%%: The IP address of the request destination from which a virus was received.
For email this is the IP address of the email server that sent the email containing the
virus. For HTTP this is the IP address of the web page that sent the virus.

%%DURATION%%: The amount of time in the reporting period. This is user defined in the
protection profile.

%%EMAIL_FROM%%: The email address of the sender of the message from which the file was
removed.

%%EMAIL_TO%%: The email address of the intended receiver of the message from which the
file was removed.

%%FAILED_MESSAGE%%: The failed-to-login message displayed on the auth-login-failed page.

%%FILE%%: The name of a file that has been removed from a content stream. This could be a
file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be
used in virus and file block messages.

%%FORTIGUARD_WF%%: The FortiGuard - Web Filtering logo.

%%FORTINET%%: The Fortinet logo.

%%IMAGE_CID%%: The reference name of an image you have uploaded to the FortiOS Carrier
unit. Use this to display the image in the message. The message with the image is
generated as a MIME multipart message. For example, if you upload a file called
example.jpg and call it example_logo, then %%IMAGE_CID%% would resolve to example_logo.

%%LINK%%: The link to the FortiClient Host Security installs download for the Endpoint
Control feature.
%%HTTP_ERR_CODE%%: The HTTP error code. “404” for example.

%%HTTP_ERR_DESC%%: The HTTP error description.

%%KEEPALIVEURL%%: The auth-keepalive page automatically connects to this URL every
%%TIMEOUT%% seconds to renew the connection policy.

%%MMS_SENDER%%: Sender’s MSISDN from the message header.

%%MMS_RECIPIENT%%: Recipient’s MSISDN from the message header.

%%MMS_SUBJECT%%: MMS Subject line to help with message identity.

%%MMS_HASH_CHECKSUM%%: Value derived from the hash calculation. Only shown on duplicate
message alerts.

%%MMS_THRESH%%: Mass MMS alert threshold that triggered this alert.

%%NIDSEVENT%%: The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion
messages.

%%NUM_MSG%%: The number of times the device tried to send the message with banned content
within the reporting period.

%%OVERRIDE%%: The link to the FortiGuard Web Filtering override form. This is visible only
if the user belongs to a group that is permitted to create FortiGuard web filtering
overrides.

%%OVRD_FORM%%: The FortiGuard web filter block override form. This tag must be present in
the FortiGuard Web Filtering override form and should not be used in other replacement
messages.

%%PROTOCOL%%: The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected.
%%PROTOCOL%% is added to alert email virus messages.

%%QUARFILENAME%%: The name of a file that has been removed from a content stream and added
to the quarantine. This could be a file that contained a virus or was blocked by antivirus
file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining
is only available on FortiGate units with a local disk.

%%QUOTA_INFO%%: Display information about the traffic shaping quota setting that is
blocking the user. Used in traffic quota control replacement messages.

%%QUESTION%%: Authentication challenge question on the auth-challenge page. Prompt to
enter username and password on the auth-login page.

%%SERVICE%%: The name of the web filtering service.

%%SOURCE_IP%%: The IP address of the request originator who would have received the
blocked file. For email this is the IP address of the user’s computer that attempted to
download the message from which the file was removed.

%%TIMEOUT%%: Configured number of seconds between authentication keepalive connections.
Used on the auth-keepalive page.

%%URL%%: The URL of a web page. This can be a web page that is blocked by web filter
content or URL blocking. %%URL%% can also be used in http virus and file block messages to
be the URL of the web page from which a user attempted to download a file that is blocked.

%%VIRUS%%: The name of a virus that was found in a file by the antivirus system. %%VIRUS%%
can be used in virus messages.

Replacement message groups
You can add up to five replacement message groups that can be applied to specific
protection profiles allowing the customizing of messages for specific groups of users.

For example, if your network has residential, corporate, and administrator users, each
group could have its own set of customized replacement messages with different
information, graphics, and design. Another example: if you provide services to
five different companies, you could customize the replacement message groups for each
company with their logo, colors, and so on.
You configure the default replacement message group from System > Config >
Replacement Message. This replacement message group is the default replacement
message group selected in a protection profile. All new replacement message groups that
you add inherit their configuration from the default group.
Note: Modifying messages in the default group automatically changes any messages that
are unmodified in the other groups.

If you enable virtual domains (VDOMs) on the FortiOS Carrier unit, replacement message
groups are configured separately for each virtual domain. Each virtual domain has its own
default replacement message group, configured from System > Config > Replacement
Message. When you modify a message in a replacement message group, a Reset icon
appears beside the message in the group. You can select this Reset icon to reset the
message in the replacement message group to the default version.
All MM1/4/7 notification messages (and MM1 retrieve-conf messages) can contain a SMIL
layer and all MM4 notification messages can contain an HTML layer in the message.
These layers can be used to brand messages by using logos uploaded to the unit via the
Manage Images link found on the replacement message group configuration page. See
“Multimedia content for MMS replacement messages” on page 1826.

Replacement message group example
In this example, the message group is for a customer company called Example.com. Your
company is called MyCarrier. Their group will be named example_group. Their logo is in
a file called example_logo.jpg. Their employees do not want excessive information in
the messages, so three replacement messages will be changed (mm1 send-req, send-conf,
and retrieve-conf virus) to just the bare-bones information as part of this example.
To upload the logo image
1 Go to System > Config > Replacement Message Group > Manage Images.
2 Select Create New.
3 Enter example_logo for Name, and select JPEG for Content Type.
4 Browse to the file location of the file example_logo.jpg on your computer.
5 Select OK.
6 Select Return to return to the Replacement Message Group list.
To create the message group
1 Go to System > Config > Replacement Message Group.
2 Select Create New.
3 Enter example_group for Name.
4 Select OK.
5 Select example_group, and select Edit.
6 Expand MM1.
7 Select MM1 send-req virus message.

8 Enter the following information.
Priority: Normal
Class: Information
Sender Visibility: Show
From: %%MSISDN%% MyCarrier
Subject: Virus infected message(s) detected
Add SMIL Part: Enable
Image: example_logo
9 Enter the following SMIL code:
<smil><head><meta name="author" content="MyCarrier" /></head>
<body><img src="cid:%%IMAGE_CID%%" longdesc="Example.com logo" /></body>
</smil>
10 Enter the following replacement message code:
This device has sent %%NUM_MSG%% virus infected messages in the
last %%DURATION%% hours. Contact MyCarrier customer support
for further instructions.
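The SMIL code and message text entered above still contain tags. As an added illustration (not FortiOS code), the following Python models what the unit does with them: each %%TAG%% is resolved from values known at send time, %%IMAGE_CID%% resolves to the uploaded image's name as in the example_logo case, and the size limits from the field table (1023 characters of text, 1023 of SMIL, a 6000-byte image, 8192 combined) are checked. The tag values (3 messages, 24 hours) and the 4210-byte logo size are constructed sample data.

```python
"""Tag expansion and size checks for an MMS replacement message.

Added example, not FortiOS code: it models the rules the handbook states
(%%TAG%% substitution, %%IMAGE_CID%% resolving to the uploaded image's name,
and the 1023/1023/6000/8192 size limits) so a message can be checked before
it is pasted into the replacement message editor.
"""
import re

MAX_TEXT_CHARS = 1023     # Message Text limit
MAX_SMIL_CHARS = 1023     # SMIL Contents limit
MAX_IMAGE_BYTES = 6000    # Image limit
MAX_TOTAL = 8192          # combined size of text, SMIL and image
IMAGE_TYPES = ("GIF", "JPEG", "PNG", "TIFF")

TAG_RE = re.compile(r"%%([A-Z_]+)%%")


def expand_tags(template, values):
    """Replace every %%NAME%% in template with values[NAME].

    Returns (expanded, missing): tags without a value are left in place and
    reported, because a raw %%TAG%% reaching a subscriber is a defect.
    """
    missing = []

    def repl(match):
        name = match.group(1)
        if name in values:
            return str(values[name])
        missing.append(name)
        return match.group(0)

    return TAG_RE.sub(repl, template), missing


def build_mms_replacement(text_template, smil_template, image, values):
    """Expand both parts and collect every limit violation.

    image is None or (name, content_type, size_bytes) for an uploaded image;
    its name is what %%IMAGE_CID%% resolves to. Returns a dict; an empty
    "errors" list means the message is acceptable.
    """
    values = dict(values)
    errors = []
    image_size = 0
    image_cid = None
    if image is not None:
        image_cid, content_type, image_size = image
        values["IMAGE_CID"] = image_cid
        if content_type not in IMAGE_TYPES:
            errors.append("image: content type %s not one of %s"
                          % (content_type, ", ".join(IMAGE_TYPES)))
        if image_size > MAX_IMAGE_BYTES:
            errors.append("image: %d bytes, limit %d" % (image_size, MAX_IMAGE_BYTES))

    text, missing = expand_tags(text_template, values)
    errors += ["text: no value for tag %%" + m + "%%" for m in missing]
    smil, missing = expand_tags(smil_template, values)
    errors += ["smil: no value for tag %%" + m + "%%" for m in missing]

    if len(text) > MAX_TEXT_CHARS:
        errors.append("text: %d characters, limit %d" % (len(text), MAX_TEXT_CHARS))
    if len(smil) > MAX_SMIL_CHARS:
        errors.append("smil: %d characters, limit %d" % (len(smil), MAX_SMIL_CHARS))
    total = len(text) + len(smil) + image_size
    if total > MAX_TOTAL:
        errors.append("total: %d, limit %d" % (total, MAX_TOTAL))

    return {"text": text, "smil": smil, "image_cid": image_cid,
            "total_size": total, "errors": errors}


# Constructed sample: the example_group message from the handbook with
# made-up tag values (3 messages in 24 hours) and a made-up 4210-byte logo.
SAMPLE_TEXT = ("This device has sent %%NUM_MSG%% virus infected messages in the "
               "last %%DURATION%% hours. Contact MyCarrier customer support "
               "for further instructions.")
SAMPLE_SMIL = ('<smil><head><meta name="author" content="MyCarrier" /></head>'
               '<body><img src="cid:%%IMAGE_CID%%" longdesc="Example.com logo" />'
               '</body></smil>')
SAMPLE_IMAGE = ("example_logo", "JPEG", 4210)
SAMPLE_VALUES = {"NUM_MSG": 3, "DURATION": 24}

if __name__ == "__main__":
    result = build_mms_replacement(SAMPLE_TEXT, SAMPLE_SMIL, SAMPLE_IMAGE, SAMPLE_VALUES)
    print(result["text"])
    print(result["smil"])
    print("errors:", result["errors"] or "none")
```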

Configuring GTP on FortiOS Carrier
Configuring GTP support on FortiOS Carrier involves configuring a number of feature
areas. Some features require longer explanations and have their own chapters. The
other features are addressed here.
This section includes:
• GTP support on the FortiOS Carrier unit
• Configuring General Settings on the FortiOS Carrier unit
• Configuring Encapsulated Filtering on the FortiOS Carrier unit
• Configuring Protocol Anomaly on the FortiOS Carrier unit
• Configuring Anti-overbilling in FortiOS Carrier
• Logging events on the FortiOS Carrier unit

GTP support on the FortiOS Carrier unit
The FortiCarrier unit must be placed centrally on your carrier network. It needs to have
access to all traffic entering and exiting the carrier network for scanning, filtering, and
logging purposes. This promotes a hub and spoke configuration with the FortiOS Carrier
unit at the hub and the other GPRS devices on the spokes.
The FortiOS Carrier can now access all traffic on the network. It can also verify traffic
between devices, and that the proper GPRS interface is being used. For example there is
no reason for a Gn interface to be used to communicate with a mobile station — the
mobile station will not know what to do with the data.
Note: When you are configuring your FortiOS Carrier unit’s GTP profile, you must first configure the
APN. It is critical to GTP communications and without it no traffic will flow.

The FortiOS Carrier unit does more than just forward and route GTP packets over the
network. It also performs:
• Packet sanity checking
• GTP stateful inspection
• Protocol anomaly detection and prevention
• HA

Packet sanity checking
The FortiOS Carrier firewall checks the following items to determine if a packet conforms to
the UDP and GTP standards:
• GTP release version number
• Settings of predefined bits
• Protocol type
• UDP packet length
If the packet in question does not conform to the standards, the FortiOS Carrier firewall
drops the packet, so that the malformed or forged traffic will not be processed.
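As an added example (not Fortinet code), the following Python applies the four checks just listed to a GTPv1 header, together with the minimum and maximum message length that General Settings lets you configure (default maximum 1452 bytes). The header layout is taken from 3GPP TS 29.060 (version in the top three bits, a protocol type bit, a spare bit sent as zero, a length field that excludes the fixed 8-byte header); the sample packets are constructed, not captured.

```python
"""GTPv1 header sanity checks of the kind listed above.

Added example, not Fortinet code. Header layout per 3GPP TS 29.060: octet 1
holds the version (top three bits), the protocol type bit (1 = GTP, 0 = GTP'),
a spare bit sent as 0, and the E, S and PN flags; octet 2 is the message
type; octets 3-4 the length of everything after the fixed 8-octet header;
octets 5-8 the TEID. The sample packets are constructed, not captured.
"""
import struct

GTP_FIXED_HEADER = 8      # octets always present in a GTPv1 header
OPTIONAL_FIELDS = 4       # sequence number, N-PDU number, next extension type
DEFAULT_MIN_LEN = GTP_FIXED_HEADER
DEFAULT_MAX_LEN = 1452    # handbook default for Maximum Message Length


def build_gtp_packet(flags, message_type, payload, teid, seq=None):
    """Assemble a GTPv1 message for testing.

    If seq is given, the S flag is set and the four optional octets are
    added; the length field counts everything after the fixed header.
    """
    optional = b""
    if seq is not None:
        flags |= 0x02
        optional = struct.pack("!HBB", seq, 0, 0)
    header = struct.pack("!BBHI", flags, message_type,
                         len(optional) + len(payload), teid)
    return header + optional + payload


def gtp_sanity_check(udp_payload, min_len=DEFAULT_MIN_LEN, max_len=DEFAULT_MAX_LEN):
    """Run the header checks on one UDP payload.

    Returns (ok, reasons, header). A firewall drops on the first failure;
    every failure is listed here because that is what helps when tuning
    the minimum and maximum message length settings.
    """
    reasons = []
    n = len(udp_payload)
    if n < GTP_FIXED_HEADER:
        return False, ["udp payload %d bytes, shorter than the fixed 8-byte header" % n], None

    flags, message_type, length, teid = struct.unpack(
        "!BBHI", udp_payload[:GTP_FIXED_HEADER])
    version = flags >> 5           # GTP release version number
    pt = (flags >> 4) & 1          # protocol type: 1 = GTP, 0 = GTP' (charging)
    spare = (flags >> 3) & 1       # predefined spare bit, must be 0
    e, s, pn = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1

    if version != 1:
        reasons.append("version %d, expected 1" % version)
    if pt != 1:
        reasons.append("protocol type bit is 0 (GTP'), expected GTP")
    if spare != 0:
        reasons.append("spare bit set; predefined bit must be 0")
    if n != GTP_FIXED_HEADER + length:
        reasons.append("udp payload %d bytes, header length field implies %d"
                       % (n, GTP_FIXED_HEADER + length))
    if n < min_len:
        reasons.append("message %d bytes, shorter than minimum %d" % (n, min_len))
    if n > max_len:
        reasons.append("message %d bytes, longer than maximum %d" % (n, max_len))

    sequence = None
    if e or s or pn:
        # Any of these flags means the optional four octets are present.
        if n < GTP_FIXED_HEADER + OPTIONAL_FIELDS:
            reasons.append("optional header fields flagged but packet is too short")
        elif s:
            sequence = struct.unpack("!H", udp_payload[8:10])[0]

    header = {"version": version, "protocol_type": pt, "message_type": message_type,
              "length": length, "teid": teid, "sequence": sequence}
    return not reasons, reasons, header


# Constructed samples: well-formed G-PDUs (message type 0xFF) and variants
# that each break exactly one of the checks.
SAMPLES = {
    "good": build_gtp_packet(0x30, 0xFF, b"\x45" + b"\x00" * 19, teid=0x1A2B3C4D),
    "good_seq": build_gtp_packet(0x30, 0xFF, b"\x00" * 20, teid=1, seq=7),
    "bad_version": build_gtp_packet(0x10, 0xFF, b"", teid=1),
    "bad_spare": build_gtp_packet(0x38, 0xFF, b"\x00" * 4, teid=1),
    "bad_length": build_gtp_packet(0x30, 0xFF, b"\x00" * 4, teid=1)[:-2],
    "too_long": build_gtp_packet(0x30, 0xFF, b"\x00" * 1500, teid=1),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        ok, reasons, _ = gtp_sanity_check(pkt)
        print("%-12s %s %s" % (name, "forward" if ok else "drop", "; ".join(reasons)))
```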

GTP stateful inspection
Apart from the static inspection (checking the packet header), the FortiOS Carrier firewall
performs stateful inspection.
Stateful inspection provides enhanced security by keeping track of communications
packets over a period of time. Both incoming and outgoing packets are examined.
Outgoing packets that request specific types of incoming packets are tracked; only those
incoming packets constituting a proper response are allowed through the firewall.
The FortiOS Carrier firewall can also keep track of all the GTP tunnels by indexing the
tunnels.
Using the enhanced traffic policy, the FortiOS Carrier firewall can filter unwanted
encapsulated traffic in GTP tunnels, such as infrastructure attacks. Infrastructure attacks
involve attempts by an attacker to connect to restricted machines, such as GSN devices,
network management systems, or other mobile stations. This traffic should not normally
occur in a production environment and if detected, should be flagged immediately by the
firewall. See

Protocol anomaly detection and prevention
The FortiOS Carrier firewall detects and optionally drops protocol anomalies according to
GTP standards and specific tunnel state.
Protocol anomaly attacks involve malformed or corrupt packets that typically fall outside of
protocol specifications. These packets should not be seen on a production network.
Protocol anomaly attacks exploit poor programming practices when decoding packets,
and are typically used to impair system performance or elevate privileges.
FortiOS Carrier also detects spoofed IP addresses inside the GTP data channel.
See “Configuring Protocol Anomaly on the FortiOS Carrier unit” on page 1838.

HA
FortiOS Carrier active-passive HA provides failover protection for the GTP tunnels. This
means that an active-passive cluster can provide FortiOS Carrier firewall services even
when one of the cluster units encounters a problem that would result in complete loss of
connectivity for a stand-alone FortiOS Carrier firewall. This failover protection provides a
backup mechanism that can be used to reduce the risk of unexpected downtime,
especially in a mission-critical environment.
FortiOS HA syncs TCP sessions by default, but UDP sessions are not synchronized by
default. However, synchronizing a session is only part of the solution if the goal is to
continue GTP processing on a synchronized session after an HA switch. For that to
work, the GTP tunnel state must also be synchronized: once the master completes tunnel
setup, the GTP tunnel is synchronized to the slave.
For more information on HA in FortiOS, see the High Availability (HA) Guide or the
FortiOS Administration Guide.

Configuring General Settings on the FortiOS Carrier unit
To configure the GTP General Settings, go to UTM > Carrier > GTP Profile, and edit a
GTP profile. Expand General Settings to configure the settings.

1834

FortiOS™ Handbook FortiOS 4.0 MR2 FortiOS Carrier
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Sequence Number Validation
    Enable to check that packets are not duplicated or out of order. GTP packets
    contain a Sequence Number field that tells the receiving GGSN the order of
    the packets it is receiving. Normally the GGSN compares the sequence number
    in each packet with its own sequence counter; if the two do not match, the
    packet is dropped. This sequence number validation can be off-loaded to the
    FortiOS Carrier unit, freeing up resources on the GGSN.

GTP-in-GTP
    Select Allow to permit GTP packets that contain GTP packets, that is, a GTP
    tunnel inside another GTP tunnel.
    If this situation should not occur on your network, select Deny.

Minimum Message Length
    Enter the shortest possible message length. Normally this is controlled by the
    protocol, and varies for different message types.
    If a packet is smaller than this limit, it is discarded as likely malformed.

Maximum Message Length
    Enter the maximum allowed length of a GTP packet in bytes.
    A GTP packet contains three headers and corresponding parts: GTP, UDP, and
    IP. If a packet is larger than the maximum transmission unit (MTU) size, it is
    fragmented to be delivered in multiple packets. This is inefficient, resource
    intensive, and may cause problems with some applications.
    By default the maximum message length is 1452 bytes.

Tunnel Limit
    Enter the maximum number of tunnels allowed open at one time. For additional
    GTP tunnels to be opened, existing tunnels must first be closed.
    This feature helps prevent a form of denial of service attack on your network
    in which the attacker opens more tunnels than the network can handle,
    consuming all the network resources. Limiting the number of tunnels open at
    any one time defeats this attack.
    The tunnel limit applies to the Handover Group, and to Authorized SGSNs and
    GGSNs.

Tunnel Timeout
    Enter the maximum number of seconds that a GTP tunnel is allowed to remain
    active. A GTP tunnel may hang for various reasons. For example, during the
    GTP tunnel tear-down stage, the Delete PDP Context Response message may be
    lost. By setting a timeout value, you configure the FortiOS Carrier firewall
    to remove hanging tunnels.
    The default is 86400 seconds, or 24 hours.

Control plane message rate limit
    Enter the maximum number of control plane (GTP-C) packets allowed per second.
    The FortiOS Carrier firewall can limit the traffic rate to protect the GSNs
    from Denial of Service (DoS) attacks such as:
    • Border gateway bandwidth saturation: A malicious operator can connect to
      your GRX and generate high traffic towards your Border Gateway to consume
      all the bandwidth.
    • GTP flood: A GSN can be flooded by illegitimate traffic.

Handover Group
    Select the list of IP addresses allowed to take over a GTP session when the
    mobile device moves locations.
    Handover is a fundamental feature of GPRS/UMTS, which enables subscribers to
    seamlessly move from one area of coverage to another with no interruption of
    active sessions. Session hijacking can come from the SGSN or the GGSN, where
    a fraudulent GSN intercepts another GSN's traffic and redirects it to itself.
    This can be exploited to hijack GTP tunnels or cause a denial of service.
    By setting a handover group, which is typically a group of trusted IP
    addresses, you configure the FortiOS Carrier firewall to stop handover
    requests from untrusted GSNs.

Authorized SGSNs
    Select the list of IP addresses of allowed SGSNs.
    Packets coming from another PLMN's SGSN that does not have a roaming
    agreement should not be able to reach the GGSN.

Authorized GGSNs
    Select the list of IP addresses of allowed GGSNs.
    Some message types include the SGSN IP address, and this authorized list
    allows the FortiOS Carrier unit to accept messages only from valid GGSNs.

Configuring Encapsulated Filtering on the FortiOS Carrier unit
Encapsulated traffic on the GPRS network can come in a number of forms as it includes
traffic that is “wrapped up” in another protocol. This detail is important for firewalls
because it requires “unwrapping” to properly scan the data inside. If encapsulated packets
are treated as regular packets, that inside layer will never be scanned and may allow
malicious data into your network.
On FortiOS Carrier units, GTP related encapsulated filtering falls under encapsulated IP
traffic filtering, and encapsulated non-IP end user address filtering.

Configuring Encapsulated IP Traffic Filtering
Generally only a very limited number of IP addresses should be allowed to encapsulate
GPRS traffic. GTP tunnels, for example, are a valid type of encapsulation when used
properly: they run over the Gp or Gn interfaces between SGSNs and GGSNs.
The ability to filter GTP sessions is based on information contained in the data stream and
provides operators with a powerful mechanism to control data flows within their
infrastructure. You can also configure IP filtering rules to filter encapsulated IP traffic from
Mobile Stations.
To configure Encapsulated IP Traffic Filtering, go to UTM > Carrier > GTP Profile, and
edit a GTP profile. Expand Encapsulated IP Traffic Filtering to configure the settings.

Enable IP Filter
    Enable to turn on IP filtering.

Default IP Action
    Select Deny to block all encapsulated traffic detected that does not match
    entries in the list.

Source
    Select a source IP address from the configured firewall IP address or
    address group lists. Any encapsulated traffic originating from this IP
    address is a match if the destination also matches.

Destination
    Select a destination IP address from the configured firewall IP address or
    address group lists. Any encapsulated traffic sent to this IP address is a
    match if the source also matches.

Action
    Select Allow or Deny for encapsulated traffic between this Source and
    Destination.

When to use encapsulated IP traffic filtering
The following are the typical cases that need encapsulated IP traffic filtering:

Mobile station IP pools
In a well-designed network, the mobile station address pool should be completely
separate from the GPRS network infrastructure range of addresses. Encapsulated IP
packets, originating from a mobile station, should not contain source or destination
addresses that fall within the address range of GPRS infrastructures. In addition, traffic
originating from the user's handset should not have destination or source IP addresses that
fall within any Network Management System (NMS) or Charging Gateway (CG) networks.

Communication between mobile stations
Mobile stations on the same GPRS network should not be able to communicate with other
mobile stations. Packets that contain both source and destination addresses that fall
within the mobile station's range of addresses should be dropped.

Direct mobile device or internet attacks
It may be possible for attackers to wrap attack traffic in GTP and submit the resulting GTP
traffic directly to a GPRS network element from their mobile stations or a node on the
Internet. It is possible that the receiving SGSN or GGSN would then strip off the GTP
header and attempt to route the underlying attack. This underlying attack could have any
destination address and would probably have a source address spoofed as if it were valid
from that PLMN.
Note: You cannot add an IE removal policy when you are creating a new profile.

Relayed network attacks
Depending on the destination, the attack could be directly routed, such as to another node
of the PLMN, or rewrapped in GTP for transmission to any destination on the Internet
outside the PLMN, depending on the routing table of the GSN enlisted as the unwitting
relay. The relayed attack could have any source or destination addresses and could be
any of the numerous IP network attacks, such as an attack to hijack a PDP context, or a
direct attack against a management interface of a GSN or other device within the PLMN.
Any IP traffic originating on the Internet or a MS with a destination address within the
PLMN should be filtered.
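The four cases above, as an added example in Python (not FortiOS code or configuration): the script applies the rules to the inner IPv4 packet of a decapsulated GTP-U T-PDU. Traffic to or from the infrastructure, NMS and Charging Gateway ranges is denied regardless of direction (the direct and relayed attack cases), mobile-station-to-mobile-station traffic is denied, mobile-station-to-Internet traffic in either direction is allowed, and anything else falls through to the default Deny. The address ranges, the rule order and the packet builder are constructed for this example; a real profile uses the firewall address objects selected in the Source and Destination fields.

```python
"""Encapsulated IP traffic filter for decapsulated GTP-U payloads (added example)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed address plan for this example (not from the Handbook).
MS_POOL = IPv4Net("10.0.0.0/8")          # addresses handed to mobile stations
GN_INFRA = IPv4Net("192.168.0.0/24")     # SGSN/GGSN backbone (Gn/Gp)
NMS_NET = IPv4Net("192.168.10.0/24")     # Network Management System
CG_NET = IPv4Net("192.168.20.0/24")      # Charging Gateway
ANY = IPv4Net("0.0.0.0/0")
PROTECTED = (GN_INFRA, NMS_NET, CG_NET)  # PLMN ranges a handset must never reach


@dataclass(frozen=True)
class Rule:
    src: IPv4Net
    dst: IPv4Net
    action: str  # "allow" or "deny"


def build_rules() -> List[Rule]:
    """Ordered rule list; first match wins, the profile default is Deny."""
    rules: List[Rule] = []
    for net in PROTECTED:
        rules.append(Rule(ANY, net, "deny"))     # direct or relayed attacks into the PLMN
        rules.append(Rule(net, ANY, "deny"))     # inner source spoofed as infrastructure
    rules.append(Rule(MS_POOL, MS_POOL, "deny")) # no MS-to-MS communication
    rules.append(Rule(MS_POOL, ANY, "allow"))    # handset to the Internet (Gi)
    rules.append(Rule(ANY, MS_POOL, "allow"))    # Internet back to the handset
    return rules


RULES = build_rules()
DEFAULT_ACTION = "deny"


def inner_addresses(tpdu: bytes) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Return (src, dst) of the IPv4 packet carried as the T-PDU, or None if it is not IPv4."""
    if len(tpdu) < 20 or tpdu[0] >> 4 != 4:
        return None
    src, dst = struct.unpack("!4s4s", tpdu[12:20])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def filter_tpdu(tpdu: bytes) -> str:
    """Apply the encapsulated IP filter. Non-IPv4 payloads are denied here; they
    belong to the non-IP End User Address filter instead."""
    addrs = inner_addresses(tpdu)
    if addrs is None:
        return DEFAULT_ACTION
    src, dst = addrs
    for rule in RULES:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return DEFAULT_ACTION


def make_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed IPv4 packet (header checksum left zero) for exercising the filter."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


if __name__ == "__main__":
    for s, d in [("10.1.2.3", "203.0.113.10"), ("10.1.2.3", "10.9.9.9"),
                 ("10.1.2.3", "192.168.10.7"), ("203.0.113.10", "192.168.0.5")]:
        print(f"{s} -> {d}: {filter_tpdu(make_ipv4(s, d))}")
```

The deny rules for the protected ranges are placed before the allow rules on purpose: with first-match semantics, a handset address that also happened to match the broad "MS to anywhere" allow would otherwise reach the backbone.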

Configuring Encapsulated Non-IP End User Address Filtering
Much of the traffic on the GPRS network is in the form of IP traffic. However, some parts of
the network do not use IP-based addressing, so the FortiOS Carrier unit is unable to
perform Encapsulated IP Traffic Filtering on them.
Depending on the installed environment, it may be beneficial to detect GTP packets that
encapsulate non-IP based protocols. You can configure the FortiGate firewall to permit a
list of acceptable protocols, with all other protocols denied.
The encoded protocol is determined in the PDP Type Organization and PDP Type Number
fields within the End User Address Information Element. The PDP Type Organization is a
4-bit field that determines if the protocol is part of the ETSI or IETF organizations. Values
are zero and one, respectively. The PDP Type field is one byte long. Both GTP
specifications only list PPP, with a PDP Type value of one, as a valid ETSI protocol. PDP
Types for the IETF values are determined in the " Assigned PPP DLL Protocol Numbers "
sections of RFC 1700. The PDP types are compressed, meaning that the most significant
byte is skipped, limiting the protocols listed from 0x00 to 0xFF.
To configure Encapsulated Non-IP End User Address Filtering, go to UTM > Carrier >
GTP Profile, and edit a GTP profile. Expand Encapsulated Non-IP End User Address
Filtering to configure the settings.

Enable Non-IP filter
    Enable to turn on non-IP filtering.

Default Non-IP Action
    Select Deny to block all encapsulated traffic detected that does not match
    entries in the list.

Type
    Type can be one of ETSI or IETF. The protocols used for the start and end
    protocols belong to one of these two families.

Start Protocol
End Protocol
    Select a start and end protocol from the list of protocols in RFC 1700.
    The allowed range is 0 to 255 (0x00 to 0xff). Some common protocols include:
    • 33 (0x0021) Internet Protocol
    • 35 (0x0023) OSI Network Layer
    • 63 (0x003f) NETBIOS Framing
    • 65 (0x0041) Cisco Systems
    • 79 (0x004f) IP6 Header Compression
    • 83 (0x0053) Encryption

Action
    Select Allow or Deny for encapsulated traffic in this protocol range.

Configuring Protocol Anomaly on the FortiOS Carrier unit
Anomalies should never happen, but when they do, and precautions have not been taken,
they can interrupt network traffic or consume network resources. Anomalies can be
generated by accident or maliciously, but both have the same results.
To configure GTP protocol anomalies, go to UTM > Carrier > GTP Profile, and edit a GTP
profile. Expand the Protocol Anomaly option.
All protocol anomaly options are set to Deny by default.

Invalid Reserved Field
    The reserved bit in the packet header must be set to zero. When set to
    Deny, a packet with a non-zero reserved bit is blocked.

Reserved IE
    Select to allow or deny GTP messages with reserved or undefined
    information elements.

Miss Mandatory IE
    Set to Deny to block the packet if one of the mandatory IEs is missing.

Out of State Message
    Select to allow or deny out-of-state messages. The GTP protocol requires
    a certain state to be kept by both the GGSN and the SGSN. Because GTP is
    stateful, some message types can only be sent in specific states. Packets
    that do not make sense in the current state should be filtered or rejected.

Out of State IE
    Select Deny to discard GTP packets with out-of-order Information Elements.

Spoofed Source Address
    The End User Address Information Element in the Create PDP Context Request
    and Response messages contains the address that the mobile station (MS)
    will use on the remote network. Because the MS address is negotiated within
    the PDP Context creation handshake, any packet originating from the MS that
    contains a different source address is detected and dropped when this
    option is set to Deny.
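The General Settings and the Protocol Anomaly checks above, as an added example in Python (not FortiOS code) that inspects raw GTPv1 messages: minimum and maximum message length, the reserved bit in the header, unknown message types (denied, as the message type filtering section later recommends), sequence number validation per TEID, the tunnel limit, reserved or missing mandatory IEs in a Create PDP Context Request, out-of-state G-PDUs and GTP-in-GTP. Header and IE layouts follow 3GPP TS 29.060; the tunnel state model is a deliberate simplification (a Create PDP Context Request opens the tunnel named by its TEID Data I IE, a Delete PDP Context Request carrying that TEID closes it), and the sample messages are constructed here.

```python
"""GTPv1 message inspector: added example, not FortiOS code. Layouts follow 3GPP TS 29.060;
the tunnel state model is a deliberate simplification and all sample messages are constructed."""
import struct
from typing import Dict, Iterator, Set, Tuple

GTP_PORTS = {2123, 2152}                          # GTP-C and GTP-U UDP ports
ECHO_REQ, CREATE_REQ, DELETE_REQ, G_PDU = 1, 16, 20, 255
KNOWN_TYPES = {1, 2, 3, 16, 17, 18, 19, 20, 21, 26, 27, 28, 29, 30, 31, 255}
IE_TEID_DATA_I = 16                               # mandatory in Create PDP Context Request
TV_IE_LENGTH = {1: 1, 2: 8, 3: 6, 14: 1, 15: 1, 16: 4, 17: 4, 20: 1, 26: 2}

def parse_header(pkt: bytes) -> Tuple[dict, bytes]:
    """Split a GTPv1 message into header fields and the body (IEs or T-PDU)."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    hdr = {"version": flags >> 5, "reserved": (flags >> 3) & 1,   # reserved bit must be 0
           "msg_type": msg_type, "length": length, "teid": teid, "seq": None}
    off = 12 if flags & 0x07 else 8               # E, S or PN set: 4 optional bytes follow
    if off == 12:
        hdr["seq"], next_ext = struct.unpack("!H", pkt[8:10])[0], pkt[11]
        while next_ext:                           # skip extension headers (length in 4-byte units)
            ext_len = pkt[off] * 4
            if not ext_len:
                raise ValueError("zero-length extension header")
            next_ext, off = pkt[off + ext_len - 1], off + ext_len
    return hdr, pkt[off:]

def iter_ies(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk TV (type < 128) and TLV (type >= 128) IEs; KeyError on an undefined TV type."""
    pos = 0
    while pos < len(body):
        t = body[pos]
        if t < 128:
            size, pos = TV_IE_LENGTH[t], pos + 1
        else:
            size, pos = struct.unpack("!H", body[pos + 1:pos + 3])[0], pos + 3
        yield t, body[pos:pos + size]
        pos += size

def is_gtp_in_gtp(tpdu: bytes) -> bool:
    """True when the inner IPv4 packet is UDP to a GTP port, i.e. a tunnel inside the tunnel."""
    if len(tpdu) < 20 or tpdu[0] >> 4 != 4 or tpdu[9] != 17:
        return False
    ihl = (tpdu[0] & 0x0F) * 4
    return len(tpdu) >= ihl + 4 and struct.unpack("!H", tpdu[ihl + 2:ihl + 4])[0] in GTP_PORTS

class GtpInspector:
    def __init__(self, min_len=8, max_len=1452, tunnel_limit=2, allow_gtp_in_gtp=False):
        self.min_len, self.max_len, self.tunnel_limit = min_len, max_len, tunnel_limit
        self.allow_gtp_in_gtp = allow_gtp_in_gtp
        self.tunnels: Set[int] = set()            # data-plane TEIDs opened by Create Request
        self.next_seq: Dict[int, int] = {}        # expected sequence number per TEID

    def inspect(self, pkt: bytes) -> str:
        """Return 'forward' or 'deny:<reason>'; tunnel and sequence state change only on forward."""
        if not max(self.min_len, 8) <= len(pkt) <= self.max_len:
            return "deny:message-length"
        try:
            hdr, body = parse_header(pkt)
        except (struct.error, IndexError, ValueError):
            return "deny:malformed"
        if hdr["reserved"]:
            return "deny:invalid-reserved-field"
        if hdr["length"] != len(pkt) - 8:
            return "deny:length-mismatch"
        mt, teid, seq = hdr["msg_type"], hdr["teid"], hdr["seq"]
        if mt not in KNOWN_TYPES:
            return "deny:unknown-message"
        if seq is not None and seq != self.next_seq.get(teid, seq):
            return "deny:sequence"                # duplicate or out-of-order packet
        if mt == G_PDU:
            if teid not in self.tunnels:
                return "deny:state-invalid"       # user data for a tunnel never created
            if not self.allow_gtp_in_gtp and is_gtp_in_gtp(body):
                return "deny:gtp-in-gtp"
        elif mt == CREATE_REQ:
            try:
                ies = dict(iter_ies(body))
            except (KeyError, struct.error):
                return "deny:reserved-ie"
            if IE_TEID_DATA_I not in ies:
                return "deny:missing-mandatory-ie"
            if len(self.tunnels) >= self.tunnel_limit:
                return "deny:tunnel-limit"
            self.tunnels.add(struct.unpack("!I", ies[IE_TEID_DATA_I])[0])
        elif mt == DELETE_REQ:
            self.tunnels.discard(teid)
        if seq is not None:
            self.next_seq[teid] = (seq + 1) & 0xFFFF
        return "forward"

def build(msg_type: int, teid: int, body: bytes = b"", seq=None, reserved=False) -> bytes:
    """Constructed GTPv1 message; the optional 4-byte block is present when seq is given."""
    flags = 0x30 | (0x08 if reserved else 0) | (0x02 if seq is not None else 0)
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(body), teid) + opt + body

def make_ipv4_udp(dport: int) -> bytes:
    """Constructed IPv4/UDP datagram 10.0.0.1 -> 203.0.113.1 used as a T-PDU."""
    return struct.pack("!BBHHHBBH4s4sHHHH", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes([10, 0, 0, 1]),
                       bytes([203, 0, 113, 1]), 40000, dport, 8, 0)
```

Note the ordering: a denied packet never advances the per-TEID sequence counter, so a replayed Create PDP Context Request is rejected while the legitimate next request still passes; and the IE checks run before the tunnel limit, so a malformed request is reported as an anomaly rather than hidden behind a resource limit.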

Configuring Anti-overbilling in FortiOS Carrier
This section includes:
• Overbilling in GPRS networks
• Anti-overbilling with FortiOS Carrier
• Configuring anti-overbilling with FortiOS Carrier

Overbilling in GPRS networks
GPRS overbilling attacks can be prevented with a properly configured FortiOS Carrier
unit.

Overbilling can occur when a subscriber returns his IP address to the IP pool. The
subscriber's session is still open, and vulnerable. If an attacker takes control of the
subscriber's IP address, he can send or receive data and the subscriber will be billed for
the traffic.
Overbilling can also occur when an available IP address is reassigned to a new mobile
station (MS). Subsequent traffic by the previous MS may be forwarded to the new MS.
The new MS would then be billed for traffic it did not initiate.

Anti-overbilling with FortiOS Carrier
The FortiOS Carrier unit can be configured to assist with anti-overbilling measures. These
ensure that the customer is only billed for the connection time and data transfer that they
actually use.
Anti-overbilling on the FortiOS Carrier unit involves:
• The unit, acting as the Gn/Gp firewall, uses the overbilling settings in the GTP profile to
  notify the Gi firewall when a GTP tunnel is deleted.
• The unit, acting as the Gi firewall, clears the sessions when it receives a notification
  from the Gn/Gp firewall about a GTP tunnel being deleted. This way, the Gi firewall
  prevents overbilling by blocking traffic initiated by other users.

Configuring anti-overbilling with FortiOS Carrier
To configure GTP anti-overbilling, go to UTM > Carrier > GTP Profile, and edit a GTP
profile. Expand the Anti-overbilling option to configure it.

Gi Firewall IP Address
    Select the IP address of the firewall on the GPRS network for the Gi
    interface.

Port
    Select the port used to reach the Gi firewall. The default port number
    is 21123.

Interface
    Select the FortiCarrier unit interface connected to the client firewall’s
    local interface; its IP address is used to send the “clear session”
    message.

Security Context ID
    Select the security context ID used when connecting with the Gi firewall.
    The default value is 696.

Logging events on the FortiOS Carrier unit
Logging on the FortiOS Carrier unit is just like logging on any other FortiOS unit. The only
difference with FortiOS Carrier is that there are a few additional events that you can log
beyond the regular ones. These additional events are covered here. For more information
on other logging issues, see the log and report chapters of the FortiOS 4.0 MR2
Administration Guide and the FortiOS CLI Reference.

Configuring FortiOS Carrier logging events
To enable FortiOS Carrier logging, go to Log & Report > Event Log, and ensure that GTP
service event is enabled. Once this option is selected, the logging options under UTM >
Carrier > GTP Profile become active.
To change FortiOS Carrier specific logging event settings, go to UTM > Carrier > GTP
Profile and edit a GTP profile. Expand the Log section to change the settings.

Log Frequency
    Enter the number of messages to drop between logged messages.
    An overflow of log messages can occur when rate-limited GTP packets exceed
    their defined threshold. To conserve resources on the syslog server and the
    FortiOS Carrier unit, you can specify that some log messages are dropped.
    For example, if you want only every twentieth message to be logged, set a
    logging frequency of 20. This way, 20 messages are skipped and the next
    message is logged.
    Acceptable frequency values range from 0 to 2147483674. When set to 0, no
    messages are skipped.

Forwarded Log
    Log a packet that FortiOS Carrier transmits because the GTP policy allows it.

Denied Log
    Log a packet that FortiOS Carrier drops because the GTP policy denies it.

Rate Limited Log
    Log a packet that FortiOS Carrier drops because it exceeds the maximum rate
    limit of the destination GSN.

State Invalid Log
    Log a packet that FortiOS Carrier drops because it failed stateful inspection.

Tunnel Limit Log
    Log a packet that FortiOS Carrier drops because the maximum number of GTP
    tunnels for the destination GSN has been reached.

Extension Log
    Select to log extended information about GTP packets.
    When enabled, this additional information is included in log entries:
    • IMSI
    • MSISDN
    • APN
    • Selection Mode
    • SGSN address for signaling
    • SGSN address for user data
    • GGSN address for signaling
    • GGSN address for user data

Traffic count Log
    Enable or disable logging of the total number of control and user data
    messages received from and forwarded to the GGSNs and SGSNs the FortiGate
    unit protects.

The following information is contained in each log entry:

Timestamp
    The time and date when the log entry was recorded.

Source IP address
    The sender’s IP address.

Destination IP address
    The receiver’s IP address. The sender-receiver pair includes a mobile phone
    on the GPRS local network, and a device on a network external to the GPRS
    network, such as the Internet.

Tunnel Identifier (TID)
Tunnel Endpoint Identifier (TEID)
    An identifier for the start and end points of a GTP tunnel. This
    information uniquely defines all tunnels. It is important for billing
    information based on the length of time the tunnel was active and how much
    data passed over the tunnel.

Message type
    For available message types, see “Common message types on carrier networks”
    on page 1843.

Packet status
    What action was performed on the packet. This field matches the logging
    options while you are configuring GTP logging. See “Configuring FortiOS
    Carrier logging events” on page 1839.
    The status can be one of forwarded, prohibited, state-invalid, rate-limited,
    or tunnel-limited.

Virtual domain ID or name
    A FortiOS Carrier unit can be divided into multiple virtual units, each
    being a complete and self-contained virtual FortiCarrier unit. This field
    indicates which virtual domain (VDOM) was responsible for the log entry. If
    VDOMs are not enabled on your unit, this field will be root.

Reason to be denied (if applicable)
    If the packet that generated this log entry was denied or blocked, this
    field includes which part of FortiOS denied or blocked that packet, such
    as firewall, antivirus, webfilter, or spamfilter.

An example of the above log message format is a Tunnel deleted log entry. When a
tunnel is deleted, the log entry contains the following information:
• Timestamp
• Interface name (if applicable)
• SGSN IP address (source IP)
• GGSN IP address (destination IP)
• TID
• Tunnel duration time in seconds
• Number of messages sent to the SGSN
• Number of messages sent to the GGSN

GTP message type filtering
FortiOS Carrier supports message type filtering in GTP.
This section includes:
• Common message types on carrier networks
• Configuring message type filtering in FortiOS Carrier

Common message types on carrier networks
Carrier networks include many types of messages — some concern the network itself,
others are content moving across the network, and still others deal with handshaking,
billing, or other administration based issues.
GTP contains two major parts: GTP for the control plane (GTP-C) and GTP for user data
tunnelling (GTP-U). Outside of those areas there are only unknown message types.

GTP-C messages
GTP-C contains the networking layer messages. These address routing, versioning, and
other similar low level issues.
When a subscriber requests a Packet Data Protocol (PDP) context, the SGSN sends a
Create PDP Context Request GTP-C message to the GGSN giving details of the
subscriber's request. The GGSN then responds with a Create PDP Context Response
GTP-C message, which either gives details of the PDP context actually activated or
indicates a failure and gives a reason for it. This exchange is carried in UDP on port 2123.
GTP-C message types include Path Management Messages, Tunnel Management Messages,
Location Management Messages, and Mobility Management Messages.

Path Management Messages
Path management is used by GSN A to detect whether GSN B, with which GSN A is in
contact, is alive, or whether a GSN has restarted after a failure.
When an SGSN restarts, all MM and PDP contexts are deleted in the SGSN, since the
associated data is stored in volatile memory. When a GGSN restarts, all PDP contexts
are deleted in the GGSN.
See “Path Management Messages” on page 1843.

Tunnel Management Messages
The tunnel management procedures are used to create, update, and delete GTP tunnels
in order to route IP PDUs between an MS and an external PDN via the GSNs.
The PDP context contains the subscriber's session information when the subscriber has
an active session. When a mobile wants to use GPRS, it must first attach and then
activate a PDP context. This allocates a PDP context data structure in the SGSN that the
subscriber is currently visiting and the GGSN serving the subscriber's access point.

Tunnel management procedures are defined to create, update, and delete tunnels within
the GPRS backbone network. A GTP tunnel is used to deliver packets between an SGSN
and a GGSN. A GTP tunnel is identified in each GSN node by a TEID, an IP address, and
a UDP port number.
See “Tunnel Management Messages” on page 1843.

Location Management Messages
The location management procedure is performed during the network-requested PDP
context activation procedure if the GGSN does not have an SS7 MAP interface (that is, a Gc
interface). It is used to transfer location messages between the GGSN and a GTP-MAP
protocol-converting GSN in the GPRS backbone network. This GSN supports both the Gn and
Gc interfaces and performs the protocol conversion between GTP and MAP.
See “Location Management Messages” on page 1844.

Mobility Management Messages
The MM procedures are used by a new SGSN in order to retrieve the IMSI and the
authentication information or MM and PDP context information in an old SGSN. They are
performed during the GPRS attach and the inter-SGSN routing update procedures.
The MM procedures are used between SGSNs at the GPRS-attach and inter-SGSN
routing update procedures. An identity procedure has been defined to retrieve the IMSI
and the authentication information in an old SGSN. This procedure may be performed at
the GPRS attach. A recovery procedure enables information related to MM and PDP
contexts in an old SGSN to be retrieved. This procedure is started by a new SGSN during
an inter-SGSN RA update procedure.
See “Mobility Management Messages” on page 1844.

GTP-U messages
GTP-U is focused on user related issues including tunneling and billing. GTP-U message
types include MBMS messages, and GTP-U and Charging Management Messages.

MBMS messages
Multimedia Broadcast and Multicast Services (MBMS) have recently begun to be offered
over GSM and UMTS networks on UTRAN and GERAN radio access technologies.
MBMS is mainly used for mobile TV, using up to four GSM timeslots for one MBMS
connection. One MBMS packet flow is replicated by GGSN, SGSN and RNCs.
MBMS is split into the MBMS Bearer Service and the MBMS User Service. The MBMS
User Service is basically the MBMS Service Layer and offers a Streaming- and a
Download Delivery Method. The Streaming Delivery method can be used for continuous
transmissions like Mobile TV services. The Download Method is intended for " Download
and Play " services.
See “MBMS messages” on page 1844.

GTP-U and Charging Management Messages
SGSNs and GGSNs listen for GTP-U messages on UDP port 2152.

GTP’ (GTP prime) is used for billing messages. It uses the common GTP messages (GTP
Version Not Supported, Echo Request and Echo Response) and adds messages related to
billing procedures.
See “GTP-U and Charging Management Messages” on page 1844.

Unknown Action messages
If the system doesn’t know what type of message it is, it falls into this category. This is an
important category of message because malformed messages may appear and need to
be handled with security in mind.
See “Unknown Message Action” on page 1845.
Tip: We recommend that you set Unknown Action messages to deny for security reasons.

Configuring message type filtering in FortiOS Carrier
GPRS Tunnelling Protocol (GTP) is a group of IP-based communications protocols used
to carry General Packet Radio Service (GPRS) within Global System for Mobile
Communications (GSM) and Universal Mobile Telecommunications System (UMTS)
networks. It allows carriers to transport actual cellular packets over their network via
tunneling.

Message Type Fields
Each of the following message types can be allowed or denied by your FortiOS Carrier
unit depending on your carrier network and GTP traffic.
The message types include:
• Unknown Message Action
• Path Management Messages
• Tunnel Management Messages
• Location Management Messages
• Mobility Management Messages
• MBMS messages
• GTP-U and Charging Management Messages

Unknown Message Action
This message type should be set to deny.
Many attempts to hack into a carrier network will result in this unknown message type and
therefore should be denied for security reasons.

Path Management Messages

Echo Request/Response
    Used by: GTP-C, GTP-U, GTP’
    Echo Request is sent on a path to another GSN to determine if the other
    node is alive. Echo Response is the reply.

Version Not Supported
    Used by: GTP-C, GTP-U, GTP’
    There are multiple versions of GTP. Both devices communicating must use the
    same version of GTP, or this message will be the response.

Support Extension Headers Notification
    Used by: GTP-C, GTP-U, GTP’
    Extensions are optional parts that a device can choose to support or not.
    If a device includes these extensions, it must include headers for the
    extensions to ensure proper formatting.

Tunnel Management Messages

Create PDP Context Request/Response
    Used by: GTP-C
    Sent from an SGSN to a GGSN node as part of the GPRS PDP Context
    Activation procedure or the Network-Requested PDP Context Activation
    procedure. A valid request initiates the creation of a tunnel.

Update PDP Context Request/Response
    Used by: GTP-C
    Used when PDP Context information changes, such as when a mobile device
    changes location.

Delete PDP Context Request/Response
    Used by: GTP-C
    Used to terminate a PDP Context, and confirm the context has been deleted.

Create AA PDP Context Request/Response
    Used by: GTP-C
    Sent as part of the GPRS Anonymous Access PDP Context Activation
    procedure. It is used to create a tunnel between a context in the SGSN
    and a context in the GGSN.

Delete AA PDP Context Request/Response
    Used by: GTP-C
    Sent as part of the GPRS Anonymous Access PDP Context Deactivation
    procedure to deactivate an activated PDP Context. It contains the Cause
    and Private Extension Information Elements.

Error Indication
    Used by: GTP-U
    Sent to the GGSN when a tunnel PDU is received under the following
    conditions:
    — No PDP context exists
    — PDP context is inactive
    — No MM context exists
    The GGSN deletes its PDP context when the message is received.

PDU Notification Request/Response/Reject Request/Reject Response
    Used by: GTP-C
    When receiving a Tunneled PDU (T-PDU), the GGSN checks if a PDP context
    is established for the given PDP address. If no PDP context has been
    established, the GGSN may initiate the Network-requested PDP Context
    Activation procedure by sending a PDU Notification Request to the SGSN.
    Reject Request is sent when the PDP context requested by the GGSN cannot
    be established.

Location Management Messages

Send Routing Information for GPRS Request/Response
    Used by: GTP-C
    Sent by the GGSN to obtain location information for the MS. This message
    type contains the IMSI of the MS and Private Extension.

Failure Report Request/Response
    Used by: GTP-C
    Sent by the GGSN to the HLR when a PDU reject message is received. The
    GGSN requests the HLR to set the flag and add the GGSN to the list of
    nodes to report to when activity from the subscriber that owns the PDP
    address is detected. The message contains the subscriber IMSI and Private
    Extension.

Note MS GPRS Present Request/Response
    Used by: GTP-C
    When the HLR receives a message from a mobile with MDFG set, it clears the
    MDFG and sends the Note MS Present message to all GGSNs in the
    subscriber’s list. This message type contains the subscriber IMSI, GSN
    Address and Private Extension.

Mobility Management Messages

Identification Request/Response
    Used by: GTP-C
    Sent by the new SGSN to the old SGSN to request the IMSI for an MS when a
    GPRS Attach is done with a P-TMSI and the MS has changed SGSNs since the
    GPRS Detach was done.

SGSN Context Request/Response/Acknowledge
    Used by: GTP-C
    Sent by the new SGSN to the old SGSN to request the MM and PDP Contexts
    for the MS.

Forward Relocation Request/Response/Complete/Complete Acknowledge
    Used by: GTP-C
    Indicates mobile activation/deactivation within a Routing Area. This
    prevents paging of a mobile that is not active (the visited VLR rejects
    calls from the HLR or applies Call Forwarding). Note that the mobile
    station does not maintain an attach/detach state.
    SRNS contexts contain, for each concerned RAB, the sequence numbers of
    the GTP-PDUs next to be transmitted in the uplink and downlink directions.

Relocation Cancel Request/Response
    Used by: GTP-C
    Sent to cancel the relocation of a connection.

Forward SRNS Context/Context Acknowledge
    Used by: GTP-C
    This procedure may be used to trigger the transfer of SRNS contexts from
    the RNC to the CN (PS domain) in case of an inter-system forward handover.

RAN Information Relay
    Used by: GTP-C
    Forwards the Radio Access Network (RAN) information. A Routing Area (RA)
    is a subset of a GSM Location Area (LA). An RA is served by only one
    SGSN. Ensures that regular radio contact is maintained by the mobile.

MBMS messages

MBMS Notification Request/Response/Reject Request/Reject Response
    Used by: GTP-C
    Notification of the radio access devices.

Create MBMS Context Request/Response
    Used by: GTP-C
    Request to create an active MBMS context. The context will be pending
    until the response is received. Once active, the MBMS context allows
    the MS to receive data from a specific MBMS source.

Update MBMS Context Request/Response
    Used by: GTP-C

Delete MBMS Context Request/Response
    Used by: GTP-C
    Request to deactivate the MBMS context. When the response is received,
    the MBMS context will be inactive.

GTP-U and Charging Management Messages

G-PDU
    Used by: GTP-C, GTP-U
    GPRS Packet Data Unit delivery message.

Node Alive Request/Response
    Used by: GTP-C, GTP-U
    Used to inform the rest of the network when a node starts service.

Redirection Request/Response
    Used by: GTP-C, GTP-U
    Used to divert the flow of CDRs from the CDFs to another CGF when the
    sender is being removed, or when the CGF has lost its connection to a
    downstream system.

Data Record Transfer Request/Response
    Used by: GTP-C, GTP-U
    Used to reliably transport CDRs from the point of generation
    (SGSN/GGSN) to non-volatile storage in the CGF.

GTP identity filtering
FortiOS Carrier supports a number of filtering methods based on subscriber identity such
as APN filtering, IMSI filtering, and advanced filtering.
This section includes:
• IMSI on carrier networks
• Other identity and location based information elements
• Configuring APN filtering in FortiOS Carrier
• Configuring IMSI filtering in FortiOS Carrier
• Configuring advanced filtering in FortiOS Carrier

IMSI on carrier networks
The International Mobile Subscriber Identity (IMSI) number is central to identifying users
on a carrier network. It is a unique number that is assigned to a cell phone or mobile
device to identify it on the GSM or UMTS network.
Typically, the IMSI number is stored on the SIM card of the mobile device and is sent to
the network as required.
An IMSI number is 15 digits long, and includes the Mobile Country Code (MCC), Mobile
Network Code (MNC), and Mobile Station Identification Number (MSIN).
Figure 282:
Mobile Country Code (MCC) (3 digits)
Mobile Network Code (MNC) (3 digits)
Mobile Station Identification Number (MSIN) (9 digits)
012345678901234
The Home Network Identity (HNI) is made up of the MCC and MNC. The HNI is used to
fully identify a user’s home network. This is important because some large countries have
more than one country code for a single carrier. For example, a customer with a mobile
carrier on the East Coast of the United States would have a different MCC than a
customer on the West Coast with the same carrier: even though the MNC would be the
same, the MCC would be different, because the United States uses MCCs 310 to 316 due
to its size.
If an IMSI number is not from the local carrier’s network, IMSI analysis is performed to
resolve the number into a Global Title, which is used to access the user’s information
remotely on their home carrier’s network for things like billing and international roaming.

Other identity and location based information elements
IMSI focuses on the user, their location, and carrier network. There are other numbers
used to identify different user related Information Elements (IE).
These identity and location based elements include:
• Access Point Number (APN)
• Mobile Subscriber Integrated Services Digital Network (MSISDN)
• Radio Access Technology (RAT) type
• User Location Information (ULI)
• Routing Area Identifier (RAI)
• International Mobile Equipment Identity (IMEI)

Access Point Number (APN)
The Access Point Number (APN) is used in GPRS networks to identify an IP packet data
network that a user wants to communicate with. The Network Identifier describes the
network and optionally the service on that network that the GGSN is connected to. The
APN also includes the MCC and MNC, which together locate the network the GGSN
belongs to. An example of an APN in Barbados using Digicel as the carrier that is
connecting to the Internet is internet.mcc342.mnc750.gprs.
When you are configuring your FortiOS Carrier unit’s GTP profiles, you must first
configure the APN. It is critical to GTP communications and without it no traffic will flow.
The access point can then be used in a DNS query to a private DNS network. This
process (called APN resolution) gives the IP address of the GGSN which should serve the
access point. At this point a PDP context can be activated. See “Configuring APN filtering
in FortiOS Carrier” on page 1852.

Mobile Subscriber Integrated Services Digital Network (MSISDN)
This is a 15-digit number that, along with the IMSI, uniquely identifies a mobile user.
Normally this number includes a 2-digit country code, a 3-digit national destination code,
and a 10-digit subscriber number (the phone number of the mobile device), and because
of that it may change over time if the user changes their phone number. The MSISDN
number follows the ITU-T E.164 numbering plan recommendation.

Radio Access Technology (RAT) type
The RAT type represents the radio technology used by the mobile device. This can be
useful in determining what services or content can be sent to a specific mobile device.
FortiOS Carrier supports:
• GSM EDGE Radio Access Network (GERAN) is a key part of the GSM network which
  routes both phone calls and data.
• Wireless LAN (WLAN) is used but not as widely as the other types. It is possible for the
  mobile device to move from one WLAN to another, such as from an internal WLAN to a
  commercial hot spot.
• Generic Access Network (GAN) can also be called unlicensed mobile access (UMA). It
  routes voice, data, and SIP over IP networks. GAN is commonly used for mobile devices
  that have a dual-mode and can hand-off between GSM and WLANs.
• UMTS Terrestrial Radio Access Network (UTRAN), commonly referred to as 3G, routes
  many types of traffic including IP traffic. This is one of the faster types.
• High Speed Packet Access (HSPA) includes two other protocols, High Speed Downlink
  and Uplink Packet Access (HSDPA and HSUPA respectively). It improves on the older
  WCDMA protocols by better using the radio bandwidth between the mobile device and the
  radio tower. This results in an increased data transfer rate for the user.

User Location Information (ULI)
Gives Cell Global Identity/Service Area Identity (CGI/SAI) of where the mobile station is
currently located. The ULI and the RAI are commonly used together to identify the location
of the mobile device.

Routing Area Identifier (RAI)
Routing Areas (RAs) divide the carrier network, and each has its own identifier (RAI). When
a mobile device moves from one routing area to another, the connection is handled by a
different part of the network. There are normally multiple cells in a routing area. There is
only one SGSN per routing area. The RAI and ULI are commonly used to determine a
user’s location.

International Mobile Equipment Identity (IMEI)
IMEI is a unique 15-digit number used to identify mobile devices on mobile networks. It is
very much like the MAC address of a TCP/IP network card for a computer. It can be used
to prevent network access by a stolen phone — the carrier knows the mobile phone’s
IMEI, and when it is reported stolen that IMEI is blocked from accessing the carrier
network no matter if it has the same SIM card as before or not. It is important to note that
the IMEI stays with the mobile phone or device where the other information is either
location based or stored on the removable SIM card.

When to use APN, IMSI, or advanced filtering
At first glance APN, IMSI, and advanced filtering have parts in common. For example two
can filter on APN, and another two can filter on IMSI. The difficulty is knowing when to use
which type of filtering.
Figure 283: Identity filtering comparison

Filtering type: APN
    Filters on: APN
    When to use: Filter based on GTP tunnel start or destination.

Filtering type: IMSI
    Filters on: IMSI, MCC-MNC
    When to use: Filter based on subscriber information.

Filtering type: Advanced
    Filters on: PDP context, APN, IMSI, MSISDN, RAT type, ULI, RAI, IMEI
    When to use: When you want to filter based on:
    • user phone number (MSISDN)
    • what wireless technology the user employed to get on the network (RAT type)
    • user location (ULI and RAI)
    • handset ID, such as for stolen phones (IMEI)

APN filtering is very specific — the only identifying information that is used to filter is the
APN itself. This will always be present in GTP tunnel traffic, so all GTP traffic can be
filtered using this value. See “Configuring APN filtering in FortiOS Carrier” on page 1852.
IMSI filtering can use a combination of the APN and MCC-MNC numbers. The MCC and
MNC are part of the APN, however filtering on MCC-MNC separately allows you to filter
based on country and carrier instead of just the destination of the GTP Tunnel. See
“Configuring IMSI filtering in FortiOS Carrier” on page 1852.
Advanced filtering can go into much deeper detail covering PDP contexts, MSISDN, IMEI,
and more not to mention APN, and IMSI as well. If you can’t find the information in APN or
IMSI that you need to filter on, then use Advanced filtering. See “Configuring advanced
filtering in FortiOS Carrier” on page 1853.

Configuring APN filtering in FortiOS Carrier
To configure APN filtering go to UTM > Carrier > GTP and expand APN filtering.
Note: When you are configuring your FortiOS Carrier unit’s GTP profiles, you must first configure
the APN. It is critical to GTP communications and without it no traffic will flow.

For more information on APN, see “Access Point Number (APN)” on page 1850.

Enable APN Filter
    Select to enable filtering based on APN value.

Default APN Action
    Select either Allow or Deny for all APNs that are not found in the list. The
    default is Allow.

Value
    Displays the APN value for this entry. Partial matches are allowed using a
    wildcard. For example, *.mcc333.mnc111.gprs would match all APNs from
    country 333 and carrier 111 on the gprs network.

Mode
    Select one or more of the methods used to obtain APN values.
    Mobile Station provided - The APN comes from the mobile station where the
    mobile device connected. This is the point of entry into the carrier network
    for the user’s connection.
    Network provided - The APN comes from the carrier network.
    Subscription Verified - The user’s subscription has been verified for this
    APN. This is the most secure option.

Action
    One of Allow or Deny, to allow or block traffic associated with this APN.

Delete icon
    Select to remove this APN entry from the list.

Edit icon
    Select to change the information for this APN entry.

Add APN
    Select to add an APN to the list.
    Note: You will see a message warning you that by leaving the GTP screen you
    are discarding any unsaved changes. If you have made changes you should
    save them first before adding one or more APN entries.

Configuring IMSI filtering in FortiOS Carrier
In many ways the IMSI on a GPRS network is similar to an IP address on a TCP/IP
network. Different parts of the number provide different pieces of information. This concept
is used in IMSI filtering on FortiOS Carrier.
To configure IMSI filtering go to UTM > Carrier > GTP and expand IMSI filtering.
Note: While both the APN and MCC-MNC fields are optional, without one of these fields the
IMSI entry will not be useful, as there is no information for the filter to match.

Enable IMSI Filter
    Select to turn on IMSI filtering.

Default IMSI Action
    Select Allow or Deny. This action will be applied to all IMSI numbers except
    as indicated in the IMSI list that is displayed.
    The default value is Allow.

APN
    The Access Point Number (APN) to filter on.
    This field is optional.

MCC-MNC
    The Mobile Country Code (MCC) and Mobile Network Code (MNC) to filter
    on. Together these numbers uniquely identify the carrier and network of the
    GGSN being used.
    This field is optional.

Mode
    Select the source of the IMSI information as one or more of the following:
    Mobile Station provided - the IMSI number comes from the mobile station
    the mobile device is connecting to.
    Network provided - the IMSI number comes from the GPRS network, which
    could be a number of sources such as the SGSN or HLR.
    Subscription Verified - the IMSI number comes from the user’s home
    network, which has verified the information.
    Note: While Subscription Verified is the most secure option, it may not
    always be available. Selecting all three options will ensure the most
    complete coverage.

Action
    Select the action to take when this IMSI information is encountered. Select
    one of Allow or Deny.

Delete Icon
    Select the delete icon to remove this IMSI entry.

Edit Icon
    Select the edit icon to change information for this IMSI entry.

Add IMSI
    Select to add an IMSI to the list.
    Note: You will see a message warning you that by leaving the GTP screen
    you are discarding any unsaved changes. If you have made changes you
    should save them first before adding one or more IMSI entries.
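The APN filter and IMSI filter sections above describe the matching rules in prose (first matching entry wins, the default action applies otherwise, a wildcard APN such as *.mcc333.mnc111.gprs, and an IMSI entry with neither APN nor MCC-MNC matching nothing). The following is an added example that models that evaluation in Python; it is not FortiOS code. The IMSI split into a 3-digit MCC, 3-digit MNC and 9-digit MSIN follows Figure 282, and every rule and subscriber value is constructed sample data.

```python
"""Added example, not FortiOS code: a model of the APN filter and IMSI filter
evaluation described in the two sections above. The IMSI split into MCC (3),
MNC (3) and MSIN (9 digits) follows Figure 282; the wildcard syntax follows
the "*.mcc333.mnc111.gprs" example. All rules and subscriber values below are
constructed sample data."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Imsi:
    mcc: str
    mnc: str
    msin: str

    @property
    def hni(self) -> str:
        """Home Network Identity: MCC followed by MNC."""
        return self.mcc + self.mnc


def parse_imsi(imsi: str, mnc_len: int = 3) -> Imsi:
    """Split a 15-digit IMSI. mnc_len=3 matches Figure 282 (some networks use 2)."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError(f"IMSI must be 15 digits: {imsi!r}")
    return Imsi(mcc=imsi[:3], mnc=imsi[3:3 + mnc_len], msin=imsi[3 + mnc_len:])


@dataclass
class ApnRule:
    pattern: str   # exact APN or wildcard pattern such as "*.mcc333.mnc111.gprs"
    action: str    # "allow" or "deny"


@dataclass
class ImsiRule:
    action: str
    apn: Optional[str] = None      # optional APN (wildcards allowed)
    mcc_mnc: Optional[str] = None  # optional "MCC-MNC" string, e.g. "342-750"


def apn_matches(pattern: str, apn: str) -> bool:
    """APN labels are case-insensitive; '*' matches any run of characters."""
    return fnmatch.fnmatchcase(apn.lower(), pattern.lower())


def apn_filter(rules: List[ApnRule], apn: str, default_action: str = "allow") -> str:
    """First matching entry wins; otherwise the Default APN Action applies."""
    for rule in rules:
        if apn_matches(rule.pattern, apn):
            return rule.action
    return default_action


def imsi_filter(rules: List[ImsiRule], imsi: str, apn: str,
                default_action: str = "allow") -> str:
    """An entry matches when every field it specifies matches the session.
    An entry with neither APN nor MCC-MNC has nothing to match on and is
    skipped, which is the situation the note above warns about."""
    parsed = parse_imsi(imsi)
    for rule in rules:
        if rule.apn is None and rule.mcc_mnc is None:
            continue
        if rule.apn is not None and not apn_matches(rule.apn, apn):
            continue
        if rule.mcc_mnc is not None and rule.mcc_mnc != f"{parsed.mcc}-{parsed.mnc}":
            continue
        return rule.action
    return default_action


# Constructed sample configuration: allow only the home carrier's APNs.
SAMPLE_APN_RULES = [ApnRule("*.mcc342.mnc750.gprs", "allow")]
SAMPLE_APN_DEFAULT = "deny"

# Constructed sample IMSI list: deny one foreign MCC-MNC, allow any .gprs APN,
# plus one useless entry with no match fields at all.
SAMPLE_IMSI_RULES = [
    ImsiRule("deny", mcc_mnc="310-260"),
    ImsiRule("allow", apn="*.gprs"),
    ImsiRule("deny"),
]


if __name__ == "__main__":
    print(parse_imsi("342750123456789"))
    print(apn_filter(SAMPLE_APN_RULES, "internet.mcc342.mnc750.gprs", SAMPLE_APN_DEFAULT))
    print(imsi_filter(SAMPLE_IMSI_RULES, "310260123456789", "internet.mcc310.mnc260.gprs"))
```

The useless third IMSI entry never matches, so a session from an unknown network falls through to the default action; this is the behaviour to check for when an IMSI list seems to have no effect.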

Configuring advanced filtering in FortiOS Carrier
Compared to APN or IMSI filtering, advanced filtering is well named. Advanced filtering
can be viewed as a catch-all filtering option: if APN or IMSI filtering doesn’t do what you
want, then advanced filtering will. Advanced filtering can use more information
elements to provide considerably more granularity for your filtering.

Enable
    Select to turn on advanced filtering.

Default Action
    Select Allow or Deny as the default action to take when traffic does not
    match an entry in the advanced filter list.

Messages
    Optionally select one or more types of messages this filter applies to:
    Create PDP Context Request, Create PDP Context Response, Update PDP
    Context Request, or Update PDP Context Response.
    Selecting Create PDP Context Response or Update PDP Context Response
    limits RAT type to only GAN and HSPA, and disables the APN, APN Mode,
    IMSI, MSISDN, ULI, RAI, and IMEI fields.
    To select Update PDP Context Request, APN Restriction must be set to all.
    Selecting Update PDP Context Request disables the APN, MSISDN, and
    IMEI fields.
    If all message types are selected, only the RAT Types of GAN and HSPA
    are available to select.

APN Restriction
    APN Restriction either allows all APNs or restricts the APNs to one of four
    categories: Public-1, Public-2, Private-1, or Private-2. This can also be
    combined with a specific APN or partial APN as well as specifying the APN
    mode.

RAT Type
    Select one or more of the Radio Access Technology Types listed. These
    fields control how a user accesses the carrier’s network. You can select
    one or more of UTRAN, GERAN, WLAN, GAN, HSPA, or any. See “Radio
    Access Technology (RAT) type” on page 1850.

ULI
    The user location identifier. Often the ULI is used with the RAI to locate a
    user geographically on the carrier’s network.
    The ULI is disabled when Create PDP Context Response or Update PDP
    Context Response messages are selected.

RAI
    The routing area identifier. There is only one SGSN per routing area on a
    carrier network. This is often used with ULI to locate a user geographically
    on a carrier network.
    The RAI is disabled when Create PDP Context Response or Update PDP
    Context Response messages are selected.

IMEI
    The International Mobile Equipment Identity. The IMEI uniquely identifies
    mobile hardware, and can be used to block stolen equipment.
    The IMEI is only available when Create PDP Context Request or no
    messages are selected.

Action
    Select Allow or Deny as the action when this filter matches traffic.
    The default is Allow.

Delete Icon
    Select to delete this entry from the list.

Edit Icon
    Select to edit this entry.

Add
    Select to add an advanced filter to the list.
    Note: You will see a message warning you that by leaving the GTP screen
    you are discarding any unsaved changes. If you have made changes you
    should save them first before adding one or more advanced filtering
    entries.

Troubleshooting
This section highlights troubleshooting for Carrier related issues.
This section includes:
• FortiOS Carrier diagnose commands
• Applying Intrusion Prevention System (IPS) signatures to IP packets within GTP-U
  tunnels
• GTP packets are not moving along your network

FortiOS Carrier diagnose commands
This section includes diagnose commands specific to FortiOS Carrier features such as
dynamic profiles, and GTP.
• Dynamic Profile diagnose commands
• GTP related diagnose commands

Dynamic Profile diagnose commands
You can use the following FortiOS Carrier diagnose commands to debug communication
between the RADIUS server and FortiOS Carrier:
• diagnose test application radiusd 2 clears the user context list
• diagnose test application radiusd 3 shows the user context list (user,
  profile, ip)
• diagnose test application radiusd 5 displays RADIUS statistics such as the
  number of RADIUS Start and Stop packets received, the number of packet errors and
  so on.
• diagnose dynamic-profile query ip 10.0.0.1 is a filter that displays the
  same kind of information as diagnose test application radiusd 3.
• diagnose dynamic-profile query profile-usage <vdom_name> displays a
  summary of profile usage for the named VDOM.
• diagnose debug application radiusd 3 displays carrier end points and their
  associated profile group names. An example entry for carrier end point 5551231234
  and profile group name profile_name could be:
  <000.000000> [49]: received from radiusd -- msgId=41,
  profile=profile_name, endpoint=5551231234 [49]: delayed setup
  for profile profile_name)

In the following example, the command diagnose test application radiusd 3
displays three entries in the user context list. In this example, the carrier end points are
listed under endpoint and they are all email addresses. This example output uses example
IP addresses and domain names.
index,"time left (hh:mm:ss)",ip,endpoint,profile,rc,"Default Profile?",Blacklist?
1,07:08:07,"192.168.23.7","33example@example.com","PackageVAS2",1,No,No
2,07:23:32,"192.168.33.112","45example@example.com","PackageVAS2",1,No,No
3,07:28:32,"172.20.123.71","332example@example.com","PackageVAS1",1,No,No
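The user context list above is a comma-separated listing with a header row, which makes it easy to post-process from a script (for example to see which profile each end point received, or which contexts are about to expire). The following is an added example, not a FortiOS tool: a small Python parser for that output. SAMPLE_OUTPUT reproduces the example listing above as constructed input; the record and function names are the example's own.

```python
"""Added example, not a FortiOS tool: parse the user context list printed by
'diagnose test application radiusd 3' so the entries can be checked from a
script. SAMPLE_OUTPUT reproduces the example output above as constructed
input."""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_OUTPUT = """index,"time left (hh:mm:ss)",ip,endpoint,profile,rc,"Default Profile?",Blacklist?
1,07:08:07,"192.168.23.7","33example@example.com","PackageVAS2",1,No,No
2,07:23:32,"192.168.33.112","45example@example.com","PackageVAS2",1,No,No
3,07:28:32,"172.20.123.71","332example@example.com","PackageVAS1",1,No,No
"""


@dataclass
class UserContext:
    index: int
    time_left_s: int      # seconds until the context expires
    ip: str
    endpoint: str         # carrier end point (here an e-mail address)
    profile: str          # dynamic profile applied to this user
    rc: int
    default_profile: bool
    blacklisted: bool


def _hms_to_seconds(hms: str) -> int:
    """Convert the 'hh:mm:ss' time-left column to seconds."""
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_user_context_list(text: str) -> List[UserContext]:
    """Parse the CSV-style listing; the first row is the column header."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header or header[0] != "index":
        raise ValueError("unexpected header row")
    contexts = []
    for row in reader:
        if len(row) != 8:
            continue  # skip blank or truncated lines
        contexts.append(UserContext(
            index=int(row[0]),
            time_left_s=_hms_to_seconds(row[1]),
            ip=row[2],
            endpoint=row[3],
            profile=row[4],
            rc=int(row[5]),
            default_profile=row[6].lower() == "yes",
            blacklisted=row[7].lower() == "yes",
        ))
    return contexts


def profile_usage(contexts: List[UserContext]) -> Dict[str, int]:
    """Count active contexts per profile, a per-profile summary of the listing."""
    return dict(Counter(c.profile for c in contexts))


def expiring_within(contexts: List[UserContext], seconds: int) -> List[str]:
    """End points whose context expires within the given number of seconds."""
    return [c.endpoint for c in contexts if c.time_left_s <= seconds]


if __name__ == "__main__":
    parsed = parse_user_context_list(SAMPLE_OUTPUT)
    for ctx in parsed:
        print(ctx)
    print(profile_usage(parsed))
```

Feed the function the captured CLI output instead of SAMPLE_OUTPUT to use it on a real unit; rows that do not have exactly eight columns are ignored rather than raising, so a trailing prompt line does not break the parse.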

GTP related diagnose commands
This CLI command allows you to gain information on GTP packets, logs, statistics, and
other information.

diag firewall gtp <command>

apn list <gtp_profile>
    The APN list entries in the specified GTP profile.

auth-ggsns show <gtp_profile>
    The authorized GGSNs list entries for the specified GTP profile.

auth-sgsns show <gtp_profile>
    The authorized SGSNs list entries for the specified GTP profile.

handover-grp show <gtp_profile>
    The handover group showing the range of allowed handover group IP
    addresses.

ie-remove-policy list <gtp_profile>
    List of IE policies in the IE removal policy for this GTP profile. The
    information displayed includes the message count for this policy, the
    length of the SGSN, the list of IEs, and list of SGSN IP addresses.

imsi list <gtp_profile>
    IMSI filter entries for this GTP profile. The information displayed
    includes the message count for this filter, length of the IMSI, the length
    of the APN and IMSI, and of course the IMSI and APN values.

invalid-sgsns-to-long list <gtp_profile>
    List of SGSNs that do not match the filter criteria. These SGSNs will
    be logged.

ip-policy list <gtp_profile>
    List the IP policies including message count for each policy, the action
    to take, the source and destination IP addresses or ranges, and
    masks.

noip-policy <gtp_profile>
    List the non-IP policies including the message count, which mode, the
    action to take, and the start and end protocols to be used by decimal
    number.

path {list | flush}
    Select list or flush.
    List the GTP related paths in FortiOS Carrier memory.
    Flush the GTP related paths from memory.

policy list <gtp_policy>
    The GTP advanced filter policy information for this GTP profile. The
    information displayed for each entry includes a count for messages
    matching this filter, a hexadecimal mask of which message types to
    match, the associated flags, action to take on a match, APN selection
    mode, MSISDN, RAT types, RAI, ULI, and IMEI.

profile list
    Displays

runtime-stat flush
    Select to flush the runtime statistics from memory.

stat
    Display the runtime statistics. This information includes how many
    tunnels are active, how many GTP profiles exist, how many IMSI filter
    entries, how many APN filter entries, advanced policy filter entries, IE
    remove policy filter entries, IP policy filter entries, and number of
    dropped packets.

tunnel {list | flush}
    Select one of list or flush.
    List lists all the GTP tunnels currently active.
    Flush clears the list of active GTP tunnels.

Applying Intrusion Prevention System (IPS) signatures to IP packets within GTP-U
tunnels
GTP-U (GTP user data tunnelling) tunnels carry user data packets, signalling messages
and error information. GTP-U uses UDP port 2152. FortiOS Carrier units can apply IPS
intrusion protection and detection to GTP-U user data sessions.
To apply IPS to GTP-U user data sessions, add an IPS Sensor to a profile and add the
profile to a firewall policy that accepts GTP-U tunnels. The firewall policy Service must be
set to GTP or ANY to accept GTP-U packets.
The FortiOS Carrier unit intercepts packets with destination port 2152, removes the GTP
header and handles the packets as regular IP packets. By applying an IPS sensor to the IP
packets, the FortiOS Carrier unit can log attacks and pass or drop packets depending on
the configuration of the sensor.
To apply an IPS sensor to GTP-U tunnels
1 Go to UTM > Intrusion Protection > IPS Sensor and select Create New to add an IPS
Sensor.
2 Configure the IPS Sensor to detect attacks and log, drop, or pass attack packets.
See the Intrusion Protection and IPS sensors sections of the FortiOS 4.0 MR2
Administration Guide, and FortiOS 4.0 MR2 UTM Guide.
3 Go to Firewall > Policy > Policy and apply the IPS sensor to the firewall policy.
4 Go to Firewall > Policy > Policy and select Create New to add a firewall policy or select
a firewall policy.
5 Configure the firewall policy to accept GTP traffic.
In the firewall policy, configure the source and destination settings to match the GTP
traffic. Set Service to GTP or ANY so that the firewall policy accepts GTP traffic.
6 Select the GTP profile within the firewall policy.
7 Configure any other required firewall policy settings.
8 Select OK to save the firewall policy.
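The text above says the unit intercepts UDP port 2152, removes the GTP header and then treats what is left as an ordinary IP packet. The following is an added example, not FortiOS code, that writes that decapsulation step out for a single GTPv1 packet, so that the inner IP packet could be handed to any inspection logic. The header layout (flags, message type, length, TEID, and the optional sequence number, N-PDU number and extension header fields) and the G-PDU message type value 255 are the standard GTPv1 definitions; the packets produced by build_sample_gpdu() and build_sample_echo_request() are constructed sample data, and the function and class names are the example's own.

```python
"""Added example, not FortiOS code: strip a GTPv1 header from a UDP payload
on port 2152 and summarise the inner IPv4 packet, as the text above describes.
Header layout and the G-PDU type (255) are standard GTPv1; the sample packets
built below are constructed data."""
import struct
from dataclasses import dataclass
from typing import Optional

GTPU_PORT = 2152   # UDP port used by GTP-U
MSG_G_PDU = 255    # message type carrying a user data packet (T-PDU)


@dataclass
class GtpHeader:
    version: int
    msg_type: int
    teid: int
    seq: Optional[int]
    payload: bytes   # for a G-PDU, the inner IP packet


def parse_gtpv1(data: bytes) -> GtpHeader:
    """Strip the GTPv1 header (and any extension headers) from one UDP payload."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"unsupported GTP version {version}")
    end = 8 + length                      # length counts bytes after the first 8
    if len(data) < end:
        raise ValueError("GTP length field exceeds packet")
    hdr_len, seq = 8, None
    if flags & 0x07:                      # E, S or PN set: optional 4 bytes present
        if length < 4:
            raise ValueError("optional fields flagged but not present")
        seq_raw, _npdu, next_ext = struct.unpack("!HBB", data[8:12])
        if flags & 0x02:                  # S flag: sequence number is meaningful
            seq = seq_raw
        hdr_len = 12
        while next_ext != 0:              # extension headers: len/4, body, next type
            if hdr_len >= end:
                raise ValueError("truncated extension header")
            ext_len = data[hdr_len] * 4
            if ext_len == 0 or hdr_len + ext_len > end:
                raise ValueError("bad extension header")
            next_ext = data[hdr_len + ext_len - 1]
            hdr_len += ext_len
    return GtpHeader(version, msg_type, teid, seq, data[hdr_len:end])


@dataclass
class InnerIpv4:
    src: str
    dst: str
    protocol: int


def parse_inner_ipv4(packet: bytes) -> InnerIpv4:
    """Read the addresses and protocol of the inner IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return InnerIpv4(src=".".join(str(b) for b in packet[12:16]),
                     dst=".".join(str(b) for b in packet[16:20]),
                     protocol=packet[9])


def decapsulate(udp_dport: int, udp_payload: bytes) -> Optional[InnerIpv4]:
    """Inner IPv4 summary for a G-PDU sent to port 2152; None for other ports
    and for GTP signalling messages, which carry no user packet."""
    if udp_dport != GTPU_PORT:
        return None
    hdr = parse_gtpv1(udp_payload)
    if hdr.msg_type != MSG_G_PDU:
        return None
    return parse_inner_ipv4(hdr.payload)


def build_sample_gpdu() -> bytes:
    """Constructed G-PDU: GTPv1 header with S flag, TEID 0x12345678, seq 1,
    wrapping a minimal IPv4/UDP packet from 10.1.1.2 to 203.0.113.5."""
    inner_data = b"constructed payload"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_data), 0, 0,
                         64, 17, 0, bytes([10, 1, 1, 2]), bytes([203, 0, 113, 5]))
    inner = ip_hdr + inner_data
    # flags 0x32: version 1, PT=1 (GTP), E=0, S=1, PN=0
    gtp_hdr = struct.pack("!BBHIHBB", 0x32, MSG_G_PDU, 4 + len(inner),
                          0x12345678, 1, 0, 0)
    return gtp_hdr + inner


def build_sample_echo_request() -> bytes:
    """Constructed Echo Request (message type 1): signalling, no user payload."""
    return struct.pack("!BBHI", 0x30, 1, 0, 0)
```

Only a G-PDU yields an inner packet; an Echo Request on the same port returns None, which mirrors the distinction the text draws between GTP-U user data sessions and the signalling that shares the tunnel.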

GTP packets are not moving along your network
When GTP packets are not getting to their destination, this could be caused by any one of
a number of issues. General troubleshooting principles apply here.
The following sections provide some suggestions on how to troubleshoot this issue:
• Attempt to identify the section of your network with the problem
• Ensure you have an APN configured
• Check the logs and adjust their settings if required
• Check the routing table
• Perform a sniffer trace
• Generate specific packets to test the network

Attempt to identify the section of your network with the problem
The first step is to determine how widespread this problem is. Does it affect the whole
GTP network, or just one or two devices on the network?
If the entire network has this problem, the solution is likely a more general one such as
ensuring the firewall policies allow GTP traffic to pass, or ensuring the GTP general
settings are not overly limiting.
If one part of the network is affected, the problem is more likely centered around
configurations with those network devices specified such as the handover group, or
authorized SGSNs/GGSNs. It is also possible that small portions of the network may have
other hardware related issues such as cabling or faulty hardware. This section does not
address those issues, and assumes hardware is not the problem.

Ensure you have an APN configured
When you configure your GTP profile, ensure you first configure the APN. Without it, there
will be no flow of traffic. The APN is used in nearly all GTP communications and without it,
the FortiOS Carrier unit doesn’t have the information it needs.

Check the logs and adjust their settings if required
During normal operation, the log settings will show any problems on the network but may
not provide the level of details required to fully troubleshoot the problem. The reason for
this is that the level of detail required for troubleshooting would quickly overwhelm the
daily logs without any real benefit.
Once there is a problem to troubleshoot, check the logs to trace the traffic patterns and
narrow down the possible sources of the problem. There may be enough detail for you to
locate and fix the problem without changing the log settings.
Tip: Remember to set any changes you made to the log settings back to their original
values when you are done troubleshooting. Otherwise, the amount of detail will overwhelm
your logging.

However, if more detail is required you can change settings such as:
• Lower the Log Frequency number in GTP Profiles so fewer or no log messages are
  dropped. This will allow a more accurate picture of everything happening on the
  network, where you may have had only a partial picture before.
• Ensure all the GTP log events are enabled to provide you with a complete picture.
• Increase the minimum log level to Information or Debug to ensure you are seeing all
  possible log entries. This is found if you go to Log & Report > Log Config > Log Setting >
  Local Logging & Archiving > Minimum log level.
• Ensure that all relevant event types are enabled under Log & Report > Log Config >
  Event Log.

For more information on GTP related logging, see “Logging events on the FortiOS Carrier
unit” on page 1839. For more information on logging in general, see the log and report
chapters of FortiOS 4.0 MR2 Administration Guide and FortiOS CLI Reference.
General information you should be looking for in the logs includes:
• Are all packets having problems or just certain types?
• Are all devices on the network having problems, or just certain devices?
• Is it just GTP traffic that is having problems, or are all types of traffic having the same
  problem?

Check the routing table
On any network, the routing table determines how packets reach their destination. This is
also true on a carrier network.
If the FortiOS Carrier unit is running in NAT mode, verify that all desired routes are in the
routing table: local subnets, default routes, specific static routes, and dynamic routing
protocols. For complete information, it is best to check the routing table in the CLI. This
method provides more complete information.
Note: If VDOMs are enabled on your FortiOS Carrier unit, all routing related CLI commands
must be performed within a VDOM and not in the global context.

To check the routing table using the CLI
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS
inter area
* - candidate default
S*    0.0.0.0/0 [10/0] via 192.168.183.254, port2
S     1.0.0.0/8 [10/0] via 192.168.183.254, port2
S     2.0.0.0/8 [10/0] via 192.168.183.254, port2
C     10.142.0.0/23 is directly connected, port3
B     10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
C     192.168.182.0/23 is directly connected, port2

Examining an entry from the routing table above:
B     10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m

B
    BGP. The routing protocol used.

10.160.0.0/23
    The destination of this route including netmask.

[20/0]
    20 indicates an administrative distance of 20 out of a range of 0
    to 255.
    0 is an additional metric associated with this route, such as in
    OSPF.

10.142.0.74
    The gateway, or next hop.

port3
    The interface used by this route.

2d18h02m
    How old this route is, in this case almost three days old.
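When checking whether a GGSN, SGSN or next hop actually has a route, it helps to do the longest-prefix lookup the unit itself would do rather than reading the table by eye. The following is an added example, not a FortiOS tool: a Python parser for the text printed by get router info routing-table all, with a lookup that returns the route a destination would use. SAMPLE_TABLE reproduces the routing table shown above as constructed input; ROUTE_RE, Route, lookup and describe are the example's own names.

```python
"""Added example, not a FortiOS tool: parse 'get router info routing-table all'
output and find the route a destination would take. SAMPLE_TABLE reproduces
the routing table shown above as constructed input."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_TABLE = """Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S*    0.0.0.0/0 [10/0] via 192.168.183.254, port2
S     1.0.0.0/8 [10/0] via 192.168.183.254, port2
S     2.0.0.0/8 [10/0] via 192.168.183.254, port2
C     10.142.0.0/23 is directly connected, port3
B     10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
C     192.168.182.0/23 is directly connected, port2
"""

# One route line: code, prefix, then either "[AD/metric] via gateway" or
# "is directly connected", the interface, and an optional age.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2}\*?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected)"
    r",\s*(?P<iface>[^,\s]+)(?:,\s*(?P<age>\S+))?$"
)


@dataclass
class Route:
    code: str                       # S, S*, C, B, ... from the Codes legend
    prefix: ipaddress.IPv4Network
    ad: int                         # administrative distance (0 for connected)
    metric: int
    gateway: Optional[str]          # None for directly connected routes
    iface: str
    age: Optional[str]


def parse_routing_table(text: str) -> List[Route]:
    """Turn the CLI text into Route records; legend and prompt lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append(Route(
            code=m.group("code"),
            prefix=ipaddress.IPv4Network(m.group("prefix"), strict=False),
            ad=int(m.group("ad") or 0),
            metric=int(m.group("metric") or 0),
            gateway=m.group("gw"),
            iface=m.group("iface"),
            age=m.group("age"),
        ))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes prefer the lowest AD."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.ad))


def describe(routes: List[Route], destination: str) -> str:
    """One-line summary of how a destination is reached, for a troubleshooting log."""
    r = lookup(routes, destination)
    if r is None:
        return f"{destination}: no route"
    hop = f"via {r.gateway}" if r.gateway else "directly connected"
    return f"{destination}: {r.prefix} {hop} on {r.iface} ({r.code})"


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_TABLE)
    for dst in ("10.160.1.5", "10.142.0.74", "8.8.8.8"):
        print(describe(table, dst))
```

A destination that resolves only to the S* candidate default is worth a second look during GTP troubleshooting: the packet will leave the unit, but not necessarily towards the carrier network you expect.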

Perform a sniffer trace
When troubleshooting network traffic, it helps to look inside the headers of packets to
determine if they are traveling along the route you expect that they are. Packet sniffing can
also be called a network tap, packet capture, or logic analyzing.
Note: If your FortiOS Carrier unit has NP2 interfaces that are offloading traffic, this will
change the sniffer trace. Before performing a trace on any NP2 interfaces, you should
disable offloading on those interfaces.

FortiOS™ Handbook FortiOS 4.0 MR2 FortiOS Carrier
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

1859

GTP packets are not moving along your network

Troubleshooting

What can sniffing packets tell you
If you are running a constant traffic application such as ping, packet sniffing can tell you if
the traffic is reaching the destination, what the port of entry is on the FortiOS Carrier unit, if
the ARP resolution is correct, and if the traffic is being sent back to the source as
expected.
Sniffing packets can also tell you if the FortiOS Carrier unit is silently dropping packets for
reasons such as RPF (Reverse Path Forwarding), also called Anti Spoofing. RPF prevents an
IP packet from being forwarded if its source IP neither belongs to a locally attached subnet
(local interface) nor is covered by a route (static route, RIP, OSPF, BGP) between the
FortiOS Carrier unit and that source. Note that RPF can be disabled by turning on
asymmetric routing in the CLI (config system setting, set asymmetric enable); however,
this also disables stateful inspection on the FortiOS Carrier unit and causes many features
to be turned off.
Note: If you configure virtual IP addresses on your FortiOS Carrier unit, it will use those
addresses in preference to the physical IP addresses. You will notice this when you are
sniffing packets because all the traffic will be using the virtual IP addresses. This is due to
the ARP update that is sent out when the VIP address is configured.

How do you sniff packets
The general form of the internal FortiOS packet sniffer command is:
diag sniffer packet <interface_name> <'filter'> <verbose> <count>
To stop the sniffer, type CTRL+C.

<interface_name>   The name of the interface to sniff, such as port1 or internal.
                   This can also be any to sniff all interfaces.
<'filter'>         What to look for in the information the sniffer reads. none
                   indicates no filtering, and all packets will be displayed as the
                   other arguments indicate.
                   The filter must be inside single quotes (').
<verbose>          The level of verbosity as one of:
                   1 - print header of packets
                   2 - print header and data from IP of packets
                   3 - print header and data from Ethernet of packets
<count>            The number of packets the sniffer reads before stopping. If you
                   don't put a number here, the sniffer will run forever until you
                   stop it with <CTRL C>.

For a simple sniffing example, enter the CLI command diag sniffer packet port1
none 1 3. This will display the next 3 packets on the port1 interface using no filtering,
and using verbose level 1. At this verbosity level you can see the source IP and port, the
destination IP and port, action (such as ack), and sequence numbers.
In the output below, port 443 indicates these are HTTPS packets, and 172.20.120.17 is
both sending and receiving traffic.
Head_Office_620b # diag sniffer packet port1 none 1 3
interfaces=[port1]
filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757
0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808
0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933
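As an added example (not Fortinet's code and not part of the handbook), the following Python parser reads verbose-level-1 output such as the capture above and, for each flow, reports whether any traffic came back the other way, which is the "is the traffic being sent back to the source as expected" question from the previous section. The capture embedded in it is a constructed sample modelled on the lines above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the verbose-level-1 output shown above. The
# interfaces= and filters= lines are the sniffer's own header and carry no packet.
SAMPLE_OUTPUT = """\
interfaces=[port1]
filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757
0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808
0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933
"""

# <timestamp> <src>.<sport> -> <dst>.<dport>: <rest of line>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one verbose-level-1 sniffer line into a dict; None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    pkt = {
        "ts": float(m.group("ts")),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": tokens[0] if tokens else "",
        "seq": None, "ack": None,
    }
    # "psh 3177924955 ack 1854307757": the number after the flag word is the
    # sequence number; the number after the literal "ack" is the acknowledgement.
    # A pure acknowledgement is printed as "ack <number>" with no sequence number.
    if len(tokens) >= 2 and tokens[1].isdigit():
        if pkt["flags"] == "ack":
            pkt["ack"] = int(tokens[1])
        else:
            pkt["seq"] = int(tokens[1])
    if "ack" in tokens[1:]:
        i = tokens.index("ack", 1)
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            pkt["ack"] = int(tokens[i + 1])
    return pkt


def parse_sniffer(text):
    """Parse a whole capture, skipping the header and anything unrecognised."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def flow_summary(packets):
    """Count packets per direction of each (src, sport, dst, dport) flow and record
    how many packets were seen travelling the opposite way."""
    flows = defaultdict(lambda: {"sent": 0, "returned": 0})
    for p in packets:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])]["sent"] += 1
    for key, stats in flows.items():
        reverse = flows.get((key[2], key[3], key[0], key[1]))
        stats["returned"] = reverse["sent"] if reverse else 0
    return dict(flows)


def unanswered_flows(packets):
    """Flows that leave but never get a reply: the first thing to check when the
    unit is silently dropping traffic (RPF failure, missing policy, wrong route)."""
    return sorted(k for k, v in flow_summary(packets).items() if v["returned"] == 0)


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_OUTPUT)
    for key, stats in flow_summary(pkts).items():
        print("%s:%d -> %s:%d  sent=%d returned=%d"
              % (key + (stats["sent"], stats["returned"])))
    print("unanswered:", unanswered_flows(pkts))
```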

Generate specific packets to test the network
If some packets are being delivered as expected while others are not, or after you believe
you have fixed the problem, it is a good idea to generate specific traffic to test your
network.
For example if you discover through log messages and packet sniffing that Create PDP
Context Request messages are not being delivered between two SGSNs, you can
generate those specific messages on your network to confirm they are the problem, and
later that you have solved the problem and they are now being delivered as expected.
This step requires a third party traffic generation tool, either hardware or software, that will
not be supported by Fortinet.


Chapter 16 Deploying Wireless Networks
This FortiOS Handbook chapter contains the following sections:
• Introduction to wireless networking explains the basic concepts of wireless networking
  and how to plan your wireless network.
• Configuring a wireless LAN explains how to set up a basic wireless network, prior to
  deploying access point hardware.
• Access point deployment explains how to deploy access point hardware and add it to
  your wireless network configuration.
• Wireless network monitoring explains how to monitor your wireless clients and how to
  monitor other wireless access points, potentially rogues, in your coverage area.


Introduction to wireless networking
This chapter introduces some concepts you should understand before working with
wireless networks, describes Fortinet’s wireless equipment, and then describes the factors
you need to consider in planning deployment of a wireless network.
The following topics are included in this section:
• Wireless concepts
• Security
• Authentication
• Wireless networking equipment
• Deployment considerations

Wireless concepts
Wireless networking is radio technology, subject to the same characteristics and
limitations as the familiar audio and video radio communications. Various techniques are
used to modulate the radio signal with a data stream.

Bands and channels
Depending on the wireless protocol selected, you have specific channels available to you,
depending on what region of the world you are in.
• IEEE 802.11a, b, and g protocols provide up to 14 channels in the 2.400-2.500 GHz
  Industrial, Scientific and Medical (ISM) band.
• IEEE 802.11a and n protocols provide up to 16 channels (5.150-5.250, 5.250-5.350 and
  5.725-5.875 GHz) in portions of the Unlicensed National Information Infrastructure
  (U-NII) band.
Note that the width of these channels exceeds the spacing between the channels. This
means that there is some overlap, creating the possibility of interference from adjacent
channels, although less severe than interference on the same channel. Truly
non-overlapping operation requires the use of every fourth or fifth channel, for example
ISM channels 1, 6 and 11.
The capabilities of your wireless clients are the deciding factor in your choice of wireless
protocol. If your clients support it, 5GHz protocols have some advantages. The 5GHz
band is less used than 2.4GHz, and its shorter wavelengths have a shorter range and
penetrate obstacles less. All of these factors mean less interference from other access
points, including your own.
When configuring your WAP, be sure to correctly select the Geography setting to ensure
that you have access only to the channels permitted for WiFi use in your part of the world.
The following tables list the channel assignments for wireless networks for each supported
wireless protocol.


IEEE 802.11a/n channels
Table 124 lists the channels supported on FortiWiFi products that support the IEEE
802.11a and 802.11n wireless standards. 802.11a is available on FortiWiFi models 60B
and higher. 802.11n is available on FortiWiFi models 80CM and higher.
All channels are restricted to indoor usage except in the Americas, where both indoor and
outdoor use is permitted on channels 52 through 64 in the United States.
Table 124: IEEE 802.11a (5-GHz Band) channel numbers
Regulatory Areas: Americas, Europe, Taiwan, Singapore, Japan (per-region availability
marks not reproduced)

Channel number   Frequency (MHz)
34               5170
36               5180
38               5190
40               5200
42               5210
44               5220
46               5230
48               5240
52               5260
56               5280
60               5300
64               5320
149              5745
153              5765
157              5785
161              5805

IEEE 802.11b channel numbers
Table 125 lists IEEE 802.11b channels. All FortiWiFi units support 802.11b.
Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor
use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure
that the channel number complies with the regulatory standards of Mexico.
Table 125: IEEE 802.11b (2.4-GHz Band) channel numbers
Regulatory Areas: Americas, EMEA, Israel, Japan (per-region availability marks not
reproduced)

Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484






IEEE 802.11g channel numbers
Table 126 lists IEEE 802.11g channels. All FortiWiFi products support 802.11g.
Table 126: IEEE 802.11g (2.4-GHz Band) channel numbers
Regulatory Areas, each with CCK and OFDM columns: Americas, EMEA, Israel, Japan
(per-region availability marks not reproduced)

Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484
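The "every fourth or fifth channel" rule from the Bands and channels section, worked out from the frequencies in Tables 125 and 126, as an added example (not from the handbook). The channel widths are assumptions not stated on the page: 22 MHz for 802.11b and 20 MHz for 802.11g OFDM.

```python
# Channel centre frequencies (MHz) from Tables 125 and 126 (2.4-GHz band).
CHANNEL_MHZ = {n: 2412 + 5 * (n - 1) for n in range(1, 14)}
CHANNEL_MHZ[14] = 2484

# Assumed channel widths (not stated on the page): 22 MHz for 802.11b DSSS,
# 20 MHz for 802.11g OFDM.
WIDTH_80211B = 22
WIDTH_80211G = 20


def channels_overlap(a, b, width=WIDTH_80211B):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(CHANNEL_MHZ[a] - CHANNEL_MHZ[b]) < width


def is_nonoverlapping_set(channels, width=WIDTH_80211B):
    """True when no pair of channels in the set overlaps."""
    chans = list(channels)
    return all(not channels_overlap(a, b, width)
               for i, a in enumerate(chans) for b in chans[i + 1:])


def nonoverlapping_plan(available=range(1, 15), width=WIDTH_80211B):
    """Greedy plan: walk the channels in frequency order and keep each one that
    does not overlap the last one kept. The result is the largest set of channels
    that adjacent access points can use without interfering with each other."""
    plan = []
    for ch in sorted(available, key=CHANNEL_MHZ.__getitem__):
        if not plan or not channels_overlap(plan[-1], ch, width):
            plan.append(ch)
    return plan


if __name__ == "__main__":
    # 22 MHz channels: every fifth channel (1, 6, 11); 20 MHz: every fourth (1, 5, 9, 13)
    print("802.11b:", nonoverlapping_plan(range(1, 12)))
    print("802.11g:", nonoverlapping_plan(range(1, 14), WIDTH_80211G))
```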



Power
Wireless LANs operate on frequencies that require no license but are limited by
regulations to low power. As with other unlicensed radio operations, the regulations
provide no protection against interference from other users who are in compliance with the
regulations.
Power is often quoted in dBm. This is the power level in decibels compared to one
milliwatt. 0dBm is one milliwatt, 10dBm is 10 milliwatts, 17dBm, the maximum setting on
Fortinet WiFi equipment, is 50 milliwatts.
Received signal strength is almost always quoted in dBm because the received power is
very small. The numbers are negative because they are less than the one milliwatt
reference. A received signal strength of -60dBm is one millionth of a milliwatt or one
nanowatt.

Antennas
Transmitted signal strength is a function of transmitter power and antenna gain.
Directional antennas concentrate the signal in one direction, providing a stronger signal in
that direction than would an omnidirectional antenna.
FortiWiFi units have detachable antennas. However, these units receive regulatory
approvals based on the supplied antenna. Changing the antenna might cause your unit to
violate radio regulations.


Security
There are several security issues to consider when setting up a wireless network.

Whether to broadcast SSID
The wireless service set identifier (SSID) is the network name for this wireless interface.
Users who want to use the wireless network must configure their computers with this
network name. Broadcasting the SSID enables clients to connect to your wireless network
without first knowing the SSID. For better security, do not broadcast the SSID.

Encryption
Wireless networking supports the following security modes for protecting wireless
communication, listed in order of increasing security.
None — Open system. Any wireless user can connect to the wireless network.
WEP64 — 64-bit Wired Equivalent Privacy (WEP). This encryption requires a key
containing 10 hexadecimal digits.
WEP128 — 128-bit WEP. This encryption requires a key containing 26 hexadecimal digits.
WPA — 256-bit Wi-Fi Protected Access (WPA) security. This encryption can use either the
TKIP or AES encryption algorithm and requires a key of either 64 hexadecimal digits or a
text phrase of 8 to 63 characters. It is also possible to use a RADIUS server to store a
separate key for each user.
WPA2 — WPA with security improvements fully meeting the requirements of the IEEE
802.11i standard. Configuration requirements are the same as for WPA.
For best security, use WPA2 with the AES encryption algorithm and a RADIUS server
to verify individual credentials for each user.

Separate access for employees and guests
Wireless access for guests or customers should be separate from wireless access for your
employees. This does not require additional hardware. Both FortiWiFi units and FortiAP
units support multiple wireless LANs on the same access point. Each of the two networks
can have its own SSID, security settings, firewall policies, and user authentication.
A good security practice would be to broadcast the SSID for the guest network, but not for
the employee network.
Two separate wireless networks are possible because multiple virtual APs can be
associated with an AP profile. The same physical APs can provide two or more virtual
WLANs.

Captive portal
As part of authenticating your users, you might want them to view a web page containing
your acceptable use policy or other information. This is called a captive portal. No matter
what URL the user initially requested, the portal page is returned. Only after authenticating
and agreeing to usage terms can the user access other web resources.
For information about setting up a captive portal, see “Adding a disclaimer page to the
captive portal” on page 1882.

Power
Reducing power reduces unwanted coverage and potential interference to other WLANs.

Authentication
Wireless networks usually require authenticated access. FortiOS authentication methods
apply to wireless networks the same as they do to wired networks because authentication
is applied in the firewall policy.
The types of authentication that you might consider include:
• user accounts stored on the FortiGate unit
• user accounts managed and verified on an external RADIUS, LDAP or TACACS+
  server
• Windows Active Directory authentication, in which users logged on to a Windows
  network are transparently authenticated to use the wireless network.

This Wireless chapter of the FortiOS Handbook will provide some information about each
type of authentication, but more detailed information is available in the Authentication
chapter.
What all of these types of authentication have in common is the use of user groups to
specify who is authorized. For each wireless LAN, you will create a user group and add to
it the users who can use the WLAN. In the identity-based firewall policies that you create
for your wireless LAN, you will specify this user group.

Wireless networking equipment
Fortinet produces two types of wireless networking equipment:
• FortiWiFi units, which are FortiGate units with a built-in wireless access point/client
• FortiAP units, which are wireless access points compliant with the CAPWAP standard
  that you can control from any FortiGate unit that supports the Wireless Controller
  feature.

FortiWiFi units
FortiWiFi units support the following wireless network standards:
• IEEE 802.11a (5-GHz Band) (except FortiWiFi models 30B and 50B)
• IEEE 802.11b (2.4-GHz Band)
• IEEE 802.11g (2.4-GHz Band)
• IEEE 802.11n (5-GHz and 2.4-GHz Band) (except FortiWiFi models 30B, 50B)
• WEP64 and WEP128 Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or
  individual keys stored on a RADIUS server

FortiWiFi units support up to four wireless interfaces with four different SSIDs. Each
wireless interface can have different security settings. FortiAP units support two wireless
interfaces.
You can configure the FortiWiFi unit to:
• Provide an access point that clients with wireless network cards can connect to. This is
  called Access Point mode, which is the default mode. All FortiWiFi units can have up to
  4 wireless interfaces.
or
• Connect the FortiWiFi unit to another wireless network. This is called Client mode. A
  FortiWiFi unit operating in client mode can only have one wireless interface.
or
• Monitor access points within radio range. This is called Monitoring mode. You can
  designate the detected access points as Accepted or Rogue for tracking purposes. No
  access point or client operation is possible in this mode. But, you can enable
  monitoring as a background activity while the unit is in Access Point mode.

Using a FortiWiFi unit as a managed WAP
To use a FortiWiFi unit as a managed WAP, you need to switch it to wireless terminal
mode by using the CLI as follows:
config system global
set wireless-terminal enable
end
The wireless functionality of a FortiWiFi unit in wireless terminal mode cannot be
controlled from the unit itself.
If there are firewall devices between the wireless controller FortiGate unit and the
managed FortiWiFi units, make sure that ports 5246 and 5247 are open. These ports
carry, respectively, the encrypted control channel data and the wireless network data. If
needed, you can change these ports in the CLI:
config system global
set wireless-controller-port <port_int>   (access controller)
set wireless-terminal-port <port_int>     (access point)
end
These commands set the control channel port. The data channel port is always the control
port plus one. The port setting must match on the access controller and all access points.

FortiAP units
The FortiAP-220 unit is a wireless access point that is controlled by a FortiGate unit over
Ethernet. It has the same radio capabilities as FortiWiFi models 60B and higher.

Third-party WAPs
FortiOS implements the CAPWAP standard.

Deployment considerations
Several factors need to be considered when planning a wireless deployment.

Types of wireless deployment
This Handbook chapter describes two main types of wireless deployment: single WAP and
multiple WAP. You will know which type of deployment you need after you have evaluated
the coverage area environment.

Deployment methodology
1 Evaluate the coverage area environment.
2 Select access point hardware.
3 Plan
4 Install and configure the equipment.
5 Test and tune the network.

Evaluating the coverage area environment
Consider the following factors:
• Size of coverage area — Even under ideal conditions, reliable wireless service is
  unlikely beyond 100 metres outdoors or 30 metres indoors. Indoor range can be further
  diminished by the presence of large metal objects that absorb or reflect radio
  frequency energy. If wireless users are located on more than one floor of a building, a
  minimum of one WAP for each floor will be needed.
• Bandwidth required — Wireless interface data rates are between 11 and 150 Mb/s,
  depending on the 802.11 protocol that is used. This bandwidth is shared amongst all
  users of the wireless data stream. If wireless clients run network-intensive applications,
  fewer of them can be served satisfactorily by a single WAP.
  Note that on some FortiWiFi units you can define up to four wireless interfaces,
  increasing the available total bandwidth.
• Client wireless capabilities — Each WAP radio can support only one of the 802.11
  wireless protocols at a time. The 802.11n protocol provides the highest data rates and
  has channels in the less interference-prone 5GHz band, but it is supported only on the
  latest consumer devices. The 802.11g protocol is more common but offers lower
  bandwidth. Some older wireless client equipment supports only 802.11b with a
  maximum data rate of 11Mb/s.

The most important conclusion from these considerations is whether more than one WAP
is required.

Selecting access point hardware
For a single WAP installation, you could deploy a single FortiWiFi unit. If the site already
has a FortiGate unit that supports the wireless controller feature, adding a FortiAP unit is
the most economical solution.
For a multiple WAP deployment you need a FortiGate unit as a wireless controller and
multiple FortiAP units. A FortiWiFi unit can be used as a managed WAP, but it is more
expensive.
The FortiAP unit offers more flexible placement. FortiWiFi units either sit on a shelf or are
rack mounted. FortiAP units can be attached to any wall or ceiling, enabling you to locate
them where they will provide the best coverage.

Single access point networks
A single access point is appropriate for a limited number of users in a small area. For
example, you might want to provide wireless access for a group of employees in one area
on one floor of an office building.
A good rule of thumb is that one access point can serve 3000 to 4000 square feet of
space, with no user more than 60 feet from the access point. Walls and floors reduce the
coverage further, depending on the materials from which they are made.

Multiple access point networks
To cover a larger area, such as multiple floors of a building, or multiple buildings, multiple
access points are required.
In the wireless controller, you configure a single virtual access point, but the controller
manages multiple physical access points that share the same configuration. A feature
known as “fast roaming” enables users to move from one physical access point coverage
area to another while retaining their authentication.


Fast Roaming
Users in a multi-AP network, especially with mobile devices, can move from one AP
coverage area to another. But, the process of re-authentication can often take seconds to
complete and this can impair wireless voice traffic and time sensitive applications. The
FortiAP fast roaming feature solves this problem and is available only when moving
between FortiAP units managed by the same FortiGate unit.
Fast roaming uses two standards-based techniques:
• Pairwise Master Key (PMK) Caching enables a RADIUS-authenticated user to roam
  away from an AP and then roam back without having to re-authenticate. To accomplish
  this, the FortiGate unit stores in a cache a master key negotiated with the first AP. This
  enables the 802.11i-specified method of "fast roam-back."
• Pre-authentication or "fast-associate in advance" enables an 802.11 AP associated to
  a client to bridge to other APs over the wired network and pre-authenticate the client to
  the "next" AP to which the client might roam. This enables the PMK to be derived in
  advance of a roam and cached. When the client does roam, it will already have
  negotiated authentication in advance and will use its cached PMK to quickly associate
  to the next AP. This capability ensures that wireless clients that support
  pre-authentication continue the data transfer without noticeable connection issues.


Configuring a wireless LAN
When working with a FortiGate wireless controller, you can configure your wireless
network before you install any access points. If you are working with a standalone
FortiWiFi unit, the access point hardware is already present but the configuration is quite
similar. Both are covered in this section.
The following topics are included in this section:
• Overview of wireless controller configuration
• Creating a virtual access point (wireless controller)
• Creating an AP Profile (wireless controller)
• Configuring a WLAN interface (standalone FortiWiFi unit)
• Configuring the WLAN interface (wireless controller)
• Configuring DHCP on the WLAN
• Creating a wireless user group
• Configuring firewall policies for the WLAN
• Adding a disclaimer page to the captive portal

Overview of wireless controller configuration
The FortiGate wireless controller configuration is composed of three types of object, the
Virtual AP, the AP Profile and the physical Access Point.
Figure 284: Conceptual view of FortiGate wireless controller configuration
[Figure labels: Security settings: Virtual AP 1, Virtual AP 2; Radio settings: AP Profile 1;
Physical AP units: AP 1, AP 2, AP 3, AP 4]



• Virtual AP defines the security settings for your wireless network. This is similar to the
  wlan interface settings on a FortiWiFi unit and it creates a virtual network interface. You
  need only one virtual access point definition for a wireless network, regardless how
  many physical access points are provided.
• AP Profile defines the radio settings, such as band (802.11g for example) and channel
  selection. The AP Profile names the virtual APs to which it applies.
• Access Points represent the FortiAP units that the FortiGate unit has discovered.
  There is one access point definition for each FortiAP unit. An access point definition
  names the AP Profile that provides its settings.

One reason to have more than one virtual access point is to provide different levels of
service to different groups of users. Because each virtual AP creates its own virtual
network interface, the firewall policies and authentication are separate, even though the
radio facility defined in the AP Profile is the same.
To set up your wireless network, you will need to perform the following steps.
• On a FortiGate wireless controller:
  • Configure the Virtual Access Point (VAP), defining the security settings for your
    wireless LAN (WLAN).
  • Configure an Access Point (AP) profile, specifying the radio settings and the VAP to
    which they apply.
• On a standalone FortiWiFi unit, configure the radio and security settings for your
  WLAN interface.
• Configure DHCP to assign addresses to wireless clients.
• Configure DNS settings.
• Configure routing for the wireless LAN.
• Configure the user group and users for authentication on the WLAN.
• Configure the firewall policy for the WLAN.
• Configure the captive portal for authentication.

After completing these steps, your standalone FortiWiFi unit is ready for use. If you are
configuring a wireless controller, you will need to connect and enable your physical AP
units. This is covered in the next sections, “Access point deployment” and “Multi-AP
deployments”.

Creating a virtual access point (wireless controller)
A virtual AP defines the SSID and security settings that can be applied to one or more
physical APs. On the FortiGate unit, this creates a virtual network interface with the virtual
AP’s name. With this interface you can define the DHCP services, firewall policies, and
other settings for your wireless LAN.
To configure a virtual access point - web-based manager
1 Go to Wireless Controller > Configuration > Virtual AP and select Create New.
2 Enter a Name for the Virtual AP.
This will also be the name of the virtual network interface for your WLAN.
3 Enter the SSID for your WLAN and choose whether to enable SSID Broadcast or not.
For more information, see “Whether to broadcast SSID” on page 1869.


4 Select the Security Mode and configure the encryption key.
For more information, see “Encryption” on page 1869.
5 Optionally, set the Maximum Clients limit.
The default of 0 sets no limit on the number of clients.
6 Select OK.
This configures the SSID and security settings for your network. Each Virtual AP that you
create is a wireless interface that establishes a wireless LAN. Go to System > Network >
Interface to configure its IP address.
To configure a virtual access point - CLI
config wireless-controller vap
edit example_wlan
set ssid "example"
set broadcast-ssid enable
set security WPA2
set passphrase "hardtoguess"
end

Creating an AP Profile (wireless controller)
An AP Profile configures radio settings, and selects the Virtual APs to which the settings
apply. FortiAP units contain two radio transceivers, making it possible, for example, to
provide both 802.11g and 802.11n service from the same access point.
FortiAP units also provide a monitoring function for the Rogue AP feature.
To configure an AP Profile - web-based manager
1 Go to Wireless Controller > Configuration > AP Profile and select Create New.
2 Enter a Name for the AP Profile.
3 Select your region from the Geography list.
This is important for regulatory compliance.
4 In Mode, select Access Point.
5 Optionally, select Background Scan to support the Rogue AP feature.
For more information see “Wireless network monitoring” on page 1891.
6 In Band, select the 802.11 wireless protocol that you want to support.
Note that there are two choices for 802.11n. Select 802.11n for 2.4GHz operation or
802.11n_5G for 5GHz operation.
7 Optionally, select a Channel.
The default Auto setting is usually the best option.
8 Leave the TX Power at its default setting. You can adjust this later.
9 In Virtual AP, use the arrow buttons to move the Virtual APs (wireless LANs) to
which these settings apply into the Selected list.
10 Repeat steps 4 through 9 for Radio 2, if required.
Note that on the FortiAP-220 unit Radio 1 is 2.4GHz and Radio 2 is 5GHz.
11 Select OK.


To configure an AP Profile - CLI
This example configures only Radio 1 for 802.11g operation with automatic channel
selection, applied to virtual AP example_wlan.
config wireless-controller wtp-profile
edit guest_prof
config radio-1
set mode ap
set band 802.11g
set channel 0
set vaps example_wlan
end
end

Configuring a WLAN interface (standalone FortiWiFi unit)
As the standalone FortiWiFi unit contains and controls its own AP hardware, there are no
virtual APs or AP Profiles. There is a single set of radio settings and the security settings
are part of the wireless virtual network interface configuration.
To configure the radio settings - web-based manager
1 Go to System > Wireless > Radio Settings.
2 Make sure that Operation Mode is set to Access Point.
3 In Band, select the 802.11 wireless protocol that you want to support.
Note that there are two choices for 802.11n. Select 802.11n for 2.4GHz operation or
802.11n_5G for 5GHz operation.
4 Select your region from the Geography list.
This is important for regulatory compliance.
5 Optionally, select a Channel.
The default Auto setting is usually the best option.
6 Leave the TX Power and Beacon Interval at their default settings. You can adjust them
later.
7 Select Apply.
To configure the radio settings - CLI
config system wireless settings
set geography Americas
set mode AP
set band 802.11g
set channel 0
end
To configure the security settings - web-based manager
1 Go to System > Wireless > Radio Settings and select wlan from the list of wireless
interfaces.
wlan is the default WLAN interface. Optionally, you can create up to three more
wireless network interfaces in System > Network > Interface. These will be added to
the list on the radio settings page. All wireless interfaces use the same radio settings.
2 Enter the IP/Netmask for your wireless network.

3 Select Enable DNS Query and select Recursive.
4 Enter the SSID for your WLAN and choose whether to enable SSID Broadcast or not.
For more information, see “Whether to broadcast SSID” on page 1869.
5 Select the Security Mode and configure the encryption key.
For more information, see “Encryption” on page 1869.
6 Select OK.
To configure the security settings - CLI
config system interface
edit wlan
set mode static
set ip 192.168.254.1 255.255.255.0
set dns-query recursive
set wifi-security WPA-PSK
set wifi-encrypt AES
set wifi-passphrase hardtoguess
set wifi-ssid fortinet
set wifi-broadcast-ssid enable
end

Configuring the WLAN interface (wireless controller)
When you configure a virtual AP, you create a virtual network interface with the same
name. Like any other network interface, it requires configuration, such as assignment of
an IP address.
To configure the WLAN interface - web-based manager
1 Go to System > Network > Interface, and edit the virtual AP interface.
2 Set the Addressing Mode to Manual and enter the IP address for the interface.
3 Select the Enable DNS Query check box and select Recursive.
4 In Administrative Access, select Ping.
Ping is useful for testing. For security it is better not to enable access for
administration.
5 Select OK.
To configure the WLAN interface - CLI
config system interface
edit wlan
set mode static
set ip 192.168.254.1 255.255.255.0
set dns-query recursive
end

Configuring DHCP on the WLAN
Wireless clients need to have IP addresses. You need to configure a DHCP server on the
WLAN interface to assign IP addresses to wireless clients.
To configure a DHCP server for WLAN clients - web-based manager
1 Go to System > DHCP Server > Service and select Create New.
2 Select your WLAN interface (same name as your virtual AP) from the Interface Name
list.
3 In Mode, select Server.
4 Ensure that the Enable check box is selected.
5 Set Type to Regular.
6 Enter the IP Range and Netmask that is assigned to clients.
The address range needs to be in the same subnet as the WLAN interface IP address,
but not include that address.
7 Set the Default Gateway to the WLAN interface IP address.
8 Set DNS Service to Use System DNS Setting.
9 Select OK.
To configure a DHCP server for WLAN clients - CLI
config system dhcp server
edit 0
set default-gateway 192.168.254.1
set dns-service default
set interface "FortiWAP"
config ip-range
edit 1
set end-ip 192.168.254.9
set start-ip 192.168.254.2
end
set lease-time 1800
set netmask 255.255.255.0
end

Creating a wireless user group
Most wireless networks require authenticated access. To enable creation of identity-based
firewall policies, you should create at least one user group for your wireless users. You
can add or remove users later. There are two types of user group to consider:
• A Firewall user group can contain user accounts stored on the FortiGate unit or
external authentication servers such as RADIUS that contain and verify user
credentials.
• A Directory Services user group is used for integration with Windows Active Directory
or Novell eDirectory. The group can contain Windows or Novell user groups who will be
permitted access to the wireless LAN. FSAE must be installed on the network.

Configuring firewall policies for the WLAN
For users on the wireless LAN to communicate with other networks, firewall policies are
required. If authentication is required, as is usually the case, identity-based firewall
policies are needed. The following procedure assumes that you need a policy to allow
wireless users authenticated access to the Internet on port 1.
To create a firewall policy - web-based manager
1 Go to Firewall > Policy and select Create New.
2 In Source Interface/Zone, select the wireless LAN interface.
3 In Source Address, select All.
4 In Destination Interface/Zone, select the Internet interface, for example, port1.
5 In Destination Address, select All.
6 In Action, select ACCEPT.
7 In NAT, select Enable NAT.
8 Select Enable Identity Based Policy.
9 Select Add.
10 In Available User Groups, select the wireless user group that you created earlier and
then select the right arrow button to move the user group to the Selected User Groups
list.
11 In Service, select ANY, or select the particular services that you want to allow, and then
select the right arrow button to move the service to the Selected Services list.
12 In Schedule, select Always, unless you want to define a schedule for limited hours.
13 Optionally, select UTM and set up UTM features for wireless users.
14 Select OK.
15 Select OK.
To create a firewall policy - CLI
config firewall policy
edit 0
set srcintf "wlan"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set identity-based enable
set nat enable
config identity-based-policy
edit 1
set schedule "always"
set groups "wireless_users"
set service "ANY"
end
end

Adding a disclaimer page to the captive portal
The term captive portal is often used to describe the authentication challenge page that
users see when first connecting to the wireless network. The FortiGate unit also provides
an optional disclaimer page in which you can present your acceptable use policy, perhaps
even requiring the user to indicate agreement with it.
FortiOS provides a disclaimer page option in identity-based firewall policies. The
disclaimer page is a replacement message that you can modify to suit your organization’s
needs.
After accepting the disclaimer and authenticating, the user is redirected to the page
originally requested, or optionally to a redirect page that you specified.
To present a disclaimer, you need to:
• Modify the User Authentication Disclaimer to suit your organization’s needs.
• Optionally, modify the Declined Disclaimer page.
• Enable the disclaimer page in the identity-based firewall policy that controls the
WLAN’s traffic and optionally specify a redirect URL.

Modifying the Disclaimer page
The default Disclaimer page contains an example of the kind of terms of use agreement
that you might use. The Disclaimer Agreement is an HTML form that appears centred in
the browser window.
Figure 285: Default Disclaimer page

The visible disclaimer is formatted as a table. Preceding this table are form INPUT fields
containing special tags enclosed in double percentage (%) marks, %%ANSWERID%%,
for example. These hidden fields should not be removed or modified.
The title and disclaimer text are easily modified.
The text on the two buttons can be altered. One button must call the agree() function and
the other must call the decline() function, and the code for the two JavaScript functions at
the bottom of the page must be retained unaltered.

To modify the Disclaimer page - web-based manager
1 Go to System > Config > Replacement Message.
2 Expand Authentication and select the Edit button for Disclaimer page.
3 Make the desired modifications in the Message Text box and select OK.
If major changes are needed, it might be easier to copy the message HTML content to
an external editor for modification and then paste the modified content into the
Message Text box.
To modify the Disclaimer page - CLI
Modifying replacement messages through the CLI is more difficult than using the
web-based manager. The page content is contained in the buffer field. It is unformatted text
that might run past the edge of your screen or wrap around, depending on your terminal.
1 Enter the following CLI command:
config system replacemsg auth auth-disclaimer-page-1
get
2 Copy the content of the buffer field to another editor for modification.
3 Use the set buffer command to enter the new page content.
Paste the page content into the command as a quoted string.
Do not modify the other fields.
4 Enter the end command.
The buffer field of auth-disclaimer-page-1 is limited to 8192 bytes, which can
accommodate the default page. If your replacement page is longer, you can enter the
remainder of the content into the buffer field of auth-disclaimer-page-2 and, if
necessary, auth-disclaimer-page-3.
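The two constraints in this procedure, the hidden INPUT fields and the agree()/decline() functions that must survive editing, and the 8192-byte limit per buffer, are easy to check before pasting anything into the CLI. The Python below is an added example and not Fortinet code: it checks a modified page for the parts the handbook says must be retained and splits it into buffer-sized pieces for auth-disclaimer-page-1, -2 and -3 without cutting a multi-byte character in half. The sample page is constructed to have the same shape as the default page described above (it is not the actual FortiOS default page), and the quoting rule in quote_for_cli (a backslash before " and \ inside the quoted string) is an assumption about the FortiOS CLI that should be verified on your firmware.

```python
import re

BUFFER_LIMIT = 8192   # bytes per auth-disclaimer-page-N buffer, per the handbook
MAX_PAGES = 3         # auth-disclaimer-page-1 .. auth-disclaimer-page-3

# Constructed sample with the structure the handbook describes: hidden INPUT
# fields carrying %%TAG%% values, a table holding the disclaimer text, two
# buttons and the agree()/decline() functions. Not the real FortiOS default page.
SAMPLE_DISCLAIMER = """<html><body><form method="post" action="">
<input type="hidden" name="answer" value="%%ANSWERID%%">
<input type="hidden" name="magic" value="%%MAGICID%%">
<table><tr><td><h2>Acceptable Use Policy</h2>
<p>Use of this network is subject to the organization's acceptable use policy.</p>
</td></tr></table>
<input type="button" value="Yes, I agree" onclick="agree()">
<input type="button" value="No" onclick="decline()">
</form>
<script type="text/javascript">
function agree() { document.forms[0].answer.value = "1"; document.forms[0].submit(); }
function decline() { document.forms[0].answer.value = "0"; document.forms[0].submit(); }
</script></body></html>
"""


def check_disclaimer_html(html):
    """Return the problems found in a modified Disclaimer page (empty list = OK).

    Checks the parts the handbook says must be retained: hidden INPUT fields
    with %%...%% tags, definitions of agree() and decline(), and a button that
    calls each of them.
    """
    problems = []
    if not re.search(r'<input[^>]*type="hidden"[^>]*value="%%[A-Z_]+%%"', html, re.I):
        problems.append("hidden INPUT fields with %%...%% tags are missing")
    for fn in ("agree", "decline"):
        if not re.search(rf"function\s+{fn}\s*\(", html):
            problems.append(f"JavaScript function {fn}() is missing")
        if not re.search(rf'onclick="[^"]*\b{fn}\s*\(', html, re.I):
            problems.append(f"no button calls {fn}()")
    return problems


def split_buffer(html, limit=BUFFER_LIMIT, max_pages=MAX_PAGES):
    """Split page content into chunks of at most `limit` UTF-8 bytes.

    The cut is moved back so a multi-byte character is never split between two
    buffers. Raises ValueError if the page needs more buffers than exist.
    """
    data = html.encode("utf-8")
    chunks, pos = [], 0
    while pos < len(data):
        cut = min(pos + limit, len(data))
        while cut < len(data) and (data[cut] & 0xC0) == 0x80:  # UTF-8 continuation byte
            cut -= 1
        chunks.append(data[pos:cut].decode("utf-8"))
        pos = cut
    if len(chunks) > max_pages:
        raise ValueError(f"page needs {len(chunks)} buffers, only {max_pages} exist")
    return chunks


def quote_for_cli(text):
    """Quote a buffer chunk for 'set buffer "..."'.

    Assumption: the FortiOS CLI accepts backslash-escaped double quotes and
    backslashes inside a double-quoted string; verify on your firmware.
    """
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def cli_commands(html):
    """Validate the page and return one CLI block per buffer needed to load it."""
    problems = check_disclaimer_html(html)
    if problems:
        raise ValueError("; ".join(problems))
    commands = []
    for index, chunk in enumerate(split_buffer(html), start=1):
        commands.append(f"config system replacemsg auth auth-disclaimer-page-{index}\n"
                        f"    set buffer {quote_for_cli(chunk)}\nend")
    return commands


if __name__ == "__main__":
    print("\n".join(cli_commands(SAMPLE_DISCLAIMER)))
```

Run the checker on the page before the split: a page that fails check_disclaimer_html will load without complaint but will not let users accept the disclaimer, which is a harder problem to diagnose after the fact than a rejected paste.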

Modifying the Declined Disclaimer page
If a user selects the No button on the Disclaimer page, the Declined Disclaimer page is
displayed. This HTML page informs the user that network access requires acceptance of
the disclaimer.
Figure 286: Default Declined Disclaimer page

Optionally, you can modify this page. You must preserve:
• the FORM declaration and INPUT fields at the beginning of the page body,
• the INPUT type=submit field for the Return to Disclaimer button, although you can
change the button label,
• the /FORM closing tag.

To modify the Declined Disclaimer page - web-based manager
1 Go to System > Config > Replacement Message.
2 Expand Authentication and select the Edit button for Declined disclaimer page.
3 Make the desired modifications in the Message Text box and select OK.
To modify the Declined Disclaimer page - CLI
Modifying replacement messages through the CLI is more difficult than using the
web-based manager. The page content is contained in the buffer field. It is unformatted text
that might run past the edge of your screen or wrap around, depending on your terminal.
1 Enter the following CLI command:
config system replacemsg auth auth-reject-page
get
2 Copy the content of the buffer field to another editor for modification.
3 Use the set buffer command to enter the new page content.
Paste the page content into the command as a quoted string.
Do not modify the other fields.
4 Enter the end command.

Enabling the disclaimer page
The disclaimer page is enabled in the firewall policy.
To enable the disclaimer - web-based manager
1 Go to Firewall > Policy > Policy.
2 Find the policy for your wireless network and open it for editing.
3 Scroll down to the Identity-based policy section.
4 Select the Enable Disclaimer and Redirect URL check box.
5 Optionally, enter a redirect URL.
To enable the disclaimer - CLI
In this example, policy 1 is the wireless network to Internet policy.
config firewall policy
edit 1
set disclaimer enable
set redirect-url "http://example.com/"
end

Access point deployment
This chapter describes how to configure access points for your wireless network.
The following topics are included in this section:
• Network topology for managing APs
• Attaching an AP unit as a WAP
• Configuring a FortiWiFi unit as a WAP
• Discovering and adding APs

Network topology for managing APs
The FortiAP unit can be connected to the FortiGate unit using the following methods.
Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no
switches between them. This configuration is common for locations where the number of
FortiAP units matches the number of ‘internal’ ports available on the FortiGate. In this
configuration the FortiAP unit requests an IP address from the FortiGate unit, enters
discovery mode and should quickly find the FortiGate wireless controller. This is also
known as a wirecloset deployment. See Figure 287, below.
Switched connection: The FortiAP unit is connected to the FortiGate wireless controller
by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be
a routable path between the FortiAP unit and the FortiGate unit, and ports 5246 and
5247 must be open. This is also known as a gateway deployment. See Figure 287, below.
Connection over WAN: The FortiGate wireless controller is off-premises and connected
by a VPN tunnel to a local FortiGate. In this method of connectivity it is best to configure
each FortiAP with the static IP address of the WLC. Each FortiAP can be configured with
three WLC IP addresses for redundant failover. This is also known as a datacenter remote
management deployment. See Figure 288, below.

Figure 287: Wirecloset and Gateway deployments

Figure 288: Remote deployment

Attaching an AP unit as a WAP
Unless your FortiGate unit has built-in wireless capabilities (FortiWiFi or FortiGate80CM,
for example), you need to connect a FortiAP unit. The FortiGate unit’s wireless controller
feature will manage the FortiAP unit. Both FortiAP and FortiWiFi units configured as APs
can be directly connected to the FortiGate unit or connected through the network.
By default, FortiAP units cycle through all four of the discovery methods described below.
When configuring a FortiWiFi unit to act as an AP, you must choose which discovery
method it will use.

Controller discovery methods
A FortiAP or FortiWiFi unit can use any of four methods to locate a controller.

Broadcast request
The AP unit broadcasts a discovery request message to the network and the controller
replies. The AP and the controller must be in the same broadcast domain.

Multicast request
The AP unit sends a multicast discovery request and the controller replies with a unicast
discovery response message. The AP and the controller do not need to be in the same
broadcast domain if multicast routing is properly configured.
The default multicast destination address is 224.0.1.140. It can be changed through the
CLI. The address must be same on the controller and AP. For information about
connecting to the FortiAP CLI, see “Connecting to the FortiAP CLI” on page 1888.
To change the multicast address on the controller
config wireless-controller global
set discovery-mc-addr 224.0.1.250
end
To change the multicast address on a FortiAP unit
cfg -a AC_DISCOVERY_MC_ADDR="224.0.1.250"
To change the multicast address on a FortiWiFi unit used as an AP
config system global
set wireless-terminal enable
end
config wireless-controller global
set discovery-mc-addr 224.0.1.250
end

Static IP configuration
If FortiAP and the controller are not in the same subnet, broadcast and multicast packets
cannot reach the controller. The admin can specify the controller’s static IP on the AP unit.
The AP unit sends a discovery request message in unicast to the controller. Routing must
be properly configured in both directions.
To specify the controller’s IP address on a FortiAP unit
cfg -a AC_IPADDR_1="192.168.0.1"

DHCP
If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the
wireless controller IP address at the same time. This is useful if the AP is located remotely
from the wireless controller and other discovery techniques will not work.
When you configure the DHCP server, configure Option 138 to specify the wireless
controller IP address. You need to convert the address into hexadecimal. Convert each
octet value separately from left to right and concatenate them. For example, 192.168.0.1
converts to C0A80001.

If Option 138 is used for some other purpose on your network, you can use a different
option number if you configure the AP units to match.
To change the FortiAP DHCP option code
To use option code 139 for example, enter
cfg -a AC_DISCOVERY_DHCP_OPTION_CODE=139
For information about connecting to the FortiAP CLI, see “Connecting to the FortiAP CLI”
below.
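The octet-by-octet conversion described above is easy to get wrong by hand, especially when several controller addresses are packed into one option value for failover. The following Python helper is an added example, not part of the handbook or of FortiOS: it encodes a list of controller addresses into the hex string for DHCP option 138 (the option RFC 5417 defines for CAPWAP controller addresses) and decodes an existing value back for auditing. The backup controller addresses in the usage are constructed; 192.168.0.1 is the handbook's own example.

```python
import ipaddress


def wlc_addresses_to_option_hex(addresses):
    """Encode wireless controller IPv4 addresses as the hex value for DHCP option 138.

    Each octet becomes two hex digits and the results are concatenated, so
    192.168.0.1 -> C0A80001. Several controller addresses are concatenated in
    order (4 bytes each); a FortiAP unit accepts up to three. An invalid address
    raises ValueError rather than producing a silently wrong value.
    """
    return "".join(ipaddress.IPv4Address(a).packed.hex().upper() for a in addresses)


def option_hex_to_wlc_addresses(hex_value):
    """Decode an option 138 hex value back into dotted-quad addresses.

    Use this to audit what an existing DHCP server actually hands out: a value
    whose length is not a whole number of 4-byte addresses is rejected.
    """
    raw = bytes.fromhex(hex_value)
    if not raw or len(raw) % 4:
        raise ValueError("option 138 value must contain whole IPv4 addresses (4 bytes each)")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


if __name__ == "__main__":
    # Constructed example: the handbook's 192.168.0.1 plus two backup controllers.
    controllers = ["192.168.0.1", "192.168.0.2", "10.20.30.40"]
    value = wlc_addresses_to_option_hex(controllers)
    print("option 138 =", value)
    print("decodes to", option_hex_to_wlc_addresses(value))
```

The decoder is the more useful half in practice: pulling the configured option value from the DHCP server and decoding it confirms that every AP on that scope is being pointed at the controller you expect.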

Connecting to the FortiAP CLI
The FortiAP unit has a CLI through which some configuration options can be set.
To access the FortiAP unit CLI
1 Connect your computer to the FortiAP directly with a cross-over cable or through a
separate switch or hub.
2 Change your computer’s IP address to 192.168.1.3
3 Telnet to IP address 192.168.1.2.
Ensure that FortiAP is in a private network with no DHCP server for the static IP
address to be accessible.
4 Login with user name admin and no password.
5 Enter commands as needed.
6 Save the configuration by entering the following command:
cfg -c
7 Unplug the FortiAP and plug it back in order for the configuration to take effect.

Configuring a FortiWiFi unit as a WAP
In the CLI, enter
config system global
set wireless-terminal enable
end
The rest of the configuration is in config wireless-controller and is similar to the
FortiGate wireless controller configuration.

Discovering and adding APs
After you prepare your FortiGate unit, you can connect your APs to discover them using
the discovery methods described earlier. To prepare the FortiGate unit, you need to:
• configure the network interface to which the AP will connect
• configure DHCP service on the interface to which the AP will connect
• connect the AP units and let the FortiGate unit discover them
• enable each discovered AP and assign it to an AP profile

Configuring the network interface for the AP unit
The interface to which you connect your wireless access point needs an IP address. No
administrative access, DNS Query service or authentication should be enabled.

To configure the interface for the AP unit - web-based manager
1 Go to System > Network > Interface and edit the interface to which the AP unit
connects.
2 Set Addressing Mode to Manual and enter the IP address and netmask to use.
3 Select OK.
To configure the interface for the WAP unit - CLI
config system interface
edit wlan
set mode static
set ip 192.168.254.1 255.255.255.0
end

Configure the DHCP server for the AP unit
Whatever method AP units use to discover the controller, they must first be assigned an IP
address.
To configure the DHCP server for AP unit - web-based manager
1 Go to System > DHCP Server > Service and select Create New.
2 Select the interface to which the AP unit connects from the Interface Name list.
3 In Mode, select Server.
4 Ensure that the Enable check box is selected.
5 Set Type to Regular.
6 Enter the IP Range and Netmask that is assigned to AP units.
The address range needs to be in the same subnet as the interface IP address, but not
include that address.
7 Select OK.
To configure the DHCP server for AP unit - CLI
config system dhcp server
edit 0
set default-gateway 192.168.8.1
set dns-service default
set interface "FortiWAP"
config ip-range
edit 1
set end-ip 192.168.8.9
set start-ip 192.168.8.2
end
set lease-time 1800
set netmask 255.255.255.0
end
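Both DHCP procedures on this page, the scope for wireless clients earlier and the scope for AP units here, carry the same rule: the range must lie inside the interface's subnet and must not include the interface address, and the interface address is the default gateway. The Python below is an added example and not Fortinet code: it checks a proposed scope against those rules and, only if it passes, emits the CLI block in the form the handbook shows. The interface name and addresses are the handbook's sample values.

```python
import ipaddress


def check_dhcp_scope(interface_ip, netmask, start_ip, end_ip, default_gateway):
    """Return a list of problems with a DHCP scope; an empty list means it is consistent.

    Rules taken from the handbook procedures: the range must lie inside the
    subnet of the interface it serves, must not include the interface's own
    address, and the default gateway handed to clients should be that address.
    The network and broadcast addresses are also excluded, since clients
    cannot use them.
    """
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{netmask}")
    subnet = iface.network
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    gateway = ipaddress.IPv4Address(default_gateway)

    problems = []
    if start > end:
        problems.append("start-ip is greater than end-ip")
    for label, addr in (("start-ip", start), ("end-ip", end)):
        if addr not in subnet:
            problems.append(f"{label} {addr} is outside the interface subnet {subnet}")
    if start <= iface.ip <= end:
        problems.append(f"range includes the interface address {iface.ip}")
    if start == subnet.network_address or end == subnet.broadcast_address:
        problems.append("range includes the network or broadcast address")
    if gateway != iface.ip:
        problems.append(f"default-gateway {gateway} is not the interface address {iface.ip}")
    return problems


def render_dhcp_server_cli(interface_name, interface_ip, netmask, start_ip, end_ip,
                           lease_time=1800):
    """Produce the 'config system dhcp server' block used in the handbook procedures.

    The scope is validated first; a ValueError lists every rule it breaks so a
    bad configuration is never emitted. The gateway is always the interface address.
    """
    problems = check_dhcp_scope(interface_ip, netmask, start_ip, end_ip, interface_ip)
    if problems:
        raise ValueError("invalid DHCP scope: " + "; ".join(problems))
    lines = [
        "config system dhcp server",
        "    edit 0",
        f"        set default-gateway {interface_ip}",
        "        set dns-service default",
        f'        set interface "{interface_name}"',
        "        config ip-range",
        "            edit 1",
        f"                set start-ip {start_ip}",
        f"                set end-ip {end_ip}",
        "            end",
        f"        set lease-time {lease_time}",
        f"        set netmask {netmask}",
        "    end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Handbook sample values: AP units on interface "FortiWAP" behind 192.168.8.1/24.
    print(render_dhcp_server_cli("FortiWAP", "192.168.8.1", "255.255.255.0",
                                 "192.168.8.2", "192.168.8.9"))
    # A scope that starts at the interface address is reported, not emitted:
    print(check_dhcp_scope("192.168.254.1", "255.255.255.0",
                           "192.168.254.1", "192.168.254.9", "192.168.254.1"))
```

The check is deliberately separate from the rendering so it can also be run against scopes pulled from an existing configuration, where an overlap with the interface address shows up as intermittent address conflicts rather than an obvious error.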

Enabling the discovered APs
Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit
should be listed on the Wireless Controller > Configuration > Access Points page.
Figure 289: Discovered access point unit

To add the discovered AP unit - web-based manager
1 On the Wireless Controller > Configuration > Access Points page, select the access
point and then select Edit.
2 Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
3 Select the AP Profile that you created earlier.
4 Change Admin from Discovered to Enabled.
5 Select OK.
The physical access point is now added to the system. If the Join Time column shows
“N/A”, the access point was not added. Check that your AP Profile settings are compatible
with the access point hardware. A common error is selecting the wrong bands for the
FortiAP-220 radios. Radio 1 is for 2.4GHz only, Radio 2 is for 5GHz only.
If the rest of the configuration is complete, it should be possible to connect to the wireless
network through the AP.
To add the discovered AP unit - CLI
First get a list of the discovered access point unit serial numbers:
get wireless-controller wtp
Add a discovered unit and associate it with AP-profile1, for example:
config wireless-controller wtp
edit FAP22A3U10600118
set admin enable
set wtp-profile AP-profile1
end
To view the status of the added AP unit
config wireless-controller wtp
edit FAP22A3U10600118
get
The join-time field should show a time, not “N/A”. See the preceding web-based
manager procedure for more information.

Wireless network monitoring
You can monitor both your wireless clients and other wireless networks that are available
in your coverage area.
The following topics are included in this section:
• Monitoring wireless clients
• Monitoring rogue APs

Monitoring wireless clients
To view connected clients
• On a FortiWiFi unit, go to System > Wireless > Monitor. Look at the Clients list.
• On a FortiGate wireless controller, go to Wireless Controller > Monitor >
Wireless Clients.

FortiWiFi wireless client list information
MAC Address              The MAC address of the connected wireless client.
IP Address               The IP address assigned to the connected wireless client.
AP Name                  The name of the wireless interface that the client is connected to.

FortiGate wireless controller client list information
Association Time         How long the client has been connected to this access point.
Bandwidth Rx             Received bandwidth used by the client, in Kbps.
Bandwidth Tx             Transmit bandwidth used by the client, in Kbps.
Bandwidth Tx/Rx          Bandwidth Rx + Bandwidth Tx.
Idle Time                The total time during this session that the client was idle.
IP                       The IP address assigned to the wireless client.
MAC                      The MAC address of the wireless client.
Manufacturer
Physical AP              The name of the physical access point with which the client is associated.
Rate
Signal Strength/Noise    The signal-to-noise ratio in decibels, calculated from signal strength and noise level.
Virtual AP               The name of the virtual access point with which the client is associated.

Monitoring rogue APs
The access point radio equipment can scan for other available access points, either as a
dedicated monitor or as a background scan performed while the access point is idle.
Discovered access points are listed in the Unknown Access Points list until you mark them
as either Accepted or Rogue access points. This designation helps you to track access
points. It does not affect anyone’s ability to use these access points.
You need to:
• Enable either dedicated monitoring or background scanning on the radio.
• View the list of detected access points.
• Designate the unknown access points as either Accepted or Rogue.

The procedures for doing this differ slightly between FortiWiFi units and FortiGate wireless
controllers.

Monitoring with a FortiWiFi unit
To enable the monitoring mode
1 Go to System > Wireless > Settings.
2 Select Change beside the current operation mode.
3 Select Monitoring and then select OK.
4 Select OK to confirm the mode change.
5 Select Apply.
To enable background scanning
1 While in Access Point mode, go to System > Wireless > Settings.
2 Enable Background Rogue AP Scan and then select Apply.
To view discovered access points
Go to System > Wireless > Rogue AP to view detected access points.
To designate APs as Rogue or Accepted

Monitoring with a FortiGate wireless controller
To enable monitoring
1 Go to Wireless Controller > Configuration > AP Profile and edit the AP Profile.
2 For the radio that you will use for monitoring, change the Mode to Dedicated Monitor.
3 Select OK.
To enable background scanning
1 Go to Wireless Controller > Configuration > AP Profile and edit the AP Profile.
2 For the radio that you will use for monitoring, select Background Scan.
The radio Mode must be Access Point.
3 Select OK.

To view discovered access points
Go to Wireless Controller > Wireless Client > Wireless Client to view information about the
wireless clients of your managed access points.
To designate APs as Rogue or Accepted
In the rightmost column of the Unknown Access Points, Rogue Access Points, and
Accepted Access Points lists, there are icons to manage designating access points:
• Mark as Rogue AP. Move the AP to the Rogue AP list.
• Mark as Accepted AP. Move the AP to the Accepted AP list.
• Forget AP. Return the AP to the Unknown Access Points list.

Chapter 17 VoIP Solutions: SIP
This FortiOS Handbook chapter contains the following sections:
FortiGate VoIP solutions: SIP describes FortiGate SIP support.

FortiGate VoIP solutions: SIP
This chapter includes the following sections:
• SIP overview
• Common SIP VoIP configurations
• SIP messages and media protocols
• The SIP session helper
• The SIP ALG
• How the SIP ALG performs NAT
• Hosted NAT traversal
• SIP over IPv6
• Deep SIP message inspection
• Blocking SIP request messages
• SIP rate limiting
• SIP logging and DLP archiving
• SIP and HA: session failover and geographic redundancy
• SIP debugging

SIP overview
The Session Initiation Protocol (SIP) is an IETF application layer signaling protocol used
for establishing, conducting, and terminating multiuser multimedia sessions over TCP/IP
networks using any media. SIP is often used for Voice over IP (VoIP) calls but can be used
for establishing streaming communication between end points.
SIP employs a request and response transaction model similar to HTTP for
communicating between endpoints. SIP sessions begin with a SIP client sending a
SIP request message to another client to initiate a multimedia session. The other client
responds with a SIP response message. Using these request and response messages,
the clients engage in a SIP dialog to negotiate how to communicate and then start,
maintain, and end the communication session.
SIP commonly uses TCP or UDP port 5060 and/or 5061. Port 5060 is used for
non-encrypted SIP signaling sessions and port 5061 is typically used for SIP sessions
encrypted with Transport Layer Security (TLS).
Devices involved in SIP communications are called SIP User Agents (UAs) (also
sometimes called a User Element (UE)). UAs include User Agent Clients (UACs) that
communicate with each other and User Agent Servers (UASs) that facilitate
communication between UACs. For a VoIP application, an example of a UAC would be a
SIP phone and an example of a UAS would be a SIP proxy server.

A SIP message contains headers that include client and server names and addresses
required for the communication sessions. The body of a SIP message contains Session
Description Protocol (SDP) statements that establish the media communication (port
numbers, protocols and codecs) that the SIP UAs use. SIP VoIP most commonly uses the
Real Time Protocol (RTP) and the Real Time Control Protocol (RTCP) for voice
communication. Once the SIP dialog establishes the SIP call, the VoIP stream can run
independently, although SIP messages can affect the VoIP stream by changing port
numbers or addresses and by ending it.
Once SIP communication and media settings are established, the UAs communicate with
each other using the established media settings. When the communication session is
completed, one of the UAs ends the session by sending a final SIP request message, the
other UA sends a SIP response message, and both UAs end the SIP call and stop the
media stream.
FortiGate units provide security for SIP communications using the SIP session helper and
the SIP ALG:
• The SIP session helper provides basic high-performance support for SIP calls passing
through the FortiGate unit by opening SIP and RTP pinholes and performing source
and destination IP address and port translation for SIP and RTP packets and for the IP
addresses and port numbers in the SIP headers and the SDP body of the SIP
messages. For more about the SIP session helper, see “The SIP session helper” on
page 1912.
• The SIP Application Layer Gateway (ALG) provides the same features as the session
helper plus additional advanced features such as deep SIP message inspection, SIP
logging, SIP IPv6 support, SIP message checking, HA failover of SIP sessions, and
SIP rate limiting. For more about the SIP ALG, see “The SIP ALG” on page 1917.

There are a large number of SIP-related Internet Engineering Task Force (IETF)
documents (Request for Comments) that define behavior of SIP and related applications.
FortiGate units provide complete support of RFC 3261 for SIP and RFC 4566 for SDP.
FortiGate units also provide support for other SIP and SIP-related RFCs and perform
“Deep SIP message inspection” on page 1961 for SIP statements defined in other SIP
RFCs.
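The header and SDP structure described above is exactly what the session helper and ALG must read and rewrite when they translate addresses and open pinholes. The block below is an added, illustrative Python example (not FortiOS code and not a description of the FortiOS implementation): it parses a SIP INVITE carrying an SDP body, checks that Content-Length matches the actual body so truncated or padded messages are rejected, lists the media endpoints a firewall would need pinholes for, and rewrites only the fields NAT must touch (Via, Contact and the SDP o=, c= and m= lines), leaving the dialog identifiers From, To and Call-ID alone. The INVITE, the outside address 172.20.120.10 and the port mapping are constructed for the example; the phone names and inside addresses match Figure 290.

```python
import re


def build_sip_message(start_line, headers, body=""):
    """Assemble a SIP message; Content-Length is always recomputed from the body."""
    lines = [start_line] + [f"{k}: {v}" for k, v in headers
                            if k.lower() not in ("content-length", "l")]
    lines.append(f"Content-Length: {len(body.encode('utf-8'))}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_sip_message(raw):
    """Split a SIP message into (start line, [(name, value)], body).

    Content-Length is checked against the real body length: a mismatch means a
    truncated, padded or smuggled message and is rejected rather than parsed.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    start_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.strip(), value.strip()))
    declared = [v for k, v in headers if k.lower() in ("content-length", "l")]
    actual = len(body.encode("utf-8"))
    if declared and int(declared[0]) != actual:
        raise ValueError(f"Content-Length {declared[0]} but body is {actual} bytes")
    return start_line, headers, body


def sdp_media_endpoints(body):
    """Return (address, port) for each m= line, using the session-level c= address.

    These are the RTP endpoints a SIP session helper opens pinholes for
    (RTCP conventionally uses port + 1).
    """
    conn, ports = None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            conn = line.split()[2]
        elif line.startswith("m="):
            ports.append(int(line.split()[1]))
    return [(conn, p) for p in ports] if conn else []


def translate_sip_nat(raw, inside_ip, outside_ip, port_map):
    """Rewrite the inside address and ports to the outside ones where NAT must see them.

    Touched: Via and Contact (signaling path, compact forms v and m included) and
    the SDP o=, c= and m= lines (media). Left alone: From, To and Call-ID, which
    identify the dialog rather than route packets. Content-Length is recomputed.
    """
    start_line, headers, body = parse_sip_message(raw)
    addr = re.compile(rf"{re.escape(inside_ip)}(?::(\d+))?")

    def fix_addr(match):
        if match.group(1) is None:
            return outside_ip
        port = int(match.group(1))
        return f"{outside_ip}:{port_map.get(port, port)}"

    new_headers = [(k, addr.sub(fix_addr, v) if k.lower() in ("via", "v", "contact", "m") else v)
                   for k, v in headers]
    new_lines = []
    for line in body.split("\r\n"):
        if line.startswith("o=") and line.endswith(" " + inside_ip):
            line = line[:-len(inside_ip)] + outside_ip
        elif line == f"c=IN IP4 {inside_ip}":
            line = f"c=IN IP4 {outside_ip}"
        elif line.startswith("m="):
            parts = line.split(" ")
            parts[1] = str(port_map.get(int(parts[1]), int(parts[1])))
            line = " ".join(parts)
        new_lines.append(line)
    return build_sip_message(start_line, new_headers, "\r\n".join(new_lines))


# Constructed INVITE from Phone A to Phone B (addresses as in Figure 290).
SAMPLE_SDP = ("v=0\r\no=PhoneA 2890844526 2890844526 IN IP4 10.31.101.20\r\ns=call\r\n"
              "c=IN IP4 10.31.101.20\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")
SAMPLE_INVITE = build_sip_message(
    "INVITE sip:PhoneB@10.31.101.30 SIP/2.0",
    [("Via", "SIP/2.0/UDP 10.31.101.20:5060;branch=z9hG4bK776asdhds"),
     ("From", "<sip:PhoneA@10.31.101.20>;tag=1928301774"),
     ("To", "<sip:PhoneB@10.31.101.30>"),
     ("Call-ID", "a84b4c76e66710@10.31.101.20"),
     ("CSeq", "314159 INVITE"),
     ("Contact", "<sip:PhoneA@10.31.101.20:5060>"),
     ("Content-Type", "application/sdp")],
    SAMPLE_SDP)

if __name__ == "__main__":
    # Constructed NAT mapping: outside address and translated signaling/media ports.
    print(translate_sip_nat(SAMPLE_INVITE, "10.31.101.20", "172.20.120.10",
                            {5060: 31000, 49170: 20000}))
```

Two points worth noticing when reading the output: the rewritten message is longer than the original, so a translator that does not recompute Content-Length produces a message the far end will reject or misparse, and the From and Call-ID still carry the inside address, which is why address-hiding requires a proxy in front of the phones rather than NAT alone.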

Common SIP VoIP configurations
This section describes some common SIP VoIP configurations and simplified SIP dialogs
for these configurations. This section also shows some examples of how adding a
FortiGate unit affects SIP processing.

Peer to peer configuration
In the peer to peer configuration shown in Figure 290, two SIP phones communicate
directly with each other. The phones send SIP request and response messages back and
forth between each other to establish the SIP session.
Figure 290: SIP peer to peer configuration
[Figure: SIP Phone A (PhoneA@10.31.101.20) and SIP Phone B (PhoneB@10.31.101.30).
1. Phone A dials Phone B by sending an INVITE request.
2. Phone B is notified of incoming call (phone rings).
3. RTP Media session opens when Phone B answers.]

FortiOS™ Handbook FortiOS 4.0 MR2 VoIP Solutions: SIP
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

FortiGate VoIP solutions: SIP

Common SIP VoIP configurations

Peer to peer configurations are not very common because they require the SIP phones to
keep track of the names and addresses of all of the other SIP phones that they can
communicate with. In most cases a SIP proxy or redirect server maintains the addresses of a
large number of SIP phones, and a SIP phone starts a call by contacting the SIP proxy
server.

SIP proxy server configuration
A SIP proxy server acts as an intermediary between SIP phones and between SIP phones and
other SIP servers. As shown in Figure 291, SIP phones send request and response
messages to the SIP proxy server. The proxy server forwards the messages to other clients
or to other SIP proxy servers. Proxy servers can hide SIP phones by proxying the
signaling messages. To the other users on the VoIP network, the signaling invitations look
as if they come from the SIP proxy server.
Figure 291: SIP in proxy mode
[Figure: SIP Phone A (PhoneA@10.31.101.20) and SIP Phone B (PhoneB@10.31.101.30)
communicating through a SIP proxy server]
1. SIP phones register with the SIP proxy server.
2. Phone A dials Phone B by sending an INVITE request to the SIP proxy server.
3. The proxy server looks up the SIP address of Phone B and forwards the INVITE request
to Phone B.
4. Phone B is notified of the incoming call by the proxy server and the phone rings.
5. The RTP media session opens when Phone B answers.
A common SIP configuration would include multiple networks of SIP phones. Each of the
networks would have its own SIP server. Each SIP server would proxy the communication
between phones on its own network and between phones in different networks.

SIP redirect server configuration
A SIP redirect server accepts SIP requests, maps the addresses in the request into zero
or more new addresses and returns those addresses to the client. The redirect server
does not initiate SIP requests or accept calls. As shown in Figure 292, SIP clients send
INVITE requests to the redirect server, which then looks up the destination address. The
redirect server returns the destination address to the client. The client uses this address to
send the INVITE request directly to the destination SIP client.

Figure 292: SIP in redirect mode
[Figure: SIP Phone A (PhoneA@10.31.101.20), SIP Phone B (PhoneB@10.31.101.30) and a
SIP redirect server]
1. SIP phones register with the SIP redirect server.
2. Phone A dials Phone B by sending an INVITE request to the redirect server.
3. The redirect server looks up the SIP address of Phone B and sends Phone B’s address
back to Phone A.
4. Phone A sends the INVITE request to Phone B.
5. Phone B is notified of the incoming call by Phone A and the phone rings.
6. The RTP media session opens when Phone B answers.
SIP registrar configuration
A SIP registrar accepts SIP REGISTER requests from SIP phones for the purpose of
updating a location database with this contact information. This database can then
become a SIP location service that can be used by SIP proxy servers and redirect servers
to locate SIP clients. As shown in Figure 293, SIP clients send REGISTER requests to the
SIP registrar.
Figure 293: SIP registrar and proxy servers
[Figure: SIP Phone A (PhoneA@10.31.101.20), SIP Phone B (PhoneB@10.31.101.30), a SIP
proxy server and a SIP registrar]
1. SIP phones register with the SIP registrar.
2. Phone A dials Phone B by sending an INVITE request to the SIP proxy server.
3. The SIP proxy server looks up Phone A and Phone B on the registrar.
4. Phone B is notified of the incoming call by the proxy server and the phone rings.
5. The RTP media session opens when Phone B answers.

SIP with a FortiGate unit
Depending on your security requirements and network configuration, FortiGate units may
be in many different places in a SIP configuration. This section shows a few examples.
Figure 294 shows a FortiGate unit installed between a SIP proxy server and SIP phones
on the same network. The FortiGate unit is operating in Transparent mode so both the
proxy server and the phones are on the same subnet. In this configuration, called SIP
inspection without address translation, the FortiGate unit could be protecting the SIP
proxy server on the private network by implementing SIP security features for SIP
sessions between the SIP phones and the SIP proxy server.
Figure 294: SIP network with FortiGate unit in Transparent mode
[Figure: SIP Phone A (PhoneA@10.31.101.20), SIP Phone B (PhoneB@10.31.101.30) and
the SIP proxy server (10.31.101.50) on one subnet, with the FortiGate unit in Transparent
mode between the phones and the proxy server]
1. SIP phones register with the SIP proxy server.
2. Phone A dials Phone B by sending an INVITE request to the SIP proxy server.
3. The proxy server looks up the SIP address of Phone B and forwards the INVITE request
to Phone B.
4. Phone B is notified of the incoming call by the proxy server and the phone rings.
5. The RTP media session opens when Phone B answers.
The phones and server use the same SIP dialogs as they would if the FortiGate unit was
not present. However, the FortiGate unit can be configured to control which devices on the
network can connect to the SIP proxy server and can also protect the SIP proxy server
from SIP vulnerabilities.
Figure 295 shows a FortiGate unit operating in NAT/Route mode and installed between a
private network and the Internet. Some SIP phones and the SIP proxy server are
connected to the private network and some SIP phones are connected to the Internet. The
SIP phones on the Internet can connect to the SIP proxy server through the FortiGate unit
and communication between SIP phones on the private network and SIP phones on the
Internet must pass through the FortiGate unit.

Figure 295: SIP network with FortiGate unit in NAT/Route mode
[Figure: FortiGate-620B cluster in NAT/Route mode; port2 10.11.101.100 faces the private
network and port1 172.20.120.141 faces the Internet; the SIP proxy server 10.31.101.50 is
published as virtual IP 172.20.120.50; SIP Phone A (PhoneA@10.31.101.20) is on the
private network and SIP Phone B (PhoneB@172.20.120.30) is on the Internet]
1. SIP Phone A registers with the SIP proxy server. SIP Phone B registers with the SIP
proxy server using the SIP proxy server virtual IP.
2. Phone A dials Phone B by sending an INVITE request to the SIP proxy server.
3. The proxy server looks up the SIP address of Phone B and forwards the INVITE request
to Phone B.
4. Phone B is notified of the incoming call by the proxy server and the phone rings.
5. The RTP media session opens between Phone A and Phone B when Phone B answers.

The phones and server use the same SIP dialog as they would if the FortiGate unit was
not present. However, the FortiGate unit can be configured to control which devices on the
network can connect to the SIP proxy server and can also protect the SIP proxy server
from SIP vulnerabilities. In addition, the FortiGate unit has a firewall virtual IP that
forwards packets sent to the SIP proxy server Internet IP address (172.20.120.50) to the
SIP proxy server internal network IP address (10.31.101.30).
Since the FortiGate unit is operating in NAT/Route mode it must translate packet source
and destination IP addresses (and optionally ports) as the sessions pass through the
FortiGate unit. The FortiGate unit must also translate the addresses contained in the SIP
headers and SDP body of the SIP messages, and it must open SIP and RTP pinholes
through the FortiGate unit. SIP pinholes allow SIP signalling sessions to pass through the
FortiGate unit between phones and between phones and SIP servers. RTP pinholes allow
direct RTP communication between the SIP phones once the SIP dialog has established
the SIP call. Pinholes are opened automatically by the FortiGate unit. Administrators do
not add firewall policies for pinholes or for RTP sessions. All that is required is a firewall
policy that accepts SIP traffic.
Opening an RTP pinhole means opening a port on a FortiGate interface to allow RTP
traffic to use that port to pass through the FortiGate unit between the SIP phones on the
Internet and SIP phones on the internal network. A pinhole only accepts packets from one
RTP session. Since a SIP call involves at least two media streams (one from Phone A to
Phone B and one from Phone B to Phone A) the FortiGate unit opens two RTP pinholes.
Phone A sends RTP packets through a pinhole in port2 and Phone B sends RTP packets
through a pinhole in port1. The FortiGate unit opens the pinholes when required by the
SIP dialog and closes the pinholes when the SIP call is completed. The FortiGate unit
opens new pinholes for each SIP call.
Each RTP pinhole actually includes two port numbers: the RTP port number as defined in
the SIP message and an RTCP port number, which is the RTP port number plus 1. For
example, if the SIP call used RTP port 3346 the FortiGate unit would create a pinhole for
ports 3346 and 3347.
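The address translation just described, as an added Python illustration (this is not FortiOS code and does not reproduce the session helper's exact behaviour): the proxy's private address 10.31.101.50 is rewritten to the virtual IP 172.20.120.50 in the transport headers and SDP of a constructed INVITE, Phone A's media address is assumed to be source-NATed to the port1 address 172.20.120.141, and Content-Length is recomputed because the rewritten body is longer.

```python
import re

CRLF = "\r\n"

# Constructed address map for the NAT/Route figure: the proxy's private address
# is published through the firewall virtual IP, and Phone A's private address is
# assumed (for this example only) to be source-NATed to the port1 address.
NAT_MAP = {
    "10.31.101.50": "172.20.120.50",    # SIP proxy server -> virtual IP
    "10.31.101.20": "172.20.120.141",   # Phone A -> FortiGate port1 address
}

# Headers that carry a transport address the far end will actually send to.
# From/To are address-of-record identities and Call-ID is an opaque token, so
# this illustration leaves them untouched.
TRANSPORT_HEADERS = {"via", "contact", "record-route", "route"}
# SDP lines that carry the media address: connection data (c=) and origin (o=).
ADDRESS_SDP_LINES = ("c=", "o=")


def split_message(raw: str):
    """Split a SIP message into (start_line, [header lines], body) at the blank line."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    return lines[0], lines[1:], body


def header_value(headers, name: str):
    """Value of the first header named `name` (case-insensitive), or None."""
    for line in headers:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def translate_message(raw: str, nat_map: dict) -> str:
    """Rewrite every mapped address in the request-URI, transport headers and SDP.

    Only whole dotted quads are matched, so 10.31.101.5 is not clobbered while
    translating 10.31.101.50. Content-Length is recomputed from the new body,
    because a 12-character address becoming a 13- or 14-character one changes it.
    """
    pattern = re.compile(
        r"(?<![\d.])(?:" + "|".join(map(re.escape, nat_map)) + r")(?![\d.])"
    )

    def rewrite(text: str) -> str:
        return pattern.sub(lambda m: nat_map[m.group(0)], text)

    start, headers, body = split_message(raw)
    new_start = rewrite(start)                      # request-URI may name the VIP
    new_body = CRLF.join(
        rewrite(line) if line.startswith(ADDRESS_SDP_LINES) else line
        for line in body.split(CRLF)
    )
    new_headers = []
    for line in headers:
        key = line.partition(":")[0].strip().lower()
        if key in TRANSPORT_HEADERS:
            line = rewrite(line)
        elif key == "content-length":
            line = f"Content-Length: {len(new_body.encode())}"
        new_headers.append(line)
    return CRLF.join([new_start, *new_headers]) + CRLF + CRLF + new_body


def build_sample_invite() -> str:
    """Constructed INVITE as forwarded by the private-side proxy toward Phone B."""
    body = CRLF.join([
        "v=0",
        "o=PhoneA 5462346 332134 IN IP4 10.31.101.20",
        "s=Let's Talk",
        "t=0 0",
        "c=IN IP4 10.31.101.20",
        "m=audio 49170 RTP/AVP 0 3",
    ])
    head = [
        "INVITE sip:PhoneB@172.20.120.30 SIP/2.0",
        "Via: SIP/2.0/UDP 10.31.101.50:5060",
        "From: PhoneA <sip:PhoneA@10.31.101.20>",
        "To: PhoneB <sip:PhoneB@172.20.120.30>",
        "Call-ID: 314159@10.31.101.20",
        "CSeq: 1 INVITE",
        "Contact: <sip:proxy@10.31.101.50:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ]
    return CRLF.join(head) + CRLF + CRLF + body


if __name__ == "__main__":
    print(translate_message(build_sample_invite(), NAT_MAP))
```

Port translation and folded (multi-line) headers are deliberately out of scope here; a real ALG must handle both.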

SIP messages and media protocols
This section provides an overview of SIP messages, how they communicate
information about SIP sessions, and how SDP, RTP, and RTCP fit in with SIP
communications.
SIP uses clear text messages to start, maintain, and end media sessions between SIP
user agent clients (UACs) and user agent servers (UASs). These messages form a SIP
dialog. A typical SIP dialog begins with an INVITE request message sent from a UAC to
another UAC or to a UAS. The first INVITE request message attempts to start a SIP call
and includes information about the sending UAC and the receiving UAC as well as
information about the communication session.
If only two UACs are involved as shown in Figure 296, the receiving UAC (Phone B)
responds with a 180 Ringing and then a 200 OK SIP response message that informs
Phone A that Phone B received and accepted the request. Phone A then sends an ACK
message to notify Phone B that the SIP response was received. Phone A and Phone B
can then participate in the RTP media session set up by the SIP messages.
When the phone call is complete, one of the UACs (in the example Phone B) hangs up,
sending a BYE request message to Phone A. Phone A then sends a 200 OK response to
Phone B acknowledging that the session has ended.
Figure 296: Basic SIP dialog between two UACs
[Figure: SIP Phone A (sending UAC, PhoneA@10.31.101.20) and SIP Phone B (receiving
UAC, PhoneB@10.31.101.30)]
1. INVITE (SIP request message to invite SIP Phone B to start a SIP session)
2. 180 Ringing (SIP ringing response to the INVITE request)
3. 200 OK (SIP response to the INVITE request to inform SIP Phone A that the request is
accepted)
4. ACK (SIP request message to confirm that SIP Phone A received the response from SIP
Phone B)
5. RTP media session between Phone A and Phone B
6. BYE (SIP request message from SIP Phone B to end the SIP session)
7. 200 OK (SIP response to the BYE request to end the SIP session)

If a UAS in the form of a SIP proxy server is involved, similar messages are sent and
received, but the proxy server participates as an intermediary in the initial call setup. In the
example in Figure 297 the SIP proxy server receives the INVITE request from Phone A
and forwards it to Phone B. The proxy server then sends a 100 Trying response to Phone
A. Phone B receives the INVITE request and responds with a 180 Ringing and then a 200
OK SIP response message. These messages are received by the proxy server and
forwarded to Phone A to notify Phone A that Phone B received and accepted the request.
Phone A then sends an ACK message to notify Phone B that the SIP response was
received. The ACK is received by the proxy server and forwarded to Phone B. Phone
A and Phone B can then participate in the media session independently of the proxy
server.
When the phone call is complete, Phone B hangs up, sending a BYE request message to
Phone A. Phone A then sends a 200 OK response to Phone B acknowledging that the
session has ended.
Figure 297: Basic SIP dialog between UACs with a SIP proxy server UAS
[Figure: SIP Phone A (sending UAC, PhoneA@10.31.101.20), SIP proxy server (UAS,
10.31.101.40) and SIP Phone B (receiving UAC, PhoneB@10.31.101.30)]
1. INVITE (SIP request message to invite SIP Phone B to start a SIP session)
2. INVITE (forwarded by the UAS to Phone B)
3. 100 Trying (UAS informs Phone A that it is trying to contact Phone B)
4. 180 Ringing (SIP ringing response to the INVITE request)
5. 180 Ringing (forwarded by the UAS to Phone A)
6. 200 OK (SIP response to the INVITE request to inform SIP Phone A that the request is
accepted)
7. 200 OK (forwarded by the UAS to Phone A)
8. ACK (SIP request message to confirm that SIP Phone A received the response from SIP
Phone B)
9. RTP media session between Phone A and Phone B
10. BYE (SIP request message from SIP Phone B to end the SIP session)
11. 200 OK (SIP response to the BYE request to end the SIP session)

The SIP messages include SIP headers that contain the names and addresses of Phone A,
Phone B and the proxy server. This addressing information is used by the UACs and the
proxy server during call setup.
The SIP message body includes Session Description Protocol (SDP) statements that
Phone A and Phone B use to establish the media session. The SDP statements specify
the type of media stream to use for the session (for example, audio for SIP phone calls)
and the protocol to use for the media stream (usually the Real Time Protocol (RTP) media
streaming protocol).
Phone A includes the media session settings that it would like to use for the session in the
INVITE message. Phone B includes its response to these media settings in the 200 OK
response. Phone A’s ACK response confirms the settings that Phone A and Phone B then
use for the media session.

SIP request messages
SIP sessions always start with a SIP request message (also just called a SIP request).
SIP request messages also establish, maintain, and terminate SIP communication
sessions. Table 127 lists some common SIP request message types.
Table 127: Common SIP request message types
Message type    Description
INVITE          A client sends an INVITE request to invite another client to participate in a
                multimedia session. The INVITE request body usually contains the description of
                the session.
ACK             The originator of an INVITE message sends an ACK request to confirm that the
                final response to an INVITE request was received. If the INVITE request did not
                contain the session description, it must be included in the ACK request.
PRACK           In some cases, SIP uses provisional response messages to report on the
                progress of the response to a SIP request message. The provisional response
                messages are sent before the final SIP response message. Similar to an ACK
                request message, a PRACK request message is sent to acknowledge that a
                provisional response message has been received.
OPTIONS         The UA uses OPTIONS messages to get information about the capabilities of a
                SIP proxy. The SIP proxy server replies with a description of the SIP methods,
                session description protocols, and message encoding that are supported.
BYE             A client sends a BYE request to end a session. A BYE request from either end of
                the SIP session terminates the session.
CANCEL          A client sends a CANCEL request to cancel a previous INVITE request. A
                CANCEL request has no effect if the SIP server processing the INVITE sends a
                final response to the INVITE before receiving the CANCEL.
REGISTER        A client sends a REGISTER request to a SIP registrar server with information
                about the current location (IP address and so on) of the client. A SIP registrar
                server saves the information it receives in REGISTER requests and makes this
                information available to any SIP client or server attempting to locate the client.
INFO            For distributing mid-session signaling information along the signaling path for a
                SIP call.
SUBSCRIBE       For requesting the current state and state updates of a remote node.
NOTIFY          Informs clients and servers of changes in state in the SIP network.
REFER           Refers the recipient (identified by the Request-URI) to a third party according to
                the contact information in the request.
UPDATE          Opens a pinhole for new or updated SDP information.
Response codes  Indicates the status of a transaction. For example: 200 OK, 202 Accepted, or 400
(1xx, 202, 2xx, Bad Request.
3xx, 4xx, 5xx,
6xx)

SIP response messages
SIP response messages (often just called SIP responses) provide status information in
response to SIP request messages. All SIP response messages include a response code
and a reason phrase. There are five SIP response message classes. They are described
below.
There are also two types of SIP response messages, provisional and final. Final response
messages convey the result of the request processing, and are sent reliably. Provisional
responses provide information on the progress of the request processing, but may not be
sent reliably. Provisional response messages start with 1xx and are also called
informational response messages.

Informational (or provisional)
Informational or provisional responses indicate that a request message was received and
imply that the endpoint is going to process the request. Informational messages may not be
sent reliably and may not require an acknowledgement.
If the SIP implementation uses Provisional Response Acknowledgement (PRACK) (RFC
3262) then informational or provisional messages are sent reliably and require a PRACK
message to acknowledge that they have been received.
Informational responses can contain the following reason codes and reason phrases:
100 Trying
180 Ringing
181 Call is being forwarded
182 Queued
183 Session progress

Success
Success responses indicate that a request message was received, understood, and
accepted. Success responses can contain the following reason codes and reason
phrases:
200 OK
202 Accepted

Redirection
Redirection responses indicate that more information is required for the endpoint to
respond to a request message. Redirection responses can contain the following reason
codes and reason phrases:
300 Multiple choices
301 Moved permanently
302 Moved temporarily
305 Use proxy
380 Alternative service

Client error
Client error responses indicate that a request message was received by a server that
contains syntax that the server cannot understand (i.e. contains a syntax error) or cannot
comply with. Client error responses include the following reason codes and reason
phrases:
400 Bad request
401 Unauthorized
402 Payment required
403 Forbidden
404 Not found
405 Method not allowed
406 Not acceptable
407 Proxy authentication required
408 Request time-out
409 Conflict
410 Gone
411 Length required
413 Request entity too large
414 Request-URL too large
415 Unsupported media type
420 Bad extension
480 Temporarily not available
481 Call leg/transaction does not exist
482 Loop detected
483 Too many hops
484 Address incomplete
485 Ambiguous
486 Busy here
487 Request canceled
488 Not acceptable here

Server error
Server error responses indicate that a server was unable to respond to a valid request
message. Server error responses include the following reason codes and reason phrases:
500 Server internal error
501 Not implemented
502 Bad gateway
502 Service unavailable
504 Gateway time-out
505 SIP version not supported

Global failure
Global failure responses indicate that there are no servers available that can respond to a
request message. Global failure responses include the following reason codes and reason
phrases:
600 Busy everywhere
603 Decline
604 Does not exist anywhere
606 Not acceptable

SIP message start line
The first line in a SIP message is called the start line. The start line in a request message
is called the request-line and the start line in a response message is called the status-line.
Request-line    The first line of a SIP request message. The request-line includes the SIP
                message type, the SIP protocol version, and a Request URI that indicates the
                user or service to which this request is being addressed. The following
                example request-line specifies the INVITE message type, the address of the
                sender of the message (inviter@example.com), and the SIP version:
                INVITE sip:inviter@example.com SIP/2.0
Status-line     The first line of a SIP response message. The status-line includes the SIP
                protocol version, the response code, and the reason phrase. The example
                status-line includes the SIP version, the response code (200) and the reason
                phrase (OK).
                SIP/2.0 200 OK

SIP headers
Following the start line, SIP messages contain SIP headers (also called SIP fields) that
convey message attributes and modify message meaning. SIP headers are similar to
HTTP header fields and always have the following format:
<header_name>: <value>
SIP messages can include the SIP headers listed in Table 128:

Table 128: SIP headers
SIP header          Description
Allow               Lists the set of SIP methods supported by the UA generating the message.
                    All methods, including ACK and CANCEL, understood by the UA MUST be
                    included in the list of methods in the Allow header field, when present. For
                    example:
                    Allow: INVITE, ACK, OPTIONS, CANCEL, BYE
Call-ID             A globally unique identifier for the call, generated by the combination of a
                    random string and the sender’s host name or IP address. The combination of
                    the To, From, and Call-ID headers completely defines a peer-to-peer SIP
                    relationship between the sender and the receiver. This relationship is called
                    a SIP dialog. For example:
                    Call-ID: ddeg45e793@10.31.101.30
Contact             Included in SIP request messages, the Contact header contains the SIP URI
                    of the sender of the SIP request message. The receiver uses this URI to
                    contact the sender. For example:
                    Contact: Sender <sip:sender@10.31.100.20>
Content-Length      The length of the message body in bytes. For example:
                    Content-Length: 126
Content-Type        In addition to SIP headers, SIP messages include a message body that
                    contains information about the content or communication being managed by
                    the SIP session. The Content-Type header specifies what the content of the
                    SIP message is. For example, if you are using SIP with SDP, the content of
                    the SIP message is SDP code.
                    Content-Type: application/sdp
CSeq                The command sequence header contains a sequence integer that is
                    increased for each new SIP request message (but is not incremented in the
                    response message). This header also includes the request name found in the
                    request message request-line. For example:
                    CSeq: 1 INVITE
Expires             Gives the relative time after which the message (or content) expires. The
                    actual time and how the header is used depends on the SIP method. For
                    example:
                    Expires: 5
From                Identifies the sender of the message. Responses to a message are sent to
                    the address of the sender. The following example includes the sender’s
                    name (Sender) and the sender’s SIP address (sender@10.31.101.20):
                    From: Sender <sip:sender@10.31.101.20>
Max-Forwards        An integer in the range 0-255 that limits the number of proxies or gateways
                    that can forward the request message to the next downstream server. Also
                    called the number of hops, this value is decreased every time the message
                    is forwarded. This can also be useful when the client is attempting to trace a
                    request chain that appears to be failing or looping in mid-chain. For example:
                    Max-Forwards: 30
P-Asserted-Identity The P-Asserted-Identity header is used among trusted SIP entities to carry
                    the identity of the user sending a SIP message as it was verified by
                    authentication. See RFC 3325. The header contains a SIP URI and an
                    optional display-name, for example:
                    P-Asserted-Identity: "Example Person" <sip:10.31.101.50>
RAck                Sent in a PRACK request to support reliability of informational or provisional
                    response messages. It contains two numbers and a method tag. For
                    example:
                    RAck: 776656 1 INVITE
Record-Route        Inserted into request messages by a SIP proxy to force future requests to be
                    routed through the proxy. In the following example, the host at IP address
                    10.31.101.50 is a SIP proxy. The lr parameter indicates the URI of a SIP
                    proxy in Record-Route headers.
                    Record-Route: <sip:10.31.101.50;lr>
Route               Forces routing for a request message through one or more SIP proxies. The
                    following example includes two SIP proxies:
                    Route: <sip:172.20.120.10;lr>, <sip:10.31.101.50;lr>
RSeq                The RSeq header is used in informational or provisional response messages
                    to support reliability of informational response messages. The header
                    contains a single numeric value. For example:
                    RSeq: 33456
To                  Identifies the receiver of the message. The address in this field is used to
                    send the message to the receiver. The following example includes the
                    receiver’s name (Receiver) and the receiver’s SIP address
                    (receiver@10.31.101.30):
                    To: Receiver <sip:receiver@10.31.101.30>
Via                 Indicates the SIP version and protocol to be used for the SIP session and the
                    address to which to send the response to the message that contains the Via
                    field. The following example Via field indicates to use SIP version 2, UDP for
                    media communications, and to send the response to 10.31.101.20 using port
                    5060.
                    Via: SIP/2.0/UDP 10.31.101.20:5060

The SIP message body and SDP session profiles
The SIP message body describes the session to be initiated. For example, in a SIP phone
call the body usually includes audio codec types, sampling rates, server IP addresses and
so on. For other types of SIP session the body could contain text or binary data of any type
which relates in some way to the session. The message body is included in request and
response messages.
Two possible SIP message body types:
• Session Description Protocol (SDP), most commonly used for SIP VoIP.
• Multipurpose Internet Mail Extensions (MIME)

SDP is most often used for VoIP and FortiGate units support SDP content in SIP message
bodies. SDP is a text-based protocol used by SIP to control media sessions. SDP does
not deliver media but provides a session profile that contains media details, transport
addresses, parameter negotiation, and other session description metadata for the
participants in a media session. The participants use the information in the session profile
to negotiate how to communicate and to manage the media session. SDP is described by
RFC 4566.
An SDP session profile always contains session information and may contain media
information. Session information appears at the start of the session profile and media
information (using the m= attribute) follows.
SDP session profiles can include the attributes listed in Table 129.
Table 129: SDP session profile attributes
Attribute   Description
a=          Attributes to extend SDP in the form a=<attribute> or a=<attribute>:<value>.
b=          Contains information about the bandwidth required for the session or media in the form
            b=<bandwidth_type>:<bandwidth>.
c=          Connection data about the session including the network type (usually IN for Internet),
            address type (IPv4 or IPv6), the connection source address, and other optional
            information. For example:
            c=IN IPv4 10.31.101.20
i=          A text string that contains information about the session. For example:
            i=A audio presentation about SIP
k=          Can be used to convey encryption keys over a secure and trusted channel. For
            example:
            k=clear:444gdduudjffdee
m=          Media information, consisting of one or more lines all starting with m= and containing
            details about the media including the media type, the destination port or ports used by
            the media, the protocol used by the media, and a media format description.
            m=audio 49170 RTP 0 3
            m=video 3345/2 udp 34
            m=video 2910/2 RTP/AVP 3 56
            Multiple media lines are needed if SIP is managing multiple types of media in one
            session (for example, separate audio and video streams).
            Multiple ports for a media stream are indicated using a slash. 3345/2 udp means UDP
            ports 3345 and 3346. Usually RTP uses even-numbered ports for data with the
            corresponding one-higher odd ports used for the RTCP session belonging to the RTP
            session. So 2910/2 RTP/AVP means ports 2910 and 2912 are used for RTP and
            2911 and 2913 are used for RTCP.
            Media types include udp for an unspecified protocol that uses UDP, RTP or RTP/AVP
            for standard RTP and RTP/SAVP for secure RTP.
o=          The sender’s username, a session identifier, a session version number, the network
            type (usually IN for Internet), the address type (for example, IPv4 or IPv6), and the
            sending device’s IP address. The o= field becomes a universal identifier for this
            version of this session description. For example:
            o=PhoneA 5462346 332134 IN IP4 10.31.101.20
r=          Repeat times for a session. Used if a session will be repeated at one or more timed
            intervals. Not normally used for VoIP calls. The times can be in different formats. For
            example:
            r=7d 1h 0 25h
            r=604800 3600 0 90000
s=          Any text that describes the session, or s= followed by a space. For example:
            s=Call from inviter
t=          The start and stop time of the session. Sessions with no time restrictions (most VoIP
            calls) have a start and stop time of 0.
            t=0 0
v=          SDP protocol version. The current SDP version is 0 so the v= field is always:
            v=0
z=          Time zone adjustments. Used for scheduling repeated sessions that span the time
            between changing from standard to daylight savings time.
            z=2882844526 -1h 2898848070 0

Example SIP messages
The following example SIP INVITE request message was sent by PhoneA to PhoneB. The
first nine lines are the SIP headers. The SDP profile starts with v=0 and the media part of
the session profile is the last line, starting with m=.
INVITE sip:PhoneB@172.20.120.30 SIP/2.0
Via: SIP/2.0/UDP 10.31.101.50:5060
From: PhoneA <sip:PhoneA@10.31.101.20>
To: PhoneB <sip:PhoneB@172.20.120.30>
Call-ID: 314159@10.31.101.20
CSeq: 1 INVITE
Contact: sip:PhoneA@10.31.101.20
Content-Type: application/sdp
Content-Length: 124
v=0
o=PhoneA 5462346 332134 IN IP4 10.31.101.20
s=Let's Talk
t=0 0
c=IN IP4 10.31.101.20
m=audio 49170 RTP 0 3

FortiOS™ Handbook FortiOS 4.0 MR2 VoIP Solutions: SIP
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

FortiGate VoIP solutions: SIP

SIP messages and media protocols

The following example shows a possible 200 OK SIP response message in response to
the previous INVITE request message. The response starts with the status line 200 OK,
which indicates success, followed by the headers echoed from the original INVITE request
(with PhoneB's own Contact) and then PhoneB's SDP profile.
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.31.101.50:5060
From: PhoneA <sip:PhoneA@10.31.101.20>
To: PhoneB <sip:PhoneB@172.20.120.30>
Call-ID: 314159@10.31.101.20
CSeq: 1 INVITE
Contact: sip:PhoneB@10.31.101.30
Content-Type: application/sdp
Content-Length: 107
v=0
o=PhoneB 124333 67895 IN IP4 172.20.120.30
s=Hello!
t=0 0
c=IN IP4 172.20.120.30
m=audio 3456 RTP 0
SIP can support multiple media streams for a single SIP session. Each media stream will
have its own c= and m= lines in the body of the message. For example, the following
message includes three media streams:
INVITE sip:PhoneB@172.20.120.30 SIP/2.0
Via: SIP/2.0/UDP 10.31.101.20:5060
From: PhoneA <sip:PhoneA@10.31.101.20>
To: PhoneB <sip:PhoneB@172.20.120.30>
Call-ID: 314159@10.31.101.20
CSeq: 1 INVITE
Contact: sip:PhoneA@10.31.101.20
Content-Type: application/sdp
Content-Length: 124
v=0
o=PhoneA 5462346 332134 IN IP4 10.31.101.20
s=Let's Talk
t=0 0
c=IN IP4 10.31.101.20
m=audio 49170 RTP 0 3
c=IN IP4 10.31.101.20
m=audio 49172 RTP 0 3
c=IN IP4 10.31.101.20
m=audio 49174 RTP 0 3
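The following is an added worked example, not code from the handbook or from Fortinet: it parses the three-stream INVITE above (rebuilt inline with a Content-Length that matches its body), derives the RTP/RTCP pinholes a session helper would open from the c= and m= lines (including the port/count form described earlier, where 2910/2 means RTP on 2910 and 2912 and RTCP on 2911 and 2913), and applies a simplified source-NAT fix-up to the Via, Contact, o=, c= and m= lines. The public address 172.20.120.1 and the 20000+ port range are assumed values for illustration and do not come from the handbook.

```python
import re
from dataclasses import dataclass

# m=<media> <port>[/<number of ports>] <proto> <fmt> ...
M_LINE = re.compile(r"^m=(\S+) (\d+)(?:/(\d+))? (\S+)(.*)$")


@dataclass
class SipMessage:
    start_line: str
    headers: list      # (name, value) pairs in wire order
    body: str

    def header(self, name):
        return next((v for n, v in self.headers if n.lower() == name.lower()), None)


def build_message(start_line, headers, body):
    """Serialise with CRLF line endings; Content-Length is always computed from the body."""
    hdrs = [(n, v) for n, v in headers if n.lower() != "content-length"]
    hdrs.append(("Content-Length", str(len(body.encode()))))
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in hdrs) + "\r\n" + body


def parse_sip(raw):
    """Split a message into start line, headers and body, and reject a Content-Length that
    does not match the body (a mismatch truncates or smuggles SDP past a naive parser)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers CRLF CRLF")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: " + line)
        headers.append((name.strip(), value.strip()))
    msg = SipMessage(lines[0], headers, body)
    declared = msg.header("Content-Length")
    if declared is not None and int(declared) != len(body.encode()):
        raise ValueError(f"Content-Length {declared} != body length {len(body.encode())}")
    return msg


def media_pinholes(sdp):
    """(address, rtp_port, rtcp_port) for each RTP stream in an SDP body. A c= before the
    first m= is session-level, a c= after an m= belongs to that media section (RFC 4566);
    a port count n on the m= line yields RTP on port, port+2, ... with RTCP one above each."""
    session_ip, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("m="):
            m = M_LINE.match(line)
            if not m:
                raise ValueError("malformed m= line: " + line)
            streams.append([None, int(m.group(2)), int(m.group(3) or 1)])
        elif line.startswith("c="):
            if streams:
                streams[-1][0] = line.split()[2]
            else:
                session_ip = line.split()[2]
    holes = []
    for ip, port, count in streams:
        if port == 0:                      # port 0 = stream rejected, nothing to open
            continue
        ip = ip or session_ip
        if ip is None:
            raise ValueError("m= line without a c= address")
        holes += [(ip, port + 2 * i, port + 2 * i + 1) for i in range(count)]
    return holes


def nat_rewrite(msg, inside_ip, outside_ip, port_map):
    """Simplified source-NAT fix-up of the kind the session helper performs: swap the private
    address in Via, Contact, o= and c= for the public one and map RTP ports on m= lines
    (RTCP follows as rtp+1); From/To are left alone and Content-Length is recomputed."""
    def swap(text):
        return text.replace(inside_ip, outside_ip)
    headers = [(n, swap(v) if n.lower() in ("via", "contact") else v) for n, v in msg.headers]
    out = []
    for line in msg.body.splitlines():
        m = M_LINE.match(line) if line.startswith("m=") else None
        if m:
            port = port_map.get(int(m.group(2)), int(m.group(2)))
            count = "/" + m.group(3) if m.group(3) else ""
            line = f"m={m.group(1)} {port}{count} {m.group(4)}{m.group(5)}"
        elif line.startswith(("c=", "o=")):
            line = swap(line)
        out.append(line)
    return parse_sip(build_message(msg.start_line, headers, "".join(l + "\r\n" for l in out)))


# Constructed sample: the three-stream INVITE above, serialised with a correct Content-Length.
SAMPLE_INVITE = build_message(
    "INVITE sip:PhoneB@172.20.120.30 SIP/2.0",
    [("Via", "SIP/2.0/UDP 10.31.101.20:5060"), ("From", "PhoneA <sip:PhoneA@10.31.101.20>"),
     ("To", "PhoneB <sip:PhoneB@172.20.120.30>"), ("Call-ID", "314159@10.31.101.20"),
     ("CSeq", "1 INVITE"), ("Contact", "sip:PhoneA@10.31.101.20"),
     ("Content-Type", "application/sdp")],
    "v=0\r\no=PhoneA 5462346 332134 IN IP4 10.31.101.20\r\ns=Let's Talk\r\nt=0 0\r\n"
    "c=IN IP4 10.31.101.20\r\nm=audio 49170 RTP 0 3\r\n"
    "c=IN IP4 10.31.101.20\r\nm=audio 49172 RTP 0 3\r\n"
    "c=IN IP4 10.31.101.20\r\nm=audio 49174 RTP 0 3\r\n")
```

Running `media_pinholes(parse_sip(SAMPLE_INVITE).body)` gives the three inside pinhole pairs 49170/49171, 49172/49173 and 49174/49175 on 10.31.101.20; after `nat_rewrite(..., "10.31.101.20", "172.20.120.1", {49170: 20000, 49172: 20002, 49174: 20004})` the same call on the rewritten body gives the public-side pairs the firewall must open, and the From/To headers are untouched. Note that the handbook's Content-Length of 124 does not match its own body; the parser above refuses such a message rather than guessing where the SDP ends.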


The SIP session helper
The SIP session helper is a high-performance solution that provides basic support for SIP
calls passing through the FortiGate unit by opening SIP and RTP pinholes and by
performing NAT of the addresses in SIP messages.
The SIP session helper:
• Understands SIP dialog messages.
• Keeps the states of the SIP transactions between SIP UAs and SIP servers.
• Translates SIP header and SDP information to account for NAT operations performed
by the FortiGate unit.
• Opens and closes dynamic SIP pinholes for SIP signalling traffic.
• Opens and closes dynamic RTP and RTSP pinholes for RTP and RTSP media traffic.
• Provides basic SIP security as an access control device.
• Uses the intrusion protection (IPS) engine to perform basic SIP protocol checks.

SIP session helper configuration overview
The SIP session helper is enabled by default and set to listen for SIP traffic on TCP or
UDP port 5060. SIP sessions using port 5060 that are accepted by a firewall policy that does
not include a VoIP profile are processed by the SIP session helper.
You can enable and disable the SIP session helper, change the TCP or UDP port that the
session helper listens on for SIP traffic, and enable or disable SIP NAT tracing. If the
FortiGate unit is operating with multiple VDOMs, each VDOM can have a different SIP
session helper configuration.
To have the SIP session helper process SIP sessions you need to add a firewall policy
that accepts SIP sessions on the configured SIP UDP or TCP ports. The firewall policies
can have service set to ANY, to the SIP pre-defined firewall service, or to a custom firewall
service. The SIP pre-defined firewall service restricts the firewall policy to only accepting
sessions on UDP port 5060.
If NAT is enabled for firewall policies that accept SIP traffic, the SIP session helper
translates addresses in SIP headers and in the SDP profile and opens pinholes as
required for the SIP traffic. This includes firewall policies that perform source NAT and
firewall policies that contain virtual IPs that perform destination NAT and port forwarding.
No special SIP configuration is required for this address translation to occur; it is all
handled automatically by the SIP session helper according to the NAT configuration of the
firewall policy that accepts the SIP session.
To use the SIP session helper you must not add a VoIP profile to the firewall policy. If you
add a VoIP profile, SIP traffic bypasses the SIP session helper and is processed by the
SIP ALG.
Note: In most cases you would want to use the SIP ALG, since the SIP session helper
provides limited functionality. However, the SIP session helper is available and can be
useful for high-performance solutions where a high level of SIP security is not a
requirement.


Disabling and enabling the SIP session helper
You can use the following steps to disable the SIP session helper. You might want to
disable the SIP session helper if you don't want the FortiGate unit to apply NAT or other
SIP session helper features to SIP traffic. With the SIP session helper disabled, the
FortiGate unit can still accept SIP sessions if they are allowed by a firewall policy, but the
FortiGate unit will not be able to open pinholes or NAT the addresses in the SIP
messages.
To disable the SIP session helper
1 Enter the following command to find the sip session helper entry in the session-helper
list:
show system session-helper
.
.
.
edit 13
set name sip
set port 5060
set protocol 17
next
.
.
.
This command output shows that the sip session helper (entry 13) listens on UDP port
5060 (protocol 17) for SIP sessions.
2 Enter the following command to delete session-helper list entry number 13 to disable
the sip session helper:
config system session-helper
delete 13
end
If you want to use the SIP session helper you can verify whether it is enabled or disabled
using the show system session-helper command.
Note: You do not have to disable the SIP session helper to use the SIP ALG.

If the SIP session helper has been disabled by being removed from the session-helper list
you can use the following command to enable the SIP session helper by adding it back to
the session helper list (edit 0 adds a new entry):
config system session-helper
edit 0
set name sip
set port 5060
set protocol 17
end

Changing the port numbers that the SIP session helper listens on
You can use the following command to change the port number that the SIP session
helper listens on for SIP traffic to 5061. The SIP session helper listens on the same port
number for UDP and TCP SIP sessions. In this example, the SIP session helper is session
helper 13:
config system session-helper
edit 13
set port 5061
end
Note: The config system settings options sip-tcp-port and sip-udp-port
control the ports that the SIP ALG listens on for SIP sessions. See "Changing the port
numbers that the SIP ALG listens on" on page 1920.

Your FortiGate unit may use a different session helper number for SIP. Enter the following
command to view the session helpers:
show system session-helper
.
.
.
edit 13
set name sip
set port 5060
set protocol 17
end
.
.
.

Configuration example: SIP session helper in Transparent Mode
Figure 298 shows an example SIP network consisting of a FortiGate unit operating in
Transparent mode between two SIP phones. Since the FortiGate unit is operating in
Transparent mode both phones are on the same network, and neither the FortiGate unit
nor the SIP session helper performs NAT. Even though the SIP session helper is not
performing NAT you can use this configuration to apply SIP session helper security
features to the SIP traffic.
The FortiGate unit requires two firewall policies that accept SIP packets: one to allow SIP
Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a
session with SIP Phone A.
Figure 298: SIP network with FortiGate unit in Transparent mode
[Figure: SIP Phone A (PhoneA@10.31.101.20) connects to port1 of the FortiGate unit in
Transparent mode; SIP Phone B (PhoneB@10.31.101.30) connects to port2.]

General configuration steps
The following general configuration steps are required for this SIP configuration. This
example includes firewall policies that specifically allow SIP sessions using UDP port
5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would
have more than two phones and would use more general firewall policies. You can also set
the firewall service to ANY to allow traffic other than SIP on UDP port 5060.
1 Add firewall addresses for Phone A and Phone B.
2 Add a firewall policy that accepts SIP sessions initiated by Phone A.
3 Add a firewall policy that accepts SIP sessions initiated by Phone B.

1914

FortiOS™ Handbook FortiOS 4.0 MR2 VoIP Solutions: SIP
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

FortiGate VoIP solutions: SIP

The SIP session helper

Configuration steps - web-based manager
To add firewall addresses for the SIP phones
1 Go to Firewall > Address.
2 Add the following addresses for Phone A and Phone B:
Address Name         Phone_A
Type                 Subnet / IP Range
Subnet / IP Range    10.31.101.20/255.255.255.255
Interface            port1

Address Name         Phone_B
Type                 Subnet / IP Range
Subnet / IP Range    10.31.101.30/255.255.255.255
Interface            port2

To add firewall policies to accept SIP sessions
1 Go to Firewall > Policy.
2 Select Create New to add a firewall policy.
3 Add a firewall policy to allow Phone A to send SIP request messages to Phone B:
Source Interface/Zone        port1
Source Address               Phone_A
Destination Interface/Zone   port2
Destination Address          Phone_B
Schedule                     always
Service                      SIP
Action                       ACCEPT
4 Select OK.
5 Add a firewall policy to allow Phone B to send SIP request messages to Phone A:
Source Interface/Zone        port2
Source Address               Phone_B
Destination Interface/Zone   port1
Destination Address          Phone_A
Schedule                     always
Service                      SIP
Action                       ACCEPT
6 Select OK.

Configuration steps - CLI
To add firewall addresses for Phone A and Phone B and firewall policies to accept
SIP sessions
1 Enter the following command to add firewall addresses for Phone A and Phone B.
config firewall address
edit Phone_A
set associated-interface port1
set type ipmask
set subnet 10.31.101.20 255.255.255.255
next
edit Phone_B
set associated-interface port2
set type ipmask
set subnet 10.31.101.30 255.255.255.255
end
2 Enter the following command to add firewall policies to allow Phone A to send SIP
request messages to Phone B and Phone B to send SIP request messages to Phone A.
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr Phone_A
set dstaddr Phone_B
set action accept
set schedule always
set service SIP
next
edit 0
set srcintf port2
set dstintf port1
set srcaddr Phone_B
set dstaddr Phone_A
set action accept
set schedule always
set service SIP
end

SIP session helper diagnose commands
You can use the diagnose sys sip commands to display diagnostic information for the
SIP session helper.
Use the following command to set the debug level for the SIP session helper. Different
debug masks display different levels of detail about SIP session helper activity.
diagnose sys sip debug-mask <debug_mask_int>
Use the following command to display the current list of SIP dialogs being processed by
the SIP session helper. You can also use the clear option to delete all active SIP dialogs
being processed by the SIP session helper.
diagnose sys sip dialog {clear | list}
Use the following command to display the current list of SIP NAT address mapping tables
being used by the SIP session helper.
diagnose sys sip mapping list
Use the following command to display the current SIP session helper activity including
information about the SIP dialogs, mappings, and other SIP session helper counts. This
command can be useful to get an overview of what the SIP session helper is currently
doing.
diagnose sys sip status

The SIP ALG
In most cases you should use the SIP Application Layer Gateway (ALG) for processing
SIP sessions. The SIP ALG provides the same basic SIP support as the SIP session
helper. Additionally, the SIP ALG provides a wide range of features that protect your
network from SIP attacks, can apply rate limiting to SIP sessions, can check the syntax of
SIP and SDP content of SIP messages, and provide detailed logging and reporting of SIP
activity.
You apply the SIP ALG to SIP traffic by adding a VoIP profile with SIP enabled to a firewall
policy that accepts SIP traffic. The SIP session helper is automatically bypassed by traffic
accepted by a firewall policy that includes a VoIP profile.
As shown in Figure 299, the FortiGate SIP ALG intercepts SIP packets after they have
been routed by the routing module, accepted by a firewall policy and passed through DoS
and IPS Sensors (if DoS and IPS are enabled). The ALG raises SIP packets to the
application layer, analyzes the SIP and SDP addressing information in the SIP messages,
makes adjustments (for example, NAT) to this addressing if required, and then sends the
packets out the egress interface to their destination.
Figure 299: The SIP ALG works at the application level after ingress packets are accepted by
a firewall policy
[Figure: SIP packet path from ingress to egress: DoS Sensor (native (D)DoS prevention;
anomaly detection and prevention) -> Firewall (firewall policy; IPsec VPN encryption,
decryption; access control) -> Opt. -> IPS Signatures (intrusion detection and prevention;
defined by Fortinet and enterprise signatures; SIP decoder identifies SIP sessions) ->
SIP ALG (rate limiting and message blocking; stateful SIP tracking; message, header, and
SDP syntax checking; network surveillance; NAT and IP topology hiding; logging and
debugging) -> Router (IP routing and forwarding; IPsec VPN encryption, decryption) ->
SIP egress.]

The SIP ALG provides:
• All the same features as the SIP session helper, including NAT and SIP and RTP
pinholes.
In addition, for the ALG you can enable or disable RTP pinholing, SIP register pinholing
and SIP contact pinholing. In a signalling-only environment where the RTP stream
bypasses the FortiGate unit, you can disable RTP pinholing to improve performance.

• SIP TCP and UDP support
• SIP message order checking
• Configurable header line length maximums
• Message fragment assembly (TCP)
If SIP messages are fragmented across multiple packets, the FortiGate unit assembles
the fragments, does inspection and passes the message in its entirety to the SIP server
as one packet. This offloads the server from doing all the TCP processing of
fragments.
• L4 protocol translation
• Message flood protection
Protects a SIP server from intentional or unintentional DoS by flooding of INVITE,
REGISTER, and other SIP methods by allowing control of the rate at which these
messages pass through the FortiGate unit.
• SIP message type filtering
The FortiGate unit can prevent specified SIP message types from passing through the
FortiGate unit to a SIP server. For example, in a voice-only SIP implementation there
may be no need to permit a SUBSCRIBE message to ever make its way to the SIP call
processor. Also, if a SIP server cannot process some SIP message types you can use
SIP message type filtering to block them. For example, a SIP server could have a bug
that prevents it from processing certain SIP messages. In this case you can
temporarily block these message types until the problem with the SIP server has been
fixed.
• SIP over IPv6
• Deep SIP message syntax checking (also called deep SIP header inspection or SIP
fuzzing protection). Prevents attacks that use malformed SIP messages. Can check
many SIP headers and SDP statements. Configurable bypass and modification
options.
• Hosted NAT traversal. Resolves IP address issues in SIP and SDP lines due to NAT-PT
in the far-end firewall. An important feature for VoIP access networks.
• SIP High Availability (HA), including active-passive clustering and session pickup
(session failover) for SIP sessions.
• Geographical redundancy. In an HA configuration, if the active SIP server fails
(missing SIP heartbeat messages or SIP traffic) SIP sessions can be redirected to a
secondary SIP server in another location.
• SIP per-request-method message rate limitation with configurable threshold for SIP
message rates per request method. Protects SIP servers from SIP overload and DoS
attacks.
• RTP bypass. Supports configurations with and without RTP pinholing. May inspect and
protect SIP signaling only.
• SIP statistics and logging
• SIP NAT with IP address conservation. Performs SIP- and RTP-aware IP network
address translation. Preserves the lost IP address information in the SDP profile i= line
for later processing/debugging in the SIP server. See "NAT with IP address
conservation" on page 1947.

• IP topology hiding
The IP topology of a network can be hidden through NAT and NAPT manipulation of IP
and SIP level addressing. For example, see "SIP NAT configuration example:
destination address translation (destination NAT)" on page 1942.
• SIP inspection without address translation
The SIP ALG inspects SIP messages but addresses in the messages are not
translated. This feature can be applied to a FortiGate unit operating in Transparent
mode or in NAT/Route mode. In Transparent mode you add normal Transparent mode
firewall policies that enable the SIP ALG and include a VoIP profile that causes the SIP
ALG to inspect SIP traffic as required. For an example configuration, see
"Configuration example: SIP in Transparent Mode" on page 1926.
For a FortiGate unit operating in NAT/Route mode, if SIP traffic can pass between
different networks without requiring NAT because the routing configuration supports it,
you can add firewall policies that accept SIP traffic without enabling NAT.
In the VoIP profile you can configure the SIP ALG to inspect SIP traffic as required.

SIP ALG configuration overview
To apply the SIP ALG, you add a SIP VoIP profile to a firewall policy that accepts SIP
sessions. All SIP sessions accepted by the firewall policy will be processed by the SIP
ALG using the settings in the VoIP profile. The VoIP profile contains settings that are
applied to SIP, Session Initiation Protocol for Instant Messaging and Presence Leveraging
Extensions (SIMPLE) and Skinny Call Control Protocol (SCCP) sessions. You configure
SIP and SCCP settings separately. SIP settings also apply to SIMPLE sessions.

VoIP profiles
To add a new VoIP profile from the web-based manager go to UTM > VoIP > Profile and
select Create New.
For SIP, from the web-based manager you can configure the VoIP profile to limit the
number of SIP REGISTER and INVITE requests and enable logging of SIP sessions and
SIP violations. Many additional options for configuring how the ALG processes SIP
sessions are available from the CLI.
Use the following command to add a VoIP profile named VoIP_Pro_1 from the CLI:
config voip profile
edit VoIP_Pro_1
end
FortiGate units include two pre-defined VoIP profiles. On the web-based manager these
profiles look identical. However, the CLI-only settings result in the following functionality.


default
The most commonly used VoIP profile. This profile enables both SIP and SCCP and
places the minimum restrictions on what calls will be allowed to negotiate. This profile
allows normal SCCP, SIP and RTP sessions and enables the following security settings:
• block-long-lines to block SIP messages with lines that exceed maximum line
lengths.
• block-unknown to block unrecognized SIP request messages.
• log-call-summary to write log messages that record SIP call progress (similar to
DLP archiving).
• nat-trace (see "NAT with IP address conservation" on page 1947).
• contact-fixup to perform NAT on the IP addresses and port numbers in SIP
Contact headers even if they don't match the session's IP address and port
numbers.

strict
This profile is available for users who want to validate SIP messages and to only allow
SIP sessions that are compliant with RFC 3261. In addition to the settings in the default
VoIP profile, the strict profile sets all SIP deep message inspection header checking to
block, dropping SIP messages that contain malformed SIP or SDP lines that can be
detected by the ALG. For more information about SIP deep header inspection, see
"Deep SIP message inspection" on page 1961.

Neither of the default profiles applies SIP rate limiting or message blocking. To apply more
ALG features to SIP sessions you can clone (copy) the pre-defined VoIP profiles and
make your own modifications to them. For example, to clone the default profile and
configure the limit for SIP NOTIFY request messages to 1000 messages per second per
firewall policy and block SIP INFO request messages:
config voip profile
clone default to my_voip_pro
edit my_voip_pro
config sip
set notify-rate 1000
set block-info enable
end
end
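As an added illustration of what the cloned profile above enforces (this is example code, not Fortinet's implementation of the ALG meters): a per-method, per-firewall-policy rate limit in the spirit of notify-rate 1000, a block list in the spirit of block-info, and the default profile's block-unknown behaviour for unrecognised request methods. The one-second sliding window is an assumption; the handbook does not describe how the ALG meters are implemented. The sample traffic is constructed: 1200 NOTIFY requests in 120 ms, one INFO, one made-up method, one INVITE and one response.

```python
from collections import defaultdict, deque

# Request methods a SIP ALG normally recognises (RFC 3261 plus common extensions);
# anything else is "unknown" and dropped when block_unknown is on.
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "PRACK",
                 "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE"}


def request_method(start_line):
    """Return the method of a SIP request line, or None for a response (status line)."""
    first = start_line.split(" ", 1)[0]
    return None if first.startswith("SIP/") else first


class SipMethodPolicy:
    """Per-method rate limiting and message-type blocking, metered separately per firewall
    policy. Limits are messages per second enforced over a one-second sliding window
    (an assumption; the handbook does not describe the ALG's internal meter)."""

    def __init__(self, rates, blocked=(), block_unknown=True):
        self.rates = {m.upper(): int(r) for m, r in rates.items()}   # method -> msgs/second
        self.blocked = {m.upper() for m in blocked}
        self.block_unknown = block_unknown
        self.windows = defaultdict(deque)   # (policy_id, method) -> arrival times

    def check(self, policy_id, method, now):
        """Classify one request as 'pass', 'blocked' or 'rate-limited'."""
        method = method.upper()
        if method in self.blocked or (self.block_unknown and method not in KNOWN_METHODS):
            return "blocked"
        limit = self.rates.get(method)
        if limit is None:
            return "pass"
        window = self.windows[(policy_id, method)]
        while window and now - window[0] >= 1.0:   # forget arrivals older than one second
            window.popleft()
        if len(window) >= limit:
            return "rate-limited"
        window.append(now)
        return "pass"

    def filter_messages(self, policy_id, timed_start_lines):
        """Run (time, start_line) pairs through the policy; responses are never limited."""
        verdicts = []
        for now, start_line in timed_start_lines:
            method = request_method(start_line)
            verdicts.append("pass" if method is None else self.check(policy_id, method, now))
        return verdicts


def flood_summary(verdicts):
    """Count verdicts, e.g. {'pass': 1002, 'rate-limited': 200, 'blocked': 2}."""
    counts = {}
    for verdict in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample traffic for one firewall policy.
SAMPLE_TRAFFIC = [(i * 0.0001, "NOTIFY sip:PhoneB@172.20.120.30 SIP/2.0") for i in range(1200)]
SAMPLE_TRAFFIC += [(0.2, "INFO sip:PhoneB@172.20.120.30 SIP/2.0"),
                   (0.2, "BOGUS sip:PhoneB@172.20.120.30 SIP/2.0"),
                   (0.3, "INVITE sip:PhoneB@172.20.120.30 SIP/2.0"),
                   (0.4, "SIP/2.0 200 OK")]
```

With `SipMethodPolicy(rates={"notify": 1000}, blocked={"info"})`, `flood_summary(policy.filter_messages("policy_1", SAMPLE_TRAFFIC))` yields 1002 passes (1000 NOTIFYs, the INVITE and the response), 200 rate-limited NOTIFYs and 2 blocked requests (INFO and the unknown method). A second policy identifier gets its own meter, which is what "per firewall policy" means in the text above.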

Changing the port numbers that the SIP ALG listens on
Most SIP configurations use TCP or UDP port 5060 for SIP sessions. If your SIP network
uses different ports for SIP sessions you can use the following command to configure the
SIP ALG to listen on different TCP or UDP ports. For example, to change the TCP port
to 5061 and the UDP port to 5065:
config system settings
set sip-tcp-port 5061
set sip-udp-port 5065
end

Disabling the SIP ALG in a VoIP profile
SIP is enabled by default in a VoIP profile. Usually you would want SIP to be enabled in a
VoIP profile. But in some cases if you are just using the VoIP profile for SCCP you can use
the following command to disable SIP in a VoIP profile.
config voip profile
edit VoIP_Pro_2
config sip
set status disable
end
end


SIP ALG get and diagnose commands
You can use the following commands to display diagnostic information for the SIP ALG.
Use the following commands to enter a test level to display information about the SIP ALG.
get test sip <test_level_int>
diagnose test application sip <test_level_int>
Use the following command to list all active SIP calls being processed by the SIP ALG.
You can also use the clear option to delete all active SIP calls being processed by the
SIP ALG.
diagnose sys sip-proxy calls {clear | list}
Use the following commands to use filters to display specific information about the SIP
ALG and the sessions that it is processing.
diagnose sys sip-proxy filter <filter_options>
diagnose sys sip-proxy log-filter <filter_options>
Use the following command to display the active SIP rate limiting meters and their current
settings.
diagnose sys sip-proxy meters list
Use the following command to display status information about the SIP sessions being
processed by the SIP ALG. You can also clear all SIP ALG statistics.
diagnose sys sip-proxy stats {clear | list}

Conflicts between the SIP ALG and the session helper
Even if the SIP session helper is enabled, if a firewall policy with a VoIP profile that has
SIP enabled accepts a SIP session on the TCP or UDP port that the SIP ALG listens on,
the ALG is used. You don't need to turn off the session helper to use the ALG.
You may find that the session helper is being used for some SIP sessions even when you
only want to use the ALG. This happens if a policy that does not include a VoIP profile is
accepting SIP sessions. The VoIP profile could have been left out of the policy by mistake,
or the wrong policy could be accepting SIP sessions.
Consider a configuration with a SIP server on a private network that is contacted by SIP
phones on the Internet and on the private network (similar to the configuration in
Figure 295 on page 1902). The FortiGate unit that provides NAT between the private
network and the Internet requires a firewall policy with a firewall virtual IP that allows the
SIP phones on the Internet to contact the SIP server. The FortiGate unit also requires
outgoing firewall policies to allow the SIP phones and the SIP server to contact the SIP
phones on the Internet.
If a VoIP profile is not added to one of the outgoing firewall policies, the SIP sessions
accepted by that policy will be processed by the SIP session helper instead of the SIP
ALG. Also, it's possible that some of the SIP sessions could be accepted by a general
outgoing policy instead of the policy intended for SIP traffic. You can fix the first problem
by adding a VoIP profile to the policy. You can fix the second problem by reviewing the
firewall policy order and the source and destination addresses in the firewall policies and
determining if there is a conflict between these and the IP addresses of the SIP server or
SIP phones on the internal network.
You can use diagnose sys sip commands to determine if the SIP session helper is
processing SIP sessions. For example, the following command displays the overall status
of the SIP sessions being processed by the SIP session helper:
diagnose sys sip status
dialogs: max=32768, used=0
mappings: used=0
dialog hash by ID: size=2048, used=0, depth=0
dialog hash by RTP: size=2048, used=0, depth=0
mapping hash: size=2048, used=0, depth=0
count0: 0
count1: 0
count2: 0
count3: 0
count4: 0
This command output shows that the session helper is not processing SIP sessions
because all of the used and count fields are 0. If any of these fields contains non-zero
values then the SIP session helper may be processing SIP sessions.
Note: The diagnose sys sip commands only display current status information. To see
activity the SIP session helper has to actually be processing SIP sessions when you enter
the command. For example, if the SIP session helper had been used for processing calls
that ended 5 minutes ago, the command output would show no SIP session helper activity.
Also, you can check to see if some ALG-only features are not being applied to all SIP
sessions. For example, the VoIP usage widget on the FortiGate dashboard displays
statistics for SIP and SCCP calls processed by the ALG but not for calls processed by the
session helper. So if you see fewer calls than expected the session helper may be
processing some of them.
Other logging and monitoring features such as log messages and DLP archiving are only
supported by the ALG.
Finally, you can check the policy usage and session information dashboard widgets to see
if SIP sessions are being accepted by the wrong firewall policies.
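The two checks described in this section can be scripted against saved CLI output. The following is an added example, not FortiOS code: it parses the diagnose sys sip status output shown above and reports the non-zero used and count fields, and it walks a show firewall policy listing to find policies that would accept SIP (service SIP or ANY) without a VoIP profile, which is exactly the misconfiguration that sends sessions to the session helper. Both inputs are constructed samples; the policy attribute name voip-profile and the policy contents are assumed for the illustration.

```python
import re


def parse_sip_status(text):
    """Parse 'diagnose sys sip status' output into a flat dict such as
    {"dialogs.max": 32768, "dialogs.used": 0, "mapping hash.depth": 0, "count0": 0, ...}."""
    values = {}
    for line in text.splitlines():
        label, colon, rest = line.partition(":")
        if not colon:
            continue
        label, rest = label.strip(), rest.strip()
        pairs = re.findall(r"(\w+)=(\d+)", rest)
        if pairs:
            for key, val in pairs:
                values[label + "." + key] = int(val)
        elif rest.isdigit():
            values[label] = int(rest)
    return values


def helper_activity(values):
    """The non-zero 'used' and 'count' fields. Anything here means the session helper, not
    the ALG, was handling SIP at the moment the command ran."""
    return {k: v for k, v in values.items()
            if (k.endswith(".used") or k.startswith("count")) and v}


def sip_policies_without_voip_profile(config_text):
    """Walk a 'show firewall policy' listing and return the IDs of policies whose service would
    accept SIP (service SIP or ANY) but that set no voip-profile: their SIP sessions fall
    through to the session helper. (The attribute name voip-profile is assumed.)"""
    findings, policy_id, fields = [], None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            policy_id, fields = line.split(None, 1)[1], {}
        elif line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                fields[parts[1]] = parts[2].strip('"')
        elif line in ("next", "end") and policy_id is not None:
            if fields.get("service", "").upper() in ("SIP", "ANY") and "voip-profile" not in fields:
                findings.append(policy_id)
            policy_id, fields = None, {}
    return findings


# Constructed samples. STATUS_IDLE is the output shown above; STATUS_BUSY is the same
# command while the helper has two dialogs and four NAT mappings open.
STATUS_IDLE = """dialogs: max=32768, used=0
mappings: used=0
dialog hash by ID: size=2048, used=0, depth=0
dialog hash by RTP: size=2048, used=0, depth=0
mapping hash: size=2048, used=0, depth=0
count0: 0
count1: 0
count2: 0
count3: 0
count4: 0
"""
STATUS_BUSY = STATUS_IDLE.replace("dialogs: max=32768, used=0", "dialogs: max=32768, used=2") \
    .replace("mappings: used=0", "mappings: used=4").replace("count0: 0", "count0: 17")

# Constructed 'show firewall policy' excerpt: policy 2 carries a VoIP profile, policies 1 and 3
# accept SIP (ANY / SIP) without one, and the general policy 1 sits before the SIP-specific 3.
POLICY_LISTING = """config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "SIP_server_VIP"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "default"
    next
    edit 3
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "SIP_phones"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
    next
end
"""
```

`helper_activity(parse_sip_status(STATUS_BUSY))` returns the dialogs.used, mappings.used and count0 fields, and `sip_policies_without_voip_profile(POLICY_LISTING)` returns policies 1 and 3: policy 3 needs a VoIP profile, and policy 1, being a general ANY policy ordered above it, is the "wrong policy" case from the text and needs either a VoIP profile or a position below the SIP-specific policy.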

Stateful SIP tracking, call termination, and session inactivity timeout
The SIP ALG tracks SIP dialogs over their lifespan between the first INVITE message and
the final 200 OK and ACK messages. For every SIP dialog, stateful SIP tracking reviews
every SIP message and makes adjustments to SIP tracking tables as required. These
adjustments include source and destination IP addresses, address translation, dialog
expiration information, and media stream port changes. Such changes can also result in
dynamically opening and closing pinholes. You can use the diagnose sys sip-proxy
stats list and the diagnose sys sip-proxy filter commands to view the SIP
call data being tracked by the SIP ALG.
The SIP ALG uses the SIP Expires header line to time out a SIP dialog if the dialog is idle
and a Re-INVITE or UPDATE message is not received. The SIP ALG gets the
Session-Expires value, if present, from the 200 OK response to the INVITE message. If the
SIP ALG receives an INVITE before the session times out, all timeout values are reset to the
settings in the new INVITE message or to default values. As a precautionary measure, the
SIP ALG uses hard timeout values to set the maximum amount of time a call can exist.
This ensures that the FortiGate unit is protected if a call ends prematurely.
When a SIP dialog ends normally, the SIP ALG deletes the SIP call information and closes
open pinholes. A SIP call can also end abnormally due to an unexpected signaling or
transport event that cuts off the call. When a call ends abnormally the SIP messages to
end the call may not be sent or received. A call can end abnormally for the following
reasons:
• Phones or servers crash during a call and a BYE message is not received.
• To attack a SIP system, a malicious user never sends a BYE message.
• Poor implementations of SIP fail to process Record-Route messages and never send a
BYE message.
• Network failures prevent a BYE message from being received.

Any phone or server in a SIP call can cancel the call by sending a CANCEL message.
When a CANCEL message is received by the FortiGate unit, the SIP ALG closes open
pinholes. Before terminating the call, the ALG waits for the final 200 OK message.
The SIP ALG can be configured to terminate SIP calls if the SIP dialog message flow or
the call RTP (media) stream is interrupted and does not recover. You can use the following
commands to configure terminating inactive SIP sessions and to set timers or counters to
control when the call is terminated by the SIP ALG.

Adding a media stream timeout for SIP calls
Use the following command in a VoIP profile to terminate SIP calls accepted by a firewall
policy containing the VoIP profile when the RTP media stream is idle for 100 seconds.
config voip profile
edit VoIP_Pro_Name
config sip
set call-keepalive 100
end
end
You can adjust this setting between 1 and 10,080 seconds. The default call keepalive
setting of 0 disables terminating a call if the media stream is interrupted. Set call keepalive
higher if your network has latency problems that could temporarily interrupt media
streams. If you have configured call keepalive and the FortiGate unit terminates calls
unexpectedly you can increase the call keepalive time to resolve the problem.
Caution: Call keepalive should be used with caution because enabling this feature results
in extra FortiGate CPU overhead and can cause delay/jitter for the VoIP call. Also, the
FortiGate unit terminates the call without sending SIP messages to end the call, and if the
SIP endpoints send SIP messages to terminate the call they will be blocked by the
FortiGate unit if they are sent after the FortiGate unit terminates the call.

Adding an idle dialog setting for SIP calls
Use the following command in a VoIP profile to limit, for a single firewall policy, the number
of SIP calls (or dialogs) that can sit idle, that is, that have stopped receiving SIP messages
or have not received legitimate SIP messages. The setting is the number of dialogs
accepted by a firewall policy that the VoIP profile is added to that are allowed to become
idle before the SIP ALG deletes the oldest ones. The following command sets the
maximum number of idle dialogs to 200:
config voip profile
edit VoIP_Pro_Name
config sip
set max-idle-dialogs 200
end
end
Idle dialogs would usually be dialogs that have been interrupted because of errors or
problems or as the result of a SIP attack that opens a large number of SIP dialogs without
closing them. This command provides a way to remove these dialogs from the dialog table
and recover memory and resources being used by these open and idle dialogs.

FortiOS™ Handbook FortiOS 4.0 MR2 VoIP Solutions: SIP
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

1923

The SIP ALG

FortiGate VoIP solutions: SIP

You can set this to any value from 1 upward. The default maximum idle dialogs setting of 0
disables this feature. Set maximum idle dialogs higher if your network has latency
problems that could temporarily interrupt SIP messaging. If you have configured max idle
dialogs and the FortiGate unit terminates calls unexpectedly, you can increase the max
idle dialogs number to resolve the problem.
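The two housekeeping controls above (call keepalive and max idle dialogs) modelled as an added Python example; this is not FortiOS code. It uses a fake clock, and the 30-second threshold after which a dialog counts as idle, the call IDs and the event timings are assumptions chosen to show the behaviour the text describes: a call whose RTP has been silent for call-keepalive seconds is torn down without any SIP message being sent, and once more than max-idle-dialogs dialogs are idle the oldest ones are deleted.

```python
"""Toy model of SIP ALG call-keepalive and max-idle-dialogs handling.
Added illustration, not FortiOS code. The 'idle' threshold is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Dialog:
    call_id: str
    last_sip: float   # time of the last legitimate SIP message seen
    last_rtp: float   # time of the last RTP packet seen through the pinhole
    created: float    # used to pick "the oldest" idle dialogs


@dataclass
class SipAlgTable:
    call_keepalive: int = 0      # seconds of RTP silence before teardown; 0 disables
    max_idle_dialogs: int = 0    # idle dialogs tolerated per policy; 0 disables
    idle_after: float = 30.0     # assumed: no SIP and no RTP for this long = idle
    dialogs: Dict[str, Dialog] = field(default_factory=dict)
    torn_down: List[str] = field(default_factory=list)

    def on_sip(self, call_id: str, now: float) -> None:
        d = self.dialogs.get(call_id)
        if d is None:
            self.dialogs[call_id] = Dialog(call_id, now, now, now)
        else:
            d.last_sip = now

    def on_rtp(self, call_id: str, now: float) -> None:
        if call_id in self.dialogs:
            self.dialogs[call_id].last_rtp = now

    def sweep(self, now: float) -> List[str]:
        """Apply both controls at time `now`; return the call IDs removed."""
        removed: List[str] = []
        if self.call_keepalive:
            for d in self.dialogs.values():
                if now - d.last_rtp >= self.call_keepalive:
                    removed.append(d.call_id)   # dropped silently: no BYE is sent
        if self.max_idle_dialogs:
            idle = sorted(
                (d for d in self.dialogs.values()
                 if d.call_id not in removed
                 and now - max(d.last_sip, d.last_rtp) >= self.idle_after),
                key=lambda d: d.created)
            excess = len(idle) - self.max_idle_dialogs
            removed.extend(d.call_id for d in idle[:max(0, excess)])
        for cid in removed:
            del self.dialogs[cid]
        self.torn_down.extend(removed)
        return removed


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: call-keepalive 100 s, max-idle-dialogs 2."""
    table = SipAlgTable(call_keepalive=100, max_idle_dialogs=2)
    for cid in ("call-1", "call-2", "call-3"):
        table.on_sip(cid, 0.0)
    for now in range(10, 200, 10):        # media flows only on call-1 and call-2
        table.on_rtp("call-1", float(now))
        table.on_rtp("call-2", float(now))
    after_keepalive = table.sweep(200.0)  # call-3 has had no RTP for 200 s
    for n in range(1, 5):                 # INVITEs that never progress (SIP flood)
        table.on_sip(f"flood-{n}", 200.0 + n)
    for now in range(200, 240, 10):
        table.on_rtp("call-1", float(now))
        table.on_rtp("call-2", float(now))
    after_idle_cap = table.sweep(240.0)   # 4 idle dialogs > 2: oldest two go
    return {"after_keepalive": after_keepalive,
            "after_idle_cap": after_idle_cap,
            "remaining": sorted(table.dialogs)}


if __name__ == "__main__":
    print(demo())
```

With both settings left at their default of 0, `sweep()` never removes anything, which matches the handbook statement that 0 disables each feature.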

Changing how long to wait for call setup to complete
In some cases and some configurations your SIP system may experience delays during
call setup. If this happens, some SIP ALG timers may expire before call setup is complete
and drop the call. In some cases you may also want to reduce the amount of time the SIP
ALG allows for call setup to complete.
You can use the provisional-invite-expiry-time SIP VoIP profile option to
control how long the SIP ALG waits for an INVITE that has received only provisional (1xx)
responses to complete before assuming that the call setup has been interrupted and
dropping the SIP call. The default value for this timer is 210 seconds. You can change it
to between 10 and 3600 seconds.
Use the following command to change the expiry time to 100 seconds.
config voip profile
edit Profile_name
config sip
set provisional-invite-expiry-time 100
end
end

SIP and RTP/RTCP
FortiGate units support the Real-time Transport Protocol (RTP) application layer protocol
for the VoIP call audio stream. RTP uses dynamically assigned port numbers that can
change during a call. SIP control messages that start a call, and that are sent during the
call, inform callers of the port number to use and of port number changes during the call.
During a call, each RTP session will usually have a corresponding RTP Control Protocol
(RTCP) session. By default, the RTCP port number is one higher than the RTP port
number.
The RTP port number is included in the m= line of the SDP profile. In the example above,
the SIP INVITE message carries RTP port number 49170, so the RTCP port number
would be 49171. In the SIP response message the RTP port number is 3456, so the RTCP
port number would be 3457.

How the SIP ALG creates RTP pinholes
The SIP ALG requires the following information to create a pinhole. Most of it is extracted
from SIP messages; the rest is supplied by the SIP ALG itself:
Protocol          UDP (extracted from SIP messages by the SIP ALG).
Source IP         Any
Source port       Any
Destination IP    The SIP ALG extracts the destination IP address from the c= line in the
                  SDP profile. The c= line can appear in either the session or media part of
                  the SDP profile. The SIP ALG uses the IP address in the c= line of the
                  media part of the SDP profile first. If the media part does not contain a
                  c= line, the SIP ALG checks the c= line in the session part of the SDP
                  profile. If the session part of the profile doesn't contain a c= line either,
                  the packet is dropped. Pinholes for RTP and RTCP sessions share the
                  same destination IP address.
Destination port  The SIP ALG extracts the destination port number for RTP from the m=
                  field and adds 1 to this number to get the RTCP port number.
Lifetime          The length of time during which the pinhole will be open. When the
                  lifetime ends, the SIP ALG removes the pinhole.

The SIP ALG keeps RTP pinholes open as long as the SIP session is alive. When the
associated SIP session is terminated by the SIP ALG or the SIP phones or servers
participating in the call, the RTP pinhole is closed.
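The pinhole derivation rules above (media-level c= first, then session-level c=, drop if neither; RTP port from m= and RTCP on the next port; one pinhole pair per media section) as an added Python example. It is not FortiOS code; the first SDP body is the one from the source NAT figures later in this chapter, the other two are constructed to exercise the multi-stream and missing-c= cases.

```python
"""Derive the UDP pinholes a SIP ALG would open from an SDP body.
Added illustration of the handbook's rules, not FortiOS code."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Pinhole:
    proto: str      # always UDP for RTP/RTCP
    dst_ip: str
    dst_port: int
    kind: str       # "RTP" or "RTCP"; source IP/port are Any, lifetime = dialog


class SdpError(ValueError):
    """No usable destination address: the ALG drops the packet."""


_C_RE = re.compile(r"^c=IN\s+(IP4|IP6)\s+(\S+)$")
_M_RE = re.compile(r"^m=(\w+)\s+(\d+)(?:/\d+)?\s+(\S+)\s+(.*)$")


def pinholes_from_sdp(sdp: str) -> List[Pinhole]:
    session_ip: Optional[str] = None
    media: List[List] = []          # [port, media-level ip or None] per m= section
    current: Optional[int] = None   # index of the m= section being read
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            m = _M_RE.match(line)
            if not m:
                raise SdpError(f"malformed media line: {line}")
            media.append([int(m.group(2)), None])
            current = len(media) - 1
        elif line.startswith("c="):
            c = _C_RE.match(line)
            if not c:
                raise SdpError(f"malformed connection line: {line}")
            if current is None:
                session_ip = c.group(2)          # session-level c=
            else:
                media[current][1] = c.group(2)   # media-level c= takes precedence
    holes: List[Pinhole] = []
    for port, media_ip in media:
        dst_ip = media_ip or session_ip
        if dst_ip is None:
            raise SdpError("no c= line at media or session level; dropping packet")
        holes.append(Pinhole("UDP", dst_ip, port, "RTP"))
        holes.append(Pinhole("UDP", dst_ip, port + 1, "RTCP"))
    return holes


# SDP body of the INVITE from Phone A in the source NAT scenario (Figure 302).
INVITE_SDP = """v=0
o=PhoneA 5462346 332134 IN IP4 10.31.101.20
c=IN IP4 10.31.101.20
m=audio 49170 RTP 0 3"""

# Constructed: two media streams, the second with its own media-level c= line.
MULTI_MEDIA_SDP = """v=0
o=PhoneA 1 1 IN IP4 10.31.101.20
c=IN IP4 10.31.101.20
m=audio 4000 RTP/AVP 0
m=video 4002 RTP/AVP 31
c=IN IP4 10.31.101.21"""

# Constructed: no c= line anywhere, so the ALG has no destination and drops it.
NO_C_SDP = """v=0
m=audio 4000 RTP/AVP 0"""


if __name__ == "__main__":
    for hole in pinholes_from_sdp(INVITE_SDP) + pinholes_from_sdp(MULTI_MEDIA_SDP):
        print(f"{hole.kind:<4} {hole.proto} any:any -> {hole.dst_ip}:{hole.dst_port}")
```

The two-stream case shows why the pinhole count matters operationally: every m= section costs two pinholes, which is the resource the RTP bypass and pinhole-limiting options later in this chapter are there to save.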
Figure 300 shows a simplified call setup sequence that shows how the SIP ALG opens
pinholes. Phone A and Phone B are installed on either side of a FortiGate unit operating in
Transparent mode. Phone A and Phone B are on the same subnet. The FortiGate unit
includes a firewall policy that accepts SIP sessions from port1 to port2 and from port2 to
port1. The FortiGate unit does not require an RTP firewall policy, just the SIP policy.
You can see from this diagram that the SDP profile in the INVITE request from Phone A
indicates that Phone A is expecting to receive a media stream sent to its IP address using
port 4000 for RTP and port 4001 for RTCP. The SIP ALG creates pinhole 1 to allow this
media traffic to pass through the FortiGate unit. Pinhole 1 is opened on the Port2 interface
and will accept media traffic sent from Phone B to Phone A.
When Phone B receives the INVITE request from Phone A, Phone B will know to send
media streams to Phone A using destination IP address 10.31.101.20 and ports 4000 and
4001. The 200 OK response sent from Phone B indicates that Phone B is expecting to
receive a media stream sent to its IP address using ports 8000 and 8001. The SIP ALG
creates pinhole 2 to allow this media traffic to pass through the FortiGate unit. Pinhole 2 is
opened on the Port1 interface and will accept media traffic sent from Phone A to Phone B.


Figure 300: SIP call setup with a FortiGate unit in Transparent mode
[Diagram: SIP Phone A (PhoneA@10.31.101.20) on Port1, FortiGate unit in Transparent
mode, SIP Phone B (PhoneB@10.31.101.30) on Port2]
1. Phone A sends an INVITE request to Phone B (SDP 10.31.101.20:4000).
2. SIP ALG creates Pinhole 1. Accepts traffic on Port2 with destination address:port
numbers 10.31.101.20:4000 and 4001.
3. The SIP ALG forwards the INVITE request to Phone B.
4. Phone B sends a 200 OK response to Phone A (SDP: 10.31.101.30:8000).
5. SIP ALG creates Pinhole 2. Accepts traffic on Port1 with destination address:port
numbers 10.31.101.30:8000 and 8001.
6. Phone B sends RTP and RTCP media sessions to Phone A through Pinhole 1.
Destination address:port numbers 10.31.101.20:4000 and 4001.
7. Phone A sends RTP and RTCP media sessions to Phone B through Pinhole 2.
Destination address:port numbers 10.31.101.30:8000 and 8001.

Configuration example: SIP in Transparent Mode
Figure 301 shows an example SIP network consisting of a FortiGate unit operating in
Transparent mode between two SIP phones. Since the FortiGate unit is operating in
Transparent mode both phones are on the same network and neither the FortiGate unit nor
the SIP ALG performs NAT. Even though the SIP ALG is not performing NAT you can use
this configuration to apply SIP security features to the SIP traffic.
The FortiGate unit requires two firewall policies that accept SIP packets. One to allow SIP
Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a
session with SIP Phone A.
Figure 301: SIP network with FortiGate unit in Transparent mode
[Diagram: SIP Phone A (PhoneA@10.31.101.20) on Port1, FortiGate unit in Transparent
mode, SIP Phone B (PhoneB@10.31.101.30) on Port2]

General configuration steps
The following general configuration steps are required for this SIP configuration. This
example uses the default VoIP profile. The example also includes firewall policies that
specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from
Phone B to Phone A. In most cases you would have more than two phones so would use
more general firewall policies. Also, you can set the firewall service to ANY to allow traffic
other than SIP on UDP port 5060.
1 Add firewall addresses for Phone A and Phone B.
2 Add a firewall policy that accepts SIP sessions initiated by Phone A and includes the
default VoIP profile.
3 Add a firewall policy that accepts SIP sessions initiated by Phone B and includes the
default VoIP profile.

Configuration steps - web-based manager
To add firewall addresses for the SIP phones
1 Go to Firewall > Address.
2 Add the following addresses for Phone A and Phone B:
Address Name         Phone_A
Type                 Subnet / IP Range
Subnet / IP Range    10.31.101.20/255.255.255.255
Interface            port1

Address Name         Phone_B
Type                 Subnet / IP Range
Subnet / IP Range    10.31.101.30/255.255.255.255
Interface            port2

To add firewall policies to apply the SIP ALG to SIP sessions
1 Go to Firewall > Policy.
2 Select Create New to add a firewall policy.
3 Add a firewall policy to allow Phone A to send SIP request messages to Phone B:
Source Interface/Zone        port1
Source Address               Phone_A
Destination Interface/Zone   port2
Destination Address          Phone_B
Schedule                     always
Service                      SIP
Action                       ACCEPT
UTM                          Select
Protocol Options             default
Enable VoIP                  Select and select the default VoIP profile.

4 Select OK.
5 Add a firewall policy to allow Phone B to send SIP request messages to Phone A:

Source Interface/Zone        port2
Source Address               Phone_B
Destination Interface/Zone   port1
Destination Address          Phone_A
Schedule                     always
Service                      SIP
Action                       ACCEPT
UTM                          Select
Protocol Options             default
Enable VoIP                  Select and select the default VoIP profile.

6 Select OK.

Configuration steps - CLI
To add firewall addresses for Phone A and Phone B and firewall policies to apply
the SIP ALG to SIP sessions
1 Enter the following command to add firewall addresses for Phone A and Phone B.
config firewall address
edit Phone_A
set associated-interface port1
set type ipmask
set subnet 10.31.101.20 255.255.255.255
next
edit Phone_B
set associated-interface port2
set type ipmask
set subnet 10.31.101.30 255.255.255.255
end
2 Enter the following command to add firewall policies to allow Phone A to send SIP
request messages to Phone B and Phone B to send SIP request messages to Phone
A.
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr Phone_A
set dstaddr Phone_B
set action accept
set schedule always
set service SIP
set utm-status enable
set profile-protocol-options default
set voip-profile default
next
edit 0
set srcintf port2
set dstintf port1
set srcaddr Phone_B
set dstaddr Phone_A
set action accept
set schedule always
set service SIP
set utm-status enable
set profile-protocol-options default
set voip-profile default
end

RTP enable/disable (RTP bypass)
You can configure the SIP ALG not to open RTP pinholes. Called RTP bypass, this
configuration can be used when you want to apply SIP ALG features to SIP signalling
messages but do not want the RTP media streams to pass through the FortiGate unit. The
FortiGate unit then acts only as a signalling firewall; the RTP media sessions bypass the
FortiGate unit and no pinholes need to be created.
Enter the following command to enable RTP bypass in a VoIP profile by disabling opening
RTP pinholes:
config voip profile
edit VoIP_Pro_1
config sip
set rtp disable
end
end

Opening and closing SIP register and non-register pinholes
You can use the open-register-pinhole and open-contact-pinhole VoIP profile
CLI options to control whether the FortiGate unit opens register and non-register pinholes.
Non-register pinholes are usually opened for SIP INVITE requests.
By default for new VoIP profiles and for both pre-defined VoIP profiles
open-register-pinhole is enabled and the FortiGate unit opens pinholes for SIP
Register request messages. You can disable open-register-pinhole so that the
FortiGate unit does not open pinholes for SIP Register request messages.
By default for new VoIP profiles and for the default pre-defined VoIP profile
open-contact-pinhole is enabled and the FortiGate unit opens pinholes for non-Register
SIP request messages. You can disable open-contact-pinhole so that the FortiGate
unit does not open pinholes for non-register requests. This option is not enabled for the
strict pre-defined VoIP profile.
Usually you would want to open these pinholes. Keeping them closed may prevent SIP
from functioning properly through the FortiGate unit. They can be disabled, however, for
interconnect scenarios (where all SIP traffic is between proxies and traveling over a single
session). In some cases these settings can also be disabled in access scenarios if it is
known that all users will be registering regularly so that their contact information can be
learned from the register request.
You might want to prevent pinholes from being opened to avoid creating a pinhole for
every register or non-register request. Each pinhole uses additional system memory,
which can affect system performance if there are hundreds or thousands of users, and
requires refreshing which can take a relatively long amount of time if there are thousands
of active calls.
To configure a VoIP profile to prevent opening register and non-register pinholes:
config voip profile
edit VoIP_Pro_1
config sip
set open-register-pinhole disable
set open-contact-pinhole disable
end
end
In some cases you may not want to open pinholes for the port numbers specified in SIP
Contact headers. For example, in an interconnect scenario when a FortiGate unit is
installed between two SIP servers and the only SIP traffic through the FortiGate unit is
between these SIP servers pinholes may not need to be opened for the port numbers
specified in the Contact header lines.
If you disable open-register-pinhole then pinholes are not opened for ports in
Contact header lines in SIP Register messages. If you disable open-contact-pinhole
then pinholes are not opened for ports in Contact header lines in all SIP messages except
SIP Register messages.

Accepting SIP register responses
You can enable the VoIP profile reg-diff-port option to accept a SIP Register
response message from a SIP server even if the source port of the Register response
message is different from the destination port the Register request was sent to.
Most SIP servers use 5060 as the source port in the SIP Register response. Some SIP
servers, however, may use a different source port. If your SIP server does, you can enable
reg-diff-port: the SIP ALG then creates a temporary pinhole when it forwards a
Register request from a SIP client, and the FortiGate unit accepts the SIP Register
response from the SIP server with any source port number.
Enter the following command to enable accepting any source port from a SIP server:
config voip profile
edit VoIP_Pro_1
config sip
set reg-diff-port enable
end
end

How the SIP ALG performs NAT
In most Network Address Translation (NAT) configurations, multiple hosts in a private
network share a single public IP address to access the Internet. For sessions originating
on the private network for the Internet, NAT replaces the private IP address of the PC in
the private subnet with the public IP address of the NAT device. The NAT device converts
the public IP address for responses from the Internet back into the private address before
sending the response over the private network to the originator of the session.
Using NAT with SIP is more complex because of the IP addresses and media stream port
numbers used in SIP message headers and bodies. When a caller on the private network
sends a SIP message to a phone or SIP server on the Internet, the SIP ALG must
translate the private network addresses in the SIP message to IP addresses and port
numbers that are valid on the Internet. When the response message is sent back to the
caller, the SIP ALG must translate these addresses back to valid private network
addresses.


In addition, the media streams generated by the SIP session are independent of the SIP
message sessions and use varying port numbers that can also change during the media
session. The SIP ALG opens pinholes to accept these media sessions, using the
information in the SIP messages to determine the pinholes to open. The ALG may also
perform port translation on the media sessions.
When an INVITE message is received by the SIP ALG, the FortiGate unit extracts
addressing and port number information from the message header and stores it in a SIP
dialog table. Similar to an IP session table the data in the dialog table is used to translate
addresses in subsequent SIP messages that are part of the same SIP call.
When a later message in the same call arrives at the SIP ALG (for example, a 200 OK
response or an ACK), the SIP ALG compares the addresses in the message fields against
the entries in the SIP dialog table to identify the call context of the message. The SIP ALG
then translates addresses in the SIP message before forwarding it to its destination.
The addressing and port number information in SDP fields is used by the ALG to reserve
ports for the media session and create a NAT mapping between them and the ports in the
SDP fields. Because SDP uses sequential ports for the RTP and RTCP channels, the ALG
provides consecutive even-odd ports.

Source address translation
When a SIP call is started by a phone on a private network destined for a phone on the
Internet, only source address translation is required. The phone on the private network
attempts to contact the actual IP address of the phone on the Internet. However, the
source address of the phone on the private network is not routable on the Internet so the
SIP ALG must translate all private IP addresses in the SIP message into public IP
addresses.
To configure the FortiGate unit for source address translation you add a firewall policy that
accepts sessions from the internal network destined for the Internet. You must enable NAT
for the firewall policy and add a VoIP profile.
When a SIP request is received from the internal to the external network, the SIP ALG
replaces the private network IP addresses and port numbers in the SIP message with the
IP address of the FortiGate interface connected to the Internet. Depending on the content
of the message, the ALG translates addresses in the Via:, Contact:, Route:, and
Record-Route: SIP header fields. The message is then forwarded to the destination (either
a VoIP phone or a SIP server on the Internet).
The VoIP phone or server in the Internet sends responses to these SIP messages to the
external interface of the FortiGate unit. The addresses in the response messages are
translated back into private network addresses and the response is forwarded to the
originator of the request.
For the RTP communication between the SIP phones, the SIP ALG opens pinholes to
allow media through the FortiGate unit on the dynamically assigned ports negotiated
based on information in the SDP and the Via:, Contact:, and Record-Route: header fields.
The pinholes also allow incoming packets to reach the Contact:, Via:, and Record-Route:
IP addresses and ports. When processing return traffic, the SIP ALG inserts the original
Contact:, Via:, Route:, and Record-Route: SIP fields back into the packets.


Destination address translation
Incoming calls are directed from a SIP phone on the Internet to the interface of the
FortiGate unit connected to the Internet. To receive these calls you must add a firewall
policy that accepts SIP sessions from the Internet. The firewall policy requires a firewall
virtual IP. SIP INVITE messages from the Internet connect to the external IP address of
the virtual IP. The SIP ALG uses the destination address translation defined in the virtual
IP to translate the addresses in the SIP message to addresses on the private network.
When a 200 OK response message arrives from the private network, the SIP ALG
translates the addresses in the message to Internet addresses and opens pinholes for
media sessions from the private network to the Internet.
When the ACK for the 200 OK is received, it is also intercepted by the SIP ALG. If the
ACK message contains SDP information, the SIP ALG checks whether the IP addresses
and port numbers have changed from the previous INVITE. If they have, the SIP ALG
deletes pinholes and creates new ones as required. The ALG also monitors the Via:,
Contact:, and Record-Route: SIP fields and opens new pinholes as required.

Call Re-invite messages
SIP Re-INVITE messages can dynamically add and remove media sessions during a call.
When new media sessions are added to a call the SIP ALG opens new pinholes and
updates SIP dialog data. When media sessions are ended, the SIP ALG closes pinholes
that are no longer needed and removes SIP dialog data.

How the SIP ALG translates IP addresses in SIP headers
The SIP ALG applies NAT to SIP sessions by translating the IP addresses contained in
SIP headers. For example, the following SIP message contains most of the SIP fields that
contain addresses that need to be translated:
INVITE PhoneB@172.20.120.30 SIP/2.0
Via: SIP/2.0/UDP 172.20.120.50:5434
From: PhoneA@10.31.101.20
To: PhoneB@172.20.120.30
Call-ID: a12abcde@172.20.120.50
Contact: PhoneA@10.31.101.20:5434
Route: <sip:example@172.20.120.50:5060>
Record-Route: <sip:example@172.20.120.50:5060>
How IP address translation is performed depends on whether source NAT or destination
NAT is applied to the session containing the message:

Source NAT translation of IP addresses in SIP messages
Source NAT translation occurs for SIP messages sent from a phone or server on a private
network to a phone or server on the Internet. The source addresses in the SIP header
fields of the message are typically set to IP addresses on the private network. The SIP
ALG translates these addresses to the address of the FortiGate unit interface connected
to the Internet.
Table 130: Source NAT translation of IP addresses in SIP request messages
SIP header      NAT action
To:             None
From:           Replace private network address with IP address of FortiGate unit
                interface connected to the Internet.
Call-ID:        Replace private network address with IP address of FortiGate unit
                interface connected to the Internet.
Via:            Replace private network address with IP address of FortiGate unit
                interface connected to the Internet.
Request-URI:    None
Contact:        Replace private network address with IP address of FortiGate unit
                interface connected to the Internet.
Record-Route:   Replace private network address with IP address of FortiGate unit
                interface connected to the Internet.
Route:          Replace private network address with IP address of FortiGate unit
                interface connected to the Internet.

Response messages from phones or servers on the Internet are sent to the FortiGate unit
interface connected to the Internet where the destination addresses are translated back to
addresses on the private network before forwarding the SIP response message to the
private network.
Table 131: Source NAT translation of IP addresses in SIP response messages
SIP header      NAT action
To:             None
From:           Replace IP address of FortiGate unit interface connected to the Internet
                with private network address.
Call-ID:        Replace IP address of FortiGate unit interface connected to the Internet
                with private network address.
Via:            Replace IP address of FortiGate unit interface connected to the Internet
                with private network address.
Request-URI:    N/A
Contact:        None
Record-Route:   Replace IP address of FortiGate unit interface connected to the Internet
                with private network address.
Route:          Replace IP address of FortiGate unit interface connected to the Internet
                with private network address.

Destination NAT translation of IP addresses in SIP messages
Destination NAT translation occurs for SIP messages sent from a phone or server on the
Internet to a firewall virtual IP address. The destination addresses in the SIP header fields
of the message are typically set to the virtual IP address. The SIP ALG translates these
addresses to the address of a SIP server or phone on the private network on the other
side of the FortiGate unit.
Table 132: Destination NAT translation of IP addresses in SIP request messages
SIP header      NAT action
To:             Replace VIP address with address on the private network as defined in the
                firewall virtual IP.
From:           None
Call-ID:        None
Via:            None
Request-URI:    Replace VIP address with address on the private network as defined in the
                firewall virtual IP.
Contact:        None
Record-Route:   None
Route:          None

SIP response messages sent in response to the destination NAT translated messages are
sent from a server or a phone on the private network back to the originator of the request
messages on the Internet. These reply messages are accepted by the same firewall policy
that accepted the initial request messages. The firewall VIP in that firewall policy contains
the information that the SIP ALG uses to translate the private network source addresses in
the SIP headers into the firewall virtual IP address.
Table 133: Destination NAT translation of IP addresses in SIP response messages
SIP header      NAT action
To:             None
From:           Replace private network address with firewall VIP address.
Call-ID:        None
Via:            None
Request-URI:    N/A
Contact:        Replace private network address with firewall VIP address.
Record-Route:   Replace private network address with firewall VIP address.
Route:          None

How the SIP ALG translates IP addresses in the SIP body
The SDP session profile attributes in the SIP body include IP addresses and port numbers
that the SIP ALG uses to create pinholes for the media stream.
The SIP ALG translates IP addresses and port numbers in the o=, c=, and m= SDP lines.
For example, in the following lines the ALG could translate the IP addresses in the o= and
c= lines and the port number (49170) in the m= line.
o=PhoneA 5462346 332134 IN IP4 10.31.101.20
c=IN IP4 10.31.101.20
m=audio 49170 RTP 0 3
If the SDP session profile includes multiple RTP media streams, the SIP ALG opens
pinholes and performs the required address translation for each one.
The two most important SDP attributes for the SIP ALG are c= and m=. The c= attribute is
the connection information attribute. This field can appear at the session or media level.
The syntax of the connection attribute is:
c=IN {IP4 | IP6} <destination_ip_address>
Where
• IN is the network type. FortiGate units support the IN (Internet) network type.
• {IP4 | IP6} is the address type. FortiGate units support IPv4 or IPv6 addresses in SDP
statements. However, FortiGate units do not support all types of IPv6 address
translation. See "SIP over IPv6" on page 1960.
• <destination_ip_address> is the unicast numeric destination IP address or domain
name of the connection in either IPv4 or IPv6 format.
The syntax of the media attribute is:
m=audio <port_number> RTP <format_list>
Where
• audio is the media type. FortiGate units support the audio media type.
• <port_number> is the destination port number used by the media stream.
• RTP is the application layer transport protocol used for the media stream (in a real SDP
body this field reads RTP/AVP, the RTP audio/video profile). FortiGate units support the
Real-time Transport Protocol (RTP) transport protocol.
• <format_list> is the format list that provides information about the application layer
protocol that the media uses.

SIP NAT scenario: source address translation (source NAT)
Figure 302 and Figure 303 show a source address translation scenario involving two SIP
phones on different networks, separated by a FortiGate unit. In the scenario, SIP Phone A
sends an INVITE request to SIP Phone B and SIP Phone B replies with a 200 OK
response and then the two phones start media streams with each other.
To simplify the diagrams, some SIP messages are not included (for example, the Ringing
and ACK response messages) and some SIP header lines and SDP profile lines have
been removed from the SIP messages.
Figure 302: SIP source NAT scenario part 1: INVITE request sent from Phone A to Phone B
[Diagram: SIP Phone A (PhoneA@10.31.101.20) behind the Internal interface (10.31.101.100)
of a FortiGate unit in NAT/Route mode; SIP Phone B (PhoneB@172.20.120.30) beyond the
WAN1 interface (172.20.120.122)]
1. Phone A sends an INVITE request to Phone B (SDP 10.31.101.20:49170).
    INVITE sip:PhoneB@172.20.120.30 SIP/2.0
    Via: SIP/2.0/UDP 10.31.101.20:5060
    From: PhoneA <sip:PhoneA@10.31.101.20>
    To: PhoneB <sip:PhoneB@172.20.120.30>
    Call-ID: 314159@10.31.101.20
    CSeq: 1 INVITE
    Contact: sip:PhoneA@10.31.101.20
    v=0
    o=PhoneA 5462346 332134 IN IP4 10.31.101.20
    c=IN IP4 10.31.101.20
    m=audio 49170 RTP 0 3
2. SIP ALG creates Pinhole 1. Accepts traffic on WAN1 with destination address:port
numbers 172.20.120.122:49170 and 49171.
3. The SIP ALG performs source NAT on the INVITE request and forwards it to Phone B.
    INVITE sip:PhoneB@172.20.120.30 SIP/2.0
    Via: SIP/2.0/UDP 172.20.120.122:5060
    From: PhoneA <sip:PhoneA@172.20.120.122>
    To: PhoneB <sip:PhoneB@172.20.120.30>
    Call-ID: 314159@172.20.120.122
    CSeq: 1 INVITE
    Contact: sip:PhoneA@172.20.120.122
    v=0
    o=PhoneA 5462346 332134 IN IP4 172.20.120.122
    c=IN IP4 172.20.120.122
    m=audio 49170 RTP 0 3


For the replies to SIP packets sent by Phone A to be routable on Phone B's network, the
FortiGate unit uses source NAT to change their source address to the address of the
WAN1 interface. The SIP ALG makes similar changes to the source addresses in the SIP
headers and SDP profile. For example, the original INVITE request from Phone A includes
the address of Phone A (10.31.101.20) in the From header line. After the INVITE request
passes through the FortiGate unit, the address of Phone A in the From SIP header line is
translated to 172.20.120.122, the address of the FortiGate unit WAN1 interface. As a
result, Phone B will reply to SIP messages from Phone A using the WAN1 interface IP
address.
The FortiGate unit also opens a pinhole so that it can accept media sessions sent to the
WAN1 IP address using the port number in the m= line of the INVITE request and forward
them to Phone A after translating the destination address to the IP address of Phone A.
Phone B sends the 200 OK response to the INVITE message to the WAN1 interface. The
SDP profile includes the port number that Phone B wants to use for its media stream. The
FortiGate unit forwards 200 OK response to Phone A after translating the addresses in the
SIP and SDP lines back to the IP address of Phone A. The SIP ALG also opens a pinhole
on the Internal interface that accepts media stream sessions from Phone A with
destination address set to the IP address of Phone B and using the port that Phone B
added to the SDP m= line.
Figure 303: SIP source NAT scenario part 2: 200 OK returned and media streams established
(Figure nodes: SIP Phone A (PhoneA@10.31.101.20) on the Internal interface 10.31.101.100; FortiGate unit in NAT/Route mode; WAN1 interface 172.20.120.122; SIP Phone B (PhoneB@172.20.120.30).)
4. Phone B sends a 200 OK response to Phone A (SDP: 172.20.120.30:3456).
SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.20.120.122:5060
From: PhoneA <sip:PhoneA@172.20.120.122>
To: PhoneB <sip:PhoneB@172.20.120.30>
Call-ID: 314159@172.20.120.122
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30
v=0
o=PhoneB 124333 67895 IN IP4 172.20.120.30
c=IN IP4 172.20.120.30
m=audio 3456 RTP 0
5. SIP ALG creates Pinhole 2. Accepts traffic on Internal with destination address:port numbers 172.20.120.30:3456 and 3457.
6. The SIP ALG performs source NAT on the 200 OK response and forwards it to Phone A.
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.31.101.20:5060
From: PhoneA <sip:PhoneA@10.31.101.20>
To: PhoneB <sip:PhoneB@172.20.120.30>
Call-ID: 314159@10.31.101.20
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30
v=0
o=PhoneB 124333 67895 IN IP4 172.20.120.30
c=IN IP4 172.20.120.30
m=audio 3456 RTP 0
7. Phone B sends RTP and RTCP media sessions to Phone A through pinhole 1. Destination address:port number 172.20.120.122:49170 and 49171.
8. Phone A sends RTP and RTCP media sessions to Phone B through pinhole 2. Destination address:port number 172.20.120.30:3456 and 3457.


SIP NAT scenario: destination address translation (destination NAT)
Figure 304 and Figure 305 show how the SIP ALG translates addresses in a SIP INVITE
message sent from SIP Phone B on the Internet to SIP Phone A on a private network
using the SIP proxy server. Because the addresses on the private network are not visible
from the Internet, the firewall policy on the FortiGate unit that accepts SIP sessions
includes a virtual IP. Phone B sends the SIP INVITE message to the virtual IP address.
The FortiGate unit accepts the INVITE message packets and, using the virtual IP,
translates the destination address of the packet to the IP address of the SIP proxy server
and forwards the SIP message to it.
To simplify the diagrams, some SIP messages are not included (for example, the Ringing
and ACK response messages) and some SIP header lines and SDP profile lines have
been removed from the SIP messages.
The SIP ALG also translates the destination addresses in the SIP message from the
virtual IP address (172.20.120.50) to the SIP proxy server address (10.31.101.50). For
this configuration to work, the SIP proxy server must be able to change the destination
addresses for Phone A in the SIP message from the address of the SIP proxy server to
the actual address of Phone A.
The SIP ALG also opens a pinhole on the Port2 interface that accepts media sessions
from the private network to SIP Phone B using ports 4900 and 4901.


Figure 304: SIP destination NAT scenario part 1: INVITE request sent from Phone B to Phone A
(Figure nodes: SIP Phone A (PhoneA@10.31.101.20) and the SIP proxy server 10.31.101.50 on the private network behind Port2 10.11.101.100; FortiGate-620B cluster in NAT/Route mode; Port1 172.20.120.141 on the Internet with SIP Virtual IP 172.20.120.50; SIP Phone B (PhoneB@172.20.120.30).)
1. Phone B sends an INVITE request for Phone A to the SIP Proxy Server Virtual IP (SDP 172.20.120.30:4900).
INVITE sip:PhoneA@172.20.120.50 SIP/2.0
Via: SIP/2.0/UDP 172.20.120.50:5060
From: PhoneB <sip:PhoneB@172.20.120.30>
To: PhoneA <sip:PhoneA@172.20.120.50>
Call-ID: 314134@172.20.120.30
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30
v=0
o=PhoneB 2346 134 IN IP4 172.20.120.30
c=IN IP4 172.20.120.30
m=audio 4900 RTP 0 3
2. SIP ALG creates Pinhole 1. Accepts traffic on Port2 with destination address:port numbers 172.20.120.30:4900 and 4901.
3. The SIP ALG performs destination NAT on the INVITE request and forwards it to the SIP proxy server.
INVITE sip:PhoneA@10.31.101.50 SIP/2.0
Via: SIP/2.0/UDP 10.31.101.50:5060
From: PhoneB <sip:PhoneB@172.20.120.30>
To: PhoneA <sip:PhoneA@10.31.101.50>
Call-ID: 314134@172.20.120.30
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30
v=0
o=PhoneB 2346 134 IN IP4 172.20.120.30
c=IN IP4 172.20.120.30
m=audio 4900 RTP 0 3
4. The SIP proxy server forwards the INVITE request to Phone A (SDP: 172.20.120.30:4900).

Phone A sends a 200 OK response back to the SIP proxy server. The SIP proxy server
forwards the response to Phone B. The FortiGate unit accepts the 200 OK response. The
SIP ALG translates the Phone A addresses back to the SIP proxy server virtual IP address
before forwarding the response back to Phone B. The SIP ALG also opens a pinhole using
the SIP proxy server virtual IP, which is the address in the o= line of the SDP profile, and
the port number in the m= line of the SDP code.


Figure 305: SIP destination NAT scenario part 2: 200 OK returned to Phone B and media streams established
(Figure nodes: SIP Phone A (PhoneA@10.31.101.20) and the SIP proxy server 10.31.101.50 behind Port2 10.11.101.100; FortiGate-620B cluster in NAT/Route mode; Port1 172.20.120.141 on the Internet with the SIP proxy server virtual IP 172.20.120.50; SIP Phone B (PhoneB@172.20.120.30).)
5. Phone A sends a 200 OK response to the SIP proxy server (SDP: 10.31.101.20:8888).
6. The SIP proxy server forwards the response to Phone B (SDP: 10.31.101.20:8888).
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.31.101.50:5060
From: PhoneB <sip:PhoneB@172.20.120.30>
To: PhoneA <sip:PhoneA@10.31.101.50>
Call-ID: 314134@172.20.120.30
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30
v=0
o=PhoneB 2346 134 IN IP4 172.20.120.30
c=IN IP4 10.31.101.20
m=audio 5500 RTP 0
7. The SIP ALG NATs the SDP address to the Virtual IP address before forwarding the response to Phone B (SDP: 172.20.120.50:5500).
SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.20.120.50:5060
From: PhoneB <sip:PhoneB@172.20.120.30>
To: PhoneA <sip:PhoneA@172.20.120.50>
Call-ID: 314134@172.20.120.30
CSeq: 1 INVITE
Contact: sip:PhoneB@172.20.120.30
v=0
o=PhoneB 2346 134 IN IP4 172.20.120.30
c=IN IP4 172.20.120.50
m=audio 5500 RTP 0
8. Pinhole 2 created. Accepts traffic on Port1 with destination address:port numbers 172.20.120.50:5500 and 5501.
9. Phone A sends RTP and RTCP media sessions to Phone B through pinhole 1. Destination address:port number 172.20.120.30:4900 and 4901.
10. Phone B sends RTP and RTCP media sessions to Phone A through pinhole 2. Destination address:port number 172.20.120.50:5500 and 5501.
11. The SIP ALG NATs the destination address to 10.31.101.20.

The media stream from Phone A is accepted by pinhole 1 and forwarded to Phone B.
The source address of this media stream is changed to the SIP proxy server virtual IP
address. The media stream from Phone B is accepted by pinhole 2 and forwarded to
Phone A. The destination address of this media stream is changed to the IP address of
Phone A.
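The source NAT scenario and the destination NAT scenario above both come down to rewriting a handful of SIP header lines and the SDP o=/c= lines, and deriving each RTP/RTCP pinhole from the c= address and m= port of the message as it leaves the FortiGate unit. The following Python is an added example written for this page, not FortiOS code, that carries out those rewrites on constructed copies of the messages from the figures and reports the pinhole each one implies. The sample messages, the interface names passed to pinhole() and the set of headers each direction rewrites are taken from the figures and are assumptions of this example.

```python
import re
from dataclasses import dataclass

PHONE_A = "10.31.101.20"   # private side: Internal (source NAT) or Port2 (destination NAT)
WAN1 = "172.20.120.122"    # FortiGate WAN1 address that source NAT substitutes
VIP = "172.20.120.50"      # SIP proxy server virtual IP on Port1
PROXY = "10.31.101.50"     # SIP proxy server behind Port2

# Constructed sample: the INVITE as Phone A sends it, before source NAT
# (simplified like the handbook figures; real SIP uses CRLF line endings).
INVITE_FROM_A = "\n".join([
    "INVITE sip:PhoneB@172.20.120.30 SIP/2.0",
    "Via: SIP/2.0/UDP 10.31.101.20:5060",
    "From: PhoneA <sip:PhoneA@10.31.101.20>",
    "To: PhoneB <sip:PhoneB@172.20.120.30>",
    "Call-ID: 314159@10.31.101.20",
    "Contact: sip:PhoneA@10.31.101.20",
    "",
    "v=0",
    "o=PhoneA 5462346 332134 IN IP4 10.31.101.20",
    "c=IN IP4 10.31.101.20",
    "m=audio 49170 RTP 0 3",
])
# Constructed sample: the 200 OK as the SIP proxy server forwards it toward
# Phone B in the destination NAT scenario (step 6 of Figure 305).
OK_FROM_PROXY = "\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 10.31.101.50:5060",
    "From: PhoneB <sip:PhoneB@172.20.120.30>",
    "To: PhoneA <sip:PhoneA@10.31.101.50>",
    "Call-ID: 314134@172.20.120.30",
    "Contact: sip:PhoneB@172.20.120.30",
    "",
    "v=0",
    "o=PhoneB 2346 134 IN IP4 172.20.120.30",
    "c=IN IP4 10.31.101.20",
    "m=audio 5500 RTP 0",
])

@dataclass(frozen=True)
class Pinhole:
    interface: str   # interface on which the ALG accepts the media stream
    address: str     # destination address the pinhole matches
    rtp_port: int    # port from the SDP m= line
    rtcp_port: int   # RTCP is accepted on the next port up

def swap_ips(line, mapping):
    # Replace whole IPv4 addresses only: 10.31.101.20 must not match inside 10.31.101.200.
    for old, new in mapping.items():
        line = re.sub(r"(?<![\d.])" + re.escape(old) + r"(?![\d.])", new, line)
    return line

def translate(message, mapping, headers):
    """Rewrite the request/status line, the named headers (lower-case) and the SDP o=/c= lines."""
    lines = message.replace("\r\n", "\n").split("\n")
    out, in_body = [], False
    for i, line in enumerate(lines):
        if in_body:
            if line.startswith(("o=", "c=")):
                line = swap_ips(line, mapping)
        elif line == "":
            in_body = True                   # the blank line ends the SIP headers
        elif i == 0 or line.split(":", 1)[0].strip().lower() in headers:
            line = swap_ips(line, mapping)   # request/status line or a listed header
        out.append(line)
    return "\n".join(out)

def source_nat(message, old_ip, new_ip):
    """Source NAT: the originator's address in Via, From, Call-ID, Contact and the SDP
    becomes new_ip; To is left alone. Swapping the arguments undoes it for the reply."""
    return translate(message, {old_ip: new_ip}, {"via", "from", "call-id", "contact"})

def destination_nat_request(message, vip, mapped_ip):
    """Destination NAT on a request to a virtual IP: the VIP in the Request-URI, Via and To
    becomes the mapped server address (step 3 of Figure 304)."""
    return translate(message, {vip: mapped_ip}, {"via", "to"})

def destination_nat_response(message, vip, private_ips):
    """A response leaving through the VIP: every private address in Via, To and the SDP
    is hidden behind the VIP (step 7 of Figure 305)."""
    return translate(message, {ip: vip for ip in private_ips}, {"via", "to"})

def pinhole(forwarded, egress_interface):
    """Pinhole for the media the far end will send back: c= address and m= port of the
    message as forwarded, accepted on the interface the message leaves through."""
    head, sep, body = forwarded.replace("\r\n", "\n").partition("\n\n")
    addr = port = None
    for line in body.split("\n"):
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if addr is None or port is None:
        raise ValueError("no c=/m= lines in SDP: nothing to open a pinhole for")
    return Pinhole(egress_interface, addr, port, port + 1)

if __name__ == "__main__":
    fwd = source_nat(INVITE_FROM_A, PHONE_A, WAN1)
    print(fwd, pinhole(fwd, "wan1"), sep="\n")        # Pinhole 1 of Figure 303
    resp = destination_nat_response(OK_FROM_PROXY, VIP, [PROXY, PHONE_A])
    print(resp, pinhole(resp, "port1"), sep="\n")     # Pinhole 2 of Figure 305
```

Running it reproduces the translated INVITE of step 3 and the pinhole on WAN1 for 172.20.120.122:49170 and 49171, then the translated 200 OK of step 7 and the pinhole on Port1 for 172.20.120.50:5500 and 5501. The pinhole is always read from the message after translation, which is why the same routine serves both directions: a pinhole that were derived from the pre-NAT SDP would point at an address the far end can never reach.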

SIP NAT configuration example: source address translation (source NAT)
This configuration example shows how to configure the FortiGate unit to support the
source address translation scenario shown in Figure 306. The FortiGate unit requires two
firewall policies that accept SIP packets. One to allow SIP Phone A to start a session with
SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A. Both of
these policies must include source NAT. In this example the networks are not hidden from
each other so destination NAT is not required.


Figure 306: SIP source NAT configuration
(Figure nodes: SIP Phone A (PhoneA@10.31.101.20) on the Internal interface 10.31.101.100; FortiGate unit in NAT/Route mode; WAN1 interface 172.20.120.122; SIP Phone B (PhoneB@172.20.120.30).)

General configuration steps
The following general configuration steps are required for this SIP configuration. This
example uses the default VoIP profile. The example also includes firewall policies that
specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from
Phone B to Phone A. In most cases you would have more than two phones so would use
more general firewall policies. Also, you can set the firewall service to ANY to allow traffic
other than SIP on UDP port 5060.
1 Add firewall addresses for Phone A and Phone B.
2 Add a firewall policy that accepts SIP sessions initiated by Phone A and includes the
default VoIP profile.
3 Add a firewall policy that accepts SIP sessions initiated by Phone B and includes the
default VoIP profile.

Configuration steps - web-based manager
To add firewall addresses for the SIP phones
1 Go to Firewall > Address.
2 Add the following addresses for Phone A and Phone B:
Address Name: Phone_A
Type: Subnet / IP Range
Subnet / IP Range: 10.31.101.20/255.255.255.255
Interface: Internal
Address Name: Phone_B
Type: Subnet / IP Range
Subnet / IP Range: 172.20.120.30/255.255.255.255
Interface: wan1

To add firewall policies to apply the SIP ALG to SIP sessions
1 Go to Firewall > Policy.
2 Select Create New to add a firewall policy.
3 Add a firewall policy to allow Phone A to send SIP request messages to Phone B:
Source Interface/Zone: internal
Source Address: Phone_A
Destination Interface/Zone: wan1
Destination Address: Phone_B
Schedule: always
Service: SIP
Action: ACCEPT
Enable NAT: Select
UTM: Select
Protocol Options: default
Enable VoIP: Select and select the default VoIP profile.

4 Select OK.
5 Add a firewall policy to allow Phone B to send SIP request messages to Phone A:
Source Interface/Zone: wan1
Source Address: Phone_B
Destination Interface/Zone: internal
Destination Address: Phone_A
Schedule: always
Service: SIP
Action: ACCEPT
Enable NAT: Select
UTM: Select
Protocol Options: default
Enable VoIP: Select (and select the default VoIP profile)

6 Select OK.

Configuration steps - CLI
To add firewall addresses for Phone A and Phone B and firewall policies to apply
the SIP ALG to SIP sessions
1 Enter the following command to add firewall addresses for Phone A and Phone B.
config firewall address
edit Phone_A
set associated-interface internal
set type ipmask
set subnet 10.31.101.20 255.255.255.255
next
edit Phone_B
set associated-interface wan1
set type ipmask
set subnet 172.20.120.30 255.255.255.255
end
2 Enter the following command to add firewall policies to allow Phone A to send SIP
request messages to Phone B and Phone B to send SIP request messages to Phone
A.
config firewall policy
edit 0
set srcintf internal
set dstintf wan1
set srcaddr Phone_A
set dstaddr Phone_B
set action accept
set schedule always
set service SIP
set nat enable
set utm-status enable
set profile-protocol-options default
set voip-profile default
next
edit 0
set srcintf wan1
set dstintf internal
set srcaddr Phone_B
set dstaddr Phone_A
set action accept
set schedule always
set service SIP
set nat enable
set utm-status enable
set profile-protocol-options default
set voip-profile default
end

SIP NAT configuration example: destination address translation (destination NAT)
This configuration example shows how to configure the FortiGate unit to support the
destination address translation scenario shown in Figure 307. The FortiGate unit requires
two SIP firewall policies:
• A destination NAT firewall policy that allows SIP messages to be sent from the Internet
to the private network. This policy must include destination NAT because the
addresses on the private network are not routable on the Internet.
• A source NAT firewall policy that allows SIP messages to be sent from the private
network to the Internet.

Figure 307: SIP destination NAT scenario part two: 200 OK returned to Phone B and media streams established
(Figure nodes: SIP Phone A (PhoneA@10.31.101.20) and the SIP proxy server 10.31.101.50 behind Port2 10.11.101.100; FortiGate-620B cluster in NAT/Route mode; Port1 172.20.120.141 on the Internet with the SIP proxy server virtual IP 172.20.120.50; SIP Phone B (PhoneB@172.20.120.30).)

General configuration steps
The following general configuration steps are required for this destination NAT SIP
configuration. This example uses the default VoIP profile.
1 Add the SIP proxy server firewall virtual IP.
2 Add a firewall address for the SIP proxy server on the private network.
3 Add a destination NAT firewall policy that accepts SIP sessions from the Internet
destined for the SIP proxy server virtual IP and translates the destination address to
the IP address of the SIP proxy server on the private network.


4 Add a firewall policy that accepts SIP sessions initiated by the SIP proxy server and
destined for the Internet.

Configuration steps - web-based manager
To add the SIP proxy server firewall virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Add the SIP proxy server virtual IP.
Name: SIP_Proxy_VIP
External Interface: port1
Type: Static NAT
External IP Address/Range: 172.20.120.50
Mapped IP Address/Range: 10.31.101.50

To add a firewall address for the SIP proxy server
1 Go to Firewall > Address.
2 Add the following for the SIP proxy server:
Address Name: SIP_Proxy_Server
Type: Subnet / IP Range
Subnet / IP Range: 10.31.101.50/255.255.255.255
Interface: port2

To add the firewall policies
1 Go to Firewall > Policy.
2 Add a destination NAT firewall policy that includes the SIP proxy server virtual IP that
allows Phone B (and other SIP phones on the Internet) to send SIP request messages
to the SIP proxy server.
Source Interface/Zone: port1
Source Address: all
Destination Interface/Zone: port2
Destination Address: SIP_Proxy_VIP
Schedule: always
Service: SIP
Action: ACCEPT
Enable NAT: Select
UTM: Select
Protocol Options: default
Enable VoIP: Select and select the default VoIP profile.

3 Select OK.
4 Add a source NAT firewall policy to allow the SIP proxy server to send SIP request
messages to Phone B and the Internet:
Source Interface/Zone: port2
Source Address: SIP_Proxy_Server
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: SIP
Action: ACCEPT
Enable NAT: Select
UTM: Select
Protocol Options: default
Enable VoIP: Select (and select the default VoIP profile)

5 Select OK.

Configuration steps - CLI
To add the SIP proxy server firewall virtual IP and firewall address
1 Enter the following command to add the SIP proxy server firewall virtual IP.
config firewall vip
edit SIP_Proxy_VIP
set type static-nat
set extip 172.20.120.50
set mappedip 10.31.101.50
set extintf port1
end
2 Enter the following command to add the SIP proxy server firewall address.
config firewall address
edit SIP_Proxy_Server
set associated-interface port2
set type ipmask
set subnet 10.31.101.50 255.255.255.255
end
To add firewall policies
1 Enter the following command to add a destination NAT firewall policy that includes the
SIP proxy server virtual IP that allows Phone B (and other SIP phones on the Internet)
to send SIP request messages to the SIP proxy server.
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr all
set dstaddr SIP_Proxy_VIP
set action accept
set schedule always
set service SIP
set nat enable
set utm-status enable
set profile-protocol-options default
set voip-profile default
end


2 Enter the following command to add a source NAT firewall policy to allow the SIP proxy
server to send SIP request messages to Phone B and the Internet:
config firewall policy
edit 0
set srcintf port2
set dstintf port1
set srcaddr SIP_Proxy_Server
set dstaddr all
set action accept
set schedule always
set service SIP
set nat enable
set utm-status enable
set profile-protocol-options default
set voip-profile default
end

Additional SIP NAT scenarios
This section lists some additional SIP NAT scenarios.

Source NAT (SIP and RTP)
In the source NAT scenario shown in Figure 308, a SIP phone connects to the Internet
through a FortiGate unit with an IP address configured using PPPoE. The SIP ALG
translates all private IPs in the SIP contact header into public IPs.
You need to configure an internal to external SIP firewall policy with NAT selected, and
include a VoIP profile with SIP enabled.
Figure 308: SIP source NAT
(Figure nodes: SIP Proxy Server 217.10.79.9 and RTP Media Server 217.10.69.11 (the SIP service provider has a SIP server and a separate RTP server); Internet; 217.233.122.132; FortiGate Unit; 10.72.0.57.)

Destination NAT (SIP and RTP)
In the following destination NAT scenario, a SIP phone can connect through the FortiGate
unit to private IP address using a firewall virtual IP (VIP). The SIP ALG translates the SIP
contact header to the IP of the real SIP proxy server located on the Internet.


Figure 309: SIP destination NAT
(Figure nodes: SIP Proxy Server 217.10.79.9 and RTP Media Server 217.10.69.11 (the SIP service provider has a SIP server and a separate RTP server); Internet; 217.233.122.132; VIP 10.72.0.60; FortiGate Unit; 10.72.0.57.)

In the scenario shown in Figure 309, the SIP phone connects to a VIP (10.72.0.60). The
SIP ALG translates the SIP contact header to 217.10.79.9, opens RTP pinholes, and
manages NAT.
The FortiGate unit also supports a variation of this scenario where the RTP media server’s
IP address is hidden on a private network or DMZ.
Figure 310: SIP destination NAT-RTP media server hidden
(Figure nodes: RTP Media Server 192.168.200.99; 219.29.81.21; SIP Proxy Server 10.0.0.60; FortiGate Unit 217.233.90.60; Internet.)

In the scenario shown in Figure 310, a SIP phone connects to the Internet. The VoIP
service provider only publishes a single public IP. The FortiGate unit is configured with a
firewall VIP. The SIP phone connects to the FortiGate unit (217.233.90.60) and using the
VIP the FortiGate unit translates the SIP contact header to the SIP proxy server IP
address (10.0.0.60). The SIP proxy server changes the SIP/SDP connection information
(which tells the SIP phone which RTP media server IP it should contact) also to
217.233.90.60.

Source NAT with an IP pool
You can choose NAT with the Dynamic IP Pool option when configuring a firewall policy if
the source IP of the SIP packets is different from the interface IP. The FortiGate ALG
interprets this configuration and translates the SIP header accordingly.


This configuration also applies to destination NAT.

Different source and destination NAT for SIP and RTP
This is a more complex scenario that a SIP service provider may use. It can also be
deployed in large-scale SIP environments where RTP has to be processed by the
FortiGate unit and the RTP server IP has to be translated differently than the SIP
server IP.
Figure 311: Different source and destination NAT for SIP and RTP
(Figure nodes: RTP Servers 192.168.0.21 - 192.168.0.23; RTP Server 219.29.81.10; 219.29.81.20; SIP Server 10.0.0.60; RTP-1: 217.233.90.65; RTP-2: 217.233.90.70; SIP: 217.233.90.60; Internet.)

In this scenario, shown in Figure 311, assume there is a SIP server and a separate media
gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect
to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will connect to
217.233.90.65.
What happens is as follows:
1 The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact
header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
2 The SIP server carries out RTP to 217.233.90.65.
3 The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4 RTP is sent to the RTP-VIP (217.233.90.65). The FortiGate ALG translates the SIP
contact header to 192.168.0.21.

NAT with IP address conservation
In a source or destination NAT firewall policy that accepts SIP sessions, you can configure
the SIP ALG or the SIP session helper to preserve the original source IP address of the
SIP message in the i= line of the SDP profile. NAT with IP address conservation (also
called SIP NAT tracing) changes the contents of SIP messages by adding the source IP
address of the originator of the message into the SDP i= line of the SIP message. The
SDP i= line is used for free-form text. However, if your SIP server can retrieve information
from the SDP i= line, it can be useful for keeping a record of the source IP address of the
originator of a SIP message when operating in a NAT environment. You can use this
feature for billing purposes by extracting the IP address of the originator of the message.


Configuring SIP IP address conservation for the SIP ALG
You can use the following command to enable or disable SIP IP address conservation in a
VoIP profile for the SIP ALG. SIP IP address conservation is enabled by default in a VoIP
profile.
config voip profile
edit VoIP_Pro_1
config sip
set nat-trace disable
end
end
If the SIP message does not include an i= line and if the original source IP address of the
traffic (before NAT) was 10.31.101.20 then the FortiGate unit would add the following i=
line.
i=(o=IN IP4 10.31.101.20)
You can also use the preserve-override option to configure the SIP ALG to either add
the original o= line to the end of the i= line or replace the i= line in the original message
with a new i= line in the same form as above for adding a new i= line.
By default, preserve-override is disabled and the SIP ALG adds the original o= line
to the end of the original i= line. Use the following command to configure the SIP ALG to
replace the original i= line:
config voip profile
edit VoIP_Pro_1
config sip
set preserve-override enable
end
end

Configuring SIP IP address conservation for the SIP session helper
You can use the following command to enable or disable SIP IP address conservation for
the SIP session helper. IP address conservation is enabled by default for the SIP session
helper.
config system settings
set sip-nat-trace disable
end
If the SIP message does not include an i= line and if the original source IP address of the
traffic (before NAT) was 10.31.101.20 then the FortiGate unit would add the following i=
line.
i=(o=IN IP4 10.31.101.20)
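The i= line behaviour described for the SIP ALG (nat-trace with preserve-override) and for the SIP session helper (sip-nat-trace) is the same: the pre-NAT source address is recorded in the SDP as (o=IN IP4 address), appended to an existing i= line or written as a new one. The following Python is an added example written for this page, not FortiOS code, that applies that rule to a constructed copy of Phone A's INVITE after source NAT and reads the recorded address back, which is what a billing or logging system consuming the i= line would do. Where the handbook does not say where a new i= line is placed, this example puts it after the s= line, or after the o= line when there is no s=, following RFC 4566 line order; that placement, and appending the note without a separating space, are assumptions.

```python
import re

# Constructed sample: Phone A's INVITE after source NAT, as in the scenario above;
# the pre-NAT source address 10.31.101.20 no longer appears anywhere in it.
INVITE_AFTER_NAT = "\n".join([
    "INVITE sip:PhoneB@172.20.120.30 SIP/2.0",
    "Via: SIP/2.0/UDP 172.20.120.122:5060",
    "From: PhoneA <sip:PhoneA@172.20.120.122>",
    "To: PhoneB <sip:PhoneB@172.20.120.30>",
    "",
    "v=0",
    "o=PhoneA 5462346 332134 IN IP4 172.20.120.122",
    "c=IN IP4 172.20.120.122",
    "m=audio 49170 RTP 0 3",
])

# The note the handbook shows in the i= line: (o=IN IP4 <pre-NAT source address>).
TRACE_RE = re.compile(r"\(o=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})\)")

def add_nat_trace(message, original_src_ip, preserve_override=False):
    """Record the pre-NAT source address in the SDP i= line.

    No i= line: one is added after s= (or after o= when there is no s=); this
    placement follows RFC 4566 order and is an assumption, the handbook does not
    state it. Existing i= line: the note is appended to it, or, with
    preserve_override, the whole line is replaced by a fresh i= line."""
    note = f"(o=IN IP4 {original_src_ip})"
    lines = message.replace("\r\n", "\n").split("\n")
    if "" not in lines:
        raise ValueError("message has no SDP body")
    start = lines.index("") + 1          # first line after the blank separator
    body = lines[start:]
    for idx, line in enumerate(body):
        if line.startswith("i="):
            body[idx] = "i=" + note if preserve_override else line + note
            break
    else:
        anchor = next((j for j, l in enumerate(body) if l.startswith("s=")), None)
        if anchor is None:
            anchor = next((j for j, l in enumerate(body) if l.startswith("o=")), -1)
        body.insert(anchor + 1, "i=" + note)
    return "\n".join(lines[:start] + body)

def nat_trace_origin(message):
    """The pre-NAT originator address recorded by nat-trace, or None if absent."""
    for line in message.replace("\r\n", "\n").split("\n"):
        if line.startswith("i="):
            found = TRACE_RE.search(line)
            if found:
                return found.group(1)
    return None

if __name__ == "__main__":
    traced = add_nat_trace(INVITE_AFTER_NAT, "10.31.101.20")
    print(traced)
    print("originator:", nat_trace_origin(traced))
```

Because the i= line is free-form text, nat_trace_origin() only trusts the exact (o=IN IP4 ...) shape; anything else a phone or proxy put in that line is ignored rather than mistaken for a recorded address.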

Controlling how the SIP ALG NATs SIP contact header line addresses
You can enable contact-fixup so that the SIP ALG performs normal SIP NAT
translation to SIP contact headers as SIP messages pass through the FortiGate unit.
Disable contact-fixup if you do not want the SIP ALG to perform normal NAT
translation of the SIP contact header if a Record-Route header is also available. If
contact-fixup is disabled, the FortiGate ALG does the following with contact headers:
• For Contact in Requests, if a Record-Route header is present and the request comes
from the external network, the SIP Contact header is not translated.
• For Contact in Responses, if a Record-Route header is present and the response
comes from the external network, the SIP Contact header is not translated.

If contact-fixup is disabled, the SIP ALG must be able to identify the external network.
To identify the external network, you must use the config system interface
command to set the external keyword to enable for the interface that is connected to
the external network.
Enter the following command to perform normal NAT translation of the SIP contact
header:
config voip profile
edit VoIP_Pro_1
config sip
set contact-fixup enable
end
end

Controlling NAT for addresses in SDP lines
You can use the no-sdp-fixup option to control whether the FortiGate unit performs
NAT on addresses in SDP lines in the SIP message body.
The no-sdp-fixup option is disabled by default and the FortiGate unit performs NAT on
addresses in SDP lines. Enable this option if you don’t want the FortiGate unit to perform
NAT on the addresses in SDP lines.
config voip profile
edit VoIP_Pro_1
config sip
set no-sdp-fixup enable
end
end

Translating SIP session destination ports
Using port forwarding virtual IPs you can change the destination port of SIP sessions as
they pass through the FortiGate unit.
This section describes:
• Translating SIP sessions to a different destination port
• Translating SIP sessions to multiple destination ports
• Server load balancing with multiple SIP ports
Translating SIP sessions to a different destination port
To configure translating SIP sessions to a different destination port you must add a static
NAT virtual IP that translates the SIP destination port to another destination port. In the
example the destination port is translated from 5060 to 50601. This configuration can be
used if SIP sessions use different destination ports on different networks.


Figure 312: Example translating SIP sessions to a different destination port
(Figure nodes: IP Phone; Virtual Server IP Address 172.20.120.20, TCP Port 5060, on port1 172.20.120.1; SIP Server IP 192.168.10.20, TCP Port 50601, on port2.)
To translate SIP sessions to a different destination port
1 Add the static NAT virtual IP.
This virtual IP forwards traffic received at the port1 interface for IP address
172.20.120.20 and destination port 5060 to the SIP server at IP address
192.168.10.20 with destination port 50601.
config firewall vip
edit "sip_port_trans_vip"
set type static-nat
set portforward enable
set protocol tcp
set extip 172.20.120.20
set extport 5060
set extintf "port1"
set mappedip 192.168.10.20
set mappedport 50601
set comment "Translate SIP destination port"
end
2 Add a firewall policy that includes the virtual IP and the default VoIP profile.
config firewall policy
edit 1
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "sip_port_trans_vip"
set action accept
set schedule "always"
set service "ANY"
set utm-status enable
set profile-protocol-options default
set voip-profile default
set comments "Translate SIP destination port"
end

Translating SIP sessions to multiple destination ports
You can use a load balance virtual IP to translate SIP session destination ports to a range
of destination ports. In this example the destination port is translated from 5060 to the
range 50601 to 50603. This configuration can be used if your SIP server is configured to
receive SIP traffic on multiple ports.
Figure 313: Example translating SIP traffic to multiple destination ports
(Figure nodes: IP Phone; Virtual Server IP Address 172.20.120.20, TCP Port 5060, on port1 172.20.120.1; SIP Server IP 192.168.10.20, TCP Ports 50601, 50602 and 50603, on port2.)
To translate SIP sessions to multiple destination ports
1 Add the load balance virtual IP.
This virtual IP forwards traffic received at the port1 interface for IP address
172.20.120.20 and destination port 5060 to the SIP server at IP address
192.168.10.20 with destination ports 50601 to 50603.
config firewall vip
edit "sip_port_ldbl_vip"
set type load-balance
set portforward enable
set protocol tcp
set extip 172.20.120.20
set extport 5060
set extintf "port1"
set mappedip 192.168.10.20
set mappedport 50601-50603
set comment "Translate SIP destination port range"
end
2 Add a firewall policy that includes the virtual IP and VoIP profile.
config firewall policy
edit 1
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "sip_port_ldbl_vip"
set action accept
set schedule "always"
set service "ANY"
set utm-status enable
set profile-protocol-options default
set voip-profile default
set comments "Translate SIP destination port"
end

Server load balancing with multiple SIP ports
The scenario shown in Figure 314 consists of two real SIP servers connected to a
FortiGate unit. The IP phone can connect to the real servers using the virtual server IP
address. Each SIP server uses a different UDP port for SIP traffic.
Using the server load balancing virtual IP configuration described below, the FortiGate unit
load balances sessions for the 172.20.120.20 virtual server between the real SIP servers.
The UDP destination port of the sessions for the real server at 192.168.0.20 is translated
from 5060 to 50605. The UDP destination port of the sessions for the real server at
192.168.0.21 is translated from 5060 to 50610. If one of the real SIP servers fails, the
FortiGate unit forwards all traffic to the real SIP server that is still operating.
Note: This configuration uses the passive-sip load balancing health monitor that is
available only for FortiOS Carrier. The passive-sip load balancing health monitor only
works with some SIP servers (for example, Alcatel SIP servers).
Figure 314: Example server load balancing with multiple SIP ports configuration
(Figure nodes: IP Phone; Virtual Server IP Address 172.20.120.20, UDP Port 5060, on port1 172.20.120.1; real primary and secondary SIP servers 192.168.0.20 and 192.168.0.21, UDP Ports 50605 and 50610, on port2.)
To configure SIP load balancing you add SIP settings to an application control list and add
this application control list to a protection profile. You must also add a health monitor for
each of the real SIP servers and configure a server load balancing virtual IP that includes
these real servers.


General configuration steps
1 Enable SIP in an application control list and select the application control list in a
protection profile.
2 Add one passive SIP health monitor that can be used for both real SIP servers.
The passive-sip load balancing health monitor is available only for FortiOS Carrier.
The passive-sip load balancing health monitor only works with some SIP servers
(for example, Alcatel SIP servers).
3 Add a server load balancing virtual IP that uses first-alive load balancing. Configure the
virtual IP to use the passive SIP health monitor that you added in step 2.
Set server-type to udp.
Note: You must set server-type to udp to enable port forwarding.

Set ldb-method to first-alive.
Note: By setting ldb-method to first-alive, you can add the real servers to the virtual
IP in priority order. The first server has higher priority than the second one and so on. This
example includes two real servers but you can add up to 8 real servers to a virtual IP.

4 Add a firewall policy that includes the server load balancing virtual IP and the
protection profile that the SIP application control list has been added to.
To configure this example server load balancing with multiple SIP ports configuration
1 Add a passive-sip health monitor.
config firewall ldb-monitor
edit "sip_serv_mon"
set type passive-sip
set interval 30
end
The passive-sip load balancing health monitor is available only for FortiOS Carrier.
The passive-sip load balancing health monitor only works with some SIP servers
(for example, Alcatel SIP servers).
2 Add the server load balance virtual IP.
This virtual IP load balances traffic received at the port1 interface for IP address
172.20.120.20 to the real SIP server at 192.168.0.20 using destination port 50605.
If this SIP server fails, traffic fails over to the SIP server at 192.168.0.21 using
destination port 50610.
Use the first-alive load balancing method and the passive SIP health monitor that you
added in step 1.
config firewall vip
edit "sip_port_vip"
set type server-load-balance
set extip 172.20.120.20
set extintf "port1"
set server-type udp
set ldb-method first-alive
set monitor "sip_serv_mon"
config realservers
edit 1
set healthcheck enable
set ip 192.168.0.20
set port 50605
set monitor sip_serv_mon
next
edit 2
set healthcheck enable
set ip 192.168.0.21
set port 50610
set monitor sip_serv_mon
end
end
3 Add a firewall policy that includes the virtual IP and a VoIP profile.
config firewall policy
edit 1
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "sip_port_vip"
set action accept
set schedule "always"
set service "ANY"
set utm-status enable
set profile-protocol-options default
set voip-profile default
set comments "SIP multiple port translation"
end

Enhancing SIP pinhole security
You can use the strict-register option in a SIP VoIP profile to open smaller pinholes.
As shown in Figure 315, when a FortiGate unit is protecting a SIP server on a private
network, the FortiGate unit does not have to open a pinhole for the SIP server to send
INVITE requests to a SIP phone on the Internet after the SIP phone has registered with
the server.

Figure 315: FortiGate unit protecting a SIP server on a private network
[Figure: FortiGate unit in NAT/Route mode. Port1 172.20.120.141 faces the Internet and SIP Phone A (PhoneA@172.20.120.20); Port2 10.11.101.100 faces the SIP server 10.11.101.50. SIP server virtual IP: 172.20.120.50.]
1. Phone A sends a REGISTER message to the SIP server. Client IP: 172.20.120.20, Server IP: 172.20.120.50, Port: UDP (x,5060), REGISTER Contact: 172.20.120.20:y.
2. The FortiGate unit forwards the REGISTER message to the SIP server. Client IP: 172.20.120.20, Server IP: 10.11.101.50, Port: UDP (x,5060), REGISTER Contact: 172.20.120.20:y.
3. The SIP server sends a 200 OK response to Phone A.
4. The SIP server sends an INVITE request to Phone A.
5. The FortiGate unit accepts the session from the SIP server and forwards the INVITE request to Phone A.
In the example, a client (SIP Phone A) sends a REGISTER request to the SIP server with
the following information:
Client IP: 10.31.101.20
Server IP: 10.21.101.50
Port: UDP (x,5060)
REGISTER Contact: 10.31.101.20:y
Where x and y are ports chosen by Phone A.
As soon as the server sends the 200 OK reply it can forward INVITE requests from other
SIP phones to SIP Phone A. If the SIP proxy server uses the information in the
REGISTER message received from SIP Phone A, the INVITE messages sent to Phone A
will only get through the FortiGate unit if a policy has been added to allow the server to
send traffic from the private network to the Internet, or if the SIP ALG opens a pinhole
to allow traffic from the server to the Internet. In most cases the FortiGate unit is protecting
the SIP server, so there is no reason not to add a firewall policy that allows the SIP server to
send outbound traffic to the Internet.
In a typical SOHO scenario shown in Figure 316, SIP Phone A is being protected from the
Internet by a FortiGate unit. In most cases the FortiGate unit would not allow incoming
traffic from the Internet to reach the private network. So the only way that an INVITE
request from the SIP server can reach SIP Phone A is if the SIP ALG creates an incoming
pinhole. All pinholes have three attributes:
(source address, destination address, destination port)

Figure 316: SOHO configuration, FortiGate unit protecting a network with SIP phones
[Figure: FortiGate unit in NAT/Route mode. Port1 172.20.120.141 faces the Internet and the SIP proxy server 172.20.120.50; Port2 10.11.101.100 faces SIP Phone A (PhoneA@10.11.101.20).]
1. Phone A sends a REGISTER message to the SIP proxy server. Client IP: 10.11.101.20, Server IP: 172.20.120.50, Port: UDP (x,5060), REGISTER Contact: 10.11.101.20:y.
2. The FortiGate unit forwards the REGISTER message to the SIP proxy server.
3. The FortiGate unit opens a pinhole to accept sessions from the SIP server. If strict-register is enabled the pinhole is (172.20.120.50, 172.20.120.141, y). If strict-register is disabled the pinhole is (ANY, x, y).
4. The SIP proxy server sends a 200 OK response to Phone A.
5. The FortiGate unit accepts the response through the open pinhole and forwards the response to Phone A.

The more specific a pinhole is, the more secure it is, because it accepts less traffic. In
this situation the pinhole would be more secure if it only accepted traffic from the SIP
server. This is what happens if strict-register is enabled in the VoIP profile that
accepts the REGISTER request from Phone A: the pinhole is set up with the following
attributes
(SIP server IP address, client IP address, destination port)
If strict-register is disabled (the default configuration) the pinhole is set up with the
following attributes
(ANY IP address, client IP address, destination port)
This pinhole allows connections through the FortiGate unit from ANY source address,
which is a much bigger and less secure pinhole. In most similar network configurations
you should enable strict-register to improve pinhole security.
Enabling strict-register can cause problems when the SIP registrar and SIP proxy
server are separate entities with separate IP addresses.
Enter the following command to enable strict-register in a VoIP profile.
config voip profile
edit Profile_name
config sip
set strict-register enable
end
end
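To make the two pinhole shapes concrete, here is a small model, added for this page rather than taken from FortiOS, that opens the pinhole the way the text describes and tests inbound packets against it. It uses the addresses from Figure 316 (SIP proxy 172.20.120.50, FortiGate port1 172.20.120.141); the Contact port y and the inbound packets are constructed.

```python
"""Pinhole model for strict-register (added example, not FortiOS code)."""

from dataclasses import dataclass

ANY = "ANY"  # wildcard source of a pinhole opened with strict-register disabled

SIP_SERVER = "172.20.120.50"      # SIP proxy server on the Internet (Figure 316)
FORTIGATE_EXT = "172.20.120.141"  # port1 address that Phone A's REGISTER is NATed to
CONTACT_PORT_Y = 5062             # the "y" port from the REGISTER Contact (constructed)


@dataclass(frozen=True)
class Pinhole:
    """(source address, destination address, destination port), as on this page."""
    source: str
    destination: str
    dport: int


def open_pinhole(server_ip: str, client_ip: str, contact_port: int,
                 strict_register: bool) -> Pinhole:
    """Pinhole the ALG opens after forwarding a REGISTER.

    strict-register enabled : only the SIP server may use the pinhole.
    strict-register disabled: any source address may use it (the default).
    """
    return Pinhole(server_ip if strict_register else ANY, client_ip, contact_port)


def accepts(pinhole: Pinhole, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True if an inbound packet matches the pinhole."""
    return ((pinhole.source == ANY or pinhole.source == src_ip)
            and pinhole.destination == dst_ip
            and pinhole.dport == dst_port)


# Constructed inbound packets: (source IP, destination IP, destination port).
INBOUND = [
    (SIP_SERVER, FORTIGATE_EXT, CONTACT_PORT_Y),       # INVITE from the registrar, expected
    ("203.0.113.9", FORTIGATE_EXT, CONTACT_PORT_Y),    # unsolicited traffic from elsewhere
    (SIP_SERVER, FORTIGATE_EXT, CONTACT_PORT_Y + 1),   # wrong port, never matches
]


def evaluate(strict_register: bool) -> list:
    """Apply the pinhole opened under the given setting to each constructed packet."""
    hole = open_pinhole(SIP_SERVER, FORTIGATE_EXT, CONTACT_PORT_Y, strict_register)
    return [accepts(hole, *pkt) for pkt in INBOUND]


if __name__ == "__main__":
    for strict in (True, False):
        print("strict-register", "enable " if strict else "disable", evaluate(strict))
```

The second packet is the one the setting is about: with strict-register disabled the pinhole lets it through because the source is a wildcard; with strict-register enabled only the registrar's address matches.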

Hosted NAT traversal
With the increase in the use of VoIP and other media traffic over the Internet, service
provider network administrators must defend their networks from threats while allowing
voice and multimedia traffic to flow transparently between users and servers and among
users. A common scenario could involve providing SIP VoIP services for customers with
SIP phones installed behind NAT devices that are not SIP aware. NAT devices that are not
SIP aware cannot translate IP addresses in SIP headers and SDP lines in SIP packets, but
they can and do perform source NAT on the source addresses of the packets. In this
scenario the users' SIP phones would communicate with a SIP proxy server to set up calls
between SIP phones. Once the calls are set up, RTP packets would be exchanged
directly between the phones through each user's NAT device.
The problem with this configuration is that the SIP headers and SDP lines in the SIP
packets sent from the phones and received by the SIP proxy server would contain the
private network addresses of the VoIP phones, which are not routable on the service
provider network or on the Internet. One solution is for each customer to install
and configure SIP aware NAT devices. If this is not possible, another solution is to
implement hosted NAT traversal.
In a hosted NAT traversal (HNT) configuration (for example, see Figure 317), a FortiGate
unit is installed between the NAT device and the SIP proxy server and configured with a
VoIP profile that enables SIP hosted NAT traversal. Firewall policies that include the VoIP
profile also support destination NAT using a firewall virtual IP. When the SIP phones
connect to the SIP server IP address the firewall policy accepts the SIP packets, the virtual
IP translates the destination addresses of the packets to the SIP server IP address, and
the SIP ALG NAT traversal configuration translates the source IP addresses on the SIP
headers and SDP lines to the source address of the SIP packets (which would be the
external IP address of the NAT devices). The SIP server then sees the SIP phone IP
address as the external IP address of the NAT device. As a result SIP and RTP media
sessions are established using the external IP addresses of the NAT devices instead of
the actual IP addresses of the SIP phones.
Note: FortiGate units do not support SIP NAT traversal for two SIP UAs behind the same
FortiGate unit.

Figure 317: SIP Hosted NAT traversal
[Figure: a VoIP session controller (SIP server, for example a FortiGate Voice unit) on the service provider network. SIP Phone A (PhoneA@192.168.10.1) and SIP Phone B (PhoneB@192.168.20.1) each sit behind a NAT device that is not SIP aware. Each NAT device carries SIP + RTP to a FortiGate unit with SIP ALG configured for hosted NAT traversal, at 10.11.101.10 on Phone A's side and 10.21.101.20 on Phone B's side. The RTP media session runs directly between the two NAT devices.]
Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
The following address translation takes place to allow a SIP call from SIP Phone A to SIP
Phone B in Figure 317.
1 SIP Phone A sends a SIP INVITE message to the SIP server. Packet source IP address:
192.168.10.1, destination IP address: 10.21.101.10.
2 The SIP packets are received by the NAT device, which translates the source address
of the SIP packets from 192.168.10.1 to 10.11.101.20.
3 The SIP packets are received by the FortiGate unit, which translates the packet
destination IP address to 10.30.120.20. The SIP ALG also translates the IP address of
the SIP phone in the SIP header and SDP lines from 192.168.10.1 to 10.11.101.20.
4 The SIP server accepts the INVITE message and forwards it to SIP Phone B at IP
address 10.11.101.20. The SIP server has this address for SIP Phone B because SIP
packets from SIP Phone B have also been translated using the hosted NAT traversal
configuration of the SIP ALG.
5 When the SIP call is established, the RTP session is between 10.11.101.10 and
10.11.101.20 and does not pass through the FortiGate unit. The NAT devices
translate the destination address of the RTP packets to the private IP addresses of
the SIP phones.
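The header and SDP rewriting in step 3 can be illustrated with the following Python model. It is an added example, not FortiOS code: it assumes the ALG rewrites the Via and Contact headers and the SDP o= and c= lines, substituting the packet's source address (the NAT device's external address) for the phone's private address, and recomputes Content-Length afterwards. The destination NAT of the packet itself (virtual IP to the proxy's private address) is a firewall function and is left out. The INVITE is constructed using the addresses from Figure 317 and the steps above.

```python
"""Hosted NAT traversal rewrite of a SIP INVITE (added example, not FortiOS code)."""

import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
REWRITE_HEADERS = {"via", "contact"}   # headers that carry the phone's transport address
REWRITE_SDP = {"o", "c"}               # SDP lines that carry the phone's media address

PHONE_A_PRIVATE = "192.168.10.1"   # SIP Phone A behind its NAT device
NAT_A_EXTERNAL = "10.11.101.20"    # packet source as seen by the FortiGate unit (step 2)
PROXY_VIP = "10.21.101.10"         # SIP proxy server virtual IP (step 1)

# Constructed INVITE as Phone A sends it, still carrying its private address.
SAMPLE_SDP = (
    "v=0\r\n"
    f"o=phoneA 1 1 IN IP4 {PHONE_A_PRIVATE}\r\n"
    "s=call\r\n"
    f"c=IN IP4 {PHONE_A_PRIVATE}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = "\r\n".join([
    f"INVITE sip:phoneB@{PROXY_VIP} SIP/2.0",
    f"Via: SIP/2.0/UDP {PHONE_A_PRIVATE}:5060;branch=z9hG4bK776",
    f"From: <sip:phoneA@{PHONE_A_PRIVATE}>;tag=1928",
    f"To: <sip:phoneB@{PROXY_VIP}>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 INVITE",
    f"Contact: <sip:phoneA@{PHONE_A_PRIVATE}:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SAMPLE_SDP)}",
]) + "\r\n\r\n" + SAMPLE_SDP


def hnt_rewrite(message: str, packet_src_ip: str) -> str:
    """Replace the phone's address in Via/Contact and SDP o=/c= with packet_src_ip
    and recompute Content-Length so the body still parses at the SIP server."""
    head, sep, body = message.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in REWRITE_HEADERS:
            line = IPV4.sub(packet_src_ip, line)
        headers.append(line)
    sdp_lines = []
    for line in body.split("\r\n"):
        if len(line) > 1 and line[1] == "=" and line[0] in REWRITE_SDP:
            line = IPV4.sub(packet_src_ip, line)
        sdp_lines.append(line)
    new_body = "\r\n".join(sdp_lines)
    headers = [f"Content-Length: {len(new_body.encode())}"
               if h.lower().startswith("content-length:") else h for h in headers]
    return "\r\n".join(headers) + sep + new_body


def header_value(message: str, name: str) -> str:
    """Value of the first header called `name` (case-insensitive), or ''."""
    for line in message.partition("\r\n\r\n")[0].split("\r\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""


def media_address(message: str) -> str:
    """Connection address from the SDP c= line: where the far end will send RTP."""
    for line in message.partition("\r\n\r\n")[2].split("\r\n"):
        if line.startswith("c="):
            return line.split()[-1]
    return ""


def content_length_ok(message: str) -> bool:
    """True if the Content-Length header matches the actual body size."""
    head, _, body = message.partition("\r\n\r\n")
    declared = header_value(head, "Content-Length")
    return declared.isdigit() and int(declared) == len(body.encode())


if __name__ == "__main__":
    print(hnt_rewrite(SAMPLE_INVITE, NAT_A_EXTERNAL))
```

After the rewrite the SIP server learns 10.11.101.20 as Phone A's signalling and media address, which is exactly the address the NAT device will translate back to 192.168.10.1 for the RTP stream in step 5. The To and Request-URI lines are untouched because they name the called party, not the sender.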

General configuration steps
The following general configuration steps are required for this destination NAT SIP
configuration.
1 Add a VoIP profile that enables hosted NAT traversal.
2 Add a SIP proxy server firewall virtual IP.
3 Add a firewall address for the SIP proxy server on the private network.
4 Add a destination NAT firewall policy that accepts SIP sessions from the Internet
destined for the SIP proxy server virtual IP and translates the destination address to
the IP address of the SIP proxy server on the private network.
5 Add a firewall policy that accepts SIP sessions initiated by the SIP proxy server and
destined for the Internet.

Configuration steps - CLI
To add a VoIP profile that enables hosted NAT traversal
1 Enter the following command to add a VoIP profile named HNT that enables hosted
NAT traversal. This command shows how to clone the default VoIP profile and enable
hosted NAT traversal.
config voip profile
clone default to HNT
edit HNT
config sip
set hosted-nat-traversal enable
end
end
To add the SIP proxy server firewall virtual IP and firewall address
2 Enter the following command to add the SIP proxy server firewall virtual IP.
config firewall vip
edit SIP_Proxy_VIP
set type static-nat
set extip 10.21.101.10
set mappedip 10.30.120.20
set extintf port1
end
3 Enter the following command to add the SIP proxy server firewall address.
config firewall address
edit SIP_Proxy_Server
set associated-interface port2
set type ipmask
set subnet 10.30.120.20 255.255.255.255
end
To add firewall policies
1 Enter the following command to add a destination NAT firewall policy that includes the
SIP proxy server virtual IP that allows Phone A to send SIP request messages to the
SIP proxy server.
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr all
set dstaddr SIP_Proxy_VIP
set action accept
set schedule always
set service SIP
set nat enable
set utm-status enable
set profile-protocol-options default
set voip-profile HNT
end

2 Enter the following command to add a source NAT firewall policy to allow the SIP proxy
server to send SIP request messages to Phone B:
config firewall policy
edit 0
set srcintf port2
set dstintf port1
set srcaddr SIP_Proxy_Server
set dstaddr all
set action accept
set schedule always
set service SIP
set nat enable
set utm-status enable
set profile-protocol-options default
set voip-profile default
end

Restricting the RTP source IP
Use the following command in a VoIP profile to restrict the RTP source IP to be the same
as the SIP source IP when hosted NAT traversal is enabled.
config voip profile
edit VoIP_HNT
config sip
set hosted-nat-traversal enable
set hnt-restrict-source-ip enable
end
end

SIP over IPv6
FortiGate units operating in NAT/Route and in Transparent mode support SIP over IPv6.
The SIP ALG can process SIP messages that use IPv6 addresses in the headers, bodies,
and in the transport stack. The SIP ALG cannot modify the IPv6 addresses in the SIP
headers so FortiGate units cannot perform SIP or RTP NAT over IPv6 and also cannot
translate between IPv6 and IPv4 addresses.
In the scenario shown in Figure 318, a SIP phone connects to the Internet through a
FortiGate unit. The phone and the SIP and RTP servers all have IPv6 addresses.

The FortiGate unit has IPv6 firewall policies that accept SIP sessions. The SIP ALG
understands IPv6 addresses and can forward IPv6 sessions to their destinations. Using
SIP application control features the SIP ALG can also apply rate limiting and other settings
to SIP sessions.
Figure 318: SIP support for IPv6
[Figure: a SIP phone with an IPv6 address connects across the Internet to a FortiGate unit with IPv6 addresses and an IPv6 firewall policy, and through it to a SIP server and an RTP server that both have IPv6 addresses.]

To enable SIP support for IPv6 add an IPv6 firewall policy that accepts SIP packets and
includes a VoIP profile.

Deep SIP message inspection
Deep SIP message syntax inspection (also called Deep SIP header inspection or SIP
fuzzing protection) provides protection against malicious SIP messages by applying SIP
header and SDP profile syntax checking. SIP Fuzzing attacks can be used by attackers to
discover and exploit vulnerabilities of a SIP entity (for example a SIP proxy server). Most
often these attacks could crash or compromise the SIP entity.
Figure 319: Deep SIP message inspection
[Figure: flow chart of the FortiCarrier SIP parser. For each SIP message it checks the Request-line, then the following SIP header fields: Allow, Call-ID, Contact, Content-Length, Content-Type, CSeq, Expires, From, Max-Forwards, P-Asserted-Identity, RAck, Record-Route, Route, RSeq, To, Via; then all SDP profile lines. Header and body length checks are configurable and logging of message violations is optional. A compliant message passes. When a malformed header field is detected: if the configured action is "Pass", the next header field is checked; if the configured action is "Respond", a SIP client error response (400 Bad Request or 413 Request entity too large) is returned and the message is discarded; otherwise the message is discarded.]
Deep SIP message inspection checks the syntax of each SIP header and SDP profile line
to make sure they conform to the syntax defined in the relevant RFC and IETF standard.
You can also configure the SIP ALG to inspect for:
• Unknown SIP message types (message types not defined in a SIP RFC). This option is
enabled by default and can be disabled. When enabled, unknown message types are
discarded. Configured using the block-unknown option.
• Unknown line types (message line types that are not defined in any SIP or SDP RFC).
Configured using the unknown-header option.
• Messages that are longer than a configured maximum size. Configured using the
max-body-length option.
• Messages that contain one or more lines that are longer than a set maximum line length
(default 998 characters). Configured using the max-line-length option.

Actions taken when a malformed message line is found
When a malformed message line or other error is found, the SIP ALG can be configured to
discard the message containing the error, pass the message without any other action, or
respond to the message with a 400 Bad Request or 413 Request entity too large client
error SIP response message and then discard the message. (For information about client
error SIP response messages, see "Client error" on page 1906.)
If a message line is longer than the configured maximum, the SIP ALG sends the following
message:
SIP/2.0 413 Request Entity Too Large, <optional_info>
If a message line is incorrect or an unknown message line is found, the SIP ALG sends
the following message:
SIP/2.0 400 Bad Request, <optional_info>
The <optional_info> provides more information about why the message was rejected.
For example, if the SIP ALG finds a malformed Via header line, the response message
may be:
SIP/2.0 400 Bad Request, malformed Via header
If the SIP ALG finds a malformed message line and the action for this message line type
is discard, the message is discarded with no further checking or responses. If the action is
pass, the SIP ALG continues parsing the SIP message for more malformed message
lines. If the action is respond, the SIP ALG sends the SIP response message and discards
the message containing the malformed line with no further checking or response. If only
malformed message line types with action set to pass are found, the SIP ALG extracts as
much information as possible from the message (for example, for NAT and opening
pinholes) and forwards the message to its destination.
If a SIP message containing a malformed line is discarded, the SIP ALG will not use the
information in the message for call processing. This could result in the call being
terminated. If a malformed line in a SIP message includes information required for the SIP
call that the SIP ALG cannot interpret (for example, if an IP address required for SIP NAT
is corrupted), the SIP ALG may not be able to continue processing the call and it could be
terminated. Discarded messages are counted by the SIP ALG message counters.

Logging and statistics
To record a log message each time the SIP ALG finds a malformed header, enable logging
SIP violations in a VoIP profile. In all cases, when the SIP ALG finds an error the FortiGate
unit records a malformed header log message that contains information about the error.
This happens even if the action is set to pass.

If, because of recording log messages for deep message inspection, the CPU
performance is affected by a certain amount, the FortiGate unit records a critical log
message about this event and stops writing log messages for deep SIP message
inspection.
The following information is recorded in malformed header messages:
• The type of message line in which the error was found.
• The content of the message line in which the error was found (it will be truncated if it
makes the log message too long).
• The column or character number in which the error was found (to make it easier to
determine what caused the error).

Recommended configurations
Because of the risks posed by SIP header attacks or incorrect data being allowed, and
because selecting discard or respond does not require more CPU overhead than pass, you
would normally want to set all tests to discard or respond. However, in some cases
malformed lines may be less of a threat or risk. For example, the SDP i= line does not usually
contain information that is parsed by any SIP device, so a malformed i= line may not pose a
threat.
You can also use the pre-defined VoIP profiles to apply different levels of deep message
inspection. The default VoIP profile sets all deep message inspection options to pass and
the strict VoIP profile sets all deep message inspection options to discard. From the CLI
you can use the clone command to copy these pre-defined VoIP profiles and then
customize them for your requirements.

Configuring deep SIP message inspection
You configure deep SIP message inspection in a VoIP profile. All deep SIP message
inspection options are available only from the CLI.
Enter the following command to configure deep SIP message inspection to discard
messages with malformed Request-lines (the first line in a SIP request message):
config voip profile
edit VoIP_Pro_Name
config sip
set malformed-request-line respond
end
end
Note: You cannot configure message inspection for the Status-line, which is the first line in
a SIP response message.

Table 134 lists the SIP header lines that the SIP ALG can inspect and the CLI command
for configuring the action for each line type. The table also lists the RFC that the header
line is defined in.
Table 134: SIP header lines that the SIP ALG can inspect for syntax errors
SIP Header line        VoIP profile option                    RFC
Allow                  malformed-header-allow                 RFC 3261
Call-ID                malformed-header-call-id               RFC 3261
Contact                malformed-header-contact               RFC 3261
Content-Length         malformed-header-content-length        RFC 3261
Content-Type           malformed-header-content-type          RFC 3261
CSeq                   malformed-header-cseq                  RFC 3261
Expires                malformed-header-expires               RFC 3261
From                   malformed-header-from                  RFC 3261
Max-Forwards           malformed-header-max-forwards          RFC 3261
P-Asserted-Identity    malformed-header-p-asserted-identity   RFC 3325
RAck                   malformed-header-rack                  RFC 3262
Record-Route           malformed-header-record-route          RFC 3261
Route                  malformed-header-route                 RFC 3261
RSeq                   malformed-header-rseq                  RFC 3262
To                     malformed-header-to                    RFC 3261
Via                    malformed-header-via                   RFC 3261

Table 135 lists the SDP profile lines that the SIP ALG inspects and the CLI command for
configuring the action for each line type. SDP profile lines are defined by RFC 4566 and
RFC 2327.
Table 135: SDP profile lines that the SIP ALG can inspect for syntax errors
Attribute    VoIP profile option
a=           malformed-header-a
b=           malformed-header-b
c=           malformed-header-c
i=           malformed-header-i
k=           malformed-header-k
m=           malformed-header-m
o=           malformed-header-o
r=           malformed-header-r
s=           malformed-header-s
t=           malformed-header-t
v=           malformed-header-v
z=           malformed-header-z

Discarding SIP messages with some malformed header and body lines
Enter the following command to configure deep SIP message inspection to discard SIP
messages with a malformed Via line, a malformed Route line or a malformed m= line, but to
pass messages with a malformed i= line or a malformed Max-Forwards line:
config voip profile
edit VoIP_Pro_Name
config sip
set malformed-header-via discard
set malformed-header-route discard
set malformed-header-m discard
set malformed-header-i pass
set malformed-header-max-forwards pass
end
end

Discarding SIP messages with an unknown SIP message type
Enter the following command to discard SIP messages with an unknown SIP message
line type as defined in all current SIP RFCs:
config voip profile
edit VoIP_Pro_Name
config sip
set unknown-header discard
end
end

Discarding SIP messages that exceed a message size
Enter the following command to set the maximum size of a SIP message to 200 bytes.
Messages longer than 200 bytes are discarded.
config voip profile
edit VoIP_Pro_Name
config sip
set max-body-length 200
end
end
The max-body-length option checks the value in the SIP Content-Length header line to
determine body length. The Content-Length can be larger than the actual size of a SIP
message if the SIP message content is split over more than one packet. SIP message
sizes vary widely. The size of a SIP message can also change with the addition of Via and
Record-Route headers as the message is transmitted between users and SIP servers.

Discarding SIP messages with lines longer than 500 characters
Enter the following command to set the length of a SIP message line to 500 characters
and to block messages that include lines with 500 or more characters:
config voip profile
edit VoIP_Pro_Name
config sip
set max-line-length 500
set block-long-lines enable
end
end
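The inspection and action logic described under "Actions taken when a malformed message line is found", together with the unknown-header, max-body-length, max-line-length and block-long-lines settings configured in the examples above, can be modelled as follows. This is an added example, not FortiOS code: the per-header and per-SDP-line syntax rules are simplified stand-ins for the RFC 3261 and RFC 4566 grammars, the profile keys mirror the VoIP profile option names (missing keys default to pass, like the default profile), an over-length line gets a 413 response and an over-size body is discarded, and every violation is logged with the line type, truncated content and, for long lines, the column, as the logging section describes. The INVITE it inspects is constructed.

```python
"""Deep SIP message inspection model (added example, not FortiOS code)."""

import re

KNOWN_HEADERS = {"allow", "call-id", "contact", "content-length", "content-type",
                 "cseq", "expires", "from", "max-forwards", "p-asserted-identity",
                 "rack", "record-route", "route", "rseq", "to", "via"}
KNOWN_SDP = set("abcikmorstvz") | set("epu")  # Table 135 plus e=, p=, u= (RFC 4566)
URI = r"\*|(.*<)?sips?:[^\s>]+(>.*)?"          # simplified name-addr / addr-spec
HEADER_RULES = {                                # simplified stand-ins for RFC 3261 ABNF
    "via": re.compile(r"SIP/2\.0/(UDP|TCP|TLS|SCTP) [^\s;]+(;[^\s;]+)*", re.I),
    "cseq": re.compile(r"\d+ [A-Z]+"), "call-id": re.compile(r"\S+"),
    "content-length": re.compile(r"\d+"), "max-forwards": re.compile(r"\d+"),
    "expires": re.compile(r"\d+"), "from": re.compile(URI),
    "to": re.compile(URI), "contact": re.compile(URI),
}
SDP_RULES = {                                   # simplified stand-ins for RFC 4566 ABNF
    "v": re.compile(r"0"), "o": re.compile(r"\S+ \S+ \S+ IN IP[46] \S+"),
    "c": re.compile(r"IN IP[46] \S+"), "m": re.compile(r"\S+ \d+ \S+( \S+)*"),
    "t": re.compile(r"\d+ \d+"),
}
REQUEST_LINE = re.compile(r"[A-Z]+ \S+ SIP/2\.0")
NONEMPTY = re.compile(r".+")
BAD_REQUEST = "SIP/2.0 400 Bad Request, "
TOO_LARGE = "SIP/2.0 413 Request Entity Too Large, "


def sample_invite(via="SIP/2.0/UDP 192.168.10.1:5060;branch=z9hG4bK776", extra=()) -> str:
    """Constructed INVITE; `via` and `extra` let a caller inject faults."""
    sdp = ("v=0\r\no=phoneA 1 1 IN IP4 192.168.10.1\r\ns=call\r\n"
           "c=IN IP4 192.168.10.1\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
    headers = ["INVITE sip:phoneB@10.21.101.10 SIP/2.0", f"Via: {via}",
               "From: <sip:phoneA@192.168.10.1>;tag=1928", "To: <sip:phoneB@10.21.101.10>",
               "Call-ID: a84b4c76e66710", "CSeq: 1 INVITE", "Max-Forwards: 70",
               "Contact: <sip:phoneA@192.168.10.1:5060>", *extra,
               "Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]
    return "\r\n".join(headers) + "\r\n\r\n" + sdp


def strict_profile() -> dict:
    """Like the pre-defined strict profile: every inspection option set to discard."""
    keys = ["malformed-request-line", "unknown-header"]
    keys += [f"malformed-header-{k}" for k in KNOWN_HEADERS | KNOWN_SDP]
    return {k: "discard" for k in keys}


def inspect(message: str, profile: dict) -> dict:
    """Inspect one SIP message. Returns {'verdict': 'forward'|'discard'|'respond',
    'response': str|None, 'log': [...]}. Missing profile keys default to pass."""
    log = []
    result = {"verdict": "forward", "response": None, "log": log}

    def violation(line_type, line, action, response=None, column=None) -> bool:
        # Logged in every case, even when the action is pass.
        log.append({"type": line_type, "content": line[:60], "column": column})
        if action == "discard":
            result["verdict"] = "discard"
        elif action == "respond":
            result.update(verdict="respond", response=response)
        return action != "pass"  # True: stop parsing, the message is dropped

    act = lambda key: profile.get(key, "pass")
    head, _, body = message.partition("\r\n\r\n")
    head_lines = head.split("\r\n")
    body_lines = body.rstrip("\r\n").split("\r\n") if body else []
    max_len = profile.get("max-line-length", 998)
    if profile.get("block-long-lines"):
        for line in head_lines + body_lines:
            if len(line) > max_len and violation(
                    "line-length", line, "respond", TOO_LARGE + "line too long", max_len + 1):
                return result
    first = head_lines[0]
    if not first.startswith("SIP/2.0 ") and not REQUEST_LINE.fullmatch(first):  # Status-lines are not inspected
        if violation("request-line", first, act("malformed-request-line"),
                     BAD_REQUEST + "malformed Request-line"):
            return result
    for line in head_lines[1:]:
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or name not in KNOWN_HEADERS:
            if violation("unknown-header", line, act("unknown-header"), BAD_REQUEST + "unknown header"):
                return result
        elif not HEADER_RULES.get(name, NONEMPTY).fullmatch(value):
            if violation(name, line, act(f"malformed-header-{name}"),
                         BAD_REQUEST + f"malformed {name.title()} header"):
                return result
        elif name == "content-length" and 0 < profile.get("max-body-length", 0) < int(value):
            if violation("body-length", line, "discard"):  # over-size messages are discarded
                return result
    for line in body_lines:
        if len(line) < 2 or line[1] != "=" or line[0] not in KNOWN_SDP:
            if violation("unknown-line", line, act("unknown-header"), BAD_REQUEST + "unknown SDP line"):
                return result
        elif not SDP_RULES.get(line[0], NONEMPTY).fullmatch(line[2:]):
            if violation(f"{line[0]}=", line, act(f"malformed-header-{line[0]}"),
                         BAD_REQUEST + f"malformed {line[0]}= line"):
                return result
    return result
```

Running `inspect(sample_invite(via="SIP/2.0/UDP"), {"malformed-header-via": "respond"})` yields the 400 response quoted earlier on this page, while the same message under an empty (pass-everything) profile is forwarded with one log entry, and under `strict_profile()` it is silently discarded at the first fault.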

Blocking SIP request messages
You may want to block different types of SIP requests:
• to prevent SIP attacks using these messages.
• if your SIP server cannot process some SIP messages because of a temporary issue
(for example a bug that crashes or compromises the server when it receives a
message of a certain type).
• if your SIP implementation does not use certain message types.

When you enable message blocking for a message type in a VoIP profile, whenever a
firewall policy containing the VoIP profile accepts a SIP message of this type, the SIP ALG
silently discards the message and records a log message about the action.
Use the following command to configure a VoIP profile to block SIP CANCEL and UPDATE
request messages:
config voip profile
edit VoIP_Pro_Name
config sip
set block-cancel enable
set block-update enable
end
end
SIP uses a variety of text-based messages or requests to communicate information about
SIP clients and servers to the various components of the SIP network. Since SIP requests
are simple text messages and since the requests or their replies can contain information
about network components on either side of the FortiGate unit, it may be a security risk to
allow these messages to pass through.
Table 136 lists all of the VoIP profile SIP request message blocking options. All of these
options are disabled by default.
Table 136: Options for blocking SIP request messages
SIP request message    SIP message blocking CLI Option
ACK                    block-ack
BYE                    block-bye
Cancel                 block-cancel
INFO                   block-info
INVITE                 block-invite
Message                block-message
Notify                 block-notify
Options                block-options
PRACK                  block-prack
Publish                block-publish
Refer                  block-refer
Register               block-register
Subscribe              block-subscribe
Update                 block-update
SIP rate limiting
SIP rate limiting provides a configurable threshold for SIP message rates per request
method. It protects SIP servers from SIP overload and DoS attacks.
Figure 320: SIP rate limiting
[Figure: SIP requests of the methods INVITE, REGISTER, SUBSCRIBE, NOTIFY, REFER, UPDATE, OPTIONS, MESSAGE, ACK, PRACK and INFO pass through SIP message rate limitation: individually configurable per SIP method; when the threshold is hit, additional messages with this method are discarded; prevents the SIP server from being overloaded by flash crowds or Denial-of-Service attacks; some methods may be blocked entirely (with the extra "block" option); can be disabled (unlimited rate).]
FortiGate units support rate limiting for the following types of VoIP traffic:
• Session Initiation Protocol (SIP)
• Skinny Call Control Protocol (SCCP) (most versions)
• Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions
(SIMPLE).

You can use rate limiting of these VoIP protocols to protect the FortiGate unit and your
network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting protects
against SIP DoS attacks by limiting the number of SIP REGISTER and INVITE requests
that the FortiGate unit receives per second. Rate limiting protects against SCCP DoS
attacks by limiting the number of SCCP call setup messages that the FortiGate unit
receives per minute.
You configure rate limiting for a message type by specifying a limit for the number of
messages that can be received per second. The rate is limited per firewall policy. When
VoIP rate limiting is enabled for a message type, if a single firewall policy accepts more
messages per second than the configured rate, the extra messages are dropped and log
messages are written when the messages are dropped.
Use the following command to configure a VoIP profile to limit the number of INVITE
messages accepted by each firewall policy that the VoIP profile is added to, to 100 INVITE
messages a second:
config voip profile
edit VoIP_Pro_Name
config sip
set invite-rate 100
end
end
If you are experiencing denial of service attacks from traffic using these VoIP protocols,
you can enable VoIP rate limiting and limit the rates for your network. Limit the rates
depending on the amount of SIP and SCCP traffic that you expect the FortiGate unit to be
handling. You can adjust the settings if some calls are lost or if the amount of SIP or SCCP
traffic is affecting FortiGate unit performance.
Table 137 lists all of the VoIP profile SIP rate limiting options. All of these options are set to
0, so they are disabled by default.
Table 137: Options for SIP rate limiting
SIP request message    Rate limiting CLI option
ACK                    ack-rate
BYE                    bye-rate
CANCEL                 cancel-rate
INFO                   info-rate
INVITE                 invite-rate
MESSAGE                message-rate
NOTIFY                 notify-rate
OPTIONS                options-rate
PRACK                  prack-rate
PUBLISH                publish-rate
REFER                  refer-rate
REGISTER               register-rate
SUBSCRIBE              subscribe-rate
UPDATE                 update-rate

Limiting the number of SIP dialogs accepted by a firewall policy
In addition to limiting the rates for receiving SIP messages, you can use the following
command to limit the number of SIP dialogs (or SIP calls) that the FortiGate unit accepts.
config voip profile
edit VoIP_Pro_Name
config sip
set max-dialogs 2000
end
end
This command sets the maximum number of SIP dialogs that can be open for SIP
sessions accepted by any firewall policy that you add the VoIP profile to. The default
setting of 0 does not limit the number of dialogs. You can add a limit to control the number
of open dialogs and raise and lower it as required. You might want to limit the number of
open dialogs for protection against SIP-based attackers opening large numbers of SIP
dialogs. Every dialog takes memory and FortiGate CPU resources to process. Limiting the
number of dialogs may improve the overall performance of the FortiGate unit. Limiting the
number of dialogs will not drop calls in progress but may prevent new calls from
connecting.
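The per-policy rate meters and the max-dialogs cap described above, as an added example in Python (not FortiOS code): a model of the accounting the SIP ALG performs, with the counters laid out like the output of diag sys sip-proxy meters. The profile keys follow the CLI option names (invite-rate, register-rate, max-dialogs); the one-second window, the Call-ID based dialog tracking, the policy ids and the simulated INVITE flood are assumptions made for the example.

```python
"""Model of per-policy SIP rate limiting and max-dialogs, after the FortiOS
VoIP profile options and the counters of "diag sys sip-proxy meters".
Added example, not FortiOS code: the one-second window, the Call-ID based
dialog tracking and the flood below are assumptions made for illustration."""

SIP_METHODS = ("ACK", "BYE", "CANCEL", "INFO", "INVITE", "MESSAGE", "NOTIFY",
               "OPTIONS", "PRACK", "PUBLISH", "REFER", "REGISTER",
               "SUBSCRIBE", "UPDATE")


class Meter:
    """One counter row: rate (messages in the current second), peak, max
    (0 = no limit), count (accepted) and drop, as in the diag output."""

    def __init__(self, limit=0):
        self.max = limit
        self.rate = self.peak = self.count = self.drop = 0
        self._second = None

    def offer(self, now):
        """Account one message arriving at time `now` (seconds). Returns
        True when it is within the limit, False when it must be dropped."""
        second = int(now)
        if second != self._second:           # a new one-second window
            self._second, self.rate = second, 0
        if self.max and self.rate >= self.max:
            self.drop += 1
            return False
        self.rate += 1
        self.count += 1
        self.peak = max(self.peak, self.rate)
        return True

    def __str__(self):
        return "rate %d peak %d max %d count %d drop %d" % (
            self.rate, self.peak, self.max, self.count, self.drop)


class PolicyMeters:
    """Meters for one firewall policy. Limits are per policy, so two
    policies that share a VoIP profile get independent counters."""

    def __init__(self, policy_id, profile):
        self.policy_id = policy_id
        # profile keys follow the CLI names, e.g. {"invite-rate": 100}
        self.meters = {m: Meter(profile.get(m.lower() + "-rate", 0))
                       for m in SIP_METHODS}
        self.meters["UNKNOWN"] = Meter()
        self.dialog_limit = profile.get("max-dialogs", 0)
        self.dialogs = set()                 # open dialogs, keyed by Call-ID

    def accept(self, request_line, now, call_id):
        """Apply the method's rate limit, then the dialog limit, to one
        request. Returns 'accept', 'drop-rate' or 'drop-dialogs'."""
        method = request_line.split(" ", 1)[0].upper()
        meter = self.meters.get(method, self.meters["UNKNOWN"])
        if not meter.offer(now):
            return "drop-rate"
        if method == "INVITE" and call_id not in self.dialogs:
            # max-dialogs refuses new calls; calls in progress are untouched
            if self.dialog_limit and len(self.dialogs) >= self.dialog_limit:
                return "drop-dialogs"
            self.dialogs.add(call_id)
        elif method == "BYE":
            self.dialogs.discard(call_id)    # the dialog is closed
        return "accept"

    def dump(self):
        """Render the counters in the layout of the diag command."""
        lines = ["sip policy: %d" % self.policy_id,
                 "sip dialogs: %d" % len(self.dialogs),
                 "sip dialog-limit: %d" % self.dialog_limit]
        lines += ["sip %s: %s" % (name, m) for name, m in self.meters.items()]
        return "\n".join(lines)


def simulate_flood(invite_rate=100, max_dialogs=2000, invites=250):
    """Send `invites` distinct INVITEs through one policy inside a single
    second (constructed traffic): only `invite_rate` of them get through."""
    pm = PolicyMeters(1, {"invite-rate": invite_rate, "max-dialogs": max_dialogs})
    for i in range(invites):
        pm.accept("INVITE sip:bob@example.net SIP/2.0", 10.0 + i / 1000.0,
                  "call-%d@attacker.example" % i)
    return pm


if __name__ == "__main__":
    print(simulate_flood().dump())
```

Running the module floods one policy with 250 INVITEs in one second against an invite-rate of 100: the INVITE row ends with count 100 and drop 150, and only 100 dialogs are opened. A BYE frees its dialog slot, and a retransmitted INVITE for an already open Call-ID does not count as a new dialog, which is why max-dialogs refuses new calls without touching calls in progress.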

SIP logging and DLP archiving
You can enable SIP logging, logging of SIP violations, and SIP DLP archiving in a VoIP
profile. To record SIP log messages you must also enable VoIP event logging in the
FortiGate unit event logging configuration.
To view SIP log messages go to Log & Report > Log Access > Event.
To view SIP DLP archive messages go to Log & Report > Archive Access > VoIP.
Use the following command to enable SIP call summary logging and logging of SIP
violations in a VoIP profile:
config voip profile
edit VoIP_Pro_Name
config sip
set log-call-summary enable
set log-violations enable
end
end

SIP and HA: session failover and geographic redundancy
FortiGate high availability supports SIP session failover (also called stateful failover) for
active-passive HA. To support SIP session failover, create a standard HA configuration
and select the Enable Session Pick-up option.
SIP session failover replicates SIP states to all cluster units. If an HA failover occurs, all in
progress SIP calls (setup complete) and their RTP flows are maintained and the calls will
continue after the failover with minimal or no interruption.
SIP calls being set up at the time of a failover may lose signaling messages. In most cases
the SIP clients and servers should use message retransmission to complete the call setup
after the failover has completed. As a result, SIP users may experience a delay if their
calls are being set up when an HA failover occurs, but in most cases the call setup
should be able to continue after the failover.
Figure 321: SIP HA session failover
(Diagram: a primary site and an optional secondary site, each with a FortiOS/FortiCarrier unit of active and standby blades behind a floating MAC/IP, connected over GE links through Ethernet/VPLS switches (1) and (2) to the SIP servers; the active and standby blades are joined by a heartbeat link and the two sites by a SIP interconnect.)

SIP geographic redundancy
FortiOS maintains an active-standby SIP server configuration, which can even be
geographically distributed. If the active SIP server fails (missing SIP heartbeat messages or
SIP traffic), FortiOS redirects the SIP traffic to a secondary SIP server.
Figure 322: SIP geographic redundancy
(Diagram: a primary SIP server and a secondary SIP server, each sending SIP heartbeats (SIP OPTIONS) to the SIP signaling firewall. Callouts: "SIP is forwarded to primary SIP Server, as long as it's successfully sending heartbeats" and "In the case of SIP heartbeat absence, the SFW will forward the SIP traffic to the secondary SIP Server.")

Supporting geographic redundancy when blocking OPTIONS messages
For some geographically redundant SIP configurations, the SIP servers may use SIP
OPTIONS messages as heartbeats to notify the FortiGate unit that they are still operating
(or alive). This is a kind of passive SIP monitoring mechanism: the FortiGate unit does not
actively monitor the SIP servers and instead passively receives and analyzes the OPTIONS
messages that the SIP servers send.
If FortiGate units block SIP OPTIONS messages because block-options is enabled,
the configuration may fail to operate correctly because the heartbeat OPTIONS messages
are blocked by one or more FortiGate units.
However, you can work around this problem by enabling the block-geo-red-options
VoIP profile option. This option causes the FortiGate unit to refresh the local SIP server
status when it receives an OPTIONS message and then drop the message. The end result
is that the heartbeat signals between geographically redundant SIP servers are
maintained but OPTIONS messages do not pass through the FortiGate unit.
Use the following command to block OPTIONS messages while still supporting
geographic redundancy:
config voip profile
edit VoIP_Pro_Name
config sip
set block-options disable
set block-geo-red-options enable
end
end


Note: The block-options option setting overrides the block-geo-red-options
option. If block-options is enabled the FortiGate unit only blocks SIP OPTIONS
messages and does not refresh local SIP server status.

Support for RFC 2543-compliant branch parameters
RFC 3261 is the most recent SIP RFC and obsoletes RFC 2543. However, some SIP
implementations may still make RFC 2543-compliant SIP calls.
The rfc2543-branch VoIP profile option allows the FortiGate unit to support SIP calls
that include an RFC 2543-compliant branch parameter in the SIP Via header. This option
also allows FortiGate units to support SIP calls that include Via headers that are missing
the branch parameter.
config voip profile
edit VoIP_Pro_Name
config sip
set rfc2543-branch enable
end
end

Multiple RTP server redundancy, health monitoring, and failover
configuration
The scenario shown in Figure 323 consists of two real RTP servers connected to a
FortiGate unit. The IP phone can connect to the real servers using either of the virtual
server IP addresses.
Using the server load balancing virtual IP configuration described below, the FortiGate unit
forwards packets for the 172.20.120.20 virtual server to the real server at 192.168.0.20
and packets for the virtual server at 172.20.120.21 to the real server at 192.168.0.21. If
one of the real servers fails, the FortiGate unit forwards all traffic to the real RTP server
that is still operating.
Note: Because the IP phone can connect to two external IP addresses (172.20.120.20 and
172.20.120.21) you need two virtual server virtual IPs. However, the number of virtual IPs
does not have to match the number of real servers. In most cases you would have one
virtual IP load balancing to multiple real servers.


Figure 323: Example RTP server health monitoring and failover configuration
(Diagram: an IP phone reaches the virtual server IP addresses 172.20.120.20 and 172.20.120.21 through port1 (172.20.120.1); the FortiGate unit forwards the traffic out port2 to the real primary and secondary RTP servers at 192.168.0.20 and 192.168.0.21.)
To configure SIP load balancing you add a VoIP profile to the firewall policies that accept
the SIP traffic. You must also add a health monitor for the real RTP servers and configure
server load balancing virtual IPs that include these real servers.
You must add two server load balancing virtual IPs that use the first-alive load balancing
method, one for each virtual server. Each load balancing virtual IP includes both real
servers. In this configuration the 172.20.120.20 virtual IP primary real server IP address is
192.168.0.20 and the 172.20.120.21 virtual IP primary real server IP address is
192.168.0.21.
General configuration steps
1 Add a passive SIP health monitor that can be used for both real RTP servers.
The passive-sip load balancing health monitor is available only for FortiOS Carrier.
The passive-sip load balancing health monitor only works with some SIP servers
(such as Alcatel SIP servers).
2 Add two server load balancing virtual IPs that use first-alive load balancing. Configure
the virtual IPs to use the passive SIP health monitor that you added in step 1.
Set server-type to ip.
Note: By setting server-type to ip you do not have to use the extport keyword to
define the port for the traffic to be load balanced. This also means that all traffic will be load
balanced. Even though RTP traffic uses multiple ports, you could set server-type to udp
or http and use the extport keyword to specify the SIP port in the virtual IP. RTP
sessions are created through expectation sessions which are initiated by SIP traffic, so the
FortiGate unit does not use the extport definition to control the RTP traffic. As long as the
SIP traffic can work using the settings in the virtual IPs defined with udp or tcp
server-type, RTP traffic will be able to go through the FortiGate unit.

Set ldb-method to first-alive.
Note: By setting ldb-method to first-alive, you can add the real servers to the virtual
IP in priority order. The first server has higher priority than the second one and so on. This
example includes two real servers but you can add up to 8 real servers to a virtual IP.


3 Add two firewall policies, one for each virtual IP, that also include a VoIP profile.
To configure this example server health monitoring and failover configuration
1 Add a passive-sip health monitor.
config firewall ldb-monitor
edit "sip_serv_mon"
set type passive-sip
end
The passive-sip load balancing health monitor is available only for FortiOS Carrier.
The passive-sip load balancing health monitor only works with some SIP servers
(for example, Alcatel SIP servers).
2 Add the 172.20.120.20 server load balance virtual IP.
This virtual IP forwards traffic received at the port1 interface for IP address
172.20.120.20 to the real RTP server at 192.168.0.20. If this RTP server fails, traffic
fails over to the RTP server at 192.168.0.21.
Use the first-alive load balancing method and the passive SIP health monitor that you
added in step 1.
config firewall vip
edit "sip_health_20_vip"
set type server-load-balance
set extip 172.20.120.20
set extintf "port1"
set server-type ip
set ldb-method first-alive
set monitor sip_serv_mon
config realservers
edit 1
set ip 192.168.0.20
next
edit 2
set ip 192.168.0.21
end
end
3 Add the 172.20.120.21 server load balance virtual IP.
This virtual IP forwards traffic received at the port1 interface for IP address
172.20.120.21 to the real RTP server at 192.168.0.21. If this RTP server fails, traffic
fails over to the RTP server at 192.168.0.20.
Use the first-alive load balancing method and the passive SIP health monitor that you
added in step 1.
config firewall vip
edit "sip_health_21_vip"
set type server-load-balance
set extip 172.20.120.21
set extintf "port1"
set server-type ip
set ldb-method first-alive
set monitor sip_serv_mon
config realservers
edit 1
set ip 192.168.0.21
next
edit 2
set ip 192.168.0.20
end
end
4 Add firewall policies that include the virtual IPs and a VoIP profile.
config firewall policy
edit 1
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "sip_health_20_vip"
set action accept
set schedule "always"
set service "ANY"
set utm-status enable
set profile-protocol-options default
set voip-profile default
set comments "port1 - port2 SIP primary-secondary 172.20.120.20"
next
edit 2
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "sip_health_21_vip"
set action accept
set schedule "always"
set service "ANY"
set utm-status enable
set profile-protocol-options default
set voip-profile default
set comments "port1 - port2 SIP primary-secondary 172.20.120.21"
next
end
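The passive heartbeat logic of the SIP geographic redundancy section, the precedence rule in its Note (block-options overrides block-geo-red-options) and the first-alive selection over a priority-ordered server list used by the virtual IPs above, as one added example in Python (not FortiOS code). The server addresses, the 30-second heartbeat timeout and the failover timeline are assumptions made for the example.

```python
"""Passive SIP heartbeat tracking with first-alive server selection and the
OPTIONS-blocking rules of a FortiOS VoIP profile. Added example, not FortiOS
code; the timeout, the server addresses and the scenario are assumptions."""


class SipServerPool:
    """Servers are listed in priority order (primary first), like the real
    servers of a first-alive virtual IP."""

    def __init__(self, servers, heartbeat_timeout=30.0,
                 block_options=False, block_geo_red_options=False):
        self.servers = list(servers)
        self.timeout = heartbeat_timeout
        self.block_options = block_options
        self.block_geo_red_options = block_geo_red_options
        self.last_seen = {s: None for s in self.servers}  # last OPTIONS time

    def alive(self, server, now):
        """A server is alive while its last heartbeat is within the timeout."""
        seen = self.last_seen[server]
        return seen is not None and now - seen <= self.timeout

    def select(self, now):
        """first-alive: the highest-priority server with a fresh heartbeat,
        or None when every server has gone silent."""
        for server in self.servers:
            if self.alive(server, now):
                return server
        return None

    def on_request(self, src, method, now):
        """Decide what to do with one SIP request from `src`: 'forward' or
        'drop'. Only OPTIONS is special: with block-options the message is
        dropped and server status is NOT refreshed (it overrides
        block-geo-red-options); with block-geo-red-options the status is
        refreshed first and the message is then dropped; with neither the
        heartbeat is refreshed and the message passes."""
        if method != "OPTIONS":
            return "forward"
        if self.block_options:
            return "drop"
        if src in self.last_seen:
            self.last_seen[src] = now        # the passive heartbeat refresh
        return "drop" if self.block_geo_red_options else "forward"


def failover_scenario():
    """Constructed timeline: both servers heartbeat at t=0, only the secondary
    keeps beating, then the primary returns. Returns the pool and the server
    chosen at t=5, t=35 and t=45."""
    pool = SipServerPool(["10.1.1.10", "10.2.2.10"], heartbeat_timeout=30.0,
                         block_geo_red_options=True)
    chosen = []
    pool.on_request("10.1.1.10", "OPTIONS", 0.0)
    pool.on_request("10.2.2.10", "OPTIONS", 0.0)
    chosen.append(pool.select(5.0))          # primary is fresh
    pool.on_request("10.2.2.10", "OPTIONS", 20.0)
    chosen.append(pool.select(35.0))         # primary stale: secondary
    pool.on_request("10.1.1.10", "OPTIONS", 40.0)
    chosen.append(pool.select(45.0))         # primary is back
    return pool, chosen


if __name__ == "__main__":
    print(failover_scenario()[1])
```

The scenario prints the primary, then the secondary while the primary's heartbeat is stale, then the primary again once it resumes sending OPTIONS, all without an OPTIONS message ever being forwarded. Setting block_options=True on the same pool drops the heartbeats without refreshing last_seen, so every server eventually looks dead, which is the failure mode the Note warns about.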

SIP debugging
SIP debug log format
Assuming that diagnose debug console timestamp enable has been set, the following
shows the debug output generated for an INVITE when diag debug appl sip -1 is
enabled:
2010-01-04 21:39:59 sip port 26 locate session for 192.168.2.134:5061 -> 172.16.67.192:5060
2010-01-04 21:39:59 sip sess 0x979df38 found for 192.168.2.134:5061 -> 172.16.67.192:5060
2010-01-04 21:39:59 sip port 26 192.168.2.134:5061 -> 172.16.67.192:5060
2010-01-04 21:39:59 sip port 26 read [(0,515)
(494e56495445207369703a73657276696365403139322e3136382e322e3130303a35303630205349502f322e300d0
a5669613a205349502f322e302f554450203132372e302e312e313a353036313b6272616e63683d7a39684734624b2
d363832372d3632302d300d0a46726f6d3a2073697070203c7369703a73697070403132372e302e312e313a3530363
13e3b7461673d363832375349507054616730303632300d0a546f3a20737574203c7369703a7365727669636540313
9322e3136382e322e3130303a353036303e0d0a43616c6c2d49443a203632302d36383237403132372e302e312e310
d0a435365713a203120494e564954450d0a436f6e746163743a207369703a73697070403132372e302e312e313a353
036310d0a4d61782d466f7277617264733a2037300d0a5375626a6563743a20506572666f726d616e6365205465737
40d0a436f6e74656e742d547970653a206170706c69636174696f6e2f7364700d0a436f6e74656e742d4c656e67746
83a20203132390d0a0d0a763d300d0a6f3d7573657231203533363535373635203233353336383736333720494e204


95034203132372e302e312e310d0a733d2d0d0a633d494e20495034203132372e302e312e310d0a743d3020300d0a6
d3d617564696f2036303031205254502f41565020300d0a613d7274706d61703a302050434d552f383030300d0a)(INVITE
sip:service@192.168.2.100:5060 SIP/2.0..Via: SIP/2.0/UDP
127.0.1.1:5061;branch=z9hG4bK-6827-620-0..From: sipp
<sip:sipp@127.0.1.1:5061>;tag=6827SIPpTag00620..To: sut
<sip:service@192.168.2.100:5060>..Call-ID: 620-6827@127.0.1.1..CSeq: 1
INVITE..Contact: sip:sipp@127.0.1.1:5061..Max-Forwards: 70..Subject: Performance
Test..Content-Type: application/sdp..Content-Length: 129....v=0..o=user1 53655765
2353687637 IN IP4 127.0.1.1..s=-..c=IN IP4 127.0.1.1..t=0 0..m=audio 6001 RTP/AVP
0..a=rtpmap:0 PCMU/8000..)]
2010-01-04 21:39:59 sip port 26 len 515
2010-01-04 21:39:59 sip port 26 INVITE '192.168.2.100:5060' addr 192.168.2.100:5060
2010-01-04 21:39:59 sip port 26 CSeq: 1 INVITE
2010-01-04 21:39:59 sip port 26 Via: UDP 127.0.1.1:5061 len 14 received 0 rport 0 0 branch
'z9hG4bK-6827-620-0'
2010-01-04 21:39:59 sip port 26 From: 'sipp <sip:sipp@127.0.1.1:5061>;tag=6827SIPpTag00620' URI
'sip:sipp@127.0.1.1:5061' tag '6827SIPpTag00620'
2010-01-04 21:39:59 sip port 26 To: 'sut <sip:service@192.168.2.100:5060>' URI 'sip:service@192.168.2.100:5060' tag ''
2010-01-04 21:39:59 sip port 26 Call-ID: '620-6827@127.0.1.1'
2010-01-04 21:39:59 sip port 26 Contact: '127.0.1.1:5061' addr 127.0.1.1:5061 expires 0
2010-01-04 21:39:59 sip port 26 Content-Length: 129 len 3
2010-01-04 21:39:59 sip port 26 sdp o=127.0.1.1 len=9
2010-01-04 21:39:59 sip port 26 sdp c=127.0.1.1 len=9
2010-01-04 21:39:59 sip port 26 sdp m=6001 len=4
2010-01-04 21:39:59 sip port 26 find call 0 '620-6827@127.0.1.1'
2010-01-04 21:39:59 sip port 26 not found
2010-01-04 21:39:59 sip port 26 call 0x97a47c0 open (collision (nil))
2010-01-04 21:39:59 sip port 26 call 0x97a47c0 open txn 0x979f7f8 INVITE dir 0
2010-01-04 21:39:59 sip port 26 sdp i: 127.0.1.1:6001
2010-01-04 21:39:59 sip port 26 policy id 1 is_client_vs_policy 1 policy_dir_rev 0
2010-01-04 21:39:59 sip port 26 policy 1 not RTP policy
2010-01-04 21:39:59 sip port 26 learn sdp from stream address
2010-01-04 21:39:59 sip port 26 call 0x97a47c0 sdp 172.16.67.198:43722
2010-01-04 21:39:59 sip port 26 call 0x97a47c0 txn 0x979f7f8 127.0.1.1:5061 find new address
and port
2010-01-04 21:39:59 sip port 26 call 0x97a47c0 txn 0x979f7f8 127.0.1.1:5061 find new address
and port
2010-01-04 21:39:59 sip port 26 call 0x97a47c0 txn 0x979f7f8 127.0.1.1:5061 find new address
and port
2010-01-04 21:39:59 sip port 30 write 192.168.2.134:5061 -> 172.16.67.192:5060 (13,539)
2010-01-04 21:39:59 sip port 30 write [(13,539)
(494e56495445207369703a73657276696365403137322e31362e36372e3139323a35303630205349502f322e300d0
a5669613a205349502f322e302f554450203137322e31362e36372e3139383a35323036353b6272616e63683d7a396
84734624b2d363832372d3632302d300d0a46726f6d3a2073697070203c7369703a73697070403137322e31362e363
72e3139383a34333732343e3b7461673d363832375349507054616730303632300d0a546f3a20737574203c7369703
a73657276696365403137322e31362e36372e3139323a353036303e0d0a43616c6c2d49443a203632302d363832374
03132372e302e312e310d0a435365713a203120494e564954450d0a436f6e746163743a207369703a7369707040313
7322e31362e36372e3139383a34333732350d0a4d61782d466f7277617264733a2037300d0a5375626a6563743a205
06572666f726d616e636520546573740d0a436f6e74656e742d547970653a206170706c69636174696f6e2f7364700
d0a436f6e74656e742d4c656e6774683a20203133380d0a0d0a763d300d0a6f3d75736572312035333635353736352
03233353336383736333720494e20495034203137322e31362e36372e3139380d0a733d2d0d0a633d494e204950342
03137322e31362e36372e3139380d0a743d3020300d0a6d3d617564696f203433373232205254502f41565020300d0
a613d7274706d61703a302050434d552f383030300d0a)(INVITE sip:service@172.16.67.192:5060
SIP/2.0..Via: SIP/2.0/UDP 172.16.67.198:52065;branch=z9hG4bK-6827-620-0..From: sipp
<sip:sipp@172.16.67.198:43724>;tag=6827SIPpTag00620..To: sut <sip:service@172.16.67.192:5060>..Call-ID: 620-6827@127.0.1.1..CSeq: 1 INVITE..Contact:
sip:sipp@172.16.67.198:43725..Max-Forwards: 70..Subject: Performance Test..Content-Type:
application/sdp..Content-Length: 138....v=0..o=user1 53655765 2353687637 IN IP4
172.16.67.198..s=-..c=IN IP4 172.16.67.198..t=0 0..m=audio 43722 RTP/AVP 0..a=rtpmap:0
PCMU/8000..)]
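The trace above shows the INVITE the ALG read and the INVITE it wrote; the Via branch check it performs is the one the rfc2543-branch section describes. Both as one added example in Python (not FortiOS code): a small SIP request parser that classifies the Via branch as RFC 3261 (magic cookie present), RFC 2543 style (branch without the cookie) or missing, and that lists exactly which fields the ALG rewrote between the two messages. The two INVITEs are transcribed from the trace, with CRLF line endings and the angle brackets around the From/To URIs restored and the Max-Forwards and Subject headers omitted for brevity; the hex dump in the trace is the authority for their content.

```python
"""Parse the SIP requests from the "diag debug application sip" trace above,
classify the Via branch (RFC 3261, RFC 2543 style or missing) and list the
fields the SIP ALG rewrote between the INVITE it read and the one it wrote.
Added example, not FortiOS code. The INVITEs are transcribed from the trace
(CRLF and the <> around the From/To URIs restored, Max-Forwards and Subject
omitted)."""
MAGIC_COOKIE = "z9hG4bK"   # RFC 3261 branch prefix

def parse_sip(raw):
    """(method, request_uri, headers, body); headers: lower-cased name -> values."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, request_uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if int(headers["content-length"][0]) != len(body):
        raise ValueError("Content-Length does not match the body")
    return method, request_uri, headers, body

def via_branch(via_value):
    """The branch parameter of a Via value, or None when it is absent."""
    for param in via_value.split(";")[1:]:
        key, _, val = param.strip().partition("=")
        if key.lower() == "branch":
            return val
    return None

def via_branch_kind(via_value):
    """'rfc3261': branch starts with the magic cookie; 'rfc2543': branch without
    it; 'missing': no branch. The last two need rfc2543-branch enabled."""
    branch = via_branch(via_value)
    if branch is None:
        return "missing"
    return "rfc3261" if branch.startswith(MAGIC_COOKIE) else "rfc2543"

def sdp_fields(body):
    """o= and c= addresses and the m= port of an SDP body."""
    sdp = dict(l.split("=", 1) for l in body.split("\r\n") if "=" in l)
    return {"o_addr": sdp["o"].split()[-1], "c_addr": sdp["c"].split()[-1],
            "m_port": int(sdp["m"].split()[1])}

def alg_rewrites(before, after):
    """{field: (old, new)} for each field that differs between the request the
    ALG read and the one it wrote; unchanged fields are left out."""
    method1, uri1, h1, b1 = parse_sip(before)
    method2, uri2, h2, b2 = parse_sip(after)
    if method1 != method2:
        raise ValueError("an ALG must not change the method")
    sent_by = lambda via: via.split(";")[0].split()[-1]      # "host:port"
    fields = {"request-uri": (uri1, uri2), "content-length": (len(b1), len(b2)),
              "via-sent-by": (sent_by(h1["via"][0]), sent_by(h2["via"][0])),
              "via-branch": (via_branch(h1["via"][0]), via_branch(h2["via"][0]))}
    for name in ("from", "to", "call-id", "cseq", "contact"):
        fields[name] = (h1[name][0], h2[name][0])
    s1, s2 = sdp_fields(b1), sdp_fields(b2)
    fields.update(("sdp-" + k, (s1[k], s2[k])) for k in s1)
    return {k: v for k, v in fields.items() if v[0] != v[1]}

INVITE_IN = """INVITE sip:service@192.168.2.100:5060 SIP/2.0
Via: SIP/2.0/UDP 127.0.1.1:5061;branch=z9hG4bK-6827-620-0
From: sipp <sip:sipp@127.0.1.1:5061>;tag=6827SIPpTag00620
To: sut <sip:service@192.168.2.100:5060>
Call-ID: 620-6827@127.0.1.1
CSeq: 1 INVITE
Contact: sip:sipp@127.0.1.1:5061
Content-Type: application/sdp
Content-Length: 129

v=0
o=user1 53655765 2353687637 IN IP4 127.0.1.1
s=-
c=IN IP4 127.0.1.1
t=0 0
m=audio 6001 RTP/AVP 0
a=rtpmap:0 PCMU/8000
""".replace("\n", "\r\n")

INVITE_OUT = """INVITE sip:service@172.16.67.192:5060 SIP/2.0
Via: SIP/2.0/UDP 172.16.67.198:52065;branch=z9hG4bK-6827-620-0
From: sipp <sip:sipp@172.16.67.198:43724>;tag=6827SIPpTag00620
To: sut <sip:service@172.16.67.192:5060>
Call-ID: 620-6827@127.0.1.1
CSeq: 1 INVITE
Contact: sip:sipp@172.16.67.198:43725
Content-Type: application/sdp
Content-Length: 138

v=0
o=user1 53655765 2353687637 IN IP4 172.16.67.198
s=-
c=IN IP4 172.16.67.198
t=0 0
m=audio 43722 RTP/AVP 0
a=rtpmap:0 PCMU/8000
""".replace("\n", "\r\n")
```

Calling alg_rewrites(INVITE_IN, INVITE_OUT) reports the Request-URI, the Via sent-by, From, To and Contact, the SDP o= and c= addresses, the m= port (6001 to 43722, the RTP expectation the trace logs as "sdp 172.16.67.198:43722") and the Content-Length; the Call-ID, CSeq and the Via branch are untouched, which is what lets the endpoints match retransmissions and responses to the original transaction. via_branch_kind on either Via returns "rfc3261" because the branch starts with z9hG4bK; a branch without the cookie or no branch at all is the case the rfc2543-branch option exists for.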

SIP-proxy filter per VDOM
You can use the diagnose sys sip-proxy xxx command in a VDOM to get info
about how SIP is operating in each VDOM.

SIP-proxy filter command
Use the diagnose system sip-proxy filter command to filter diagnose information for the
SIP ALG. The following filters are available:
diag sys sip-proxy filter vd
diag sys sip-proxy filter dst-addr4
diag sys sip-proxy filter dst-addr6
diag sys sip-proxy filter dst-port
diag sys sip-proxy filter identity-policy
diag sys sip-proxy filter negate
diag sys sip-proxy filter policy
diag sys sip-proxy filter policy-type
diag sys sip-proxy filter profile-group
diag sys sip-proxy filter src-addr4
diag sys sip-proxy filter src-addr6
diag sys sip-proxy filter src-port
diag sys sip-proxy filter vd
diag sys sip-proxy filter voip-profile
You can clear, view and negate/invert the sense of a filter using these commands:
diag sys sip-proxy filter clear
diag sys sip-proxy filter list
diag sys sip-proxy filter negate

SIP debug log filtering
You can filter by VDOM/IP/PORT and by policy and VoIP profile. The filtering can be
controlled by:
diagnose system sip-proxy log-filter
The list of filters is:
diag sys sip-proxy log-filter vd
diag sys sip-proxy log-filter dst-addr4
diag sys sip-proxy log-filter dst-addr6
diag sys sip-proxy log-filter dst-port
diag sys sip-proxy log-filter identity-policy
diag sys sip-proxy log-filter policy
diag sys sip-proxy log-filter policy-type
diag sys sip-proxy log-filter profile-group
diag sys sip-proxy log-filter src-addr4
diag sys sip-proxy log-filter src-addr6
diag sys sip-proxy log-filter src-port
diag sys sip-proxy log-filter vd
diag sys sip-proxy log-filter voip-profile
You can clear, view and negate/invert the sense of a filter using these commands:
diag sys sip-proxy log-filter clear
diag sys sip-proxy log-filter list
diag sys sip-proxy log-filter negate

SIP debug setting
Control of the SIP debug output is governed by the following command:
diagnose debug application sip <debug_level_int>
where <debug_level_int> is a bitmask whose individual bits determine whether the listed
items are logged. The <debug_level_int> bits are:
1 - configuration changes, mainly addition/deletion/modification of virtual domains
2 - (TCP) connection accepts or connects, redirect creation
4 - create or delete a session
16 - any IO read or write
32 - an ASCII dump of all data read or written
64 - include a HEX dump in the above output


128 - any activity related to the use of the FortiCarrier dynamic profile feature to determine
the correct profile-group to use
256 - log summary of interesting fields in a SIP call
1024 - any activity related to SIP geo-redundancy.
2048 - any activity related to HA syncing of SIP calls.

SIP test commands
Use the following command to control or inspect the behavior of the SIP ALG:
diagnose test application sip <test_level_int>
where <test_level_int> can be:
1 - Display memory statistics summary
2 - Display all memory statistics
3 - Display debug consoles
4 - Display all SIP redirects
20 - Display SIP per-policy configurations
21 - Display SIP VoIP profiles
22 - Display SIP meters
23 - Display SIP VIPs
24 - Display SIP RTP policies
30 - Display SIP stats summary
31 - Display per VDOM SIP stats
50 - Display all SIP idle calls
51 - Display all SIP sessions
70 - Start measuring scheduler times
71 - Stop measuring scheduler times
72 - Display scheduler times
99 - Restart SIP -- this will drop all SIP calls as well as all IM and SCCP

Display SIP rate-limit data
You can use the diagnose sys sip-proxy meters command to display SIP rate
limiting data.
In the following command output, rate 1 shows that the current (over the last second)
measured rate for INVITE, ACK and BYE was 1 per second, peak 1 shows that the peak
rate recorded is 1 per second, max 0 shows that no maximum limit is set, count 18
indicates that 18 messages were received and drop 0 indicates that none were dropped
for being over the limit.
diag sys sip-proxy meters
sip
sip vd: 0
sip policy: 1
sip identity-policy: 0
sip policy-type: IPv4
sip profile-group:
sip dialogs: 18
sip dialog-limit: 0
sip UNKNOWN: rate 0 peak 0 max 0 count 0 drop 0
sip ACK: rate 1 peak 1 max 0 count 18 drop 0
sip BYE: rate 1 peak 1 max 0 count 18 drop 0
sip CANCEL: rate 0 peak 0 max 0 count 0 drop 0
sip INFO: rate 0 peak 0 max 0 count 0 drop 0
sip INVITE: rate 1 peak 1 max 0 count 18 drop 0
sip MESSAGE: rate 0 peak 0 max 0 count 0 drop 0
sip NOTIFY: rate 0 peak 0 max 0 count 0 drop 0
sip OPTIONS: rate 0 peak 0 max 0 count 0 drop 0
sip PRACK: rate 0 peak 0 max 0 count 0 drop 0
sip PUBLISH: rate 0 peak 0 max 0 count 0 drop 0
sip REFER: rate 0 peak 0 max 0 count 0 drop 0
sip REGISTER: rate 0 peak 0 max 0 count 0 drop 0
sip SUBSCRIBE: rate 0 peak 0 max 0 count 0 drop 0
sip UPDATE: rate 0 peak 0 max 0 count 0 drop 0
sip PING: rate 0 peak 0 max 0 count 0 drop 0
sip YAHOOREF: rate 0 peak 0 max 0 count 0 drop 0

Chapter 18 WAN Optimization, Web
Cache, Explicit Proxy, and WCCP
This FortiOS Handbook chapter contains the following sections:
WAN optimization, web cache, and web proxy concepts: Provides an overview of
FortiGate WAN optimization best practices and technologies and some of the concepts
and rules for using them. We recommend that you begin with this chapter before
attempting to configure your FortiGate unit to use WAN optimization.
WAN optimization and Web cache storage: Describes how to configure WAN optimization
storage settings to control how data is stored for web caching and byte caching.
WAN optimization peers and authentication groups: Describes how to use WAN
optimization peers and authentication groups to control access to WAN optimization
tunnels.
Configuring WAN optimization rules: Provides basic configuration for WAN optimization
rules, including adding rules, organizing rules in the rule list and using WAN optimization
addresses. This chapter also explains how WAN optimization accepts sessions, as well as
how and when you can apply UTM features to WAN optimization traffic.
WAN optimization configuration examples: Describes basic active-passive and peer-to-peer WAN optimization configuration examples. This chapter is a good place to start
learning how to put an actual WAN optimization network together.
Web caching: Describes how WAN optimization web caching works to cache different
session types, including HTTPS, and includes web caching configuration examples.
Advanced configuration example: Provides a configuration example that combines WAN
optimization, web caching, out-of-path WAN optimization, and the use of multiple VDOMs
to apply UTM features to sessions being optimized.
SSL offloading for WAN optimization and web caching: Describes how to offload SSL
processing from web sites to FortiGate units to improve WAN performance for
SSL-protected web sites on a WAN.
FortiClient WAN optimization: Describes how FortiGate and FortiClient WAN optimization
work together and includes an example configuration.
The FortiGate explicit web proxy: Describes the FortiGate web proxy and how to add web
caching to a proxy configuration. This chapter includes guidance to pass to end-users
when they need to configure their web browsers to use the proxy.
FortiGate WCCP: Describes FortiGate WCCP and how to configure WCCP and the
WCCP client.
WAN optimization, web cache and WCCP get and diagnose commands: describes get
and diagnose commands available for troubleshooting WAN optimization, web cache, and
WCCP.


WAN optimization, web cache, and
web proxy concepts
FortiGate WAN optimization consists of a number of techniques that you can apply to
improve the efficiency of communication across your WAN. These techniques include
protocol optimization, byte caching, web caching, SSL offloading, and secure tunnelling.
Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP,
or MAPI protocol, as well as general TCP traffic. Byte caching caches files and other data
on FortiGate units to reduce the amount of data transmitted across the WAN. Web caching
stores web pages on FortiGate units to reduce latency and delays between the WAN and
web servers. SSL offloading offloads SSL decryption and encryption from web servers
onto FortiGate SSL acceleration hardware. Secure tunnelling secures traffic as it crosses
the WAN.
You can apply different combinations of these WAN optimization techniques to a single
traffic stream depending on the traffic type. For example, you can apply byte caching and
secure tunneling to any TCP traffic. For HTTP traffic, you can also apply protocol
optimization and web caching.
Web proxy is a feature related to WAN optimization and web caching. You can configure a
FortiGate unit to be a web proxy server. Users on your internal network can browse the
Internet through the FortiGate web proxy server. If your FortiGate unit supports web
caching, you can add web caching to the web proxy.
This chapter describes:
• WAN optimization topologies
• Explicit Web proxy topology
• WCCP topology
• WAN optimization client/server architecture
• WAN optimization tunnels
• Protocol optimization
• Byte caching
• WAN optimization and HA
• Monitoring WAN optimization

WAN optimization topologies
This section describes some common WAN optimization topologies:
• “Basic WAN optimization topologies” on page 1982
• “Out-of-path topology” on page 1982
• “Web-cache-only WAN optimization” on page 1984
• “WAN optimization with web caching” on page 1985
• “WAN optimization and web caching with FortiClient peers” on page 1986


Basic WAN optimization topologies
The basic FortiGate WAN optimization topology consists of two FortiGate units operating
as WAN optimization peers intercepting and optimizing traffic crossing the WAN between
the private networks.
Figure 324: Security device and WAN optimization topology
(Diagram: two private networks, each behind a FortiGate unit that provides security and WAN optimization, joined across the WAN by a WAN optimization tunnel.)

As shown in Figure 324, the FortiGate units can be deployed as security devices that
protect private networks connected to the WAN and also perform WAN optimization. In
this configuration, the FortiGate units are configured as typical security devices for the
private networks and are also configured for WAN optimization. The WAN optimization
configuration intercepts traffic to be optimized as it passes through the FortiGate unit and
uses a WAN optimization tunnel with another FortiGate unit to optimize the traffic that
crosses the WAN.
As shown in Figure 325, you can also deploy WAN optimization on single-purpose
FortiGate units that only perform WAN optimization. In Figure 325, the WAN optimization
FortiGate units are located on the WAN outside of the private networks. You can also
install the WAN optimization FortiGate units behind the security devices on the private
networks.
Figure 325: Single-purpose WAN optimization topology
(Diagram: each private network sits behind a security device; separate single-purpose WAN optimization FortiGate units on the WAN side of the security devices are joined by a WAN optimization tunnel.)

The WAN optimization configuration is the same for FortiGate units deployed as security
devices and for single-purpose WAN optimization FortiGate units. The only differences
would result from the different network topologies.

Out-of-path topology
In an out-of-path topology, one or both of the FortiGate units configured for WAN
optimization are not directly in the main data path. Instead, the out-of-path FortiGate unit is
connected to a device on the data path, and the device is configured to redirect sessions
to be optimized to the out-of-path FortiGate unit.


Figure 326 shows out-of-path FortiGate units configured for WAN optimization and
connected directly to FortiGate units in the data path. The FortiGate units in the data path
use a method such as policy routing to redirect traffic to be optimized to the out-of-path
FortiGate units. The out-of-path FortiGate units establish a WAN optimization tunnel
between each other and optimize the redirected traffic.
Figure 326: Out-of-path WAN optimization [figure: each private network sits behind a security device on the data path; an out-of-path WAN optimization unit hangs off each security device, and the WAN optimization tunnel runs between the two out-of-path units across the WAN]
One of the benefits of out-of-path WAN optimization is that out-of-path FortiGate units only
perform WAN optimization and do not have to process other traffic. An in-path FortiGate
unit configured for WAN optimization also has to process other non-optimized traffic on the
data path.
The out-of-path FortiGate units can operate in NAT/Route or Transparent mode.
Other out-of-path topologies are also possible. For example, you can install the out-of-path
FortiGate units on the private networks instead of on the WAN. Also, the out-of-path
FortiGate units can have one connection to the network instead of two. In a one-arm
configuration such as this, firewall policies and routing have to be configured to send the
WAN optimization tunnel out the same interface as the one that received the traffic.

Topology for multiple networks
As shown in Figure 327, you can create multiple WAN optimization configurations
between many private networks. Whenever WAN optimization occurs, it is always
between two FortiGate units, but you can configure any FortiGate unit to perform WAN
optimization with any of the other FortiGate units that are part of your WAN.


Figure 327: WAN optimization among multiple networks [figure: four private networks on the WAN, fronted respectively by a combined security and WAN optimization unit, a second combined unit, a security device with a separate WAN optimization unit, and a security device with an out-of-path WAN optimization unit; WAN optimization tunnels connect them across the WAN]
You can also configure WAN optimization between FortiGate units with different roles on
the WAN. FortiGate units configured as security devices and for WAN optimization can
perform WAN optimization as if they are single-purpose FortiGate units just configured for
WAN optimization.

Web-cache-only WAN optimization
A WAN optimization web-cache-only topology includes one FortiGate unit that acts as
both a proxy server and web cache server. The FortiGate unit intercepts web page
requests sent by users, requests web pages from the web servers, caches the web page
contents, and returns the web page contents to the users. When the FortiGate unit
intercepts subsequent requests for cached web pages, the FortiGate unit contacts the
destination web server just to check for changes.


Figure 328: Web-cache-only topology [figure: a private network behind a WAN optimization web cache FortiGate unit, reaching a web server network over the WAN, LAN, or Internet]
You can also configure a reverse proxy web-cache-only WAN optimization (Figure 329). In
this configuration, users on the Internet browse to a web server installed behind a
FortiGate unit. The FortiGate unit intercepts the web traffic and caches pages from the
web server. Reverse proxy web caching on the FortiGate unit reduces the number of
requests that the web server must handle, leaving it free to process new requests that it
has not serviced before.
Figure 329: Reverse proxy web caching [figure: Internet users reach a web server network over the WAN, LAN, or Internet through a reverse proxy WAN optimization web cache FortiGate unit in front of the web servers]
WAN optimization with web caching
You can add web caching to a WAN optimization topology when users on a private
network communicate with web servers located across the WAN on another private
network.
Figure 330: WAN optimization with web caching topology [figure: a private network behind a security and WAN optimization unit, a WAN optimization tunnel across the WAN, and a second private network with web servers behind a unit providing security, WAN optimization, and web caching]
The topology in Figure 330 is the same as that of Figure 324 on page 1982 with the
addition of web caching to the FortiGate unit in front of the private network that includes
the web servers. In a similar way, you can add web caching to all of the topologies shown
in “WAN optimization topologies” on page 1981.

WAN optimization and web caching with FortiClient peers
FortiClient WAN optimization works with FortiGate WAN optimization to accelerate remote
user access to the private networks behind FortiGate units. The FortiClient application
requires a simple WAN optimization configuration to automatically detect if WAN
optimization is enabled on the FortiGate unit. Once WAN optimization is enabled, the
FortiClient application transparently makes use of the WAN optimization and web caching
features available.
Figure 331: FortiClient WAN optimization topology [figure: remote FortiClient users reach a private network over the WAN or Internet through WAN optimization tunnels terminating on the WAN optimization FortiGate unit]
Explicit Web proxy topology
You can configure a FortiGate unit to be an explicit web proxy server for Internet web
browsing. To use the explicit web proxy, users must add the IP address of the FortiGate
interface configured for the explicit proxy to their web browser proxy configuration.
Figure 332: Explicit web proxy topology [figure: a private network (10.31.101.0) reaching the Internet through a FortiGate unit acting as the explicit web proxy]
If the FortiGate unit supports web caching, you can also add web caching to the explicit
web proxy. The FortiGate unit will then cache Internet web pages to improve web
browsing performance.


Figure 333: Explicit web proxy with web caching topology [figure: a private network reaching Internet web sites through an explicit web proxy server with web caching]
WCCP topology
You can operate a FortiGate unit as a Web Cache Communication Protocol (WCCP)
router or cache engine. As a router the FortiGate unit intercepts web browsing requests
from client web browsers and forwards them to a WCCP cache engine. The cache engine
returns the required cached content to the client web browser. If the cache server does not
have the required content it accesses the content, caches it and returns the content to the
client web browser.
FortiGate units can also operate as WCCP cache servers, communicating with WCCP
routers, caching web content and providing it to client web browsers as required.
WCCP is transparent to client web browsers. The web browsers do not have to be
configured to use a web proxy.
Figure 334: WCCP topology [figure: client web browsers on the LAN behind a FortiGate unit operating as a WCCP router, which reaches Internet web sites and forwards requests to FortiGate units operating as WCCP cache engines]
WAN optimization client/server architecture
Traffic across a WAN typically consists of clients on a client network communicating
across a WAN with a remote server network. The clients do this by starting communication
sessions from the client network to the server network. To optimize these sessions, you
add firewall policies to the client-side FortiGate unit (which is located between the client
network and the WAN, see Figure 335) to accept sessions from the client network that are
destined for the server network. To apply WAN optimization to these sessions, you must
also add WAN optimization rules to the client-side FortiGate unit. The WAN optimization
rules intercept sessions accepted by firewall policies and apply WAN optimization to them.

Figure 335: Client/server architecture [figure: a client behind the client-side FortiGate unit and a server behind the server-side FortiGate unit, with the WAN between them; the client connects to the server and the server receives the connection from the client]
When a client-side FortiGate unit matches a session with a WAN optimization rule, it uses
the information in the rule to attempt to start a WAN optimization tunnel with a server-side
FortiGate unit installed in front of the server network. This FortiGate unit must include a
WAN optimization rule to accept WAN optimization tunnel requests from the client-side
FortiGate unit.
Firewall policies are not required on the server-side FortiGate unit. Sessions from the
client-side to the server-side FortiGate unit are WAN optimization tunnel requests. As long
as the server-side FortiGate unit contains WAN optimization rules, it will accept WAN
optimization tunnel requests. These tunnel requests, however, will only result in an
operating tunnel if the FortiGate unit peers can authenticate with each other.

WAN optimization peers
The client-side and server-side FortiGate units are called WAN optimization peers (see
Figure 336) because all of the FortiGate units in a WAN optimization network have the
same peer relationship with each other. The client and server roles just relate to how a
session is started. Any FortiGate unit configured for WAN optimization can be a client-side
and a server-side FortiGate unit at the same time, depending on the direction of the traffic.
Client-side FortiGate units initiate WAN optimization sessions and server-side FortiGate
units respond to the session requests. Any FortiGate unit can simultaneously be a
client-side FortiGate unit for some sessions and a server-side FortiGate unit for others.
Figure 336: WAN optimization peer and tunnel architecture [figure: a client network behind a peer (client-side FortiGate unit) and a server network behind a peer (server-side FortiGate unit), joined by a WAN optimization tunnel across the WAN; a peer (client-side FortiClient application) has its own WAN optimization tunnel to the server-side unit]
To identify all of the WAN optimization peers that a FortiGate unit can perform WAN
optimization with, you add host IDs and IP addresses of all of the peers to the FortiGate
unit configuration. The peer IP address is actually the IP address of the peer unit interface
that communicates with the FortiGate unit.


Peer-to-peer and active-passive WAN optimization
You can create peer-to-peer and active-passive WAN optimization configurations.
Peer-to-peer configurations are less complex because they only require the creation of a
WAN optimization rule in the client-side FortiGate unit. Active-passive WAN optimization
configurations require an active rule on the client-side FortiGate unit and a passive rule on
the server-side FortiGate unit.

WAN optimization and the FortiClient application
PCs running the FortiClient application are client-side peers that initiate WAN optimization
tunnels with server-side peer FortiGate units. However, you can have an ever-changing
number of FortiClient peers with IP addresses that also change regularly. To avoid
maintaining a list of such peers, you can instead configure WAN optimization to accept
any peer and use authentication to identify FortiClient peers.
Together, the WAN optimization peers apply the WAN optimization features to optimize the
traffic flow over the WAN between the clients and servers. WAN optimization reduces
bandwidth requirements, increases throughput, reduces latency, offloads SSL
encryption/decryption and improves privacy for traffic on the WAN.

Operating modes and VDOMs
To use WAN optimization, the FortiGate units can operate in either NAT/Route or
Transparent mode. The client-side and server-side FortiGate units do not have to be
operating in the same mode.
As well, the FortiGate units can be configured for multiple virtual domain (VDOM)
operation. You configure WAN optimization for each VDOM and configure one or both of
the units to operate with multiple VDOMs enabled.
If a FortiGate unit or VDOM is operating in Transparent mode with WAN optimization
enabled, WAN optimization uses the management IP address as the peer IP address of
the FortiGate unit instead of the address of an interface.

WAN optimization tunnels
All optimized traffic passes between the FortiGate units or between a FortiClient peer and
a FortiGate unit over a WAN optimization tunnel. Traffic in the tunnel can be sent in plain
text or encrypted using AES-128bit-CBC SSL.
Both plain text and the encrypted peer-to-peer tunnels use TCP destination port 7810.
Figure 337: WAN optimization tunnels [figure: packets from the client network enter the client-side FortiGate unit, cross the WAN as encrypted packets in the WAN optimization tunnel (peer-to-peer: port 7810), and leave the server-side FortiGate unit as packets to the server network]

Before a tunnel can be started, the peers must be configured to authenticate with each
other and to agree on the tunnel configuration. Then, the client-side peer attempts to start
a WAN optimization tunnel with the server-side peer. Once the peers authenticate with
each other, they bring up the tunnel and WAN optimization communication over the tunnel
starts. After a tunnel has been established, multiple WAN optimization sessions can start
and stop between peers without restarting the tunnel.

Tunnel sharing
You can use the tunnel-sharing WAN optimization rule CLI keyword to configure
tunnel sharing for WAN optimization rules with auto-detect set to off. Tunnel sharing
means multiple WAN optimization sessions share the same WAN optimization tunnel.
Tunnel sharing can improve WAN performance by reducing the number of WAN
optimization tunnels between FortiGate units. Having fewer tunnels means less data to
manage. Also, tunnel setup requires more than one exchange of information between the
ends of the tunnel. Once the tunnel is set up, each new session that shares the tunnel
avoids tunnel setup delays.
Tunnel sharing also uses bandwidth more efficiently by reducing the chances that small
packets will be sent down the tunnel. Processing small packets reduces network
throughput, so reducing the number of small packets improves performance. A shared
tunnel can combine all the data from the sessions being processed by the tunnel and send
the data together. For example, suppose a FortiGate unit is processing five WAN
optimization sessions and each session has 100 bytes to send. If these sessions use a
shared tunnel, WAN optimization combines the packets from all five sessions into one
500-byte packet. If each session uses its own private tunnel, five 100-byte packets will be
sent instead. Each packet also requires a TCP ACK reply. The combined packet in the
shared tunnel requires one TCP ACK packet. The separate packets in the private tunnels
require five.
Tunnel sharing is not always recommended. Aggressive and non-aggressive protocols
should not share the same tunnel. An aggressive protocol can be defined as a protocol
that is able to get more bandwidth than a non-aggressive protocol. (The aggressive
protocols can “starve” the non-aggressive protocols.) HTTP and FTP are considered
aggressive protocols. If aggressive and non-aggressive protocols share the same tunnel,
the aggressive protocols may take all of the available bandwidth. As a result, the
performance of less aggressive protocols could be reduced. To avoid this problem, rules
for HTTP and FTP traffic should have their own tunnel. To do this, set tunnel-sharing
to private for WAN optimization rules that accept HTTP or FTP traffic.
It is also useful to set tunnel-sharing to express-sharing for applications, such as
Telnet, that are very interactive but not aggressive. Express sharing optimizes tunnel
sharing for Telnet and other interactive applications where latency or delays would
seriously affect the user’s experience with the protocol.
Set tunnel-sharing to sharing for applications that are not aggressive and are not
sensitive to latency or delays. WAN optimization rules set to sharing and
express-sharing can share the same tunnel.

Protocol optimization
Protocol optimization techniques optimize bandwidth use across the WAN. These
techniques can improve the efficiency of communication across the WAN optimization
tunnel by reducing the amount of traffic required by communication protocols. You can
apply protocol optimization to Common Internet File System (CIFS), FTP, HTTP, MAPI,
and general TCP sessions.


For example, CIFS provides file access, record locking, read/write privileges, change
notification, server name resolution, request batching, and server authentication. CIFS is a
fairly “chatty” protocol, requiring many background transactions to successfully transfer a
single file. This is usually not a problem across a LAN. However, across a WAN, latency
and bandwidth reduction can slow down CIFS performance.
When you set Protocol to CIFS in a WAN optimization rule, the FortiGate units at both
ends of the WAN optimization tunnel use a number of techniques to reduce the number of
background transactions that occur over the WAN for CIFS traffic.
You can select only one protocol in a WAN optimization rule. For best performance, you
should separate the traffic by protocol by creating different WAN optimization rules for
each protocol. For example, to optimize HTTP traffic, you should set Port to 80 so that
only HTTP traffic is accepted by this WAN optimization rule. For an example configuration
that uses multiple rules for different protocols, see “Example: Active-passive WAN
optimization” on page 2019.
If the WAN optimization rule accepts a range of different types of traffic, you can set Protocol to
TCP to apply general optimization techniques to TCP traffic. However, applying this TCP
optimization to a range of different types of traffic is not as effective as applying more
protocol-specific optimization to specific types of traffic. TCP protocol optimization uses
techniques such as TCP SACK support, TCP window scaling and window size
adjustment, and TCP connection pooling to remove TCP bottlenecks.

Byte caching
Byte caching breaks large units of application data (for example, a file being downloaded
from a web page) into small chunks of data, labelling each chunk of data with a hash of the
chunk and storing those chunks and their hashes in a database. The database is stored
on a WAN optimization storage device. Then, instead of sending the actual data over the
WAN tunnel, the FortiGate unit sends the hashes. The FortiGate unit at the other end of
the tunnel receives the hashes and compares them with the hashes in its local byte
caching database. If any hashes match, that data does not have to be transmitted over the
WAN optimization tunnel. The data for any hashes that do not match is transferred over
the tunnel and added to that byte caching database. Then the unit of application data (the
file being downloaded) is reassembled and sent to its destination.
Byte caching is not application specific. Bytes cached from a file in an email can be used
to optimize downloading that same file or a similar file from a web page.
The result is less data transmitted over the WAN. Initially, byte caching may reduce
performance until a large enough byte caching database is built up.
To enable byte caching, you select Enable Byte Cache in a WAN optimization rule. The
Protocol setting does not affect byte caching. Data is byte cached when it is processed by
a WAN optimization rule that includes byte caching.
Byte caching cannot determine whether or not a file is compressed (for example a zip file),
and caches compressed and non-compressed versions of the same file separately.
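The byte caching exchange described above, as an added Python model (not FortiOS code): the sending peer chunks and hashes the data and transmits only hashes, and the receiving peer asks for the chunks whose hashes it does not already hold. Fixed 64-byte chunks, SHA-256 labels and the sample report file are assumptions made for the illustration; the model also shows the cross-application reuse and the compressed-copy caveat from the text.

```python
"""Model of WAN optimization byte caching: chunk, hash, send hashes, fetch misses.
Added example for illustration only; not FortiOS code. The chunk size, the hash
function and the sample data are assumptions."""
import hashlib
import zlib

CHUNK_SIZE = 64  # assumption: fixed-size chunks keep the illustration simple


def chunk_hashes(data, chunk_size=CHUNK_SIZE):
    """Break application data into chunks and label each chunk with its hash."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return [(hashlib.sha256(c).hexdigest(), c) for c in chunks]


class BytePeer:
    """One end of a WAN optimization tunnel with its own byte caching database."""

    def __init__(self):
        self.db = {}  # hash -> chunk; stands in for the database on the storage device

    def send(self, data):
        """Sending side: store every chunk locally, then transmit only the hashes."""
        labelled = chunk_hashes(data)
        self.db.update(labelled)
        return [h for h, _ in labelled]

    def missing(self, hashes):
        """Receiving side: compare incoming hashes with the local database."""
        return [h for h in hashes if h not in self.db]

    def learn(self, chunks):
        """Receiving side: add chunks that had to cross the tunnel to the database."""
        self.db.update(chunks)

    def reassemble(self, hashes):
        """Rebuild the unit of application data from the now complete database."""
        return b"".join(self.db[h] for h in hashes)


def transfer(sender, receiver, data):
    """Move data over the modelled tunnel; returns (reassembled data, bytes on the WAN).

    The byte count ignores the hash list itself and tunnel framing; the point is
    that only chunks whose hashes did not match travel across the WAN."""
    hashes = sender.send(data)
    need = receiver.missing(hashes)
    receiver.learn({h: sender.db[h] for h in need})
    wan_bytes = sum(len(sender.db[h]) for h in need)
    return receiver.reassemble(hashes), wan_bytes


# Constructed sample: a 1040-byte "report" file (40 lines of 26 bytes each).
FILE = b"".join(b"quarterly report line %03d\n" % i for i in range(40))
# A similar file that differs in a single byte, so exactly one chunk changes.
SIMILAR = FILE.replace(b"line 020\n", b"line 02X\n")
# A zip-style compressed copy of the same file; it shares no chunk with FILE.
COMPRESSED = zlib.compress(FILE)


def walkthrough():
    """Run the scenarios from the text; returns the WAN byte count for each step."""
    client_side, server_side = BytePeer(), BytePeer()
    results = {}
    # 1. First download: every hash misses, so the whole file crosses the WAN.
    _, results["first download"] = transfer(client_side, server_side, FILE)
    # 2. The same file again (say, first sent in an email, then fetched from a
    #    web page): byte caching is not application specific, so nothing is sent.
    _, results["same file again"] = transfer(client_side, server_side, FILE)
    # 3. A similar file: only the chunk holding the changed bytes is sent.
    _, results["similar file"] = transfer(client_side, server_side, SIMILAR)
    # 4. A compressed copy: byte caching cannot tell it is the same file, so it is
    #    cached separately and every chunk crosses the WAN again.
    _, results["compressed copy"] = transfer(client_side, server_side, COMPRESSED)
    return results


if __name__ == "__main__":
    for step, n in walkthrough().items():
        print(f"{step:>16}: {n} bytes over the WAN")
```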

WAN optimization and HA
You can configure WAN optimization on a FortiGate HA cluster. The recommended HA
configuration for WAN optimization is active-passive mode. When the cluster is operating,
all WAN optimization sessions are processed by the primary unit only. Even if the cluster is
operating in active-active mode, HA does not load-balance WAN optimization sessions.


You can also form a WAN optimization tunnel between a cluster and a standalone
FortiGate unit or between two clusters.
In a cluster, the primary unit stores only web cache and byte cache databases. These
databases are not synchronized to the subordinate units. So, after a failover, the new
primary unit must rebuild its web and byte caches.
Rebuilding the byte caches can happen relatively quickly because the new primary unit
gets byte cache data from the other FortiGate units that it is participating with in WAN
optimization tunnels.

Monitoring WAN optimization
Using WAN optimization monitoring, you can confirm that WAN optimization is accepting
traffic and view WAN optimization performance. The monitor presents collected log
information in a graphical format to show network traffic summary and bandwidth
optimization information.
To view the WAN optimization monitor, go to WAN Opt. & Cache > Monitor > Monitor.
Figure 338: WAN optimization monitor [figure: screenshot of the monitor page with Refresh controls for the Traffic Summary and Bandwidth Optimization sections]

Traffic Summary
  This section provides traffic optimization information. The pie chart illustrates the
  percentage of traffic for supported applications processed during the selected Period.
  The table displays how much traffic has been reduced by WAN optimization by
  comparing the amount of LAN and WAN traffic for each protocol.

Refresh icon
  Refresh the Traffic Summary.

Period
  Select a time period to show traffic summary for. You can select:
  • Last 10 Minutes
  • Last 1 Hour
  • Last 1 Day
  • Last 1 Week
  • Last 1 Month

Protocol
  The name of the protocol for which sessions are optimized.

Reduction Rate
  Displays each application’s optimization rate. For example, a rate of 80% means the
  amount of data processed by that application has been reduced by 20%.

LAN
  The amount of data in MB received from the LAN for each application.

WAN
  The amount of data in MB sent across the WAN for each application. The greater the
  difference between the LAN and WAN data, the greater the amount of data reduced by
  WAN optimization byte caching, web caching, and protocol optimization.

Bandwidth Optimization
  This section shows network bandwidth optimization per time period. A line or column
  chart compares an application’s pre-optimized (LAN data) size with its optimized size
  (WAN data).

Refresh icon
  Select to refresh the Bandwidth Optimization display.

Period
  Select a time frame to show bandwidth optimization. You can select:
  • Last 10 Minutes
  • Last 1 Hour
  • Last 1 Day
  • Last 1 Week
  • Last 1 Month

Protocol
  Select All to display bandwidth optimization for all applications. Select an individual
  protocol to display bandwidth optimization for that individual protocol.

Chart Type
  Select to display bandwidth optimization with a line chart or a column chart.


WAN optimization and Web cache
storage
WAN optimization storage is used for storing the byte cache and Web cache databases. In
most cases, you can accept the default WAN optimization storage configuration because
all of the disk space available on the FortiGate unit is in one partition. By default WAN
optimization and logging and archiving are configured to use this partition.
You only have to configure WAN optimization storage if you have more than one possible
storage location. This can happen if you have multiple partitions that you can use for
storage locations. If you have more than one storage location you can move WAN
optimization storage to it. You can also configure WAN optimization to use multiple
storage locations.
This chapter contains the following topics:
• Formatting the hard disk
• Configuring WAN optimization and Web cache storage

Formatting the hard disk
In most cases the hard disks on your FortiGate unit should be formatted with one partition
that is used for WAN optimization and Logging and Archiving. If for some reason the hard
disk is not formatted you can use the following information to format it. In some cases you
might also want to use the following commands to erase all data from the hard disk by
reformatting it.
From the web-based manager go to System > Maintenance > Disk to display information
about the hard disk or disks in the FortiGate unit. To format the hard disk, select the format
icon. The hard disk format takes a few minutes and the FortiGate unit restarts after
formatting is complete.
From this web-based manager page you can also change the WAN optimization and Web
Cache Storage size. By default the entire disk can be used for WAN optimization and Web
Cache storage. You can also change the WAN optimization storage setting to reduce the
amount of storage available for WAN optimization and web caching.
From the CLI you can use the following command to view the current disk format and
partition status. See the following example for a FortiGate-51B unit.
execute disk list
Device I1      29.9 GB   ref: 256   SUPER TALENT (IDE)
partition 1    29.9 GB   ref: 257   label: 2B6375792136C707

You can use the following command to reformat the hard disk. Use this command if for
some reason the disk is not formatted correctly. The command includes the device
reference number (256), so it formats the entire disk and not just the partition.
execute disk format 256
You can use the following command to reformat the partition. The command includes the
partition reference number, so it formats only the partition, removing all data from it. You
can use this command to delete all data from the partition and to fix partition errors.
execute disk format 257

Configuring WAN optimization and Web cache storage
You can use the following command to add multiple WAN optimization storage locations if
your FortiGate unit has multiple disk partitions and you want to use more than one for
WAN optimization storage:
config system storage
Enter get to see the name of the default storage location. You cannot edit this storage
location, but you can add new ones:
config system storage
edit new_storage
set partition <partition_number>
end
Where <partition_number> is the number of the partition to create a storage location
in. This cannot be the same as the partition added to the default storage location. This
command automatically adds a WAN optimization storage location with the name
new_storage.

Changing the amount of space allocated for WAN optimization and Web cache
storage
From the web-based manager you can go to System > Maintenance > Disk to edit the
WAN optimization & Web Cache storage and change the allocation size to limit the
amount of storage available for WAN optimization byte caching and web caching. The size
is in Mbytes.
You can use the following command to change the size of any WAN optimization storage
location. For example, in the FortiGate-51B the default WAN optimization storage is
Internal. Use the following command to limit the amount of space allocated for WAN
optimization to 20 Gbytes:
config wanopt storage
edit Internal
set size 20000
end


WAN optimization peers and
authentication groups
All communication between WAN optimization peers begins with one WAN optimization
peer (or client-side FortiGate unit) sending a WAN optimization tunnel request to another
peer (or server-side FortiGate unit). During this process, the WAN optimization peers
identify and authenticate with each other.
This chapter describes:
• Basic WAN optimization peer authentication requirements
• How FortiGate units process tunnel requests for peer authentication
• Configuring peers
• Configuring authentication groups
• Secure tunneling

Basic WAN optimization peer authentication requirements
Peer authentication requires the following configuration on each peer for best results.
• All peers must have a unique host ID that identifies each peer. You can add the host ID
  to a peer from the web-based manager by going to WAN Opt. & Cache > Peer,
  entering a host ID in the Local Host ID field and selecting Apply. The host ID can
  contain up to 25 characters and can include spaces. Do not leave the host ID at its
  default value.
• All peers must know the host IDs and IP addresses of all of the other peers that they
  can start WAN optimization tunnels with. You add these host IDs and IP addresses
  from the web-based manager by going to WAN Opt. & Cache > Peer and selecting
  Create New. You then enter the other peer’s host ID in the Peer Host ID field, enter the
  other peer’s IP address in the IP Address field and select OK. The IP address will be
  the source IP address of tunnel requests sent by the peer. Usually this is the IP
  address of the peer’s interface that is connected to the WAN—the IP address of the
  interface from which tunnel requests are sent.
• All peers must have the same local certificate installed on their FortiGate units if the
  units authenticate by local certificate. Similarly, if the units authenticate by pre-shared
  key (password), administrators must know the password. For more information, see
  the FortiGate Certificate Management Guide.

Accepting any peers
Strictly speaking, you do not need to add peers. Instead you can configure authentication
groups that accept any peer. However, for this to work, both peers must have the same
authentication group (with the same name) and both peers must have the same certificate
or pre-shared key.

FortiOS™ Handbook FortiOS 4.0 MR2 WAN Optimization, Web Cache, Explicit Proxy, and WCCP
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

1997

Accepting any peer is useful if you have many peers or if peer IP addresses change. For
example, you could have many travelling FortiClient peers with IP addresses that are
always changing as the users travel to different customer sites. This configuration is also
useful if you have FortiGate units with dynamic external IP addresses (using DHCP or
PPPoE). For most other situations, this method is not recommended as it is less secure
than accepting defined peers or a single peer. For more information, see “Configuring
authentication groups” on page 2000.

How FortiGate units process tunnel requests for peer authentication
When a client-side FortiGate unit attempts to start a WAN optimization tunnel with a peer
server-side FortiGate unit, the tunnel request includes the following information:


• the client-side local host ID
• the name of an authentication group if included in the rule that initiates the tunnel
• the authentication method defined in the authentication group: pre-shared key or
  certificate
• the type of tunnel (secure or not).

For information about configuring the local host ID, peers and authentication groups, see
“Configuring peers” on page 1999 and “Configuring authentication groups” on page 2000.
The authentication group is optional unless the tunnel is a secure tunnel. For more
information, see “Secure tunneling” on page 2002.
If the tunnel request includes an authentication group, the authentication will be based on
the settings of this group as follows:


• The server-side FortiGate unit searches its own configuration for the name of the
  authentication group in the tunnel request. If no match is found, the authentication fails.
• If a match is found, the server-side FortiGate unit compares the authentication method
  in the client and server authentication groups. If the methods do not match, the
  authentication fails.
• If the authentication methods match, the server-side FortiGate unit tests the peer
  acceptance settings in its copy of the authentication group.
  • If the setting is Accept Any Peer, the authentication is successful.
  • If the setting is Specify Peer, the server-side FortiGate unit compares the client-side
    local host ID in the tunnel request with the peer name in the server-side
    authentication group. If the names match, authentication is successful. If a match is
    not found, authentication fails.
  • If the setting is Accept Defined Peers, the server-side FortiGate unit compares the
    client-side local host ID in the tunnel request with the server-side peer list. If a
    match is found, authentication is successful. If a match is not found, authentication
    fails.

If the tunnel request does not include an authentication group, authentication will be based
on the client-side local host ID in the tunnel request. The server-side FortiGate unit
searches its peer list to match the client-side local host ID in the tunnel request. If a match
is found, authentication is successful. If a match is not found, authentication fails.
If the server-side FortiGate unit successfully authenticates the tunnel request, the
server-side FortiGate unit sends back a tunnel setup response message. This message
includes the server-side local host ID and the authentication group that matches the one
in the tunnel request.

1998


The client-side FortiGate unit then performs the same authentication procedure as the
server-side FortiGate unit did. If both sides succeed, tunnel setup continues.
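The decision procedure above, written out as an added Python model so the individual failure points can be exercised. This is an illustration added here, not FortiOS code or Fortinet's implementation; the host IDs, group names and addresses reuse the handbook's own CLI examples, and the model assumes that the pre-shared key or certificate itself is verified later, during tunnel setup, which it does not cover.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthGroup:
    """One authentication group, as configured with `config wanopt auth-group`."""
    name: str
    method: str                 # "psk" or "cert", the CLI auth-method values
    peer_accept: str            # "any", "defined" or "one", the CLI peer-accept values
    peer: Optional[str] = None  # host ID given by `set peer`, used when peer_accept == "one"


@dataclass
class Unit:
    """The WAN optimization identity of one FortiGate unit."""
    host_id: str         # local host ID (`set host-id`)
    peers: dict          # peer host ID -> IP address (the unit's peer list)
    auth_groups: dict    # group name -> AuthGroup


@dataclass
class TunnelRequest:
    """What the tunnel start request carries, per the handbook."""
    host_id: str                       # the sender's local host ID
    auth_group: Optional[str] = None   # group named in the rule that started the tunnel
    method: Optional[str] = None       # authentication method defined in that group
    secure: bool = False               # whether a secure tunnel was requested


def authenticate(receiver: Unit, req: TunnelRequest) -> tuple:
    """Decide whether `receiver` accepts `req`; returns (accepted, reason).

    Only group name, method and peer acceptance are modelled (assumption: the
    key or certificate is checked afterwards during tunnel setup).
    """
    if req.auth_group is None:
        if req.secure:
            # A secure tunnel is the one case where a group is mandatory.
            return False, "secure tunnel requested without an authentication group"
        # No group: authentication falls back to the peer list alone.
        if req.host_id in receiver.peers:
            return True, "host ID found in peer list"
        return False, "host ID not in peer list"

    group = receiver.auth_groups.get(req.auth_group)
    if group is None:
        return False, "no authentication group named %r" % req.auth_group
    if group.method != req.method:
        return False, "authentication method mismatch"
    if group.peer_accept == "any":
        return True, "group accepts any peer"
    if group.peer_accept == "one":
        if req.host_id == group.peer:
            return True, "host ID matches the group's specified peer"
        return False, "host ID is not the group's specified peer"
    if group.peer_accept == "defined":
        if req.host_id in receiver.peers:
            return True, "host ID found in peer list"
        return False, "host ID not in peer list"
    return False, "unknown peer-accept setting %r" % group.peer_accept


def mutual_authentication(client: Unit, server: Unit, req: TunnelRequest) -> tuple:
    """Server-side check, then the client-side check of the tunnel setup response."""
    ok, why = authenticate(server, req)
    if not ok:
        return False, "server-side: " + why
    # The response carries the server-side host ID and the matching group name;
    # the client-side unit then runs the same procedure against its own configuration.
    response = TunnelRequest(server.host_id, req.auth_group, req.method, req.secure)
    ok, why = authenticate(client, response)
    if not ok:
        return False, "client-side: " + why
    return True, "both sides authenticated; tunnel setup continues"


# Constructed sample configuration built from the handbook's CLI example names.
HQ = Unit(
    host_id="HQ_Peer",
    peers={"Server_net": "172.30.120.100"},
    auth_groups={
        "auth_peer": AuthGroup("auth_peer", "psk", "one", peer="Server_net"),
        "auth_grp_1": AuthGroup("auth_grp_1", "cert", "any"),
    },
)
SERVER = Unit(
    host_id="Server_net",
    peers={"HQ_Peer": "172.20.120.100"},
    auth_groups={
        "auth_peer": AuthGroup("auth_peer", "psk", "one", peer="HQ_Peer"),
        "auth_grp_1": AuthGroup("auth_grp_1", "cert", "any"),
    },
)

if __name__ == "__main__":
    for req in (
        TunnelRequest("HQ_Peer", "auth_peer", "psk", secure=True),
        TunnelRequest("HQ_Peer", "auth_peer", "cert"),          # method mismatch
        TunnelRequest("Roaming_Client", "auth_grp_1", "cert"),  # unknown host, group accepts any
        TunnelRequest("Roaming_Client"),                        # no group, not in peer list
        TunnelRequest("HQ_Peer", secure=True),                  # secure tunnel needs a group
    ):
        print(req.host_id, req.auth_group, authenticate(SERVER, req))
    print(mutual_authentication(HQ, SERVER, TunnelRequest("HQ_Peer", "auth_peer", "psk", True)))
```

The `Roaming_Client` case is the "accept any peer" path the text describes for FortiClient and DHCP peers: the server accepts it on the group alone, with nothing in its peer list to tie the host ID to an address, which is why the handbook calls that setting less secure.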

Configuring peers
When you configure peers, you first need to add the local host ID that identifies the
FortiGate unit for WAN optimization and then add the peer host ID and IP address of each
FortiGate unit with which a FortiGate unit can create WAN optimization tunnels.
To configure WAN optimization peers - web-based manager
1 Go to Wan Opt. & Cache > Peer > Peer.
2 For Local Host ID, enter the local host ID of this FortiGate unit and select Apply. If you
add this FortiGate unit as a peer to another FortiGate unit, use this ID as its peer host
ID.
3 Select Create New to add a new peer.
4 For Peer Host ID, enter the peer host ID of the peer FortiGate unit. This is the local
host ID added to the peer FortiGate unit.
5 For IP Address, add the IP address of the FortiGate unit. Usually this is the IP address
of the FortiGate interface connected to the WAN.
6 Select OK.
To configure WAN optimization peers - CLI
In this example, the local host ID is named HQ_Peer and has an IP address of
172.20.120.100. Three peers are added, but you can add any number of peers that are
on the WAN.
1 Enter the following command to set the local host ID to HQ_Peer.
    config wanopt settings
        set host-id HQ_Peer
    end
2 Enter the following commands to add three peers.
    config wanopt peer
        edit Wan_opt_peer_1
            set ip 172.20.120.100
        next
        edit Wan_opt_peer_2
            set ip 172.30.120.100
        next
        edit Wan_opt_peer_3
            set ip 172.40.120.100
    end

1999

Configuring authentication groups
You need to add authentication groups to support authentication and secure tunneling
between WAN optimization peers.
To perform authentication, WAN optimization peers use a certificate or a pre-shared key
added to an authentication group so they can identify each other before forming a WAN
optimization tunnel. Both peers must have an authentication group with the same name
and settings. You add the authentication group to a peer-to-peer or active rule on the
client-side FortiGate unit. When the server-side FortiGate unit receives a tunnel start
request from the client-side FortiGate unit that includes an authentication group, the
server-side FortiGate unit finds an authentication group in its configuration with the same
name. If both authentication groups have the same certificate or pre-shared key, the peers
can authenticate and set up the tunnel.
Authentication groups are also required for secure tunneling. See “Secure tunneling” on
page 2002.
To add authentication groups, go to WAN Opt. & Cache > Peer > Authentication Group.
To add an authentication group - web-based manager
Use the following steps to add any kind of authentication group. It is assumed that if you
are using a local certificate to authenticate, it is already added to the FortiGate unit. For
more information, see the FortiGate Certificate Management Guide.
1 Go to Wan Opt. & Cache > Peer > Authentication Group.
2 Select Create New.
3 Add a Name for the authentication group.
You will select this name when you add the authentication group to a WAN optimization
rule.
4 Select the Authentication Method.
Select Certificate if you want to use a certificate to authenticate and encrypt WAN
optimization tunnels. You must also select a local certificate that has been added to
this FortiGate unit. (To add a local certificate, go to System > Certificates > Local
Certificates.) Other FortiGate units that participate in WAN optimization tunnels with
this FortiGate unit must have an authentication group with the same name and
certificate.
Select Pre-shared key if you want to use a pre-shared key or password to authenticate
and encrypt WAN optimization tunnels. You must also add a Password (or pre-shared
key) used by the authentication group. Other FortiGate units that participate in WAN
optimization tunnels with this FortiGate unit must have an authentication group with the
same name and password. The password must contain at least 6 printable characters
and should be known only by network administrators. For optimum protection against
currently known attacks, the key should consist of a minimum of 16 randomly chosen
alphanumeric characters.

2000


5 Configure Peer Acceptance for the authentication group.
Select Accept Any Peer if you do not know the peer host IDs or IP addresses of the
peers that will use this authentication group. This setting is most often used for WAN
optimization with the FortiClient application or with FortiGate units that do not have
static IP addresses, for example units that use DHCP.
Select Accept Defined Peers if you want to authenticate with peers added to the peer
list only.
Select Specify Peer and select one of the peers added to the peer list to authenticate
with the selected peer only.
For more information, see “Configuring peers” on page 1999.
6 Select OK.
7 Add the authentication group to a WAN optimization rule to apply the authentication
settings in the authentication group to the rule.
For more information, see “Configuring WAN optimization rules” on page 2008.
To add an authentication group that uses a certificate - CLI
Enter the following command to add an authentication group that uses a certificate and
can authenticate all peers added to the FortiGate unit configuration.
In this example, the authentication group is named auth_grp_1 and uses a certificate
named Example_Cert.
    config wanopt auth-group
        edit auth_grp_1
            set auth-method cert
            set cert Example_Cert
            set peer-accept defined
    end
To add an authentication group that uses a pre-shared key - CLI
Enter the following command to add an authentication group that uses a pre-shared key
and can authenticate only the peer added to the authentication group.
In this example, the authentication group is named auth_peer, the peer that the group
can authenticate is named Server_net, and the authentication group uses 123456 as
the pre-shared key. In practice you should use a more secure pre-shared key.
    config wanopt auth-group
        edit auth_peer
            set auth-method psk
            set psk 123456
            set peer-accept one
            set peer Server_net
    end
To add an authentication group that accepts WAN optimization connections from
any peer - web-based manager
Add an authentication group that accepts any peer for situations where you do not have
the Peer Host IDs or IP Addresses of the peers that you want to perform WAN
optimization with. This setting is most often used for WAN optimization with the FortiClient
application or with FortiGate units that do not have static IP addresses, for example units
that use DHCP. An authentication group that accepts any peer is less secure than an
authentication group that accepts defined peers or a single peer.

2001

The example below sets the authentication method to Pre-shared key. You must add the
same password to all FortiGate units using this authentication group.
1 Go to Wan Opt. & Cache > Peer > Authentication Group.
2 Select Create New to add a new authentication group.
3 Configure the authentication group:
    Name                     Specify any name.
    Authentication Method    Pre-shared key
    Password                 Enter a pre-shared key.
    Peer Acceptance          Accept Any Peer

To add an authentication group that accepts WAN optimization connections from
any peer - CLI
In this example, the authentication group is named auth_grp_1. It uses a certificate
named WAN_Cert and accepts any peer.
    config wanopt auth-group
        edit auth_grp_1
            set auth-method cert
            set cert WAN_Cert
            set peer-accept any
    end

Secure tunneling
You can configure WAN optimization rules to use AES-128bit-CBC SSL to encrypt the
traffic in the WAN optimization tunnel. WAN optimization uses FortiASIC acceleration to
accelerate SSL decryption and encryption of the secure tunnel. Peer-to-peer secure
tunnels use the same TCP port as non-secure peer-to-peer tunnels (TCP port 7810).
To use secure tunneling, you must select Enable Secure Tunnel in a WAN optimization
rule and add an authentication group. The authentication group specifies the certificate or
pre-shared key used to set up the secure tunnel. You can add a new authentication group
to support secure tunneling or you can use an authentication group that was already
added for tunnel authentication. The Peer Acceptance setting of the authentication group
does not affect secure tunneling.
The FortiGate units at each end of the secure tunnel must have the same authentication
group with the same name and the same configuration, including the same pre-shared key
or certificate. To use certificates you must install the same certificate on both FortiGate
units.
For active-passive WAN optimization you select Enable Secure Tunnel only in the active
rule. In peer-to-peer WAN optimization you select Enable Secure Tunnel in the WAN
optimization rule on both FortiGate units. For information about active-passive and
peer-to-peer WAN optimization, see “Configuring WAN optimization rules” on page 2003.
For a secure tunneling configuration example, see “Example: Adding secure tunneling to
an active-passive WAN optimization configuration” on page 2026. Secure tunneling is also
used in the configuration example: “Example: SSL offloading for a WAN optimization
tunnel” on page 2069.

2002


Configuring WAN optimization rules
To configure WAN optimization, you add WAN optimization rules. Similar to firewall
policies, when a FortiGate unit receives a connection packet, it analyzes the packet’s
source address, destination address, and service (by destination port number), and
attempts to locate a matching WAN optimization rule that decides how to optimize the
traffic over the WAN. WAN optimization rules also apply features such as byte-caching
and protocol optimization to optimized traffic.
You can add one of two types of WAN optimization rules: active-passive and peer-to-peer.
A peer-to-peer WAN optimization rule includes a peer host ID. WAN optimization
sessions matched by a client-side peer-to-peer rule can only connect to the named
server-side peer. When the client-side peer unit initiates a tunnel with the server-side peer,
the packets that initiate the tunnel include extra information so that the server-side peer
can determine that it is a peer-to-peer tunnel request. This extra information is required
because the server-side peer does not require a WAN optimization rule; you just need to
add the client peer host ID and IP address to the server-side FortiGate unit peer list.
Peer-to-peer WAN optimization tunnels use port 7810.
For active-passive WAN optimization, you add active rules to client-side FortiGate units
and passive rules to server-side FortiGate units. A single passive rule can accept tunnel
requests from multiple active rules. The configuration of the active rule enables WAN
optimization features. The passive rule uses the configuration of the active rules. The one
exception is web caching, which is enabled in passive rules.
This chapter describes:


• WAN optimization rules, firewall policies, and UTM protection
• WAN optimization transparent mode
• WAN optimization rule list
• WAN optimization address formats
• Configuring WAN optimization rules

WAN optimization rules, firewall policies, and UTM protection
The FortiGate unit applies firewall policies to communication sessions before WAN
optimization rules. A WAN optimization rule can be applied to a packet only after the
packet is accepted by a firewall policy. WAN optimization processes all sessions accepted
by a firewall policy that also match a WAN optimization rule.
However, if the firewall policy includes UTM features, communication sessions accepted
by the policy are processed by the UTM and not by WAN optimization. To apply WAN
optimization to traffic that is accepted by a firewall policy containing UTM features, you
can use multiple FortiGate units or multiple VDOMs. You apply the UTM features in the
first FortiGate unit or VDOM and then apply WAN optimization in the second FortiGate unit
or VDOM. You also add inter-VDOM links between the VDOMs. See the configuration
example “Out-of-path WAN optimization with inter-VDOM routing” on page 2047.

2003

WAN optimization does not apply source and destination NAT settings included in firewall
policies. This means that selecting NAT or adding virtual IPs in a firewall policy does not
affect WAN optimized traffic. WAN optimization is also not compatible with firewall load
balancing. However, traffic accepted by these policies that is not WAN optimized is
processed as expected.
WAN optimization is compatible with identity-based firewall policies. If a session is allowed
after authentication and if the identity-based policy that allows the session does not
include UTM features, the session can be processed by matching WAN optimization rules.
Firewall traffic shaping is compatible with client/server (active-passive) transparent mode
WAN optimization rules. Traffic shaping is ignored for peer-to-peer WAN optimization and
for client/server WAN optimization not operating in transparent mode.

WAN optimization transparent mode
WAN optimization is transparent to users. This means that with WAN optimization in place,
clients connect to servers in the same way as they would without WAN optimization.
However, servers receiving packets after WAN optimization “see” different source
addresses depending on whether or not transparent mode is selected for WAN
optimization. If transparent mode is selected, WAN optimization keeps the original source
address of the packets, so servers appear to receive traffic directly from clients. Routing
on the server network should be configured to route traffic with client source IP addresses
from the server-side FortiGate unit to the server and back to the server-side FortiGate
unit.
Note: Some protocols, for example CIFS, may not function as expected if transparent
mode is not selected. In most cases, for CIFS WAN optimization you should select
transparent mode and make sure the server network can route traffic as described to
support transparent mode.

If transparent mode is not selected, the source address of the packets received by servers
is changed to the address of the server-side FortiGate unit interface that sends the
packets to the servers. So servers appear to receive packets from the server FortiGate
unit. Routing on the server network is simpler in this case because client addresses are
not involved. All traffic appears to come from the server FortiGate unit and not from
individual clients.
Note: Do not confuse WAN optimization transparent mode with FortiGate Transparent
mode. WAN optimization transparent mode is configured in individual WAN optimization
rules. FortiGate Transparent mode is a system setting that controls how the FortiGate unit
(or a VDOM) processes traffic.

WAN optimization rule list
The WAN optimization rule list displays WAN optimization rules in their order of matching
precedence. You can add, delete, edit, and re-order rules in the rule list. WAN optimization
rule order affects rule matching. For details about arranging rules in the rule list, see “How
list order affects rule matching” on page 2006 and “Moving a rule to a different position in
the rule list” on page 2007.
Before you add WAN optimization rules, you must add firewall policies to accept the traffic
that you want to optimize. For information about WAN optimization rules and firewall
policies, see “WAN optimization rules, firewall policies, and UTM protection” on
page 2003.

2004


Then you add WAN optimization rules that:


• match WAN traffic to be optimized that is accepted by a firewall policy according to
  source and destination addresses and destination port of the traffic
• add the WAN optimization techniques to be applied to the traffic.

To view the WAN optimization rule list, go to WAN Opt. & Cache > Rule > Rule.
Figure 339: WAN optimization rule list

Create New
    Add a new WAN optimization rule. New rules are added to the bottom of the list.
Status
    Select to enable a rule or clear to disable a rule. A disabled rule is out of service.
ID
    The rule identifier. Rules are numbered in the order they are added to the rule
    list.
Source
    The source address or address range that the rule matches. For more
    information, see “WAN optimization address formats” on page 2007.
Destination
    The destination address or address range that the rule matches. For more
    information, see “WAN optimization address formats” on page 2007.
Port
    The destination port number or port number range that the rule matches.
Method
    Indicates whether you have selected byte caching in the WAN optimization rule.
Auto-Detect
    Indicates whether the rule is an active (client) rule, a passive (server) rule or if
    auto-detect is off. If auto-detect is off, the rule can be peer-to-peer or Web Cache
    Only.
Protocol
    The protocol optimization WAN optimization technique applied by the rule. For
    more information, see “Protocol optimization” on page 1990.
Peer
    For a peer-to-peer rule, the name of the peer WAN optimizer at the other end of
    the link.
Mode
    Indicates whether the rule applies Full Optimization or Web Cache Only.
SSL
    Indicates whether the rule is configured for SSL offloading.
Secure Tunnel
    Indicates whether the rule is configured to use a secure WAN optimization tunnel.
Delete icon
    Delete a rule from the list.
Edit icon
    Edit a rule.
Insert WAN Optimization Rule Before icon
    Add a new rule above the corresponding rule (the New rule screen appears).
Move To icon
    Move the corresponding rule before or after another rule in the list. For more
    information, see “How list order affects rule matching” on page 2006 and
    “Moving a rule to a different position in the rule list” on page 2007.

2005

How list order affects rule matching
Similar to firewall policies, you add WAN optimization rules to the WAN optimization rule
list. The FortiGate unit uses the first-matching technique to select the WAN optimization
rule to apply to a communication session.
When WAN optimization rules have been added, each time the FortiGate firewall accepts
a communication session, it then searches the WAN optimization rule list for a matching
rule. The search begins at the top of the rule list and progresses in order towards the
bottom. Each rule in the rule list is compared with the communication session until a
match is found. When the FortiGate unit finds the first matching rule, it applies that rule’s
specified WAN optimization features to the session and disregards subsequent rules.
Matching rules are determined by comparing the rule with the session source, destination
addresses and destination port.
If no WAN optimization rule matches, the session is processed according to the firewall
policy that originally accepted the session.
As a general rule, you should order the WAN optimization rule list from most specific to
most general because of the order in which rules are evaluated for a match, and because
only the first matching rule is applied to a session. Subsequent possible matches are not
considered or applied. Ordering rules from most specific to most general prevents rules
that match a wide range of traffic from superseding and effectively masking rules that
match exceptions.
For example, you might have a general WAN optimization rule that applies WAN
optimization features but does not apply secure tunneling to most WAN traffic; however,
you want to apply secure tunneling to FTP traffic (FTP traffic uses port 21). In this case,
you would add a rule that creates a secure tunnel for FTP sessions above the general
rule.
Figure 340: Example: secure tunneling for FTP — correct rule order (the Exception rule
is listed above the General rule)

FTP sessions (using port 21) would immediately match the secure tunnel rule. Other kinds
of services would not match the FTP rule, so rule evaluation would continue until the
search reaches the matching general rule. This rule order has the intended effect. But if
you reversed the order of the two rules, positioning the general rule before the FTP rule,
all sessions, including FTP, would immediately match the general rule, and the rule to
secure FTP would never be applied. This rule order would not have the intended effect.
Figure 341: Example: secure tunneling for FTP — incorrect rule order (the General rule
is listed above the Exception rule)

Similarly, if specific traffic requires exceptional WAN optimization rule settings, you would
position those rules above other potential matches in the rule list. Otherwise, the other
matching rules would take precedence, and the required exceptional settings might never
be used.
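The first-match search and the FTP example above, as an added Python illustration (this is not FortiOS code; the rule and session values are constructed, and a rule carries only the three fields the matcher compares plus the secure-tunnel flag). It goes a step beyond the text: `shadowed_rules` flags any rule whose source, destination and port range are all contained in an earlier rule, which is exactly the "incorrect order" condition, and `move_rule` mirrors the `move <id> before|after <id>` reordering without changing rule IDs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class WanOptRule:
    """Matching fields of a WAN optimization rule, plus the one feature tracked here."""
    rule_id: int            # ID: creation order, unchanged when the rule is moved
    source: str             # source address in x.x.x.x/x form
    destination: str        # destination address in x.x.x.x/x form
    ports: tuple            # (low, high) destination port range, inclusive
    secure_tunnel: bool = False
    comment: str = ""


@dataclass(frozen=True)
class Session:
    """A session already accepted by a firewall policy (constructed sample data)."""
    src: str
    dst: str
    dport: int


def rule_matches(rule, session):
    """A rule matches on source address, destination address and destination port."""
    src = ipaddress.ip_address(session.src)
    dst = ipaddress.ip_address(session.dst)
    return (
        src in ipaddress.ip_network(rule.source, strict=False)
        and dst in ipaddress.ip_network(rule.destination, strict=False)
        and rule.ports[0] <= session.dport <= rule.ports[1]
    )


def first_match(rule_list, session):
    """Top-down search: the first matching rule wins and later rules are never consulted."""
    for rule in rule_list:
        if rule_matches(rule, session):
            return rule
    return None  # no rule: the session keeps the treatment of its firewall policy


def shadowed_rules(rule_list):
    """(shadowed_id, shadowing_id) pairs: rules an earlier rule fully covers can never match."""
    found = []
    for i, later in enumerate(rule_list):
        for earlier in rule_list[:i]:
            src_ok = ipaddress.ip_network(later.source, strict=False).subnet_of(
                ipaddress.ip_network(earlier.source, strict=False))
            dst_ok = ipaddress.ip_network(later.destination, strict=False).subnet_of(
                ipaddress.ip_network(earlier.destination, strict=False))
            port_ok = earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]
            if src_ok and dst_ok and port_ok:
                found.append((later.rule_id, earlier.rule_id))
                break
    return found


def move_rule(rule_list, rule_id, position, target_id):
    """Reorder like `move <rule_id> before|after <target_id>`; IDs stay as they are."""
    if position not in ("before", "after"):
        raise ValueError("position must be 'before' or 'after'")
    moving = next(r for r in rule_list if r.rule_id == rule_id)
    rest = [r for r in rule_list if r.rule_id != rule_id]
    index = next(i for i, r in enumerate(rest) if r.rule_id == target_id)
    rest.insert(index if position == "before" else index + 1, moving)
    return rest


# Constructed sample: the FTP exception (rule 2, added after the general rule 1).
FTP_RULE = WanOptRule(2, "0.0.0.0/0", "0.0.0.0/0", (21, 21), secure_tunnel=True,
                      comment="exception: secure tunnel for FTP")
GENERAL_RULE = WanOptRule(1, "0.0.0.0/0", "0.0.0.0/0", (1, 65535), comment="general")
CORRECT_ORDER = [FTP_RULE, GENERAL_RULE]
INCORRECT_ORDER = [GENERAL_RULE, FTP_RULE]

FTP_SESSION = Session("10.1.1.5", "172.30.120.50", 21)
HTTP_SESSION = Session("10.1.1.5", "172.30.120.50", 80)

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT_ORDER), ("incorrect", INCORRECT_ORDER)):
        hit = first_match(rules, FTP_SESSION)
        print(name, "order: FTP session matches rule", hit.rule_id,
              "secure tunnel:", hit.secure_tunnel)
        print(name, "order: shadowed rules:", shadowed_rules(rules))
    fixed = move_rule(INCORRECT_ORDER, 2, "before", 1)
    print("after `move 2 before 1`:", [r.rule_id for r in fixed])
```

Running `shadowed_rules` over a rule list before committing a reorder is the quick check for the masking problem the text warns about: an empty result means every rule is reachable by at least some session.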

2006


Moving a rule to a different position in the rule list
You can arrange the WAN optimization rule list to influence the order in which rules are
evaluated for matches with incoming traffic. When more than one rule has been defined,
the first matching rule will be applied to the traffic session. For more information, see “How
list order affects rule matching” on page 2006.
Moving a rule in the rule list does not change its ID, which only indicates the order in which
the rule was created.
To move a rule in the WAN optimization rule list - web-based manager
1 Go to WAN Opt & Cache > Rule > Rule.
2 In the rule list, note the ID of a rule that is before or after your intended destination.
3 In the row corresponding to the rule that you want to move, select the Move To icon.
4 Select Before or After, and enter the ID of the rule that is before or after your intended
destination. This specifies the rule’s new position in the WAN optimization rule list.
5 Select OK.
To move a rule in the WAN optimization rule list - CLI
1 Use the following command to move a WAN optimization rule with ID 34 above the rule
in the rule list with ID 10.
    config wanopt rule
        move 34 before 10
    end
2 Use the following command to move a WAN optimization rule with ID 5 after the rule in
the rule list with ID 1.
    config wanopt rule
        move 5 after 1
    end

WAN optimization address formats
A WAN optimization source or destination address can contain one or more network
addresses. Network addresses can be represented by an IP address with a netmask or an
IP address range.
When representing hosts by an IP address with a netmask, the IP address can represent
one or more hosts. For example, a source or destination address can be:


• a single computer, for example, 192.45.46.45
• a subnetwork, for example, 192.168.1.* for a class C subnet
• 0.0.0.0, matches any IP address.

The netmask corresponds to the subnet class of the address being added, and can be
represented in either dotted decimal or CIDR format. The FortiGate unit automatically
converts CIDR-formatted netmasks to dotted decimal format. Example formats:


• netmask for a single computer: 255.255.255.255, or /32
• netmask for a class A subnet: 255.0.0.0, or /8
• netmask for a class B subnet: 255.255.0.0, or /16
• netmask for a class C subnet: 255.255.255.0, or /24
• netmask including all IP addresses: 0.0.0.0

2007

Valid IP address and netmask formats include:


• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24

Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid source or
destination address.

When representing hosts by an IP range, the range indicates hosts with continuous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the
complete range of hosts on that subnet. You can also indicate the complete range of hosts
on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255. Valid IP range
formats include:


• x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example, 192.168.110.[100-120]
• x.x.x.*, for a complete subnet, for example: 192.168.110.*
• x.x.x.[0-255] for a complete subnet, such as 192.168.110.[0-255]
• x.x.x.0-x.x.x.255 for a complete subnet, such as 192.168.110.0-192.168.110.255

Note: You cannot use square brackets [] or asterisks * when adding addresses to the CLI.
Instead you must enter the start and end addresses of the subnet range separated by a
dash -. For example, 192.168.20.0-192.168.20.255 for a complete subnet and
192.168.10.10-192.168.10.100 for a range of addresses.
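A parser for the address formats listed in this section, as an added Python example (not FortiOS code). It reduces every format to an inclusive start-end pair, rewrites any format into the dash-separated form the note says the CLI accepts, rejects 0.0.0.0 with a /32 mask as the note requires, and adds a `covers()` check for the rule in the next section that a passive rule's source or destination range must include the ranges of the active rules it serves. The sample addresses are the ones this section quotes; treating a bare address as a single host and a bare 0.0.0.0 as "any" follows the wording above.

```python
import ipaddress
import re

_BRACKET = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")
_STAR = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\*$")


def _last_octet_range(prefix, low, high):
    """x.x.x.[low-high] as an inclusive (start, end) pair of integers."""
    if not 0 <= low <= high <= 255:
        raise ValueError("last-octet range %d-%d is out of order or outside 0-255" % (low, high))
    start = int(ipaddress.IPv4Address("%s.%d" % (prefix, low)))
    return start, start + (high - low)


def parse_address(text):
    """Parse a WAN optimization address into an inclusive (start, end) pair of integers.

    Accepts x.x.x.x, x.x.x.x/x.x.x.x, x.x.x.x/x, x.x.x.x-x.x.x.x, x.x.x.[x-x]
    and x.x.x.*; a bare 0.0.0.0 matches any address.
    """
    text = text.strip()
    m = _BRACKET.match(text)
    if m:
        return _last_octet_range(m.group(1), int(m.group(2)), int(m.group(3)))
    m = _STAR.match(text)
    if m:
        return _last_octet_range(m.group(1), 0, 255)
    if "-" in text:
        # Start and end address; spaces around the dash are tolerated.
        first, last = (part.strip() for part in text.split("-", 1))
        start, end = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if start > end:
            raise ValueError("range %s is out of order" % text)
        return start, end
    if "/" in text:
        # ipaddress accepts both a dotted-decimal mask and a CIDR prefix length here.
        net = ipaddress.IPv4Network(text, strict=False)
        if net.prefixlen == 32 and int(net.network_address) == 0:
            raise ValueError("0.0.0.0 with netmask 255.255.255.255 is not a valid address")
        return int(net.network_address), int(net.broadcast_address)
    single = int(ipaddress.IPv4Address(text))
    if single == 0:
        return 0, 2 ** 32 - 1  # 0.0.0.0 on its own matches any IP address
    return single, single


def to_cli(text):
    """Rewrite an address in the start-end form the CLI requires (no [] or * there)."""
    start, end = parse_address(text)
    if start == end:
        return str(ipaddress.IPv4Address(start))
    return "%s-%s" % (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))


def covers(outer, inner):
    """True if `outer` includes every address of `inner` (passive vs. active rule check)."""
    o_start, o_end = parse_address(outer)
    i_start, i_end = parse_address(inner)
    return o_start <= i_start and i_end <= o_end


if __name__ == "__main__":
    # Constructed samples taken from the format list above.
    for sample in ("192.45.46.45", "192.168.1.*", "192.168.1.0/255.255.255.0",
                   "192.168.1.0/24", "192.168.110.[100-120]",
                   "192.168.110.0 -192.168.110.255", "0.0.0.0"):
        print("%-32s -> %s" % (sample, to_cli(sample)))
    print("passive 192.168.110.* covers active 192.168.110.[100-120]:",
          covers("192.168.110.*", "192.168.110.[100-120]"))
```

Because every format ends up as the same integer pair, `covers()` compares a passive rule written as `192.168.110.*` in the web-based manager with an active rule entered as `192.168.110.100-192.168.110.120` in the CLI without any special casing.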

Configuring WAN optimization rules
This section describes all the details that you can configure for the WAN optimization
rules. The options available depend on how you configure a specific rule. The conditions
are noted.
To add a WAN optimization rule - web-based manager
1 Go to WAN Opt. & Cache & gt; Rule & gt; Rule and select Create New.
2 Configure the WAN optimization rule, using the guidance in the following table, and
select OK.
Mode
    Select Full Optimization to add a rule that can apply all WAN optimization
    features.
    Select Web Cache Only to add a rule that just applies web caching. If you
    select Web Cache Only, you can configure the source and destination address
    and port for the rule. You can also select Transparent Mode and Enable SSL.
Source
    Enter an IP address, followed by a forward slash (/), then subnet mask, or enter
    an IP address range separated by a hyphen. For more information, see “WAN
    optimization address formats” on page 2007.
    Only packets whose source address header contains an IP address matching
    this IP address or address range will be accepted by and subject to this rule.
    For a passive rule, the server (passive) source address range should be
    compatible with the source addresses of the matching client (active) rule. To
    match one passive rule with many active rules, the passive rule source address
    range should include the source addresses of all of the active rules.

2008

Destination
    Enter an IP address, followed by a forward slash (/), then subnet mask, or enter
    an IP address range separated by a hyphen. For more information, see “WAN
    optimization address formats” on page 2007.
    Only a packet whose destination address header contains an IP address
    matching this IP address or address range will be accepted by and subject to
    this rule.
    Tip: For a Web Cache Only rule, if you set Destination to 0.0.0.0, the rule
    caches web pages on the Internet or any network.
    For a passive rule, the server (passive) destination address range should be
    compatible with the destination addresses of the matching client (active) rule.
    To match one passive rule with many active rules, the passive rule destination
    address range should include the destination addresses of all of the active
    rules.

Port

Enter a single port number or port number range. Only packets whose
destination port number matches this port number or port number range will be
accepted by and subject to this rule.
For a passive rule, the server (passive) port range should be compatible with
the port range of the matching client (active) rule. To match one passive rule
with many active rules, the passive rule port range should include the port
ranges of all of the active rules.

Auto-Detect

Available only if Mode is set to Full Optimization.
Specify whether the rule is Active (client), Passive (server) or if Auto-Detect is
Off. If Auto-Detect is Off, the rule is a peer-to-peer rule.
• For an Active (client) rule, you must select all of the WAN optimization
features to be applied by the rule. You can select the protocol to optimize,
transparent mode, byte caching, SSL offloading, secure tunneling, and an
authentication group.
• A Passive (server) rule uses the settings in the active rule on the client
FortiGate unit to apply WAN optimization settings. You can also select web
caching for a passive rule.
• If Auto-Detect is Off, the rule must include all required WAN optimization
features and you must select a Peer for the rule. Select this option to
configure peer-to-peer WAN optimization where this rule can start a WAN
optimization tunnel with this peer only.

Protocol

Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off
or Active.
Select CIFS, FTP, HTTP, or MAPI to apply protocol optimization for one of
these protocols. For information about protocol optimization, see “Protocol
optimization” on page 1990.
Select TCP if the WAN optimization tunnel accepts sessions that use more
than one protocol or that do not use the CIFS, FTP, HTTP, or MAPI protocol.

Peer

Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off.
Select the peer host ID of the peer that this peer-to-peer WAN optimization rule
will start a WAN optimization tunnel with. You can also select [Create New...]
from the list to add a new peer.

Enable Web
Cache

Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off
or Passive. If Auto-Detect is set to Off, then Protocol must be set to HTTP.
Select to apply WAN optimization web caching to the sessions accepted by this
rule. For more information, see “Web caching” on page 2031.

Transparent
Mode

Available only if Mode is set to Full Optimization and Auto-Detect is set to
Active or Off, or if Mode is set to Web Cache Only.
Servers receiving packets after WAN optimization “see” different source
addresses depending on whether or not you select Transparent Mode.
For more information, see “WAN optimization transparent mode” on page 2004.

Enable Byte
Caching

Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off
or Active.
Select to apply WAN optimization byte caching to the sessions accepted by this
rule. For more information, see “Byte caching” on page 1991.

Enable SSL
    Available only if Auto-Detect is set to Active or Off.
    Select to apply SSL offloading for HTTPS traffic. You can use SSL offloading to
    offload SSL encryption and decryption from one or more HTTP servers to the
    FortiGate unit. If you enable this option, you must configure the rule to accept
    SSL-encrypted traffic. For example, you can configure the rule to accept
    HTTPS traffic by setting Port to 443.
    If you enable SSL offloading, you must also use the CLI command config
    wanopt ssl-server to add an SSL server for each HTTP server that you
    want to offload SSL encryption/decryption for. For more information, see “SSL
    offloading for WAN optimization and web caching” on page 2069.
    Note that with SSL offloading the FortiGate unit terminates the HTTPS session on
    the server's behalf, so it must hold that server's certificate and private key;
    treat the FortiGate configuration with the same care as the server's own key store.
Enable Secure Tunnel
    Available only if Mode is set to Full Optimization, and Auto-Detect is set to
    Active or Off.
    If you select Enable Secure Tunnel, the WAN optimization tunnel is encrypted
    using SSL encryption. You must also add an authentication group to the rule.
    Without this option the WAN optimization tunnel carries the optimized traffic
    across the WAN unencrypted. For more information, see “Secure tunneling” on
    page 2002.
Authentication Group
    Available only if Mode is set to Full Optimization, and Auto-Detect is set to
    Active or Off.
    Select this option and select an authentication group from the list if you want
    groups of FortiGate units to authenticate with each other before starting the
    WAN optimization tunnel. You must also select an authentication group if you
    select Enable Secure Tunnel.
    You must add identical authentication groups to both of the FortiGate units that
    will participate in the WAN optimization tunnel started by the rule. For more
    information, see “Configuring authentication groups” on page 2000.

To add a WAN optimization rule - CLI
Using the guidance in the previous table, enter the following commands. For more
information, see the wanopt and rules listings in the FortiGate CLI Reference.
    config wanopt rule
        edit <index_int>
            set auth-group <auth_group_name>
            set auto-detect {active | off | passive}
            set byte-caching {disable | enable}
            set dst-ip <address_ipv4> [-<address_ipv4>]
            set mode {full | webcache-only}
            set peer <peer_name>
            set port <port_int> [-<port_int>]
            set proto {cifs | ftp | http | mapi | tcp}
            set secure-tunnel {disable | enable}
            set src-ip <address_ipv4> [-<address_ipv4>]
            set ssl {disable | enable}
            set status {disable | enable}
            set transparent {disable | enable}
            set tunnel-non-http {disable | enable}
            set tunnel-sharing {express-shared | private | shared}
            set unknown-http-version {best-effort | reject | tunnel}
            set webcache {disable | enable}
    end

Processing non-HTTP sessions accepted by an HTTP rule
From the CLI, use the tunnel-non-http keyword of the config wanopt rule
command to configure how to process non-HTTP sessions when a rule configured to
accept and optimize HTTP traffic accepts a non-HTTP session. This can occur if an
application sends non-HTTP sessions using an HTTP destination port.


You can set tunnel-non-http to disable to drop non-HTTP sessions accepted by the
rule or you can set it to enable to pass non-HTTP sessions through the tunnel without
applying protocol optimization, byte-caching, or web caching. In this case, the FortiGate
unit applies TCP protocol optimization to non-HTTP sessions.

Processing unknown HTTP sessions
Unknown HTTP sessions are HTTP sessions that do not comply with HTTP 0.9, 1.0, or
1.1. From the CLI, use the unknown-http-version keyword of the config wanopt
rule command to specify how a rule handles such HTTP sessions.
You can select best-effort to assume that all HTTP sessions accepted by the rule
comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, WAN
optimization may not parse it correctly. As a result, the FortiGate unit may stop forwarding
the session and the connection may be lost.
You can select reject to reject HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.
You can also select tunnel to pass HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1,
but without applying HTTP protocol optimization, byte-caching, or web caching. TCP
protocol optimization is applied to these HTTP sessions.


WAN optimization configuration examples
This chapter provides the following basic examples to illustrate WAN optimization
configurations introduced in the previous chapters:
• Example: Basic peer-to-peer WAN optimization configuration
• Example: Active-passive WAN optimization
• Example: Adding secure tunneling to an active-passive WAN optimization
  configuration

Example: Basic peer-to-peer WAN optimization configuration
Peer-to-peer WAN optimization is the simplest WAN optimization configuration. In a
peer-to-peer configuration the WAN optimization tunnel can be set up only between one
client-side FortiGate unit and one server-side FortiGate unit named in the WAN optimization
rule added to the client-side FortiGate unit. When the client-side FortiGate unit initiates a
tunnel with the server-side FortiGate unit, the packets that initiate the tunnel include extra
information so that this server-side FortiGate unit can determine that it is a peer-to-peer
tunnel request. This extra information is required because the server-side FortiGate unit
does not require a WAN optimization rule; you just need to add the client peer host ID and
IP address to the server-side FortiGate unit peer list.
The extra information in the communication session plus the peer list entry allow the
server-side FortiGate unit to set up the WAN optimization tunnel with the client-side
FortiGate unit by using only the settings on the client-side WAN optimization rule.
Note: Traffic shaping is ignored for peer-to-peer WAN optimization.

In a peer-to-peer WAN optimization configuration you create a peer-to-peer WAN
optimization rule on the client-side FortiGate unit with Auto-Detect set to Off and include
the peer host ID of the server-side FortiGate unit. Using this rule, the client-side FortiGate
unit can create a WAN optimization tunnel only with the peer that is added to the rule.
You do not have to add a rule to the server-side FortiGate unit. But the server-side
FortiGate unit peer list must include the Peer Host ID and IP address of the client
FortiGate unit. The server-side FortiGate unit uses the WAN optimization settings in the
client-side rule. Unless the rule also includes an authentication group, the server-side
FortiGate unit accepts the tunnel request on the basis of the peer host ID and source IP
address in its peer list alone, and the tunnel is not encrypted unless Enable Secure Tunnel
is selected in the client-side rule.

Network topology and assumptions
This example configuration includes a client-side FortiGate unit called Peer_Fgt_1 with a
WAN IP address of 172.20.34.12. This unit is in front of a network with IP address
172.20.120.0. The server-side FortiGate unit is called Peer_Fgt_2 with a WAN IP address
of 192.168.30.12. This unit is in front of a web server network with IP address
192.168.10.0.

Figure 342: Example peer-to-peer topology
[Figure: the client network 172.20.120.0 sits behind the WAN optimization client
(Local Host ID: Peer_Fgt_1, WAN IP address 172.20.34.12). Across the WAN, the WAN
optimization server (Local Host ID: Peer_Fgt_2, WAN IP address 192.168.30.12) sits in
front of the web server network 192.168.10.0.]

General configuration steps
This section breaks down the configuration for this example into smaller procedures. For
best results, follow the procedures in the order given:
1 Configure the client-side FortiGate unit by adding peers, a firewall policy that
accepts traffic to be optimized, and the peer-to-peer WAN optimization rule.
2 Configure the server-side FortiGate unit by adding peers.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.

Configuring basic peer-to-peer WAN optimization - web-based manager
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit web-based manager. (CLI steps follow.)
To configure the client-side FortiGate unit and firewall policy
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the client-side
FortiGate unit:
Local Host ID               Peer_Fgt_1
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the server-side
FortiGate unit:
Peer Host ID                Peer_Fgt_2
IP Address                  192.168.30.12
4 Select OK.
5 Go to Firewall > Policy > Policy and add a firewall policy to the client-side FortiGate
unit that accepts traffic to be optimized:
Source Interface/Zone       port1
Source Address              all
Destination Interface/Zone  port2
Destination Address         all
Schedule                    always
Service                     ANY
Action                      ACCEPT


6 Go to WAN Opt. & Cache > Rule > Rule and select Create New.
7 Configure the rule:
Mode                        Full Optimization
Source                      172.20.120.*
Destination                 192.168.10.*
Port                        1-65535
Auto-Detect                 Off
Protocol                    MAPI
Peer                        Peer_Fgt_2
Transparent Mode            Select
Enable Byte Caching         Select
8 Select OK.
The rule is added to the bottom of the WAN optimization list.
9 If required, move the rule to a different position in the list so that the rule accepts the
required MAPI sessions. Depending on your rule list configuration, this may involve
moving the rule above more general rules that would also match MAPI traffic.
For more information, see “How list order affects rule matching” on page 2006 and
“Moving a rule to a different position in the rule list” on page 2007.
To configure the server-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the server-side
FortiGate unit:
Local Host ID               Peer_Fgt_2
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the client-side
FortiGate unit:
Peer Host ID                Peer_Fgt_1
IP Address                  172.20.34.12
4 Select OK.

Configuring basic peer-to-peer WAN optimization - CLI
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit CLI.
To configure the client-side FortiGate unit and firewall policy
1 Add the Local Host ID to the client-side FortiGate configuration:
    config wanopt settings
        set host-id Peer_Fgt_1
    end
2 Add the server-side Local Host ID to the client-side peer list:
    config wanopt peer
        edit Peer_Fgt_2
            set ip 192.168.30.12
    end

3 Add a firewall policy to the client-side FortiGate unit to accept the traffic to be
optimized:
    config firewall policy
        edit 23
            set srcintf port1
            set dstintf port2
            set srcaddr all
            set dstaddr all
            set action accept
            set service ANY
            set schedule always
        next
    end
4 Add the following peer-to-peer rule:
    config wanopt rule
        edit 2
            set src-ip 172.20.120.0-172.20.120.255
            set dst-ip 192.168.10.0-192.168.10.255
            set port 1-65535
            set proto mapi
            set peer Peer_Fgt_2
    end
Accept default settings for auto-detect (off), transparent (enable), status
(enable), mode (full), byte-caching (enable), ssl (disable),
secure-tunnel (disable), auth-group (null), unknown-http-version
(tunnel), and tunnel-non-http (disable).
5 If required, use the move command to change the order of the rules in the list so that
the rule accepts the required MAPI sessions. Depending on your rule list configuration,
this may involve moving the rule above more general rules that would also match MAPI
traffic.
For more information, see “How list order affects rule matching” on page 2006 and
“Moving a rule to a different position in the rule list” on page 2007.
To configure the server-side FortiGate unit
1 Add the Local Host ID to the server-side FortiGate configuration:
    config wanopt settings
        set host-id Peer_Fgt_2
    end
2 Add the client-side Local Host ID to the server-side peer list, using the WAN IP address
of the client-side FortiGate unit (172.20.34.12 in this example):
    config wanopt peer
        edit Peer_Fgt_1
            set ip 172.20.34.12
    end


Testing and troubleshooting the configuration
To test the configuration, attempt to start a web browsing session between the user
network and the web server network. For example, from a PC on the user network browse
to the IP address of a web server on the web server network, for example
http://192.168.10.100. Even though this address is not on the user network you should be
able to connect to this web server over the WAN optimization tunnel.
Note that the rule added in this example selects MAPI protocol optimization. If you test
with HTTP as described here, set Protocol to HTTP in the rule (or to TCP if the tunnel is to
carry several protocols) so that HTTP sessions receive HTTP protocol optimization and the
monitor reports HTTP as the optimized protocol.
If you can connect, check WAN optimization monitoring (go to WAN Opt. & Cache >
Monitor > Monitor). If WAN optimization has been forwarding the traffic the WAN
optimization monitor should show the protocol that has been optimized (in this case
HTTP) and the reduction rate in WAN bandwidth usage.
If you can't connect you can try the following to diagnose the problem:
• Review your configuration and make sure all details such as address ranges, peer
  names, and IP addresses are correct.
• Confirm that the firewall policy on the client-side FortiGate unit is accepting traffic for
  the 192.168.10.0 network and that this firewall policy does not include UTM options.
  You can do this by checking the FortiGate session table from the dashboard. Look for
  sessions that use the policy ID of this policy.
• Check routing on the FortiGate units and on the user and web server networks to make
  sure packets can be forwarded as required. The FortiGate units must be able to
  communicate with each other, routing on the user network must allow packets destined
  for the web server network to be received by the client-side FortiGate unit, and packets
  from the server-side FortiGate unit must be able to reach the web servers.

You can use the following get and diagnose commands to display information about
how WAN optimization is operating. The sample output shown here was captured from a
configuration that uses the peer name Web_servers, so the peer names and addresses
differ from those in this example.
Enter the following command on the client-side FortiGate unit to display WAN optimization
tunnel protocol statistics. The http tunnel and tcp tunnel parts of the command output
below show that WAN optimization has been processing HTTP and TCP packets.
    get test wad 11
    wad tunnel protocol stats:
    http tunnel
        bytes_in=1751767 bytes_out=325468
    ftp tunnel
        bytes_in=0 bytes_out=0
    cifs tunnel
        bytes_in=0 bytes_out=0
    mapi tunnel
        bytes_in=0 bytes_out=0
    tcp tunnel
        bytes_in=3182253 bytes_out=200702
    maintenance tunnel
        bytes_in=11800 bytes_out=15052
Enter the following command to display the current WAN optimization peers. You can use
this command to make sure all peers are configured correctly. The command output for
the client-side FortiGate unit shows one peer with IP address 192.168.20.1, peer name
Web_servers, and with 10 active tunnels.
    get test wad 26
    peer name=Web_servers ip=192.168.20.1 vd=0 version=1
    tunnels(active/connecting/failover)=10/0/0
    sessions=0 n_retries=0 version_valid=true


Enter the following command to list all of the running WAN optimization tunnels and
display information about each one. The command output for the client-side FortiGate unit
shows 10 tunnels all created by peer-to-peer WAN optimization rules (auto-detect set to
off).
diagnose wad tunnel list
Tunnel: id=100 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=100 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=348 bytes_out=384
Tunnel: id=99 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=99 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=348 bytes_out=384
Tunnel: id=98 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=98 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=348 bytes_out=384
Tunnel: id=39 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=39 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=1068 bytes_out=1104
Tunnel: id=7 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=7 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnel: id=8 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=8 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnel: id=5 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=5 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnel: id=4 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=4 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264


Tunnel: id=1 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=1 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnel: id=2 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=2 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnels total=10 manual=10 auto=0
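Every tunnel in the listing above reports SSL-secured-tunnel=no and an empty auth-grp, which is what a peer-to-peer rule without Enable Secure Tunnel or an authentication group produces: the optimized traffic crosses the WAN in the clear and the peers are identified only by host ID and IP address. The following Python script is an added example, not part of the handbook or FortiOS. It parses the text format of diagnose wad tunnel list as shown above (the record layout and field names are taken from that output; the sample text embedded in the script is constructed, not captured from a unit) and flags tunnels that are neither SSL-secured nor bound to an authentication group, so the check can be run over saved CLI output as part of a configuration audit.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format of `diagnose wad tunnel list` (not captured from
# a real unit): one unprotected manual tunnel and one SSL-secured auto tunnel.
SAMPLE_OUTPUT = """\
Tunnel: id=100 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=100 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp=
bytes_in=348 bytes_out=384
Tunnel: id=7 type=auto
vd=0 shared=yes uses=2 state=3
peer name=Web_servers id=7 ip=192.168.30.12
SSL-secured-tunnel=yes auth-grp=Secure_grp
bytes_in=1228 bytes_out=1264
Tunnels total=2 manual=1 auto=1
"""


@dataclass
class Tunnel:
    tunnel_id: int
    tunnel_type: str          # manual (peer-to-peer rule) or auto (active-passive)
    peer: str
    peer_ip: str
    ssl_secured: bool
    auth_group: str
    bytes_in: int
    bytes_out: int

    @property
    def protected(self) -> bool:
        """Encrypted (Enable Secure Tunnel) and bound to an authentication group."""
        return self.ssl_secured and bool(self.auth_group)


KEY_VALUE = re.compile(r"([\w-]+)=(\S*)")


def _build(f: dict[str, str]) -> Tunnel:
    return Tunnel(
        tunnel_id=int(f["id"]),
        tunnel_type=f["type"],
        peer=f["peer"],
        peer_ip=f["ip"],
        ssl_secured=f["SSL-secured-tunnel"] == "yes",
        auth_group=f["auth-grp"],
        bytes_in=int(f["bytes_in"]),
        bytes_out=int(f["bytes_out"]),
    )


def parse_tunnel_list(text: str) -> list[Tunnel]:
    """Parse the tunnel records; the trailing 'Tunnels total=' summary ends the list."""
    tunnels: list[Tunnel] = []
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Tunnels total"):
            break
        if line.startswith("Tunnel:"):
            if fields is not None:
                tunnels.append(_build(fields))
            fields = {}
            line = line[len("Tunnel:"):]
        if fields is None:
            continue                      # text before the first record
        for key, value in KEY_VALUE.findall(line):
            # 'peer name=... id=...' repeats the id; setdefault keeps the tunnel id
            # from the 'Tunnel:' line and maps 'name' to the peer field.
            fields.setdefault("peer" if key == "name" else key, value)
    if fields is not None:
        tunnels.append(_build(fields))
    return tunnels


def unprotected_tunnels(tunnels: list[Tunnel]) -> list[int]:
    """Ids of tunnels that carry optimized traffic without SSL or peer authentication."""
    return [t.tunnel_id for t in tunnels if not t.protected]


def summarize_by_peer(tunnels: list[Tunnel]) -> dict[str, dict[str, int]]:
    """Per-peer tunnel count, unprotected count and byte totals."""
    summary: dict[str, dict[str, int]] = {}
    for t in tunnels:
        s = summary.setdefault(
            t.peer, {"tunnels": 0, "unprotected": 0, "bytes_in": 0, "bytes_out": 0})
        s["tunnels"] += 1
        s["unprotected"] += 0 if t.protected else 1
        s["bytes_in"] += t.bytes_in
        s["bytes_out"] += t.bytes_out
    return summary


if __name__ == "__main__":
    found = parse_tunnel_list(SAMPLE_OUTPUT)
    print(f"{len(found)} tunnels, unprotected ids: {unprotected_tunnels(found)}")
    for peer, stats in summarize_by_peer(found).items():
        print(peer, stats)
```

Feed it the saved output of diagnose wad tunnel list instead of SAMPLE_OUTPUT; a non-empty result from unprotected_tunnels means the corresponding rules should have Enable Secure Tunnel and an authentication group added, as the third example in this chapter shows.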

Example: Active-passive WAN optimization
In active-passive WAN optimization you add active WAN optimization rules on the
client-side FortiGate unit by setting WAN optimization Auto-Detect to Active. You configure
passive WAN optimization rules on the server-side FortiGate unit by setting WAN
optimization Auto-Detect to Passive.
You can add multiple active rules for one passive rule to optimize different protocols. Since
you do not configure the protocol in the passive rule, one passive rule can be used for
each of the active rules, provided its source, destination and port ranges include those of
every active rule. Adding fewer passive rules simplifies the WAN optimization
configuration.

Network topology and assumptions
This example configuration includes three active rules on the client-side FortiGate unit and
one passive rule on the server-side FortiGate unit. The active rules do the following:
• optimize CIFS traffic from IP addresses 172.20.120.100 to 172.20.120.200
• optimize HTTP traffic from IP addresses 172.20.120.100 to 172.20.120.150
• optimize FTP traffic from IP addresses 172.20.120.151 to 172.20.120.200.

You can do this by adding three active WAN optimization rules to the client-side FortiGate
unit, one for each protocol, with port set to 80 for the HTTP rule, 21 for the FTP rule and
1-65535 for the CIFS rule. Then you arrange the rules in the WAN optimization rule list
with the CIFS rule last, because the HTTP and FTP rules include single port numbers and
the CIFS rule, with its full port range and wider source range, would otherwise match the
HTTP and FTP sessions first.
Figure 343: Example active-passive WAN optimization topology
[Figure: the user network 172.20.120.100 to 172.20.120.200 sits behind the client-side
FortiGate unit (active rule, Local Host ID: User_net, WAN IP address 172.30.120.1).
Across the WAN, the server-side FortiGate unit (passive rule, Local Host ID: Web_servers,
WAN IP address 192.168.20.1) sits in front of the web server network 192.168.10.0.]


General configuration steps
This section breaks down the configuration for this example into smaller procedures. For
best results, follow the procedures in the order given:
1 Configure the client-side FortiGate unit by adding peers and a firewall policy that
accepts traffic to be optimized.
2 Add the active WAN optimization rules to the client-side FortiGate unit.
3 Configure the server-side FortiGate unit by adding peers and the passive rule.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.

Configuring basic active-passive WAN optimization - web-based manager
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit web-based manager. (CLI steps follow.)
To configure peers on the client-side FortiGate unit and add a firewall policy
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the client-side
FortiGate unit:
Local Host ID               User_net
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the server-side
FortiGate unit:
Peer Host ID                Web_servers
IP Address                  192.168.20.1
4 Select OK.
5 Go to Firewall > Policy > Policy and select Create New to add a firewall policy to the
client-side FortiGate unit to accept the traffic to be optimized:
Source Interface/Zone       port1
Source Address              all
Destination Interface/Zone  port2
Destination Address         all
Schedule                    always
Service                     ANY
Action                      ACCEPT

To add the active rules to the client-side FortiGate unit
1 Go to WAN Opt. & Cache > Rule > Rule.
2 Select Create New to add the active rule to optimize CIFS traffic from IP addresses
172.20.120.100 to 172.20.120.200:
Mode                        Full Optimization
Source                      172.20.120.[100-200]
Destination                 192.168.10.*
Port                        1-65535
Auto-Detect                 Active
Protocol                    CIFS
Transparent Mode            Select
Enable Byte Caching         Select
3 Select OK.
4 Select Create New to add the active rule to optimize HTTP traffic from IP addresses
172.20.120.100 to 172.20.120.150:
Mode                        Full Optimization
Source                      172.20.120.[100-150]
Destination                 192.168.10.*
Port                        80
Auto-Detect                 Active
Protocol                    HTTP
Transparent Mode            Select
Enable Byte Caching         Select
5 Select OK.
6 Select Create New to add the active rule to optimize FTP traffic from IP addresses
172.20.120.151 to 172.20.120.200:
Mode                        Full Optimization
Source                      172.20.120.[151-200]
Destination                 192.168.10.*
Port                        21
Auto-Detect                 Active
Protocol                    FTP
Transparent Mode            Select
Enable Byte Caching         Select
7 Select OK.
8 If required, use the Move To icon to change the order of the rules in the list so that the
HTTP and FTP rules are above the CIFS rule in the list. You may need to do this if you
have other WAN optimization rules in the list.
For more information, see “How list order affects rule matching” on page 2006 and
“Moving a rule to a different position in the rule list” on page 2007.
To configure the server-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the server-side
FortiGate unit:
Local Host ID               Web_servers
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the client-side
FortiGate unit:
Peer Host ID                User_net
IP Address                  172.30.120.1
4 Select OK.
5 Go to WAN Opt. & Cache > Rule > Rule and select Create New.
6 Add the passive rule. The source address matches the 172.20.120.100 to
172.20.120.200 IP address range and the 1-65535 port range, so it includes the source
and port ranges of all three active rules. You can also enable web caching for the HTTP
traffic:
Mode                        Full Optimization
Source                      172.20.120.[100-200]
Destination                 192.168.10.*
Port                        1-65535
Auto-Detect                 Passive
Enable Web Cache            Select
7 Select OK.
The rule is added to the bottom of the rule list.
8 If required, move the rule to a different position in the list so that the tunnel request
from the client-side FortiGate unit matches with this rule.
For more information, see “Moving a rule to a different position in the rule list” on
page 2007.


Configuring basic active-passive WAN optimization - CLI
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit CLI.
To configure peers on the client-side FortiGate unit and add a firewall policy
1 Add the Local Host ID to the client-side FortiGate configuration:
    config wanopt settings
        set host-id User_net
    end
2 Add the server-side Local Host ID to the client-side peer list:
    config wanopt peer
        edit Web_servers
            set ip 192.168.20.1
    end
3 Add a firewall policy to the client-side FortiGate unit to accept the traffic to be
optimized:
    config firewall policy
        edit 20
            set srcintf port1
            set dstintf port2
            set srcaddr all
            set dstaddr all
            set action accept
            set service ANY
            set schedule always
        next
    end
To add the active rules to the client-side FortiGate unit
1 Add the following active rule to optimize CIFS traffic for IP addresses 172.20.120.100
to 172.20.120.200:
    config wanopt rule
        edit 2
            set auto-detect active
            set src-ip 172.20.120.100-172.20.120.200
            set dst-ip 192.168.10.0-192.168.10.255
            set port 1-65535
            set proto cifs
    end
Accept default settings for transparent (enable), status (enable), mode (full),
byte-caching (enable), ssl (disable), secure-tunnel (disable),
auth-group (null), unknown-http-version (tunnel), and tunnel-non-http
(disable).
2 Add the following active rule to optimize HTTP traffic for IP addresses 172.20.120.100
to 172.20.120.150:
    config wanopt rule
        edit 3
            set auto-detect active
            set src-ip 172.20.120.100-172.20.120.150
            set dst-ip 192.168.10.0-192.168.10.255
            set port 80
    end
Accept default settings for transparent (enable), proto (http), status
(enable), mode (full), byte-caching (enable), ssl (disable),
secure-tunnel (disable), auth-group (null), unknown-http-version (tunnel), and
tunnel-non-http (disable).
3 Add the following active rule to optimize FTP traffic from IP addresses 172.20.120.151
to 172.20.120.200:
    config wanopt rule
        edit 4
            set auto-detect active
            set src-ip 172.20.120.151-172.20.120.200
            set dst-ip 192.168.10.0-192.168.10.255
            set port 21
            set proto ftp
    end
Accept default settings for transparent (enable), status (enable), mode (full),
byte-caching (enable), ssl (disable), secure-tunnel (disable),
auth-group (null), unknown-http-version (tunnel), and tunnel-non-http
(disable).
4 If required, use the move command to change the order of the rules in the list so that
the HTTP and FTP rules are above the CIFS rule in the list. You may need to do this if
you have other WAN optimization rules in the list.
For more information, see “How list order affects rule matching” on page 2006 and
“Moving a rule to a different position in the rule list” on page 2007.


To configure the server-side FortiGate unit
1 Add the Local Host ID to the server-side FortiGate configuration:
    config wanopt settings
        set host-id Web_servers
    end
2 Add the client-side Local Host ID to the server-side peer list, using the WAN IP address
of the client-side FortiGate unit (172.30.120.1 in this example):
    config wanopt peer
        edit User_net
            set ip 172.30.120.1
    end
3 Add the following passive rule to the server-side FortiGate unit. The CLI takes address
ranges as two addresses separated by a hyphen, not the [100-200] shorthand of the
web-based manager:
    config wanopt rule
        edit 5
            set auto-detect passive
            set src-ip 172.20.120.100-172.20.120.200
            set dst-ip 192.168.10.0-192.168.10.255
            set port 1-65535
            set webcache enable
    end
Accept default settings for status (enable) and mode (full).
4 If required, use the move command to move the rule to a different position in the list so
that the tunnel request from the client-side FortiGate unit matches with this rule.
For more information, see “Moving a rule to a different position in the rule list” on
page 2007.

Testing and troubleshooting the configuration
To test the configuration attempt to start a web browsing session between the user
network and the web server network. For example, from a PC on the user network browse
to the IP address of a web server on the web server network, for example
http://192.168.10.100. Even though this address is not on the user network you should be
able to connect to this web server over the WAN optimization tunnel.
If you can connect, check WAN optimization monitoring (go to WAN Opt. & Cache > Monitor > Monitor). If WAN optimization has been forwarding the traffic the WAN optimization monitor should show the protocol that has been optimized (in this case HTTP) and the reduction rate in WAN bandwidth usage.
If you can’t connect you can try the following to diagnose the problem:


• Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.
• Confirm that the firewall policy on the client-side FortiGate unit is accepting traffic for the 192.168.10.0 network and that this firewall policy does not include UTM options. You can do this by checking the FortiGate session table from the dashboard. Look for sessions that use the policy ID of this policy.
• Check routing on the FortiGate units and on the user and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the user network must allow packets destined for the web server network to be received by the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers, etc.
You can use the following get and diagnose commands to display information about how WAN optimization is operating.

Enter the following command to display WAN optimization tunnel protocol statistics. The http tunnel and tcp tunnel parts of the command output below show that WAN optimization has been processing HTTP and TCP packets.
get test wad 11
wad tunnel protocol stats:
http tunnel
bytes_in=1751767 bytes_out=325468
ftp tunnel
bytes_in=0 bytes_out=0
cifs tunnel
bytes_in=0 bytes_out=0
mapi tunnel
bytes_in=0 bytes_out=0
tcp tunnel
bytes_in=3182253 bytes_out=200702
maintenance tunnel
bytes_in=11800 bytes_out=15052
Enter the following command to display the current WAN optimization peers. You can use
this command to make sure all peers are configured correctly. The command output for
the client side FortiGate unit shows one peer with IP address 192.168.20.1, peer name
Web_servers, and with 10 active tunnels.
get test wad 26
peer name=Web_servers ip=192.168.20.1 vd=0 version=1
tunnels(active/connecting/failover)=10/0/0
sessions=0 n_retries=0 version_valid=true
Enter the following command to list all of the running WAN optimization tunnels and
display information about each one. The command output shows 3 tunnels all created by
peer-to-peer WAN optimization rules (auto-detect set to on).
diagnose wad tunnel list
Tunnel: id=139 type=auto
vd=0 shared=no uses=0 state=1
peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test
bytes_in=744 bytes_out=76
Tunnel: id=141 type=auto
vd=0 shared=no uses=0 state=1
peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test
bytes_in=727 bytes_out=76
Tunnel: id=142 type=auto
vd=0 shared=no uses=0 state=1
peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test
bytes_in=727 bytes_out=76
Tunnels total=3 manual=0 auto=3
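To read these outputs without eyeballing them, here is an added Python example (not Fortinet code) that parses the get test wad 11 and get test wad 26 output shown above and reports the checks the troubleshooting list asks for: whether the expected protocol has actually moved bytes through the tunnel, and whether the expected peer is present with the right IP address and active tunnels. The sample output is constructed in the shape shown on this page, and the function names are the example's own.

```python
import re

# Constructed samples, shaped like the 'get test wad 11' and 'get test wad 26'
# output on this page (not captured from a real unit).
WAD11_SAMPLE = """\
wad tunnel protocol stats:
http tunnel
bytes_in=1751767 bytes_out=325468
ftp tunnel
bytes_in=0 bytes_out=0
cifs tunnel
bytes_in=0 bytes_out=0
mapi tunnel
bytes_in=0 bytes_out=0
tcp tunnel
bytes_in=3182253 bytes_out=200702
maintenance tunnel
bytes_in=11800 bytes_out=15052
"""

WAD26_SAMPLE = """\
peer name=Web_servers ip=192.168.20.1 vd=0 version=1
tunnels(active/connecting/failover)=10/0/0
sessions=0 n_retries=0 version_valid=true
"""


def parse_tunnel_stats(text):
    """Map each '<proto> tunnel' block of 'get test wad 11' to (bytes_in, bytes_out)."""
    stats, proto = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = re.fullmatch(r"(\w+) tunnel", line)
        if head:
            proto = head.group(1)
            continue
        counters = re.fullmatch(r"bytes_in=(\d+) bytes_out=(\d+)", line)
        if counters and proto:
            stats[proto] = (int(counters.group(1)), int(counters.group(2)))
            proto = None
    return stats


def parse_peers(text):
    """Return one dict per peer from 'get test wad 26' output."""
    peers = []
    for line in text.splitlines():
        line = line.strip()
        peer = re.match(r"peer name=(\S+) ip=(\S+) vd=(\d+)", line)
        if peer:
            peers.append({"name": peer.group(1), "ip": peer.group(2),
                          "vd": int(peer.group(3)), "active": 0,
                          "connecting": 0, "failover": 0, "version_valid": False})
            continue
        tunnels = re.match(r"tunnels\(active/connecting/failover\)=(\d+)/(\d+)/(\d+)", line)
        if tunnels and peers:
            peers[-1].update(active=int(tunnels.group(1)),
                             connecting=int(tunnels.group(2)),
                             failover=int(tunnels.group(3)))
            continue
        valid = re.search(r"version_valid=(true|false)", line)
        if valid and peers:
            peers[-1]["version_valid"] = valid.group(1) == "true"
    return peers


def optimized_protocols(stats):
    """Protocols that have moved bytes; the maintenance tunnel is control traffic."""
    return sorted(p for p, (b_in, b_out) in stats.items()
                  if p != "maintenance" and (b_in or b_out))


def check_health(stats, peers, peer_name, peer_ip, proto):
    """List what an admin should chase; an empty list means the tunnel is working."""
    problems = []
    if proto not in optimized_protocols(stats):
        problems.append(f"no {proto} bytes in the tunnel: check the rule match, "
                        f"rule order and that the policy has no UTM options")
    peer = next((p for p in peers if p["name"] == peer_name), None)
    if peer is None:
        problems.append(f"peer {peer_name} is not in the peer list")
        return problems
    if peer["ip"] != peer_ip:
        problems.append(f"peer {peer_name} has IP {peer['ip']}, expected {peer_ip}")
    if peer["active"] == 0:
        problems.append(f"no active tunnels to {peer_name}"
                        + (" (still connecting)" if peer["connecting"] else ""))
    if not peer["version_valid"]:
        problems.append(f"peer {peer_name} reports version_valid=false")
    return problems


if __name__ == "__main__":
    s, p = parse_tunnel_stats(WAD11_SAMPLE), parse_peers(WAD26_SAMPLE)
    print(optimized_protocols(s), check_health(s, p, "Web_servers", "192.168.20.1", "http"))
```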


Example: Adding secure tunneling to an active-passive WAN optimization configuration
This example shows how to configure two FortiGate units for active-passive WAN
optimization with secure tunneling. The same authentication group is added to both
FortiGate units. The authentication group includes a password (or pre-shared key) and
has Peer Acceptance set to Accept any Peer. An active rule is added to the client-side
FortiGate unit and a passive rule to the server-side FortiGate unit. The active rule uses
secure tunneling, optimizes HTTP traffic, and uses Transparent Mode and byte caching.
The authentication group is named Auth_Secure_Tunnel and the password for the pre-shared key is 2345678. The topology for this example is shown in Figure 344. This example includes web-based manager configuration steps followed by equivalent CLI configuration steps. For information about secure tunneling, see “Secure tunneling” on page 2002.

Network topology and assumptions
This example configuration includes a client-side FortiGate unit called User_net with a WAN IP address of 172.30.120.1. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Web_servers and has a WAN IP address of 192.168.20.1. This unit is in front of a web server network with IP address 192.168.10.0.
Figure 344: Example active-passive WAN optimization and secure tunneling topology
[Figure: user network 172.20.120.0; client-side FortiGate unit (active rule), Local Host ID User_net, WAN IP address 172.30.120.1; WAN; server-side FortiGate unit (passive rule), Local Host ID Web_servers, WAN IP address 192.168.20.1; web server network 192.168.10.0]

General configuration steps
This section breaks down the configuration for this example into smaller procedures. For
best results, follow the procedures in the order given:
1 Configure the client-side FortiGate unit by adding peers and a firewall policy that
accepts traffic to be optimized.
2 Add an authentication group and WAN optimization rule to the client-side FortiGate
unit.
3 Configure peers on the server-side FortiGate unit.
4 Add the same authentication group and add a WAN optimization rule to the server-side
FortiGate unit.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.


Configuring WAN optimization with secure tunneling - web-based manager
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit web-based manager. (CLI steps follow.)
To configure peers on the client-side FortiGate unit and add a firewall policy
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the client-side FortiGate unit:
Local Host ID    User_net
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:
Peer Host ID    Web_servers
IP Address    192.168.20.1
4 Select OK.
5 Go to Firewall > Policy > Policy and select Create New to add a firewall policy to the client-side FortiGate unit to accept the traffic to be optimized:
Source Interface/Zone    port1
Source Address    all
Destination Interface/Zone    port2
Destination Address    all
Schedule    always
Service    ANY
Action    ACCEPT

To add the authentication group and WAN optimization rule to the client-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer > Authentication Group.
2 Select Create New to add a new authentication group to be used for secure tunneling:
Name    Auth_Secure_Tunnel
Authentication Method    Pre-shared key
Password    2345678
Peer Acceptance    Accept Any Peer
3 Select OK.
4 Go to WAN Opt. & Cache > Rule > Rule.
5 Select Create New to add an active rule that enables secure tunneling and includes the authentication group:
Mode    Full Optimization
Source    172.20.120.[100-200]
Destination    192.168.10.*
Port    80
Auto-Detect    Active
Protocol    HTTP
Transparent Mode    Select
Enable Byte Caching    Select
Enable Secure Tunnel    Select
Authentication Group    Auth_Secure_Tunnel

6 Select OK.
To configure peers on the server-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the server-side FortiGate unit:
Local Host ID    Web_servers
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:
Peer Host ID    User_net
IP Address    172.30.120.1
4 Select OK.
To add the authentication group and WAN optimization rule to the server-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer > Authentication Group.
2 Select Create New and add a new authentication group to be used for secure tunneling:
Name    Auth_Secure_Tunnel
Authentication Method    Pre-shared key
Password    2345678
Peer Acceptance    Accept Any Peer
3 Go to WAN Opt. & Cache > Rule and select Create New.
4 Add the passive rule. The source address matches the 172.20.120.100 to 172.20.120.200 IP address range and the 1-65535 port range. You can also enable web caching for HTTP traffic:
Mode    Full Optimization
Source    172.20.120.[100-200]
Destination    192.168.10.*
Port    1-65535
Auto-Detect    Passive
Enable Web Cache    Select
5 Select OK.


Configuring WAN optimization with secure tunneling - CLI
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit CLI.
To configure peers on the client-side FortiGate unit and add a firewall policy
1 Add the Local Host ID to the client-side FortiGate configuration:
config wanopt settings
set host-id User_net
end
2 Add the server-side Local Host ID to the client-side peer list:
config wanopt peer
edit Web_servers
set ip 192.168.20.1
end
3 Add a firewall policy to the server-side FortiGate unit to accept the traffic to be
optimized:
config firewall policy
edit 20
set srcintf port1
set dstintf port2
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
next
end
To add the authentication group and WAN optimization rule to the client-side
FortiGate unit
1 Add a new authentication group to be used for secure tunneling:
config wanopt auth-group
edit Auth_Secure_Tunnel
set auth-method psk
set psk 2345678
end
Leave peer-accept at its default value.
2 Add the following active rule to optimize HTTP traffic for IP addresses 172.20.120.100
to 172.20.120.200:
config wanopt rule
edit 1
set auto-detect active
set src-ip 172.20.120.100-172.20.120.200
set dst-ip 192.168.10.0-192.168.10.255
set port 80
set proto http
set secure-tunnel enable
set auth-group Auth_Secure_Tunnel
end
Leave the rest of the settings at their default values.

To configure peers on the server-side FortiGate unit
1 Add the Local Host ID to the server-side FortiGate configuration:
config wanopt settings
set host-id Web_servers
end
2 Add the client-side Local Host ID to the server-side peer list:
config wanopt peer
edit User_net
set ip 172.20.120.1
end
To add the authentication group and WAN optimization rule to the server-side
FortiGate unit
1 Add a new authentication group to be used for secure tunneling:
config wanopt auth-group
edit Auth_Secure_Tunnel
set auth-method psk
set psk 2345678
end
Leave peer-accept at its default value.
2 Add the following passive rule to the server-side FortiGate unit:
config wanopt rule
edit 5
set auto-detect passive
set src-ip 172.20.120.100-172.20.120.200
set dst-ip 192.168.10.0-192.168.10.255
set port 1-65535
set webcache enable
end
Leave status (enable) and mode (full) at their default values.
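As an added example (not Fortinet code), the following Python parses the CLI snippets above for both units and cross-checks them the way the troubleshooting list suggests: each unit's peer entry must be named after the other unit's Local Host ID and point at its WAN address, the auth-group and its pre-shared key must exist on both units, and the server's passive rule must cover the client's active rule so the tunnel request matches. The config text is constructed from the steps on this page, trimmed to the fields the check uses, with the server-side peer IP set to the client unit's WAN address from the topology (172.30.120.1); the parse_cli, within and check_pair names are the example's own.

```python
import ipaddress

# Constructed from this page's CLI steps (trimmed to the fields the check uses);
# the server-side peer IP is the client unit's WAN address from the topology.
CLIENT_CLI = """\
config wanopt settings
set host-id User_net
end
config wanopt peer
edit Web_servers
set ip 192.168.20.1
end
config wanopt auth-group
edit Auth_Secure_Tunnel
set psk 2345678
end
config wanopt rule
edit 1
set auto-detect active
set src-ip 172.20.120.100-172.20.120.200
set dst-ip 192.168.10.0-192.168.10.255
set port 80
set secure-tunnel enable
set auth-group Auth_Secure_Tunnel
end
"""
SERVER_CLI = """\
config wanopt settings
set host-id Web_servers
end
config wanopt peer
edit User_net
set ip 172.30.120.1
end
config wanopt auth-group
edit Auth_Secure_Tunnel
set psk 2345678
end
config wanopt rule
edit 5
set auto-detect passive
set src-ip 172.20.120.100-172.20.120.200
set dst-ip 192.168.10.0-192.168.10.255
set port 1-65535
end
"""


def parse_cli(text):
    """Nest config/edit/set/next/end lines as {table: {entry: {key: value}}};
    a table without 'edit' (wanopt settings) keeps its keys under entry ''."""
    tables, table, entry = {}, None, ""
    for words in map(str.split, text.splitlines()):
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
        elif cmd == "set":
            tables[table].setdefault(entry, {})[args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):
            entry = ""
    return tables


def within(inner, outer):
    """True if range text 'lo-hi' (or a single value) inner lies inside outer."""
    def bounds(text):
        lo, _, hi = text.partition("-")
        conv = (lambda v: int(ipaddress.ip_address(v))) if "." in lo else int
        return conv(lo), conv(hi or lo)
    (ilo, ihi), (olo, ohi) = bounds(inner), bounds(outer)
    return olo <= ilo and ihi <= ohi


def check_pair(client, server, client_wan, server_wan):
    """Cross-check the two units; an empty list means the halves agree."""
    problems = []
    hosts = (client["wanopt settings"][""]["host-id"],
             server["wanopt settings"][""]["host-id"])
    # Each unit's peer entry is named after the other unit's Local Host ID and
    # must point at the other unit's WAN address.
    for name, cfg, wan, side in ((hosts[1], client, server_wan, "client"),
                                 (hosts[0], server, client_wan, "server")):
        ip = cfg.get("wanopt peer", {}).get(name, {}).get("ip")
        if ip != wan:
            problems.append(f"{side} peer {name} has ip {ip}, expected {wan}")
    passive = [r for r in server.get("wanopt rule", {}).values()
               if r.get("auto-detect") == "passive"]
    for rid, a in client.get("wanopt rule", {}).items():
        if a.get("auto-detect") != "active":
            continue
        if a.get("secure-tunnel") == "enable":   # both ends need the same PSK
            grp = a.get("auth-group")
            keys = [cfg.get("wanopt auth-group", {}).get(grp, {}).get("psk")
                    for cfg in (client, server)]
            if None in keys or keys[0] != keys[1]:
                problems.append(f"rule {rid}: auth-group {grp} missing or keys differ")
        # The tunnel request only matches a passive rule whose source,
        # destination and port ranges include the active rule's.
        if not any(all(within(a[k], p[k]) for k in ("src-ip", "dst-ip", "port"))
                   for p in passive):
            problems.append(f"rule {rid}: no passive rule on the server covers it")
    return problems
```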


Web caching
FortiGate WAN optimization web caching is a form of object caching that accelerates web
applications and web servers by reducing bandwidth usage, server load, and perceived
latency. Web caching supports explicit and transparent proxy caching of HTTP 1.0 and
HTTP 1.1 web sites. See RFC 2616 for information about web caching for HTTP 1.1. Web
caching also supports caching HTTPS sessions provided that you import the correct
certificate.
Web caching involves storing HTML pages, images, servlet responses and other web-based objects for later retrieval. FortiGate units cache these objects on a WAN optimization storage location.
There are three significant advantages to using web caching to improve WAN
performance:


• reduced WAN bandwidth consumption because fewer requests and responses go over the WAN
• reduced web server load because there are fewer requests for web servers to handle
• reduced latency because responses for cached requests are available from a local FortiGate unit instead of from across the WAN or Internet.

You can use web caching to cache any web traffic that passes through the FortiGate unit,
including web pages from web servers on a LAN, WAN or on the Internet. The FortiGate
unit caches web objects for all HTTP traffic processed by WAN optimization rules that
include web caching.
You can add WAN optimization rules for web caching only. You can also add web caching
to WAN optimization rules for HTTP traffic that also include byte caching, protocol
optimization, and other WAN optimization features. If you use WAN optimization rules to
apply web caching, end users do not have to configure their web browsers to use the
FortiGate unit as a proxy server.
Note: You can also enable web caching for the FortiGate explicit web proxy. For more
information, see “To enable web caching for the explicit web proxy - web-based manager”
on page 2089.

Web caching cannot determine if a file is compressed (for example a zip file) and caches
compressed and non-compressed versions of the same file separately. If the HTTP
protocol considers the compressed and uncompressed versions of a file the same object,
only the compressed or uncompressed file will be cached.
This chapter contains the following topics:


• Configuring Web Cache Only WAN optimization
• Exempting web sites from web caching
• Example: Web Cache Only WAN optimization
• Configuring active-passive web caching
• Example: Active-passive Web Caching
• Configuring peer-to-peer web caching
• Example: Peer-to-peer web caching
• Changing web cache settings


Configuring Web Cache Only WAN optimization
You can use Web Cache Only WAN optimization to cache web pages from any web
server. In a Web Cache Only configuration, only one FortiGate unit is involved. All traffic
between a client network and one or more web servers is intercepted by a Web Cache
Only WAN optimization rule. This rule causes the FortiGate unit to cache pages from the
web servers on the FortiGate unit and makes the cached pages available to users on the
client network.
You can apply Web Cache Only WAN optimization in two configurations.
In the first configuration, the FortiGate unit caches pages for users on a client network.
The FortiGate unit is installed between the client network and the WAN or Internet, and the
web server or servers are located elsewhere on the WAN or Internet. See “Example: Web
Cache Only WAN optimization” on page 2033 for an example of this configuration.
You can also create a reverse proxy web caching configuration where the FortiGate unit is
dedicated to providing web caching for a single web server or server farm. In this second
configuration, the FortiGate unit is installed between the server network and the WAN or
Internet, and users are located elsewhere on the WAN or Internet. See “Example: SSL
offloading and reverse proxy web caching for an Internet web server” on page 2073 for an
example of this configuration.
To enable Web Cache Only, you need to go to WAN Opt. & Cache > Rule > Rule and select Create New to add a WAN optimization rule. You then set the Mode to Web Cache Only. If you select this mode, the WAN optimization rule does not perform byte caching or protocol optimization.
WAN optimization rule order affects Web Cache Only rules in the same way as other WAN
optimization rules. For more information, see “How list order affects rule matching” on
page 2006 and “Moving a rule to a different position in the rule list” on page 2007.
Note: Since only one FortiGate unit is involved in a Web Cache Only configuration, you do
not need to change the WAN optimization peer configuration.

Exempting web sites from web caching
You may want to exempt some URLs from web caching for a number of reasons. For
example, if your users access websites that are not compatible with FortiGate web
caching you can add the URLs of these web sites to the web caching exempt list. All traffic
accepted by WAN optimization and the explicit proxy for these websites will not be
cached.
To exempt www.example.com from web caching - web-based manager
1 Go to WAN Opt. & Cache > Cache > Exempt List and select Create New.
2 Add the URL www.example.com to the URL Pattern field and select OK.
To exempt www.example.com from web caching - CLI
1 Enter the following command to add www.example.com to the exempt list.
config wanopt webcache
set cache-exemption enable
config cache-exemption-list
edit 1
set url-pattern www.example.com
set status enable
end
end
2 Enter the following command to enable the web cache exempt list and add two IP
address URLs and a web page URL to the list.
config wanopt webcache
set explicit enable
set cache-exemption enable
config cache-exemption-list
edit 1
set url-pattern "192.168.1.121"
next
edit 2
set url-pattern "google.com/test123/321"
next
edit 3
set url-pattern "1.1.1.1"
next
end
end

Example: Web Cache Only WAN optimization
This example describes how to configure web caching for users in a client network
connecting to a web server network across a WAN.

Network topology and assumptions
This example includes a client network with subnet address 172.20.120.0 connecting to
web servers on a network with subnet address 192.168.10.0. Only the communication
between the client network and the web server network using Port 80 is to be cached, so
the Web Cache Only WAN optimization rule includes the IP addresses of the networks
and the Port is set to 80. As well, the firewall policy used in this example includes the addresses of the client and server subnets instead of more general firewall addresses.
Figure 345: Example Web Cache Only topology
[Figure: client network 172.20.120.0; FortiGate unit with WAN optimization web cache; WAN, LAN, or Internet; web server network 192.168.10.0]


General configuration steps
This section breaks down the configuration for this example into smaller procedures. For
best results, follow the procedures in the order given:
1 Add firewall addresses and a firewall policy that accepts traffic to be optimized to the
FortiGate unit.
2 Add a Web Cache Only WAN optimization rule to the FortiGate unit.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.

Configuring Web Cache Only WAN optimization - web-based manager
Use the following steps to configure the example WAN optimization configuration from the
FortiGate unit web-based manager. (CLI steps follow.)
To add the firewall addresses and firewall policy
1 Go to Firewall > Policy > Address and select Create New to add the firewall address for the client network:
Address Name    Client_Net
Type    Subnet/IP Range
Subnet / IP Range    172.20.120.*
Interface    Any
2 Add the firewall address for the web server network:
Address Name    Web_Server_Net
Type    Subnet/IP Range
Subnet / IP Range    192.168.10.*
Interface    Any
3 Go to Firewall > Policy > Policy and select Create New to add a firewall policy that accepts traffic to be web cached:
Source Interface/Zone    port1
Source Address    Client_Net
Destination Interface/Zone    port2
Destination Address    Web_Server_Net
Schedule    always
Service    HTTP
Action    ACCEPT

To add a Web Cache Only WAN optimization rule
1 Go to WAN Opt. & Cache > Rule > Rule and select Create New.
2 Select Web Cache Only.
3 Configure the Web Cache Only rule:
Mode    Web Cache Only
Source    172.20.120.*
Destination    192.168.10.*
Port    80
Tip: Usually you would set the port to 80 to cache normal HTTP traffic. But you can change the Port to a different number (for example 8080) or to a port number range so that the FortiGate unit provides web caching for HTTP traffic using other ports.
Transparent Mode    Select
Enable SSL    Do not select.
Tip: In this example SSL offloading is disabled. For an example of a reverse proxy Web Cache Only configuration that also includes SSL offloading, see “Example: SSL offloading for a WAN optimization tunnel” on page 2069.

4 Select OK.
The rule is added to the bottom of the WAN optimization list.
5 If required, use the Move To icon to move the rule to a different position in the list.
The order of the rules in the list significantly affects how the rules are applied. For more
information, see “How list order affects rule matching” on page 2006 and “Moving a
rule to a different position in the rule list” on page 2007.

Configuring Web Cache Only WAN optimization - CLI
Use the following steps to configure the example WAN optimization configuration from the
FortiGate unit CLI.
To add the firewall addresses and firewall policy
1 Add the firewall address for the client network:
config firewall address
edit Client_Net
set type iprange
set start-ip 172.20.120.0
set end-ip 172.20.120.255
end
2 Add the firewall address for the web server network:
config firewall address
edit Web_Server_Net
set type iprange
set start-ip 192.168.10.0
set end-ip 192.168.10.255
end
3 Add a firewall policy that accepts traffic to be web cached:
config firewall policy
edit 2
set srcintf port1
set dstintf port2
set srcaddr Client_Net
set dstaddr Web_Server_Net
set action accept
set service HTTP
set schedule always
next
end

To add a Web Cache Only WAN optimization rule
1 Add the following Web Cache Only rule:
config wanopt rule
edit 2
set mode webcache-only
set src-ip 172.20.120.0-172.20.120.255
set dst-ip 192.168.10.0-192.168.10.255
set port 80
set peer Peer_Fgt_2
end
Accept default settings for transparent (enable), status (enable), ssl
(disable), unknown-http-version (tunnel), and tunnel-non-http
(disable).
Tip: In this example, SSL offloading is disabled. For an example of a reverse proxy Web
Cache Only configuration that also includes SSL offloading, see “Example: SSL offloading
for a WAN optimization tunnel” on page 2069.

2 If required, use the move command to move the rule to a different position in the list.
The order of the rules in the list significantly affects how the rules are applied. For more
information, see “How list order affects rule matching” on page 2006 and “Moving a
rule to a different position in the rule list” on page 2007.

Testing and troubleshooting the configuration
To test the configuration attempt to start a web browsing session between the client
network and the web server network. For example, from a PC on the client network
browse to the IP address of a web server on the web server network, for example
http://192.168.10.100. Even though this address is not on the user network you should be
able to connect to this web server over the WAN optimization tunnel.
If you can connect, check WAN optimization monitoring (go to WAN Opt. & Cache > Monitor > Monitor). If WAN optimization has been forwarding the traffic the WAN optimization monitor should show the HTTP protocol that has been optimized and the reduction rate in WAN bandwidth usage.
If you can’t connect you can try the following to diagnose the problem:


• Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.
• Confirm that the firewall policy on the client-side FortiGate unit is accepting traffic for the 192.168.10.0 network and that this firewall policy does not include UTM options. You can do this by checking the FortiGate session table from the dashboard. Look for sessions that use the policy ID of this policy.
• Check routing on the FortiGate units and on the user and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the user network must allow packets destined for the web server network to be received by the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers, etc.
You can use the following get and diagnose commands to display information about how WAN optimization is operating.


Enter the following command on the client-side FortiGate unit to display WAN optimization tunnel protocol statistics. The http tunnel and tcp tunnel parts of the command output below show that WAN optimization has been processing HTTP packets. If the http bytes_in and bytes_out fields are zero, then WAN optimization is not accepting HTTP packets.
get test wad 11
wad tunnel protocol stats:
http tunnel
bytes_in=1749865 bytes_out=25926
ftp tunnel
bytes_in=0 bytes_out=0
cifs tunnel
bytes_in=0 bytes_out=0
mapi tunnel
bytes_in=0 bytes_out=0
tcp tunnel
bytes_in=0 bytes_out=0
maintenance tunnel
bytes_in=0 bytes_out=0
You can use the following command to display information about the WAN optimization
web cache daemon. The command will only display information if the web cache daemon
is running and the statistics displayed show the number of open connections and other
indications of activity:
diagnose wacs stats
Disk 0 /Internal-2B6375792136C707/wa_cs
Current number of open connections: 2
Number of terminated connections: 7
Number of requests -- Adds: 206 (0 repetitive keys),
Lookups: 860, Conflict incidents: 0
Percentage of missed lookups: 88.49
Communication is blocked for 0 client(s)
Disk usage: 5196 KB (11%)

Configuring active-passive web caching
You add web caching support to the passive or server side of an active-passive WAN
optimization configuration. Web pages are cached on the server-side FortiGate unit so
you should also select Enable Byte Caching for optimum WAN optimization performance.
For web caching to work, the WAN optimization tunnel must accept HTTP (and optionally
HTTPS) traffic. To do this, the active rule on the client side must include the ports used for
HTTP (and HTTPS) traffic. Set Protocol to HTTP to perform protocol optimization of the
HTTP traffic. You can also enable SSL offloading and secure tunneling, as well as add an
authentication group.

Example: Active-passive Web Caching
This example describes how to configure active-passive web caching for users in a client
network connecting to a web server network across a WAN.


Network topology and assumptions
This example configuration includes a client-side FortiGate unit called Client_Side with a
WAN IP address of 172.10.10.1 in front of a user network with IP address 172.20.120.0.
The server-side FortiGate unit is called Server_Side and has a WAN IP address of
172.20.20.1. This server-side unit is in front of a web server network with IP address
192.168.10.0. Web caching is enabled on the server-side FortiGate unit.
Figure 346: Example active-passive web cache topology
[Figure: user network 172.20.120.0; client-side FortiGate unit (active rule, Protocol=HTTP), Local Host ID Client_Side, WAN IP address 172.10.10.1; WAN; server-side FortiGate unit (passive rule, Enable Web Cache), Local Host ID Server_Side, WAN IP address 172.20.20.1; web server network 192.168.10.0]

General configuration steps
This section breaks down the configuration for this example into smaller procedures. For
best results, follow the procedures in the order given:
1 Configure the client-side FortiGate unit by adding peers, a firewall policy that accepts
traffic to be optimized, and an active WAN optimization rule.
2 Configure the server-side FortiGate unit by adding peers and a passive WAN
optimization rule that includes web caching.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.

Configuring active-passive web caching - web-based manager
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit web-based manager. (CLI steps follow.)
To configure the client-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the client FortiGate unit:
Local Host ID    Client_Side
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:
Peer Host ID    Server_Side
IP Address    172.20.20.1
4 Select OK.


5 Go to Firewall > Policy > Policy and add a firewall policy that accepts traffic to be web cached:
Source Interface/Zone    port1
Source Address    all
Destination Interface/Zone    port2
Destination Address    all
Schedule    always
Service    ANY
Action    ACCEPT
6 Go to WAN Opt. & Cache > Rule > Rule and select Create New.
7 Configure the rule:
Mode    Full Optimization
Source    172.20.120.*
Destination    192.168.10.*
Port    1-65535
Auto-Detect    Active
Protocol    HTTP
Transparent Mode    Select
Enable Byte Caching    Select
8 Select OK.
The rule is added to the bottom of the WAN optimization list.
9 If required, use the Move To icon to move the rule to a different position in the list.
The order of the rules in the list significantly affects how the rules are applied. For more
information, see “How list order affects rule matching” on page 2006 and “Moving a
rule to a different position in the rule list” on page 2007.
To configure the server-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the server-side
FortiGate unit:
    Local Host ID    Server_Side
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the client-side
FortiGate unit:
    Peer Host ID     Client_Side
    IP Address       172.10.10.1
4 Go to WAN Opt. & Cache > Rule > Rule and select Create New.
5 Configure the passive web cache rule:
    Mode                Full Optimization
    Source              172.20.120.*
    Destination         192.168.10.*
    Port                1-65535
    Auto-Detect         Passive
    Enable Web Cache    Select
6 Select OK.
The rule is added to the bottom of the WAN optimization rule list.
7 If required, use the Move To icon to move the rule to a different position in the list.
For more information, see “Moving a rule to a different position in the rule list” on
page 2007.

Configuring active-passive web caching - CLI
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit CLI.
To configure the client-side FortiGate unit
1 Add the Local Host ID to the client-side FortiGate configuration:
    config wanopt settings
        set host-id Client_Side
    end
2 Add the server-side Local Host ID to the client-side peer list:
    config wanopt peer
        edit Server_Side
            set ip 172.20.20.1
    end
3 Add a firewall policy to the client-side FortiGate unit to accept the traffic to be
optimized:
    config firewall policy
        edit 23
            set srcintf port1
            set dstintf port2
            set srcaddr all
            set dstaddr all
            set action accept
            set service ANY
            set schedule always
    end
4 Configure the following active rule:
    config wanopt rule
        edit 2
            set auto-detect active
            set src-ip 172.20.120.0-172.20.120.255
            set dst-ip 192.168.10.0-192.168.10.255
            set port 1-65535
            set proto http
    end
Accept the default settings for transparent (enable), status (enable), mode (full),
byte-caching (enable), ssl (disable), secure-tunnel (disable), authgroup (null),
unknown-http-version (tunnel), and tunnel-non-http (disable).
5 If required, use the move command to move the rule to a different position in the list.
The order of the rules in the list significantly affects how the rules are applied. For more
information, see “How list order affects rule matching” on page 2006 and “Moving a
rule to a different position in the rule list” on page 2007.
To configure the server-side FortiGate unit
1 Add the Local Host ID to the server-side FortiGate configuration:
    config wanopt settings
        set host-id Server_Side
    end
2 Add the client-side Local Host ID to the server-side peer list:
    config wanopt peer
        edit Client_Side
            set ip 172.10.10.1
    end
3 Add the following passive web cache rule:
    config wanopt rule
        edit 5
            set auto-detect passive
            set src-ip 172.20.120.0-172.20.120.255
            set dst-ip 192.168.10.0-192.168.10.255
            set port 1-65535
            set webcache enable
    end
Accept the default settings for status (enable) and mode (full).
4 If required, use the move command to move the rule to a different position in the list so
that the tunnel request from the client-side FortiGate unit matches this rule.
For more information, see “Moving a rule to a different position in the rule list” on
page 2007.

Configuring peer-to-peer web caching
In a peer-to-peer web caching configuration, you create a peer-to-peer WAN optimization
rule on the client-side FortiGate unit and include the peer host ID of the server-side
FortiGate unit. In the rule, you set Auto-Detect to Off and select Enable Web Cache. Using
this rule, the client-side FortiGate unit can create a WAN optimization tunnel only with the
peer that is added to the rule.
In a peer-to-peer configuration, you do not have to add a rule to the server-side FortiGate
unit. If the server-side FortiGate unit peer list contains the client FortiGate unit, the server
FortiGate unit accepts WAN optimization tunnel connections from the client FortiGate unit
and the two units can form a WAN optimization tunnel. The server-side FortiGate unit uses
the settings in the rule added to the client-side FortiGate unit.


For web caching to work, the WAN optimization tunnel must allow HTTP (and optionally
HTTPS) traffic. To do this, the WAN optimization rule must include the ports used for
HTTP (and HTTPS) traffic. Set Protocol to HTTP to perform protocol optimization of the
HTTP traffic. You can also enable WAN optimization transparent mode, byte caching, SSL
offloading, and secure tunneling, as well as add an authentication group.

Example: Peer-to-peer web caching
This example describes how to configure peer-to-peer web caching for users in a client
network connecting to a web server network across a WAN.

Network topology and assumptions
This example configuration includes a client-side FortiGate unit called Client_Side with a
WAN IP address of 172.20.34.12 in front of a user network with network address 172.20.120.0.
The server-side FortiGate unit is called Server_Side and has a WAN IP address of
192.168.30.12. This server-side unit is in front of a web server network with network
address 192.168.10.0. Web caching is enabled on the server-side FortiGate unit.
Figure 347: Example peer-to-peer web cache topology
[Topology figure not reproduced. Client network 172.20.120.0 behind the client-side unit
(Local Host ID: Client_Side, WAN IP address 172.20.34.12, peer-to-peer rule, Protocol=HTTP,
Enable Web Cache); WAN; server-side unit (Local Host ID: Server_Side, WAN IP address
192.168.30.12, no rule required, web cache) in front of the web server network 192.168.10.0.]

General configuration steps
This section breaks down the configuration for this example into smaller procedures. For
best results, follow the procedures in the order given:
1 Configure the client-side FortiGate unit by adding peers, a firewall policy that accepts
traffic to be optimized, and a peer-to-peer WAN optimization rule that includes web
caching.
2 Configure the server-side FortiGate unit.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.

Configuring peer-to-peer web caching - web-based manager
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit web-based manager. (CLI steps follow.)
To configure the client-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the client-side
FortiGate unit:
    Local Host ID    Client_Side
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the server-side
FortiGate unit:
    Peer Host ID     Server_Side
    IP Address       192.168.30.12
4 Select OK.
5 Go to Firewall > Policy > Policy and add a firewall policy that accepts traffic to be web
cached:
    Source Interface/Zone         port1
    Source Address                all
    Destination Interface/Zone    port2
    Destination Address           all
    Schedule                      always
    Service                       ANY
    Action                        ACCEPT
6 Go to WAN Opt. & Cache > Rule > Rule and select Create New.
7 Configure the rule:
    Mode                   Full Optimization
    Source                 172.20.120.*
    Destination            192.168.10.*
    Port                   80
    Auto-Detect            Off
    Protocol               HTTP
    Peer                   Server_Side
    Enable Web Cache       Select
    Transparent Mode       Select
    Enable Byte Caching    Select
8 Select OK.
The rule is added to the bottom of the WAN optimization list.
9 If required, use the Move To icon to move the rule to a different position in the list.
The order of the rules in the list significantly affects how the rules are applied. For more
information, see “How list order affects rule matching” on page 2006 and “Moving a
rule to a different position in the rule list” on page 2007.
To configure the server-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer > Peer and enter a Local Host ID for the server-side
FortiGate unit:
    Local Host ID    Server_Side
2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the client-side
FortiGate unit:
    Peer Host ID     Client_Side
    IP Address       172.20.34.12
4 Select OK.

Configuring peer-to-peer web caching - CLI
Use the following steps to configure the example WAN optimization configuration from the
client-side and server-side FortiGate unit CLI.
To configure the client-side FortiGate unit
1 Add the Local Host ID to the client-side FortiGate configuration:
    config wanopt settings
        set host-id Client_Side
    end
2 Add the server-side Local Host ID to the client-side peer list:
    config wanopt peer
        edit Server_Side
            set ip 192.168.30.12
    end
3 Add a firewall policy to the client-side FortiGate unit to accept the traffic to be
optimized:
    config firewall policy
        edit 23
            set srcintf port1
            set dstintf port2
            set srcaddr all
            set dstaddr all
            set action accept
            set service ANY
            set schedule always
    end
4 Configure the following peer-to-peer rule (Auto-Detect off, peer set to Server_Side):
    config wanopt rule
        edit 5
            set auto-detect off
            set src-ip 172.20.120.0-172.20.120.255
            set dst-ip 192.168.10.0-192.168.10.255
            set port 80
            set proto http
            set peer Server_Side
            set webcache enable
    end
Accept the default settings for transparent (enable), status (enable), mode (full),
byte-caching (enable), ssl (disable), secure-tunnel (disable), authgroup (null),
unknown-http-version (tunnel), and tunnel-non-http (disable).


5 If required, use the move command to move the rule to a different position in the list.
The order of the rules in the list significantly affects how the rules are applied. For more
information, see “How list order affects rule matching” on page 2006 and “Moving a
rule to a different position in the rule list” on page 2007.
To configure the server-side FortiGate unit
1 Add the Local Host ID to the server-side FortiGate configuration:
    config wanopt settings
        set host-id Server_Side
    end
2 Add the client-side Local Host ID to the server-side peer list:
    config wanopt peer
        edit Client_Side
            set ip 172.20.34.12
    end
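The following Python model is an added illustration for this page, not part of the handbook and not FortiOS code. It puts the active-passive example and the peer-to-peer example side by side: the client-side unit picks the first active or peer-to-peer rule that matches the session, and the server-side unit accepts the tunnel only from a host ID that is in its peer list with the expected IP address, after which it either needs a matching passive rule (active-passive) or applies the client's rule settings (peer-to-peer). Host IDs, addresses and rule numbers are the ones used in the two examples; the client and server hosts and the IMPOSTOR unit are constructed, and "first match wins" rule evaluation is assumed.

```python
"""Rule matching and peer checks for the active-passive and peer-to-peer web
caching examples above.

Added illustration written for this page, not FortiOS code: it models the
handbook's description of how the client-side unit picks a rule and how the
server-side unit decides whether to accept the tunnel.  Host IDs, addresses and
rule numbers are those of the two examples; the client and server hosts and the
IMPOSTOR unit are constructed.  Assumed: rules are evaluated top to bottom with
the first match winning, and a peer is identified by host ID plus the IP address
recorded for it in the peer list.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class WanoptRule:
    name: str
    src_range: str                # "first-last", as in the CLI
    dst_range: str
    port_range: str               # "first-last"
    auto_detect: str              # "active", "passive" or "off" (peer-to-peer)
    proto: Optional[str] = None
    peer: Optional[str] = None    # only meaningful when auto_detect == "off"
    webcache: bool = False

    @staticmethod
    def _within(value, rng, conv):
        first, last = rng.split("-")
        return conv(first) <= conv(value) <= conv(last)

    def matches(self, src, dst, port):
        return (self._within(src, self.src_range, IPv4Address)
                and self._within(dst, self.dst_range, IPv4Address)
                and self._within(port, self.port_range, int))


@dataclass
class FortiGate:
    host_id: str
    wan_ip: str
    peers: dict = field(default_factory=dict)   # peer host ID -> peer IP address
    rules: list = field(default_factory=list)   # ordered WAN optimization rule list


def client_rule(client, src, dst, port):
    """First matching active or peer-to-peer rule on the client-side unit."""
    for r in client.rules:
        if r.auto_detect in ("active", "off") and r.matches(src, dst, port):
            return r
    return None


def server_verdict(server, peer_id, peer_ip, src, dst, port, rule):
    """Server side: verify the peer, then find what governs the tunnel."""
    if server.peers.get(peer_id) != peer_ip:
        return "refused: %s@%s is not in the peer list" % (peer_id, peer_ip)
    if rule.auto_detect == "off":           # peer-to-peer: the client's rule applies
        return "tunnel (peer-to-peer, webcache=%s)" % rule.webcache
    for r in server.rules:                  # active-passive: a passive rule must match
        if r.auto_detect == "passive" and r.matches(src, dst, port):
            return "tunnel (active-passive, rule %s, webcache=%s)" % (r.name, r.webcache)
    return "refused: no passive rule matches"


def simulate(client, server, src, dst, port):
    """Outcome for one session from src to dst:port, as a short string."""
    r = client_rule(client, src, dst, port)
    if r is None:
        return "not optimized: no client rule matches"
    if r.auto_detect == "off" and (r.peer != server.host_id or r.peer not in client.peers):
        return "not optimized: rule %s only tunnels to peer %s" % (r.name, r.peer)
    return server_verdict(server, client.host_id, client.wan_ip, src, dst, port, r)


CLIENT_NET, SERVER_NET = "172.20.120.0-172.20.120.255", "192.168.10.0-192.168.10.255"
# Active-passive example (rule 2 on the client, passive rule 5 with web cache on the server).
CLIENT_AP = FortiGate("Client_Side", "172.10.10.1", {"Server_Side": "172.20.20.1"},
                      [WanoptRule("2", CLIENT_NET, SERVER_NET, "1-65535", "active", proto="http")])
SERVER_AP = FortiGate("Server_Side", "172.20.20.1", {"Client_Side": "172.10.10.1"},
                      [WanoptRule("5", CLIENT_NET, SERVER_NET, "1-65535", "passive", webcache=True)])
# Peer-to-peer example (rule 5 on the client names the peer; the server needs no rule).
CLIENT_P2P = FortiGate("Client_Side", "172.20.34.12", {"Server_Side": "192.168.30.12"},
                       [WanoptRule("5", CLIENT_NET, SERVER_NET, "80-80", "off", proto="http",
                                   peer="Server_Side", webcache=True)])
SERVER_P2P = FortiGate("Server_Side", "192.168.30.12", {"Client_Side": "172.20.34.12"})
# Constructed: a unit presenting the Client_Side host ID from an address not in the peer list.
IMPOSTOR = FortiGate("Client_Side", "172.10.10.99", {"Server_Side": "172.20.20.1"}, CLIENT_AP.rules)
```

Without secure tunneling (listed above as a rule option and disabled by default), the host ID and IP address pairing in the peer list is the only peer check these examples rely on, so keep the peer list to known addresses and prefer firewall addresses narrower than the all/all/ANY policy shown in the examples.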

Changing web cache settings
In most cases, the default settings for the WAN optimization web cache are acceptable.
However, you may want to change them to improve performance or optimize the cache for
your configuration. To change these settings, go to WAN Opt. & Cache > Cache >
Settings.
From the FortiGate CLI, you can use the config wanopt webcache command to
change these WAN optimization web cache settings. For more information, see the
FortiGate CLI Reference.
Note: For more information about many of these web cache settings, see RFC 2616.

Always revalidate
    Select to always revalidate requested cached objects with content on the
    server before serving them to the client.

Max Cache Object Size
    Set the maximum size of objects (files) that are cached. The default size is
    512000 KB. This setting determines the maximum object size to store in the
    web cache. Objects that are larger than this size are still delivered to the
    client but are not stored in the FortiGate web cache.

Negative Response Duration
    Set how long in minutes the FortiGate unit caches error responses from
    web servers. If error responses are cached, then subsequent requests to the
    web cache from users receive the error responses regardless of the
    actual object status.
    The default is 0, meaning error responses are not cached. The content
    server might send a client error code (4xx HTTP response) or a server error
    code (5xx HTTP response) as a response to some requests. If the web
    cache is configured to cache these negative responses, it returns that
    response in subsequent requests for that page or image for the specified
    number of minutes.

Fresh Factor
    Set the fresh factor as a percentage. The default is 100, and the range is 1 to
    100. For cached objects that do not have an expiry time, the web cache
    periodically checks the server to see if the objects have expired. The higher
    the Fresh Factor, the less often the checks occur.
    For example, if you set the Max TTL value and Default TTL to 7200 minutes
    (5 days) and set the Fresh Factor to 20, the web cache checks the cached
    objects 5 times before they expire, but if you set the Fresh Factor to 100, the
    web cache checks once.


Max TTL
    The maximum amount of time (Time to Live) an object can stay in the web
    cache without the cache checking to see if it has expired on the server. The
    default is 7200 minutes (120 hours or 5 days).

Min TTL
    The minimum amount of time an object can stay in the web cache before the
    web cache checks to see if it has expired on the server. The default is 5
    minutes.

Default TTL
    The default expiry time for objects that do not have an expiry time set by the
    web server. The default expiry time is 1440 minutes (24 hours).

Explicit Proxy
    Indicates whether the explicit web proxy has been enabled for the FortiGate
    unit. See “The FortiGate explicit web proxy” on page 2079.

Enable Cache Explicit Proxy
    Select to use WAN optimization web caching to cache content received by
    the explicit web proxy.

Ignore
    Select the following options to ignore some web caching features.

    If-modified-since
        By default, if the time specified by the if-modified-since (IMS) header in the
        client's conditional request is greater than the last modified time of the object
        in the cache, it is a strong indication that the copy in the cache is stale. If so,
        HTTP does a conditional GET to the origin content server (OCS), based
        on the last modified time of the cached object.
        Enable ignoring if-modified-since to override this behavior.

    HTTP 1.1 Conditionals
        HTTP 1.1 provides additional controls to the client over the behavior of
        caches toward stale objects. Depending on various cache-control headers,
        the FortiGate unit can be forced to consult the OCS before serving the object
        from the cache. For more information about the behavior of cache-control
        header values, see RFC 2616.
        Enable ignoring HTTP 1.1 Conditionals to override this behavior.

    Pragma-no-cache
        Typically, if a client sends an HTTP GET request with a pragma no-cache
        (PNC) or cache-control no-cache header, a cache must consult the OCS
        before serving the content. This means that the FortiGate unit always
        refetches the entire object from the OCS, even if the cached copy of the object
        is fresh.
        Because of this behavior, PNC requests can degrade performance and
        increase server-side bandwidth utilization. However, if you enable ignoring
        Pragma-no-cache, then the PNC header from the client request is ignored.
        The FortiGate unit treats the request as if the PNC header is not present.

    IE Reload
        Some versions of Internet Explorer issue an Accept: */* header instead of a
        Pragma no-cache header when you select Refresh. When an Accept header has
        only the */* value, the FortiGate unit treats it as a PNC header if it is a type-N
        object.
        Enable ignoring IE reload to cause the FortiGate unit to ignore the PNC
        interpretation of the Accept: */* header.

Cache Expired Objects
    Applies only to type-1 objects. When this option is selected, expired type-1
    objects are cached (if all other conditions make the object cacheable).

Revalidate Pragma-no-cache
    The pragma-no-cache (PNC) header in a client's request can affect how
    efficiently the FortiGate unit uses bandwidth. If you do not want to completely
    ignore PNC in client requests (which you can do by selecting to ignore
    Pragma-no-cache, above), you can nonetheless lower the impact on
    bandwidth usage by selecting Revalidate Pragma-no-cache.
    When you select Revalidate Pragma-no-cache, a client's non-conditional
    PNC-GET request results in a conditional GET request sent to the OCS if the
    object is already in the cache. This gives the OCS a chance to return the 304
    Not Modified response, which consumes less server-side bandwidth,
    because the OCS has not been forced to otherwise return full content.
    By default, Revalidate Pragma-no-cache is disabled and is not affected by
    changes in the top-level profile.
    Most download managers make byte-range requests with a PNC header. To
    serve such requests from the cache, you should also configure byte-range
    support when you configure the Revalidate pragma-no-cache option.
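To make the settings above concrete, here is an added Python model, written for this page and not FortiOS code, of the decisions they control: whether a response is stored and for how long, how often an object without an origin expiry is rechecked, and what the cache does with a request carrying Pragma: no-cache, If-Modified-Since or an Internet Explorer style Accept: */* header. Defaults are the documented ones; treating Min TTL and Max TTL as bounds on the origin server's own expiry is an assumption, and the dates and header sets at the end are constructed.

```python
"""Decision model for the web cache settings described above.

Added example written for this page, not FortiOS code.  It encodes the documented
meaning of Max Cache Object Size, Negative Response Duration, Min/Max/Default TTL,
Fresh Factor, Always revalidate and the Ignore options (IMS, Pragma-no-cache,
IE reload, Revalidate pragma-no-cache) as three functions.  Defaults are the
documented ones; treating Min TTL and Max TTL as bounds on the origin's own expiry
is an assumption, and the dates and header sets at the end are constructed.
"""
import re
from dataclasses import dataclass
from email.utils import parsedate_to_datetime


@dataclass
class CacheSettings:
    always_revalidate: bool = False
    max_object_kb: int = 512000
    negative_minutes: int = 0       # Negative Response Duration
    fresh_factor: int = 100         # percent, 1..100
    max_ttl: int = 7200             # minutes
    min_ttl: int = 5
    default_ttl: int = 1440
    ignore_ims: bool = False
    ignore_pnc: bool = False
    ignore_ie_reload: bool = False
    revalidate_pnc: bool = False


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def origin_ttl_minutes(headers, now):
    """Expiry the origin server put on the object, in minutes, or None if it set none."""
    h = _lower(headers)
    m = re.search(r"max-age=(\d+)", h.get("cache-control", ""))
    if m:
        return int(m.group(1)) // 60
    if "expires" in h:
        return max(0, int((parsedate_to_datetime(h["expires"]) - now).total_seconds() // 60))
    return None


def store_decision(status, body_kb, headers, s, now):
    """(stored?, minutes in cache).  Large objects are delivered but not stored."""
    if status >= 400:
        # A cached error is replayed to every client for negative_minutes,
        # whatever the real state of the object on the server.
        return (True, s.negative_minutes) if s.negative_minutes > 0 else (False, None)
    if body_kb > s.max_object_kb:
        return False, None
    ttl = origin_ttl_minutes(headers, now)
    if ttl is None:
        ttl = s.default_ttl
    return True, max(s.min_ttl, min(s.max_ttl, ttl))    # assumption: TTLs bound the origin value


def revalidation_checks(ttl, s):
    """Number of server checks over an object's lifetime when it carries no expiry
    (page example: TTL 7200 and Fresh Factor 20 give 5 checks, Fresh Factor 100 gives 1)."""
    return ttl // max(1, ttl * s.fresh_factor // 100)


def request_handling(headers, cached_last_modified, s):
    """'serve', 'conditional GET' or 'refetch' for a request hitting a cached object."""
    h = _lower(headers)
    pnc = "no-cache" in h.get("pragma", "") or "no-cache" in h.get("cache-control", "")
    if h.get("accept", "").strip() == "*/*" and not s.ignore_ie_reload:
        pnc = True                                      # IE refresh sends Accept: */* instead
    if pnc and not s.ignore_pnc:
        return "conditional GET" if s.revalidate_pnc else "refetch"
    if s.always_revalidate:
        return "conditional GET"
    if "if-modified-since" in h and not s.ignore_ims:
        if parsedate_to_datetime(h["if-modified-since"]) > cached_last_modified:
            return "conditional GET"                    # client's copy is newer: ours is stale
    return "serve"


# Constructed reference times for the examples.
NOW = parsedate_to_datetime("Wed, 14 Jul 2010 12:00:00 GMT")
LAST_MOD = parsedate_to_datetime("Mon, 12 Jul 2010 09:00:00 GMT")
```

Two of these settings deserve care: a non-zero Negative Response Duration replays a transient 4xx or 5xx from the origin server to every client for that many minutes, and the Ignore options remove the client's only means of forcing a revalidation, so a stale object stays served until its TTL runs out.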


Advanced configuration example
This chapter contains an advanced WAN optimization configuration example that
combines many of the concepts described in the previous chapters of this document. The
configuration example described here includes active-passive rules, web caching, policy
routes for out-of-path WAN optimization, and multiple VDOMs with inter-VDOM routing to
apply virus scanning (and optionally other UTM features) to traffic before it is optimized.

Out-of-path WAN optimization with inter-VDOM routing
This example describes how to configure out-of-path WAN optimization to optimize web
browsing and FTP file transfers between a client network and a server network.

Network topology and assumptions
The client network connects to the Internet through a FortiGate-300A unit, and the server
network connects to the Internet through a cluster of two FortiGate-1000A units.
Adding in-path WAN optimization requires replacing these FortiGate units with models that
support WAN optimization or adding new FortiGate units in the data path. In either of
these in-path configurations, the optimizing FortiGate units would also be required to
support all traffic on the data path plus provide WAN optimization.
The out-of-path topology shown in Figure 348 offloads WAN optimization to out-of-path
FortiGate units that only process sessions to be optimized. The topology includes a
FortiGate-311B unit installed at the client network and a single FortiGate-620B unit
installed at the server network.
Note: The FortiGate-620B unit is installed at the server network because other client
networks also use it for WAN optimization. The configuration for those other client networks
is not described in this example.
Figure 348: Out-of-path WAN optimization
[Topology figure not reproduced. Labels shown: client network 172.20.120.0; FortiGate-300A
with port5, port6, port1 and port4 172.10.10.1; FortiGate-311B (Local Host ID: Client_Fgt)
with port1 172.10.10.2 and port10 10.10.10.2; WAN; FortiGate-620B (Local Host ID:
Server_Fgt) with port1 192.20.20.2 and port16 10.20.20.2; FortiGate-1000A cluster with
port5 192.20.20.1, port2 and port1; server network 192.168.10.0; other addresses shown:
10.10.10.1 and 10.20.20.1.]


The client-side FortiGate-300A unit uses policy routing to offload WAN optimization of
HTTP and FTP sessions by re-directing all HTTP and FTP sessions to the FortiGate-311B
unit. The FortiGate-311B and 620B units work together to apply web caching, byte
caching, and HTTP and FTP protocol optimization to HTTP and FTP sessions. The WAN
optimization tunnel between the 311B and the 620B operates in Transparent mode. The
FortiGate-311B unit also web caches all Internet HTTP traffic from the client network.
The client-side FortiGate-311B unit also applies virus scanning (and optionally other UTM
features) to the HTTP and FTP traffic. To do this, the FortiGate-311B unit is configured for
multiple VDOM operation. A new VDOM named Wanopt is added to the FortiGate-311B.
HTTP and FTP sessions are received by the “root” VDOM. Firewall policies in the root
VDOM accept HTTP and FTP sessions and apply virus scanning (and optionally other
UTM features) to them. To preserve the source addresses of the HTTP and FTP sessions,
NAT is not enabled for these policies.
The sessions are then routed through an inter-VDOM link to the Wanopt VDOM. The
Wanopt VDOM includes firewall policies that accept the HTTP and FTP sessions and
WAN optimization rules that apply WAN optimization and web caching to the sessions.
The server-side FortiGate-620B unit includes a passive WAN optimization rule that
accepts WAN optimization tunnel requests from the FortiGate-311B unit. Only one passive
rule is required on the FortiGate-620B unit. The FortiGate-620B unit also forwards
sessions to the server-side FortiGate-1000A cluster which forwards them to the server
network.
WAN optimization is operating in Transparent mode, so the packets from the client
network include their client network source IP addresses. To preserve these source IP
addresses, the firewall policies on the FortiGate-1000A cluster that accept the sessions
from the FortiGate-620B unit should not apply NAT. If the firewall policies were to apply
NAT, the client network addresses would be replaced with the port1 IP address of the
FortiGate-1000A cluster and the client network source IP addresses would be lost.
The optimizing FortiGate units operate in NAT/Route mode and are directly connected to
the Internet. This configuration requires two Internet connections and two Internet IP
addresses for each network. (Reminder: All of the example IP addresses shown in
Figure 348 are private IP addresses because all Fortinet documentation examples use
only private IP addresses.) If these extra Internet IP addresses are not available, you can
install a router between the WAN and the FortiGate units or install the optimizing FortiGate
units out of path on the private networks and configure routing on the private networks to
route HTTP and FTP sessions to the optimizing FortiGate units.
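The packet walk below is an added illustration for this page, not FortiOS code. It applies the three behaviours the design above depends on (a policy route is consulted before the routing table, the routing table uses the longest matching prefix, and a new session must match a firewall policy by incoming interface, outgoing interface and service) to the routes and policies of this example, then shows the two failure modes the text warns about: NAT on the root VDOM policies replaces the client source address with the Vlink0 address, and leaving out the root VDOM's 172.20.120.0/24 return route sends replies back into the Wanopt VDOM. The client host 172.20.120.10, the server host 192.168.10.5 and the FortiGate-300A's own default route are constructed.

```python
"""Packet walk through the out-of-path topology: FortiGate-300A policy routes, then
the FortiGate-311B root and Wanopt VDOMs joined by the Vlink inter-VDOM link.

Added illustration for this page, not FortiOS code.  Only three behaviours are
modelled: a policy route is consulted before the routing table, the routing table
uses the longest matching prefix, and a new session needs a firewall policy matching
incoming interface, outgoing interface and service (replies follow the session).
Constructed: client 172.20.120.10, server 192.168.10.5, the 300A default route.
"""
from ipaddress import ip_address, ip_network


class Vdom:
    def __init__(self, name, routes, policies, policy_routes=()):
        self.name, self.routes, self.policies = name, routes, policies
        self.policy_routes = policy_routes

    def egress(self, pkt, in_if):
        for pr in self.policy_routes:                 # checked before the routing table
            if pr["in"] == in_if and pr["dport"] == pkt["dport"]:
                return pr["out"], pr["gw"]
        best = None
        for r in self.routes:                         # longest prefix match
            net = ip_network(r["dst"])
            if ip_address(pkt["dst"]) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, r)
        return (best[1]["dev"], best[1]["gw"]) if best else (None, None)

    def forward(self, pkt, in_if, reply=False):
        """Returns (out_if, gateway, utm); raises when there is no route or no policy."""
        out_if, gw = self.egress(pkt, in_if)
        if out_if is None:
            raise RuntimeError("%s: no route to %s" % (self.name, pkt["dst"]))
        if reply:                                     # existing session: no policy lookup
            return out_if, gw, ""
        for p in self.policies:
            if p["src"] == in_if and p["dst"] == out_if and p["svc"] in ("ANY", pkt["svc"]):
                if p.get("nat"):                      # source NAT to the egress address
                    pkt["src"] = p["nat"]
                return out_if, gw, p.get("utm", "")
        raise RuntimeError("%s: no policy %s->%s for %s" % (self.name, in_if, out_if, pkt["svc"]))


FGT300A = Vdom(
    "300A",
    routes=[{"dst": "0.0.0.0/0", "dev": "port1", "gw": "(ISP)"}],         # assumed
    policies=[{"src": "port5", "dst": "port4", "svc": s} for s in ("HTTP", "FTP")],
    policy_routes=[{"in": "port5", "dport": d, "out": "port4", "gw": "172.10.10.2"}
                   for d in (80, 21)])


def fgt311b(root_return_route=True, nat_in_root=False):
    """The 311B's two VDOMs, with the two misconfigurations the text warns about
    available as switches: no root return route, or NAT on the root policies."""
    nat = "172.1.1.1" if nat_in_root else None       # Vlink0, the root egress address
    root_routes = [{"dst": "0.0.0.0/0", "dev": "Vlink0", "gw": "172.1.1.2"}]
    if root_return_route:
        root_routes.append({"dst": "172.20.120.0/24", "dev": "port1", "gw": "172.10.10.1"})
    root = Vdom("311B root", root_routes,
                [{"src": "port1", "dst": "Vlink0", "svc": s, "utm": "antivirus", "nat": nat}
                 for s in ("HTTP", "FTP")])
    wanopt = Vdom("311B Wanopt",
                  [{"dst": "0.0.0.0/0", "dev": "port10", "gw": "(next hop router)"},
                   {"dst": "172.20.120.0/24", "dev": "Vlink1", "gw": "172.1.1.1"}],
                  [{"src": "Vlink1", "dst": "port10", "svc": s} for s in ("HTTP", "FTP")])
    return root, wanopt


def client_to_server(nat_in_root=False):
    """Forward path of an HTTP session; returns (hops, source address leaving port10)."""
    pkt = {"src": "172.20.120.10", "dst": "192.168.10.5", "dport": 80, "svc": "HTTP"}
    root, wanopt = fgt311b(nat_in_root=nat_in_root)
    hops = []
    for vdom, in_if in ((FGT300A, "port5"), (root, "port1"), (wanopt, "Vlink1")):
        out, gw, utm = vdom.forward(pkt, in_if)
        hops.append(("%s %s->%s gw %s %s" % (vdom.name, in_if, out, gw, utm)).strip())
    return hops, pkt["src"]


def server_to_client(root_return_route=True):
    """Reply path inside the 311B.  Without the root VDOM's 172.20.120.0/24 route the
    reply follows the default route back into the Wanopt VDOM and never leaves."""
    pkt = {"src": "192.168.10.5", "dst": "172.20.120.10", "dport": 40000, "svc": "HTTP"}
    root, wanopt = fgt311b(root_return_route)
    hops, vdom, in_if = [], wanopt, "port10"
    for _ in range(4):                                # bounded so a loop terminates
        out, gw, _ = vdom.forward(pkt, in_if, reply=True)
        hops.append("%s %s->%s gw %s" % (vdom.name, in_if, out, gw))
        if out == "Vlink1":
            vdom, in_if = root, "Vlink0"
        elif out == "Vlink0":
            vdom, in_if = wanopt, "Vlink1"
        else:
            return hops
    return hops + ["routing loop between the VDOMs"]
```

Note also that the policy routes in this example match destination port 21 only, so only the FTP control connection is redirected to the FortiGate-311B; FTP data connections on other ports take the FortiGate-300A's normal path.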

Configuration steps
This example is divided into client-side and the server-side steps, as configured through
the web-based manager and the CLI. Use either method, but for best results, follow the
procedures in the order given. Also, note that if you perform any additional actions
between procedures, your configuration may have different results.
This example includes the following sections:
• “Client-side configuration steps - web-based manager” on page 2049
• “Client-side configuration steps - CLI” on page 2059
• “Server-side configuration steps - web-based manager” on page 2056
• “Server-side configuration steps - CLI” on page 2066


Client-side configuration steps - web-based manager
This section describes the configuration steps required to redirect HTTP and FTP
sessions from the client-side FortiGate-300A unit and to configure the client-side
FortiGate-311B unit to optimize HTTP and FTP sessions to the server network and to
apply web caching to all other HTTP sessions from the client network.
The section breaks down the client-side configuration into smaller procedures. For best
results, follow the procedures in the order given:
1 Configure the FortiGate-300A unit to redirect all HTTP and FTP sessions to the
FortiGate-311B unit.
2 Configure the FortiGate-311B unit for multiple VDOM operation and add an inter-VDOM link.
3 Configure routing for the FortiGate-311B root VDOM.
4 Add firewall policies to the FortiGate-311B root VDOM to accept HTTP and FTP
sessions received at port1 and destined for Vlink0, and apply virus scanning (and
optionally other UTM features).
5 Configure routing for the FortiGate-311B Wanopt VDOM.
6 Add firewall policies to the FortiGate-311B Wanopt VDOM to accept HTTP and FTP
sessions received at the Vlink1 interface of the inter-VDOM link and destined for
port10.
7 Configure peers for the FortiGate-311B Wanopt VDOM.
8 Add WAN optimization rules for HTTP and FTP to the FortiGate-311B Wanopt VDOM.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.
To configure the FortiGate-300A unit to redirect all HTTP and FTP sessions to the
FortiGate-311B unit
1 Go to System > Network > Interface, edit port4, and set the port4 IP address to
172.10.10.1/24.
2 Go to Firewall > Policy > Policy and select Create New to add a firewall policy that
allows all port5 to port4 HTTP sessions:
    Source Interface/Zone         port5
    Source Address                all
    Destination Interface/Zone    port4
    Destination Address           all
    Schedule                      always
    Service                       HTTP
    Action                        ACCEPT
    NAT                           Do not select.
                                  Tip: To preserve the client network source addresses that
                                  the FortiGate-311B routes and the transparent-mode tunnel
                                  rely on, NAT should not be enabled for this policy.
Configure other policy settings that you may require.


3 Select Create New to add a firewall policy that allows all port5 to port4 FTP sessions:
    Source Interface/Zone         port5
    Source Address                all
    Destination Interface/Zone    port4
    Destination Address           all
    Schedule                      always
    Service                       FTP
    Action                        ACCEPT
    NAT                           Do not select.
                                  Tip: To preserve the client network source addresses that
                                  the FortiGate-311B routes and the transparent-mode tunnel
                                  rely on, NAT should not be enabled for this policy.
Configure other policy settings that you may require.
4 Select OK.
5 If required, use the Move To icon to change the order of the firewall policies.
Follow the normal rules for ordering firewall policies in the policy list. For example,
move specific rules above general rules. For more information about these rules, see
the FortiGate Administration Guide.
6 Go to Router > Static > Policy Route and select Create New to add a policy route to
redirect HTTP traffic received at port5 to exit the FortiGate unit using port4. Set the
gateway address of the route to 172.10.10.2 so that the HTTP sessions are directed to
the FortiGate-311B port1 interface. For HTTP traffic, the protocol is 6 (TCP) and the
destination port is 80:
    Protocol                      6
    Incoming interface            port5
    Source address / mask         0.0.0.0/0.0.0.0
    Destination address / mask    0.0.0.0/0.0.0.0
    Destination Ports             From 80 to 80
    Type of Service               bit pattern: 00 (hex) bit mask: 00 (hex)
    Outgoing interface            port4
    Gateway Address               172.10.10.2
7 Select OK.
8 Select Create New to add a policy route to redirect FTP traffic received at port5 to exit
the FortiGate unit using port4. Set the gateway address of the route to 172.10.10.2 so
that the FTP sessions are directed to the FortiGate-311B port1 interface. For FTP
traffic, the protocol is 6 (TCP) and the destination port is 21:
    Protocol                      6
    Incoming interface            port5
    Source address / mask         0.0.0.0/0.0.0.0
    Destination address / mask    0.0.0.0/0.0.0.0
    Destination Ports             From 21 to 21
    Type of Service               bit pattern: 00 (hex) bit mask: 00 (hex)
    Outgoing interface            port4
    Gateway Address               172.10.10.2
9 Select OK.


To configure the FortiGate-311B unit for multiple VDOM operation and add an inter-VDOM link
1 Go to System > Status > Dashboard.
2 In the System Information widget, select Enable beside Virtual Domain to enable
multiple VDOM operation and log back in to the web-based manager.
3 Go to System > VDOM and select Create New to add a new virtual domain named
Wanopt.
4 Select OK twice to add the Wanopt VDOM with default resource limits.
5 Go to System > Network, edit the port10 interface, and configure the following settings
to add the port10 interface to the Wanopt VDOM:
    Virtual Domain     Wanopt
    Addressing Mode    Manual
    IP/Netmask         10.10.10.2/24
Configure other settings that you may require.
6 Select OK.
7 Select Create New > VDOM Link and add an inter-VDOM link with the following
settings:
    Name                Vlink
    Interface #0
        Virtual Domain  root
        IP/Netmask      172.1.1.1/24
    Interface #1
        Virtual Domain  Wanopt
        IP/Netmask      172.1.1.2/24
8 Select OK.
To configure routing for the FortiGate-311B root VDOM
1 Log in to the root VDOM.
2 Go to Router > Static and select Create New to add a default route. The destination of
the default route is the inter-VDOM link interface in the root VDOM. The gateway of the
default route is the IP address of the inter-VDOM link interface in the Wanopt VDOM.
The result is the default route sends all traffic out the inter-VDOM link and into the
Wanopt VDOM:
    Destination IP/Mask    0.0.0.0/0.0.0.0
    Device                 Vlink0
    Gateway                172.1.1.2
    Distance               10
3 Select OK.
4 Select Create New to add a route to send return traffic from the server network
destined for the client network out the port1 interface to the port4 interface of the
FortiGate-300A, which has IP address 172.10.10.1:
    Destination IP/Mask    172.20.120.0/24
    Device                 port1
    Gateway                172.10.10.1
    Distance               10
5 Select OK.
To add firewall policies to the FortiGate-311B root VDOM to accept HTTP and FTP
sessions received at port1 destined for Vlink0 and apply virus scanning (and
optionally other UTM features)
1 Log in to the root VDOM.
2 Go to Firewall > Policy > Policy and select Create New to add a firewall policy that
accepts HTTP sessions received at port1 destined for Vlink0 and applies virus
scanning and other UTM features:
    Source Interface/Zone         port1
    Source Address                all
    Destination Interface/Zone    Vlink0
    Destination Address           all
    Schedule                      always
    Service                       HTTP
    Action                        ACCEPT
    NAT                           Do not select.
                                  Tip: To preserve the source addresses of the HTTP sessions,
                                  NAT should not be enabled for this policy.
    UTM                           Select UTM, select a protocol options profile and select an
                                  antivirus profile. Optionally select other UTM profiles.
Configure other policy settings that you may require. You can also use more specific
firewall addresses or add one firewall policy that accepts both FTP and HTTP traffic.
3 Select OK.
4 Go to Firewall > Policy > Policy and select Create New to add a firewall policy that
accepts FTP sessions received at port1 and destined for Vlink0 and applies virus
scanning and other UTM features to them:
    Source Interface/Zone         port1
    Source Address                all
    Destination Interface/Zone    Vlink0
    Destination Address           all
    Schedule                      always
    Service                       FTP
    Action                        ACCEPT
    NAT                           Do not select.
                                  Tip: To preserve the source addresses of the FTP sessions,
                                  NAT should not be enabled for this policy.
    UTM                           Select UTM, select a protocol options profile and select an
                                  antivirus profile. Optionally select other UTM profiles.
Configure other policy settings that you may require. You can also use more specific
firewall addresses or add one firewall policy that accepts both FTP and HTTP traffic.
5 Select OK.
To configure routing for the FortiGate-311B Wanopt VDOM
1 Log in to the Wanopt VDOM.
2 Go to Router > Static and select Create New to add a default route. The destination of
the default route is the port10 interface. The gateway of the default route is the next
hop router that the port10 interface connects with:
Destination IP/Mask   0.0.0.0/0.0.0.0
Device                port10
Gateway               (next hop router IP address)
Distance              10

3 Select OK.
4 Select Create New to add a route to send return traffic from the server network
destined for the client network out the Vlink1 interface to the Vlink0 interface in the root
VDOM, which has the IP address 172.1.1.2:
Destination IP/Mask   172.20.120.0/24
Device                Vlink1
Gateway               172.1.1.2
Distance              10

5 Select OK.
To add firewall policies to the FortiGate-311B Wanopt VDOM to accept HTTP and
FTP sessions received at the Vlink1 interface of the inter-VDOM link and destined
for port10
1 Log in to the Wanopt VDOM.
2 Go to Firewall > Policy > Policy and select Create New to add a firewall policy that
accepts HTTP sessions received at Vlink1 and destined for port10:

Source Interface/Zone        Vlink1
Source Address               all
Destination Interface/Zone   port10
Destination Address          all
Schedule                     always
Service                      HTTP
Action                       ACCEPT
NAT                          Select
                             Tip: NAT is ignored for all HTTP sessions for the server network
                             because these sessions are intercepted by a full optimization
                             WAN optimization rule. However, HTTP sessions for the Internet
                             are intercepted by the Web Cache Only rule, so source NAT is
                             required for replies.
UTM                          Do not select.
                             Tip: Do not select UTM because you cannot apply UTM and
                             WAN optimization to the same session in the same VDOM. UTM
                             was applied to the session in the root VDOM.

Configure other settings that you may require.
3 Select OK.
4 Go to Firewall > Policy and select Create New to add a firewall policy that accepts FTP
sessions received at Vlink1 and destined for port10:
Source Interface/Zone        Vlink1
Source Address               all
Destination Interface/Zone   port10
Destination Address          all
Schedule                     always
Service                      FTP
Action                       ACCEPT
NAT                          Select
                             Tip: NAT is ignored for all FTP sessions for the server network
                             because these sessions are intercepted by a full optimization
                             WAN optimization rule. However, FTP sessions for the Internet
                             are allowed to reach their destination, so source NAT is required
                             for replies.
UTM                          Do not select.
                             Tip: Do not select UTM because you cannot apply UTM and
                             WAN optimization to the same session in the same VDOM. UTM
                             was applied to the session in the root VDOM.

Configure other settings that you may require.
5 Select OK.
To configure peers for the FortiGate-311B Wanopt VDOM
1 Log in to the Wanopt VDOM.
2 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the client-side
FortiGate-311B unit:

Local Host ID   Client_Fgt

3 Select Apply to save your setting.
4 Select Create New and add a Peer Host ID and the IP Address for the server-side
FortiGate-620B unit:
Peer Host ID   Server_Fgt
IP Address     10.20.20.2

5 Select OK.
To add WAN optimization rules for HTTP and FTP to the FortiGate-311B Wanopt
VDOM
1 Log in to the Wanopt VDOM.
2 Go to WAN Opt. & Cache > Rule.
3 Select Create New to add an active rule to optimize HTTP traffic from IP addresses on
the Client network (172.20.120.0) with a destination address on the server network
(192.168.10.0):
Mode                    Full Optimization
Source                  172.20.120.*
Destination             192.168.10.*
Port                    80
Auto-Detect             Active
Protocol                HTTP
Transparent Mode        Select
Enable Byte Caching     Select
Enable SSL              Do not select.
Enable Secure Tunnel    Do not select.
                        Tip: For improved privacy you can select this option and add an
                        authentication group to both optimizing FortiGate units.
Authentication Group    Do not select.

4 Select OK.
5 Select Create New to add an active rule to optimize FTP traffic from IP addresses on
the Client network (172.20.120.0) with a destination address on the server network
(192.168.10.0):
Mode                    Full Optimization
Source                  172.20.120.*
Destination             192.168.10.*
Port                    21
Auto-Detect             Active
Protocol                FTP
Transparent Mode        Select
Enable Byte Caching     Select
Enable SSL              Do not select.
Enable Secure Tunnel    Do not select.
                        Tip: For improved privacy you can select this option and add an
                        authentication group to both optimizing FortiGate units.
Authentication Group    Do not select.

6 Select OK.
7 Select Create New to add a rule to web cache HTTP traffic from IP addresses on the
Client network (172.20.120.0) with any destination address:
Mode                Web Cache Only
Source              172.20.120.*
Destination         0.0.0.0
Port                80
Transparent Mode    Select
Enable SSL          Do not select.

8 Select OK.
9 If required, use the Move To icon to move the Web Cache Only rule below the full
optimization HTTP and FTP rules in the list. The Web Cache Only rule should be below
the full optimization rules because it will match all HTTP traffic and you need HTTP
sessions with destination address 192.168.10.0 to match the full optimization HTTP
rule.

Server-side configuration steps - web-based manager
This section describes the configuration steps required for the server-side FortiGate-620B
unit to perform WAN optimization with the client-side FortiGate-311B unit and to send
HTTP and FTP sessions to the server-side FortiGate-1000A cluster. This section also
describes how to configure the FortiGate-1000A cluster to forward HTTP and FTP
sessions from the client network to the server network.
The section breaks down the server-side configuration into smaller procedures. For best
results, follow the procedures in the order given:
1 Configure routing for the FortiGate-620B unit.
2 Configure peers for the server-side FortiGate-620B unit.
3 Add a passive WAN optimization rule to the server-side FortiGate-620B unit.
4 Configure the FortiGate-1000A cluster to accept HTTP and FTP connections at port5
and forward them out port1 to the server network.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.
To configure routing for the FortiGate-620B unit
1 Go to Router > Static and select Create New to add a default route. The destination of
the default route is the port16 interface. The gateway of the default route is the next
hop router that the port16 interface connects with:
Destination IP/Mask   0.0.0.0/0.0.0.0
Device                port16
Gateway               (next hop router IP address)
Distance              10

2 Select OK.

3 Select Create New to add a route to send traffic for the server network out port1 to the
port5 interface of the FortiGate-1000A cluster, which has the IP address 192.20.20.1:
Destination IP/Mask   192.168.10.0/24
Device                port1
Gateway               192.20.20.1
Distance              10

4 Select OK.
To configure peers for the server-side FortiGate-620B unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the server-side
FortiGate-620B unit:
Local Host ID   Server_Fgt

2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the client-side
FortiGate-311B unit:
Peer Host ID   Client_Fgt
IP Address     10.10.10.2

4 Select OK.
To add a passive WAN optimization rule to the server-side FortiGate-620B unit
You can add one passive WAN optimization rule to the server-side FortiGate-620B unit for
both active rules on the FortiGate-311B unit. This rule can also allow the FortiGate-620B
to perform WAN optimization with other client-side devices as long as the required Peer
Host IDs are added to the FortiGate-620B configuration and to the client-side
configurations.
1 Go to WAN Opt. & Cache > Rule and select Create New to add a passive rule that
accepts any WAN optimization tunnel request:
Mode                Full Optimization
Source              0.0.0.0
Destination         192.168.10.*
Port                1-65535
                    Tip: You can also use a narrower port range such as 21-80 or add
                    two rules, one with port set to 80 and one with port set to 21.
Auto-Detect         Passive
Enable Web Cache    Select

2 Select OK.
3 If required, use the Move To icon to move the rule to a different position in the list so
that the tunnel request from the client-side FortiGate unit matches with this rule.
For more information, see “Moving a rule to a different position in the rule list” on
page 2007.

To configure the FortiGate-1000A cluster to accept HTTP and FTP connections at
port5 and forward them out port1 to the server network
1 Go to Firewall > Address and select Create New to add an address for the server
network:
Address Name        Server_Net
Type                Subnet / IP Range
Subnet / IP Range   192.168.10.*
Interface           Any

2 Select OK.
3 Go to Firewall > Address and select Create New to add an address for the client
network:
Address Name        Client_Net
Type                Subnet / IP Range
Subnet / IP Range   172.20.120.*
Interface           Any

4 Select OK.
5 Go to Firewall > Policy and select Create New to add a firewall policy that accepts
HTTP sessions at port5 destined for port1 and the server network:
Source Interface/Zone        port5
Source Address               Client_Net
Destination Interface/Zone   port1
Destination Address          Server_Net
Schedule                     always
Service                      HTTP
Action                       ACCEPT
NAT                          Do not select.
                             Tip: WAN optimization is operating in Transparent mode so the
                             packets from the client network include their client network
                             source IP addresses. To preserve these source IP addresses
                             the firewall policies on the FortiGate-1000A cluster that accept
                             the sessions from the FortiGate-620B unit should not apply
                             NAT. If the policies were to apply NAT, the client network
                             addresses would be replaced with the port1 IP address of the
                             FortiGate-1000A cluster and the client network source IP
                             addresses would be lost.

6 Select OK.
7 Go to Firewall > Policy and select Create New to add a firewall policy that accepts
FTP sessions at port5 destined for port1 and the server network:
Source Interface/Zone        port5
Source Address               Client_Net
Destination Interface/Zone   port1
Destination Address          Server_Net
Schedule                     always
Service                      FTP
Action                       ACCEPT
NAT                          Do not select.
                             Tip: As described above, selecting NAT would cause the loss of
                             client network source IP addresses.

8 Select OK.

Client-side configuration steps - CLI
This section describes the configuration steps required to redirect HTTP and FTP
sessions from the client-side FortiGate-300A unit and to configure the client-side
FortiGate-311B unit to optimize HTTP and FTP sessions to the server network and to
apply web caching to all other HTTP sessions from the client network.
The section breaks down the client-side configuration into smaller procedures. For best
results, follow the procedures in the order given:
1 Configure the FortiGate-300A unit to redirect all HTTP and FTP sessions to the
FortiGate-311B unit.
2 Configure the FortiGate-311B unit for multiple VDOM operation and add an inter-VDOM link.
3 Configure routing for the FortiGate-311B root VDOM.
4 Add firewall policies to the FortiGate-311B root VDOM to accept HTTP and FTP
sessions received at port1 and destined for Vlink0, and apply virus scanning (and
optionally other UTM features).
5 Configure routing for the FortiGate-311B Wanopt VDOM.
6 Add firewall policies to the FortiGate-311B Wanopt VDOM to accept HTTP and FTP
sessions received at the Vlink1 interface of the inter-VDOM link and destined for
port10.
7 Configure peers for the FortiGate-311B Wanopt VDOM.
8 Add WAN optimization rules for HTTP and FTP to the FortiGate-311B Wanopt VDOM.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.
To configure the FortiGate-300A unit to redirect all HTTP and FTP sessions to the
FortiGate-311B unit
1 Set the FortiGate-300A port4 IP address to 172.10.10.1:
config system interface
edit port4
set ip 172.10.10.1/24
end
2 Add a firewall policy that allows all port5 to port4 HTTP sessions:
config firewall policy
edit 1
set srcintf port5
set dstintf port4
set srcaddr all
set dstaddr all
set action accept
set service HTTP
set schedule always
set nat enable
end
Configure other policy settings that you may require. For example, you could add virus
scanning (and optionally other UTM features).
3 Add a firewall policy that allows all port5 to port4 FTP sessions:
config firewall policy
edit 2
set srcintf port5
set dstintf port4
set srcaddr all
set dstaddr all
set action accept
set service FTP
set schedule always
set nat enable
end
Configure other policy settings that you may require.
4 If required, use the move command to change the order of the policies in the policy list.
Follow the normal rules for ordering firewall policies in the policy list. For example,
move specific rules above general rules. For more information about these rules, see
the FortiGate Administration Guide.
5 Add a policy route to redirect HTTP traffic received at port5 to exit the FortiGate unit
using port4. Set the gateway address of the route to 172.10.10.2 so that the HTTP
sessions are directed to the FortiGate-311B port1 interface. For HTTP traffic, the
protocol is 6 (TCP) and the destination port is 80:
config router policy
edit 1
set protocol 6
set input-device port5
set output-device port4
set src 0.0.0.0/0.0.0.0
set dst 0.0.0.0/0.0.0.0
set start-port 80
set end-port 80
set gateway 172.10.10.2
end
Accept default settings for tos (0x00) and tos-mask (0x00).
6 Add a policy route to redirect FTP traffic received at port5 to exit the FortiGate unit
using port4. Set the gateway address of the route to 172.10.10.2 so that the FTP
sessions are directed to the FortiGate-311B port1 interface. For FTP traffic, the
protocol is 6 (TCP) and the destination port is 21:
config router policy
edit 2
set protocol 6
set input-device port5
set output-device port4
set src 0.0.0.0/0.0.0.0
set dst 0.0.0.0/0.0.0.0
set start-port 21
set end-port 21
set gateway 172.10.10.2
end
Accept default settings for tos (0x00) and tos-mask (0x00).
To configure the FortiGate-311B unit for multiple VDOM operation and add an inter-VDOM link
1 Enable multiple VDOM operation:
config system global
set vdom-admin enable
end
2 Log back in to the CLI.
3 Add a new virtual domain named Wanopt.
config vdom
edit Wanopt
end
4 Add the port10 interface to the Wanopt VDOM:
config global
config system interface
edit port10
set vdom Wanopt
set ip 10.10.10.2/24
end
end
5 Add an inter-VDOM link named Vlink and configure the Vlink0 and Vlink1 interfaces:
config global
config system vdom-link
edit Vlink
end
config system interface
edit Vlink0
set vdom root
set ip 172.1.1.1/24
next
edit Vlink1
set vdom Wanopt
set ip 172.1.1.2/24
end
end
To configure routing for the FortiGate-311B root VDOM
1 Log in to the root VDOM from the CLI.
2 Add a default route. The destination of the default route is the inter-VDOM link
interface in the root VDOM. The gateway of the default route is the IP address of the
inter-VDOM link interface in the Wanopt VDOM. The result is the default route sends
all traffic out the inter-VDOM link and into the Wanopt VDOM:

config router static
edit 1
set dst 0.0.0.0/0.0.0.0
set device Vlink0
set gateway 172.1.1.2
set distance 10
end
3 Add a route to send return traffic from the server network destined for the client
network out the port1 interface to the port4 interface of the FortiGate-300A which has
IP address 172.10.10.1:
config router static
edit 2
set dst 172.20.120.0/24
set device port1
set gateway 172.10.10.1
set distance 10
end
To add firewall policies to the FortiGate-311B root VDOM to accept HTTP and FTP
sessions received at port1 and destined for Vlink0 and apply virus scanning (and
optionally other UTM features)
1 Log in to the root VDOM from the CLI.
2 Add a firewall policy that accepts HTTP sessions received at port1 and applies virus
scanning to them:
config firewall policy
edit 20
set srcintf port1
set dstintf Vlink0
set srcaddr all
set dstaddr all
set action accept
set service HTTP
set schedule always
set utm-status enable
set profile-protocol-options default
set av-profile scan
end
Tip: To preserve the source addresses of the HTTP sessions, NAT should not be enabled
for this policy.

Configure other policy settings that you may require. You can also use more specific
firewall addresses or add one firewall policy that accepts both FTP and HTTP traffic.

3 Add a firewall policy that accepts FTP sessions received at port1 and applies virus
scanning to them:
config firewall policy
edit 21
set srcintf port1
set dstintf Vlink0
set srcaddr all
set dstaddr all
set action accept
set service FTP
set schedule always
set utm-status enable
set profile-protocol-options default
set av-profile scan
end
Tip: To preserve the source addresses of the FTP sessions, NAT should not be enabled
for this policy.

Configure other policy settings that you may require. You can also use more specific
firewall addresses or add one firewall policy that accepts both FTP and HTTP traffic.
To configure routing for the FortiGate-311B Wanopt VDOM
1 Log in to the Wanopt VDOM from the CLI.
2 Add a default route. The destination of the default route is the port10 interface. The
gateway of the default route is the next hop router that the port10 interface connects
with:
config router static
edit 1
set dst 0.0.0.0/0.0.0.0
set device port10
set gateway (next hop router IP address)
set distance 10
end
3 Add a route to send return traffic from the server network destined for the client
network out the Vlink1 interface to the Vlink0 interface in the root VDOM, which has the
IP address 172.1.1.2:
config router static
edit 2
set dst 172.20.120.0/24
set device Vlink1
set gateway 172.1.1.2
set distance 10
end
To add firewall policies to the FortiGate-311B Wanopt VDOM to accept HTTP and
FTP sessions received at the Vlink1 interface of the inter-VDOM link destined for
port10
1 Log in to the Wanopt VDOM from the CLI.
2 Add a firewall policy that accepts HTTP sessions received at Vlink1 and destined for
port10:

config firewall policy
edit 20
set srcintf Vlink1
set dstintf port10
set srcaddr all
set dstaddr all
set action accept
set service HTTP
set schedule always
set nat enable
end
Tip: NAT is ignored for all HTTP sessions for the server network because these sessions
are intercepted by a full optimization WAN optimization rule. However, HTTP sessions for
the Internet are intercepted by the Web Cache Only rule, so source NAT is required for
replies.
Tip: Do not enable UTM because you cannot apply UTM features and WAN optimization to
the same session in the same VDOM. Virus scanning was applied to the session in the root
VDOM.

Configure other settings that you may require.
3 Add a firewall policy that accepts FTP sessions received at Vlink1 and destined for
port10:
config firewall policy
edit 21
set srcintf Vlink1
set dstintf port10
set srcaddr all
set dstaddr all
set action accept
set service FTP
set schedule always
set nat enable
end
Tip: NAT is ignored for all FTP sessions for the server network because these sessions
are intercepted by a full optimization WAN optimization rule. However, FTP sessions for
the Internet are allowed to reach their destination, so source NAT is required for
replies.
Tip: Do not enable UTM because you cannot apply UTM features and WAN optimization to
the same session in the same VDOM. Virus scanning was applied to the session in the root
VDOM.

Configure other settings that you may require.
To configure peers for the FortiGate-311B Wanopt VDOM
1 Log in to the Wanopt VDOM from the CLI.
2 Add the Local Host ID for the client-side FortiGate-311B unit:
config wanopt settings
set host-id Client_Fgt
end

3 Add a Peer Host ID and the IP Address for the server-side FortiGate-620B unit.
config wanopt peer
edit Server_Fgt
set ip 10.20.20.2
end
To add WAN optimization rules for HTTP and FTP to the FortiGate-311B Wanopt
VDOM
1 Log in to the Wanopt VDOM from the CLI.
2 Add an active rule to optimize HTTP traffic from IP addresses on the Client network
(172.20.120.0) with a destination address on the server network (192.168.10.0):
config wanopt rule
edit 4
set auto-detect active
set src-ip 172.20.120.0-172.20.120.255
set dst-ip 192.168.10.0-192.168.10.255
set port 80
set proto http
end
Accept default settings for transparent (enable), status (enable), mode (full),
byte-caching (enable), ssl (disable), secure-tunnel (disable), authgroup (null),
unknown-http-version (tunnel), and tunnel-non-http (disable).
Tip: For improved privacy you can enable secure-tunnel and add an authentication
group to both optimizing FortiGate units.

3 Add an active rule to optimize FTP traffic from IP addresses on the Client network
(172.20.120.0) with a destination address on the server network (192.168.10.0):
config wanopt rule
edit 5
set auto-detect active
set src-ip 172.20.120.0-172.20.120.255
set dst-ip 192.168.10.0-192.168.10.255
set port 21
set proto ftp
end
Accept default settings for transparent (enable), status (enable), mode (full),
byte-caching (enable), ssl (disable), secure-tunnel (disable), authgroup (null),
unknown-http-version (tunnel), and tunnel-non-http (disable).
Tip: For improved privacy you can enable secure-tunnel and add an authentication
group to both optimizing FortiGate units.

4 Add a rule to web cache HTTP traffic from IP addresses on the Client network
(172.20.120.0) with any destination address:
config wanopt rule
edit 6
set mode webcache-only
set src-ip 172.20.120.0-172.20.120.255
set dst-ip 0.0.0.0
set port 80
set proto http
end
Accept default settings for transparent (enable), status (enable), ssl (disable),
unknown-http-version (tunnel), and tunnel-non-http (disable).
5 If required, use the move command to move the Web Cache Only rule below the full
optimization HTTP and FTP rules in the list. The Web Cache Only rule should be below
the full optimization rules because it will match all HTTP traffic and you need HTTP
sessions with destination address 192.168.10.0 to match the full optimization HTTP
rule.
For more information, see “Moving a rule to a different position in the rule list” on
page 2007.
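The client-side CLI procedures above rest on a few invariants that are easy to break when the listings are retyped: the root VDOM's port1-to-Vlink0 policies must not NAT (the WAN optimization rules need the real client addresses) and must carry UTM, the Wanopt VDOM's Vlink1-to-port10 policies must NAT and must not enable UTM, and the Web Cache Only rule must sit below the full optimization rules. The following Python lint is an added example, not Fortinet code or part of the handbook; it parses only the config/edit/set/next/end form the listings use and runs against a constructed sample that contains deliberate mistakes.

```python
"""Lint a FortiOS 4.0 MR2-style CLI listing against the invariants of the
out-of-path WAN optimization example. Added example, not Fortinet code."""

# Constructed sample modelled on the FortiGate-311B listings, with deliberate
# mistakes: root policy 20 NATs and lacks UTM, Wanopt policy 20 enables UTM,
# and the Web Cache Only rule (6) is listed above the full HTTP rule (4).
SAMPLE = """\
config vdom
edit root
config firewall policy
edit 20
set srcintf port1
set dstintf Vlink0
set nat enable
end
next
edit Wanopt
config firewall policy
edit 20
set srcintf Vlink1
set dstintf port10
set nat enable
set utm-status enable
end
config wanopt rule
edit 6
set mode webcache-only
set port 80
next
edit 4
set auto-detect active
set port 80
next
edit 5
set auto-detect active
set port 21
end
end
"""


def parse(text):
    """Nested dicts: a table maps entry names to entries in listing order; an
    entry maps set keys to values and nested table names to tables."""
    base = {}
    stack = [("table", base)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, arg = line.partition(" ")
        node = stack[-1][1]
        if cmd == "config":
            stack.append(("table", node.setdefault(arg, {})))
        elif cmd == "edit":
            stack.append(("entry", node.setdefault(arg, {})))
        elif cmd == "set":
            key, _, value = arg.partition(" ")
            node[key] = value
        elif cmd == "next":            # leave the entry, stay in its table
            stack.pop()
        elif cmd == "end":             # leave the open entry (if any) and its table
            while len(stack) > 1 and stack[-1][0] == "entry":
                stack.pop()
            if len(stack) > 1:
                stack.pop()
        else:
            raise ValueError("unsupported line: " + line)
    return base


def lint(cfg):
    """Return a list of findings; an empty list means the listing obeys the design."""
    out = []
    vdoms = cfg.get("vdom", {})
    # root VDOM, port1 -> Vlink0: keep client source IPs, scan here
    for pid, p in vdoms.get("root", {}).get("firewall policy", {}).items():
        if (p.get("srcintf"), p.get("dstintf")) != ("port1", "Vlink0"):
            continue
        if p.get("nat") == "enable":
            out.append(f"root policy {pid}: NAT would rewrite client source IPs")
        if p.get("utm-status") != "enable":
            out.append(f"root policy {pid}: UTM missing, nothing scans this traffic")
    wanopt = vdoms.get("Wanopt", {})
    # Wanopt VDOM, Vlink1 -> port10: NAT for Web Cache Only replies, no UTM here
    for pid, p in wanopt.get("firewall policy", {}).items():
        if (p.get("srcintf"), p.get("dstintf")) != ("Vlink1", "port10"):
            continue
        if p.get("nat") != "enable":
            out.append(f"Wanopt policy {pid}: NAT needed for Web Cache Only replies")
        if p.get("utm-status") == "enable":
            out.append(f"Wanopt policy {pid}: UTM and WAN optimization cannot share a session")
    # rule order: a Web Cache Only rule above a full-optimization rule on the
    # same port matches first and shadows it (mode defaults to full)
    cache_above = {}
    for rid, r in wanopt.get("wanopt rule", {}).items():
        if r.get("mode", "full") == "webcache-only":
            cache_above.setdefault(r.get("port"), rid)
        elif r.get("port") in cache_above:
            out.append(f"wanopt rule {rid}: shadowed by Web Cache Only rule {cache_above[r.get('port')]}")
    return out


if __name__ == "__main__":
    for finding in lint(parse(SAMPLE)):
        print(finding)
```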

Server-side configuration steps - CLI
This section describes the configuration steps required for the server-side FortiGate-620B
unit to perform WAN optimization with the client-side FortiGate-311B unit and to send
HTTP and FTP sessions to the server-side FortiGate-1000A cluster. This section also
describes how to configure the FortiGate-1000A cluster to forward HTTP and FTP
sessions from the client network to the server network.
The section breaks down the server-side configuration into smaller procedures. For best
results, follow the procedures in the order given:
1 Configure routing for the FortiGate-620B unit.
2 Configure peers for the server-side FortiGate-620B unit.
3 Add a passive WAN optimization rule to the server-side FortiGate-620B unit.
4 Configure the FortiGate-1000A cluster to accept HTTP and FTP connections at port5
and forward them out port1 to the server network.
Also note that if you perform any additional actions between procedures, your
configuration may have different results.
To configure routing for the FortiGate-620B unit
1 Add a default route. The destination of the default route is the port16 interface. The
gateway of the default route is the next hop router that the port16 interface connects
with:
config router static
edit 1
set dst 0.0.0.0/0.0.0.0
set device port16
set gateway (next hop router IP address)
set distance 10
end

2 Add a route to send traffic for the server network out port1 to the port5 interface of the
FortiGate-1000A cluster, which has the IP address 192.20.20.1:
config router static
edit 2
set dst 192.168.10.0/24
set device port1
set gateway 192.20.20.1
set distance 10
end
To configure peers for the server-side FortiGate-620B unit
1 Add the Local Host ID for the server-side FortiGate-620B unit:
config wanopt settings
set host-id Server_Fgt
end
2 Add a Peer Host ID and the IP Address for the client-side FortiGate-311B unit:
config wanopt peer
edit Client_Fgt
set ip 10.10.10.2
end
To add a passive WAN optimization rule to the server-side FortiGate-620B unit
You can add one passive WAN optimization rule to the server-side FortiGate-620B unit for
both active rules on the FortiGate-311B unit. This rule can also allow the FortiGate-620B
to perform WAN optimization with other client-side devices as long as the required Peer
Host IDs are added to the FortiGate-620B configuration and to the client-side
configurations.
1 Add a passive rule that accepts any WAN optimization tunnel request:
config wanopt rule
edit 5
set auto-detect passive
set src-ip 0.0.0.0
set dst-ip 192.168.10.0-192.168.10.255
set port 1-65535
set webcache enable
end
Accept default settings for status (enable) and mode (full).
Tip: You can also use a narrower port range such as 21-80 or add two rules, one with port
set to 80 and one with port set to 21.

2 If required, use the move command to move the rule to a different position in the list so
that the tunnel request from the client-side FortiGate unit matches with this rule.
For more information, see “Moving a rule to a different position in the rule list” on
page 2007.

To configure the FortiGate-1000A cluster to accept HTTP and FTP connections at
port5 and forward them out port1 to the server network
1 Add a firewall address for the server network:
config firewall address
edit Server_Net
set type iprange
set start-ip 192.168.10.0
set end-ip 192.168.10.255
end
2 Add a firewall address for the client network:
config firewall address
edit Client_Net
set type iprange
set start-ip 172.20.120.0
set end-ip 172.20.120.255
end
3 Add a firewall policy that accepts HTTP sessions at port5 destined for port1 and the
server network:
config firewall policy
edit 10
set srcintf port5
set dstintf port1
set srcaddr Client_Net
set dstaddr Server_Net
set action accept
set service HTTP
set schedule always
end
Tip: WAN optimization is operating in Transparent mode so the packets from the client
network include their client network source IP addresses. To preserve these source IP
addresses, the firewall policies on the FortiGate-1000A cluster that accept the sessions
from the FortiGate-620B unit should not apply NAT. If the policies were to apply NAT, the
client network addresses would be replaced with the port1 IP address of the
FortiGate-1000A cluster and the client network source IP addresses would be lost.

4 Add a firewall policy that accepts FTP sessions at port5 destined for port1 and the
server network:
config firewall policy
edit 11
set srcintf port5
set dstintf port1
set srcaddr Client_Net
set dstaddr Server_Net
set action accept
set service FTP
set schedule always
end
Tip: As described above, selecting NAT would cause the loss of the client network source
IP addresses.


SSL offloading for WAN optimization and web caching
WAN optimization SSL offloading uses the FortiGate unit to encrypt and decrypt SSL
sessions. WAN optimization supports SSL offloading for HTTP and HTTPS sessions to
and from web servers. The FortiGate unit intercepts HTTPS traffic from clients and
decrypts it before sending it as HTTP clear text to the web server. The HTTP clear text
response from the web server is encrypted by the FortiGate unit and returned to the client
as an HTTPS session. The result should be a performance improvement because SSL
encryption and decryption is offloaded from the server to the FortiGate unit’s FortiASIC
SSL encryption/decryption engine. You can also combine SSL offloading with other WAN
optimization techniques such as HTTP protocol optimization, byte caching, and web
caching to further enhance web server performance.
You enable SSL offloading by selecting Enable SSL in a WAN optimization rule. You must
also add SSL servers to support SSL offloading by using the CLI command config
wanopt ssl-server.
You must add one WAN optimization SSL server configuration to a FortiGate unit for each
HTTP server for which you are configuring SSL offloading. This SSL server configuration
must also include the HTTP server CA. You load this certificate into the FortiGate unit as a
local certificate and then add it to the SSL server configuration using the ssl-cert
keyword. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not
supported.
You can configure one WAN optimization rule to offload SSL encryption/decryption for
multiple HTTP servers. To do this, you configure the WAN optimization rule source and
destination addresses, so that the rule accepts packets destined for all of the HTTP
servers for which you want offloading. Then you add one SSL server configuration for
each of the HTTP servers.
A number of SSL offloading configurations are possible. This chapter demonstrates two:
• Example: SSL offloading for a WAN optimization tunnel
• Example: SSL offloading and reverse proxy web caching for an Internet web server

Example: SSL offloading for a WAN optimization tunnel
This example shows how to configure basic SSL offloading for a WAN optimization tunnel.
This basic SSL offloading configuration can be applied to many network configurations.

Network topology and assumptions
In this example, clients on a client network use https://192.168.10.20 to browse to a web
server. A WAN optimization rule with Auto-Detect set to Off on the client-side FortiGate
unit accepts sessions from the clients with source addresses on the 172.20.120.0 network
and with a destination address of 192.168.10.0 and a destination port of 443. In this rule,
Enable Secure Tunnel is selected so that the tunnel is encrypted. To support the encrypted
tunnel, the configuration also includes an authentication group with a pre-shared key. Both
FortiGate units must have the same authentication group with the same pre-shared key.


The server-side FortiGate unit includes an SSL server configuration with ip set to
192.168.10.20 and port to 443. The unit also includes the web server CA.
Figure 349: SSL offloading WAN optimization configuration
[Figure: Client network 172.20.120.0 -> client-side FortiGate unit (Local Host ID: User_net; IP address 172.20.120.1; rule with Auto-Detect off) -> WAN carrying encrypted traffic -> server-side FortiGate unit (Local Host ID: Web_servers; IP address 192.168.10.1; SSL server and web server CA) -> web server 192.168.10.20 (port 80). Clients send encrypted HTTPS traffic; across the WAN the decrypted traffic is protected by the encrypted tunnel; the server side forwards decrypted traffic to the web server.]

When the client-side FortiGate unit accepts an HTTPS connection for 192.168.10.20, the
SSL server configuration provides the information that the client-side unit needs to decrypt
the traffic and send it in clear text across a WAN optimization tunnel to the server-side
unit. The server-side unit then forwards the clear text packets to the web server.
The web server CA is not downloaded from the server side to the client-side FortiGate
unit. Instead, the client-side FortiGate unit proxies the SSL parameters from the client side
to the server side, which returns an SSL key and other required information to the client-side unit so that it can decrypt and encrypt HTTPS traffic.
Note: In this peer-to-peer configuration you do not need to add a WAN optimization rule to
the server-side FortiGate unit as long as this server-side unit includes the peer host ID of
the client-side FortiGate unit in its peer list. However, you can set Auto-Detect to Active on
the client-side FortiGate unit and then add a passive rule to the server-side unit.

In this example, you do not require the secure tunnel and the authentication group
configurations, but they are included to show how to protect the privacy of the WAN
optimization tunnel. Alternatively, you could configure a route-based IPsec VPN between
the FortiGate units and use IPsec to protect the privacy of the WAN optimization tunnel.
In this example, it is assumed that you have a local CA named Web_Server_Cert_1.crt
stored in a file that you will import when you configure the server-side FortiGate unit.

General configuration steps
This example is divided into client-side and server-side steps, as configured through the
web-based manager, and with CLI instructions provided for CLI-only steps. For best
results, follow the procedures in the order given. Also, note that if you perform any
additional actions between procedures, your configuration may have different results.
You also need access to the CLI to perform CLI-only steps.


Client-side configuration steps
To configure the client-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the client-side
FortiGate unit:
Local Host ID: User_net

2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the peer side
FortiGate unit:
Peer Host ID: Web_servers
IP Address: 192.168.10.1

4 Select OK.
5 Go to WAN Opt. & Cache > Peer > Authentication Group and select Create New to add
an authentication group named SSL_auth_grp to the client-side FortiGate unit.
The authentication group includes a pre-shared key and the peer added in step 3. An
authentication group with the same name and the same pre-shared key must also be
added to the server-side FortiGate unit. This authentication group is required for the
secure tunnel:
Name: SSL_auth_grp
Authentication Method: Pre-shared key
Password: <pre-shared_key>
Peer Acceptance: Specify Peer: Web_servers

6 Select OK.
7 Go to WAN Opt. & Cache > Rule and select Create New to add the WAN optimization
rule:
Mode: Full Optimization
Source: 172.20.120.*
Destination: 192.168.10.*
Port: 443
Auto-Detect: Off
Protocol: HTTP
Peer: Web_servers
Transparent Mode: Select
Enable Byte Caching: Select
Enable SSL: Select
Enable Secure Tunnel: Select
Authentication Group: SSL_auth_grp

8 Select OK.
The rule is added to the bottom of the WAN optimization list.


9 If required, move the rule to a different position in the list.
The order of the rules in the list significantly affects how the rules are applied. For more
information, see “How list order affects rule matching” on page 2006 and “Moving a
rule to a different position in the rule list” on page 2007.

Server-side configuration steps
To configure the server-side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the server-side
FortiGate unit:
Local Host ID: Web_servers

2 Select Apply to save your setting.
3 Select Create New and add a Peer Host ID and the IP Address for the peer side
FortiGate unit:
Peer Host ID: User_net
IP Address: 172.20.120.1

4 Select OK.
5 Go to WAN Opt. & Cache > Peer > Authentication Group and select Create New to add
an authentication group named SSL_auth_grp to the server-side FortiGate unit.
The authentication group includes a pre-shared key and the peer added to the server-side FortiGate unit in step 3:
Name: SSL_auth_grp
Authentication Method: Pre-shared key
Password: <pre-shared_key>
Peer Acceptance: Specify Peer: User_net

6 Select OK.
7 Go to System > Certificates > Local Certificates and select Import to import the web
server’s CA.
For Type, select Local Certificate. Select the Browse button to locate the file,
Web_Server_Cert_1.crt.
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
8 From the CLI, enter the following command to add the SSL server to the server-side
FortiGate unit:
config wanopt ssl-server
edit example_server
set ip 192.168.10.20
set port 443
set ssl-cert Web_Server_Cert_1
end
Configure other ssl-server settings that you may require for your configuration.


Example: SSL offloading and reverse proxy web caching for an Internet web server
This example shows how to configure SSL offloading for a reverse proxy Web Cache Only
WAN optimization configuration.

Network topology and assumptions
In this configuration, clients on the Internet use HTTPS to browse to a web server. The
FortiGate unit intercepts the HTTPS traffic, and a Web Cache Only WAN optimization rule
with SSL offloading enabled decrypts the traffic before sending it to the web server. The
FortiGate unit also caches pages from the web server. Replies from the web server are
encrypted by the FortiGate unit before returning to the web browsing clients.
The Web Cache Only rule enables transparent mode because the FortiGate unit is
performing NAT between the Internet and the HTTP server and the web server network is
not configured to route Internet traffic between the FortiGate unit and the web server.
In this configuration, the FortiGate unit is operating in reverse proxy mode. Reverse proxy
caches can be placed directly in front of a particular server. Web caching on the FortiGate
unit reduces the number of requests that the web server must handle, therefore leaving it
free to process new requests that it has not serviced before.
Using a reverse proxy configuration:
• avoids the capital expense of additional web servers by increasing the capacity of existing servers
• serves more requests for static content from web servers
• serves more requests for dynamic content from web servers
• reduces operating expenses including the cost of bandwidth required to serve content
• accelerates the response time of web servers and of page download times to end users.

When planning a reverse proxy implementation, the web server's content should be
written so that it is “cache aware” to take full advantage of the reverse proxy cache.
In reverse proxy mode, the FortiGate unit functions more like a web server for the clients it
services. Unlike internal clients, external clients are not reconfigured to access the proxy
server. Instead, the site URL routes the client to the FortiGate unit as if it were a web
server. Replicated content is delivered from the proxy cache to the external client without
exposing the web server or the private network residing safely behind the firewall.
In this example, the site URL translates to IP address 192.168.10.1, which is the port2 IP
address of the FortiGate unit. The port2 interface is connected to the Internet.
This example also includes two Web Cache Only rules, one that accepts the HTTP traffic
for web caching and one that accepts the HTTPS traffic for SSL offloading and web
caching. You could instead add only one rule for both the HTTP and HTTPS traffic.
For this example, it is also assumed that all HTTP traffic uses port 80 and all HTTPS traffic
uses port 443.
The FortiGate unit includes the web server CA and an SSL server configuration for IP
address 172.10.20.30 and port 443. The name of the file containing the CA is
Rev_Proxy_Cert_1.crt.


Figure 350: SSL offloading for web caching
[Figure: Internet -> FortiGate port2 (IP address 192.168.10.1), with a Web Cache Only rule that includes SSL offloading -> FortiGate port1 (IP address 172.10.20.2) -> HTTP web server (port 80), IP address 172.10.20.30. Traffic is encrypted on the Internet side of the FortiGate unit and decrypted on the web server side.]

Configuration steps
To configure the FortiGate unit as a reverse proxy web cache server
1 Go to Firewall > Virtual IP and select Create New to add a virtual IP that translates the
destination IP address from 192.168.10.1 to 172.10.20.30:
Name: Reverse_proxy_VIP
External Interface: port2
Type: Read-only description of the current mode, usually Static NAT.
External IP Address/Range: 192.168.10.1
Mapped IP Address/Range: 172.10.20.30
Port Forwarding: Do not select.

2 Select OK to save your settings.
3 Go to Firewall > Policy and select Create New to add a port2 to port1 firewall policy
that accepts HTTP and HTTPS traffic from the Internet:
Do not select UTM features. Set the destination address to the virtual IP. You do not
have to enable NAT.
Source Interface/Zone: port2
Source Address: all
Destination Interface/Zone: port1
Destination Address: Reverse_proxy_VIP
Service: HTTP and HTTPS
Note: Select Multiple to display a screen for entering more than one service.
Action: ACCEPT

4 Select OK to save your settings.
5 Go to WAN Opt. & Cache > Rule and select Create New to add a Web Cache Only
WAN optimization rule.
6 Configure the rule to accept the HTTP traffic accepted by the firewall policy:
Mode: Web Cache Only
Source: 0.0.0.0
Destination: 192.168.10.1
Note: You need to set Destination to the IP address that is translated by
the virtual IP (192.168.10.1) and not to the server IP (172.10.20.30).
Port: 80
Transparent Mode: Select
Enable SSL: Do not select

7 Select OK.
The rule is added to the bottom of the WAN optimization list.
8 If required, move the rule to a different position in the list.
The order of the rules in the list significantly affects how the rules are applied. For more
information, see “How list order affects rule matching” on page 2006 and “Moving a
rule to a different position in the rule list” on page 2007.
To configure the FortiGate unit for SSL offloading of HTTPS traffic
The firewall policy added in the first procedure accepts HTTPS traffic so you do not have
to add another one.
1 Go to WAN Opt. & Cache > Rule and select Create New to add a Web Cache Only
WAN optimization rule.
2 Configure the rule to accept the HTTPS traffic accepted by the firewall policy:
Mode: Web Cache Only
Source: 0.0.0.0
Destination: 192.168.10.1
Note: You need to set Destination to the IP address that is translated by
the virtual IP (192.168.10.1) and not to the server IP (172.10.20.30).
Port: 443
Transparent Mode: Select
Enable SSL: Select

3 Select OK.
The rule is added to the bottom of the WAN optimization list.
4 If required, move the rule to a different position in the list.
The HTTPS rule can be above or below the HTTP rule.
The order of the rules in the list significantly affects how the rules are applied. For more
information, see “How list order affects rule matching” on page 2006 and “Moving a
rule to a different position in the rule list” on page 2007.
To add an SSL server to offload SSL encryption and decryption for the web server
1 Go to System > Certificates > Local Certificates and select Import to import the web
server’s CA.
For Type, select Local Certificate. Select the Browse button to locate the file
Rev_Proxy_Cert_1.crt.
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.


2 From the CLI, enter the following command to add the SSL server.
config wanopt ssl-server
edit rev_proxy_server
set ip 172.10.20.30
set port 443
set ssl-cert Rev_Proxy_Cert_1
end
3 Configure other ssl-server settings that you may require for your configuration.


FortiClient WAN optimization
FortiClient WAN optimization works together with WAN optimization on a FortiGate unit to
accelerate network traffic between a PC running version 4.0 or greater of the FortiClient
application and a network behind a FortiGate unit. When a user of a PC with FortiClient
WAN optimization enabled attempts to connect to network resources behind a server-side
FortiGate unit, the FortiClient application automatically detects if WAN optimization is
enabled on the FortiGate unit. If WAN optimization is detected and the FortiClient
application can successfully negotiate a WAN optimization tunnel with the FortiGate unit, a
WAN optimization tunnel starts.
FortiClient WAN optimization includes protocol optimization settings selected in the
FortiClient application and byte caching (byte caching is enabled by default in the
FortiClient application and cannot be disabled). Web caching is applied if selected in the
passive rule on the FortiGate unit that accepts FortiClient WAN optimization tunnel
requests.
This chapter describes how to configure the FortiClient application for WAN optimization
and how to configure a FortiGate unit to accept WAN optimization tunnel requests from
the FortiClient application.
Figure 351: FortiClient WAN optimization topology
[Figure: Remote FortiClient users connect across the WAN or Internet through WAN optimization tunnels to a FortiGate unit running WAN optimization in front of a private network.]

Configuring FortiClient WAN optimization
Configuring WAN optimization with the FortiClient application consists of enabling WAN
optimization for the FortiClient application and configuring the FortiGate unit to accept
WAN optimization tunnel requests from the FortiClient application.

FortiClient configuration steps
To configure WAN Optimization for the FortiClient application
1 From the FortiClient user interface, go to Status > WAN Optimization.
2 Select Enable WAN Optimization.


3 Enable the protocols to be optimized: HTTP (web browsing), CIFS (Windows file
sharing), MAPI (Microsoft Exchange) and FTP (file transfers).
4 Set Maximum Disk Cache to 512, 1024, or 2048 MB.
The default is 512 MB. If the PC hard disk can accommodate a larger cache, better
optimization performance is possible.
5 Select Apply.

FortiGate unit configuration steps
To configure FortiClient WAN Optimization on the FortiGate unit
Because PCs running the FortiClient application can have IP addresses that change often,
it is usually not practical to add PCs running the FortiClient application to the WAN
optimization peer list. Instead, a FortiGate unit that accepts WAN optimization tunnel
requests from the FortiClient application should be configured to accept any peer (see
“Accepting any peers” on page 1997) by adding an authentication group named auth-fc
with Peer acceptance set to Accept Any Peer.
On the FortiGate unit, you also need to add a passive rule that includes source and
destination addresses that will accept connections from the IP addresses of PCs running
the FortiClient application. If these PCs can be anywhere on the Internet, the source
address for this rule is 0.0.0.0. You can also use a more restrictive address range if the
PCs running the FortiClient application have a restricted range of addresses.
You do not need to add firewall policies to the FortiGate unit because it is on the server
side of the WAN optimization tunnel.
1 Go to WAN Opt. & Cache > Peer > Authentication Group and select Create New.
2 Configure the authentication group:
Name: auth-fc
Authentication Method: Certificate
Certificate: Fortinet_Firmware
Peer Acceptance: Accept Any Peer


3 Select OK.
4 Go to WAN Opt. & Cache > Rule and select Create New.
5 Configure a rule to accept FortiClient WAN optimization sessions:
Mode: Full Optimization
Source: 0.0.0.0
Destination: 0.0.0.0
Port: 1-65535
Auto-Detect: Passive

6 Select OK.


The FortiGate explicit web proxy
You can use the FortiGate explicit web proxy to enable explicit HTTP and HTTPS
proxying on one or more FortiGate interfaces. The explicit web proxy also supports
proxying FTP sessions from a web browser and proxy auto-config (PAC) to provide
automatic proxy configurations for explicit web proxy users. From the CLI you can also
configure the explicit web proxy to support SOCKS sessions from a web browser.
Note: Web proxies are configured for each VDOM when multiple VDOMs are enabled.

In most cases you would configure the explicit web proxy for users on a network by
enabling the explicit web proxy on the FortiGate interface connected to that network.
Users on the network would configure their web browsers to use a proxy server for HTTP
and HTTPS, FTP, or SOCKS and set the proxy server IP address to the IP address of the
FortiGate interface connected to their network. Users could also enter the PAC URL into
their web browser PAC configuration to automate their web proxy configuration using a
PAC file stored on the FortiGate unit.
Caution: Enabling the explicit web proxy on an interface connected to the Internet is a
security risk because anyone on the Internet who finds the proxy could use it to hide their
source address.

If the FortiGate unit is operating in Transparent mode, users would configure their
browsers to use a proxy server with the FortiGate unit management IP address.
The web proxy receives web browser sessions to be proxied at FortiGate interfaces with
the explicit web proxy enabled. The web proxy uses FortiGate routing to route sessions
through the FortiGate unit to a destination interface. Before a session leaves the exiting
interface, the explicit web proxy changes the source addresses of the session packets to
the IP address of the exiting interface. When the FortiGate unit is operating in Transparent
mode the explicit web proxy changes the source addresses to the management IP
address. For more information about explicit web proxy sessions, see “Explicit web proxy
sessions and user limits” on page 2093.
Figure 352: Example explicit web proxy topology
[Figure: Private network 10.31.101.0 -> FortiGate unit running the explicit web proxy -> Internet.]


To allow all explicit web proxy traffic to pass through the FortiGate unit you can set the
explicit web proxy default firewall proxy action to accept. However, in most cases you
would want to use firewall policies to control explicit web proxy traffic and apply firewall
features such as access control/authentication, UTM, and traffic logging. You can do this
by keeping the default explicit web proxy firewall policy action to deny and then adding
web-proxy firewall policies.
Web-proxy firewall policies can selectively allow or deny traffic, apply authentication using
identity-based policies, enable traffic logging, and use UTM options to apply virus
scanning, web filtering, and DLP to explicit web proxy traffic. There are some limitations to
the UTM features that can be applied to explicit web proxy sessions. See “UTM features
and the explicit web proxy” on page 2086.
You cannot configure IPsec, SSL VPN, and Traffic shaping for explicit web proxy traffic.
Firewall policies for the web proxy can only include firewall addresses not assigned to a
FortiGate unit interface or with interface set to any.
Authentication of explicit web proxy sessions uses HTTP authentication and can be based
on the user’s source IP address or on cookies from the user’s web browser. For more
information, see “Explicit web proxy authentication” on page 2084.
To use the explicit proxy, users must add the IP address of a FortiGate interface on which
the explicit proxy is enabled and the explicit proxy port number (default 8080) to the proxy
configuration settings of their web browsers.
On FortiGate units that support WAN optimization, you can also enable web caching for
explicit web proxy sessions.
This section describes:
• Configuration overview
• Explicit web proxy authentication
• UTM features and the explicit web proxy
• Example: users on an internal network browsing the Internet through the explicit proxy with web caching, RADIUS authentication, web filtering and virus scanning
• Explicit web proxy sessions and user limits

Configuration overview
You can use the following general steps to configure the explicit web proxy.
To enable the explicit web proxy - web-based manager
1 Go to System > Network > Interface and enable the explicit web proxy for one or more
FortiGate interfaces.
Caution: Enabling the explicit web proxy on an interface connected to the Internet is a
security risk because anyone on the Internet who finds the proxy could use it to hide their
source address.

2 Go to System > Network > Web Proxy. Select Enable Explicit Web Proxy to turn on the
explicit web proxy for HTTP and HTTPS traffic.
You can also select FTP to enable the web proxy for FTP sessions in a web browser
and PAC to enable automatic proxy configuration.


3 Select OK.
The default explicit web proxy configuration has Default Firewall Policy Action set to
Deny and requires you to add a firewall policy to allow access to the explicit proxy. This
configuration is recommended because you can use firewall policies to control access
to the explicit web proxy and also apply firewall features such as logging, UTM, and
authentication (by adding identity-based policies).
4 Go to Firewall > Policy > Policy and select Create New and set the Source
Interface/Zone to web-proxy.
You can add multiple web-proxy firewall policies.
5 Configure the firewall policy as required to accept the traffic that you want to be
processed by the explicit web proxy.
The source address of the policy should match client source IP addresses. The firewall
address selected as the source address cannot be assigned to a FortiGate interface.
Either the Interface field must be blank or it must be set to Any.
The destination address of the policy should match the IP addresses of web sites that
clients are connecting to. Usually the destination address would be all if proxying
Internet web browsing.
Traffic sent to the explicit web proxy that is not accepted by a web-proxy firewall policy
is dropped. If Default Firewall Policy Action is set to Allow then all web-proxy sessions
are allowed.
For example, the following firewall policy allows users on an internal network to access
the Internet through the wan1 interface of a FortiGate unit.
Source Interface/Zone: web-proxy
Source Address: Internal_subnet
Destination Interface/Zone: wan1
Destination Address: all
Action: ACCEPT


6 You can select other firewall policy options as required.
For example, you can apply UTM protection to web proxy sessions and log allowed
web proxy traffic.
7 You can also select Enable Identity Based Policy to apply authentication to explicit web
proxy sessions.
8 You can add multiple identity based policies to apply different authentication for
different user groups and also apply different UTM and logging settings for different
user groups.
To enable the explicit web proxy - CLI
1 Enter the following command to enable the explicit web proxy for the internal interface.
config system interface
edit internal
set explicit-web-proxy enable
end
end


2 Enter the following command to turn on the explicit web proxy for HTTP and HTTPS
traffic.
config web-proxy explicit
set status enable
end
You can also enter the following command to enable the web proxy for FTP sessions in
a web browser.
config web-proxy explicit
set ftp-over-http enable
end
The default explicit web proxy configuration has sec-default-action set to deny
and requires you to add a firewall policy to allow access to the explicit proxy.
3 Use the following command to add a firewall address that matches the source address
of users who connect to the explicit proxy.
config firewall address
edit Internal_subnet
set type iprange
set start-ip 10.31.101.1
set end-ip 10.31.101.255
end
The source address for a web-proxy firewall policy cannot be assigned to a FortiGate
unit interface.
4 Use the following command to add a firewall policy that allows all users on the
10.31.101.0 subnet to use the explicit web proxy for connections through the wan1
interface to the Internet.
config firewall policy
edit 2
set srcintf web-proxy
set dstintf wan1
set srcaddr Internal_subnet
set dstaddr all
set action accept
set identity-based enable
set schedule always
config identity-based-policy
edit 1
set groups Internal_users
set utm-status enable
set profile-protocol-options default
set av-profile Scan
set logtraffic enable
set schedule always
set service ANY
end
end
The firewall address selected as the source address cannot be assigned to a FortiGate
unit interface. Either the field must be blank or it must be set to Any.
5 Use the following command to change global web proxy settings, for example to set
the maximum request length for the explicit web proxy to 10:
config web-proxy global
set max-request-length 10
end


Proxy auto-config (PAC) configuration
A proxy auto-config (PAC) file defines how web browsers choose a proxy server for
receiving HTTP content. PAC files include the FindProxyForURL(url, host) JavaScript
function that returns a string with one or more access method specifications. These
specifications cause the web browser to use a particular proxy server or to connect
directly.
To configure PAC for explicit web proxy users, you can set the port that PAC traffic from client
web browsers uses to connect to the explicit proxy. Explicit proxy users must configure their
web browser’s PAC proxy settings to use the PAC port.

PAC File Content
You can edit the default PAC file from the web-based manager or use the following
command to upload a custom PAC file:
config web-proxy explicit
set pac-file-server-status enable
set pac-file data <pac_file_str>
end
Where <pac_file_str> is the contents of the PAC file. Enclose the PAC file text in quotes.
You can copy the contents of a PAC text file and paste the contents into the CLI using this
option. Enter the command followed by two sets of quotes, then place the cursor between
the quotes and paste the file content.
The maximum PAC file size is 8192 bytes. You can use any PAC file syntax that is
supported by your users’ browsers. The FortiGate unit does not parse the PAC file.
To use PAC, users must add an automatic proxy configuration URL (or PAC URL) to their
web browser proxy configuration. The default PAC file URL is:
http://<interface_ip>:<PAC_port_int>/<pac_file_str>
For example, if the interface with the explicit web proxy has IP address 172.20.120.122,
the PAC port is the same as the default HTTP explicit proxy port (8080) and the PAC file
name is proxy.pac the PAC file URL would be:
http://172.20.120.122:8080/proxy.pac
From the CLI you can use the following command to display the PAC file url:
get web-proxy explicit
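A PAC file written for the explicit proxy configured later on this page (FortiGate internal interface 10.31.101.100, proxy port 8888), added here as an example and not taken from the handbook. The 10.31.101.0/24 subnet and the .example.internal domain are assumptions, and the isPlainHostName, dnsDomainIs and isInNet stand-ins reproduce the browser built-ins so the file can also be run and tested under Node.

```javascript
// Added example PAC file (not from the FortiOS handbook) for the explicit
// proxy on the FortiGate internal interface 10.31.101.100, port 8888.
// Assumptions for illustration: users sit on 10.31.101.0/24 and intranet
// hosts live under the ".example.internal" domain.
//
// Browsers provide isPlainHostName, dnsDomainIs and isInNet natively. The
// stand-ins below implement the same semantics for dotted-quad hosts so the
// file runs outside a browser as well; they never resolve DNS names.

var PROXY_ADDR = "PROXY 10.31.101.100:8888";
var PAC_SIZE_LIMIT = 8192; // FortiOS limit on the uploaded PAC file, in bytes

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  var h = host.toLowerCase(), d = domain.toLowerCase();
  return h.length >= d.length && h.slice(h.length - d.length) === d;
}

// Dotted-quad string to unsigned 32-bit integer, or null when not an IPv4 literal.
function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  var parts = ip.split(".").map(Number);
  for (var i = 0; i < 4; i++) if (parts[i] > 255) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when host (an IPv4 literal) lies inside pattern/mask. A browser's native
// isInNet would also resolve names; this stand-in treats names as "not in net".
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

function FindProxyForURL(url, host) {
  // Intranet names and the local subnet never go through the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) return "DIRECT";
  if (isInNet(host, "10.31.101.0", "255.255.255.0")) return "DIRECT";
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";

  // The explicit proxy accepts HTTP, HTTPS and FTP over HTTP; other schemes
  // cannot use it, so they are sent direct.
  var scheme = url.split(":")[0].toLowerCase();
  if (scheme !== "http" && scheme !== "https" && scheme !== "ftp") return "DIRECT";

  // Deliberately no "; DIRECT" fallback: if the proxy is unreachable, browsing
  // fails instead of silently bypassing the authentication and UTM inspection
  // that the web-proxy firewall policy enforces.
  return PROXY_ADDR;
}

// Administrator helper, not used by browsers: confirm the PAC text fits the
// 8192-byte limit before pasting it into "set pac-file data".
function fitsPacSizeLimit(pacText) {
  return new TextEncoder().encode(pacText).length <= PAC_SIZE_LIMIT;
}
```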

Unknown HTTP version
You can select the action to take when the proxy server must handle an unknown HTTP
version request or message. Set unknown HTTP version to Reject or Best Effort. Best
Effort attempts to handle the HTTP traffic as best as it can. Reject treats unknown HTTP
traffic as malformed and drops it. The Reject option is more secure.

Authentication realm
You can enter an authentication realm to identify the explicit web proxy. The realm can be
any text string of up to 63 characters. If the realm includes spaces, enclose it in quotes.
When a user authenticates with the explicit proxy, the HTTP authentication dialog includes
the realm, so you can use the realm to identify the explicit web proxy for your users.

Global explicit web proxy options
Proxy FQDN: Enter the fully qualified domain name (FQDN) for the proxy server. This is the
domain name to enter into browsers to access the proxy server.
Max HTTP request length: Enter the maximum length of an HTTP request. Larger requests
will be rejected.
Max HTTP message length: Enter the maximum length of an HTTP message. Larger
messages will be rejected.
Add headers to Forwarded Requests: The web proxy server will forward HTTP requests to
the internal network. You can include the following headers in those requests:
  Client IP Header: Enable to include the Client IP Header from the original HTTP request.
  Via Header: Enable to include the Via Header from the original HTTP request.
  X-Forwarded-For Header: Enable to include the X-Forwarded-For (XFF) HTTP header. The
  XFF HTTP header identifies the originating IP address of a web client or browser that is
  connecting through an HTTP proxy, and the remote addresses it passed through to this
  point.
  Front-end HTTPS Header: Enable to include the Front-end HTTP Header from the original
  HTTPS request.

Explicit web proxy authentication
You can add identity-based policies to apply authentication to explicit web proxy sessions.
You can use authentication to control access to the explicit proxy. You can also use
identity-based policies to identify users and apply different UTM features to different users.
Authentication of web proxy sessions uses HTTP basic and digest authentication as
described in RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication)
and prompts the user for credentials from the browser allowing individual users to be
identified by their web browser instead of IP address. HTTP authentication allows the
FortiGate unit to identify multiple users accessing services from a shared IP address. You
can also select IP-based authentication to authenticate users according to their source IP
address.

IP Based authentication
IP-based authentication applies authentication by source IP address. Once a user
authenticates, all sessions to the explicit web proxy from that IP address are assumed to
be from that user and are accepted until the authentication timeout ends or the session
times out.
This method of authentication is similar to standard (non-web proxy) firewall
authentication and may not produce the desired results if multiple users share IP
addresses (such as in a network that uses virtualization solutions or includes a NAT
device between the users and the explicit web proxy).
To configure IP-based authentication, add a firewall policy for the explicit web proxy, set
the source interface/zone to web-proxy, select Enable Identity Based Policy, and make
sure IP Based is selected before adding identity-based policies. You can also set the
authentication method to basic, digest, NTLM or FSAE.

Use the following CLI command to add IP based authentication to a firewall policy. IP
based authentication is selected by setting ip-based to enable.
config firewall policy
edit 3
set srcintf web-proxy
set dstintf port1
set srcaddr User_network
set dstaddr all
set action accept
set identity-based enable
set ip-based enable
config identity-based-policy
edit 1
set groups Internal_users
set service ANY
set schedule always
end
end

Per session authentication
If you don’t select IP Based, the FortiGate unit applies HTTP authentication per session.
This authentication is browser-based. When a client enters a user name and password in
their browser to authenticate with the explicit web proxy, this information is stored by the
browser. Each new session started by the same web browser also has to be authenticated,
but the browser does this automatically. If the user starts another browser on the same PC
or closes and then re-opens their browser, they have to authenticate again.
Figure 353: Per session HTTP authentication (sequence between the user, the web browser
and the FortiGate explicit proxy)
1. User starts new session
2. Web browser starts new session with explicit proxy
3. Explicit web proxy requests authentication
4. Web browser prompts the user to authenticate
5. User enters credentials
6. Web browser stores credentials
7. Web browser sends credentials to explicit proxy
8. User starts another new session
9. Web browser starts new session with explicit proxy
10. Explicit web proxy requests authentication
11. Web browser sends credentials to explicit proxy

Since the authentication is browser-based, multiple clients with the same IP address can
authenticate with the proxy using their own credentials. HTTP authentication provides
authentication for multiple user sessions from the same source IP address. This can
happen if there is a NAT device between the users and the FortiGate unit. HTTP
authentication also supports authentication for other configurations that share one IP
address among multiple users. These include Citrix products, Windows Terminal
Server and other similar virtualization solutions.
To configure per session authentication, add a firewall policy for the explicit proxy, set the
source interface/zone to web-proxy, select Enable Identity Based Policy, and make sure IP
Based is not selected before adding identity-based policies. You can also set the
authentication method to basic, digest, NTLM or FSAE.
Use the following CLI command to add per session authentication to a firewall policy. Per
session authentication is selected by setting ip-based to disable.
config firewall policy
edit 5
set srcintf web-proxy
set dstintf port1
set srcaddr User_network
set dstaddr all
set action accept
set identity-based enable
set ip-based disable
config identity-based-policy
edit 1
set groups Internal_users
set service ANY
set schedule always
end
end

UTM features and the explicit web proxy
You can apply protocol options, antivirus, web filtering, FortiGuard Web Filtering and data
leak prevention (DLP) including DLP archiving to explicit web proxy sessions. UTM
features are applied by selecting them in a web proxy firewall policy or an identity based
policy in a web proxy firewall policy. You cannot apply intrusion protection (IPS), email
filtering, application control, or VoIP UTM features to explicit web proxy sessions.
To apply intrusion protection to explicit web proxy traffic you can add DoS policies to the
FortiGate interfaces that receive and send explicit proxy traffic. However, you cannot apply
application control to explicit web proxy traffic, so you cannot filter explicit web proxy traffic
by application and explicit proxy traffic does not contribute to application control
monitoring or reporting.

Explicit proxy sessions and protocol options
Since the traffic accepted by the explicit web proxy is known to be either HTTP, HTTPS, or
FTP over HTTP and since the ports are already known by the proxy, the explicit proxy
does not use the HTTP or HTTPS port protocol options settings.
When adding UTM features to a web proxy firewall policy, you must select a protocol
options profile. In most cases you can select the default protocol options profile. You could
also create a custom protocol options profile.
The explicit web proxy supports the following protocol options:
• Enable chunked bypass
• HTTP oversized file action and threshold
The explicit web proxy does not support the following protocol options:
• Client comforting
• Server comforting
• Monitor content information from dashboard. URLs visited by explicit users are not
added to dashboard usage and log and archive statistics widgets.

Explicit proxy sessions web filtering and FortiGuard web filtering
For explicit proxy sessions, the FortiGate unit applies web filtering to an HTTP request
when it receives the headers of the request. If web filtering allows the HTTP request, it is
forwarded to the web server. If web filtering blocks the HTTP request, the request is
dropped and a blocking HTTP response is generated by the FortiGate unit and returned to
the client web browser.
The explicit web proxy completely supports the following web filter options and their
configuration settings. For example, all web filter content filtering and URL filtering actions
and types are supported:
• Web content filtering
• Web URL filtering
• Advanced filtering
• FortiGuard Web Filtering to allow, block, and log web pages according to FortiGuard
categories and classifications
• FortiGuard local categories
• FortiGuard web filtering reports
• Block invalid URLs
• HTTP POST Action
• Provide details for HTTP 4xx and 5xx errors
• Allow websites when a rating error occurs
• Strict blocking
• Rate URLs by domain and IP address
• Block HTTP redirects by rating
The explicit web proxy does not support:
• Safe search
• FortiGuard Web Filtering overrides
• FortiGuard Web Filtering quotas
• Web resume download block
• Daily log of remaining quota
Also the web page displayed when FortiGuard Web Filtering blocks a web page through
the explicit proxy may be different than the page displayed through a normal firewall
session.

Explicit proxy sessions and antivirus
For explicit proxy sessions, the FortiGate unit applies antivirus scanning to HTTP POST
requests and HTTP responses. The FortiGate unit starts virus scanning a file in an HTTP
session when it receives a file in the body of an HTTP request. The explicit proxy can
receive HTTP responses from either the originating web server or the FortiGate web
cache module.
Flow-based virus scanning is not available for explicit web proxy sessions. Even if the
FortiGate unit is configured to use flow-based antivirus, explicit web proxy sessions use
the regular virus database.

Example: users on an internal network browsing the Internet
through the explicit proxy with web caching, RADIUS
authentication, web filtering and virus scanning
This example describes how to configure the explicit proxy for the example network shown
in Figure 354. In this example, users on the internal network connect to the explicit proxy
through the Internal interface of the FortiGate-51B unit. The explicit web proxy is
configured to use port 8888 so users must configure their web browser proxy settings to
use port 8888 and IP address 10.31.101.100.
Figure 354: Example explicit web proxy network topology
  FortiGate-51B with the explicit web proxy enabled on the Internal interface
    Internal interface: 10.31.101.100 (private network 10.31.101.0)
    WAN1 interface: 172.20.120.122 (Internet)
  RADIUS server: 10.31.101.200 (on the private network)
  User web browser proxy settings: IP 10.31.101.100, port 8888

In this example, explicit web proxy users must authenticate with a RADIUS server before
getting access to the proxy. To apply authentication, the firewall policy that accepts explicit
web proxy traffic includes an identity-based policy that applies per-session authentication
to explicit proxy users and includes a user group with the RADIUS server in it. The
identity-based policy also applies UTM web filtering and virus scanning.

General configuration steps
This section breaks down the configuration for this example into smaller procedures. For
best results, follow the procedures in the order given:
1 Enable the explicit proxy on one or more interfaces.
2 Enable the explicit proxy for HTTP and HTTPS and change the HTTP and HTTPS
ports to 8888.
3 Enable web caching for the explicit proxy.
4 Add a RADIUS server and user group for the explicit proxy.

5 Add web filtering and antivirus profiles for the explicit proxy.
6 Add a firewall policy for the explicit proxy.

Configuring the explicit web proxy - web-based manager
Use the following steps to configure the explicit web proxy from FortiGate web-based
manager.
To enable the explicit web proxy on the Internal interface - web-based manager
1 Go to System > Network > Interface.
2 Edit the internal interface.
3 Select Enable Explicit Web Proxy.
4 Select OK.
To enable and configure the explicit web proxy - web-based manager
1 Go to System > Network > Web Proxy and change the following settings:
Enable Explicit Web Proxy: Select for HTTP/HTTPS.
Listen on Interfaces: Should show internal to indicate that the explicit web proxy is
enabled on the internal interface.
HTTP Port: 8888
HTTPS Port: 8888
Realm: You are authenticating with the explicit web proxy.
Default Firewall Policy Action: Deny
2 Select Apply.
To enable web caching for the explicit web proxy - web-based manager
1 Go to WAN Opt. & Cache > Cache > Settings.
2 Select Enable Cache Explicit Proxy.
3 Select Apply.
To add a RADIUS server and user group for the explicit proxy - web-based manager
1 Go to User > Remote > Radius.
2 Select Create New to add a new RADIUS server:
Name: RADIUS_1
Primary Server Name/IP: 10.31.101.200
Primary Server Secret: RADIUS_server_secret
3 Go to User > User Group > User Group and select Create New.
Name: Explicit_proxy_user_group
Type: Firewall
Members: RADIUS_1
4 Select OK.

To add web filtering and antivirus profiles for the explicit proxy - web-based manager
1 Go to UTM > Web Filter > Profile and select Create New.
2 Configure a web filter profile with the required options.
For example, you could configure FortiGuard web filtering.
3 Go to UTM > AntiVirus > Profile and select Create New.
4 Configure an antivirus profile with the required options.
For example, you should select virus scanning for HTTP.
To add a firewall policy for the explicit proxy - web-based manager
1 Go to Firewall > Address > Address and select Create New.
2 Add a firewall address for the internal network:
Address Name: Internal_subnet
Type: Subnet / IP Range
Subnet / IP Range: 10.31.101.[1-255]
3 Go to Firewall > Policy > Policy and select Create New.
4 Configure the explicit web proxy firewall policy.
Source Interface/Zone: web-proxy
Source Address: Internal_subnet
Destination Interface/Zone: wan1
Destination Address: all
Action: ACCEPT
5 Select Enable Identity Based Policy, make sure IP Based is not selected and Auth
Method is set to Basic.
6 Select Add and configure the following settings for the identity based policy:
User Group: Explicit_policy
UTM: Select
Protocol Options: default
Enable Antivirus: Scan
Enable Web Filter: Explicit_proxy_wf_profile
7 Select OK.

Configuring the explicit web proxy - CLI
Use the following steps to configure the example explicit web proxy configuration from the
CLI.
To enable the explicit web proxy on the Internal interface - CLI
1 Enter the following command to enable the explicit web proxy on the internal interface.
config system interface
edit internal
set explicit-web-proxy enable
end

To enable and configure the explicit web proxy - CLI
1 Enter the following command to enable the explicit proxy and set the TCP port on which
the proxy accepts HTTP and HTTPS connections to 8888.
config web-proxy explicit
set status enable
set http-incoming-port 8888
set https-incoming-port 8888
set realm "You are authenticating with the explicit web proxy"
set sec-default-action deny
end
To enable web caching for the explicit web proxy - CLI
1 Enter the following command to enable web caching for the explicit web proxy.
config wanopt webcache
set explicit enable
end
To add a RADIUS server and user group for the explicit proxy - CLI
1 Enter the following command to add a RADIUS server:
config user radius
edit RADIUS_1
set server 10.31.101.200
set secret RADIUS_server_secret
end
2 Enter the following command to add a user group for the RADIUS server.
config user group
edit Explicit_proxy_user_group
set group-type firewall
set member RADIUS_1
end
To add web filtering and antivirus profiles for the explicit proxy - CLI
1 Enter the following command to add a web filter profile that enables HTTP URL filtering
for the explicit web proxy.
config webfilter profile
edit Explicit_wf_pro
config http
set options urlfilter
end
config web
set urlfilter-table 1
end
end
2 Enter the following command to add an antivirus profile:
config antivirus profile
edit Explicit_av_pro
config http
set options scan
end
end
To add a firewall policy for the explicit proxy - CLI
1 Enter the following command to add a firewall address for the internal subnet:
config firewall address
edit Internal_subnet
set type iprange
set start-ip 10.31.101.1
set end-ip 10.31.101.255
end
2 Enter the following command to add the explicit web proxy firewall policy:
config firewall policy
edit 0
set srcintf web-proxy
set dstintf wan1
set srcaddr Internal_subnet
set dstaddr all
set action accept
set schedule always
set identity-based enable
set ip-based disable
set auth-method basic
config identity-based-policy
edit 1
set groups Explicit_proxy_user_group
set schedule always
set utm-status enable
set av-profile Explicit_av_pro
set webfilter-profile Explicit_wf_pro
set profile-protocol-options default
end
end

Testing and troubleshooting the configuration
You can use the following steps to verify that the explicit web proxy configuration is
working as expected:
To test the explicit web proxy configuration
1 Configure a web browser on the internal subnet to use a proxy at IP address
10.31.101.100 and port 8888.
2 Browse to an Internet web page.
The web browser should pop up an authentication window that includes the phrase
that you added to the Realm option.
3 Enter the username and password for an account on the RADIUS server.
If the account is valid you should be allowed to browse web pages on the Internet.
4 Close the browser and clear its cache and cookies.
5 Restart the browser and connect to the Internet.
You could also start a second web browser on the same PC.
You should have to authenticate again because identity-based policies are set to
session-based authentication.

6 If this basic functionality does not work, check your FortiGate and web browser
configuration settings.
7 Browse to a URL on the URL filter list and confirm that the web page is blocked.
8 Browse to http://eicar.org and attempt to download an anti-malware test file.
The antivirus configuration should block the file.
Sessions for web-proxy firewall policies do not appear on the Top Sessions dashboard
widget and the count column for firewall policies does not display a count for explicit
web proxy firewall policies.
9 You can use the following command to display explicit web proxy sessions:
get test wad 60
IP based users:
Session based users:
user:0x9c20778, username:User1, vf_id:0, ref_cnt:9
Total allocated user:1
Total user count:3, shared user quota:50, shared user count:3
This command output shows one explicit web proxy user with user name User1
authenticated using session-based authentication.

Explicit web proxy sessions and user limits
Web browsers and web servers open and close multiple sessions with the explicit proxy.
Some sessions open and close very quickly. HTTP 1.1 keepalive sessions are persistent
and can remain open for long periods of time. Sessions can remain on the explicit web
proxy session list after a user has stopped using the proxy (and has, for example, closed
their browser). If an explicit web proxy session is idle for more than 3600 seconds it is torn
down by the explicit web proxy. See RFC 2616 for information about HTTP
keepalive/persistent HTTP sessions.
The FortiGate unit adds two sessions to its session table for every explicit web proxy
session started by a web browser. An entry is added to the session table for the session
from the web browser to the explicit web proxy. All of these sessions have the same
destination port as the explicit web proxy port (usually 8080). An entry is also added to the
session table for the session between the outgoing FortiGate interface and the web server
destination of the session. All of these sessions have a FortiGate interface IP address as
the source address of the session and usually have a destination port of 80.
Web Proxy sessions that appear in the Top sessions dashboard widget do not include the
Policy ID of the web-proxy firewall policy that accepted them. However, the web-proxy
sessions appear in the Top Sessions dashboard widget with a destination port that
matches the explicit web proxy port number (usually 8080). The proxied sessions from the
FortiGate unit have their source address set to the IP address of the FortiGate unit
interface that the sessions use to connect to their destinations (for example, for
connections to the Internet the source address would be the IP address of the FortiGate
interface connected to the Internet).
FortiOS limits the number of explicit web proxy users. The number of users varies by
FortiGate model from as low as 10 to up to 5000. You can use the following command to
display the limit on the number of explicit web proxy users for a FortiGate unit:
get test wad 62

Total user count:3, shared user quota:50, shared user count:3
vd=root max=0 guarantee=0 used=3
This command output shows that the explicit web proxy user limit (the shared user
quota) for this FortiGate unit is 50 users.
You can’t change this limit. If your FortiGate unit is configured for multiple VDOMs this limit
must be shared by all VDOMs. You can also use VDOM resource limiting to limit the
number of explicit web proxy users for the FortiGate unit and for each VDOM. To limit the
number of explicit web proxy users for the FortiGate unit from the web-based manager
enable multiple VDOMs and go to System > VDOM > Global Resources or use the
following command:
config global
config system resource-limits
set webproxy 50
end
end
To limit the number of explicit web proxy users for a VDOM, from the web-based manager
enable multiple VDOMs and go to System > VDOM > VDOM and edit a VDOM or use the
following command to change the number of explicit web proxy users for VDOM_1:
config global
config system vdom-property
edit VDOM_1
set webproxy 25
end
end
The VDOM resource limit pages on the web-based manager also display the current
number of explicit web proxy users. You can also use the get test wad 60 CLI
command to view the number of explicit web proxy users. For example:
get test wad 60
IP based users:
user:0x9ab8350 username:User1, vf_id:0, ip_addr:10.31.101.10, ref_cnt:9
Session based users:
user:0x9ac3c40, username:User2, vf_id:0, ref_cnt:3
user:0x9ab94f0, username:User3, vf_id:0, ref_cnt:1
Total allocated user:3
Total user count:3, shared user quota:50, shared user count:3

Users may be displayed with this command even if they are no longer actively using the
proxy. All idle sessions time out after 3600 seconds.
The command output shows three explicit web proxy users. The user named User1 has
authenticated with a firewall policy that includes IP-based authentication and the user’s
source IP address is 10.31.101.10. The users named User2 and User3 have
authenticated with a firewall policy that includes session-based authentication.
You can use the following command to flush all current explicit web proxy users. This
deletes information about all users and forces them to re-authenticate.
get test wad 61
Note: Users that authenticate with explicit web-proxy firewall policies do not appear in the
User > Monitor > Firewall list and selecting De-authenticate All Users has no effect on
explicit web proxy users.
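A parser for the get test wad 60 output shown above, added here as an example (not FortiOS code) that turns the user list into structured data and compares the shared user count against the shared user quota. The embedded sample is the output printed on this page; the 80 percent warning threshold is an assumed operational value.

```javascript
// Added example, not FortiOS code: parse "get test wad 60" output (format as
// printed on this page) and report usage against the fixed shared user quota.
// SAMPLE_WAD60 is the output shown on this page, embedded so the script runs offline.
const SAMPLE_WAD60 = [
  "IP based users:",
  "user:0x9ab8350 username:User1, vf_id:0, ip_addr:10.31.101.10, ref_cnt:9",
  "Session based users:",
  "user:0x9ac3c40, username:User2, vf_id:0, ref_cnt:3",
  "user:0x9ab94f0, username:User3, vf_id:0, ref_cnt:1",
  "Total allocated user:3",
  "Total user count:3, shared user quota:50, shared user count:3",
].join("\n");

// The first user line has no comma after the handle while the others do, so the
// comma is optional. ip_addr appears only for IP-based users.
const USER_RE =
  /^user:(0x[0-9a-f]+),?\s+username:([^,]+),\s*vf_id:(\d+)(?:,\s*ip_addr:([\d.]+))?,\s*ref_cnt:(\d+)$/i;
const TOTAL_RE =
  /^Total user count:(\d+),\s*shared user quota:(\d+),\s*shared user count:(\d+)$/;

// Returns { ipBased: [...], sessionBased: [...], totalUsers, quota, sharedCount }.
// Each user entry is { handle, username, vdomId, ip (null for session-based), refCnt }.
function parseWad60(text) {
  const result = { ipBased: [], sessionBased: [], totalUsers: null, quota: null, sharedCount: null };
  let section = null; // which list the user lines currently belong to
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "IP based users:") { section = "ipBased"; continue; }
    if (line === "Session based users:") { section = "sessionBased"; continue; }
    let m = USER_RE.exec(line);
    if (m && section) {
      result[section].push({
        handle: m[1],
        username: m[2],
        vdomId: Number(m[3]),
        ip: m[4] || null,
        refCnt: Number(m[5]),
      });
      continue;
    }
    m = TOTAL_RE.exec(line);
    if (m) {
      result.totalUsers = Number(m[1]);
      result.quota = Number(m[2]);
      result.sharedCount = Number(m[3]);
    }
  }
  return result;
}

// Usage against the model's shared user quota. Because the proxy does not limit
// sessions per user and idle users stay listed for up to 3600 seconds, a rising
// ratio is worth an alert before new users are refused. warnPercent is an
// assumed threshold, not a FortiOS setting.
function quotaStatus(parsed, warnPercent = 80) {
  if (parsed.quota === null) throw new Error("no 'Total user count' line found");
  const percent = Math.round((100 * parsed.sharedCount) / parsed.quota);
  return { used: parsed.sharedCount, quota: parsed.quota, percent, warn: percent >= warnPercent };
}
```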

How the number of concurrent explicit proxy users is determined depends on their
authentication method:
• For session-based authenticated users, each authenticated user is counted as a single
user. Since multiple users can have the same user name, the proxy attempts to identify
users according to their authentication membership (based upon whether they were
authenticated using RADIUS, LDAP, FSAE, local database etc.). If a user of one
session has the same name and membership as a user of another session, the explicit
proxy assumes this is one user.
• For IP Based authentication, or no authentication, or if no web-proxy firewall policy has
been added, the source IP address is used to determine a user. All sessions from a
single source address are assumed to be from the same user.
The explicit web proxy does not limit the number of active sessions for each user. As a
result the actual explicit web proxy session count is usually much higher than the number
of explicit web proxy users. If an excessive number of explicit web proxy sessions is
compromising system performance, you can limit the number of users if the FortiGate unit
is operating with multiple VDOMs.

FortiGate WCCP
The Web Cache Communication Protocol (WCCP) is a content-routing technology that
integrates cache engines into network infrastructure. FortiGate units support WCCPv1
and WCCPv2. This chapter describes how to configure a FortiGate unit to operate as a
WCCP router or WCCP client. As a WCCP router, a FortiGate unit redirects HTTP traffic to
WCCP cache engines (web caches). As a WCCP client, you can add firewall policies to a
FortiGate unit to filter WCCP sessions.
A FortiGate unit in NAT/Route or transparent mode can operate as a WCCP router. To
operate as a WCCP client a FortiGate unit must be in NAT/Route mode. WCCP
communication between routers and clients uses UDP port 2048. This communication can
be a GRE tunnel or just use layer 2 forwarding.
Note: A WCCP router can also be called a WCCP server. A WCCP cache engine can also
be called a WCCP client.

How WCCP works
The following sequence assumes you have configured a FortiGate unit to be a WCCP
router and another FortiGate unit to be a WCCP client. In many networks a FortiGate unit
will be filling one of the router or client roles and the other role would be filled by another
device. For example, a third-party device could be the WCCP router and the FortiGate unit
would be the WCCP client.
1 A client web browser sends a request for web content.
2 The FortiGate unit configured as a WCCP router intercepts the request and forwards
it to the FortiGate unit configured as a WCCP client.
The communication between the router and the client is over a GRE tunnel using port
2048.
3 The FortiGate unit configured as a WCCP client intercepts the WCCP session and
applies a firewall policy to the session. This firewall policy can apply FortiGate features
such as UTM to the WCCP session.
4 The FortiGate unit configured as a WCCP client forwards the request to its
destination.
5 Replies to the session are returned to the FortiGate unit configured as a WCCP client.
6 The client caches the reply to a configured cache server and returns it to the WCCP
router.
This communication is also over the GRE tunnel.
7 The WCCP router returns the reply to the client web browser.
Subsequent requests for the same content may be served from the cache servers
connected to the WCCP client instead of from the Internet.
The client web browser is not aware that all this is taking place and does not have to be
configured to use a web proxy.

FortiOS™ Handbook FortiOS 4.0 MR2 WAN Optimization, Web Cache, Explicit Proxy, and WCCP
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

2097

Figure 355: FortiGate WCCP router and cache engine configuration
[Figure: client web browsers on the internal LAN send HTTP requests through the FortiGate
unit operating as the WCCP router (wan1 172.20.120.10). The FortiGate unit operating as
the WCCP client receives WCCP traffic on port1 (172.20.120.20) and reaches the WCCP
caches (10.51.101.10, 10.51.101.20, 10.51.101.30) through port3 (10.51.101.100).
Other labels in the figure: Port2, Internet, Internet web sites.]

The WCCP configuration requires HTTP traffic from client web browsers to be directed
through the FortiGate unit operating as the WCCP router. You must enable WCCP on the
FortiGate interface that receives the HTTP traffic.

Example: WCCP router and client configuration
This example describes how to configure the FortiGate units in Figure 355: one to operate
as a WCCP router and the other to operate as a WCCP client. All WCCP settings are
configured from the CLI.

WCCP router configuration
Use the following steps to configure the FortiGate unit as a WCCP router.
To configure a FortiGate unit as a WCCP router
1 Enable WCCP on the wan1 interface because this interface will handle WCCP traffic.
config system interface
edit wan1
set wccp enable
end
2 Add a WCCP service group that controls the communication between the router and
the client:
config system wccp
edit 1
set router-id 172.20.120.10
set server-list 172.20.120.20
set authentication enable
set password Passw8rd
end

3 Add a firewall policy that accepts traffic from the LAN heading for the Internet and
enables WCCP. As a result, traffic accepted by this firewall policy is processed by the
WCCP router.
config firewall policy
edit 1
set srcintf port2
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set wccp enable
set nat enable
end

WCCP client configuration
Use the following steps to configure a FortiGate unit as a WCCP client.
To configure a FortiGate unit as a WCCP client
1 Enable WCCP on the port1 and port3 interfaces. The port1 interface accepts WCCP
packets from the WCCP router and the port3 interface communicates with the cache
servers using WCCP.
config system interface
edit port1
set wccp enable
next
edit port3
set wccp enable
end
2 Configure the FortiGate unit to operate as a WCCP client.
config system settings
set wccp-cache-engine enable
end
You cannot enter this command if you have already added a WCCP service group to
the FortiGate configuration.
When you enter this command an interface named w.<vdom_name> is added to the
FortiGate configuration (for example w.root). All traffic redirected from a WCCP router
is considered to be received at this interface of the FortiGate unit operating as a WCCP
client. A default route to this interface with lowest priority is added.
3 Add a WCCP service group that controls the communication between the router and
the client.
config system wccp
edit 3
set router-list 172.20.120.10
set assignment-weight 100
set authentication enable
set password Passw8rd
end

4 Add a firewall policy that accepts WCCP traffic from the WCCP router. This policy
applies virus scanning and traffic logging to the WCCP traffic as it passes through the
FortiGate unit configured as a WCCP client.
config firewall policy
edit 4
set srcintf w.root
set dstintf port2
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set nat enable
set utm-status enable
set av-profile web
set profile-protocol-options enable
set logtraffic enable
end

Configuring the forward and return methods and adding
authentication
The WCCP forwarding method determines how intercepted traffic is transmitted from the
WCCP router to the WCCP cache engine. There are two different forwarding methods:
• GRE forwarding (the default) encapsulates the intercepted packet in an IP GRE header
with a source IP address of the WCCP router and a destination IP address of the target
WCCP cache engine. The result is a tunnel that allows the WCCP router to be
multiple hops away from the WCCP cache server.
• L2 forwarding rewrites the destination MAC address of the intercepted packet to match
the MAC address of the target WCCP cache engine. L2 forwarding requires that the
WCCP router is Layer 2 adjacent to the WCCP client.

You can use the following command on a FortiGate unit configured as a WCCP router to
change the forward and return methods to L2:
config system wccp
edit 1
set forward-method L2
set return-method L2
end
You can also set the forward and return methods to any in order to match the cache server
configuration.
By default the WCCP communication between the router and cache servers is
unencrypted. If you are concerned about attackers sniffing the information in the WCCP
stream you can use the following command to enable hash-based authentication of the
WCCP traffic. You must enable authentication on the router and the cache engines and all
must have the same password. Authentication lets the router and the cache engines reject
WCCP messages from a peer that does not hold the shared password (the failure shows
up as an MD5 check failure in the wccpd debug output under “Troubleshooting WCCP”);
it does not encrypt the WCCP stream itself.
config system wccp
edit 1
set authentication enable
set password <password>
end

WCCP Messages
When the WCCP service is active on a web cache server it periodically sends a WCCP
HERE I AM broadcast or unicast message to the FortiGate unit operating as a WCCP
router. This message contains the following information:
• Web cache identity (the IP address of the web cache server).
• Service info (the service group to join).
If the information received in the previous message matches what is expected, the
FortiGate unit replies with a WCCP I SEE YOU message that contains the following
details:
• Router identity (the FortiGate unit’s IP address).
• Sent to IP (the web cache IP addresses to which the packets are addressed).
When both ends receive these two messages the connection is established, the service
group is formed and the designated web cache is elected.
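The registration exchange described above, worked through in code. This is an added example written for this page, not Fortinet code; it also illustrates the hash-based authentication that the earlier section enables with set authentication enable and a shared password. The message layout, the message type numbers and the way the password keys the MD5 digest are assumptions made for illustration and are not the WCCPv2 wire format. What the example does show is the behaviour the handbook describes: a cache engine holding the right password receives an I SEE YOU naming it in the sent-to list and joins the service group, while a cache engine with the wrong password, or none, is ignored, which is the case that appears as "MD5 check failed" in the wccpd debug output.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed message types and layout for this example (not the WCCPv2 wire
# format): the point is the two registration messages and how a shared-password
# MD5 check rejects a peer that does not hold the password.
HERE_I_AM = 10
I_SEE_YOU = 11
SEC_NONE = 0
SEC_MD5 = 1
HDR = "!H4sHB"                   # msg type, sender IP, service group, address count
HDR_LEN = struct.calcsize(HDR)   # 9 bytes


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _digest(password: str, body: bytes) -> bytes:
    # Key the hash with the shared password (padded to 8 bytes) so that only a
    # peer holding the same password can produce or verify the digest.
    key = password.encode().ljust(8, b"\0")[:8]
    return hashlib.md5(key + body).digest()


def build_message(msg_type: int, sender_ip: str, service_group: int,
                  addrs=(), password: Optional[str] = None) -> bytes:
    """Security component (2-byte type + 16-byte digest) followed by the body."""
    body = struct.pack(HDR, msg_type, _ip_bytes(sender_ip), service_group, len(addrs))
    body += b"".join(_ip_bytes(a) for a in addrs)
    if password is None:
        return struct.pack("!H", SEC_NONE) + bytes(16) + body
    return struct.pack("!H", SEC_MD5) + _digest(password, body) + body


def parse_message(raw: bytes, password: Optional[str]) -> Optional[dict]:
    """Return the parsed fields, or None when the security check fails."""
    if len(raw) < 18 + HDR_LEN:
        return None
    (sec_type,) = struct.unpack("!H", raw[:2])
    digest, body = raw[2:18], raw[18:]
    if sec_type == SEC_MD5:
        if password is None or not hmac.compare_digest(digest, _digest(password, body)):
            return None           # the "MD5 check failed" case
    elif sec_type == SEC_NONE:
        if password is not None:
            return None           # we require authentication, peer sent none
    else:
        return None
    msg_type, ip, group, n = struct.unpack(HDR, body[:HDR_LEN])
    if len(body) != HDR_LEN + 4 * n:
        return None
    addrs = [_ip_str(body[HDR_LEN + 4 * i:HDR_LEN + 4 * i + 4]) for i in range(n)]
    return {"type": msg_type, "ip": _ip_str(ip), "service_group": group, "addrs": addrs}


class WccpRouter:
    """The FortiGate unit acting as WCCP router for one service group."""

    def __init__(self, router_ip: str, service_group: int, password: Optional[str] = None):
        self.ip = router_ip
        self.service_group = service_group
        self.password = password
        self.caches = []          # web cache identities that joined the group

    def handle_here_i_am(self, raw: bytes) -> Optional[bytes]:
        msg = parse_message(raw, self.password)
        if msg is None or msg["type"] != HERE_I_AM or msg["service_group"] != self.service_group:
            return None           # no I SEE YOU is sent: the cache never joins
        if msg["ip"] not in self.caches:
            self.caches.append(msg["ip"])
        # Router identity plus the "sent to" list of web cache addresses
        return build_message(I_SEE_YOU, self.ip, self.service_group,
                             self.caches, self.password)


def register(router: WccpRouter, cache_ip: str, cache_password: Optional[str]) -> bool:
    """Run the exchange from the cache engine side; True if the service group forms."""
    here_i_am = build_message(HERE_I_AM, cache_ip, router.service_group,
                              password=cache_password)
    reply = router.handle_here_i_am(here_i_am)
    if reply is None:
        return False
    isy = parse_message(reply, cache_password)
    return (isy is not None and isy["type"] == I_SEE_YOU
            and isy["ip"] == router.ip and cache_ip in isy["addrs"])
```

The router only answers a HERE I AM whose digest verifies under its own password, and the cache engine in turn only accepts an I SEE YOU it can verify, so both ends must hold the same password for the group to form, as the handbook requires. The digest comparison uses hmac.compare_digest to avoid a timing side channel; the addresses in the assertions (192.168.11.55, 172.16.78.8) are the ones from the troubleshooting output below.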

Troubleshooting WCCP
Two types of debug commands are available for debugging or troubleshooting a WCCP
connection between a FortiGate unit operating as a WCCP router and its WCCP cache
engines.

Real time debugging
The following commands can capture live WCCP messages:
diag debug en
diag debug application wccpd <debug level>

Application debugging
The following commands display information about WCCP operations:
get test wccpd <integer>
diag test application wccpd <integer>
Where <integer> is a value between 1 and 5:
1 Display WCCP stats
2 Display WCCP config
3 Display WCCP cache servers
4 Display WCCP services
5 Display WCCP assignment
Enter the following command to view debugging output:
diag test application wccpd 3
Sample output from a successful WCCP connection:
service-0 in vdom-root: num=1, usable=1
cache server ID:
len=44, addr=172.16.78.8, weight=4135, status=0
rcv_id=6547, usable=1, fm=1, nq=0, dev=3(k3),
to=192.168.11.55
ch_no=0, num_router=1:
192.168.11.55

Sample output from the same command from an unsuccessful WCCP connection
(because of a service group password mismatch):
service-0 in vdom-root: num=0, usable=0
diag debug application wccpd -1
Sample output:
wccp_on_recv()-98: vdom-root recv: num=160, dev=3(3),
172.16.78.8->192.168.11.55
wccp2_receive_pkt()-1124: len=160, type=10, ver=0200,
length=152
wccp2_receive_pkt()-1150: found component:t=0, len=20
wccp2_receive_pkt()-1150: found component:t=1, len=24
wccp2_receive_pkt()-1150: found component:t=3, len=44
wccp2_receive_pkt()-1150: found component:t=5, len=20
wccp2_receive_pkt()-1150: found component:t=8, len=24
wccp2_check_security_info()-326: MD5 check failed

WAN optimization, web cache and
WCCP get and diagnose commands
The following get and diagnose commands are available for troubleshooting WAN
optimization, web cache, and WCCP.
• get test {wa_cs | wa_dbd | wad | wad_diskd | wccpd} <test_level>
• diagnose wad
• diagnose wacs
• diagnose wadbd
• diagnose debug application {wa_cs | wa_dbd | wad | wad_diskd | wccpd}
[<debug_level>]

get test {wa_cs | wa_dbd | wad | wad_diskd | wccpd} <test_level>
Display usage information about WAN optimization and web-cache-related applications.
Use <test_level> to display different information.
get test wa_cs <test_level>
get test wa_dbd <test_level>
get test wad <test_level>
get test wad_diskd <test_level>
get test wccpd <test_level>
Variable    Description
wad         Display information about the WAN optimization application.
wa_cs       Display information about the WAN optimization web cache server.
wa_dbd      Display information about the WAN optimization storage server application.
wad_diskd   Display information about the WAN optimization disk access daemon
            application.
wccpd       Display information about the WCCP application.

Examples
Enter the following command to display WAN optimization tunnel protocol statistics. The
http tunnel and tcp tunnel parts of the command output below show that WAN
optimization has been processing HTTP and TCP packets.
get test wad 11
wad tunnel protocol stats:
http tunnel
bytes_in=1751767 bytes_out=325468
ftp tunnel
bytes_in=0 bytes_out=0
cifs tunnel
bytes_in=0 bytes_out=0
mapi tunnel
bytes_in=0 bytes_out=0
tcp tunnel
bytes_in=3182253 bytes_out=200702
maintenance tunnel
bytes_in=11800 bytes_out=15052
Enter the following command to display the current WAN optimization peers. You can use
this command to make sure all peers are configured correctly. The command output
shows one peer with IP address 172.20.120.141, peer name Web_servers, with 10 active
tunnels.
get test wad 26
peer name=Web_servers ip=172.20.120.141 vd=0 version=1
tunnels(active/connecting/failover)=10/0/0
sessions=0 n_retries=0 version_valid=true
Enter the following command to restart the WAN optimization web cache server.
get test wa_cs 99
Enter the following command to display all test options:
get test wad
WAD Test Usage
1: display total memory usage
3: display proxy status
4: display all stats and connections
8: display all fix-sized advanced memory stats
9: display all variable advanced memory stats
10: toggle cifs read-ahead
11: display tunnel protocol stats
12: flush tunnel protocol stats
13: display http protocol stats
14: flush http protocol stats
15: display cifs protocol stats
16: flush cifs protocol stats
17: display ftp protocol stats
18: flush ftp protocol stats
19: display mapi protocol stats
20: flush mapi protocol stats
21: display tcp protocol stats
22: flush tcp protocol stats
23: display all protocols stats
24: flush all protocols stats
25: display all listeners
26: display all peers
27: display DNS stats
30: display Byte Cache DB state
31: flush Byte Cache DB stats
32: display Web Cache DB state
33: flush Web Cache DB stats
35: display tunnel compressor state
36: flush tunnel compressor stats
38: display rules
40: display cache state
41: flush cache stats
42: display all fix-sized advanced memory stats in details
43: display all variable advanced memory stats in details
45: display memory cache state
46: flush memory cache stats
47: display SSL stats
48: flush SSL stats
49: display SSL mem stats
50: display Web Cache stats
51: flush Web Cache stats
52: flush idle Web cache objects
53: display firewall policies
54: display WAD tunnel stats.
55: display WAD fsae state.
56yxxx: set xxx concurrent Web Cache session for object
storage y.
57yxxx: set xxxK(32K, 64K,...) unconfirmed write/read size per
Web Cache object for object storage y.
58yxxxx: set xxxxK maximum ouput buffer size for object
storage y.
59yxx: set lookup lowmark(only if more to define busy status)
to be xx for object storage y.
60: display current web proxy users
61: flush current web proxy users
62: display current web proxy user summary
65: display cache exemption patterns
66: toggle dumping URL when daemon crashes.
70yxxx: set xxxK maximum ouput buffer size for byte storage y.
71yxxx: set number of buffered add requests to be xxx for byte
storage y.
72yxxxx: set number of buffered query requests to be xxxx for
byte storage y.
73yxxxxx: set number of concurrent query requests to be xxxxx
for byte storage y.
800..899: mem_check/cmem commands (800 for help & usage)
80000..89999: mem_check/cmem commands with 1 arg (800 for help
& usage)
8000000..8999999: mem_check/cmem commands with 2 args (800 for
help & usage)
90: set to test disk failure
91: unset to test disk failure
92: trigger a disk failure event
98: gracefully stopping wad proxy
99: restart proxy

diagnose wad
Display diagnostic information about the WAN optimization daemon (wad).

diagnose wad console-log {disable | enable}
diagnose wad filter {clear | dport | dst | list | negate |
protocol | sport | src | vd}
diagnose wad history
diagnose wad session
diagnose wad stats {cache | cifs | clear | crypto | ftp | http |
list | mapi | mem | summary | tcp | tunnel}
diagnose wad tunnel
Variable      Description
console-log   Enable or disable displaying WAN optimization log messages on the CLI
              console.
filter        Set a filter for listing WAN optimization daemon sessions or tunnels.
              clear: reset or clear the current log filter settings.
              dport: enter the destination port range to filter by.
              dst: enter the destination address range to filter by.
              list: display the current log filter settings.
history       Display statistics for one or more WAN optimization protocols for a specified
              period of time (the last 10 minutes, hour, day or 30 days).
session       Display diagnostics for WAN optimization sessions or clear active sessions.
stats         Display statistics for various parts of WAN optimization such as cache statistics,
              CIFS statistics, MAPI statistics, HTTP statistics, tunnel statistics etc. You can
              also clear WAN optimization statistics and display a summary.
tunnel        Display diagnostic information for one or all active WAN optimization tunnels,
              or clear all active tunnels.

Examples
Enter the following command to list all of the running WAN optimization tunnels and
display information about each one. The command output shows 10 tunnels all created by
peer-to-peer WAN optimization rules (auto-detect set to off).
diagnose wad tunnel list
Tunnel: id=100 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=100 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=348 bytes_out=384
Tunnel: id=99 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=99 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=348 bytes_out=384
Tunnel: id=98 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=98 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=348 bytes_out=384
Tunnel: id=39 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=39 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=1068 bytes_out=1104
Tunnel: id=7 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=7 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnel: id=8 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=8 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnel: id=5 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=5 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnel: id=4 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=4 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnel: id=1 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=1 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnel: id=2 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=2 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=1228 bytes_out=1264
Tunnels total=10 manual=10 auto=0
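A parser for the tunnel listing above, as an added example that is not part of the handbook or of FortiOS. The sample output is constructed: the first tunnel is copied from the listing, the second is invented to show a tunnel that is SSL-secured and has an authentication group. The code turns the key=value lines into records, lists the tunnels that are not SSL-secured (a useful check before WAN optimization traffic crosses an untrusted link), totals bytes per peer for comparison with the peer list from get test wad 26, and verifies that the trailer counts match the tunnels actually listed.

```python
import re
from collections import defaultdict

# Constructed sample: the first tunnel is copied from the output above, the
# second is added to show an SSL-secured tunnel with an authentication group.
SAMPLE_OUTPUT = """Tunnel: id=100 type=manual
vd=0 shared=no uses=0 state=3
peer name=Web_servers id=100 ip=172.20.120.141
SSL-secured-tunnel=no auth-grp=
bytes_in=348 bytes_out=384
Tunnel: id=7 type=auto
vd=0 shared=yes uses=2 state=3
peer name=Branch_office id=7 ip=10.0.0.5
SSL-secured-tunnel=yes auth-grp=wanopt-peers
bytes_in=1228 bytes_out=1264
Tunnels total=2 manual=1 auto=1
"""

_KV = re.compile(r"([\w-]+)=(\S*)")
_INT_FIELDS = {"id", "vd", "uses", "state", "bytes_in", "bytes_out", "peer_id"}


def parse_tunnel_list(text):
    """Parse 'diagnose wad tunnel list' output into (tunnels, totals)."""
    tunnels, totals, cur = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Tunnels total"):
            totals = {k: int(v) for k, v in _KV.findall(line)}
            cur = None
            continue
        if line.startswith("Tunnel:"):
            cur = {}
            tunnels.append(cur)
        if cur is None:
            continue
        # The 'peer ...' line repeats name/id/ip for the peer; prefix those keys
        # so they do not overwrite the tunnel's own id.
        prefix = "peer_" if line.startswith("peer ") else ""
        for key, val in _KV.findall(line):
            key = prefix + key
            cur[key] = int(val) if key in _INT_FIELDS else val
    return tunnels, totals


def unsecured_tunnels(tunnels):
    """IDs of tunnels carrying WAN optimization traffic without SSL protection."""
    return [t["id"] for t in tunnels if t.get("SSL-secured-tunnel") == "no"]


def summarize_by_peer(tunnels):
    """Per-peer tunnel count and byte totals, to compare with 'get test wad 26'."""
    summary = defaultdict(lambda: {"tunnels": 0, "bytes_in": 0, "bytes_out": 0})
    for t in tunnels:
        s = summary[t["peer_name"]]
        s["tunnels"] += 1
        s["bytes_in"] += t["bytes_in"]
        s["bytes_out"] += t["bytes_out"]
    return dict(summary)


def totals_consistent(tunnels, totals):
    """True when the 'Tunnels total=' trailer matches the tunnels actually listed."""
    manual = sum(1 for t in tunnels if t["type"] == "manual")
    return (totals.get("total") == len(tunnels)
            and totals.get("manual") == manual
            and totals.get("auto") == len(tunnels) - manual)
```

Feed the function the captured text of the command (for example from a script that logs into the CLI) and run unsecured_tunnels on the result; an empty auth-grp value on a tunnel is kept as an empty string so it can be reported alongside the missing SSL protection.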

diagnose wacs
Display diagnostic information for the web cache database daemon (wacs).

diagnose wacs {clear | recents | restart | stats}
Variable   Description
clear      Remove all entries from the web cache database.
recents    Display recent web cache database activity.
restart    Restart the web cache daemon and reset statistics.
stats      Display web cache statistics.

diagnose wadbd
Display diagnostic information for the WAN optimization database daemon (wadbd).
diagnose wadbd {check | clear | recents | restart | stats}
Variable   Description
check      Check WAN optimization database integrity.
clear      Remove all entries from the WAN optimization database.
recents    Display recent WAN optimization database activity.
restart    Restart the WAN optimization daemon and reset statistics.
stats      Display WAN optimization statistics.

diagnose debug application {wa_cs | wa_dbd | wad | wad_diskd |
wccpd} [<debug_level>]
View or set the debug level for displaying WAN optimization and web cache-related
daemon debug messages. Include a <debug_level> to change the debug level. Leave
the <debug_level> out to display the current debug level. Default debug level is 0.
diagnose debug application wa_cs [<debug_level>]
diagnose debug application wa_dbd [<debug_level>]
diagnose debug application wad [<debug_level>]
diagnose debug application wccpd [<debug_level>]
Variable   Description
wa_cs      Set the debug level for the web cache server.
wa_dbd     Set the debug level for the WAN optimization database server.
wad        Set the debug level for the WAN optimization daemon.
wccpd      Set the debug level for the WCCP daemon.


Chapter 19 Load Balancing
This FortiOS Handbook chapter contains the following sections:
Configuring load balancing describes FortiGate firewall load balancing.
Load balancing configuration examples includes basic and advanced load balancing
configurations.

FortiOS™ Handbook FortiOS 4.0 MR2 Load Balancing
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

Configuring load balancing
This section describes how to use the FortiGate firewall load balancing configuration to
load balance traffic to multiple backend servers.
This section describes:
• Load balancing overview
• Basic load balancing configuration example
• HTTP and HTTPS load balancing, multiplexing, and persistence
• SSL/TLS load balancing
• IP, TCP, and UDP load balancing

Load balancing overview
You can configure FortiOS load balancing to intercept incoming traffic with a virtual server
and share it among one or more backend real servers. By doing so, the FortiGate unit
enables multiple real servers to respond as if they were a single device or virtual server.
This in turn means that more simultaneous requests can be handled.
Figure 356: Load balancing configuration
[Figure: traffic from the Internet reaches virtual servers on the FortiGate unit (L7: HTTP,
HTTPS, SSL; L4: TCP, UDP; L3: IP), which load balance it to the real servers using the
static, round robin, weighted, first alive, least RTT or least session methods, with session
persistence by HTTP/HTTPS cookie or SSL session ID and real server health monitoring
by TCP, HTTP or ICMP ping.]

Traffic can be balanced across multiple backend real servers based on a selection of load
balancing methods including static (failover), round robin, weighted to account for different
sized servers, or based on the health and performance of the server including round trip
time, number of connections. The load balancer can balance layer 7 HTTP, HTTPS, SSL,
generic layer 4 TCP, UDP and generic layer 3 IP protocols. Session persistence is
supported based on injected HTTP/HTTPS cookies or the SSL session ID.

You can bind up to 8 real servers to one virtual server. The real server topology is
transparent to end users, and the users interact with the system as if it were only a single
server with the IP address and port number of the virtual server. The real servers may be
interconnected by high-speed LAN or by geographically dispersed WAN. The FortiGate
unit schedules requests to the real servers so that the parallel services behind the virtual
server appear to come from a single IP address.
There are additional benefits to load balancing. First, because the load is distributed
across multiple servers, the service being provided can be highly available. If one of the
servers breaks down, the load can still be handled by the other servers. Secondly, this
increases scalability. If the load increases substantially, more servers can be added
behind the FortiGate unit in order to cope with the increased load.

Configuring load balancing virtual servers
A virtual server is a specialized firewall virtual IP that performs server load balancing.
From the web-based manager you add a load balancing virtual server by going to Firewall >
Load Balance > Virtual Server. From the CLI you configure a virtual server by adding a
firewall virtual IP and setting the virtual IP type to server load balance:
config firewall vip
edit Vserver-HTTP-1
set type server-load-balance
...
A virtual server includes a virtual server IP address bound to an interface. The virtual
server IP address is the destination address of the incoming packets to be load balanced,
and the virtual server is bound to the interface that receives the packets to be load balanced.
For example, if you want to load balance incoming HTTP traffic from the Internet to a
group of web servers on a DMZ network, the virtual server IP address is the known
Internet IP address of the web servers and the virtual server binds this IP address to the
FortiGate interface connected to the Internet.
When you bind the virtual server’s external IP address to a FortiGate unit interface, by
default, the network interface responds to ARP requests for the bound IP address. Virtual
servers use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to
ARP requests on a network for a real server that is actually installed on another network.
In some cases you may not want the network interface sending ARP replies. You can use
the arp-reply option to disable sending ARP replies:
config firewall vip
edit Vserver-HTTP-1
set type server-load-balance
set arp-reply disable
...
The load balancing virtual server configuration also includes the virtual server port. This is
the TCP port on the bound interface on which the virtual server listens for traffic to be load
balanced. The virtual server can listen on any port.

Load balancing method
The load balancing method defines how sessions are load balanced to real servers. A
number of load balancing methods are available as listed in Table 138.
No load balancing method sends traffic to real servers that are down or not
responding. However, the FortiGate unit can only determine that a real server is not
responding by using a health check monitor. You should always add at least one health
check monitor to a virtual server or to individual real servers, or load balancing methods
may attempt to distribute sessions to real servers that are not functioning.
Table 138: Load balancing methods
Method         Description
Static         The traffic load is spread evenly across all real servers. However, sessions are
               not assigned according to how busy individual real servers are. This load
               balancing method provides some persistence because all sessions from the
               same source address always go to the same real server. However, the
               distribution is stateless, so if a real server is added or removed (or goes up or
               down) the distribution is changed and persistence could be lost.
Round Robin    Directs new requests to the next real server, and treats all real servers as equals
               regardless of response time or number of connections. Dead real servers or non
               responsive real servers are avoided.
Weighted       Real servers with a higher weight value receive a larger percentage of
               connections. Set the real server weight when adding a real server.
First Alive    Always directs sessions to the first alive real server. This load balancing
               schedule provides real server failover protection by sending all sessions to the
               first alive real server and if that real server fails, sending all sessions to the next
               alive real server. Sessions are not distributed to all real servers so all sessions
               are processed by the “first” real server only.
               First refers to the order of the real servers in the virtual server configuration. For
               example, if you add real servers A, B and C in that order, then all sessions
               always go to A as long as it is alive. If A goes down then sessions go to B and if
               B goes down sessions go to C. If A comes back up sessions go back to A. Real
               servers are ordered in the virtual server configuration in the order in which you
               add them, with the most recently added real server last. If you want to change
               the order you must delete and re-add real servers in the required order.
Least RTT      Directs sessions to the real server with the least round trip time. The round trip
               time is determined by a Ping health check monitor and is defaulted to 0 if no Ping
               health check monitors are added to the virtual server.
Least Session  Directs requests to the real server that has the least number of current
               connections. This method works best in environments where the real servers or
               other equipment you are load balancing all have similar capabilities. This load
               balancing method uses the FortiGate session table to track the number of
               sessions being processed by each real server. The FortiGate unit cannot detect
               the number of sessions actually being processed by a real server.

Session persistence
Use persistence to make sure that a user is connected to the same real server every time
they make an HTTP, HTTPS, or SSL request that is part of the same user session. For
example, if you are load balancing HTTP and HTTPS sessions to a collection of
eCommerce web servers, when a user is making a purchase they will be starting multiple
sessions as they navigate the eCommerce site. In most cases all of the sessions started
by this user during one eCommerce session should be processed by the same real server.
Typically, the HTTP protocol keeps track of these related sessions using cookies. HTTP
cookie persistence makes sure that all sessions that are part of the same user session are
processed by the same real server.
When you configure persistence, the FortiGate unit load balances a new session to a real
server according to the load balance method. If the session has an HTTP cookie or an
SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP
cookie or SSL session ID to the same real server. For more information about HTTP and
HTTPS persistence, see “HTTP and HTTPS persistence” on page 2123.
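The cookie persistence described above, modelled in code as an added example. It is not FortiOS code; the cookie name FGTServer, the Set-Cookie attributes, the round-robin choice for new sessions and the helper names are assumptions for illustration. A new session is load balanced and its response gets an injected cookie; a later request presenting a known cookie goes back to the same real server, while a stale or forged cookie value simply falls through to the load balance method and receives a fresh cookie. The cookie value is an opaque random token rather than the real server's address, so a client cannot pick its backend by editing the cookie.

```python
import itertools
import secrets


class CookiePersistence:
    """Cookie-based persistence in front of a round-robin load balance method."""

    def __init__(self, real_servers, cookie_name="FGTServer"):
        self.servers = list(real_servers)
        self.cookie_name = cookie_name          # assumed name of the injected cookie
        self._rr = itertools.cycle(self.servers)
        self._table = {}                        # cookie token -> real server
        self.down = set()                       # real servers the health check marked down

    def pick(self, request_cookies):
        """Return (real_server, set_cookie_header_or_None) for one request."""
        token = request_cookies.get(self.cookie_name)
        server = self._table.get(token)
        if server is not None and server not in self.down:
            return server, None                 # persistent: same server, no new cookie
        # Unknown, stale or forged token: fall back to the load balance method
        # and hand out a fresh random token bound to the chosen server.
        for _ in range(len(self.servers)):
            server = next(self._rr)
            if server not in self.down:
                break
        else:
            return None, None                   # every real server is down
        token = secrets.token_hex(16)
        self._table[token] = server
        return server, f"{self.cookie_name}={token}; Path=/; HttpOnly; Secure"


def parse_cookie_header(header):
    """Parse a request 'Cookie:' header value into a dict (constructed helper)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            out[key] = val
    return out


def cookie_from_set_cookie(set_cookie):
    """Return the name=value pair a browser would echo back from a Set-Cookie header."""
    return set_cookie.split(";", 1)[0]
```

When the health check takes a real server out of service, requests that still carry its cookie are re-balanced and given a new token, which is the behaviour a user sees as a lost shopping session rather than an error page.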

Real servers
Add real servers to a load balancing virtual server to provide the information the virtual
server requires to be able to send sessions to the server. A real server configuration
includes the IP address of the real server and port number that the real server receives
sessions on. The FortiGate unit sends sessions to the real server’s IP address using the
destination port number in the real server configuration.
When configuring a real server you can also specify the weight (used if the load balance
method is set to weighted) and you can limit the maximum number of open connections
between the FortiGate unit and the real server. If the maximum number of connections is
reached for the real server, the FortiGate unit will automatically switch all further
connection requests to other real servers until the connection number drops below the
specified limit. Setting Maximum Connections to 0 means that the FortiGate unit does not
limit the number of connections to the real server.
By default the real server mode setting is active indicating that the real server is available
to receive connections. If the real server is removed from the network (for example, for
routine maintenance or because of a hardware or software failure) you can change the
mode to standby or disabled. In standby or disabled mode the FortiGate unit no longer
sends sessions to the real server.
To add a real server from the web-based manager go to Firewall > Load Balance > Real
Server. When you add the real server you select the virtual server that will send sessions
to it.
To add a real server from the CLI you configure a virtual server and add real servers to it.
For example, the following commands add three real servers to a virtual server that load
balances UDP sessions on port 8190 using weighted load balancing. For each real server
the port is not changed. The default real server port is 0, resulting in the traffic being sent
to the real server with destination port 8190. Each real server is given a different weight.
Servers with higher weights have a max-connections limit to prevent too many sessions
from being sent to them.
config firewall vip
edit Vserver-UDP-1
set type server-load-balance
set server-type udp
set ldb-method weighted
set extip 172.20.120.30
set extintf wan1
set extport 8190
set monitor ping-mon-1
config realservers
edit 1
set ip 10.31.101.30
set weight 100
set max-connections 10000
next
edit 2
set ip 10.31.101.40
set weight 100
set max-connections 10000
next
edit 3
set ip 10.31.101.50
set weight 10
end
end
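Added example, not from the handbook: a small Python model of weighted load balancing with max-connections, showing how the Vserver-UDP-1 weights above (100, 100, 10) distribute sessions and how a server that reaches its limit drops out of rotation until connections are released. The smooth weighted round-robin scheduler used here is an assumption; FortiOS does not document its algorithm.

```python
"""Weighted load balancing with per-real-server max-connections, modelled on
the Vserver-UDP-1 example above.  Added illustration only: the scheduler
FortiOS really uses is not documented, so smooth weighted round-robin is
assumed here."""
from dataclasses import dataclass


@dataclass
class RealServer:
    ip: str
    weight: int
    max_connections: int = 0   # 0 means "do not limit", as in FortiOS
    mode: str = "active"       # active | standby | disabled
    active: int = 0            # sessions currently open to this server
    current: int = 0           # running balance used by the scheduler

    def has_capacity(self) -> bool:
        return self.max_connections == 0 or self.active < self.max_connections


class WeightedVirtualServer:
    """Smooth weighted round-robin over the servers that can still accept
    sessions.  Over one full cycle (sum of the weights) each eligible server
    is chosen exactly `weight` times; a server that has hit max-connections
    or is in standby/disabled mode drops out of the pool until it recovers."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.dropped = 0           # sessions refused: every server full or down

    def eligible(self):
        return [s for s in self.servers
                if s.mode == "active" and s.has_capacity()]

    def pick(self):
        """Assigns one new session; returns the RealServer or None if dropped."""
        pool = self.eligible()
        if not pool:
            self.dropped += 1
            return None
        total = sum(s.weight for s in pool)
        for s in pool:
            s.current += s.weight
        best = max(pool, key=lambda s: s.current)   # ties go to the first server
        best.current -= total
        best.active += 1
        return best

    @staticmethod
    def release(server):
        """Call when a session to `server` ends."""
        server.active = max(0, server.active - 1)


def distribution(vs, n):
    """Opens n sessions without closing any and counts who received them."""
    counts = {s.ip: 0 for s in vs.servers}
    for _ in range(n):
        s = vs.pick()
        if s is not None:
            counts[s.ip] += 1
    return counts


if __name__ == "__main__":
    vs = WeightedVirtualServer([RealServer("10.31.101.30", 100, 10000),
                                RealServer("10.31.101.40", 100, 10000),
                                RealServer("10.31.101.50", 10)])
    print(distribution(vs, 210))   # 100 / 100 / 10 sessions
```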
FortiOS™ Handbook FortiOS 4.0 MR2 Load Balancing
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback

2114

Configuring load balancing

Load balancing overview

Health check monitoring
Using health check monitoring the FortiGate unit can verify that real servers are able to
respond to network connection attempts. If a real server responds to connection attempts
the load balancer continues to send sessions to it. If a real server stops responding to
connection attempts the load balancer assumes that the server is down and does not send
sessions to it. The health check monitor configuration determines how the load balancer
tests the real servers. You can use a single health check monitor for multiple load
balancing configurations.
You can configure TCP, HTTP and Ping health check monitors. Usually you would want
the health check monitor to use the same protocol for checking the health of the server as
the traffic being load balanced to it. For example, for an HTTP load balancing
configuration you would normally use an HTTP health check monitor.
For the TCP and HTTP health check monitors you can specify the destination port to use
to connect to the real servers. If you set the port to 0, the health check monitor uses the
port defined in the real server. This allows you to use the same health check monitor for
multiple real servers using different ports. You can also configure the interval, timeout and
retry. A health check occurs every number of seconds indicated by the interval. If a reply is
not received within the timeout period the health check is repeated. If no response is
received after the number of configured retries, the real server is considered
unresponsive, and the load balancer stops sending traffic to that real server. The health check
monitor continues to contact the real server and, if it responds, the load balancer can
resume sending sessions to the recovered real server.
For HTTP health check monitors, you can add a URL that the FortiGate unit connects to
when sending a GET request to check the health of an HTTP server. The URL should match
an actual URL on the real HTTP servers. The URL is optional.
The URL would not usually include an IP address or domain name. Instead it should start
with a “/” and be followed by the address of an actual web page on the real server. For
example, if the IP address of the real server is 10.31.101.30, the URL “/test_page.htm”
causes the FortiGate unit to send an HTTP get request to
“http://10.31.101.30/test_page.htm”.
For HTTP health check monitors, you can also add a matched content phrase that a real
HTTP server should include in response to the get request sent by the FortiGate unit using
the content of the URL option. If the URL returns a web page, the matched content should
exactly match some of the text on the web page. You can use the URL and Matched
Content options to verify that an HTTP server is actually operating correctly by responding
to get requests with expected web pages. Matched content is only required if you add a
URL.
For example, you can set matched content to “server test page” if the real HTTP server
page defined by the URL option contains the phrase “server test page”. When the
FortiGate unit receives the web page in response to the URL get request, the system
searches the content of the web page for the matched content phrase.
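Added example, not FortiOS code: the health check logic described above (URL, matched content, timeout, retry, and monitor port 0 meaning "use the real server's port") in Python, with a constructed stand-in probe. Two details are this example's own assumptions: a failed check is repeated `retry` more times before the server is marked down, and a reply that lacks the matched content phrase counts as a failure.

```python
"""HTTP health check monitor logic (URL, matched content, timeout, retry) as
described above.  Added illustration, not FortiOS code.  Assumptions: a check
that fails is repeated up to `retry` more times before the server is marked
down, and a reply without the matched content counts as a failure."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_probe(ip, port, url, timeout):
    """One GET for http://ip:port<url>; returns the body, raises OSError on
    connect failure, timeout or a non-200 status."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", url or "/")
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        if resp.status != 200:
            raise OSError("HTTP status %d from %s:%d" % (resp.status, ip, port))
        return body
    finally:
        conn.close()


def check_real_server(ip, port, url, matched_content, retry, timeout,
                      probe=http_probe):
    """Returns True if the real server is up.  An empty matched_content means
    any successful reply is enough; with a phrase set, the page must really
    contain it, which is what lets URL + Matched Content distinguish a working
    application from, say, a default error page."""
    for _attempt in range(1 + retry):
        try:
            body = probe(ip, port, url, timeout)
        except OSError:
            continue                      # timeout/refused: repeat the check
        if not matched_content or matched_content in body:
            return True
        # page came back but without the expected phrase: treat as a failure
    return False


def monitor_once(real_servers, monitor_port, url, matched_content, retry,
                 timeout, probe=http_probe):
    """Checks every real server ({ip: real_server_port}).  monitor_port 0
    means "use the port defined in the real server", which is what lets one
    monitor serve real servers listening on different ports."""
    return {ip: check_real_server(ip, monitor_port or port, url, matched_content,
                                  retry, timeout, probe)
            for ip, port in real_servers.items()}


def fake_probe(pages):
    """Constructed stand-in for http_probe: `pages` maps a URL to a body;
    any other URL behaves like a server that never replies."""
    def probe(ip, port, url, timeout):
        if url not in pages:
            raise OSError("no reply from %s:%d within %ss" % (ip, port, timeout))
        return pages[url]
    return probe


class _TestPage(BaseHTTPRequestHandler):
    """Constructed real server for the demo below; serves /test_page.htm."""
    BODY = b"<html><body>server test page</body></html>"

    def do_GET(self):
        if self.path != "/test_page.htm":
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(self.BODY)))
        self.end_headers()
        self.wfile.write(self.BODY)

    def log_message(self, *args):      # keep the demo output quiet
        pass


if __name__ == "__main__":
    srv = HTTPServer(("127.0.0.1", 0), _TestPage)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    ip, port = srv.server_address
    print(monitor_once({ip: port}, 0, "/test_page.htm", "server test page", 3, 2))
    print(monitor_once({ip: port}, 0, "/missing.htm", "server test page", 1, 2))
```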

Virtual IP, load balance virtual server and load balance real server limitations
The following limitations apply when adding virtual IPs, Load balancing virtual servers, and
load balancing real servers. Load balancing virtual servers are actually server load
balancing virtual IPs. You can add server load balance virtual IPs from the CLI.


Virtual IP External IP Address/Range entries or ranges cannot overlap with each
other or with load balancing virtual server Virtual Server IP entries.



A virtual IP Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.



A real server IP cannot be 0.0.0.0 or 255.255.255.255.



If a static NAT virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP
Address/Range must be a single IP address.



If a load balance virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP
Address/Range can be an address range.



When port forwarding, the count of mapped port numbers and external port
numbers must be the same. The web-based manager does this automatically but
the CLI does not.



Virtual IP and virtual server names must be different from firewall address or
address group names.

Monitoring load balancing
From the web-based manager you can go to Firewall > Load Balance > Monitor to monitor
the status of configured virtual servers and real servers and start or stop the real servers.
You can also use the get test ipldb command from the CLI to display similar
information.
For each real server the monitor displays health status (up or down), active sessions,
round trip time and the number of bytes of data processed. From the monitor page you can
also stop sending new sessions to any real server. When you select to stop sending
sessions the FortiGate unit performs a graceful stop by continuing to send data for
sessions that were established or persistent before you selected stop. However, no new
sessions are started.

Load balancing get command
The following get command is available to display testing and debug information for the
FortiGate virtual server process:
get test vs <test-level_int>
Where <test-level_int> can be:
3 to display the virtual server process id.
8 to display the virtual server log configuration.
30 to display the virtual server configuration statistics.
99 to restart the virtual server process.


Load balancing diagnose commands
You can also use the following diagnose commands to view status information for load
balancing virtual servers and real servers:
diagnose firewall vip realserver {down | flush | healthcheck | list | up}
diagnose firewall vip virtual-server {filter | log | real-server | session | stats}
For example, the following command lists and displays status information for all real
servers:
diagnose firewall vip virtual-server real-server
vd root/0 vs vs/2 addr 10.31.101.30:80 status 1/1
conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0
vd root/0 vs vs/2 addr 10.31.101.20:80 status 1/1
conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0

Many of the diagnostic commands involve retrieving information about one or more virtual
servers. To control which servers are queried you can define a filter:
diagnose firewall vip virtual-server filter <filter_str>
Where <filter_str> can be:
clear      erase the current filter
dst        the destination address range to filter by
dst-port   the destination port range to filter by
list       display the current filter
name       the vip name to filter by
negate     negate the specified filter parameter
src        the source address range to filter by
src-port   the source port range to filter by
vd         index of virtual domain. -1 matches all
The default filter is empty so no filtering is done.

Logging Diagnostics
The logging diagnostics provide information about two separate features:
diagnose firewall vip virtual-server log {console | filter}
Where
console {disable | enable} enables or disables displaying the event log
messages generated by virtual server traffic on the console to simplify debugging.
filter sets a filter for the virtual server debug log
The filter option controls what entries the virtual server daemon will log to the console if
diagnose debug application vs level is non-zero. The filtering can be done on
source, destination, virtual-server name, virtual domain, and so on:
diagnose firewall vip virtual-server log filter <filter_str>
where <filter_str> can be:
clear      erase the current filter
dst        the destination address range to filter by
dst-port   the destination port range to filter by
list       display the current filter
name       the virtual-server name to filter by
negate     negate the specified filter parameter
src        the source address range to filter by
src-port   the source port range to filter by
vd         index of virtual domain. -1 matches all
The default filter is empty so no filtering is done.

Real server diagnostics
Enter the following command to list all the real servers:
diag firewall vip virtual-server real-server list
In the following example there is only one virtual server called slb and it has two real servers:
diag firewall vip virtual-server real-server
vd root/0 vs slb/2 addr 172.16.67.191:80 status 1/1
conn: max 10 active 0 attempts 0 success 0 drop 0 fail 0
http: available 0 total 0
vd root/0 vs slb/2 addr 172.16.67.192:80 status 1/1
conn: max 10 active 1 attempts 4 success 4 drop 0 fail 0
http: available 1 total 1

The status indicates the administrative and operational status of the real server.
max indicates that the real server will only allow 10 concurrent connections.
active is the number of current connections to the server.
attempts is the total number of connections attempted.
success is the total number of connections that were successful.
drop is the total number of connections that were dropped because the active count hit
max.
fail is the total number of connections that failed to complete due to some internal
problem (for example, lack of memory).
If the virtual server has HTTP multiplexing enabled then the http section indicates how
many established connections to the real server are available to service an HTTP request
and also the total number of connections.
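A parser for the real-server listing shown above, for scripted checks from a monitoring host. This is an added example, not a Fortinet tool; SAMPLE is constructed from the two-server listing in the text, and reading `status a/b` as administrative/operational with 1 meaning up is an assumption.

```python
"""Parser for the `diagnose firewall vip virtual-server real-server` listing
shown above, for scripted checks from a monitoring host.  Added illustration,
not a Fortinet tool.  SAMPLE is constructed from the two-server example in
the text; reading `status a/b` as administrative/operational with 1 = up is
an assumption."""
import re

SAMPLE = """\
vd root/0 vs slb/2 addr 172.16.67.191:80 status 1/1
conn: max 10 active 0 attempts 0 success 0 drop 0 fail 0
http: available 0 total 0
vd root/0 vs slb/2 addr 172.16.67.192:80 status 1/1
conn: max 10 active 1 attempts 4 success 4 drop 0 fail 0
http: available 1 total 1
"""

HEADER = re.compile(r"vd (\S+) vs (\S+) addr (\S+):(\d+) status (\d)/(\d)")


def parse_real_servers(text):
    """Returns one dict per real server; the conn: and http: counters are
    stored as conn_max, conn_active, ..., http_available, http_total."""
    servers = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            servers.append({"vd": m.group(1), "vs": m.group(2),
                            "ip": m.group(3), "port": int(m.group(4)),
                            "admin_up": m.group(5) == "1",
                            "oper_up": m.group(6) == "1"})
        elif servers and line.startswith(("conn:", "http:")):
            section, _, rest = line.partition(":")
            fields = rest.split()
            servers[-1].update({"%s_%s" % (section, k): int(v)
                                for k, v in zip(fields[::2], fields[1::2])})
    return servers


def needs_attention(servers):
    """IPs a defender should look at: down, dropping sessions because the
    active count hit max, or failing internally."""
    return [s["ip"] for s in servers
            if not (s["admin_up"] and s["oper_up"])
            or s.get("conn_drop", 0) or s.get("conn_fail", 0)]


if __name__ == "__main__":
    for s in parse_real_servers(SAMPLE):
        print(s["ip"], "up" if s["oper_up"] else "down",
              "active", s["conn_active"], "drop", s["conn_drop"])
    print(needs_attention(parse_real_servers(SAMPLE)))   # []
```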

Basic load balancing configuration example
This section describes the steps required to configure the load balancing configuration
shown in Figure 357. In this configuration a FortiGate-51B unit is load balancing HTTP
traffic from the Internet to three HTTP servers on the Internal network. HTTP sessions are
accepted at the wan1 interface with destination IP address 172.20.120.121 on TCP port
8080 and forwarded from the internal interface to the web servers. When forwarded the
destination address of the sessions is translated to the IP address of one of the web
servers.
The load balancing configuration also includes session persistence using HTTP cookies,
round-robin load balancing, and ping health monitoring for the real servers. Ping health
monitoring consists of the FortiGate unit using ICMP ping to make sure the web servers
can respond to network traffic.


Figure 357: Virtual server and real servers setup
[Diagram: the Internet reaches the FortiGate-51B at wan1 (172.20.120.122); the HTTP
virtual server has IP address 172.20.120.121 and uses HTTP cookie session persistence,
round-robin load balancing and ping health monitoring; the internal interface
(10.31.101.100) reaches the real servers 10.31.101.30, 10.31.101.40 and 10.31.101.50.]

To configure the example load balancing configuration - general configuration steps
1 Add a load balance ping health check monitor.
  A ping health check monitor causes the FortiGate unit to ping the real servers every 10
  seconds. If one of the servers does not respond within 2 seconds, the FortiGate unit
  will retry the ping 3 times before assuming that the HTTP server is not responding.
2 Add a load balance virtual server.
3 Add the three load balance real servers. Include the virtual server in each real server
  configuration.
4 Add a firewall policy that includes the load balance virtual server as the destination
  address.
To configure the example load balancing configuration - web-based manager
1 Go to Firewall > Load Balance > Health Check Monitor and add the following
health check monitor.
Name       Ping-mon-1
Type       Ping
Interval   10 seconds
Timeout    2 seconds
Retry      3

2 Go to Firewall > Load Balance > Virtual Server and add a virtual server that accepts the
traffic to be load balanced.
Name                  Vserver-HTTP-1
Type                  HTTP
Interface             wan1
Virtual Server IP     172.20.120.121
Virtual Server Port   8080
Load Balance Method   Round Robin
Persistence           HTTP Cookie
HTTP Multiplexing     Do not select
Health Check          Move Ping-mon-1 to the Selected list.

3 Go to Firewall > Load Balance > Real Server and add the real servers.
Virtual Server    Vserver-HTTP-1
IP Address        10.31.101.30
Port              80
Weight            n/a
Max Connections   0
Mode              Active

Virtual Server    Vserver-HTTP-1
IP Address        10.31.101.40
Port              80
Weight            n/a
Max Connections   0
Mode              Active

Virtual Server    Vserver-HTTP-1
IP Address        10.31.101.50
Port              80
Weight            n/a
Max Connections   0
Mode              Active

4 Go to Firewall > Policy > Policy and add a wan1 to internal firewall policy that includes
the virtual server. This policy also applies an Antivirus profile to the load balanced
sessions.
Source Interface/Zone        wan1
Source Address               all
Destination Interface/Zone   internal
Destination Address          Vserver-HTTP-1
Schedule                     always
Service                      ANY
Action                       ACCEPT
NAT                          Enable NAT
UTM                          Select
Protocol Options             Select and select a protocol options profile.
Enable AntiVirus             Select and select an antivirus profile.


To configure the example load balancing configuration - CLI
1 Use the following command to add a Ping health check monitor.
config firewall ldb-monitor
  edit ping-mon-1
    set type ping
    set interval 10
    set timeout 2
    set retry 3
  end
2 Use the following command to add the virtual server that accepts HTTP sessions on
port 8080 at the wan1 interface and load balances the traffic to three real servers.
config firewall vip
  edit Vserver-HTTP-1
    set type server-load-balance
    set server-type http
    set ldb-method round-robin
    set extip 172.20.120.121
    set extintf wan1
    set extport 8080
    set persistence http-cookie
    set monitor ping-mon-1
    config realservers
      edit 1
        set ip 10.31.101.30
        set port 80
      next
      edit 2
        set ip 10.31.101.40
        set port 80
      next
      edit 3
        set ip 10.31.101.50
        set port 80
      end
  end
3 Use the following command to add a firewall policy that includes the load balance
virtual server as the destination address.
config firewall policy
edit 0
set srcintf wan1
set srcaddr all
set dstintf internal
set dstaddr Vserver-HTTP-1
set action accept
set schedule always
set service ANY
set nat enable
set utm-status enable
set profile-protocol-options default
set av-profile scan
end


HTTP and HTTPS load balancing, multiplexing, and persistence
In a firewall load balancing virtual server configuration, you can select HTTP to load
balance only HTTP sessions. The virtual server will load balance HTTP sessions received
at the virtual server interface with destination IP address that matches the configured
virtual server IP and destination port number that matches the configured virtual server
port. The default virtual server port for HTTP load balancing is 80, but you can change this
to any port number. Similarly for HTTPS load balancing, set the virtual server type to
HTTPS and then select the interface, virtual server IP, and virtual server port that matches
the HTTPS traffic to be load balanced. Usually HTTPS traffic uses port 443.
You can also configure load balancing to offload SSL processing for HTTPS and SSL
traffic. See “SSL offloading” on page 2124 for more information.

HTTP and HTTPS multiplexing
For both HTTP and HTTPS load balancing you can multiplex HTTP requests and
responses over a single TCP connection. HTTP multiplexing is a performance saving
feature of HTTP/1.1 compliant web servers that provides the ability to pipeline many
unrelated HTTP or HTTPS requests on the same connection. This allows a single HTTPD
process on the server to interleave and serve multiple requests. The result is fewer idle
sessions on the web server so server resources are used more efficiently. HTTP
multiplexing can take multiple separate inbound sessions and multiplex them over the
same internal session. This reduces the load on the backend server and increases the
overall performance.
HTTP multiplexing combines requests from different clients and sends them to a backend
HTTP real server on few connections. When HTTP requests arrive at the FortiGate unit
through individual connections, HTTP multiplexing transmits them to the servers proxied
to reduce the number of connections between the FortiGate unit and each server (or more
accurately, each service if a server offers more than one service on its ports). This reduces
the overhead associated with the handling of multiple connections at the server.
Servers that support HTTP/1.1 are able to accept multiple requests on a single
connection. This connection is kept alive even when client requests have stopped
arriving at the FortiGate unit. In this way the cost of establishing and finishing TCP
connections between the proxy and the server, and of adjusting the TCP window size on
each new connection, is saved. However, when a connection is busy and a new request
arrives, another connection to the server will be established. A connection is considered
to be busy if a request has been received by the proxy and the associated response has
not entirely returned to the client.
To enable HTTP multiplexing from the web-based manager, select multiplex HTTP
requests/responses over a single TCP connection. To enable HTTP multiplexing from the
CLI enable the http-multiplex option.

Preserving the client IP address
Select preserve client IP from the web-based manager or enable the http-ip-header
option from the CLI to preserve the IP address of the client in the X-Forwarded-For
HTTP header. This can be useful in an HTTP multiplexing configuration if you want log
messages on the real servers to the client’s original IP address. If this option is not
selected, the header will contain the IP address of the FortiGate unit.


HTTP and HTTPS persistence
Configure load balancing persistence for HTTP or HTTPS to make sure that a user is
connected to the same server every time they make a request that is part of the same
session. HTTP cookie persistence uses injected cookies to enable persistence.
When you configure persistence, the FortiGate unit load balances a new session to a real
server according to the Load Balance Method. If the session has an HTTP cookie or an
SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP
cookie or SSL session ID to the same real server.

How HTTP cookie persistence options work
The following options are available for the config firewall vip command when
type is set to server-load-balance, server-type is set to http or https and
persistence is set to http-cookie:
http-cookie-domain
http-cookie-path
http-cookie-generation
http-cookie-age
http-cookie-share
https-cookie-secure (appears when server-type is set to https)
When HTTP cookie persistence is enabled the FortiGate unit inserts a header of the
following form into each HTTP response unless the corresponding HTTP request already
contains a FGTServer cookie:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Max-Age=3600
The value of the FGTServer cookie encodes the server that traffic should be directed to.
The value is encoded so as to not leak information about the internal network.
Use http-cookie-domain to restrict the domain that the cookie should apply to. For
example, to restrict the cookie to .server.com, enter:
set http-cookie-domain .server.com
Now all generated cookies will have the following form:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Domain=.server.com; Max-Age=3600
Use http-cookie-path to limit the cookies to a particular path. For example, to limit
cookies to the path /sales, enter:
set http-cookie-path /sales
Now all generated cookies will have the following form:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Domain=.server.com; Path=/sales; Max-Age=3600
Use http-cookie-age to change how long the browser caches the cookie. You can
enter an age in minutes or set the age to 0 to make the browser keep the cookie
indefinitely:
set http-cookie-age 0
Now all generated cookies will have the following form:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Domain=.server.com; Path=/sales


Use http-cookie-generation to invalidate all cookies that have already been
generated. The exact value of the generation is not important, only that it is different from
any generation that has already been used for cookies in this domain. The simplest
approach is to increment the generation by one each time invalidation is required. Since
the default is 0, enter the following to invalidate all existing cookies:
set http-cookie-generation 1
Use http-cookie-share {disable | same-ip} to control the sharing of cookies
across virtual servers in the same virtual domain. The default setting same-ip means that
any FGTServer cookie generated by one virtual server can be used by another virtual
server in the same virtual domain. For example, if you have an application that starts on
HTTP and then changes to HTTPS and you want to make sure that the same server is
used for the HTTP and HTTPS traffic then you can create two virtual servers, one for port
80 (for HTTP) and one for port 443 (for HTTPS). As long as you add the same real servers
to both of these virtual servers (and as long as both virtual servers have the same number
of real servers with the same IP addresses), then cookies generated by accessing the
HTTP server are reused when the application changes to the HTTPS server.
If for any reason you do not want this sharing to occur then select disable to make sure
that a cookie generated for a virtual server cannot be used by other virtual servers.
Use https-cookie-secure to enable or disable using secure cookies. Secure cookies
are disabled by default because secure cookies can interfere with cookie sharing across
HTTP and HTTPS virtual servers. If enabled, then the Secure tag is added to the cookie
inserted by the FortiGate unit:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Max-Age=3600; Secure
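Added example, not FortiOS code: Python that builds the FGTServer Set-Cookie header from the http-cookie-* options listed above and maps a returned cookie back to a real server, including generation-based invalidation and cookie sharing between virtual servers that use the same key. The HMAC-based opaque value and the constructed secret are assumptions; Fortinet does not publish the real encoding.

```python
"""FGTServer cookie persistence: building the Set-Cookie header from the
http-cookie-* options and mapping a returned cookie back to a real server.
Added illustration, not FortiOS code.  How FortiOS encodes the cookie value
is not published; here the value is an HMAC over (generation, server index)
under a constructed secret, so the value leaks nothing about internal
addresses and a generation bump invalidates every cookie already issued."""
import hashlib
import hmac


class CookiePersistence:
    def __init__(self, real_servers, secret, domain="", path="",
                 age_minutes=60, generation=0, secure=False):
        self.real_servers = list(real_servers)   # ordered list of real server IPs
        self.secret = secret                     # shared by virtual servers that
        self.domain = domain                     # share cookies (http-cookie-share same-ip)
        self.path = path
        self.age_minutes = age_minutes           # http-cookie-age; 0 = no Max-Age
        self.generation = generation             # http-cookie-generation
        self.secure = secure                     # https-cookie-secure

    def value_for(self, index):
        """Opaque cookie value naming real server `index` in this generation."""
        msg = ("%d:%d" % (self.generation, index)).encode()
        return hmac.new(self.secret, msg, hashlib.sha1).hexdigest().upper()

    def set_cookie_header(self, index):
        """The header inserted into a response that had no FGTServer cookie."""
        parts = ["FGTServer=" + self.value_for(index), "Version=1"]
        if self.domain:
            parts.append("Domain=" + self.domain)
        if self.path:
            parts.append("Path=" + self.path)
        if self.age_minutes:
            parts.append("Max-Age=%d" % (self.age_minutes * 60))
        if self.secure:
            parts.append("Secure")
        return "Set-Cookie: " + "; ".join(parts)

    def server_for_cookie(self, cookie_header):
        """Index of the real server a request's Cookie header points at, or
        None if there is no FGTServer cookie or it is from an old generation."""
        for piece in cookie_header.split(";"):
            name, _, value = piece.strip().partition("=")
            if name != "FGTServer":
                continue
            for index in range(len(self.real_servers)):
                if hmac.compare_digest(self.value_for(index), value):
                    return index
        return None

    def route(self, cookie_header, pick_new):
        """Returns (index, header_to_insert).  A valid cookie pins the session;
        otherwise the load balance method (pick_new) chooses and a cookie is
        injected into the response."""
        index = self.server_for_cookie(cookie_header or "")
        if index is not None:
            return index, None
        index = pick_new()
        return index, self.set_cookie_header(index)


if __name__ == "__main__":
    cp = CookiePersistence(["10.31.101.30", "10.31.101.40"], b"constructed-secret",
                           domain=".server.com", path="/sales")
    idx, hdr = cp.route("", pick_new=lambda: 1)
    print(hdr)
    cookie = hdr.split(": ", 1)[1].split(";")[0]      # what the browser sends back
    print(cp.route(cookie, pick_new=lambda: 0))       # (1, None): pinned to server 1
```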

SSL/TLS load balancing
In a firewall load balancing virtual server configuration, you can select SSL to load balance
only SSL and TLS sessions. The virtual server will load balance SSL and TLS sessions
received at the virtual server interface with destination IP address that matches the
configured virtual server IP and destination port number that matches the configured
virtual server port. Change this port to match the destination port of the sessions to be
load balanced.
For SSL load balancing you can also set persistence to SSL session ID. Persistence is
achieved by the FortiGate unit sending all sessions with the same SSL session ID to the
same real server. When you configure persistence, the FortiGate unit load balances a new
session to a real server according to the Load Balance Method. If the session has an SSL
session ID, the FortiGate unit sends all subsequent sessions with the same SSL session
ID to the same real server.

SSL offloading
Use SSL offloading to accelerate clients’ SSL or HTTPS connections to real servers by
using the FortiGate unit to perform SSL operations (offloading them from the real servers
using the FortiGate unit’s SSL acceleration hardware). FortiGate units can offload SSL 3.0
and TLS 1.0. SSL offloading is available on FortiGate units that support SSL acceleration.
To configure SSL offloading from the web-based manager go to Firewall > Load Balance >
Virtual Server. Add a virtual server and set the type to HTTPS or SSL and select the SSL
offloading type (Client <-> FortiGate or Client <-> FortiGate <-> Server).


Select Client <-> FortiGate to apply hardware accelerated SSL processing only to the part
of the connection between the client and the FortiGate unit. This mode is called half mode
SSL offloading. The segment between the FortiGate unit and the server will use clear text
communications. This results in best performance, but cannot be used in failover
configurations where the failover path does not have an SSL accelerator.
Select Client <-> FortiGate <-> Server to apply hardware accelerated SSL processing to
both parts of the connection: the segment between client and the FortiGate unit, and the
segment between the FortiGate unit and the server. This mode is called full mode SSL
offloading. The segment between the FortiGate unit and the server will use encrypted
communications, but the handshakes will be abbreviated. This results in performance
which is less than the other option, but still improved over communications without SSL
acceleration, and can be used in failover configurations where the failover path does not
have an SSL accelerator. If the server is already configured to use SSL, this also enables
SSL acceleration without requiring changes to the server’s configuration.
Figure 358: SSL Offloading modes
[Diagram of the two modes: Client <-> FortiGate (half mode) and Client <--> FortiGate
<--> Server (full mode). Elements shown: remote clients, Internet, FortiGate unit with SSL
accelerator, NAT router, web server cluster.]

Configuring SSL offloading also requires selecting a certificate to use for the SSL
offloading sessions. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are
not supported.
The following CLI command shows an example half mode HTTPS SSL offloading
configuration. In the example the ssl-mode option sets the SSL offload mode to half
(which is the default mode).
config firewall vip
  edit Vserver-ssl-offload
    set type server-load-balance
    set server-type https
    set ldb-method round-robin
    set extip 172.20.120.30
    set extintf wan1
    set extport 443
    set persistence ssl-session-id
    set ssl-mode half
    set ssl-certificate my-cert
    set monitor tcp-mon-1
    config realservers
      edit 1
        set ip 10.31.101.30
        set port 443
      next
      edit 2
        set ip 10.31.101.40
        set port 443
      end
  end

Additional SSL load balancing options
The following SSL load balancing and SSL offloading options are only available from the
CLI:
ssl-client-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for the segment of the SSL
connection between the client and the FortiGate unit.
ssl-client-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for the segment of the SSL
connection between the client and the FortiGate unit.
ssl-client-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when deciding to expire SSL sessions
for the segment of the SSL connection between the client and the FortiGate unit.
• both: Select to expire SSL session states when either ssl-client-session-state-max or
  ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
• count: Select to expire SSL session states when ssl-client-session-state-max is
  exceeded.
• disable: Select to keep no SSL session states.
• time: Select to expire SSL session states when ssl-client-session-state-timeout is
  exceeded.
ssl-dh-bits <bits_int>
Enter the number of bits of the prime number used in the Diffie-Hellman exchange for RSA
encryption of the SSL connection. Larger prime numbers are associated with greater
cryptographic strength.
ssl-http-location-conversion {enable | disable}
Select to replace http with https in the reply’s Location HTTP header field. For
example, in the reply, Location: http://example.com/ would be converted to
Location: https://example.com/
ssl-http-match-host {enable | disable}
Select to apply Location conversion to the reply’s HTTP header only if the host name
portion of Location matches the request’s Host field, or, if the Host field does not exist,
the host name portion of the request’s URI. If disabled, conversion occurs regardless of
whether the host names in the request and the reply match.

For example, if host matching is enabled, and a request contains Host: example.com
and the reply contains Location: http://example.cc/, the Location field does
not match the host of the original request and the reply’s Location field remains
unchanged. If the reply contains Location: http://example.com/, however, then
the FortiGate unit detects the matching host name and converts the reply field to
Location: https://example.com/.
This option appears only if ssl-http-location-conversion is enable.
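Added example, not FortiOS code: the Location conversion and host-matching rule above as a Python function, run against the example.com / example.cc headers from the text. Headers are modelled as (name, value) pairs and the request URI is only consulted when there is no Host header, as the text describes.

```python
"""ssl-http-location-conversion and ssl-http-match-host, as described above.
Added illustration of the rule, not FortiOS code.  Headers are given as
(name, value) pairs; the request URI is only consulted when there is no Host
header."""
from urllib.parse import urlsplit


def _host_only(authority):
    """Strips a port from a Host value such as example.com:8080."""
    return (urlsplit("//" + authority).hostname or "").lower()


def request_host(request_headers, request_uri):
    """Host header if present, otherwise the host part of an absolute request URI."""
    for name, value in request_headers:
        if name.lower() == "host":
            return _host_only(value.strip())
    return (urlsplit(request_uri).hostname or "").lower()


def convert_location(reply_headers, request_headers, request_uri, match_host=True):
    """Returns the reply headers with http:// changed to https:// in Location.
    With match_host the rewrite only happens when the Location host equals the
    request's host, so a redirect to another site is left alone."""
    wanted = request_host(request_headers, request_uri)
    out = []
    for name, value in reply_headers:
        if name.lower() == "location" and value.lower().startswith("http://"):
            target = (urlsplit(value).hostname or "").lower()
            if not match_host or target == wanted:
                value = "https://" + value[len("http://"):]
        out.append((name, value))
    return out


if __name__ == "__main__":
    req = [("Host", "example.com")]
    print(convert_location([("Location", "http://example.cc/")], req, "/"))
    print(convert_location([("Location", "http://example.com/")], req, "/"))
```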
ssl-max-version {ssl-3.0 | tls-1.0}
Enter the maximum version of SSL/TLS to accept in negotiation.
ssl-min-version {ssl-3.0 | tls-1.0}
Enter the minimum version of SSL/TLS to accept in negotiation.
ssl-send-empty-frags {enable | disable}
Select to precede the record with empty fragments to thwart attacks on CBC IV. You might
disable this option if SSL acceleration will be used with an old or buggy SSL
implementation which cannot properly handle empty fragments.
ssl-server-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for the segment of the SSL
connection between the server and the FortiGate unit.
ssl-server-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for the segment of the SSL
connection between the server and the FortiGate unit. This option appears only if ssl-mode
is full.
ssl-server-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when deciding to expire SSL sessions
for the segment of the SSL connection between the server and the FortiGate unit. This
option appears only if ssl-mode is full.


• both: Select to expire SSL session states when either ssl-server-session-state-max or
  ssl-server-session-state-timeout is exceeded, regardless of which occurs first.
• count: Select to expire SSL session states when ssl-server-session-state-max is
  exceeded.
• disable: Select to keep no SSL session states.
• time: Select to expire SSL session states when ssl-server-session-state-timeout is
  exceeded.
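The expiry rules behind the four ssl-server-session-state-type values, as an added Python example that is not FortiOS code: the cache class, its method names and the seconds-based clock passed as now are assumptions made for illustration; the option names and the minute-based timeout follow the text above.

```python
"""Model of the ssl-server-session-state-max / -timeout / -type options.
Added example, not FortiOS code; class and method names are assumptions."""
from collections import OrderedDict


class ServerSessionStateCache:
    """Keeps SSL session states for the FortiGate-to-server leg of an
    offloaded connection and expires them as the four state types describe."""

    def __init__(self, state_type="both", max_states=100, timeout_min=30):
        if state_type not in ("both", "count", "disable", "time"):
            raise ValueError("unknown ssl-server-session-state-type")
        self.state_type = state_type
        self.max_states = max_states        # ssl-server-session-state-max
        self.timeout = timeout_min * 60     # ssl-server-session-state-timeout is in minutes
        self._states = OrderedDict()        # session_id -> (master_key, created_at)

    def _expire_by_time(self, now):
        # Only "both" and "time" expire states by age.
        if self.state_type not in ("both", "time"):
            return
        for sid, (_, created) in list(self._states.items()):
            if now - created > self.timeout:
                del self._states[sid]

    def _expire_by_count(self):
        # Only "both" and "count" enforce the maximum number of states.
        if self.state_type not in ("both", "count"):
            return
        while len(self._states) > self.max_states:
            self._states.popitem(last=False)   # drop the oldest state first

    def store(self, session_id, master_key, now):
        """Record a newly negotiated server-side session; False if not kept."""
        if self.state_type == "disable":
            return False                       # keep no SSL session states at all
        self._states[session_id] = (master_key, now)
        self._expire_by_time(now)
        self._expire_by_count()
        return session_id in self._states

    def lookup(self, session_id, now):
        """Return the stored master key if the state is still valid, else None."""
        self._expire_by_time(now)
        entry = self._states.get(session_id)
        return entry[0] if entry else None

    def __len__(self):
        return len(self._states)
```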

SSL offloading support for Internet Explorer 6
In some cases the Internet Explorer 6 web browser may not be able to access real servers.
To resolve this issue, disable the ssl-send-empty-frags option:
  config firewall vip
    edit vip_name
      set ssl-send-empty-frags disable
  end
You can disable this option if SSL acceleration will be used with an old or buggy SSL
implementation that cannot properly handle empty fragments.

FortiOS™ Handbook FortiOS 4.0 MR2 Load Balancing
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback


Disabling SSL/TLS re-negotiation
The vulnerability CVE-2009-3555 affects all SSL/TLS servers that support re-negotiation.
FortiOS, when configured for SSL/TLS offloading, is operating as an SSL/TLS server. The
IETF is working on a TLS protocol change that will fix the problem identified by
CVE-2009-3555 while still supporting re-negotiation. Until that protocol change is
available, you can use the ssl-client-renegotiation option to disable support for
SSL/TLS re-negotiation. The default value of this option is allow, which allows an SSL
client to renegotiate. You can change the setting to deny to abort any attempts by an SSL
client to renegotiate. If you select deny, then as soon as a ClientHello message
indicating a renegotiation is received from the client, FortiOS terminates the TCP
connection.
Since SSL offloading does not support requesting client certificates, the only circumstance
in which a re-negotiation is required is when more than 2^32 bytes of data are exchanged
over a single handshake. If you are sure that this volume of traffic will not occur, then you
can disable re-negotiation and avoid any possibility of the attack described in
CVE-2009-3555.
The re-negotiation behavior can be tested using OpenSSL. The OpenSSL s_client
application has the feature that the user can request that it do a renegotiation by typing “R”.
For example, the following shows a successful re-negotiation against a FortiGate unit
configured with a VIP for 192.168.2.100:443:
$ openssl s_client -connect 192.168.2.100:443
CONNECTED(00000003)
depth=1 /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Fortigate/CN=FW80CM3909604325/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
 1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
---
Server certificate
-----BEGIN CERTIFICATE-----
---certificate not shown---
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Fortigate/CN=FW80CM3909604325/emailAddress=support@fortinet.com
issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
---
No client certificate CA names sent
---
SSL handshake has read 2370 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 02781E1E368DCCE97A95396FAA82E8F740F5BBA96CF022F6FEC3597B0CC88095
    Session-ID-ctx:
    Master-Key: A6BBBD8477A2422D56E57C1792A4EA9C86F37D731E67D0A66E5CDB2B5C76650780C0E7F01CFF851EC4466186F4C48397
    Key-Arg   : None
    Start Time: 1264453027
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
GET /main.c HTTP/1.0
R
RENEGOTIATING
depth=1 /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
HTTP/1.0 200 ok
Content-type: text/plain
/*
 * Copyright (C) 2004-2007 Fortinet
 */
#include <stdio.h>
#include "vsd_ui.h"
int main(int argc, char **argv)
{
    return vsd_ui_main(argc, argv);
}
closed
$
The following is the same test, but this time with the VIP configuration changed to ssl-client-renegotiation deny:
$ openssl s_client -connect 192.168.2.100:443
CONNECTED(00000003)
depth=1 /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Fortigate/CN=FW80CM3909604325/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
 1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
---
Server certificate
-----BEGIN CERTIFICATE-----
---certificate not shown---
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Fortigate/CN=FW80CM3909604325/emailAddress=support@fortinet.com
issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
---
No client certificate CA names sent
---
SSL handshake has read 2370 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 8253331D266DDE38E4D8A04AFCA9CBDED5B1134932CE1718EED6469C1FBC7474
    Session-ID-ctx:
    Master-Key: ED05A3EF168AF2D06A486362FE91F1D6CAA55CEFC38A3C36FB8BD74236BF2657D4701B6C1456CEB5BB5EFAA7619EF12D
    Key-Arg   : None
    Start Time: 1264452957
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
GET /main.c HTTP/1.0
R
RENEGOTIATING
19916:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
Use the following command to check the SSL stats to see that the renegotiations
blocked counter is now 1:
firewall vip virtual-server stats ssl
ssl
  client
    connections total 0 active 0 max 0
    handshakes total 4 active 0 max 0 completed 4 abbreviated 0
    session states total 4 active 4 max 4
    cipher-suite failures 0
    embryonics total 0 active 0 max 0 terminated 0
    renegotiations blocked 1
  server
    connections total 0 active 0 max 0
    handshakes total 3 active 0 max 0 completed 2 abbreviated 1
    session states total 1 active 1 max 1
    cipher-suite failures 0
    internal error 0
    bad handshake length 0
    bad change cipher spec length 0
    pubkey too big 0
  persistence
    find 0 found 0 clash 0 addr 0 error 0
If the virtual server debug log is examined (diag debug appl vs -1), then at the point the
renegotiation is blocked there is a log entry such as the following:
vs ssl 12 handshake recv ClientHello
vs ssl 12 handshake recv 1
(0100005403014b5e056c7f573a563bebe0258c3254bbaff7046a461164f34f94f
4f3d019c41800002600390038003500160013000a00330032002f0005000400150
012000900140011000800060003020100000400230000)
vs ssl 12 client renegotiation attempted rejected, abort
vs ssl 12 closing 0 up
vs src 12 close 0 in
vs src 12 error closing
vs dst 14 error closing
vs dst 14 closed
vs ssl 14 close
vs sock 14 free
vs src 12 closed
vs ssl 12 close
vs sock 12 free
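As an added Python example (not FortiOS code), the following parses the stats output and the vs debug log lines shown above so a monitoring job can report blocked client renegotiations; the sample text is copied from the output above, while the function names and the flattened "section.counter" key format are assumptions made for illustration.

```python
"""Parse FortiGate SSL virtual-server stats and vs debug output to detect
blocked client renegotiations. Added example, not FortiOS code."""
import re

# Sample output of "firewall vip virtual-server stats ssl", copied from the handbook.
STATS_SAMPLE = """\
ssl
client
connections total 0 active 0 max 0
handshakes total 4 active 0 max 0 completed 4 abbreviated 0
session states total 4 active 4 max 4
cipher-suite failures 0
embryonics total 0 active 0 max 0 terminated 0
renegotiations blocked 1
server
connections total 0 active 0 max 0
handshakes total 3 active 0 max 0 completed 2 abbreviated 1
session states total 1 active 1 max 1
cipher-suite failures 0
internal error 0
bad handshake length 0
bad change cipher spec length 0
pubkey too big 0
persistence
find 0 found 0 clash 0 addr 0 error 0
"""

# Sample "diag debug appl vs -1" lines while a renegotiation is rejected (from the handbook).
DEBUG_SAMPLE = """\
vs ssl 12 handshake recv ClientHello
vs ssl 12 handshake recv 1
vs ssl 12 client renegotiation attempted rejected, abort
vs ssl 12 closing 0 up
vs src 12 close 0 in
vs ssl 14 close
"""

SECTIONS = {"client", "server", "persistence"}
RENEG_REJECT = re.compile(r"^vs ssl (\d+) client renegotiation attempted rejected")


def parse_ssl_stats(text):
    """Flatten the counter output into {"client.renegotiations.blocked": 1, ...}.

    A line is a run of words followed by (name, number) pairs; a line that is
    just a section word ("client", "server", "persistence") opens a section.
    """
    stats = {}
    section = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if len(tokens) == 1 and tokens[0] in SECTIONS:
            section = tokens[0]
            continue
        prefix = []
        for tok in tokens:
            if tok.isdigit():
                if not prefix:
                    raise ValueError("number without a counter name: %r" % raw)
                field = prefix.pop()          # the word right before the number
                key = ".".join(([section] if section else []) + prefix + [field])
                stats[key] = int(tok)
            else:
                prefix.append(tok)
    return stats


def blocked_renegotiations(stats):
    """Value of the client-side 'renegotiations blocked' counter (0 if absent)."""
    return stats.get("client.renegotiations.blocked", 0)


def rejected_connections(debug_text):
    """Connection ids for which the vs debug log records a rejected renegotiation."""
    ids = []
    for line in debug_text.splitlines():
        m = RENEG_REJECT.match(line.strip())
        if m:
            ids.append(int(m.group(1)))
    return ids


def renegotiation_alert(previous_stats, current_stats):
    """Monitoring rule: how many client renegotiations the VIP blocked since the
    previous poll. A rising counter shows clients are still asking the VIP to
    renegotiate, which deny refuses (see CVE-2009-3555 above)."""
    delta = blocked_renegotiations(current_stats) - blocked_renegotiations(previous_stats)
    return max(delta, 0)


if __name__ == "__main__":
    stats = parse_ssl_stats(STATS_SAMPLE)
    print("renegotiations blocked:", blocked_renegotiations(stats))
    print("rejected connections in debug log:", rejected_connections(DEBUG_SAMPLE))
```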


IP, TCP, and UDP load balancing
You can load balance all IP, TCP or UDP sessions accepted by the firewall policy that
includes a load balancing virtual server with the type set to IP, TCP, or UDP. Traffic with
destination IP and port that matches the virtual server IP and port is load balanced. For
these protocol-level load balancing virtual servers you can select a load balance method
and add real servers and health checking. However, you can’t configure persistence,
HTTP multiplexing and SSL offloading.

Load balancing configuration examples
This chapter includes the following examples:
• Example: HTTP load balancing to three real web servers
• Example: Basic IP load balancing configuration
• Example: Adding a server load balance port forwarding virtual IP
• Example: Weighted load balancing configuration
• Example: HTTP and HTTPS persistence configuration

Example: HTTP load balancing to three real web servers
In this example, the virtual web server IP address 192.168.37.4 on the Internet is mapped
to three real web servers connected to the FortiGate unit dmz1 interface. The real servers
have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses
the First Alive load balancing method. The configuration also includes an HTTP health
check monitor that includes a URL used by the FortiGate unit for get requests to monitor
the health of the real servers.
Connections to the virtual web server at IP address 192.168.37.4 from the Internet are
translated and load balanced to the real servers by the FortiGate unit. First alive load
balancing directs all sessions to the first real server. The computers on the Internet are
unaware of this translation and load balancing and see a single virtual server at IP
address 192.168.37.4 rather than the three real servers behind the FortiGate unit.
Figure 359: Virtual server configuration example
[Figure: a client (Client IP 172.199.190.25) on the Internet sends packets with destination IP
192.168.37.4 to the HTTP load balancing virtual server (Virtual Server IP 192.168.37.4) on the
FortiGate unit; the FortiGate unit forwards them from its dmz1 interface (dmz1 IP 10.10.10.2)
to the real HTTP servers 10.10.10.42, 10.10.10.43 and 10.10.10.44 on the DMZ network
(Source IP 10.10.10.2, Destination IP Range 10.10.10.[42-44]).]

Web-based manager configuration
Use the following procedures to configure this load balancing setup from the web-based
manager.


To add an HTTP health check monitor
In this example, the HTTP health check monitor includes the URL “/index.html” and the
Matched Phrase “Fortinet products”.
1 Go to Firewall > Load Balance > Health Check Monitor.
2 Select Create New.
3 Add an HTTP health check monitor that sends get requests to
http://<real_server_IP_address>/index.html and searches the returned web page for
the phrase “Fortinet products”.
    Name                HTTP_health_chk_1
    Type                HTTP
    Port                80
    URL                 /index.html
    Matched Content     Fortinet products
    Interval            10 seconds
    Timeout             2 seconds
    Retry               3
4 Select OK.
To add the HTTP virtual server
1 Go to Firewall > Load Balance > Virtual Server.
2 Select Create New.
3 Add an HTTP virtual server that allows users on the Internet to connect to the real
servers on the internal network. In this example, the FortiGate wan1 interface is
connected to the Internet.
    Name                 Load_Bal_VS1
    Type                 HTTP
    Interface            wan1
    Virtual Server IP    192.168.37.4
                         The public IP address of the web server.
                         The virtual server IP address is usually a static IP address
                         obtained from your ISP for your web server. This address must be
                         a unique IP address that is not used by another host and cannot be
                         the same as the IP address of the external interface the virtual IP
                         will be using. However, the external IP address must be routed to
                         the selected interface. The virtual IP address and the external IP
                         address can be on different subnets. When you add the virtual IP,
                         the external interface responds to ARP requests for the external IP
                         address.
    Virtual Server Port  80
    Load Balance Method  First Alive
    Persistence          HTTP cookie
    HTTP Multiplexing    Select.
                         The FortiGate unit multiplexes multiple client connections into a
                         few connections between the FortiGate unit and each real HTTP
                         server. This can improve performance by reducing server
                         overhead associated with establishing multiple connections.
    Preserve Client IP   Select.
                         The FortiGate unit preserves the IP address of the client in the
                         X-Forwarded-For HTTP header.
    Health Check         Move the HTTP_health_chk_1 health check monitor to the
                         Selected list.
4 Select OK.
To add the real servers and associate them with the virtual server
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server Load_Bal_VS1. Each real
server must include the IP address of a real server on the internal network.
Configuration for the first real server.
    Virtual Server         Load_Bal_VS1
    IP                     10.10.10.42
    Port                   80
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
                           Setting Maximum Connections to 0 means the FortiGate unit does
                           not limit the number of connections to the real server. Since the
                           virtual server uses First Alive load balancing you may want to limit
                           the number of connections to each real server to limit the traffic
                           received by each server. In this example, the Maximum
                           Connections is initially set to 0 but can be adjusted later if the real
                           servers are getting too much traffic.
Configuration for the second real server.
    Virtual Server         Load_Bal_VS1
    IP                     10.10.10.43
    Port                   80
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
                           Setting Maximum Connections to 0 means the FortiGate unit does
                           not limit the number of connections to the real server. Since the
                           virtual server uses First Alive load balancing you may want to limit
                           the number of connections to each real server to limit the traffic
                           received by each server. In this example, the Maximum
                           Connections is initially set to 0 but can be adjusted later if the real
                           servers are getting too much traffic.
Configuration for the third real server.
    Virtual Server         Load_Bal_VS1
    IP                     10.10.10.44
    Port                   80
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
                           Setting Maximum Connections to 0 means the FortiGate unit does
                           not limit the number of connections to the real server. Since the
                           virtual server uses First Alive load balancing you may want to limit
                           the number of connections to each real server to limit the traffic
                           received by each server. In this example, the Maximum
                           Connections is initially set to 0 but can be adjusted later if the real
                           servers are getting too much traffic.

To add the virtual server to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual server so that when users on the
Internet attempt to connect to the web server’s IP address, packets pass through the
FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the
destination address of these packets from the virtual server IP address to the real server
IP addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:
    Source Interface/Zone        wan1
    Source Address               all (or a more specific address)
    Destination Interface/Zone   dmz1
    Destination Address          Load_Bal_VS1
    Schedule                     always
    Service                      HTTP
    Action                       ACCEPT
    Log Allowed Traffic          Select to log virtual server traffic
    NAT                          Enable NAT
4 Select other firewall options as required.
5 Select OK.

CLI configuration
Use the following procedure to configure this load balancing setup from the CLI.
To configure HTTP load balancing
1 Use the following command to add an HTTP health check monitor that sends get
requests to http://<real_server_IP_address>/index.html and searches the returned
web page for the phrase “Fortinet products”.
  config firewall ldb-monitor
    edit HTTP_health_chk_1
      set type http
      set port 80
      set http-get /index.html
      set http-match "Fortinet products"
      set interval 10
      set timeout 2
      set retry 3
  end
2 Use the following command to add an HTTP virtual server that allows users on the
Internet to connect to the real servers on the internal network. In this example, the
FortiGate wan1 interface is connected to the Internet.
  config firewall vip
    edit Load-Bal_VS1
      set type server-load-balance
      set server-type http
      set ldb-method first-alive
      set http-multiplex enable
      set http-ip-header enable
      set extip 192.168.37.4
      set extintf wan1
      set extport 80
      set persistence http-cookie
      set monitor HTTP_health_chk_1
      config realservers
        edit 1
          set ip 10.10.10.42
          set port 80
        next
        edit 2
          set ip 10.10.10.43
          set port 80
        next
        edit 3
          set ip 10.10.10.44
          set port 80
      end
  end
3 Use the following command to add a firewall policy that includes the load balance
virtual server as the destination address.
  config firewall policy
    edit 0
      set srcintf wan1
      set srcaddr all
      set dstintf dmz1
      set dstaddr Load-Bal_VS1
      set action accept
      set schedule always
      set service ANY
      set nat enable
  end
Configure other firewall policy settings as required.

Example: Basic IP load balancing configuration
This example shows how to add a server load balancing virtual IP that load balances all
traffic among 3 real servers. In the example the Internet is connected to port2 and the
virtual IP address of the virtual server is 192.168.20.20. The load balancing method is
weighted. The IP addresses of the real servers are 10.10.10.1, 10.10.10.2, and
10.10.10.3. The weights for the real servers are 1, 2, and 3. The default weight is 1 and
does not have to be changed for the first real server.
  config firewall vip
    edit All_Load_Balance
      set type server-load-balance
      set server-type ip
      set extintf port2
      set extip 192.168.20.20
      set ldb-method weighted
      config realservers
        edit 1
          set ip 10.10.10.1
        next
        edit 2
          set ip 10.10.10.2
          set weight 2
        next
        edit 3
          set ip 10.10.10.3
          set weight 3
      end
  end

Example: Adding a server load balance port forwarding virtual IP
This example is the same as the example described in “Example: HTTP load balancing to
three real web servers” on page 2133 except that each real server accepts HTTP
connections on a different port number. The first real server accepts connections on port
8080, the second on port 8081, and the third on 8082.
Figure 360: Server load balance virtual IP port forwarding
[Figure: a client (Client IP 172.199.190.25) sends packets with destination IP 192.168.37.4,
port 80, to the HTTP load balancing virtual server (Virtual Server IP 192.168.37.4) on the
FortiGate unit; the FortiGate unit forwards them from its dmz1 interface (dmz1 IP 10.10.10.2)
to the real HTTP servers 10.10.10.42, 10.10.10.43 and 10.10.10.44 on the DMZ network
(Source IP 10.10.10.2, Destination IP Range 10.10.10.[42-44], Port Range 8080 - 8082).]

To complete this configuration, all of the steps would be the same as in “Example: HTTP
load balancing to three real web servers” on page 2133 except for configuring the real
servers.
To add the real servers and associate them with the virtual server
Use the following steps to configure the FortiGate unit to port forward HTTP packets to the
three real servers on ports 8080, 8081, and 8082.
1 Go to Firewall & gt; Load Balance & gt; Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server Load_Bal_VS1. Each real
server must include the IP address of a real server on the internal network and have a
different port number.
Configuration for the first real server.
    Virtual Server         Load_Bal_VS1
    IP                     10.10.10.42
    Port                   8080
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
Configuration for the second real server.
    Virtual Server         Load_Bal_VS1
    IP                     10.10.10.43
    Port                   8081
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
Configuration for the third real server.
    Virtual Server         Load_Bal_VS1
    IP                     10.10.10.44
    Port                   8082
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0

Example: Weighted load balancing configuration
This example shows how to use firewall load balancing to load balance all traffic among
3 real servers. In the example the Internet is connected to port2 and the virtual IP
address of the virtual server is 192.168.20.20. The load balancing method is weighted.
The IP addresses of the real servers are 10.10.10.1, 10.10.10.2, and 10.10.10.3. The
weights for the real servers are 1, 2, and 3.
This configuration does not include a health check monitor.

Web-based manager configuration
Use the following procedures to configure this load balancing setup from the web-based
manager.
To add the HTTP virtual server
1 Go to Firewall & gt; Load Balance & gt; Virtual Server.
2 Select Create New.
3 Add an IP virtual server that allows users on the Internet to connect to the real servers
on the internal network. In this example, the FortiGate port2 interface is connected to
the Internet.

    Name                 HTTP_weghted_LB
    Type                 IP
    Interface            port2
    Virtual Server IP    192.168.20.20
    Load Balance Method  Weighted
All other virtual server settings are not required or cannot be changed.
4 Select OK.
To add the real servers and associate them with the virtual server
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server All_Load_Balance.
Because the Load Balancing Method is Weighted, each real server includes a weight.
Servers with a greater weight receive a greater proportion of forwarded connections.
Configuration for the first real server.
    Virtual Server         HTTP_weghted_LB
    IP                     10.10.10.1
    Port                   Cannot be configured because the virtual server is an IP server.
    Weight                 1
    Maximum Connections    0
                           Setting Maximum Connections to 0 means the FortiGate unit does
                           not limit the number of connections to the real server. Since the
                           virtual server uses First Alive load balancing you may want to limit
                           the number of connections to each real server to limit the traffic
                           received by each server. In this example, the Maximum
                           Connections is initially set to 0 but can be adjusted later if the real
                           servers are getting too much traffic.
Configuration for the second real server.
    Virtual Server         HTTP_weghted_LB
    IP                     10.10.10.2
    Port                   Cannot be configured because the virtual server is an IP server.
    Weight                 2
    Maximum Connections    0
                           Setting Maximum Connections to 0 means the FortiGate unit does
                           not limit the number of connections to the real server. Since the
                           virtual server uses First Alive load balancing you may want to limit
                           the number of connections to each real server to limit the traffic
                           received by each server. In this example, the Maximum
                           Connections is initially set to 0 but can be adjusted later if the real
                           servers are getting too much traffic.
Configuration for the third real server.
    Virtual Server         HTTP_weghted_LB
    IP                     10.10.10.3
    Port                   Cannot be configured because the virtual server is an IP server.
    Weight                 3
    Maximum Connections    0
                           Setting Maximum Connections to 0 means the FortiGate unit does
                           not limit the number of connections to the real server. Since the
                           virtual server uses First Alive load balancing you may want to limit
                           the number of connections to each real server to limit the traffic
                           received by each server. In this example, the Maximum
                           Connections is initially set to 0 but can be adjusted later if the real
                           servers are getting too much traffic.

To add the virtual server to a firewall policy
Add a port2 to port1 firewall policy that uses the virtual server so that when users on the
Internet attempt to connect to the web server’s IP address, packets pass through the
FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the
destination address of these packets from the virtual server IP address to the real server
IP addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:
    Source Interface/Zone        port2
    Source Address               all (or a more specific address)
    Destination Interface/Zone   port1
    Destination Address          HTTP_weghted_LB
    Schedule                     always
    Service                      ANY
    Action                       ACCEPT
    NAT                          Select
4 Select other firewall options as required.
5 Select OK.

CLI configuration
Load balancing is configured from the CLI using the config firewall vip command
and by setting type to server-load-balance. The default weight is 1 and does not
have to be changed for the first real server.
Use the following command to add the virtual server and the three weighted real servers.
  config firewall vip
    edit HTTP_weghted_LB
      set type server-load-balance
      set server-type ip
      set extintf port2
      set extip 192.168.20.20
      set ldb-method weighted
      config realservers
        edit 1
          set ip 10.10.10.1
        next
        edit 2
          set ip 10.10.10.2
          set weight 2
        next
        edit 3
          set ip 10.10.10.3
          set weight 3
      end
  end
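The First Alive method of the HTTP example and the Weighted method of the basic IP and weighted examples, modelled in Python as an added example that is not FortiOS code: the class and function names, the smooth weighted selection, and the way a real server at its Maximum Connections is skipped are assumptions made for illustration; the addresses, weights and the Retry count of the health check monitor are those of the examples above.

```python
"""Model of the first-alive and weighted ldb-methods with a retry-counting
health check. Added example, not FortiOS code; names are assumptions."""
from dataclasses import dataclass


@dataclass
class RealServer:
    ip: str
    port: int = 80
    weight: int = 1            # default weight 1, as the handbook notes
    max_connections: int = 0   # 0 = the unit does not limit connections
    retry: int = 3             # Retry setting of the health check monitor
    failures: int = 0
    alive: bool = True
    active: int = 0

    def record_probe(self, matched):
        """Apply one health-check result: True when the GET for the monitor URL
        returned the Matched Content phrase, False on timeout or mismatch."""
        if matched:
            self.failures = 0
            self.alive = True
        else:
            self.failures += 1
            if self.failures >= self.retry:
                self.alive = False     # down after `retry` consecutive failures

    def accepts(self):
        return self.alive and (self.max_connections == 0 or self.active < self.max_connections)


class VirtualServer:
    """A server-load-balance VIP with ldb-method first-alive or weighted."""

    def __init__(self, extip, extport, ldb_method, realservers):
        if ldb_method not in ("first-alive", "weighted"):
            raise ValueError("this example models first-alive and weighted only")
        self.extip, self.extport = extip, extport
        self.ldb_method = ldb_method
        self.realservers = list(realservers)
        self._credit = {rs.ip: 0 for rs in self.realservers}

    def select(self):
        """Pick the real server for a new session, or None if none can take it."""
        candidates = [rs for rs in self.realservers if rs.accepts()]
        if not candidates:
            return None
        if self.ldb_method == "first-alive":
            return candidates[0]          # every session goes to the first live server
        return self._weighted(candidates)

    def _weighted(self, candidates):
        # Smooth weighted round robin: each candidate earns its weight per pick,
        # the richest one is chosen and pays back the total weight, so over
        # weight_sum picks the servers receive exactly weight-proportional shares.
        total = sum(rs.weight for rs in candidates)
        for rs in candidates:
            self._credit[rs.ip] += rs.weight
        best = max(candidates, key=lambda rs: self._credit[rs.ip])
        self._credit[best.ip] -= total
        return best

    def open_session(self):
        rs = self.select()
        if rs is not None:
            rs.active += 1
        return rs


def distribute(vs, sessions):
    """Open `sessions` sessions and count how many each real server received."""
    counts = {rs.ip: 0 for rs in vs.realservers}
    for _ in range(sessions):
        rs = vs.open_session()
        if rs is None:
            break
        counts[rs.ip] += 1
    return counts


def http_first_alive_vip():
    """Load_Bal_VS1 from the HTTP example: 192.168.37.4:80 -> 10.10.10.42-44."""
    return VirtualServer("192.168.37.4", 80, "first-alive",
                         [RealServer("10.10.10.42"), RealServer("10.10.10.43"),
                          RealServer("10.10.10.44")])


def weighted_ip_vip():
    """The weighted IP examples: 192.168.20.20 with real server weights 1, 2, 3."""
    return VirtualServer("192.168.20.20", 0, "weighted",
                         [RealServer("10.10.10.1", port=0, weight=1),
                          RealServer("10.10.10.2", port=0, weight=2),
                          RealServer("10.10.10.3", port=0, weight=3)])


if __name__ == "__main__":
    vs = http_first_alive_vip()
    print("first-alive, all up:", distribute(vs, 5))
    for _ in range(3):
        vs.realservers[0].record_probe(False)     # monitor fails 3 times in a row
    print("first-alive, .42 down:", distribute(vs, 5))
    print("weighted 1/2/3 over 12 sessions:", distribute(weighted_ip_vip(), 12))
```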

Example: HTTP and HTTPS persistence configuration
This example shows how to add a virtual server named Http_Load_Balance that load
balances HTTP traffic using port 80 and a second virtual server named
Https_Load_Balance that load balances HTTPS traffic using port 443. The Internet is
connected to port2 and the virtual IP address of the virtual server is 192.168.20.20. Both
server load balancing virtual IPs load balance sessions to the same three real servers with
IP addresses 10.10.10.2, 10.10.10.2, and 10.10.10.3. The real servers provide HTTP and
HTTPS services.
For both virtual servers, persistence is set to HTTP Cookie to enable HTTP cookie
persistence.
To add the HTTP and HTTPS virtual servers
1 Go to Firewall > Load Balance > Virtual Server.
2 Add the HTTP virtual server that includes HTTP Cookie persistence.
    Name                 HTTP_Load_Balance
    Type                 HTTP
    Interface            port2
    Virtual Server IP    192.168.20.20
    Virtual Server Port  80
                         In this example the virtual server uses port 8080 for HTTP
                         sessions instead of port 80.
    Load Balance Method  Static
    Persistence          HTTP cookie
3 Select OK.
4 Select Create New.
5 Add the HTTPS virtual server that also includes HTTP Cookie persistence.
    Name                 HTTPS_Load_Balance
    Type                 HTTPS
    Interface            port2
    Virtual Server IP    192.168.20.20
    Virtual Server Port  443
    Load Balance Method  Static
    Persistence          HTTP cookie
6 Select OK.

To add the real servers and associate them with the virtual servers
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers for HTTP that include the virtual server
HTTP_Load_Balance.
Configuration for the first HTTP real server.
    Virtual Server         HTTP_Load_Balance
    IP                     10.10.10.1
    Port                   80
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
Configuration for the second HTTP real server.
    Virtual Server         HTTP_Load_Balance
    IP                     10.10.10.2
    Port                   80
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
Configuration for the third HTTP real server.
    Virtual Server         HTTP_Load_Balance
    IP                     10.10.10.3
    Port                   80
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
4 Configure three real servers for HTTPS that include the virtual server
HTTPS_Load_Balance.
Configuration for the first HTTPS real server.
    Virtual Server         HTTP_Load_Balance
    IP                     10.10.10.1
    Port                   443
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
Configuration for the second HTTPS real server.
    Virtual Server         HTTP_Load_Balance
    IP                     10.10.10.2
    Port                   443
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0
Configuration for the third HTTPS real server.
    Virtual Server         HTTPS_Load_Balance
    IP                     10.10.10.3
    Port                   443
    Weight                 Cannot be configured because the virtual server does not include
                           weighted load balancing.
    Maximum Connections    0

To add the virtual servers to firewall policies
Add a port2 to port1 firewall policy that uses the virtual server so that when users on the
Internet attempt to connect to the web server’s IP address, packets pass through the
FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the
destination address of these packets from the virtual server IP address to the real server
IP addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the HTTP firewall policy:
    Source Interface/Zone        port2
    Source Address               all
    Destination Interface/Zone   port1
    Destination Address          HTTP_Load_Balance
    Schedule                     always
    Service                      HTTP
    Action                       ACCEPT
    NAT                          Enable NAT
4 Select other firewall options as required.
5 Select OK.
6 Select Create New.
7 Configure the HTTPS firewall policy:
    Source Interface/Zone        port2
    Source Address               all
    Destination Interface/Zone   port1
    Destination Address          HTTPS_Load_Balance
    Schedule                     always
    Service                      HTTPS
    Action                       ACCEPT
    NAT                          Enable NAT
8 Select other firewall options as required.
9 Select OK.

CLI configuration: adding persistence for a specific domain
Load balancing is configured from the CLI using the config firewall vip command
and by setting type to server-load-balance.
For the CLI configuration, both virtual servers include setting http-cookie-domain to
.example.org because HTTP cookie persistence is just required for the example.org
domain.
First, the configuration for the HTTP virtual IP:
config firewall vip
    edit HTTP_Load_Balance
        set type server-load-balance
        set server-type http
        set extport 8080
        set extintf port2
        set extip 192.168.20.20
        set persistence http-cookie
        set http-cookie-domain .example.org
        config realservers
            edit 1
                set ip 10.10.10.1
            next
            edit 2
                set ip 10.10.10.2
            next
            edit 3
                set ip 10.10.10.3
        end
end
Second, the configuration for the HTTPS virtual IP. In this configuration you don’t have to
set extport to 443 because extport is automatically set to 443 when server-type
is set to https.
config firewall vip
    edit HTTPS_Load_Balance
        set type server-load-balance
        set server-type https
        set extport 443
        set extintf port2
        set extip 192.168.20.20
        set persistence http-cookie
        set http-cookie-domain .example.org
        config realservers
            edit 1
                set ip 10.10.10.1
            next
            edit 2
                set ip 10.10.10.2
            next
            edit 3
                set ip 10.10.10.3
        end
end
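To make concrete what the persistence http-cookie and http-cookie-domain settings above ask a virtual server to do, here is an added Python model of cookie-based persistence. It is not FortiGate code and does not reproduce FortiGate's cookie format: the real-server addresses and the .example.org domain are taken from the example, while the cookie name SRV_ID, its opaque index value and the Set-Cookie layout are assumptions of the model.

```python
"""Toy model of HTTP cookie persistence in front of a real-server pool.

Added illustration, not FortiGate code: it mimics what the two virtual
servers above configure (persistence http-cookie with http-cookie-domain
.example.org) using a plain round-robin balancer. The cookie name
"SRV_ID", the opaque cookie value and the header layout are this model's
own assumptions; the real servers come from the example.
"""
from itertools import cycle

REAL_SERVERS = ["10.10.10.1", "10.10.10.2", "10.10.10.3"]  # from the example above
COOKIE_NAME = "SRV_ID"          # assumed name; the page does not give the real one
COOKIE_DOMAIN = ".example.org"  # http-cookie-domain from the example


def parse_cookie_header(header):
    """Turn 'a=1; b=2' (a Cookie request header value) into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


class CookiePersistentBalancer:
    """Round robin for new clients; returning clients stick to their server."""

    def __init__(self, servers, cookie_domain):
        self._servers = list(servers)
        self._rr = cycle(range(len(self._servers)))
        self._domain = cookie_domain

    def _host_in_domain(self, host):
        # A leading-dot domain such as ".example.org" covers the bare name
        # and every subdomain; unrelated hosts get no persistence cookie.
        bare = self._domain.lstrip(".")
        return host == bare or host.endswith(self._domain)

    def route(self, host, cookie_header=""):
        """Return (real_server_ip, Set-Cookie value or None) for one request."""
        if self._host_in_domain(host):
            pinned = parse_cookie_header(cookie_header).get(COOKIE_NAME)
            # Only honour a cookie that names a pool member; anything else
            # (tampered, stale) falls back to a fresh round-robin choice.
            if pinned is not None and pinned.isdigit() and int(pinned) < len(self._servers):
                return self._servers[int(pinned)], None
            idx = next(self._rr)
            set_cookie = f"{COOKIE_NAME}={idx}; Domain={self._domain}; Path=/"
            return self._servers[idx], set_cookie
        # Host outside the configured domain: balance without persistence.
        return self._servers[next(self._rr)], None
```

The model stores an opaque pool index in the cookie rather than the real server's address, so a client never learns internal addresses, and it ignores any cookie value that does not name a pool member, so a tampered cookie only costs that client its stickiness.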


Chapter 20 Hardware Acceleration
This FortiOS Handbook chapter contains the following sections:
• FortiGate hardware accelerated processing describes packet processing differences
for the network processing path accelerated by a specialized network processor chip.
• Examples contains sample configurations and network topologies whose traffic
processing is accelerated by the network processor contained in an installed
FortiGate-ASM-FB4 AMC module.


FortiGate hardware accelerated processing
Many FortiGate models can offload some types of network traffic processing from main
processing resources to specialized network processors. If your network has a significant
volume of traffic that is suitable for offloading, this hardware acceleration can significantly
improve your network throughput.
Some FortiGate models incorporate network processors in the main unit, others support
the addition of AMC (Advanced Mezzanine Card) modules. The FortiGate-5000 series
supports rear transition modules (RTMs) that incorporate network processors.
This chapter contains the following topics:
• How hardware acceleration alters packet flow
• Network processors overview
• Content processors overview
• Security processing modules overview
• Configuring overall security priorities
• Configuring traffic offloading
• Configuring IPsec VPN offloading
• Configuring IPS offloading

How hardware acceleration alters packet flow
Hardware acceleration generally alters packet processing flow as follows:
1 Packets initiating a session pass to the FortiGate unit’s main processing resources.
2 The FortiGate unit assesses whether the session matches fast path (offload)
requirements.
To be suitable for offloading, traffic must possess only characteristics that can be
processed by the fast path. For a list of requirements, see “Configuring traffic
offloading” on page 2156.
If the traffic is categorized as fast path friendly, the FortiGate unit sends the session
key or IPsec security association (SA) and configured processing action to the network
processor(s).
3 Network processors continuously match packets arriving on their attached ports
against the session keys and SAs they have received from the FortiGate unit’s main
processing resources.
• If a network processor’s network interface is configured to perform hardware
accelerated anomaly checks, the network processor drops or accepts packets which
match the configured anomaly patterns. These checks are separate from and in
advance of anomaly checks performed by IPS, which is not compatible with network
processor offloading. See “Configuring pre-IPS anomaly detection” on page 2165.

• The network processor next checks for a matching session key or SA. If a matching
session key or SA is found, and if the packet meets packet requirements, the
network processor processes the packet according to the configured action and
then sends the resulting packet. Packet processing is hardware accelerated.
• If a matching session key or SA is not found, or if the packet does not meet packet
requirements, the traffic cannot be offloaded. The network processor sends the data
to the FortiGate unit’s main processing resources, which process the packet. Packet
processing is similar to normal network interfaces (that is, packet processing is not
hardware accelerated by the network processor, and requires main processing
resources). Packet forwarding occurs at normal rates.
Note: Network processors do not count offloaded packets, and offloaded packets will not
be included in traffic statistics, such as FortiAnalyzer traffic reports.
Figure 361: Deciding the packet flow for accelerated interfaces
(Flow chart. The decision path it shows, starting when a packet arrives at the NP interface:)
1 Does the packet contain known anomalies? Yes: discard the packet. No: continue.
2 Is this session fast-path compatible? No: send the packet to the CPU for processing.
Yes: continue.
3 Does this packet match a known session key or IPsec SA? Yes: the packet follows the
fast path. No: send the packet to the CPU for processing, and the session key or IPsec
SA is sent to the NPU.

Some traffic processing can still be hardware accelerated, even though it does not meet
general offloading requirements. For example, some IPsec traffic originates from the
FortiGate unit itself and does not follow the offloading requirement of ingress from a
network processor’s network interface, but FortiGate units can still utilize network
processor encryption capabilities. See “Configuring IPsec VPN offloading” on page 2160.
Packet forwarding rates vary by the percentage of offloadable processing and the type of
network processing required by your configuration, but are independent of frame size. For
optimal traffic types, network throughput can equal wire speed.
Offloading requirements vary slightly by the model of the network processor.


The following types of acceleration hardware are found on FortiGate units:
• network processors: NP1 (formerly known as FA2), NP2, NP4
• content processors: CP4, CP5, CP6
• accelerated interface modules: ASM-FB4, ADM-FB8, ADM-XB2, ADM-XD4, RTM-XD2
• security processor modules: ASM-CE4, ASM-XE2

Network processors overview
Many Fortinet products contain network processors. Some of these products contain NP1
network processors (also known as FortiAccel, or FA2), while others contain NP2 network
processors. Some newer models contain an NP4 processor. Network processor features,
and therefore offloading requirements, vary by network processor model. Differing
offloading requirements are noted in “Configuring traffic offloading” on page 2156 and
“Configuring IPsec VPN offloading” on page 2160.

Network processor models
FortiASIC network processors work at the interface level to support IPsec offload and
unicast UDP/TCP traffic forwarding. The maximum throughput and number of network
interfaces varies by processor model.
NP1: supports FW and VPN acceleration with 2Gbps capacity. It is found on FortiGate
units such as models 1000A-FA2, 3600A, and 3810A, and also on FortiGate-5000 series
5001FA2 and 5005FA2 blades.
NP2: supports FW and VPN acceleration with 4Gbps capacity. It is found on newer,
B-series FortiGate units ranging from models 200B to 3016B, and on most AMC
accelerated interface cards.
NP4: supports FW and VPN acceleration with 40 Gbps capacity. It is found on the
ADM-XD4 AMC card and on the FortiGate-5000 series RTM-XD2 blade.
Table 139: Network processor models
Processor   Interfaces
NP1         2 x 1 Gb/s
NP2         1 x 10 Gb/s, 4 x 1 Gb/s
NP4         2 x 10 Gb/s
Note: The NP1 network processor does not support frames greater than 1500 bytes. If your
network uses jumbo frames, you may need to adjust the MTU (Maximum Transmission
Unit) of devices connected to NP1 ports. Maximum frame size for NP2 and NP4 processors
is 9000 bytes.
Note: For both NP1 and NP2 network processors, ports attached to a network processor
cannot be used for firmware installation by TFTP.

Some Fortinet products contain multiple network processors. Depending on the product,
network processors may or may not be directly connected to each other on the circuit
board through an EEI (Enhanced Extension Interface).


• Directly connected network processors have an EEI, and can pass traffic between
them without involving the FortiGate unit’s main processing resources.
• Indirectly connected network processors have no EEI, and cannot pass traffic between
them without involving the FortiGate unit’s main processing resources.


Sessions can only be offloaded if both the source and destination port are connected to
the same network processor or directly (EEI) connected network processor pair.
For information about the network processors in any specific FortiGate model, refer to the
product brochure.

Determining the network processors installed on your FortiGate unit
To list the network processors on your FortiGate unit, use the following CLI command.
get hardware npu <model> list
<model> can be np1, np2 or np4.
The output lists the interfaces that have the specified processor. For example,
# get hardware npu np1 list
ID   Interface
0    port9 port10
This command does not detect Security processing modules.

Content processors overview
The FortiASIC Content Processor (CP) works at the system level. Its main functions are
SSL VPN key generation and SSL offloading. Capabilities vary by model.

CP4
• FIPS-compliant DES/3DES/AES encryption and decryption
• SHA-1 and MD5 HMAC
• IPSEC protocol processor
• Random Number generator
• Public Key Crypto Engine
• Content processing engine
• ANSI X9.31 and PKCS#1 certificate support

CP5
• FIPS-compliant DES/3DES/AES encryption and decryption
• SHA-1 and MD5 HMAC with RFC1321/2104/2403/2404 and FIPS180/FIPS198
• IPsec protocol processor
• High performance IPSEC Engine
• Random Number generator compliant with ANSI X9.31
• Public Key Crypto Engine supports high performance IKE and RSA computation
• Script Processor
CP6



• Dual content processors
• FIPS-compliant DES/3DES/AES encryption and decryption


• SHA-1 and MD5 HMAC with RFC1321 and FIPS180
• HMAC in accordance with RFC2104/2403/2404 and FIPS198
• IPsec protocol processor
• High performance IPsec engine
• Random Number generator compliance with ANSI X9.31
• Key exchange processor for high performance IKE and RSA computation
• Script Processor
• SSL/TLS protocol processor for SSL content scanning and SSL acceleration

Determining the content processor in your FortiGate unit
Use the get hardware status CLI command to determine which content processor
your FortiGate unit contains. The output looks like this:
# get hardware status
Model name: Fortigate-620B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Intel(R) Core(TM)2 Duo CPU
E4300 @ 1.80GHz
RAM: 2020 MB
Compact Flash: 493 MB /dev/sda
Hard disk: 76618 MB /dev/sdb
USB Flash: not available
Network Card chipset: Broadcom 570x Tigon3 Ethernet Adapter
(rev.0x5784100)
The ASIC version line lists the content processor model number.
If you have a CP6 processor, you can view the status of SSL acceleration using the
command get vpn status ssl hardware-acceleration.

Security processing modules overview
FortiGate Security Processing (SP) modules, such as the ASM-CE4 and ADM-XE2, work
at both the interface and system level to increase overall system performance by
accelerating some security and networking processing on the interfaces they provide. The
SP frees the FortiGate unit’s processor for other tasks by offloading firewall, application
control, and IPS processing, including flow-based antivirus protection. You can configure
the SP to favor IPS over firewall processing in hostile high-traffic environments.
The ASM-CE4 and ADM-XE2 are Advanced Mezzanine cards (AMCs) that are the first
generation of SP modules. The next generation of SP modules are Fortinet Mezzanine
cards (FMCs) found on newer FortiGate models, such as the 3950. FMC modules take
advantage of the Integrated Switch Fabric (ISF) backplane, meaning that accelerated
performance is available between any two interfaces, not just interfaces on the same FMC
module.

Security processor module models
The ADM-XE2 is a dual-width AMC card with two 10 Gb/s interfaces that can be used on
FortiGate-3810A and FortiGate-5001A-DW systems.
The ASM-CE4 is a single-width AMC card with four 10/100/1000 Mb/s interfaces that can
be used on FortiGate-3016B and FortiGate-3810A units.


Displaying information about security processing modules
You can display information about installed AMC modules using the CLI command
diagnose hardware deviceinfo nic <port name>
The <port name> has a slightly different format than that used in the web-based
manager or the config system interface command. Replace the slash (“/”) with a
hyphen (“-”). For example, for amc-dw1/1, enter amc-dw1-1.
More detailed information is available by accessing the SP module’s internal CLI. The
FortiGate CLI command is
execute npu-cli <amc_device_name> <command>

Variable            Description
<amc_device_name>   Enter the name of the security processing device that you want to
                    display information for, in the format /dev/<device_name>. For example:
                    /dev/ce4_0 for the FortiGate-ASM-CE4 module.
                    /dev/xe2_0 for the FortiGate-ADM-XE4 module.
                    /dev/fe8_0 for the FortiGate-ADM-FE4 module.
<command>           Enter a command to display information. Use the help command to
                    display the complete list.
                    If the command contains spaces, enclose it in quotes.

Note: Security processing modules are also called network processing units
(NPUs).

Example
This example shows how to display details about how the module is processing sessions
using the syn proxy. (Partial output):
#/dev/ce4_0 showsynproxy
Total Proxied TCP Connections:           0
Working Proxied TCP Connections:         0
Retired TCP Connections:                 0
Valid TCP Connections:                   0
Attacks, No Ack From Client:             0
No SynAck From Server:                   0
Rst By Server (service not supported):   0
Client timeout setting:                  3 Seconds
Server timeout setting:                  3 Seconds


Setting switch-mode mapping on the ADM-XD4
The ADM-XD4 SP has four 10 Gb/s ports, but the NP4 processor it contains has only two
10 Gb/s ports. You can select how the external ports are mapped to the NP4 ports to
optimize the SP for your application.
Figure 362: ADM-XD4 mapping modes
(Diagram showing the three modes: Trunk, Mapping 1 and Mapping 2.)
• In Trunk mode, traffic to and from the NP4 is trunked from all four SP ports.
• In Mapping 1 mode, ports 1 and 2 share one NP4 port, ports 3 and 4 share the other.
• In Mapping 2 mode, ports 1 and 3 share one NP4 port, ports 2 and 4 share the other.

Trunk mode provides approximately equal performance between any two ports. The
Mapping 1 and Mapping 2 modes distribute the bandwidth asymmetrically. However, this
might be suitable, depending on your application. Performance for the three modes is
shown in Table 140.
Table 140: Mapping modes on the ADM-XD4
             Performance (Mb/s)
Mode         Port 1 > Port 2   Port 1 > Port 3   Port 3 > Port 4   Port 2 > Port 4
Trunk        13193             13125             13193             13250
Mapping 1    9790              19750             9790              19750
Mapping 2    19750             9790              19750             9790

To select the switch-mode mapping on the ADM-XD4
config sys amc-slot
    edit dw1
        set sw-mode <mapping1|mapping2|trunk>
end

Configuring overall security priorities
You can set the priority for security processing using the CLI:
config system global
    set optimize {antivirus | throughput | session}
end
antivirus - Allow all CPU cores to process traffic – typically used with proxy style
services (AntiX, content filtering)
throughput - Prevents code synchronisation delays from impacting raw throughput.


session - Allows distributed session set up across all cores for high session per second
environments. This option is available on newer FortiGate models such as the 1240B.

Configuring traffic offloading
Offloading traffic to a network processor requires that both the FortiGate unit configuration
and the traffic itself are suited to hardware acceleration. There are requirements for the
session path and for the individual packets.

Session fast path requirements
Sessions must be fast path ready. Fast path ready session characteristics are:


• Layer 2 type/length must be 0x0800 (IEEE 802.1q VLAN specification is supported);
link aggregation between any network interfaces sharing the same network
processor(s) may be used (IEEE 802.3ad specification is supported)
• Layer 3 protocol must be IPv4
• Layer 4 protocol must be UDP, TCP or ICMP
• Layer 3 / Layer 4 header or content modification must not require a session helper (for
example, SNAT, DNAT, and TTL reduction are supported, but application layer content
modification is not supported)
• FortiGate unit firewall policy must not require antivirus or IPS inspection
• origin must not be local host (the FortiGate unit)
• ingress and egress network interfaces are both attached to the same network
processor(s)
Note: If you disable anomaly checks by Intrusion Prevention (IPS), you can still enable
hardware accelerated anomaly checks using the fp-anomaly field of the
config system interface CLI command. See “Configuring pre-IPS anomaly
detection” on page 2165.
Note: For session offloading to NP1 network processors, the session must not use an
aggregated link or require QoS, including rate limits and bandwidth guarantees. Traffic
shaping and link aggregation are not supported.

If a session is not fast path ready, the FortiGate unit will not send the session key to the
network processor(s). Without the session key, all session key lookup by a network
processor for incoming packets of that session fails, causing all session packets to be sent
to the FortiGate unit’s main processing resources, and processed at normal speeds.
If a session is fast path ready, the FortiGate unit will send the session key to the network
processor(s). Session key lookup then succeeds for subsequent packets from the known
session.

Packet fast path requirements
Packets within the session must then also meet packet requirements.




• Incoming packets must not be fragmented.
• Outgoing packets must not require fragmentation to a size less than 385 bytes.
Because of this requirement, the configured MTU (Maximum Transmission Unit) for
network processors’ network interfaces must also meet or exceed the network
processors’ supported minimum MTU of 385 bytes.


If packet requirements are not met, an individual packet will use FortiGate unit main
processing resources, regardless of whether other packets in the session are offloaded to
the specialized network processor(s).
In some cases, due to these requirements, a protocol’s session(s) may receive a mixture
of offloaded and non-offloaded processing.
For example, FTP uses two connections: a control connection and a data connection. The
control connection requires a session helper, and cannot be offloaded, but the data
connection does not require a session helper, and can be offloaded. Within the offloadable
data session, fragmented packets will not be offloaded, but other packets will be offloaded.
Some traffic types differ from general offloading requirements, but still utilize some of the
network processors’ encryption and other capabilities. Exceptions include IPsec traffic and
active-active high availability (HA) load balanced traffic.
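The following added Python example (not FortiOS code) models the decision sequence described in this section and in Figure 361: a session is checked once against the session fast path requirements, and then each packet is either dropped by the pre-IPS anomaly check, forwarded on the fast path, or handed to the main CPU. It generalizes the FTP case above to any session, including the NP1 restriction on aggregated links and QoS; the Session and Packet field names are the model's own.

```python
"""Model of the fast-path decision described in this section.

Added example, not FortiOS code: it applies the session and packet
requirements above to constructed session descriptions and reports, per
packet, whether the network processor would drop it, forward it on the
fast path or hand it to the main CPU. The Session and Packet field names
are this model's own.
"""
from __future__ import annotations

from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
NP_MIN_MTU = 385  # network processors' supported minimum MTU (bytes)


@dataclass
class Session:
    ethertype: int = ETHERTYPE_IPV4
    l3_proto: str = "ipv4"
    l4_proto: str = "tcp"
    needs_session_helper: bool = False   # e.g. the FTP control connection
    policy_needs_av_or_ips: bool = False
    origin_is_local_host: bool = False
    ingress_np: str = "np_a"             # network processor of the ingress port
    egress_np: str = "np_a"              # network processor of the egress port
    np_model: str = "np2"                # np1, np2 or np4
    uses_aggregated_link: bool = False
    needs_qos: bool = False              # rate limits, guarantees, shaping


@dataclass
class Packet:
    fragmented: bool = False                   # arrived as an IP fragment
    required_fragment_size: int | None = None  # egress must fragment to this size
    matches_np_anomaly: bool = False           # hit an fp-anomaly pattern on the NP port


def session_offload_blockers(s: Session) -> list[str]:
    """Violated session requirements; an empty list means fast path ready."""
    reasons = []
    if s.ethertype != ETHERTYPE_IPV4:
        reasons.append("layer 2 type/length must be 0x0800")
    if s.l3_proto != "ipv4":
        reasons.append("layer 3 protocol must be IPv4")
    if s.l4_proto not in ("udp", "tcp", "icmp"):
        reasons.append("layer 4 protocol must be UDP, TCP or ICMP")
    if s.needs_session_helper:
        reasons.append("session helper required")
    if s.policy_needs_av_or_ips:
        reasons.append("policy requires antivirus or IPS inspection")
    if s.origin_is_local_host:
        reasons.append("origin is the FortiGate unit itself")
    if s.ingress_np != s.egress_np:
        reasons.append("ingress and egress ports on different network processors")
    if s.np_model == "np1" and (s.uses_aggregated_link or s.needs_qos):
        reasons.append("NP1 does not offload aggregated links or QoS")
    return reasons


def packet_disposition(session_ready: bool, p: Packet, egress_mtu: int) -> str:
    """One packet's fate at the NP: 'drop', 'fast_path' or 'cpu' (Figure 361 order)."""
    if p.matches_np_anomaly:
        return "drop"                    # pre-IPS anomaly check runs first
    if not session_ready:
        return "cpu"                     # no session key at the NP: lookup fails
    if p.fragmented or egress_mtu < NP_MIN_MTU:
        return "cpu"
    if p.required_fragment_size is not None and p.required_fragment_size < NP_MIN_MTU:
        return "cpu"
    return "fast_path"


def classify(s: Session, packets: list[Packet], egress_mtu: int = 1500) -> dict:
    """Count dispositions for a session's packets; mixed results are normal."""
    blockers = session_offload_blockers(s)
    counts = {"drop": 0, "fast_path": 0, "cpu": 0}
    for p in packets:
        counts[packet_disposition(not blockers, p, egress_mtu)] += 1
    return {**counts, "blockers": blockers}
```

Running classify on an FTP data session with one fragmented packet reproduces the mixed outcome the text describes (two packets on the fast path, one on the CPU), while the FTP control session, which needs a session helper, sends every packet to the CPU.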

Session offloading in HA active-active configuration
Fortinet’s specialized network processors can improve network performance in
active-active (load balancing) high availability (HA) configurations, even though traffic
deviates from general offloading patterns, involving more than one network processor,
each in a separate FortiGate unit. No additional offloading requirements apply.
Once the primary FortiGate unit’s main processing resources send a session key to its
network processor(s), network processor(s) on the primary unit can redirect any
subsequent session traffic to other cluster members, reducing traffic redirection load on
the primary unit’s main processing resources.
As subordinate units receive redirected traffic, each network processor in the cluster
assesses and processes session offloading independently from the primary unit. Session
key states of each network processor are not part of synchronization traffic between HA
members.

Configuring traffic shaping offloading
Accelerated traffic shaping is supported with some limitations on NP2 and NP4 interfaces.
Security processor modules do not perform any traffic shaping. Any traffic on which traffic
shaping is enabled is handled by the FortiGate unit’s main processing resources.
For traffic shaping and QoS through accelerated NP2 and NP4 ports:
• Accelerated ports support policy-based traffic policing. However, fast path traffic and
traffic handled by the FortiGate CPU (slow path) are controlled separately, which
means the policy setting on fast path does not consider the traffic on the slow path.
• The port based traffic policing as defined by the inbandwidth and outbandwidth CLI
commands is not supported on the NP2 processor and only outbandwidth traffic
policing is supported on the NP4 processor.
• NP2 and NP4 ports support DSCP configurations.
• Per-IP traffic shaping is not supported with NP2 interfaces due to hardware limitations.
• QoS in general is not supported by NP2 and NP4.

You can also use the traffic shaping features of the FortiGate unit’s main processing
resources by disabling the acceleration features of the NP2 and NP4 ports. See “Disabling
offloading” on page 2158.
Network processing unit (npu) settings configure offloading for traffic shaping. Configured
behavior applies to all network processors contained by the FortiGate unit itself or any
installed AMC modules.


config system npu
    set traffic-shaping-mode {bidirection | unidirection}
end

Variable: traffic-shaping-mode {bidirection | unidirection}
Description: Select the offloaded traffic shaping bandwidth calculation method.
• unidirection: The bandwidth limit applies per direction. For example, a
unidirectional limit of 10 KBps would result in an overall limit of 20 KBps — 10 KBps
per direction.
• bidirection: The bandwidth limit applies to both directions overall. For example, a
bidirectional limit of 10 KBps would result in an overall limit of 10 KBps — 5 KBps per
direction.
This option applies only if the FortiGate unit itself or any installed AMC modules contain
a network processor that supports offloading of traffic shaping.
Default: Varies by model.
Example
You could configure the traffic shaping limit to be applied as a bidirectional total limit during
hardware accelerated sessions.
config system npu
    set traffic-shaping-mode bidirection
end
config system interface
    edit <interface_name>
        set outbandwidth <real outbandwidth>
end

Checking that traffic is offloaded
You can determine whether traffic is offloaded by using the CLI command:
diagnose sys session list
The output provides detailed information about each session. Look for the “state=” line. If
“npu npr” appears on that line, the session was offloaded to a network processor.
You can also use the diagnose command:
diagnose sniffer packet <interface_name>
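Because offloaded sessions are not inspected by IPS or antivirus and do not appear in traffic statistics, it is useful to be able to list them quickly. The following added Python parser (not a FortiOS tool) reads diagnose sys session list output and flags the sessions whose state= line carries the npu marker the text describes, together with the policy that allowed them and their original 5-tuple. The sample output embedded in it is constructed to resemble that command's output; its addresses, serials and policy ids are invented.

```python
"""Parser for `diagnose sys session list` output that flags offloaded sessions.

Added example, not a FortiOS tool. The handbook says an offloaded session
shows "npu npr" on its "state=" line; this parser keys on the "npu" token.
SAMPLE_OUTPUT is constructed to resemble that output (first session
offloaded, second not); its addresses, serials and policy ids are invented.
"""
import re

SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=12 expire=3587 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty npu npr
statistic(bytes/packets/allow_err): org=1840/14/1 reply=9217/12/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=203.0.113.1/192.0.2.10
hook=post dir=org act=snat 192.0.2.10:51234->198.51.100.7:443(203.0.113.2:51234)
hook=pre dir=reply act=dnat 198.51.100.7:443->203.0.113.2:51234(192.0.2.10:51234)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b3 tos=ff/ff ips_view=0 app_list=0 app=0
session info: proto=17 proto_state=01 duration=4 expire=176 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=72/1/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=203.0.113.1/192.0.2.21
hook=post dir=org act=snat 192.0.2.21:40000->198.51.100.53:53(203.0.113.2:40000)
hook=pre dir=reply act=dnat 198.51.100.53:53->203.0.113.2:40000(192.0.2.21:40000)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b4 tos=ff/ff ips_view=1 app_list=0 app=0
total session 2
"""

SESSION_HDR = "session info:"
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def _kv(line):
    """Split 'a=1 b=2 c' into {'a': '1', 'b': '2'} (tokens without '=' are ignored)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def parse_session_list(text):
    """One dict per session: proto, state flags, policy id, original tuple, offloaded."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(SESSION_HDR):
            if cur:
                sessions.append(cur)
            kv = _kv(line[len(SESSION_HDR):])
            cur = {"proto": int(kv.get("proto", 0)), "state": [], "policy_id": None,
                   "orig": None, "offloaded": False}
        elif cur is None:
            continue                      # text before the first session header
        elif line.startswith("state="):
            cur["state"] = line[len("state="):].split()
            cur["offloaded"] = "npu" in cur["state"]
        elif line.startswith("hook="):
            m = HOOK_RE.match(line)
            if m and m["dir"] == "org" and cur["orig"] is None:
                cur["orig"] = f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']}"
        elif line.startswith("misc="):
            cur["policy_id"] = int(_kv(line).get("policy_id", -1))
    if cur:
        sessions.append(cur)
    return sessions


def offloaded_sessions(text):
    """Sessions on the fast path: not inspected by IPS/AV and absent from traffic statistics."""
    return [s for s in parse_session_list(text) if s["offloaded"]]
```

Feed it the saved output of the command and cross-check the returned policy ids against the policies that are expected to carry antivirus or IPS inspection; a session offloaded under such a policy is worth investigating, since the fast path requirements above say it should not have qualified.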

Disabling offloading
If you want to completely disable offloading for test purposes or other reasons, you can do
so by interface.
config system interface
    edit <interface_name>
        set npu-fastpath disable
end


Multicast offloading / acceleration
Only security processor modules such as the CE4, CE8, or XE2 can offload multicast
traffic from the FortiGate unit’s CPU-based resources. To make use of this capability, the
multicast traffic must enter and exit the FortiGate unit on network interfaces on the same
SPM card. Also, the session fast path requirements must be met. These are the same
requirements that apply to unicast traffic. See “Session fast path requirements” on
page 2156.
Like any other traffic between interfaces, multicast traffic requires a firewall policy, in this
case a multicast firewall policy. These policies, for example, permit multicast traffic
between the first port and each of the other ports on an ASM-CE4 card:
config firewall multicast-policy
    edit 1
        set srcintf amc-sw1/1
        set dstintf amc-sw1/2
        set action accept
    next
    edit 2
        set srcintf amc-sw1/1
        set dstintf amc-sw1/3
        set action accept
    next
    edit 3
        set srcintf amc-sw1/1
        set dstintf amc-sw1/4
        set action accept
end
Note that simple forwarding of multicast packets is not accelerated. Also, if the FortiGate
unit or VDOM is in Transparent mode, multicast is not accelerated.
Use diagnose ip multicast npu-session list to verify that the NPU session is
established.


Configuring IPsec VPN offloading
Fortinet’s specialized network processors contain features to improve IPsec tunnel
performance. For example, network processors can encrypt and decrypt packets,
reducing cryptographic load on the FortiGate unit’s main processing resources.

IPsec offloading requirements
Requirements for hardware accelerated IPsec encryption or decryption are a modification
of general offloading requirements. Differing characteristics are:


• origin can be local host (the FortiGate unit)
• in Phase I configuration, Local Gateway IP must be specified as an IP address of a
network interface for a port attached to a network processor
• SA must have been received by the network processor
• in Phase II configuration:
  • encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, or null
  • authentication must be MD5, SHA1, or null
  • if encryption is null, authentication must not also be null
  • if replay detection is enabled, enc-offload-antireplay must also be set to enable
in the CLI
Note: If replay detection is enabled in the Phase II configuration, you can enable or disable
IPsec encryption and decryption offloading from the CLI. Performance varies by those CLI
options and the percentage of packets requiring encryption or decryption. For details, see
“Configuring VPN encryption/decryption offloading” on page 2161.
Note: For session offloading to NP1 network processors, in Phase II configuration, the
encryption algorithm must be 3DES and authentication must be MD5. Other encryption and
authentication algorithms are not supported.

To apply hardware accelerated encryption and decryption, the FortiGate unit’s main
processing resources must first perform Phase I negotiations to establish the security
association (SA). The SA includes cryptographic processing instructions required by the
network processor, such as which encryption algorithms must be applied to the tunnel.
After ISAKMP negotiations, the FortiGate unit’s main processing resources send the SA to
the network processor, enabling the network processor to apply the negotiated hardware
accelerated encryption or decryption to tunnel traffic.
Possible accelerated cryptographic paths are:


• IPsec decryption offload
  • Ingress ESP packet > Offloaded decryption > Decrypted packet egress (fast path)
  • Ingress ESP packet > Offloaded decryption > Decrypted packet to FortiGate unit’s
main processing resources
• IPsec encryption offload


  • Ingress packet > Offloaded encryption > Encrypted (ESP) packet egress (fast path)
  • Packet from FortiGate unit’s main processing resources > Offloaded encryption >
Encrypted (ESP) packet egress


Configuring HMAC check offloading
Hash-based Message Authentication Code (HMAC) checks can be offloaded to network
processors. To enable HMAC check offloading, enter
config system global
    set ipsec-hmac-offload {enable | disable}
end

Configuring VPN encryption/decryption offloading
Network processing unit (npu) settings configure offloading behavior for IPsec VPN.
Configured behavior applies to all network processors contained by the FortiGate unit
itself or any installed AMC modules.
config system npu
    set enc-offload-antireplay {enable | disable}
    set dec-offload-antireplay {enable | disable}
    set offload-ipsec-host {enable | disable}
end

Variable: enc-offload-antireplay {enable | disable}
Description: Enable or disable offloading of IPsec encryption. This option is used only
when replay detection is enabled in Phase II configuration. If replay detection is
disabled, encryption is always offloaded.
Default: disable

Variable: dec-offload-antireplay {enable | disable}
Description: Enable or disable offloading of IPsec decryption. This option is used only
when replay detection is enabled in Phase II configuration. If replay detection is
disabled, decryption is always offloaded.
Default: enable

Variable: offload-ipsec-host {enable | disable}
Description: Enable or disable offloading of IPsec encryption of traffic from local host
(FortiGate unit).
Note: For this option to take effect, the FortiGate unit must have previously sent the
security association (SA) to the network processor. For details on SA offloading, see
“Configuring IPsec VPN offloading” on page 2160.
Default: disable

Example
You could configure the offloading of encryption and decryption for an IPsec SA that was
sent to the network processor.
config system npu
    set enc-offload-antireplay enable
    set dec-offload-antireplay enable
    set offload-ipsec-host enable
end
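To tie the Phase II requirements listed under “IPsec offloading requirements” to the three npu options in the table above, the following added Python model (not FortiOS code) answers two questions for a proposed tunnel: whether the Phase II proposal can be offloaded at all on a given network processor model, and, for an SA the network processor has already received, which of encryption and decryption are actually offloaded given the replay detection setting and the npu options. It uses the defaults from the table; the function names are the model's own.

```python
"""Model of the IPsec offload rules in this section.

Added example, not FortiOS code. It covers the Phase II algorithm
restrictions (including the NP1 3DES/MD5 limit) and the interaction
between Phase II replay detection and the enc-offload-antireplay,
dec-offload-antireplay and offload-ipsec-host npu settings, using the
defaults listed in the table above. Function names are this model's own.
"""

OFFLOADABLE_ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256", "null"}
OFFLOADABLE_AUTHENTICATION = {"md5", "sha1", "null"}

# Defaults from the config system npu table above.
NPU_DEFAULTS = {
    "enc-offload-antireplay": "disable",
    "dec-offload-antireplay": "enable",
    "offload-ipsec-host": "disable",
}


def phase2_offload_blockers(encryption, authentication, np_model="np2"):
    """Why a Phase II proposal cannot be offloaded; an empty list means it can."""
    enc, auth = encryption.lower(), authentication.lower()
    reasons = []
    if enc not in OFFLOADABLE_ENCRYPTION:
        reasons.append(f"encryption {encryption} is not offloadable")
    if auth not in OFFLOADABLE_AUTHENTICATION:
        reasons.append(f"authentication {authentication} is not offloadable")
    if enc == "null" and auth == "null":
        reasons.append("encryption and authentication must not both be null")
    if np_model == "np1" and (enc, auth) != ("3des", "md5"):
        reasons.append("NP1 offloads only 3DES with MD5")
    return reasons


def crypto_offload(replay_detection, npu_settings=None, origin_is_local_host=False):
    """Which directions are offloaded for an SA the NP has already received.

    replay_detection: the Phase II "Enable replay detection" setting.
    npu_settings: overrides for the config system npu options.
    origin_is_local_host: traffic generated by the FortiGate unit itself.
    """
    settings = {**NPU_DEFAULTS, **(npu_settings or {})}
    if replay_detection:
        # With replay detection on, each direction is offloaded only if its
        # *-offload-antireplay option is enabled.
        encrypt = settings["enc-offload-antireplay"] == "enable"
        decrypt = settings["dec-offload-antireplay"] == "enable"
    else:
        encrypt = decrypt = True  # always offloaded when replay detection is off
    if origin_is_local_host and settings["offload-ipsec-host"] != "enable":
        encrypt = False  # locally originated traffic also needs offload-ipsec-host
    return {"encrypt": encrypt, "decrypt": decrypt}
```

With the defaults, enabling replay detection in Phase II silently moves encryption back onto the main CPU while decryption stays offloaded; the example configuration above is exactly the change that restores offloading for both directions.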

Examples of ASM-FB4 accelerated VPNs
This section contains example IPsec configurations whose IPsec encryption and
decryption processing is hardware accelerated by FortiGate-ASM-FB4 modules.
Figure 363 illustrates the example network topology. Table 141 lists the example network
interfaces and IP addresses.
Note: Hardware accelerated IPsec does not require both tunnel endpoints to have the
same network processor model. However, if hardware is not symmetrical, the packet
forwarding rate is limited by the slower side.


Figure 363: Example network topology for offloaded IPsec processing
[Figure: FortiGate_1 and FortiGate_2 connect across the Internet through their
FortiGate-ASM-FB4 port 2 (IPsec), addressed 3.3.3.1/24 and 3.3.3.2/24 respectively;
each unit’s protected network, 1.1.1.0/24 and 2.2.2.0/24, sits behind its
FortiGate-ASM-FB4 port 1.]

Table 141: Example ports and IP addresses for offloaded IPsec processing

                   FortiGate_1                            FortiGate_2
                   Port                      IP           Port                      IP
IPsec tunnel       FortiGate-ASM-FB4 port 2  3.3.3.1/24   FortiGate-ASM-FB4 port 2  3.3.3.2/24
Protected network  FortiGate-ASM-FB4 port 1  1.1.1.0/24   FortiGate-ASM-FB4 port 1  2.2.2.0/24

Tunnel mode IPsec VPN example
The following steps create a hardware accelerated tunnel mode IPsec tunnel between two
FortiGate units, each containing a FortiGate-ASM-FB4 module.
To configure hardware accelerated tunnel mode IPsec
1 On FortiGate_1, go to VPN > IPsec.
2 Configure Phase I.
For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP
is required.
Select Advanced. In the Local Gateway IP section, select Specify and type the VPN IP
address 3.3.3.2, which is the IP address of FortiGate_2’s FortiGate-ASM-FB4 module
port 2.
3 Configure Phase II.
If you enable the check box “Enable replay detection,” set enc-offload-antireplay to
enable in the CLI. For details on encryption and decryption offloading options
available in the CLI, see “Configuring VPN encryption/decryption offloading” on
page 2161.
4 Go to Firewall > Policy.
5 Configure one policy to apply the Phase 1 IPsec tunnel you configured in step 2 to
traffic between FortiGate-ASM-FB4 module ports 1 and 2.
6 Go to Router > Static.
7 Configure a static route to route traffic destined for FortiGate_2’s protected network to
the VPN IP address of FortiGate_2’s VPN gateway, 3.3.3.2, through the FortiGate-ASM-FB4
module’s port 2 (device).
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "AMC-SW1/2"
set dst 2.2.2.0 255.255.255.0
set gateway 3.3.3.2
next
end
8 On FortiGate_2, go to VPN > IPsec.
9 Configure Phase I.
For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP
is required.
Select Advanced. In the Local Gateway IP section, select Specify and type the VPN IP
address 3.3.3.1, which is the IP address of FortiGate_1’s FortiGate-ASM-FB4 module
port 2.
10 Configure Phase II.
If you enable the check box “Enable replay detection,” set enc-offload-antireplay to
enable in the CLI. For details on encryption and decryption offloading options
available in the CLI, see “Configuring VPN encryption/decryption offloading” on
page 2161.
11 Go to Firewall > Policy.
12 Configure one policy to apply the Phase 1 IPsec tunnel you configured in step 9 to
traffic between FortiGate-ASM-FB4 module ports 1 and 2.
13 Go to Router > Static.
14 Configure a static route to route traffic destined for FortiGate_1’s protected network to
the VPN IP address of FortiGate_1’s VPN gateway, 3.3.3.1, through the FortiGate-ASM-FB4
module’s port 2 (device).
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "AMC-SW1/2"
set dst 1.1.1.0 255.255.255.0
set gateway 3.3.3.1
next
end
15 Activate the IPsec tunnel by sending traffic between the two protected networks.
To verify tunnel activation, go to VPN > IPSEC > Monitor.

Interface mode IPsec VPN example
The following steps create a hardware accelerated interface mode IPsec tunnel between
two FortiGate units, each containing a FortiGate-ASM-FB4 module.
To configure hardware accelerated interface mode IPsec
1 On FortiGate_1, go to VPN > IPsec.
2 Configure Phase I.
For interface mode IPsec and for hardware acceleration, the following settings are
required.
• Select Advanced.
• Enable the check box “Enable IPsec Interface Mode.”
• In the Local Gateway IP section, select Specify and type the VPN IP address
3.3.3.2, which is the IP address of FortiGate_2’s FortiGate-ASM-FB4 module port 2.


3 Configure Phase II.
If you enable the check box “Enable replay detection,” set enc-offload-antireplay to
enable in the CLI. For details on encryption and decryption offloading options
available in the CLI, see “Configuring VPN encryption/decryption offloading” on
page 2161.
4 Go to Firewall > Policy.
5 Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration
you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4
module port 1.
6 Go to Router > Static.
7 Configure a static route to route traffic destined for FortiGate_2’s protected network to
the Phase 1 IPsec device, FGT_1_IPsec.
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "FGT_1_IPsec"
set dst 2.2.2.0 255.255.255.0
next
end
8 On FortiGate_2, go to VPN > IPsec.
9 Configure Phase I.
For interface mode IPsec and for hardware acceleration, the following settings are
required.
• Enable the check box “Enable IPsec Interface Mode.”
• In the Local Gateway IP section, select Specify and type the VPN IP address
3.3.3.1, which is the IP address of FortiGate_1’s FortiGate-ASM-FB4 module port 2.
10 Configure Phase II.
If you enable the check box “Enable replay detection,” set enc-offload-antireplay to
enable in the CLI. For details on encryption and decryption offloading options
available in the CLI, see “Configuring VPN encryption/decryption offloading” on
page 2161.
11 Go to Firewall > Policy.
12 Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration
you configured in step 9 to traffic leaving from or arriving on FortiGate-ASM-FB4
module port 1.
13 Go to Router > Static.
14 Configure a static route to route traffic destined for FortiGate_1’s protected network to
the Phase 1 IPsec device, FGT_2_IPsec.
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "FGT_2_IPsec"
set dst 1.1.1.0 255.255.255.0
next
end
15 Activate the IPsec tunnel by sending traffic between the two protected networks.
To verify tunnel activation, go to VPN > IPSEC > Monitor.


Configuring IPS offloading
Security modules (CE4) offload IPS. Requirements are:
• Source port is on the CE4.
• Destination port is on the same CE4.
• UTM configuration must enable only IPS, not AV or content archive.
• Packet protocol is ICMP, UDP or TCP.

Configuring pre-IPS anomaly detection
Network interfaces associated with a port attached to a network processor can be
configured to use hardware acceleration to drop or allow certain anomaly types,
separately from and in advance of any anomaly checks specified by Intrusion Prevention
(IPS). Configured behavior applies separately to each of these network interfaces.
config system interface
edit <name_str>
set fp-anomaly
{drop_icmpland | pass_icmpland}
{drop_ipland | pass_ipland}
{drop_iplsrr | pass_iplsrr}
{drop_iprr | pass_iprr}
{drop_ipsecurity | pass_ipsecurity}
{drop_ipssrr | pass_ipssrr}
{drop_ipstream | pass_ipstream}
{drop_iptimestamp | pass_iptimestamp}
{drop_ipunknown_option | pass_ipunknown_option}
{drop_ipunknown_prot | pass_ipunknown_prot}
{drop_tcpland | pass_tcpland}
{drop_udpland | pass_udpland}
{drop_winnuke | pass_winnuke}
end
where:
icmpland            ICMP land
ipland              IP land
iplsrr              IP with loose source record route
iprr                IP with record route option
ipsecurity          IP with security option
ipssrr              IP with strict source record route option
ipstream            IP with stream option
iptimestamp         IP with timestamp option
ipunknown_option    IP with unknown option
ipunknown_prot      IP with unknown protocol
tcpland             TCP land
udpland             UDP land
winnuke             TCP WinNuke


Example
You might configure a FortiGate-ASM-FB4 module to drop packets with TCP WinNuke or
unknown IP protocol anomalies, but to pass packets with an IP time stamp, using
hardware acceleration provided by the network processor.
config system interface
edit AMC-SW1/1
set fp-anomaly drop_winnuke drop_ipunknown_prot pass_iptimestamp
end
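To make the effect of those keywords concrete, here is an added example (not from the FortiOS Handbook or Fortinet) that classifies constructed raw IPv4 packets into the anomaly types listed above and applies an fp-anomaly setting to them in software. The anomaly definitions are this example's own assumptions: IP option anomalies map to the RFC 791 option type bytes, "land" means equal source and destination address, and "winnuke" means a TCP segment to port 139 with the URG flag set.

```python
import struct

# Added example, not Fortinet code. The anomaly definitions are this example's own:
# IP option anomalies map to the RFC 791 option type byte, 'land' means equal source
# and destination address, and 'winnuke' means TCP to port 139 with the URG flag set.
IP_OPTION_ANOMALY = {      # option type byte -> fp-anomaly keyword
    7: "iprr",             # Record Route
    68: "iptimestamp",     # Internet Timestamp
    130: "ipsecurity",     # Security
    131: "iplsrr",         # Loose Source and Record Route
    136: "ipstream",       # Stream ID
    137: "ipssrr",         # Strict Source and Record Route
}
LAND_BY_PROTO = {1: "icmpland", 6: "tcpland", 17: "udpland"}   # ICMP, TCP, UDP
ANOMALIES = set(IP_OPTION_ANOMALY.values()) | set(LAND_BY_PROTO.values()) | {
    "ipunknown_option", "ipunknown_prot", "winnuke"}
TCP_URG, WINNUKE_PORT = 0x20, 139

def parse_fp_anomaly(tokens):
    """Turn the arguments of 'set fp-anomaly ...' into {anomaly: 'drop'|'pass'},
    rejecting mistyped keywords and a drop_/pass_ pair for the same anomaly."""
    policy = {}
    for tok in tokens:
        action, _, name = tok.partition("_")
        if action not in ("drop", "pass") or name not in ANOMALIES:
            raise ValueError(f"unknown fp-anomaly keyword: {tok}")
        if policy.get(name, action) != action:
            raise ValueError(f"conflicting actions for {name}")
        policy[name] = action
    return policy

def fp_anomaly_errors(tokens):
    """Validation error text for a token list, or None when it is acceptable."""
    try:
        parse_fp_anomaly(tokens)
    except ValueError as exc:
        return str(exc)
    return None

def classify(packet):
    """Return the set of anomaly keywords that apply to one raw IPv4 packet."""
    found = set()
    ver_ihl, _, _, _, _, _, proto, _ = struct.unpack("!BBHHHBBH", packet[:12])
    src, dst = packet[12:16], packet[16:20]
    ihl = (ver_ihl & 0x0F) * 4
    i = 20                                 # walk the options area, if any
    while i < ihl:
        opt = packet[i]
        if opt == 0:                       # End of Option List
            break
        if opt == 1:                       # No-Operation, a single byte
            i += 1
            continue
        found.add(IP_OPTION_ANOMALY.get(opt, "ipunknown_option"))
        length = packet[i + 1] if i + 1 < ihl else 0
        if length < 2:                     # truncated or malformed option: stop
            break
        i += length
    if proto not in LAND_BY_PROTO:         # anything but ICMP, TCP, UDP
        found.add("ipunknown_prot")
    elif src == dst:
        found.add(LAND_BY_PROTO[proto])
    payload = packet[ihl:]
    if proto == 6 and len(payload) >= 14:
        dport = struct.unpack("!H", payload[2:4])[0]
        if dport == WINNUKE_PORT and payload[13] & TCP_URG:
            found.add("winnuke")
    return found

def decide(policy, packet):
    """'drop' if any matched anomaly is configured drop_*, else 'pass'. Anomalies
    the setting does not mention are left to the later IPS checks (pass here)."""
    return "drop" if any(policy.get(a) == "drop" for a in classify(packet)) else "pass"

def build_ipv4(proto, src, dst, options=b"", payload=b""):
    """Construct a minimal IPv4 packet (checksum left zero; test data only)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + options + payload

# Constructed samples (private test addresses; nothing is sent on the wire).
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
TCP_139_URG = struct.pack("!HHIIBBHHH", 40000, WINNUKE_PORT, 0, 0, 5 << 4, 0x38, 8192, 0, 0)
SAMPLES = {
    "winnuke": build_ipv4(6, A, B, payload=TCP_139_URG),
    "gre": build_ipv4(47, A, B),                                  # unknown protocol
    "timestamp": build_ipv4(17, A, B, options=bytes([68, 4, 5, 0])),
    "record_route": build_ipv4(17, A, B, options=bytes([7, 3, 4])),
    "udp_land": build_ipv4(17, A, A),
}
# The setting from the example above: drop WinNuke and unknown protocol, pass timestamp.
PAGE_POLICY = parse_fp_anomaly(["drop_winnuke", "drop_ipunknown_prot", "pass_iptimestamp"])

def evaluate_samples(policy=PAGE_POLICY):
    """Map each constructed sample to the decision the given policy would make."""
    return {name: decide(policy, pkt) for name, pkt in SAMPLES.items()}
```

Note that a record-route packet passes under the page's setting only because the setting does not mention iprr; the network processor leaves it to the IPS anomaly checks that follow.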

Configuring policy-based IPS on SP modules
In the firewall policy, enable UTM, then enable IPS and select the desired IPS profile.

Configuring interface-based IPS on SP modules
1 Define the IPS sensor. This step is the same as for the current policy-based IPS. For a
system predefined sensor, this step can be skipped.
2 Define on which interface IPS should be enabled and what sensor you want to use to
scan traffic. Both physical interfaces and VLAN interfaces are valid interface choices.
The following example enables the IPS sensor “all_default” on physical port AMC-SW1/2.
config ips interface
edit AMC-SW1/2
set ips-sensor all_default
end
This command enables IPS on all traffic entering and leaving through AMC-SW1/2.
Do not enable policy-based IPS when either the source or destination port has interface
IPS enabled. Doing so provides no additional security and results in reduced performance.


Examples
Hardware accelerated IPsec processing, involving either partial or full offloading, can be
achieved in either tunnel or interface mode IPsec configurations.
To achieve offloading for both encryption and decryption:
• In the Phase I configuration’s Advanced section, Local Gateway IP must be specified as
an IP address of a network interface associated with a port attached to a network
processor. (In other words, if Phase 1’s Local Gateway IP is Main Interface IP, or is
specified as an IP address that is not associated with a network interface associated
with a port attached to a network processor, IPsec network processing is not
offloaded.)
• In the Phase II configuration’s P2 Proposal section, if the checkbox “Enable replay
detection” is enabled, enc-offload-antireplay and dec-offload-antireplay must be set to
enable in the CLI.
• offload-ipsec-host must be set to enable in the CLI.
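The three requirements just listed, together with the Phase 1 and Phase 2 steps of the tunnel and interface mode procedures above and the documented defaults of the system npu settings, can be checked against a configuration before traffic is sent. The following is an added example (not Fortinet code): a parser for the config/edit/set/next/end layout of FortiOS configuration text and a report of what the network processor will and will not offload. The attribute names local-gw, remote-gw, phase1name, replay and ip, and the choice of which interface names sit on a network-processor port, are this example's assumptions; the sample configuration is constructed to match FortiGate_1 in the topology above.

```python
import shlex

# Added example, not Fortinet code. The npu settings and their defaults are from the
# page; the phase1/phase2/interface attribute names and which interface names sit on a
# network-processor port are this example's assumptions.
NPU_DEFAULTS = {
    "enc-offload-antireplay": "disable",
    "dec-offload-antireplay": "enable",
    "offload-ipsec-host": "disable",
}

def parse_fortios(text):
    """Parse config/edit/set/next/end text into nested dicts: a 'config a b' table
    is stored under "a b", each 'edit NAME' under its name, and 'set K V...' stores
    the value string. Tables without 'edit' (system npu) hold settings directly."""
    root, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append(root.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword: {kw}")
    if stack:
        raise ValueError("unterminated config block")
    return root

def ipsec_offload_report(cfg, np_interfaces):
    """For each Phase 1, say which IPsec work the network processor will take on and
    why not, following the three requirements and the documented npu defaults."""
    npu = {**NPU_DEFAULTS, **cfg.get("system npu", {})}
    np_addrs = {iface["ip"].split()[0]: name            # interface IP -> NP port name
                for name, iface in cfg.get("system interface", {}).items()
                if name in np_interfaces and "ip" in iface}
    replay_on = {p2.get("phase1name") for p2 in cfg.get("vpn ipsec phase2", {}).values()
                 if p2.get("replay") == "enable"}
    report = {}
    for name, p1 in cfg.get("vpn ipsec phase1", {}).items():
        reasons = []
        on_np = p1.get("local-gw") in np_addrs
        replay = name in replay_on
        enc = on_np and (not replay or npu["enc-offload-antireplay"] == "enable")
        dec = on_np and (not replay or npu["dec-offload-antireplay"] == "enable")
        host = enc and npu["offload-ipsec-host"] == "enable"
        if not on_np:
            reasons.append("Local Gateway IP is not on a network-processor port: no offload")
        if on_np and not enc:
            reasons.append("replay detection on, enc-offload-antireplay not enable: no encrypt offload")
        if on_np and not dec:
            reasons.append("replay detection on, dec-offload-antireplay not enable: no decrypt offload")
        if enc and not host:
            reasons.append("offload-ipsec-host disable: FortiGate-originated traffic encrypted in software")
        report[name] = {"encrypt": enc, "decrypt": dec, "local_host": host,
                        "reasons": reasons}
    return report

# Constructed sample modelled on FortiGate_1 above: AMC-SW1/2 carries 3.3.3.1 and is
# the FortiGate-ASM-FB4 port 2; the 'legacy' tunnel leaves Local Gateway IP unset.
SAMPLE_CONFIG = """
config system npu
    set enc-offload-antireplay enable
end
config system interface
    edit "AMC-SW1/2"
        set ip 3.3.3.1 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "to_FGT2"
        set local-gw 3.3.3.1
        set remote-gw 3.3.3.2
    next
    edit "legacy"
        set remote-gw 198.51.100.9
    next
end
config vpn ipsec phase2
    edit "to_FGT2_p2"
        set phase1name "to_FGT2"
        set replay enable
    next
end
"""
NP_PORTS = {"AMC-SW1/1", "AMC-SW1/2"}     # the FortiGate-ASM-FB4 module's ports

def sample_report():
    """Run the check against the constructed sample configuration."""
    return ipsec_offload_report(parse_fortios(SAMPLE_CONFIG), NP_PORTS)
```

In the sample, to_FGT2 gets both encryption and decryption offloaded but not traffic the FortiGate unit itself originates, because offload-ipsec-host is left at its default; legacy is not offloaded at all.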

This section contains example IPsec configurations whose IPsec encryption and
decryption processing is hardware accelerated by FortiGate-ASM-FB4 modules.
Figure 364 illustrates the example network topology. Table 142 lists the example network
interfaces and IP addresses.
Note: Hardware accelerated IPsec does not require both tunnel endpoints to have the
same network processor model. However, if hardware is not symmetrical, the packet
forwarding rate is limited by the slower side.
Figure 364: Example network topology for offloaded IPsec processing
[Figure: FortiGate_1 and FortiGate_2 connect across the Internet through their
FortiGate-ASM-FB4 port 2 (IPsec), addressed 3.3.3.1/24 and 3.3.3.2/24 respectively;
each unit’s protected network, 1.1.1.0/24 and 2.2.2.0/24, sits behind its
FortiGate-ASM-FB4 port 1.]

Table 142: Example ports and IP addresses for offloaded IPsec processing

                   FortiGate_1                            FortiGate_2
                   Port                      IP           Port                      IP
IPsec tunnel       FortiGate-ASM-FB4 port 2  3.3.3.1/24   FortiGate-ASM-FB4 port 2  3.3.3.2/24
Protected network  FortiGate-ASM-FB4 port 1  1.1.1.0/24   FortiGate-ASM-FB4 port 1  2.2.2.0/24

This section includes the following topics:
• Accelerated tunnel mode IPsec
• Accelerated interface mode IPsec

Accelerated tunnel mode IPsec
The following steps create a hardware accelerated tunnel mode IPsec tunnel between two
FortiGate units, each containing a FortiGate-ASM-FB4 module.
To configure hardware accelerated tunnel mode IPsec
1 On FortiGate_1, go to VPN > IPsec.
2 Configure Phase I.
For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP
is required.
Select Advanced. In the Local Gateway IP section, select Specify and type the VPN IP
address 3.3.3.2, which is the IP address of FortiGate_2’s FortiGate-ASM-FB4 module
port 2.
3 Configure Phase II.
If you enable the checkbox “Enable replay detection,” set enc-offload-antireplay to
enable in the CLI. For details on encryption and decryption offloading options
available in the CLI, see “Configuring VPN encryption/decryption offloading” on
page 2161.
4 Go to Firewall > Policy.
5 Configure one policy to apply the Phase 1 IPsec tunnel you configured in step 2 to
traffic between FortiGate-ASM-FB4 module ports 1 and 2.
6 Go to Router > Static.
7 Configure a static route to route traffic destined for FortiGate_2’s protected network to
the VPN IP address of FortiGate_2’s VPN gateway, 3.3.3.2, through the FortiGate-ASM-FB4
module’s port 2 (device).
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "AMC-SW1/2"
set dst 2.2.2.0 255.255.255.0
set gateway 3.3.3.2
next
end
8 On FortiGate_2, go to VPN > IPsec.
9 Configure Phase I.
For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP
is required.
Select Advanced. In the Local Gateway IP section, select Specify and type the VPN IP
address 3.3.3.1, which is the IP address of FortiGate_1’s FortiGate-ASM-FB4 module
port 2.
10 Configure Phase II.
If you enable the checkbox “Enable replay detection,” set enc-offload-antireplay to
enable in the CLI. For details on encryption and decryption offloading options
available in the CLI, see “Configuring VPN encryption/decryption offloading” on
page 2161.
11 Go to Firewall > Policy.
12 Configure one policy to apply the Phase 1 IPsec tunnel you configured in step 9 to
traffic between FortiGate-ASM-FB4 module ports 1 and 2.
13 Go to Router > Static.
14 Configure a static route to route traffic destined for FortiGate_1’s protected network to
the VPN IP address of FortiGate_1’s VPN gateway, 3.3.3.1, through the FortiGate-ASM-FB4
module’s port 2 (device).
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "AMC-SW1/2"
set dst 1.1.1.0 255.255.255.0
set gateway 3.3.3.1
next
end
15 Activate the IPsec tunnel by sending traffic between the two protected networks.
To verify tunnel activation, go to VPN > IPSEC > Monitor.

Accelerated interface mode IPsec
The following steps create a hardware accelerated interface mode IPsec tunnel between
two FortiGate units, each containing a FortiGate-ASM-FB4 module.
To configure hardware accelerated interface mode IPsec
1 On FortiGate_1, go to VPN > IPsec.
2 Configure Phase I.
For interface mode IPsec and for hardware acceleration, the following settings are
required.
• Select Advanced.
• Enable the checkbox “Enable IPsec Interface Mode.”
• In the Local Gateway IP section, select Specify and type the VPN IP address
3.3.3.2, which is the IP address of FortiGate_2’s FortiGate-ASM-FB4 module port 2.
3 Configure Phase II.
If you enable the checkbox “Enable replay detection,” set enc-offload-antireplay to
enable in the CLI. For details on encryption and decryption offloading options
available in the CLI, see “Configuring VPN encryption/decryption offloading” on
page 2161.
4 Go to Firewall > Policy.
5 Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration
you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4
module port 1.
6 Go to Router > Static.
7 Configure a static route to route traffic destined for FortiGate_2’s protected network to
the Phase 1 IPsec device, FGT_1_IPsec.
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "FGT_1_IPsec"
set dst 2.2.2.0 255.255.255.0
next
end

8 On FortiGate_2, go to VPN > IPsec.
9 Configure Phase I.
For interface mode IPsec and for hardware acceleration, the following settings are
required.
• Enable the checkbox “Enable IPsec Interface Mode.”
• In the Local Gateway IP section, select Specify and type the VPN IP address
3.3.3.1, which is the IP address of FortiGate_1’s FortiGate-ASM-FB4 module port 2.
10 Configure Phase II.
If you enable the checkbox “Enable replay detection,” set enc-offload-antireplay to
enable in the CLI. For details on encryption and decryption offloading options
available in the CLI, see “Configuring VPN encryption/decryption offloading” on
page 2161.
11 Go to Firewall > Policy.
12 Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration
you configured in step 9 to traffic leaving from or arriving on FortiGate-ASM-FB4
module port 1.
13 Go to Router > Static.
14 Configure a static route to route traffic destined for FortiGate_1’s protected network to
the Phase 1 IPsec device, FGT_2_IPsec.
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "FGT_2_IPsec"
set dst 1.1.1.0 255.255.255.0
next
end
15 Activate the IPsec tunnel by sending traffic between the two protected networks.
To verify tunnel activation, go to VPN > IPSEC > Monitor.


Index
Symbols
_email, 393
_fqdn, 393
_index, 393
_int, 393
_ipv4, 393
_ipv4/mask, 393
_ipv4mask, 393
_ipv4range, 393
_ipv6, 393
_ipv6mask, 393
_name, 393
_pattern, 393
_str, 393
_v4mask, 393
_v6mask, 393
%passwd%, 1022
%username%, 1022

Numerics
3DES, 390, 958, 2160
802.11 standard, 420
802.11 wireless protocols, 1865
802.1Q, 1235, 1239, 1242
802.3ad, 188
aggregate interface, 1496
802.3ad aggregate interface
full mesh HA, 1546
HA MAC addresses, 1496
port monitoring, 1496

A
a-a

load balance schedule, 1647
abort, 395
accelerated interfaces, 1087, 1349, 1424
accept, 216
accept action
firewall policy, 1993


accept any peer, 1997
Accept peer ID in dialup group, 937
accept policy, 219
Accept this peer certificate group only, 935
Accept this peer certificate only, 935
Accept this peer ID, 936
access
guest users, 754
access controls, 396
access point, 419
adding, 1888
enabling, 1890
Access Point Number (APN), 1850
accounting system
RADIUS, 1756
Active Directory - see Directory Service
active sessions
HA statistics, 1579
active-active
device failover, 1643
IPsec VPN, 1643
link failover, 1643
load balancing, 1441, 1643
network processor accelerated interfaces, 1646
operation mode, 1441
recommended practice, 1454
redundant interfaces, 1508
session failover, 1644
SSL VPN, 1643
traffic processed by primary unit, 1643
UTM sessions continue after a failover, 1633
active-active HA, 2157
active-passive
device failover, 1440
failover, 1596
LACP, 1497
link failover, 1441
operating mode, 1440
WAN optimization rules, 2003
active-passive mode
redundant interfaces, 1508
adding a default route, 365
adding bookmarks, 1022


adding configuring defining, 467
alert email message, 485
antivirus logging, 480
application control, 480
attack logging, 482
charts, 521
cloning a layout, 525
connecting using automatic discovery, FortiAnalyzer, 466
data leak prevention logging, 480
datasets, 521
DLP archiving, 483
email filter logging, 482
event logging, 479
executive summary reports, 527
explanation of log messages, 495
firewall policy traffic logging, 478
FortiAnalyzer reports, 526
FortiAnalyzer unit, 465
FortiGuard license expiry alert email, 486
generating a report, 526
hard disk, 464
images, 524
ips packet logging and archiving, 481
layout, 525
log messages, 495
log severity levels, 477
log types and subtypes, 475
logging, 457
logging practices, 457
multiple FortiAnalyzer units, 470
multiple syslog servers, 471
netscan logging, 482
overview, sql, 489
report schedule, FortiAnalyzer, 526
sql database reports, 527
styles, 523
syslog server, 467
system memory, 463
testing FortiAnalyzer configuration, 466
theme, 522
web filter logging, 481
webtrends server, 469
adding dashboards, 99
adding SCTP custom service, SIP, 113
adding SCTP policy route, SIP, 113
adding SCTP port forwarding virtual IP, 114
adding, configuring or defining
carrier end point HTTP header options, 1769
carrier end point IP filter, 1778
carrier end point MMS filter list, 1775, 1777
DHCP relay agent, 442
dynamic profile, 1759
log messages, FortiOS Carrier, 1762
policy route, 1229
RADIUS, 1756
server load balance port forwarding virtual IP, 2138
server load balance virtual IP, 2133
SNMP community, 429
Address, 1264


address, 193
CIDR format, 193
DHCP, 200
FDQN, 195
groups, 200
IP pool, 202
IP range, 194
IPv6, 205
matching, IP pool, 204
Address Name
firewall address, 1008, 1299
Address Resolution Protocol (ARP), 1264, 1366
Address Translation, 1780
address, IP address example, 952
ADM, 1646
admin password, 371
administration
schools, 446
administrative access, 187
administrative distance, 1068, 1069, 1217, 1218
ADM-XD4
security processing module, 2155
AES-128, 958, 2160
AES-192, 958, 2160
AES-256, 958, 2160
age
displaying cluster unit age, 1445
primary unit selection, 1445
reset the cluster age, 1447
resetting cluster unit age, 1447
agent
sFlow, 118
aggregate interface
HA MAC addresses, 1496
interface monitoring, 1496
recommended practice, 1454
aggregate interfaces, 188
aggregated subnets
for hub-and-spoke VPN, 808
aggregation, link, 957, 2156
air flow, 413
alert email, 1347
HA, 1583, 1584
alert message widget enhancement, 101
Alert Notification, 1793, 1812
ALG
changing the port numbers that the SIP ALG listens on,
1920
all policies, 1706
allow
pattern, 570
allow access, 187
Allow inbound, encryption policy, 952
Allow outbound, encryption policy, 952
ambient temperature, 413
ambiguous routing
resolving in FortiGate dialup-client configuration, 844
AMC
hard disk, 1453
AMC (Advanced Mezzanine Card), 2149
AMC module support, 109

Amount, 1785
amount, comfort clients
protection profile, 1786
anomaly
checks, 2165
hardware checks, 2165
IPS checks, 2165
anomaly protection
DoS, 538
antenna, 1868
antireplay, 958, 959, 960, 961, 2160, 2161, 2162, 2163, 2164,
2167, 2168, 2169, 2170
antispam, about, 168
antispam, see email filtering and FortiGuard, AntiSpam
anti-spoofing, 1068, 1086, 1217, 1423, 1860
AntiVirus, 1279
antivirus, 559, 957, 2156
archive scan depth, 566
change default database, 565
concepts, 559
databases, 562
enabling scanning, 564
example, 573
explicit web proxy, 2086
file filtering, 537
flow-based scanning, 560
FortiAnalyzer, 537
HTTPS, IMAPS, POP3S, SMTPS, 543
maximum file size, 567
override default database, 565
proxy-based scanning, 559
scan buffer size, 566
scanning order, 560
antivirus quarantine
HTTPS, IMAPS, POP3S, SMTPS, 544
antivirus scanning, 1386
antivirus, about, 165
Antivirus
SymbOS/Commwar.A!worm, 1784
SymbOS/Commwar.B!wm, 1783
SymbOS/Commwarriie.C-wm, 1784
AP profile
creating, 1877
described, 1876
AP unit
attaching, 1886
application
database, viewing, 1673, 1675
detection, 1673
sensor, 1673
application control, 538, 1708
explicit web proxy, 2086
monitor, 672
packet logging, 673


application layer, 957, 2156
application monitor, 672
Application-Control, 1279
archive antivirus scan depth, 566
archive content meta-information
MMS protection profile, 1801
archiving
DLP, 663
archiving support, local hard drives, 155
area, 1175
ARP, 2112
gratuitous, 1606
proxy ARP, 2112
request, 1368
resolution, 1424
ARP resolution, 1087
arp table, 1625, 1658
arp-reply
load balance virtual server, 2112
arps
CLI command, 1606
gratuitous, 1606
arps-interval
CLI command, 1606
AS
multihomed, 1080
number (ASN), 1080
stub, 1080
ASCII, 401, 708
assets
adding manually, 1687
discovering, 1685
selecting to scan, 1685
asymmetric routing, 1086, 1267, 1423, 1860
attached network equipment
failover, 1635
attributes
RADIUS, 701
authenticated access
configuring, 719
authenticating
based on peer IDs, 936
IPsec VPN peers and clients, 933
L2TP clients, 1303
PPTP clients, 1296
through IPsec certificate, 931
through XAuth settings, 942
authenticating FortiGate unit
with pre-shared key, 932
authenticating users
FortiGate, 711
with LDAP servers, 712
with RADIUS servers, 712
with TACACS+ servers, 712


authentication, 1870, 2004
authentication method, 2000
Citrix, 2086
explicit web proxy, 2084, 2086
firewall policy, 721
heartbeat, 1605
HTTP, 2086
Internet access, 723
IP Based, 1335
IPSec VPN, 724
L2TP, 727
NAT device, 2086
overview, 757
peer, 1998
PPTP VPN, 726
protocols, 720
proxy, 2086
SSL VPN, 723
SSL VPN timeout, 724
timeout, 719
VPN, 723
VPN client-based, 698
WAN optimization peer authentication, 1997
web proxy, 2086
web-based user, 697
Windows Terminal Server, 2086
XAuth, 725
Authentication Algorithm, Manual Key, 888
authentication group
authentication method, 2000
certificate, 2000
password, 2000
pre-shared key, 2000
Authentication Key, Manual Key, 888
authentication protocols
ASCII, 708
CHAP, 708
MS-CHAP, 708
PAP, 708
setting, 721
TACACS+ servers, 708
authentication server, external
for L2TP, 1303
for PPTP, 1295
for XAuth, 942
authentication servers
Directory Service, 709
LDAP, 703
RADIUS, 701
TACACS+, 707
authentication timeout
firewall, 719
setting, 719
SSL VPN, 719, 724
authentication timeout setting, 983
auto-install, 380
Autokey Keep Alive
IPsec interface mode, 949
Autokey Keep Alive, Phase 2, 947

B
back to HA monitor
HA statistics, 1578


backing up configuration, 93
backup
cluster configuration, 1583
backup unit, 1433
See Also subordinate unit, 1433
backup VPN, 879
band
radio bands for wireless LANs, 1865
bandwidth, 1700, 1872
calculation method, 2158
guaranteed, 1697, 1706
limitation, 2158
maximum, 1706, 2005
zero, 1706
bandwidth cost, 1270
bandwidth guarantees, 2156
baud rate, 404
BGP
graceful restart, 1618
bgp
attribute
AS_PATH, 1138
ATOMIC_AGGREGATE, 1140
COMMUNITY, 1139
MULTI_EXIT_DESC, 1139
NEXT_HOP, 1140
BGP-4+, 1131
clearing routes, 1133, 1144
control plane, 1146
flap, 1146
graceful restart, 1146
MED, 1139
neighbors, 1133
password, MD5, 1133
RFC 1997, 1139
route reflectors (RR), 1135
stabilizing the network, 1146
BGP support, four-byte AS path, 133
BGP, IPv6, 1278
BGP4+, 1278
bidirection, 2158
Bi-directional Forwarding Detection (BFD), 1147
billing, 1780
binding
LDAP servers, 703
bits per second (bps), 388
black list, 538
blackhole route, 1217
blades, ELBC configuration, 108
blended network attacks, about, 168
block, 1965
carrier end point, 1775
pattern, 570
block traffic, 1706
blocking
http access by ip, 452
port 25, 450
blocking of users
Endpoint NAC, 1671
Blowfish, 390


body
SIP message, 1898
bookmarks
user-defined, 1022
bookmarks, web-portal, 1021
boot interrupt, 387
border gateway protocol (BGP). See routing, BGP
BPDU
message exchange, 1659
branch, 1971
bridge protocol data unit, 1659
broadcast domains, 1235
broadcast storm, 1264
broken cluster unit
replacing, 1495
buffer size
IPS, 608
byte cache, 1981

C
CA certificate, 542
cache
exempting from web caching, 2032
cache cleaner
introduction, 977
cache engine
WCCP, 2097
call-keepalive, 1923
captive portal, 1869
creating, 1882
carrier end point, 1756, 1775
blocking, 1775
configuring the filter list, 1777
delete from communication session, 1769
filtering, 1775
hexadecimal, 1770
IP filter, 1778
IP filtering, 1777
logging, 1761
MMS filtering, 1775
patterns, 1775, 1777
prefix options, 1770
RADIUS attribute, 1761
user context list, 1757
carrier end point filtering, 1737, 1821
carrier end point header
delete, 1769
carrier end point MMS filter list
adding to an MMS protection profile, 1775
adding to MMS protection profile, 1775
carrier end point MMS filtering
blocking MMS messages, 1775
carrier end point pattern
Perl regular expression, 1775
regular expression, 1775
wildcard, 1775
carrier menu, 151
case sensitivity
Perl regular expressions, 405
CB2, 1646
central NAT, 441

central NAT table, 131
certificate
authentication group, 2000
key size, 542
SSL, 542
Certificate Name, Phase 1, 932
certificate request, 759
generating, 758
certificate revocation list
importing, 762
certificate, IPsec
group, 935
Local ID setting, 935
using DN to establish access, 934
viewing local DN, 935
certificate, security, 362
certificates
importing CRL, 762
installing root CA, 761
installing signed server, 761
obtaining signed server, 761
self signed, 1019
certification, 85
changing session TTL for SCTP traffic, 114
channels
for 802.11a, 1866
for 802.11b, 1867
for 802.11g, 1868
for 802.11n 5GHz, 1866
radio channels for wireless LANs, 1865
CHAP, 708, 1294
Charging Data Function (CDF), 1748
Charging Data Record (CDR), 1749
CIDR, 393, 2007
cipher suite, SSL negotiations, 983
Cisco
router configuration, 1247, 1262
switch configuration, 1247, 1252, 1261
Cisco switch configuration, 1381
Cisco VPN, 913
Citrix
authentication, 2086
Classless Inter-Domain Routing (CIDR), 1071, 1072, 1270,
1272
CLI, 2167
connecting, 387
connecting to the, 387
get commands, troubleshooting, 105
grep, 103
is-is commands, 104
session-pickup, 1599, 1630
upgrading the firmware, 379
CLI command, 1464, 1469, 1475, 1480, 1487, 1490, 1499,
1503, 1510, 1514, 1530, 1534, 1549, 1553, 1609
CLI Console widget, 388
CLI syntax conventions, 83
client
downloading, 1034
using Linux, 1038
using Mac OS, 1040
using Windows, 1036
WCCP, 2097


client certificate handling, SSL inspection, 121
client comforting, 1785
client IP
assigning with RADIUS, 830
client mode, 422
Client to FortiGate
SSL offloading, 2124, 2125
Client to FortiGate to Server
SSL offloading, 2124, 2125
cluster
adding a new FortiGate unit, 1494
configuring in transparent mode, 1473
connecting an HA cluster, 1439
converting a standalone FortiGate unit, 1492
definition, 1455
operating, 1557
replacing a failed cluster unit, 1495
virtual cluster, 1523
cluster configuration
backup, 1583
restore, 1583
troubleshoot, 1466, 1472, 1478, 1484, 1488, 1492, 1500,
1505, 1511, 1516, 1519, 1520, 1551, 1555
cluster member, 1576, 2157
cluster members list, 1576
priority, 1577
role, 1576
cluster name, 1442
cluster unit
connect to a cluster, 1591
definition, 1455
disconnect from a cluster, 1591
getting information using SNMP, 1574, 1575
getting cluster unit serial numbers, 1575
getting serial numbers using SNMP, 1575
SNMP get, 1574, 1575
cluster units, 1432
collector
sFlow, 118
collector agent
settings, 737
specifying, 750
column settings, firewall policies, 218
command, 391
abbreviation, 399
completion, 399
help, 399
multi-line, 399
comments
firewall policy, 1011, 1012
comments, documentation, 86
common name
LDAP servers, 704
concentrator, defining, 811
concepts
antivirus, 559
web filtering, 538
concurrent username restriction, 117
configuration
backup, 1583
collector agent, 737
collector agent Ignore User list, 739
collector agent LDAP access, 739
collector agent TCP ports, 742
FortiGate firewall policies, 753
LDAP server, FortiGate unit, 748
restore, 1583
synchronization, 1611
testing, 755
configuration synchronization, 1597
disabling, 1611
configuration, backing up, 93
configuration, ELBC blade, 108
configuration, general steps, 979
configure
DNS, 364, 368
FortiGuard, 371
interfaces, 362
restore, 376
configuring
alert email message, 485
authenticated access, 719
dynamic DNS VPN, 822
firewall policy authentication, 721
FortiAnalyzer reports, 526
FortiClient dialup-client VPN, 831
FortiClient in dialup-client VPN, 836
FortiGate dialup-client VPN, 846
FortiGate in dialup-client IPsec VPN, 848
gateway-to-gateway IPsec VPN, 795
hub-and-spoke IPsec VPN, 807
Internet access authentication, 723
IPSec VPN authentication, 724
L2TP VPN authentication, 727
local users, 712
manual keys, 887
multiple FortiAnalyzer units, 470
multiple syslog servers, 471
peer user groups, 717
peer users, 713
PPTP VPN authentication, 726
sql database reports, 527
SSL VPN authentication, 723
transparent mode IPsec VPN, 885
WAN optimization peer, 1999
XAuth authentication for IPSec dialup users, 725
XAuth authentication with LDAP servers, 725
XAuth authentication with RADIUS servers, 725
configuring a FortiGate unit for HA operation, 1437
configuring assets, 144
configuring charts, 158
configuring layouts, 159
configuring profile group, FortiOS Carrier, 152
configuring themes, 156
connected monitored interfaces
primary unit selection, 1444

FortiOS™ Handbook FortiOS 4.0 MR2
01-420-99686-20100714
http://docs.fortinet.com/ • Feedback
connecting
to FTP server, 1024
to PC by RDP, 1026
to PC by VNC, 1029
to secure HTTP gateway, 1019
to SMB/CIFS file share, 1025
to SSH server, 1026
to telnet server, 1023
to web portal, 1019
to web server, 1023
to web-based manager, 980
web-based manager, 361
connecting a FortiGate HA cluster, 1439
connecting to the FortiMail CLI using SSH, 389
connecting to the FortiMail CLI using Telnet, 390
connecting to the FortiMail console, 387
connecting using automatic discovery, FortiAnalyzer, 466
Connection Tool
using, 1023
connections
defining bookmarks to, 1022
connectivity, testing for, 1023
conservation mode, 434
conserve mode, 539
console messages
synchronization fails, 1614
contact-fixup, 1949
content archive
MMS protection profile, 1800
content archive options
metadata, 1800
summary, 1800
content blocking, 1737
content meta-information
protection profile option, 1801
content scanning
SSL, 541
Content-Length
SIP header, 1965
control plane, 1146
controlling source interface IP, self-originating traffic, 121
conventions, 79, 391
convergence, 1071, 1147
cookie, 1782
persistence, 271, 2123
coverage, 1872
cp1252, 402
CPU load, 1337, 1386
CPU usage
HA statistics, 1578
creating
local users, 712
peer user groups, 717
peer users, 713
user groups, 716
cryptographic load, 957, 2160
custom services, 209
custom signature
adding, 597
customer communication session, 1756, 1775
customer identifying information, 1756, 1775
customer service, 86, 1337

D
dampening, 1146
reachability half-life, 1146
dashboards, adding, 99
data leak prevention (DLP), see DLP
Data-Leak-Prevention, 1279
date
quarantine files list, 488
date and time, 370
DB-9, 387
DC
quarantine files list, 488
DCE-RPC, 1311
dcerps
session helper, 1311
DDNS services, subscribing to, 822
Dead entry timeout
collector agent configuration, 738
dead gateway detection, 1108
Dead Peer Detection, Phase 1, 940, 941
debug
diagnose, 1616
Declined Disclaimer page
modifying, 1883
decryption, 2161, 2162, 2163, 2164, 2167, 2168, 2169, 2170
dedicated monitoring
interface, 1559
deep scan, 543
deep SIP message inspection, 1961
default
adding a route, 365
VoIP profile, 1920
default port
RADIUS servers, 702
TACACS+ servers, 707
default route, 365, 1245
NAT/Route example, 1361
VDOM example, 1363
VLAN, 1245
definitions, 391
delete
carrier end point header, 1769
IP address header, 1769
delete, shell command, 394
deleting
local users from FortiGate configuration, 713
user group from FortiGate configuration, 718
denial of service
policies, 217, 221
deny, 216
deny policy, 220, 280
deployment, 1871
deployment topology, 976, 1044
DES, 958, 2160
destination
firewall policy, 1010, 1012, 1013, 1014, 1047, 1048, 1054, 1055
destination NAT
SIP, 1945
destination network address translation (DNAT)
virtual IPs, 197, 199
details, firewall policies, 218
device
failure, 1596
device failover, 1595, 1597
active-active, 1643
active-passive, 1440
configuration synchronization, 1597
definition, 1456
HA heartbeat, 1597
IPsec SA synchronization, 1597
route synchronization, 1597
virtual MAC address, 1597
device priority, 1580
primary unit selection, 1444, 1447, 1448
subordinate unit, 1580
devices
FortiAnalyzer unit, 460
FortiGuard Analysis server, 460
local disk, amc disks, 459
netiq webtrends, 460
sql database, 459
syslog server, 460
system memory, 459
DH Group
IPsec interface mode, 948
DH Group, Phase 1, 939, 940
DH Group, Phase 2, 946
DHCP, 200, 363, 1453
configuring relay agent, 442
for WLAN, 1880
relay, 1453
server, 1453
servers and relays, 442
service, 442
DHCP relay
in FortiClient dialup-client configuration, 834
in FortiGate dialup-client configuration, 844
DHCP server
for AP unit control channel, 1889
in FortiClient dialup-client configuration, 834
DHCP-IPsec
IPsec interface mode, 949
DHCP-IPsec, phase 2, 947
diagnose
firewall vip realserver, 2117
firewall vip virtual-server, 2117
flow trace, 283
session list, 281
sniffer packet, 286
sys checkused, 283
sys ha reset-uptime, 1447
sys ha showcsum, 1616
diagnose commands, 1092
FortiOS Carrier, 1855
diagnose debug, 1616
diagnose hardware deviceinfo nic, 1464, 1469, 1475, 1480, 1487, 1490, 1499, 1503, 1510, 1514, 1530, 1534, 1549, 1553
CLI command, 1609
diagnose sys ha dump, 1445
diagnose sys sip, 1916, 1921
diagnose sys sip debug-mask, 1916
diagnose sys sip dialog, 1916
diagnose sys sip mapping list, 1916
diagnose sys sip status, 1917
diagnose sys sip-proxy calls, 1921
diagnose sys sip-proxy filter, 1921
diagnose sys sip-proxy log-filter, 1921
diagnose sys sip-proxy meters, 1921
diagnose sys sip-proxy stats, 1921
diagnose test application sip, 1921
diagnostics
debug the packet flow, 1424
packet sniffing, 1423
traceroute, 1364
tracert, 1253, 1364
dialog
SIP, 1897, 1903
dialup users
configuring authentication for, 724
dialup-client IPsec configuration
configuration steps for FortiGate dialup clients, 846
DHCP relay for FortiClient VIP, 834
DHCP server for FortiClient VIP, 834
dialup server for FortiClient dialup clients, 831
dialup server for FortiGate dialup clients, 846
FortiGate client configuration, 848
infrastructure requirements for FortiClient access, 831
infrastructure requirements for FortiGate client access, 845
dictionary
RADIUS attributes, 702
differentiated services, 1711
mapping, 1716
Diffie-Hellman algorithm, 939, 946
Dijkstra’s algorithm, 1177
directory
LDAP servers, 703
Directory Service
user groups, 717
Directory Service servers, 709
disabling, 1310
Disclaimer page
enabling, 1884
modifying, 1882
disconnecting a unit from a cluster
override, 1453
disk I/O scalability, 108
disk management, 107
disk I/O scalability, 108
storage health monitor, 108
distance vector protocols, 1072
distinguished names
elements, 704
LDAP servers, 704
list of, 706
Distributed Computing Environment Remote Procedure Call (DCE-RPC), 1311
DLP, 653
archiving, 663
default rules, 658
default sensors, 662
explicit web proxy, 2086
NAC quarantine logging, 660
DLP archive
displaying on dashboard, 545
HTTPS, IMAPS, POP3S, SMTPS, 545
DLP archiving, 1737
DNAT, 957, 1389, 2156
virtual IPs, 197, 199
DNS, 1311
split, 443, 445
TTL, 195
DNS lookups, 1347
DNS override, 363
DNS server, dynamic DNS configuration, 821, 822
dns-tcp
session helper, 1311
dns-udp
session helper, 1311
document conventions
CLI syntax, 83
documentation, 85
commenting on, 86
conventions, 79
Fortinet, 85
domain component
LDAP servers, 704
domain name server
configure, 368
domain name server, configure, 364
domain name, dynamic DNS configuration, 821, 822
DoS
anomaly protection, 538
policies, 217, 221
sensors, 221
DoS sensor
SCCP, 1967
SIP, 1967
dotted decimal, 393
double NAT example, 269
download
quarantine files list, 488
downloading
tunnel client, 1034
downloading firmware, 378
duplicate MAC, 1264
dynamic DNS configuration
configuration steps, 822
domain name configuration, 822
infrastructure requirements, 822
overview, 821
remote VPN peer configuration, 824
supported DDNS services, 822
dynamic IP address
for remote host, 827
FortiGate DDNS peer, 821
FortiGate dialup client, 843
dynamic IP pool
SIP, 1946
dynamic NAT, IP pools, 203
dynamic profile, 1755, 1759
assigning profile groups, 1733
carrier end point logging, 1761
configuring the accounting system, 1756
default protection profile, 1756
enabling, 1760
event log messages, 1762
example, 1763
FortiGuard overrides, 1761
log message period, 1763
log settings, 1762
missing header: use session IP address, 1768
protocol settings, 1760
RADIUS, 1733, 1761
RADIUS Stop record, 1757
timeout options, 1762
user context list, 1757
WAP traffic, 1756
Dynamic Profile Users Only, 1758
dynamic proxy allocation, 102
dynamic routing
failover, 1618

E
earthing, 414
ECMP, 1217
edirectory - see Directory Service
edit
shell command, 394
EEI (Enhanced Extension Interface), 2151
EICAR, 573
eip
vpn pptp, 1298
ELBC blade configuration, 108
elements
distinguished names, 704
email filter
Perl regular expressions, 1798
techniques, 168
email filter, about, 168
email filtering
IMAPS, POP3S, SMTPS, 544
email filtering, see also FortiGuard, AntiSpam, 538
Enable perfect forward secrecy (PFS)
IPsec interface mode, 948
Enable perfect forward secrecy (PFS), Phase 2, 946
Enable replay detection
IPsec interface mode, 948
Enable replay detection, Phase 2, 946
enable session pickup, 1630
encryption, 2161, 2162, 2163, 2164, 2167, 2168, 2169, 2170
heartbeat, 1605
Encryption Algorithm, Manual Key, 888
Encryption Key, Manual Key, 888
encryption policy
allow outbound and inbound, 952
defining IP addresses, 951
defining IPsec, 953
defining multiple for same IPsec tunnel, 954
enabling specific services, 953
evaluating multiple, 954
outbound and inbound NAT, 952
traffic direction, 953
encryption types, 1869
end
command in an edit shell, 395
shell command, 395
end point
See carrier end point, 1756
endpoint
viewing information, 1679
endpoint application enforcement, 143
Endpoint Mapper (EPM), 1311
endpoint menu enhancements, 143
Endpoint NAC
blocked users, 1671
modifying download portal, 1679
modifying recommendation portal, 1679
modifying replacement pages, 1679
monitoring endpoints, 1678
endpoint profiles, 1676
endpoints
monitoring, 1678
engine algorithm
IPS, 607
engine count
IPS, 607
enhanced packet-matching, 1082
environment variables, 400
Equal Cost Multipath (ECMP), 1217
equipment
FortiAP unit, 1871
FortiWiFi unit, 1870
wireless, 1870
escape sequence, 400
ESP, 2160
event log
dynamic profile, 1762
example
blocking IP address, 227
complex SSL VPN, 1049
dynamic protection profile configuration, 1763
Endpoint NAC configuration, 1680
inter-VDOM, 1396
limiting concurrent explicit proxy users, 117
NAT/Route VDOM, 1355
OS patch check, 1057
profile configuration and applying to a firewall policy, 129
scheduled access, 228
sFlow client configuration, 118
VDOM, 1355
VLAN NAT/route, 1246
example IPSec configurations, 2161, 2167
examples
blocking images for MMS messages, FortiOS Carrier, 151
configuring multiple FortiAnalyzer units, 472
gateway-to-gateway VPN, 797
grep command, 103
hub-and-spoke VPN, 816
report styles, 524
reports, 528
sql statements, 490
execute
ha synchronize all, 1612
execute shutdown, 415
exempt
web cache, 2032
explicit, 1335
explicit mode
WAN optimization, 2004, 2009
explicit proxy, 1335
explicit proxy improvements, 130
explicit web proxy, 1632, 2079
antivirus, 2086
application control, 2086
authentication, 2084, 2086
DLP, 2086
FortiGuard overrides, 2087
FortiGuard quotas, 2087
FortiGuard Web Filtering, 2087
FortiGuard web filtering, 2086
FTP, 2079
HTTPS, 2079
intrusion protection, 2086
IPS, 2086
load balancing, 1643
PAC, 2079
protocol options, 2086
proxy auto-config, 2079
SOCKS, 2079
UTM, 2081, 2086
web filtering, 2086
Exterior Gateway Protocol (EGP), 1131
extreme antivirus database, 137

F
FA2, 1646
FA2 (NP1) processor, 2151
failed cluster unit
replacing, 1495
fail-open
IPS, 608
failover, 1442
active-passive, 1596
and attached network equipment, 1635
attached network equipment, 1659
definition, 1456
delayed, 1659
device, 1595, 1597
dynamic routing, 1618
enabling session failover, 1630
GTP and HA session failover, 1633
HA, 1433
heartbeat, 1456
issues with layer-3 switches, 1658
link, 1457, 1595, 1621
monitoring cluster units, 1583
session, 1596, 1630
failover protection, 1523
active-passive operating mode, 1440
virtual clustering, 1523
failure
definition, 1456
device, 1596
link, 1596, 1621
multiple link failures, 1625
FAQ, 86
fast path
required session characteristics, 957, 2156
fast path requirements, 2156
fast roaming, 1873
FB4, 1646
FB8, 1646
FC 2071, 1270
FDN, 1565
FQDN, 195
features, top ten, 87
FGCP
definition, 1456
FGT_ha_admin
HA administrator account, 1591
field, 392
SIP, 1907
field commands, 395
file
quarantine, 1575
file block
default list of patterns, 1790
file filtering, 570
antivirus, 537
enabling, 572
general configuration steps, 571
file name
quarantine files list, 488
file pattern, 560, 563, 570
creating, 571
file quarantine
configuring, 569
general configuration steps, 569
file sharing, 1393
file size, 560, 563
File transfer protocol (FTP), 1311
file type, 560, 563, 570
creating, 571
filter
carrier end point, 1775
carrier end point MMS filtering, 1775
IPS, 595
quarantine files list, 488
filter list
carrier end point, 1777
IP, 1757
final
SIP response message, 1905
firewall
configuring user groups, 716
creating user groups, 716
Internet access authentication, 723
IPSec VPN dialup user access, 715
load balancing, 1632
policy authentication, 721
policy matching, 2006
protection profile, 1375
schedule, 1374
service group, 1353
stateless, 1263
user authentication timeout, 719
user groups, 715
firewall address, 1249, 1359, 1374, 1378
address name, 1008, 1299
IP range/subnet, 1008, 1299
NAT/Route VDOM example, 1359
simple VDOM NAT/Route example, 1362
subnet, 1008, 1299
VDOM NAT/Route example, 1361
VLAN example, 1249
firewall IP addresses
defining, 951
defining L2TP, 1304
firewall load balancing, 2004
firewall policies, 218, 366, 1881
accept, 216
adding NAT policies to transparent mode, 265
and Endpoint NAC, 1677
basic accept, 219
basic deny, 220
basic VPN, 220
checking, 279
column settings, 218, 279
denial of service, 217, 222
deny, 216
ICMP packets, 227
identity-based, 224
IPsec, 216
log messages, 280
multicast, 238
one-armed sniffer, 223
policy order, 216
rearrange, 217
schedule example, 228
ssl-vpn policies, 216
verify traffic, 279
firewall policy, 566, 1360, 1709, 1988, 2003
accept action, 1993
adding an MMS protection profile, 1745
changing the position in the policy list, 2007
comments, 1011, 1012
defining for policy-based VPN, 952
defining for route-based VPN, 955
defining L2TP, 1304
defining PPTP, 1298
deleting, 2007
destination, 1010, 1012, 1013, 1014, 1047, 1048, 1054, 1055
hub to spoke, 813
identity-based, 2004
insert policy before, 2005
inter-VDOM, 1386
matching, 2006
maximum bandwidth, 2005
moving, 2007
policy-based, for FortiGate dialup client, 849
policy-based, for gateway-to-gateway, 796
policy-based, for hub-and-spoke, 811
route-based, for FortiGate dialup client, 848
route-based, for gateway-to-gateway, 796
route-based, for hub-and-spoke, 810
sniffer, 222
source, 1010, 1012, 1013, 1014, 1047, 1048, 1054, 1055
spoke to spoke, 814
traffic priority, 2005
using as route-based "concentrator", 813
VDOM, 1353, 1354
VDOM example, 1360, 1362, 1379
VLAN, 1245
VLAN example, 1250
VLAN Transparent, 1255, 1259, 1370
web-only mode access, 1008
firewall policy and strong authentication, 767
firewall vip realserver
diagnose, 2117
firewall vip virtual-server
diagnose, 2117
firmware
backup and restore from USB, 383
download, 378
from system reboot, 381
installing, 381
revert from CLI, 380
reverting with web-based manager, 378
testing before use, 384
testing new firmware, 384
upgrade from CLI, 379
upgrade with web-based manager, 378
upgrading using the CLI, 379
firmware install, 2151
firmware upgrade
HA, 1580
first alive
load balancing, 2113
fixed ports, IP pools, 203
flood, 1803
flow control, 388
flow inspection, 175
flow trace, 283
flow, reverse shaping, 1710
flow-based antivirus database, 136
FortiAccel (NP1) processor, 2151
FortiAnalyzer, 1566
antivirus, 537
quarantine, 569
FortiAnalyzer traffic reports, 2150
FortiAnalyzer unit, 460
FortiAP unit, 1871
connecting to CLI, 1888
FortiClient
download location, 1672
required version, 1672
FortiClient dialup client configuration
example, 838
FortiClient dialup-client configuration
configuration steps, 831
FortiClient configuration, 836
overview, 827
FortiClient dialup-client IPsec configuration
VIP address assignment, 829
FortiClient peer, 1989
FortiGate
authenticating users, 711
authenticating with XAuth, 725
configuring to use LDAP server, 705
configuring to use RADIUS server, 702
configuring to use TACACS+ server, 708
IPSec VPN, 724
FortiGate dialup client IPsec configuration
policy-based firewall policy, 849
route-based firewall policy, 848
FortiGate dialup-client IPsec configuration
FortiGate acting as client, 843
using DHCP relay in, 844
FortiGate documentation
commenting on, 86
FortiGate features, logging, 458
FortiGate unit
adding to a cluster, 1494
converting from standalone to a cluster, 1492
replacing a failed, 1495
FortiGate unit serial number
primary unit selection, 1449
FortiGate-ASM-FB4, 2161, 2167
FortiGate-ASM-S08 module, 569
FortiGate-ASM-SAS module, 569
FortiGuard, 371, 1565
AntiSpam, 538
Antivirus, 85, 564, 569
as source of antivirus signatures, 1671
as source of application signatures, 1671
as source of FortiClient installer, 1671
services, 85
Web Filtering, 538, 544
HTTPS, 544
FortiGuard Analysis and Management Service, 1800, 1801
FortiGuard Analysis server, 460, 467
FortiGuard Antispam, 1565
FortiGuard Antivirus, 1565
FortiGuard Center, 564
FortiGuard Distribution Network, 1565
FortiGuard Intrusion Protection, 1565
FortiGuard overrides, 1771
dynamic profile, 1761
explicit web proxy, 2087
FortiGuard quotas
explicit web proxy, 2087
FortiGuard service, 1347
FortiGuard Web Filter quota, 644
FortiGuard Web Filtering, 1565
explicit web proxy, 2087
FortiGuard web filtering
explicit web proxy, 2086
FortiGuard web filtering quotas, 135
FortiGuard, Distribution Network, 563
FortiMobile app, 141
Fortinet
customer service, 1337
Knowledge Center, 86
Technical Documentation, 85
Technical Documentation, conventions, 79
Technical Support, 86
Technical Support, registering with, 85
Technical Support, web site, 85
Training Services, 85
Fortinet customer service, 86
Fortinet documentation, 85
Fortinet Knowledge Center, 86
Fortinet MIB, 431, 434
FortiWiFi unit, 1870
configuring as an AP unit, 1888
forward delay
spanning tree parameter, 1658
forwarding
MAC forwarding table, 1625, 1658
fragmented packets, 958, 2156
frame size, 2150
frame size, maximum, 2151
framed-ip-addr
RADIUS field, 1761
frequency, 420
fsae enhancements, 102
FSM
hard disk, 1453
FTP, 2157
explicit web proxy, 2079
FTP server, connecting to, 1024
full mesh
HA, 1545
redundant HA heartbeat interfaces, 1546
full mesh HA, 1433, 1545
configuration example, 1547
definition, 1456
full mode
SSL offloading, 2124, 2125
fully qualified domain name (FQDN), 393
fuzzing protection
SIP, 1961

G
GARP, 1606
gateway, 365
Gateway Function (CGF), 1748
Gateway GPRS Support Node (GGSN), 1747
gateway-to-gateway IPsec configuration
configuration example, 797
configuration steps, 795
infrastructure requirements, 794
overview, 793
policy-based firewall policy, 796
route-based firewall policy, 796
GB2312, 402
general configuration steps
file filtering, 571
file quarantine, 569
General Packet Radio Service (GPRS), 1747, 1845
generating
IPsec phase 1 keys, 939
IPsec phase 2 keys, 946
Generic Access Network (GAN), 1850
Generic Routing Encapsulation (GRE), 1294
get
edit shell command, 395
shell command, 395
test vs, 2116
get commands, troubleshooting, 105
get hardware nic, 1464, 1469, 1475, 1480, 1487, 1490, 1499, 1503, 1510, 1514, 1520, 1530, 1534, 1549, 1553, 1609
get system performance status, 1572
get test ipldb, 2116
get test sip, 1921
Global System for Mobile Communications (GSM), 1747, 1845
glossary, 86
GPRS System Node (GSN), 1752
Gr interface, 1751
graceful restart, 1146
BGP, 1618
OSPF, 1618
gratuitous ARP packets, 1606
gratuitous arps, 1606
grayware, 560, 563
scanning, 572
grayware, about, 167
GRE-over-IPsec VPN, 913
grep command, CLI, 103
grounding, 414
group filters
FortiGate, on collector agent, 740
group ID
changing, 1610
HA configuration option, 1442
virtual MAC address, 1610
group name
HA cluster name, 1442
HA configuration option, 1442
group-id
CLI command, 1610
groups
Windows AD, viewing on FortiGate, 751
groups, addressing, 200
GSM EDGE Radio Access Network (GERAN), 1850
GTP
HA session failover, 1633
GTP UDP
session failover, 1633
GTP-U (GTP user data tunnelling), 1856
guaranteed bandwidth, 1700, 1706
guest network, 1869
Gx interface, 1751
Gz, 1751

H
H.245, 1312
H.323, 1308
h245I
session helper, 1312
H323, 1312
h323
session helper, 1312
HA, 1144, 1576
alert email, 1583, 1584
changing firmware upgrade, 1581
cluster member, 1576
cluster members list, 1576
configure weighted-round-robin weights, 1647
configuring virtual clustering, 1527, 1529, 1533
connect a cluster unit, 1591
disconnect a cluster unit, 1591
event log message, 1566
FGT_ha_admin administrator account, 1591
firmware upgrade, 1580
full mesh and 802.3ad aggregate interfaces, 1546
full mesh and redundant heartbeat interfaces, 1546
full mesh HA configuration example, 1547
GTP session failover, 1633
hello state, 1566
host name, 1576
IPS processing, 606
link failover scenarios, 1625
log message, 1566
manage individual cluster units, 1590
manage logs for individual cluster units, 1566
monitor cluster units for a failover, 1583
reserved management interface, 124
router monitor, 1064, 1211
routes, 1064, 1211
SIP session failover, 1969
SNMP and reserved management interface, 124, 1560
standby state, 1566
states, 1566
subordinate unit device priority, 1580
subordinate unit host name, 1580
viewing HA statistics, 1578
virtual cluster, 1523
virtual domains, 1523
work state, 1566
HA group ID
changing, 1610
HA group name, 1442
HA heartbeat, 1597
definition, 1456
HA session offloading, 2157
HA statistics
active sessions, 1579
back to HA monitor, 1578
CPU usage, 1578
intrusion detected, 1579
memory usage, 1579
monitor, 1578
network utilization, 1579
refresh every, 1578
serial no, 1578
status, 1578
total bytes, 1579
total packets, 1579
up time, 1578
virus detected, 1579
HA virtual MAC address
definition, 1456
ha_daemon
HA user interface, 1570
HA, virtual cluster, 1395
ha-eth-type
CLI command, 1603, 1660
half mode
SSL offloading, 2124, 2125
hard disk
AMC, 1453
FSM, 1453
hardware
get hardware nic command, 1464, 1469, 1475, 1480, 1487, 1490, 1499, 1503, 1510, 1514, 1530, 1534, 1549, 1553, 1609
hash map, 1601
hb-interval, 1604
hb-lost-threshold, 1603
hc-eth-type
CLI command, 1603, 1660
header
SIP, 1907
SIP messages, 1898
health check
ping, 2119
health check monitor
matched content, 2115
real server, 2115
health monitor
real server, 2115
heartbeat, 1597
authentication, 1605
changing the heartbeat interval, 1604
changing the hello state hold-down time, 1604
changing the lost heartbeat threshold, 1603
definition, 1456
encryption, 1605
modifying heartbeat timing, 1603
heartbeat device
definition, 1456
heartbeat failover
definition, 1456
heartbeat interface, 1599
configuring, 1599
priority, 1599
recommended practice, 1454
selection, 1600
switch interfaces, 1600
virtual clustering, 1524
heartbeat interfaces, 1524
hello state
changing the time to wait, 1604
definition, 1456
hello state hold-down time
changing, 1604
helo-holddown, 1604
heuristics, 560, 563
hexadecimal
carrier end point, 1770
hierarchy
LDAP servers, 704
high availability
definition, 1457
high availability (HA), 2157
active-active, 2157
load balancing, 2157
High Speed Packet Access (HSPA), 1850
HMAC check offloading, 2161
HNT, 1957
hnt-restrict-source-ip, 1960
Home Location Register (HLR), 1749
home location registers (HLRs), 1751
Home Network Identity (HNI), 1849
home page, web portal features, 1020
host check
introduction, 977
OS, 1004
host ID
peer, 1988, 1997
host name, 1580
recommended practice, 1454
host OS
patch check, 1004
hosted NAT traversal
See HNT, 1957
hosted-nat-traversal, 1959
hostname
cluster members list, 1576
how-to, 86
HTTP, 1245
authentication, 2086
persistence, 2123
unknown HTTP sessions, 2011
http blocking, 452
HTTP cookie
persistence, 271, 2123
HTTP header, 1756, 1775, 1781
HTTP header options
configuring, 1767, 1768
missing header: use session IP address, 1768
WAP traffic, 1767
HTTP multiplexing, 1632
load balancing, 1643
HTTP rule
non-HTTP sessions, 2010
HTTPS, 1245
antivirus, 543
antivirus quarantine, 544
data leak prevention, 544
DLP archive, 545
explicit web proxy, 2079
FortiGuard Web Filtering, 544
load balancing, 1643
persistence, 2123
protocol recognition, 543
web filtering, 544
hub
HA schedule, 1644
hub-and-spoke
spoke subnet addressing, 808
hub-and-spoke IPsec configuration
concentrator, defining, 811
configuration example, 816
hub configuration, 809
infrastructure requirements, 808
overview, 807
policy-based concentrator, 811
policy-based firewall policy, 811
route-based firewall policy, 810
route-based inter-spoke communication, 812
spoke configuration, 813
humidity, 413

I
ICMP land, 2165
ICMP processing, 227
ID tag, 1236, 1239
identity-based firewall policies, 2004
identity-based policy, 224
position, 226
Idle timeout
VPN connection, 698
idle timeout setting, 983
IDS
one-armed IDS, 538
IEEE 1394 (FireWire), 1271
IEEE 802.1, 1367
IEEE 802.11a, channels, 1866
IEEE 802.11b, channels, 1867
IEEE 802.11g, channels, 1868
IEEE 802.1Q, 1235, 1239
IEEE 802.1q, 957, 2156
IEEE 802.3ad, 957, 2156
IKE negotiation
parameters, 938
IM, 538
load balancing, 1643
im usage widget, 100
im users, 133
IMAPS
antivirus, 543
antivirus quarantine, 544
data leak prevention, 544
DLP archive, 545
email filtering, 544
predefined firewall services, 543
protocol recognition, 543
importing images, 157
inactivity timeout
SIP session, 1922
Inbound NAT, encryption policy, 952
incremental
synchronization, 1612
indentation, 392
independent VDOM configuration, 1391
index, 1601
index number, 393
Information Elements (IE), 1849
informational
SIP response message, 1905
infrastructure requirements, 976, 1044
overall, 976, 1044
Initial Disc Timeout, 364
insert policy before
firewall policy, 2005
inspection
flow, 175
proxy, 176
security layers, 176
SSL, 541
stateful, 175
inspection without address translation
SIP, 1901, 1919
installation
note re installation on Vista, 978
Instant Messaging (IM), 1393
instant messaging, about, 167
interface
802.1Q trunk, 1242, 1252
accelerated NP2, 1424
dedicated monitoring, 1559
external, VLAN NAT/Route example, 1247
failover, 1621
HA heartbeat, 1599
HA reserved management interface, 124
heartbeat, 1599
load balance virtual server, 2112
loopback, 1217
maximum number, 1236, 1267, 1368
monitor, 1621
physical, 1386, 1390
point-to-point, 1388
proxy ARP, 2112
reserved management interface, 1559
VDOM link, 1388
virtual interface, 1386
VLAN subinterface, 1242, 1246, 1248, 1252
vpn ipsec phase1-interface, 852
wireless, 1870
WLAN, 1870
interface index
hash map order, 1601
interface mode, 2163, 2169
interface mode IPSec, 2167
interface monitoring, 1455
aggregate interfaces, 1496
definition, 1457
redundant interfaces, 1508
interface, configuring, 362
interfaces
accelerated NP2, 1087
aggregate, 188
AMC card, 186
physical, 185
virtual domains, 189
virtual LANs, 191
wireless, 188
zones, 192
interference, 420
International characters, 401
International Mobile Equipment Identity (IMEI), 1851
International Mobile Subscriber Identity (IMSI), 1849
Internet access authentication, 723
Internet Assigned Numbers Authority (IANA), 1080
Internet Control Message Protocol (ICMP), 1089, 1219, 1275
Internet Engineering Task Force (IETF), 1269, 1290
internet gateway protocol (IGP), 1353
Internet-browsing
configuring FortiClient, 858
Internet-browsing firewall policy
VPN server, 856
Internet-browsing IPsec configuration
FortiClient dialup-client configuration, 857
gateway-to-gateway configuration, 856
infrastructure requirements, 856
overview, 855
interval
changing the heartbeat interval, 1604
log message, 1763
interval, comfort clients
protection profile, 1785, 1786
inter-VDOM
benefits, 1385
firewall policy, 1394
independent configuration, 1391
management configuration, 1386
management VDOM, 1392
meshed configuration, 1386, 1393
physical interface, 1385
stand alone configuration, 1386, 1391
virtual interface, 1386
introduction
deployment topology, 976
Fortinet documentation, 85
general configuration steps, 979
intrusion detected
HA statistics, 1579
intrusion detection system, see IDS
Intrusion Prevention, 2165
Intrusion Prevention System (IPS), 957, 2156, 2165
intrusion prevention system, see IPS
intrusion protection
explicit web proxy, 2086
intrusion protection system, see IPS
intrusion protection, about, 169
IP, 1644
load balance virtual server, 2112
load balancing, 2132
IP address
delete from communication session, 1769
peer, 1988
private network, 79
WAN optimization, 1997
IP address conservation
NAT, 1947
IP address header
delete, 1769
IP address range
setting for L2TP VPN, 727
setting for PPTP VPN, 726
setting for SSL VPN, 723
IP address range, tunnel mode, 981
IP address, overlapping, 1243
IP addresses
blocking, 227
multicasting, 235
IP Based authentication, 1335
IP filter
carrier end point, 1777, 1778
IP filter list, 1757
IP header
differentiated services, 1712
ToS, 1710
IP land, 2165
IP monitoring
remote, 1626
IP pool, 202
address matching, 204
dynamic NAT, 203
policies and fixed ports, 203
proxy ARP, 2112
SIP, 1946
IP port
HA schedule, 1644
IP port 47, 1313
IP range, 194
IP range/subnet
firewall address, 1008, 1299
IP, protocol 89, 1175
IPS
adding custom signatures, 597
buffer size, 608
concepts, 593
custom signature keywords, 598
custom signature syntax, 597
engine algorithm, 607
engine count, 607
explicit web proxy, 2086
fail-open, 608
filter, 595
in an HA cluster, 606
overview, 537
packet logging, 609
protocol decoders, 608
scanning, 595
sensor, 595
session count accuracy, 608
signature override, 596
IPS, GTP-U, 1856
IPS, one-armed, 1386
IPSec, 958, 2149, 2150, 2157, 2161, 2162, 2163, 2167, 2168, 2169
interface mode, 2167
tunnel, 2160
tunnel mode, 2167
IPsec, 216, 958, 1707
SAs, 1620
security associations, 1620
tunnel, 957
IPSec Interface Mode, 960, 2163, 2164, 2167, 2169, 2170
IPsec Interface Mode, 959, 960, 961
IPSec VPN
configuring authentication for, 724
dialup users, access to, 715
dialup users, configuring authentication for, 724
IPsec VPN
authentication methods, 933
authentication options, 933
backup, 879
certificates, 934
comparison to SSL, 974
extended authentication (XAuth), 942
firewall IP addresses, defining, 951
firewall IPsec policy, 952
keeping tunnel open, 947
load balancing, 1643
logging events, 965
monitoring IKE sessions, 965
monitoring, dialup connection, 963
monitoring, static or DDNS connection, 963
peer identification, 937
phase 1 parameters, 929
phase 2 parameters, 945
role of encryption policy, 953
route-based firewall policy, 955
testing, 965
troubleshooting, 967
IPsec VPN SA
synchronization, 1597
IPv4, 957, 2156
IPv6, 205
dual stack, 1282
dynamic routing, 1278
firewall policies, 1278
interfaces, 1276
Neighbor Discovery (ND), 1274
SIP, 1960
static routing, 1277
troubleshooting, 1285
tunnel provider example, 1282
tunneling, 1282
IPv6 IPsec configurations
certificates, 889, 1280
configuration, 890, 1281
firewall policies, 890, 1281
IPv4-over-IPv6 example, 894
IPv6-over-IPv4 example, 897
IPv6-over-IPv6 example, 891
overview, 889
phase 1, 890, 1281
phase 2, 890, 1281
routing, 890, 1281
IPX, layer-2 forwarding, 1263, 1267
ISAKMP, 2160
is-is commands, CLI, 104
ISO 8859-1, 402
ITU-T E.164, 1850

J
join time
of access point, 1890
jumbo frames, 2151

K
K-12, 446
Keepalive Frequency, Phase 1, 940, 941
key, 390
key size
certificate, 542
keyboard
for RDP connection, 1026
Keylife
IPsec interface mode, 949
Keylife, Phase 1, 939, 940
Keylife, Phase 2, 946
keyword, 1449
keywords
IPS custom signatures, 598
Knowledge Center, 86

L
l2ep-eth-type
CLI command, 1603, 1660
L2TP, 1263, 1267, 1632
L2TP and IPSec support, 141
L2TP VPN
authentication method, 1303
configuration steps, 1303
configuring authentication for, 727
enabling, 1303
firewall IP addresses, defining, 1304
firewall policy, defining, 1304
infrastructure requirements, 1303
network configuration, 1302
restrictions, 1302
VIP address range, 1303
L2TP-over-IPsec, 901
LACP, 1496
active-passive HA mode, 1497
lacp-ha-slave
CLI keyword, 1497, 1660
LAG, 1496
language
for RDP connection, 1026
Layer 2, 957, 2156
Layer 3, 957, 2156
Layer 4, 957, 2156
layer-2, 1236, 1237, 1239, 1241
example, 1237
forwarding, 1263
frames, 1236
layer-2 loops, 1367
layer-2 switch
troubleshooting, 1657
layer-3, 1239
packets, 1236
layer-3 switch
failover issues, 1658
LDAP, 1564, 1565
FortiGate configuration, 748
XAuth authentication with, 725
LDAP access
collector agent, 739
LDAP server, external
for L2TP, 1303
for PPTP, 1295
for XAuth, 942
LDAP servers, 703
authenticating users with, 712
binding, 703
common name, 704
configuring FortiGate unit to use, 705
directory, 703
Distinguished Name Query list, 706
distinguished names, 704
domain component, 704
hierarchy, 704
protocols, 704
RFC compliance, 704
LDAP/RADIUS password renewal, 133
least round trip time
load balancing, 2113
least RTT
load balancing, 2113
least session
load balancing, 2113
Least-Connection
HA schedule, 1644
license, 1319
license key, 1337
life of a packet, 175
limited bandwidth, 1697
limiting
number of SIP dialogs, 1968
limiting concurrent explicit proxy users, 117
line endings, 404
link
failure, 1596
multiple link failures, 1625
link aggregation, 957, 2156
Link Aggregation Control Protocol, 1496
link failover, 1595, 1621
active-active, 1643
active-passive, 1441
aggregate interfaces, 1496
definition, 1457
not detected by high-end switches, 1625
redundant interfaces, 1508
link failure
remote, 1626
link-failed-signal, 1625
CLI, 1625
link-state advertisement (LSA), 1073
load balance
explicit web proxy, 1643
first alive, 2113
health check monitoring, 2115
health monitoring, 2115
HTTP multiplexing, 1643
HTTPS, 1643
IM, 1643
IPsec VPN, 1643
least RTT, 2113
least session, 2113
P2P, 1643
round robin, 2113
schedule, 1647
SSL offloading, 1643
SSL VPN, 1643
static, 2113
virtual server IP, 2112
VoIP, 1643
WAN optimization, 1643
WCCP, 1643
weighted, 2113
load balancing, 1433, 2004, 2111, 2157
active-active, 1441, 1643
basic example, 2118
definition, 1457
IP, 2132
load-balance-all, 1643
monitoring, 2116
real servers, 2114
SSL, 2124
SSL offloading, 2124
TCP, 2132
traffic not load balanced by active-active HA, 1643
UDP, 2132
load-balance-all, 1646
enabling, 1643
recommended practice, 1454
Local certificates
generating request, 758
installing signed, 761
local console access, 387
local disk, amc disks, 459
Local Gateway IP, 957, 959, 960, 961, 2160, 2162, 2163, 2164, 2167, 2168, 2169, 2170
local host, 2156, 2160, 2161
local host ID
peer, 1997
Local ID
for certificates, 935
for peer IDs, 936
to identify FortiGate dialup clients, 843
Local SPI, Manual Key, 888
local users
configuring, 712
creating, 712
deleting from FortiGate configuration, 713
removing from FortiGate configuration, 713
locale
for RDP connection, 1026
Location Area Identity (LAI), 1749
location server
SIP, 1900
log backup solutions
FortiAnalyzer unit, 461
hard disks and amc disks, 461
netiq webtrends server, 462
syslog server, 462
log devices
FortiAnalyzer unit, 460
FortiGuard Analysis server, 460
local disk, amc disks, 459
netiq webtrends server, 460
sql database, 459
syslog server, 460
system memory, 459
log message
grouping, 1763
HA, 1566
interval, 1763
log messages, 280
antispam, 511
antivirus, 505
application control, 515
attack, 509
dlp, 513
dlp archive, 503
event, 502
example log message scenarios, 1567
HA, 1567
network vulnerability scan, 517
primary unit removed from cluster, 1568
traffic, 499
webfilter, 507
log types and subtypes, 475
log viewing enhancements, 155
logging, 1347, 1566
blocked files, 1789
carrier end point, 1761
dynamic profile, 1762
enabling SSL VPN events, 1016
example log message scenarios, 1567
HA log messages, 1567
oversized files/emails, 1789
setting event-logging parameters, 1015
viewing SSL VPN logs, 1017
viruses, 1789
logging features, 458
logging in
to FortiGate secure HTTP gateway, 1019
logging in, security messages, 757
logging rate-limited GTP packets, 1840
logging VPN events, 965
logs
managing for individual cluster units, 1566
loopback interface, 1217
loose source record route, 2165
lost heartbeat threshold
changing, 1603

M
M3UA, 276
MAC
MAC forwarding table, 1625, 1658
MAC address, 1265
aggregate interfaces, 1496
redundant interfaces, 1508
virtual, 1605
MAC address filtering, 424
MAC forwarding tables, 1625, 1658
MAC table, 1368
Main Interface IP, 2167
maintenance menu enhancements, 122
malformed-request-line, 1963
manage cluster units
HA, 1590
management configuration, 1392
Management Information Base (MIB), 428
management interface
HA reserved, 124
reserved, 1559
management IP, 367
management services, 1338
management VDOM, 1320, 1324, 1338, 1341, 1342, 1386, 1757
manual key IPsec configuration
configuration steps, 887
overview, 887
Martian addresses, 1068, 1217
master unit, 2157
See Also primary unit, 1433
matched content
HTTP health check monitor, 2115
matching
firewall policy, 2006
max-body-length, 1965
max-dialogs, 1968
maximum age
spanning tree parameter, 1658
maximum bandwidth, 1700, 1706, 2005
firewall policy, 2005
traffic shaping, 2005
maximum connections
real server, 2114
maximum file size
antivirus, 567
maximum frame size, 2151
Maximum Transmission Unit (MTU), 1270, 1277
MD5, 958, 2160
MD5 hash, log transfers, 117
memory, 1268, 1337
memory constraints, 1800
memory usage
HA statistics, 1579
meshed configuration, 1386, 1393
meshed VPN, 793
message
SIP, 1903
message fingerprint, 1818
message flood, 1821
Message Integrity Code (MIC), 423
message length
SIP, 1965
message request-line
SIP, 1907
message start line
SIP, 1907
message status-line
SIP, 1907
Message Transfer Part 3, 276
MGCP, 1312
session helper, 1312
MIB, 434, 1573
FortiGate, 430
HA, 1573
RFC 1213, 430
RFC 2665, 430
Microsoft Point-to-Point Encryption (MPPE), 1294
Microsoft Windows, 1266
Microsoft Windows VPN, 901
missing header: use session IP address
dynamic profile, 1768
HTTP header options, 1768
missing MED, 1139
MM1 message blocking MMS filtering, 1775
MM3 message
blocking using carrier end point MMS filtering, 1775
MM4 message
blocking using carrier end point MMS filtering, 1775
MM7 message
blocking using carrier end point MMS filtering, 1775
MMS
carrier end point MMS filtering, 1775
MMS Address Translation, 1737, 1780
MMS DLP archive, 1810
MMS file filtering, 1789
MMS filter list
adding to an MMS protection profile, 1775
mms filtering enhancements, 150
MMS flood prevention, 1803
MMS notifications, 1737
MMS protection profile, 1744
adding to a firewall policy, 1745
archive content meta-information, 1801
content archive, 1800
MMS virus scanning, 1783
Mobile Country Code (MCC), 1849
Mobile Network Code (MNC), 1849
Mobile Station Identification Number (MSIN), 1849
Mobile Subscriber Integrated Services Digital Network (MSISDN), 1850
Mobile Subscriber Integrated Services Digital Network Number (MSISDN), 1784
mode
real server, 2114
Mode, Phase 1, 932, 933
modes of operation
overview, 976
tunnel mode, 977
web-only mode, 977
modifying settings, 98
monitor
application control, 672
HA statistics, 1578
interface, 1621
load balancing, 2116
port, 1621
monitored interface
definition, 1457
primary unit selection, 1444
monitoring
rogue APs, 1892
WAN optimization, 1992
wireless clients, 1891
monitoring application control traffic, 138
more, 404
moving a firewall policy, 2007
m-retrieve-conf, 1828
MS RPC, 1311
MS-CHAP, 708
m-send-conf, 1828
m-send-req, 1828
MSISDN number, 1806
MSISDN, 1823
MSISDN. See also carrier end point, 1756, 1775
MTP3, 276
MTP3 User Adaptation Layer, 276
MTU (Maximum Transmission Unit), 958, 2151, 2156
multicast. See routing, multicast
multicast-enable command, 238
multicasting
debugging example, 246
enabling, 238
firewall policies, 238
IP addresses, 235
RIPv2, 236
Multi-Exit Discriminator (MED), 1139
multi-line command, 399
Multimedia Message Service Center (MMSC), 1734
Multipath routing, 1068, 1217
multiple pages, 404

N
naming rules, 1340
NAT, 441, 1389, 2004
keepalive frequency, 941
SDP, 1949
SIP ALG IP address conservation, 1948
SIP ALG NAT tracing, 1948
SIP contact headers, 1948
SIP session helper NAT tracing, 1948
symmetric, 199
traversal, 941, 968
with IP address conservation, 1947
NAT device
authentication, 2086
NAT IP End point, 1771
NAT mode
about, 171
NAT port translation (NAT-PT), 1313
NAT/Route
VLAN example, 1246, 1248
NAT/Route mode, 1989
general configuration steps, 1462, 1498, 1509, 1528
HA network topology, 1462
web-based manager configuration steps, 1463, 1467, 1474, 1479, 1485, 1488
nat-trace, 1948
Nat-traversal, Phase 1, 940, 941
navigating, web-based manager, 97
negotiating
IPsec phase 1 parameters, 939
IPsec phase 2 parameters, 946
NetBIOS, for Windows networks, 1266
netiq webtrends server, 460
network
topology, 2161, 2167
train, 1606
Network Address Translation (NAT), 1270
network address translation (NAT), 197
network configuration, 976, 1044
recommended, 976
network equipment
failover time, 1659
network ID, 424
Network Identifier, 1850
network instability, 1264
network processing unit (NPU), 958, 2157, 2161
network processor accelerated interfaces
accelerate active-active HA, 1646
network processors
FA2 (NP1), 2151
FortiAccel (NP1), 2151
NP1, 2151
NP2, 2151
NP4, 2151
network topologies, 1885
network topology
dynamic DNS, 821
FortiClient dialup-client, 827
FortiGate dialup-client, 843
fully meshed network, 793
gateway-to-gateway, 793
hub-and-spoke, 807
Internet-browsing, 855
L2TP VPN, 1302
manual key, 887
NAT/Route mode HA, 1462
partially meshed network, 793
PPTP VPN, 1295
redundant-tunnel, 859
supported IPsec VPNs, 790
transparent mode VPN, 881
network utilization
HA statistics, 1579
next, 395
nic
get hardware nic, 1464, 1469, 1475, 1480, 1487, 1490, 1499, 1503, 1510, 1514, 1530, 1534, 1549, 1553, 1609
non-dynamic profile sessions, 1758
none
HA schedule, 1644
non-HTTP sessions
HTTP rule, 2010
no-sdp-fixup, 1949
notification, alerts, 1793, 1812
not-so-stubby area (NSSA), 1064, 1212
Novell eDirectory - see Directory Service
NP1, 1646, 2151, 2156, 2160
NP1 processor, 2151
NP2, 1646, 2151
NP2 interface, 1424, 1707
NP2 interfaces, 1087, 1349, 1859
NP2 processor, 2151
NP4, 1646
NP4 processor, 2151
NTLM implementation, 732
NTLM mode, 731
NT-style domain mode implementation, 730
null modem, 387, 389

O
object, 392
object identifier (OID), 434
OID, 1573, 1574, 1575
ONC-RPC, 1311, 1313
one-armed IDS, 538
one-armed IPS, 1386
one-armed sniffer policy, 223
open shortest path first (OSPF). See routing, OSPF
Open Systems Interconnect (OSI), 1237
opera mini browser support, 149
operating a cluster, 1557
operating mode
active-passive, 1440
operating temperature, 413
operation mode
active-active, 1441
option, 392
order of operations for shapers, 1709
OS
host patch check, 1004
OS patch check
example, 1057
OSPF
graceful restart, 1618
OSI Networking Model, 1219
OSPF
protecting with IPsec, 921
with redundant IPsec tunnels, 927
ospf
adjacent routers, 1175, 1180
area, 1175
area border router (ABR), 1175
Dijkstra’s algorithm, 1177
e1, 1064, 1212
e2, 1064, 1212
Hello packets, 1175
Hello protocol, 1176
IP datagrams, 1175
link-state, 1175
neighbor, 1176
NSSA, 1064, 1212
path cost, 1177
state of neighbor, 1180
ospf AS, 1172
OSPF, IPv6, 1278
OSPFv3, 1278
out of band management, 1559
out of path
topology, 1982
Outbound NAT, encryption policy, 952
overlap
resolving IP address, 844
resolving through FortiGate DHCP relay, 844
override, 1449
and primary unit selection, 1449
configuration changes lost, 1452
disconnecting a unit from a cluster, 1453
IPS signature, 596
primary unit selection, 1447, 1451
overrides
cookie, 1771
explicit web proxy, 2087
oversize threshold, 1786

P
P1 Proposal, Phase 1, 938, 940
P2 Proposal, 2167
Phase 2 IPsec interface mode, 948
P2 Proposal, Phase 2, 946
P2P, 538
load balancing, 1643
p2p usage widget, 100
P2P, about, 167
PAC
explicit web proxy, 2079
packet
flow, 177
forwarding rate, 2150, 2161, 2167
gratuitous ARP, 1606
ICMP, 227
life of, 175
processing flow, 2149
sniffer, 286
packet data protocol (PDP), 1749
packet flow, 2149
packet logging
application control, 673
IPS, 609
settings, 545
viewing and saving logged packets, 545
packet rates, 1700
packet sniffer, 1086, 1423, 1860
verbosity level, 1087, 1423, 1860
packets
layer-3 routing, 1239
VLAN-tagged, 1243
PADT timeout, 364
paging, 404
PAP, 708, 1294
parity, 388
partially meshed VPN, 793
password
authentication group, 2000
HA configuration option, 1442
validate RADIUS secret, 1761
password, changing, 371
PAT
virtual IPs, 197
patch check
host OS, 1004
pattern, 393, 570
allow, 570
block, 570
carrier end point, 1775, 1777
creating, 571
default list of file block patterns, 1790
peer, 1580
accept any peer, 1997
host ID, 1988, 1997
IP address, 1988
local host ID, 1997
WAN optimization, 1997
peer authentication, 1998
WAN optimization, 1997
peer host ID
WAN optimization, 1997
peer ID
assigning to FortiGate unit, 936
enabling, 937
Local ID setting, 936
peer IP address
WAN optimization, 1997
peer user groups
configuring, 717
creating, 717
peer users, 711, 713
configuring, 713
creating, 713
peer-to-peer
WAN optimization rules, 2003
peer-to-peer, about, 167
per policy shaper, 1706
perfect forward secrecy, enabling, 946
periodic
synchronization, 1613
per-IP, 1707
NP2 interface, 1707
per-ip bandwidth usage widget, 100
Perl regular expression
carrier end point pattern, 1775
Perl regular expressions
email filter, 1798
Perl regular expressions, using, 405
permissions, 396
persistence, 2113
HTTP cookie, 271, 2123
HTTP/HTTPS, 2123
pharming, about, 167
Phase 1, 959, 960, 961, 2160, 2162, 2163, 2164, 2167, 2168, 2169, 2170
phase 1 parameters
authenticating with certificates, 931
authenticating with preshared keys, 932
authentication method, 933
authentication options, 933
defining, 929
defining the tunnel ends, 930
IKE proposals, 939
main or aggressive mode, 930
negotiating, 939
overview, 929
peer identifiers, 936
user accounts, 937
Phase 2, 959, 960, 961, 2161, 2162, 2163, 2164, 2167, 2168, 2169, 2170
phase 2 parameters
autokey keep alive, 947
auto-negotiate, 946
configuring, 948
defining, 945
DHCP-IPsec, 947
keylife, 946
negotiating, 946
perfect forward secrecy (PFS), 946
quick mode selectors, 947
replay detection, 946
Phase I, 957, 2160
Phase II, 958, 2160
phishing, about, 167
physical interface, 1385, 1386, 1390
PING, 1245
ping
health check monitor, 2119
ping host from remote client, 1023
pinhole
more secure, 1954
RTP, 1898, 1902
SIP, 1898, 1902
smaller, 1954
strict-register, 1954
PKI authentication - see peer users
planning VPN configuration, 790
pmap
session helper, 1313
PMK caching, 1873
Point-to-Point (PPP), 1293
point-to-point interface, 1388
Point-to-Point Tunneling Protocol (PPTP), 1293
policies, 216, 217
basic accept, 219
basic deny, 220
basic VPN, 220
checking, 279
column settings, 218
denial of service, 217, 221, 222
ICMP packets, 227
identity-based, 224
log messages, 280
multicast, 238
NAT to transparent mode, 265
one-armed sniffer, 223
order, 216
sniffer, 222
verify traffic, 279
policy, 957, 2156
accept action, 1993
changing the position in the policy list, 2007
comments, 1011, 1012
deleting, 2007
firewall, 1988
insert policy before, 2005
matching, 2006
maximum bandwidth, 2005
move, 2007
traffic priority, 2005
policy 0, 218
policy route
moving in list, 1231
policy server, VPN
configuring FortiGate unit as, 834
policy-based VPN
vs route-based, 790
POP3S
antivirus, 543
antivirus quarantine, 544
data leak prevention, 544
DLP archive, 545
email filtering, 544
predefined firewall services, 543
protocol recognition, 543
port
RADIUS server, 1761
RADIUS servers, 702
session helper, 1308
virtual server, 2112
port 179, 1141
port 21123, 1839
port 2152, 1856
port 25, 450
port address translation
virtual IPs, 197
port forwarding, 197
port monitor, 1621
virtual clustering, 1525
port monitoring, 1455
aggregate interfaces, 1496
redundant interfaces, 1508
port number
changing the port numbers that the SIP ALG listens on, 1920
changing the port numbers that the SIP session helper listens on, 1913
for web-portal connections, 985
ports
closing to traffic, 208
default system, 206
originating traffic, 206
receiving traffic, 207
services, 209
TCP 113, 208
TCP 541, 208
position
identity-based policy, 226
power
security consideration, 1869
WLAN power level, 1868
power off, 415
PPP, 1453
PPPoE, 1453
PPTP, 1263, 1267, 1313, 1632
VPN, 1293
pptp
session helper, 1313
PPTP server
external, 1299
PPTP VPN
authentication, 726
authentication method, 1296
configuration steps, 1296
configuring authentication for, 726
configuring pass through, 1296, 1299
enabling, 1297
firewall policy, defining, 1298
FortiGate implementation, 1293
infrastructure requirements, 1295
IP address range, 726
network configuration, 1295
VIP address range, 1297
PPTP, layer-2 forwarding, 1263
PRACK
SIP message, 1906
pre-authentication, 1873
predefined firewall services
IMAPS, POP3S, SMTPS, 543
preserve-override, 1948
pre-shared key
authenticating FortiGate unit with, 932
authentication group, 2000
Pre-shared Key, Phase 1, 933
primary cluster unit
definition, 1457
primary unit, 1433, 2157
connected monitored interfaces, 1444
definition, 1457
getting information using SNMP, 1573
override keyword, 1449
recovery after a failover, 1597
selection, 1443
SNMP get, 1573
primary unit selection
age, 1444, 1445
basic, 1444
device priority, 1444, 1447, 1448
FortiGate unit serial number, 1449
interface monitoring, 1444
monitored interfaces, 1444
override, 1447, 1449, 1451
serial number, 1449
priority
cluster members, 1577
heartbeat interface, 1599
priority traffic, 1706
product registration, 85
profile
dynamic, 1755
key, RADIUS, 1762
VoIP, 1919
profile group
assigning dynamically, 1733
dynamic profile, 1733
Profile Query types, 1767
profiles
endpoint, 1676
profiles, UTM, 212
profiles, voip, 130
proposal
vpn ipsec phase1, 852
protection profile
amount, comfort clients, 1786
dashboard, content meta-information, 1801
dynamic profile default, 1756
interval, comfort clients, 1785, 1786
logging, blocked files, 1789
logging, oversized files/emails, 1789
logging, viruses, 1789
RADIUS profile attribute, 1761
protection profiles, 129
protocol
ospf Hello, 1176
session helper, 1308
settings, dynamic profile, 1760
protocol decoders, 608
protocol optimization, 1981
protocol options
explicit web proxy, 2086
protocol recognition
HTTPS, IMAPS, POP3S, SMTPS, 543
protocols
authentication, 720
LDAP servers, 704
provisional
SIP response message, 1905
provisional response acknowledgement
SIP message, 1906
provisional-invite-expiry-time, 1924
proxy
antivirus, 2086
DLP, 2086
explicit web, 1632
explicit web proxy authentication, 2086
FortiGuard web filtering, 2086
protocol options, 2086
web filtering, 2086
proxy ARP, 2112
FortiGate interface, 2112
IP pool, 2112
virtual IP, 2112
proxy auto-config
explicit web proxy, 2079
proxy inspection, 176
proxy server
SIP, 1899
PSTN, 275
public land mobile network (PLMN), 1749
Public Switched Telephone Network
See PSTN, 275
purge, shell command, 395

Q
QoS, 2156, 2158
quality of service, 1695
quality of service (QoS), 1269
quarantine, 569, 1819
file, 1575
quarantine files, 487
quarantine files list
apply, 488
date, 488
DC, 488
download, 488
file name, 488
filter, 488
service, 488
sorting, 488
status, 488
status description, 488
TTL, 488
upload status, 488
Query list
LDAP Distinguished Name, 706
queuing, 1696
Quick Mode Selector
IPsec interface mode, 949
Quick mode selectors, Phase 2, 947
quota
explicit web proxy, 2087
FortiGuard Web Filter, 644
quotas, FortiGuard web filtering, 135
R
RADIUS, 1564, 1565
accounting system, 1756
assigning client IPs with, 830
dynamic profile, 1733
dynamic profile options, 1761
framed-ip-addr field, 1761
profile attribute, 1761
profile key, 1762
secret, 1761
send responses, 1761
server port, 1761
Start record, 1733
Stop record, 1757
validate secret, 1761
XAuth authentication with, 725
RADIUS attributes, 701
RADIUS authentication servers, 701
RADIUS server port, 1761
RADIUS server, external
for L2TP, 1303
for PPTP, 1295
for XAuth, 942
RADIUS servers
attribute dictionary, 702
authenticating users with, 712
changing default port, 702
configuring FortiGate unit to use, 702
default port, 702
port, 702
VSA, 702
RADIUS Start record, 1756, 1775
RADIUS Stop record, 1757
random
HA schedule, 1644
RAS, 1312
ras
session helper, 1312
rate limit
number of SIP dialogs, 1968
rate limiting
SCCP, 1967
SIMPLE, 1967
SIP, 1967
rate limits, 2156
RDP
setting locale, 1026
setting screen resolution, 1027
RDP session, establishing, 1026
real server
health check monitoring, 2115
health monitoring, 2115
load balancing, 2114
maximum connections, 2114
mode, 2114
weight, 2114
Real Time Control Protocol, 1924
Real Time Protocol, 1935
rearrange, 217
recommended practice, 1455
record route option, 2165
Redirect message, 1275
redirect server
SIP, 1899
redistributed routes
ospf e1/e2, 1064, 1212
redundant interface
recommended practice, 1454
active-active mode, 1508
active-passive mode, 1508
HA, 1433, 1545
HA MAC addresses, 1508
port monitoring, 1508
redundant VPNs
configuration, 860
example, fully redundant configuration, 862
example, partially-redundant configuration, 873
overview, 859
refresh every
HA statistics, 1578
registering
with Fortinet Technical Support, 85
registrar
SIP, 1900
Registration, Admission, and Status (RAS), 1312
regular expression, 393
relay
DHCP, 442, 1453
remote client
authenticating with certificates, 931
FortiGate dialup-client, 843
in Internet-browsing IPsec configuration, 855
L2TP VPN, 1305
Remote Gateway, Phase 1, 931, 933
remote IP monitoring, 1626
remote link failover
recommended practice, 1455
virtual clustering, 1525
remote link failure, 1626
remote peer
authenticating with certificates, 931
dynamic DNS configuration, 824
gateway-to-gateway IPsec configuration, 795
manual key IPsec configuration, 887
transparent IPsec VPN configuration, 882
remote shell, 1314
Remote SPI, Manual Key, 888
removing
local users from FortiGate configuration, 713
user group from FortiGate configuration, 718
rename, shell command, 395
replacement FortiGate unit
adding to a cluster, 1495
replacement message, to customize web portal login page, 986
replacement messages, web proxy, 121
replacing a broken cluster unit, 1495
replacing a failed cluster unit, 1495
replay detection, 958, 959, 960, 961, 2160, 2161, 2162, 2164, 2167, 2168, 2169, 2170
replay detection, enabling, 946
reports (FortiAnalyzer), 526
reports (sql database), 527
reports, vulnerability scans
creating, 1691
viewing, 1692
request
SIP, 1897
request messages, 1905
Request-line
deep SIP message checking, 1963
request-line
SIP, 1907
Require Client Certificate option, 767
reserved characters, 400
reserved management interface, 1559
HA, 124
reset age
command, 1447
reset uptime
command, 1447
reset-uptime
diagnose command, 1447
response
SIP, 1897
restore, 376
cluster configuration, 1583
restriction, concurrent username, 117
reverse path lookup, 1068, 1217
reverse proxy
web cache, 1985, 2073
reverting firmware, 378
revocation list, importing, 761
RFC
1349, 1231
1918, 79
2080, 1278
2185, 1282
2545, 1278
2640, 1270
2740, 1278
2858, 1278
2893, 1282
5237, 1230
791, 1231
IPv6 list, 1290
RFC 1519, 1072
RFC 1771, 1131
RFC 1965, 1136
RFC 1966, 1135
RFC 1997, 1139
RFC 2385, 1133
RFC 2453, 1095
RFC 3065, 1136
RFC 3509, 1177
RFC 4271, 1131
RFC 4632, 1072
SIP, 1898
RFC 1213, 428, 430
RFC 1215, 432
RFC 2474, 1711
RFC 2475, 1711
RFC 2543, 1971
RFC 2665, 428, 430
RFC 791, 1710
RFC compliance
LDAP servers, 704
RIP
hop count, 1102
RFC 1058, 1095
RFC 2453, 1095
RIP Next Generation (RIPng), 1096
version 1, 1095
version 2, 1095
RIP next generation (RIPng), 1278
RIP, IPv6, 1278
RIPv2, 236
RJ-45, 387
RJ-45-to-DB-9, 387, 389
role
cluster members, 1576
root certificate, installing, 761
round robin
load balancing, 2113
Round-Robin
HA schedule, 1644
route, 959, 960, 961, 2162, 2163, 2164, 2168, 2169, 2170
route flap, 1146
HA, 1144
route hold, 1619
route reflectors (RR), 1135
route synchronization, 1597
route-based VPN
firewall policy, 955
vs policy-based, 790
route-hold, 1619
router
WCCP, 2097
router monitor
HA, 1064, 1211
Router Solicitation message, 1275
route-ttl, 1619
route-wait, 1619
routing
administrative distance, 1069, 1218
asymmetric, 1267
BGP, 1245, 1394
blackhole, 1217
configuring, 2079
domain, 1080
ECMP, 1217
enhanced packet-matching, 1082
hop count, 1353
loopback interface, 1217
multicast, 1245, 1394
OSPF, 1245, 1394
RIP, 1245, 1394
routing table, searching, 1067, 1214
STP, 1267
viewing information, 1063, 1211
Routing Area Identifier (RAI), 1851
routing information protocol (RIP). See routing, RIP
routing policy
protocol number, 1230
routing table, 1178
removing routes, 1133
routing table updates
synchronizing, 1618
routing, default, 1245, 1361
routing, default route
VDOM example, 1361, 1363
routing, transparent VPN IPsec configuration, 884
RPF (Reverse Path Forwarding), 1086, 1423, 1860
RSA RC4, 423
rsh
session helper, 1314
RTCP, 1898, 1924
RTP, 1898, 1935, 1945
pinhole, 1898, 1902
RTSP, 1315
rtsp
session helper, 1315
rule, 2003
active-passive, 2003
non-HTTP sessions, 2010
peer-to-peer, 2003
unknown HTTP sessions, 2011
WAN optimization, 2003

S
SA
IPsec, 1620
scan buffer size
antivirus, 566
scanning order
antivirus, 560
SCCP
DoS sensor, 1967
protection profile, 1967
rate limiting, 1967
VoIP profile, 1919
schedule
automatic updates, 295
load balance, 1647
schedules
example, 228
group, 211
one time, 209
recurring, 209
scheduling a scan, 146
school administration, 446
screen resolution
for RDP connection, 1027
SDP, 1898, 1904, 1909
NAT, 1949
session profile, 1909
secret
RADIUS, 1761
Secure Shell (SSH)
key, 390
secure tunnelling, 1981
security, 1869
choosing security level, 974
MAC address filtering, 424
WEP, 423
wireless, 423
WPA, 423
security association
IPsec, 1620
security association (SA), 958, 2149, 2160, 2161
security certificate, 362
security layers, 176
security option, 2165
security processing modules, 2153
configuring, 609
displaying information, 2154
example configuration, 618
models, 2153
proxy statistics, 621
selecting the primary unit, 1443
self-signed certificate, installing, 757
sensor
IPS, 595
sensors, UTM, 212
serial communications (COM) port, 387
serial no
HA statistics, 1578
serial number
getting using SNMP, 1575
primary unit selection, 1449
Series 60, 1783
server
DHCP, 442, 1453
WCCP, 2097
server certificate
installing signed, 761
obtaining, 761
server comforting, 1786
server load balance port forwarding virtual IP
adding, 2138
server load balance virtual IP
adding, 2133
servers
configuring XAuth authentication using, 725
service
DHCP, 442
quarantine files list, 488
service group
VDOM Transparent example, 1378
Service Set Identifier (SSID), 424
services, 208
custom, 209
list, 209
Serving GPRS Support Node (SGSN), 1747
session
failover, 1596
key, 2149
session count accuracy, 608
session description protocol
See SDP, 1909
session failover, 1441, 1630
active-active, 1644
definition, 1458
enabling, 1630
failover
session, 1595
GTP and HA, 1633
SIP, 1632, 1969
session helper, 1307, 1310, 1311, 1312, 1313, 1314, 1315, 1316, 2157
changing the configuration, 1308
changing the port numbers that the SIP session helper listens on, 1913
dcerpc, 1311
disabling the SIP session helper, 1913
DNS, 1311
enabling the SIP session helper, 1913
H.245, 1312
h245O, 1312
h323, 1312
mgcp, 1312
pmap, 1313
port, 1308
pptp, 1313
protocol, 1308
ras, 1312
rsh, 1314
rtsp, 1315
sip, 1315
tftp, 1316
tns, 1316
viewing, 1307
Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions
See SIMPLE, 1919
Session Initiation Protocol. See SIP
session list, diagnose, 281
session pick-up
definition, 1458
session pickup, 1441
enable, 1630
recommended practice, 1454
session profile
SDP, 1909
session synchronization
between two standalone FortiGate units, 1661
session table, 281
session-based authenticated user, 1335
session-helper, 1307
session-pickup
CLI command, 1599, 1630
set, 396
setting
authentication protocols, 721
firewall policy authentication, 721
firewall user authentication timeout, 719
SSL VPN authentication timeout, 719, 724
setting administrative access for SSH or Telnet, 388
severity levels (logs), 477
sFlow
agent, 118
collector, 118
multiple VDOMs, 119
sFlow client, 118
SHA1, 958, 2160
shaper
all policies, 1706
application control, 1708
firewall policy, 1709
per policy, 1706
per-IP, 1707
processing order, 1709
shared, 1705
shared shaper, 1705
sharing
WAN optimization tunnels, 1990
shell command
delete, 394
edit, 394
end, 395
get, 395
purge, 395
rename, 395
show, 395
shielded twisted pair, 414
Shift-JIS, 402
Shortest Path First (SPF), 1177
show, 396
show, shell command, 395
shut down, 415
signature
adding custom IPS signatures, 597
signature override
IPS, 596
signatures, update, 371
SIMPLE
protection profile, 1967
rate limiting, 1967
VoIP profile, 1919
Simple Internet Transition (SIT), 1279
Single Sign On (SSO)
bookmarks, 1022
Single Sign-on (SSO)
adding SSO bookmark (user), 1022
overview, 978
SIP, 1315
accepting register response, 1930
adding SCTP custom service, 113
adding SCTP policy route, 113
adding SCTP port forwarding virtual IP, 114
blocking requests, 1965
changing session time to live, SCTP traffic, 114
changing the port numbers that the SIP ALG listens on, 1920
changing the port numbers that the SIP session helper listens on, 1913
contact headers and NAT, 1948
deep header inspection, 1961
deep message inspection, 1961
deep SIP message inspection, 111
destination NAT, 1945
dialog, 1897, 1903
different source and destination NAT for SIP and RTP, 1947
disabling the SIP session helper, 1913
DoS sensor, 1967
enabling the SIP session helper, 1913
fields, 1907
fuzzing protection, 1961
HA failover, 111
HA session failover, 1969
header conformance check, 110
headers, 1907
hosted NAT traversal (HNT), 114
inspection without address translation, 1901, 1919
IP address conservation, 1948
IPv6, 1960
location server, 1900
logging and statistics, 115
message request-line, 1907
message sequence, 1903
message start line, 1907
message status-line, 1907
messages per method rate limitation, 110
NAT IP address conservation, 111
NAT tracing, 1948
NAT with dynamic IP pool, 1946
NAT with IP address conservation, 1947
pinhole, 1898, 1902
protection profile, 1967
proxy server, 1899
rate limiting, 1967
redirect server, 1899
registrar, 1900
request, 1897
request-line
SIP, 1907
response, 1897
RFCs, 1898
RTP bypass option, 111
session failover, 1632
source NAT, 1945
start line
SIP, 1907
stateful SCTP firewall, 112
status-line
SIP, 1907
support multiple RTP endpoint, 111
Transparent mode, 1901, 1919
user element, 1897
VoIP profile, 1919
sip
session helper, 1315
vpn pptp, 1298
SIP ALG
changing the port numbers that the SIP ALG listens on, 1920
NAT tracing, 1948
SIP dialogs
limiting the number, 1968
SIP message
body, 1898
final, 1905
headers, 1898
informational, 1905
PRACK, 1906
provisional, 1905
SIP requests, 1965
SIP session
inactivity timeout, 1922
SIP session helper
changing the port numbers that the SIP session helper listens on, 1913
disabling, 1913
enabling, 1913
NAT tracing, 1948
sip-nat-trace, 1948
sip-tcp-port, 1920
sip-udp-port, 1920
Skinny Call Control Protocol
See SCCP, 1919
Skinny Call Control Protocol. See SCCP
skype control improvements, 136
slave unit, 1433, 2157
See Also subordinate unit, 1433
SMB/CIFS file share
connecting to, 1025
SMIL, 1788
smtp traffic, 450
SMTPS
antivirus, 543
antivirus quarantine, 544
data leak prevention, 544
DLP archive, 545
email filtering, 544
predefined firewall services, 543
protocol recognition, 543
SNAT, 957, 1389, 2156
virtual IPs, 197
sniffer
one-armed policy, 223
packet, 281
policy, 222
sniffer policies, 538
SNMP, 1347, 1573
configuring community, 429
HA reserved management interface, 124, 1560
manager, 428, 429
MIB, 434, 1573
MIBs, 430
queries, 429
RFC 12123, 430
RFC 1215, 432
RFC 2665, 430
trap, 1573
traps, 432
v3, 428
SNMP get
any cluster unit, 1574, 1575
primary unit, 1573
subordinate unit, 1574, 1575
snmpget, 1563, 1573
SOCKS
explicit web proxy, 2079
sorting
quarantine files list, 488
source
firewall policy, 1010, 1012, 1013, 1014, 1047, 1048, 1054, 1055
source IP address
example, 952
source NAT
SIP, 1945
spam, 1817
spanning tree
forward delay, 1658
maximum age, 1658
spanning tree protocol, 1659
settings and HA, 1658
Spanning Tree Protocol (STP), 1264, 1267, 1367
special characters, 400, 401
Spill-over, 1226
split brain, 1599
heartbeat, 1455
split DNS, 443, 445
split-DNS, 443, 445
spyware, about, 167
sql
tables, 489
sql database, 459
sql statement examples, 490
sql tables, 489
SQLNET
session helper, 1316
SS7, 276
SSH, 388, 389, 1245
key, 390
SSH server, connecting to, 1026
SSID
whether to broadcast, 1869
SSL
antivirus, 543
antivirus quarantine, 544
certificate, 542
content inspection, 541
content scanning, 541
data leak prevention, 544
DLP archive, 545
email filtering, 544
example, 573
FortiGuard Web Filtering, 544
HTTPS, 544
inspection, 541
load balancing, 2124
predefined firewall services, 543
protocol recognition, 543
settings, all, 543
supported FortiGate models, 541
web filtering, 544
SSL Client Certificate Restrictive option, 767
SSL inspection, client certificate handling, 121
SSL offloading, 1632, 1981
certificates.certificate
SSL offloading, 2125
Client to FortiGate, 2124, 2125
Client to FortiGate to Server, 2124, 2125
full mode, 2124, 2125
half mode, 2124, 2125
load balancing, 1643, 2124
SSL proxy exemption, web filter category, 137
SSL VPN
authentication timeout, 719, 724
configuration overview, 979
default web portal, 990
downloading client, 1034
enabling, 1056
event logging, 1015
host OS patch check, 1004
load balancing, 1643
user authentication, 723
using Linux client, 1038
using Mac OS client, 1040
using Windows client, 1036
Virtual Desktop, 1034
SSL VPN app, 141
SSL VPN user groups, 715
configuring, 715
creating, 715
IPSec VPN dialup users, 715
SSL VPN web portal, 987
default, 990
ssl-vpn, 216
standalone FortiGate unit
adding to a cluster, 1494
converting to a cluster, 1492
standalone session synchronization, 1661
filters, 1662
standby state
definition, 1458
HA, 1566
start line
SIP, 1907
state
hello, 1456
standby, 1458
work, 1459
state synchronization
definition, 1458
stateful inspection, 175, 1086, 1422, 1423, 1860
stateful SIP tracking, 1922
stateless firewall, 1263
static
load balancing, 2113
static route, 365, 959, 960, 961, 2162, 2163, 2164, 2168, 2169, 2170
adding policy, 1229
administrative distance, 1068, 1217
moving in list, 1231
policy list, 1229
table priority, 1070, 1224
table sequence, 1070, 1224
statistics
viewing HA statistics, 1578
status
HA statistics, 1578
quarantine files list, 488
vpn pptp, 1298
status description
quarantine files list, 488
status-line
SIP, 1907
storage health monitor, 108
storage widget, 101
storing
configuration history and templates, 109
STP, 1659
STP, forwarding, 1267
stream option, 2165
streaming media, about, 167
strict
VoIP profile, 1920
strict source record route, 2165
strict-register, 1954
string, 393
strong authentication, 766
for administrators, 766
for SSL VPN users, 766
sub-command, 392, 394
subinterface
VLAN NAT/Route, 1242
subnet
firewall address, 1008, 1299
subordinate cluster unit
definition, 1458
subordinate unit, 1433
definition, 1458
getting information using SNMP, 1574, 1575
getting serial numbers using SNMP, 1575
SNMP get, 1574, 1575
subscribing to DDNS service, 822
supernetting, 1137
switch
link failover, 1625
troubleshooting layer-2 switches, 1657
switch interface
heartbeat interface, 1600
switching vdoms, 98
Symbian OS version 6, 1783
synchronization
configuration, 1611
failure console messages, 1614
incremental, 1612
IPsec VPN SA, 1597
periodic, 1613
route, 1597
sessions between standalone FortiGate units, 1661
TCP sessions between standalone FortiGate units, 1661
synchronize all
CLI command, 1612
Synchronized Multimedia Integration Language (SMIL), 1826
synchronizing routing table updates, 1618
synchronizing the configuration
disabling, 1611
syntax, 391
IPS custom signatures, 597
sys ha showcsum
diagnose, 1616
syslog, 1840
syslog server, 460
system
session-helper, 1307
system memory, 459
system reboot, installing, 381
system requirements
Windows, 733

T
table, 392
arp, 1625, 1658
MAC forwarding table, 1625, 1658
TACACS+, 1564
TACACS+ servers, 707
ASCII, 708
authenticating users with, 712
authentication protocols, 708
changing default port, 707
CHAP, 708
configuring the FortiGate unit to use, 708
default port, 707
MS-CHAP, 708
PAP, 708
port, 707
TCP
load balancing, 2132
port 111, 1308
port 135, 1311
port 1720, 1308
port 1723, 1308, 1313
port 21, 1311
port 512, 1308
port 514, 1308
TCP land, 2165
TCP port, 1760
WAN optimization tunnels, 1989
TCP ports
for collector agent, 742
TCP session synchronization
between two standalone FortiGate units, 1661
filters, 1662
TCP sessions
load-balance-all, 1643
TCP WinNuke, 2165, 2166
technical
documentation, 85
documentation conventions, 79
notes, 86
support, 86
technical support, 86, 1337
TELNET, 1245
Telnet, 388, 390
telnet server, connecting to, 1023
test vs
get, 2116
testing
VDOM, 1364
VDOM Transparent, 1262
VLAN, 1253
testing configuration, 755
testing FortiAnalyzer configuration, 466
testing VPN connections, 965
TFTP, 1316, 2151
tftp
session helper, 1316
TFTP server, 382
third-party products, 1657
threshold
oversize, 1786
time and date, 370
time to live for routes, 1619
time zone, 370
timeout
dynamic profile, 1762
user context creation, 1756, 1762
user context entry, 1762
timer
provisional invite, 1924
timestamp option, 2165
timing
modifying heartbeat timing, 1603
TKIP, 423
TNS, 1316
tns
session helper, 1316
top ten features, 87
topology, 2161, 2167
out of path, 1982
ToS, 1710
byte value, 1698
mapping, 1716
total bytes
HA statistics, 1579
total packets
HA statistics, 1579
trace
SIP ALG NAT tracing, 1948
SIP session helper NAT tracing, 1948
traceroute, 1364
tracert, 1253, 1364
traffic
policing, 1696
priority, 1706
reverse shaping, 1710
shaping, 1696
traffic count, 279
traffic offloading, 2156
Traffic Priority, 2005
traffic priority
firewall policy, 2005
traffic shaping, 2005
traffic shaping, 2004, 2156, 2158
about, 170
maximum bandwidth, 2005
traffic priority, 2005
traffic shaping offloading, 2157
traffic shaping settings, application control list, 139
traffic statistics, 2150
traffic trace, 281
train the network, 1606
Training Services, 85
Transparent
advanced example, 1370
firewall address, 1374, 1378
firewall policy, 1255, 1259, 1370
firewall schedule, 1374
VDOM example, 1258, 1261, 1262, 1372, 1381
VLAN example, 1256
Transparent mode, 1234, 1253, 1989
configuring an active-active HA cluster, 1473
general configuration steps, 1474
SIP, 1901, 1919
switching to, 367
VLAN subinterface, 1254, 1370
transparent mode
about, 173
adding NAT policies, 265
feature differences, 174
switching to, 173
WAN optimization, 2004, 2009
transparent mode VPN configuration
configuration steps, 885
infrastructure requirements, 884
overview, 881
prerequisites to configuration, 884
transport mode
setting, 915
trap
SNMP, 1573
traps
SNMP, 432
troubleshoot
cluster configuration, 1466, 1472, 1478, 1484, 1488, 1492, 1500, 1505, 1511, 1516, 1519, 1520, 1551, 1555
troubleshooting, 1085
BFD, 1147
bgp, 1144
communication sessions lost after a failover, 1619
dampening, 1146
debug packet flow, 1087, 1424
diagnose commands, 1092
firewall session list, 1088, 1222
flow trace, 283
graceful restart, 1146
holddown timer, 1145
layer-2 loops, 1367
layer-2 switch, 1657
log messages, 280
packet sniffer, 286
packet sniffing, 1086, 1422, 1859
ping, 1089
policies, 279
route flap, 1144
routing table, 1085, 1222
session table, 281
traceroute, 1089
verify traffic, 279
troubleshooting sql statements, 492
troubleshooting VPNs, 967
trunk interface, 1242, 1252
trunk links, 1237
TTL
quarantine files list, 488
TTL reduction, 957, 2156
tunnel
sharing WAN optimization tunnels, 1990
TCP port, 1989
WAN optimization, 1989
Tunnel Endpoint Identifier (TEID), 1840
tunnel mode, 977, 2162, 2168
configuring FortiGate server, 1011
IP address range, 981
SSL VPN IP range, 723
web portal features, 1030
tunnel mode client
installing in Linux, 1035
installing in Mac OS, 1035
installing in Windows, 1035
using in Linux, 1038
using in Mac OS, 1040
using in Windows, 1036
tunnel mode IPSec, 2167
tunnel provider, IPv6, 1282
tunnel request, 1998
tunneling, IPv6, 1282
tunnel-non-http, 2010
two-factor authentication, 695, 714
type of service, 1710
Type of service (TOS), 1230
types of user groups, 715
types of users, 711

U
UA, 1897
UAC, 1897
UAS, 1897
UDP
GTP session failover, 1633
load balancing, 2132
port 111, 1308
port 135, 1311
port 1719, 1312
port 2427, 1312
port 2727, 1312
UDP land, 2165
UE
See UA, 1897
UMTS Terrestrial Radio Access Network (UTRAN), 1850
unicast reverse path forwarding (uRPF), 1210
Unicode, 401
unidirection, 2158
Unified Threat Management (UTM), 1268
Unified Threat Management, see UTM
Universal Mobile Telecommunications System (UMTS), 1747, 1845
universal unique identifier (UUID), 1311
unknown action, 391
unknown HTTP sessions, 2011
unknown option, 2165
unknown protocol, 2165
unnumbered IP, 364
unset, 396
up time
HA statistics, 1578
update signatures, 371
updating
antivirus and IPS, web-based manager, 371
updating switch arp tables, 1625
upgrading
3.0 MR7 to 4.0 MR2, 91
4.0 MR1 to 4.0 MR2, 92
4.0 to 4.0 MR2, 91
4.0 using the CLI, 94
firmware using the CLI, 379
upgrading issues
FortiOS, 87
FortiOS Carrier, 89
upload status
quarantine files list, 488
URL
for user log in, 1019
URL filtering, 538
URL-Filtering, 1279
usage-based ECMP, 1226
USB, 383
auto-install, 380
user accounts, creating, 1005
User Agent, 1897
User Agent Client, 1897
User Agent Server, 1897
user authentication
IPSec VPN dialup users, 724
L2TP VPN, 727
PPTP VPN, 726
protocols, 720
SSL VPN, 723
timeout, 719
XAuth, 725
User Context Creation Timeout, 1759
user context creation timeout, 1756
user context list
carrier end point, 1757
dynamic profile, 1757
timeout for removing entries, 1762
user context creation timeout, 1762
user context entry timeout, 1762
waiting for new entries, 1762
user element
See UA, 1897
user group for wireless users, 1880
user groups, 715
creating, 716
Directory Service, 717
firewall, 715
for different access permissions, example, 1049
on authentication servers, 716
on FortiGate unit, 753
peer, configuring, 717
peer, creating, 717
types of, 715
Windows AD, 736
user groups, creating, 1005
User Location Information (ULI), 1851
users, 711
authenticating with LDAP servers, 712
authenticating with RADIUS servers, 712
authenticating with TACACS+ servers, 712
local, creating, 712
local, deleting from FortiGate configuration, 713
local, removing from FortiGate configuration, 713
peer, configuring, 713
peer, creating, 713
types of, 711
users, number of concurrent, 1335
using the CLI, 387
usrgrp
vpn pptp, 1298
UTF-8, 401
UTM, 2003
explicit web proxy, 2081, 2086
overview, 537
profiles, 212
profiles and sensors, 212
sessions continue after active-active HA failover, 1633
VDOM, 539
web proxy, 2081
UTM profiles, 539

V
validating
RADIUS Secret, 1761
value, 392
value-added-service ID (VAS ID), 1794
value-added-service-provider ID (VASP ID), 1794
vcluster, 1395
VDOM, 1707
configuration, 1372
firewall policy, 1353, 1354
independent configuration, 1391
license, 1319
limited resources, 1268, 1337
link, 1385
management, 1757
management configuration, 1386, 1392
management services, 1338
management VDOM, 1320, 1324, 1341, 1342
maximum interface, 1368
maximum interfaces, 1236, 1267
maximum number, 1337
meshed configuration, 1386, 1393
simple VDOM NAT/Route example, 1359
stand alone configuration, 1386, 1391
status, 1341
Transparent mode, 1234, 1253, 1365
UTM, 539
VDOM example, 1356, 1361
VLAN subinterface, 1348
VDOMs, 1989
vdoms
switching between vdoms, 98
vendor-specific attributes - see VSA
verify traffic, 279
verifying
upgrade to 4.0, 95
viewing
carrier end point IP filter list, 1747, 1778, 1845, 1849
viewing FortiGuard web filtering quota usage, 136
viewing FortiOS reports, 160
viewing quarantine files, 487
viewing reports
reports, viewing, 527
violation traffic, 280
VIP address
L2TP clients, 1303
PPTP clients, 1297
VIP address, FortiClient dialup clients, 829
viral marketing, 1817
virtual AP
creating, 1876
described, 1876
virtual cluster, 1523, 1524
and virtual domains, 1523
configuring, 1527, 1529, 1533
virtual clustering, 1433
definition, 1459
port monitoring, 1525
remote link failover, 1525
Virtual Desktop, 1034
using, 1031
virtual domain, transparent VPN IPsec configuration, 884
virtual domains, 189, 1989
maximums, 189
virtual interface, 1386
virtual interfaces, 1707
virtual IP, 1632, 2112
assigning with RADIUS, 830
destination network address translation (DNAT), 197, 199
NAT, 197
PAT, 197
port address translation, 197
SNAT, 197
source network address translation, 197
WAN optimization, 2004
virtual LANs, 191
virtual MAC address, 1597, 1605
definition, 1456
group ID, 1610
how its determined, 1607
virtual private network (VPN), 1293
Virtual Router Redundancy Protocol (VRRP), 1370
virtual server, 1632
arp-reply, 2112
interface, 2112
IP, 2112
port, 2112
virus
explicit web proxy, 2086
virus database, 564
virus detected
HA statistics, 1579
virus name, 1829
virus scan, 560, 563
Visitor Location Register (VLR), 1749
VLAN, 957, 1707, 2156
adding to VDOM, 1348
application, 1236
firewall policy, 1245
maximum number, 1236, 1267, 1368
subinterface, 1242, 1246, 1248, 1252
tagged packets, 1243
Transparent mode, 1234, 1253, 1365
VLAN ID, 1239
range, 1236
tag, 1236
VLAN subinterface
Transparent mode, 1254, 1370
VDOM example, 1373, 1377
VDOM NAT/Route, 1348
VDOM Transparent example, 1258
VLAN NAT/Route example, 1248
VNC
starting a session, 1029
VoIP, 1312
load balancing, 1643
profile, 1919
VoIP Profile
SCCP, 1919
SIMPLE, 1919
VoIP profile
default, 1920
strict, 1920
voip profile, 130
voip usage widget, 101
VPN, 958, 2161
backup, 879
FortiClient automatic settings, 836
FortiClient manual settings, 836
gateway, 961, 2162, 2163, 2168, 2169
general steps for configuring L2TP, 1303
general steps for configuring PPTP, 1296
IPSec, 724
L2TP, 727
logging events, 965
monitoring IKE sessions, 965
monitoring, dialup connection, 963
monitoring, static or DDNS connection, 963
planning configurations, 790
policy, 220
policy-based vs route-based, 790
PPTP, 726, 1293
preparation steps, 791
SSL, 723
testing, 965
troubleshooting, 967
VPN authentication, 723
VPN client-based authentication, 698
VPN connection
idle timeout, 698
VPN encryption/decryption offloading, 2161
VPN policy server
configuring FortiClient to use, 836
configuring FortiGate unit as, 834
VSA
RADIUS servers, 702
vulnerability scan
adding assets manually, 1687
configuring scans, 1688
creating reports, 1691
discovering assets, 1685
selecting assets to scan, 1685
viewing executive summary graphs, 1691
viewing reports, 1692
viewing results, 1688, 1690
viewing scan logs, 1690

W
WAN optimization, 1632, 1634
and virtual IPs, 2004
explicit mode, 2009
IP address, 1997
load balancing, 1643
monitoring, 1992
peer authentication, 1997
peer host ID, 1997
peer IP address, 1997
peers, 1997
transparent mode, 2009
WAN optimization peer
configuring, 1999
WAP, 1736
WAP traffic, 1756
dynamic profile, 1756
HTTP header options, 1767
warning to install FortiClient, 1670
WCCP, 1632, 2097
cache engine, 2097
client, 2097
load balancing, 1643
router, 2097
server, 2097
topology, 1987
wccp client mode configuration, 120
wccp router mode configuration, 119
web cache, 1981
active-passive WAN optimization, 2037
adding to passive WAN optimization rule, 2037
client/server WAN optimization, 2037
exempt, 2032
non-standard ports, 2035
peer to peer WAN optimization, 2041
reverse proxy, 1985, 2073
Web Cache Communication Protocol
See WCCP, 2097
web cache exempt list, 147
web content filtering, 538
web filter
quota, 644
web filtering, 538
explicit web proxy, 2086
explicit web proxy and FortiGuard web filtering, 2087
HTTPS, 544
web filtering service, 1829
web filtering, about, 166
web portal, 1022
adding caption to home page, 993
customizing login page, 986
home page features, 1020
logging in, 1019
server applications, 1021
setting login page port number, 985
SSL VPN, SSL VPN web portal
customize, 987
tunnel mode features, 1030
using bookmarks, 1021
widgets, 1020
web proxy, 1632, 2079
antivirus, 2086
authentication, 2084, 2086
DLP, 2086
FortiGuard Web Filtering, 2087
FortiGuard web filtering, 2086
protocol options, 2086
UTM, 2081
web filtering, 2086
web proxy replacement messages, 121
web server
connecting to, 1023
web site, content category, 1828
web-based manager, 361
connecting to, 980
web-based manager configuration steps
NAT/Route mode, 1463, 1467, 1474, 1479, 1485, 1488
web-based user authentication, 697
web-only mode, 977
firewall policy for, 1008
weight
real server, 2114
weighted
load balancing, 2113
weighted round-robin
HA schedule, 1644
weighted-round-robin
configuring weights, 1647
WEP128, 1870
WEP64, 1870
widget
tunnel mode, 1030
widgets
alert message, FortiGuard alerts, 101
im usage, 100
p2p usage, 100
per-ip bandwidth usage, 100
storage, 101
voip usage, 101
web portal, 1020
Wi-Fi Protected Access (WPA), 423
wild cards, 393
wildcard, 570
carrier end point pattern, 1775
wildcard pattern matching, 405
Windows networks
enabling NetBIOS, 1266
Windows Terminal Server
authentication, 2086
Windows VPN, 901
WINS, 1266
wire speed, 2150
wireless, 188
client mode, 422
interface, 1870
network name, 424
security, 423
wireless controller
discovery methods, 1887
Wireless Equivalent Privacy (WEP), 423
Wireless LAN (WLAN), 1850
WLAN
configuring DHCP, 1880
firewall policies, 1881
interface, 1870
WLAN interface configuration
standalone FortiWiFi, 1878
wireless controller, 1879
WML, 1788
word boundary
Perl regular expressions, 405
work state
definition, 1459
HA, 1566
Workstation verify interval
collector agent configuration, 738
worm-generated messages, 1817
WPA, 1870
WPA2, 1870
WPA2 Auto, 1870

X
X.509 security certificates, 984
managing, 758
XAuth, 725
configuring authentication with, 725
XAuth (extended authentication)
authenticating users with, 942
FortiClient application as client, 837
FortiGate unit as client, 943
FortiGate unit as server, 942
XAuth Enable as Client, Phase 1, 943
XAuth Enable as Server, Phase 1, 942
XD4, 1646
X-Forwarded-For (XFF), 2084
x-up-calling-line-id, 1781

Z
zero bandwidth, 1706
zone
using as route-based "concentrator", 812
zones, 192