Administration Guide

FortiOS 7.0.1
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

September 28, 2021

FortiOS 7.0.1 Administration Guide
01-701-700620-20210928
TABLE OF CONTENTS

Change Log 18
Getting started 19
Differences between models 19
Using the GUI 19
Connecting using a web browser 19
Menus 20
Tables 21
Entering values 23
GUI-based global search 24
Using the CLI 26
Connecting to the CLI 26
CLI basics 29
Command syntax 35
Subcommands 37
Permissions 40
FortiExplorer for iOS 40
Getting started with FortiExplorer 41
Connecting FortiExplorer to a FortiGate via WiFi 43
Running a security rating 44
Upgrading to FortiExplorer Pro 45
Basic administration 45
Basic configuration 46
Registration 48
FortiCare and FortiGate Cloud login 50
Transferring a FortiCloud account title 53
Configuration backups 56
Troubleshooting your installation 59
Dashboards and Monitors 62
Using dashboards 62
Using widgets 63
Widgets 65
Viewing device dashboards in the Security Fabric 67
Creating a fabric system and license dashboard 68
Example 68
Dashboards 69
Resetting the default dashboard template 70
Status dashboard 70
Security dashboard 72
Network dashboard 74
Users & Devices 82
WiFi dashboard 86
Monitors 92
Non-FortiView monitors 92
FortiView monitors 92

FortiOS 7.0.1 Administration Guide 3


Fortinet Technologies Inc.
FortiView monitors and widgets 93
Adding FortiView monitors 94
Using the FortiView interface 97
Enabling FortiView from devices 100
FortiView sources 102
FortiView Sessions 103
FortiView Top Source and Top Destination Firewall Objects monitors 105
Viewing top websites and sources by category 107
Cloud application view 110
Network 121
Interfaces 121
Interface settings 122
Aggregation and redundancy 126
VLANs 129
Enhanced MAC VLANs 135
Inter-VDOM routing 138
Software switch 143
Hardware switch 145
Zone 147
Virtual wire pair 149
PRP handling in NAT mode with virtual wire pair 152
Virtual switch support for FortiGate 300E series 153
Failure detection for aggregate and redundant interfaces 155
VLAN inside VXLAN 156
Virtual wire pair with VXLAN 158
QinQ 160
Assign a subnet with the FortiIPAM service 161
Interface MTU packet size 166
One-arm sniffer 168
Interface migration wizard 172
DNS 176
Important DNS CLI commands 176
DNS domain list 178
FortiGate DNS server 179
DDNS 181
DNS latency information 185
DNS over TLS and HTTPS 187
DNS troubleshooting 191
Explicit and transparent proxies 193
Explicit web proxy 193
FTP proxy 196
Transparent proxy 197
Proxy policy addresses 199
Proxy policy security profiles 206
Explicit proxy authentication 210
Transparent web proxy forwarding 216
Upstream proxy authentication in transparent proxy mode 220
Multiple dynamic header count 222
Restricted SaaS access 224

Explicit proxy and FortiSandbox Cloud 226
Proxy chaining 229
WAN optimization SSL proxy chaining 234
Agentless NTLM authentication for web proxy 242
Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers 245
Learn client IP addresses 246
Explicit proxy authentication over HTTPS 247
mTLS client certificate authentication 249
DHCP server 255
Configure a DHCP server on an interface 255
Configure a DHCP relay on an interface 256
Configure a DHCP server and relay on an interface 256
DHCP options 257
IP address assignment with relay agent information option 259
DHCP client options 261
Static routing 262
Routing concepts 262
Policy routes 272
Equal cost multi-path 275
Dual internet connections 279
RIP 285
OSPF 285
BGP 285
Multicast 285
Multicast routing and PIM support 286
Configuring multicast forwarding 286
FortiExtender 289
Adding a FortiExtender 290
Data plan profiles 291
Direct IP support for LTE/4G 293
Sample LTE interface 295
Limitations 295
LLDP reception 296
Virtual routing and forwarding 299
Implementing VRF 299
VRF routing support 300
Route leaking between VRFs with BGP 305
Route leaking between multiple VRFs 307
VRF with IPv6 317
IBGP and EBGP support in VRF 321
NetFlow 323
Verification and troubleshooting 324
NetFlow templates 325
NetFlow on FortiExtender and tunnel interfaces 337
Link monitor 341
Link monitor with route updates 342
Enable or disable updating policy routes when link health monitor fails 343
Add weight setting on each link health monitor server 345

SD-WAN 350
SD-WAN quick start 350
Configuring the SD-WAN interface 351
Adding a static route 352
Selecting the implicit SD-WAN algorithm 353
Configuring firewall policies for SD-WAN 353
Link monitoring and failover 354
Results 355
Configuring SD-WAN in the CLI 358
SD-WAN zones 360
Specify an SD-WAN zone in static routes and SD-WAN rules 365
Performance SLA 369
Link health monitor 370
Factory default health checks 372
Health check options 375
Link monitoring example 377
SLA targets example 378
Passive WAN health measurement 379
Health check packet DSCP marker support 385
Manual interface speedtest 385
Scheduled interface speedtest 386
Monitor performance SLA 388
SLA monitoring using the REST API 391
SD-WAN rules 395
Implicit rule 395
Best quality strategy 399
Lowest cost (SLA) strategy 403
Maximize bandwidth (SLA) strategy 406
Minimum number of links for a rule to take effect 409
Use MAC addresses in SD-WAN rules and policy routes 410
SD-WAN traffic shaping and QoS 411
SDN dynamic connector addresses in SD-WAN rules 416
Application steering using SD-WAN rules 418
DSCP tag-based traffic steering in SD-WAN 431
ECMP support for the longest match in SD-WAN rule matching 441
Override quality comparisons in SD-WAN longest match rule matching 443
Advanced routing 446
Local out traffic 446
Using BGP tags with SD-WAN rules 452
BGP multiple path support 455
Controlling traffic with BGP route mapping and service rules 457
Applying BGP route-map to multiple BGP neighbors 464
VPN overlay 470
ADVPN and shortcut paths 470
SD-WAN monitor on ADVPN shortcuts 483
Hold down time to support SD-WAN service strategies 484
SD-WAN integration with OCVPN 486
Forward error correction on VPN overlay networks 493

Dual VPN tunnel wizard 496
Duplicate packets based on SD-WAN rules 497
Duplicate packets on other zone members 499
Speed tests run from the hub to the spokes in dial-up IPsec tunnels 501
Interface based QoS on individual child tunnels based on speed test results 508
Use SSL VPN interfaces in zones 511
Advanced configuration 515
SD-WAN with FGCP HA 515
Configuring SD-WAN in an HA cluster using internal hardware switches 522
SD-WAN configuration portability 525
SD-WAN cloud on-ramp 531
Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM 532
Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway 537
Configuring the VIP to access the remote servers 540
Configuring the SD-WAN to steer traffic between the overlays 543
Verifying the traffic 547
Hub and spoke SD-WAN deployment example 554
Datacenter configuration 554
Branch configuration 559
Validation 563
Troubleshooting 564
Dynamic definition of SD-WAN routes 564
Adding another datacenter 565
Troubleshooting SD-WAN 566
Tracking SD-WAN sessions 566
Understanding SD-WAN related logs 567
SD-WAN related diagnose commands 570
SD-WAN bandwidth monitoring service 574
Using SNMP to monitor health check 577
Policy and Objects 581
Policies 581
Firewall policy parameters 582
Profile-based NGFW vs policy-based NGFW 583
NGFW policy mode application default service 587
Application logging in NGFW policy mode 589
Policy views and policy lookup 590
Policy with source NAT 592
Policy with destination NAT 605
Policy with Internet Service 619
NAT64 policy and DNS64 (DNS proxy) 635
NAT46 policy 639
Local-in policies 643
DoS protection 644
Access control lists 652
Mirroring SSL traffic in policies 653
Inspection mode per policy 656
OSPFv3 neighbor authentication 658

Firewall anti-replay option per policy 660
Enabling advanced policy options in the GUI 660
Recognize anycast addresses in geo-IP blocking 661
Matching GeoIP by registered and physical location 662
Authentication policy extensions 663
HTTP to HTTPS redirect for load balancing 664
Use Active Directory objects directly in policies 666
FortiGate Cloud / FDN communication through an explicit proxy 669
No session timeout 671
MAP-E support 672
Seven-day rolling counter for policy hit counters 676
Cisco Security Group Tag as policy matching criteria 677
Objects 680
Address group exclusions 680
MAC addressed-based policies 681
ISDB well-known MAC address list 683
Dynamic policy — fabric devices 684
FSSO dynamic address subtype 686
ClearPass integration for dynamic address objects 690
Group address objects synchronized from FortiManager 693
Using wildcard FQDN addresses in firewall policies 695
Configure FQDN-based VIPs 697
IPv6 geography-based addresses 698
Array structure for address objects 700
IPv6 MAC addresses and usage in firewall policies 702
Traffic shaping 704
Configuration methods 704
Traffic shaping policy 705
Traffic shaping profiles 707
Traffic shapers 711
Global traffic prioritization 721
DSCP matching and DSCP marking 724
Examples 728
Zero Trust Network Access 739
Zero Trust Network Access introduction 740
Basic ZTNA configuration 742
Establish device identity and trust context with FortiClient EMS 751
SSL certificate based authentication 755
ZTNA configuration examples 757
Migrating from SSL VPN to ZTNA HTTPS access proxy 817
ZTNA logging enhancements 820
ZTNA troubleshooting and debugging 823
Security Profiles 829
Inspection modes 829
Flow mode inspection (default mode) 830
Proxy mode inspection 830
Inspection mode feature comparison 832
Antivirus 834

Protocol comparison between antivirus inspection modes 835
Other antivirus differences between inspection modes 835
AI-based malware detection 835
Proxy mode stream-based scanning 836
Databases 837
Content disarm and reconstruction 838
FortiGuard outbreak prevention 840
External malware block list 842
Malware threat feed from EMS 846
Checking flow antivirus statistics 849
CIFS support 851
Using FortiSandbox with antivirus 856
FortiAI inline blocking and integration with an AV profile 858
Web filter 861
URL filter 862
FortiGuard filter 867
Credential phishing prevention 873
Additional antiphishing settings 876
Usage quota 879
Web content filter 881
Advanced filters 1 884
Advanced filters 2 887
Web filter statistics 891
URL certificate blocklist 892
Video filter 893
Filtering based on FortiGuard categories 893
Filtering based on YouTube channel 897
DNS filter 899
FortiGuard DNS rating service 900
Configuring a DNS filter profile 901
FortiGuard category-based DNS domain filtering 903
Botnet C&C domain blocking 906
DNS safe search 909
Local domain filter 911
DNS translation 914
Applying DNS filter to FortiGate DNS server 917
DNS inspection with DoT and DoH 918
Troubleshooting for DNS filter 922
Application control 924
Basic category filters and overrides 925
Excluding signatures in application control profiles 928
Port enforcement check 930
Protocol enforcement 931
SSL-based application detection over decrypted traffic in a sandwich topology 932
Matching multiple parameters on application control signatures 933
Application signature dissector for DNP3 936
Intrusion prevention 936
Botnet C&C IP blocking 937
Detecting IEC 61850 MMS protocol in IPS 941

IPS signature filter options 943
SCTP filtering capabilities 946
File filter 948
Logs 951
Supported file types 952
Email filter 954
Protocol comparison between email filter inspection modes 955
Local-based filters 955
FortiGuard-based filters 958
Protocols and actions 959
Configuring webmail filtering 961
Data leak prevention 961
Protocol comparison between DLP inspection modes 962
Logging and blocking files by file name 963
Basic DLP filter types 963
DLP fingerprinting 965
VoIP solutions 969
General use cases 970
SIP message inspection and filtering 974
SIP pinholes 976
SIP over TLS 977
Custom SIP RTP port range support 978
Voice VLAN auto-assignment 980
ICAP 982
ICAP configuration example 983
ICAP response filtering 985
Secure ICAP clients 987
Web application firewall 988
Protecting a server running web applications 988
SSL & SSH Inspection 991
Certificate inspection 992
Deep inspection 994
Protecting an SSL server 996
Handling SSL offloaded traffic from an external decryption device 996
SSH traffic file scanning 999
Redirect to WAD after handshake completion 1000
HTTP/2 support in proxy mode SSL inspection 1001
Define multiple certificates in an SSL profile in replace mode 1002
Custom signatures 1004
Application groups in traffic shaping policies 1005
Blocking applications with custom signatures 1008
Filters for application control groups 1010
Overrides 1013
Web rating override 1014
Web profile override 1019
VPN 1024
IPsec VPNs 1024
General IPsec VPN configuration 1024

Site-to-site VPN 1052
Remote access 1105
Aggregate and redundant VPN 1148
Overlay Controller VPN (OCVPN) 1192
ADVPN 1222
Other VPN topics 1257
VPN IPsec troubleshooting 1289
SSL VPN 1296
SSL VPN best practices 1297
SSL VPN quick start 1300
SSL VPN tunnel mode 1307
SSL VPN web mode for remote user 1313
SSL VPN authentication 1318
SSL VPN to IPsec VPN 1401
SSL VPN protocols 1407
FortiGate as SSL VPN Client 1409
Dual stack IPv4 and IPv6 support for SSL VPN 1418
Disable the clipboard in SSL VPN web mode RDP connections 1429
SSL VPN IP address assignments 1434
SSL VPN troubleshooting 1436
User & Authentication 1439
Endpoint control and compliance 1439
Per-policy disclaimer messages 1439
Compliance 1442
FortiGuard distribution of updated Apple certificates 1444
Integrate user information from EMS and Exchange connectors in the user store 1445
User Definition 1448
User types 1448
Removing a user 1448
User Groups 1449
Configuring POP3 authentication 1449
Guest Management 1450
Configuring guest access 1450
Retail environment guest access 1452
LDAP Servers 1453
FSSO polling connector agent installation 1453
Enabling Active Directory recursive search 1457
Configuring LDAP dial-in using a member attribute 1458
Configuring wildcard admin accounts 1459
Configuring least privileges for LDAP admin account authentication in Active Directory 1461
RADIUS Servers 1461
Configuring RADIUS SSO authentication 1462
RSA ACE (SecurID) servers 1468
Support for Okta RADIUS attributes filter-Id and class 1472
Send multiple RADIUS attribute values in a single RADIUS Access-Request 1474
Traffic shaping based on dynamic RADIUS VSAs 1474
TACACS+ servers 1481

SAML 1483
Outbound firewall authentication for a SAML user 1483
SAML SP for VPN authentication 1485
Using a browser as an external user-agent for SAML authentication in an SSL VPN connection 1487
SAML authentication in a proxy policy 1491
Authentication Settings 1494
FortiTokens 1496
FortiToken Mobile quick start 1497
FortiToken Cloud quick start 1505
Registering hard tokens 1508
Managing FortiTokens 1511
FortiToken Mobile Push 1512
Troubleshooting and diagnosis 1514
Configuring the maximum log in attempts and lockout period 1517
PKI 1517
Creating a PKI/peer user 1518
Configuring firewall authentication 1518
Creating a locally authenticated user account 1519
Creating a RADIUS-authenticated user account 1519
Creating an FSSO user group 1520
Creating a firewall user group 1522
Defining policy addresses 1523
Creating security policies 1523
Configuring the FSSO timeout when the collector agent connection fails 1525
Example 1525
Wireless configuration 1527
Switch Controller 1528
System 1529
Basic system settings 1529
Advanced system settings 1529
Operating modes 1530
Administrators 1532
Administrator profiles 1532
Add a local administrator 1534
Remote authentication for administrators 1535
Password policy 1537
Associating a FortiToken to an administrator account 1538
SSO administrators 1539
FortiGate administrator log in using FortiCloud single sign-on 1540
Firmware 1541
Firmware upgrade notifications 1542
Downloading a firmware image 1543
Testing a firmware version 1544
Upgrading the firmware 1545
Downgrading to a previous firmware version 1546
Installing firmware from system reboot 1547

Restoring from a USB drive 1548
Controlled upgrade 1549
Settings 1549
Default administrator password 1550
Changing the host name 1551
Setting the system time 1552
Configuring ports 1555
Setting the idle timeout time 1556
Setting the password policy 1557
Changing the view settings 1557
Setting the administrator password retries and lockout time 1558
TLS configuration 1558
Controlling return path with auxiliary session 1559
Email alerts 1563
Virtual Domains 1567
Global and per-VDOM resources 1568
Split-task VDOM mode 1569
Multi VDOM mode 1572
Configure VDOM-A 1575
Configure VDOM-B 1577
Configure the VDOM link 1580
Configure VDOM-A 1585
Configure VDOM-B 1587
High Availability 1589
FortiGate Clustering Protocol (FGCP) 1589
FortiGate Session Life Support Protocol (FGSP) 1589
FGCP 1590
FGSP 1633
Standalone configuration synchronization 1653
SNMP 1658
Interface access 1658
MIB files 1659
FortiGate Rugged 30D SNMP bridge MIB module support 1659
SNMP agent 1661
SNMP v1/v2c communities 1661
SNMP v3 users 1663
Important SNMP traps 1664
SNMP traps and query for monitoring DHCP pool 1666
Replacement messages 1667
Modifying replacement messages 1667
Replacement message images 1669
Replacement message groups 1671
FortiGuard 1674
Configuring FortiGuard updates 1674
Manual updates 1675
Automatic updates 1676
Scheduled updates 1676
Sending malware statistics to FortiGuard 1677

Update server location 1678
Filtering 1679
Online security tools 1680
FortiGuard anycast and third-party SSL validation 1680
Using FortiManager as a local FortiGuard server 1683
Cloud service communication statistics 1684
IoT detection service 1685
FortiAP query to FortiGuard IoT service to determine device details 1688
Feature visibility 1688
Certificates 1689
Uploading a certificate using the GUI 1689
Uploading a certificate using the CLI 1692
Uploading a certificate using an API 1692
Procuring and importing a signed SSL certificate 1697
Microsoft CA deep packet inspection 1700
ACME certificate support 1705
Configuration scripts 1709
Workspace mode 1710
Custom languages 1712
RAID 1713
FortiGate encryption algorithm cipher suites 1716
HTTPS access 1716
SSH access 1717
SSL VPN 1717
Fortinet Security Fabric 1720
Security Fabric settings and usage 1720
Components 1721
Configuring the root FortiGate and downstream FortiGates 1724
Configuring FortiAnalyzer 1731
Configuring other Security Fabric devices 1733
Using the Security Fabric 1780
Deploying the Security Fabric 1788
Deploying the Security Fabric in a multi-VDOM environment 1796
Synchronizing objects across the Security Fabric 1801
Security Fabric over IPsec VPN 1808
Leveraging LLDP to simplify Security Fabric negotiation 1814
Configuring the Security Fabric with SAML 1817
Configuring single-sign-on in the Security Fabric 1818
CLI commands for SAML SSO 1824
SAML SSO with pre-authorized FortiGates 1825
Navigating between Security Fabric members with SSO 1826
Integrating FortiAnalyzer management using SAML SSO 1828
Integrating FortiManager management using SAML SSO 1832
Advanced option - FortiGate SP changes 1834
Security rating 1834
Security Fabric score 1841
Automation stitches 1842
Creating automation stitches 1843

Triggers 1856
Actions 1864
Public and private SDN connectors 1916
Getting started with public and private SDN connectors 1917
AliCloud SDN connector using access key 1921
AWS SDN connector using certificates 1923
Azure SDN connector using service principal 1929
Cisco ACI SDN connector using a standalone connector 1930
ClearPass endpoint connector via FortiManager 1932
GCP SDN connector using service account 1935
IBM Cloud SDN connector using API keys 1937
Kubernetes (K8s) SDN connectors 1941
Nuage SDN connector using server credentials 1957
Nutanix SDN connector using server credentials 1959
OCI SDN connector using certificates 1961
OpenStack SDN connector using node credentials 1963
VMware ESXi SDN connector using server credentials 1967
VMware NSX-T Manager SDN connector using NSX-T Manager credentials 1969
Multiple concurrent SDN connectors 1972
Filter lookup in SDN connectors 1974
Support for wildcard SDN connectors in filter configurations 1977
Endpoint/Identity connectors 1979
Fortinet single sign-on agent 1979
Poll Active Directory server 1980
Symantec endpoint connector 1981
RADIUS single sign-on agent 1987
Exchange Server connector 1990
Threat feeds 1993
External resources file format 1994
Create a threat feed 1995
Update history 1996
EMS threat feed 1996
External blocklist policy 1997
External blocklist authentication 1998
External blocklist file hashes 1999
External resources for DNS filter 2000
Threat feed connectors per VDOM 2004
Monitoring the Security Fabric using FortiExplorer for Apple TV 2008
NOC and SOC example 2009
Troubleshooting 2020
Viewing a summary of all connected FortiGates in a Security Fabric 2021
Diagnosing automation stitches 2023
Log and Report 2027
Viewing event logs 2028
Sample logs by log type 2029
Log buffer on FortiGates with an SSD disk 2049
Checking the email filter log 2052
Supported log types to FortiAnalyzer, syslog, and FortiAnalyzer Cloud 2053

Sending traffic logs to FortiAnalyzer Cloud 2053
Example 2054
Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode 2056
Checking FortiAnalyzer connectivity 2057
Configuring multiple FortiAnalyzers (or syslog servers) per VDOM 2059
Source and destination UUID logging 2060
Logging the signal-to-noise ratio and signal strength per client 2062
RSSO information for authenticated destination users in logs 2065
Scenario 1 2065
Scenario 2 2066
Scenario 3 2067
Threat weight 2068
Logs for the execution of CLI commands 2069
Troubleshooting 2071
Log-related diagnose commands 2071
Backing up log files or dumping log messages 2077
SNMP OID for logs that failed to send 2078
VM 2082
Amazon Web Services 2082
Microsoft Azure 2082
Google Cloud Platform 2082
Oracle OCI 2082
AliCloud 2083
Private cloud 2083
VM license 2083
Uploading a license file 2084
Types of VM licenses 2084
CLI troubleshooting 2085
FortiGate multiple connector support 2087
Adding VDOMs with FortiGate v-series 2089
Terraform: FortiOS as a provider 2092
Troubleshooting 2096
PF and VF SR-IOV driver and virtual SPU support 2096
Using OCI IMDSv2 2098
FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs 2100
Troubleshooting 2102
Troubleshooting methodologies 2103
Verify user permissions 2103
Establish a baseline 2103
Create a troubleshooting plan 2105
Troubleshooting scenarios 2106
Checking the system date and time 2107
Checking the hardware connections 2108
Checking FortiOS network settings 2109
Troubleshooting CPU and network resources 2112
Troubleshooting high CPU usage 2113

Checking the modem status 2117
Running ping and traceroute 2118
Checking the logs 2121
Verifying routing table contents in NAT mode 2122
Verifying the correct route is being used 2123
Verifying the correct firewall policy is being used 2123
Checking the bridging information in transparent mode 2124
Checking wireless information 2125
Performing a sniffer trace (CLI and packet capture) 2126
Debugging the packet flow 2129
Testing a proxy operation 2132
Displaying detail Hardware NIC information 2132
Performing a traffic trace 2134
Using a session table 2135
Finding object dependencies 2139
Diagnosing NPU-based interfaces 2140
Identifying the XAUI link used for a specific traffic stream 2140
Date and time settings 2141
Running the TAC report 2142
Other commands 2142
FortiGuard troubleshooting 2145
Additional resources 2148
Technical documentation 2148
Fortinet video library 2148
Release notes 2148
Knowledge base 2148
Fortinet technical discussion forums 2148
Fortinet training services online campus 2149
Fortinet Support 2149

Change Log

Date        Change Description

2021-07-15  Initial release.
2021-07-19  Updated Filtering based on YouTube channel on page 897 and Advanced filters 2 on page 887.
2021-07-22  Added FortiGate encryption algorithm cipher suites on page 1716.
2021-07-29  Added Basic configuration on page 46, Uploading a certificate using the GUI on page 1689, Uploading a certificate using the CLI on page 1692, Uploading a certificate using an API on page 1692, and Specify an SD-WAN zone in static routes and SD-WAN rules on page 365. Updated Registration on page 48.
2021-07-30  Updated SSL VPN with certificate authentication on page 1329 and Local out traffic on page 446.
2021-08-04  Updated Local-in policies on page 643.
2021-08-11  Reorganized the High Availability section on page 1589.
2021-08-13  Added ZTNA SSH access proxy example on page 797.
2021-08-17  Added section for Link monitor on page 341. Updated Policy routes on page 272.
2021-08-18  Updated FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs on page 2100.
2021-08-25  Added Virtual routing and forwarding on page 299, and QinQ on page 160. Updated Local-in policies on page 643.
2021-09-03  Added Dialup IPsec VPN with certificate authentication on page 1139. Reorganized the Traffic shaping section on page 704.
2021-09-09  Added ZTNA access proxy with SAML and MFA using FortiAuthenticator example on page 804.
2021-09-28  Updated Virtual Domains on page 1567 and Types of VM licenses on page 2084.

Getting started

This section explains how to get started with a FortiGate.

Differences between models

Not all FortiGates have the same features, particularly entry-level models (models 30 to 90). A number of features on these models are only available in the CLI.

Consult your model's QuickStart Guide, hardware manual, or the Feature / Platform Matrix for further information about features that vary by model.

FortiGate models differ principally by the names used and the features available:
- Naming conventions may vary between FortiGate models. For example, on some models the hardware switch interface used for the local area network is called lan, while on other units it is called internal.
- Certain features are not available on all models. Additionally, a particular feature may be available only through the CLI on some models, while that same feature may be viewed in the GUI on other models.

If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature Visibility and confirm that the feature is enabled. For more information, see Feature visibility on page 1688.

Using the GUI

This section presents an introduction to the graphical user interface (GUI) on your FortiGate.

The following topics are included in this section:
- Connecting using a web browser
- Menus
- Tables
- Entering values
- GUI-based global search

For information about using the dashboards, see Dashboards and Monitors on page 62.

Connecting using a web browser

In order to connect to the GUI using a web browser, an interface must be configured to allow administrative access over HTTPS or over both HTTPS and HTTP. By default, an interface has already been set up that allows HTTPS access with the IP address 192.168.1.99.

Browse to https://192.168.1.99 and enter your username and password. If you have not changed the admin account's password, use the default user name, admin, and leave the password field blank.

The GUI will now display in your browser, and you will be required to provide a password for the administrator account.

To use a different interface to access the GUI:

1. Go to Network > Interfaces and edit the interface you wish to use for access. Take note of its assigned IP address.
2. In Administrative Access, select HTTPS, and any other protocol you require. You can also select HTTP, although this is not recommended as the connection will be less secure.
3. Click OK.
4. Browse to the IP address using your chosen protocol.
The GUI will now be displayed in your browser.
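The administrative-access setting from steps 1 to 3, as it is expressed in the FortiOS CLI. This is an added example, not text from the guide; the interface name port1 is an assumption. The first block is the weaker setting the guide advises against (cleartext HTTP enabled alongside HTTPS); the second keeps management on HTTPS (plus SSH for the CLI) only, and the third covers the case where HTTP must stay reachable.

```text
# Weaker setting: management reachable over cleartext HTTP as well as HTTPS.
# ("port1" is an assumed interface name; use the one noted in step 1.)
config system interface
    edit "port1"
        set allowaccess ping https ssh http
    next
end

# Recommended: HTTPS and SSH only. "set allowaccess" replaces the whole list,
# so leaving http out of it disables HTTP management on this interface.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# If HTTP must remain enabled, send those connections to HTTPS instead.
config system global
    set admin-https-redirect enable
end

# Verify what the interface currently allows.
show system interface port1
```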

Menus

If you believe your FortiGate model supports a menu that does not appear in the GUI, go to System > Feature Visibility and ensure the feature is enabled. For more information, see Feature visibility on page 1688.

The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:

Dashboard The dashboard displays various widgets that display important system
information and allow you to configure some system options.
For more information, see Dashboards and Monitors on page 62.

Network Options for networking, including configuring system interfaces and routing
options.
For more information, see Network on page 121.

Policy & Objects Configure firewall policies, protocol options, and supporting content for policies,
including schedules, firewall addresses, and traffic shapers.
For more information, see Policy and Objects on page 581.

Security Profiles Configure your FortiGate's security features, including Antivirus, Web Filter, and
Application Control.
For more information, see Security Profiles on page 829.

VPN Configure options for IPsec and SSL virtual private networks (VPNs).
For more information, see IPsec VPNs on page 1024 and SSL VPN on page
1296.

User & Authentication Configure user accounts, groups, and authentication methods, including external
authentication and single sign-on (SSO).

WiFi & Switch Controller Configure the unit to act as a wireless network controller, managing the wireless
Access Point (AP) functionality of FortiWiFi and FortiAP units.
On certain FortiGate models, this menu has additional features allowing for
FortiSwitch units to be managed by the FortiGate.

FortiOS 7.0.1 Administration Guide 20


Fortinet Technologies Inc.
Getting started

For more information, see Wireless configuration on page 1527 and Switch
Controller on page 1528.

System Configure system settings, such as administrators, HA, FortiGuard, and certificates.
For more information, see System on page 1529.

Security Fabric Access the physical topology, logical topology, automation, and settings of the
Fortinet Security Fabric.
For more information, see Fortinet Security Fabric on page 1720.

Log & Report Configure logging and alert email as well as reports.
For more information, see Log and Report on page 2027.

Tables

Many GUI pages contain tables of information that can be filtered and customized to display specific information in a
specific way. Some tables allow content to be edited directly on that table, or rows to be copied and pasted.

Navigation

Some tables contain information and lists that span multiple pages. Navigation controls will be available at the bottom of
the page.

Filters

Filters are used to locate a specific set of information or content in a table. They can be particularly useful for locating
specific log entries. The filtering options vary, depending on the type of information in the log.
Depending on the table content, filters can be applied using the filter bar, using a column filter, or based on a cell's
content. Some tables allow filtering based on regular expressions.
Administrators with read and write access can define filters. Multiple filters can be applied at one time.

To manually create a filter:

1. Click Add Filter at the top of the table. A list of the fields available for filtering is shown.
2. Select the field to filter by.
3. Enter the value to filter by, adding modifiers as needed.
4. Press Enter to apply the filter.

To create a column filter:

1. Click the filter icon on the right side of the column header
2. Choose a filter type from the available options.
3. Enter the filter text, or select from the available values.
4. Click Apply.

To create a filter based on a cell's content:

1. Right-click a cell in the table.
2. Select a filtering option from the menu.

Column settings

Columns can be rearranged, resized, and added or removed from tables.

To add or remove columns:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Select columns to add or remove.
3. Click Apply.

To rearrange the columns in a table:

1. Click and drag the column header.

To resize a column:

1. Click and drag the right border of the column header.

To resize a column to fit its contents:

1. Click the dots or filter icon on the right side of the column header and select Resize to Contents.

To resize all of the columns in a table to fit their content:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Click Best Fit All Columns.

To reset a table to its default view:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Click Reset Table.
Resetting a table does not remove filters.

Editing objects

In some tables, parts of a configuration can be edited directly in the table. For example, security profiles can be added to
an existing firewall policy by clicking the edit icon in a cell in the Security Profiles column.

Copying rows

In some tables, rows can be copied and pasted using the right-click menu. For example, a policy can be duplicated by
copying and pasting it.

Entering values

Numerous fields in the GUI and CLI require text strings or numbers to be entered when configuring the FortiGate. When
entering values in the GUI, you will be prevented from entering invalid characters, and a warning message will be shown
explaining what values are not allowed. If invalid values are entered in a CLI command, the setting will be rejected when
you apply it.
l Text strings on page 23
l Numbers on page 24

Text strings

Text strings are used to name entities in the FortiGate configuration. For example, the name of a firewall address,
administrator, or interface are all text strings.
The following characters cannot be used in text strings, as they present cross-site scripting (XSS) vulnerabilities:
l “ - double quotes
l ' - single quote
l > - greater than
l < - less than
Most GUI text fields prevent XSS vulnerable characters from being added.

VDOM names and hostnames can only use numbers (0-9), letters (a-z and A-Z), dashes, and
underscores.

The tree CLI command can be used to view the number of characters allowed in a name field. For example, entering
the following commands shows that a firewall address name can contain up to 80 characters, while its FQDN can contain
256 characters (a single number in parentheses is a length limit; a pair such as (0,86400) is a numeric range):
config firewall address
(address) # tree
-- [address] --*name (80)
    |- uuid
    |- subnet
    |- type
    |- start-mac
    |- end-mac
    |- start-ip
    |- end-ip
    |- fqdn (256)
    |- country (3)
    |- wildcard-fqdn (256)
    |- cache-ttl (0,86400)
    |- wildcard
    |- sdn (36)
    |- interface (36)
    |- tenant (36)
    |- organization (36)
    |- epg-name (256)
    |- subnet-name (256)
    |- sdn-tag (16)
    |- policy-group (16)
    |- comment
    |- visibility
    |- associated-interface (36)
    |- color (0,32)
    |- filter
    |- sdn-addr-type
    |- obj-id
    |- [list] --*ip (36)
        |- obj-id (128)
        +- net-id (128)
    |- [tagging] --*name (64)
        |- category (64)
        +- [tags] --*name (80)
    +- allow-routing
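The following Python script is an added example, not part of this guide: it parses tree output such as the listing above into per-field limits and checks candidate values against those limits and against the character rules described in this section, so that a value the FortiGate would reject is caught before a configuration is pushed. The embedded tree excerpt is a constructed sample copied from the listing; the function and variable names are the example's own.

```python
import re

# Constructed sample: an excerpt of the `tree` output printed by `config firewall
# address`, copied from the listing above. Paste the full output from your own unit.
TREE_OUTPUT = """\
-- [address] --*name (80)
    |- uuid
    |- subnet
    |- fqdn (256)
    |- country (3)
    |- cache-ttl (0,86400)
    |- comment
    |- color (0,32)
    |- [list] --*ip (36)
        |- obj-id (128)
    +- allow-routing
"""

# Characters FortiOS rejects in text strings because they enable XSS in the GUI.
XSS_CHARS = frozenset('"\'<>')
# VDOM names and hostnames accept only letters, digits, dashes and underscores.
NAME_RE = re.compile(r'^[A-Za-z0-9_-]+$')
# A field name, optionally followed by "(80)" or "(0,86400)", at the end of a line.
FIELD_RE = re.compile(r'([a-z][a-z0-9_-]*)(?:\s*\(([^)]*)\))?\s*$')


def parse_tree(text):
    """Map each field named in `tree` output to its constraint.

    Constraints are ('len', n) for a string limit, ('range', lo, hi) for a
    numeric range, or None when the tree shows no limit for the field.
    """
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        name, spec = m.group(1), m.group(2)
        if spec is None:
            fields[name] = None
        elif ',' in spec:
            lo, hi = (int(x) for x in spec.split(','))
            fields[name] = ('range', lo, hi)
        else:
            fields[name] = ('len', int(spec))
    return fields


def validate_field(fields, name, value):
    """Return the problems with setting `name` to `value`; an empty list means OK."""
    if name not in fields:
        return [f'{name}: unknown field']
    spec = fields[name]
    if spec and spec[0] == 'range':
        lo, hi = spec[1], spec[2]
        if not isinstance(value, int) or not lo <= value <= hi:
            return [f'{name}: {value!r} is outside {lo}-{hi}']
        return []
    problems = []
    text = str(value)
    bad = sorted(XSS_CHARS.intersection(text))
    if bad:
        problems.append(f'{name}: contains forbidden characters {"".join(bad)}')
    if spec and len(text) > spec[1]:
        problems.append(f'{name}: {len(text)} characters exceeds the limit of {spec[1]}')
    return problems


def validate_hostname(hostname):
    """True if the string is acceptable as a hostname or VDOM name."""
    return bool(NAME_RE.match(hostname))


if __name__ == '__main__':
    limits = parse_tree(TREE_OUTPUT)
    for field, value in [('name', 'web-servers'), ('name', '<script>'),
                         ('fqdn', 'x' * 300), ('cache-ttl', 86401)]:
        print(field, validate_field(limits, field, value) or 'ok')
```

Run it against the real tree output of the table you are about to populate; the limits differ between tables, which is why the script parses them instead of hard-coding 80 and 256.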

Numbers

Numbers are used to set sizes, rates, addresses, port numbers, priorities, and other such numeric values. They can be
entered as a series of digits (without commas or spaces), in a dotted decimal format (such as IP addresses), or
separated by colons (such as MAC addresses). Most numeric values use base 10 numbers, while some use
hexadecimal values.
Most GUI and CLI fields prevent invalid numbers from being entered. The CLI help text includes information about the
range of values allowed for applicable settings.

GUI-based global search

The global search option in the GUI allows users to search for keywords appearing in objects and navigation menus to
quickly access the object and configuration page. Click the magnifying glass icon in the top-left corner of the banner to
access the global search.
The global search includes the following features:
l Keep a history of frequent and recent searches
l Sort results alphabetically by increasing or decreasing order, and relevance by search weight
l Search by category
l Search in Security Fabric members (accessed by the Security Fabric members dropdown menu in the banner)

Examples

In this example, searching for the word ZTNA yields the following results:

l Firewall policy object 9, which contains ZTNA in the property value, Name. The name of the policy is ZTNA-TCP.
l ZTNA server object ZTNA-webserver, which contains ZTNA in the property value, Name.
l ZTNA navigation menu item under Policy & Objects > ZTNA.
Since CMDB objects have a higher search weight (50) than navigation objects (20), the navigation menu result appears
at the bottom.

In this example, searching for the address 10.88.0.1 yields the following results:
l Address object EMS that has a subnet of 10.88.0.1/32, which matches the search term.
l Virtual IP object Telemetry-VIP that has a mapped IP range of 10.88.0.1, which matches the search term.
l Address objects all, FIREWALL_AUTH_PORTAL_ADDRESS, and FABRIC_DEVICE that have IP subnets of
0.0.0.0/0, which the searched term falls into.
l Address group object All_Grp that contains members addresses that have IP subnets of 0.0.0.0/0, which the
searched term falls into.
Sorting by Relevance will display address objects that are more closely matched at the top (10.88.0.1), and more loosely
matched at the bottom ( 0.0.0.0).

Using the CLI

The Command Line Interface (CLI) can be used in lieu of the GUI to configure the FortiGate. Some settings are not
available in the GUI, and can only be accessed using the CLI.
This section briefly explains basic CLI usage. For more information about the CLI, see the FortiOS CLI Reference.
l Connecting to the CLI on page 26
l CLI basics on page 29
l Command syntax on page 35
l Subcommands on page 37
l Permissions on page 40

Connecting to the CLI

You can connect to the CLI using a direct console connection, SSH, the FortiExplorer app on your iOS device, or the CLI
console in the GUI.
You can access the CLI outside of the GUI in three ways:
l Console connection: Connect your computer directly to the console port of your FortiGate.
l SSH access: Connect your computer through any network interface attached to one of the network ports on your
FortiGate.
l FortiExplorer: Connect your device to the FortiExplorer app on your iOS device to configure, manage, and monitor
your FortiGate. See FortiExplorer for iOS on page 40 for details.
To open a CLI console, click the >_ icon in the top right corner of the GUI. The console opens on top of the GUI. It can be
minimized and multiple consoles can be opened.
To edit policies and objects directly in the CLI, right-click on the element and select Edit in CLI.

Console connection

A direct console connection to the CLI is created by directly connecting your management computer or console to the
FortiGate using its DB-9 or RJ-45 console port.
Direct console access to the FortiGate may be required if:
l You are installing the FortiGate for the first time and it is not configured to connect to your network.
l You are restoring the firmware using a boot interrupt. Network access to the CLI will not be available until after the
boot process has completed, making direct console access the only option.
To connect to the FortiGate console, you need:
l A console cable to connect the console port on the FortiGate to a communications port on the computer. Depending
on your device, this is one of:
l null modem cable (DB-9 to DB-9)
l DB-9 to RJ-45 cable (a DB-9-to-USB adapter can be used)
l USB to RJ-45 cable
l A computer with an available communications port
l Terminal emulation software

To connect to the CLI using a direct console connection:

1. Using the console cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your
management computer.
2. Start a terminal emulation program on the management computer, select the COM port, and use the following
settings:

Bits per second 9600

Data bits 8

Parity None

Stop bits 1

Flow control None

3. Press Enter on the keyboard to connect to the CLI.
4. Log in to the CLI using your username and password (default: admin and no password).
You can now enter CLI commands, including configuring access to the CLI through SSH.

SSH access

SSH access to the CLI is accomplished by connecting your computer to the FortiGate using one of its network ports. You
can either connect directly, using a peer connection between the two, or through any intermediary network.

If you do not want to use an SSH client and you have access to the GUI, you can access the
CLI through the network using the CLI console in the GUI.

SSH must be enabled on the network interface that is associated with the physical network port that is used.
If your computer is not connected either directly or through a switch to the FortiGate, you must also configure the
FortiGate with a static route to a router that can forward packets from the FortiGate to the computer. This can be done
using a local console connection, or in the GUI.
To connect to the FortiGate CLI using SSH, you need:
l A computer with an available serial communications (COM) port and RJ-45 port
l An appropriate console cable
l Terminal emulation software
l A network cable
l Prior configuration of the operating mode, network interface, and static route.

To enable SSH access to the CLI using a local console connection:

1. Using the network cable, connect the FortiGate unit’s port either directly to your computer’s network port, or to a
network through which your computer can reach the FortiGate.
2. Note the number of the physical network port.
3. Using direct console connection, connect and log into the CLI.

4. Enter the following command:
config system interface
edit <interface_str>
append allowaccess ssh
next
end

Where <interface_str> is the name of the network interface associated with the physical network port, such as
port1.
5. Confirm the configuration using the following command to show the interface’s settings:
show system interface <interface_str>

For example:
show system interface port1
config system interface
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh
set type hard-switch
set stp enable
set role lan
set snmp-index 6
next
end

Connecting using SSH

Once the FortiGate is configured to accept SSH connections, use an SSH client on your management computer to
connect to the CLI.
The following instructions use PuTTY. The steps may vary in other SSH clients.

To connect to the CLI using SSH:

1. On your management computer, start PuTTY.
2. In the Host Name (or IP address) field, enter the IP address of the network interface that you are connected to and
that has SSH access enabled.
3. Set the port number to 22, if it is not set automatically.
4. Select SSH for the Connection type.
5. Click Open. The SSH client connects to the FortiGate.
The SSH client displays a warning if this is the first time that you are connecting to the FortiGate and its SSH host key
is not yet known to the client, or if you previously connected to the FortiGate using a different IP address or the
FortiGate now presents a different host key. A first-connection warning is expected, particularly when the management
computer is connected directly to the FortiGate with no network hosts in between. A changed-key warning for a host you
have connected to before is not expected: accepting an unknown key means any host between you and the FortiGate
could be relaying the session, including the administrator password you are about to type.
6. Compare the fingerprint shown with one you recorded earlier through a trusted path (for example, the first time you
connected over a directly attached cable), then click Yes to accept the FortiGate's SSH key.
The CLI displays the log in prompt.
7. Enter a valid administrator account name, such as admin, then press Enter.
8. Enter the administrator account password, then press Enter.
The CLI console shows the command prompt (FortiGate hostname followed by a #). You can now enter
CLI commands.
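The fingerprint comparison in step 6 is the one check the SSH client cannot make for you. The following Python script is an added example, not part of this guide: it computes the SHA256 fingerprint of a known_hosts or ssh-keyscan line in the SHA256:... form that OpenSSH and PuTTY display, and compares it with a recorded value in constant time. The key line it contains is a constructed sample with a dummy ed25519 public key; the function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack('>I', len(data)) + data


# Constructed sample: a syntactically valid ssh-ed25519 public key blob with a
# dummy 32-byte point, formatted as `ssh-keyscan 192.168.1.99` would print it.
# In practice this line is what you save from the first trusted session.
_SAMPLE_BLOB = _ssh_string(b'ssh-ed25519') + _ssh_string(bytes(range(32)))
SAMPLE_KEYSCAN_LINE = '192.168.1.99 ssh-ed25519 ' + base64.b64encode(_SAMPLE_BLOB).decode()


def fingerprint(keyscan_line):
    """Return the fingerprint of a known_hosts / ssh-keyscan line as
    'SHA256:<base64 without padding>', the form OpenSSH and PuTTY display."""
    host, keytype, b64 = keyscan_line.split()[:3]
    blob = base64.b64decode(b64)
    # The blob carries its own type string; a mismatch with the text column
    # means the line was edited or corrupted, so refuse to trust it.
    (length,) = struct.unpack('>I', blob[:4])
    if blob[4:4 + length] != keytype.encode():
        raise ValueError(f'key type inside blob does not match {keytype} for {host}')
    digest = hashlib.sha256(blob).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')


def host_key_matches(keyscan_line, expected_fingerprint):
    """True only if the presented key has the fingerprint you recorded out of band."""
    return hmac.compare_digest(fingerprint(keyscan_line), expected_fingerprint)


if __name__ == '__main__':
    print(fingerprint(SAMPLE_KEYSCAN_LINE))
```

Record the value once, keep it with the rest of the device inventory, and treat a mismatch on a later connection as an incident to investigate rather than a prompt to click through.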

If three incorrect log in or password attempts occur in a row, you will be disconnected. If this
occurs, wait for one minute, then reconnect and attempt to log in again.

CLI basics

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

Help

Press the question mark (?) key to display command help and complete commands.
l Press the question mark (?) key at the command prompt to display a list of the commands available and a
description of each command.
l Enter a command followed by a space and press the question mark (?) key to display a list of the options available
for that command and a description of each option.
l Enter a command followed by an option and press the question mark (?) key to display a list of additional options
available for that command option combination and a description of each option.
l Enter a question mark after entering a portion of a command to see a list of valid complete commands and their
descriptions. If there is only one valid command, it will be automatically filled in.

Shortcuts and key commands

Shortcut key Action

? List valid complete or subsequent commands. If multiple commands can complete the command, they are listed with
their descriptions.

Tab Complete the word with the next available match. Press multiple times to cycle through available matches.

Up arrow or Ctrl + P Recall the previous command. Command memory is limited to the current session.

Down arrow or Ctrl + N Recall the next command.

Left or Right arrow Move the cursor left or right within the command line.

Ctrl + A Move the cursor to the beginning of the command line.

Ctrl + E Move the cursor to the end of the command line.

Ctrl + B Move the cursor backwards one word.

Ctrl + F Move the cursor forwards one word.

Ctrl + D Delete the current character.

Ctrl + C Abort current interactive commands, such as when entering multiple lines. If you are not currently within an
interactive command such as config or edit, this closes the CLI connection.

\ then Enter Continue typing a command on the next line for a multiline command. For each line that you want to
continue, terminate it with a backslash ( \ ). To complete the command, enter a space instead of a backslash, and then
press Enter.

Command tree

Enter tree to display the CLI command tree. To capture the full output, connect to your device using a terminal
emulation program and capture the output to a log file. For some commands, use the tree command to view all
available variables and subcommands.

Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters.
For example, the command get system status could be abbreviated to g sy stat.

Adding and removing options from lists

When configuring a list, the set command replaces the previous configuration.
For example, if a user group currently includes members A, B, and C, the command set member D will remove
members A, B, and C, leaving only D. To keep the existing members, the command set member A B C D must be used.
To avoid this issue, the following commands are available:

append Add an option to an existing list.
For example, append member D adds user D to the user group without removing any of the existing members.

select Clear all of the options except for those specified.
For example, select member B removes all members from the group except for member B.

unselect Remove an option from an existing list.
For example, unselect member C removes only member C from the group, without affecting the other members.

Environment variables

The following environment variables are supported by the CLI. Variable names are case-sensitive.

$USERFROM The management access type (ssh, jsconsole, and so on) and the IPv4 address of the
administrator that configured the item.

$USERNAME The account name of the administrator that configured the item.

$SerialNum The serial number of the FortiGate.

For example, to set a FortiGate device's host name to its serial number, use the following CLI command:
config system global
set hostname $SerialNum
end

Special characters

The following characters cannot be used in most CLI commands: <, >, (, ), #, ', and "
If one of those characters, or a space, needs to be entered as part of a string, it can be entered by using a special
command, enclosing the entire string in quotes, or preceding it with an escape character (backslash, \).
To enter a question mark (?) or a tab, Ctrl + V or Ctrl + Shift + - must be entered first.

Question marks and tabs cannot be copied into the CLI Console or some SSH clients. They
must be typed in.

Character Keys

? Ctrl + V or Ctrl + Shift + - then ?

Tab Ctrl + V then Tab

Space (as part of a string value, not to end the string) Enclose the string in single or double quotation marks:
"Security Administrator" or 'Security Administrator'. Alternatively, precede the space with a backslash:
Security\ Administrator.

' (as part of a string value, not to begin or end the string) \'

" (as part of a string value, not to begin or end the string) \"

\ \\
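The following Python helper is an added example, not part of this guide: it applies the escaping rules in the table above to produce set lines for a script that is pasted into the CLI console or sent over SSH, and it refuses question marks and tabs because those can only be entered interactively after Ctrl + V. It assumes that the CLI accepts a double-quoted token for every value, including option keywords; the function names and the sample address object are the example's own.

```python
# Characters that must be preceded by a backslash inside a quoted string,
# per the Special characters table: backslash, double quote, single quote.
_ESCAPES = {'\\': '\\\\', '"': '\\"', "'": "\\'"}


def cli_quote(value):
    """Return `value` as a double-quoted FortiOS CLI string.

    Raises ValueError for a question mark or tab: the CLI treats those as the
    help and completion keys, and they can only be entered interactively after
    Ctrl+V, so they cannot be pushed through a script.
    """
    if '?' in value or '\t' in value:
        raise ValueError('? and Tab must be typed interactively after Ctrl+V')
    return '"' + ''.join(_ESCAPES.get(ch, ch) for ch in value) + '"'


def _key_token(key):
    """Integer keys (policy IDs) are written bare; names are quoted."""
    return str(key) if isinstance(key, int) else cli_quote(str(key))


def render_entry(table, key, settings):
    """Render a `config <table>` / `edit <key>` / `set ...` / `next` / `end` block.

    `settings` maps field names to a single value, or to a list of values for
    fields that take several (such as allowaccess). Every value is quoted, so
    spaces and quotes inside comments or names survive the trip to the CLI.
    """
    lines = [f'config {table}', f'    edit {_key_token(key)}']
    for field, value in settings.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        lines.append(f'        set {field} ' + ' '.join(cli_quote(str(v)) for v in values))
    lines += ['    next', 'end']
    return '\n'.join(lines)


if __name__ == '__main__':
    # Constructed sample object whose comment contains a quote and a backslash.
    print(render_entry('firewall address', 'Security Administrator PCs',
                       {'subnet': '10.10.1.0/24',
                        'comment': 'Owner: "NetSec"; tools in C:\\tools'}))
```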

Using grep to filter command output

The get, show, and diagnose commands can produce large amounts of output. The grep command can be used to
filter the output so that it only shows the required information.
The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.
For example, the following command displays the MAC address of the internal interface:

get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75

The following command will display all TCP sessions that are in the session list, including the session list line number in
the output:
get system session list | grep -n tcp

The following command will display all of the lines in the HTTP replacement message that contain URL or url:
show system replacemsg http | grep -i url

The following options can also be used:

-A <num> Show <num> lines of output after each match
-B <num> Show <num> lines of output before each match
-C <num> Show <num> lines of context on both sides of each match

The -f option is available to support contextual output, in order to show the complete configuration. The following
example shows the difference in the output when -f is used versus when it is not used:

Without -f:
show | grep ldap-group1
edit "ldap-group1"
set groups "ldap-group1"

With -f:
show | grep -f ldap-group1
config user group
edit "ldap-group1"
set member "pc40-LDAP"
next
end
config firewall policy
edit 2
set srcintf "port31"
set dstintf "port32"
set srcaddr "all"
set action accept
set identity-based enable
set nat enable
config identity-based-policy
edit 1
set schedule "always"
set groups "ldap-group1"
set dstaddr "all"
set service "ALL"
next
end
next
end
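The following Python script is an added example, not part of this guide: it reproduces the -n, -i, -A/-B and -f behaviour described above over a constructed sample of show output, so that the difference is visible in code: plain grep returns matching lines, while -f returns the whole config table and edit entry around each match, nested blocks included, which is how you find every policy that still references an object before deleting it. The sample configuration and the function names are the example's own.

```python
import re

# Constructed sample of `show` output, modelled on the ldap-group1 example above.
SAMPLE_CONFIG = """\
config user group
    edit "ldap-group1"
        set member "pc40-LDAP"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 2
        set srcintf "port31"
        set dstintf "port32"
        set srcaddr "all"
        set groups "ldap-group1"
        set action accept
        config identity-based-policy
            edit 1
                set schedule "always"
            next
        end
    next
end
"""


def grep(text, pattern, ignore_case=False, line_numbers=False, before=0, after=0):
    """Plain `| grep` with -i, -n, -B and -A: matching lines plus context lines."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    lines = text.splitlines()
    keep = set()
    for i, line in enumerate(lines):
        if rx.search(line):
            keep.update(range(max(0, i - before), min(len(lines), i + after + 1)))
    return [f'{i + 1}:{lines[i]}' if line_numbers else lines[i] for i in sorted(keep)]


def _indent(line):
    return len(line) - len(line.lstrip(' '))


def _split_blocks(lines, opener, closer):
    """Group lines into blocks that start with `opener` and end with `closer`
    at the same indentation, so nested config/edit blocks stay inside their parent."""
    blocks, current, depth = [], None, None
    for line in lines:
        stripped = line.strip()
        if current is None:
            if stripped.startswith(opener + ' '):
                current, depth = [line], _indent(line)
            continue
        current.append(line)
        if stripped == closer and _indent(line) == depth:
            blocks.append(current)
            current = None
    return blocks


def grep_f(text, pattern, ignore_case=False):
    """Emulate `show | grep -f`: return every table entry that contains a match,
    whole, wrapped in its `config ... end` table header and footer."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    out = []
    for table in _split_blocks(text.splitlines(), 'config', 'end'):
        header, footer = table[0], table[-1]
        entries = _split_blocks(table[1:-1], 'edit', 'next')
        hits = [entry for entry in entries if any(rx.search(line) for line in entry)]
        if hits:
            out.append(header)
            for entry in hits:
                out.extend(entry)
            out.append(footer)
    return out


if __name__ == '__main__':
    print('\n'.join(grep(SAMPLE_CONFIG, 'ldap-group1', line_numbers=True)))
    print('---')
    print('\n'.join(grep_f(SAMPLE_CONFIG, 'ldap-group1')))
```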

Language support and regular expressions

Characters such as ñ and é, symbols, and ideographs are sometimes acceptable input. Support varies depending on the
type of item that is being configured. CLI commands, objects, field names, and options must use their exact ASCII
characters, but some items with arbitrary names or values can be input using your language of choice. To use other
languages in those cases, the correct encoding must be used.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings into UTF-8 before it is stored.
If your input method encodes some characters differently than in UTF-8, configured items may not display or operate as
expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using a different encoding, or if an HTTP client sends a request in a different encoding, matches may not be
what is expected.
For example, with Shift-JIS, backslashes could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ), and
vice versa. A regular expression intended to match HTTP requests containing monetary values with a yen symbol may
not work if the symbol is entered using the wrong encoding.
For best results:
l use UTF-8 encoding, or
l use only characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters
that are encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS, and other encoding
methods, or
l for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.

HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary
based on the client’s operating system or input language. If the client's encoding method
cannot be predicted, you might only be able to match the parts of the request that are in
English, as the values for English characters tend to be encoded identically, regardless of the
encoding method.

If the FortiGate is configured to use an encoding method other than UTF-8, the management computer's language may
need to be changed, including the web browser and terminal emulator. If the FortiGate is configured using non-ASCII
characters, all the systems that interact with the FortiGate must also support the same encoding method. If possible, the
same encoding method should be used throughout the configuration to avoid needing to change the language settings
on the management computer.
The GUI and CLI client normally interpret output as encoded using UTF-8. If they do not, configured items may not
display correctly. Exceptions include items such as regular expressions that may be configured using other encodings to
match the encoding of HTTP requests that the FortiGate receives.

To enter non-ASCII characters in a terminal emulator:

1. On the management computer, start the terminal client.
2. Configure the client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by terminal client.
3. Log in to the FortiGate.
4. At the command prompt, type your command and press Enter.
Words that use encoded characters may need to be enclosed in single quotes ( ' ).
Depending on your terminal client’s language support, you may need to interpret the characters into character
codes before pressing Enter. For example, you might need to enter: edit '\743\601\613\743\601\652'
5. The CLI displays the command and its output.

Screen paging

By default, the CLI will pause after displaying each page worth of text when a command has multiple pages of output.
This can be useful when viewing lengthy output that might exceed the scrollback buffer of the terminal emulator.
When the display pauses and shows --More--, you can:
l Press Enter to show the next line,
l Press Q to stop showing results and return to the command prompt,
l Press an arrow key, Insert, Home, Delete, End, Page Up, or Page Down to show the next few pages,
l Press any other key to show the next page, or
l Wait for about 30 seconds for the console to truncate the output and return to the command prompt.
When screen paging is disabled, press Ctrl + C to stop the output and log out of the FortiGate.

To disable pausing the CLI output:

config system console
set output standard
end

To enable pausing the CLI output:

config system console
set output more
end

Changing the baud rate

The baud rate of the local console connection can be changed from its default value of 9600.

To change the baud rate:

config system console
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
end

Editing the configuration file

The FortiGate configuration file can be edited on an external host by backing up the configuration, editing the
configuration file, and then restoring the configuration to the FortiGate.
Editing the configuration file can save time if many changes need to be made, particularly if the plain text editor that you
are using provides features such as batch changes.

To edit the configuration file:

1. Back up the configuration. See Configuration backups on page 56 for details.
2. Open the configuration file in a plain text editor that supports UNIX-style line endings.

3. Edit the file as needed.

Do not edit the first line of the configuration file.
This line contains information about the firmware version and FortiGate model. If you
change the model number, the FortiGate will reject the configuration when you attempt to
restore it.

4. Restore the modified configuration to the FortiGate. See Configuration backups on page 56 for details.
The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the
configuration file is loaded and each line is checked for errors. If a command is invalid, that command is ignored. If
the configuration file is valid, the FortiGate restarts and loads the downloaded configuration.
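Because an invalid command is silently ignored during the restore, it is worth checking an edited file before uploading it. The following Python function is an added example, not part of this guide: it confirms that the first line is unchanged, that the file uses UNIX line endings, and that every config/end and edit/next pair is still balanced, which is the damage a batch search-and-replace most often does. The sample backup embedded in it is constructed for the example, and its firmware build and model values are illustrative only.

```python
# Constructed sample backup. The first line stands in for the real header, which
# names the firmware version and model; the build and model values are illustrative.
ORIGINAL = """\
#config-version=FGT60F-7.0.1-FW-build0157-210714:opmode=0:vdom=0:user=admin
config system global
    set hostname "FGT-edge"
end
config firewall address
    edit "web-servers"
        set subnet 10.10.1.0 255.255.255.0
    next
end
"""


def check_edited_config(original, edited):
    """Return the problems that would make the FortiGate reject or misload `edited`."""
    problems = []
    if '\r' in edited:
        problems.append('Windows (CRLF) line endings found; save with UNIX line endings')
    if original.split('\n', 1)[0] != edited.split('\n', 1)[0]:
        problems.append('first line (firmware version and model) was modified')
    # Every `config` must be closed by `end` and every `edit` by `next`, in
    # nesting order; an unbalanced block makes every later line parse wrongly.
    stack = []
    for number, line in enumerate(edited.splitlines(), 1):
        token = line.strip()
        if token.startswith('config '):
            stack.append(('config', number))
        elif token.startswith('edit '):
            stack.append(('edit', number))
        elif token in ('next', 'end'):
            expected = 'edit' if token == 'next' else 'config'
            if not stack or stack[-1][0] != expected:
                problems.append(f'line {number}: {token} does not close a {expected} block')
            else:
                stack.pop()
    for kind, number in stack:
        problems.append(f'line {number}: {kind} block is never closed')
    return problems


if __name__ == '__main__':
    # Simulate a batch edit that dropped a `next` line.
    damaged = ORIGINAL.replace('    next\n', '', 1)
    for problem in check_edited_config(ORIGINAL, damaged):
        print(problem)
```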

Command syntax

When entering a command, the CLI console requires that you use valid syntax and conform to expected input
constraints. It rejects invalid commands. Indentation is used to indicate the levels of nested commands.
Each command line consists of a command word, usually followed by configuration data or a specific item that the
command uses or affects.

Notation

Brackets, vertical bars, and spaces are used to denote valid syntax. Constraint notations, such as <address_ipv4>,
indicate which data types or string patterns are acceptable value input.
All syntax uses the following conventions:

Angle brackets < > Indicate a variable of the specified data type.

Curly brackets { } Indicate that a variable or variables are mandatory.

Square brackets [ ] Indicate that the variable or variables are optional.
For example:
show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system interface
To show the settings for the Port1 interface, you can enter show system interface
port1.

Vertical bar | A vertical bar separates alternative, mutually exclusive options.
For example:
set protocol {ftp | sftp}
You can enter either set protocol ftp or set protocol sftp.

Space A space separates non-mutually exclusive options.
For example:
set allowaccess {ping https ssh snmp http fgfm radius-acct probe-response capwap ftm}
You can enter any of the following:
set allowaccess ping
set allowaccess https ping ssh
set allowaccess http https snmp ssh ping


In most cases, to make changes to lists that contain options separated by spaces, you need to
retype the entire list, including all the options that you want to apply and excluding all the
options that you want to remove.

Optional values and ranges

Any field that is optional will use square brackets. The overall config command will still be valid whether or not the option
is configured.
Square brackets can also be used to show that multiple options can be set, even intermixed with ranges. The following
example shows a field that can be set to either a specific value or range, or multiple instances:
config firewall service custom
set iprange <range1> [<range2> <range3> ...]
end

next

The next command is used to maintain a hierarchy and flow to CLI commands. It is at the same indentation level as the
preceding edit command, to mark where a table entry finishes.
The following example shows the next command used in the subcommand entries:

After configuring table entry <2> then entering next, the <2> table entry is saved and the console returns to the
entries prompt:

You can now create more table entries as needed, or enter end to save the table and return to the filepattern table
element prompt.

end

The end command is used to maintain a hierarchy and flow to CLI commands.

The following example shows the same command and subcommand as the next command example, except end has
been entered instead of next after the subcommand:

Entering end will save the <2> table entry and the table, and exit the entries subcommand entirely. The console
returns to the filepattern table element prompt:

Subcommands

Subcommands are available from within the scope of some commands. When you enter a subcommand level, the
command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin

the command prompt becomes:
(admin)#

Applicable subcommands are available until you exit the command, or descend an additional level into another
subcommand. Subcommand scope is indicated by indentation.
For example, the edit subcommand is only available in commands that affect tables, and the next subcommand is
available only in the edit subcommand:
config system interface
    edit port1
        set status up
    next
end

The available subcommands vary by command. From a command prompt under the config command, subcommands
that affect tables and fields may be available.

Table subcommands

edit <table_row>
    Create or edit a table value.
    In objects such as security policies, <table_row> is a sequence number. To create a new table entry without
    accidentally editing an existing entry, enter edit 0. The CLI confirms the creation of entry 0, but assigns the next
    unused number when the entry is saved after entering end or next.
    For example, to create a new firewall policy, enter the following commands:
        config firewall policy
            edit 0
                ....
            next
        end
    To edit an existing policy, enter the following commands:
        config firewall policy
            edit 27
                ....
            next
        end
    The edit subcommand changes the command prompt to the name of the table value that is being edited.

delete <table_row>
    Delete a table value.
    For example, to delete firewall policy 30, enter the following commands:
        config firewall policy
            delete 30
        end

purge
    Clear all table values.
    The purge command cannot be undone. To restore purged table values, the configuration must be restored from a
    backup.

move <table_row> {before | after} <table_row>
    Move an ordered table value.
    In the firewall policy table, this is equivalent to dragging a policy into a new position. It does not change the
    policy's ID number.
    For example, to move policy 27 so that it is evaluated immediately before policy 30, enter the following commands:
        config firewall policy
            move 27 before 30
        end
    Use after instead of before to place the entry immediately after the target. The move subcommand is only available
    in tables where the order of the table entries matters.

clone <table_row> to <table_row>
    Make a clone of a table entry.
    For example, to create firewall policy 30 as a clone of policy 27, enter the following commands:
        config firewall policy
            clone 27 to 30
        end
    The clone subcommand may not be available for all tables.

rename <table_row> to <table_row>
    Rename a table entry.
    For example, to rename an administrator from Flank to Frank, enter the following commands:
        config system admin
            rename Flank to Frank
        end
    The rename subcommand is only available in tables where the entries can be renamed.

get
    List the current table entries.
    For example, to view the existing firewall policy table entries, enter the following commands:
        config firewall policy
            get

show
    Show the configuration. Only table entries that are not set to default values are shown.

end
    Save the configuration and exit the current config command.

Purging the system interface or system admin tables does not reset default table values. This can result in being
unable to connect to or log in to the FortiGate, requiring the FortiGate to be formatted and restored.

Field subcommands

set <field> <value>
    Modify the value of a field.
    For example, the command set fsso enable sets the fsso field to the value enable.

unset
    Set the field to its default value.

select
    Clear all of the options except for those specified.
    For example, if a group contains members A, B, C, and D, to remove all members except for B, use the command
    select member B.

unselect
    Remove an option from an existing list.
    For example, if a group contains members A, B, C, and D, to remove only member B, use the command
    unselect member B.

append
    Add an option to an existing multi-option table value.

clear
    Clear all the options from a multi-option table value.

get
    List the configuration of the current table entry, including default and customized values.

show
    Show the configuration. Only values that are not set to default values are shown.

next
    Save changes to the table entry and exit the edit command so that you can configure the next table entry.

abort
    Exit the command without saving.

end
    Save the configuration and exit the current config command.
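The scoping rules in the tables above (config opens a table, edit opens a row in it, next saves the row, and end saves the open row together with the table) are also the grammar of a plaintext FortiOS configuration file, so the text can be parsed mechanically. The following Python is an added example, not code from this guide or from Fortinet: it parses configuration text in that syntax into nested dicts, shows that end inside an edit block saves both the row and the table, and then audits the result for interfaces whose allowaccess includes cleartext management protocols (http, telnet) and for admin-scp being disabled. The sample configuration, the interface and policy names in it, and the choice of checks are assumptions made for the example; the same parser can be run over a plaintext .conf backup.

```python
"""Parse FortiOS CLI configuration text and audit the result.

Added example for this guide, not Fortinet code.  It implements the
config / edit / set / unset / next / end scoping described in the
subcommand tables.  The sample configuration and the checks are constructed.
"""
from __future__ import annotations

import shlex
from typing import Any

# Constructed sample.  port3 deliberately allows cleartext administrative
# access so that the audit below has something to report.
SAMPLE_CONFIG = """
config system global
    set hostname "200F_YVR"
    set admin-scp enable
end
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port3"
        set ip 203.0.113.1 255.255.255.0
        set allowaccess ping http telnet https
    next
end
config firewall policy
    edit 1
        set name "Internet access"
        set action accept
    next
end
"""

# Administrative access protocols that carry credentials in cleartext.
INSECURE_ADMIN_ACCESS = {"http", "telnet"}


def parse_fortios_config(text: str) -> dict[str, Any]:
    """Return table name -> row key -> field -> value tokens.

    Tables without rows (system global) map field -> tokens directly.
    Values stay token lists because fields such as allowaccess carry
    several values.
    """
    root: dict[str, Any] = {}
    # Stack of (scope dict, kind); kind is "root", "table" or "row".
    stack: list[tuple[dict[str, Any], str]] = [(root, "root")]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours quoted names such as "port1"
        cmd, args = tokens[0], tokens[1:]
        scope, kind = stack[-1]
        if cmd == "config":
            stack.append((scope.setdefault(" ".join(args), {}), "table"))
        elif cmd == "edit":
            if kind != "table":
                raise ValueError(f"'edit' outside a config block: {line}")
            stack.append((scope.setdefault(args[0], {}), "row"))
        elif cmd == "set":
            scope[args[0]] = args[1:]
        elif cmd == "unset":
            scope.pop(args[0], None)  # unset restores the (unrecorded) default
        elif cmd == "next":
            if kind != "row":
                raise ValueError(f"'next' outside an edit block: {line}")
            stack.pop()
        elif cmd == "end":
            while stack[-1][1] == "row":  # end inside edit saves the row too
                stack.pop()
            if stack[-1][1] != "table":
                raise ValueError(f"'end' outside a config block: {line}")
            stack.pop()
        else:
            raise ValueError(f"unsupported command: {line}")
    if len(stack) != 1:
        raise ValueError("text ends inside an open config/edit block")
    return root


def audit(config: dict[str, Any]) -> list[str]:
    """Flag cleartext administrative access on any interface, and admin-scp
    left disabled (which blocks scp-based configuration backups)."""
    findings: list[str] = []
    for name, iface in config.get("system interface", {}).items():
        weak = INSECURE_ADMIN_ACCESS & set(iface.get("allowaccess", []))
        if weak:
            findings.append(f"interface {name}: cleartext admin access {sorted(weak)}")
    if config.get("system global", {}).get("admin-scp") != ["enable"]:
        findings.append("system global: admin-scp is not enabled")
    return findings


if __name__ == "__main__":
    print(audit(parse_fortios_config(SAMPLE_CONFIG)))
```

Values are kept as token lists rather than joined strings so that multi-option fields (allowaccess, member lists) can be compared as sets, which is what the select/unselect/append semantics above operate on.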

Permissions

Administrator (or access) profiles control what CLI commands an administrator can access by assigning read, write, or
no access to each area of FortiOS. For information, see Administrator profiles on page 1532.
Read access is required to view configurations. Write access is required to make configuration changes. Depending on
your account's profile, you may not have access to all CLI commands. To have access to all CLI commands, an
administrator account with the super_admin profile must be used, such as the admin account.
Accounts assigned the super_admin profile are similar to the root administrator account. They have full permission to
view and change all FortiGate configuration options, including viewing and changing other administrator accounts.
To increase account security, set strong passwords for all administrator accounts, and change the passwords regularly.

FortiExplorer for iOS

FortiExplorer for iOS is a user-friendly application that helps you to rapidly provision, deploy, and monitor Security Fabric
components from your iOS device.

FortiExplorer for iOS requires iOS 10.0 or later and is compatible with iPhone, iPad, and Apple TV. It is supported by
FortiOS 5.6 and later, and is only available on the App Store for iOS devices.
Advanced features are available with the purchase of FortiExplorer Pro. Paid features include the ability to add more
than two devices, and firmware upgrades for devices with active licenses.
Up to six members can use this app with 'Family Sharing' enabled in the App Store.

Firmware upload requires a valid firmware license. Users can download firmware for models
with a valid support contract.

Getting started with FortiExplorer

If your FortiGate is accessible on a wireless network, you can connect to it using FortiExplorer provided that your
iOS device is on the same network (see Connecting FortiExplorer to a FortiGate via WiFi). Otherwise, you will need to
physically connect your iOS device to the FortiGate using a USB cable.

To connect and configure a FortiGate with FortiExplorer using a USB connection:

1. Connect your iOS device to your FortiGate USB A port. If prompted on your iOS device, tap Trust this computer.
2. Open FortiExplorer and select your FortiGate from the FortiGate Devices list. A blue USB icon indicates that you
are connected over a USB connection.
3. On the Login screen, select USB.
4. Enter the default Username (admin) and leave the Password field blank.
5. Optionally, select Remember Password.
6. Tap Done when you are ready.
FortiExplorer opens the FortiGate management interface to the Device Status page.
7. Go to Network > Interfaces and configure the WAN interface or interfaces.
8. The wan1 interface Address mode is set to DHCP by default. Set it to Manual and enter its Address, Netmask, and
Default Gateway, and then Apply your changes.

9. Optionally, configure Administrative Access to allow HTTPS access. This allows administrators to access the
FortiGate GUI using a web browser. On an Internet-facing interface this also exposes the management login to the
Internet, so enable it only if you need it and restrict which hosts may reach it (for example, with trusted hosts on the
administrator accounts).

10. Go to Network > Interfaces and configure the local network (internal) interface.
11. Set the Address mode as before and configure Administrative Access if required.
12. Configure a DHCP Server for the internal network subnet.

13. Return to the internal interface using the < button at the top of the screen.

14. Go to Network > Static Routes and configure the static route to the gateway.

15. Go to Policy & Objects > Firewall Policy and edit the Internet access policy. Enter a Name for the policy, enable the
required Security Profiles, configure Logging Options, then tap OK.

Connecting FortiExplorer to a FortiGate via WiFi

You can wirelessly connect to the FortiGate if your iOS device and the FortiGate are both connected to the same
wireless network.

To connect and configure a FortiGate with FortiExplorer wirelessly:

1. Open the FortiExplorer app and tap Add on the Devices page.
2. On the Add Device By page, tap HTTPS.
3. Enter the Host information, Username, and Password.
4. If required, change the default Port number, and optionally enable Remember Password.
5. Tap Done.
6. If the FortiGate device identity cannot be verified, tap Connect at the prompt. This warning means that the
FortiGate's HTTPS certificate could not be validated (for example, because it is still using its factory self-signed
certificate); only continue on a network you trust, because the credentials you enter are sent to whichever device
answers at that address.
FortiExplorer opens the FortiGate management interface to the Device Status page.

Running a security rating

After configuring your network, run a security rating check to identify vulnerabilities and highlight best practices that
could improve your network's security and performance.

Go to Security Fabric > Security Rating and follow the steps to determine the score. See Security rating on page 1834 for
more information.

Upgrading to FortiExplorer Pro

FortiExplorer Pro allows you to add unlimited devices, and download firmware images for devices with active licenses.

To upgrade to FortiExplorer Pro:

1. In FortiExplorer, go to Settings.
2. Tap Manage Subscription.
3. Follow the on-screen prompts.

Basic administration

This section contains information about basic FortiGate administration that you can do after installing the unit in your
network.
- Basic configuration on page 46
- Registration on page 48
- FortiCare and FortiGate Cloud login on page 50
- Transferring a FortiCloud account title on page 53
- Configuration backups on page 56
Basic configuration

This topic will help you configure a few basic settings on the FortiGate as described in the Using the GUI on page 19 and
Using the CLI on page 26 sections, including:
- Configuring an interface to be part of your existing network for further configuration
- Configuring the hostname
- Configuring the default route
- Ensuring internet/FortiGuard connectivity

Configuring an interface

The default interface configuration is unlikely to suit your environment, and using it typically requires extra effort from
the administrator, such as being physically near the FortiGate to establish a serial connection. Therefore, the first step
is to configure an interface that can be used to complete the rest of the FortiGate configuration.

To configure an interface in the GUI:

1. Go to Network > Interfaces. Select an interface and click Edit.
2. Enter an Alias.
3. In the Address section, enter the IP/Netmask.
4. In the Administrative Access section, select the access options as needed (such as PING, HTTPS, and SSH).
5. Optionally, enable DHCP Server and configure as needed.
6. Click OK.

To configure an interface in the CLI:

config system interface
    edit "port2"
        set ip 203.0.113.99 255.255.255.0
        set allowaccess ping https ssh
        set alias "Management"
    next
end

Configuring the hostname

Setting the FortiGate’s hostname assists with identifying the device, and it is especially useful when managing multiple
FortiGates. Choose a meaningful hostname as it is used in the CLI console, SNMP system name, device name for
FortiGate Cloud, and to identify a member of an HA cluster.

To configure the hostname in the GUI:

1. Go to System > Settings.
2. Enter a name in the Host name field.
3. Click Apply.

To configure the hostname in the CLI:

config system global
    set hostname 200F_YVR
end

Configuring the default route

Setting the default route enables basic routing to allow the FortiGate to return traffic to sources that are not directly
connected. The gateway address should be your existing router or L3 switch that the FortiGate is connected to. If you are
directly connecting to the FortiGate, you may choose your endpoint’s IP address as the gateway address. Set the
interface to be the interface the gateway is connected to.

To configure the default route in the GUI:

1. Go to Network > Static Routes and click Create New.
2. Leave the destination subnet as 0.0.0.0/0.0.0.0. This is known as a default route, since it would match any IPv4
address.
3. Enter the Gateway Address.
4. Select an Interface.
5. Click OK.

To configure the default route in the CLI:

config router static
    edit 0
        set gateway 192.168.1.254
        set device port1
    next
end

Ensuring internet and FortiGuard connectivity

This step is not necessary for the configuration; however, it is necessary in order to keep your FortiGate up to date
against the latest threats. Updates are provided to FortiGates that are registered and make a request to the FortiGuard
network to verify if there are any more recent definitions.
Use execute ping <domain.tld> to ensure that DNS resolution is able to resolve the following FortiGuard servers:
- fds1.fortinet.com
- service.fortiguard.net
- update.fortiguard.net
You also need to ensure the necessary ports are permitted outbound in the event your FortiGate is behind a filtering
device. Refer to the Ports and Protocols document for more information.

Registration

The FortiGate, and then its service contract, must be registered to have full access to Fortinet Customer Service and
Support, and FortiGuard services. The FortiGate can be registered in either the FortiGate GUI or the FortiCloud support
portal. The service contract can be registered from the FortiCloud support portal.

The service contract number is needed to complete registrations on the FortiCloud support
portal. You can find this 12-digit number in the email that contains your service registration
document (sent from [email protected]) in the service entitlement summary.

To register your FortiGate in the GUI:

1. Connect to the FortiGate GUI. A dialog box appears, which indicates the steps you should take to complete the
setup of your FortiGate. These steps include:
a. Specify Hostname
b. Change Your Password
c. Dashboard Setup
d. Upgrade Firmware
If you completed the Basic configuration on page 46, the hostname and password steps are already marked as
complete (checkmark). If you chose to deploy the latest firmware, the Upgrade Firmware step is marked as
complete.
2. Click Begin to complete the dashboard setup. Two options appear (Optimal and Comprehensive).

3. Select the desired setting and click OK. The Dashboard > Status page opens. Note that the licenses are grayed out
because the device or virtual machine is not registered.
4. Go to System > FortiGuard and click Enter Registration Code.

5. Enter the contract registration code from your service registration document.
6. Click OK.

To register the FortiGate on the FortiCloud support portal:

1. Go to support.fortinet.com and log in using your FortiCloud account credentials. If you do not have an account, click
Register to create one.
2. In the left-side menu, click Register Product.
3. Enter the product serial number or license certificate number for a VM, select an end user type, then click Next.
4. Enter the Support Contract number and FortiCloud Key (optionally, enter a product description), then click Next.
5. Review the product entitlement information, select the checkbox to accept the terms, then click Confirm.
6. Go to Products > Product List. The FortiGate is now visible in the product list.

FortiCare and FortiGate Cloud login

With FortiCloud, FortiGate supports a unified login to FortiCare and FortiGate Cloud. The FortiGate Cloud setup is a
subset of the FortiCare setup.
- If the FortiGate is not registered, activating FortiGate Cloud will force you to register with FortiCare.
- If a FortiGate is registered in FortiCare using a FortiCloud account, then only that FortiCloud account can be used to
activate FortiGate Cloud.
- If a different FortiCloud account was already used to activate FortiGate Cloud, then a notification asking you to
migrate to FortiCloud is shown in the GUI after upgrading FortiOS.
The CLI can be used to activate FortiGate Cloud without registration, or with a different FortiCloud account.

To activate FortiGate Cloud and register with FortiCare at the same time:

1. Go to Dashboard > Status.
2. In the FortiGate Cloud widget, click Not Activated > Activate.
You must register with FortiCare before activating FortiGate Cloud.
3. Enter your FortiCare Email address and Password.
4. Select your Country/Region and Reseller.
5. Enable Sign in to FortiGate Cloud using the same account.
6. Click OK.

To activate FortiGate Cloud on an already registered FortiGate:

1. Go to Dashboard > Status.
2. In the FortiGate Cloud widget, click Not Activated > Activate.
3. Enter the password for the account that was used to register the FortiGate.
4. Click OK.
The FortiGate Cloud widget now shows the FortiCloud account.

To migrate from the activated FortiGate Cloud account to the registered FortiCloud account:

1. Go to Dashboard > Status.
2. In the FortiGate Cloud widget, click Migrate to FortiCloud.
3. Enter the password for the account that was used to register the FortiGate, then click OK.
The FortiGate Cloud widget now shows the FortiCloud account.

To activate FortiGate Cloud using an account that is not used for registration:

1. In the CLI, enter the following command:
execute fortiguard-log login <account_id> <password>
Where <account_id> and <password> are the credentials for the account that you are using to activate
FortiGate Cloud.
2. Check the account type with the following command:
# diagnose fdsm contract-controller-update
Protocol=2.0|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:172.16.95.151:443*AlterServer:172.16.95.151:443*Contract:20200408*NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:737941253*AccountType:multitenancy

Result=Success

A FortiCloud account that is not used for the support portal account cannot be used to register
FortiGate. Attempting to activate FortiGate Cloud with this type of account will fail.
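The output of diagnose fdsm contract-controller-update shown above is one line of pipe-separated key=value fields, with ResponseItem holding star-separated name:value pairs, some of whose values (HomeServer, AlterServer) themselves contain colons. The following Python is an added example, not from this guide or from Fortinet: it parses a captured response into a dict so that a script can read AccountType (or any other field) instead of eyeballing the line. The sample is the response printed above, re-joined onto one line; the split rules are inferred from that sample and are assumptions, as is the idea that the format holds for other responses.

```python
"""Parse the response printed by `diagnose fdsm contract-controller-update`.

Added example, not from this guide or from Fortinet.  The format (pipe
separated key=value fields, with ResponseItem holding star separated
name:value pairs) is inferred from the sample output in the guide; that it
holds for other responses is an assumption.
"""
from __future__ import annotations

# The response shown in the guide, re-joined onto one line as the CLI prints it.
SAMPLE_RESPONSE = (
    "Protocol=2.0|Response=202|Firmware=FAZ-4K-FW-2.50-100|"
    "SerialNumber=FAMS000000000000|Persistent=false|"
    "ResponseItem=HomeServer:172.16.95.151:443*AlterServer:172.16.95.151:443"
    "*Contract:20200408*NextRequest:86400*UploadConfig:False"
    "*ManagementMode:Local*ManagementID:737941253*AccountType:multitenancy\n"
    "\n"
    "Result=Success\n"
)


def parse_fdsm_response(text: str) -> dict[str, object]:
    """Return the response as a dict; ResponseItem becomes a nested dict.

    Values such as 172.16.95.151:443 contain a colon, so each ResponseItem
    pair is split on its first colon only.  Malformed fields raise rather
    than being silently dropped, so a script never acts on a partial parse.
    """
    parsed: dict[str, object] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for field in line.split("|"):
            key, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"field without '=': {field!r}")
            if key == "ResponseItem":
                items: dict[str, str] = {}
                for pair in value.split("*"):
                    name, sep2, val = pair.partition(":")  # first colon only
                    if not sep2:
                        raise ValueError(f"ResponseItem pair without ':': {pair!r}")
                    items[name] = val
                parsed[key] = items
            else:
                parsed[key] = value
    return parsed


def account_type(text: str) -> str | None:
    """The field the procedure asks you to check, or None if it is absent."""
    items = parse_fdsm_response(text).get("ResponseItem")
    return items.get("AccountType") if isinstance(items, dict) else None
```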

Transferring a FortiCloud account title

Master account users can transfer a FortiCloud and FortiCare account from one device to another. Users can transfer up
to three accounts within a twelve-month time period.

Requirements

To transfer an account, you must:
- Have access to the FortiGate, as well as both the FortiCloud and FortiCare accounts.
- Be a master account user.
To verify that you are the master account user, go to support.fortinet.com. Click the User icon, and then click Account
Profile.

You can transfer up to three accounts in a twelve-month time period. If more transfers are
required within the twelve-month time period, contact Technical Support to request the
transfer.

To transfer an account in the GUI:

1. Go to Dashboard > Status. In the Status dashboard, hover over the FortiCare Support link, and click Transfer
FortiGate to Another Account.

You can also transfer an account from System > FortiGuard.

2. In the Current FortiCloud Account fields, enter the username and password for the current account. In the Target
FortiCloud Account fields, enter the new username and password. Click Next.

FortiGate transfers the account.

After the transfer is complete, FortiGate displays the new FortiCloud account.

Configuration backups

Once you have successfully configured the FortiGate, it is extremely important that you back up the configuration. In
some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which
erases the existing configuration. In these instances, the configuration on the device has to be recreated unless a backup
can be used to restore it. You should also back up the local certificates, because the unique SSL inspection CA and server
certificates that your FortiGate generates by default are not saved in a system backup.
We also recommend that you back up the configuration after any changes are made, to ensure you have the most current
configuration available. Also, back up the configuration before any upgrade of the FortiGate’s firmware. Should anything
happen to the configuration during the upgrade, you can easily restore the saved configuration.
Always back up the configuration and store it on the management computer or off-site. You can save the configuration
file to various locations, including the local PC, a USB key, or an FTP, TFTP, or SFTP server. FTP, TFTP, and SFTP are
only configurable through the CLI. A configuration backup contains encoded administrator credentials, pre-shared keys,
and other secrets, so treat the file as sensitive: encrypt it with a backup password, and prefer SFTP or SCP over FTP and
TFTP, which transfer the file in cleartext.
If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you
are using FortiManager or FortiGate Cloud, full backups are performed and the option to back up individual VDOMs does
not appear.

You can also back up and restore your configuration using Secure File Copy (SCP). See How to download/upload a
FortiGate configuration file using secure file copy (SCP).
You enable SCP support using the following command:
config system global
    set admin-scp enable
end
For more information about this command and about SCP support, see config system global.

Backing up the configuration

To backup the configuration using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PC or to a USB Disk.
The USB Disk option will not be available if no USB drive is inserted in the USB port. You can also backup to the
FortiManager using the CLI.
3. If VDOMs are enabled, indicate whether the scope of the backup is the entire FortiGate configuration (Global) or
only a specific VDOM configuration (VDOM).
If backing up a VDOM configuration, select the VDOM name from the list.
4. Enable Encryption. Encryption must be enabled on the backup file to back up VPN certificates.
5. Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
6. Click OK.
7. When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will
have a .conf extension.

To backup the configuration using the CLI:

Use one of the following commands:

execute backup config management-station <comment>

or:
execute backup config usb <backup_filename> [<backup_password>]

or for FTP (the port number, user name, and password are optional, depending on the FTP server):
execute backup config ftp <backup_filename> <ftp_server>[<:ftp_port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:
execute backup config tftp <backup_filename> <tftp_server> [<backup_password>]

or for SFTP:
execute backup config sftp <backup_filename> <sftp_server>[<:sftp_port>] <user> <password> [<backup_password>]

Whichever transport you use, supply <backup_password> so that the file itself is encrypted; with FTP and TFTP the
transfer is otherwise readable by anyone on the network path.

To back up a single VDOM configuration, first enter the VDOM, then use the same commands:
config vdom
    edit <vdom_name>

The configuration can be backed up to IPv4 and IPv6 FTP, TFTP, and SFTP servers.
The configuration can be restored from IPv4 and IPv6 FTP and TFTP servers.

Restoring a configuration

To restore the FortiGate configuration using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.
The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from the
FortiManager using the CLI.
3. Click Upload, locate the configuration file, and click Open.
4. Enter the password if required.
5. Click OK.

To restore the FortiGate configuration using the CLI:

execute restore config management-station normal 0

or:
execute restore config usb <backup_filename> [<backup_password>]

or for FTP (the port number, user name, and password are optional, depending on the FTP server):
execute restore config ftp <backup_filename> <ftp_server>[<:port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:
execute restore config tftp <backup_filename> <tftp_server> [<backup_password>]

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has
been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message: Configuration file error
Reason: The configuration file is incompatible with the device, for example because it was saved from a different model
or from a different version of firmware.
Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the
firmware.

Error message: Invalid password
Reason: When the configuration file is saved, it can be protected by a password. The password entered during the
upload process does not match the one associated with the configuration file.
Solution: Use the correct password if the file is password protected.

Configuration revision

You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher.
Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this
feature. Typically, configuration backup to local drive is not available on lower-end models.
The central management server can either be a FortiManager unit or FortiGate Cloud.
If central management is not configured on your FortiGate unit, a message appears instructing you to either:
- Enable central management, or
- Obtain a valid license.
When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved
revisions of those backed-up configurations appears.
Configuration revisions are viewed by clicking on the user name in the upper right-hand corner of the screen and
selecting Configuration > Revisions.

Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The
file is written to a TFTP server that you supply. Ensure that your TFTP server is running and reachable from the
FortiGate before you enter the command. TFTP provides no authentication and no transport encryption, so run the
export on a trusted management network and choose a strong export password: that password is the only protection
the exported private key has while it is in transit and at rest on the TFTP server.

To back up the local certificates:

Connect to the CLI and use the following command:
execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>

where:
- <cert_name> is the name of the server certificate.
- <filename> is a name for the output file.
- <tftp_ip> is the IP address assigned to the TFTP server host interface.

To restore the local certificates using the GUI:

1. Move the output file from the TFTP server location to the management computer.
2. Go to System > Certificates and click Import > Local.
3. Select the certificate type, then click Upload in the Certificate file field.
4. On the management computer, browse to the file location, select it, and click Open.
5. If the Type is Certificate, upload the Key file as well.
6. If required, enter the Password that is required to upload the file or files.
7. Click OK.

To restore the local certificates using the CLI:

Connect to the CLI and use the following command:
execute vpn certificate local import tftp <filename> <tftp_ip>

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There
are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box
configuration.
To reset the device to the out-of-the-box configuration, enter the following CLI command:
execute factoryreset
When prompted, type y to confirm the reset.

Alternatively, to reset the factory defaults but retain the interface and VDOM configuration, enter:
execute factoryreset2

Troubleshooting your installation

If your FortiGate does not function as desired after installation, try the following troubleshooting tips:
1. Check for equipment issues
Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for
information about connecting your FortiGate to the network.
2. Check the physical network connections
Check the cables used for all physical connections to ensure that they are fully connected and do not appear
damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that
device.
3. Verify that you can connect to the internal IP address of the FortiGate
Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the
internal interface IP address; for example, ping 192.168.1.99. If you cannot connect to the internal interface,
verify the IP configuration of the PC. If you can ping the interface but can't connect to the GUI, check the settings for
administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS
has been enabled for Administrative Access on the interface.

4. Check the FortiGate interface configurations
Check the configuration of the FortiGate interface connected to the internal network (under Network > Interfaces)
and check that Addressing mode is set to the correct mode.
5. Verify the security policy configuration
Go to Policy & Objects > Firewall Policy and verify that the internal interface to Internet-facing interface security
policy has been added and is located near the top of the policy list. Check the Active Sessions column to ensure that
traffic has been processed (if this column does not appear, right-click on the table header and select Active
Sessions). If you are using NAT mode, check the configuration of the policy to make sure that NAT is enabled and
that Use Outgoing Interface Address is selected.
6. Verify the static routing configuration
Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify
that the default route appears in the list as a static route. Along with the default route, you should see two routes
shown as Connected, one for each connected FortiGate interface.
7. Verify that you can connect to the Internet-facing interface’s IP address
Ping the IP address of the Internet-facing interface of your FortiGate. If you cannot connect to the interface, the
FortiGate is not allowing sessions from the internal interface to Internet-facing interface. Verify that PING has been
enabled for Administrative Access on the interface.
8. Verify that you can connect to the gateway provided by your ISP
Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact
your ISP to verify that you are using the correct gateway.
9. Verify that you can communicate from the FortiGate to the Internet
Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute
traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.
10. Verify the DNS configurations of the FortiGate and the PCs
Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping
www.fortinet.com.
If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that
the DNS server IP addresses are present and correct.
11. Confirm that the FortiGate can connect to the FortiGuard network
Once the FortiGate is on your network, you should confirm that it can reach the FortiGuard network. First, check the
License Information widget to make sure that the status of all FortiGuard services matches the services that you
have purchased. Go to System > FortiGuard, and, in the Filtering section, click Test Connectivity. After a minute, the
GUI should indicate a successful connection. Verify that your FortiGate can resolve and reach FortiGuard at
service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the
connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of
FortiGuard IP gateways you can connect to, as well as the following information:
• Weight: Based on the difference in time zone between the FortiGate and this server
• RTT: Return trip time
• Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
• TZ: Server time zone
• Curr Lost: Current number of consecutive lost packets
• Total Lost: Total number of lost packets

12. Consider changing the MAC address of your external interface
Some ISPs do not want the MAC address of the device connecting to their network cable to change. If you have
added a FortiGate to your network, you may have to change the MAC address of the Internet-facing interface using
the following CLI command:
    config system interface
        edit <interface>
            set macaddr <xx:xx:xx:xx:xx:xx>
        next
    end
13. Check the FortiGate bridge table (transparent mode)
When a FortiGate is in transparent mode, the unit acts like a bridge sending all incoming traffic out on the other
interfaces. The bridge is between interfaces on the FortiGate unit. Each bridge listed is a link between interfaces.
Where traffic is flowing between interfaces, you expect to find bridges listed. If you are having connectivity issues
and there are no bridges listed, that is a likely cause. Check for the MAC address of the interface or device in
question. To list the existing bridge instances on the FortiGate, use the following CLI command:
    diagnose netlink brctl name host root.b
Sample output:
    show bridge control interface root.b host.
    fdb: size=2048, used=25, num=25, depth=1
    Bridge root.b host table
    port no  device  devname   mac addr           ttl  attributes
    3        4       wan1      00:09:0f:cb:c2:77  88
    3        4       wan1      00:26:2d:24:b7:d3  0
    3        4       wan1      00:13:72:38:72:21  98
    4        3       internal  00:1a:a0:2f:bc:c6  6
    1        6       dmz       00:09:0f:dc:90:69  0    Local Static
    3        4       wan1      c4:2c:03:0d:3a:38  81
    3        4       wan1      00:09:0f:15:05:46  89
    3        4       wan1      c4:2c:03:1d:1b:10  0
    2        5       wan2      00:09:0f:dc:90:68  0    Local Static
14. Use FortiExplorer if you cannot connect to the FortiGate over Ethernet
If you cannot connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer. Refer to the
QuickStart Guide or see the section on FortiExplorer for more details.
15. Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance
To reset the FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted, type
y to confirm the reset.
If you require further assistance, visit the Fortinet Support website.
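As an added example that is not part of the guide, the following Python parses the bridge table output from step 13 (the "diagnose netlink brctl name host root.b" command) and answers the two questions that step asks: on which interface a given MAC address was seen, and how many MACs each interface has actually learned. The sample output is the guide's own, pasted into a string so the code runs without a FortiGate.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the 'diagnose netlink brctl name host root.b' output from step 13,
# pasted as a string so the parser can run without a FortiGate.
SAMPLE_OUTPUT = """\
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
"""


@dataclass
class FdbEntry:
    port_no: int        # bridge port number
    device: int         # kernel device index
    devname: str        # FortiGate interface name (wan1, internal, dmz, ...)
    mac: str            # MAC address, normalised to lower case
    ttl: int            # age of the entry as reported by the bridge
    attributes: str     # "Local Static" marks the FortiGate's own interface MACs


# One forwarding-table row: port, device, devname, MAC, ttl, optional attributes.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\d+)\s*(.*)$"
)


def parse_bridge_table(text: str) -> List[FdbEntry]:
    """Return the forwarding-table rows; the header and summary lines are skipped."""
    entries: List[FdbEntry] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append(FdbEntry(int(m[1]), int(m[2]), m[3], m[4].lower(),
                                    int(m[5]), m[6].strip()))
    return entries


def find_mac(entries: List[FdbEntry], mac: str) -> Optional[FdbEntry]:
    """Locate the bridge port on which a MAC address was seen (the check in step 13)."""
    wanted = mac.lower()
    return next((e for e in entries if e.mac == wanted), None)


def learned_by_interface(entries: List[FdbEntry]) -> Dict[str, int]:
    """Count dynamically learned MACs per interface, ignoring the unit's own Local
    Static entries. An interface that is absent from the result has learned nothing,
    which is the 'no bridges listed' symptom described in step 13."""
    counts: Dict[str, int] = {}
    for e in entries:
        if "Local" not in e.attributes:
            counts[e.devname] = counts.get(e.devname, 0) + 1
    return counts


if __name__ == "__main__":
    table = parse_bridge_table(SAMPLE_OUTPUT)
    hit = find_mac(table, "00:1A:A0:2F:BC:C6")
    print(hit.devname if hit else "not in bridge table")   # internal
    print(learned_by_interface(table))                      # {'wan1': 6, 'internal': 1}
```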

Dashboards and Monitors

FortiOS includes predefined dashboards so administrators can easily monitor device inventory, security threats, traffic,
and network health. You can customize the appearance of a default dashboard to display data pertinent to your Security
Fabric or combine widgets to create custom dashboards. Many dashboards also allow you to switch views between
fabric devices.
Each dashboard contains a set of widgets that allow you to view drilldown data and take actions to prevent threats. Use
widgets to perform tasks such as viewing device inventory, creating and deleting DHCP reservations, and disconnecting
dial-up users. You can add or remove widgets in a dashboard or save a widget as a standalone monitor.
Monitors display information in both text and visual format. Use monitors to change views, search for items, view
drilldown information, or perform actions such as quarantining an IP address. FortiView monitors for the top categories
are located below the dashboards. All of the available widgets can be added to the tree menu as a monitor.

Using dashboards

You can combine widgets to create custom dashboards. You can also use the dropdown in the tree menu to switch to
another device in the Security Fabric.

To create a new dashboard:

1. Under Dashboard, click the Add Dashboard button. The Add Dashboard window opens.

2. Enter a name in the Name field and click OK. The new dashboard opens.

To add a widget to a dashboard:

1. In the tree menu, select a dashboard.
2. In the banner, click Add Widget. The Add Dashboard Widget pane opens.
3. Click the Add button next to the widget. You can use the Search field to search for a widget. Enable Show More to
view more widgets in a category.
4. Configure the widget settings, then click Add Widget.
5. Click Close.
6. (Optional) Click and drag the widget to the desired location in the dashboard.

To edit a dashboard:

1. Click the Actions menu next to the dashboard and select Edit Dashboard.

2. Edit the dashboard and click OK.

To delete a dashboard:

1. Click the Actions menu next to the dashboard and select Delete Dashboard.

2. Click Delete Dashboard. The Confirm dialog opens.
3. Click OK.

You cannot delete the Status dashboard.

To switch to another device in the Security Fabric:

1. In the tree menu, click the device name and select a fabric device from the dropdown.

Using widgets

You can convert a widget to a standalone monitor, change the view type, configure tables, and filter data.


To save a dashboard widget as a monitor:

1. Hover over the widget and click Expand to full screen.

Full screen mode is not supported in all widgets.

2. In the widget, click Save as Monitor. The Add Monitor window opens.

3. (Optional) Enter a new name for the monitor in the Name field.
4. Click OK.

To view the widget settings:

1. Click the menu dropdown at the right side of the widget and select Settings.

2. Configure the widget settings and click OK.

The settings will vary depending on the widget.

To configure a table in the widget:

1. Hover over the left side of the table header and click Configure Table.


2. Configure the table options:

Option                  Description
Best Fit All Columns    Resizes all of the columns in a table to fit their content.
Reset Table             Resets the table to the default view.
Select Columns          Adds or removes columns from the view.

3. Click Apply.

To filter or configure a column in a table:

1. Hover over a column heading, and click Filter/Configure Column.

2. Configure the column options.

Option                  Description
Resize to Contents      Resizes the column to fit the content.
Group by this Column    Groups the table rows by the contents in the selected column.

3. Click Apply.
4. To filter a column, enter a value in the Filter field, and click Apply.

Filtering is not supported in all widgets.

Widgets

Dashboards are created per VDOM when VDOM mode is enabled. For information about VDOM mode, see Virtual
Domains on page 1567.

Some dashboards and widgets are not available in Multi-VDOM mode.

The following table lists the available widgets in VDOM mode:

Category                 Widgets
FortiView                • FortiView Application Bandwidth
                         • FortiView Applications
                         • FortiView Cloud Applications
                         • FortiView Destination Interfaces
                         • FortiView Destination Owners
                         • FortiView Destinations
                         • FortiView Policies
                         • FortiView Sessions
                         • FortiView Source Interfaces
                         • FortiView Sources
                         • FortiView VPN
                         • FortiView Web Categories
                         • FortiView Countries/Regions
                         • FortiView Destination Firewall Objects
                         • FortiView Interface Pairs
                         • FortiView Search Phrases
                         • FortiView Servers
                         • FortiView Source Firewall Objects
                         • FortiView Sources - WAN
                         • FortiView Traffic Shaping
Security Fabric          • Fabric Device
                         • FortiGate Cloud
                         • Security Fabric Status
Network                  • DHCP
                         • Interface Bandwidth
                         • IP Pool Utilization
                         • IPsec
                         • Routing
                         • SD-WAN
                         • SSL-VPN
                         • Top IP Pools by Assigned IPs
                         The Interface Bandwidth widget can monitor a maximum of 25 interfaces.
System                   • Administrators
                         • Botnet Activity
                         • HA Status
                         • License Status
                         • System Information
                         • Top System Events
                         • Virtual Machine
Resource Usage           • CPU Usage
                         • Disk Usage
                         • Log Rate
                         • Memory Usage
                         • Session Rate
                         • Sessions
Security                 • Advanced Threat Protection Statistics
                         • Compromised Hosts
                         • FortiClient Detected Vulnerabilities
                         • GTP Tunnel Rate
                         • GTP Tunnels
                         • Host Scan Summary
                         • Quarantine
                         • Top Endpoint Vulnerabilities
                         • Top Failed Authentication
                         • Top FortiSandbox Files
                         • Top Threats
                         • Top Threats - WAN
User & Authentication    • Device Inventory
                         • Firewall Users
                         • FortiClient
                         • FortiGuard Quota
                         • FortiSwitch NAC VLANs
                         • Top Admin Logins
                         • Top Vulnerable Endpoint Devices
                         • Top Cloud Users
WiFi                     • Channel Utilization
                         • Clients By FortiAP
                         • FortiAP Status
                         • Historical Clients
                         • Interfering SSIDs
                         • Login Failures
                         • Rogue APs
                         • Signal Strength
                         • Top WiFi Clients

Viewing device dashboards in the Security Fabric

Use the device dropdown to view the dashboards in downstream fabric devices. You can also create dedicated device
dashboards or log in and configure fabric devices.
To view the dashboards in fabric devices, click the device dropdown at the left side of the page, and select a device from
the list.


The device dropdown is available in the Status, Security, Network, Users & Devices, and WiFi
dashboards. You can also enable the dropdown when you create a dashboard.

To log in to or configure a fabric device, hover over the device name until the device dialog opens and then select Login
or Configure.

Creating a fabric system and license dashboard

Create a dashboard summary page to monitor all the fabric devices in a single view. You can use this dashboard to
monitor aspects of the devices such as system information, VPN and routing.

Example

The following image is an example of a Fabric System & License dashboard to monitor the System Information,
Licenses, and Memory usage for Branch_Office_01 and Branch_Office_02.


To create a system dashboard:

1. Click the Add Dashboard button. The Add Dashboard window opens.
2. In the Name field, enter a name such as Fabric System & Licenses, and click OK. The new dashboard appears.
3. In the banner, click Add Widget. The Add Dashboard Widget window opens. You can use the Search field to search
for a specific widget (for example, License Status, System Information, and Memory Usage).
4. Click the Add button next to the widget. The Add Dashboard Widget window opens.
5. In the Fabric member area, select Specify and select a device in the Security Fabric.
6. Click Add Widget. The widget is added to the dashboard.
Repeat this step for all the devices you want to view in the dashboard.
7. (Optional) Arrange the widgets in the dashboard by fabric device.

Dashboards

A dashboard is a collection of widgets that show the status of your devices, network, and Security Fabric at a glance.
Widgets are condensed monitors that display a summary of the key details about your FortiGate pertaining to routing,
VPN, DHCP, devices, users, quarantine, and wireless connections.
The following dashboards are included in the dashboard templates:

Dashboard          Default Template     Use these widgets to:
Status             • Comprehensive      • View the device serial number, licenses, and administrators
                   • Optimal            • View the status of devices in the security fabric
                                        • Monitor CPU and Memory usage
                                        • Monitor IPv4 and IPv6 sessions
                                        • View VMs and Cloud devices
Security           • Optimal            • View compromised hosts and host scan summary
                                        • View top threats and vulnerabilities
Network            • Optimal            • Monitor DHCP clients
                                        • Monitor IPsec VPN connections
                                        • Monitor current routing table
                                        • Monitor SD-WAN status
                                        • Monitor SSL-VPN connections
Users & Devices    • Optimal            • View users and devices connected to the network
                                        • Identify threats from individual users and devices
                                        • View FortiGuard and FortiClient data
                                        • Monitor traffic bandwidth over time
WiFi               • Comprehensive      • View FortiAP status, channel utilization, and clients
                   • Optimal            • View login failures and signal strength
                                        • View the number of WiFi clients

Resetting the default dashboard template

You can use the GUI to change the default dashboard template. The Optimal template contains a set of popular default
dashboards and FortiView monitors. The Comprehensive template contains a set of default dashboards as well as all of
the FortiView monitors.

Resetting the default template will delete any custom dashboards and monitors, and reset the
widget settings.

To reset all dashboards:

1. Click the Actions menu next to Add Dashboard or Add Monitor and click Reset All Dashboards. The Dashboard
Setup window opens.

2. Select Optimal or Comprehensive and click OK.

Status dashboard

The Status dashboard provides an overview of your FortiGate device and the devices in your Security Fabric. If your
FortiGate is a Virtual Machine, information about the Virtual Machine is also displayed in the dashboard.


Updating system information

The System Information widget contains links to the Settings module where you can update the System Time, Uptime,
and WAN IP.
A notification will appear in the Firmware field when a new version of FortiOS is released. Click Update firmware in
System > Firmware to view the available versions and update FortiOS.

Viewing fabric devices

The Security Fabric widget provides a visual overview of the devices connected to the fabric and their connection status.
Hover over a device icon to view more information about the device.
Click a device in the fabric to:
• View the device in the physical or logical topology
• Register, configure, deauthorize, or log in to the device
• Open Diagnostics and Tools
• View the FortiClient Monitor
These options will vary depending on the device.
Click Expand & Pin hidden content to view all the devices in the fabric at once.


Viewing administrators

The Administrators widget displays the active administrators and their access interface. Click the username to view the
Active Administrator Sessions monitor. You can use the monitor to end an administrator's session.

Resource widgets

The resource widgets show the current usage statistics for CPU, Memory, and Sessions.
Click the CPU monitor to show the per core CPU usage.

You can switch between IPv4, IPv6, or IPv4+IPv6 in the Sessions monitor.

Security dashboard

The widgets in the Security dashboard provide a snapshot of the current threats and vulnerabilities targeting your
Security Fabric.


The Security dashboard contains the following widgets:

Widget                                  Description
Compromised Hosts by Verdict            Shows the session information for a compromised host. See Viewing session
                                        information for a compromised host on page 73.
Top Threats by Threat Level             Shows the top traffic sessions aggregated by threat.
                                        You can expand the widget to view drilldown information about the Threat, Threat
                                        Category, Threat Level, Threat Score and Sessions.
FortiClient Detected Vulnerabilities    Shows a summary of vulnerabilities detected by FortiClient. FortiClient must be
                                        enabled.
Host Scan Summary                       Shows a summary of hosts scanned.
                                        Hover over a color in the chart to view the number of hosts by category. Click the
                                        chart to view the FortiClient Monitor or Device Inventory monitor.
Top Vulnerable Endpoint Devices by      Shows a summary of devices aggregated by vulnerabilities.
Detected Vulnerabilities                Expand the widget to view drilldown information about the Device, Source and
                                        Detected Vulnerabilities.

Viewing session information for a compromised host

You can use the Compromised Hosts by Verdict widget to view the session information for a compromised host.

To view session information for a compromised host in the GUI:

1. Go to Dashboard > Security and expand the Compromised Hosts by Verdict widget.
2. Double-click a compromised host to view the session information. You can also right-click a compromised host, and
select View Sessions.
3. Double-click a session, or right-click the session and select View Sessions to view the information.

Network dashboard

The widgets in the Network dashboard show information related to networking for this FortiGate and other devices
connected to your Security Fabric. Use this dashboard to monitor the status of Routing, DHCP, SD-WAN, IPsec and SSL
VPN tunnels. All of the widgets in the Network dashboard can be expanded to full screen and saved as a monitor.
The Network dashboard contains the following widgets:

Widget                      Description
Static & Dynamic Routing    Shows the static and dynamic routes currently active in your routing table. The
                            widget also includes policy routes, BGP neighbors and paths, and OSPF
                            neighbors.
                            See Static & Dynamic Routing monitor on page 75.
DHCP                        Shows the addresses leased out by FortiGate's DHCP servers. See DHCP
                            monitor on page 78.
SD-WAN                      Shows a summary of the SD-WAN status, including ADVPN shortcut information.
IPsec                       Shows the connection statuses of your IPsec VPN site to site and dial-up tunnels.
                            See IPsec monitor on page 79.
SSL-VPN                     Shows a summary of remote active users and the connection mode. See SSL-
                            VPN monitor on page 81.
IP Pool Utilization         Shows IP pool utilization.

Static & Dynamic Routing monitor

The Static & Dynamic Routing Monitor displays the routing table on the FortiGate, including all static and dynamic
routing protocols in IPv4 and IPv6. You can also use this monitor to view policy routes, BGP neighbors and paths, and
OSPF neighbors.

To view the routing monitor in the GUI:

1. Go to Dashboard > Network.
2. Hover over the Routing widget, and click Expand to Full Screen. The Routing monitor is displayed.
3. To view neighbors and paths, click the monitors dropdown at the top of the page. The available views are BGP
Neighbors, BGP Paths, IPv6 BGP Paths, and OSPF Neighbors.
4. To filter the Interfaces and Type columns:
a. Click the Static & Dynamic tab.
b. Hover over the column heading, and click the Filter/Configure Column icon.
c. Click Group By This Column, then click Apply.
5. (Optional) Click Save as Monitor to save the widget as a monitor.

To look up a route in the GUI:

1. Click Route Lookup.
2. Enter an IP address in the Destination field, then click Search. The matching route is highlighted on the Routing
monitor.

To view the routing table in the CLI:

# get router info routing-table all

Sample output:
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.0.10.1, To-HQ-A
                  [1/0] via 10.0.12.1, To-HQ-MPLS
                  [1/0] via 10.10.11.1, To-HQ-B
                  [1/0] via 10.100.67.1, port1
                  [1/0] via 10.100.67.9, port2
C       10.0.10.0/24 is directly connected, To-HQ-A
C       10.0.10.2/32 is directly connected, To-HQ-A
C       10.0.11.0/24 is directly connected, To-HQ-B
C       10.0.11.2/32 is directly connected, To-HQ-B
C       10.0.12.0/24 is directly connected, To-HQ-MPLS
C       10.0.12.2/32 is directly connected, To-HQ-MPLS
C       10.1.0.0/24 is directly connected, port3
C       10.1.0.2/32 is directly connected, port3
C       10.1.0.3/32 is directly connected, port3
C       10.1.100.0/24 is directly connected, vsw.port6
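As an added example that is not part of the guide, the following Python parses the routing-table output above and performs the same longest-prefix match that the GUI Route Lookup does for a destination address, keeping every next hop of the ECMP default route. The sample is the guide's own output pasted into a string; no FortiGate is needed to run it.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: the 'get router info routing-table all' output shown above.
SAMPLE_OUTPUT = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.0.10.1, To-HQ-A
                  [1/0] via 10.0.12.1, To-HQ-MPLS
                  [1/0] via 10.10.11.1, To-HQ-B
                  [1/0] via 10.100.67.1, port1
                  [1/0] via 10.100.67.9, port2
C       10.0.10.0/24 is directly connected, To-HQ-A
C       10.0.10.2/32 is directly connected, To-HQ-A
C       10.0.11.0/24 is directly connected, To-HQ-B
C       10.0.11.2/32 is directly connected, To-HQ-B
C       10.0.12.0/24 is directly connected, To-HQ-MPLS
C       10.0.12.2/32 is directly connected, To-HQ-MPLS
C       10.1.0.0/24 is directly connected, port3
C       10.1.0.2/32 is directly connected, port3
C       10.1.0.3/32 is directly connected, port3
C       10.1.100.0/24 is directly connected, vsw.port6
"""


@dataclass
class Route:
    code: str                                   # routing-table code, e.g. "S*" or "C"
    prefix: ipaddress.IPv4Network
    nexthops: List[Tuple[Optional[str], str]] = field(default_factory=list)  # (gateway, interface)
    distance: Optional[int] = None              # administrative distance from [distance/metric]
    metric: Optional[int] = None


# A route line: code, prefix, then either "[d/m] via gw, intf" or "is directly connected, intf".
_ROUTE = re.compile(r"^\s*([A-Za-z0-9*]{1,3})\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(.*)$")
_VIA = re.compile(r"\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(\S+)")
_CONNECTED = re.compile(r"is directly connected,\s+(\S+)")


def parse_routing_table(text: str) -> List[Route]:
    """Parse the routing table; indented '[d/m] via ...' lines are extra ECMP next hops
    of the route that precedes them."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = _ROUTE.match(line)
        if m:
            route = Route(code=m[1], prefix=ipaddress.ip_network(m[2], strict=False))
            routes.append(route)
            rest = m[3]
        elif routes and _VIA.search(line):
            route, rest = routes[-1], line      # continuation line of an ECMP route
        else:
            continue                            # Codes legend, headings, blank lines
        via = _VIA.search(rest)
        if via:
            route.distance, route.metric = int(via[1]), int(via[2])
            route.nexthops.append((via[3], via[4]))
            continue
        conn = _CONNECTED.search(rest)
        if conn:
            route.nexthops.append((None, conn[1]))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match for a destination IP, as the GUI Route Lookup does."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_OUTPUT)
    for dst in ("10.0.12.7", "10.0.10.2", "8.8.8.8"):
        r = lookup(table, dst)
        print(dst, "->", r.code, r.prefix, r.nexthops)
```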

To look up a firewall route in the CLI:

# diagnose firewall proute list

Sample output:
list route policy info(vf=root):

id=0x7f450002 vwl_service=2(BusinessCritialCloudApp) vwl_mbr_seq=4 5 3 dscp_tag=0xff 0xff
flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=3(port1) oif=4(port2) oif=18(To-HQ-MPLS)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(4): Microsoft.Office.365(4294837472,0,0,0, 33182) Microsoft.Office.Online(4294837475,0,0,0, 16177) Salesforce(4294837976,0,0,0, 16920) GoToMeeting(4294836966,0,0,0, 16354)
hit_count=0 last_used=2020-03-30 10:50:18

id=0x7f450003 vwl_service=3(NonBusinessCriticalCloudApp) vwl_mbr_seq=4 5 dscp_tag=0xff 0xff
flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=3(port1) oif=4(port2)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): Facebook(4294836806,0,0,0, 15832) Twitter(4294838278,0,0,0, 16001)
hit_count=0 last_used=2020-03-30 10:50:18

id=0x7f450004 vwl_service=4(Ping-Policy) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0
tos=0x00 tos_mask=0x00 protocol=1 sport=0:65535 iif=0 dport=1-65535 oif=16(To-HQ-A) oif=17(To-HQ-B)

To view neighbors and paths

DHCP monitor

The DHCP monitor shows all the addresses leased out by FortiGate's DHCP servers. You can use the monitor to revoke
an address for a device, or create, edit, and delete address reservations.

To view the DHCP monitor:

1. Go to Dashboard > Network.
2. Hover over the DHCP widget, and click Expand to Full Screen.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To revoke a lease:

1. Select a device in the table.
2. In the toolbar, click Revoke, or right-click the device, and click Revoke Lease(s). The Confirm page is displayed.
3. Click OK.

A confirmation window opens only if there is an associated address reservation. If there is no
address, the lease will be removed immediately upon clicking Revoke.


To create a DHCP reservation:

1. Select a server in the table.
2. In the toolbar, click Reservation, or right-click the device and click Create DHCP Reservation. The Create New
DHCP Reservation page is displayed.
3. Configure the DHCP reservation settings.
4. Click OK.

To view top sources by bytes:

1. Right-click a device in the table and click Show in FortiView. The FortiView Sources by Bytes widget is displayed.

To view the DHCP lease list in the CLI:

# execute dhcp lease-list

IPsec monitor

The IPsec monitor displays all connected Site to Site VPN, Dial-up VPNs, and ADVPN shortcut tunnel information. You
can use the monitor to bring a phase 2 tunnel up or down or disconnect dial-up users. A notification appears in the
monitor when users have not enabled two-factor authentication.

To view the IPsec monitor in the GUI:

1. Go to Dashboard > Network.
2. Hover over the IPsec widget, and click Expand to Full Screen. A warning appears when an unauthenticated user is
detected.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

3. Hover over a record in the table. A tooltip displays the Phase 1 and Phase 2 interfaces. A warning appears next to a
user who has not enabled two-factor authentication.


To reset statistics:

1. Select a tunnel in the table.
2. In the toolbar, click Reset Statistics or right-click the tunnel, and click Reset Statistics. The Confirm dialog is
displayed.
3. Click OK.

To bring a tunnel up:

1. Select a tunnel in the table.
2. Click Bring Up, or right-click the tunnel, and click Bring Up. The Confirm dialog is displayed.
3. Click OK.

To bring a tunnel down:

1. Select a tunnel in the table.
2. Click Bring Down, or right-click the tunnel, and click Bring Down. The Confirm dialog is displayed.
3. Click OK.

To locate a tunnel on the VPN Map:

1. Select a tunnel in the table.
2. Click Locate on VPN Map, or right-click the tunnel, and click Locate on VPN Map. The VPN Location Map is
displayed.

To view the IPsec monitor in the CLI:

# diagnose vpn tunnel list

Sample output:
list all ipsec tunnel in vd 0
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048
  seqno=2c5e esn=0 replaywin_lastseq=00002ea3 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=1773/1800
  dec: spi=700c9198 esp=aes key=16 ebd04605de6148c8a92ced48b30930fa
  ah=sha1 key=20 5f0201f67d7c714a046025a1df41d40376437f6a
  enc: spi=5aaccc20 esp=aes key=16 13d5d4b46e5e9c42eef509f2d9879188
  ah=sha1 key=20 2dde67ef7a2a78b622d9a7ec6d75ad3c55d241e1
  dec:pkts/bytes=11938/5226964, enc:pkts/bytes=11357/1312184
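As an added example that is not part of the guide, the following Python parses the "diagnose vpn tunnel list" output above into one record per tunnel (IKE version, mode, peers, traffic counters, DPD state, installed phase 2 SAs) and reports the tunnels that have no SA, which is the condition the monitor's Bring Up action addresses. The sample is the guide's output pasted into a string, with the per-SA key lines left out because nothing here needs them.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: the 'diagnose vpn tunnel list' output shown above (SA key lines omitted).
SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048
"""


@dataclass
class Tunnel:
    name: str
    ike_version: int    # ver=1 (IKEv1) or ver=2 (IKEv2)
    mode: str           # dialup, auto, ...
    local: str          # local gateway ip:port
    remote: str         # remote gateway ip:port (0.0.0.0:0 for a dial-up listener)
    rx_packets: int
    tx_packets: int
    rx_bytes: int
    tx_bytes: int
    dpd_on: bool        # 'dpd: ... on=1' means dead peer detection is running
    sa_count: int       # sum of sa= over the tunnel's phase 2 selectors (proxyid lines)


_HEADER = re.compile(r"^name=(\S+) ver=(\d+) serial=\d+ (\S+)->(\S+)", re.M)
_MODE = re.compile(r"\bmode=(\w+)/\d+")   # only the tunnel-line mode carries a /n suffix
_STAT = re.compile(r"^stat: rxp=(\d+) txp=(\d+) rxb=(\d+) txb=(\d+)", re.M)
_DPD = re.compile(r"^dpd: mode=\S+ on=(\d)", re.M)
_SA = re.compile(r"^proxyid=\S+ .*?\bsa=(\d+)", re.M)


def parse_tunnel_list(text: str) -> List[Tunnel]:
    """Split the output on its dashed separator lines and parse one tunnel per block."""
    tunnels: List[Tunnel] = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        header = _HEADER.search(block)
        if not header:
            continue   # the leading 'list all ipsec tunnel in vd 0' chunk has no tunnel
        mode = _MODE.search(block)
        stat = _STAT.search(block)
        dpd = _DPD.search(block)
        rxp, txp, rxb, txb = (int(v) for v in stat.groups()) if stat else (0, 0, 0, 0)
        tunnels.append(Tunnel(
            name=header[1], ike_version=int(header[2]),
            local=header[3], remote=header[4],
            mode=mode[1] if mode else "unknown",
            rx_packets=rxp, tx_packets=txp, rx_bytes=rxb, tx_bytes=txb,
            dpd_on=bool(dpd and dpd[1] == "1"),
            sa_count=sum(int(n) for n in _SA.findall(block)),
        ))
    return tunnels


def tunnels_without_sa(tunnels: List[Tunnel]) -> List[str]:
    """Names of tunnels with no phase 2 SA installed. For a site-to-site tunnel that is
    the 'down' state the monitor's Bring Up fixes; a dial-up listener simply has no
    client connected yet."""
    return [t.name for t in tunnels if t.sa_count == 0]


if __name__ == "__main__":
    for t in parse_tunnel_list(SAMPLE_OUTPUT):
        print(f"{t.name}: IKEv{t.ike_version} {t.mode} {t.local}->{t.remote} "
              f"rx={t.rx_bytes}B tx={t.tx_bytes}B dpd={'on' if t.dpd_on else 'off'} sa={t.sa_count}")
    print("no SA:", tunnels_without_sa(parse_tunnel_list(SAMPLE_OUTPUT)))   # ['fct-dialup']
```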

SSL-VPN monitor

The SSL-VPN monitor displays remote user logins and active connections. You can use the monitor to disconnect a
specific connection. The monitor will notify you when VPN users have not enabled two-factor authentication.

To view the SSL-VPN monitor in the GUI:

1. Go to Dashboard > Network.
2. Hover over the SSL-VPN widget, and click Expand to Full Screen. The Duration and Connection Summary charts
are displayed at the top of the monitor.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To disconnect a user:

1. Select a user in the table.
2. In the table, right-click the user, and click End Session. The Confirm window opens.
3. Click OK.


To monitor SSL-VPN users in the CLI:

# get vpn ssl monitor

Sample output:
SSL VPN Login Users:
 Index   User        Group   Auth Type   Timeout   From            HTTP in/out        HTTPS in/out
 0       amitchell   TAC     1(1)        296       10.100.64.101   3838502/11077721   0/0
 1       mmiles      Dev     1(1)        292       10.100.64.101   4302506/11167442   0/0

SSL VPN sessions:
 Index   User   Group   Source IP   Duration   I/O Bytes   Tunnel/Dest IP

Users & Devices

The Users & Devices dashboard shows the current status of users and devices connected to your network. All of the
widgets can be expanded to view as a monitor. In monitor view, you can create firewall addresses, deauthenticate a user,
or remove a device from the network.
The Users & Devices dashboard contains the following widgets:

Widget                   Description
Device Inventory         Shows a summary of the hardware and software that is connected to the network.
                         See Device inventory on page 82.
FortiClient              Shows a summary of the FortiClient endpoints.
Firewall Users           Shows a summary of the users logged into the network.
Quarantine               Shows a summary of quarantined devices.
FortiSwitch NAC VLANs    Shows a summary of VLANs assigned to devices by FortiSwitch NAC policies.

Device inventory

You can enable device detection to allow FortiOS to monitor your networks and gather information about devices
operating on those networks, including:
• MAC address
• IP address
• Operating system
• Hostname
• Username
• When FortiOS detected the device and on which interface
You can enable device detection separately on each interface in Network > Interfaces.
Device detection is intended for devices directly connected to your LAN and DMZ ports. The widget is only available
when your Interface Role is LAN, DMZ or Undefined. It is not available when the role is WAN.
You can also manually add devices to Device Inventory to ensure that a device with multiple interfaces displays as a
single device.


To view the device inventory monitor:

1. Go to Dashboard > Users & Devices.
If you are using the Comprehensive dashboard template, go to Dashboard > Device Inventory Monitor. See .
2. Hover over the Device Inventory widget, and click Expand to Full Screen. The Device Inventory monitor is
displayed.

To filter or configure a column in the table, hover over the column heading, and click
Filter/Configure Column. See Device inventory and filtering on page 83.

Device inventory and filtering

The Device Inventory widget contains a series of summary charts that provide an overview of the hardware, operating
system, status, and interfaces. You can use these clickable charts to simplify filtering among your devices.

To view the device inventory and apply a filter:

1. Go to Dashboard > Users & Devices.
If you are using the Comprehensive dashboard template, go to Dashboard > Device Inventory Monitor. See .
2. Hover over the Device Inventory widget, and click Expand to Full Screen. The Device Inventory monitor is
displayed.
3. To filter the order of the charts by operating system, click the dropdown in the top menu bar and select Software OS.
4. To filter a chart, click an item in the legend or chart area. The table displays the filter results.
5. To combine filters, hover over a column heading and click Filter/Configure Column.
6. Click the filter icon in the top-right corner of the chart to remove the filter.


Filter examples

To filter all offline devices:

1. In the Status chart, click Offline in the legend or on the chart itself.

To filter all devices discovered on port3:

1. In the Interfaces chart, click port3.

Adding MAC-based addresses to devices

Assets detected by device detection appear in the Device Inventory widget. You can manage policies around devices by
adding a new device object (MAC-based address) to a device. Once you add the MAC-based address, the device can be
used in address groups or directly in policies.

To add a MAC-based address to a device:

1. Go to Dashboard > Users & Devices.
   If you are using the Comprehensive dashboard template, go to Dashboard > Device Inventory Monitor.
2. Hover over the Device Inventory widget, and click Expand to Full Screen. The Device Inventory monitor is displayed.


3. Click a device, then click Firewall Device Address. The New Address dialog is displayed.

4. In the Name field, give the device a descriptive name so that it is easy to find in the Device column.
5. Configure the MAC Address.

6. Click OK, then refresh the page. The MAC address icon appears in the Address column next to the device name.

Firewall Users monitor

The Firewall Users monitor displays all firewall users currently logged in. You can use the monitor to diagnose user-
related logons or to highlight and deauthenticate a user.


To view the firewall monitor:

1. Go to Dashboard > Users & Devices.
   If you are using the Comprehensive dashboard template, go to Dashboard > Firewall User Monitor.
2. Hover over the Firewall Users widget, and click Expand to Full Screen.
3. To show FSSO logons, click Show all FSSO Logons at the top right of the page.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To deauthenticate a user:

1. Go to Dashboard > Users & Devices.


2. Hover over the Firewall Users widget, and click Expand to Full Screen.
3. (Optional) Use the Search field to search for a specific user.
4. In the toolbar, click Deauthenticate, or right-click the user, and click Deauthenticate. The Confirm dialog is
displayed.
5. Click OK.

To view firewall users in the CLI:

# diagnose firewall auth list

WiFi dashboard

The WiFi dashboard provides an overview of your WiFi network's performance, including FortiAP status, channel
utilization, WiFi clients and associated information, login failures, and signal strength.


To access the WiFi dashboard, go to Dashboard > WiFi.

The WiFi dashboard can be customized per your requirements. To learn more about using and modifying dashboards
and widgets, see Dashboards and Monitors on page 62.
This section describes the following monitors available for the WiFi Dashboard:
• FortiAP Status monitor on page 87
• Clients by FortiAP monitor on page 89

FortiAP Status monitor

The FortiAP Status monitor displays the status and the channel utilization of the radios of FortiAP devices connected to a
FortiGate. It also provides access to tools to diagnose and analyze connected APs.

To view the FortiAP Status monitor:

1. Go to Dashboard > WiFi.


2. Hover over the FortiAP Status widget, and click Expand to Full Screen. The FortiAP Status monitor opens.


3. (Optional) Click Save as Monitor to save the widget as a monitor.

To view the Diagnostics and Tools menu:

1. Right-click an Access Point in the table, and click Diagnostics and Tools. The Diagnostics and Tools dialog opens.

2. To monitor and analyze the FortiAP device, click on the tabs in the Diagnostics and Tools dialog, such as Clients,
Spectrum Analysis, VLAN Probe, and so on.


The Diagnostics and Tools dialog is similar to the device dialog from WiFi & Switch Controller > Managed FortiAPs. To
learn more about the various tabs and their functions, see Spectrum analysis of FortiAP E models, VLAN probe report,
and Standardize wireless health metrics.

Clients by FortiAP monitor

The Clients by FortiAP monitor allows you to view detailed information about the health of individual WiFi connections in
the network. It also provides access to tools to diagnose and analyze connected wireless devices.

To view the Clients by FortiAP monitor:

1. Go to Dashboard > WiFi.


2. Hover over the Clients by FortiAP widget, and click Expand to Full Screen. The Clients by FortiAP monitor opens.
3. (Optional) Click Save as Monitor to save the widget as a monitor.

To view the summary page for a wireless client:

1. Right-click a client in the table and select Diagnostics and Tools. The Diagnostics and Tools - <device> page is
displayed.


2. (Optional) Click Quarantine to quarantine the client.
3. (Optional) Click Disassociate to disassociate the client.

Health status

The Status section displays the overall health for the wireless connection. The overall health of the connection is:
• Good if the value range for all three conditions is Good
• Fair or Poor if one of the three conditions is Fair or Poor, respectively.

| Condition | Value Range |
| --- | --- |
| Signal Strength | Good > -56dBm; -56dBm > Fair > -75dBm; Poor < -75dBm |
| Signal Strength/Noise | Good > 39dBm; 20dBm < Fair < 39dBm; Poor < 20dBm |
| Band | Good = 5G band; Fair = 2.4G band |
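The health rule in the table above, worked as an added example (not part of the guide and not Fortinet code): each client is graded on the three conditions, the grades are combined into the overall health, and the clients an administrator would look at first are listed worst first. The page does not define values that sit exactly on a boundary or the case where one condition is Fair and another Poor; the code assumes a boundary value takes the lower grade and that the worst condition wins, and the sample clients are constructed.

```python
"""Grade WiFi client health with the Clients by FortiAP thresholds.

Assumptions not stated in the guide: a value exactly on a boundary
(-56 dBm, -75 dBm, 39 dBm, 20 dBm) falls into the lower grade, and when
one condition is Fair and another Poor the overall health is Poor.
"""
from dataclasses import dataclass
from typing import Dict, List

GOOD, FAIR, POOR = "Good", "Fair", "Poor"
_RANK = {GOOD: 0, FAIR: 1, POOR: 2}  # higher rank = worse


@dataclass
class WifiClient:
    mac: str
    signal_dbm: int   # Signal Strength column
    snr_db: int       # Signal Strength/Noise column
    band: str         # "5G" or "2.4G"


def grade_signal(signal_dbm: float) -> str:
    """Signal Strength: Good > -56dBm, Fair between -75dBm and -56dBm, Poor below."""
    if signal_dbm > -56:
        return GOOD
    if signal_dbm > -75:   # -56 itself is Fair (assumption)
        return FAIR
    return POOR


def grade_snr(snr_db: float) -> str:
    """Signal Strength/Noise: Good > 39, Fair between 20 and 39, Poor below."""
    if snr_db > 39:
        return GOOD
    if snr_db > 20:        # 39 itself is Fair (assumption)
        return FAIR
    return POOR


def grade_band(band: str) -> str:
    """Band: 5G is Good, 2.4G is Fair; the table defines no Poor band."""
    if band == "5G":
        return GOOD
    if band == "2.4G":
        return FAIR
    raise ValueError(f"unknown band: {band!r}")


def health(client: WifiClient) -> Dict[str, str]:
    """Return the three condition grades plus the Overall health."""
    grades = {
        "Signal Strength": grade_signal(client.signal_dbm),
        "Signal Strength/Noise": grade_snr(client.snr_db),
        "Band": grade_band(client.band),
    }
    # Overall is Good only when all three are Good; otherwise the worst
    # condition decides (assumption for the Fair + Poor combination).
    grades["Overall"] = max(grades.values(), key=_RANK.__getitem__)
    return grades


def clients_needing_attention(clients: List[WifiClient]) -> List[str]:
    """MACs of clients whose overall health is not Good, worst first."""
    flagged = [(c.mac, health(c)["Overall"]) for c in clients]
    flagged = [(mac, g) for mac, g in flagged if g != GOOD]
    flagged.sort(key=lambda item: -_RANK[item[1]])  # stable: Poor before Fair
    return [mac for mac, _ in flagged]


# Constructed sample clients (not real monitor data).
SAMPLE_CLIENTS = [
    WifiClient("00:11:22:33:44:01", signal_dbm=-50, snr_db=45, band="5G"),
    WifiClient("00:11:22:33:44:02", signal_dbm=-60, snr_db=45, band="5G"),
    WifiClient("00:11:22:33:44:03", signal_dbm=-50, snr_db=45, band="2.4G"),
    WifiClient("00:11:22:33:44:04", signal_dbm=-80, snr_db=30, band="5G"),
    WifiClient("00:11:22:33:44:05", signal_dbm=-56, snr_db=39, band="5G"),  # boundary
]

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        print(client.mac, health(client))
    print("needs attention:", clients_needing_attention(SAMPLE_CLIENTS))
```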

The summary page also has the following FortiView tabs:
• Performance
• Applications
• Destinations
• Policies
• Logs

Monitors

FortiGate supports both FortiView and Non-FortiView monitors. FortiView monitors are driven by traffic information
captured from logs and real-time data. Non-FortiView monitors capture information from various real-time state tables on
the FortiGate.

Non-FortiView monitors

Non-FortiView monitors capture information on various state tables, such as the routes in the routing table, devices in
the device inventory, DHCP leases in the DHCP lease table, connected VPNs, clients logged into the wireless network,
and much more. These monitors are useful when troubleshooting the current state of the FortiGate, and to identify
whether certain objects are in the state table or not. For more information, see Dashboards on page 69.

FortiView monitors

FortiView is the FortiOS log view tool and comprehensive monitoring system for your network. FortiView integrates real-
time and historical data into a single view on your FortiGate. It can log and monitor network threats, keep track of
administration activities, and more.
Use FortiView monitors to investigate traffic activity such as user uploads and downloads, or videos watched on
YouTube. You can view the traffic on the whole network by user group or by individual. FortiView displays the
information in both text and visual format, giving you an overall picture of your network traffic activity so that you can
quickly decide on actionable items.
FortiView is integrated with many UTM functions. For example, you can quarantine an IP address directly in FortiView or
create custom devices and addresses from a FortiView entry.


The logging range and depth will depend on the FortiGate model.

The Optimal template contains a set of popular default dashboards and FortiView monitors. The Comprehensive
template contains a set of default dashboards as well as all of the FortiView monitors. See Dashboards on page 69.

Optimal template monitors:
• FortiView Sources
• FortiView Destinations
• FortiView Applications
• FortiView Web Sites
• FortiView Policies
• FortiView Sessions

Comprehensive template monitors:
• FortiView Sources
• FortiView Destinations
• FortiView Applications
• FortiView Web Sites
• FortiView Threats
• FortiView Compromised Hosts
• FortiView Policies
• FortiView Sessions
• Device Inventory Monitor
• Routing Monitor
• DHCP Monitor
• SD-WAN Monitor
• FortiGuard Quota Monitor
• IPsec Monitor
• SSL-VPN Monitor
• Firewall User Monitor
• Quarantine Monitor
• FortiClient Monitor
• FortiAP Clients Monitor
• Rogue APs Monitor

FortiView monitors and widgets

FortiView monitors are available in the tree menu under Dashboards. The menu contains several default monitors for the
top categories. Additional FortiView monitors are available as widgets that can be added to the dashboards. You can
also add FortiView monitors directly to the tree menu with the Add (+) button.


Core FortiView monitors

The following default monitors are available in the tree menu:

| Dashboard | Usage |
| --- | --- |
| FortiView Sources | Displays Top Sources by traffic volume and drilldown by Source. |
| FortiView Destinations | Displays Top Destinations by traffic volume and drilldown by Destination. |
| FortiView Applications | Displays Top Applications by traffic volume and drilldown by Application. |
| FortiView Web Sites | Displays Top Websites by session count and drilldown by Domain. |
| FortiView Policies | Displays Top Policies by traffic volume and drilldown by Policy number. |
| FortiView Sessions | Displays Top Sessions by traffic source and can be used to end sessions. |

Usage is based on default settings. The pages may be customized further and sorted by other fields.

You can quarantine a host and ban an IP from all of the core FortiView monitors.

Adding FortiView monitors

Non-core FortiView monitors are available in the Add monitor pane. You can add a FortiView widget to a dashboard or
the tree menu as a monitor.


To add a monitor to the tree menu:

1. In the tree menu, under the monitors section, click Add Monitor (+). The Add Monitor window opens.

2. Click Add next to a monitor. You can use the Search field to search for a specific monitor.
3. In the FortiGate area, select All FortiGates or Specify to select a FortiGate device in the security fabric.
4. (Optional) In the Data Source area, select Specify and select a source device.
5. From the Time Period dropdown, select the time period. This option is not available in all monitors.
6. In the Visualization area, select Table View or Bubble Chart.
7. From the Sort By dropdown, select the sorting method.
8. Click Add Monitor. The monitor is added to the tree menu.

Monitors by category

Usage is based on the default settings. The monitors may be customized further and sorted by other fields.

LANDMARK

| Widget | Sort by | Usage |
| --- | --- | --- |
| Applications | Bytes/Sessions/Bandwidth/Packets | Displays top applications and drilldown by application. |
| Application Bandwidth | Bytes/Bandwidth | Displays bandwidth for top applications and drilldown by application. |
| Cloud Applications | Bytes/Sessions/Files(Up/Down) | Displays top cloud applications and drilldown by application. |
| Cloud Users | Bytes/Sessions/Files(Up/Down) | Displays top cloud users and drilldown by cloud user. |
| Compromised Hosts | Verdict | Displays compromised hosts and drilldown by source. |
| Countries/Regions | Bytes/Sessions/Bandwidth/Packets | Displays top countries/regions and drilldown by countries/regions. |
| Destination Firewall Objects | Bytes/Sessions/Bandwidth/Packets | Displays top destination firewall objects and drilldown by destination objects. |
| Destination Owners | Bytes/Sessions/Bandwidth/Packets | Displays top destination owners and drilldown by destination. |
| Destinations | Bytes/Sessions/Bandwidth/Packets | Displays top destinations and drilldown by destination. |
| Search Phrases | Count | Displays top search phrases and drilldown by search phrase. |
| Source Firewall Objects | Bytes/Sessions/Bandwidth/Packets | Displays top source firewall objects and drilldown by source object. |
| Sources | Bytes/Sessions/Bandwidth/Packets | Displays top sources and drilldown by source. |
| Threats | Threat level/Threat Score/Sessions | Displays top threats and drilldown by threat. |
| Traffic Shaping | Dropped Bytes/Bytes/Sessions/Bandwidth/Packets | Displays top traffic shaping and drilldown by shaper. |
| Web Categories | Bytes/Sessions/Bandwidth/Packets | Displays top web categories and drilldown by category. |
| Web Sites | Bytes/Sessions/Bandwidth/Packets | Displays top web sites and drilldown by domain. |
| WiFi Clients | Bytes/Sessions | Displays top WiFi clients and drilldown by source. |

WAN

| Widget | Sort by | Usage |
| --- | --- | --- |
| Servers | Bytes/Sessions/Bandwidth/Packets | Displays top servers and drilldown by server address. |
| Sources | Bytes/Sessions/Bandwidth/Packets | Displays top sources and drilldown by device. |
| Threats | Threat Level/Threat Score/Sessions | Displays top threats and drilldown by threat. |

All Segments

| Widget | Sort by | Usage |
| --- | --- | --- |
| Admin Logins | Configuration Changes/Logins/Failed Logins | Displays top admin logins by username. |
| Destination Interfaces | Bytes/Sessions/Bandwidth/Packets | Displays top destination interfaces by destination interface. |
| Endpoint Vulnerabilities | Severity | Displays top endpoint vulnerabilities by vulnerability name. |
| Failed Authentication | Failed Attempts | Displays top failed authentications by failed authentication source. |
| FortiSandbox Files | Submitted | Displays top FortiSandbox files by file name. |
| Interface Pairs | Bytes/Sessions/Bandwidth/Packets | Displays top interface pairs by source interface. |
| Policies | Bytes/Sessions/Bandwidth/Packets | Displays top policies by policy. |
| Source Interfaces | Bytes/Sessions/Bandwidth/Packets | Displays top source interfaces by source interface. |
| System Events | Level/Events | Displays top system events by event name. |
| VPN | Connections/Bytes | Displays top VPN connections by user. |
| Vulnerable Endpoint Devices | Detected Vulnerabilities | Displays top vulnerable endpoint devices by device. |

A maximum of 25 interfaces can be monitored at one time on a device.

Using the FortiView interface

Use the FortiView interface to customize the view and visualizations within a monitor to find the information you are
looking for. The tools in the top menu bar allow you to change the time display, refresh or customize the data source, and
filter the results. You can also right-click a table in the monitor to view drilldown information for an item.

Real-time and historical charts

Use the Time Display dropdown to select the time period to display on the current monitor. Time display options vary
depending on the monitor and can include real-time information (now) and historical information (1 hour, 24 hours, and 7
days).

Disk logging or remote logging must be enabled to view historical information.

You can create a custom time range by selecting an area in the table with your cursor.

The icon next to the time period identifies the data source (FortiGate Disk, FortiAnalyzer, or FortiGate Cloud). You can
hover over the icon to see a description of the device.


Data source

FortiView gathers information from a variety of data sources. If no log disk or remote logging is configured, the
data is drawn from the FortiGate's session table, and the Time Period is set to Now.

Other data sources that can be configured are:
• FortiGates (disk)
• FortiAnalyzer
• FortiGate Cloud

When Data Source is set to Best Available Device, FortiAnalyzer is selected when available,
then FortiGate Cloud, and then FortiGate Disk.

Drilldown information

Double-click or right-click an entry in a FortiView monitor and select Drill Down to Details to view additional details about
the selected traffic activity. Click the Back icon in the toolbar to return to the previous view.
You can group drilldown information into different drilldown views. For example, you can group the drilldown information
in the FortiView Destinations monitor by Sources, Applications, Threats, Policies, and Sessions.

Double-click an entry to view the logs in Sessions view. Double-click a session to view the logs.


Graph
• The graph shows the bytes sent/received in the time frame. Real time does not include a chart.
• Users can customize the time frame by selecting a time period within the graph.

Summary of
• Shows information such as the user/avatar, avatar/source IP, bytes, and sessions total for the time period.
• Can quarantine a host (access layer quarantine) if it is behind a FortiSwitch or FortiAP.
• Can ban IP addresses, which adds the source IP address to the quarantine list.

Tabs
• Drilling down entries in any of these tabs (except the Sessions tab) will take you to the underlying traffic log in the Sessions tab.
• Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using Application Control in a firewall policy) or unscanned applications, which are shown when the following setting is enabled:
  config log gui-display
      set fortiview-unscanned-apps enable
  end
• Destinations shows destinations grouped by IP address/FQDN.
• Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, Web Filter, Application Control, etc.
• Web Sites contains the websites which were detected either with webfilter, or through FQDN in traffic logs.
• Web Categories groups entries into their categories as dictated by the Web Filter Database.
• Policies groups the entries by which policies they passed through or were blocked by.
• Sessions shows the underlying logs (historical) or sessions (real time). Drilldowns from other tabs end up showing the underlying log located in this tab.
• Search Phrases shows entries of search phrases on search engines captured by a Web Filter UTM profile, with deep inspection enabled in the firewall policy.
• More information can be shown in a tooltip while hovering over these entries.

To view matching logs or download a log, click the Security tab in the Log Details.


Enabling FortiView from devices

You can enable FortiView from SSD disk, FortiAnalyzer and FortiGate Cloud.

FortiView from disk

FortiView from disk is available on all FortiGates with an SSD disk.

Restrictions

| Model | Supported view |
| --- | --- |
| Desktop models (100 series) with SSD | Five minutes and one hour |
| Medium models with SSD | Up to 24 hours |
| Large models (1500D and above) with SSD | Up to seven days |

To enable the seven days view on large models:

config log setting
    set fortiview-weekly-data enable
end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For optimal operation with FortiView, internal interface
roles should be clearly defined as LAN or DMZ, and internet-facing or external interface roles should be defined as WAN.

To configure logging to disk:

config log disk setting
    set status enable
end

To include sniffer traffic and local-deny traffic when using FortiView from Disk:

config report setting
    set report-source forward-traffic sniffer-traffic local-deny-traffic
end


This feature is only supported through the CLI.

Troubleshooting

Use execute report flush-cache and execute report recreate-db to clear up any irregularities that may
be caused by upgrading or cache issues.

Traffic logs

To view traffic logs from disk:

1. Go to Log & Report, and select either the Forward Traffic, Local Traffic, or Sniffer Traffic views.
2. In the top menu bar, click Log location and select Disk.

FortiView from FortiAnalyzer

Connect FortiGate to a FortiAnalyzer to increase the functionality of FortiView. Adding a FortiAnalyzer is useful when
adding monitors such as the Compromised Hosts. FortiAnalyzer also allows you to view historical information for up to
seven days.

Requirements
• A FortiGate or FortiOS
• A compatible FortiAnalyzer (see Compatibility with FortiOS)
To configure logging to the FortiAnalyzer, see Configuring FortiAnalyzer on page 1731.

To enable FortiView from FortiAnalyzer:

1. Go to Dashboard > FortiView Sources.
2. Select a time range other than Now from the dropdown list to view historical data.
3. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget dialog is displayed.
a. In the Data Source area, click Specify.
b. From the dropdown, select FortiAnalyzer, and click OK.

All the historical information now comes from the FortiAnalyzer.

When Data Source is set to Best Available Device, FortiAnalyzer is selected when
available, then FortiGate Cloud, and then FortiGate Disk.


FortiView from FortiGate Cloud

This function requires a FortiGate that is registered and logged into a compatible FortiGate Cloud. When using FortiGate
Cloud, the Time Period can be set to up to 24 hours.
To configure logging to FortiGate Cloud, see FortiGate Cloud on page 1734.

To enable FortiView with log source as FortiGate Cloud:

1. Go to Dashboard > FortiView Sources.


2. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget window opens.
a. In the Data Source area, click Specify.
b. From the dropdown, select FortiGate Cloud, then click OK.

You can select FortiGate Cloud as the data source for all available FortiView pages and
widgets.

FortiView sources

The FortiView Sources monitor displays top sources sorted by Bytes, Sessions or Threat Score. The information can be
displayed in real time or historical views. You can use the monitor to create or edit a firewall device address or IP address
definitions, and temporarily or permanently ban IPs.

To add a firewall device address:

1. In the Device column, hover over the device MAC address. An information window opens.

2. Click Firewall Device Address. The New Address dialog opens.


3. Configure the address settings, and click Return.

Use the Name field to assign a descriptive name to a device so it is easier to find it in the
Device column. After you finish configuring the device, refresh the page to see the new
name in the monitor.


To add a firewall IP address:

1. In the Device column, hover over the device MAC address. An information window opens.

2. Click Firewall IP Address. The New Address window opens.


3. Configure the address settings, and click Return.

Use the Name field to assign a descriptive name to a device so it is easier to find it in the
Device column. After you finish configuring the device, refresh the page to see the new
name in the monitor.

To ban an IP address:

1. In the Device column, hover over the device MAC address. An information window opens.

2. Click Ban IP. The Ban IP dialog is displayed.


3. Configure the ban IP settings, and click OK.

FortiView Sessions

The FortiView Sessions monitor displays Top Sessions by traffic source and can be used to end sessions.
To view the FortiView Sessions dashboard, go to Dashboard > FortiView Sessions.


The session table displayed on the FortiView Sessions monitor is useful when verifying open connections. For example,
if you have a web browser open to browse the Fortinet website, you would expect a session entry from your computer on
port 80 to the IP address for the Fortinet website. You can also use a session table to investigate why there are too many
sessions for FortiOS to process.
You can filter the sessions displayed in the session table by setting up the available filtering options.

To filter sessions in the session table:

1. Click on the Add Filter button at the top of the session table.

2. Select the required filtering option. The session table updates to the filter selection.

3. You may add one or more filters depending upon your requirements. To add more filters, repeat the above steps for
a different set of filters.


You can be very specific with how you use filters and target sessions based on different filter combinations. For example,
you may want to view all sessions from a device with a particular IP by adding the Source IP filter. Similarly, you may
need to target all the sessions having a particular Destination IP and Destination Port, and so on.
You may also view the session data in the CLI.

To view session data using the CLI:

# diagnose sys session list

The session table output in the CLI is very large. You can use the supported filters in the CLI to show only the data you
need.

To view session data with filters using the CLI:

# diagnose sys session filter <option>

See Using a session table on page 2135 to learn more about using the supported filters in the CLI.
You may also decide to end a particular session or all sessions for administrative purposes.

To end sessions from the GUI:

1. Select the session you want to end. To select multiple sessions, hold the Ctrl or Shift key on your keyboard while
clicking the sessions.

2. Right-click on the selected sessions, click on End Session(s) or End All Sessions.

3. Click OK in the confirmation dialog.

FortiView Top Source and Top Destination Firewall Objects monitors

The FortiView Source Firewall Objects and FortiView Destination Firewall Objects monitors leverage UUID to resolve
firewall object address names for improved usability.

Requirements

To have a historical Firewall Objects-based view, address objects' UUIDs need to be logged.

To enable address object UUID logging in the CLI:

config system global
    set log-uuid-address enable
end
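The CLI settings this chapter relies on (logging to disk, report-source for sniffer and local-deny traffic, fortiview-weekly-data on large models, and log-uuid-address for the Firewall Objects monitors) can be checked offline against a saved configuration. The following added example (not Fortinet code, not from the guide) parses FortiOS-style config text into nested dicts and audits those four settings; the configuration text is constructed for illustration, and the parser handles only config/edit/set/unset/next/end lines.

```python
"""Parse FortiOS-style CLI configuration text and audit the settings that
FortiView's historical and firewall-object views depend on.

Added example: the config sample is constructed, and the parser only
understands the config/edit/set/unset/next/end command forms.
"""
import shlex
from typing import Dict, List, Tuple


def parse_fortios_config(text: str) -> Dict:
    """Return a nested dict: 'config' paths and 'edit' entries map to dicts,
    'set' keys map to the list of their values (quotes are stripped)."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]
        current = stack[-1]
        if cmd == "config":
            stack.append(current.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(current.setdefault(args[0], {}))
        elif cmd == "set":
            current[args[0]] = args[1:]
        elif cmd == "unset":
            current.pop(args[0], None)
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {cmd!r}")
            stack.pop()
        else:
            raise ValueError(f"unsupported command: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


# (config path, setting, values the guide shows) for FortiView from disk
# and the Firewall Objects monitors.
FORTIVIEW_CHECKS: List[Tuple[str, str, List[str]]] = [
    ("log disk setting", "status", ["enable"]),
    ("report setting", "report-source",
     ["forward-traffic", "sniffer-traffic", "local-deny-traffic"]),
    ("log setting", "fortiview-weekly-data", ["enable"]),
    ("system global", "log-uuid-address", ["enable"]),
]


def audit_fortiview_settings(config: Dict) -> List[str]:
    """Return one finding per setting that is absent or lacks a required
    value. An empty list means every check passed."""
    findings = []
    for path, key, required in FORTIVIEW_CHECKS:
        block = config.get(path, {})
        if key not in block:
            findings.append(f"{path}: '{key}' not set (FortiOS default applies)")
            continue
        missing = [v for v in required if v not in block[key]]
        if missing:
            findings.append(
                f"{path}: '{key}' is '{' '.join(block[key])}', "
                f"missing {', '.join(missing)}")
    return findings


# Constructed configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-lab"
    set log-uuid-address enable
end
config log disk setting
    set status enable
end
config report setting
    set report-source forward-traffic
end
config log setting
    set fortiview-weekly-data disable
end
config firewall address
    edit "lab-lan"
        set subnet 192.0.2.0 255.255.255.0
    next
end
"""

if __name__ == "__main__":
    for finding in audit_fortiview_settings(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Settings that are optional for a given deployment (weekly data on smaller models, sniffer traffic) still show up as findings; the list is a prompt to decide, not a verdict.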

To add a firewall object monitor in the GUI:

1. Click Add Monitor. The Add Monitor window opens.

2. In the Search field, type Destination Firewall Objects and click the Add button next to the dashboard name.
3. In the FortiGate area, select the FortiGate(s) from the dropdown.
4. In the Data Source area, select Best Available Device or Specify. For information, see Using the FortiView interface
on page 97.
5. From the Time Period dropdown, select the time period. Select now for real-time information, or (1 hour, 24 hours,
and 7 days) for historical information.
6. In the Visualization area, select Table View or Bubble Chart.
7. From the Sort By dropdown, select Bytes, Sessions, Bandwidth, or Packets.
8. Click Add Monitor. The monitor is added to the tree menu.

To drill down Firewall Objects:

1. Open the FortiView Source Firewall Objects or FortiView Destination Firewall Objects monitor.
2. Right-click on any Source or Destination Object and click Drill Down to Details.

3. Click the tabs to sort the sessions by Application, Destinations, Web Sites, or Policies.

4. To view signatures, click the entry in the Category column.

5. To view sessions, right-click an entry and click View Sessions, or click the Sessions tab.
6. To end a session, right-click an entry in the Sessions tab and select End Sessions or End All Sessions.


Viewing top websites and sources by category

You can use FortiGuard web categories to populate the category fields in various FortiView monitors such as FortiView
Web Categories, FortiView Websites or FortiView Sources. To view the categories in a monitor, the web filter profile
must be configured to at least monitor for a FortiGuard category based on a web filter and applied to a firewall policy for
outbound traffic.

To verify the web filter profile is monitor-only:

1. Go to Security Profiles > Web Filter.


2. Double-click a web filter that is applied to an outbound traffic firewall policy. The Edit Web Filter Profile window
opens.
3. Ensure FortiGuard category based filter is enabled.
In the image below, the General Interest - Business categories are monitor-only.

To create a Web categories monitor:

1. Click Add Monitor. The Add Monitor window opens.

2. In the Search field, type FortiView Web Categories and click the Add button next to the monitor name.
3. In the FortiGate area, select the FortiGate(s) from the dropdown.
4. In the Data Source area, click Best Available Device or Specify to select a device in the security fabric.
5. From the Time Period dropdown, select a time period greater than Now.
6. From the Sort By dropdown, select Bytes, Sessions, Bandwidth, or Packets.
7. Click Add Monitor. The widget is added to the tree menu.


Viewing the web filter category

The web filter category name appears in the Category column of the dashboard.

Click an entry in the table. The category name appears at the top of the Summary of box.

Click the Web Sites tab. The category name appears in the Category column.


Click the Sessions tab. The category name appears in the Category Description column.

The category name also appears in the Category column in the FortiView Websites and FortiView Sources monitors.


Cloud application view

To see different cloud application views, set up the following:
• A FortiGate with a relevant firewall policy that uses an Application Control security profile.
• A FortiGate with log data from the local disk or FortiAnalyzer.
• Optional but highly recommended: SSL Inspection set to deep-inspection on the relevant firewall policies.

Viewing cloud applications

Cloud applications

All cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example, Facebook_File.Download can monitor Facebook download behavior, which requires SSL deep-inspection to parse the deep information in the network packets.

To view cloud applications:

1. Go to Security Profiles > Application Control.


2. Select the relevant Application Control profile used by the firewall policy and click Edit.
3. On the Edit Application Sensor page, click View Application Signatures.
4. Hover over a column heading or the Application Signature bar. In the right gutter area, click the filter icon to filter the
applications.


Cloud applications have a cloud icon beside them.


The lock icon indicates that the application requires SSL deep inspection.

5. Hover over an item to see its details.


This example shows Gmail_Attachment.Download, a cloud application signature based sensor which requires SSL
deep inspection. If any local network user behind the firewall logs into Gmail and downloads a Gmail attachment,
that activity is logged.

Applications with cloud behavior

Applications with cloud behavior is a superset of cloud applications.


Some applications do not require SSL deep inspection, such as Facebook, Gmail, and YouTube. This means that if any
traffic triggers the application sensors for these applications, there is a FortiView cloud application view for that traffic.
Other applications require SSL deep inspection, such as Gmail attachment, Facebook_Workplace, and so on.


To view applications with cloud behavior:

1. In the Application Signature page, ensure the Behavior column is displayed. If necessary, add the Behavior column.
a. Hover over the left side of the table column headings to display the Configure Table icon.
b. Click Configure Table and select Behavior.
c. Click Apply.

2. Click the filter icon in the Behavior column and select Cloud to filter by Cloud. Then click Apply.

3. The Application Signature page displays all applications with cloud behavior.


4. Use the Search box to search for applications. For example, you can search for youtube.

5. Hover over an item to see its details.


This example shows an application sensor with no lock icon, which means that this application sensor does not
require SSL deep inspection. If any local network user behind the firewall tries to navigate to the YouTube website,
that activity is logged.

Configuring the Cloud Applications monitor

On the Edit Application Sensor page in the Categories section, the eye icon next to a category means that category is
monitored and logged.


To add the Cloud Applications monitor in the GUI:

1. Click Add Monitor. The Add monitor window opens.

2. In the Search field, enter FortiView Cloud Applications and click the Add button next to the monitor.
3. In the FortiGate area, select the FortiGate(s) from the dropdown.
4. In the Data Source area, click Best Available Device or Specify to select a device in the security fabric.
5. From the Time Period dropdown, select a time period greater than Now.
6. From the Sort By dropdown, select Bytes, Sessions, or Files (Up/Down).
7. Click Add Monitor. The monitor is added to the tree menu.
8. Open the monitor. If SSL deep inspection is enabled on the relevant firewall policy, then the monitor shows the
additional details that are logged, such as Files (Up/Down) and Videos Played.
l For YouTube, the Videos Played column is triggered by the YouTube_Video.Play cloud application sensor.
This shows the number of local network users who logged into YouTube and played YouTube videos.
l For Dropbox, the Files (Up/Down) column is triggered by Dropbox_File.Download and Dropbox_File.Upload
cloud application sensors. This shows the number of local network users who logged into Dropbox and
uploaded or downloaded files.


Using the Cloud Applications monitor

To see additional information in the Cloud Applications monitor:

1. In the tree menu, click the FortiView Cloud Applications monitor to open it.

2. For details about a specific entry, double-click the entry or right-click the entry and select Drill Down to Details.
3. To see all the sessions for an application, click Sessions.
In this example, the Application Name column shows all applications related to YouTube.


4. To view log details, double-click a session to display the Log Details pane.
Sessions monitored by SSL deep inspection (in this example, Youtube_Video.Play) captured deep information such
as Application User, Application Details, and so on. The Log Details pane also shows additional deep information
such as application ID, Message, and so on.
Sessions not monitored by SSL deep inspection (YouTube) did not capture the deep information.

5. To display a specific time period, select and drag in the timeline graph to display only the data for that time period.

Top application: YouTube example

Monitoring network traffic with SSL deep inspection

This example describes how to monitor network traffic for YouTube using FortiView Applications view with SSL deep
inspection.

To monitor network traffic with SSL deep inspection:

1. Create a firewall policy with the following settings:


l Application Control is enabled.

l SSL Inspection is set to deep-inspection.


l Log Allowed Traffic is set to All Sessions.

2. Go to Security Profiles > Application Control.


3. Select the Application Control profile used by the relevant firewall policy and click Edit.
4. Because YouTube cloud applications are categorized into Video/Audio, ensure the Video/Audio category is
monitored. Monitored categories are indicated by an eye icon.
5. Click View Application Signatures and hover over YouTube cloud applications to view detailed information about
YouTube application sensors.
6. Expand YouTube to view the Application Signatures associated with the application.

Application Signature       Description                                                      Application ID

YouTube_Video.Access        An attempt to access a video on YouTube.                         16420

YouTube_Channel.ID          An attempt to access a video on a specific channel on YouTube.   44956

YouTube_Comment.Posting     An attempt to post comments on YouTube.                          31076

YouTube_HD.Streaming        An attempt to watch HD videos on YouTube.                        33104

YouTube_Messenger           An attempt to access messenger on YouTube.                       47858

YouTube_Video.Play          An attempt to download and play a video from YouTube.            38569

YouTube_Video.Upload        An attempt to upload a video to YouTube.                         22564

YouTube                     An attempt to access YouTube.                                    31077
                            This application sensor does not depend on SSL deep
                            inspection, so it does not have a cloud or lock icon.

YouTube_Channel.Access      An attempt to access a video on a specific channel on YouTube.   41598

To view the application signature description, click the ID link in the information window.

7. On the test PC, log into YouTube and play some videos.
8. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing
YouTube videos.


In this example, note the Application User and Application Details. Also note that the Application Control ID is 38569
showing that this entry was triggered by the application sensor YouTube_Video.Play.

9. Go to Dashboard > FortiView Applications.


10. In the FortiView Applications monitor, double-click YouTube to view the drilldown information.
11. Select the Sessions tab to see all the entries for the videos played. Check the sessions for YouTube_Video.Play
with the ID 38569.

Monitoring network traffic without SSL deep inspection

This example describes how to monitor network traffic for YouTube using FortiView cloud application view without SSL
deep inspection.

To monitor network traffic without SSL deep inspection:

1. Create a firewall policy with the following settings.


l Application Control is enabled.

l SSL Inspection is set to certificate-inspection.


l Log Allowed Traffic is set to All Sessions.

2. On the test PC, log into YouTube and play some videos.
3. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing
YouTube videos.
In this example, the log shows only applications with the name YouTube. The log cannot show YouTube application
sensors which rely on SSL deep inspection.

4. Go to Dashboard > FortiView Applications.


The FortiView Application by Bytes monitor shows the YouTube cloud application without the video played
information that requires SSL deep inspection.


5. Double-click YouTube and click the Sessions tab.


These sessions were triggered by the application sensor YouTube with the ID 31077. This is the application sensor
with cloud behavior which does not rely on SSL deep inspection.

Network

The following topics provide information about network settings:


l Interfaces on page 121
l DNS on page 176
l Explicit and transparent proxies on page 193
l SD-WAN on page 350
l DHCP server on page 255
l Static routing on page 262
l RIP on page 285
l OSPF on page 285
l BGP on page 285
l Multicast on page 285
l FortiExtender on page 289
l Direct IP support for LTE/4G on page 293
l LLDP reception on page 296
l Virtual routing and forwarding on page 299
l NetFlow on page 323
l Link monitor on page 341

Interfaces

Physical and virtual interfaces allow traffic to flow between internal networks, and between the internet and internal
networks. FortiGate has options for setting up interfaces and groups of subnetworks that can scale as your organization
grows. You can create and edit VLAN, EMAC-VLAN, switch interface, zones, and so on.
The following topics provide information about interfaces:
l Interface settings on page 122
l Aggregation and redundancy on page 126
l VLANs on page 129
l Enhanced MAC VLANs on page 135
l Inter-VDOM routing on page 138
l Software switch on page 143
l Hardware switch on page 145
l Zone on page 147
l Virtual wire pair on page 149
l PRP handling in NAT mode with virtual wire pair on page 152
l Virtual switch support for FortiGate 300E series on page 153
l Failure detection for aggregate and redundant interfaces on page 155
l VLAN inside VXLAN on page 156
l Virtual wire pair with VXLAN on page 158


l QinQ on page 160


l Assign a subnet with the FortiIPAM service on page 161
l Interface MTU packet size on page 166
l One-arm sniffer on page 168
l Interface migration wizard on page 172

Interface settings

Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different
options for configuring interfaces when FortiGate is in NAT mode or transparent mode.
The available options will vary depending on feature visibility, licensing, device model, and other factors. The following
list is not comprehensive.

To configure an interface in the GUI:

1. Go to Network > Interfaces.


2. Click Create New > Interface.
3. Configure the interface fields:

Interface Name Physical interface names cannot be changed.

Alias Enter an alternate name for a physical interface on the FortiGate unit. This
field appears when you edit an existing physical interface. The alias does not
appear in logs.
The maximum length of the alias is 25 characters.

Type The configuration type for the interface, such as VLAN, Software Switch,
802.3ad Aggregate, and others.

Interface This field is available when Type is set to VLAN.


Select the name of the physical interface that you want to add a VLAN
interface to. Once created, the VLAN interface is listed below its physical
interface in the Interface list.
You cannot change the physical interface of a VLAN interface.

VLAN ID This field is available when Type is set to VLAN.


Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and
must match the VLAN ID added by the IEEE 802.1Q-compliant router or
switch that is connected to the VLAN subinterface.
The VLAN ID can be edited after the interface is added.

VRF ID Virtual Routing and Forwarding (VRF) allows multiple routing table instances
to coexist on the same router. One or more interfaces can belong to a VRF, and
packets are only forwarded between interfaces in the same VRF.

Virtual Domain Select the virtual domain to add the interface to.
Only administrator accounts with the super_admin profile can change the
Virtual Domain.

Interface Members This section can have different formats depending on the Type.


Members can be selected for some interface types:
l Software Switch or Hardware Switch: Specify the physical and wireless
interfaces joined into the switch.
l 802.3ad Aggregate or Redundant Interface: This field includes the
available and selected interface lists.

Role Set the role for the interface. Different settings are shown or hidden when
editing an interface depending on the role:
l LAN: Used to connect to a local network of endpoints. This is the default role
for new interfaces.
l WAN: Used to connect to the internet. When WAN is selected, the Estimated
bandwidth setting is available, and the following settings are not: DHCP server,
Create address object matching subnet, Device detection, Security mode, One-arm
sniffer, Dedicate to extension/fortiap modes, and Admission Control.
l DMZ: Used to connect to the DMZ. When selected, DHCP server and Security
mode are not available.
l Undefined: The interface has no specific role. When selected, Create address
object matching subnet is not available.

Estimated bandwidth The estimated WAN bandwidth.


The values can be entered manually, or saved from a speed test executed on
the interface. The values can be used in SD-WAN rules that use the Maximize
Bandwidth or Best Quality strategy.

Traffic mode This option is only available when Type is WiFi SSID.
l Tunnel: Tunnel to wireless controller
l Bridge: Local bridge with FortiAP's interface
l Mesh: Mesh downlink

Address

Addressing mode Select the addressing mode for the interface.
l Manual: Add an IP address and netmask for the interface. If IPv6
configuration is enabled, you can add both an IPv4 and an IPv6 address.
l DHCP: Get the interface IP address and other network settings from a
DHCP server.
l Auto-managed by FortiIPAM: Assign subnets to prevent duplicate
IP addresses from overlapping within the same Security Fabric. See
Assign a subnet with the FortiIPAM service on page 161.
l PPPoE: Get the interface IP address and other network settings from a
PPPoE server. This option is only available on the low-end FortiGate
models.
l One-Arm Sniffer: Set the interface as a sniffer port so it can be used to
detect attacks. See One-arm sniffer on page 168.

IP/Netmask If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask
for the interface. FortiGate interfaces cannot have multiple IP addresses on
the same subnet.


IPv6 addressing mode Select the addressing mode for the interface:
l Manual: Add an IP address and netmask for the interface.

l DHCP: Get the interface IP address and other network settings from a
DHCP server.
l Delegated: Select an IPv6 upstream interface that has DHCPv6 prefix
delegation enabled, and enter an IPv6 subnet if needed. The interface will
get the IPv6 prefix from the upstream DHCPv6 server that is connected to
the IPv6 upstream interface, and form the IPv6 address with the subnet
configured on the interface.

IPv6 Address/Prefix If Addressing Mode is set to Manual and IPv6 support is enabled, enter an
IPv6 address and subnet mask for the interface. A single interface can have an
IPv4 address, IPv6 address, or both.

Auto configure IPv6 address Automatically configure an IPv6 address using Stateless Address
Autoconfiguration (SLAAC).
This option is available when IPv6 addressing mode is set to Manual.

DHCPv6 prefix delegation Enable/disable DHCPv6 prefix delegation, which can be used to delegate IPv6
prefixes from an upstream DHCPv6 server to another interface or downstream
device.
When enabled, there is an option to enable a DHCPv6 prefix hint that helps the
DHCPv6 server provide the desired prefix.

Create address object This option is available when Role is set to LAN or DMZ.
matching subnet Enable this option to automatically create an address object that matches the
interface subnet.

Secondary IP Address Add additional IPv4 addresses to this interface.

Administrative Access

IPv4 Administrative Access Select the types of administrative access permitted for IPv4 connections to this
interface. See Configure administrative access to interfaces on page 125.

IPv6 Administrative Access Select the types of administrative access permitted for IPv6 connections to this
interface. See Configure administrative access to interfaces on page 125.

DHCP Server Enable a DHCP server for the interface. See DHCP server on page 255.

Stateless Address Autoconfiguration (SLAAC) Enable to provide IPv6 addresses to connected devices using SLAAC.

DHCPv6 Server Select to enable a DHCPv6 server for the interface.
When enabled, you can configure DNS service settings: Delegated (delegate
the DNS received from the upstream server), Same as System DNS, or
Specify (up to four servers).
You can also enable Stateful server to configure the DHCPv6 server to be
stateful. Manually enter the IP range, or use Delegated mode to delegate IP
prefixes from an upstream DHCPv6 server connected to the upstream
interface.


Device Detection Enable/disable passively gathering device identity information about the
devices on the network that are connected to this interface.

Security Mode Enable/disable captive portal authentication for this interface. After enabling
captive portal authentication, you can configure the authentication portal, user
and group access, custom portal messages, exempt sources and
destinations/services, and redirect after captive portal.

Traffic Shaping

Outbound shaping profile Enable/disable traffic shaping on the interface. This allows you to enforce
bandwidth limits on individual interfaces. See Interface-based traffic shaping
profile on page 728 for more information.

Miscellaneous

Comments Enter a description of the interface of up to 255 characters.

Status Enable/disable the interface.


l Enabled: The interface is active and can accept network traffic.

l Disabled: The interface is not active and cannot accept traffic.

4. Click OK.

To configure an interface in the CLI:

config system interface
    edit <name>
        set vdom <VDOM_name>
        set mode {static | dhcp | pppoe}
        set ip <IP_address/netmask>
        set security-mode {none | captive-portal | 802.1X}
        set egress-shaping-profile <profile>
        set device-identification {enable | disable}
        set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response fabric ftm}
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 9.1.1.2 255.255.255.0
                set allowaccess ping https ssh snmp http
            next
        end
    next
end

Configure administrative access to interfaces

You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure
access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing
interfaces that you don't want them to access, such as public-facing ports.
As a best practice, you should configure administrative access when you're setting the IP address for a port.


To configure administrative access to interfaces in the GUI:

1. Go to Network > Interfaces.


2. Create or edit an interface.
3. In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.

HTTPS Allow secure HTTPS connections to the FortiGate GUI through this interface. If
configured, this option is enabled automatically.

HTTP Allow HTTP connections to the FortiGate GUI through this interface. This option can
only be enabled if HTTPS is already enabled.

PING The interface responds to pings. Use this setting to verify your installation and for
testing.

FMG-Access Allow FortiManager authorization automatically during the communication
exchanges between FortiManager and FortiGate devices.

SSH Allow SSH connections to the CLI through this interface.

SNMP Allow a remote SNMP manager to request SNMP information by connecting to this
interface.

FTM Allow FortiToken Mobile Push (FTM) access.

RADIUS Accounting Allow RADIUS accounting information on this interface.

Security Fabric Connection Allow Security Fabric access. This enables FortiTelemetry and CAPWAP.

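The guidance above (restrict management protocols, especially on public-facing ports) can be checked mechanically against a configuration backup. The following Python script is an added example, not Fortinet code: it parses config system interface output in the CLI shape shown on this page and reports cleartext or surplus administrative protocols; the interface names, addresses and the WAN baseline set are constructed assumptions.

```python
"""Audit FortiOS 'config system interface' output for risky administrative access.

Added example, not Fortinet code. It parses the CLI shape shown on this page
(config / edit / set / next / end) and reports interfaces whose allowaccess list
enables cleartext management protocols, or exposes more than a minimal set on a
WAN-role interface. Secondary IP addresses carry their own allowaccess list, so
nested 'config secondaryip' blocks are folded into the parent interface's findings.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the same CLI format the page uses; interface names and
# addresses are made up for this example.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh http snmp
        set role wan
    next
    edit "internal"
        set ip 192.168.110.126 255.255.255.0
        set allowaccess ping https ssh
        set role lan
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.111.1 255.255.255.0
                set allowaccess ping http
            next
        end
    next
    edit "aggregate"
        set ip 10.1.1.123 255.255.255.0
        set allowaccess https ssh
        set type aggregate
        set member "port4" "port5" "port6"
    next
end
"""

# Protocols that carry administrator credentials and sessions unencrypted.
CLEARTEXT = {"http", "telnet"}
# Assumed baseline for internet-facing ports (an example policy, not a Fortinet
# recommendation): encrypted management plus ICMP for reachability tests.
WAN_BASELINE = {"https", "ssh", "ping"}

Settings = Dict[str, List[str]]


def parse_interfaces(text: str) -> Dict[str, Settings]:
    """Return {interface: {setting: [values]}} for each top-level edit block.

    Settings from nested blocks (such as config secondaryip) are stored under a
    'nested:' prefix so they are audited but not mistaken for the interface's own.
    """
    interfaces: Dict[str, Settings] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and (m := re.match(r'^edit\s+"?([^"]+)"?$', line)):
            current = m.group(1)
            interfaces[current] = {}
        elif depth == 1 and line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split()
            key = parts[1] if depth == 1 else "nested:" + parts[1]
            values = [v.strip('"') for v in parts[2:]]
            interfaces[current].setdefault(key, []).extend(values)
    return interfaces


def audit(interfaces: Dict[str, Settings]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for allowaccess settings worth reviewing."""
    findings: List[Tuple[str, str]] = []
    for name, s in interfaces.items():
        access = set(s.get("allowaccess", [])) | set(s.get("nested:allowaccess", []))
        role = s.get("role", ["undefined"])[0]
        for proto in sorted(access & CLEARTEXT):
            findings.append((name, f"cleartext management protocol '{proto}' is enabled"))
        if role == "wan":
            for proto in sorted(access - WAN_BASELINE - CLEARTEXT):
                findings.append((name, f"'{proto}' is exposed on a WAN-role interface"))
    return findings


if __name__ == "__main__":
    for iface, issue in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {issue}")
```

Run it against the output of show system interface from a real unit to get the same findings for that configuration.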
Aggregation and redundancy

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated
(combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred
automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.
This feature is similar to redundant interfaces. The major difference is a redundant interface group only uses one link at a
time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).
An interface is available to be an aggregate interface if:
l It is a physical interface and not a VLAN interface or subinterface.
l It is not already part of an aggregate or redundant interface.
l It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
l It does not have an IP address and is not configured for DHCP or PPPoE.
l It is not referenced in any security policy, VIP, IP Pool, or multicast policy.
l It is not an HA heartbeat interface.
l It is not one of the FortiGate-5000 series backplane interfaces.
When an interface is included in an aggregate interface, it is not listed on the Network > Interfaces page. The interface still
appears in the CLI, although its individual configuration does not take effect. You cannot configure the interface
individually, and it is not available for inclusion in security policies, VIPs, IP pools, or routing.


Sample configuration

This example creates an aggregate interface on a FortiGate-140D POE using ports 3-5 with an internal IP address of
10.1.1.123, as well as the administrative access to HTTPS and SSH.

To create an aggregate interface in the GUI:

1. Go to Network > Interfaces and select Create New > Interface.


2. Set Name to aggregate.
3. Set Type to 802.3ad Aggregate.
4. Set Interface members to port4, port5, and port6.
5. Set Addressing mode to Manual.
6. Set IP/Netmask to 10.1.1.123/24.
7. For Administrative Access, select HTTPS and SSH.
8. Click OK.

To create an aggregate interface in the CLI:

config system interface
    edit "aggregate"
        set vdom "root"
        set ip 10.1.1.123 255.255.255.0
        set allowaccess https ssh
        set type aggregate
        set member "port4" "port5" "port6"
        set snmp-index 45
    next
end

Redundancy

In a redundant interface, traffic only goes over one interface at any time. This differs from an aggregated interface where
traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have more
robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.
An interface is available to be in a redundant interface if:
l It is a physical interface and not a VLAN interface.
l It is not already part of an aggregated or redundant interface.
l It is in the same VDOM as the redundant interface.
l It does not have an IP address and is not configured for DHCP or PPPoE.
l It has no DHCP server or relay configured on it.
l It does not have any VLAN subinterfaces.
l It is not referenced in any security policy, VIP, or multicast policy.
l It is not monitored by HA.
l It is not one of the FortiGate-5000 series backplane interfaces.
When an interface is included in a redundant interface, it is not listed on the Network > Interfaces page. You cannot
configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.


Sample configuration

To create a redundant interface in the GUI:

1. Go to Network > Interfaces and select Create New > Interface.


2. Set Name to redundant.
3. Set Type to Redundant Interface.
4. Set Interface members to port4, port5, and port6.
5. Set Addressing mode to Manual.
6. Set IP/Netmask to 10.13.101.100/24.
7. For Administrative Access, select HTTPS and SSH.
8. Click OK.

To create a redundant interface in the CLI:

config system interface
    edit "redundant"
        set vdom "root"
        set ip 10.13.101.100 255.255.255.0
        set allowaccess https http
        set type redundant
        set member "port4" "port5" "port6"
        set snmp-index 9
    next
end

Enhanced hashing for LAG member selection

FortiGate models that have an internal switch that supports modifying the distribution algorithm can use enhanced
hashing to help distribute traffic evenly, or load balance, across links on the Link Aggregation (LAG) interface.
The enhanced hashing algorithm is based on a 5-tuple of the IP protocol, source IP address, destination IP address,
source port, and destination port.
Different computation methods allow for more variation in the load balancing distribution, in case one algorithm does not
distribute traffic evenly between links across different XAUIs. The available methods are:

xor16 Use the XOR operator to make a 16 bit hash.

xor8 Use the XOR operator to make an 8 bit hash.

xor4 Use the XOR operator to make a 4 bit hash.

crc16 Use the CRC-16-CCITT polynomial to make a 16 bit hash.

The following NP6 non-service FortiGate models support this feature: 1200D, 1500D,
1500DT, 3000D, 3100D, 3200D, 3700D, and 5001D.


To configure the enhanced hashing:

config system npu
    set lag-out-port-select {enable | disable}
    config sw-eh-hash
        set computation {xor4 | xor8 | xor16 | crc16}
        set ip-protocol {include | exclude}
        set source-ip-upper-16 {include | exclude}
        set source-ip-lower-16 {include | exclude}
        set destination-ip-upper-16 {include | exclude}
        set destination-ip-lower-16 {include | exclude}
        set source-port {include | exclude}
        set destination-port {include | exclude}
        set netmask-length {0 - 32}
    end
end

For example, to use XOR16 and include all of the fields in the 5-tuple to compute the link in the LAG interface that the
packet is distributed to:
config system npu
    set lag-out-port-select enable
    config sw-eh-hash
        set computation xor16
        set ip-protocol include
        set source-ip-upper-16 include
        set source-ip-lower-16 include
        set destination-ip-upper-16 include
        set destination-ip-lower-16 include
        set source-port include
        set destination-port include
        set netmask-length 32
    end
end
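To make the 5-tuple hashing concrete, the following Python model is an added example; it is not Fortinet code and not the NP6 switch's actual algorithm, which this guide does not document. Its include/exclude flags, netmask-length and computation names mirror the sw-eh-hash options above, the CRC uses the CRC-16-CCITT polynomial named in the table, and the flows are constructed.

```python
"""Model of enhanced-hash LAG member selection (added example, not Fortinet code).

Each 5-tuple field can be included or excluded, addresses are masked to
netmask-length, and the selected fields are reduced to a 4, 8 or 16 bit hash with
XOR or to a 16 bit CRC-16-CCITT, as the sw-eh-hash options describe. How the NP6
switch actually mixes the fields is not documented here; this is an illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One direction of a session, identified by its 5-tuple."""
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _halves(ip: str, netmask_length: int):
    """Mask an IPv4 address to netmask_length bits and split it into two 16-bit words."""
    mask = (0xFFFFFFFF << (32 - netmask_length)) & 0xFFFFFFFF
    n = int(ipaddress.IPv4Address(ip)) & mask
    return (n >> 16) & 0xFFFF, n & 0xFFFF


def selected_words(flow: Flow, include: Optional[Dict[str, bool]] = None,
                   netmask_length: int = 32) -> List[int]:
    """Return the 16-bit words for the fields set to include (default: all seven)."""
    include = include or {}
    s_hi, s_lo = _halves(flow.src_ip, netmask_length)
    d_hi, d_lo = _halves(flow.dst_ip, netmask_length)
    fields = {  # keys are the CLI option names under config sw-eh-hash
        "ip-protocol": flow.proto,
        "source-ip-upper-16": s_hi,
        "source-ip-lower-16": s_lo,
        "destination-ip-upper-16": d_hi,
        "destination-ip-lower-16": d_lo,
        "source-port": flow.src_port,
        "destination-port": flow.dst_port,
    }
    return [v & 0xFFFF for k, v in fields.items() if include.get(k, True)]


def xor_fold(words: List[int], bits: int) -> int:
    """XOR the words into a 16-bit value, then fold it in half until it is `bits` wide."""
    h = 0
    for w in words:
        h ^= w
    width = 16
    while width > bits:
        width //= 2
        h = (h >> width) ^ (h & ((1 << width) - 1))
    return h


def crc16_ccitt(data: bytes) -> int:
    """CRC-16-CCITT (polynomial 0x1021, initial value 0xFFFF, no reflection)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def select_member(flow: Flow, num_links: int, computation: str = "xor16",
                  include: Optional[Dict[str, bool]] = None,
                  netmask_length: int = 32) -> int:
    """Pick the LAG member (0..num_links-1) for a flow under the given computation."""
    words = selected_words(flow, include, netmask_length)
    if computation == "crc16":
        h = crc16_ccitt(b"".join(w.to_bytes(2, "big") for w in words))
    elif computation in ("xor4", "xor8", "xor16"):
        h = xor_fold(words, int(computation[3:]))
    else:
        raise ValueError(f"unknown computation {computation!r}")
    return h % num_links


def distribution(flows: List[Flow], num_links: int, **kwargs) -> List[int]:
    """Count flows per member link; very uneven counts mean the chosen fields do not balance."""
    counts = [0] * num_links
    for f in flows:
        counts[select_member(f, num_links, **kwargs)] += 1
    return counts


if __name__ == "__main__":
    # Constructed flows: one client talking HTTPS and HTTP to the same server.
    https = Flow(6, "10.1.1.10", "172.16.21.2", 50000, 443)
    http = Flow(6, "10.1.1.10", "172.16.21.2", 50000, 80)
    print("all fields, 4 links:", select_member(https, 4), select_member(http, 4))
    no_dport = {"destination-port": False}
    print("destination-port excluded:", select_member(https, 4, include=no_dport),
          select_member(http, 4, include=no_dport))
```

With every field included the two flows land on different links; excluding destination-port (or masking to a short netmask-length) collapses them onto one, which is the trade-off the include/exclude options control.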

VLANs

Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit and can also provide added network
security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller
domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network
security.

VLANs in NAT mode

In NAT mode, the FortiGate unit functions as a layer-3 device. In this mode, the FortiGate unit controls the flow of
packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also
forward untagged packets to other networks such as the Internet.
In NAT mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches or routers. The trunk
link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN subinterfaces to the
FortiGate's physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate
unit directs packets with VLAN IDs to subinterfaces with matching IDs.


You can define VLAN subinterfaces on all FortiGate physical interfaces. However, if multiple virtual domains are
configured on the FortiGate unit, you only have access to the physical interfaces on your virtual domain. The FortiGate
unit can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a
different VLAN tag to outgoing packets.
Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a VLAN trunk, and the external
interface connects to an Internet router that is not configured for VLANs. In this configuration, the FortiGate unit can
apply different policies for traffic on each VLAN interface connected to the internal interface, which results in less
network traffic and better security.

Sample topology

In this example, two different internal VLAN networks share one interface on the FortiGate unit and share the connection
to the Internet. This example shows that two networks can have separate traffic streams while sharing a single interface.
This configuration can apply to two departments in a single company or to different companies.
There are two different internal network VLANs in this example. VLAN_100 is on the 10.1.1.0/255.255.255.0 subnet, and
VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet. These VLANs are connected to the VLAN switch.
The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk. The internal interface has an IP
address of 192.168.110.126 and is configured with two VLAN subinterfaces (VLAN_100 and VLAN_200). The external
interface has an IP address of 172.16.21.2 and connects to the Internet. The external interface has no VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN ID tags and forwards the
packets of each VLAN both to local ports and to the FortiGate unit across the trunk link. The FortiGate unit has policies
that allow traffic to flow between the VLANs, and from the VLANs to the external network.

Sample configuration

In this example, both the FortiGate unit and the Cisco 2950 switch are installed and connected and basic configuration
has been completed. On the switch, you need access to the CLI to enter commands. No VDOMs are enabled in this

FortiOS 7.0.1 Administration Guide 130


Fortinet Technologies Inc.
Network

example.
General configuration steps include:
1. Configure the external interface.
2. Add two VLAN subinterfaces to the internal network interface.
3. Add firewall addresses and address ranges for the internal and external networks.
4. Add security policies to allow:
l the VLAN networks to access each other.

l the VLAN networks to access the external network.

To configure the external interface:

config system interface
    edit external
        set mode static
        set ip 172.16.21.2 255.255.255.0
    next
end

To add VLAN subinterfaces:

config system interface
    edit VLAN_100
        set vdom root
        set interface internal
        set type vlan
        set vlanid 100
        set mode static
        set ip 10.1.1.1 255.255.255.0
        set allowaccess https ping
    next
    edit VLAN_200
        set vdom root
        set interface internal
        set type vlan
        set vlanid 200
        set mode static
        set ip 10.1.2.1 255.255.255.0
        set allowaccess https ping
    next
end

To add the firewall addresses:

config firewall address
    edit VLAN_100_Net
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
        set type ipmask
        set subnet 10.1.2.0 255.255.255.0
    next
end


To add security policies:

Policies 1 and 2 (between the two VLANs) do not need NAT enabled; policies 3 and 4 (to the external network) do.
config firewall policy
    edit 1
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf VLAN_200
        set dstaddr VLAN_200_Net
        set schedule always
        set service ALL
        set action accept
        set nat disable
        set status enable
    next
    edit 2
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf VLAN_100
        set dstaddr VLAN_100_Net
        set schedule always
        set service ALL
        set action accept
        set nat disable
        set status enable
    next
    edit 3
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set status enable
    next
    edit 4
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set status enable
    next
end
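As an added example (not code from the FortiOS guide), the following Python script parses CLI text in the config/edit/set/next/end form used throughout this guide and audits the firewall policies against the NAT rule just stated: no NAT between the two VLANs, NAT on policies that egress through the external interface. It also flags accept policies that are all/all/ALL with no security profiles. Policies 1 to 4 in the embedded sample mirror the ones above; policies 5 and 6 are constructed to show the findings. The wording of the findings, the use of utm-status as the only sign of security profiles, and treating set nat as the only NAT indicator are the script's own assumptions (central NAT and IP pools are not modelled).

```python
"""Parse FortiOS-style CLI text and audit firewall policies for NAT and scope.

Added example, not code from the FortiOS guide. The grammar handled is the
config / edit / set / unset / delete / next / end form the guide uses; the
policy checks encode the rule stated above (no NAT between the two VLANs,
NAT on policies to the external interface) plus a scope check for accept
policies that are all/all/ALL with no security profiles. Central NAT and
IP pools are not modelled (assumption of this script).
"""
import shlex


def parse_fortios_cli(text):
    """Return nested dicts: {"firewall policy": {"1": {"srcintf": ["VLAN_100"], ...}}}.

    'set' values are kept as lists because FortiOS attributes may be
    multi-valued (for example set srcintf "port3" "port4").
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword in ("unset", "delete"):
            stack[-1].pop(tokens[1], None)
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unrecognised CLI line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def audit_policies(cfg, internal_ifaces, external_ifaces):
    """Return [(policy_id, finding), ...] for accept policies in cfg."""
    internal, external = set(internal_ifaces), set(external_ifaces)
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action", ["deny"]) != ["accept"]:
            continue
        src, dst = set(pol.get("srcintf", [])), set(pol.get("dstintf", []))
        nat_on = pol.get("nat", ["disable"]) == ["enable"]
        if dst & external and not nat_on:
            findings.append((pid, "egress to external interface without NAT"))
        if src <= internal and dst <= internal and nat_on:
            findings.append((pid, "NAT enabled between internal segments"))
        wide_open = (
            pol.get("srcaddr") == ["all"]
            and pol.get("dstaddr") == ["all"]
            and pol.get("service") == ["ALL"]
            and pol.get("utm-status", ["disable"]) != ["enable"]
        )
        if wide_open:
            findings.append((pid, "all/all/ALL accept with no security profiles"))
    return findings


def _policy(pid, srcintf, srcaddr, dstintf, dstaddr, nat):
    """Render one policy entry in the same shape as the guide's CLI listings."""
    return (
        f"    edit {pid}\n"
        f"        set srcintf {srcintf}\n        set srcaddr {srcaddr}\n"
        f"        set dstintf {dstintf}\n        set dstaddr {dstaddr}\n"
        f"        set schedule always\n        set service ALL\n"
        f"        set action accept\n        set nat {nat}\n        set status enable\n"
        f"    next\n"
    )


# Constructed sample: policies 1-4 mirror the page; 5 and 6 are deliberately wrong.
SAMPLE_CONFIG = "config firewall policy\n" + "".join([
    _policy(1, "VLAN_100", "VLAN_100_Net", "VLAN_200", "VLAN_200_Net", "disable"),
    _policy(2, "VLAN_200", "VLAN_200_Net", "VLAN_100", "VLAN_100_Net", "disable"),
    _policy(3, "VLAN_100", "VLAN_100_Net", "external", "all", "enable"),
    _policy(4, "VLAN_200", "VLAN_200_Net", "external", "all", "enable"),
    _policy(5, "VLAN_200", "all", "external", "all", "disable"),   # private sources leave un-NATed
    _policy(6, "VLAN_100", "VLAN_100_Net", "VLAN_200", "VLAN_200_Net", "enable"),  # hides true source
]) + "end\n"

INTERNAL = {"VLAN_100", "VLAN_200"}
EXTERNAL = {"external"}


def audit_sample():
    """Audit the constructed sample with the interface roles from the example above."""
    return audit_policies(parse_fortios_cli(SAMPLE_CONFIG), INTERNAL, EXTERNAL)


if __name__ == "__main__":
    for pid, finding in audit_sample():
        print(f"policy {pid}: {finding}")
```

Run against a backup taken with show firewall policy, the script reports only policies 5 and 6; the four policies from the page pass. The parser keeps every set value as a list on purpose, so multi-valued attributes such as the srcintf/dstintf pairs used for virtual wire pairs later in this chapter survive intact.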

VLANs in transparent mode

In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide services such as antivirus
scanning, web filtering, spam filtering, and intrusion protection to traffic. Some limitations of transparent mode are that you
cannot use SSL VPN, PPTP/L2TP VPN, or a DHCP server, or easily perform NAT on traffic. The same limits apply to IEEE
802.1Q VLAN trunks passing through the unit.
You can insert a FortiGate unit operating in transparent mode into a VLAN trunk without making changes to your
network. In a typical configuration, the FortiGate unit internal interface accepts VLAN packets on a VLAN trunk from a
VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN-tagged
packets through another VLAN trunk to an external VLAN switch or router and on to external networks such as the
Internet. You can configure the unit to apply different policies to traffic on each VLAN in the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one on the
internal interface and the other on the external interface. You then create a security policy to permit packets to flow from
the internal VLAN interface to the external VLAN interface. If required, create another security policy to permit packets to
flow from the external VLAN interface to the internal VLAN interface. Typically in transparent mode, you do not permit
packets to move between different VLANs. Network protection features such as spam filtering, web filtering, and
antivirus scanning are applied through the UTM profiles specified in each security policy, enabling very detailed control
over traffic.
When the FortiGate unit receives a VLAN-tagged packet on a physical interface, it directs the packet to the VLAN
subinterface with the matching VLAN ID. The VLAN tag is removed from the packet and the FortiGate unit then applies
security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a
VLAN subinterface, the VLAN ID of that subinterface is added to the packet and the packet is sent to the corresponding
physical interface.

Sample topology

In this example, the FortiGate unit is operating in transparent mode and is configured with two VLANs: one with an ID of
100 and the other with ID 200. The internal and external physical interfaces each have two VLAN subinterfaces, one for
VLAN_100 and one for VLAN_200.
The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal VLAN_200 network is
10.200.0.0/255.255.0.0.
The internal networks are connected to a Cisco 2950 VLAN switch which combines traffic from the two VLANs onto one
trunk into the FortiGate unit's internal interface. The VLAN traffic leaves the FortiGate unit on the external network
interface, goes on to the external VLAN switch, and on to the Internet. When the FortiGate unit receives a tagged packet,
it directs it from the incoming VLAN subinterface to the outgoing VLAN subinterface for that VLAN.
In this example, we create a VLAN subinterface on the internal interface and another one on the external interface, both
with the same VLAN ID. Then we create security policies that allow packets to travel between the VLAN_100_int
interface and the VLAN_100_ext interface. Two policies are required, one for each direction of traffic. The same is
required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four security policies.

Sample configuration

There are two main steps to configure your FortiGate unit to work with VLANs in transparent mode:
1. Add VLAN subinterfaces.
2. Add security policies.
You can also configure the security profiles that manage antivirus scanning, web filtering, and spam filtering, and apply
them in each security policy.

To add VLAN subinterfaces:

config system interface
    edit VLAN_100_int
        set type vlan
        set interface internal
        set vlanid 100
    next
    edit VLAN_100_ext
        set type vlan
        set interface external
        set vlanid 100
    next
    edit VLAN_200_int
        set type vlan
        set interface internal
        set vlanid 200
    next
    edit VLAN_200_ext
        set type vlan
        set interface external
        set vlanid 200
    next
end

To add security policies:

config firewall policy
    edit 1
        set srcintf VLAN_100_int
        set srcaddr all
        set dstintf VLAN_100_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 2
        set srcintf VLAN_100_ext
        set srcaddr all
        set dstintf VLAN_100_int
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 3
        set srcintf VLAN_200_int
        set srcaddr all
        set dstintf VLAN_200_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 4
        set srcintf VLAN_200_ext
        set srcaddr all
        set dstintf VLAN_200_int
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end

Enhanced MAC VLANs

The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows you to configure multiple
virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.
FortiGate implements an enhanced MAC VLAN consisting of a MAC VLAN with bridge functionality. Because each MAC
VLAN has a unique MAC address, virtual IP addresses (VIPs) and IP pools are supported, and you can disable Source
Network Address Translation (SNAT) in policies.
MAC VLAN cannot be used in a transparent mode virtual domain (VDOM). In a transparent mode VDOM, a packet
leaves an interface with the MAC address of the original source instead of the interface’s MAC address. FortiGate
implements an enhanced version of MAC VLAN where it adds a MAC table in the MAC VLAN which learns the MAC
addresses when traffic passes through.

If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a
packet is sent to this interface, a VLAN tag is inserted in the packet and the packet is sent to the driver of the underlying
interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to
this enhanced MAC VLAN interface.

When using a VLAN ID, the ID and the underlying interface must be a unique pair, even if they
belong to different VDOMs. This is because the underlying, physical interface uses the VLAN
ID as the identifier to dispatch traffic among the VLAN and enhanced MAC VLAN interfaces.

If you use an interface in an enhanced MAC VLAN, do not use it for other purposes such as a management interface, HA
heartbeat interface, or in Transparent VDOMs.
If a physical interface is used by an EMAC VLAN interface, you cannot use it in a Virtual Wire Pair.
In high availability (HA) configurations, enhanced MAC VLAN is treated as a physical interface. It’s assigned a unique
physical interface ID and the MAC table is synchronized with the secondary devices in the same HA cluster.

Example 1: Enhanced MAC VLAN configuration for multiple VDOMs that use the same
interface or VLAN

In this example, a FortiGate is connected, through port1, to a router that is connected to the Internet. Three VDOMs share
the same interface (port1), which connects to that router. Three enhanced MAC VLAN interfaces are configured on port1
for the three VDOMs. The enhanced MAC VLAN interfaces are in the same IP subnet segment and each has a unique
MAC address.
The underlying interface (port1) can be a physical interface, an aggregate interface, or a VLAN interface on a physical or
aggregate interface.

To configure enhanced MAC VLAN for this example in the CLI:

config system interface
    edit port1.emacvlan1
        set vdom VDOM1
        set type emac-vlan
        set interface port1
    next
    edit port1.emacvlan2
        set vdom VDOM2
        set type emac-vlan
        set interface port1
    next
    edit port1.emacvlan3
        set vdom VDOM3
        set type emac-vlan
        set interface port1
    next
end

Example 2: Enhanced MAC VLAN configuration for shared VDOM links among multiple
VDOMs

In this example, multiple VDOMs can connect to each other using enhanced MAC VLAN on network processing unit
(NPU) virtual link (Vlink) interfaces.
FortiGate VDOM links (NPU-Vlink) are designed to be peer-to-peer connections and VLAN interfaces on NPU Vlink
ports use the same MAC address. Connecting more than two VDOMs using NPU Vlinks and VLAN interfaces is not
recommended.

To configure enhanced MAC VLAN for this example in the CLI:

config system interface
    edit npu0_vlink0.emacvlan1
        set vdom VDOM1
        set type emac-vlan
        set interface npu0_vlink0
    next
    edit npu0_vlink0.emacvlan2
        set vdom VDOM3
        set type emac-vlan
        set interface npu0_vlink0
    next
    edit npu0_vlink1.emacvlan1
        set vdom VDOM2
        set type emac-vlan
        set interface npu0_vlink1
    next
end

Example 3: Enhanced MAC VLAN configuration for unique MAC addresses for each
VLAN interface on the same physical port

Some networks require a unique MAC address for each VLAN interface when the VLAN interfaces share the same
physical port. In this case, the enhanced MAC VLAN interface is used the same way as normal VLAN interfaces.
To configure this, use the set vlanid command for the VLAN tag. The VLAN ID and interface must be a unique pair,
even if they belong to different VDOMs.

To configure enhanced MAC VLAN:

config system interface
    edit <interface-name>
        set type emac-vlan
        set vlanid <VLAN-ID>
        set interface <physical-interface>
    next
end

Inter-VDOM routing

VDOM links allow VDOMs to communicate internally without using additional physical interfaces.
Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual interfaces that connect VDOMs. A
VDOM link contains a pair of interfaces, each one connected to a VDOM and forming either end of the inter-VDOM
connection.
When VDOMs are configured on your FortiGate unit, configuring inter-VDOM routing and VDOM links is like creating a
VLAN interface. VDOM links can be managed in either the CLI or in the network interface list in the GUI.

VDOM link does not support traffic offload. If you want to use traffic offload, use NPU-VDOM-
LINK.

To configure a VDOM link in the GUI:

1. In the Global VDOM, go to Network > Interfaces.
2. Click Create New > VDOM Link.
3. Configure the fields, including the Name, Virtual Domain, IP information, Administrative Access, and others, then
   click OK.

By default, VDOM links are created as point-to-point (ppp) links. If required, the link type can
be changed in the CLI.
For example, when running OSPF in IPv6, a link-local address is required in order to
communicate with OSPF neighbors. For a VDOM link to obtain a link-local address its type
must be set to ethernet.

To configure a VDOM link in the CLI:

config global
    config system vdom-link
        edit "<vdom-link-name>"
            set type {ppp | ethernet}
        next
    end
    config system interface
        edit "<vdom-link-name0>"
            set vdom "<VDOM Name>"
            set type vdom-link
        next
        edit "<vdom-link-name1>"
            set vdom "<VDOM Name>"
            set type vdom-link
        next
    end
end

To delete a VDOM link in the GUI:

1. In the Global VDOM, go to Network > Interfaces.
2. Select a VDOM Link and click Delete.

To delete a VDOM link in the CLI:

config global
    config system vdom-link
        delete <VDOM-LINK-Name>
    end
end

Example

This example shows how to configure a FortiGate unit to use inter-VDOM routing.
Two departments of a company, Accounting and Sales, are connected to one FortiGate. The company uses a single ISP
to connect to the Internet.
This example includes the following general steps. We recommend following the steps in the order below.

Create the VDOMs

To enable VDOMs:

config system global
    set vdom-mode multi-vdom
end

You will be logged out of the device when VDOM mode is enabled.

To create the Sales and Accounting VDOMs:

config global
    config vdom
        edit Accounting
        next
        edit Sales
        next
    end
end

Configure the physical interfaces

Next, configure the physical interfaces. This example uses three interfaces on the FortiGate unit: port2 (internal), port3
(DMZ), and port1 (external). Port2 and port3 interfaces each have a department’s network connected. Port1 is for all
traffic to and from the Internet and uses DHCP to configure its IP address, which is common with many ISPs.

To configure the interfaces:

config global
    config system interface
        edit port2
            set alias AccountingLocal
            set vdom Accounting
            set mode static
            set ip 172.100.1.1 255.255.0.0
            set allowaccess https ping ssh
            set description "The accounting dept. internal interface"
        next
        edit port3
            set alias SalesLocal
            set vdom Sales
            set mode static
            set ip 192.168.1.1 255.255.0.0
            set allowaccess https ping ssh
            set description "The sales dept. internal interface"
        next
        edit port1
            set alias ManagementExternal
            set vdom root
            set mode dhcp
            set allowaccess https ssh snmp
            set description "The system wide management interface."
        next
    end
end

Configure the VDOM links

To complete the connection between each VDOM and the management VDOM, add the two VDOM links. One pair is the
Accounting – management link and the other is the Sales – management link.
When configuring inter-VDOM links, you do not have to assign IP addresses to the links unless you are using advanced
features such as dynamic routing that require them. Not assigning IP addresses results in faster configuration and more
available IP addresses on your networks. If you do assign addresses, as this example does, prefer a range reserved for
private use (for example RFC 1918 or RFC 6598 space): the 11.11.11.0/24 and 12.12.12.0/24 addresses used below are
publicly routed space, so the connected route for the link would capture traffic meant for real Internet hosts in those ranges.

To configure the Accounting and management VDOM link:

config global
    config system vdom-link
        edit AccountVlnk
        next
    end
    config system interface
        edit AccountVlnk0
            set vdom Accounting
            set ip 11.11.11.2 255.255.255.0
            set allowaccess https ping ssh
            set description "Accounting side of the VDOM link"
        next
        edit AccountVlnk1
            set vdom root
            set ip 11.11.11.1 255.255.255.0
            set allowaccess https ping ssh
            set description "Management side of the VDOM link"
        next
    end
end

To configure the Sales and management VDOM link:

config global
    config system vdom-link
        edit SalesVlnk
        next
    end
    config system interface
        edit SalesVlnk0
            set vdom Sales
            set ip 12.12.12.2 255.255.255.0
            set allowaccess https ping ssh
            set description "Sales side of the VDOM link"
        next
        edit SalesVlnk1
            set vdom root
            set ip 12.12.12.1 255.255.255.0
            set allowaccess https ping ssh
            set description "Management side of the VDOM link"
        next
    end
end

Configure the firewall and security profile

With the VDOMs, physical interfaces, and VDOM links configured, the firewall must now be configured to allow the
proper traffic. Firewalls are configured per-VDOM, and firewall objects and routes must be created for each VDOM
separately.

To configure the firewall policies from AccountingLocal to Internet:

config vdom
    edit Accounting
        config firewall policy
            edit 1
                set name "Accounting-Local-to-Management"
                set srcintf port2
                set dstintf AccountVlnk0
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
    edit root
        config firewall policy
            edit 2
                set name "Accounting-VDOM-to-Internet"
                set srcintf AccountVlnk1
                set dstintf port1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

To configure the firewall policies from SalesLocal to the Internet:

config vdom
    edit Sales
        config firewall policy
            edit 3
                set name "Sales-local-to-Management"
                set srcintf port3
                set dstintf SalesVlnk0
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
    edit root
        config firewall policy
            edit 4
                set name "Sales-VDOM-to-Internet"
                set srcintf SalesVlnk1
                set dstintf port1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

Test the configuration

When the inter-VDOM routing has been configured, test the configuration to confirm proper operation. Testing
connectivity ensures that physical networking connections, FortiGate unit interface configurations, and firewall policies
are properly configured.
The easiest way to test connectivity is to use the ping and traceroute commands to confirm the connectivity of
different routes on the network.
Test both from AccountingLocal to the Internet and from SalesLocal to the Internet.

Software switch

A software switch is a virtual switch that is implemented at the software or firmware level and not at the hardware level. A
software switch can be used to simplify communication between devices connected to different FortiGate interfaces. For
example, using a software switch, you can place the FortiGate interface connected to an internal network on the same
subnet as your wireless interfaces. Then devices on the internal network can communicate with devices on the wireless
network without any additional configuration on the FortiGate unit, such as additional security policies.
A software switch can also be useful if you require more hardware ports for the switch on a FortiGate unit. For example, if
your FortiGate unit has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and you need one more port, you can create
a soft switch that can include the four-port switch and the DMZ interface, all on the same subnet. These types of
applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces such as those in
FortiWiFi and FortiAP units.
Similar to a hardware switch, a software switch functions like a single interface. It has one IP address and all the
interfaces in the software switch are on the same subnet. Traffic between devices connected to the member interfaces is
not regulated by security policies, and traffic passing in and out of the switch is controlled by the same policy.

When setting up a software switch, consider the following:
- Ensure that you have a backup of the configuration.
- Ensure that you have at least one port or connection, such as the console port, to connect to the FortiGate unit. If
  you accidentally combine too many ports, you need a way to undo errors.
- The ports that you include must not have any link or relation to any other aspect of the FortiGate unit, such as DHCP
  servers, security policies, and so on.
- For increased security, you can create a captive portal for the switch to allow only specific user groups access to the
  resources connected to the switch.
Some of the differences between software and hardware switches are:

Feature               Software switch                                  Hardware switch
Processing            Packets are processed in software by the CPU.    Packets are processed in hardware by the hardware
                                                                       switch controller, or SPU where applicable.
STP                   Not supported                                    Supported
Wireless SSIDs        Supported                                        Not supported
Intra-switch traffic  Allowed by default. Can be explicitly set to     Allowed by default.
                      require a policy.

To create a software switch in the GUI:

1. Go to Network > Interfaces.
2. Click Create New > Interface.
3. Set Type to Software Switch.
4. Configure the Name, Interface members, and other fields as required.
   To add an interface to a software switch, it cannot be referenced by an existing configuration and its IP address
   must be set to 0.0.0.0/0.0.0.0.
5. Click OK.

To create a software switch in the CLI:

config system switch-interface
    edit <interface>
        set vdom <vdom>
        set member <interface_list>
        set type switch
    next
end
config system interface
    edit <interface>
        set vdom <vdom>
        set type switch
        set ip <ip_address>
        set allowaccess https ssh ping
    next
end

To add an interface to a software switch, it cannot be referenced by an existing configuration and its IP address must be
set to 0.0.0.0/0.0.0.0.

Example

For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate
wireless synchronizing between an iPhone and a local computer. Because synchronizing between two subnets is
problematic, putting both interfaces on the same subnet allows the synchronizing to work. The software switch
accomplishes this.
1. Clear the interfaces and back up the configuration:
   a. Ensure the interfaces are not used in any security policy or for any other purpose on the FortiGate unit.
   b. Check the WiFi and DMZ1 ports to ensure that DHCP is not enabled and that there are no other dependencies
      on these interfaces.
   c. Save the current configuration so that it can be recovered if something goes wrong.
2. Merge the WiFi port and DMZ1 port to create a software switch named synchro with an IP address of 10.10.21.12
   and administrative access for HTTPS, SSH and PING:
   config system switch-interface
       edit synchro
           set vdom "root"
           set type switch
           set member dmz1 wifi
       next
   end
   config system interface
       edit synchro
           set ip 10.10.21.12 255.255.255.0
           set allowaccess https ssh ping
       next
   end

After the switch is set up, you add security policies, DHCP servers, and any other settings that are required.

Hardware switch

A hardware switch is a virtual switch interface that groups different ports together so that the FortiGate can use the group
as a single interface. Supported FortiGate models have a default hardware switch called either internal or lan. The
hardware switch is supported by the chipset at the hardware level.
Ports that are connected to the same hardware switch behave like they are on the same physical switch in the same
broadcast domain. Ports can be removed from a hardware switch and assigned to another switch or used as standalone
interfaces.
Some of the differences between hardware and software switches are:

Feature               Hardware switch                                  Software switch
Processing            Packets are processed in hardware by the         Packets are processed in software by the CPU.
                      hardware switch controller, or SPU where
                      applicable.
STP                   Supported                                        Not supported
Wireless SSIDs        Not supported                                    Supported
Intra-switch traffic  Allowed by default.                              Allowed by default. Can be explicitly set to
                                                                       require a policy.

To change the ports in a hardware switch in the GUI:

1. Go to Network > Interfaces and edit the hardware switch.
2. Click inside the Interface members field.
3. Select interfaces to add or remove them from the hardware switch, then click Close.
   To add an interface to a hardware switch, it cannot be referenced by an existing configuration and its IP address
   must be set to 0.0.0.0/0.0.0.0.
4. Click OK.
Removed interfaces will now be listed as standalone interfaces in the Physical Interface section.

To remove ports from a hardware switch in the CLI:

config system virtual-switch
    edit "internal"
        config port
            delete internal2
            delete internal7
            ...
        end
    next
end

To add ports to a hardware switch in the CLI:

config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "internal3"
            next
            edit "internal5"
            next
            edit "internal4"
            next
            edit "internal6"
            next
        end
    next
end

To add an interface to a hardware switch, it cannot be referenced by an existing configuration and its IP address must be
set to 0.0.0.0/0.0.0.0.

Zone

A zone is a group of one or more physical or virtual FortiGate interfaces to which you can apply security policies to control
inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies the creation of security
policies where a number of network segments can use the same policy settings and protection profiles.
When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each interface
still has its own address. Routing is still done between interfaces, that is, routing is not affected by zones. You can use
security policies to control the flow of intra-zone traffic.
For example, in the sample configuration below, the network includes three separate groups of users representing
different entities on the company network. While each group has its own set of ports and VLANs in each area, they can
all use the same security policy and protection profiles to access the Internet. Rather than creating nine separate
security policies, the administrator can simplify administration by adding the required interfaces to a zone and creating
three policies.

Sample configuration

You can configure policies for connections to and from a zone but not between interfaces in a zone. For this example,
you can create a security policy to go between zone 1 and zone 3, but not between WAN2 and WAN1, or WAN1 and
DMZ1.

To create a zone in the GUI:

1. Go to Network > Interfaces.
   If VDOMs are enabled, go to the VDOM to create a zone.
2. Click Create New > Zone.
3. Configure the Name and add the Interface Members.
4. Enable or disable Block intra-zone traffic as required.
5. Click OK.

To configure a zone to include the internal interface and a VLAN using the CLI:

config system zone
    edit zone_1
        set interface internal VLAN_1
        set intrazone {deny | allow}
    next
end

Using zone in a firewall policy

To configure a firewall policy to allow any interface in the zone to access the Internet using the CLI:

config firewall policy
    edit 2
        set name "2"
        set srcintf "Zone_1"
        set dstintf "port15"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Intra-zone traffic

In the zone configuration you can set intrazone deny to prohibit the different interfaces in the same zone from talking to
each other.
For example, suppose you have ten interfaces in your zone and the intrazone setting is deny. You now want to allow traffic
between a very small number of networks on different interfaces that are part of the zone, but you do not want to disable
the intra-zone blocking.
In this example, the zone VLANs are defined as 192.168.1.0/24, 192.168.2.0/24, ... 192.168.10.0/24.

This policy allows traffic from 192.168.1.x to 192.168.2.x even though they are in the same zone and intra-zone blocking
is enabled. The intra-zone blocking acts as a default deny rule and you have to specifically override it by creating a policy
within the zone.

To enable intra-zone traffic, create the following policy:

Source Interface       Zone-name, e.g., Vlans
Source Address         192.168.1.0/24
Destination            Zone-name (same as Source Interface, i.e., Vlans)
Destination Address    192.168.2.0/24

Because policies are stateful, replies to sessions opened from 192.168.1.x are allowed by this policy, but new connections
initiated from 192.168.2.x toward 192.168.1.x still hit the intra-zone deny unless you add the reverse policy.
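As an added example, not code from the guide, the following Python script evaluates a handful of flows against the zone just described, with intrazone set to deny and the single override policy above, plus the Internet policy from the zone to port15 shown earlier in this section. It shows why the override is one-directional and what changes when intrazone is allow. The zone membership, addresses and flows are constructed; the evaluation order (policies consulted first, the intrazone setting only when no policy matches) and treating an interface that belongs to no zone as its own name are the model's assumptions.

```python
"""Evaluate flows against zone-based FortiOS-style firewall policies.

Added example, not code from the FortiOS guide. Zone, interfaces,
addresses and flows are constructed; policies are matched first-hit in
order and the zone's intrazone setting is the fallback when nothing
matches (assumption of this model).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Zone:
    name: str
    members: frozenset
    intrazone: str            # "allow" or "deny", as in 'set intrazone {deny | allow}'


@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str              # zone name or bare interface name
    dstintf: str
    srcaddr: str              # "all" or a CIDR
    dstaddr: str
    action: str = "accept"
    nat: bool = False


def zone_of(iface, zones):
    """Policies are written against zones, so map an interface to its zone (or itself)."""
    for z in zones:
        if iface in z.members:
            return z.name
    return iface


def addr_match(ip, spec):
    return spec == "all" or ip_address(ip) in ip_network(spec, strict=False)


def evaluate(flow, zones, policies):
    """flow = (src_ip, dst_ip, ingress_iface, egress_iface). Returns (verdict, reason)."""
    src_ip, dst_ip, in_if, out_if = flow
    src_zone, dst_zone = zone_of(in_if, zones), zone_of(out_if, zones)
    for p in policies:                               # first matching policy wins
        if (p.srcintf, p.dstintf) != (src_zone, dst_zone):
            continue
        if addr_match(src_ip, p.srcaddr) and addr_match(dst_ip, p.dstaddr):
            return p.action, f"policy {p.id}"
    if src_zone == dst_zone:                         # no policy: fall back to the zone setting
        zone = next((z for z in zones if z.name == src_zone), None)
        if zone is not None and zone.intrazone == "allow":
            return "accept", "intrazone allow"
        if zone is not None:
            return "deny", "intrazone deny (default deny inside the zone)"
    return "deny", "implicit deny"


# Constructed example: ten VLAN interfaces in one zone with intrazone deny,
# the one override policy from the text, and the egress policy to port15.
VLANS = Zone("Vlans", frozenset(f"VLAN_{n}" for n in range(1, 11)), "deny")
ZONES = [VLANS]
POLICIES = [
    Policy(1, "Vlans", "Vlans", "192.168.1.0/24", "192.168.2.0/24"),
    Policy(2, "Vlans", "port15", "all", "all", nat=True),
]


def demo():
    """Evaluate four representative flows; VLAN_n carries 192.168.n.0/24."""
    flows = {
        "vlan1_to_vlan2": ("192.168.1.10", "192.168.2.20", "VLAN_1", "VLAN_2"),
        "vlan2_to_vlan1": ("192.168.2.20", "192.168.1.10", "VLAN_2", "VLAN_1"),
        "vlan3_to_vlan4": ("192.168.3.5", "192.168.4.5", "VLAN_3", "VLAN_4"),
        "vlan5_to_internet": ("192.168.5.5", "203.0.113.9", "VLAN_5", "port15"),
    }
    return {name: evaluate(f, ZONES, POLICIES) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict[0]:7s} {verdict[1]}")
```

Only the 192.168.1.x to 192.168.2.x flow is accepted inside the zone; the reverse direction and every other VLAN pair fall through to the intra-zone deny, while the egress policy still carries VLAN_5 to port15 because that flow leaves the zone.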

Virtual wire pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode
VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a
virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual
wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.
Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port
pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the
request’s MAC address pair.

Example

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate
operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the
ISFW over the virtual wire pair.

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before
creating a virtual wire pair, make sure you have a different port configured to allow admin
access using your preferred protocol.

To add a virtual wire pair using the GUI:

1. Go to Network > Interfaces.
2. Click Create New > Virtual Wire Pair.
3. Enter a name for the virtual wire pair.
4. Select the Interface Members to add to the virtual wire pair (port3 and port4).
   These interfaces cannot be part of a switch, such as the default LAN/internal interface.
5. If required, enable Wildcard VLAN and set the VLAN Filter.
6. Click OK.

To add a virtual wire pair using the CLI:

config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan disable
    next
end

To create a virtual wire pair policy using the GUI:

1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy.
2. Click Create New.
3. In the Virtual Wire Pair field, click the + to add the virtual wire pair.
4. Select the direction (arrows) that traffic is allowed to flow.
5. Configure the other settings as needed.
6. Click OK.

To create a virtual wire pair policy using the CLI:

config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
    next
end

Configuring multiple virtual wire pairs in a virtual wire pair policy

You can create a virtual wire pair policy that includes different virtual wire pairs in NGFW profile and policy mode. This
reduces overhead to create multiple similar policies for each VWP. In NGFW policy mode, multiple virtual wire pairs can
be configured in a Security Virtual Wire Pair Policy and Virtual Wire Pair SSL Inspection & Authentication policy.
The virtual wire pair settings must have wildcard VLAN enabled. When configuring a policy in the CLI, the virtual wire pair
members must be entered in srcintf and dstintf as pairs.

To configure multiple virtual wire pairs in a policy in the GUI:

1. Configure the virtual wire pairs:
   a. Go to Network > Interfaces and click Create New > Virtual Wire Pair.
   b. Create a pair with the following settings:
      Name                 test-vwp-1
      Interface members    wan1, wan2
      Wildcard VLAN        Enable
   c. Click OK.
   d. Click Create New > Virtual Wire Pair and create another pair with the following settings:
      Name                 test-vwp-2
      Interface members    port19, port20
      Wildcard VLAN        Enable
   e. Click OK.
2. Configure the policy:
   a. Go to Policy & Objects > Firewall Virtual Wire Pair Policy and click Create New.
   b. In the Virtual Wire Pair field, click the + to add test-vwp-1 and test-vwp-2. Select the direction for each of the
      selected virtual wire pairs.
   c. Configure the other settings as needed.
   d. Click OK.

To configure multiple virtual wire pairs in a policy in the CLI:

1. Configure the virtual wire pairs:
   config system virtual-wire-pair
       edit "test-vwp-1"
           set member "wan1" "wan2"
           set wildcard-vlan enable
       next
       edit "test-vwp-2"
           set member "port19" "port20"
           set wildcard-vlan enable
       next
   end
2. Configure the policy:
   config firewall policy
       edit 1
           set name "vwp1&2-policy"
           set srcintf "port19" "wan1"
           set dstintf "port20" "wan2"
           set srcaddr "all"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "ALL"
           set logtraffic all
       next
   end

PRP handling in NAT mode with virtual wire pair

PRP (Parallel Redundancy Protocol) is supported in NAT mode for a virtual wire pair. This preserves the PRP RCT
(redundancy control trailer) while the packet is processed by the FortiGate.

To configure PRP handling on a device in NAT mode:

1. Enable PRP in the VDOM settings:


(root) # config system settings
set prp-trailer-action enable
end

2. Enable PRP in the NPU attributes:


(global) # config system npu
set prp-port-in "port15"
set prp-port-out "port16"
end

3. Configure the virtual wire pair:


(root) # config system virtual-wire-pair
edit "test-vwp-1"
set member "port15" "port16"
next
end

Virtual switch support for FortiGate 300E series

On the FortiGate 300E series, switch ports can be assigned to different VLANs.

To create a VLAN switch in the GUI:

1. Go to Network > Interfaces and enable VLAN Switch Mode.

2. Click Create New > Interface.


3. Enter an interface name and configure the following:
a. For Type, select VLAN Switch.
b. (Optional) Enter a VLAN ID (range is 3900–3999).
c. If applicable, select a Virtual Domain.
d. Add the Interface Members.
e. Configure the Address and Administrative Access settings as needed.

4. Click OK.

The new VLAN switch is visible in the interface table.

To create a VLAN switch in the CLI:

1. Enable VLAN switch mode:


config system global
set virtual-switch-vlan enable
end

2. Create the VLAN switch. The default VLAN ID is 0; optionally, you can assign an ID in the range 3900–3999:
config system virtual-switch
edit "VLAN switch"
set physical-switch "sw0"
set vlan 3900
config port
edit "port1"
next
edit "port3"
next
end
next
end

3. Configure the VLAN switch interface:


config system interface
edit "VLAN switch"
set vdom "vdom1"
set ip 6.6.6.1 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type hard-switch
set snmp-index 15
next
end

4. (Optional) Create a trunk interface:


config system interface
edit port2
set trunk enable
next
end

Failure detection for aggregate and redundant interfaces

When an aggregate or redundant interface goes down, the corresponding fail-alert interface changes to down. When an
aggregate or redundant interface comes up, the corresponding fail-alert interface changes to up.

Fail-detect for aggregate and redundant interfaces can be configured using the CLI.

To configure an aggregate interface so that port3 goes down with it:

config system interface
edit "agg1"
set vdom "root"
set fail-detect enable
set fail-alert-method link-down
set fail-alert-interfaces "port3"
set type aggregate
set member "port1" "port2"
next
end

To configure a redundant interface so that port4 goes down with it:

config system interface
edit "red1"
set vdom "root"
set fail-detect enable
set fail-alert-method link-down
set fail-alert-interfaces "port4"
set type redundant
set member "port1" "port2"
next
end

VLAN inside VXLAN

VLANs can be assigned to VXLAN interfaces. In a data center network where VXLAN is used to create an L2 overlay
network, and in multitenant environments, a customer VLAN tag can be assigned to a VXLAN interface. This allows the
VLAN tag from the VLAN traffic to be encapsulated within the VXLAN packet.

To configure VLAN inside VXLAN on HQ1:

1. Configure VXLAN:
config system vxlan
edit "vxlan1"
set interface port1
set vni 1000
set remote-ip 173.1.1.1
next
end

2. Configure system interface:


config system interface
edit vlan100
set vdom root
set vlanid 100
set interface dmz
next
edit vxlan100
set type vlan
set vlanid 100
set vdom root
set interface vxlan1
next
end

3. Configure software-switch:
config system switch-interface
edit sw1
set vdom root
set member vlan100 vxlan100
set intra-switch-policy implicit
next
end

The default intra-switch-policy implicit behavior allows traffic between member interfaces within the switch.
Therefore, it is not necessary to create firewall policies to allow this traffic.

Instead of creating a software-switch, it is possible to use a virtual-wire-pair as well. See Virtual wire pair with
VXLAN on page 158.

To configure VLAN inside VXLAN on HQ2:

1. Configure VXLAN:
config system vxlan
edit "vxlan2"
set interface port25
set vni 1000
set remote-ip 173.1.1.2
next
end
2. Configure system interface:
config system interface
edit vlan100
set vdom root
set vlanid 100
set interface port20
next
edit vxlan100
set type vlan
set vlanid 100
set vdom root
set interface vxlan2
next
end
3. Configure software-switch:
config system switch-interface
edit sw1
set vdom root
set member vlan100 vxlan100
next
end

To verify the configuration:

Ping PC1 from PC2.

The capture taken on HQ2 shows the VXLAN traffic between 172.1.1.1 and 172.1.1.2 with the VLAN 100 tag inside.

Virtual wire pair with VXLAN

Virtual wire pairs can be used with VXLAN interfaces.


In this example, VXLAN interfaces are added between FortiGate HQ1 and FortiGate HQ2, a virtual wire pair is added on
HQ1, and firewall policies are created on both HQ1 and HQ2.

To create a VXLAN interface on HQ1:

config system interface
edit "port11"
set vdom "root"
set ip 10.2.2.1 255.255.255.0
set allowaccess ping https ssh snmp telnet
next
end
config system vxlan
edit "vxlan1"
set interface "port11"
set vni 1000
set remote-ip "10.2.2.2"
next
end

To create a VXLAN interface on HQ2:

config system interface
edit "port11"
set vdom "root"
set ip 10.2.2.2 255.255.255.0
set allowaccess ping https ssh snmp http
next
end
config system vxlan
edit "vxlan1"
set interface "port11"
set vni 1000
set remote-ip "10.2.2.1"
next
end
config system interface
edit "vxlan1"
set vdom "root"
set ip 10.1.100.2 255.255.255.0
set allowaccess ping https ssh snmp
next
end

To create a virtual wire pair on HQ1:

config system virtual-wire-pair
edit "vwp1"
set member "port10" "vxlan1"
next
end

To create a firewall policy on HQ1:

config firewall policy
edit 5
set name "vxlan-policy"
set srcintf "port10" "vxlan1"
set dstintf "port10" "vxlan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set fsso disable
next
end

To create a firewall policy on HQ2:

config firewall policy
edit 5
set name "1"
set srcintf "port13"
set dstintf "vxlan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set nat enable
next
end

QinQ

QinQ (802.1ad) allows multiple VLAN tags to be inserted into a single frame, and can be configured on supported
FortiGate devices.
In this example, the customer connects to a provider that uses 802.1ad double-tagging to separate their customer
VLANs. The FortiGate connecting to the provider double-tags its frames with an outer provider-tag (S-Tag) and an inner
customer-tag (C-Tag).

The customer identifies itself with the provider-tag (S-Tag) 232 and uses the customer-tag (C-Tag) 444 for traffic to its
VLAN.

To configure the interfaces:

1. Configure the interface to the provider that uses the outer tag (S-Tag):
config system interface
edit "vlan-8021ad"
set vdom "root"
set vlan-protocol 8021ad
set device-identification enable
set role lan
set snmp-index 47
set interface "PORT"
set vlanid 232
next
end

2. Configure a dynamic VLAN interface that uses the inner tag (C-Tag):
config system interface
edit "DVLAN"
set vdom "vdom1"
set device-identification enable
set role lan
set snmp-index 48
set interface "vlan-8021ad"
set vlanid 444
next
end
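The double-tagged frame that the configuration above produces, as an added Python example that is not part of the guide: build_frame and parse_frame handle an 802.1ad S-Tag (TPID 0x88A8) outside an 802.1Q C-Tag (TPID 0x8100), and matches_provider_tagging checks a captured frame against the S-Tag 232 / C-Tag 444 pairing used in this example. The MAC addresses and payload are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

TPID_8021AD = 0x88A8   # outer provider tag (S-Tag) TPID per IEEE 802.1ad
TPID_8021Q = 0x8100    # inner customer tag (C-Tag) TPID per IEEE 802.1Q
ETHERTYPE_IPV4 = 0x0800


@dataclass
class VlanTag:
    tpid: int
    vid: int
    pcp: int = 0   # priority code point, 3 bits
    dei: int = 0   # drop eligible indicator, 1 bit

    def pack(self) -> bytes:
        """Serialize as TPID + TCI. VID is 12 bits; 0 and 4095 are reserved."""
        if not 1 <= self.vid <= 4094:
            raise ValueError(f"VID {self.vid} out of range 1-4094")
        if not 0 <= self.pcp <= 7 or self.dei not in (0, 1):
            raise ValueError("bad PCP or DEI")
        tci = (self.pcp << 13) | (self.dei << 12) | self.vid
        return struct.pack("!HH", self.tpid, tci)


def build_frame(dst: bytes, src: bytes, tags: List[VlanTag], ethertype: int,
                payload: bytes) -> bytes:
    """Ethernet frame with zero or more VLAN tags, outermost first (no FCS)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return (dst + src + b"".join(t.pack() for t in tags)
            + struct.pack("!H", ethertype) + payload)


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, List[VlanTag], int, bytes]:
    """Return (dst, src, tags outermost first, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags: List[VlanTag] = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021AD, TPID_8021Q):
            break                       # reached the real EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(VlanTag(ethertype, tci & 0x0FFF, (tci >> 13) & 0x7, (tci >> 12) & 0x1))
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def matches_provider_tagging(frame: bytes, s_tag: int, c_tag: int) -> bool:
    """True when the frame carries exactly an 802.1ad S-Tag s_tag outside an
    802.1Q C-Tag c_tag, which is what the provider expects from the
    vlan-8021ad / DVLAN interface pair above."""
    _, _, tags, _, _ = parse_frame(frame)
    return (len(tags) == 2
            and tags[0].tpid == TPID_8021AD and tags[0].vid == s_tag
            and tags[1].tpid == TPID_8021Q and tags[1].vid == c_tag)


# Constructed sample: locally administered MACs and a dummy IPv4 payload.
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")
QINQ_FRAME = build_frame(DST, SRC, [VlanTag(TPID_8021AD, 232), VlanTag(TPID_8021Q, 444)],
                         ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18)
SINGLE_TAG_FRAME = build_frame(DST, SRC, [VlanTag(TPID_8021Q, 444)], ETHERTYPE_IPV4, b"\x45\x00")

if __name__ == "__main__":
    print(QINQ_FRAME.hex())
    print(parse_frame(QINQ_FRAME))
    print(matches_provider_tagging(QINQ_FRAME, 232, 444),
          matches_provider_tagging(SINGLE_TAG_FRAME, 232, 444))
```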

Assign a subnet with the FortiIPAM service

The FortiIPAM (IP Address Management) service automatically assigns subnets to FortiGates so that IP addresses do
not overlap within the same Security Fabric.
After the FortiIPAM registration is synced from FortiCare to FortiGuard, the FortiGate can use FortiIPAM to automatically
assign IP addresses based on the configured network size for the FortiGate interface.

FortiIPAM is a paid service, and must be registered to the FortiGate in FortiCare.

To verify the FortiIPAM service registration:

1. Go to System > FortiGuard.


2. Find the FortiIPAM row and confirm that the FortiIPAM service is registered.

Example

In this example, port5 on the root FortiGate is configured to be managed by FortiIPAM, with a DHCP server supplying
IP addresses to the network. The downstream FortiGate gets its IP address from that DHCP server, and then uses
FortiIPAM to assign IP addresses to its internal network.

To configure the interface on the root FortiGate in the GUI:

1. Go to Network > Interfaces and edit port5.


2. Set Role to LAN.
3. Set Addressing mode to Auto-managed by FortiIPAM.
4. Set Network size as needed.
5. Enable DHCP Server. The DHCP settings will be configured by FortiIPAM.

6. Click OK.

To view the IP allocation map in the GUI:

1. Go to Network > Interfaces and edit port5.


The interface should have received an IP address from FortiIPAM.

2. Click Show Global IP Allocation Map. FortiCloud opens in your default browser.
3. Click Login and log in to FortiCloud.
4. In the FortiIPAM portal, click on the root FortiGate's subnet then select the SOURCE tab.

The columns show the device serial number, the interface, how the interface is assigned, and when it was last
updated.

To configure DHCP on the downstream FortiGate in the GUI:

1. Go to System > FortiGuard and verify FortiIPAM is licensed.


2. Go to Network > Interfaces and edit port5.
3. Set Addressing mode to DHCP.
4. Click OK.
5. Edit port5 again, and confirm that it received an IP address from the DHCP server configured on the root FortiGate.

To add the downstream FortiGate to the Security Fabric in the GUI:

1. Go to Security Fabric > Fabric Connectors and edit Security Fabric Setup.
2. Set Status to Enabled.
3. Set Security Fabric role to Join Existing Fabric.
4. Enter the FortiGate Root IP address as the Upstream FortiGate IP.

5. Click OK.

To configure the interface that connects to the internal network to use FortiIPAM on the downstream
FortiGate in the GUI:

1. Go to Network > Interfaces and edit port6.


2. Set Role to LAN.
3. Set Addressing mode to Auto-managed by FortiIPAM.
4. Set Network size as needed.
5. Enable DHCP Server. The DHCP settings will be configured by FortiIPAM.
6. Click OK.

To view the IP allocation map in the GUI:

1. Go to Network > Interfaces and edit port6.


2. The interface should have received an IP address from FortiIPAM.
3. Click Show Global IP Allocation Map. FortiCloud opens in your default browser.
4. Click Login and log in to FortiCloud.
5. In the FortiIPAM portal, click on a subnet and confirm that the IP address is different than the root FortiGate's
IP address.

To configure FortiIPAM in the CLI:

1. Verify the FortiIPAM service registration:


# diagnose test update info
...
System contracts:
...
IPMC,Mon Jun 6 17:00:00 2022
...

2. Configure the interface on the root FortiGate:


config system interface
edit "port5"
set vdom "root"
set ip-managed-by-fortiipam enable
set managed-subnetwork-size 256
next
end
config system dhcp server
edit 1
set interface "port5"
set dhcp-settings-from-fortiipam enable
next
end

3. View the IP address and DHCP information from the FortiIPAM:


# show system interface
config system interface
edit "port5"
set vdom "root"
set ip 10.128.1.1 255.255.255.0
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 4
set ip-managed-by-fortiipam enable
next
end
# show system dhcp server
config system dhcp server
edit 1
set dns-service default
set default-gateway 10.128.0.1
set netmask 255.255.255.0
set interface "port5"
config ip-range
edit 1
set start-ip 10.128.0.1
set end-ip 10.128.0.254
next
end
set dhcp-settings-from-fortiipam enable
config exclude-range
edit 1
set start-ip 10.128.0.1
set end-ip 10.128.0.1
next
end
next
end

4. Configure DHCP on the downstream FortiGate:


config system interface
edit "port5"
set mode dhcp
next
end

5. Add the downstream FortiGate to the Security Fabric:


config system csf
set status enable
set upstream-ip 10.128.0.1
end

6. On the downstream FortiGate, configure the interface that connects to the internal network to use FortiIPAM:
config system interface
edit "port6"
set ip-managed-by-fortiipam enable
set managed-subnetwork-size 512
next
end
config system dhcp server
edit 1
set interface "port6"
set dhcp-settings-from-fortiipam enable
next
end

You can also use the REST API to view the FortiIPAM service information:
https://172.16.116.xxx/api/v2/monitor/license/status
..."fortiipam_cloud":{
"type":"live_cloud_service",
"status":"licensed",
"expires":1618531200,
"entitlement":"IPMC"
}
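A check that turns the license status above into a go/no-go decision, as an added Python example that is not part of the guide. The guide elides the JSON around the fortiipam_cloud object, so the wrapper in the constructed response is an assumption and find_key searches the whole document instead of relying on it; parse_contract_line reads the IPMC line from the diagnose test update info output in the same way.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Constructed response body. Only the fortiipam_cloud object is taken from the
# guide; the "results" wrapper is an assumption (find_key does not depend on it).
SAMPLE_LICENSE_STATUS = json.dumps({
    "results": {
        "fortiipam_cloud": {
            "type": "live_cloud_service",
            "status": "licensed",
            "expires": 1618531200,
            "entitlement": "IPMC",
        }
    }
})

# Constructed line in the form printed by 'diagnose test update info' above.
SAMPLE_CONTRACT_LINE = "IPMC,Mon Jun 6 17:00:00 2022"


def utc_date(year: int, month: int, day: int) -> datetime:
    """Timezone-aware midnight UTC, for passing as 'now'."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def find_key(obj: Any, key: str) -> Optional[Any]:
    """Depth-first search for a key anywhere in a parsed JSON document."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            found = find_key(value, key)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for item in obj:
            found = find_key(item, key)
            if found is not None:
                return found
    return None


def fortiipam_state(body: str, now: datetime) -> Dict[str, Any]:
    """Evaluate the FortiIPAM entitlement from /api/v2/monitor/license/status.
    'now' must be timezone-aware; 'expires' is a Unix timestamp (UTC)."""
    entry = find_key(json.loads(body), "fortiipam_cloud")
    if not isinstance(entry, dict):
        return {"licensed": False, "reason": "no fortiipam_cloud entry in response"}
    expires = datetime.fromtimestamp(int(entry.get("expires", 0)), tz=timezone.utc)
    days_left = (expires - now).days
    ok = (entry.get("status") == "licensed"
          and entry.get("entitlement") == "IPMC"
          and days_left >= 0)
    return {
        "licensed": ok,
        "status": entry.get("status"),
        "entitlement": entry.get("entitlement"),
        "expires": expires.isoformat(),
        "days_left": days_left,
        "reason": "ok" if ok else "status, entitlement or expiry check failed",
    }


def parse_contract_line(line: str) -> Optional[datetime]:
    """Parse an 'IPMC,<ctime>' contract line into its expiry (naive, as printed).
    Returns None when the line is some other contract."""
    code, _, stamp = line.partition(",")
    if code.strip() != "IPMC":
        return None
    # ctime pads single-digit days with a space; collapse runs of whitespace.
    return datetime.strptime(" ".join(stamp.split()), "%a %b %d %H:%M:%S %Y")


if __name__ == "__main__":
    print(fortiipam_state(SAMPLE_LICENSE_STATUS, datetime.now(timezone.utc)))
    print(parse_contract_line(SAMPLE_CONTRACT_LINE))
```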

Interface MTU packet size

Changing the maximum transmission unit (MTU) on FortiGate interfaces changes the size of transmitted packets. Most
FortiGate devices' physical interfaces support jumbo frames of up to 9216 bytes, but some only support 9000 or
9204 bytes.
To avoid fragmentation, the MTU should be the same as the smallest MTU in all of the networks between the FortiGate
and the destination. If the packets sent by the FortiGate are larger than the smallest MTU, then they are fragmented,
slowing down the transmission. Packets with the DF flag set in the IPv4 header are dropped rather than fragmented.
On many network and endpoint devices, the path MTU is used to determine the smallest MTU and to transmit packets
within that size.
• ASIC accelerated FortiGate interfaces, such as NP6, NP7, and SOC4 (np6xlite), support MTU sizes up to 9216
bytes.
• FortiGate VMs can have varying maximum MTU sizes, depending on the underlying interface and driver.
• Virtual interfaces, such as VLAN interfaces, inherit their MTU size from their parent interface.

To verify the supported MTU size:

config system interface
edit <interface>
set mtu-override enable
set mtu ?
<integer> Maximum transmission unit (<min>-<max>)
next
end

To change the MTU size:

config system interface
edit <interface>
set mtu-override enable
set mtu <max bytes>
next
end

Maximum MTU size on a path

To manually test the maximum MTU size on a path, you can use the ping command on a Windows computer.
For example, you can send ICMP packets of a specific size with the DF flag set, and iterate through increasing sizes until
the ping fails.
• The -f option sets the Don't Fragment (DF) flag.
• The -l option specifies the length, in bytes, of the Data field in the Echo Request messages. This does not include
the 8 bytes for the ICMP header and 20 bytes for the IP header. Therefore, if the maximum MTU is 1500 bytes, then
the maximum supported data size is: 1500 - 8 - 20 = 1472 bytes.

To determine the maximum MTU size on a path:

1. In Windows command prompt, try a likely MTU size:


>ping 4.2.2.1 -l 1472 -f
Pinging 4.2.2.1 with 1472 bytes of data:
Reply from 4.2.2.1: bytes=1472 time=41ms TTL=52
Reply from 4.2.2.1: bytes=1472 time=42ms TTL=52
Reply from 4.2.2.1: bytes=1472 time=103ms TTL=52
Reply from 4.2.2.1: bytes=1472 time=38ms TTL=52

Ping statistics for 4.2.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 38ms, Maximum = 103ms, Average = 56ms

2. Increase the size and try the ping again:


>ping 4.2.2.1 -l 1473 -f
Pinging 4.2.2.1 with 1473 bytes of data:
Request timed out.

Ping statistics for 4.2.2.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

The second test fails, so the maximum MTU size on the path is 1472 bytes + 8-byte ICMP header + 20-byte IP
header = 1500 bytes.

Maximum segment size

The TCP maximum segment size (MSS) is the maximum amount of data that can be sent in a TCP segment. The MSS is
the MTU size of the interface minus the 20-byte IP header and the 20-byte TCP header. By reducing the TCP MSS, you
effectively reduce the size of the packets.
The TCP MSS can be configured in a firewall policy, or directly on an interface.
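The header arithmetic from the two sections above (MTU minus IP and ICMP headers for the ping payload, MTU minus IP and TCP headers for the MSS) and the DF-flagged ping test, as an added Python example that is not part of the guide. It generalises the step-by-step ping into a binary search over the payload size; simulated_probe is a constructed stand-in for a 1500-byte path, and ping_probe assumes the OS ping flags named in its comment.

```python
import subprocess
import sys
from typing import Callable

# Header sizes used in the guide's arithmetic (IPv4 without options).
IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20


def max_ping_payload(mtu: int) -> int:
    """Largest ping data length (-l on Windows, -s on Linux) that fits one
    unfragmented IPv4 packet: MTU minus IP and ICMP headers (1500 -> 1472)."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def mtu_from_ping_payload(payload: int) -> int:
    """Inverse of max_ping_payload: add the headers back (1472 -> 1500)."""
    return payload + IPV4_HEADER + ICMP_HEADER


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that avoids fragmentation on a path with this MTU:
    MTU minus IP and TCP headers (1500 -> 1460)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def find_path_mtu(probe: Callable[[int], bool], min_mtu: int = 576,
                  max_mtu: int = 9216) -> int:
    """Binary-search the path MTU. probe(payload) returns True when a DF-flagged
    echo with that many data bytes is answered. Instead of stepping the size up
    one byte at a time, this needs only about 14 probes for the 576-9216 range."""
    low = max_ping_payload(min_mtu)
    high = max_ping_payload(max_mtu)
    if not probe(low):
        raise RuntimeError(f"no reply even at {min_mtu} bytes; check reachability first")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # fits: the answer is mid or larger
        else:
            high = mid - 1     # would need fragmentation: the answer is smaller
    return mtu_from_ping_payload(low)


def ping_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Real probe using the OS ping with the Don't Fragment flag set.
    Assumed flags: Windows 'ping -f -l <bytes>' (as in the guide) and
    Linux iputils 'ping -M do -s <bytes>'. Not used by the offline run below."""
    def probe(payload: int) -> bool:
        if sys.platform.startswith("win"):
            cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
        else:
            cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def simulated_probe(payload: int) -> bool:
    """Constructed stand-in for a 1500-byte path: answers up to 1472 data bytes,
    matching the two ping runs shown in the guide."""
    return payload <= 1472


if __name__ == "__main__":
    mtu = find_path_mtu(simulated_probe)
    print(f"path MTU {mtu}, max ping payload {max_ping_payload(mtu)}, "
          f"TCP MSS {mss_for_mtu(mtu)}")
```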

To configure the MSS in a policy:

config firewall policy
edit <policy ID>
set srcintf "internal"
set dstintf "wan1"
set srcaddr "10.10.10.6"
set dstaddr "all"
set schedule "always"
set service "ALL"
set tcp-mss-sender 1448
set tcp-mss-receiver 1448
next
end

To configure the MSS on an interface:

config system interface
edit "wan2"
set vdom "root"
set mode dhcp
set allowaccess ping fgfm
set type physical
set tcp-mss 1448
set role wan
next
end

One-arm sniffer

You can use a one-arm sniffer to configure a physical interface as a one-arm intrusion detection system (IDS). Traffic
sent to the interface is examined for matches to the configured security profile. The matches are logged, and then all
received traffic is dropped. Sniffing only reports on attacks; it does not deny or influence traffic.
You can also use the one-arm sniffer to configure the FortiGate to operate as an IDS appliance that sniffs network traffic
for attacks without actually processing the packets. To configure a one-arm IDS, enable sniffer mode on a physical
interface and connect the interface to the SPAN port of a switch or to a dedicated network tap that can replicate the
traffic to the FortiGate.

If the one-arm sniffer option is not available, this means the interface is in use. Ensure that the interface is not selected in
any firewall policies, routes, virtual IPs, or other features where a physical interface is specified. The option also does not
appear if the role is set to WAN. Ensure the role is set to LAN, DMZ, or Undefined.
The following table lists some of the one-arm sniffer settings you can configure:

Field                     Description

Filters                   Enable this setting to include filters that define a more granular sniff of network
                          traffic. Select specific hosts, ports, VLANs, and protocols.
                          In all cases, enter a number or range for the filter type. The standard protocols
                          are:
                          • UDP: 17
                          • TCP: 6
                          • ICMP: 1

Include IPv6 Packets      If the network is running IPv4 and IPv6 addresses, enable this setting to sniff both
                          types; otherwise, the FortiGate will only sniff IPv4 traffic.

Include Non-IPv6 Packets  Enable this setting for a more intense content scan of the traffic.

Security Profiles         The following profiles are configurable in the GUI and CLI:
                          • Antivirus
                          • Web filter
                          • Application control
                          • IPS
                          • File filter
                          The following profiles are only configurable in the CLI:
                          • Email filter
                          • DLP
                          • IPS DoS

CPU usage and packet loss

Traffic scanned on the one-arm sniffer interface is processed by the CPU, even if there is an SPU, such as NPU or CP,
present. The one-arm sniffer may cause higher CPU usage and perform at a lower level than traditional inline scanning,
which uses NTurbo or CP to accelerate traffic when present.
The absence of high CPU usage does not indicate the absence of packet loss. Packet loss may occur due to the
capacity of the TAP devices hitting maximum traffic volume during mirroring, or on the FortiGate when the kernel buffer
size is exceeded and it is unable to handle bursts of traffic.

Sample configuration

The following example shows how to configure a file filter profile that blocks PDF and RAR files used in a one-arm sniffer
policy.

To configure a one-arm sniffer policy in the GUI:

1. Go to Network > Interfaces and double-click a physical interface to edit it.


2. For Role, select either LAN, DMZ, or Undefined.
3. For Addressing Mode, select One-Arm Sniffer.

4. In the Security Profiles section, enable File Filter and click Edit. The Edit File Filter Profile pane opens.
5. In the Rules table, click Create New.

6. Configure the rule:


a. For File types, click the + and select pdf and rar.
b. For Action, select Block.

c. Click OK to save the rule.


7. Click OK to save the file filter profile.

8. Click OK to save the interface settings.


9. Go to Log & Report > File Filter to view the logs.

To configure a one-arm sniffer policy in the CLI:

1. Configure the interface:


config system interface
edit "s1"
set vdom "root"
set ips-sniffer-mode enable
set type physical
set role undefined
set snmp-index 31
next
end

2. Configure the file filter profile:


config file-filter profile
edit "sniffer-profile"
set comment "File type inspection."
config rules
edit "1"
set protocol http ftp smtp imap pop3 cifs
set action block
set file-type "pdf" "rar"
next
end
next
end

3. Configure the firewall sniffer policy:


config firewall sniffer
edit 1
set interface "s1"
set file-filter-profile-status enable
set file-filter-profile "sniffer-profile"
next
end

4. View the log:


# execute log filter category 19
# execute log display
1 logs found.
1 logs returned.

1: date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800"
logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter"
level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20
srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1"
dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile"
direction="outgoing" action="blocked" filtername="1" filename="hello.pdf" filesize=9539
filetype="pdf" msg="File was blocked by file filter."
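The record above, as an added Python example that is not part of the guide: a parser for the FortiOS key=value log format (quoted values may contain spaces) and a filter that pulls out the file-filter blocks seen on a sniffer interface. The sample records are constructed; the first is modelled on the record shown above.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample records in the FortiOS key=value log format. The first is
# modelled on the file-filter record shown above; the other two are made up here
# (a second block with a space in the file name, and a non-UTM record).
SAMPLE_LOGS = [
    'date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800" '
    'logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" '
    'level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20 '
    'srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1" '
    'dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile" '
    'direction="outgoing" action="blocked" filtername="1" filename="hello.pdf" '
    'filesize=9539 filetype="pdf" msg="File was blocked by file filter."',
    'date=2020-12-29 time=09:15:02 logid="1900064000" type="utm" subtype="file-filter" '
    'vd="root" policyid=1 srcip=172.16.200.55 dstip=10.1.100.11 srcintf="s1" dstintf="s1" '
    'service="HTTP" profile="sniffer-profile" action="blocked" filename="q1 report.rar" '
    'filesize=120331 filetype="rar" msg="File was blocked by file filter."',
    'date=2020-12-29 time=09:15:10 type="traffic" subtype="sniffer" vd="root" '
    'srcip=172.16.200.55 dstip=10.1.100.11 srcintf="s1" service="HTTP" action="accept"',
]

# key=value pairs; a value is either a double-quoted string (backslash escapes
# allowed inside) or a run of non-space characters.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(record: str) -> Dict[str, str]:
    """Split one FortiOS log record into a dict of field name -> string value."""
    fields: Dict[str, str] = {}
    for key, raw in _FIELD.findall(record):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def file_filter_blocks(records: List[str], interface: str) -> List[Dict[str, object]]:
    """Return the file-filter block events seen on the given sniffer interface.
    On a one-arm sniffer 'blocked' is a verdict, not an enforcement: the mirrored
    copy is always dropped, so these events are the input to an investigation."""
    hits: List[Dict[str, object]] = []
    for record in records:
        f = parse_fortios_log(record)
        if (f.get("type") == "utm" and f.get("subtype") == "file-filter"
                and f.get("action") == "blocked" and f.get("srcintf") == interface):
            hits.append({
                "time": f"{f.get('date', '')} {f.get('time', '')}",
                "src": f.get("srcip", ""),
                "dst": f.get("dstip", ""),
                "service": f.get("service", ""),
                "filename": f.get("filename", ""),
                "filetype": f.get("filetype", ""),
                "size": int(f.get("filesize", "0")),
            })
    return hits


def blocked_type_counts(records: List[str], interface: str) -> Counter:
    """How many blocks per file type, e.g. to confirm the pdf/rar rule is firing."""
    return Counter(str(h["filetype"]) for h in file_filter_blocks(records, interface))


if __name__ == "__main__":
    for hit in file_filter_blocks(SAMPLE_LOGS, "s1"):
        print(hit)
    print(blocked_type_counts(SAMPLE_LOGS, "s1"))
```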

Interface migration wizard

The Integrate Interface option on the Network > Interfaces page helps migrate a physical port into another interface or
interface type, such as aggregate, software switch, redundant, zone, or SD-WAN zone. The FortiGate migrates object
references either by replacing the existing instance with the new interface or by deleting the existing instance, based on
the user's choice. Users can also change the VLAN ID of an existing VLAN sub-interface or FortiSwitch VLAN.

The interface migration wizard does not support turning an aggregate, software switch,
redundant, zone, or SD-WAN zone interface back into a physical interface.

Integrating an interface

In this example, a DHCP server interface is integrated into a newly created redundant interface, which transfers the
DHCP server to a redundant interface.

To integrate an interface:

1. Go to Network > Interfaces and select an interface in the list.


2. Click Integrate Interface. The wizard opens.

Alternatively, select an interface in the list. Then right-click and select Integrate Interface.

3. Select Migrate to Interface and click Next.

4. Select Create an Interface. Enter a name (rd1) and set the Type to Redundant.

5. Click Next. The References section lists the associated services with options to Replace Instance or Delete Entry.
6. For the DHCP server Action, select Replace Instance and click Create.

7. The migration occurs automatically and the statuses for the object and reference change to Updated entry. Click
Close.

Changing the VLAN ID

In this example, the VLAN ID of InternalVLAN is changed from 11 to 22.

To change the VLAN ID:

1. Go to Network > Interfaces and edit an existing interface.


2. Beside the VLAN ID field, click Edit. The Update VLAN ID window opens.

3. Enter the new ID (22) and click Next.

4. Verify the changes, then click Update and OK.

5. The target object status changes to Updated entry. Click Close.

In the interface settings, the ID displays as 22.

DNS

Domain name system (DNS) is used by devices to locate websites by mapping a domain name to a website’s IP
address.
A FortiGate can serve different roles based on user requirements:
• A FortiGate can control what DNS server a network uses.
• A FortiGate can function as a DNS server.
FortiGuard Dynamic DNS (DDNS) allows a remote administrator to access a FortiGate's Internet-facing interface using a
domain name that remains constant even when its IP address changes.
FortiOS supports DNS configuration for both IPv4 and IPv6 addressing. When a user requests a website, the FortiGate
looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to
complete the transaction.
The FortiGate queries the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP
or web servers defined by their domain names.
The following topics provide information about DNS:
• Important DNS CLI commands on page 176
• DNS domain list on page 178
• FortiGate DNS server on page 179
• DDNS on page 181
• DNS latency information on page 185
• DNS over TLS and HTTPS on page 187
• DNS troubleshooting on page 191

Important DNS CLI commands

DNS settings can be configured with the following CLI command:

config system dns
set primary <ip_address>
set secondary <ip_address>
set protocol {cleartext dot doh}
set ssl-certificate <string>
set server-hostname <hostname>
set domain <domains>
set ip6-primary <ip6_address>
set ip6-secondary <ip6_address>
set timeout <integer>
set retry <integer>
set dns-cache-limit <integer>
set dns-cache-ttl <integer>
set cache-notfound-responses {enable | disable}
set interface-select-method {auto | sdwan | specify}
set interface <interface>
set source-ip <class_ip>
end

For a FortiGate with multiple logical CPUs, you can set the number of DNS proxy worker processes from 1 to the number
of logical CPUs. The default is 1.
config system global
set dnsproxy-worker-count <integer>
end

DNS protocols

The following DNS protocols can be enabled:
• cleartext: Enable clear text DNS over port 53 (default).
• dot: Enable DNS over TLS.
• doh: Enable DNS over HTTPS.
For more information, see DNS over TLS and HTTPS on page 187.

cache-notfound-responses

When enabled, any DNS requests that are returned with NOT FOUND can be stored in the cache. The DNS server is not
asked to resolve the host name for NOT FOUND entries. By default, this option is disabled.

dns-cache-limit

Set the number of DNS entries that are stored in the cache (0 to 4294967295, default = 5000). Entries that remain in the
cache provide a quicker response to requests than going out to the Internet to get the same information.

dns-cache-ttl

The duration that the DNS cache retains information, in seconds (60 to 86400 (1 day), default = 1800).

DNS domain list

You can configure up to eight domains in the DNS settings using the GUI or the CLI.
When a client requests a URL that does not include an FQDN, FortiOS resolves the URL by traversing through the DNS
domain list and performing a query for each domain until the first match is found.
By default, FortiGate uses FortiGuard's DNS servers:
• Primary: 208.91.112.53
• Secondary: 208.91.112.52
You can also customize the DNS timeout time and the number of retry attempts.

To configure a DNS domain list in the GUI:

1. Go to Network > DNS.


2. Set DNS Servers to Specify.
3. Configure the primary and secondary DNS servers as needed.
4. In the Local Domain Name field, enter the first domain (sample.com in this example).
5. Click the + to add more domains (example.com and domainname.com in this example). You can enter up to eight
domains.
6. Configure additional DNS protocol and IPv6 settings as needed.

7. Click Apply.

To configure a DNS domain list in the CLI:

config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
set domain "sample.com" "example.com" "domainname.com"
end

Verify the DNS configuration

In the following example, the local DNS server has the entry for host1 mapped to the FQDN of host1.sample.com, and
the entry for host2 is mapped to the FQDN of host2.example.com.

To verify that the DNS domain list is configured:

1. Open Command Prompt.


2. Enter ping host1.
The system returns the following response:
PING host1.sample.com (1.1.1.1): 56 data bytes
As the request does not include an FQDN, FortiOS traverses the configured DNS domain list to find a match.
Because host1 is mapped to host1.sample.com, FortiOS resolves host1 using sample.com, the first entry in the
domain list.
3. Enter ping host2.
The system returns the following response:
PING host2.example.com (2.2.2.2): 56 data bytes
FortiOS traverses the domain list to find a match. It first queries sample.com, the first entry in the domain list, but
does not find a match. It then queries the second entry in the domain list, example.com. Because host2 is mapped
to the FQDN of host2.example.com, FortiOS resolves host2 to example.com.

DNS timeout and retry settings

The DNS timeout and retry settings can be customized using the CLI.
config system dns
set timeout <integer>
set retry <integer>
end

timeout <integer> The DNS query timeout interval, in seconds (1 - 10, default = 5).
retry <integer> The number of times to retry the DNS query (0 - 5, default = 2).
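The domain-list traversal from the previous section together with the timeout and retry settings, as an added Python model that is not part of FortiOS. DnsSearchList tries an unqualified name against each configured domain in order and retries each query per the retry setting; FakeResolver is a constructed resolver holding the guide's host1/host2 records and a log of the queries sent. Treating a dotted name as already qualified, and moving to the next domain once retries are exhausted, are my assumptions.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

MAX_DOMAINS = 8   # the guide's limit for the DNS domain list


class DnsTimeout(Exception):
    """Raised by a resolver when a query gets no answer within the timeout."""


class DnsSearchList:
    """Model of the domain-list traversal: an unqualified name is tried with each
    configured domain in order until the first match. Bounds follow the guide
    (timeout 1-10 s, retry 0-5, up to eight domains)."""

    def __init__(self, domains: List[str], timeout: int = 5, retry: int = 2):
        if not 1 <= len(domains) <= MAX_DOMAINS:
            raise ValueError(f"between 1 and {MAX_DOMAINS} domains are allowed")
        if not 1 <= timeout <= 10:
            raise ValueError("timeout must be 1-10 seconds")
        if not 0 <= retry <= 5:
            raise ValueError("retry must be 0-5")
        self.domains = [d.strip(".").lower() for d in domains]
        self.timeout = timeout
        self.retry = retry

    def candidates(self, name: str) -> List[str]:
        name = name.strip(".").lower()
        # Assumption (not from the guide): a name that already contains a dot
        # is treated as fully qualified and queried as-is.
        if "." in name:
            return [name]
        return [f"{name}.{domain}" for domain in self.domains]

    def resolve(self, name: str,
                query: Callable[[str, int], Optional[str]]) -> Optional[Tuple[str, str]]:
        """Return (fqdn, ip) for the first candidate that resolves, else None."""
        for fqdn in self.candidates(name):
            ip = self._query_with_retry(fqdn, query)
            if ip is not None:
                return fqdn, ip
        return None

    def _query_with_retry(self, fqdn: str,
                          query: Callable[[str, int], Optional[str]]) -> Optional[str]:
        attempts = 1 + self.retry            # one query plus 'retry' retries
        for attempt in range(attempts):
            try:
                return query(fqdn, self.timeout)
            except DnsTimeout:
                if attempt == attempts - 1:
                    # Assumption: after the last retry the candidate is treated
                    # as unresolved and the next domain is tried.
                    return None
        return None


class FakeResolver:
    """Constructed resolver: a fixed record table, names that time out once
    before answering, and a log of every query in the order it was sent."""

    def __init__(self, records: Dict[str, str], flaky: Set[str] = frozenset()):
        self.records = records
        self.pending_timeouts = set(flaky)
        self.queries: List[str] = []

    def __call__(self, fqdn: str, timeout: int) -> Optional[str]:
        self.queries.append(fqdn)
        if fqdn in self.pending_timeouts:
            self.pending_timeouts.discard(fqdn)   # time out only once
            raise DnsTimeout(f"{fqdn}: no answer within {timeout}s")
        return self.records.get(fqdn)


# Constructed records matching the hosts in the guide's example.
RECORDS = {"host1.sample.com": "1.1.1.1", "host2.example.com": "2.2.2.2"}
SEARCH = DnsSearchList(["sample.com", "example.com", "domainname.com"])

if __name__ == "__main__":
    resolver = FakeResolver(RECORDS, flaky={"host2.example.com"})
    for host in ("host1", "host2", "host3"):
        print(host, "->", SEARCH.resolve(host, resolver))
    print("queries sent:", resolver.queries)
```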

FortiGate DNS server

You can create local DNS servers for your network. Depending on your requirements, you can either manually maintain
your entries (primary DNS server), or use it to refer to an outside source (secondary DNS server).
A local, primary DNS server requires you to manually add all URL and IP address combinations. Using a primary
DNS server for local services can minimize inbound and outbound traffic and access time. Making it authoritative is not
recommended, because IP addresses can change, and maintaining the list can become labor intensive.
A secondary DNS server refers to an alternate source to obtain URL and IP address combinations. This is useful when
there is a primary DNS server where the entry list is maintained.
FortiGate as a DNS server also supports TLS and HTTPS connections to a DNS client. See DNS over TLS and HTTPS
on page 187 for details.
By default, DNS server options are not available in the FortiGate GUI.

To enable DNS server options in the GUI:

1. Go to System > Feature Visibility.


2. Enable DNS Database in the Additional Features section.
3. Click Apply.

Example configuration

This section describes how to create an unauthoritative primary DNS server. The interface mode is recursive so that, if
the request cannot be fulfilled, the external DNS servers will be queried.

To configure FortiGate as a primary DNS server in the GUI:

1. Go to Network > DNS Servers.


2. In the DNS Database table, click Create New.
3. Set Type to Primary.
4. Set View to Shadow.
The View setting controls the accessibility of the DNS server. If you select Public, external users can access or use
the DNS server. If you select Shadow, only internal users can use it.
5. Enter a DNS Zone, for example, WebServer.
6. Enter the Domain Name of the zone, for example, fortinet.com.
7. Enter the Hostname of the DNS server, for example, Corporate.
8. Enter the Contact Email Address for the administrator, for example, [email protected].
9. Disable Authoritative.

10. Add DNS entries:
a. In the DNS Entries table, click Create New.
b. Select a Type, for example Address (A).
c. Set the Hostname, for example web.example.com.
d. Configure the remaining settings as needed. The options vary depending on the selected Type.
e. Click OK.
11. Add more DNS entries as needed.

12. Click OK.
13. Enable DNS services on an interface:
a. Go to Network > DNS Servers.
b. In the DNS Service on Interface table, click Create New.
c. Select the Interface for the DNS server, such as wan2.
d. Set the Mode to Recursive.
e. Click OK.

To configure FortiGate as a primary DNS server in the CLI:

config system dns-database
    edit WebServer
        set domain example.com
        set type master
        set view shadow
        set ttl 86400
        set primary-name corporate
        set contact [email protected]
        set authoritative disable
        config dns-entry
            edit 1
                set status enable
                set hostname web.example.com
                set type A
                set ip 192.168.21.12
            next
        end
    next
end
config system dns-server
    edit wan2
        set mode recursive
    next
end

DDNS

If your external IP address changes regularly and you have a static domain name, you can configure the external
interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to
your company firewall. If you have a FortiGuard subscription, you can use FortiGuard as the DDNS server.

- FortiGate does not support DDNS for pure TP mode.
- FortiGate models 1000D and higher do not support DDNS in the GUI.


You can configure FortiGuard as the DDNS server using the GUI or CLI.

Sample topology

In this example, FortiGuard DDNS is enabled and the DDNS server is set to float-zone.com. Other DDNS server options
include fortiddns.com and fortidyndns.com.

To configure FortiGuard DDNS service as a DDNS server in the GUI:

1. Go to Network > DNS.
2. Enable FortiGuard DDNS.
3. Select the Interface with the dynamic connection.
4. Select the Server that you have an account with.
5. Enter your Unique Location.
6. Click Apply.

To configure the FortiGuard DDNS service as an IPv4 DDNS server in the CLI:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set server-type ipv4
        set ddns-domain "branch.float-zone.com"
        set addr-type ipv4
        set use-public-ip enable
        set monitor-interface "wan1"
    next
end

To configure the FortiGuard DDNS service as an IPv6 DDNS server in the CLI:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set server-type ipv6
        set ddns-domain "fgtatest001.float-zone.com"
        set addr-type ipv6
        set monitor-interface "wan1"
    next
end

DDNS servers other than FortiGuard

If you do not have a FortiGuard subscription, or want to use a different DDNS server, you can configure a DDNS server
for each interface. Only the first configured port appears in the GUI.
The available commands vary depending on the selected DDNS server.

To configure DDNS servers other than FortiGuard in the CLI:

config system ddns
    edit <DDNS_ID>
        set monitor-interface <external_interface>
        set ddns-server <ddns_server_selection>
        set server-type {ipv4 | ipv6}
        set ddns-server-addr <address>
        set addr-type {ipv4 | ipv6}
        ...
    next
end

To configure an IPv6 DDNS client with generic DDNS on port 3 in the CLI:

config system ddns
    edit 1
        set ddns-server genericDDNS
        set server-type ipv6
        set ddns-server-addr "2004:16:16:16::2" "16.16.16.2" "ddns.genericddns.com"
        set ddns-domain "test.com"
        set addr-type ipv6
        set monitor-interface "port3"
    next
end


Refresh DDNS IP addresses

When FortiGuard is the DDNS server, you can configure FortiGate to refresh DDNS IP addresses. FortiGate periodically
checks the DDNS server that is configured.

To configure FortiGate to refresh DDNS IP addresses in the CLI:

config system ddns
    edit 1
        set use-public-ip enable
        set update-interval <seconds>
    next
end

Disable cleartext

When clear-text is disabled, FortiGate uses the SSL connection to send and receive DDNS updates.

To disable cleartext and set the SSL certificate in the CLI:

config system ddns
    edit 2
        set clear-text disable
        set ssl-certificate <cert_name>
    next
end

DDNS update override

A DHCP server has an override command option that allows DHCP server communications to go through DDNS to
perform updates for the DHCP client. This enforces a DDNS update of the A record every time, even if the DHCP client
does not request it. This allows support for the allow, ignore, and deny client-updates options.

To enable DDNS update override in the CLI:

config system dhcp server
    edit 1
        set ddns-update enable
        set ddns-update-override enable
        set ddns-server-ip <ddns_server_ip>
        set ddns-zone <ddns_zone>
    next
end

Troubleshooting

To debug DDNS:

# diagnose debug application ddnscd -1
# diagnose debug enable


To check if a DDNS server is available:

# diagnose test application ddnscd 3

Not available:
FortiDDNS status:
ddns_ip=0.0.0.0, ddns_ip6=::, ddns_port=443 svr_num=0 domain_num=0

Available:
FortiDDNS status:
ddns_ip=208.91.113.230, ddns_ip6=::, ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com

DNS latency information

High latency in DNS traffic can result in an overall sluggish experience for end-users. In the DNS Settings pane, you can
quickly identify DNS latency issues in your configuration.
Go to Network > DNS to view DNS latency information in the right side bar. If you use FortiGuard DNS, latency
information for DNS, DNS filter, web filter, and outbreak prevention servers is also visible. Hover your pointer over a
latency value to see when it was last updated.

To view DNS latency information using the CLI:

# diagnose test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=2001::1 latency=1494 updated=73311
vfid=0 server=208.91.112.52 latency=1405 updated=2547
vfid=0 server=208.91.112.53 latency=19 updated=91
SDNS latency info:
vfid=0 server=173.243.138.221 latency=1 updated=707681
DNS_CACHE: alloc=35, hit=26
RATING_CACHE: alloc=1, hit=49
DNS UDP: req=66769 res=63438 fwd=83526 alloc=0 cmp=0 retrans=16855 to=3233
cur=111 switched=8823467 num_switched=294 v6_cur=80 v6_switched=7689041 num_v6_switched=6
ftg_res=8 ftg_fwd=8 ftg_retrans=0
DNS TCP: req=0, res=0, fwd=0, retrans=0 alloc=0, to=0
FQDN: alloc=45 nl_write_cnt=9498 nl_send_cnt=21606 nl_cur_cnt=0
Botnet: searched=57 hit=0 filtered=57 false_positive=0

To view the latency from web filter and outbreak protection servers using the CLI:

# diagnose debug rating
Locale : english

Service : Web-filter
Status : Enable
License : Contract

Service : Antispam
Status : Disable

Service : Virus Outbreak Prevention
Status : Disable

-=- Server List (Tue Jan 22 08:03:14 2019) -=-

IP               Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost  Updated Time
173.243.138.194  10      0    DI     -8  700      0          2           Tue Jan 22 08:02:44 2019
173.243.138.195  10      0           -8  698      0          4           Tue Jan 22 08:02:44 2019
173.243.138.198  10      0           -8  698      0          4           Tue Jan 22 08:02:44 2019
173.243.138.196  10      0           -8  697      0          3           Tue Jan 22 08:02:44 2019
173.243.138.197  10      1           -8  694      0          0           Tue Jan 22 08:02:44 2019
96.45.33.64      10      22   D      -8  701      0          6           Tue Jan 22 08:02:44 2019
64.26.151.36     40      62          -5  704      0          10          Tue Jan 22 08:02:44 2019
64.26.151.35     40      62          -5  703      0          9           Tue Jan 22 08:02:44 2019
209.222.147.43   40      70   D      -5  696      0          1           Tue Jan 22 08:02:44 2019
66.117.56.42     40      70          -5  697      0          3           Tue Jan 22 08:02:44 2019
66.117.56.37     40      71          -5  702      0          9           Tue Jan 22 08:02:44 2019
65.210.95.239    40      74          -5  695      0          1           Tue Jan 22 08:02:44 2019
65.210.95.240    40      74          -5  695      0          1           Tue Jan 22 08:02:44 2019
45.75.200.88     90      142         0   706      0          12          Tue Jan 22 08:02:44 2019
45.75.200.87     90      155         0   714      0          20          Tue Jan 22 08:02:44 2019
45.75.200.85     90      156         0   711      0          17          Tue Jan 22 08:02:44 2019
45.75.200.86     90      159         0   704      0          10          Tue Jan 22 08:02:44 2019
62.209.40.72     100     157         1   701      0          7           Tue Jan 22 08:02:44 2019
62.209.40.74     100     173         1   705      0          11          Tue Jan 22 08:02:44 2019
62.209.40.73     100     173         1   699      0          5           Tue Jan 22 08:02:44 2019
121.111.236.179  180     138         9   706      0          12          Tue Jan 22 08:02:44 2019
121.111.236.180  180     138         9   704      0          10          Tue Jan 22 08:02:44 2019

DNS over TLS and HTTPS

DNS over TLS (DoT) is a security protocol for encrypting and encapsulating DNS queries and responses over the TLS
protocol. DoT increases user privacy and security by preventing eavesdropping and manipulation of DNS data via
man-in-the-middle attacks. Similarly, DNS over HTTPS (DoH) provides a method of performing DNS resolution over a
secure HTTPS connection. DoT and DoH are supported in explicit mode where the FortiGate acts as an explicit DNS
server that listens for DoT and DoH requests. Local-out DNS traffic over TLS and HTTPS is also supported.

Basic configurations for enabling DoT and DoH for local-out DNS queries

To enable DoT and DoH DNS in the GUI:

1. Go to Network > DNS.
2. Enter the primary and secondary DNS server addresses.
3. In the DNS Protocols section, enable TLS (TCP/853) and HTTPS (TCP/443).
4. Configure the other settings as needed.
5. Click Apply.

To enable DoT and DoH DNS in the CLI:

config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
    set protocol {cleartext dot doh}
end

To enable DoH on the DNS server in the GUI:

1. Go to Network > DNS Servers.
2. In the DNS Service on Interface section, edit an existing interface, or create a new one.
3. Select a Mode, and DNS Filter profile.
4. Enable DNS over HTTPS.
5. Click OK.

To enable DoH on the DNS server in the CLI:

config system dns-server
    edit "port1"
        set dnsfilter-profile "dnsfilter"
        set doh enable
    next
end

Examples

The following examples demonstrate how to configure DNS settings to support DoT and DoH queries made to the
FortiGate.


DoT

The following example uses a DNS filter profile where the education category is blocked.

To enable scanning DoT traffic in explicit mode with a DNS filter:

1. Configure the DNS settings:

config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
    set protocol dot
end

2. Configure the DNS filter profile:

config dnsfilter profile
    edit "dnsfilter"
        config ftgd-dns
            config filters
                edit 1
                    set category 30
                    set action block
                next
            end
        end
    next
end

3. Configure the DNS server settings:

config system dns-server
    edit "port1"
        set dnsfilter-profile "dnsfilter"
    next
end

4. Send a DNS query over TLS (this example uses kdig on an Ubuntu client) using the FortiGate as the DNS server.
The www.ubc.ca domain belongs to the education category:


root@client:/tmp# kdig -d @10.1.100.173 +tls +header +all www.ubc.ca
;; DEBUG: Querying for owner(www.ubc.ca.), class(1), type(1), server(10.1.100.173), port(853), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=FortiGate,CN=FG3H1E5818903681,EMAIL=support@fortinet.com
;; DEBUG: SHA-256 PIN: Xhkpv9ABEhxDLtWG+lGEndNrBR7B1xjRYlGn2ltlkb8=
;; DEBUG: #2, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-subca2001,[email protected]
;; DEBUG: SHA-256 PIN: 3T8EqFBjpRSkxQNPFagjUNeEUghXOEYp904ROlJM8yo=
;; DEBUG: #3, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-ca2,[email protected]
;; DEBUG: SHA-256 PIN: /QfV4N3k5oxQR5RHtW/rbn/HrHgKpMLN0DEaeXY5yPg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56719
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.ubc.ca. IN A

;; ANSWER SECTION:
www.ubc.ca. 60 IN A 208.91.112.55

;; Received 44 B
;; Time 2021-03-12 23:11:27 PST
;; From 10.1.100.173@853(TCP) in 0.2 ms
root@client:/tmp#

The IP returned by the FortiGate for www.ubc.ca belongs to the FortiGuard block page, so the query was blocked
successfully.
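The same check can be scripted without kdig. The Python example below is an addition, not code from this guide: it builds the A query for www.ubc.ca, applies the two-byte length prefix that DoT carries on the TLS stream, parses the answer and reports whether the only address returned is the FortiGuard block page. The parser is exercised against constructed response bytes reproducing the 44-byte answer above; the query_dot function, its txid default and the cafile argument are assumptions for a live check.

```python
import socket
import ssl
import struct

# Address the FortiGate handed back for the blocked query in the kdig run above. On another unit,
# read it from the FGD_REDIR_V4 field of `diagnose test application dnsproxy 3`.
BLOCK_PAGE_IP = "208.91.112.55"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels, e.g. www.ubc.ca -> 3www3ubc2ca0."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_a_query(name: str, txid: int) -> bytes:
    """Standard query with RD set and one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def dot_frame(message: bytes) -> bytes:
    """DoT (like plain DNS over TCP) prefixes each message with its 16-bit big-endian length."""
    return struct.pack("!H", len(message)) + message


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, whether written out or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Header fields and every A-record address from an unframed DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "rcode": flags & 0x000F, "a": addrs}


def is_block_page(parsed: dict, block_ip: str = BLOCK_PAGE_IP) -> bool:
    """True when the resolver answered NOERROR with nothing but the block page address."""
    return parsed["rcode"] == 0 and parsed["a"] == [block_ip]


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT peer closed the connection early")
        buf += chunk
    return buf


def query_dot(server: str, name: str, cafile: str, port: int = 853, txid: int = 0x1234) -> dict:
    """Live DoT query; not exercised offline. The chain is checked against cafile (the Fortinet
    CA from the kdig trace), but hostname checking is off because the FortiGate certificate's
    CN is its serial number, not the address being connected to."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((server, port), timeout=5) as raw, ctx.wrap_socket(raw) as tls:
        tls.sendall(dot_frame(build_a_query(name, txid)))
        length = struct.unpack("!H", _recv_exact(tls, 2))[0]
        return parse_response(_recv_exact(tls, length))


# Constructed response bytes reproducing the 44-byte answer in the kdig trace:
# id 56719, flags qr rd, NOERROR, "www.ubc.ca. 60 IN A 208.91.112.55".
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 56719, 0x8100, 1, 1, 0, 0)
    + encode_name("www.ubc.ca") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([208, 91, 112, 55])
)

if __name__ == "__main__":
    answer = parse_response(SAMPLE_RESPONSE)
    print(answer, "-> blocked" if is_block_page(answer) else "-> resolved")
```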

DoH

The following example uses a DNS filter profile where the education category is blocked.

To configure scanning DoH traffic in explicit mode with a DNS filter:

1. Configure the DNS settings:

config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
    set protocol doh
end

2. Configure the DNS filter profile:

config dnsfilter profile
    edit "dnsfilter"
        config ftgd-dns
            config filters
                edit 1
                    set category 30
                    set action block
                next
            end
        end
    next
end

3. Configure the DNS server settings:

config system dns-server
    edit "port1"
        set dnsfilter-profile "dnsfilter"
        set doh enable
    next
end

4. In your browser, enable DNS over HTTPS.
5. On your computer, edit the TCP/IP settings to use the FortiGate interface address as the DNS server.
6. In your browser, go to a website in the education category (www.ubc.ca). The website is redirected to the block
page.

DNS troubleshooting

The following diagnose command can be used to collect DNS debug information. If you do not specify a worker ID, the
default worker ID is 0.

# diagnose test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker


To view useful information about the ongoing DNS connection:

# diagnose test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is primary, vdom dns is disabled, mip-169.254.0.1 dns_log=1 tls=0 cert=
dns64 is disabled
vdom: vdom1, index=1, is primary, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=
dns64 is disabled
dns-server:208.91.112.220:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:8.8.8.8:53 tz=0 tls=0 req=73 to=0 res=73 rt=5 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:65.39.139.63:53 tz=0 tls=0 req=39 to=0 res=39 rt=1 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:62.209.40.75:53 tz=60 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:209.222.147.38:53 tz=-300 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:173.243.138.221:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:45.75.200.89:53 tz=0 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=-1
DNS FD: udp_s=12 udp_c=17:18 ha_c=22 unix_s=23, unix_nb_s=24, unix_nc_s=25
v6_udp_s=11, v6_udp_c=20:21, snmp=26, redir=13, v6_redir=14
DNS FD: tcp_s=29, tcp_s6=27, redir=31 v6_redir=32
FQDN: hash_size=1024, current_query=1024
DNS_DB: response_buf_sz=131072
LICENSE: expiry=2015-04-08, expired=1, type=2
FDG_SERVER:208.91.112.220:53
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=eb19, tz=-480, error_allow=0
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:

Important fields include:

tls     1 if the connection is TLS, 0 if the connection is not TLS.
rt      The round trip time of the DNS latency.
probe   The number of probes sent.
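Both printouts are easier to act on when parsed than when read by eye. The Python example below is an addition, not Fortinet code: it parses the dns-server lines of `diagnose test application dnsproxy 3` and the latency lines of `diagnose test application dnsproxy 2` from constructed samples whose values are copied from the outputs shown in this section, and flags servers that are cleartext (tls=0), not ready, slow, or whose latency sits at the query timeout. The rt_warn value and the 90 % timeout threshold are assumptions, not FortiOS settings.

```python
import re
from typing import Dict, List

# Constructed samples in the shape of the two printouts; the values are the ones shown in the guide.
SAMPLE_DNSPROXY_3 = """\
worker idx: 0
dns-server:208.91.112.220:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:8.8.8.8:53 tz=0 tls=0 req=73 to=0 res=73 rt=5 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:65.39.139.63:53 tz=0 tls=0 req=39 to=0 res=39 rt=1 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:
"""

SAMPLE_DNSPROXY_2 = """\
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=2001::1 latency=1494 updated=73311
vfid=0 server=208.91.112.52 latency=1405 updated=2547
vfid=0 server=208.91.112.53 latency=19 updated=91
SDNS latency info:
vfid=0 server=173.243.138.221 latency=1 updated=707681
DNS_CACHE: alloc=35, hit=26
"""

_KV = re.compile(r"([A-Za-z0-9_]+)=(\S*)")


def _fields(text: str) -> Dict[str, object]:
    """key=value pairs of one line; integer values are converted, anything else stays a string."""
    return {k: int(v) if re.fullmatch(r"-?\d+", v) else v for k, v in _KV.findall(text)}


def parse_dns_servers(output: str) -> List[dict]:
    """The dns-server:<host>:<port> lines of `diagnose test application dnsproxy 3`."""
    servers = []
    for line in output.splitlines():
        if not line.startswith("dns-server:"):
            continue
        head, _, rest = line.partition(" ")
        host, _, port = head[len("dns-server:"):].rpartition(":")  # keeps IPv6 hosts intact
        entry = {"server": host, "port": int(port)}
        entry.update(_fields(rest))
        servers.append(entry)
    return servers


def parse_latency(output: str) -> dict:
    """query_timeout and the DNS / SDNS latency lines of `diagnose test application dnsproxy 2`."""
    result = {"query_timeout": None, "servers": []}
    section = None
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("latency info:"):
            section = line.split()[0]  # "DNS" or "SDNS"
            continue
        kv = _fields(line)
        if "query_timeout" in kv:
            result["query_timeout"] = kv["query_timeout"]
        elif section and "latency" in kv:
            result["servers"].append({"section": section, "server": kv["server"],
                                      "latency": kv["latency"], "updated": kv["updated"]})
    return result


def assess(servers: List[dict], latency: dict, rt_warn: int = 100) -> List[dict]:
    """Findings worth a ticket: cleartext servers (tls=0), servers not ready, slow round trips,
    and latencies sitting at the query timeout, which means the server is not really answering.
    rt_warn and the 90 % timeout threshold are assumed values, not FortiOS settings."""
    findings = []
    for s in servers:
        name = f"{s['server']}:{s['port']}"
        if s.get("tls") == 0:
            findings.append({"server": name, "issue": "cleartext",
                             "detail": "tls=0: local-out queries are not protected by DoT/DoH"})
        if s.get("ready") == 0:
            findings.append({"server": name, "issue": "not-ready",
                             "detail": f"probe={s.get('probe')} failure={s.get('failure')}"})
        elif s.get("rt", 0) > rt_warn:
            findings.append({"server": name, "issue": "slow", "detail": f"rt={s['rt']}"})
    timeout = latency.get("query_timeout")
    for e in latency["servers"]:
        label = f"{e['section']} latency={e['latency']}"
        if timeout and e["latency"] >= 0.9 * timeout:
            findings.append({"server": e["server"], "issue": "timeout",
                             "detail": f"{label} against query_timeout={timeout}"})
        elif e["latency"] > rt_warn:
            findings.append({"server": e["server"], "issue": "slow", "detail": label})
    return findings


if __name__ == "__main__":
    for f in assess(parse_dns_servers(SAMPLE_DNSPROXY_3), parse_latency(SAMPLE_DNSPROXY_2)):
        print(f"{f['issue']:<10} {f['server']:<22} {f['detail']}")
```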

To dump the second DNS worker's cache:

diagnose test application dnsproxy 7 1

To enable debug on the second worker:

diagnose debug application dnsproxy -1 1

To enable debug on all workers by specifying -1 as worker ID:

diagnose debug application dnsproxy -1 -1


Explicit and transparent proxies

This section contains instructions for configuring explicit and transparent proxies.
- Explicit web proxy on page 193
- Transparent proxy on page 197
- FTP proxy on page 196
- Proxy policy addresses on page 199
- Proxy policy security profiles on page 206
- Explicit proxy authentication on page 210
- Transparent web proxy forwarding on page 216
- Upstream proxy authentication in transparent proxy mode on page 220
- Multiple dynamic header count on page 222
- Restricted SaaS access on page 224
- Explicit proxy and FortiSandbox Cloud on page 226
- Proxy chaining on page 229
- WAN optimization SSL proxy chaining on page 234
- Agentless NTLM authentication for web proxy on page 242
- Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers on page 245
- Learn client IP addresses on page 246
- Explicit proxy authentication over HTTPS on page 247
- mTLS client certificate authentication on page 249

Explicit web proxy

Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.
To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or
they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.
When explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward
requests directly to the FortiGate. FortiGate also supports PAC file configuration.

To configure explicit web proxy in the GUI:

1. Enable and configure explicit web proxy:
a. Go to Network > Explicit Proxy.
b. Enable Explicit Web Proxy.
c. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
d. Configure the remaining settings as needed.
e. Click Apply.
2. Create an explicit web proxy policy:
a. Go to Policy & Objects > Proxy Policy.
b. Click Create New.
c. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
d. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
e. Click OK to create the policy.

This example creates a basic policy. If required, security profiles can be enabled, and deep
SSL inspection can be selected to inspect HTTPS traffic.

3. Configure a client to use the FortiGate explicit proxy:
Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the
PAC file.

To configure explicit web proxy in the CLI:

1. Enable and configure explicit web proxy:

config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set http-incoming-port 8080
    set ipv6-status enable
    set unknown-http-version best-effort
end
config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-web-proxy enable
        set snmp-index 12
    next
end

2. Create an explicit web proxy policy:

config firewall proxy-policy
    edit 1
        set name "proxy-policy-explicit"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

This example creates a basic policy. If required, security profiles can be enabled, and deep
SSL inspection can be selected to inspect HTTPS traffic.

3. Configure a client to use the FortiGate explicit web proxy:
Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the
PAC file.


FTP proxy

FTP proxies can be configured on the FortiGate so that FTP traffic can be proxied. When the FortiGate is configured as
an FTP proxy, FTP client applications should be configured to send FTP requests to the FortiGate.

To configure explicit FTP proxy in the GUI:

1. Enable and configure explicit FTP proxy:
a. Go to Network > Explicit Proxy.
b. Enable Explicit FTP Proxy.
c. Select port2 as the Listen on Interfaces and set the HTTP Port to 21.
d. Configure the Default Firewall Policy Action as needed.
e. Click Apply.
2. Create an explicit FTP proxy policy:
a. Go to Policy & Objects > Proxy Policy.
b. Click Create New.
c. Set Proxy Type to FTP and Outgoing Interface to port1.
d. Also set Source and Destination to all, Schedule to always, and Action to ACCEPT.

e. Click OK to create the policy.

This example creates a basic policy. If required, security profiles can be enabled.

3. Configure the FTP client application to use the FortiGate IP address.


To configure explicit FTP proxy in the CLI:

1. Enable and configure explicit FTP proxy:

config ftp-proxy explicit
    set status enable
    set incoming-port 21
end
config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-ftp-proxy enable
        set snmp-index 12
    next
end

2. Create an explicit FTP proxy policy:

config firewall proxy-policy
    edit 4
        set name "proxy-policy-ftp"
        set proxy ftp
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
    next
end

This example creates a basic policy. If required, security profiles can be enabled.

3. Configure the FTP client application to use the FortiGate IP address.

Transparent proxy

In a transparent proxy deployment, the user's client software, such as a browser, is unaware that it is communicating
with a proxy.
Users request internet content as usual, without any special client configuration, and the proxy serves their requests.
FortiGate can also be configured in transparent proxy mode.
To redirect HTTPS traffic, SSL inspection is required.

To configure transparent proxy in the GUI:

1. Configure a regular firewall policy with HTTP redirect:
a. Go to Policy & Objects > Firewall Policy.
b. Click Create New.
c. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
d. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.
e. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.
f. Configure the remaining settings as needed.
g. Click OK.
2. Configure a transparent proxy policy:
a. Go to Policy & Objects > Proxy Policy.
b. Click Create New.
c. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to
port1.
d. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
e. Configure the remaining settings as needed.
f. Click OK to create the policy.
3. No special configuration is required on the client to use FortiGate transparent proxy. As the client is using the
FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the
transparent proxy policy.


To configure transparent proxy in the CLI:

1. Configure a regular firewall policy with HTTP redirect:

config firewall policy
    edit 1
        set name "LAN To WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set fsso disable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end

2. Configure a transparent proxy policy:

config firewall proxy-policy
    edit 5
        set name "proxy-policy-transparent"
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end

This example creates a basic policy. If required, security profiles can be enabled, and deep
SSL inspection can be selected to inspect HTTPS traffic.

3. No special configuration is required on the client to use FortiGate transparent proxy. As the client is using the
FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the
transparent proxy policy.

Proxy policy addresses

Proxy addresses are designed to be used only by proxy policies. The following address types are available:
- Host regex match on page 200
- URL pattern on page 201
- URL category on page 202
- HTTP method on page 202
- HTTP header on page 203
- User agent on page 204
- Advanced (source) on page 204
- Advanced (destination) on page 205

Fast policy match

The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate
devices.
When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different
proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at
a time from the beginning of the policy list.
Fast policy matching is enabled by default, and can be configured with the following CLI command:
config web-proxy global
    set fast-policy-match {enable | disable}
end

Host regex match

In this address type, a user can create a hostname as a regular expression. Once created, the hostname address can be
selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the
regular expression.
This example creates a host regex match address with the pattern qa.[a-z]*.com.

To create a host regex match address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
- Category to Proxy Address,
- Name to Host Regex,
- Type to Host Regex Match, and
- Host Regex Pattern to qa.[a-z]*.com.
4. Click OK.


To create a host regex match address in the CLI:

config firewall proxy-address
    edit "Host Regex"
        set type host-regex
        set host-regex "qa.[a-z]*.com"
    next
end
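A pattern written for a policy address deserves the same scrutiny as a firewall rule. The Python snippet below is an added illustration, not part of the guide: it runs the example pattern and a tightened form over constructed hostnames, assuming (as Python's re.search does) that a host regex is evaluated as an unanchored search, so an unescaped dot matches any character and text before or after the pattern is ignored.

```python
import re
from typing import Dict, List, Tuple

# The pattern from the example above, and a tightened form: escaped dots, at least one
# letter in the middle label, and anchors so the whole hostname has to match.
PAGE_PATTERN = r"qa.[a-z]*.com"
STRICT_PATTERN = r"^qa\.[a-z]+\.com$"

# Constructed hostnames for the comparison; only the first is what the example intends to match.
HOSTS = [
    "qa.example.com",
    "qa.eu.example.com",
    "qaxexamplecom",
    "qa.example.com.other.example",
    "notqa.example.com",
]


def matches(pattern: str, host: str) -> bool:
    """Unanchored search, the assumed evaluation model for a regex-based policy address."""
    return re.search(pattern, host) is not None


def compare(hosts: List[str], loose: str = PAGE_PATTERN,
            strict: str = STRICT_PATTERN) -> Dict[str, Tuple[bool, bool]]:
    """For each host: (matched by the example pattern, matched by the strict pattern)."""
    return {h: (matches(loose, h), matches(strict, h)) for h in hosts}


def over_matches(hosts: List[str], loose: str = PAGE_PATTERN,
                 strict: str = STRICT_PATTERN) -> List[str]:
    """Hosts the loose pattern accepts that the strict one rejects, i.e. the policy's blind spot."""
    return [h for h, (l, s) in compare(hosts, loose, strict).items() if l and not s]


if __name__ == "__main__":
    for host, (loose, strict) in compare(HOSTS).items():
        print(f"{host:<32} loose={loose!s:<5} strict={strict}")
```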

URL pattern

In this address type, a user can create a URL path as a regular expression. Once created, the path address can be
selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the
regular expression.
This example creates a URL pattern address with the pattern /filetypes/.

To create a URL pattern address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
- Category to Proxy Address,
- Name to URL Regex,
- Type to URL Pattern,
- Host to all, and
- URL Path Regex to /filetypes/.
4. Click OK.

To create a URL pattern address in the CLI:

config firewall proxy-address
    edit "URL Regex"
        set type url
        set host "all"
        set path "/filetypes/"
    next
end


URL category

In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can be
selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the URL
category.
The example creates a URL category address for URLs in the Education category. For more information about
categories, see https://fortiguard.com/webfilter/categories.
For information about creating and using custom local and remote categories, see Web rating override on page 1014
and Threat feeds on page 1993.

To create a URL category address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
- Category to Proxy Address,
- Name to url-category,
- Type to URL Category,
- Host to all, and
- URL Category to Education.
4. Click OK.

To create a URL category address in the CLI:

config firewall proxy-address
    edit "url-category"
        set type category
        set host "all"
        set category 30
    next
end

To see a list of all the categories and their numbers, when editing the address, enter set category ?.

HTTP method

In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method
options are supported, including: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, and TRACE. Once
created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block
requests that match the selected HTTP method.


The example creates an HTTP method address that uses the GET method.

To create an HTTP method address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
- Category to Proxy Address,
- Name to method_get,
- Type to HTTP Method,
- Host to all, and
- Request Method to GET.
4. Click OK.

To create an HTTP method address in the CLI:

config firewall proxy-address
    edit "method_get"
        set type method
        set host "all"
        set method get
    next
end

HTTP header

In this address type, a user can create an HTTP header as a regular expression. Once created, the header address can
be selected as a source of a proxy policy. This means that a policy will only allow or block requests where the HTTP
header matches the regular expression.
This example creates an HTTP header address with the pattern Q[A-B].

To create an HTTP header address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
- Category to Proxy Address,
- Name to HTTP-header,
- Type to HTTP Header,
- Host to all,
- Header Name to Header_Test, and
- Header Regex to Q[A-B].
4. Click OK.


To create an HTTP header address in the CLI:

config firewall proxy-address
    edit "HTTP-header"
        set type header
        set host "all"
        set header-name "Header_Test"
        set header "Q[A-B]"
    next
end

User agent

In this address type, a user can create an address based on the names of the browsers that are used as user agents.
Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can
be selected as a source of a proxy policy. This means that a policy will only allow or block requests from the specified
user agent.
This example creates a user agent address for Google Chrome.

To create a user agent address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
- Category to Proxy Address,
- Name to UA-Chrome,
- Type to User Agent,
- Host to all, and
- User Agent to Google Chrome.
4. Click OK.

To create a user agent address in the CLI:

config firewall proxy-address
    edit "UA-Chrome"
        set type ua
        set host "all"
        set ua chrome
    next
end

Advanced (source)

In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent,
and HTTP header. Once created, the address can be selected as a source of a proxy policy. This means that a policy will
only allow or block requests that match the selected address.
This example creates an address that uses the GET method, a user agent for Google Chrome, and an HTTP header with
the pattern Q[A-B].


To create an advanced (source) address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Set the following:
• Category to Proxy Address,
• Name to advanced_src,
• Type to Advanced (Source),
• Host to all,
• Request Method to GET,
• User Agent to Google Chrome, and
• HTTP header to Header_Test : Q[A-B].
4. Click OK.

To create an advanced (source) address in the CLI:

config firewall proxy-address
    edit "advanced_src"
        set type src-advanced
        set host "all"
        set method get
        set ua chrome
        config header-group
            edit 1
                set header-name "Header_Test"
                set header "Q[A-B]"
            next
        end
    next
end

Advanced (destination)

In this address type, a user can create an address based on URL pattern and URL category parameters. Once created,
the address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests
that match the selected address.
This example creates an address that matches URLs whose path matches /about and whose FortiGuard category is
Education. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create an advanced (destination) address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Set the following:
• Category to Proxy Address,
• Name to Advanced-dst,
• Type to Advanced (Destination),
• Host to all,
• URL Path Regex to /about, and
• URL Category to Education.

4. Click OK.

To create an advanced (destination) address in the CLI:

config firewall proxy-address
    edit "Advanced-dst"
        set type dst-advanced
        set host "all"
        set path "/about"
        set category 30
    next
end

Category 30 is the FortiGuard ID of the Education category.

Proxy policy security profiles

Web proxy policies support most security profile types.

Security profiles must be created before they can be used in a policy, see Security Profiles on
page 829 for information.

Explicit web proxy policy

The security profiles supported by explicit web proxy policies are:

• AntiVirus
• Web Filter
• Application Control
• IPS
• DLP Sensor
• ICAP
• Web Application Firewall
• SSL Inspection


To configure security profiles on an explicit web proxy policy in the GUI:

1. Go to Policy & Objects > Proxy Policy.


2. Click Create New.
3. Set the following:

Proxy Type: Explicit Web
Outgoing Interface: port1
Source: all
Destination: all
Schedule: always
Service: webproxy
Action: ACCEPT

4. In the Firewall / Network Options section, set Protocol Options to default.


5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been
created):

AntiVirus: av
Web Filter: urlfilter
Application Control: app
IPS: sensor-1
DLP Sensor: dlp
ICAP: default
Web Application Firewall: default
SSL Inspection: deep-inspection

6. Click OK to create the policy.

To configure security profiles on an explicit web proxy policy in the CLI:

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

Transparent proxy

The security profiles supported by transparent proxy policies are:

• AntiVirus
• Web Filter
• Application Control
• IPS
• DLP Sensor
• ICAP
• Web Application Firewall
• SSL Inspection

To configure security profiles on a transparent proxy policy in the GUI:

1. Go to Policy & Objects > Proxy Policy.


2. Click Create New.
3. Set the following:

Proxy Type: Transparent Web
Incoming Interface: port2
Outgoing Interface: port1
Source: all
Destination: all
Schedule: always
Service: webproxy
Action: ACCEPT

4. In the Firewall / Network Options section, set Protocol Options to default.


5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been
created):

AntiVirus: av
Web Filter: urlfilter
Application Control: app
IPS: sensor-1
DLP Sensor: dlp
ICAP: default
Web Application Firewall: default
SSL Inspection: deep-inspection

6. Click OK to create the policy.

To configure security profiles on a transparent proxy policy in the CLI:

config firewall proxy-policy
    edit 2
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

The AntiVirus, DLP, and Web Application Firewall profiles can only act on HTTPS content that the FortiGate decrypts, so this
policy uses the deep-inspection profile selected in the GUI steps; with certificate-inspection those profiles would only see
the TLS handshake.

FTP proxy

The security profiles supported by FTP proxy policies are:

• AntiVirus
• Application Control
• IPS
• DLP Sensor

To configure security profiles on an FTP proxy policy in the GUI:

1. Go to Policy & Objects > Proxy Policy.


2. Click Create New.
3. Set the following:

Proxy Type: FTP
Outgoing Interface: port1
Source: all
Destination: all
Schedule: always
Action: ACCEPT

4. In the Firewall / Network Options section, set Protocol Options to default.
5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been
created):

AntiVirus: av
Application Control: app
IPS: sensor-1
DLP Sensor: dlp

6. Click OK to create the policy.

To configure security profiles on an FTP proxy policy in the CLI:

config firewall proxy-policy
    edit 3
        set proxy ftp
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
    next
end

Explicit proxy authentication

FortiGate supports multiple authentication methods. This topic explains using an external authentication server with
Kerberos as the primary and NTLM as the fallback.

To configure Explicit Proxy with authentication:

1. Enable and configure the explicit proxy on page 211.


2. Configure the authentication server and create user groups on page 211.
3. Create an authentication scheme and rules on page 213.
4. Create an explicit proxy policy and assign a user group to the policy on page 214.
5. Verify the configuration on page 215.


Enable and configure the explicit proxy

To enable and configure explicit web proxy in the GUI:

1. Go to Network > Explicit Proxy.


2. Enable Explicit Web Proxy.
3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
4. Configure the remaining settings as needed.
5. Click Apply.

To enable and configure explicit web proxy in the CLI:

config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set http-incoming-port 8080
    set ipv6-status enable
    set unknown-http-version best-effort
end
config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-web-proxy enable
        set snmp-index 12
    next
end

The allowaccess line is reproduced from the lab device. On an interface that faces proxy clients, limit administrative
access to the protocols you need (HTTPS and SSH); HTTP and telnet carry administrator credentials in cleartext. Likewise,
enable ftp-over-http and socks only if clients need them, since each is an additional service listening on the proxy port.

Configure the authentication server and create user groups

Since we are using an external authentication server with Kerberos authentication as the primary and NTLM as the
fallback, Kerberos authentication is configured first and then FSSO NTLM authentication is configured.
For successful authorization, the FortiGate checks whether the user belongs to one of the groups that is permitted in the
security policy.

To configure an authentication server and create user groups in the GUI:

1. Configure Kerberos authentication:


a. Go to User & Authentication > LDAP Servers.
b. Click Create New.
c. Set the following:

Name: ldap-kerberos
Server IP: 172.18.62.220
Server Port: 389
Common Name Identifier: cn
Distinguished Name: dc=fortinetqa,dc=local

d. Click OK.
Port 389 without Secure Connection (LDAPS or STARTTLS) sends the bind account's password and every lookup in cleartext;
enable Secure Connection where the domain controller supports it, and bind with a least-privilege account rather than a
domain administrator.
2. Define Kerberos as an authentication service. This option is only available in the CLI. For information on generating
a keytab, see Generating a keytab on a Windows server on page 216.
3. Configure FSSO NTLM authentication:
FSSO NTLM authentication is supported in a Windows AD network. FSSO can also provide NTLM authentication
service to the FortiGate unit. When a user makes a request that requires authentication, the FortiGate initiates
NTLM negotiation with the client browser, but does not process the NTLM packets itself. Instead, it forwards all the
NTLM packets to the FSSO service for processing.
a. Go to Security Fabric > External Connectors.
b. Click Create New and select FSSO Agent on Windows AD from the Endpoint/Identity category.
c. Set the Name to FSSO, Primary FSSO Agent to 172.18.62.220 (the same server as in the CLI example below), and enter
a password.
d. Click OK.
4. Create a user group for Kerberos authentication:
a. Go to User & Authentication > User Groups.
b. Click Create New.
c. Set the Name to Ldap-Group, and Type to Firewall.
d. In the Remote Groups table, click Add, and set the Remote Server to the previously created ldap-kerberos
server.
e. Click OK.
5. Create a user group for NTLM authentication:
a. Go to User & Authentication > User Groups.
b. Click Create New.
c. Set the Name to NTLM-FSSO-Group, Type to Fortinet Single Sign-On (FSSO), and add FORTINETQA/FSSO
as a member.
d. Click OK.

To configure an authentication server and create user groups in the CLI:

1. Configure Kerberos authentication:

config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.220"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end

2. Define Kerberos as an authentication service:


config user krb-keytab
    edit "http_service"
        set pac-data disable
        set principal "HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL"
        set ldap-server "ldap-kerberos"
        set keytab "BQIAAABFAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEAAE
ACKLCMonpitnVAAAARQACABBGT1JUSU5FVFFBLkxPQ0FMAARIVFRQABRGR1QuRk9SVElORVRRQS5MT0NBTAAAAAE
AAAAABAADAAiiwjKJ6YrZ1QAAAE0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkdULkZPUlRJTkVUUUEuTE9
DQUwAAAABAAAAAAQAFwAQUHo9uqR9cSkzyxdzKCEXdwAAAF0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkd
ULkZPUlRJTkVUUUEuTE9DQUwAAAABAAAAAAQAEgAgzee854Aq1HhQiKJZvV4tL2Poy7hMIARQpK8MCB//BIAAAAB
NAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEABEAEG49vHE
iiBghr63Z/lnwYrU="
    next
end

The keytab value is a single base64 string; it is wrapped here only for display. The principal must match the one given to
ktpass (the principal encoded in this keytab is HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL).

For information on generating a keytab, see Generating a keytab on a Windows server on page 216.
3. Configure FSSO NTLM authentication:
config user fsso
    edit "1"
        set server "172.18.62.220"
        set password *********
    next
end

4. Create a user group for Kerberos authentication:


config user group
    edit "Ldap-Group"
        set member "ldap-kerberos"
    next
end

5. Create a user group for NTLM authentication:


config user group
    edit "NTLM-FSSO-Group"
        set group-type fsso-service
        set member "FORTINETQA/FSSO"
    next
end

Create an authentication scheme and rules

Explicit proxy authentication is managed by authentication schemes and rules. An authentication scheme must be
created first, and then the authentication rule.


To create an authentication scheme and rules in the GUI:

1. Create an authentication scheme:


a. Go to Policy & Objects > Authentication Rules.
b. Click Create New > Authentication Schemes.
c. Set the Name to Auth-scheme-Negotiate and select Negotiate as the Method.
d. Click OK.
2. Create an authentication rule:
a. Go to Policy & Objects > Authentication Rules.
b. Click Create New > Authentication Rules.
c. Set the Name to Auth-Rule, Source Address to all, and Protocol to HTTP.
d. Enable Authentication Scheme, and select the just created Auth-scheme-Negotiate scheme.
e. Click OK.

To create an authentication scheme and rules in the CLI:

1. Create an authentication scheme:


config authentication scheme
    edit "Auth-scheme-Negotiate"
        set method negotiate   <---- accepts Kerberos, with NTLM as the fallback
    next
end

2. Create an authentication rule:


config authentication rule
    edit "Auth-Rule"
        set status enable
        set protocol http
        set srcaddr "all"
        set ip-based enable
        set active-auth-method "Auth-scheme-Negotiate"
        set comments "Testing"
    next
end

Create an explicit proxy policy and assign a user group to the policy

To create an explicit proxy policy and assign a user group to it in the GUI:

1. Go to Policy & Objects > Proxy Policy.


2. Click Create New.
3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
4. Set Source to all, and the just created user groups NTLM-FSSO-Group and Ldap-Group.
5. Also set Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
6. Click OK.


To create an explicit proxy policy and assign a user group to it in the CLI:

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "NTLM-FSSO-Group" "Ldap-Group"
        set av-profile "av"
        set ssl-ssh-profile "deep-custom"
    next
end

Verify the configuration

Log in from a domain-joined system that authenticates against the Kerberos server, then enter the diagnose wad user
list CLI command to verify:
# diagnose wad user list
ID: 8, IP: 10.1.100.71, VDOM: vdom1
user name : [email protected]
duration : 389
auth_type : IP
auth_method : Negotiate
pol_id : 1
g_id : 1
user_based : 0
expire : no
LAN:
bytes_in=4862 bytes_out=11893
WAN:
bytes_in=7844 bytes_out=1023

Log in using a system that is not part of the domain. The NTLM fallback server should be used:
# diagnose wad user list
ID: 2, IP: 10.1.100.202, VDOM: vdom1
user name : TEST31@FORTINETQA
duration : 7
auth_type : IP
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : no
LAN:
bytes_in=6156 bytes_out=16149
WAN:
bytes_in=7618 bytes_out=1917


Generating a keytab on a Windows server

A keytab is used to allow services that are not running Windows to be configured with service instance accounts in the
Active Directory Domain Service (AD DS). This allows Kerberos clients to authenticate to the service through Windows
Key Distribution Centers (KDCs).
For an explanation of the process, see https://docs.microsoft.com/en-us/windows-server/administration/windows-
commands/ktpass.

To generate a keytab on a Windows server:

1. On the server, create a user for the FortiGate:
   • The service name is the FQDN of the explicit proxy interface, that is, the hostname that clients use in their browser
     proxy configuration. In this example, the service name is FGT.
   • The account only requires Domain Users membership.
   • The password must be very strong.
   • The password is set to never expire.
2. Add the FortiGate FQDN to the Windows DNS domain, as well as to the in-addr.arpa reverse zone.
3. Generate the Kerberos keytab using the ktpass command, which is available on Windows servers and many domain
   workstations:
   ktpass -princ HTTP/<domain name of test fgt>@realm -mapuser <user> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

   For example:
   ktpass -princ HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL -mapuser FGT -pass *********** -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

   ktpass derives the keys written to the keytab from the password given with -pass, so that password must be the account's
   password in AD. -crypto all writes one key per encryption type Windows supports (DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC,
   AES256-SHA1 and AES128-SHA1) into the keytab. If the FortiGate is handling multiple keytabs in Kerberos authentication,
   use different passwords when generating each keytab.
4. Encode the keytab to base64 in a text file:
   • On Windows: certutil -encode fgt.keytab tmp.b64 && findstr /v /c:- tmp.b64 > fgt.txt
   • On Linux: base64 -w 0 fgt.keytab > fgt.txt (GNU base64 wraps its output at 76 columns unless -w 0 is given)
   • On macOS: base64 -i fgt.keytab -o fgt.txt
   The keytab parameter on the FortiGate is one string, so join the lines if your tool wrapped them.
5. Use the code in fgt.txt as the keytab parameter when configuring the FortiGate. The keytab holds the service account's
   long-term keys, so treat fgt.keytab, fgt.txt, and any FortiGate configuration backup that contains the keytab as secrets.
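The keytab pasted into set keytab in the config user krb-keytab example, and produced by the ktpass and base64 steps here, is an opaque blob until it is decoded. The following Python script is an added example, not part of this guide and not FortiOS code, that parses the keytab file format and reports the principal, key version number and encryption types it contains, so the base64 can be checked before it goes into the FortiGate configuration. It is run against the keytab shown in this guide's config user krb-keytab example with its wrapped lines joined; the encryption type names and the set of weak types are the standard Kerberos assignments, not FortiOS settings, and the script handles keytab format version 0x0502 only, which is what ktpass writes and what the page's keytab starts with.

```python
from __future__ import annotations

import base64
import struct

# Keytab from the `config user krb-keytab` example on this page, with the
# wrapped lines joined back into the single string that `set keytab` takes.
FORTIGATE_KEYTAB_B64 = (
    "BQIAAABFAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEAAE"
    "ACKLCMonpitnVAAAARQACABBGT1JUSU5FVFFBLkxPQ0FMAARIVFRQABRGR1QuRk9SVElORVRRQS5MT0NBTAAAAAE"
    "AAAAABAADAAiiwjKJ6YrZ1QAAAE0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkdULkZPUlRJTkVUUUEuTE9"
    "DQUwAAAABAAAAAAQAFwAQUHo9uqR9cSkzyxdzKCEXdwAAAF0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkd"
    "ULkZPUlRJTkVUUUEuTE9DQUwAAAABAAAAAAQAEgAgzee854Aq1HhQiKJZvV4tL2Poy7hMIARQpK8MCB//BIAAAAB"
    "NAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEABEAEG49vHE"
    "iiBghr63Z/lnwYrU="
)

# IANA Kerberos encryption type numbers for the types `ktpass -crypto all` emits.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4 are deprecated


def _counted_octet_string(buf: bytes, pos: int) -> tuple[str, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data: bytes) -> list[dict]:
    """Parse a keytab file (format version 0x0502) into one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)  # signed: negative = deleted slot
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_octet_string(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _counted_octet_string(data, pos)
            components.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + key_len]
        pos += key_len
        vno = vno8
        if end - pos >= 4:  # optional 32-bit key version number at the end of the entry
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(components) + "@" + realm,
            "name_type": name_type,          # 1 = KRB5_NT_PRINCIPAL, as given to ktpass -ptype
            "timestamp": timestamp,
            "kvno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "key_hex": key.hex(),
        })
    return entries


def parse_keytab_b64(b64: str) -> list[dict]:
    """Parse a keytab given as the base64 string pasted into `set keytab`."""
    return parse_keytab(base64.b64decode(b64))


def summarize_keytab(b64: str) -> dict:
    """What a FortiGate administrator wants to know before pasting the blob."""
    entries = parse_keytab_b64(b64)
    return {
        "entries": len(entries),
        "principals": sorted({e["principal"] for e in entries}),
        "kvnos": sorted({e["kvno"] for e in entries}),
        "enctypes": [e["enctype"] for e in entries],
        "weak_enctypes": sorted({e["enctype"] for e in entries if e["enctype"] in WEAK_ENCTYPES}),
    }


if __name__ == "__main__":
    for entry in parse_keytab_b64(FORTIGATE_KEYTAB_B64):
        print(entry["principal"], "kvno", entry["kvno"], entry["enctype_name"])
    print(summarize_keytab(FORTIGATE_KEYTAB_B64))
```

For the keytab on this page the script reports five entries for HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL, all with kvno 4 and encryption types 1, 3, 23, 18 and 17, which is exactly the set -crypto all produces. The three weak entries (single DES and RC4) exist only because of -crypto all; where the clients and the KDC support AES, regenerating with -crypto AES256-SHA1 leaves only the AES key in the blob. A principal or kvno that does not match what is in Active Directory is the usual reason Kerberos authentication fails silently and falls back to NTLM.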

Transparent web proxy forwarding

In FortiOS, there is an option to enable proxy forwarding for transparent web proxy policies and regular firewall policies
for HTTP and HTTPS.
In previous versions of FortiOS, you could forward proxy traffic to another proxy server (proxy chaining) with explicit
proxy. Now, you can forward web traffic to the upstream proxy without having to reconfigure your browsers or publish a
proxy auto-reconfiguration (PAC) file.
Once configured, the FortiGate forwards traffic generated by a client to the upstream proxy. The upstream proxy then
forwards it to the server.


To configure proxy forwarding:

1. Configure the web proxy forwarding server:


config web-proxy forward-server
    edit "upStream_proxy_1"
        set ip 172.16.200.20
        set healthcheck enable
        set monitor "http://www.google.ca"
    next
end

2. Append the web proxy forwarding server to a firewall policy:


config firewall policy
    edit 1
        set name "LAN To WAN"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webproxy-forward-server "upStream_proxy_1"
        set fsso disable
        set av-profile "av"
        set ssl-ssh-profile "deep-custom"
        set nat enable
    next
end

Selectively forward web requests to a transparent web proxy

Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate's transparent web proxy to an upstream
web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address, which can
be based on a FortiGuard URL category.

The FortiGuard web filter service must be enabled on the downstream FortiGate.


Topology

Forwarding behavior

The forward server is ignored whenever proxy policy matching for a session requires the FortiGate to read
authentication information inside the plaintext HTTP message. For example, assume that user authentication is required,
a forward server is configured in the transparent web proxy policy, and the authentication method is an active method
(such as basic). When the client sends the HTTP request over SSL with authentication information to the FortiGate, that
request cannot be forwarded to the upstream proxy. Instead, it is forwarded directly to the original web server (assuming
deep inspection and http-policy-redirect are enabled in the firewall policy).
The FortiGate closes the session before the client request can be forwarded if all of the following conditions are met:
• Certificate inspection is configured in the firewall policy that has the http-policy-redirect option enabled.
• No previously authenticated IP-based user record for the client exists in the FortiGate's memory during the SSL
  handshake.
• Proxy policy matching requires the FortiGate to see the authentication information in the HTTP request.
This means that to enable user authentication and use webproxy-forward-server in the transparent web proxy policy
at the same time, follow these best practices:
• In the firewall policy that has the http-policy-redirect option enabled, set ssl-ssh-profile to the
  deep-inspection profile.
• Use IP-based authentication rules; otherwise, the webproxy-forward-server setting in the transparent web proxy
  policy is ignored.
• Use a passive authentication method such as FSSO. With FSSO, once the user is authenticated as a domain user by a
  successful login, web traffic from the user's client is always forwarded to the upstream proxy as long as the
  authenticated user record has not expired. If the authentication method is an active method (such as basic, digest,
  NTLM, negotiate, or form), the first session containing authentication information bypasses the forward server, but
  the following sessions are connected through the upstream proxy.
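The rules above are easier to check as a decision function. The following Python is an added example, not FortiOS code, that encodes the documented outcome for one client session and then replays a short sequence of sessions from one client IP so that the "first session bypasses, later sessions are forwarded" behaviour is visible. The function and parameter names are mine; it assumes, as the sample configuration in this section does, that the firewall policy has http-policy-redirect enabled and that ssl_profile is that policy's ssl-ssh-profile.

```python
PASSIVE_AUTH = {"none", "fsso"}  # no credentials travel inside the HTTP request
ACTIVE_AUTH = {"basic", "digest", "ntlm", "negotiate", "form"}


def forward_server_outcome(ssl_profile, auth_method, ip_based, user_cached, https):
    """Where one client session goes when the transparent web proxy policy has a
    webproxy-forward-server, following the rules documented above.

    ssl_profile: "deep-inspection" or "certificate-inspection" on the firewall policy
                 that has http-policy-redirect enabled (assumed enabled).
    auth_method: a passive method ("none", "fsso") or an active one ("basic", ...).
    ip_based:    the authentication rule uses `set ip-based enable`.
    user_cached: an authenticated IP-based user record already exists for this client.
    https:       the request is carried over TLS.

    Returns "upstream" (sent to the forward server), "direct" (forward server
    ignored, sent to the origin server) or "closed" (session dropped).
    """
    if auth_method in PASSIVE_AUTH:
        return "upstream"  # the FortiGate never needs to read credentials from the request
    if auth_method not in ACTIVE_AUTH:
        raise ValueError(f"unknown auth method {auth_method!r}")
    if not ip_based:
        return "direct"  # session-based active auth: the forward server is ignored
    if user_cached:
        return "upstream"  # the user record satisfies the proxy policy match
    # First session from this IP: the proxy policy match needs the credentials in the request.
    if https and ssl_profile == "certificate-inspection":
        return "closed"  # cannot read inside TLS and no user record: session closed
    return "direct"  # deep inspection, or plain HTTP: bypass the forward server once


def simulate_client(ssl_profile, auth_method, ip_based, requests, https=True):
    """Outcomes of a sequence of sessions from one client IP. The IP-based user
    record appears after the first session whose credentials the FortiGate accepted."""
    outcomes, user_cached = [], False
    for _ in range(requests):
        outcome = forward_server_outcome(ssl_profile, auth_method, ip_based, user_cached, https)
        outcomes.append(outcome)
        if outcome != "closed" and ip_based and auth_method in ACTIVE_AUTH:
            user_cached = True
    return outcomes


if __name__ == "__main__":
    for profile in ("deep-inspection", "certificate-inspection"):
        for method in ("fsso", "basic"):
            print(profile, method, simulate_client(profile, method, True, 3))
```

Replaying three HTTPS sessions with basic authentication and deep-inspection gives direct, upstream, upstream; with certificate-inspection every session is closed, because the client never gets far enough to create the user record. That is the failure mode the first best practice above is meant to prevent.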


Sample configuration

On the downstream FortiGate proxy, there are two category proxy addresses used in two separate transparent web
proxy policies as the destination address:
• In the policy with upStream_proxy_1 as the forward server, the proxy address category_infotech is used to
  match URLs in the information technology category.
• In the policy with upStream_proxy_2 as the forward server, the proxy address category_social is used to
  match URLs in the social media category.

To configure forwarding requests to transparent web proxies:

1. Configure the proxy forward servers:


config web-proxy forward-server
    edit "upStream_proxy_1"
        set ip 172.16.200.20
    next
    edit "upStream_proxy_2"
        set ip 172.16.200.46
    next
end

2. Configure the web proxy addresses:


config firewall proxy-address
    edit "category_infotech"
        set type category
        set host "all"
        set category 52
    next
    edit "category_social"
        set type category
        set host "all"
        set category 37
    next
end

3. Configure the firewall policy:


config firewall policy
    edit 1
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "av"
        set nat enable
    next
end


4. Configure the proxy policies:


config firewall proxy-policy
    edit 1
        set proxy transparent-web
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "category_infotech"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set webproxy-forward-server "upStream_proxy_1"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "av"
    next
    edit 2
        set proxy transparent-web
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "category_social"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set webproxy-forward-server "upStream_proxy_2"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "av"
    next
end

Upstream proxy authentication in transparent proxy mode

A downstream proxy FortiGate that must authenticate to the upstream web proxy can use the basic authentication
method: it sends its username and password, base64-encoded in a Proxy-Authorization header, to the upstream web proxy.
If the authentication succeeds, web traffic forwarded from the downstream proxy FortiGate to the upstream proxy is
accepted and forwarded to its destinations. Base64 is an encoding, not encryption; anyone who can observe the link
between the two proxies can recover the credentials, so give the account only the access the upstream proxy requires
and keep that link on a trusted network.
In this example, a school has a FortiGate acting as a downstream proxy that is configured with firewall policies for each
user group (students and staff). In each policy, a forwarding server is configured to forward the web traffic to the
upstream web proxy.
The username and password that the upstream web proxy uses to authenticate the downstream proxy are configured on
the forwarding server, and are sent to the upstream web proxy with the forwarded HTTP requests.

Upstream proxy               Username   Password
student.proxy.local:8080     student    ABC123
staff.proxy.local:8081       staff      123456


On the downstream FortiGate, configure forwarding servers with the usernames and passwords for authentication on
the upstream web proxy, then apply those servers to firewall policies for transparent proxy. For explicit web proxy, the
forwarding servers can be applied to proxy policies.
When the transparent proxy is configured, clients can access websites without configuring a web proxy in their browser.
The downstream proxy sends the username and password to the upstream proxy with forwarded HTTP requests to be
authenticated.

To configure the forwarding server on the downstream FortiGate:

config web-proxy forward-server
    edit "Student_Upstream_WebProxy"
        set addr-type fqdn
        set fqdn "student.proxy.local"
        set port 8080
        set username "student"
        set password ABC123
    next
    edit "Staff_Upstream_WebProxy"
        set addr-type fqdn
        set fqdn "staff.proxy.local"
        set port 8081
        set username "staff"
        set password 123456
    next
end

To configure firewall policies for transparent proxy:

config firewall policy
    edit 1
        set srcintf "Vlan_Student"
        set dstintf "port9"
        set srcaddr "Student_Subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set av-profile "av"
        set webproxy-forward-server "Student_Upstream_WebProxy"
        set nat enable
    next
    edit 2
        set srcintf "Vlan_Staff"
        set dstintf "port9"
        set srcaddr "Staff_Subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set av-profile "av"
        set webproxy-forward-server "Staff_Upstream_WebProxy"
        set nat enable
    next
end

Multiple dynamic header count

Multiple dynamic headers are supported for web proxy profiles, as well as Base64 encoding and the append/new
options.
Administrators only have to select the dynamic header in the profile. The FortiGate will automatically display the
corresponding static value. For example, if the administrator selects the $client-ip header, the FortiGate will display
the actual client IP address.
The supported headers are:

$client-ip    Client IP address
$user         Authentication user name
$domain       User domain name
$local_grp    Firewall group name
$remote_grp   Group name from authentication server
$proxy_name   Proxy realm name

To configure dynamic headers using the CLI:

Since authentication is required, FSSO NTLM authentication is configured in this example.


1. Configure LDAP:
config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.220"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end

2. Configure FSSO:
config user fsso
    edit "1"
        set server "172.18.62.220"
        set password *********
    next
end

3. Configure a user group:
config user group
    edit "NTLM-FSSO"
        set group-type fsso-service
        set member "FORTINETQA/FSSO"
    next
end

4. Configure an authentication scheme:


config authentication scheme
    edit "au-sch-ntlm"
        set method ntlm
    next
end

5. Configure an authentication rule:


config authentication rule
    edit "au-rule-fsso"
        set srcaddr "all"
        set active-auth-method "au-sch-ntlm"
    next
end

6. Create a web proxy profile that adds a new dynamic and custom Via header:
config web-proxy profile
    edit "test"
        set log-header-change enable
        config headers
            edit 1
                set name "client-ip"
                set content "$client-ip"
            next
            edit 2
                set name "Proxy-Name"
                set content "$proxy_name"
            next
            edit 3
                set name "user"
                set content "$user"
            next
            edit 4
                set name "domain"
                set content "$domain"
            next
            edit 5
                set name "local_grp"
                set content "$local_grp"
            next
            edit 6
                set name "remote_grp"
                set content "$remote_grp"
            next
            edit 7
                set name "Via"
                set content "Fortigate-Proxy"
            next
        end
    next
end

7. In the proxy policy, append the web proxy profile created in the previous step:
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "NTLM-FSSO"
        set webproxy-profile "test"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "content"
        set ssl-ssh-profile "deep-custom"
    next
end

8. Once traffic is being generated from the client, look at the web filter logs to verify that it is working.
The corresponding values for all the added header fields are shown at Log & Report > Web Filter, in the Change
headers section at the bottom of the Log Details pane.
1: date=2019-02-07 time=13:57:24 logid="0344013632" type="utm" subtype="webfilter" eventtype="http_header_change" level="notice" vd="vdom1" eventtime=1549576642 policyid=1 transid=50331689 sessionid=1712788383 user="TEST21@FORTINETQA" group="NTLM-FSSO" profile="test" srcip=10.1.100.116 srcport=53278 dstip=172.16.200.46 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" url="http://172.16.200.46/" agent="curl/7.22.0" chgheaders="Added=client-ip: 10.1.100.116|Proxy-Name: 1.1 100D.qa|user: TEST21|domain: FORTINETQA|local_grp: NTLM-FSSO|remote_grp: FORTINETQA/FSSO|Via: Fortigate-Proxy"
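To check the header insertion from the log rather than by eye, the following Python is an added example, not FortiOS code, that parses a FortiOS key=value log line like the one above into fields, splits the chgheaders value into the individual headers, and reports any expected header that was not added. The sample line is reconstructed from the entry above; the reading of chgheaders as Action=Name: value segments separated by | is taken from that single entry and is an assumption for any other action or version.

```python
import re

# One http_header_change line, reconstructed from the log entry shown above.
SAMPLE_LOG = (
    'date=2019-02-07 time=13:57:24 logid="0344013632" type="utm" subtype="webfilter" '
    'eventtype="http_header_change" level="notice" vd="vdom1" eventtime=1549576642 policyid=1 '
    'transid=50331689 sessionid=1712788383 user="TEST21@FORTINETQA" group="NTLM-FSSO" '
    'profile="test" srcip=10.1.100.116 srcport=53278 dstip=172.16.200.46 dstport=80 '
    'srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 '
    'service="HTTP" url="http://172.16.200.46/" agent="curl/7.22.0" '
    'chgheaders="Added=client-ip: 10.1.100.116|Proxy-Name: 1.1 100D.qa|user: TEST21|'
    'domain: FORTINETQA|local_grp: NTLM-FSSO|remote_grp: FORTINETQA/FSSO|Via: Fortigate-Proxy"'
)

# key=value pairs; quoted values may contain spaces, '=' and '|', so the quoted
# alternative is tried first and consumed as a whole.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# A segment of chgheaders that starts a new action, e.g. "Added=client-ip: 10.1.100.116".
_ACTION = re.compile(r"^([A-Za-z]+)=(.*)$")


def parse_fortios_log(line: str) -> dict:
    """Split a FortiOS log line into a dict of field name -> unquoted value."""
    line = re.sub(r"^\s*\d+:\s*", "", line)  # drop the "1: " index from `execute log display`
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def parse_chgheaders(value: str) -> dict:
    """'Added=a: 1|b: 2' -> {'Added': {'a': '1', 'b': '2'}}."""
    changes, action = {}, "Unknown"
    for segment in value.split("|"):
        m = _ACTION.match(segment)
        if m:  # header names cannot contain '=', so this prefix is the action
            action, segment = m.group(1), m.group(2)
        name, _, header_value = segment.partition(":")
        changes.setdefault(action, {})[name.strip()] = header_value.strip()
    return changes


def added_headers(line: str) -> dict:
    """Headers the FortiGate reports as added for this request."""
    fields = parse_fortios_log(line)
    if fields.get("eventtype") != "http_header_change":
        return {}
    return parse_chgheaders(fields.get("chgheaders", "")).get("Added", {})


def verify_header_changes(line: str, expected_names) -> list:
    """Names from expected_names that do not appear among the added headers."""
    added = added_headers(line)
    return [name for name in expected_names if name not in added]


if __name__ == "__main__":
    record = parse_fortios_log("1: " + SAMPLE_LOG)
    print(record["user"], record["srcip"], "->", record["url"])
    for name, value in added_headers(SAMPLE_LOG).items():
        print(f"  {name}: {value}")
    print("missing:", verify_header_changes(SAMPLE_LOG, ["client-ip", "Via", "X-Missing"]))
```

The same parser can be run over an exported log file to confirm, per request, that the $client-ip value matches srcip and that the $user, $domain and group values are the ones the policy was expected to insert; a request with an empty user header is one that matched the policy without authenticating.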

Restricted SaaS access

With the web proxy profile, you can specify access permissions for Microsoft Office 365, Google G Suite, and Dropbox.
You can insert vendor-defined headers that restrict access to the specific accounts. You can also insert custom headers
for any destination.
You can configure the web proxy profile with the required headers for the specific destinations, and then directly apply it
to a policy to control the header's insertion.

To implement Office 365 tenant restriction, G Suite account access control, and Dropbox network
access control:

1. Configure a web proxy profile according to the vendors' specifications:


a. Define the traffic destination (service provider).
b. Define the header name, defined by the service provider.


c. Define the value that will be inserted into the traffic, defined by your settings.
2. Apply the web proxy profile to a policy.

The following example creates a web proxy profile for Office 365, G Suite, and Dropbox access control.

Due to vendors' changing requirements, this example may no longer comply with the vendors'
official guidelines.

To create a web proxy profile for access control using the CLI:

1. Configure the web proxy profile:


config web-proxy profile
    edit "SaaS-Tenant-Restriction"
        set header-client-ip pass
        set header-via-request pass
        set header-via-response pass
        set header-x-forwarded-for pass
        set header-front-end-https pass
        set header-x-authenticated-user pass
        set header-x-authenticated-groups pass
        set strip-encoding disable
        set log-header-change disable
        config headers
            edit 1
                set name "Restrict-Access-To-Tenants"   <---- header name defined by the Office 365 spec; enter it EXACTLY as shown
                set dstaddr "Microsoft Office 365"      <---- built-in destination address for Office 365
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"   <---- your tenant restriction list
            next
            edit 2
                set name "Restrict-Access-Context"      <---- header name defined by the Office 365 spec; enter it EXACTLY as shown
                set dstaddr "Microsoft Office 365"      <---- built-in destination address for Office 365
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content "456ff232-35l2-5h23-b3b3-3236w0826f3d"   <---- your directory ID, found in the Azure portal
            next
            edit 3
                set name "X-GooGApps-Allowed-Domains"   <---- header name defined by Google G Suite
                set dstaddr "G Suite"                   <---- built-in G Suite destination address
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content "abcd.com"                  <---- the domain restriction set when you created the G Suite account
            next
            edit 4
                set name "X-Dropbox-allowed-Team-Ids"   <---- header name defined by Dropbox
                set dstaddr "wildcard.dropbox.com"      <---- built-in destination address for Dropbox
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content "dbmid:FDFSVF-DFSDF"        <---- your team ID in Dropbox
            next
        end
    next
end

These headers are only inserted into traffic the FortiGate can modify, so the policy that applies the profile must use a
deep-inspection SSL profile; under certificate inspection the HTTPS requests to these services pass through unchanged and
the restriction is silently not enforced.

2. Apply the web proxy profile to a firewall policy:

config firewall policy
    edit 1
        set name "WF"
        set srcintf "port10" "wifi"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set webproxy-profile "SaaS-Tenant-Restriction"
        set utm-status enable
        set utm-inspection-mode proxy
        set logtraffic all
        set webfilter-profile "blocktest2"
        set application-list "g-default"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end
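The header-insertion logic that the profile above configures, modelled as an added example (this is not FortiOS code and not part of the guide). The FortiOS destination address objects ("Microsoft Office 365", "G Suite", "wildcard.dropbox.com") are stood in for by constructed hostname globs, and the meaning given to the add-option values is a simplified reading of their names rather than the FortiGate implementation. The second function is the check a practitioner runs on a request captured at a test web server to confirm the restriction headers actually arrived with the configured values:

```python
"""Model of web-proxy header insertion for SaaS tenant restriction.

Added example, not FortiOS code. The destination-address objects are
stood in for by constructed hostname globs; the add-option semantics
are a simplified reading of the option names, not the FortiGate code.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Tuple

Header = Tuple[str, str]


@dataclass(frozen=True)
class HeaderRule:
    name: str                        # header name, exactly as the vendor specifies it
    dst_patterns: Tuple[str, ...]    # constructed stand-in for the dstaddr object
    content: str                     # value inserted into the request
    protocols: Tuple[str, ...] = ("http", "https")
    add_option: str = "new"          # "new" | "new-on-not-found" | "append" (assumed meanings)


def _matches(rule: HeaderRule, scheme: str, host: str) -> bool:
    host = host.lower()
    return scheme in rule.protocols and any(fnmatch(host, p) for p in rule.dst_patterns)


def apply_header_rules(scheme: str, host: str, headers: List[Header],
                       rules: List[HeaderRule]) -> List[Header]:
    """Return the request headers after every matching add-to-request rule has run."""
    out = list(headers)
    for rule in rules:
        if not _matches(rule, scheme, host):
            continue
        idx = [i for i, (n, _) in enumerate(out) if n.lower() == rule.name.lower()]
        if rule.add_option == "new":
            out.append((rule.name, rule.content))          # always add a fresh header line
        elif rule.add_option == "new-on-not-found":
            if not idx:
                out.append((rule.name, rule.content))      # only when the client sent none
        elif rule.add_option == "append":
            if idx:
                n, v = out[idx[0]]
                out[idx[0]] = (n, f"{v},{rule.content}")   # extend the existing value
            else:
                out.append((rule.name, rule.content))
        else:
            raise ValueError(f"unknown add-option {rule.add_option!r}")
    return out


def missing_restriction_headers(headers: List[Header], required: Dict[str, str]) -> List[str]:
    """For a request captured server-side: required headers that are absent or carry
    a value other than the configured one (header names compared case-insensitively)."""
    seen = {n.lower(): v for n, v in headers}
    return [n for n, v in required.items() if seen.get(n.lower()) != v]


# Rules mirroring the four header entries in the profile above (globs are constructed).
O365 = ("*.office365.com", "*.office.com", "*.microsoftonline.com")
TENANT_RULES = [
    HeaderRule("Restrict-Access-To-Tenants", O365, "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"),
    HeaderRule("Restrict-Access-Context", O365, "456ff232-35l2-5h23-b3b3-3236w0826f3d"),
    HeaderRule("X-GooGApps-Allowed-Domains", ("*.google.com",), "abcd.com"),
    HeaderRule("X-Dropbox-allowed-Team-Ids", ("*.dropbox.com",), "dbmid:FDFSVF-DFSDF"),
]

if __name__ == "__main__":
    req = [("Host", "outlook.office365.com"), ("User-Agent", "example-client")]
    for name, value in apply_header_rules("https", "outlook.office365.com", req, TENANT_RULES):
        print(f"{name}: {value}")
```

Because the rules key on the destination, a request to an unrelated host passes through untouched, which is the property to verify first when a tenant-restriction header unexpectedly shows up on other traffic.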

References

- Office 365: Use tenant restrictions to manage access to SaaS cloud applications
- G Suite: Block access to consumer accounts
- Dropbox: Network control

Explicit proxy and FortiSandbox Cloud

Explicit proxy connections can leverage FortiSandbox Cloud for advanced threat scanning and updates. This allows
FortiGates behind isolated networks to connect to FortiCloud services.

To configure FortiGuard services to communicate with an explicit proxy server:

config system fortiguard
    set proxy-server-ip 172.16.200.44
    set proxy-server-port 3128
    set proxy-username "test1"
    set proxy-password *********
end

To verify the explicit proxy connection to FortiSandbox Cloud:

# diagnose debug application forticldd -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
[2942] fds_handle_request: Received cmd 23 from pid-2526, len 0
[40] fds_queue_task: req-23 is added to Cloud-sandbox-controller
[178] fds_svr_default_task_xmit: try to get IPs for Cloud-sandbox-controller
[239] fds_resolv_addr: resolve aptctrl1.fortinet.com
[169] fds_get_addr: name=aptctrl1.fortinet.com, id=32, cb=0x2bc089
[101] dns_parse_resp: DNS aptctrl1.fortinet.com -> 172.16.102.21
[227] fds_resolv_cb: IP-1: 172.16.102.21
[665] fds_ctx_set_addr: server: 172.16.102.21:443
[129] fds_svr_default_pickup_server: Cloud-sandbox-controller: 172.16.102.21:443
[587] fds_https_start_server: server: 172.16.102.21:443
[579] ssl_new: SSL object is created
[117] https_create: proxy server 172.16.200.44 port:3128
[519] fds_https_connect: https_connect(172.16.102.21) is established.
[261] fds_svr_default_on_established: Cloud-sandbox-controller has connected to ip=172.16.102.21
[268] fds_svr_default_on_established: server-Cloud-sandbox-controller handles cmd-23
[102] fds_pack_objects: number of objects: 1
[75] fds_print_msg: FCPC: len=109
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Command=RegionList
[81] fds_print_msg: Firmware=FG101E-FW-6.02-0917
[81] fds_print_msg: SerialNumber=FG101E4Q17002429
[81] fds_print_msg: TimeZone=-7
[75] fds_print_msg: http req: len=248
[81] fds_print_msg: POST https://172.16.102.21:443/FCPService HTTP/1.1
[81] fds_print_msg: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[81] fds_print_msg: Host: 172.16.102.21:443
[81] fds_print_msg: Cache-Control: no-cache
[81] fds_print_msg: Connection: close
[81] fds_print_msg: Content-Type: application/octet-stream
[81] fds_print_msg: Content-Length: 301
[524] fds_https_connect: http request to 172.16.102.21: header=248, ext=301.
[257] fds_https_send: sent 248 bytes: pos=0, len=248
[265] fds_https_send: 172.16.102.21: sent 248 byte header, now send 301-byte body
[257] fds_https_send: sent 301 bytes: pos=0, len=301
[273] fds_https_send: sent the entire request to server: 172.16.102.21:443
[309] fds_https_recv: read 413 bytes: pos=413, buf_len=2048
[332] fds_https_recv: received the header from server: 172.16.102.21:443, [HTTP/1.1 200
Content-Type: application/octet-stream
Content-Length: 279
Date: Thu, 20 Jun 2019 16:41:11 GMT
Connection: close]
[396] fds_https_recv: Do memmove buf_len=279, pos=279
[406] fds_https_recv: server: 172.16.102.21:443, buf_len=279, pos=279
[453] fds_https_recv: received a packet from server-172.16.102.21:443: sz=279, objs=1
[194] __ssl_data_ctx_free: Done
[839] ssl_free: Done
[830] ssl_disconnect: Shutdown
[481] fds_https_recv: obj-0: type=FCPR, len=87
[294] fds_svr_default_on_response: server-Cloud-sandbox-controller handles cmd-23
[75] fds_print_msg: fcpr:  len=83
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Response=202
[81] fds_print_msg: ResponseItem=Region:Europe,Global,Japan,US
[81] fds_print_msg: existing:Japan
[3220] aptctrl_region_res: Got rsp: Region:Europe,Global,Japan,US
[3222] aptctrl_region_res: Got rsp: Region existing:Japan
[439] fds_send_reply: Sending 28 bytes data.
[395] fds_free_tsk: cmd=23; req.noreply=1
# [136] fds_on_sys_fds_change: trace
[2942] fds_handle_request: Received cmd 22 from pid-170, len 0
[40] fds_queue_task: req-22 is added to Cloud-sandbox-controller
[587] fds_https_start_server: server: 172.16.102.21:443
[579] ssl_new: SSL object is created
[117] https_create: proxy server 172.16.200.44 port:3128
[519] fds_https_connect: https_connect(172.16.102.21) is established.
[261] fds_svr_default_on_established: Cloud-sandbox-controller has connected to ip=172.16.102.21
[268] fds_svr_default_on_established: server-Cloud-sandbox-controller handles cmd-22
[102] fds_pack_objects: number of objects: 1
[75] fds_print_msg: FCPC: len=146
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Command=UpdateAPT
[81] fds_print_msg: Firmware=FG101E-FW-6.02-0917
[81] fds_print_msg: SerialNumber=FG101E4Q17002429
[81] fds_print_msg: TimeZone=-7
[81] fds_print_msg: TimeZoneInMin=-420
[81] fds_print_msg: DataItem=Region:US
[75] fds_print_msg: http req: len=248
[81] fds_print_msg: POST https://172.16.102.21:443/FCPService HTTP/1.1
[81] fds_print_msg: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[81] fds_print_msg: Host: 172.16.102.21:443
[81] fds_print_msg: Cache-Control: no-cache
[81] fds_print_msg: Connection: close
[81] fds_print_msg: Content-Type: application/octet-stream
[81] fds_print_msg: Content-Length: 338
[524] fds_https_connect: http request to 172.16.102.21: header=248, ext=338.
[257] fds_https_send: sent 248 bytes: pos=0, len=248
[265] fds_https_send: 172.16.102.21: sent 248 byte header, now send 338-byte body
[257] fds_https_send: sent 338 bytes: pos=0, len=338
[273] fds_https_send: sent the entire request to server: 172.16.102.21:443
[309] fds_https_recv: read 456 bytes: pos=456, buf_len=2048
[332] fds_https_recv: received the header from server: 172.16.102.21:443, [HTTP/1.1 200
Content-Type: application/octet-stream
Content-Length: 322
Date: Thu, 20 Jun 2019 16:41:16 GMT
Connection: close]
[396] fds_https_recv: Do memmove buf_len=322, pos=322
[406] fds_https_recv: server: 172.16.102.21:443, buf_len=322, pos=322
[453] fds_https_recv: received a packet from server-172.16.102.21:443: sz=322, objs=1
[194] __ssl_data_ctx_free: Done
[839] ssl_free: Done
[830] ssl_disconnect: Shutdown
[481] fds_https_recv: obj-0: type=FCPR, len=130
[294] fds_svr_default_on_response: server-Cloud-sandbox-controller handles cmd-22
[75] fds_print_msg: fcpr:  len=126
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Response=202
[81] fds_print_msg: ResponseItem=Server1:172.16.102.51:514
[81] fds_print_msg: Server2:172.16.102.52:514
[81] fds_print_msg: Contract:20210215
[81] fds_print_msg: NextRequest:86400
[615] parse_apt_contract_time_str: The APTContract is valid to Mon Feb 15 23:59:59 2021
[616] parse_apt_contract_time_str: FGT current local time is Thu Jun 20 09:41:16 2019
[3289] aptctrl_update_res: Got rsp: APT=172.16.102.51:514 APTAlter=172.16.102.52:514 next-upd=86400
[395] fds_free_tsk: cmd=22; req.noreply=1
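Reading a debug trace like the one above by eye is error-prone when the proxy path is what you are trying to confirm. The following added example (not FortiOS code, not part of the guide) summarises forticldd output: which proxy the https_create line reports, which controller was reached, which FCP commands were sent and what Response each got, and the contract expiry. SAMPLE is excerpted from the output above; the summary field names and the error keywords are assumptions of this script, and 202 is simply the Response value the successful exchanges above carry:

```python
"""Summarise 'diagnose debug application forticldd' output to confirm that the
FortiSandbox Cloud controller was reached through the explicit proxy.
Added example, not FortiOS code. SAMPLE is excerpted from the debug output in
the guide; field names and the error heuristic are this script's own."""
import re
from typing import Dict, Optional, Tuple

SAMPLE = """\
[587] fds_https_start_server: server: 172.16.102.21:443
[117] https_create: proxy server 172.16.200.44 port:3128
[519] fds_https_connect: https_connect(172.16.102.21) is established.
[81] fds_print_msg: Command=RegionList
[81] fds_print_msg: Response=202
[81] fds_print_msg: ResponseItem=Region:Europe,Global,Japan,US
[117] https_create: proxy server 172.16.200.44 port:3128
[81] fds_print_msg: Command=UpdateAPT
[81] fds_print_msg: Response=202
[81] fds_print_msg: ResponseItem=Server1:172.16.102.51:514
[615] parse_apt_contract_time_str: The APTContract is valid to Mon Feb 15 23:59:59 2021
[395] fds_free_tsk: cmd=22; req.noreply=1
"""

_RE_PROXY = re.compile(r"https_create: proxy server (\S+) port:(\d+)")
_RE_SERVER = re.compile(r"fds_https_start_server: server: (\S+):(\d+)")
_RE_CMD = re.compile(r"fds_print_msg: Command=(\w+)")
_RE_RESP = re.compile(r"fds_print_msg: Response=(\d+)")
_RE_CONTRACT = re.compile(r"The APTContract is valid to (.+)$")
# Assumed failure vocabulary; extend from real traces as needed.
_RE_FAIL = re.compile(r"\b(fail|failed|error|refused|timeout|timed out)\b", re.I)


def parse_forticldd(text: str) -> Dict:
    """One pass over the trace; each Command= line opens a new exchange record."""
    summary: Dict = {"proxy": None, "controller": None, "exchanges": [],
                     "contract_valid_to": None, "errors": []}
    current: Optional[Dict] = None
    for line in text.splitlines():
        line = line.strip()
        m = _RE_PROXY.search(line)
        if m:
            summary["proxy"] = (m.group(1), int(m.group(2)))
            continue
        m = _RE_SERVER.search(line)
        if m:
            summary["controller"] = (m.group(1), int(m.group(2)))
            continue
        m = _RE_CMD.search(line)
        if m:
            current = {"command": m.group(1), "response": None}
            summary["exchanges"].append(current)
            continue
        m = _RE_RESP.search(line)
        if m and current is not None:
            current["response"] = int(m.group(1))
            continue
        m = _RE_CONTRACT.search(line)
        if m:
            summary["contract_valid_to"] = m.group(1).strip()
            continue
        if _RE_FAIL.search(line):
            summary["errors"].append(line)
    return summary


def proxy_path_ok(summary: Dict, expected_proxy: Tuple[str, int], ok_response: int = 202) -> bool:
    """True when the configured proxy was used, a controller was reached, every
    exchange got the expected Response value, and no error line was seen."""
    return (summary["proxy"] == expected_proxy
            and summary["controller"] is not None
            and bool(summary["exchanges"])
            and all(e["response"] == ok_response for e in summary["exchanges"])
            and not summary["errors"])


if __name__ == "__main__":
    s = parse_forticldd(SAMPLE)
    print(s)
    print("via proxy:", proxy_path_ok(s, ("172.16.200.44", 3128)))
```

If the proxy tuple comes back as None, the FortiGate opened the controller connection directly rather than through the configured proxy-server-ip, which on an isolated network is the first thing to check.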

Proxy chaining

For the explicit web proxy you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy
sessions to other proxy servers. Proxy chaining can be used to forward web proxy sessions from the FortiGate unit to
one or more other proxy servers on your network or on a remote network. You can use proxy chaining to integrate the
FortiGate explicit web proxy with a web proxy solution that you already have in place.
A FortiGate unit can forward sessions to most web proxy servers including a remote FortiGate unit with the explicit web
proxy enabled. No special configuration of the explicit web proxy on the remote FortiGate unit is required.
You can deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite
offices and a main office. If each office has a FortiGate unit, users at each of the satellite offices can use their local
FortiGate unit as an explicit web proxy server. The satellite office FortiGate units can forward explicit web proxy sessions
to an explicit web proxy server at the central office. From here the sessions can connect to web servers on the Internet.
FortiGate proxy chaining does not support web proxies in the proxy chain authenticating each other.
The following examples assume explicit web proxy has been enabled.

To enable explicit web proxy in the GUI:

1. Go to System > Feature Visibility.
2. In the Security Features column, enable Explicit Proxy.
3. Configure the explicit web proxy settings. See Explicit web proxy on page 193.

To add a web proxy forwarding server in the GUI:

1. Go to Network > Explicit Proxy. The Explicit Proxy page opens.
2. In the Web Proxy Forwarding Servers section, click Create New.
3. Configure the server settings:

   Name: Enter the name of the forwarding server.
   Proxy Address Type: Select the type of IP address of the forwarding server. A forwarding server can have an FQDN or IP address.
   Proxy Address: Enter the IP address of the forwarding server.
   Port: Enter the port number on which the proxy receives connections. Traffic leaving the FortiGate explicit web proxy for this server has its destination port number changed to this number.
   Server Down Action: Select the action the explicit web proxy will take if the forwarding server is down.
     - Block: Blocks the traffic if the remote server is down.
     - Use Original Server: Forwards the traffic from the FortiGate to its destination as if no forwarding server is configured.
   Health Monitor: Select to enable health check monitoring.
   Health Check Monitor Site: Enter the address of a remote site.

4. Click OK.

Example

The following example adds a web proxy forwarding server named fwd-srv at address proxy.example.com and port
8080.

To add a web proxy forwarding server in the CLI:

config web-proxy forward-server
    edit fwd-srv
        set addr-type fqdn
        set fqdn proxy.example.com
        set port 8080
    next
end

Web proxy forwarding server monitoring and health checking

By default, a FortiGate unit monitors a web proxy forwarding server by forwarding a connection to the remote server
every 10 seconds. The remote server is assumed to be down if it does not respond to the connection. FortiGate
continues checking the server. The server is assumed to be back up when the server sends a response. If you enable
health checking, the FortiGate unit attempts to get a response from a web server every 10 seconds by connecting
through the remote forwarding server.

You can configure health checking for each remote server and specify a different website to check for each one.
If the remote server is found to be down you can configure the FortiGate unit to block sessions until the server comes
back up or to allow sessions to connect to their destination, bypassing the remote forwarding server. You cannot
configure the FortiGate unit to fail over to another remote forwarding server.

To configure proxy server monitor and health checking in the GUI:

1. Go to Network > Explicit Proxy. The Explicit Proxy page opens.
2. In the Web Proxy Forwarding Servers section, edit a server.
3. Configure the Server Down Action and Health Monitor settings.

   Server Down Action: Select the action the explicit web proxy will take if the forwarding server is down.
     - Block: Blocks the traffic if the remote server is down.
     - Use Original Server: Forwards the traffic from the FortiGate to its destination as if no forwarding server is configured.
   Health Monitor: Select to enable health check monitoring.
   Health Check Monitor Site: Enter the address of a remote site.

4. Click OK.

Example

The following example enables health checking for a web proxy forwarding server and sets the server down option to
bypass the forwarding server if it is down.

To configure proxy server monitor and health checking in the CLI:

config web-proxy forward-server
    edit fwd-srv
        set healthcheck enable
        set monitor http://example.com
        set server-down-option pass
    next
end

Grouping forwarding servers and load balancing traffic to the servers

You can add multiple web proxy forwarding servers to a forwarding server group and then add the server group to an
explicit web proxy policy instead of adding a single server. Forwarding server groups are created from the FortiGate CLI
but can be added to policies from the web-based manager (or from the CLI).
When you create a forwarding server group you can select a load balancing method to control how sessions are load
balanced to the forwarding servers in the server group. Two load balancing methods are available:
- Weighted load balancing sends more sessions to the servers with higher weights. You can configure the weight for
  each server when you add it to the group.
- Least-session load balancing sends new sessions to the forwarding server that is processing the fewest sessions.

When you create a forwarding server group you can also enable affinity. Enable affinity to have requests from the same
client processed by the same server. This can reduce delays caused by using multiple servers for a single multi-step
client operation. Affinity takes precedence over load balancing.
You can also configure the behavior of the group if all of the servers in the group are down. You can select to block traffic
or you can select to have the traffic pass through the FortiGate explicit proxy directly to its destination instead of being
sent to one of the forwarding servers.

Example

The following example adds a forwarding server group that uses weighted load balancing to load balance traffic to three
forwarding servers. Server weights are configured to send most traffic to server2. The group has affinity enabled
and blocks traffic if all of the forward servers are down.

To configure load balancing in the CLI:

config web-proxy forward-server
    edit server_1
        set ip 172.20.120.12
        set port 8080
    next
    edit server_2
        set ip 172.20.120.13
        set port 8000
    next
    edit server_3
        set ip 172.20.120.14
        set port 8090
    next
end
config web-proxy forward-server-group
    edit New-fwd-group
        set affinity enable
        set ldb-method weighted
        set group-down-option block
        config server-list
            edit server_1
                set weight 10
            next
            edit server_2
                set weight 40
            next
            edit server_3
                set weight 10
            next
        end
    next
end
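The behaviour described in the health-checking section and in this server-group section, modelled together as one added example (not FortiOS code and not part of the guide): a server marked down by the monitor round is skipped, the weighted method sends more sessions to higher weights, least-session picks the server with the fewest open sessions, affinity pins a client to the server it used before and takes precedence over load balancing, and the group-down option decides between blocking and bypassing when every server is down. The weighted scheduler is a smooth weighted round robin chosen here because it is deterministic; FortiOS does not document its exact scheduler, so that choice and all names are this example's assumptions:

```python
"""Model of web-proxy forward-server selection: health state, the two
load-balancing methods, affinity, and the group-down option.

Added example, not FortiOS code. The weighted method is a smooth weighted
round robin (deterministic, exact per-cycle proportions); FortiOS does not
document its scheduler, so only the documented intent is modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DIRECT = "DIRECT"   # sentinel: bypass the forwarding servers and go straight to the destination


@dataclass
class ForwardServer:
    name: str
    weight: int = 1
    healthy: bool = True
    active_sessions: int = 0
    _current: int = field(default=0, repr=False)   # smooth-WRR running counter


class ForwardServerGroup:
    def __init__(self, servers: List[ForwardServer], ldb_method: str = "weighted",
                 affinity: bool = False, group_down_option: str = "block"):
        if ldb_method not in ("weighted", "least-session"):
            raise ValueError(ldb_method)
        if group_down_option not in ("block", "pass"):
            raise ValueError(group_down_option)
        self.servers: Dict[str, ForwardServer] = {s.name: s for s in servers}
        self.ldb_method = ldb_method
        self.affinity = affinity
        self.group_down_option = group_down_option
        self._affinity: Dict[str, str] = {}   # client IP -> server name

    def health_check(self, results: Dict[str, bool]) -> None:
        """Apply the outcome of one monitor round (server name -> responded?)."""
        for name, up in results.items():
            self.servers[name].healthy = up

    def _weighted(self, up: List[ForwardServer]) -> ForwardServer:
        total = sum(s.weight for s in up)
        for s in up:
            s._current += s.weight
        best = max(up, key=lambda s: s._current)
        best._current -= total
        return best

    def select(self, client_ip: str) -> Optional[str]:
        """Pick the server for a new session; None means block, DIRECT means bypass."""
        up = [s for s in self.servers.values() if s.healthy]
        if not up:
            return None if self.group_down_option == "block" else DIRECT
        chosen: Optional[ForwardServer] = None
        if self.affinity:                      # affinity wins over load balancing
            prev = self._affinity.get(client_ip)
            if prev is not None and self.servers[prev].healthy:
                chosen = self.servers[prev]
        if chosen is None:
            if self.ldb_method == "weighted":
                chosen = self._weighted(up)
            else:
                chosen = min(up, key=lambda s: s.active_sessions)
        chosen.active_sessions += 1
        if self.affinity:
            self._affinity[client_ip] = chosen.name
        return chosen.name

    def release(self, name: str) -> None:
        """A session on the named server ended."""
        self.servers[name].active_sessions -= 1


def session_distribution(group: ForwardServerGroup, n: int, client_ips: List[str]) -> Dict[str, int]:
    """Open n sessions from rotating client IPs; return sessions per server."""
    counts = {name: 0 for name in group.servers}
    for i in range(n):
        chosen = group.select(client_ips[i % len(client_ips)])
        if chosen in counts:
            counts[chosen] += 1
    return counts


def example_group() -> ForwardServerGroup:
    """The group from the CLI example above: weights 10/40/10, affinity on, block when all down."""
    return ForwardServerGroup(
        [ForwardServer("server_1", 10), ForwardServer("server_2", 40), ForwardServer("server_3", 10)],
        ldb_method="weighted", affinity=True, group_down_option="block")


if __name__ == "__main__":
    g = example_group()
    print(session_distribution(g, 60, [f"10.0.0.{i}" for i in range(1, 61)]))
```

Note how affinity interacts with the distribution: with many distinct clients the weights are honoured, but a few clients opening many sessions each will land on whichever servers they were pinned to first, which is the trade-off the text refers to when it says affinity takes precedence over load balancing.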

Adding proxy chaining to an explicit web proxy policy

You can enable proxy chaining for web proxy sessions by adding a web proxy forwarding server or server group to an
explicit web proxy policy. In a policy you can select one web proxy forwarding server or server group. All explicit web
proxy traffic accepted by this security policy is forwarded to the specified web proxy forwarding server or server group.

To add an explicit web proxy forwarding server in the GUI:

1. Go to Policy & Objects > Proxy Policy and click Create New.
2. Configure the policy settings:

   Proxy Type: Explicit Web
   Outgoing Interface: wan1
   Source: Internal_subnet
   Destination: all
   Schedule: always
   Service: webproxy
   Action: Accept

3. Enable Web Proxy Forwarding Server and select the forwarding server (for example, fwd-srv).
4. Click OK.

Example

The following example adds a security policy that allows all users on the 10.31.101.0 subnet to use the explicit web
proxy for connections through the wan1 interface to the Internet. The policy forwards web proxy sessions to a remote
forwarding server named fwd-srv.

To add an explicit web proxy forwarding server in the CLI:

config firewall proxy-policy
    edit 0
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "Internal_subnet"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set webproxy-forward-server "fwd-srv"
    next
end

Using TLS 1.3 with web proxy forward servers

A FortiGate can handle TLS 1.3 traffic in both deep and certificate inspection modes.

Example

The following example demonstrates that the Squid server and the FortiGate can handle TLS 1.3 traffic.

The following output from the Squid server demonstrates that the FortiGate supports TLS 1.3 traffic and forwards the
hello retry request back to the client PC. The client PC then sends the client hello again, and the connection is
successfully established.
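The retry the text describes can be confirmed from a packet capture taken on the forward server side, because RFC 8446 encodes a HelloRetryRequest as a ServerHello whose 32-byte random field is SHA-256("HelloRetryRequest"). The following added example (not FortiGate or Squid code, not part of the guide) walks raw TLS records, labels each handshake message, and reports whether a HelloRetryRequest was followed by a second ClientHello and a real ServerHello. The sample records are constructed in the block itself, not taken from a capture, and the cipher suite used in them (0x1301, TLS_AES_128_GCM_SHA256) is just the one chosen for the sample:

```python
"""Identify TLS 1.3 handshake messages, including HelloRetryRequest, in raw
record bytes. Added example, not FortiGate or Squid code. Per RFC 8446 the
HelloRetryRequest is a ServerHello whose random is SHA-256("HelloRetryRequest").
The sample records built here are constructed, not captured."""
import hashlib
import struct
from typing import List, Tuple

HRR_RANDOM = hashlib.sha256(b"HelloRetryRequest").digest()   # RFC 8446 section 4.1.3
HANDSHAKE = 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2


def build_hello(hs_type: int, random: bytes, cipher_suite: int = 0x1301) -> bytes:
    """Construct a minimal ClientHello or ServerHello wrapped in one handshake record."""
    assert len(random) == 32
    suite = struct.pack("!H", cipher_suite)
    if hs_type == HS_CLIENT_HELLO:
        # legacy_version, random, session_id(len 0), cipher_suites(len 2), compression(len 1: null), extensions(len 0)
        body = b"\x03\x03" + random + b"\x00" + b"\x00\x02" + suite + b"\x01\x00" + b"\x00\x00"
    else:
        # legacy_version, random, session_id(len 0), cipher_suite, compression null, extensions(len 0)
        body = b"\x03\x03" + random + b"\x00" + suite + b"\x00" + b"\x00\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


def parse_records(data: bytes) -> List[Tuple[str, int]]:
    """Walk TLS records and label each handshake message as (name, handshake type)."""
    out: List[Tuple[str, int]] = []
    pos = 0
    while pos + 5 <= len(data):
        ctype = data[pos]
        rlen = struct.unpack("!H", data[pos + 3:pos + 5])[0]
        body = data[pos + 5:pos + 5 + rlen]
        if len(body) < rlen:
            raise ValueError("truncated TLS record")
        pos += 5 + rlen
        if ctype != HANDSHAKE:
            out.append(("non-handshake", ctype))
            continue
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")
        hs_body = body[4:4 + hs_len]
        if hs_type == HS_CLIENT_HELLO:
            out.append(("ClientHello", hs_type))
        elif hs_type == HS_SERVER_HELLO:
            rnd = hs_body[2:34]                      # skip legacy_version, take the 32-byte random
            out.append(("HelloRetryRequest" if rnd == HRR_RANDOM else "ServerHello", hs_type))
        else:
            out.append(("handshake", hs_type))
    return out


def retry_completed(flow: List[Tuple[str, int]]) -> bool:
    """True when a HelloRetryRequest was followed by a new ClientHello and then a ServerHello."""
    names = [n for n, _ in flow]
    if "HelloRetryRequest" not in names:
        return False
    i = names.index("HelloRetryRequest")
    if "ClientHello" not in names[i + 1:]:
        return False
    j = names.index("ClientHello", i + 1)
    return "ServerHello" in names[j + 1:]


def demo_flow() -> List[Tuple[str, int]]:
    """Constructed exchange: ClientHello, HelloRetryRequest, second ClientHello, ServerHello."""
    r_client, r_server = bytes(range(32)), bytes(range(32, 64))
    stream = (build_hello(HS_CLIENT_HELLO, r_client) + build_hello(HS_SERVER_HELLO, HRR_RANDOM)
              + build_hello(HS_CLIENT_HELLO, r_client) + build_hello(HS_SERVER_HELLO, r_server))
    return parse_records(stream)


if __name__ == "__main__":
    flow = demo_flow()
    print(flow)
    print("retry completed:", retry_completed(flow))
```

On a real capture the record bytes come from the TCP payload between the forward server and the client (or from the FortiGate side of the chain); a flow that shows the HelloRetryRequest but no second ClientHello points at the hop that dropped the retry.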

WAN optimization SSL proxy chaining

An SSL server does not need to be defined for WAN optimization (WANOpt) SSL traffic offloading (traffic acceleration).
The server side FortiGate uses an SSL profile to resign the HTTP server's certificate, both with and without an external
proxy, without an SSL server configured. GCM and ChaCha ciphers can also be used in the SSL connection.

Examples

In these examples, HTTPS traffic is accelerated without configuring an SSL server, including with a proxy in between,
and when the GCM or ChaCha ciphers are used.

Example 1

In this example, the server certificate is resigned by the server side FortiGate, and HTTPS traffic is accelerated without
configuring an SSL server.
HTTPS traffic with the GCM or ChaCha cipher can pass through the WANOpt tunnel.

To configure FGT_A:

1. Configure the hard disk to perform WANOpt:

config system storage
    edit "HDD2"
        set status enable
        set usage wanopt
        set wanopt-mode mix
    next
end

2. Configure the WANOpt peer and profile:

config wanopt peer
    edit "FGT-D"
        set ip 120.120.120.172
    next
end
config wanopt profile
    edit "test"
        config http
            set status enable
            set ssl enable
        end
    next
end

3. Create an SSL profile with deep inspection on HTTPS port 443:

config firewall ssl-ssh-profile
    edit "ssl"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

4. Configure a firewall policy in proxy mode with WANOpt enabled and the WANOpt profile selected:

config firewall policy
    edit 1
        set name "WANOPT-A"
        set srcintf "port21"
        set dstintf "port27"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "ssl"
        set wanopt enable
        set wanopt-profile "test"
        set nat enable
    next
end

To configure FGT_D:

1. Configure the hard disk to perform WANOpt:

config system storage
    edit "HDD2"
        set status enable
        set usage wanopt
        set wanopt-mode mix
    next
end

2. Configure the WANOpt peer:

config wanopt peer
    edit "FGT-A"
        set ip 110.110.110.171
    next
end

3. Create an SSL profile with deep inspection on HTTPS port 443. The default Fortinet_CA_SSL certificate is used to
   resign the server certificate:

config firewall ssl-ssh-profile
    edit "ssl"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

4. Configure a firewall policy in proxy mode with WANOpt enabled and passive WANOpt detection:

config firewall policy
    edit 1
        set name "WANOPT-B"
        set srcintf "port27"
        set dstintf "port23"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set wanopt enable
        set wanopt-detection passive
        set nat enable
    next
end

5. Configure a proxy policy to apply the SSL profile:

config firewall proxy-policy
    edit 100
        set proxy wanopt
        set dstintf "port23"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set utm-status enable
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "ssl"
    next
end

To confirm that traffic is accelerated:

1. On the client PC, curl a 10MB test sample for the first time:
root@client:/tmp# curl -k https://172.16.200.144/test_10M.pdf -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9865k 100 9865k 0 0 663k 0 0:00:14 0:00:15 --:--:-- 1526k

It takes 15 seconds to finish the download.


2. On FGT_A, check the WAD statistics:
# diagnose wad stats worker.tunnel
comp.n_in_raw_bytes 10155840
comp.n_in_comp_bytes 4548728
comp.n_out_raw_bytes 29624
comp.n_out_comp_bytes 31623
# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 760
lan.bytes_out 10140606
tunnel.bytes_in 4548728
tunnel.bytes_out 31623

3. Curl the same test sample a second time:


root@client:/tmp# curl -k https://172.16.200.144/test_10M.pdf -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9865k 100 9865k 0 0 663k 0 0:00:01 0:00:01 --:--:-- 1526k

It now takes less than one second to finish the download.


4. On FGT_A, check the WAD statistics again:
# diagnose wad stats worker.tunnel
comp.n_in_raw_bytes 10181157
comp.n_in_comp_bytes 4570331
comp.n_out_raw_bytes 31627
comp.n_out_comp_bytes 34702
# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 1607
lan.bytes_out 20286841
tunnel.bytes_in 4570331
tunnel.bytes_out 34702

The tunnel bytes are mostly unchanged, but the LAN bytes are doubled. This means that the bytes of the second
curl come from the cache, showing that the traffic is accelerated.
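The comparison made in the sentence above (tunnel counters nearly unchanged, LAN counters doubled) is easy to automate when you repeat this test after a change. The following added example (not FortiOS code, not part of the guide) parses two diagnose wad stats snapshots, computes the per-counter deltas, and classifies the second download from the ratio of tunnel bytes received to LAN bytes sent. BEFORE and AFTER are the counters printed in the steps above; the 10% ratio threshold is this example's own choice:

```python
"""Compare two 'diagnose wad stats' snapshots to tell whether a repeated
download was served from the WANOpt byte cache or fetched over the tunnel.
Added example, not FortiOS code. BEFORE/AFTER are the counters from the guide's
steps; the ratio threshold is an assumption of this script."""
from typing import Dict

BEFORE = """\
# diagnose wad stats worker.tunnel
comp.n_in_raw_bytes 10155840
comp.n_in_comp_bytes 4548728
comp.n_out_raw_bytes 29624
comp.n_out_comp_bytes 31623
# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 760
lan.bytes_out 10140606
tunnel.bytes_in 4548728
tunnel.bytes_out 31623
"""

AFTER = """\
# diagnose wad stats worker.tunnel
comp.n_in_raw_bytes 10181157
comp.n_in_comp_bytes 4570331
comp.n_out_raw_bytes 31627
comp.n_out_comp_bytes 34702
# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 1607
lan.bytes_out 20286841
tunnel.bytes_in 4570331
tunnel.bytes_out 34702
"""


def parse_wad_stats(text: str) -> Dict[str, int]:
    """'counter value' lines become a dict; echoed command lines are skipped."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Growth of every counter present in both snapshots (counters only increase)."""
    return {k: after[k] - before[k] for k in after if k in before}


def cache_verdict(deltas: Dict[str, int], threshold: float = 0.10) -> str:
    """Bytes handed to the LAN client versus bytes pulled across the WANOpt tunnel."""
    lan = deltas.get("lan.bytes_out", 0)
    tunnel = deltas.get("tunnel.bytes_in", 0)
    if lan <= 0:
        return "no-transfer"
    return "served-from-cache" if tunnel / lan < threshold else "fetched-over-tunnel"


def second_download_verdict() -> str:
    """Verdict for the second curl in the steps above."""
    return cache_verdict(counter_deltas(parse_wad_stats(BEFORE), parse_wad_stats(AFTER)))


if __name__ == "__main__":
    d = counter_deltas(parse_wad_stats(BEFORE), parse_wad_stats(AFTER))
    for k, v in d.items():
        print(f"{k:24s} +{v}")
    print(second_download_verdict())
```

Taking a third snapshot after clearing the cache, or after a file changes on the server, is the way to confirm that the verdict flips back to fetched-over-tunnel rather than staying on a stale cached copy.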

To confirm that a curl using the GCM cipher is accepted and accelerated:

1. On the client PC, curl a 10MB test sample with the GCM cipher:
root@client:/tmp# curl -v -k --ciphers DHE-RSA-AES128-GCM-SHA256
https://172.16.200.144/test_10M.pdf -O
* Trying 172.16.200.144...
* TCP_NODELAY set
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connected to 172.16.200.144 (172.16.200.144) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: DHE-RSA-AES128-GCM-SHA256
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1920 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [783 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / DHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=ubuntu
* start date: Sep 20 21:38:01 2018 GMT
* expire date: Sep 17 21:38:01 2028 GMT
* issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority;
CN=Fortinet Untrusted CA; [email protected]
* SSL certificate verify result: self signed certificate in certificate chain (19),
continuing anyway.
} [5 bytes data]
> GET /test_10M.pdf HTTP/1.1
> Host: 172.16.200.144
> User-Agent: curl/7.64.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Sat, 12 Jun 2021 00:31:08 GMT
< Server: Apache/2.4.37 (Ubuntu)
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Fri, 29 Jan 2021 20:10:25 GMT
< ETag: "9a2572-5ba0f98404aa5"
< Accept-Ranges: bytes
< Content-Length: 10102130
< Content-Type: application/pdf
<
{ [5 bytes data]
100 9865k 100 9865k 0 0 16.7M 0 --:--:-- --:--:-- --:--:-- 16.8M
* Connection #0 to host 172.16.200.144 left intact
* Closing connection 0

To confirm that a curl using the ChaCha cipher is accepted and accelerated:

1. On the client PC, curl a 10MB test sample with the ChaCha cipher:
root@client:/tmp# curl -v -k --ciphers ECDHE-RSA-CHACHA20-POLY1305
https://172.16.200.144/test.doc -O
* Trying 172.16.200.144...
* TCP_NODELAY set
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connected to 172.16.200.144 (172.16.200.144) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-CHACHA20-POLY1305
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1920 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=ubuntu
* start date: Sep 20 21:38:01 2018 GMT
* expire date: Sep 17 21:38:01 2028 GMT
* issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority;
CN=Fortinet Untrusted CA; [email protected]
* SSL certificate verify result: self signed certificate in certificate chain (19),
continuing anyway.
} [5 bytes data]
> GET /test.doc HTTP/1.1
> Host: 172.16.200.144
> User-Agent: curl/7.64.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Sat, 12 Jun 2021 00:32:11 GMT
< Server: Apache/2.4.37 (Ubuntu)
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Wed, 05 May 2021 21:59:49 GMT
< ETag: "4c00-5c19c504b63f4"
< Accept-Ranges: bytes
< Content-Length: 19456
< Content-Type: application/msword
<
{ [5 bytes data]
100 19456 100 19456 0 0 137k 0 --:--:-- --:--:-- --:--:-- 138k
* Connection #0 to host 172.16.200.144 left intact
* Closing connection 0

Example 2

In this example, an external proxy is added to the configuration in Example 1.

To reconfigure FGT_A:

config firewall profile-protocol-options
    edit "protocol"
        config http
            set ports 80 8080
            unset options
            unset post-lang
        end
    next
end

To reconfigure FGT_D:

1. Configure a new firewall policy for traffic passing from port27 to port29:
config firewall policy
    edit 1
        set name "WANOPT-B"
        set srcintf "port27"
        set dstintf "port29"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set wanopt enable
        set wanopt-detection passive
        set nat enable
    next
end

2. Configure a proxy policy for traffic on destination interface port29:


config firewall proxy-policy
    edit 100
        set proxy wanopt
        set dstintf "port29"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "ssl"
    next
end

To confirm that HTTPS traffic is still being accelerated:

1. On the client PC, curl the same 10MB test sample through the explicit proxy:
root@client:/tmp# curl -x 100.100.100.174:8080 -v -k https://172.16.200.144/test_10M.pdf
-O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9865k 100 9865k 0 0 663k 0 0:00:01 0:00:01 --:--:-- 1526k

It takes less than a second to finish the download.

Agentless NTLM authentication for web proxy

Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:
- Multiple servers
- Individual users
You can use multiple domain controller servers for the agentless NTLM. They can be used for load balancing and high
service stability.
You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS
matches the user's group information from an LDAP server.

To support multiple domain controllers for agentless NTLM using the CLI:

1. Configure an LDAP server:


config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.177"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end

2. Configure multiple domain controllers:


config user domain-controller
    edit "dc1"
        set ip-address 172.18.62.177
        config extra-server
            edit 1
                set ip-address 172.18.62.220
            next
        end
        set ldap-server "ldap-kerberos"
    next
end

3. Create an authentication scheme and rule:


config authentication scheme
    edit "au-ntlm"
        set method ntlm
        set domain-controller "dc1"
    next
end
config authentication rule
    edit "ru-ntlm"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "au-ntlm"
    next
end

4. In the proxy policy, append the user group for authorization:


config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set groups "ldap-group"
        set utm-status enable
        set av-profile "av"
        set ssl-ssh-profile "deep-custom"
    next
end

This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication
request to the first domain controller. Later when another user logs in, the FortiGate sends the authentication
request to another domain controller.
5. Verify the behavior after the user successfully logs in:
# diagnose wad user list
ID: 1825, IP: 10.1.100.71, VDOM: vdom1
  user name : test1
  duration : 497
  auth_type : Session
  auth_method : NTLM
  pol_id : 1
  g_id : 5
  user_based : 0
  expire : 103
  LAN:
    bytes_in=2167 bytes_out=7657
  WAN:
    bytes_in=3718 bytes_out=270

To support individual users for agentless NTLM using the CLI:

1. Configure an LDAP server:


config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.177"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end

2. Configure the user group and allow user-based matching:


config user group
edit "ldap-group"
set member "ldap" "ldap-kerberos"
config match
edit 1
set server-name "ldap-kerberos"
set group-name "test1"
next
end
next
end

3. Create an authentication scheme and rule:


config authentication scheme
edit "au-ntlm"
set method ntlm
set domain-controller "dc1"
next
end
config authentication rule
edit "ru-ntlm"
set srcaddr "all"
set ip-based disable
set active-auth-method "au-ntlm"
next
end

4. In the proxy policy, append the user group for authorization:


config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set groups "ldap-group"
set utm-status enable
set av-profile "av"
set ssl-ssh-profile "deep-custom"
next
end

This implementation lets you configure a single user instead of a whole group. The FortiGate will now allow the user
named test1.

To verify the configuration using the CLI:

diagnose wad user list


ID: 1827, IP: 10.1.15.25, VDOM: vdom1
user name : test1
duration : 161
auth_type : Session
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : 439
LAN:
bytes_in=1309 bytes_out=4410
WAN:
bytes_in=2145 bytes_out=544

Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers

Multiple LDAP servers can be configured in Kerberos keytabs and agentless NTLM domain controllers for multi-forest
deployments.

To use multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers:

1. Add multiple LDAP servers:


config user ldap
edit "ldap-kerberos"
set server "172.16.200.98"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password xxxxxxxxx
next
edit "ldap-two"
set server "172.16.106.128"
set cnid "cn"
set dn "OU=Testing,DC=ad864r2,DC=com"
set type regular
set username "cn=Testadmin,cn=users,dc=AD864R2,dc=com"
set password xxxxxxxxx
next
end

2. Configure a Kerberos keytab entry that uses both LDAP servers:

config user krb-keytab
edit "http_service"
set pac-data disable
set principal "HTTP/[email protected]"
set ldap-server "ldap-kerberos" "ldap-two"
set keytab xxxxxxxxx
next
end

3. Configure a domain controller that uses both LDAP servers:


config user domain-controller
edit "dc1"
set ip-address 172.16.200.98
set ldap-server "ldap-two" "ldap-kerberos"
next
end

Learn client IP addresses

Learning the actual client IP addresses is imperative for authorization. This function identifies the real client IP address
when there is a NATing device between the FortiGate and the client.
config web-proxy global
set learn-client-ip {enable | disable}
set learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}
set learn-client-ip-srcaddr <address> ... <address>
end

learn-client-ip {enable | disable}
    Enable/disable learning the client's IP address from headers.
learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}
    Learn client IP addresses from the specified header.
learn-client-ip-srcaddr <address> ... <address>
    Source address objects. The client IP is only learned from the header in requests whose source address matches one of them; choose the NAT device or downstream proxy rather than "all" so that arbitrary clients cannot supply their own address.

Example

In this example, the real client IP address is used to match a policy for FSSO authentication.

To enable learning the client IP address:

config web-proxy global
set proxy-fqdn "default.fqdn"
set webproxy-profile "default"
set learn-client-ip enable
set learn-client-ip-from-header x-forwarded-for
set learn-client-ip-srcaddr "all"
end


To configure the proxy policy:

config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "mgmt1"
set srcaddr "all"
set dstaddr "all"
set service "w"
set action accept
set schedule "always"
set groups "fsso1"
set utm-status enable
set av-profile "default"
set dlp-sensor "default"
set profile-protocol-options "default"
set ssl-ssh-profile "deep-inspection"
next
end

To configure the authentication scheme and rule:

config authentication scheme
edit "scheme1"
set method fsso
next
end
config authentication rule
edit "rule1"
set srcaddr "all"
set sso-auth-method "scheme1"
next
end
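The following Python is an added example and is not part of this guide or of FortiOS: it models the decision that learn-client-ip makes, so that the effect of learn-client-ip-srcaddr is visible. With srcaddr set to "all", as in the example above, any host that can reach the proxy can place an arbitrary address in X-Forwarded-For and be matched against the FSSO group as whichever user is logged in at that address, so in practice srcaddr should name the NAT device or downstream proxy in front of the FortiGate. The addresses, the header dictionary and the assumption that the left-most X-Forwarded-For entry is the one learned are constructed for the example; the page does not state how FortiOS picks an entry from a multi-address header.

```python
"""Added example (not FortiOS code): model of learn-client-ip. The real client
address is taken from the configured header only when the request arrived from a
source listed in learn-client-ip-srcaddr; otherwise the TCP peer address is used."""
import ipaddress

# Maps the learn-client-ip-from-header choices to the header names on the wire
# (lower-cased; header names are case-insensitive).
HEADER_NAMES = {
    "true-client-ip": "true-client-ip",
    "x-real-ip": "x-real-ip",
    "x-forwarded-for": "x-forwarded-for",
}


def _parse_ip(text):
    """Return the address as a canonical string, or None if text is not a valid IP."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def in_trusted_sources(peer_ip, trusted_srcaddr):
    """True if the TCP peer is covered by learn-client-ip-srcaddr.
    "all" trusts every peer, so any host that reaches the proxy can choose its identity."""
    if "all" in trusted_srcaddr:
        return True
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(net, strict=False) for net in trusted_srcaddr)


def learn_client_ip(peer_ip, headers, header_choice, trusted_srcaddr):
    """Return the address the proxy policy and FSSO lookup should use.
    Falls back to the TCP peer when the peer is untrusted, the header is absent,
    or the header value is not an IP address. Assumption (not stated on the page):
    for X-Forwarded-For the left-most entry, the original client, is the one learned."""
    if not in_trusted_sources(peer_ip, trusted_srcaddr):
        return peer_ip
    wanted = HEADER_NAMES[header_choice]
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return peer_ip
    candidate = value.split(",")[0] if header_choice == "x-forwarded-for" else value
    learned = _parse_ip(candidate)
    return learned if learned is not None else peer_ip
```

Calling learn_client_ip("198.51.100.7", {"X-Forwarded-For": "10.1.100.71"}, "x-forwarded-for", ["all"]) returns 10.1.100.71 even though the request came straight from 198.51.100.7; with trusted_srcaddr restricted to the NAT device's network the same call returns the peer address.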

Explicit proxy authentication over HTTPS

When an HTTP request requires authentication at an explicit proxy, the authentication can be redirected to a secure
HTTPS captive portal. Once authentication is complete, the client is redirected back to the original destination over
HTTP.

Example

A user visits a website via HTTP through the explicit web proxy on a FortiGate. The user is required to authenticate by
either basic or form IP-based authentication for the explicit web proxy service. Without this feature, the credentials
would cross the network in plain text. To protect them, the FortiGate redirects the client to its captive portal over
HTTPS, so the credentials are encrypted in transit.


In this example, explicit proxy authentication over HTTPS is configured with form IP-based authentication. Once
configured, you can enable authorization for an explicit web proxy by configuring users or groups in the firewall proxy
policy.

To configure explicit proxy authentication over HTTPS:

1. Configure the authentication settings:


config authentication setting
set captive-portal-type fqdn
set captive-portal "fgt-cp"
set auth-https enable
end

2. Configure the authentication scheme:


config authentication scheme
edit "form"
set method form
set user-database "local-user-db"
next
end

3. Configure the authentication rule:


config authentication rule
edit "form"
set srcaddr "all"
set active-auth-method "form"
next
end

If a session-based basic authentication method is used, enable web-auth-cookie.

4. Configure the firewall address:


config firewall address
edit "fgt-cp"
set type fqdn
set fqdn "fgt.fortinetqa.local"
next
end

5. Configure the interface:

config system interface
edit "port10"
set ip 10.1.100.1 255.255.255.0
set explicit-web-proxy enable
set proxy-captive-portal enable
next
end

6. Configure a firewall proxy policy with users or groups (see Explicit web proxy on page 193).

Verification

When a client visits an HTTP website, the client is redirected to the captive portal for authentication over HTTPS. For
example, the client could be redirected to a URL by an HTTP 303 message similar to the following:
HTTP/1.1 303 See Other
Connection: close
Content-Type: text/html
Cache-Control: no-cache
Location: https://fgt.fortinetqa.local:7831/XX/YY/ZZ/cpauth?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&
Content-Length: 0
The captive portal URL used for authentication is https://fgt.fortinetqa.local:7831/.... The query string carries what the
portal needs to send the client back afterwards: the original scheme, host and port, a rule ID, and the original path in
the uri parameter (base64 encoded; Lw== decodes to /). Once the authentication is complete with all user credentials
protected by HTTPS, the client is redirected to the original HTTP website they intended to visit.
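The following Python is an added example, not code from the guide or from FortiOS: it parses a redirect like the one above, verifies that the captive portal is reached over HTTPS (the property auth-https exists to guarantee), and rebuilds the original URL from the query string. The response text is constructed from the page's example; the path segments and rule ID are placeholders, the unexplained 4Tmthd parameter is not reproduced, and the uri parameter is treated as base64 as the Lw== value indicates.

```python
"""Added example (not FortiOS code): parse the HTTP 303 that an explicit proxy sends
when auth-https is enabled, confirm the captive portal URL is HTTPS, and rebuild the
URL the client is returned to after authentication."""
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed response modelled on the page's example. Path components and the
# rule ID are placeholders; uri is base64 of "/".
SAMPLE_303 = (
    "HTTP/1.1 303 See Other\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache\r\n"
    "Location: https://fgt.fortinetqa.local:7831/XX/YY/ZZ/cpauth"
    "?scheme=http&host=172.16.200.46&port=80&rule=75&uri=Lw==&\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def decode_uri(encoded):
    """The uri parameter is base64; padding may have been stripped in the URL."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def analyse_redirect(raw):
    """Return portal details and the original URL; raise ValueError if the redirect
    is not a captive-portal 303 or would send credentials over plain HTTP."""
    status, headers = parse_response(raw)
    if status != 303 or "location" not in headers:
        raise ValueError("not a captive-portal redirect")
    portal = urlsplit(headers["location"])
    if portal.scheme != "https":
        # Credentials would be posted in clear text: auth-https is not in effect.
        raise ValueError("captive portal is not served over HTTPS")
    q = parse_qs(portal.query)
    scheme, host, port = q["scheme"][0], q["host"][0], int(q["port"][0])
    path = decode_uri(q["uri"][0])
    netloc = host if DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return {
        "portal_host": portal.hostname,
        "portal_port": portal.port,
        "rule": int(q["rule"][0]),
        "original_url": f"{scheme}://{netloc}{path}",
    }


def portal_is_https(raw):
    """Convenience check for a monitoring script: True only for a valid HTTPS portal redirect."""
    try:
        analyse_redirect(raw)
        return True
    except (ValueError, KeyError, IndexError):
        return False
```

Running analyse_redirect(SAMPLE_303) yields portal host fgt.fortinetqa.local on port 7831 and the original URL http://172.16.200.46/; a redirect whose Location uses plain http is rejected, which is the condition a check script should alarm on.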

mTLS client certificate authentication

FortiGate supports client certificate authentication used in mutual Transport Layer Security (mTLS) communication
between a client and server. Clients are issued certificates by the CA, and an access proxy configured on the FortiGate
uses the new certificate method in the authentication scheme to identify and approve the certificate provided by the client
when they try to connect to the access proxy. The FortiGate can also add the HTTP header X-Forwarded-Client-Cert to
forward the certificate information to the server.

Examples

In these examples, the access proxy VIP IP address is 10.1.100.200.


Example 1

In this example, clients are issued unique client certificates from your CA. The FortiGate authenticates the clients by their
user certificate before allowing them to connect to the access proxy. The access proxy acts as a reverse proxy for the
web server that is behind the FortiGate.
This example assumes that you have already obtained the public CA certificate from your CA, the root CA of the client
certificate has been imported (CA_Cert_1), and the client certificate has been distributed to the endpoints.

To configure the FortiGate:

1. Configure user authentication. Both an authentication scheme and rule must be configured, as the authentication is
applied on the access proxy:
config authentication scheme
edit "mtls"
set method cert
set user-cert enable
next
end
config authentication rule
edit "mtls"
set srcintf "port2"
set srcaddr "all"
set dstaddr "all"
set active-auth-method "mtls"
next
end

2. Select the CA or CAs used to verify the client certificate:


config authentication setting
set user-cert-ca "CA_Cert_1"
end

3. Configure the users. Users can be matched based on either the common-name on the certificate or the trusted
issuer.
l Verify the user based on the common name on the certificate:
config user certificate
edit "single-certificate"
set type single-certificate
set common-name "client.fortinet.com"
next
end

l Verify the user based on the CA issuer:


config user certificate
edit "trusted-issuer"
set type trusted-issuer
set issuer "CA_Cert_1"
next
end

4. Configure the access proxy VIP. The SSL certificate is the server certificate that is presented to the user as they
connect:

config firewall vip
edit "mTLS"
set type access-proxy
set extip 10.1.100.200
set extintf "port2"
set server-type https
set extport 443
set ssl-certificate "Fortinet_CA_SSL"
next
end

5. Configure the access proxy policy, including the real server to be mapped. To request the client certificate for
authentication, client-cert is enabled. Note that empty-cert-action accept lets a client that presents no certificate
complete the TLS handshake; it is then left to the proxy policy, which requires a certificate-based user, to deny it. Set
empty-cert-action block to reject certificate-less clients during the handshake instead:
config firewall access-proxy
edit "mTLS-access-proxy"
set vip "mTLS"
set client-cert enable
set empty-cert-action accept
config api-gateway
edit 1
config realservers
edit 1
set ip 172.16.200.44
next
end
next
end
next
end

6. Configure the firewall policy to allow the client to connect to the access proxy:
config firewall policy
edit 1
set srcintf "port2"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "mTLS"
set schedule "always"
set service "ALL"
set inspection-mode proxy
set logtraffic all
set nat enable
next
end

7. Configure the proxy policy to apply authentication and the security profile, selecting the appropriate user object
depending on the user type:
config firewall proxy-policy
edit 3
set proxy access-proxy
set access-proxy "mTLS-access-proxy"
set srcintf "port2"
set srcaddr "all"
set dstaddr "all"

set action accept
set schedule "always"
set users {"single-certificate" | "trusted-issuer"}
set utm-status enable
set ssl-ssh-profile "deep-inspection-clone"
set av-profile "av"
next
end

To verify the results:

1. In a web browser, access the VIP address. This example uses Chrome.
2. When prompted, select the client certificate, then click OK.

3. Click Certificate information to view details about the certificate.

4. On the FortiGate, check the traffic logs.


l If client certificate authentication passes:
1: date=2021-06-03 time=15:48:36 eventtime=1622760516866635697 tz="-0700"
logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1"

srcip=10.1.100.11 srcport=45532 srcintf="port2" srcintfrole="undefined"
dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.44 dstport=443
dstintf="vdom1" dstintfrole="undefined" sessionid=154900 service="HTTPS"
wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-
policy" poluuid="af5e2df2-c321-51eb-7d5d-42fa58868dcb" duration=0 user="single-
certificate" wanin=2550 rcvdbyte=2550 wanout=627 lanin=4113 sentbyte=4113 lanout=2310
appcat="unscanned"

l If the CA issuer is used to verify the client:


1: date=2021-06-03 time=15:43:02 eventtime=1622760182384776037 tz="-0700"
logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=45514 srcintf="port2" srcintfrole="undefined"
dstcountry="Reserved" srccountry="Reserved" dstip=10.1.100.200 dstport=443
dstintf="vdom1" dstintfrole="undefined" sessionid=153884 service="HTTPS"
wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-
policy" poluuid="af5e2df2-c321-51eb-7d5d-42fa58868dcb" duration=0 user="trusted-
issuer" wanin=0 rcvdbyte=0 wanout=0 lanin=4089 sentbyte=4089 lanout=7517
appcat="unscanned" utmaction="block" countweb=1 crscore=30 craction=8 utmref=65535-0

l If the client certificate authentication fails, and the traffic is blocked:


1: date=2021-06-03 time=15:45:53 eventtime=1622760353789703671 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=45518 srcintf="port2" srcintfrole="undefined"
dstip=172.16.200.44 dstport=443 dstintf="vdom1" dstintfrole="undefined"
srccountry="Reserved" dstcountry="Reserved" sessionid=154431 proto=6 action="deny"
policyid=0 policytype="proxy-policy" user="single-certificate" service="HTTPS"
trandisp="noop" url="https://10.1.100.200/" agent="curl/7.68.0" duration=0 sentbyte=0
rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072
crlevel="high" msg="Traffic denied because of explicit proxy policy"

Example 2

In this example, the same configuration as in Example 1 is used, with a web proxy profile added to enable adding the
client certificate to the HTTP header X-Forwarded-Client-Cert. The header is then forwarded to the server.

To configure the FortiGate:

1. Repeat steps 1 to 6 of Example 1, using the common name on the certificate to verify the user.
2. Configure a web proxy profile that adds the HTTP x-forwarded-client-cert header in forwarded requests:
config web-proxy profile
edit "mtls"
set header-x-forwarded-client-cert add
next
end

3. Configure the proxy policy to apply authentication, the security profile, and web proxy profile:
config firewall proxy-policy
edit 3
set uuid af5e2df2-c321-51eb-7d5d-42fa58868dcb
set proxy access-proxy
set access-proxy "mTLS-access-proxy"
set srcintf "port2"
set srcaddr "all"

set dstaddr "all"
set action accept
set schedule "always"
set logtraffic all
set users "single-certificate"
set webproxy-profile "mtls"
set utm-status enable
set ssl-ssh-profile "deep-inspection-clone"
set av-profile "av"
next
end

To verify the results:

The WAD debug shows that the FortiGate adds the client certificate information to the HTTP header. The added header
cannot be checked with the packet sniffer, because the FortiGate forwards the request to the real server over TLS, so the
header is encrypted on the wire.
1. Enable WAD debug on all categories:
# diagnose wad debug enable category all

2. Set the WAD debug level to verbose:
# diagnose wad debug enable level verbose

3. Enable debug output:
# diagnose debug enable

4. Check the debug output.


l When the FortiGate receives the client HTTP request:
[0x7fc8d4bc4910] Received request from client: 10.1.100.11:45544

GET / HTTP/1.1
Host: 10.1.100.200
User-Agent: curl/7.68.0
Accept: */*

l When the FortiGate adds the client certificate in to the HTTP header and forwards the client HTTP request:
[0x7fc8d4bc4910] Forward request to server:
GET / HTTP/1.1
Host: 172.16.200.44
User-Agent: curl/7.68.0
Accept: */*
X-Forwarded-Client-Cert: -----BEGIN CERTIFICATE-----
MIIFXzCCA0egAwI...aCFHDHlR+wb39s=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFpTCCA42gAwI...OtDtetkNoFLbvb
-----END CERTIFICATE-----
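What the real server should do with that header is not covered by the guide; the following Python is an added example and not FortiOS or Fortinet code. The header is trivial to forge by any client that can reach the server directly, so the server must accept it only from the FortiGate's address (10.1.100.1 is a placeholder assumption here; the page does not state which address the FortiGate uses toward the real server) and ignore it from everyone else. The two PEM blocks mirror the leaf-then-issuer layout in the debug output above but are placeholder DER SEQUENCEs so the code runs offline; a real server would hand the DER bytes to an X.509 library and compare the leaf fingerprint against the expected client.

```python
"""Added example (not FortiOS code): how the origin server behind the access proxy
can consume X-Forwarded-Client-Cert: accept it only from the FortiGate, split the
PEM chain, check each block is a DER SEQUENCE, and fingerprint each certificate."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholders, not real X.509: minimal DER SEQUENCEs so the example
# runs offline. A real header carries the leaf followed by its issuer.
FAKE_LEAF = bytes.fromhex("3003020105")    # SEQUENCE { INTEGER 5 }
FAKE_ISSUER = bytes.fromhex("3003020107")  # SEQUENCE { INTEGER 7 }


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----"


# Constructed header value in the same shape as the debug output above.
SAMPLE_HEADER = to_pem(FAKE_LEAF) + "\n" + to_pem(FAKE_ISSUER)


def der_sequence_ok(der):
    """True if der is one complete DER SEQUENCE: tag 0x30 and a definite length that
    covers exactly the remaining bytes (short form, or long form of up to 4 bytes)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        return 2 + first == len(der)
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)


def extract_client_chain(header_value, peer_ip, fortigate_ips):
    """Return the DER certificates carried in the header as a list.
    Returns [] when the request did not arrive from the FortiGate: any other client
    could set this header itself, so it must never be trusted from them.
    Raises ValueError on a malformed block rather than silently skipping it."""
    if peer_ip not in fortigate_ips:
        return []
    chain = []
    for b64 in PEM_BLOCK.findall(header_value):
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raise ValueError("malformed base64 in X-Forwarded-Client-Cert")
        if not der_sequence_ok(der):
            raise ValueError("PEM block is not a DER SEQUENCE")
        chain.append(der)
    return chain


def fingerprint(der):
    """SHA-256 of the DER bytes, the usual value to compare against a pinned certificate."""
    return hashlib.sha256(der).hexdigest()
```

extract_client_chain(SAMPLE_HEADER, "10.1.100.1", {"10.1.100.1"}) returns both DER blobs, leaf first; the same header arriving from 10.1.100.11 (the client in the logs above) returns an empty list and the application should treat the request as unauthenticated.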


DHCP server

A DHCP server leases IP addresses from a defined address range to clients on the network that request dynamically
assigned addresses.
A DHCP server can be in server or relay mode. In server mode, you can define one or more address ranges to assign
addresses from, and options such as the default gateway, DNS server, lease time, and other advanced options. In relay
mode, the interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses
to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients
arrive at the unit.
l DHCP options on page 257
l IP address assignment with relay agent information option on page 259
l DHCP client options on page 261

Configure a DHCP server on an interface

To configure a DHCP server in the GUI:

1. Go to Network > Interfaces.


2. Edit an interface.
3. Enable the DHCP Server option and configure the settings.
4. Click OK.

To configure a DHCP server in the CLI:

config system dhcp server
edit 1
set dns-service default
set default-gateway 192.168.1.2
set netmask 255.255.255.0
set interface "port1"
config ip-range
edit 1
set start-ip 192.168.1.1
set end-ip 192.168.1.1
next
edit 2
set start-ip 192.168.1.3
set end-ip 192.168.1.254
next
end
set timezone-option default
set tftp-server "172.16.1.2"
next
end


Configure a DHCP relay on an interface

To configure a DHCP relay in the GUI:

1. Go to Network > Interfaces.


2. Edit an interface.
3. Enable the DHCP Server option and set DHCP status to Disabled.
4. Expand the Advanced section and set Mode to Relay.
5. Enter the DHCP Server IP.
6. Click OK.

To configure a DHCP relay in the CLI:

1. Configure the interface:


config system interface
edit "port2"
set vdom "root"
set dhcp-relay-service enable
set ip 10.1.1.5 255.255.255.0
set allowaccess ping https ssh fabric
set type physical
set snmp-index 4
set dhcp-relay-ip "192.168.20.10"
next
end

2. On the DHCP server settings for the interface, set the status to disable:
config system dhcp server
edit 17
set status disable
set dns-service default
set default-gateway 10.1.1.5
set netmask 255.255.255.0
set interface "port2"
next
end

Configure a DHCP server and relay on an interface

A FortiGate interface can be configured to work in DHCP server mode to lease out addresses, and at the same time
relay the DHCP packets to another device, such as a FortiNAC to perform device profiling.
The DHCP message is forwarded to the relay server under the following conditions:
l dhcp-relay-request-all-server is enabled
l Message type is either DHCPDISCOVER or DHCPINFORM
l Client IP address in client message is 0
l Server ID is NULL in the client message
l Server address is a broadcast address (255.255.255.255)
l Server address is 0


To configure a DHCP server and relay in the GUI:

1. Go to Network > Interfaces.


2. Edit an interface.
3. Enable the DHCP Server option and set DHCP status to Enabled.
4. Edit the address range as required.
5. Expand the Advanced section and set Mode to Relay.
6. Enter the DHCP Server IP.
7. Click OK.
8. In the CLI, enable dhcp-relay-request-all-server.

To configure a DHCP server and relay in the CLI:

1. Configure the interface:


config system interface
edit "port2"
set vdom "root"
set dhcp-relay-service enable
set ip 10.1.1.5 255.255.255.0
set allowaccess ping https ssh fabric
set type physical
set snmp-index 4
set dhcp-relay-ip "192.168.20.10"
set dhcp-relay-request-all-server enable
next
end

2. Configure the DHCP server settings:


config system dhcp server
edit 17
set status enable
set dns-service default
set default-gateway 10.1.1.5
set netmask 255.255.255.0
set interface "port2"
next
end

DHCP options

When adding a DHCP server, you can include DHCP codes and options. The DHCP options are BOOTP vendor
information fields that provide additional vendor-independent configuration parameters to manage the DHCP server. For
example, you might need to configure a FortiGate DHCP server that gives out a separate option as well as an IP
address, such as an environment that needs to support PXE boot with Windows images.
The option numbers and codes are specific to the application. The documentation for the application indicates the values
to use. Option codes are entered as option number/hex value pairs: the option number is a value between 1 and 255, and
the value is the option payload in hexadecimal. You can add up to three DHCP code/option pairs per DHCP server.
For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.


To configure option 252 with value http://192.168.1.1/wpad.dat using the CLI:

config system dhcp server
edit <server_entry_number>
set option1 252 687474703a2f2f3139322e3136382e312e312f777061642e646174
next
end

Option 82

The DHCP relay agent information option (option 82 in RFC 3046) helps protect the FortiGate against attacks such as
spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.
This option is disabled by default. However, when dhcp-relay-service is enabled, dhcp-relay-agent-option
becomes enabled.

To configure the DHCP relay agent option using the CLI:

config system interface
edit <interface>
set vdom root
set dhcp-relay-service enable
set dhcp-relay-ip <ip>
set dhcp-relay-agent-option enable
set vlanid <id>
next
end

See IP address assignment with relay agent information option on page 259 for an example.

Option 42

This option specifies a list of the NTP servers available to the client by IP address.


config system dhcp server
edit 2
set ntp-service {local | default | specify}
set ntp-server1 <class_ip>
set ntp-server2 <class_ip>
set ntp-server3 <class_ip>
next
end

The NTP service options include:


l local: The IP address of the interface that the DHCP server is added to becomes the client's NTP server
IP address.
l default: Clients are assigned the FortiGate's configured NTP servers.
l specify: Specify up to three NTP servers in the DHCP server configuration.


IP address assignment with relay agent information option

Option 82 (DHCP relay information option) helps protect the FortiGate against attacks such as spoofing (or forging) of IP
and MAC addresses, and DHCP IP address starvation.

The following CLI variables are included in the config system dhcp server > config reserved-address
command:

circuit-id-type {hex | string}   DHCP option type; hex or string (default).
circuit-id <value>               Option 82 circuit ID of the client that will get the reserved IP address.
                                 Format: vlan-mod-port
                                 l vlan: VLAN ID (2 bytes)
                                 l mod: 1 = snoop, 0 = relay (1 byte)
                                 l port: port number (1 byte)
remote-id-type {hex | string}    DHCP option type; hex or string (default).
remote-id <value>                Option 82 remote ID of the client that will get the reserved IP address.
                                 Format: the MAC address of the client.
type {mac | option82}            The DHCP reserved address type; mac (default) or option82.

To create an IP address assignment rule using option 82 in the GUI:

1. Go to Network > Interfaces.


2. Edit an existing port, or create a new one.

The port Role must be LAN or Undefined.

3. Enable DHCP Server.


4. Configure the address ranges and other settings as needed.


5. Click + to expand the Advanced options.

6. In the IP Address Assignment Rules table, click Create New.


The Create New IP Address Assignment Rule pane opens.
7. Configure the new rule:
a. For the Type, select DHCP Relay Agent.
b. Enter the Circuit ID and Remote ID.
c. Enter the IP address that will be reserved.

8. Click OK.

To create an IP address assignment rule using option 82 with the CLI:

config system dhcp server
edit 1
set netmask 255.255.255.0
set interface "port4"
config ip-range


edit 1
set start-ip 100.100.100.1
set end-ip 100.100.100.99
next
edit 2
set start-ip 100.100.100.101
set end-ip 100.100.100.254
next
end
config reserved-address
edit 1
set type option82
set ip 100.100.100.12
set circuit-id-type hex
set circuit-id "00010102"
set remote-id-type hex
set remote-id "704ca5e477d6"
next
end
next
end
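The following Python is an added example, not code from the guide or from FortiOS, covering both the DHCP options passage (the hex value that set option1 252 <hex> expects) and the option 82 reserved-address rule above. It encodes a string-valued option the way the WPAD example does and decodes it back as a pre-commit check, builds the raw RFC 2132 option TLV to show what the hex payload becomes on the wire, and encodes and decodes the vlan-mod-port circuit ID and MAC-based remote ID; the "00010102" circuit ID in the CLI example decodes to VLAN 1, snoop mode, port 2. Function names and the range checks are this example's own.

```python
"""Added example (not FortiOS code): build and check the hex values used in the DHCP
option and option 82 configuration: the payload for `set option<n> <code> <hex>`,
the raw option TLV as sent on the wire, and the vlan-mod-port circuit ID and
MAC-based remote ID used in an option 82 reserved-address rule."""


def option_hex(value):
    """Hex form of a string-valued option, as the option 252 WPAD example shows."""
    return value.encode("ascii").hex()


def option_from_hex(hexvalue):
    """Reverse of option_hex, to double-check a value before committing it."""
    return bytes.fromhex(hexvalue).decode("ascii")


def dhcp_option_tlv(code, hexvalue):
    """Raw RFC 2132 option: one byte code, one byte length, then the payload.
    Codes 0 (pad) and 255 (end) are markers, not options; a payload is at most 255 bytes."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1..254")
    payload = bytes.fromhex(hexvalue)
    if len(payload) > 255:
        raise ValueError("option payload exceeds 255 bytes")
    return bytes([code, len(payload)]) + payload


def encode_circuit_id(vlan, mod, port):
    """Option 82 circuit ID in the vlan-mod-port layout from the table above:
    VLAN (2 bytes), mod (1 byte, 1 = snoop, 0 = relay), port (1 byte)."""
    if not (0 <= vlan <= 0xFFFF and mod in (0, 1) and 0 <= port <= 0xFF):
        raise ValueError("circuit ID field out of range")
    return bytes([vlan >> 8, vlan & 0xFF, mod, port]).hex()


def decode_circuit_id(hexvalue):
    """Decode a hex circuit ID such as the "00010102" used in the CLI example."""
    raw = bytes.fromhex(hexvalue)
    if len(raw) != 4:
        raise ValueError("circuit ID must be exactly 4 bytes (vlan-mod-port)")
    return {
        "vlan": int.from_bytes(raw[:2], "big"),
        "mod": {1: "snoop", 0: "relay"}.get(raw[2], "unknown"),
        "port": raw[3],
    }


def remote_id_from_mac(mac):
    """Hex remote ID from a MAC written with colons, dashes or dots."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("MAC address must contain 12 hex digits")
    return digits
```

option_hex("http://192.168.1.1/wpad.dat") reproduces the 54-character hex string from the option 252 example, and decode_circuit_id("00010102") returns vlan 1, snoop, port 2, which is what the reserved-address entry above matches on.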

DHCP client options

When an interface is in DHCP addressing mode, DHCP client options can be configured in the CLI. For example, a
vendor class identifier (usually DHCP client option 60) can be specified so that a request can be matched to a specific
DHCP offer.
Multiple options can be configured, but any options not recognized by the DHCP server are discarded.

To configure client option 60 - vendor class identifier:

config system interface
edit port1
set vdom vdom1
set mode dhcp
config client-options
edit 1
set code 60
set type hex
set value aabbccdd
next
end
set type physical
set snmp-index 4
next
end

Variable                          Description
code <integer>                    DHCP client option code (0 - 255, default = 0). See Dynamic Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) Parameters for a list of possible options.
type {hex | string | ip | fqdn}   DHCP client option type (default = hex).
value <string>                    DHCP client option value.
ip <ip>                           DHCP client option IP address. This option is only available when type is ip.

Static routing

Static routing is one of the foundations of firewall configuration. It is a form of routing in which a device uses manually-
configured routes. In the most basic setup, a firewall will have a default route to its gateway to provide network access. In
a more complex setup with dynamic routing, ADVPN, or SD-WAN involved, you would still likely find static routes being
deployed.
This section explores concepts in using static routing and provides examples in common use cases:
l Routing concepts on page 262
l Policy routes on page 272
l Equal cost multi-path on page 275
l Dual internet connections on page 279
The following topics include additional information about static routes:
l Deploying the Security Fabric on page 1788
l Security Fabric over IPsec VPN on page 1808
l Adding a static route on page 352
l Configure VDOM-A on page 1575
l Configure VDOM-A on page 1585
l IPsec VPN in an HA environment on page 1159
l IPsec VPN to Azure with virtual network gateway on page 1087
l FortiGate as dialup client on page 1106
l ADVPN with BGP as the routing protocol on page 1227
l ADVPN with OSPF as the routing protocol on page 1236
l ADVPN with RIP as the routing protocol on page 1245
l Basic site-to-site VPN with pre-shared key on page 1053
l Site-to-site VPN with digital certificate on page 1058
l Site-to-site VPN with overlapping subnets on page 1065
l Tunneled Internet browsing on page 1133
l FortiGate multiple connector support on page 2087
l IPsec aggregate for redundancy and traffic load-balancing on page 1165
l Use MAC addresses in SD-WAN rules and policy routes on page 410
l Using BGP tags with SD-WAN rules on page 452

Routing concepts

This section contains the following topics:

l Default route on page 263
l Adding or editing a static route on page 263
l Configuring FQDNs as a destination address in static routes on page 264
l Routing table on page 264
l Viewing the routing database on page 267
l Kernel routing table on page 268
l Route cache on page 269
l Route look-up on page 270
l Blackhole routes on page 270
l Reverse path look-up on page 271
l Asymmetric routing on page 271
l Routing changes on page 272

Default route

The default route has a destination of 0.0.0.0/0.0.0.0, representing the least specific route in the routing table. It is
the catch-all route used when traffic cannot match a more specific route. Typically this is configured as a static route
with an administrative distance of 10. In most instances, you configure the next hop interface and the gateway address
pointing to your next hop. If your FortiGate sits at the edge of the network, your next hop is your ISP gateway. This
provides internet access for your network.
Sometimes the default route is configured through DHCP. On some desktop models, the WAN interface is preconfigured
in DHCP mode. Once the WAN interface is plugged into the network modem, it will receive an IP address, default
gateway, and DNS server. FortiGate will add this default route to the routing table with a distance of 5, by default. This
will take precedence over any default static route with a distance of 10. Therefore, take caution when you are configuring
an interface in DHCP mode, where Retrieve default gateway from server is enabled. You may disable it and/or change
the distance from the Network > Interfaces page when you edit an interface.

Adding or editing a static route

To add a static route using the GUI:

1. Go to Network > Static Routes and click Create New.


2. Enter the following information:

Dynamic Gateway          When enabled, a selected DHCP/PPPoE interface will automatically retrieve its dynamic gateway.
Destination              l Subnet: Enter the destination IP address and netmask. A value of 0.0.0.0/0.0.0.0 creates a default route.
                         l Named Address: Select an address or address group object. Only addresses with static route configuration enabled will appear on the list. This means a geography type address cannot be used.
                         l Internet Service: Select an Internet Service. These are known IP addresses of popular services across the Internet.
Interface                Select the name of the interface that the static route will connect through.
Gateway Address          Enter the gateway IP address. When selecting an IPsec VPN interface or SD-WAN, or when creating a blackhole route, the gateway cannot be specified.
Administrative Distance  Enter the distance value, which affects which routes are selected first by different protocols for route management or load balancing. The default is 10.
Advanced Options         Optionally, expand Advanced Options and enter a Priority. When two routes have an equal distance, the route with the lower priority number takes precedence. The default is 0.

3. Click OK.

Configuring FQDNs as a destination address in static routes

You can configure FQDN firewall addresses as destination addresses in a static route, using either the GUI or the CLI.
In the GUI, to add an FQDN firewall address to a static route in the firewall address configuration, enable the Static
Route Configuration option. Then, when you configure the static route, set Destination to Named Address.

To configure an FQDN as a destination address in a static route using the CLI:

config firewall address
edit 'Fortinet-Documentation-Website'
set type fqdn
set fqdn docs.fortinet.com
set allow-routing enable
next
end
config router static
edit 0
set dstaddr Fortinet-Documentation-Website
...
next
end

Routing table

A routing table consists of only the best routes learned from the different routing protocols. The most specific route
always takes precedence. If there is a tie, then the route with a lower administrative distance will be injected into the
routing table. If administrative distances are also equal, then all the routes are injected into the routing table, and Cost
and Priority become the deciding factors on which a route is preferred. If these are also equal, then FortiGate will use
Equal cost multi-path on page 275 to distribute traffic between these routes.
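The following Python is an added example, not code from the guide or from FortiOS, that applies the selection order just described to a small constructed routing table: longest prefix first, then lowest administrative distance, then lowest priority, with routes still tied returned together as ECMP candidates. It also reproduces the default-route behaviour from the previous section, where a DHCP-learned default at distance 5 silently beats a static default at distance 10 until the DHCP route's distance is raised. The prefixes and gateways are documentation addresses, not values from the page, and cost (metric) is not modelled.

```python
"""Added example (not FortiOS code): route selection as described in the text,
applied to a constructed table: longest prefix, then lowest administrative
distance, then lowest priority; routes still tied are ECMP candidates."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str          # destination, e.g. "0.0.0.0/0"
    interface: str
    gateway: str
    distance: int = 10   # FortiOS default for a static route
    priority: int = 0    # FortiOS default; lower wins when distance ties
    source: str = "static"

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


# Constructed table: a DHCP-learned default (distance 5) beside a static default,
# a summary route, an ECMP pair, and a pair separated only by priority.
ROUTES = [
    Route("0.0.0.0/0", "port1", "203.0.113.1", distance=5, source="dhcp"),
    Route("0.0.0.0/0", "port2", "198.51.100.1"),
    Route("10.0.0.0/8", "port3", "10.0.0.1"),
    Route("10.10.0.0/16", "port4", "10.10.0.2"),
    Route("10.10.0.0/16", "port5", "10.10.0.3"),
    Route("10.20.0.0/16", "port6", "10.20.0.2", priority=0),
    Route("10.20.0.0/16", "port7", "10.20.0.3", priority=5),
]


def _selection_key(route):
    """Smaller is better: longest prefix, then lowest distance, then lowest priority."""
    return (-route.network.prefixlen, route.distance, route.priority)


def lookup(routes, dst):
    """Return every route that wins for dst; more than one entry means ECMP."""
    ip = ipaddress.ip_address(dst)
    matching = [r for r in routes if ip in r.network]
    if not matching:
        return []
    best = min(_selection_key(r) for r in matching)
    return [r for r in matching if _selection_key(r) == best]


def with_dhcp_default_distance(routes, distance):
    """Model the interface setting that changes the DHCP default route's distance,
    the knob to check when a static default route is unexpectedly ignored."""
    return [
        replace(r, distance=distance) if r.source == "dhcp" and r.prefix == "0.0.0.0/0" else r
        for r in routes
    ]
```

lookup(ROUTES, "8.8.8.8") returns only the DHCP default via port1; after with_dhcp_default_distance(ROUTES, 20) the static default via port2 wins. lookup(ROUTES, "10.10.5.5") returns both /16 routes, which FortiOS would load-balance as ECMP, while 10.20.1.1 resolves to the priority 0 route alone.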

Viewing the routing table in the GUI

You can view routing tables in the FortiGate GUI under Dashboard > Network > Static & Dynamic Routing by default.
Expand the widget to see the full page. Additionally, if you want to convert the widget into a dashboard, click on the Save
as Monitor icon on the top right of the page.


You can also monitor policy routes by toggling from Static & Dynamic to Policy on the top right corner of the page. The
active policy routes include policy routes that you created, SD-WAN rules, and Internet Service static routes. It also
supports downstream devices in the Security Fabric.
The following figure shows an example of the static and dynamic routes in the Routing Monitor:

To view more columns, right-click on the column header to select the columns to be displayed:

Field        Description

IP Version   Shows whether the route is IPv4 or IPv6.

Network      The IP addresses and network masks of destination networks that the FortiGate can reach.

Gateway IP   The IP addresses of gateways to the destination networks.

Interfaces   The interface through which packets are forwarded to the gateway of the destination network.

Distance     The administrative distance associated with the route. A lower value means the route is
             preferable compared to other routes to the same destination.

Type         The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP):
             - Connected: All routes associated with direct connections to FortiGate interfaces
             - Static: The static routes that have been added to the routing table manually
             - RIP: All routes learned through RIP
             - RIPNG: All routes learned through RIP version 6 (which enables the sharing of routes
               through IPv6 networks)
             - BGP: All routes learned through BGP
             - OSPF: All routes learned through OSPF
             - OSPF6: All routes learned through OSPF version 6 (which enables the sharing of routes
               through IPv6 networks)
             - IS-IS: All routes learned through IS-IS
             - HA: RIP, OSPF, and BGP routes synchronized between the primary unit and the
               subordinate units of a high availability (HA) cluster. HA routes are maintained on
               subordinate units and are visible only if you're viewing the router monitor from a virtual
               domain that is configured as a subordinate virtual domain in a virtual cluster.


Metric       The metric associated with the route type. The metric of a route influences how the FortiGate
             dynamically adds it to the routing table. The following are types of metrics and the protocols
             they are applied to:
             - Hop count: Routes learned through RIP
             - Relative cost: Routes learned through OSPF
             - Multi-Exit Discriminator (MED): Routes learned through BGP. By default, the MED value
               associated with a BGP route is zero. However, the MED value can be modified
               dynamically. If the value was changed from the default, the Metric column displays a
               non-zero value.

Priority     In static routes, priorities are 0 by default. When two routes have an equal distance, the route
             with the lower priority number will take precedence.

VRF          Virtual routing and forwarding (VRF) allows multiple routing table instances to co-exist. VRF
             can be assigned to an Interface. Packets are only forwarded between interfaces with the
             same VRF.

Up Since     The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has
             been reachable.

Viewing the routing table in the CLI

Viewing the routing table using the CLI displays the same routes as you would see in the GUI.
If VDOMs are enabled on the FortiGate, all routing-related CLI commands must be run within a VDOM and not in the
global context.

To view the routing table using the CLI:

# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 172.31.0.1, MPLS
                  [1/0] via 192.168.2.1, port1
                  [1/0] via 192.168.122.1, port2
S       1.2.3.4/32 [10/0] via 172.16.100.81, VLAN100
C       10.10.2.0/24 is directly connected, hub
C       10.10.2.1/32 is directly connected, hub
O       10.10.10.0/24 [110/101] via 192.168.2.1, port1, 01:54:18
C       10.253.240.0/20 is directly connected, wqt.root
S       110.2.2.122/32 [22/0] via 2.2.2.2, port2, [3/3]
C       172.16.50.0/24 is directly connected, WAN1-VLAN50
C       172.16.60.0/24 is directly connected, WAN2-VLAN60
C       172.16.100.0/24 is directly connected, VLAN100
C       172.31.0.0/30 is directly connected, MPLS
C       172.31.0.2/32 is directly connected, MPLS
B       192.168.0.0/24 [20/0] via 172.31.0.1, MPLS, 00:31:43
C       192.168.2.0/24 is directly connected, port1
C       192.168.20.0/24 is directly connected, port3
C       192.168.99.0/24 is directly connected, Port1-VLAN99
C       192.168.122.0/24 is directly connected, port2
Routing table for VRF=10
C       172.16.101.0/24 is directly connected, VLAN101

Examining an entry:

B 192.168.0.0/24 [20/0] via 172.31.0.1, MPLS, 00:31:43

Value Description
B BGP. The routing protocol used.
192.168.0.0/24 The destination of this route, including netmask.
[20/0] 20 indicates an administrative distance of 20 out of a range of 0 to 255. 0 is an
additional metric associated with this route, such as in OSPF.
172.31.0.1 The gateway or next hop.
MPLS The interface that the route uses.

00:31:43 The age of the route in HH:MM:SS.
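The field layout above is regular enough to parse mechanically. The following Python parser is an added example (not FortiOS or Fortinet code) that turns the output of get router info routing-table all into records, including the indented continuation lines that list additional ECMP paths for a prefix. The sample output is a constructed excerpt modelled on the one shown above, and the reading of a trailing [a/b] as [priority/weight] is inferred from the static-route ECMP examples later in this section.

```python
"""Parser for 'get router info routing-table all' output (added example, not FortiOS code).

Line shapes follow the samples in this section:
  <code>[*]  <prefix> [distance/metric] via <gateway>, <interface>[, <age>][, [prio/weight]]
  <code>     <prefix> is directly connected, <interface>
             [distance/metric] via ...   (indented: another path for the previous prefix, ECMP)
  Routing table for VRF=<n>
Reading the trailing '[a/b]' as [priority/weight] is inferred from the ECMP examples
later in this section ('set priority 5' shows as [5/0], 'set weight 80' as [0/80]).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt modelled on the output shown above.
SAMPLE_OUTPUT = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 172.31.0.1, MPLS
                  [1/0] via 192.168.2.1, port1
                  [1/0] via 192.168.122.1, port2
S       1.2.3.4/32 [10/0] via 172.16.100.81, VLAN100
C       10.10.2.0/24 is directly connected, hub
O       10.10.10.0/24 [110/101] via 192.168.2.1, port1, 01:54:18
S       110.2.2.122/32 [22/0] via 2.2.2.2, port2, [3/3]
B       192.168.0.0/24 [20/0] via 172.31.0.1, MPLS, 00:31:43
Routing table for VRF=10
C       172.16.101.0/24 is directly connected, VLAN101
"""


@dataclass
class RouteEntry:
    vrf: int
    code: str                     # S, C, O, B, ...
    candidate_default: bool       # '*' after the code
    prefix: str
    distance: int                 # connected routes show no [d/m]; recorded as 0/0 here
    metric: int
    gateway: Optional[str]        # None for directly connected routes
    interface: str
    age: Optional[str] = None     # HH:MM:SS, shown for dynamic routes
    priority: Optional[int] = None
    weight: Optional[int] = None


_VRF = re.compile(r"^Routing table for VRF=(\d+)$")
_HEAD = re.compile(r"^([A-Za-z][A-Za-z0-9]?)(\*?)\s+([0-9a-fA-F.:]+/\d+)\s+(.*)$")
_CONT = re.compile(r"^\s+(\[\d+/\d+\] via .*)$")
_VIA = re.compile(r"^\[(\d+)/(\d+)\] via (\S+), ([^,]+)"
                  r"(?:, (\d{2}:\d{2}:\d{2}))?(?:, \[(\d+)/(\d+)\])?$")
_CONN = re.compile(r"^is directly connected, (\S+)$")


def _path_fields(rest: str) -> dict:
    m = _VIA.match(rest)
    if m:
        dist, metric, gw, intf, age, prio, weight = m.groups()
        return dict(distance=int(dist), metric=int(metric), gateway=gw, interface=intf,
                    age=age, priority=int(prio) if prio else None,
                    weight=int(weight) if weight else None)
    m = _CONN.match(rest)
    if m:
        return dict(distance=0, metric=0, gateway=None, interface=m.group(1))
    raise ValueError(f"unrecognised route text: {rest!r}")


def parse_routing_table(text: str) -> List[RouteEntry]:
    entries: List[RouteEntry] = []
    vrf, last = 0, None
    for line in text.splitlines():
        m = _VRF.match(line)
        if m:
            vrf, last = int(m.group(1)), None
            continue
        m = _CONT.match(line)
        if m and last is not None:          # extra ECMP path for the previous prefix
            entries.append(RouteEntry(vrf, last.code, last.candidate_default, last.prefix,
                                      **_path_fields(m.group(1))))
            continue
        m = _HEAD.match(line)
        if m:
            code, star, prefix, rest = m.groups()
            last = RouteEntry(vrf, code, star == "*", prefix, **_path_fields(rest))
            entries.append(last)
        # legend lines and blanks fall through and are ignored
    return entries


def ecmp_groups(entries: List[RouteEntry]) -> Dict[str, List[str]]:
    """Prefixes (per VRF) with more than one installed path, and their interfaces."""
    paths: Dict[str, List[str]] = {}
    for e in entries:
        paths.setdefault(f"vrf{e.vrf}:{e.prefix}", []).append(e.interface)
    return {k: v for k, v in paths.items() if len(v) > 1}


if __name__ == "__main__":
    for e in parse_routing_table(SAMPLE_OUTPUT):
        print(e)
    print(ecmp_groups(parse_routing_table(SAMPLE_OUTPUT)))
```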

Viewing the routing database

The routing database consists of all learned routes from all routing protocols before they are injected into the routing
table. This likely lists more routes than the routing table as it consists of routes to the same destinations with different
distances. Only the best routes are injected into the routing table. However, it is useful to see all learned routes for
troubleshooting purposes.

To view the routing database using the CLI:

# get router info routing-table database

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S   *> 0.0.0.0/0 [1/0] via 172.31.0.1, MPLS
    *> [1/0] via 192.168.2.1, port1
    *> [1/0] via 192.168.122.1, port2
S   *> 1.2.3.4/32 [10/0] via 172.16.100.81, VLAN100
C   *> 10.10.2.0/24 is directly connected, hub
C   *> 10.10.2.1/32 is directly connected, hub
O   *> 10.10.10.0/24 [110/101] via 192.168.2.1, port1, 02:10:17
C   *> 10.253.240.0/20 is directly connected, wqt.root
S   *> 110.2.2.122/32 [22/0] via 2.2.2.2, port2, [3/3]
C   *> 172.16.50.0/24 is directly connected, WAN1-VLAN50
C   *> 172.16.60.0/24 is directly connected, WAN2-VLAN60
C   *> 172.16.100.0/24 is directly connected, VLAN100
O      172.31.0.0/30 [110/201] via 192.168.2.1, port1, 00:47:36
C   *> 172.31.0.0/30 is directly connected, MPLS


Selected routes are marked by the > symbol. In the above example, the OSPF route to destination 172.31.0.0/30 is
not selected.

Kernel routing table

The kernel routing table makes up the actual Forwarding Information Base (FIB) that is used to make forwarding decisions
for each packet. The routes here are often referred to as kernel routes. Parts of this table are derived from the routing
table that is generated by the routing daemon.

To view the kernel routing table using the CLI:

# get router info kernel

tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=172.31.0.1 flag=04 hops=0 oif=31(MPLS) gwy=192.168.2.1 flag=04 hops=0 oif=3(port1) gwy=192.168.122.1 flag=04 hops=0 oif=4(port2)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.122.98/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=192.168.122.1 dev=4(port2)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 172.31.0.2/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=172.31.0.1 dev=31(MPLS)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.2.5/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=192.168.2.1 dev=3(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->1.2.3.4/32 pref=0.0.0.0 gwy=172.16.100.81 dev=20(VLAN100)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.122.98/255.255.255.255/0->8.8.8.8/32 pref=0.0.0.0 gwy=192.168.122.1 dev=4(port2)

The kernel routing table entries are:

Value   Description
tab     Table number: It will either be 254 (unicast) or 255 (multicast).
vf      Virtual domain of the firewall: It is the VDOM index number. If
        VDOMs are not enabled, this number is 0.
type    Type of routing connection. Valid values include:
        - 0 - unspecific
        - 1 - unicast
        - 2 - local
        - 3 - broadcast
        - 4 - anycast
        - 5 - multicast
        - 6 - blackhole
        - 7 - unreachable
        - 8 - prohibited
proto   Type of installation that indicates where the route came from.
        Valid values include:
        - 0 - unspecific
        - 2 - kernel
        - 11 - ZebOS routing module
        - 14 - FortiOS

        - 15 - HA
        - 16 - authentication based
        - 17 - HA1
prio    Priority of the route. Lower priorities are preferred.
->0.0.0.0/0 (->x.x.x.x/mask)
        The IP address and subnet mask of the destination.
pref    Preferred next hop along this route.
gwy     Gateway: The address of the gateway this route will use.
dev     Outgoing interface index: This number is associated with the
        interface for this route. If VDOMs are enabled, the VDOM is
        also included here. If an interface alias is set for this interface, it
        is also displayed here.

Route cache

The route cache contains recently used routing entries in a table. It is consulted before the routing table to speed up the
route look-up process.

To view the route cache using the CLI:

# diagnose ip rtcache list

family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
0.0.0.0@0->208.91.113.230@3(port1) gwy=192.168.2.1 prefsrc=192.168.2.5
ci: ref=0 lastused=1 expire=0 err=00000000 used=5 br=0 pmtu=1500
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
192.168.2.5@0->8.8.8.8@3(port1) gwy=192.168.2.1 prefsrc=0.0.0.0
ci: ref=0 lastused=0 expire=0 err=00000000 used=2 br=0 pmtu=1500
family=02 tab=254 vrf=0 vf=0 type=02 tos=8 flag=80000200
8.8.8.8@31(MPLS)->172.31.0.2@6(root) gwy=0.0.0.0 prefsrc=172.31.0.2
ci: ref=1 lastused=0 expire=0 err=00000000 used=0 br=0 pmtu=16436
family=02 tab=254 vrf=0 vf=0 type=02 tos=0 flag=84000200
192.168.20.6@5(port3)->192.168.20.5@6(root) gwy=0.0.0.0 prefsrc=192.168.20.5
ci: ref=2 lastused=0 expire=0 err=00000000 used=1 br=0 pmtu=16436
...

The size of the route cache is calculated by the kernel. However, you can modify it.

To modify the size of the route cache:

config system global
    set max-route-cache-size <number_of_cache_entries>
end


Route look-up

Route look-up typically occurs twice in the life of a session. Once when the first packet is sent by the originator and once
more when the first reply packet is sent from the responder. When a route look-up occurs, the routing information is
written to the session table and the route cache. If routing changes occur during the life of a session, additional routing
look-ups may occur.
FortiGate performs a route look-up in the following order:
1. Policy-based routes: If a match occurs and the action is to forward, traffic is forwarded based on the policy route.
2. Route Cache: If there are no matches, FortiGate looks for the route in the route cache.
3. Forwarding Information Base, otherwise known as the kernel routing table.
4. If no match occurs, the packet is dropped.

Searching the routing table

When there are many routes in your routing table, you can perform a quick search by using the search bar to specify your
criteria, or apply filters on the column header to display only certain routes. For example, if you want to only display static
routes, you may use "static" as the search term, or filter by the Type field with value Static.
Route look-up on the other hand provides a utility for you to enter criteria such as Destination, Destination Port, Source,
Protocol and/or Source Interface, in order to determine the route that a packet will take. Once you click Search, the
corresponding route will be highlighted.
You can also use the CLI for a route look-up. The CLI provides a basic route look-up tool.

To look up a route in the CLI:

# get router info routing-table details 4.4.4.4

Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  * 172.31.0.1, via MPLS distance 0
  * 192.168.2.1, via port1 distance 0
  * 192.168.122.1, via port2 distance 0

Blackhole routes

Sometimes upon routing table changes, it is not desirable for traffic to be routed to a different gateway. For example, you
may have traffic destined for a remote office routed through your IPsec VPN interface. When the VPN is down, traffic will
try to re-route to another interface. However, this may not be viable and traffic will instead be routed to your default route
through your WAN, which is not desirable. Traffic may also be routed to another VPN, which you do not want. For such
scenarios, it is good to define a blackhole route so that traffic is dropped when your desired route is down. Upon
reconnection, your desired route is once again added to the routing table and your traffic will resume routing to your
desired interface. For this reason, blackhole routes are created when you configure an IPsec VPN using the IPsec
wizard.

To create a blackhole route in the GUI:

1. Go to Network > Static Routes.
2. Click Create New. The New Static Route screen appears.
3. Specify a Destination type.
4. Select Blackhole from the Interface field.
5. Type the desired Administrative Distance.
6. Click OK.

Route priority for a Blackhole route can only be configured from the CLI.

Reverse path look-up

Whenever a packet arrives at one of the interfaces on a FortiGate, the FortiGate determines whether the packet was
received on a legitimate interface by doing a reverse look-up using the source IP address in the packet header. This
protects against IP spoofing attacks. If the FortiGate does not have a route to the source IP address through the interface
on which the packet was received, the FortiGate drops the packet as per Reverse Path Forwarding (RPF) check. There
are two modes of RPF – feasible path and strict. The default feasible RPF mode checks only for the existence of at least
one active route back to the source using the incoming interface. The strict RPF check ensures the best route back to the
source is used as the incoming interface.

To configure a strict Reverse Path Forwarding check in the CLI:

config system settings
    set strict-src-check enable
end
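The difference between the two modes is easiest to see on a small routing table. The Python model below is an added example (not FortiOS code) that applies the feasible and strict checks to constructed arrivals against a constructed table with a default route on wan1, a partner network behind an IPsec interface and a LAN on port1; addresses and interface names are all constructed.

```python
"""Reverse Path Forwarding (RPF) check, feasible vs. strict mode (added example, not FortiOS code).

A packet with source `src` arriving on `in_intf` passes when:
  feasible (default): at least one active route back to src leaves via in_intf;
  strict:             the best route back to src (most specific prefix, then
                      lowest distance) leaves via in_intf.
The routing table, addresses and interface names are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    distance: int = 10


def routes_to(table: List[Route], src: str) -> List[Route]:
    """Routes whose prefix covers src, best first."""
    addr = IPv4Address(src)
    covering = [r for r in table if addr in IPv4Network(r.prefix)]
    return sorted(covering, key=lambda r: (-IPv4Network(r.prefix).prefixlen, r.distance))


def rpf_check(table: List[Route], src: str, in_intf: str, strict: bool = False) -> bool:
    candidates = routes_to(table, src)
    if not candidates:
        return False                        # no route back at all: dropped in both modes
    if strict:
        return candidates[0].interface == in_intf
    return any(r.interface == in_intf for r in candidates)


# Constructed table: default route on wan1, a partner network reachable only
# through an IPsec interface, and the local LAN on port1.
SAMPLE_TABLE = [
    Route("0.0.0.0/0", "wan1"),
    Route("10.20.0.0/16", "vpn_partner"),
    Route("192.168.1.0/24", "port1", distance=0),
]

# Constructed arrivals: (source address, interface the packet came in on).
SAMPLE_ARRIVALS = [
    ("10.20.5.5", "vpn_partner"),    # partner traffic on the expected interface
    ("10.20.5.5", "wan1"),           # partner address seen on the internet link
    ("192.168.1.10", "wan1"),        # LAN address seen on the internet link
    ("192.168.1.10", "vpn_partner"), # LAN address seen on the VPN
]


def evaluate(table: List[Route],
             arrivals: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, bool]]:
    """(src, in_intf, passes_feasible, passes_strict) for each arrival."""
    return [(src, intf, rpf_check(table, src, intf), rpf_check(table, src, intf, strict=True))
            for src, intf in arrivals]


if __name__ == "__main__":
    for src, intf, feasible, strict in evaluate(SAMPLE_TABLE, SAMPLE_ARRIVALS):
        print(f"{src:>14} on {intf:<12} feasible={'pass' if feasible else 'drop'} "
              f"strict={'pass' if strict else 'drop'}")
```

Because the default route points out wan1, the feasible check accepts any source address arriving there, including the LAN prefix; only the strict check rejects it, because the best route back to 192.168.1.10 is via port1. Strict mode therefore catches more spoofed sources but also drops legitimately asymmetric traffic, which the following paragraphs on disabling the check and on asymmetric routing address.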

You can remove RPF state checks without needing to enable asymmetric routing by disabling state checks for traffic
received on specific interfaces. Disabling state checks makes a FortiGate less secure and should only be done with
caution for troubleshooting purposes.

To remove Reverse Path Forwarding checks from the state evaluation process in the CLI:

config system interface
    edit <interface_name>
        set src-check disable
    next
end

Asymmetric routing

The firewall tries to ensure symmetry in its traffic by using the same source-destination combination in the original and
reverse path. Asymmetric routing occurs when traffic in the returning direction takes a different path than the original.
There may be various scenarios in which this happens. For example, traffic in the original direction hits the firewall on
port1, and is routed to port2. However, returning traffic is received on port3 instead. In this scenario, asymmetric
routing occurs and the returning traffic is blocked.
If for some specific reason it is required that a FortiGate unit should permit asymmetric routing, you can configure it by
using CLI commands per VDOM.


To configure asymmetric routing per VDOM by using the CLI:

config vdom
edit <vdom_name>
config system settings
set asymroute enable
end
next
end

Routing changes

When routing changes occur, routing look-up may occur on an existing session depending on certain configurations.

Routing Changes without SNAT

When a routing change occurs, FortiGate flushes all routing information from the session table and performs new routing
look-up for all new packets on arrival by default. You can modify the default behavior using the following commands:
config system interface
edit <interface>
set preserve-session-route enable
next
end

By enabling preserve-session-route, the FortiGate marks existing session routing information as persistent.
Therefore, routing look-up only occurs on new sessions.

Routing Changes with SNAT

When SNAT is enabled, the default behavior is opposite to that of when SNAT is not enabled. After a routing change
occurs, sessions with SNAT keep using the same outbound interface as long as the old route is still active. This may be
the case if the priority of the static route was changed. You can modify this default behavior using the following
commands:
config system global
set snat-route-change enable
end

By enabling snat-route-change, sessions with SNAT will require new route look-up when a routing change occurs.
This will apply a new SNAT to the session.

Policy routes

Policy routing allows you to specify an interface to route traffic. This is useful when you need to route certain types of
network traffic differently than you would if you were using the routing table. You can use the incoming traffic's protocol,
source or destination address, source interface, or port number to determine where to send the traffic.
When a packet arrives, the FortiGate starts at the top of the policy route list and attempts to match the packet with a
policy. For a match to be found, the policy must contain enough information to route the packet. At a minimum, this
requires the outgoing interface to forward the traffic, and the gateway to route the traffic to. If one or both of these are not
specified in the policy route, then the FortiGate searches the routing table to find the best active route that corresponds
to the policy route. If no routes are found in the routing table, then the policy route does not match the packet. The
FortiGate continues down the policy route list until it reaches the end. If no matches are found, then the FortiGate does a
route lookup using the routing table.

Policy routes are sometimes referred to as Policy-based routes (PBR).

Configuring a policy route

In this example, a policy route is configured to send all FTP traffic received at port1 out through port4 and to a next hop
router at 172.20.120.23. To route FTP traffic, the protocol is set to TCP (6) and the destination ports are set to 21 (the
FTP port).

To configure a policy route in the GUI:

1. Go to Network > Policy Routes.
2. Click Create New > Policy Route.
3. Configure the following fields:

   Incoming interface     port1
   Source Address         0.0.0.0/0.0.0.0
   Destination Address    0.0.0.0/0.0.0.0
   Protocol               TCP
   Destination ports      21 - 21
   Type of service        0x00
   Bit Mask               0x00
   Outgoing interface     Enable and select port4
   Gateway address        172.20.120.23

4. Click OK.

To configure a policy route in the CLI:

config router policy
    edit 1
        set input-device "port1"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 21
        set end-port 21
        set gateway 172.20.120.23
        set output-device "port4"
        set tos 0x00
        set tos-mask 0x00
    next
end

Moving a policy route

A routing policy is added to the bottom of the table when it is created. Routing policies can be moved to a different
location in the table to change the order of preference. In this example, routing policy 3 will be moved before routing
policy 2.


To move a policy route in the GUI:

1. Go to Network > Policy Routes.
2. In the table, select the policy route.
3. Drag the selected policy route to the desired position.

To move a policy route in the CLI:

config router policy
    move 3 after 1
end
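To make the matching and ordering rules concrete, the Python model below is an added example (not FortiOS code) of top-down policy-route evaluation with fall-through to the routing table. It uses the FTP policy route configured above plus two constructed ones, a constructed routing table, and a move_after function that mirrors the move command. How a partially specified policy route "corresponds" to a routing-table entry is this example's interpretation of the text.

```python
"""Policy-route evaluation and reordering (added model, not FortiOS code).

Policy routes are evaluated top to bottom. A route whose criteria all cover the
packet forwards it out its output-device when both output-device and gateway
are set. If either is missing, the routing table is consulted: a route to the
destination via the given output-device (or, with no output-device, the best
route) is used; if none exists, the policy route does not match and evaluation
continues. After the list, ordinary routing-table look-up applies. How
"corresponds to the policy route" is resolved is this example's interpretation.
move_after mirrors 'config router policy / move 3 after 1'. All values are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRoute:
    seq: int
    input_device: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: int = 0             # 0 = any protocol
    start_port: int = 0
    end_port: int = 65535
    tos: int = 0
    tos_mask: int = 0             # 0 = do not inspect ToS
    output_device: str = ""
    gateway: str = ""


@dataclass(frozen=True)
class Packet:
    in_intf: str
    src: str
    dst: str
    protocol: int
    dport: int
    tos: int = 0


RoutingTable = List[Tuple[str, str]]      # (prefix, interface)


def routes_to(table: RoutingTable, dst: str) -> List[str]:
    """Interfaces of routes covering dst, most specific first."""
    addr = IPv4Address(dst)
    covering = [(IPv4Network(p), intf) for p, intf in table if addr in IPv4Network(p)]
    return [intf for _, intf in sorted(covering, key=lambda x: -x[0].prefixlen)]


def criteria_match(pol: PolicyRoute, pkt: Packet) -> bool:
    return (pol.input_device == pkt.in_intf
            and IPv4Address(pkt.src) in IPv4Network(pol.src, strict=False)
            and IPv4Address(pkt.dst) in IPv4Network(pol.dst, strict=False)
            and (pol.protocol == 0 or pol.protocol == pkt.protocol)
            and pol.start_port <= pkt.dport <= pol.end_port
            and (pkt.tos & pol.tos_mask) == (pol.tos & pol.tos_mask))


def route_packet(policies: List[PolicyRoute], table: RoutingTable,
                 pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (egress interface or 'drop', seq of the policy route used or None)."""
    for pol in policies:                                  # list order = evaluation order
        if not criteria_match(pol, pkt):
            continue
        if pol.output_device and pol.gateway:
            return pol.output_device, pol.seq             # complete policy route
        candidates = routes_to(table, pkt.dst)
        if pol.output_device:
            candidates = [i for i in candidates if i == pol.output_device]
        if candidates:
            return candidates[0], pol.seq
        # no usable route for this policy route: it does not match, keep searching
    fallback = routes_to(table, pkt.dst)
    return (fallback[0] if fallback else "drop"), None


def move_after(policies: List[PolicyRoute], seq: int, after_seq: int) -> List[PolicyRoute]:
    """Reorder like 'move <seq> after <after_seq>' in config router policy."""
    moving = next(p for p in policies if p.seq == seq)
    rest = [p for p in policies if p.seq != seq]
    idx = next(i for i, p in enumerate(rest) if p.seq == after_seq)
    return rest[:idx + 1] + [moving] + rest[idx + 1:]


# Constructed configuration: the FTP policy route from the text plus two more.
POLICIES = [
    PolicyRoute(1, "port1", protocol=6, start_port=21, end_port=21,
                output_device="port4", gateway="172.20.120.23"),
    PolicyRoute(2, "port1", dst="10.0.0.0/8", output_device="port2"),   # no gateway set
    PolicyRoute(3, "port1", dst="10.0.0.0/8", output_device="port9"),   # no route via port9
]
TABLE: RoutingTable = [("0.0.0.0/0", "wan1"), ("10.0.0.0/8", "port2")]

if __name__ == "__main__":
    for pkt in (Packet("port1", "192.168.1.10", "203.0.113.5", 6, 21),
                Packet("port1", "192.168.1.10", "203.0.113.5", 6, 443),
                Packet("port1", "192.168.1.10", "10.5.5.5", 17, 53)):
        print(pkt.dst, pkt.protocol, pkt.dport, "->", route_packet(POLICIES, TABLE, pkt))
    print([p.seq for p in move_after(POLICIES, 3, 1)])
```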

Equal cost multi-path

Equal cost multi-path (ECMP) is a mechanism that allows a FortiGate to load-balance routed traffic over multiple
gateways. Just like routes in a routing table, ECMP is considered after policy routing, so any matching policy routes will
take precedence over ECMP.
ECMP pre-requisites are as follows:
- Routes must have the same destination and costs. In the case of static routes, costs include distance and priority
- Routes are sourced from the same routing protocol. Supported protocols include static routing, OSPF, and BGP

ECMP and SD-WAN implicit rule

ECMP and SD-WAN implicit rule are essentially similar in the sense that an SD-WAN implicit rule is processed after SD-
WAN service rules are processed. See Implicit rule on page 395 to learn more.
The following table summarizes the different load-balancing algorithms supported by each:

ECMP                   SD-WAN (GUI)            SD-WAN (CLI)             Description

source-ip-based        Source IP               source-ip-based          Traffic is divided equally between the
                                                                        interfaces. Sessions that start at the same
                                                                        source IP address use the same path.
                                                                        This is the default selection.

weight-based           Sessions                weight-based             The workload is distributed based on the
                                                                        number of sessions that are connected
                                                                        through the interface. The weight that you
                                                                        assign to each interface is used to calculate
                                                                        the percentage of the total sessions allowed
                                                                        to connect through an interface, and the
                                                                        sessions are distributed to the interfaces
                                                                        accordingly.

usage-based            Spillover               usage-based              The interface is used until the traffic
                                                                        bandwidth exceeds the ingress and egress
                                                                        thresholds that you set for that interface.
                                                                        Additional traffic is then sent through the
                                                                        next interface member.

source-dest-ip-based   Source-Destination IP   source-dest-ip-based     Traffic is divided equally between the
                                                                        interfaces. Sessions that start at the same
                                                                        source IP address and go to the same
                                                                        destination IP address use the same path.

Not supported          Volume                  measured-volume-based    The workload is distributed based on the
                                                                        number of packets that are going through the
                                                                        interface. This mode is supported in SD-WAN
                                                                        only.

To configure the ECMP algorithm from the CLI:

- At the VDOM level:
    config system settings
        set v4-ecmp-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based}
    end
- If SD-WAN is enabled, the above option is not available and ECMP is configured under the SD-WAN settings:
    config system sdwan
        set status enable
        set load-balance-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
    end

For ECMP in IPv6, the mode must also be configured under SD-WAN. The ECMP modes in effect for IPv4 (ecmp) and IPv6
(ecmp6) are shown in the VDOM list:

# diagnose sys vd list
system fib version=63
list virtual firewall info:
name=root/root index=0 enabled fib_ver=40 use=168 rt_num=46 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-ip-based, ecmp6=source-ip-based asym_rt6=0 rt6_num=55 strict_src_check=0 dns_log=1 ses_num=20 ses6_num=0 pkt_num=19154477


To change the number of paths allowed by ECMP:

config system settings
    set ecmp-max-paths <number of paths>
end

Setting ecmp-max-paths to the lowest value of 1 is equivalent to disabling ECMP.
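The table above describes how each mode spreads sessions over members, and the configuration examples that follow show the resulting routing tables. As an added simulation (not FortiOS code), the Python below assigns constructed sessions to two equal-cost paths under source-ip-based, source-dest-ip-based and weight-based selection and shows the effect of ecmp-max-paths. The CRC32 hash and the proportional-share rule are the example's own choices; the device's hashing is not documented here, and the interface names and weights are taken from Example 3 below.

```python
"""ECMP member selection for the modes in the table above (added simulation, not FortiOS code).

For one destination with several equal-cost paths it assigns each new session:
  source-ip-based       hash(source IP)          -> same source, same path
  source-dest-ip-based  hash(source, destination) pair
  weight-based          in proportion to each path's weight (static-route 'set weight')
and applies ecmp-max-paths by considering only the first N paths. CRC32 as the
hash and the "lowest sessions/weight ratio" rule are this example's choices; the
device's own hashing is not documented here. Sessions are constructed.
"""
import zlib
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Tuple


@dataclass
class Path:
    interface: str
    weight: int = 0        # static-route weight; only weight-based uses it
    sessions: int = 0      # simulation state: sessions assigned so far


def _bucket(key: str, n: int) -> int:
    return zlib.crc32(key.encode()) % n


def pick_path(paths: List[Path], mode: str, src: str, dst: str, max_paths: int = 255) -> Path:
    members = paths[:max(1, max_paths)]              # ecmp-max-paths 1 == ECMP off
    if mode == "source-ip-based":
        chosen = members[_bucket(src, len(members))]
    elif mode == "source-dest-ip-based":
        chosen = members[_bucket(f"{src}->{dst}", len(members))]
    elif mode == "weight-based":
        # member furthest below its share; weight 0 is treated as 1 here (assumption)
        chosen = min(members, key=lambda p: Fraction(p.sessions, max(p.weight, 1)))
    else:
        raise ValueError(f"unsupported mode {mode!r}")
    chosen.sessions += 1
    return chosen


def distribute(paths: List[Path], mode: str, sessions: List[Tuple[str, str]],
               max_paths: int = 255) -> Dict[str, int]:
    """Run all sessions through pick_path and return sessions per interface."""
    for p in paths:
        p.sessions = 0
    for src, dst in sessions:
        pick_path(paths, mode, src, dst, max_paths)
    return {p.interface: p.sessions for p in paths}


# Constructed sessions: 1000 distinct client addresses reaching the same server.
SESSIONS = [(f"10.0.{i // 256}.{i % 256}", "10.10.30.7") for i in range(1000)]

if __name__ == "__main__":
    paths = [Path("vpn2HQ1", weight=80), Path("vpn2HQ2", weight=20)]
    for mode in ("source-ip-based", "source-dest-ip-based", "weight-based"):
        print(f"{mode:<22}", distribute(paths, mode, SESSIONS))
    print("ecmp-max-paths 1      ", distribute(paths, "source-ip-based", SESSIONS, max_paths=1))
```

With weights 80 and 20 the weight-based rule lands exactly 800 and 200 of the 1000 sessions on the two members, matching the 80%/20% split described in Example 3; the hash-based modes split roughly evenly but guarantee that a given source (or source and destination pair) always takes the same path.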

ECMP configuration examples

The following examples demonstrate the behavior of ECMP in different scenarios:
- Example 1: Default ECMP on page 277
- Example 2: Same distance, different priority on page 278
- Example 3: Weight-based ECMP on page 278
- Example 4: Load-balancing BGP routes on page 279

Example 1: Default ECMP


config router static
edit 1
set gateway 172.16.151.1
set device "port1"
next
edit 2
set gateway 192.168.2.1
set device "port2"
next
end

# get router info routing-table all

Routing table for VRF=0
S*    0.0.0.0/0 [10/0] via 172.16.151.1, port1
                [10/0] via 192.168.2.1, port2
C     172.16.151.0/24 is directly connected, port1
C     192.168.2.0/24 is directly connected, port2


Result:

Both routes are added to the routing table and load-balanced based on the source IP.

Example 2: Same distance, different priority


config router static
edit 1
set gateway 172.16.151.1
set priority 5
set device "port1"
next
edit 2
set gateway 192.168.2.1
set device "port2"
next
end

# get router info routing-table all

Routing table for VRF=0
S*    0.0.0.0/0 [10/0] via 192.168.2.1, port2
                [10/0] via 172.16.151.1, port1, [5/0]
C     172.16.151.0/24 is directly connected, port1
C     192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table, but traffic is routed to port2 which has a lower priority value with a default of
0.

Example 3: Weight-based ECMP


config router static
edit 3
set dst 10.10.30.0 255.255.255.0
set weight 80
set device "vpn2HQ1"
next
edit 5
set dst 10.10.30.0 255.255.255.0
set weight 20
set device "vpn2HQ2"
next
end

# get router info routing-table all

Routing table for VRF=0
...
S     10.10.30.0/24 [10/0] is directly connected, vpn2HQ1, [0/80]
                    [10/0] is directly connected, vpn2HQ2, [0/20]
C     172.16.151.0/24 is directly connected, port1
C     192.168.0.0/24 is directly connected, port3
C     192.168.2.0/24 is directly connected, port2


Result:

Both routes are added to the routing table, but 80% of the sessions to 10.10.30.0/24 are routed to vpn2HQ1, and
20% are routed to vpn2HQ2.

Example 4: Load-balancing BGP routes


config router bgp
set as 64511
set router-id 192.168.2.86
set ebgp-multipath enable
config neighbor
edit "192.168.2.84"
set remote-as 64512
next
edit "192.168.2.87"
set remote-as 64512
next
end
end

# get router info routing-table all

Routing table for VRF=0
...
C     172.16.151.0/24 is directly connected, port1
C     192.168.0.0/24 is directly connected, port3
C     192.168.2.0/24 is directly connected, port2
B     192.168.80.0/24 [20/0] via 192.168.2.84, port2, 00:00:33
                      [20/0] via 192.168.2.87, port2, 00:00:33

Result:

The network 192.168.80.0/24 is advertised by two BGP neighbors. Both routes are added to the routing table, and
traffic is load-balanced based on Source IP.
For multiple BGP paths to be added to the routing table, you must enable ebgp-multipath for eBGP or
ibgp-multipath for iBGP. These settings are disabled by default.

Dual internet connections

Dual internet connections, also referred to as dual WAN or redundant internet connections, refers to using two FortiGate
interfaces to connect to the Internet. This is generally accomplished with SD-WAN, but this legacy solution provides the
means to configure dual WAN without using SD-WAN. You can use dual internet connections in several ways:
- Link redundancy: If one interface goes down, the second interface automatically becomes the main connection.
- Load sharing: This ensures better throughput.
- A combination of link redundancy and load sharing.


This section describes the following dual internet connection scenarios:
- Scenario 1: Link redundancy and no load-sharing on page 280
- Scenario 2: Load-sharing and no link redundancy on page 282
- Scenario 3: Link redundancy and load-sharing on page 284

Scenario 1: Link redundancy and no load-sharing

Link redundancy ensures that if your Internet access is no longer available through a certain port, the FortiGate uses an
alternate port to connect to the Internet.
In this scenario, two interfaces, WAN1 and WAN2, are connected to the Internet using two different ISPs. WAN1 is the
primary connection. In the event of a failure of WAN1, WAN2 automatically becomes the connection to the Internet. For
this configuration to function correctly, you must configure the following settings:
- Link health monitor on page 280: To determine when the primary interface (WAN1) is down and when the
  connection returns.
- Routing on page 281: Configure a default route for each interface.
- Security policies on page 282: Configure security policies to allow traffic through each interface to the internal
  network.

Link health monitor

Adding a link health monitor is required for routing failover traffic. A link health monitor confirms the device interface
connectivity by probing a gateway or server at regular intervals to ensure it is online and working. When the server is not
accessible, that interface is marked as down.
Set the interval (how often to send a ping) and failtime (how many lost pings are considered a failure). A smaller
interval value and smaller number of lost pings results in faster detection, but creates more traffic on your network.
The link health monitor supports both IPv4 and IPv6, and various other protocols including ping, tcp-echo, udp-echo,
http, and twamp.


To add a link health monitor (IPv4) using the CLI:

config system link-monitor
    edit <link-monitor-name>
        set addr-mode ipv4
        set srcintf <interface-name>
        set server <server-IP-address>
        set protocol {ping tcp-echo udp-echo http twamp}
        set gateway-ip <gateway-IP-address>
        set interval <seconds>
        set failtime <retry-attempts>
        set recoverytime <number-of-successful-responses>
        set status enable
    next
end

Option                                             Description
set update-cascade-interface {enable | disable}    This option is used in conjunction with fail-detect and fail-alert
                                                   options in interface settings to cascade the link failure down to
                                                   another interface. See the Bring other interfaces down when link
                                                   monitor fails KB article for details.
set update-static-route {enable | disable}         When the link fails, all static routes associated with the
                                                   interface will be removed.
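The interval, failtime and recoverytime values determine how quickly a failure is detected and how long the link must be stable before it is considered up again. The Python model below is an added example (not FortiOS code) that counts probe results the way those options describe, treating both counters as consecutive runs (an assumption of the example), over a constructed sequence of probe outcomes.

```python
"""Link-monitor failure and recovery counting (added model, not FortiOS code).

One probe result is fed per interval. The link is declared down after
`failtime` consecutive unanswered probes and up again after `recoverytime`
consecutive answered probes; treating both counters as consecutive runs is
this example's reading of the options above. Probe results are constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class LinkMonitor:
    interface: str
    interval: int = 1            # seconds between probes
    failtime: int = 5            # lost probes before the link is marked down
    recoverytime: int = 5        # answered probes before it is marked up again
    up: bool = True
    lost: int = 0                # current run of unanswered probes
    answered: int = 0            # current run of answered probes
    events: List[str] = field(default_factory=list)

    def probe(self, ok: bool, t: int) -> bool:
        """Record one probe result at time t (seconds); return the link state afterwards."""
        if ok:
            self.answered, self.lost = self.answered + 1, 0
            if not self.up and self.answered >= self.recoverytime:
                self.up = True
                self.events.append(f"t={t}s {self.interface} up")
        else:
            self.lost, self.answered = self.lost + 1, 0
            if self.up and self.lost >= self.failtime:
                self.up = False
                self.events.append(f"t={t}s {self.interface} down")
        return self.up


def run(monitor: LinkMonitor, results: List[bool]) -> List[bool]:
    """Feed a sequence of probe results, one per interval; return the state after each."""
    return [monitor.probe(ok, i * monitor.interval) for i, ok in enumerate(results)]


def worst_case_detection(monitor: LinkMonitor) -> int:
    """Longest time (seconds) an outage can go unnoticed: it may begin just after
    an answered probe, and failtime probes must then be lost."""
    return monitor.failtime * monitor.interval


# Constructed probe results: 3 answered, 5 lost, 2 answered, 1 lost, 5 answered.
SAMPLE_RESULTS = [True] * 3 + [False] * 5 + [True] * 2 + [False] + [True] * 5

if __name__ == "__main__":
    mon = LinkMonitor("wan1", interval=1, failtime=3, recoverytime=3)
    states = run(mon, SAMPLE_RESULTS)
    print("".join("U" if s else "D" for s in states))
    print(mon.events, "worst case detection:", worst_case_detection(mon), "s")
```

Two answered probes in the middle of the outage do not bring the link back, because the single loss that follows resets the recovery count; this is what keeps a flapping link from repeatedly reinserting its routes. Shrinking interval or failtime shortens the worst-case detection time at the cost of more probe traffic, as the text above notes.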

Routing

You must configure a default route for each interface and indicate your preferred route as follows:
- Specify different distances for the two routes. The lower of the two distance values is declared active and placed in
  the routing table
  OR
- Specify the same distance for the two routes, but give a higher priority to the route you prefer by defining a lower
  value. Both routes will be added to the routing table, but the route with a higher priority will be chosen as the best
  route
In the following example, we will use the first method to configure different distances for the two routes. You might not be
able to connect to the backup WAN interface because the FortiGate does not route traffic out of the backup interface.
The FortiGate performs a reverse path look-up to prevent spoofed traffic. If an entry cannot be found in the routing table
that sends the return traffic out through the same interface, the incoming traffic is dropped.

To configure the routing of the two interfaces using the GUI:

1. Go to Network > Static Routes, and click Create New.
2. Enter the following information:

   Destination              For an IPv4 route, enter a subnet of 0.0.0.0/0.0.0.0.
                            For an IPv6 route, enter a subnet of ::/0.
   Interface                Select the primary connection. For example, wan1.
   Gateway Address          Enter the gateway address.
   Administrative Distance  Leave as the default of 10.

3. Click OK.
4. Repeat the above steps to set Interface to wan2 and Administrative Distance to 20.

To configure the routing of the two interfaces using the CLI:

config router {static | static6}
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 20
    next
end

Security policies

When you create security policies, you need to configure duplicate policies to ensure that after traffic fails over WAN1,
regular traffic is allowed to pass through WAN2, as it did with WAN1. This ensures that failover occurs with minimal effect
to users.

Scenario 2: Load-sharing and no link redundancy

Load sharing can be accomplished in several ways, including:
- Defining a preferred route with a lower distance, and specifying policy routes to send certain traffic to the secondary interface.
- Defining routes with the same distance but different priorities, and specifying policy routes to send certain traffic to the secondary interface.
- Defining routes with the same distance and priority, and using equal-cost multi-path (ECMP) routing to distribute traffic equally between the WAN interfaces.
This example uses the first option. Because link redundancy is not required in this scenario, you do not have to configure a link monitor.

Traffic behaviour without a link monitor is as follows:

- If the remote gateway is down but the primary WAN interface of the FortiGate is still up, the FortiGate continues to route traffic to the primary WAN. This results in traffic interruptions.
- If the primary WAN interface of the FortiGate is down due to physical link issues, the FortiGate removes the routes to it and the secondary WAN routes become active. Traffic fails over to the secondary WAN.


Routing

Configure routing as you did in Scenario 1: Link redundancy and no load-sharing on page 280 above.

Policy routes

By configuring policy routes, you can redirect specific traffic to the secondary WAN interface. This works in this case
because policy routes are checked before static routes. Therefore, even though the static route for the secondary WAN
is not in the routing table, traffic can still be routed using the policy route.
In this example, we will create a policy route to route traffic from one address group to the secondary WAN interface.

To configure a policy route from the GUI:

1. Go to Network > Policy Routes, and click Create New.


2. Enter the following information:

Incoming interface     Define the source of the traffic. For example, internal.

Source Address         To route only traffic from a group of addresses, define an address or address group and add it here.

Destination Address    Because all traffic from the address group is to be routed here, no destination address is specified.

Protocol               Specify any protocol.

Action                 Forward traffic.

Outgoing interface     Select the secondary WAN as the outbound interface. For example, wan2.

Gateway address        Enter the gateway address for your secondary WAN. Because its default route has a higher distance value and is not added to the routing table, the gateway address must be specified here.

3. Click OK.

To configure a policy route from the CLI:

config router policy
    edit 1
        set input-device "internal"
        set srcaddr "Laptops"
        set gateway <gateway_address>
        set output-device "wan2"
    next
end

Security policies

Your security policies should allow all traffic from internal to WAN1. Because link redundancy is not needed, you do
not need to duplicate all WAN1 policies to WAN2. You will only need to define policies used in your policy route.


Scenario 3: Link redundancy and load-sharing

In this scenario, both links are available to carry Internet traffic, with the primary WAN preferred. Should one of the interfaces fail, the FortiGate continues to send traffic over the other active interface. The configuration combines the link redundancy and load-sharing scenarios. The main difference is that the configured routes have equal distance values, and the route with the higher priority (lower priority value) is preferred. This ensures that both routes are active in the routing table, while the route with the higher priority is the best route.

Link health monitor

Link monitor must be configured for both the primary and the secondary WAN interfaces. This ensures that if the primary
or the secondary WAN fails, the corresponding route is removed from the routing table and traffic re-routed to the other
WAN interface.
For configuration details, see sample configurations in Scenario 1: Link redundancy and no load-sharing on page 280.

Routing

Both WAN interfaces must have default routes with the same distance. However, preference is given to the primary
WAN by giving it a higher priority.

To configure the routing of the two interfaces using the CLI:

config router {static | static6}
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
        set priority 0
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 10
        set priority 10
    next
end

Policy routes

The policy route configuration is very similar to the policy routes in Scenario 2: Load-sharing and no link redundancy on page 282, except that the gateway address must not be specified. When a policy route is matched and no gateway address is specified, the FortiGate consults the routing table to obtain the gateway. If the secondary WAN fails, traffic may still hit the policy route; because no gateway is specified and the route to the secondary WAN has been removed by the link monitor, the policy route is bypassed and traffic continues through the primary WAN. This ensures that the policy route is effectively inactive while the secondary link is down.
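The route-selection rules described in these three scenarios (the lower distance alone is installed; equal distance plus priority keeps both routes installed; the reverse path check; and a gateway-less policy route that is bypassed once the link monitor has withdrawn the secondary route) can be modelled in a few lines. The following Python is an added example written for this section, not FortiOS code: the Router, StaticRoute and PolicyRoute classes, the interface names and the gateway and host addresses are constructed for illustration. It runs scenarios 1 to 3 and returns the egress decision for each check.

```python
"""Model of the FortiGate route-selection rules from the three WAN scenarios.
Added example, not FortiOS code: class names, interface names and the
gateway/host addresses below are constructed for illustration."""

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

DEFAULT = IPv4Network("0.0.0.0/0")
GW1, GW2 = IPv4Address("203.0.113.1"), IPv4Address("198.51.100.1")  # constructed


@dataclass
class StaticRoute:
    dst: IPv4Network
    device: str
    gateway: IPv4Address
    distance: int = 10
    priority: int = 0


@dataclass
class PolicyRoute:
    input_device: str
    src: IPv4Network
    output_device: str
    gateway: Optional[IPv4Address] = None  # None: gateway taken from the routing table


class Router:
    def __init__(self, static_routes, policy_routes=(), down_links=()):
        self.static = list(static_routes)
        self.policy = list(policy_routes)
        self.down = set(down_links)  # interfaces whose link monitor reported failure

    def routing_table(self):
        """Installed routes: per destination only the lowest distance survives;
        routes of equal distance are all installed, ordered by priority (lower
        value first). A failed link's routes are withdrawn (update-static-route)."""
        alive = [r for r in self.static if r.device not in self.down]
        table = []
        for dst in {r.dst for r in alive}:
            group = [r for r in alive if r.dst == dst]
            best = min(r.distance for r in group)
            table.extend(sorted((r for r in group if r.distance == best),
                                key=lambda r: r.priority))
        return table

    def lookup(self, addr, device=None):
        """Longest-prefix match, optionally restricted to one egress interface;
        among equal prefixes the first (lowest priority value) wins."""
        matches = [r for r in self.routing_table()
                   if addr in r.dst and (device is None or r.device == device)]
        return max(matches, key=lambda r: r.dst.prefixlen) if matches else None

    def forward(self, ingress, src, dst):
        """Policy routes are checked before the routing table. A policy route
        without a gateway is bypassed when no installed route reaches dst via
        its output interface (for example after the link monitor removed it)."""
        for p in self.policy:
            if p.input_device == ingress and src in p.src:
                if p.gateway is not None:
                    return p.output_device, p.gateway
                r = self.lookup(dst, device=p.output_device)
                if r is not None:
                    return r.device, r.gateway
        r = self.lookup(dst)
        return (r.device, r.gateway) if r else None

    def rpf_ok(self, ingress, src):
        """Reverse path check: accept only if some installed route would send
        the reply to src out of the interface the packet arrived on."""
        return self.lookup(src, device=ingress) is not None


def scenario_results():
    """Exercise scenarios 1 to 3; returns {check_name: result}."""
    lan = StaticRoute(IPv4Network("10.0.0.0/24"), "internal", IPv4Address("0.0.0.0"), distance=0)
    laptops = IPv4Network("10.0.0.128/25")  # the "Laptops" address group (constructed range)
    laptop, desktop = IPv4Address("10.0.0.200"), IPv4Address("10.0.0.20")
    internet = IPv4Address("192.0.2.10")
    out = {}

    # Scenario 1: distances 10/20, so only the wan1 default route is installed
    s1 = Router([lan, StaticRoute(DEFAULT, "wan1", GW1, distance=10),
                 StaticRoute(DEFAULT, "wan2", GW2, distance=20)])
    out["s1_egress"] = s1.forward("internal", desktop, internet)[0]
    out["s1_rpf_wan2"] = s1.rpf_ok("wan2", internet)  # dropped: no route via wan2
    s1.down.add("wan1")                                # link monitor withdraws wan1
    out["s1_failover"] = s1.forward("internal", desktop, internet)[0]

    # Scenario 2: same routes plus a policy route with an explicit gateway
    s2 = Router(s1.static, [PolicyRoute("internal", laptops, "wan2", GW2)])
    out["s2_laptop"] = s2.forward("internal", laptop, internet)
    out["s2_desktop"] = s2.forward("internal", desktop, internet)[0]

    # Scenario 3: equal distance, priority prefers wan1, policy route without gateway
    s3 = Router([lan, StaticRoute(DEFAULT, "wan1", GW1, 10, priority=0),
                 StaticRoute(DEFAULT, "wan2", GW2, 10, priority=10)],
                [PolicyRoute("internal", laptops, "wan2")])
    out["s3_rpf_wan2"] = s3.rpf_ok("wan2", internet)   # both defaults are installed
    out["s3_laptop"] = s3.forward("internal", laptop, internet)[0]
    s3.down.add("wan2")                                # secondary WAN fails
    out["s3_laptop_wan2_down"] = s3.forward("internal", laptop, internet)[0]
    return out
```

In scenario 1 the inbound check on wan2 fails because no installed route points back out of wan2, which is exactly why the backup interface is unreachable from outside; in scenario 3 both defaults are installed, so the same check passes, and the laptop traffic falls back to wan1 as soon as the wan2 route is withdrawn.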


Security policies

When you create security policies, you need to configure duplicate policies to ensure that after traffic fails over WAN1,
regular traffic is allowed to pass through WAN2, as it was with WAN1. This ensures that failover occurs with minimal
effect to users.

RIP

The following topics include information about Routing Information Protocol (RIP):

- ADVPN with RIP as the routing protocol on page 1245

OSPF

The following topics include information about Open Shortest Path First (OSPF):

- OSPF with IPsec VPN for network redundancy on page 1152
- IPsec aggregate for redundancy and traffic load-balancing on page 1165
- ADVPN with OSPF as the routing protocol on page 1236

BGP

The following topics include information about Border Gateway Protocol (BGP):

- ADVPN and shortcut paths on page 470
- ADVPN with BGP as the routing protocol on page 1227
- Applying BGP route-map to multiple BGP neighbors on page 464
- BGP multiple path support on page 455
- Configuring RADIUS SSO authentication on page 1462
- Controlling traffic with BGP route mapping and service rules on page 457
- IBGP and EBGP support in VRF on page 321
- IKEv2 IPsec site-to-site VPN to an AWS VPN gateway on page 1081
- Route leaking between VRFs with BGP on page 305
- SD-WAN related diagnose commands on page 570
- Using BGP tags with SD-WAN rules on page 452

Multicast

The following topics include information about multicast:


- Multicast routing and PIM support on page 286
- Configuring multicast forwarding on page 286

Multicast routing and PIM support

Multicasting (also called IP multicasting) consists of using a single multicast source to send data to many receivers.
Multicasting can be used to send data to many receivers simultaneously while conserving bandwidth and reducing
network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way
data transmission for news feeds, financial information, and so on. Many dynamic routing protocols such as RIPv2,
OSPF, and EIGRP use multicasting to share hello packets and routing information.
A FortiGate can operate as a Protocol Independent Multicast (PIM) version 2 router. FortiGates support PIM sparse
mode (RFC 4601) and PIM dense mode (RFC 3973), and can service multicast servers or receivers on the network
segment to which a FortiGate interface is connected. Multicast routing is not supported in transparent mode.
To support PIM communications, the sending and receiving applications, and all connecting PIM routers in between,
must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their
destinations. To enable source-to-destination packet delivery, sparse mode or dense mode must be enabled on the PIM
router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. If the FortiGate is
located between a source and a PIM router, between two PIM routers, or is connected directly to a receiver, you must
manually create a multicast policy to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the
source and destination.

PIM domains

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one bootstrap
router (BSR), and if sparse mode is enabled, a number of rendezvous points (RPs) and designated routers (DRs). When
PIM is enabled, the FortiGate can perform any of these functions at any time as configured.
A PIM domain can be configured in the GUI by going to Network > Multicast, or in the CLI using config router
multicast. Note that PIM version 2 must be enabled on all participating routers between the source and receivers. Use
config router multicast to set the global operating parameters.
When PIM is enabled, the FortiGate allocates memory to manage mapping information. The FortiGate communicates
with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated
with specific multicast groups.
Instead of sending multiple copies of generated IP traffic to more than one specific IP destination address, PIM-enabled
routers encapsulate the data and use a Class D multicast group address (224.0.0.0 to 239.255.255.255) to forward
multicast packets to multiple destinations. A single stream of data can be sent because one destination address is used.
Client applications receive multicast data by requesting that the traffic destined for a certain multicast group address be
delivered to them.

Configuring multicast forwarding

There is sometimes confusion between the terms forwarding and routing. These two functions should not take place at
the same time. Multicast forwarding should be enabled when the FortiGate is in NAT mode and you want to forward
multicast packets between multicast routers and receivers. However, this function should not be enabled when the
FortiGate itself is operating as a multicast router, or has an applicable routing protocol that uses multicast.


Multicast forwarding is not supported on enhanced MAC VLAN interfaces. To use multicast with enhanced MAC VLAN
interfaces, use PIM (Multicast routing and PIM support on page 286).
There are two steps to configure multicast forwarding:
1. Enabling multicast forwarding on page 287
2. Configuring multicast policies on page 288

Enabling multicast forwarding

Multicast forwarding is enabled by default. If a FortiGate is operating in transparent mode, adding a multicast policy
enables multicast forwarding. In NAT mode you must use the multicast-forward setting to enable or disable
multicast forwarding.

Multicast forwarding in NAT mode

When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or higher
to all interfaces and VLAN interfaces, except the receiving interface. The TTL in the IP header will be reduced by 1. Even
though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast packets
through the FortiGate.

To enable multicast forwarding in NAT mode:

config system settings
    set multicast-forward enable
end

Prevent the TTL for forwarded packets from being changed

You can use the multicast-ttl-notchange option so that the FortiGate does not decrement the TTL of forwarded multicast packets. Use this option only if packets are expiring before they reach the multicast router.

To prevent the TTL for forwarded packets from being changed: 

config system settings
    set multicast-ttl-notchange enable
end

Disable multicast traffic from passing through the FortiGate without a policy check in
transparent mode

In transparent mode, the FortiGate does not forward frames with multicast destination addresses unless a multicast policy allows them. The FortiGate should not interfere with the multicast traffic used by routing protocols, streaming media, or other multicast communication, but that traffic should not bypass policy enforcement either. To avoid issues during transmission while still checking policy, disable multicast-skip-policy and configure multicast security policies.

To disable multicast traffic from passing through the FortiGate without a policy check in transparent
mode:

config system settings
    set multicast-skip-policy disable
end

Configuring multicast policies

Multicast packets require multicast policies to allow packets to pass from one interface to another. Similar to firewall
policies, in a multicast policy you specify the source and destination interfaces, and the allowed address ranges for the
source and destination addresses of the packets. You can also use multicast policies to configure source NAT and
destination NAT for multicast packets.
Keep the following in mind when configuring multicast policies:
- When SNAT is enabled, the source IP address of matched forwarded (outgoing) multicast packets is changed to the configured snat-ip address.
- The snat setting is optional. Use it only when SNAT is needed.

IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature
Visibility, and enable Multicast Policy and IPv6.

Sample basic policy

In this basic policy, multicast packets received on an interface are flooded unconditionally to all interfaces on the
forwarding domain, except the incoming interface.
config firewall multicast-policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
    next
end

The destination address (dstaddr) is a multicast address object. The all option corresponds to all multicast addresses
in the range 224.0.0.0-239.255.255.255.

Sample policy with specific source and destination interfaces

This multicast policy only applies to the source port wan1 and the destination port internal.
config firewall multicast-policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
    next
end

Sample policy with specific source address object

In this policy, packets are allowed to flow from wan1 to internal, and sourced by the address 172.20.120.129, which is
represented by the example_addr-1 address object.


config firewall multicast-policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "example_addr-1"
        set dstaddr "all"
    next
end

Sample detailed policy

This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to destination address range
239.168.4.0-255. The policy allows the multicast packets to enter the internal interface and then exit the external
interface. When the packets leave the external interface, their source address is translated to 192.168.18.10.
config firewall address
    edit "192.168.5.18"
        set subnet 192.168.5.18 255.255.255.255
    next
end
config firewall multicast-address
    edit "239.168.4.0"
        set start-ip 239.168.4.0
        set end-ip 239.168.4.255
    next
end
config firewall multicast-policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "192.168.5.18"
        set dstaddr "239.168.4.0"
        set snat enable
        set snat-ip 192.168.18.10
    next
end
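The NAT-mode forwarding rules from Enabling multicast forwarding (Class D destinations only, flood to every interface except the receiving one when the TTL is 2 or higher, decrement the TTL unless multicast-ttl-notchange is set) and the policy-matching rules from this section (interface pair, source address, multicast-address range, optional SNAT) can be put together into one forwarding model. The following Python is an added example written for this section, not FortiOS code: the policies and addresses come from the sample policies above, while the Packet and MulticastPolicy classes and the three-interface list are constructed for illustration.

```python
"""Model of NAT-mode multicast forwarding and multicast-policy matching as
described above. Added example, not FortiOS code: the policies and addresses
are taken from the sample policies, the interface list is constructed."""

from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

CLASS_D = IPv4Network("224.0.0.0/4")  # 224.0.0.0-239.255.255.255
ALL_MCAST = (IPv4Address("224.0.0.0"), IPv4Address("239.255.255.255"))  # dstaddr "all"
ANY_SRC = IPv4Network("0.0.0.0/0")                                        # srcaddr "all"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    ttl: int
    ingress: str


@dataclass(frozen=True)
class MulticastPolicy:
    srcintf: str                  # "any" matches every interface
    dstintf: str
    srcaddr: IPv4Network          # firewall address object
    dstaddr: tuple                # (start-ip, end-ip) of the multicast-address object
    snat_ip: Optional[IPv4Address] = None  # set when 'snat enable' with 'snat-ip'

    def matches(self, pkt, egress):
        return (self.srcintf in ("any", pkt.ingress)
                and self.dstintf in ("any", egress)
                and pkt.src in self.srcaddr
                and self.dstaddr[0] <= pkt.dst <= self.dstaddr[1])


def forward_multicast(pkt, interfaces, policies, multicast_forward=True, ttl_notchange=False):
    """Return {egress_interface: packet as transmitted}.
    - only Class D destinations are multicast-forwarded, and only with
      multicast-forward enabled;
    - a packet is flooded to every interface except the receiving one,
      provided its TTL is 2 or higher;
    - TTL is decremented by 1 unless multicast-ttl-notchange is enabled;
    - a multicast policy must still allow the ingress/egress pair, and its
      snat-ip (if any) replaces the source address."""
    sent = {}
    if not multicast_forward or pkt.dst not in CLASS_D or pkt.ttl < 2:
        return sent
    for egress in interfaces:
        if egress == pkt.ingress:
            continue
        policy = next((p for p in policies if p.matches(pkt, egress)), None)
        if policy is None:
            continue  # flooded by the forwarder, but no policy lets it through
        out = replace(pkt, ttl=pkt.ttl if ttl_notchange else pkt.ttl - 1)
        if policy.snat_ip is not None:
            out = replace(out, src=policy.snat_ip)
        sent[egress] = out
    return sent


def demo():
    """Run the 'sample detailed policy' and the 'sample basic policy'."""
    interfaces = ["internal", "external", "dmz"]  # constructed; dmz has no policy
    detailed = MulticastPolicy("internal", "external", IPv4Network("192.168.5.18/32"),
                               (IPv4Address("239.168.4.0"), IPv4Address("239.168.4.255")),
                               snat_ip=IPv4Address("192.168.18.10"))
    basic = MulticastPolicy("any", "any", ANY_SRC, ALL_MCAST)
    pkt = Packet(IPv4Address("192.168.5.18"), IPv4Address("239.168.4.7"), ttl=5, ingress="internal")
    sent = forward_multicast(pkt, interfaces, [detailed])
    return {
        "egress": sorted(sent),                          # only external is allowed
        "snat_src": str(sent["external"].src),           # rewritten by snat-ip
        "ttl": sent["external"].ttl,                     # decremented from 5 to 4
        "ttl_kept": forward_multicast(pkt, interfaces, [detailed], ttl_notchange=True)["external"].ttl,
        "ttl1_dropped": forward_multicast(replace(pkt, ttl=1), interfaces, [detailed]) == {},
        "other_group": forward_multicast(replace(pkt, dst=IPv4Address("239.168.5.1")), interfaces, [detailed]) == {},
        "basic_flood": sorted(forward_multicast(pkt, interfaces, [basic])),  # every other interface
        "forwarding_off": forward_multicast(pkt, interfaces, [basic], multicast_forward=False) == {},
    }
```

The detailed policy lets the stream out of external only, with its source rewritten to 192.168.18.10 and the TTL reduced by one; a packet arriving with TTL 1 or addressed to a group outside 239.168.4.0-255 is not forwarded anywhere, while the basic any/any policy floods to every interface other than the one the packet arrived on.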

To configure multicast policies in the GUI, enable Multicast Policy in System > Feature
Visibility.

FortiExtender

The following topics include information about FortiExtender:


- Adding a FortiExtender on page 290
- Data plan profiles on page 291


Adding a FortiExtender

To add a FortiExtender to the FortiGate, create a virtual FortiExtender interface, then add a FortiExtender and assign the
interface to the modem. Like other interface types, the FortiExtender interface can be used in static routes, SD-WAN
(see Manage dual FortiExtender devices), policies, and other functions.

To create a virtual FortiExtender interface in the GUI:

1. Go to Network > Interfaces and click Create New > FortiExtender.


2. Enter a name for the interface.
3. Configure the remaining settings as needed. See Interface settings on page 122 for more details.

4. Click OK.

To add a FortiExtender in the GUI:

1. Go to Network > FortiExtender and click Create New > Extenders.


2. Enter your FortiExtender's serial number in the Serial number field.
3. Optionally, set an Alias for the FortiExtender.
4. In the State section, enable Authorized.
5. Set Interface to the FortiExtender interface.
6. Configure the remaining setting as required. See the FortiExtender Administration Guide for more information.

7. Click OK.
8. In the extenders list, right-click on the FortiExtender and select Diagnostics and Tools to review the modem and SIM
status, and other details about the FortiExtender.


To create a virtual FortiExtender interface in the CLI:

config system interface
    edit "fext"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https speed-test
        set type fext-wan
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 500
    next
end

To configure the FortiExtender in the CLI:

config extender-controller extender
    edit "FX211E0000000000"
        set id "FX211E0000000000"
        set authorized enable
        config modem1
            set ifname "fext"
        end
    next
end

To verify the modem settings in the CLI:

get extender modem-status FX211E0000000000 1

Modem 0:
    physical_port: 2-1.2
    manufacture: Sierra Wireless, Incorporated
    product: Sierra Wireless, Incorporated
    ....

Data plan profiles

The data plan profile allows users to configure connectivity settings based on modem, carrier, slot, SIM ID, or cost. Users
can also specify billing details related to the data plan, as well as smart switch thresholds to define when to switch over to
a different SIM.
A FortiExtender has multiple SIM card slots. Certain models also have multiple modems. Essentially, each modem can
make one connection with one of the two SIMs associated with the modem. The data plan profile allows users to create
general configurations that work across multiple SIMs, or specific profiles that work on a specific SIM. First, the data plan
matches the criteria based on the modem ID and type.

Syntax
config extender-controller dataplan
    edit <name>
        set modem-id {modem1 | modem2 | all}
        set type {carrier | slot | iccid | generic}
    next
end


Variable                                  Description

set modem-id (Available on in the GUI)    Select the match criterion based on the modem:
                                          - modem1: Use modem 1.
                                          - modem2: Use modem 2.
                                          - all: Use both modems (default).

set type (Type in the GUI)                Select the match criterion based on the type:
                                          - carrier: Assign by SIM carrier.
                                          - slot: Assign to SIM slot 1 or 2.
                                          - iccid: Assign to a specific SIM by ICCID.
                                          - generic: Compatible with any SIM (default). Assigned if no other data plan matches the chosen SIM.

When a modem connects to the network through a SIM, it will read the SIM information and try to match a data plan
based on the modem ID and type. It then uses the data plan connectivity settings to connect (authentication, PDN type,
preferred subnet, APN, private network). The billing details (such as the monthly data limit) and smart switch threshold
settings define how the SIMs will be switched.
Multiple data plans can be configured. Once the FortiExtender is managed by the FortiGate, the data plans are sent to the FortiExtender; the format is identical on both devices.

To configure a data plan in the GUI:

1. Go to Network > FortiExtender and click Create New > Data plans.


2. Enter a name for the plan.
3. Set Available on to All Modems or Modem 1.
4. Set the plan Type. If Carrier is selected, enter the carrier name. If ICCID is selected, enter the ICCID number.
5. Configure the other settings as needed.


6. Click OK.

To configure a data plan in the CLI:

config extender-controller dataplan
    edit "Telus-modem1"
        set modem-id modem1
        set type carrier
        set carrier "Telus"
        set capacity 2000
        set billing-date 30
    next
    edit "Fido-modem2"
        set modem-id modem2
        set type carrier
        set carrier "Generic"
        set capacity 3000
    next
    edit "Bell"
        set type carrier
        set carrier "Bell"
        set apn "pda.bell.ca"
        set capacity 6000
    next
end
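The matching described above (a modem reads its SIM, then picks the data plan whose modem-id and type match, with the generic plan used only when nothing else matches) can be shown with the three plans from the CLI sample plus a couple of extra plans. The following Python is an added example, not FortiExtender or FortiOS code: the DataPlan class, the SIM records, the two additional plans and the precedence between specific plan types (iccid over slot over carrier, generic last) are assumptions made for this example; the guide only states that generic is assigned when no other plan matches.

```python
"""Data plan selection as described above: when a modem connects through a
SIM, it matches a data plan on modem-id and type. Added example, not
FortiExtender or FortiOS code. The three plans from the CLI sample are reused;
the other plans, the SIM records and the precedence between specific plan
types (iccid over slot over carrier, generic only as a last resort) are
assumptions made for this example."""

from dataclasses import dataclass
from typing import Optional

SPECIFICITY = {"iccid": 3, "slot": 2, "carrier": 1, "generic": 0}  # assumed ordering


@dataclass(frozen=True)
class DataPlan:
    name: str
    type: str                       # carrier | slot | iccid | generic
    modem_id: str = "all"           # modem1 | modem2 | all
    carrier: Optional[str] = None
    slot: Optional[int] = None
    iccid: Optional[str] = None
    apn: Optional[str] = None
    capacity: Optional[int] = None  # monthly data limit (billing detail)

    def matches(self, modem_id, sim):
        """sim: what the modem read from the SIM (carrier, slot, iccid)."""
        if self.modem_id not in ("all", modem_id):
            return False
        if self.type == "carrier":
            return self.carrier == sim["carrier"]
        if self.type == "slot":
            return self.slot == sim["slot"]
        if self.type == "iccid":
            return self.iccid == sim["iccid"]
        return self.type == "generic"


def select_plan(plans, modem_id, sim):
    """Most specific matching plan; among equally specific plans the first
    configured wins (assumption). Returns None when nothing matches."""
    candidates = [p for p in plans if p.matches(modem_id, sim)]
    return max(candidates, key=lambda p: SPECIFICITY[p.type]) if candidates else None


PLANS = [
    DataPlan("Telus-modem1", "carrier", modem_id="modem1", carrier="Telus", capacity=2000),
    DataPlan("Fido-modem2", "carrier", modem_id="modem2", carrier="Generic", capacity=3000),
    DataPlan("Bell", "carrier", carrier="Bell", apn="pda.bell.ca", capacity=6000),
    # constructed for this example: one SIM pinned by ICCID, and a catch-all
    DataPlan("Bell-lab-sim", "iccid", iccid="8912230000000000001", apn="lab.example.invalid"),
    DataPlan("fallback", "generic"),
]


def demo():
    sims = {  # constructed SIM records
        "bell_pinned": {"carrier": "Bell", "slot": 1, "iccid": "8912230000000000001"},
        "bell_other": {"carrier": "Bell", "slot": 2, "iccid": "8912230000000000002"},
        "telus": {"carrier": "Telus", "slot": 1, "iccid": "8912210000000000001"},
        "rogers": {"carrier": "Rogers", "slot": 2, "iccid": "8912220000000000001"},
    }

    def pick(modem_id, sim_name):
        plan = select_plan(PLANS, modem_id, sims[sim_name])
        return plan.name if plan else None

    return {
        "modem1_bell_pinned": pick("modem1", "bell_pinned"),  # ICCID plan beats the carrier plan
        "modem1_bell_other": pick("modem1", "bell_other"),    # carrier plan Bell
        "modem1_telus": pick("modem1", "telus"),              # Telus-modem1
        "modem2_telus": pick("modem2", "telus"),              # Telus plan is modem1-only: fallback
        "modem2_rogers": pick("modem2", "rogers"),            # no carrier plan: fallback
        "no_generic": select_plan(PLANS[:4], "modem2", sims["rogers"]),  # None without a generic plan
    }
```

Note that the Fido-modem2 plan from the sample only matches a SIM whose carrier string is literally "Generic"; it is not a catch-all, which is what the type generic plan is for.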

Direct IP support for LTE/4G

Direct IP is a public IP address that is assigned to a computing device, which allows the device to directly access the
internet.
When an LTE modem is enabled in FortiOS, a DHCP interface is created. As a result, the FortiGate can acquire direct IP
(which includes IP, DNS, and gateway) from the LTE network carrier.


Since some LTE modems require users to input the access point name (APN) for the LTE network, the LTE modem
configuration allows you to set the APN.

LTE modems can only be enabled by using the CLI.

To enable direct IP support using the CLI:

1. Enable the LTE modem:


config system lte-modem
    set status enable
end

2. Check that the LTE interface was created:


config system interface
    edit "wwan"
        set vdom "root"
        set mode dhcp
        set status down
        set distance 1
        set type physical
        set snmp-index 23
    next
end

Shortly after the LTE modem joins its carrier network, wwan is enabled and granted direct IP:
config system interface
    edit wwan
        get
            name                : wwan
            ....
            ip                  : 100.112.75.43 255.255.255.248
            ....
            status              : up
            ....
            defaultgw           : enable
            DHCP Gateway        : 100.112.75.41
            Lease Expires       : Thu Feb 21 19:33:27 2019
            dns-server-override : enable
            Acquired DNS1       : 184.151.118.254
            Acquired DNS2       : 70.28.245.227
            ....

PCs can reach the internet via the following firewall policy:
config firewall policy
    edit 5
        set name "LTE"
        set srcintf "port9"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set nat enable
    next
end

Sample LTE interface

When an LTE modem is enabled, you can view the LTE interface in the GUI and check the acquired IP, DNS, and
gateway.

To view the LTE interface in the GUI:

1. Go to Network > Interfaces.


2. Double-click the LTE interface to view the properties.
3. Look in the Address section to see the Obtained IP/Netmask, Acquired DNS, and Default Gateway.

4. Click Return.

To configure the firewall policy that uses the LTE interface:

1. Go to Policy & Objects > Firewall Policy.


2. Edit the LTE policy.
3. In the Outgoing Interface field, select the interface (wwan in this example).
4. Configure the rest of the policy as needed.
5. Click OK.

Limitations

- Most LTE modems have a preset APN in their SIM card, so the APN does not need to be set in the FortiOS configuration. If the internet cannot be accessed, consult your carrier and set the APN in the LTE modem configuration (for example, inet.bell.ca):

    config system lte-modem
        set status enable
        set apn "inet.bell.ca"
    end

- Some models, such as the FortiGate 30E-3G4G, have built-in LTE modems. On these models the LTE modem is enabled by default, and the firewall policy through the LTE interface is also created by default. Once you plug in a SIM card, your network devices can connect to the internet.

Sample FortiGate 30E-3G4G default configuration:

config system lte-modem
    set status enable
    set extra-init ''
    set manual-handover disable
    set force-wireless-profile 0
    set authtype none
    set apn ''
    set modem-port 255
    set network-type auto
    set auto-connect disable
    set gpsd-enabled disable
    set data-usage-tracking disable
    set gps-port 255
end
config firewall policy
    ....
    edit 3
        set srcintf "internal"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

LLDP reception

Device detection can scan LLDP as a source for device identification, but the FortiGate does not read or store the full
information. Enabling LLDP reception allows the FortiGate to receive and store LLDP messages, learn about active
neighbors, and makes the LLDP information available via the CLI, REST API, and SNMP.
You need to enable device-identification at the interface level, and then lldp-reception can be enabled on
three levels: globally, per VDOM, or per interface.


To configure device identification on an interface:

config system interface
    edit <port>
        set device-identification enable
    next
end

To configure LLDP reception globally:

config system global
    set lldp-reception enable
end

To configure LLDP reception per VDOM:

config system setting
    set lldp-reception enable
end

To configure LLDP reception per interface:

config system interface
    edit <port>
        set lldp-reception enable
    next
end

To view the LLDP information in the GUI:

1. Go to Dashboard > Users & Devices.


2. Expand the Device Inventory widget to full screen.

To view the received LLDP information in the CLI:

# diagnose user device list
hosts
    vd root/0 44:0a:a0:0a:0a:0a gen 3 req S/2
        created 10290s gen 1 seen 0s port3 gen 1
        ip 172.22.22.22 src lldp
        type 20 'Other Network Device' src lldp id 155 gen 2
        os 'Artist EOS ' version '4.20.4' src lldp id 155
        host 'artist' src lldp


To view additional information about LLDP neighbors and ports:

# diagnose lldprx neighbor {summary | details | clear}
# diagnose lldprx port {details | summary | neighbor | filter}
# diagnose lldprx port neighbor {summary | details}

Note that the port index in the output corresponds to the port index from the following command:
# diagnose netlink interface list port2 port3 | grep index
if=port2 family=00 type=1 index=4 mtu=1500 link=0 master=0
if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0

To view the received LLDP information in the REST API:

{
    "http_method": "GET",
    "results": [
        {
            "mac": "90:9c:9c:c9:c9:90",
            "chassis_id": "90:9C:9C:C9:C9:90",
            "port": 19,
            "port_id": "port12",
            "port_desc": "port12",
            "system_name": "S124DN3W00000000",
            "system_desc": "FortiSwitch-124D v3.6.6,build0416,180515 (GA)",
            "ttl": 120,
            "addresses": [
                {
                    "type": "ipv4",
                    "address": "192.168.1.99"
                }
            ]
        }
    ],
    "vdom": "root",
    "path": "network",
    "name": "lldp",
    "action": "neighbors",
    "status": "success",
    "serial": "FG201E4Q00000000",
    "version": "v6.2.0",
    "build": 866
}
{
    "http_method": "GET",
    "results": [
        {
            "name": "port1",
            "rx": 320,
            "neighbors": 1
        }
    ],
    "vdom": "root",
    "path": "network",
    "name": "lldp",
    "action": "ports",
    "mkey": "port1",
    "status": "success",
    "serial": "FG201E4Q00000000",
    "version": "v6.2.0",
    "build": 866
}
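The two REST API responses above, together with the interface index mapping from diagnose netlink, are enough to build a neighbor inventory and check it against the devices you expect on each port, which is the practical use of LLDP reception on a firewall: an unknown chassis ID on an access port is worth a look. The following Python is an added example, not FortiOS code: the two JSON documents are the responses printed above, while the netlink line for port1 (index 19, the port value in the neighbor record), the allowlists and the helper names are constructed for this example.

```python
"""Turn the LLDP neighbor and port responses shown above into an inventory,
and check it against an allowlist of expected chassis IDs per local port.
Added example, not FortiOS code. The two JSON documents are the responses
printed above; the 'diagnose netlink' line for port1 and the allowlists are
constructed (the page's own netlink sample covers port2 and port3 only)."""

import json
import re

NEIGHBORS_JSON = """{"http_method":"GET","results":[{"mac":"90:9c:9c:c9:c9:90",
"chassis_id":"90:9C:9C:C9:C9:90","port":19,"port_id":"port12","port_desc":"port12",
"system_name":"S124DN3W00000000","system_desc":"FortiSwitch-124D v3.6.6,build0416,180515 (GA)",
"ttl":120,"addresses":[{"type":"ipv4","address":"192.168.1.99"}]}],
"vdom":"root","path":"network","name":"lldp","action":"neighbors","status":"success",
"serial":"FG201E4Q00000000","version":"v6.2.0","build":866}"""

PORTS_JSON = """{"http_method":"GET","results":[{"name":"port1","rx":320,"neighbors":1}],
"vdom":"root","path":"network","name":"lldp","action":"ports","mkey":"port1",
"status":"success","serial":"FG201E4Q00000000","version":"v6.2.0","build":866}"""

# 'diagnose netlink interface list ... | grep index' output; the port1 line is constructed
NETLINK_OUTPUT = """if=port1 family=00 type=1 index=19 mtu=1500 link=0 master=0
if=port2 family=00 type=1 index=4 mtu=1500 link=0 master=0
if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0"""


def parse_netlink_indexes(text):
    """{kernel interface index: interface name} from the netlink listing."""
    return {int(m.group(2)): m.group(1)
            for m in re.finditer(r"if=(\S+)\s.*?\bindex=(\d+)", text)}


def lldp_inventory(neighbors_json, ports_json, netlink_text):
    """One record per neighbor, with the 'port' index resolved to a name."""
    index_to_name = parse_netlink_indexes(netlink_text)
    ports = {p["name"]: p for p in json.loads(ports_json)["results"]}
    inventory = []
    for n in json.loads(neighbors_json)["results"]:
        local = index_to_name.get(n["port"], "index%d" % n["port"])
        inventory.append({
            "local_port": local,
            "chassis_id": n["chassis_id"].lower(),   # normalise case before comparing
            "remote_port": n["port_id"],
            "system_name": n["system_name"],
            "system_desc": n["system_desc"],
            "mgmt_addresses": [a["address"] for a in n.get("addresses", [])],
            "ttl": n["ttl"],
            "rx_frames": ports.get(local, {}).get("rx"),
        })
    return inventory


def unexpected_neighbors(inventory, allowed):
    """allowed: {local_port: iterable of chassis IDs}. Anything else seen on a
    port is a new or unexpected device worth investigating."""
    return [n for n in inventory
            if n["chassis_id"] not in {c.lower() for c in allowed.get(n["local_port"], ())}]


def demo():
    inv = lldp_inventory(NEIGHBORS_JSON, PORTS_JSON, NETLINK_OUTPUT)
    known = {"port1": {"90:9C:9C:C9:C9:90"}}                # constructed allowlist
    return {
        "local_port": inv[0]["local_port"],                  # port1 (index 19)
        "rx_frames": inv[0]["rx_frames"],                    # 320 from the ports response
        "mgmt": inv[0]["mgmt_addresses"],                    # ['192.168.1.99']
        "flagged_known": len(unexpected_neighbors(inv, known)),               # 0
        "flagged_unknown": len(unexpected_neighbors(inv, {"port1": set()})),  # 1
    }
```

LLDP is unauthenticated, so a chassis ID in the allowlist proves only that a device claims that identity; treat a mismatch as a trigger for investigation, not as proof of either a rogue or a legitimate device.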

Virtual routing and forwarding

Virtual Routing and Forwarding (VRF) is used to divide the FortiGate's routing functionality (layer 3), including interfaces,
routes, and forwarding tables, into separate units. Packets are only forwarded between interfaces that have the same
VRF.
VDOMs divide the FortiGate into two or more complete and independent virtual units that include all FortiGate functions.
VDOMs can be used for routing segmentation, but that should not be the only reason to implement them when a less
complex solution (VRFs) can be used. VDOMs also support administration boundaries, but VRFs do not.
Up to 32 VRFs can be configured in each VDOM, but only ten VDOMs can be configured by default on a FortiGate (more
VDOMs can be configured on larger devices with additional licenses).
- Implementing VRF on page 299
- VRF routing support on page 300
- Route leaking between VRFs with BGP on page 305
- Route leaking between multiple VRFs on page 307
- VRF with IPv6 on page 317
- IBGP and EBGP support in VRF on page 321

Implementing VRF

VRFs are always enabled and, by default, all routing is done in VRF 0. To use additional VRFs, assign a VRF ID to an
interface. All routes relating to that interface are isolated to that VRF specific routing table. Interfaces in one VRF cannot
reach interfaces in a different VRF.
If some traffic does have to pass between VRFs, route leaking can be used. See Route leaking between VRFs with BGP
on page 305.

Enable Advanced Routing in System > Feature Visibility to configure VRFs.

To configure a VRF ID on an interface in the GUI:

1. Go to Network > Interfaces and click Create New > Interface.


2. Enter a value in the VRF ID field.
3. Configure the other settings as needed.


4. Click OK.
5. To add the VRF column in the interface table, click the gear icon, select VRF, and click Apply.

To configure a VRF ID on an interface in the CLI:

config system interface
    edit interface42
        ...
        set vrf 14
    next
end

VRF routing support

VRF supports static routing, OSPF, and BGP. Other routing protocols require using VDOMs.


BGP

In this example, BGP runs inside each VRF and exchanges routes only with the neighbors reachable through that VRF's interfaces.
The hub is configured with two neighbors connected to two interfaces. The branches are configured to match the hub, and the branch networks are redistributed into BGP.
Firewall policies must be created on the hub and branches to allow traffic between them.

To configure the hub:

config router bgp
    set as 65000
    config neighbor
        edit "10.101.101.2"
            set soft-reconfiguration enable
            set interface "port2"
            set remote-as 65101
            set update-source "port2"
        next
        edit "10.102.102.2"
            set soft-reconfiguration enable
            set interface "port3"
            set remote-as 65102
            set update-source "port3"
        next
    end
end

To configure branch 101:

config router bgp
    set as 65101
    config neighbor
        edit "10.101.101.1"
            set soft-reconfiguration enable
            set interface "port2"
            set remote-as 65000
            set update-source "port2"
        next
    end
    config redistribute connected
        set status enable
    end
end

To configure branch 102:

config router bgp
    set as 65102
    config neighbor
        edit "10.102.102.1"
            set soft-reconfiguration enable
            set interface "port2"
            set remote-as 65000
            set update-source "port2"
        next
    end
    config redistribute connected
        set status enable
    end
end

To verify the BGP neighbors and check the routing table on the hub:

# get router info bgp summary
BGP router identifier 192.168.0.1, local AS number 65000
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS       MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/Pf
10.101.101.2    4    65101    4        4        2       0    0
10.102.102.2    4    65102    3        3        1       0    0

Total number of neighbors 2

# get router info routing-table all
Routing table for VRF=0
Codes (…)
S*      0.0.0.0/0 [10/0] via 192.168.0.254, port1
C       10.101.101.0/24 is directly connected, port2
C       10.102.102.0/24 is directly connected, port3
C       192.168.0.0/24 is directly connected, port1
B       192.168.101.0/24 [20/0] via 10.101.101.2, port2, 00:01:25
B       192.168.102.0/24 [20/0] via 10.102.102.2, port3, 00:00:50

To configure VRF on the hub:

1. Put the interfaces into VRF:


config system interface
edit port2
set vrf 10
next
edit port3
set vrf 20
next
end

2. Restart the routing process to rebuild the routing tables (routing is briefly interrupted while it restarts):


# execute router restart

3. Check the routing tables:


# get router info routing-table all
Routing table for VRF=0
Codes (…)
S* 0.0.0.0/0 [10/0] via 192.168.0.254, port1
C 192.168.0.0/24 is directly connected, port1

Routing table for VRF=10
C 10.101.101.0/24 is directly connected, port2
B 192.168.101.0/24 [20/0] via 10.101.101.2, port2, 00:02:25

Routing table for VRF=20
C 10.102.102.0/24 is directly connected, port3
B 192.168.102.0/24 [20/0] via 10.102.102.2, port3, 00:01:50

4. Check the BGP summary:


# get router info bgp summary

VRF 10 BGP router identifier 10.101.101.1, local AS number 65000
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V   AS      MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/PfxRcd
10.101.101.2    4   65101   4        4        2       0    0

Total number of neighbors 1

VRF 20 BGP router identifier 10.102.102.1, local AS number 65000
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V   AS      MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/PfxRcd
10.102.102.2    4   65102   3        3        1       0    0

Total number of neighbors 1

OSPF

OSPF routes in VRFs work the same as BGP: the interface that OSPF is using is added to the VRF.

To configure the hub:

1. Configure OSPF:
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit Branch101
            set interface "port2"
            set dead-interval 40
            set hello-interval 10
        next
        edit Branch102
            set interface "port3"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 0
            set prefix 10.101.101.0 255.255.255.0
        next
        edit 0
            set prefix 10.102.102.0 255.255.255.0
        next
        edit 0
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end

2. Put the interfaces into VRF:


config system interface
edit port2
set vrf 10
next
edit port3
set vrf 20
next
end

To configure branch 101:

config router ospf
    set router-id 101.101.101.101
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit HUB
            set interface port2
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 0
            set prefix 10.101.101.0 255.255.255.0
        next
        edit 0
            set prefix 192.168.101.0 255.255.255.0
        next
    end
end

To check the routing table and OSPF summary:

# get router info routing-table ospf


# get router info ospf interface


Route leaking between VRFs with BGP

Route leaking allows you to configure communication between VRFs. If route leaking is not configured, the VRFs
are isolated. This example shows route leaking with BGP using virtual inter-VDOM links.
In this example, a hub FortiGate forms BGP neighbors with two branches. It learns the networks 192.168.101.0/24 and
192.168.102.0/24 from the neighbors and separates them into VRF 10 and VRF 20.
To leak the learned routes to each other, an inter-VDOM link (IVL) is formed. An IVL normally bridges two VDOMs, but in
this case both ends of the link reside in the same VDOM and are used to bridge the two VRFs. NPU links could also be used
on models that support them, for better performance.
VRF 10 has a leaked route to 192.168.102.0/24 on IVL link-10-20-0, and VRF 20 has a leaked route to 192.168.101.0/24
on IVL link-10-20-1.

To configure route leaking:

1. Configure inter-VDOM links:


config global
    config system vdom-link
        edit link-10-20-
        next
    end
    config system interface
        edit link-10-20-0
            set vdom "root"
            set vrf 10
            set ip 10.1.1.1/30
        next
        edit link-10-20-1
            set vdom "root"
            set vrf 20
            set ip 10.1.1.2/30
        next
    end
end

2. Create prefix lists:


These objects define the subnets and masks that are leaked.
config router prefix-list
    edit VRF10_Route
        config rule
            edit 1
                set prefix 192.168.101.0 255.255.255.0
            next
        end
    next
    edit VRF20_Route
        config rule
            edit 1
                set prefix 192.168.102.0 255.255.255.0
            next
        end
    next
end

3. Create the route map:


The route map can be used to group one or more prefix lists.
config router route-map
edit "Leak_from_VRF10_to_VRF20"
config rule
edit 1
set match-ip-address "VRF10_Route"
next
end
next
edit "Leak_from_VRF20_to_VRF10"
config rule
edit 1
set match-ip-address "VRF20_Route"
next
end
next
end

4. Configure the VRF leak in BGP, specifying a source VRF, a destination VRF, and the route map to use:
config router bgp
config vrf-leak
edit "10"
config target
edit "20"
set route-map "Leak_from_VRF10_to_VRF20"
set interface "link-10-20-0"
next
end
next
edit "20"
config target
edit "10"
set route-map "Leak_from_VRF20_to_VRF10"
set interface "link-10-20-1"
next
end
next
end
end

5. Create policies to allow traffic between the VRFs.

Without a firewall policy permitting traffic between the IVL interfaces, the VRFs remain isolated: the leaked route only
makes the destination reachable in the routing table, and the policy decides whether traffic may use it.


Route leaking between multiple VRFs

In this example, route leaking between three VRFs in a star topology is configured. This allows the solution to be
scaled to more VRFs without building full mesh, one-to-one connections between each pair of VRFs. VLAN
subinterfaces are created on VDOM links to connect each VRF to the central VRF, allowing routes to be leaked from a
VRF to the central VRF, and then to the other VRFs. Static routes are used for route leaking in this example.
For instructions on route leaking between two VRFs, see Route leaking between VRFs with BGP on page 305.

Physical topology:

Logical topology:


In this example, a specific route is leaked from each of the VRFs to each of the other VRFs. VLAN subinterfaces are
created based on VDOM links to connect each VRF to the core VRF router.
Multi VDOM mode is enabled so that NP VDOM links can be used. The setup could be configured without enabling multi
VDOM mode by manually creating non-NP VDOM links, but this is not recommended as the links are not offloaded to the
NPU.
After VDOMs are enabled, all of the configuration is done in the root VDOM.

To configure the FortiGate:

1. Enable multi VDOM mode:


config system global
set vdom-mode multi-vdom
end

If the FortiGate has an NP, the VDOM links are created automatically:


# show system interface
config system interface
...
edit "npu0_vlink0"
set vdom "root"
set type physical
next
edit "npu0_vlink1"
set vdom "root"
set type physical
next
...
end

If multi VDOM mode is not used, the VDOM links can be manually created:
config system vdom-link
edit <name of vdlink>
next
end

2. Allow interface subnets to overlap, since both ends of each VDOM-link VLAN pair carry the same /30 inside the root VDOM:


config vdom
edit root
config system settings
set allow-subnet-overlap enable
end

3. Configure the VLAN subinterfaces on the VDOM link that connect each VRF to the core VRF:


config system interface
edit "vlink0_Vlan_10"
set vdom "root"
set vrf 10
set ip 10.1.1.1 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink0_Vlan_10"
set role lan
set interface "npu0_vlink0"


set vlanid 10
next
edit "vlink1_Vlan_10"
set vdom "root"
set vrf 31
set ip 10.1.1.2 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink1_Vlan_10"
set role lan
set interface "npu0_vlink1"
set vlanid 10
next
edit "vlink0_Vlan_11"
set vdom "root"
set vrf 11
set ip 11.1.1.1 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink0_Vlan_11"
set role lan
set interface "npu0_vlink0"
set vlanid 11
next
edit "vlink1_Vlan_11"
set vdom "root"
set vrf 31
set ip 11.1.1.2 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink1_Vlan_11"
set role lan
set interface "npu0_vlink1"
set vlanid 11
next
edit "vlink0_Vlan_12"
set vdom "root"
set vrf 12
set ip 12.1.1.1 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink0_Vlan_12"
set role lan
set interface "npu0_vlink0"
set vlanid 12
next
edit "vlink1_Vlan_12"
set vdom "root"
set vrf 31
set ip 12.1.1.2 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink1_Vlan_12"
set role lan
set interface "npu0_vlink1"
set vlanid 12
next
end

4. Configure a zone to allow intrazone traffic between VLANs in the central VRF:


config system zone


edit "Core-VRF-Router"
set intrazone allow
set interface "vlink1_Vlan_10" "vlink1_Vlan_11" "vlink1_Vlan_12"
next
end

5. Add allow policies for the VRF31 core router:


config firewall policy
edit 0
set name "any_to_core_vrf31"
set srcintf "any"
set dstintf "Core-VRF-Router"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 0
set name "core_vrf31_to_any"
set srcintf "Core-VRF-Router"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end

6. Configure VRF10, VRF11, and VRF12 on the Internal and WAN VLAN sub-interfaces:
config system interface
edit "Internal_VRF10"
set vdom "root"
set vrf 10
set ip 172.16.10.1 255.255.255.0
set allowaccess ping https ssh http
set alias "Internal_VRF10"
set role lan
set interface "internal"
set vlanid 10
next
edit "Internal_VRF11"
set vdom "root"
set vrf 11
set ip 172.16.11.1 255.255.255.0
set allowaccess ping https ssh http
set alias "Internal_VRF11"
set role lan
set interface "internal"
set vlanid 11
next


edit "Internal_VRF12"
set vdom "root"
set vrf 12
set ip 172.16.12.1 255.255.255.0
set allowaccess ping https ssh http
set alias "Internal_VRF12"
set role lan
set interface "internal"
set vlanid 12
next
edit "wan1_VRF10"
set vdom "root"
set vrf 10
set ip 202.100.10.1 255.255.255.0
set allowaccess ping
set alias "wan1_VRF10"
set role wan
set interface "wan1"
set vlanid 10
next
edit "wan1_VRF11"
set vdom "root"
set vrf 11
set ip 202.100.11.1 255.255.255.0
set allowaccess ping
set alias "wan1_VRF11"
set role wan
set interface "wan1"
set vlanid 11
next
edit "wan1_VRF12"
set vdom "root"
set vrf 12
set ip 202.100.12.1 255.255.255.0
set allowaccess ping
set alias "wan1_VRF12"
set role wan
set interface "wan1"
set vlanid 12
next
end

7. Configure static routing and route leaking between each VRF and Core-VRF-Router:
config router static
edit 1
set dst 172.16.10.0 255.255.255.0
set gateway 10.1.1.1
set device "vlink1_Vlan_10"
set comment "VRF31_Core_Router"
next
edit 2
set dst 172.16.11.0 255.255.255.0
set gateway 11.1.1.1
set device "vlink1_Vlan_11"
set comment "VRF31_Core_Router"


next
edit 3
set dst 172.16.12.0 255.255.255.0
set gateway 12.1.1.1
set device "vlink1_Vlan_12"
set comment "VRF31_Core_Router"
next
edit 4
set dst 172.16.11.0 255.255.255.0
set gateway 10.1.1.2
set device "vlink0_Vlan_10"
set comment "VRF10_Route_Leaking"
next
edit 5
set dst 172.16.12.0 255.255.255.0
set gateway 10.1.1.2
set device "vlink0_Vlan_10"
set comment "VRF10_Route_Leaking"
next
edit 6
set dst 172.16.10.0 255.255.255.0
set gateway 11.1.1.2
set device "vlink0_Vlan_11"
set comment "VRF11_Route_Leaking"
next
edit 7
set dst 172.16.12.0 255.255.255.0
set gateway 11.1.1.2
set device "vlink0_Vlan_11"
set comment "VRF11_Route_Leaking"
next
edit 8
set dst 172.16.10.0 255.255.255.0
set gateway 12.1.1.2
set device "vlink0_Vlan_12"
set comment "VRF12_Route_Leaking"
next
edit 9
set dst 172.16.11.0 255.255.255.0
set gateway 12.1.1.2
set device "vlink0_Vlan_12"
set comment "VRF12_Route_Leaking"
next
edit 10
set gateway 202.100.10.254
set device "wan1_VRF10"
set comment "VRF10_Default_Route"
next
edit 11
set gateway 202.100.11.254
set device "wan1_VRF11"
set comment "VRF11_Default_Route"
next
edit 12
set gateway 202.100.12.254


set device "wan1_VRF12"


set comment "VRF12_Default_Route"
next
end

In the GUI, go to Network > Static Routes to view the static routes.

8. Configure firewall policies for VRF10, VRF11, and VRF12:


config firewall policy
edit 6
set name "VRF10_to_Internet_Policy"
set srcintf "Internal_VRF10"
set dstintf "wan1_VRF10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 7
set name "VRF10_to_VRF_Leaking_Route"
set srcintf "Internal_VRF10"
set dstintf "vlink0_Vlan_10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 8
set name "VRF_Leaking_Route_to_VRF10"
set srcintf "vlink0_Vlan_10"
set dstintf "Internal_VRF10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all


next
edit 9
set name "VRF11_to_Internet_Policy"
set srcintf "Internal_VRF11"
set dstintf "wan1_VRF11"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 10
set name "VRF11_to_VRF_Leaking_Route"
set srcintf "Internal_VRF11"
set dstintf "vlink0_Vlan_11"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 11
set name "VRF_Leaking_Route_to_VRF11"
set srcintf "vlink0_Vlan_11"
set dstintf "Internal_VRF11"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 12
set name "VRF12_to_Internet_Policy"
set srcintf "Internal_VRF12"
set dstintf "wan1_VRF12"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 13
set name "VRF12_to_VRF_Leaking_Route"
set uuid 92bccf8e-b27b-51eb-3c56-6d5259af6299
set srcintf "Internal_VRF12"
set dstintf "vlink0_Vlan_12"
set srcaddr "all"
set dstaddr "all"
set action accept


set schedule "always"


set service "ALL"
set logtraffic all
next
edit 14
set name "VRF_Leaking_Route_to_VRF12"
set srcintf "vlink0_Vlan_12"
set dstintf "Internal_VRF12"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end

In the GUI, go to Policy & Objects > Firewall Policy to view the policies.

To check the results:

1. On the FortiGate, check the routing table to see each VRF:


# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0


C 10.6.30.0/24 is directly connected, mgmt

Routing table for VRF=10


S* 0.0.0.0/0 [10/0] via 202.100.10.254, wan1_VRF10
C 10.1.1.0/30 is directly connected, vlink0_Vlan_10
C 172.16.10.0/24 is directly connected, Internal_VRF10
S 172.16.11.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
S 172.16.12.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
C 202.100.10.0/24 is directly connected, wan1_VRF10

Routing table for VRF=11


S* 0.0.0.0/0 [10/0] via 202.100.11.254, wan1_VRF11
C 11.1.1.0/30 is directly connected, vlink0_Vlan_11
S 172.16.10.0/24 [10/0] via 11.1.1.2, vlink0_Vlan_11
C 172.16.11.0/24 is directly connected, Internal_VRF11
S 172.16.12.0/24 [10/0] via 11.1.1.2, vlink0_Vlan_11
C 202.100.11.0/24 is directly connected, wan1_VRF11

Routing table for VRF=12


S* 0.0.0.0/0 [10/0] via 202.100.12.254, wan1_VRF12
C 12.1.1.0/30 is directly connected, vlink0_Vlan_12
S 172.16.10.0/24 [10/0] via 12.1.1.2, vlink0_Vlan_12
S 172.16.11.0/24 [10/0] via 12.1.1.2, vlink0_Vlan_12
C 172.16.12.0/24 is directly connected, Internal_VRF12


C 202.100.12.0/24 is directly connected, wan1_VRF12

Routing table for VRF=31


C 10.1.1.0/30 is directly connected, vlink1_Vlan_10
C 11.1.1.0/30 is directly connected, vlink1_Vlan_11
C 12.1.1.0/30 is directly connected, vlink1_Vlan_12
S 172.16.10.0/24 [10/0] via 10.1.1.1, vlink1_Vlan_10
S 172.16.11.0/24 [10/0] via 11.1.1.1, vlink1_Vlan_11
S 172.16.12.0/24 [10/0] via 12.1.1.1, vlink1_Vlan_12

2. From the FW10-PC:


# ifconfig ens32
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.10.100 netmask 255.255.255.0 broadcast 172.16.10.255
inet6 fe80::dbed:c7fe:170e:e61c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:2a:3a:17 txqueuelen 1000 (Ethernet)
RX packets 1632 bytes 160001 (156.2 KiB)
RX errors 0 dropped 52 overruns 0 frame 0
TX packets 2141 bytes 208103 (203.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.10.1 0.0.0.0 UG 100 0 0 ens32
172.16.10.0 0.0.0.0 255.255.255.0 U 100 0 0 ens32
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0

a. Ping a public IP address through VRF10:


# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=4.33 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=4.17 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=4.04 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.049/4.188/4.336/0.117 ms

b. Ping the internet gateway through VRF10:


# ping 202.100.10.254
PING 202.100.10.254 (202.100.10.254) 56(84) bytes of data.
64 bytes from 202.100.10.254: icmp_seq=1 ttl=254 time=0.294 ms
64 bytes from 202.100.10.254: icmp_seq=2 ttl=254 time=0.225 ms
64 bytes from 202.100.10.254: icmp_seq=3 ttl=254 time=0.197 ms
^C
--- 202.100.10.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.197/0.238/0.294/0.044 ms

c. Ping the FW11-PC on VRF11 from VRF10:


# ping 172.16.11.100
PING 172.16.11.100 (172.16.11.100) 56(84) bytes of data.
64 bytes from 172.16.11.100: icmp_seq=1 ttl=61 time=0.401 ms
64 bytes from 172.16.11.100: icmp_seq=2 ttl=61 time=0.307 ms


64 bytes from 172.16.11.100: icmp_seq=3 ttl=61 time=0.254 ms


64 bytes from 172.16.11.100: icmp_seq=4 ttl=61 time=0.277 ms
64 bytes from 172.16.11.100: icmp_seq=5 ttl=61 time=0.262 ms
^C
--- 172.16.11.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.254/0.300/0.401/0.054 ms

3. On the FortiGate, sniff traffic between VRF10 and VRF11:


# diagnose sniffer packet any "icmp and host 172.16.11.100" 4 l 0
interfaces=[any]
filters=[icmp and host 172.16.11.100]
10.086656 Internal_VRF10 in 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086705 vlink0_Vlan_10 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086706 npu0_vlink0 out 172.16.10.100 -> 172.16.11.100: icmp: echo request

10.086711 vlink1_Vlan_10 in 172.16.10.100 -> 172.16.11.100: icmp: echo request


10.086739 vlink1_Vlan_11 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086740 npu0_vlink1 out 172.16.10.100 -> 172.16.11.100: icmp: echo request

10.086744 vlink0_Vlan_11 in 172.16.10.100 -> 172.16.11.100: icmp: echo request


10.086929 Internal_VRF11 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086930 internal out 172.16.10.100 -> 172.16.11.100: icmp: echo request

10.087053 Internal_VRF11 in 172.16.11.100 -> 172.16.10.100: icmp: echo reply


10.087061 vlink0_Vlan_11 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087062 npu0_vlink0 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply

10.087066 vlink1_Vlan_11 in 172.16.11.100 -> 172.16.10.100: icmp: echo reply


10.087071 vlink1_Vlan_10 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087072 npu0_vlink1 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply

10.087076 vlink0_Vlan_10 in 172.16.11.100 -> 172.16.10.100: icmp: echo reply


10.087176 Internal_VRF10 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087177 internal out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
^C
20 packets received by filter
0 packets dropped by kernel
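
A leaked route is only usable if, at every VRF the packet crosses, a route exists and a firewall policy permits the hop; that is why
the BGP route-leaking example above needs step 5 and why this static example needs the core zone and per-VRF policies. The following
Python script is an added illustration, not FortiOS code or part of this guide. It parses routing-table output (abridged from the
`get router info routing-table all` output above), models the VDOM-link VLAN pairs and the accept policies configured in this example
(the LINK_PEER, ZONES and POLICIES values are hand-built from that configuration), and traces a packet from Internal_VRF10 to FW11-PC
hop by hop. Each hop is one routing decision inside the FortiGate, which is why the ping reply above arrives with ttl=61 (64 minus 3).

```python
import ipaddress
import re
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    nexthop: Optional[str]          # None for a directly connected route
    interface: str

# Constructed input: abridged from the `get router info routing-table all` output above.
ROUTING_TABLE = """\
Routing table for VRF=10
S*      0.0.0.0/0 [10/0] via 202.100.10.254, wan1_VRF10
C       10.1.1.0/30 is directly connected, vlink0_Vlan_10
C       172.16.10.0/24 is directly connected, Internal_VRF10
S       172.16.11.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
C       202.100.10.0/24 is directly connected, wan1_VRF10

Routing table for VRF=11
C       11.1.1.0/30 is directly connected, vlink0_Vlan_11
S       172.16.10.0/24 [10/0] via 11.1.1.2, vlink0_Vlan_11
C       172.16.11.0/24 is directly connected, Internal_VRF11

Routing table for VRF=31
C       10.1.1.0/30 is directly connected, vlink1_Vlan_10
C       11.1.1.0/30 is directly connected, vlink1_Vlan_11
S       172.16.10.0/24 [10/0] via 10.1.1.1, vlink1_Vlan_10
S       172.16.11.0/24 [10/0] via 11.1.1.1, vlink1_Vlan_11
"""

ROUTE_RE = re.compile(
    r"^\S+\s+(?P<prefix>\S+/\d+)\s+(?:\[\d+/\d+\] via (?P<nexthop>\S+), (?P<via_if>\S+)"
    r"|is directly connected, (?P<conn_if>\S+))")

def parse_routing_table(text):
    """Split FortiOS routing-table output into {vrf_id: [Route, ...]}."""
    tables, vrf = {}, None
    for line in text.splitlines():
        header = re.match(r"Routing table for VRF=(\d+)", line)
        if header:
            vrf = int(header.group(1))
            tables[vrf] = []
        elif (m := ROUTE_RE.match(line)) and vrf is not None:
            tables[vrf].append(Route(ipaddress.ip_network(m["prefix"]),
                                     m["nexthop"], m["via_if"] or m["conn_if"]))
    return tables

def lookup(table, dst):
    """Longest-prefix match inside one VRF table (None if no route)."""
    dst = ipaddress.ip_address(dst)
    return max((r for r in table if dst in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)

# Hand-built from this example: each VLAN on npu0_vlink0 is wired to the same VLAN on
# npu0_vlink1, and these are the accept policies configured above (name, srcintf, dstintf).
LINK_PEER = {f"vlink0_Vlan_{v}": f"vlink1_Vlan_{v}" for v in (10, 11, 12)}
LINK_PEER.update({b: a for a, b in LINK_PEER.items()})
ZONES = {"Core-VRF-Router": {"vlink1_Vlan_10", "vlink1_Vlan_11", "vlink1_Vlan_12"}}
INTRAZONE_ALLOW = {"Core-VRF-Router"}
POLICIES = [
    ("any_to_core_vrf31", "any", "Core-VRF-Router"),
    ("core_vrf31_to_any", "Core-VRF-Router", "any"),
    ("VRF10_to_Internet_Policy", "Internal_VRF10", "wan1_VRF10"),
    ("VRF10_to_VRF_Leaking_Route", "Internal_VRF10", "vlink0_Vlan_10"),
    ("VRF_Leaking_Route_to_VRF10", "vlink0_Vlan_10", "Internal_VRF10"),
    ("VRF11_to_Internet_Policy", "Internal_VRF11", "wan1_VRF11"),
    ("VRF11_to_VRF_Leaking_Route", "Internal_VRF11", "vlink0_Vlan_11"),
    ("VRF_Leaking_Route_to_VRF11", "vlink0_Vlan_11", "Internal_VRF11"),
]

def zone_of(intf):
    return next((z for z, members in ZONES.items() if intf in members), intf)

def policy_allows(src_if, dst_if, policies=POLICIES):
    """True if an accept policy, or the zone's intrazone allow, covers src_if -> dst_if."""
    src, dst = zone_of(src_if), zone_of(dst_if)
    if src == dst and src in INTRAZONE_ALLOW:
        return True
    return any(s in (src, "any") and d in (dst, "any") for _, s, d in policies)

TABLES = parse_routing_table(ROUTING_TABLE)

def trace(ingress, dst, tables=TABLES, policies=POLICIES):
    """Return the (vrf, ingress_if, egress_if) hops a packet takes inside the FortiGate."""
    vrf_of = {r.interface: vrf for vrf, routes in tables.items() for r in routes}
    hops, cur = [], ingress
    while True:
        vrf = vrf_of[cur]
        route = lookup(tables[vrf], dst)
        if route is None:
            raise LookupError(f"VRF {vrf}: no route to {dst}")
        if not policy_allows(cur, route.interface, policies):
            raise PermissionError(f"VRF {vrf}: no policy allows {cur} -> {route.interface}")
        hops.append((vrf, cur, route.interface))
        if route.nexthop is None or route.interface not in LINK_PEER:
            return hops                      # delivered on a connected net, or leaves via WAN
        cur = LINK_PEER[route.interface]     # re-enters on the other end of the VDOM link
```

Calling trace("Internal_VRF10", "172.16.11.100") returns three hops, VRF 10, VRF 31 and VRF 11, matching the sniffer output
above. Removing a single policy (for example VRF_Leaking_Route_to_VRF11) makes the trace fail with PermissionError at the last
hop even though every routing table still holds the leaked prefix, which is the isolation guarantee the policies provide. Note
that the core policies in this example use "any" as source or destination, so any interface that can route into the core zone
is permitted; a tighter deployment would name the vlink0 interfaces explicitly.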

VRF with IPv6

IPv6 routes support VRF. Static, connected, OSPF, and BGP routes can be isolated in different VRFs. BGP IPv6 routes
can be leaked from one VRF to another.
config router bgp
config vrf-leak6
edit <origin vrf-id>
config target
edit <target vrf-id>
set route-map <route-map>
set interface <interface>
next
end
next


end
end

The origin or target VRF ID is an integer value from 0 - 31.


config router static6
edit <id>
set vrf <vrf-id>
next
end

Using a VRF leak on BGP

In this example, the route 2000:5:5:5::/64 learned from Router 1 is leaked to VRF 20 through the interface vlan552.
Conversely, the route 2009:3:3:3::/64 learned from Router 2 is leaked to VRF 10 through interface vlan55.

To configure VRF leaking in BGP:

1. Configure the BGP neighbors:


config router bgp
set as 65412
config neighbor
edit "2000:10:100:1::1"
set activate disable
set remote-as 20
set update-source "R150"
next
edit "2000:10:100:1::5"
set activate disable
set soft-reconfiguration enable
set interface "R160"
set remote-as 20
next
end
end

2. Configure the VLAN interfaces:


config system interface
edit "vlan55"
set vdom "root"
set vrf 10
set ip 55.1.1.1 255.255.255.0


set device-identification enable


set role lan
set snmp-index 51
config ipv6
set ip6-address 2000:55::1/64
end
set interface "npu0_vlink0"
set vlanid 55
next
edit "vlan552"
set vdom "root"
set vrf 20
set ip 55.1.1.2 255.255.255.0
set device-identification enable
set role lan
set snmp-index 53
config ipv6
set ip6-address 2000:55::2/64
end
set interface "npu0_vlink1"
set vlanid 55
next
end

3. Configure the IPv6 prefixes:


config router prefix-list6
edit "1"
config rule
edit 1
set prefix6 2000:5:5:5::/64
unset ge
unset le
next
end
next
edit "2"
config rule
edit 1
set prefix6 2009:3:3:3::/64
unset ge
unset le
next
end
next
end

4. Configure the route maps:


config router route-map
edit "from106"
config rule
edit 1
set match-ip6-address "1"
next
end
next


edit "from206"
config rule
edit 1
set match-ip6-address "2"
next
end
next
end

5. Configure the IPv6 route leaking (leak route 2000:5:5:5::/64 learned from Router 1 to VRF 20, then leak route
2009:3:3:3::/64 learned from Router 2 to VRF 10):
config router bgp
config vrf-leak6
edit "10"
config target
edit "20"
set route-map "from106"
set interface "vlan55"
next
end
next
edit "20"
config target
edit "10"
set route-map "from206"
set interface "vlan552"
next
end
next
end
end

To verify the VRF leaking:

1. Check the routing table before the leak:


# get router info6 routing-table bgp
Routing table for VRF=10
B 2000:5:5:5::/64 [20/0] via fe00::2000:0000:0000:00, R150, 00:19:45

Routing table for VRF=20


B 2008:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:18:49
B 2009:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:18:49

2. Check the routing table after the leak:


# get router info6 routing-table bgp
Routing table for VRF=10
B 2000:5:5:5::/64 [20/0] via fe00::2000:0000:0000:0, R150, 00:25:45
B 2009:3:3:3::/64 [20/0] via fe80::10:0000:0000:4245, vlan55, 00:00:17

Routing table for VRF=20


B 2000:5:5:5::/64 [20/0] via fe80::10:0000:0000:4244, vlan552, 00:00:16
B 2008:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:24:49
B 2009:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:24:49


Using VRF on a static route

In this example, a VRF is defined on static route 22 so that it will only appear in the VRF 20 routing table.

To configure the VRF on the static route:

config router static6


edit 22
set dst 2010:2:2:2::/64
set blackhole enable
set vrf 20
next
end

IBGP and EBGP support in VRF

Support is included for internal and external border gateway protocols (IBGP and EBGP) in virtual routing and forwarding
(VRF).
FortiGate can establish neighbor connections with other FortiGates or routers, and the learned routes are put into
different VRF tables according to the neighbor's settings.
This example uses the following topology:

l BGP routes learned from the Router1 neighbor are put into vrf10.
l BGP routes learned from the Router2 neighbor are put into vrf20.

To configure this example:

config system interface


edit port1
set vrf 10
next
edit port2
set vrf 20
next
end
config router bgp
config neighbor
edit "192.168.1.1"


set update-source port1


next
edit "192.168.2.1"
set interface port2
next
end
end

Results

Using the above topology:


l Both Router1 and Router2 establish OSPF and BGP neighbor relationships with the FortiGate.
l Router1 advertises 10.10.1.0/24 into OSPF and 10.10.2.0/24 into BGP.
l Router2 advertises 20.20.1.0/24 into OSPF and 20.20.2.0/24 into BGP.
When no VRF is set on port1 and port2, all of the routes are in VRF=0:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0


S* 0.0.0.0/0 [5/0] via 10.0.1.254, port9
C 10.0.1.0/24 is directly connected, port9
O 10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B 10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
O 20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B 20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C 192.168.1.0/24 is directly connected, port1
C 192.168.2.0/24 is directly connected, port2

After VRFs are assigned to port1 and port2, the BGP routes are placed in the VRF tables along with the OSPF and connected routes:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0


S* 0.0.0.0/0 [5/0] via 10.0.1.254, port9
C 10.0.1.0/24 is directly connected, port9

Routing table for VRF=10


O 10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B 10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
C 192.168.1.0/24 is directly connected, port1

Routing table for VRF=20


O 20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05


B 20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31


C 192.168.2.0/24 is directly connected, port2

BGP neighbor groups

This feature is also supported in the BGP neighbor groups. For example:
config router bgp
config neighbor-group
edit "FGT"
set update-source "port1"
next
end
config neighbor-range
edit 1
set prefix 172.16.201.0 255.255.255.0
set neighbor-group "FGT"
next
end
end

Note that the set interface command is not supported for neighbor groups; use set update-source, as above.

NetFlow

NetFlow allows you to collect IP network traffic statistics for an interface, and then export those statistics for analysis.
NetFlow samplers, which sample every packet, are configured per interface. Full NetFlow is supported through the
information maintained in the firewall session.

To configure NetFlow:

config system netflow


set collector-ip <ip>
set collector-port <port>
set source-ip <ip>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
set template-tx-timeout <integer>
set template-tx-counter <integer>
end

collector-ip <ip>                 Collector IP address.
collector-port <port>             NetFlow collector port number (0 - 65535).
source-ip <ip>                    Source IP address for communication with the NetFlow agent.
active-flow-timeout <integer>     Timeout to report active flows, in minutes (1 - 60, default = 30).
inactive-flow-timeout <integer>   Timeout for periodic report of finished flows, in seconds (10 - 600, default = 15).
template-tx-timeout <integer>     Timeout for periodic template flowset transmission, in minutes (1 - 1440, default = 30).
template-tx-counter <integer>     Counter of flowset records before resending a template flowset record (10 - 6000, default = 20).

To configure NetFlow in a specific VDOM:

config vdom
edit <vdom>
config system vdom-netflow
set vdom-netflow enable
set collector-ip <ip>
set collector-port <port>
set source-ip <ip>
end
next
end

To configure a NetFlow sampler on an interface:

config system interface


edit <interface>
set netflow-sampler {disable | tx | rx | both}
next
end

disable Disable the NetFlow protocol on this interface (default).


tx Monitor transmitted traffic on this interface.
rx Monitor received traffic on this interface.
both Monitor transmitted/received traffic on this interface.

Verification and troubleshooting

If data are not seen on the NetFlow collector after it has been configured, use the following sniffer commands to verify if
the FortiGate and the collector are communicating:
l By collector port:
# diagnose sniffer packet 'port <collector-port>' 6 0 a

l By collector IP address:
# diagnose sniffer packet 'host <collector-ip>' 6 0 a

NetFlow uses the sflow daemon. The current NetFlow configuration can be viewed using test level 3 or 4:
# diagnose test application sflowd 3
# diagnose test application sflowd 4
Netflow Cache Stats:
vdoms=1 Collectors=1 Cached_intf=2 Netflow_enabled_intf=1 Live_sessions=0 Session cache max
count:71950


NetFlow templates

NetFlow uses templates to capture and categorize the data that it collects. FortiOS supports the following NetFlow
templates:

Name Template ID Description

STAT_OPTIONS 256 Statistics information about exporter

APP_ID_OPTIONS 257 Application information

IPV4 258 No NAT IPv4 traffic

IPV6 259 No NAT IPv6 traffic

ICMP4 260 No NAT ICMPv4 traffic

ICMP6 261 No NAT ICMPv6 traffic

IPV4_NAT 262 Source/Destination NAT IPv4 traffic

IPV4_AF_NAT 263 AF NAT IPv4 traffic (4->6)

IPV6_NAT 264 Source/Destination NAT IPv6 traffic

IPV6_AF_NAT 265 AF NAT IPv6 traffic (6->4)

ICMP4_NAT 266 Source/Destination NAT ICMPv4 traffic

ICMP4_AF_NAT 267 AF NAT ICMPv4 traffic (4->6)

ICMP6_NAT 268 Source/Destination NAT ICMPv6 traffic

ICMPv6_AF_NAT 269 AF NAT ICMPv6 traffic (6->4)

256 - STAT_OPTIONS

Description Statistics information about exporter

Scope Field Count 1

Data Field Count 7

Option Scope Length 4

Option Length 28

Padding 0000

Scope fields

Field # Field Type Length

1 System System (1) 2


Data fields

Field # Field Type Length

1 TOTAL_BYTES_EXP TOTAL_BYTES_EXP (40) 8

2 TOTAL_PKTS_EXP TOTAL_PKTS_EXP (41) 8

3 TOTAL_FLOWS_EXP TOTAL_FLOWS_EXP (42) 8

4 FLOW_ACTIVE_TIMEOUT FLOW_ACTIVE_TIMEOUT (36) 2

5 FLOW_INACTIVE_TIMEOUT FLOW_INACTIVE_TIMEOUT (37) 2

6 SAMPLING_INTERVAL SAMPLING_INTERVAL (34) 4

7 SAMPLING_ALGORITHM SAMPLING_ALGORITHM (35) 1

257 - APP_ID_OPTIONS

Description           Application information
Scope Field Count     1
Data Field Count      4
Option Scope Length   4
Option Length         16
Padding               0000

Scope fields

Field #   Field                    Type                           Length
1         System                   System (1)                     2

Data fields

Field #   Field                    Type                           Length
1         APPLICATION_ID           APPLICATION_ID (95)            9
2         APPLICATION_NAME         APPLICATION_NAME (96)          64
3         APPLICATION_DESC         APPLICATION_DESC (94)          64
4         applicationCategoryName  applicationCategoryName (372)  32

258 - IPV4

Description        No NAT IPv4 traffic
Data Field Count   17

Data fields

Field #   Field                    Type                           Length
1         BYTES                    BYTES (1)                      8
2         OUT_BYTES                OUT_BYTES (23)                 8
3         PKTS                     PKTS (2)                       4
4         OUT_PKTS                 OUT_PKTS (24)                  4
5         FIRST_SWITCHED           FIRST_SWITCHED (22)            4
6         LAST_SWITCHED            LAST_SWITCHED (21)             4
7         L4_SRC_PORT              L4_SRC_PORT (7)                2
8         L4_DST_PORT              L4_DST_PORT (11)               2
9         INPUT_SNMP               INPUT_SNMP (10)                2
10        OUTPUT_SNMP              OUTPUT_SNMP (14)               2
11        PROTOCOL                 PROTOCOL (4)                   1
12        APPLICATION_ID           APPLICATION_ID (95)            9
13        FLOW_FLAGS               FLOW_FLAGS (65)                2
14        FORWARDING_STATUS        FORWARDING_STATUS (89)         1
15        flowEndReason            flowEndReason (136)            1
16        IP_SRC_ADDR              IP_SRC_ADDR (8)                4
17        IP_DST_ADDR              IP_DST_ADDR (12)               4
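
A collector-side decoder for the template 258 (IPV4) record layout above, added here as an example; it is not FortiOS or Fortinet code. The sample FlowSet and its flow values are constructed, and fields whose length is not 1, 2, 4 or 8 bytes (the 9-byte APPLICATION_ID) are returned raw.

```python
import ipaddress
import struct
# FortiOS template 258 (IPV4) as listed in the guide: (field, v9 type ID, length in bytes).
TEMPLATE_258_ID = 258
TEMPLATE_258 = [
    ("BYTES", 1, 8), ("OUT_BYTES", 23, 8), ("PKTS", 2, 4), ("OUT_PKTS", 24, 4), ("FIRST_SWITCHED", 22, 4),
    ("LAST_SWITCHED", 21, 4), ("L4_SRC_PORT", 7, 2), ("L4_DST_PORT", 11, 2), ("INPUT_SNMP", 10, 2),
    ("OUTPUT_SNMP", 14, 2), ("PROTOCOL", 4, 1), ("APPLICATION_ID", 95, 9), ("FLOW_FLAGS", 65, 2),
    ("FORWARDING_STATUS", 89, 1), ("flowEndReason", 136, 1), ("IP_SRC_ADDR", 8, 4), ("IP_DST_ADDR", 12, 4),
]
IPV4_FIELDS = {"IP_SRC_ADDR", "IP_DST_ADDR"}

def record_length(template):  # bytes per data record; 62 for template 258
    return sum(length for _, _, length in template)

def decode_record(template, data):
    """Decode one record: big-endian ints, dotted-quad IPv4, odd sizes kept as raw bytes."""
    if len(data) != record_length(template):
        raise ValueError("record is %d bytes, template needs %d" % (len(data), record_length(template)))
    out, off = {}, 0
    for name, _type_id, length in template:
        chunk, off = data[off:off + length], off + length
        if name in IPV4_FIELDS:
            out[name] = str(ipaddress.IPv4Address(chunk))
        elif length in (1, 2, 4, 8):
            out[name] = int.from_bytes(chunk, "big")
        else:                        # e.g. the 9-byte APPLICATION_ID
            out[name] = chunk
    return out

def decode_flowset(template, template_id, flowset):
    """Decode a v9 Data FlowSet: FlowSet ID, total length, records, then 0-3 bytes of padding."""
    set_id, set_len = struct.unpack("!HH", flowset[:4])
    if set_id != template_id or set_len != len(flowset):
        raise ValueError("FlowSet ID %d / length %d do not match" % (set_id, set_len))
    rec_len, body = record_length(template), flowset[4:]
    count, leftover = divmod(len(body), rec_len)
    if leftover > 3:                 # more than 4-byte alignment padding: layout mismatch
        raise ValueError("%d trailing bytes are not padding" % leftover)
    return [decode_record(template, body[i * rec_len:(i + 1) * rec_len]) for i in range(count)]

# Constructed sample: one record for a TCP flow 10.0.0.5:51000 -> 192.0.2.10:443.
SAMPLE_RECORD = (
    struct.pack("!QQIIII", 1500, 9000, 10, 12, 1000, 2000)   # BYTES .. LAST_SWITCHED
    + struct.pack("!HHHHB", 51000, 443, 3, 5, 6)             # ports, ifIndexes, PROTOCOL=6 (TCP)
    + b"\x00" * 9 + struct.pack("!HBB", 0, 0x40, 3)          # APPLICATION_ID, FLOW_FLAGS, fwd status, end reason
    + ipaddress.IPv4Address("10.0.0.5").packed + ipaddress.IPv4Address("192.0.2.10").packed
)
SAMPLE_FLOWSET = struct.pack("!HH", TEMPLATE_258_ID, 68) + SAMPLE_RECORD + b"\x00\x00"  # 4 + 62 bytes, padded to 68
```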

259 - IPV6

Description        No NAT IPv6 traffic
Data Field Count   17

Data fields

Field #   Field                    Type                           Length
1         BYTES                    BYTES (1)                      8
2         OUT_BYTES                OUT_BYTES (23)                 8
3         PKTS                     PKTS (2)                       4
4         OUT_PKTS                 OUT_PKTS (24)                  4
5         FIRST_SWITCHED           FIRST_SWITCHED (22)            4
6         LAST_SWITCHED            LAST_SWITCHED (21)             4
7         L4_SRC_PORT              L4_SRC_PORT (7)                2
8         L4_DST_PORT              L4_DST_PORT (11)               2
9         INPUT_SNMP               INPUT_SNMP (10)                2
10        OUTPUT_SNMP              OUTPUT_SNMP (14)               2
11        PROTOCOL                 PROTOCOL (4)                   1
12        APPLICATION_ID           APPLICATION_ID (95)            9
13        FLOW_FLAGS               FLOW_FLAGS (65)                2
14        FORWARDING_STATUS        FORWARDING_STATUS (89)         1
15        flowEndReason            flowEndReason (136)            1
16        IPV6_SRC_ADDR            IPV6_SRC_ADDR (27)             16
17        IPV6_DST_ADDR            IPV6_DST_ADDR (28)             16

260 - ICMP4

Description        No NAT ICMPv4 traffic
Data Field Count   16

Data fields

Field #   Field                    Type                           Length
1         BYTES                    BYTES (1)                      8
2         OUT_BYTES                OUT_BYTES (23)                 8
3         PKTS                     PKTS (2)                       4
4         OUT_PKTS                 OUT_PKTS (24)                  4
5         FIRST_SWITCHED           FIRST_SWITCHED (22)            4
6         LAST_SWITCHED            LAST_SWITCHED (21)             4
7         INPUT_SNMP               INPUT_SNMP (10)                2
8         OUTPUT_SNMP              OUTPUT_SNMP (14)               2
9         ICMP_TYPE                ICMP_TYPE (32)                 2
10        PROTOCOL                 PROTOCOL (4)                   1
11        APPLICATION_ID           APPLICATION_ID (95)            9
12        FLOW_FLAGS               FLOW_FLAGS (65)                2
13        FORWARDING_STATUS        FORWARDING_STATUS (89)         1
14        flowEndReason            flowEndReason (136)            1
15        IP_SRC_ADDR              IP_SRC_ADDR (8)                4
16        IP_DST_ADDR              IP_DST_ADDR (12)               4

261 - ICMP6

Description        No NAT ICMPv6 traffic
Data Field Count   16

Data fields

Field #   Field                    Type                           Length
1         BYTES                    BYTES (1)                      8
2         OUT_BYTES                OUT_BYTES (23)                 8
3         PKTS                     PKTS (2)                       4
4         OUT_PKTS                 OUT_PKTS (24)                  4
5         FIRST_SWITCHED           FIRST_SWITCHED (22)            4
6         LAST_SWITCHED            LAST_SWITCHED (21)             4
7         INPUT_SNMP               INPUT_SNMP (10)                2
8         OUTPUT_SNMP              OUTPUT_SNMP (14)               2
9         ICMP_TYPE                ICMP_TYPE (32)                 2
10        PROTOCOL                 PROTOCOL (4)                   1
11        APPLICATION_ID           APPLICATION_ID (95)            9
12        FLOW_FLAGS               FLOW_FLAGS (65)                2
13        FORWARDING_STATUS        FORWARDING_STATUS (89)         1
14        flowEndReason            flowEndReason (136)            1
15        IPV6_SRC_ADDR            IPV6_SRC_ADDR (27)             16
16        IPV6_DST_ADDR            IPV6_DST_ADDR (28)             16


262 - IPV4_NAT

Description        Source/Destination NAT IPv4 traffic
Data Field Count   21

Data fields

Field #   Field                    Type                           Length
1         BYTES                    BYTES (1)                      8
2         OUT_BYTES                OUT_BYTES (23)                 8
3         PKTS                     PKTS (2)                       4
4         OUT_PKTS                 OUT_PKTS (24)                  4
5         FIRST_SWITCHED           FIRST_SWITCHED (22)            4
6         LAST_SWITCHED            LAST_SWITCHED (21)             4
7         L4_SRC_PORT              L4_SRC_PORT (7)                2
8         L4_DST_PORT              L4_DST_PORT (11)               2
9         INPUT_SNMP               INPUT_SNMP (10)                2
10        OUTPUT_SNMP              OUTPUT_SNMP (14)               2
11        PROTOCOL                 PROTOCOL (4)                   1
12        APPLICATION_ID           APPLICATION_ID (95)            9
13        FLOW_FLAGS               FLOW_FLAGS (65)