
FortiOS - Administration Guide

Version 6.4.13
FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO GUIDE: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/training-certification
FORTINET TRAINING INSTITUTE: https://training.fortinet.com
FORTIGUARD CENTER: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]

July 25, 2023


FortiOS 6.4.13 Administration Guide
01-6413-607590-20230725
TABLE OF CONTENTS

Change Log 20
Getting started 21
Differences between models 21
Using the GUI 21
Connecting using a web browser 21
Menus 22
Tables 23
Entering values 25
Using the CLI 26
Connecting to the CLI 27
CLI basics 29
Command syntax 35
Subcommands 38
Permissions 40
FortiExplorer Management 40
Getting started with FortiExplorer 41
Connecting FortiExplorer to a FortiGate via WiFi 44
Running a security rating 45
Upgrading to FortiExplorer Pro 46
Basic administration 46
Basic configuration 47
Registration 49
FortiCare and FortiGate Cloud login 52
Transfer a device to another FortiCloud account 55
Configuration backups 57
Fortinet Developer Network access 61
LEDs 64
Alarm levels 68
Troubleshooting your installation 68
Zero touch provisioning 70
Zero touch provisioning with FortiDeploy 70
Zero touch provisioning with FortiManager 72
Dashboards and widgets 75
Using dashboards 75
Viewing device dashboards in the security fabric 77
Creating a fabric system and license dashboard 78
Using widgets 80
Changing the default dashboard template 81
Monitor dashboards and widgets 82
Static & Dynamic Routing Monitor 83
DHCP monitor 85
IPsec monitor 86
SSL-VPN monitor 88
Firewall Users Monitor 88

Implement a user device store to centralize device data 89
WiFi Dashboard 90
Device inventory 97
FortiView 102
FortiView monitors and widgets 102
Adding FortiView widgets 104
VDOMs and dashboards 106
FortiView interface 107
FortiView from disk 114
FortiView from FortiAnalyzer 116
FortiView from FortiGate Cloud 117
FortiView sources 118
FortiView Sessions 120
Viewing top websites and sources by category 124
Cloud application view 127
Viewing session information for a compromised host 138
Fortinet Security Fabric 140
Security Fabric settings and usage 140
Components 141
Configuring the root FortiGate and downstream FortiGates 144
Configuring FortiAnalyzer 150
Configuring FortiGate Cloud 152
Configuring FortiAnalyzer Cloud service 154
Configuring FortiManager 157
Configuring FortiManager Cloud service 158
Configuring FortiSandbox 160
Configuring FortiClient EMS 162
Synchronizing FortiClient EMS tags and configurations 168
Configuring FortiNAC 171
Configuring FortiAP and FortiSwitch 173
Configuring FortiMail 174
Configuring FortiVoice 176
Configuring additional devices 180
Using the Security Fabric 182
Deploying the Security Fabric 195
Synchronizing objects across the Security Fabric 203
Group address objects synchronized from FortiManager 212
Security Fabric over IPsec VPN 214
Leveraging LLDP to simplify security fabric negotiation 219
Configuring the Security Fabric with SAML 222
Configuring single-sign-on in the Security Fabric 222
CLI commands for SAML SSO 227
SAML SSO with pre-authorized FortiGates 228
Navigating between Security Fabric members with SSO 228
Integrating FortiAnalyzer management using SAML SSO 231
Integrating FortiManager management using SAML SSO 233
Advanced option - FortiGate SP changes 234
Advanced option - unique SAML attribute types 235

Security rating 238
Security Fabric score 242
Automation stitches 243
Creating automation stitches 243
Triggers 254
Actions 259
Execute a CLI script based on memory and CPU thresholds 294
Public and private SDN connectors 297
Getting started with public and private SDN connectors 298
AliCloud SDN connector using access key 302
AWS SDN connector using certificates 304
Azure SDN connector using service principal 310
Cisco ACI SDN connector using a standalone connector 311
ClearPass endpoint connector via FortiManager 313
GCP SDN connector using service account 317
IBM Cloud SDN connector using API keys 319
Kubernetes (K8s) SDN connectors 323
Nuage SDN connector using server credentials 337
OCI SDN connector using certificates 339
OpenStack SDN connector using node credentials 341
VMware ESXi SDN connector using server credentials 345
VMware NSX-T Manager SDN connector using NSX-T Manager credentials 347
Multiple concurrent SDN connectors 350
Filter lookup in SDN connectors 352
Support for wildcard SDN connectors in filter configurations 355
Endpoint/Identity connectors 357
Fortinet single sign-on agent 357
Poll Active Directory server 358
Symantec endpoint connector 358
RADIUS single sign-on agent 364
Exchange Server connector 367
Threat feeds 371
External resources file format 371
Configuring a threat feed 372
FortiGuard category threat feed 374
IP address threat feed 377
Domain name threat feed 380
Malware hash threat feed 381
Monitoring the Security Fabric using FortiExplorer for Apple TV 384
NOC and SOC example 385
Troubleshooting 395
Viewing a summary of all connected FortiGates in a Security Fabric 396
Diagnosing automation stitches 398
Network 402
Interfaces 402
Interface settings 403
Aggregation and redundancy 406
VLANs 408

Enhanced MAC VLANs 414
Inter-VDOM routing 417
Software switch 423
Hardware switch 425
Zone 428
Virtual Wire Pair 430
Virtual VLAN switch 431
Failure detection for aggregate and redundant interfaces 437
VLAN inside VXLAN 438
Virtual Wire Pair with VXLAN 440
QinQ 802.1Q in 802.1ad 442
QinQ 802.1Q in 802.1Q 443
Assign a subnet with the FortiIPAM service 445
Interface MTU packet size 452
One-arm sniffer 454
Captive portals 455
DNS 458
Important DNS CLI commands 458
DNS domain list 460
FortiGate DNS server 461
DDNS 464
DNS latency information 467
DNS over TLS 469
DNS troubleshooting 470
Explicit and transparent proxies 471
Explicit web proxy 471
FTP proxy 475
Transparent proxy 476
Proxy policy addresses 479
Proxy policy security profiles 487
Explicit proxy authentication 493
Transparent web proxy forwarding 499
Upstream proxy authentication in transparent proxy mode 500
Multiple dynamic header count 502
Restricted SaaS access 504
Explicit proxy and FortiSandbox Cloud 513
Proxy chaining (web proxy forwarding servers) 515
Agentless NTLM authentication for web proxy 520
Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers 523
Learn client IP addresses 524
DHCP servers and relays 525
Configure DHCP on the FortiGate 526
Default DHCP server for low-end FortiGates 527
Configuring the lease time 527
Configuring TFTP servers 528
Configuring the DHCP renew time 528
FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses 529
Breaking an address lease 529

Excluding addresses in DHCP 529
Viewing information about DHCP server connections 529
DHCP options 530
IP address assignment with relay agent information option 531
DHCP client options 533
Static routing 534
Routing concepts 535
Policy routes 547
Equal cost multi-path 549
Dual internet connections 553
Dynamic routing 559
RIP 560
OSPF 577
BGP 588
BFD 605
Multicast 609
Multicast routing and PIM support 609
Configuring multicast forwarding 610
FortiExtender 614
Adding a FortiExtender 614
Data plan profiles 616
Direct IP support for LTE/4G 618
LLDP reception 621
Virtual routing and forwarding 624
Implementing VRF 624
VRF routing support 626
Route leaking between VRFs 631
Route leaking between multiple VRFs 633
IBGP and EBGP support in VRF 643
NetFlow 646
Verification and troubleshooting 647
NetFlow templates 647
sFlow 660
Configuring sFlow 660
IPv6 662
IPv6 overview 662
IPv6 quick start 663
IPv6 configuration examples 667
SD-WAN 675
SD-WAN overview 675
SD-WAN components 675
SD-WAN designs and architectures 676
SD-WAN designs principles 677
SD-WAN quick start 679
Configuring the SD-WAN interface 680
Adding a static route 681
Selecting the implicit SD-WAN algorithm 681

Configuring firewall policies for SD-WAN 682
Link monitoring and failover 682
Results 683
Configuring SD-WAN in the CLI 687
SD-WAN zones 689
Performance SLA 694
Link health monitor 694
Factory default health checks 697
Health check options 699
Link monitoring example 702
SLA targets example 703
Health check packet DSCP marker support 705
Interface speedtest 705
Monitor performance SLA 707
SLA monitoring using the REST API 710
SD-WAN rules 713
Implicit rule 714
Best quality strategy 718
Lowest cost (SLA) strategy 721
Maximize bandwidth (SLA) strategy 724
Minimum number of links for a rule to take effect 727
Use MAC addresses in SD-WAN rules and policy routes 728
SD-WAN traffic shaping and QoS 729
SDN dynamic connector addresses in SD-WAN rules 734
Application steering using SD-WAN rules 737
DSCP tag-based traffic steering in SD-WAN 748
Advanced routing 759
Self-originating traffic 759
Using BGP tags with SD-WAN rules 764
BGP multiple path support 767
Controlling traffic with BGP route mapping and service rules 770
Applying BGP route-map to multiple BGP neighbors 776
VPN overlay 782
ADVPN and shortcut paths 783
SD-WAN monitor on ADVPN shortcuts 796
SD-WAN integration with OCVPN 797
Forward error correction on VPN overlay networks 804
Dual VPN tunnel wizard 807
Duplicate packets based on SD-WAN rules 808
Duplicate packets on other zone members 810
Advanced configuration 812
SD-WAN with FGCP HA 812
Configuring SD-WAN in an HA cluster using internal hardware switches 819
SD-WAN configuration portability 822
SD-WAN cloud on-ramp 828
Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM 829
Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway 834

Configuring the VIP to access the remote servers 837
Configuring the SD-WAN to steer traffic between the overlays 840
Verifying the traffic 845
Hub and spoke SD-WAN deployment example 852
Datacenter configuration 852
Branch configuration 857
Validation 861
Dynamic definition of SD-WAN routes 862
Adding another datacenter 863
Troubleshooting SD-WAN 864
Tracking SD-WAN sessions 864
Understanding SD-WAN related logs 865
SD-WAN related diagnose commands 868
SD-WAN bandwidth monitoring service 872
Using SNMP to monitor health check 874
System 878
Basic system settings 878
Advanced system settings 878
Operating modes 879
Administrators 881
Administrator profiles 881
Add a local administrator 884
Remote authentication for administrators 885
Password policy 887
Admin profile option for diagnose access 888
Associating a FortiToken to an administrator account 889
REST API administrator 890
SSO administrators 891
Firmware 892
Firmware maturity levels 892
Firmware upgrade notifications 893
Downloading a firmware image 894
Testing a firmware version 894
Upgrading the firmware 895
Downgrading to a previous firmware version 896
Installing firmware from system reboot 897
Restoring from a USB drive 899
Controlled upgrade 899
Settings 900
Default administrator password 900
Changing the host name 901
Setting the system time 901
Configuring ports 905
Setting the idle timeout time 905
Setting the password policy 906
Changing the view settings 906
Setting the administrator password retries and lockout time 907
TLS configuration 907

Controlling return path with auxiliary session 908
Email alerts 912
Trusted platform module support 915
Virtual Domains 917
Global and per-VDOM resources 918
Split-task VDOM mode 920
Multi VDOM mode 923
High Availability 942
FortiGate Clustering Protocol (FGCP) 943
FortiGate Session Life Support Protocol (FGSP) 943
VRRP 943
FGCP 943
FGSP 991
Using standalone configuration synchronization 1017
VRRP 1019
SNMP 1030
Interface access 1030
MIB files 1031
SNMP agent 1032
SNMP v1/v2c communities 1032
SNMP v3 users 1034
Important SNMP traps 1035
SNMP traps and query for monitoring DHCP pool 1037
Replacement messages 1038
Modifying replacement messages 1038
Replacement message images 1040
Replacement message groups 1041
FortiGuard 1044
Anycast 1045
Connection and OCSP stapling 1046
IPv6 FortiGuard connections 1048
Configuring FortiGuard updates 1048
Configuring a proxy server for FortiGuard updates 1049
Manual updates 1050
Automatic updates 1051
Sending malware statistics to FortiGuard 1053
Update server location 1053
Filtering 1054
Override FortiGuard servers 1055
Online security tools 1056
Anycast and unicast services 1056
Using FortiManager as a local FortiGuard server 1057
Cloud service communication statistics 1057
IoT detection service 1059
FortiAP query to FortiGuard IoT service to determine device details 1061
FDS-only ISDB package in firmware images 1062
License expiration 1063
Feature visibility 1065

Security feature presets 1065
Certificates 1065
Uploading a certificate using the GUI 1066
Uploading a certificate using the CLI 1069
Uploading a certificate using an API 1070
Procure and import a signed SSL certificate 1074
Microsoft CA deep packet inspection 1078
Provision a trusted certificate with Let's Encrypt 1083
Creating certificates with XCA 1086
Security 1094
BIOS-level signature and file integrity checking 1094
Real-time file system integrity checking 1098
Configuration scripts 1100
Workspace mode 1101
Custom languages 1102
RAID 1103
Conserve mode 1106
Proxy inspection in conserve mode 1107
Flow inspection in conserve mode 1107
Diagnostics 1108
Using APIs 1108
Token-based authentication 1109
Making an API call to retrieve information from the FortiGate 1109
Policy and Objects 1113
Policies 1113
Firewall policy parameters 1114
Profile-based NGFW vs policy-based NGFW 1115
NGFW policy mode application default service 1119
Application logging in NGFW policy mode 1121
Policy views and policy lookup 1122
Policy with source NAT 1124
Policy with destination NAT 1143
NAT64 policy and DNS64 (DNS proxy) 1159
NAT46 policy 1163
Local-in policies 1166
DoS protection 1169
Access control lists 1177
Mirroring SSL traffic in policies 1178
Inspection mode per policy 1180
OSPFv3 neighbor authentication 1183
Firewall anti-replay option per policy 1185
Enabling advanced policy options in the GUI 1185
Recognize anycast addresses in geo-IP blocking 1186
Matching GeoIP by registered and physical location 1187
Authentication policy extensions 1189
HTTP to HTTPS redirect for load balancing 1190
Use active directory objects directly in policies 1191
FortiGate Cloud / FDN communication through an explicit proxy 1195

No session timeout 1196
MAP-E support 1198
Address objects 1201
Address Types 1202
Address Group 1203
Subnet 1203
Dynamic policy — fabric devices 1204
IP range 1206
FQDN addresses 1207
Using wildcard FQDN addresses in firewall policies 1208
Geography based addresses 1210
IPv6 geography-based addresses 1213
Wildcard addressing 1215
Interface subnet 1215
Address group 1217
Address folder 1218
Address group exclusions 1219
FSSO dynamic address subtype 1221
ClearPass integration for dynamic address objects 1224
MAC addressed-based policies 1229
ISDB well-known MAC address list 1231
IPv6 MAC addresses and usage in firewall policies 1232
Protocol options 1235
Log oversized files 1235
RPC over HTTP 1235
Protocol port mapping 1235
Common options 1235
Web options 1236
Email options 1237
Traffic shaping 1237
Configuration methods 1238
Traffic shaping policy 1239
Traffic shaping policies 1240
Traffic shaping profiles 1243
Traffic shapers 1253
Global traffic prioritization 1263
DSCP matching and DSCP marking 1266
Examples 1270
Internet Service 1286
Using Internet Service in policy 1287
Using custom Internet Service in policy 1289
Using extension Internet Service in policy 1291
Global IP address information database 1294
IP reputation filtering 1296
Internet service groups in policies 1298
Allow creation of ISDB objects with regional information 1302
Internet service customization 1304

Security Profiles 1306
Inspection modes 1306
Flow mode inspection (default mode) 1307
Proxy mode inspection 1307
Inspection mode feature comparison 1309
Antivirus 1311
Protocol comparison between antivirus inspection modes 1312
Other antivirus differences between inspection modes 1312
Configuring an antivirus profile 1312
Proxy mode stream-based scanning 1317
Databases 1320
Content disarm and reconstruction 1321
FortiGuard outbreak prevention 1322
External malware block list 1324
Checking flow antivirus statistics 1326
CIFS support 1328
Using FortiSandbox with antivirus 1333
Using FortiSandbox Cloud with antivirus 1340
Web filter 1346
URL filter 1347
FortiGuard filter 1353
Credential phishing prevention 1359
Usage quota 1362
Web content filter 1364
Advanced filters 1 1367
Advanced filters 2 1370
Web filter statistics 1375
URL certificate blocklist 1376
DNS filter 1377
DNS filter behavior in proxy mode 1377
Configuring a DNS filter profile 1378
FortiGuard category-based DNS domain filtering 1382
Botnet C&C domain blocking 1385
DNS safe search 1389
Local domain filter 1391
DNS translation 1394
Applying DNS filter to FortiGate DNS server 1397
Troubleshooting for DNS filter 1398
Application control 1401
Configuring an application sensor 1402
Basic category filters and overrides 1403
Excluding signatures in application control profiles 1406
Port enforcement check 1408
Protocol enforcement 1408
SSL-based application detection over decrypted traffic in a sandwich topology 1410
Matching multiple parameters on application control signatures 1411
Intrusion prevention 1414
Signature-based defense 1415

Configuring an IPS sensor 1419
IPS configuration options 1421
IPS signature filter options 1426
IPS with botnet C&C IP blocking 1428
IPS sensor for IEC 61850 MMS protocol 1432
File filter 1434
Configuring a file filter profile 1436
Supported file types 1440
Email filter 1442
Protocol comparison between email filter inspection modes 1443
Configuring an email filter profile 1443
Local-based filters 1444
FortiGuard-based filters 1451
Third-party-based filters 1453
Filtering order 1454
Protocols and actions 1456
Configuring webmail filtering 1457
Data leak prevention 1458
Protocol comparison between DLP inspection modes 1459
Logging and blocking files by file name 1459
Basic DLP filter types 1459
DLP fingerprinting 1461
VoIP solutions 1465
General use cases 1466
SIP message inspection and filtering 1470
SIP pinholes 1472
SIP over TLS 1473
Custom SIP RTP port range support 1474
Voice VLAN auto-assignment 1476
ICAP 1477
ICAP configuration example 1478
ICAP response filtering 1480
Web application firewall 1483
Protecting a server running web applications 1483
SSL & SSH Inspection 1487
Certificate inspection 1487
Deep inspection 1489
Protecting an SSL server 1492
Handling SSL offloaded traffic from an external decryption device 1493
SSH traffic file scanning 1495
Redirect to WAD after handshake completion 1496
Custom signatures 1497
Configuring custom signatures 1497
Blocking applications with custom signatures 1499
Application groups in policies 1501
Overrides 1504
Web rating override 1504
Using local and remote categories 1511

Web profile override 1513
Profile groups 1517
VPN 1520
IPsec VPNs 1520
General IPsec VPN configuration 1520
Site-to-site VPN 1545
Remote access 1604
Aggregate and redundant VPN 1650
Overlay Controller VPN (OCVPN) 1690
ADVPN 1721
Other VPN topics 1755
VPN IPsec troubleshooting 1800
SSL VPN 1808
SSL VPN best practices 1808
SSL VPN quick start 1811
SSL VPN tunnel mode 1818
SSL VPN web mode 1827
SSL VPN authentication 1837
SSL VPN to IPsec VPN 1920
SSL VPN protocols 1931
Configuring OS and host check 1933
SSL VPN troubleshooting 1939
User & Authentication 1942
Endpoint control and compliance 1942
Per-policy disclaimer messages 1942
Compliance 1944
FortiGuard distribution of updated Apple certificates 1949
User definition and groups 1950
Users 1951
User groups 1953
Retail environment guest access 1960
User and user group timeouts 1963
LDAP servers 1964
Configuring an LDAP server 1964
Enabling Active Directory recursive search 1965
Configuring LDAP dial-in using a member attribute 1967
Configuring wildcard admin accounts 1968
Configuring least privileges for LDAP admin account authentication in Active Directory 1969
RADIUS servers 1970
Configuring a RADIUS server 1971
Using multiple RADIUS servers 1972
RADIUS AVPs and VSAs 1975
Restricting RADIUS user groups to match selective users on the RADIUS server 1977
Configuring RADIUS SSO authentication 1978
RSA ACE (SecurID) servers 1984
Support for Okta RADIUS attributes filter-Id and class 1989
Sending multiple RADIUS attribute values in a single RADIUS Access-Request 1991

Traffic shaping based on dynamic RADIUS VSAs 1991
TACACS+ servers 1998
SAML 2000
Outbound firewall authentication for a SAML user 2000
SAML SP for VPN authentication 2002
Outbound firewall authentication with Azure AD as a SAML IdP 2004
Authentication settings 2014
FortiTokens 2016
FortiToken Mobile quick start 2017
FortiToken Cloud 2025
Registering hard tokens 2025
Managing FortiTokens 2027
FortiToken Mobile Push 2029
Troubleshooting and diagnosis 2031
Configuring the maximum log in attempts and lockout period 2034
PKI 2034
Configuring a PKI user 2035
Configuring firewall authentication 2038
Creating a locally authenticated user account 2039
Creating a RADIUS-authenticated user account 2039
Creating an FSSO user group 2040
Creating a firewall user group 2042
Defining policy addresses 2042
Creating security policies 2043
FSSO 2044
FSSO polling connector agent installation 2047
FSSO using Syslog as source 2051
Wireless configuration 2055
Switch Controller 2056
Log and Report 2057
Viewing event logs 2057
Sample logs by log type 2059
Log buffer on FortiGates with an SSD disk 2078
Checking the email filter log 2081
Supported log types to FortiAnalyzer, FortiAnalyzer Cloud, FortiGate Cloud, and syslog 2082
Sending traffic logs to FortiAnalyzer Cloud 2082
Example 2082
Configuring multiple FortiAnalyzers on a multi-VDOM FortiGate 2084
Checking FortiAnalyzer connectivity 2086
Configuring multiple FortiAnalyzers (or syslog servers) per VDOM 2087
Source and destination UUID logging 2089
Logging the signal-to-noise ratio and signal strength per client 2090
RSSO information for authenticated destination users in logs 2093
Scenario 1 2093
Scenario 2 2094

Scenario 3 2095
Threat weight 2096
Configuring and debugging the free-style filter 2097
Troubleshooting 2099
Log-related diagnose commands 2099
Backing up log files or dumping log messages 2105
SNMP OID for logs that failed to send 2107
WAN optimization 2111
Features 2111
Protocol optimization 2111
Byte caching 2111
SSL offloading 2111
WAN optimization and HA 2111
Secure tunneling 2112
Prerequisites 2112
Disk usage 2112
Overview 2114
Client/server architecture 2114
Profiles 2114
Peers and authentication groups 2115
Tunnels 2116
Transparent mode 2118
Protocol optimization 2119
Cache service and video caching 2120
Manual and active-passive 2121
Monitoring performance 2122
System and feature operation with WAN optimization 2122
Best practices 2125
Example topologies 2125
In-path WAN optimization topology 2125
Out-of-path WAN optimization topology 2126
Topology for multiple networks 2126
Configuration examples 2127
Manual (peer-to-peer) WAN optimization configuration example 2128
Active-passive WAN optimization configuration example 2132
Secure tunneling configuration example 2137
Testing and troubleshooting the configuration 2143
VM 2147
Amazon Web Services 2147
Microsoft Azure 2147
Google Cloud Platform 2147
Oracle OCI 2147
AliCloud 2147
Private cloud 2147
VM license 2147
Uploading a license file 2148
Types of VM licenses 2149

Consuming a new vCPU 2150
CLI troubleshooting 2150
FortiGate multiple connector support 2153
Adding VDOMs with FortiGate v-series 2155
Terraform: FortiOS as a provider 2157
Troubleshooting 2162
PF and VF SR-IOV driver and virtual SPU support 2162
Using OCI IMDSv2 2163
FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs 2166
Troubleshooting 2169
Troubleshooting methodologies 2170
Verify user permissions 2170
Establish a baseline 2170
Create a troubleshooting plan 2172
Troubleshooting scenarios 2173
Checking the system date and time 2174
Checking the hardware connections 2175
Checking FortiOS network settings 2176
Troubleshooting CPU and network resources 2179
Troubleshooting high CPU usage 2180
Checking the modem status 2184
Running ping and traceroute 2185
Checking the logs 2188
Verifying routing table contents in NAT mode 2189
Verifying the correct route is being used 2190
Verifying the correct firewall policy is being used 2190
Checking the bridging information in transparent mode 2191
Checking wireless information 2192
Performing a sniffer trace and packet capture 2193
Debugging the packet flow 2196
Testing a proxy operation 2200
Displaying detail Hardware NIC information 2200
Performing a traffic trace 2203
Using a session table 2204
Finding object dependencies 2207
Diagnosing NPU-based interfaces 2208
Identifying the XAUI link used for a specific traffic stream 2209
Date and time settings 2210
Running the TAC report 2210
Other commands 2210
FortiGuard troubleshooting 2213
View open and in use ports 2217
Additional resources 2217
Fortinet Document Library 2218
Release notes 2218
Fortinet Video Library 2218
Fortinet Community 2218
Fortinet Training Institute 2218

Fortinet Support 2218

Change Log

Date        Change Description
2023-06-08  Initial release.
2023-06-15  Updated FGSP basic peer setup on page 994.
2023-06-30  Updated Explicit web proxy on page 471.
2023-07-25  Added BIOS-level signature and file integrity checking on page 1094 and Real-time file system integrity checking on page 1098.

Getting started

This section explains how to get started with a FortiGate.

Differences between models

Not all FortiGates have the same features, particularly entry-level models (models 30 to 90). A number of features on
these models are only available in the CLI.

Consult your model's QuickStart Guide, hardware manual, or the Feature / Platform Matrix for
further information about features that vary by model.

FortiGate models differ principally by the names used and the features available:
• Naming conventions may vary between FortiGate models. For example, on some models the hardware switch interface used for the local area network is called lan, while on other units it is called internal.
• Certain features are not available on all models. Additionally, a particular feature may be available only through the CLI on some models, while that same feature may be viewed in the GUI on other models.
If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature
Visibility and confirm that the feature is enabled. For more information, see Feature visibility on page 1065.

Using the GUI

This section presents an introduction to the graphical user interface (GUI) on your FortiGate.
The following topics are included in this section:
• Connecting using a web browser
• Menus
• Tables
• Entering values
For information about using the dashboards, see Dashboards and widgets on page 75.

Connecting using a web browser

In order to connect to the GUI using a web browser, an interface must be configured to allow administrative access over
HTTPS or over both HTTPS and HTTP. By default, an interface has already been set up that allows HTTPS access with
the IP address 192.168.1.99.
Browse to https://192.168.1.99 and enter your username and password. If you have not changed the admin account’s
password, use the default user name, admin, and leave the password field blank.


The GUI will now display in your browser, and you will be required to provide a password for the administrator account.

To use a different interface to access the GUI:

1. Go to Network > Interfaces and edit the interface you wish to use for access. Take note of its assigned IP address.
2. In Administrative Access, select HTTPS, and any other protocol you require. You can also select HTTP, although
this is not recommended as the connection will be less secure.
3. Click OK.
4. Browse to the IP address using your chosen protocol.
The GUI will now be displayed in your browser.
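The same administrative-access change, expressed in the FortiOS CLI rather than the GUI. This is an added example, not text from the guide: it assumes the management interface is named port1 (interface names vary by model, as noted above) and uses 192.168.1.0/24 as a constructed management subnet. It shows the setting the procedure advises against (HTTP enabled alongside HTTPS) beside the recommended HTTPS-only setting, sets the admin password that the GUI demands on first login, and, going one step beyond this section, restricts the admin account to logins from the management subnet with a trusted host entry.

```text
# Setting the guide advises against: plaintext HTTP administrative access
# in addition to HTTPS. Credentials and session cookies cross the network unencrypted.
config system interface
    edit "port1"
        set allowaccess https http ping
    next
end

# Recommended setting: HTTPS for the GUI (and SSH for the CLI) only; HTTP is not listed.
config system interface
    edit "port1"
        set allowaccess https ssh ping
    next
end

# The GUI requires a password for the admin account on first login; this is the
# CLI equivalent. Replace the placeholder with a strong password.
config system admin
    edit "admin"
        set password <REPLACE-WITH-STRONG-PASSWORD>
        # Beyond this section: only accept admin logins from the management subnet
        # (192.168.1.0/24 is a constructed example value).
        set trusthost1 192.168.1.0 255.255.255.0
    next
end

# Verify the resulting interface settings before closing the session you used to change them.
show system interface port1
```

Check the output of the final show command for the allowaccess line: if http still appears there, the plaintext path is still open.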

Menus

If you believe your FortiGate model supports a menu that does not appear in the GUI, go to
System > Feature Visibility and ensure the feature is enabled. For more information, see
Feature visibility on page 1065.

The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:

Dashboard: The dashboard displays various widgets that display important system information and allow you to configure some system options. For more information, see Dashboards and widgets on page 75.

Security Fabric: Access the physical topology, logical topology, automation, and settings of the Fortinet Security Fabric. For more information, see Fortinet Security Fabric on page 140.

Network: Options for networking, including configuring system interfaces and routing options. For more information, see Network on page 402.

System: Configure system settings, such as administrators, HA, FortiGuard, and certificates. For more information, see System on page 878.

Policy & Objects: Configure firewall policies, protocol options, and supporting content for policies, including schedules, firewall addresses, and traffic shapers. For more information, see Policy and Objects on page 1113.

Security Profiles: Configure your FortiGate's security features, including Antivirus, Web Filter, and Application Control. For more information, see Security Profiles on page 1306.

VPN: Configure options for IPsec and SSL virtual private networks (VPNs). For more information, see IPsec VPNs on page 1520 and SSL VPN on page 1808.

User & Authentication: Configure user accounts, groups, and authentication methods, including external authentication and single sign-on (SSO).

WiFi & Switch Controller: Configure the unit to act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi and FortiAP units. On certain FortiGate models, this menu has additional features allowing for FortiSwitch units to be managed by the FortiGate. For more information, see Wireless configuration on page 2055 and Switch Controller on page 2056.

Log & Report: Configure logging and alert email as well as reports. For more information, see Log and Report on page 2057.

Tables

Many GUI pages contain tables of information that can be filtered and customized to display specific information in a
specific way. Some tables allow content to be edited directly on that table, or rows to be copied and pasted.

Navigation

Some tables contain information and lists that span multiple pages. Navigation controls will be available at the bottom of
the page.

Filters

Filters are used to locate a specific set of information or content in a table. They can be particularly useful for locating
specific log entries. The filtering options vary, depending on the type of information in the log.
Depending on the table content, filters can be applied using the filter bar, using a column filter, or based on a cell's
content. Some tables allow filtering based on regular expressions.
Administrators with read and write access can define filters. Multiple filters can be applied at one time.

To manually create a filter:

1. Click Add Filter at the top of the table. A list of the fields available for filtering is shown.
2. Select the field to filter by.
3. Enter the value to filter by, adding modifiers as needed.
4. Press Enter to apply the filter.

To create a column filter:

1. Click the filter icon on the right side of the column header.
2. Choose a filter type from the available options.
3. Enter the filter text, or select from the available values.
4. Click Apply.

To create a filter based on a cell's content:

1. Right-click on a cell in the table.
2. Select a filtering option from the menu.


Column settings

Columns can be rearranged, resized, and added or removed from tables.

To add or remove columns:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Select columns to add or remove.
3. Click Apply.

To rearrange the columns in a table:

1. Click and drag the column header.

To resize a column:

1. Click and drag the right border of the column header.

To resize a column to fit its contents:

1. Click the dots or filter icon on the right side of the column header and select Resize to Contents.

To resize all of the columns in a table to fit their content:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Click Best Fit All Columns.

To reset a table to its default view:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Click Reset Table.
Resetting a table does not remove filters.

Editing objects

In some tables, parts of a configuration can be edited directly in the table. For example, security profiles can be added to
an existing firewall policy by clicking the edit icon in a cell in the Security Profiles column.

Copying rows

In some tables, rows can be copied and pasted using the right-click menu. For example, a policy can be duplicated by
copying and pasting it.


Entering values

Numerous fields in the GUI and CLI require text strings or numbers to be entered when configuring the FortiGate. When
entering values in the GUI, you will be prevented from entering invalid characters, and a warning message will be shown
explaining what values are not allowed. If invalid values are entered in a CLI command, the setting will be rejected when
you apply it.
- Text strings on page 25
- Numbers on page 26

Text strings

Text strings are used to name entities in the FortiGate configuration. For example, the names of firewall addresses,
administrators, and interfaces are all text strings.
The following characters cannot be used in text strings, as they present cross-site scripting (XSS) vulnerabilities:
- " - double quote
- ' - single quote
- > - greater than
- < - less than
Most GUI text fields prevent XSS-vulnerable characters from being added.

VDOM names and hostnames can only use numbers (0-9), letters (a-z and A-Z), dashes, and
underscores.

The tree CLI command can be used to view the number of characters allowed in a name field. For example, entering
the following command shows that a firewall address name can contain up to 80 characters, while its FQDN can contain
256 characters:
tree firewall address
-- [address] --*name (80)
        |- uuid
        |- subnet
        |- type
        |- sub-type
        |- clearpass-spt
        |- [macaddr] --*macaddr (128)
        |- start-ip
        |- end-ip
        |- fqdn (256)
        |- country (3)
        |- wildcard-fqdn (256)
        |- cache-ttl (0,86400)
        |- wildcard
        |- sdn (36)
        |- [fsso-group] --*name (512)
        |- interface (36)
        |- tenant (36)
        |- organization (36)
        |- epg-name (256)
        |- subnet-name (256)
        |- sdn-tag (16)
        |- policy-group (16)
        |- obj-tag (256)
        |- obj-type
        |- tag-detection-level (16)
        |- tag-type (64)
        |- dirty
        |- comment
        |- associated-interface (36)
        |- color (0,32)
        |- filter
        |- sdn-addr-type
        |- node-ip-only
        |- obj-id
        |- [list] --*ip (36)
                |- obj-id (128)
                +- net-id (128)
        |- [tagging] --*name (64)
                |- category (64)
                +- [tags] --*name (80)
        |- allow-routing
        +- fabric-object

Numbers

Numbers are used to set sizes, rates, addresses, port numbers, priorities, and other such numeric values. They can be
entered as a series of digits (without commas or spaces), in a dotted decimal format (such as IP addresses), or
separated by colons (such as MAC addresses). Most numeric values use base 10 numbers, while some use
hexadecimal values.
Most GUI and CLI fields prevent invalid numbers from being entered. The CLI help text includes information about the
range of values allowed for applicable settings.
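The character rules for text strings and the limits that tree prints can both be checked before a value is pushed to a device, for example by a provisioning script. The following Python script is an added example, not code from this guide or from Fortinet: it parses a constructed excerpt of the tree firewall address output above into a table of string lengths and numeric ranges, then validates candidate names, numbers and hostnames against them. The excerpt, the fields kept in it, the "table.field" key convention and the function names are this example's own choices.

```python
import re

# Constructed sample: a subset of the `tree firewall address` output reproduced
# in the guide. Indentation is not needed by the parser; string limits appear
# as (max) and numeric ranges as (min,max).
TREE_OUTPUT = """\
-- [address] --*name (80)
        |- uuid
        |- subnet
        |- type
        |- fqdn (256)
        |- country (3)
        |- cache-ttl (0,86400)
        |- [fsso-group] --*name (512)
        |- comment
        |- color (0,32)
        +- fabric-object
"""

# Characters the guide says cannot be used in text strings (XSS risk).
XSS_CHARS = frozenset('"\'<>')
# VDOM names and hostnames: digits, letters, dashes and underscores only.
NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")

# Matches "field (80)", "field (0,86400)" and table keys such as
# "[address] --*name (80)". Fields without a visible limit are skipped.
_LIMIT_RE = re.compile(
    r"(?:\[(?P<table>[\w-]+)\] --\*)?(?P<field>[\w-]+) \((?P<lo>\d+)(?:,(?P<hi>\d+))?\)\s*$"
)


def parse_tree(output):
    """Return {field: max_len} for strings and {field: (min, max)} for ranges.

    Table key fields are stored as "table.field" (assumed convention) so that
    nested tables sharing a key name (address.name vs fsso-group.name) do not
    overwrite each other.
    """
    limits = {}
    for line in output.splitlines():
        m = _LIMIT_RE.search(line)
        if not m:
            continue  # e.g. an enum such as "type": no length shown
        key = f"{m['table']}.{m['field']}" if m["table"] else m["field"]
        if m["hi"] is None:
            limits[key] = int(m["lo"])
        else:
            limits[key] = (int(m["lo"]), int(m["hi"]))
    return limits


def validate_string(value, max_len):
    """Problems with `value` as a text-string field of at most `max_len` chars."""
    problems = []
    bad = sorted(set(value) & XSS_CHARS)
    if bad:
        problems.append("contains XSS-vulnerable characters: " + "".join(bad))
    if len(value) > max_len:
        problems.append(f"length {len(value)} exceeds maximum {max_len}")
    return problems


def validate_number(value, limit):
    """Problems with `value` against a (min, max) range taken from tree output."""
    lo, hi = limit
    return [] if lo <= value <= hi else [f"{value} is outside the range {lo}-{hi}"]


def validate_hostname(value):
    """Hostnames and VDOM names use the stricter character set the guide gives."""
    if NAME_RE.match(value):
        return []
    return ["only 0-9, a-z, A-Z, dashes and underscores are allowed"]


if __name__ == "__main__":
    limits = parse_tree(TREE_OUTPUT)
    print(limits)
    print(validate_string('bad"name', limits["address.name"]))
    print(validate_number(90000, limits["cache-ttl"]))
    print(validate_hostname("fgt branch"))
```

Running the script on the full tree output of a real device instead of the embedded excerpt only requires pasting that output into TREE_OUTPUT; the parser ignores every line that carries no limit.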

Using the CLI

The Command Line Interface (CLI) can be used in lieu of the GUI to configure the FortiGate. Some settings are not
available in the GUI, and can only be accessed using the CLI.
This section briefly explains basic CLI usage. For more information about the CLI, see the FortiOS CLI Reference.
- Connecting to the CLI on page 27
- CLI basics on page 29
- Command syntax on page 35
- Subcommands on page 38
- Permissions on page 40


Connecting to the CLI

You can connect to the CLI using a direct console connection, SSH, the FortiExplorer app on your iOS device, or the CLI
console in the GUI.
You can access the CLI outside of the GUI in three ways:
- Console connection: Connect your computer directly to the console port of your FortiGate.
- SSH access: Connect your computer through any network interface attached to one of the network ports on your
FortiGate.
- FortiExplorer: Connect your device to the FortiExplorer app on your iOS device to configure, manage, and monitor
your FortiGate. See FortiExplorer Management on page 40 for details.
To open a CLI console, click the _> icon in the top right corner of the GUI. The console opens on top of the GUI. It can be
minimized and multiple consoles can be opened.
To edit policies and objects directly in the CLI, right-click on the element and select Edit in CLI.

Console connection

A direct console connection to the CLI is created by directly connecting your management computer or console to the
FortiGate using its DB-9 or RJ-45 console port.
Direct console access to the FortiGate may be required if:
- You are installing the FortiGate for the first time and it is not configured to connect to your network.
- You are restoring the firmware using a boot interrupt. Network access to the CLI will not be available until after the
boot process has completed, making direct console access the only option.
To connect to the FortiGate console, you need:
- A console cable to connect the console port on the FortiGate to a communications port on the computer. Depending
on your device, this is one of:
  - null modem cable (DB-9 to DB-9)
  - DB-9 to RJ-45 cable (a DB-9-to-USB adapter can be used)
  - USB to RJ-45 cable
- A computer with an available communications port
- Terminal emulation software

To connect to the CLI using a direct console connection:

1. Using the console cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your
management computer.
2. Start a terminal emulation program on the management computer, select the COM port, and use the following
settings:

Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None


3. Press Enter on the keyboard to connect to the CLI.
4. Log in to the CLI using your username and password (default: admin and no password).
You can now enter CLI commands, including configuring access to the CLI through SSH.

SSH access

SSH access to the CLI is accomplished by connecting your computer to the FortiGate using one of its network ports. You
can either connect directly, using a peer connection between the two, or through any intermediary network.

If you do not want to use an SSH client and you have access to the GUI, you can access the
CLI through the network using the CLI console in the GUI.

SSH must be enabled on the network interface that is associated with the physical network port that is used.
If your computer is not connected either directly or through a switch to the FortiGate, you must also configure the
FortiGate with a static route to a router that can forward packets from the FortiGate to the computer. This can be done
using a local console connection, or in the GUI.
To connect to the FortiGate CLI using SSH, you need:
- A computer with an available serial communications (COM) port and RJ-45 port
- An appropriate console cable
- Terminal emulation software
- A network cable
- Prior configuration of the operating mode, network interface, and static route.

To enable SSH access to the CLI using a local console connection:

1. Using the network cable, connect the FortiGate unit’s port either directly to your computer’s network port, or to a
network through which your computer can reach the FortiGate.
2. Note the number of the physical network port.
3. Using direct console connection, connect and log into the CLI.
4. Enter the following command:
config system interface
    edit <interface_str>
        append allowaccess ssh
    next
end

Where <interface_str> is the name of the network interface associated with the physical network port, such as
port1.
5. Confirm the configuration using the following command to show the interface’s settings:
show system interface <interface_str>

For example:
show system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 6
    next
end

Connecting using SSH

Once the FortiGate is configured to accept SSH connections, use an SSH client on your management computer to
connect to the CLI.
The following instructions use PuTTY. The steps may vary in other terminal emulators.

To connect to the CLI using SSH:

1. On your management computer, start PuTTY.
2. In the Host Name (or IP address) field, enter the IP address of the network interface that you are connected to and
that has SSH access enabled.
3. Set the port number to 22, if it is not set automatically.
4. Select SSH for the Connection type.
5. Click Open. The SSH client connects to the FortiGate.
The SSH client may display a warning if this is the first time that you are connecting to the FortiGate and its SSH key
is not yet recognized by the SSH client, or if you previously connected to the FortiGate using a different IP address
or SSH key. This is normal if the management computer is connected directly to the FortiGate with no network hosts
in between.
6. Click Yes to accept the FortiGate's SSH key.
The CLI displays the login prompt.
7. Enter a valid administrator account name, such as admin, then press Enter.
8. Enter the administrator account password, then press Enter.
The CLI console shows the command prompt (FortiGate hostname followed by a #). You can now enter
CLI commands.

If three incorrect login or password attempts occur in a row, you will be disconnected. If this
occurs, wait for one minute, then reconnect and attempt to log in again.

CLI basics

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

Help

Press the question mark (?) key to display command help and complete commands.
- Press the question mark (?) key at the command prompt to display a list of the commands available and a
description of each command.


- Enter a command followed by a space and press the question mark (?) key to display a list of the options available
for that command and a description of each option.
- Enter a command followed by an option and press the question mark (?) key to display a list of additional options
available for that command option combination and a description of each option.
- Enter a question mark after entering a portion of a command to see a list of valid complete commands and their
descriptions. If there is only one valid command, it will be automatically filled in.

Shortcuts and key commands

?: List valid complete or subsequent commands. If multiple commands can complete the command, they are listed with
their descriptions.

Tab: Complete the word with the next available match. Press multiple times to cycle through available matches.

Up arrow or Ctrl + P: Recall the previous command. Command memory is limited to the current session.

Down arrow or Ctrl + N: Recall the next command.

Left or Right arrow: Move the cursor left or right within the command line.

Ctrl + A: Move the cursor to the beginning of the command line.

Ctrl + E: Move the cursor to the end of the command line.

Ctrl + B: Move the cursor backwards one word.

Ctrl + F: Move the cursor forwards one word.

Ctrl + D: Delete the current character.

Ctrl + C: Abort current interactive commands, such as when entering multiple lines. If you are not currently within an
interactive command such as config or edit, this closes the CLI connection.

\ then Enter: Continue typing a command on the next line for a multiline command. For each line that you want to
continue, terminate it with a backslash ( \ ). To complete the command, enter a space instead of a backslash, and then
press Enter.

Command tree

Enter tree to display the CLI command tree. To capture the full output, connect to your device using a terminal
emulation program and capture the output to a log file. For some commands, use the tree command to view all
available variables and subcommands.


Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters.
For example, the command get system status could be abbreviated to g sy stat.
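The abbreviation rule is easy to state but worth seeing in action, including the case where a prefix is not unique. The following Python script is an added example, not Fortinet code: it resolves abbreviated command lines against a small constructed command vocabulary (an assumption: only a handful of commands are included, not the real command tree) and reports ambiguity instead of guessing.

```python
# Constructed vocabulary: a tiny subset of the FortiOS command tree, enough to
# show how unambiguous prefixes are resolved. Assumption: not the full tree.
COMMAND_TREE = {
    "get": {
        "system": {"status": {}, "session": {}, "interface": {}},
        "hardware": {"nic": {}},
    },
    "show": {"system": {"interface": {}}},
    "config": {"system": {"global": {}, "interface": {}}},
    "diagnose": {"sys": {"session": {}}},
}


class AmbiguousCommand(ValueError):
    """Raised when an abbreviation matches more than one command word."""


def expand_word(word, choices):
    """Return the single command word in `choices` that `word` abbreviates.

    An exact match wins outright (so "sys" resolves even if "system" also
    started with it); otherwise exactly one candidate must share the prefix.
    """
    if word in choices:
        return word
    matches = sorted(c for c in choices if c.startswith(word))
    if not matches:
        raise ValueError(f"unknown command word: {word!r}")
    if len(matches) > 1:
        raise AmbiguousCommand(f"{word!r} could be any of: {', '.join(matches)}")
    return matches[0]


def expand_command(line, tree=COMMAND_TREE):
    """Expand an abbreviated command line, e.g. "g sy stat" -> "get system status"."""
    node = tree
    words = []
    for word in line.split():
        full = expand_word(word, node)
        words.append(full)
        node = node[full]  # descend so the next word is matched in context
    return " ".join(words)


def try_expand(line):
    """Expand, or return the error text so callers can show it to the user."""
    try:
        return expand_command(line)
    except ValueError as exc:  # AmbiguousCommand is a ValueError as well
        return str(exc)


if __name__ == "__main__":
    for cmd in ("g sy stat", "sh sy in", "get system s", "get foo"):
        print(f"{cmd!r:18} -> {try_expand(cmd)}")
```

Scripts that drive a device over SSH should send the expanded form, since an abbreviation that is unique today can become ambiguous after a firmware upgrade adds a command word.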

Adding and removing options from lists

When configuring a list, the set command replaces the previous configuration.
For example, if a user group currently includes members A, B, and C, the command set member D will remove
members A, B, and C. To keep the existing members in the group, the command set member A B C D
must be used.
To avoid this issue, the following commands are available:

append: Add an option to an existing list. For example, append member D adds user D to the user group without
removing any of the existing members.

select: Clear all of the options except for those specified. For example, select member B removes all members from
the group except for member B.

unselect: Remove an option from an existing list. For example, unselect member C removes only member C from the
group, without affecting the other members.

Environment variables

The following environment variables are supported by the CLI. Variable names are case-sensitive.

$USERFROM: The management access type (ssh, jsconsole, and so on) and the IPv4 address of the administrator
that configured the item.

$USERNAME: The account name of the administrator that configured the item.

$SerialNum: The serial number of the FortiGate.

For example, to set a FortiGate device's host name to its serial number, use the following CLI command:
config system global
    set hostname $SerialNum
end

Special characters

The following characters cannot be used in most CLI commands: <, >, (, ), #, ', and "
If one of those characters, or a space, needs to be entered as part of a string, it can be entered by using a special
command, enclosing the entire string in quotes, or preceding it with an escape character (backslash, \).
To enter a question mark (?) or a tab, Ctrl + V or Ctrl + Shift + - must be entered first.


Question marks and tabs cannot be copied into the CLI Console or some SSH clients. They
must be typed in.

?: Ctrl + V or Ctrl + Shift + - then ?

Tab: Ctrl + V then Tab

Space (as part of a string value, not to end the string): Enclose the string in single or double quotation marks:
"Security Administrator" or 'Security Administrator'. Alternatively, precede the space with a backslash:
Security\ Administrator.

' (as part of a string value, not to begin or end the string): \'

" (as part of a string value, not to begin or end the string): \"

\: \\
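Scripts that generate CLI commands from user-supplied names (an address comment, a group name) need the rules above applied mechanically rather than by hand. The following Python is an added example, not FortiOS or Fortinet code: it backslash-escapes or double-quotes a value as the table describes, refuses values containing ? or Tab (which the guide says must be typed with Ctrl + V and cannot be produced by escaping), and includes a simple decoder so the escaping can be round-trip tested. The decoder's behaviour for quoted strings (backslash escapes honoured inside the quotes) is an assumption of this example, modelled on the \' and \" rows of the table.

```python
# Characters the guide lists as unusable unescaped in most CLI commands, plus
# the space, which would otherwise end the string.
SPECIAL_CHARS = frozenset('<>()#\'" ')
# These must be typed with Ctrl + V in an interactive session; no escape
# sequence produces them, so a generated command line cannot contain them.
UNTYPEABLE = frozenset("?\t")


def can_escape(value):
    """False when the value contains a character escaping cannot represent."""
    return not (set(value) & UNTYPEABLE)


def _check(value):
    if not can_escape(value):
        raise ValueError("'?' and Tab cannot be produced by escaping; type them with Ctrl + V")


def escape_cli(value):
    """Backslash form, e.g. 'Security Administrator' -> Security\\ Administrator."""
    _check(value)
    return "".join(
        ("\\" + ch) if (ch == "\\" or ch in SPECIAL_CHARS) else ch for ch in value
    )


def quote_cli(value):
    """Quoted form: wrap in double quotes, escaping embedded " and \\ only."""
    _check(value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def unescape_cli(token):
    """Decode one token produced by escape_cli() or quote_cli() (assumed model)."""
    if token[:1] in ('"', "'"):
        if len(token) < 2 or token[-1] != token[0]:
            raise ValueError("unterminated quoted string")
        token = token[1:-1]
    out, i = [], 0
    while i < len(token):
        ch = token[i]
        if ch == "\\" and i + 1 < len(token):
            out.append(token[i + 1])  # the escaped character, taken literally
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    for sample in ("Security Administrator", "O'Brien", 'say "hi"', "#1 (test) <x>"):
        print(escape_cli(sample), "|", quote_cli(sample))
```

Pick one form and use it consistently: the quoted form is easier to read in a generated configuration file, while the backslash form is what the table shows for a single special character typed interactively.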

Using grep to filter command output

The get, show, and diagnose commands can produce large amounts of output. The grep command can be used to
filter the output so that it only shows the required information.
The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.
For example, the following command displays the MAC address of the internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75

The following command will display all TCP sessions that are in the session list, including the session list line number in
the output:
get system session list | grep -n tcp

The following command will display all of the lines in the HTTP replacement message that contain URL or url:
show system replacemsg http | grep -i url

The following options can also be used:

-A <num>: show <num> lines of output after each match (After)
-B <num>: show <num> lines of output before each match (Before)
-C <num>: show <num> lines of output before and after each match (Context)

The -f option is available to support contextual output, in order to show the complete configuration. The following
example shows the difference in the output when -f is used versus when it is not used:

Without -f:

show | grep ldap-group1
    edit "ldap-group1"
                set groups "ldap-group1"

With -f:

show | grep -f ldap-group1
config user group
    edit "ldap-group1"
        set member "pc40-LDAP"
    next
end
config firewall policy
    edit 2
        set srcintf "port31"
        set dstintf "port32"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "ldap-group1"
                set dstaddr "all"
                set service "ALL"
            next
        end
    next
end
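The same distinction between plain grep output and -f output can be reproduced offline on a saved configuration, which is useful when reviewing a backup for every object that references a given group or interface. The following Python is an added example, not FortiOS code: it parses show-style output into config and edit blocks and returns either the matching lines alone or, like -f, every entry that contains a match together with its enclosing blocks. The sample configuration is constructed from the fragments above with an extra group and a global block added so that the filtering is visible; the rule that an edit entry (or a field-only config block) containing a match is returned whole is an assumption drawn from the output shown above.

```python
import re

# Constructed sample configuration, built from the fragments shown in the
# guide, plus an extra group and a global block that must be filtered out.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-1"
end
config user group
    edit "ldap-group1"
        set member "pc40-LDAP"
    next
    edit "other-group"
        set member "pc41-LDAP"
    next
end
config firewall policy
    edit 2
        set srcintf "port31"
        set dstintf "port32"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "ldap-group1"
                set dstaddr "all"
                set service "ALL"
            next
        end
    next
end
"""


def parse_config(text):
    """Build a tree of config/edit blocks from FortiOS `show` output."""
    root = {"kind": "root", "header": "", "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config ") or line.startswith("edit "):
            node = {"kind": line.split()[0], "header": line, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line in ("next", "end"):
            stack.pop()  # close the innermost open block
        else:
            stack[-1]["children"].append({"kind": "line", "header": line, "children": []})
    return root


def _contains_match(node, pattern):
    if pattern.search(node["header"]):
        return True
    return any(_contains_match(c, pattern) for c in node["children"])


def _is_entry(node):
    # An `edit` row, or a config block holding fields directly (no rows), is
    # kept as a whole unit when anything inside it matches (assumed -f rule).
    if node["kind"] == "edit":
        return True
    return node["kind"] == "config" and not any(
        c["kind"] in ("config", "edit") for c in node["children"]
    )


def _filter(node, pattern):
    if node["kind"] == "line":
        return node if pattern.search(node["header"]) else None
    if _is_entry(node):
        return node if _contains_match(node, pattern) else None
    kept = [k for k in (_filter(c, pattern) for c in node["children"]) if k is not None]
    if node["kind"] != "root" and not kept:
        return None
    return {**node, "children": kept}


def render(node, depth=-1):
    """Re-indent a (filtered) tree the way the CLI prints it."""
    lines = []
    if node["kind"] != "root":
        lines.append("    " * depth + node["header"])
    for child in node["children"]:
        lines.extend(render(child, depth + 1))
    if node["kind"] == "edit":
        lines.append("    " * depth + "next")
    elif node["kind"] == "config":
        lines.append("    " * depth + "end")
    return lines


def grep(text, expr, context=False):
    """Emulate `show | grep <expr>` or, with context=True, `show | grep -f <expr>`."""
    pattern = re.compile(expr)
    if not context:
        return [line.strip() for line in text.splitlines() if pattern.search(line)]
    return render(_filter(parse_config(text), pattern))


if __name__ == "__main__":
    print("\n".join(grep(SAMPLE_CONFIG, "ldap-group1")))
    print("---")
    print("\n".join(grep(SAMPLE_CONFIG, "ldap-group1", context=True)))
```

The context form is the one to use when auditing: a bare `set groups "ldap-group1"` line tells you the group is referenced, but only the enclosing `config firewall policy` / `edit 2` shows which policy grants it access.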

Language support and regular expressions

Characters such as ñ and é, symbols, and ideographs are sometimes acceptable input. Support varies depending on the
type of item that is being configured. CLI commands, objects, field names, and options must use their exact ASCII
characters, but some items with arbitrary names or values can be input using your language of choice. To use other
languages in those cases, the correct encoding must be used.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings into UTF-8 before it is stored.
If your input method encodes some characters differently than in UTF-8, configured items may not display or operate as
expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using a different encoding, or if an HTTP client sends a request in a different encoding, matches may not be
what is expected.
For example, with Shift-JIS, backslashes could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ), and
vice versa. A regular expression intended to match HTTP requests containing monetary values with a yen symbol may
not work if the symbol is entered using the wrong encoding.
For best results:
- use UTF-8 encoding, or
- use only characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters
that are encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS, and other encoding
methods, or
- for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.


HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary
based on the client’s operating system or input language. If the client's encoding method
cannot be predicted, you might only be able to match the parts of the request that are in
English, as the values for English characters tend to be encoded identically, regardless of the
encoding method.

If the FortiGate is configured to use an encoding method other than UTF-8, the management computer's language may
need to be changed, including the web browser and terminal emulator. If the FortiGate is configured using non-ASCII
characters, all the systems that interact with the FortiGate must also support the same encoding method. If possible, the
same encoding method should be used throughout the configuration to avoid needing to change the language settings
on the management computer.
The GUI and CLI client normally interpret output as encoded using UTF-8. If they do not, configured items may not
display correctly. Exceptions include items such as regular expressions that may be configured using other encodings to
match the encoding of HTTP requests that the FortiGate receives.

To enter non-ASCII characters in a terminal emulator:

1. On the management computer, start the terminal client.
2. Configure the client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by terminal client.
3. Log in to the FortiGate.
4. At the command prompt, type your command and press Enter.
Words that use encoded characters may need to be enclosed in single quotes ( ' ).
Depending on your terminal client’s language support, you may need to interpret the characters into character
codes before pressing Enter. For example, you might need to enter: edit '\743\601\613\743\601\652'
5. The CLI displays the command and its output.

Screen paging

By default, the CLI will pause after displaying each page worth of text when a command has multiple pages of output.
This can be useful when viewing lengthy outputs that might exceed the buffer of the terminal emulator.
When the display pauses and shows --More--, you can:
- Press Enter to show the next line,
- Press Q to stop showing results and return to the command prompt,
- Press an arrow key, Insert, Home, Delete, End, Page Up, or Page Down to show the next few pages,
- Press any other key to show the next page, or
- Wait for about 30 seconds for the console to truncate the output and return to the command prompt.
When screen pausing is disabled, press Ctrl + C to stop the output and log out of the FortiGate.

To disable pausing the CLI output:

config system console
    set output standard
end


To enable pausing the CLI output:

config system console
    set output more
end

Changing the baud rate

The baud rate of the local console connection can be changed from its default value of 9600.

To change the baud rate:

config system console
    set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
end

Editing the configuration file

The FortiGate configuration file can be edited on an external host by backing up the configuration, editing the
configuration file, and then restoring the configuration to the FortiGate.
Editing the configuration file can save time if many changes need to be made, particularly if the plain text editor that you
are using provides features such as batch changes.

To edit the configuration file:

1. Back up the configuration. See Configuration backups on page 57 for details.
2. Open the configuration file in a plain text editor that supports UNIX-style line endings.
3. Edit the file as needed.

Do not edit the first line of the configuration file. This line contains information about the firmware version and
FortiGate model. If you change the model number, the FortiGate will reject the configuration when you attempt to
restore it.

4. Restore the modified configuration to the FortiGate. See Configuration backups on page 57 for details.
The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the
configuration file is loaded and each line is checked for errors. If a command is invalid, that command is ignored. If
the configuration file is valid, the FortiGate restarts and loads the downloaded configuration.
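A batch change is the case where an editor slip on the first line is most likely, so it is worth scripting the edit with the header line protected. The following Python is an added example, not Fortinet code: it normalizes the backup to UNIX line endings, applies a regular-expression substitution to every line except the first, and reports how many lines changed. The sample backup is constructed; its first line is a placeholder because this example does not reproduce the real header format.

```python
import re

# Constructed sample backup. The real first line carries the firmware version
# and model (its exact format is not reproduced here) and must not be changed.
SAMPLE_BACKUP = (
    "#config-version=<model-and-firmware-info-placeholder>\r\n"
    "config system global\r\n"
    '    set hostname "branch-fw"\r\n'
    "end\r\n"
    "config firewall policy\r\n"
    "    edit 1\r\n"
    '        set srcintf "port31"\r\n'
    '        set dstintf "port32"\r\n'
    "    next\r\n"
    "    edit 2\r\n"
    '        set srcintf "port32"\r\n'
    '        set dstintf "port31"\r\n'
    "    next\r\n"
    "end\r\n"
)


def to_unix_line_endings(text):
    """Normalize CRLF and bare CR to LF, the line ending the guide asks for."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def batch_edit(text, pattern, replacement):
    """Apply a regex substitution to every line except the first.

    Returns (new_text, number_of_changed_lines). The header line is copied
    through untouched so the model check on restore still passes.
    """
    lines = to_unix_line_endings(text).split("\n")
    header, body = lines[0], lines[1:]
    regex = re.compile(pattern)
    changed = 0
    new_body = []
    for line in body:
        new_line, n = regex.subn(replacement, line)
        if n:
            changed += 1
        new_body.append(new_line)
    return "\n".join([header] + new_body), changed


def header_preserved(original, edited):
    """True when the first line of the backup survived the edit unchanged."""
    orig_header = to_unix_line_endings(original).split("\n", 1)[0]
    return orig_header == edited.split("\n", 1)[0]


if __name__ == "__main__":
    # Example change: every reference to interface port31 becomes port3.
    edited, count = batch_edit(SAMPLE_BACKUP, r'"port31"', '"port3"')
    print(f"{count} lines changed; header intact: {header_preserved(SAMPLE_BACKUP, edited)}")
    print(edited)
```

Because the FortiGate silently ignores invalid commands during restore, compare the line count of the edited file against the original and diff the two before uploading; a substitution that accidentally matched a `config` or `edit` line would otherwise surface only as missing objects after the restart.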

Command syntax

When entering a command, the CLI console requires that you use valid syntax and conform to expected input
constraints. It rejects invalid commands. Indentation is used to indicate the levels of nested commands.
Each command line consists of a command word, usually followed by configuration data or a specific item that the
command uses or affects.


Notation

Brackets, vertical bars, and spaces are used to denote valid syntax. Constraint notations, such as <address_ipv4>,
indicate which data types or string patterns are acceptable value input.
All syntax uses the following conventions:

Angle brackets < >: Indicate a variable of the specified data type.

Curly brackets { }: Indicate that a variable or variables are mandatory.

Square brackets [ ]: Indicate that the variable or variables are optional. For example:
    show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system interface. To show the settings for the port1
interface, you can enter show system interface port1.

Vertical bar |: A vertical bar separates alternative, mutually exclusive options. For example:
    set protocol {ftp | sftp}
You can enter either set protocol ftp or set protocol sftp.

Space: A space separates non-mutually exclusive options. For example:
    set allowaccess {ping https ssh snmp http fgfm radius-acct probe-response capwap ftm}
You can enter any of the following:
    set allowaccess ping
    set allowaccess https ping ssh
    set allowaccess http https snmp ssh ping
In most cases, to make changes to lists that contain options separated by spaces, you need to retype the entire list,
including all the options that you want to apply and excluding all the options that you want to remove.

Optional values and ranges

Any field that is optional is shown in square brackets. The overall config command is still valid whether or not the
option is configured.
Square brackets can also be used to show that multiple options can be set, even intermixed with ranges. The following
example shows a field that can be set to a specific value, a range, or multiple instances:
config firewall service custom
    set iprange <range1> [<range2> <range3> ...]
end

next

The next command is used to maintain a hierarchy and flow to CLI commands. It is at the same indentation level as the
preceding edit command, to mark where a table entry finishes.


The following example shows the next command used in the subcommand entries:

After configuring table entry <2> then entering next, the <2> table entry is saved and the console returns to the
entries prompt:

You can now create more table entries as needed, or enter end to save the table and return to the filepattern table
element prompt.

end

The end command is used to maintain a hierarchy and flow to CLI commands.
The following example shows the same command and subcommand as the next command example, except end has
been entered instead of next after the subcommand:

Entering end will save the <2> table entry and the table, and exit the entries subcommand entirely. The console
returns to the filepattern table element prompt:


Subcommands

Subcommands are available from within the scope of some commands. When you enter a subcommand level, the
command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin

the command prompt becomes:

(admin)#

Applicable subcommands are available until you exit the command, or descend an additional level into another
subcommand. Subcommand scope is indicated by indentation.
For example, the edit subcommand is only available in commands that affect tables, and the next subcommand is
available only in the edit subcommand:
config system interface
    edit port1
        set status up
    next
end

The available subcommands vary by command. From a command prompt under the config command, subcommands
that affect tables and fields could be available.

Table subcommands

edit <table_row>: Create or edit a table value. In objects such as security policies, <table_row> is a sequence
number. To create a new table entry without accidentally editing an existing entry, enter edit 0. The CLI will confirm
the creation of entry 0, but will assign the next unused number when the entry is saved after entering end or next.
For example, to create a new firewall policy, enter the following commands:
config firewall policy
    edit 0
        ....
    next
end
To edit an existing policy, enter the following commands:
config firewall policy
    edit 27
        ....
    next
end
The edit subcommand changes the command prompt to the name of the table value that is being edited.

delete <table_row>: Delete a table value. For example, to delete firewall policy 30, enter the following commands:
config firewall policy
    delete 30
end

purge: Clear all table values. The purge command cannot be undone. To restore purged table values, the
configuration must be restored from a backup.

move: Move an ordered table value. In the firewall policy table, this is equivalent to dragging a policy into a new
position. It does not change the policy's ID number.
For example, to move policy 27 to policy 30, enter the following commands:
config firewall policy
    move 27 to 30
end
The move subcommand is only available in tables where the order of the table entries matters.

clone <table_row> to <table_row>: Make a clone of a table entry. For example, to create firewall policy 30 as a
clone of policy 27, enter the following commands:
config firewall policy
    clone 27 to 30
end
The clone subcommand may not be available for all tables.

rename <table_row> to <table_row>: Rename a table entry. For example, to rename an administrator from Flank to
Frank, enter the following commands:
config system admin
    rename Flank to Frank
end
The rename subcommand is only available in tables where the entries can be renamed.

get: List the current table entries. For example, to view the existing firewall policy table entries, enter the following
commands:
config firewall policy
    get

show: Show the configuration. Only table entries that are not set to default values are shown.

end: Save the configuration and exit the current config command.

Purging the system interface or system admin tables does not reset default table values. This can result in being
unable to connect to or log in to the FortiGate, requiring the FortiGate to be formatted and restored.

Field subcommands

set <field> <value>    Modify the value of a field.
For example, the command set fsso enable sets the fsso field to the value
enable.

unset    Set the field to its default value.

select    Clear all of the options except for those specified.
For example, if a group contains members A, B, C, and D, to remove all members
except for B, use the command select member B.

unselect    Remove an option from an existing list.
For example, if a group contains members A, B, C, and D, to remove only member
B, use the command unselect member B.

append    Add an option to an existing multi-option table value.

clear    Clear all the options from a multi-option table value.

get    List the configuration of the current table entry, including default and customized
values.

show    Show the configuration. Only values that are not set to default values are shown.

next    Save changes to the table entry and exit the edit command so that you can
configure the next table entry.

abort    Exit the command without saving.

end    Save the configuration and exit the current config command.
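The table and field subcommands above, exercised in a small Python model. This is an added example and not FortiOS code: it replays a CLI script against in-memory tables and implements the documented behaviour of edit 0, next and abort, delete, purge, clone and rename, and set, unset, append, select, unselect and clear, using the interface and group examples from this section as constructed input. The names port2, port3 and staff, the set of fields treated as multi-option lists, and the allowaccess options treated as cleartext (http and telnet) are this example's assumptions, not the FortiOS schema. The last helper lists interfaces whose administrative access still includes a cleartext protocol, which is the check an administrator would run after editing interfaces.

```python
"""Added example (not FortiOS code): replay a FortiOS CLI script against in-memory
tables to check the documented table and field subcommand semantics offline."""
import copy
import shlex
from collections import OrderedDict

MULTI_OPTION_FIELDS = {"allowaccess", "member"}  # assumption: list-valued fields in this model
CLEARTEXT_ACCESS = {"http", "telnet"}           # assumption: cleartext management options


class FortiCliModel:
    def __init__(self):
        self.tables = {}     # "system interface" -> OrderedDict(row key -> fields)
        self.table = None    # table selected by the last "config"
        self.row = None      # row key selected by the last "edit"
        self.pending = None  # working copy of that row, committed on "next"

    def run(self, script):
        for line in script.splitlines():
            if line.strip():
                self._exec(shlex.split(line))
        return self.tables

    def _exec(self, argv):
        cmd, args, rows = argv[0], argv[1:], self.tables.get(self.table)
        if cmd == "config":
            self.table = " ".join(args)
            self.tables.setdefault(self.table, OrderedDict())
        elif cmd == "end":                      # leave the table
            self.table = self.row = self.pending = None
        elif cmd == "edit":                     # "edit 0" takes the next free integer ID
            key = args[0]
            if key == "0":
                key = str(max((int(k) for k in rows if k.isdigit()), default=0) + 1)
            self.row, self.pending = key, copy.deepcopy(rows.get(key, {}))
        elif cmd == "next":                     # commit the working copy
            rows[self.row] = self.pending
            self.row = self.pending = None
        elif cmd == "abort":                    # discard the working copy
            self.row = self.pending = None
        elif cmd == "delete":
            rows.pop(args[0], None)
        elif cmd == "purge":
            rows.clear()
        elif cmd == "clone":                    # clone <src> to <dst>
            rows[args[2]] = copy.deepcopy(rows[args[0]])
        elif cmd == "rename":                   # rename <old> to <new>
            rows[args[2]] = rows.pop(args[0])
        elif cmd == "set":
            field, values = args[0], args[1:]
            self.pending[field] = list(values) if field in MULTI_OPTION_FIELDS else " ".join(values)
        elif cmd == "unset":                    # back to the default: drop the field
            self.pending.pop(args[0], None)
        elif cmd == "append":
            self.pending.setdefault(args[0], []).extend(args[1:])
        elif cmd == "select":                   # keep only the named options
            self.pending[args[0]] = list(args[1:])
        elif cmd == "unselect":                 # drop the named options
            self.pending[args[0]] = [v for v in self.pending.get(args[0], []) if v not in args[1:]]
        elif cmd == "clear":
            self.pending[args[0]] = []
        else:
            raise ValueError(f"unsupported subcommand: {cmd}")


def cleartext_management_interfaces(tables):
    """Interfaces whose allowaccess still includes a cleartext management protocol."""
    return sorted(name for name, fields in tables.get("system interface", {}).items()
                  if CLEARTEXT_ACCESS & set(fields.get("allowaccess", [])))


# Constructed sample built from the guide's examples; on port3 the operator entered
# abort instead of next after the unselect, so that change was discarded.
SAMPLE_SCRIPT = """
config system interface
edit "port2"
set ip 203.0.113.99 255.255.255.0
set allowaccess ping https
append allowaccess ssh
next
edit "port3"
set allowaccess ping http https
next
edit "port3"
unselect allowaccess http
abort
end
config user group
edit "staff"
set member A B C D
next
edit "staff"
select member B
next
end
"""

TABLES = FortiCliModel().run(SAMPLE_SCRIPT)  # cleartext_management_interfaces(TABLES) == ['port3']
```

The port3 case is the one to notice: the unselect was entered, but abort discarded the working copy, so the interface still allows http and the audit reports it. Only next (or end) commits a field change.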

Permissions

Administrator (or access) profiles control what CLI commands an administrator can access by assigning read, write, or
no access to each area of FortiOS. For information, see Administrator profiles on page 881.
Read access is required to view configurations. Write access is required to make configuration changes. Depending on
your account's profile, you may not have access to all CLI commands. To have access to all CLI commands, an
administrator account with the super_admin profile must be used, such as the admin account.
Accounts assigned the super_admin profile are similar to the root administrator account. They have full permission to
view and change all FortiGate configuration options, including viewing and changing other administrator accounts.
To increase account security, set strong passwords for all administrator accounts, and change the passwords regularly.

FortiExplorer Management

FortiExplorer for iOS is a user-friendly application that helps you to rapidly provision, deploy, and monitor Security Fabric
components from your iOS device.


FortiExplorer for iOS requires iOS 10.0 or later and is compatible with iPhone, iPad, and Apple TV. It is supported by
FortiOS 5.6 and later, and is available on the App Store for iOS devices.

FortiExplorer is also available for Android on the Google Play Store. Steps for
configuring FortiExplorer for Android may differ from those included in this guide.

Advanced features are available with the purchase of FortiExplorer Pro. Paid features include the ability to add more
than two devices, and firmware upgrades for devices with active licenses.
Up to six members can use this app with 'Family Sharing' enabled in the App Store.

Firmware upload requires a valid firmware license. Users can download firmware for models
with a valid support contract.

Getting started with FortiExplorer

If your FortiGate is accessible on a wireless network, you can connect to it using FortiExplorer provided that your
iOS device is on the same network (see Connecting FortiExplorer to a FortiGate via WiFi). Otherwise, you will need to
physically connect your iOS device to the FortiGate using a USB cable.

To connect and configure a FortiGate with FortiExplorer using a USB connection:

1. Connect your iOS device to your FortiGate USB A port. If prompted on your iOS device, Trust this computer.
2. Open FortiExplorer and select your FortiGate from the FortiGate Devices list. A blue USB icon will indicate that you
are connected over a USB connection.


3. On the Login screen, select USB.


4. Enter the default Username (admin) and leave the Password field blank.
5. Optionally, select Remember Password.
6. Tap Done when you are ready.
FortiExplorer opens the FortiGate management interface to the Device Status page:

7. Go to Network > Interfaces and configure the WAN interface or interfaces.


8. The wan1 interface Address mode is set to DHCP by default. Set it to Manual and enter its Address, Netmask, and
Default Gateway, and then Apply your changes.

9. Optionally, configure Administrative Access to allow HTTPS access. This will allow administrators to access the
FortiGate GUI using a web browser.


10. Go to Network > Interfaces and configure the local network (internal) interface.
11. Set the Address mode as before and configure Administrative Access if required.
12. Configure a DHCP Server for the internal network subnet.

13. Return to the internal interface using the < button at the top of the screen.
14. Go to Network > Static Routes and configure the static route to the gateway.

15. Go to Policy & Objects > Firewall Policy and edit the Internet access policy. Enter a Name for the policy, enable the
required Security Profiles, configure Logging Options, then tap OK.


Connecting FortiExplorer to a FortiGate via WiFi

You can wirelessly connect to the FortiGate if your iOS device and the FortiGate are both connected to the same
wireless network.


To connect and configure a FortiGate with FortiExplorer wirelessly:

1. Open the FortiExplorer app and tap Add on the Devices page.
2. On the Add Device By page, tap HTTPS.

3. Enter the Host information, Username, and Password.


4. If required, change the default Port number, and optionally enable Remember Password.

5. Tap Done.
6. If the FortiGate device identity cannot be verified, tap Connect at the prompt.
FortiExplorer opens the FortiGate management interface to the Device Status page.

Running a security rating

After configuring your network, run a security rating check to identify vulnerabilities and highlight best practices that
could improve your network's security and performance.


Go to Security Fabric > Security Rating and follow the steps to determine the score. See Security rating on page 238 for
more information.

Upgrading to FortiExplorer Pro

FortiExplorer Pro allows you to add unlimited devices, and download firmware images for devices with active licenses.

To upgrade to FortiExplorer Pro:

1. In FortiExplorer, go to Settings.
2. Tap Manage Subscription.
3. Follow the on-screen prompts.

Basic administration

This section contains information about basic FortiGate administration that you can do after installing the unit in your
network.
l Basic configuration on page 47
l Registration on page 49
l FortiCare and FortiGate Cloud login on page 52
l Transfer a device to another FortiCloud account on page 55
l Configuration backups on page 57
l Fortinet Developer Network access on page 61

Basic configuration

This topic will help you configure a few basic settings on the FortiGate as described in the Using the GUI on page 21 and
Using the CLI on page 26 sections, including:
l Configuring an interface to be part of your existing network for further configuration
l Configuring the hostname
l Configuring the default route
l Ensuring internet/FortiGuard connectivity

Configuring an interface

The default interface configuration is unlikely to be appropriate for your environment, and using it typically requires some
effort from the administrator, such as being physically near the FortiGate to establish a serial connection.
Therefore, the first step is to configure an interface that can be used to complete the FortiGate configuration.

To configure an interface in the GUI:

1. Go to Network > Interfaces. Select an interface and click Edit.


2. Enter an Alias.
3. In the Address section, enter the IP/Netmask.
4. In Administrative Access section, select the access options as needed (such as PING, HTTPS, and SSH).
5. Optionally, enable DHCP Server and configure as needed.
6. Click OK.

To configure an interface in the CLI:

config system interface
edit "port2"
set ip 203.0.113.99 255.255.255.0
set allowaccess ping https ssh
set alias "Management"
next
end

Configuring the hostname

Setting the FortiGate’s hostname assists with identifying the device, and it is especially useful when managing multiple
FortiGates. Choose a meaningful hostname as it is used in the CLI console, SNMP system name, device name for
FortiGate Cloud, and to identify a member of an HA cluster.

To configure the hostname in the GUI:

1. Go to System > Settings.
2. Enter a name in the Host name field.


3. Click Apply.

To configure the hostname in the CLI:

config system global
set hostname 200F_YVR
end

Configuring the default route

Setting the default route enables basic routing to allow the FortiGate to return traffic to sources that are not directly
connected. The gateway address should be your existing router or L3 switch that the FortiGate is connected to. If you are
directly connecting to the FortiGate, you may choose your endpoint’s IP address as the gateway address. Set the
interface to be the interface the gateway is connected to.

To configure the default route in the GUI:

1. Go to Network > Static Routes and click Create New.


2. Leave the destination subnet as 0.0.0.0/0.0.0.0. This is known as a default route, since it would match any IPv4
address.
3. Enter the Gateway Address.
4. Select an Interface.
5. Click OK.

To configure the default route in the CLI:

config router static
edit 0
set gateway 192.168.1.254
set device port1
next
end

Ensuring internet and FortiGuard connectivity

This step is not necessary for the configuration; however, it is necessary in order to keep your FortiGate up to date
against the latest threats. Updates are provided to FortiGates that are registered and make a request to the FortiGuard
network to verify if there are any more recent definitions.
Use execute ping <domain.tld> to ensure that DNS resolution is working and that the following FortiGuard servers can be resolved:
l fds1.fortinet.com
l service.fortiguard.net
l update.fortiguard.net
You also need to ensure the necessary ports are permitted outbound in the event your FortiGate is behind a filtering
device. Refer to the Ports and Protocols document for more information.


Registration

The FortiGate, and then its service contract, must be registered to have full access to Fortinet Customer Service and
Support, and FortiGuard services. The FortiGate can be registered in either the FortiGate GUI or the FortiCloud support
portal. The service contract can be registered from the FortiCloud support portal.

The service contract number is needed to complete registrations on the FortiCloud support
portal. You can find this 12-digit number in the email that contains your service registration
document (sent from [email protected]) in the service entitlement summary.

To register your FortiGate in the GUI:

1. Connect to the FortiGate GUI. A dialog box appears, which indicates the steps you should take to complete the
setup of your FortiGate. These steps include:
a. Specify Hostname
b. Change Your Password
c. Upgrade Firmware
d. Dashboard Setup
If you completed the Basic configuration on page 47, the hostname and password steps are already marked as
complete (checkmark). If you chose to deploy the latest firmware, the Upgrade Firmware step is marked as
complete.
2. Click Begin to complete the dashboard setup. Two options appear (Optimal and Comprehensive).

3. Select the desired setting and click OK. The System > FortiGuard page opens.
4. Click Enter Registration Code.
5. Enter the contract registration code from your service registration document.
6. Click OK.

To register the FortiGate on the FortiCloud support portal:

1. Go to support.fortinet.com and log in using your FortiCloud account credentials. If you do not have an account, click
Register to create one.
2. In the left-side menu, click Register Product.


3. Enter the product serial number or license certificate number for a VM, select an end user type, then click Next.

4. Enter the Support Contract number and FortiCloud Key (optionally, enter a product description), then click Next.

5. Review the product entitlement information, select the checkbox to accept the terms, then click Confirm.


6. Go to Products > Product List. The FortiGate is now visible in the product list.


FortiCare and FortiGate Cloud login

With FortiCloud, FortiGate supports a unified login to FortiCare and FortiGate Cloud. The FortiGate Cloud setup is a
subset of the FortiCare setup.
l If the FortiGate is not registered, activating FortiGate Cloud will force you to register with FortiCare.
l If a FortiGate is registered in FortiCare using a FortiCloud account, then only that FortiCloud account can be used to
activate FortiGate Cloud.
l If a different FortiCloud account was already used to activate FortiGate Cloud, then a notification asking you to
migrate to FortiCloud is shown in the GUI after upgrading FortiOS.
The CLI can be used to activate FortiGate Cloud without registration, or with a different FortiCloud account.

To activate FortiGate Cloud and register with FortiCare at the same time:

1. Go to Dashboard > Status.


2. In the FortiGate Cloud widget, click Not Activated > Activate.
You must register with FortiCare before activating FortiGate Cloud.

3. Enter your FortiCare Email address and Password.


4. Select your Country/Region and Reseller.
5. Enable Sign in to FortiGate Cloud using the same account.
6. Click OK.


To activate FortiGate Cloud on an already registered FortiGate:

1. Go to Dashboard > Status.


2. In the FortiGate Cloud widget, click Not Activated > Activate.

3. Enter the password for the account that was used to register the FortiGate.

4. Click OK.
The FortiGate Cloud widget now shows the FortiCloud account.


To migrate from the activated FortiGate Cloud account to the registered FortiCloud account:

1. Go to Dashboard > Status.

2. In the FortiGate Cloud widget, click Migrate to FortiCloud.

3. Enter the password for the account that was used to register the FortiGate, then click OK.
The FortiGate Cloud widget now shows the FortiCloud account.

To activate FortiGate Cloud using an account that is not used for registration:

1. In the CLI, enter the following command:
execute fortiguard-log login <account_id> <password>
Where <account_id> and <password> are the credentials for the account that you are using to activate
FortiGate Cloud.
2. Check the account type with the following command:
# diagnose fdsm contract-controller-update
Protocol=2.0|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:172.16.95.151:443*AlterServer:172.16.95.151:443*Contract:20200408*NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:737941253*AccountType:multitenancy

Result=Success

A FortiCloud account that is not used for the support portal account cannot be used to register
FortiGate. Attempting to activate FortiGate Cloud with this type of account will fail.
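A parser for the contract-controller output shown in step 2, added here as an example that is not FortiOS code. The sample is the response from that step, joined back onto one line. The function splits the pipe-separated key=value fields and the '*'-separated Name:Value items inside ResponseItem, splitting each item on its first colon only because host:port values contain a colon, so that the AccountType can be read by a script instead of by eye.

```python
"""Parse the output of 'diagnose fdsm contract-controller-update' (added example,
not FortiOS code) so the AccountType it reports can be read programmatically."""

# Constructed sample: the response shown in the guide, joined back onto one line.
SAMPLE_OUTPUT = (
    "Protocol=2.0|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000"
    "|Persistent=false|ResponseItem=HomeServer:172.16.95.151:443*AlterServer:172.16.95.151:443"
    "*Contract:20200408*NextRequest:86400*UploadConfig:False*ManagementMode:Local"
    "*ManagementID:737941253*AccountType:multitenancy\n"
    "\n"
    "Result=Success\n"
)


def parse_fdsm_output(text):
    """Return {field: value}; ResponseItem becomes a nested {name: value} dict."""
    fields = {}
    for line in text.splitlines():
        for pair in line.strip().split("|"):
            if "=" not in pair:
                continue                      # blank lines and stray text are skipped
            key, value = pair.split("=", 1)
            if key == "ResponseItem":
                # Items are '*'-separated 'Name:Value'; values such as host:port contain
                # a ':' themselves, so partition on the first ':' only.
                fields[key] = dict(item.partition(":")[::2] for item in value.split("*") if item)
            else:
                fields[key] = value
    return fields


def account_type(text):
    """AccountType reported by the contract controller, or None if it is absent."""
    return parse_fdsm_output(text).get("ResponseItem", {}).get("AccountType")
```

With the sample above, account_type() returns "multitenancy"; the same parser also exposes Result, Response and the HomeServer the device is talking to, which is useful when checking that a FortiGate reached the expected FortiGate Cloud server.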

Transfer a device to another FortiCloud account

Master account users can transfer a device from one FortiCloud/FortiCare account to another. Users can transfer a
device up to three times within a twelve-month time period.

Requirements:

To transfer an account, you must:
l Have access to the FortiGate, as well as both the FortiCloud and FortiCare accounts.
l Be a master account user.
To verify you are the master account user, go to support.fortinet.com. Click the user name, then click My Account.

You can transfer a device up to three times in a twelve-month time period. If more transfers are
required within the twelve-month time period, contact Technical Support to request the
transfer.

To transfer an account in the GUI:

1. Go to Dashboard > Status. In the Status dashboard, click on FortiCare Support, and click Transfer FortiGate to
Another Account.


You can also transfer an account from System > FortiGuard.

2. In the Current FortiCloud Account fields, enter the username and password for the current account. In the Target
FortiCloud Account fields, enter the new username and password. Click Next.

FortiGate transfers the account.


After the transfer is complete, FortiGate displays the new FortiCloud account.

Configuration backups

Once you successfully configure the FortiGate, it is extremely important that you back up the configuration. In some
cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase
the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup
can be used to restore it. You should also back up the local certificates, as the unique SSL inspection CA and server
certificates that are generated by your FortiGate by default are not saved in a system backup.
We also recommend that you back up the configuration after any changes are made, to ensure you have the most current
configuration available. Also, back up the configuration before any upgrades of the FortiGate's firmware. Should anything
happen to the configuration during the upgrade, you can easily restore the saved configuration.
Always back up the configuration and store it on the management computer or off-site. You have the option to save the
configuration file to various locations including the local PC, USB key, FTP, and TFTP server. The last two are
configurable through the CLI only.
If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you
are using FortiManager or FortiGate Cloud, full backups are performed and the option to back up individual VDOMs will
not appear.

You can also back up and restore your configuration using Secure File Copy (SCP). See How
to download a FortiGate configuration file and upload firmware file using secure file copy
(SCP).
You enable SCP support using the following command:
config system global
set admin-scp enable
end
For more information about this command and about SCP support, see config system global.


Backing up the configuration

To back up the configuration using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PC or to a USB Disk.
The USB Disk option will not be available if no USB drive is inserted in the USB port. You can also back up to the
FortiManager using the CLI.
3. If VDOMs are enabled, indicate whether the scope of the backup is the entire FortiGate configuration (Global) or
only a specific VDOM configuration (VDOM).
If backing up a VDOM configuration, select the VDOM name from the list.
4. Enable Encryption. Encryption must be enabled on the backup file to back up VPN certificates.
5. Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
6. Click OK.
7. When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will
have a .conf extension.

To back up the configuration using the CLI:

Use one of the following commands:

execute backup config management-station <comment>

or:
execute backup config usb <backup_filename> [<backup_password>]

or for FTP (the port number and user name are optional, depending on the FTP site):
execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:
execute backup config tftp <backup_filename> <tftp_server> <password>

Use the same commands to back up a VDOM configuration by first entering the commands:
config vdom
edit <vdom_name>

See Backing up and restoring configurations in multi VDOM mode on page 939 for more information.

Restoring a configuration

To restore the FortiGate configuration using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.
The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from the
FortiManager using the CLI.
3. Click Upload, locate the configuration file, and click Open.
4. Enter the password if required.
5. Click OK.


To restore the FortiGate configuration using the CLI:

execute restore config management-station normal 0

or:
execute restore config usb <filename> [<password>]

or for FTP (the port number and user name are optional, depending on the FTP site):
execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:
execute restore config tftp <backup_filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has
been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message: Configuration file error
Reason: This error occurs when attempting to upload a configuration file that is
incompatible with the device. This may be due to the configuration file being for a
different model or being saved from a different version of firmware.
Solution: Upload a configuration file that is for the correct model of FortiGate
device and the correct version of the firmware.

Error message: Invalid password
Reason: When the configuration file is saved, it can be protected by a password. The
password entered during the upload process does not match the one associated
with the configuration file.
Solution: Use the correct password if the file is password protected.

Configuration revision

You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher.
Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this
feature. Typically, configuration backup to local drive is not available on lower-end models.
The central management server can either be a FortiManager unit or FortiGate Cloud.
If central management is not configured on your FortiGate unit, a message appears instructing you to either
l Enable central management, or
l Obtain a valid license.
When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved
revisions of those backed-up configurations appears.
Configuration revisions are viewed by clicking on the user name in the upper right-hand corner of the screen and
selecting Configuration > Revisions.


Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The
export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible
to the FortiGate before you enter the command.

To back up the local certificates:

Connect to the CLI and use the following command:
execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>
where:
l <cert_name> is the name of the server certificate.
l <filename> is a name for the output file.
l <tftp_ip> is the IP address assigned to the TFTP server host interface.

To restore the local certificates using the GUI:

1. Move the output file from the TFTP server location to the management computer.
2. Go to System > Certificates and click Import > Local.
3. Select the certificate type, then click Upload in the Certificate file field.
4. On the management computer, browse to the file location, select it, and click Open.
5. If the Type is Certificate, upload the Key file as well.
6. If required, enter the Password that is required to upload the file or files.
7. Click OK.

To restore the local certificates using the CLI:

Connect to the CLI and use the following command:
execute vpn certificate local import tftp <filename> <tftp_ip>

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There
are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box
configuration.
You can reset the device with the following CLI command:
execute factoryreset
When prompted, type y to confirm the reset.
Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration with the
following command:
execute factoryreset2


Fortinet Developer Network access

The Fortinet Developer Network (FNDN) is a subscription-based community that helps administrators enhance and
increase the effectiveness of Fortinet products. Administrators can access the FortiAPI forum in FNDN to help create
applications that interact with Fortinet products, such as custom web portals, automated deployment and provisioning
systems, and scripted tasks. FNDN makes it easy for administrators and Fortinet professionals to interact, share sample
code, and upload their own tools. The FortiOS REST API documentation is available within the FortiAPI forum.
All FNDN users must be sponsored by two Fortinet employees. The sponsors must be able to confirm the user’s identity
and need for access. Approvals from both sponsors are required before access is granted to new users. The sponsors'
email addresses are required to create a new FNDN account.
Basic and licensed access options are available. Refer to the Fortinet Developer Network data sheet for more
information.

To create an FNDN account:

1. Obtain sponsorship from two Fortinet employees.
2. Go to the FNDN website, https://fndn.fortinet.net/. The log in page appears.
3. Click Create a new account. The Sign Up page appears.


4. Enter the information in the form fields and agree to the Terms of Use.

5. Click Create my Account.
New accounts are reviewed and approved by an FNDN administrator. After both sponsors approve the request, an
FNDN administrator reviews the request and approves account access in around one business day if all
requirements are met.

LEDs

Check your device's QuickStart guide for specific LED information: FortiGate QuickStart
Guides.

The following faceplates show where the LEDs are typically found on FortiGate models:

LED                         State                   Description

Logo                        Green                   The unit is on
                            Blue                    The FortiWiFi unit is on
                            Off                     The unit is off

Power (PWR)                 Green                   The unit is on and/or both power supplies are functioning
                            Amber                   One power supply is functioning
                            Flashing Amber          Power supply failure
                            Red                     The unit is on, but only one power supply is functional
                            Flashing Red            Power failure
                            Off                     The unit is off

Status (STA)                Green                   Normal
                            Flashing Green          Booting up
                            Amber                   Major or minor alarm
                            Flashing Amber          BLE is on
                            Red                     Major alarm
                            Flashing Red            BLE is on
                            Off                     The unit is off

Bypass (BYP)                Amber                   Bypass Port Pair is active
                            Off                     Bypass Port Pair is off

Alarm                       Red                     Major alarm
                            Amber                   Minor alarm
                            Off                     No alarms

HA                          Green                   Operating in an HA cluster
                            Amber or Red            HA failover
                            Off                     HA disabled

Max PoE                     Green, Amber, or Red    Maximum PoE power allocated
                            Off                     PoE power available or normal

PoE                         Green                   Power delivered
                            Flashing Green          Error or PoE device requesting power
                            Off                     No PoE device connected or no power delivered

SVC                         Green                   SVC is on
                            Flashing Green          SVC activity
                            Off                     SVC is off

3G / 4G                     Green                   3G / 4G service is on
                            Flashing Green          3G / 4G activity
                            Off                     3G / 4G service is off

WiFi                        Green                   WiFi connected
                            Flashing Green          WiFi activity
                            Off                     WiFi is off

Power Supply                Green                   Power supply operating normally
                            Flashing Green          Power detected, but power supply not providing power or is in standby mode
                            Amber                   Power output is off, there is a power supply error, or there is no input power but the redundant supply is on
                            Flashing Amber          Power supply error or warning events, or the power supply should be replaced
                            Red                     Cord unplugged or power lost
                            Flashing Red            Power supply warning events
                            Off                     Power not detected

Power Supply OK             Green                   Standby rail and main output on
                            Flashing Green          Standby rail and main output off
                            Off                     Error or no AC power input

Power Supply Fail           Amber                   Main output or fan error detected
                            Flashing Amber          Power supply warning event detected
                            Off                     No errors or no power

Power Supply Input          Green                   Input voltage within normal range
                            Flashing Green          Over or under voltage warning
                            Off                     No input power

Power Supply Output         Green                   Output voltage normal
                            Flashing Green          Standby mode
                            Amber                   Critical error
                            Flashing Amber          Warning
                            Off                     No output

Fan                         Green                   Fan(s) operating normally
                            Flashing Green          Fan switching/initialization in progress
                            Amber                   Fan failure
                            Red                     Fan error, RPM too low or too high, or both fan sets have at least one alert
                            Flashing Red            One fan set has at least one alert
                            Off                     Fan error or fan is off

Port LEDs

LED                         State                   Description

Ethernet                    Green                   Connected at 1 Gbps
                            Flashing Green          Transmitting and receiving data at 1 Gbps
                            Amber                   Connected at 10/100 Mbps
                            Flashing Amber          Transmitting and receiving data at 10/100 Mbps
                            Off                     No link established

Ethernet Link/Activity      Green                   Connected
                            Flashing Green          Transmitting data
                            Off                     No link established

Ethernet Speed              Green                   Connected at 1 Gbps
                            Amber                   Connected at 100 Mbps
                            Off                     Not connected or connected at 10 Mbps

Ethernet 10G Link/Activity  Green                   Connected
                            Flashing Green          Transmitting data
                            Off                     No link established

Ethernet 10G Speed          Green                   Connected at 10 Gbps
                            Amber                   Connected at 5 Gbps, 2.5 Gbps, or 1 Gbps
                            Off                     Not connected or connected at 100 Mbps

PoE                         Green                   PoE power on or PoE device receiving power
                            Amber                   Providing power
                            Red                     Connected but not powered
                            Off                     PoE power off or no device receiving power

SFP                         Green                   Connected at 1 Gbps
                            Flashing Green          Data activity
                            Off                     No link established

SFP+                        Green                   Connected at 10 Gbps or 1 Gbps
                            Flashing Green          Data activity
                            Off                     No link established

SFP28                       Green                   Connected at 25 Gbps, 10 Gbps, or 1 Gbps
                            Flashing Green          Data activity
                            Off                     No link established

QSFP28                      Green                   Connected at 100 Gbps or 40 Gbps
                            Flashing Green          Data activity
                            Off                     No link established

Alarm levels

Minor alarm

Also called an IPMI non-critical (NC) alarm, it indicates a temperature or power level outside of the normal operating
range that is not considered a problem. For a minor temperature alarm, the system could respond by increasing the fan
speed. A non-critical threshold can be an upper non-critical (UNC) threshold (for example, a high temperature or a high
power level) or a lower non-critical (LNC) threshold (for example, a low power level).

Major alarm

Also called an IPMI critical or critical recoverable (CR) alarm, it indicates that the system is unable to correct the cause of
the alarm, and that intervention is required. For example, the cooling system cannot provide enough cooling to reduce
the temperature. It can also mean that the conditions are approaching the outside limit of the allowed operating range. A
critical threshold can also be an upper critical (UC) threshold (such as a high temperature or high power level) or a lower
critical (LC) threshold (such as a low power level).

Critical alarm

Also called an IPMI non-recoverable (NR) alarm, it indicates that the system has detected a temperature or power level
that is outside of the allowed operating range and physical damage is possible.

Troubleshooting your installation

If your FortiGate does not function as desired after installation, try the following troubleshooting tips:
1. Check for equipment issues
Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for
information about connecting your FortiGate to the network.
2. Check the physical network connections
Check the cables used for all physical connections to ensure that they are fully connected and do not appear
damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that
device.

3. Verify that you can connect to the internal IP address of the FortiGate
Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the
internal interface IP address; for example, ping 192.168.1.99. If you cannot connect to the internal interface,
verify the IP configuration of the PC. If you can ping the interface but can't connect to the GUI, check the settings for
administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS
has been enabled for Administrative Access on the interface.
4. Check the FortiGate interface configurations
Check the configuration of the FortiGate interface connected to the internal network (under Network > Interfaces)
and check that Addressing mode is set to the correct mode.
5. Verify the security policy configuration
Go to Policy & Objects > Firewall Policy and verify that the internal interface to Internet-facing interface security
policy has been added and is located near the top of the policy list. Check the Active Sessions column to ensure that
traffic has been processed (if this column does not appear, right-click on the table header and select Active
Sessions). If you are using NAT mode, check the configuration of the policy to make sure that NAT is enabled and
that Use Outgoing Interface Address is selected.
6. Verify the static routing configuration
Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify
that the default route appears in the list as a static route. Along with the default route, you should see two routes
shown as Connected, one for each connected FortiGate interface.
7. Verify that you can connect to the Internet-facing interface’s IP address
Ping the IP address of the Internet-facing interface of your FortiGate. If you cannot connect to the interface, the
FortiGate is not allowing sessions from the internal interface to Internet-facing interface. Verify that PING has been
enabled for Administrative Access on the interface.
8. Verify that you can connect to the gateway provided by your ISP
Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact
your ISP to verify that you are using the correct gateway.
9. Verify that you can communicate from the FortiGate to the Internet
Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute
traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.
10. Verify the DNS configurations of the FortiGate and the PCs
Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping
www.fortinet.com.
If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that
the DNS server IP addresses are present and correct.
11. Confirm that the FortiGate can connect to the FortiGuard network
Once the FortiGate is on your network, you should confirm that it can reach the FortiGuard network. First, check the
License Information widget to make sure that the status of all FortiGuard services matches the services that you
have purchased. Go to System > FortiGuard, and, in the Filtering section, click Test Connectivity. After a minute, the
GUI should indicate a successful connection. Verify that your FortiGate can resolve and reach FortiGuard at
service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the
connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of
FortiGuard IP gateways you can connect to, as well as the following information:
• Weight: Based on the difference in time zone between the FortiGate and this server
• RTT: Return trip time
• Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
• TZ: Server time zone
• Curr Lost: Current number of consecutive lost packets
• Total Lost: Total number of lost packets

12. Consider changing the MAC address of your external interface
Some ISPs do not want the MAC address of the device connecting to their network cable to change. If you have
added a FortiGate to your network, you may have to change the MAC address of the Internet-facing interface using
the following CLI command:
config system interface
    edit <interface>
        set macaddr <xx:xx:xx:xx:xx:xx>
    next
end
13. Check the FortiGate bridge table (transparent mode)
When a FortiGate is in transparent mode, the unit acts like a bridge sending all incoming traffic out on the other
interfaces. The bridge is between interfaces on the FortiGate unit. Each bridge listed is a link between interfaces.
Where traffic is flowing between interfaces, you expect to find bridges listed. If you are having connectivity issues
and there are no bridges listed, that is a likely cause. Check for the MAC address of the interface or device in
question. To list the existing bridge instances on the FortiGate, use the following CLI command:
diagnose netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
14. Use FortiExplorer if you can’t connect to the FortiGate over Ethernet
If you can’t connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer. Refer to the
QuickStart Guide or see the section on FortiExplorer for more details.
15. Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance
To reset the FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted, type
y to confirm the reset.
If you require further assistance, visit the Fortinet Support website.

Zero touch provisioning

This section contains instructions for configuring zero touch provisioning:
• Zero touch provisioning with FortiDeploy on page 70
• Zero touch provisioning with FortiManager on page 72

Zero touch provisioning with FortiDeploy

You can use this feature only when the FortiGate boots up from factory reset.

Topology

FortiGate zero touch provisioning workflow

1. Add the FortiGate Cloud product key to the FortiGate Cloud portal so that the FortiGate serial number appears in
the portal.
2. Set up a configuration template with the basic configuration in the FortiGate Cloud portal.
3. Deploy the FortiGate to FortiGate Cloud with that template.
4. Ensure the FortiGate has an interface in default DHCP client mode and is connected to the ISP outlet.
5. Boot the FortiGate in factory reset. The FortiGate gets the DHCP lease so that it can access FortiGate Cloud in the
Internet and join FortiGate Cloud.
The FortiGate Cloud server checks that the FortiGate key is valid and then deploys the FortiGate to FortiGate
Cloud.
To prevent spoofing, FortiGate Cloud invalidates that key after a successful join.
6. Complete zero touch provisioning by obtaining the configuration from the platform template in the Cloud.
0:     set admintimeout 50
0: end
0: config system interface
0:     edit "wan1"
0:         set allowaccess ping ssh fgfm
0:     next
0:     edit "port1"
0:         set allowaccess ping
0:         set ip 1.1.1.1 255.255.255.0
0:     next
0:     edit "port2"
0:         set allowaccess ping
0:         set ip 2.2.2.2 255.255.255.0
0:     next
0: end

7. The FortiGate Cloud admin can change the template for different configuration requirements and then deploy the
updated template to the FortiGate.
For example, you can add a secondary DNS to the template and deploy it to FortiGate.

Zero touch provisioning with FortiManager

You can use this feature only when the FortiGate boots up from factory reset. This feature is for FortiGate devices that
cannot access the Internet.
A DHCP server includes option 240 and 241 which records FortiManager IP and domain name. FortiGate has an
interface with the default DHCP client mode that is connected to the DHCP server in the intranet.
The FortiManager admin can authorize the FortiGate the specific ADOMs and install specific configurations on the
FortiGate.
In the whole operation, you do not need to do any manual configuration on the FortiGate except connect to the DHCP
server. This is called zero touch deployment.
To prevent spoofing, if a different FortiManager IP comes from the DHCP server later, FortiGate does not change the
central management configuration.

Example of configuring DHCP server with option 240

config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 172.16.200.254
        set netmask 255.255.255.0
        set interface "wan1"
        config ip-range
            edit 2
                set start-ip 172.16.200.201
                set end-ip 172.16.200.209
            next
        end
        set timezone-option default
        config options
            edit 1
                set code 240
                set type ip
                set ip "172.18.60.115"
            next
        end
    next
end

FortiGate zero touch provisioning workflow

1. Boot the FortiGate in factory reset.
FG201E4Q17901047 # diagnose fdsm fmg-auto-discovery-status
dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=0

config-touched=0 means no configuration change from the default.

2. When FortiGate boots in factory reset, it gets the DHCP lease including IP, gateway, DNS, and the FortiManager
IP/URL. Central management is automatically configured by using FortiManager IP in option 240.
FG201E4Q17901047 # show system central-management
config system central-management
    set type fortimanager
    set fmg "172.18.60.115"
end

3. Once the FortiGate configuration has changed from factory defaults, the auto-discovery status shows
config-touched=1.
FG201E4Q17901047 # diagnose fdsm fmg-auto-discovery-status
dhcp: fmg-ip=172.18.60.115, fmg-domain-name='', config-touched=1(/bin/dhcpcd)

Example of a spoofing DHCP server with a fake FortiManager IP

config options
    edit 1
        set code 240
        set type ip
        set ip "172.18.60.117"
    next
end

After FortiGate reboots and gets DHCP renew, central management will not use the fake FortiManager IP because
config-touched=1 shows that the FortiGate is not in factory reset.
FG201E4Q17901047 # diagnose fdsm fmg-auto-discovery-status
dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=1(/bin/dhcpcd)

FG201E4Q17901047 # show system central-management
config system central-management
    set type fortimanager
    set fmg "172.18.60.115"
end
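To make the anti-spoofing behaviour described in this section concrete, here is an added Python model of the auto-discovery decision; it is this example's own code, not FortiOS code and not from this guide. The FortiManager address from DHCP option 240 (or the domain name from option 241) is accepted only while the configuration is untouched, and every later lease is ignored once config-touched is set, which is why the fake 172.18.60.117 above never replaces 172.18.60.115. The script also parses the `diagnose fdsm fmg-auto-discovery-status` lines shown above. Option numbers, addresses and status lines come from this section; the class and function names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the line printed by `diagnose fdsm fmg-auto-discovery-status`, e.g.
#   dhcp: fmg-ip=172.18.60.115, fmg-domain-name='', config-touched=1(/bin/dhcpcd)
STATUS_RE = re.compile(
    r"fmg-ip=(?P<ip>\d+\.\d+\.\d+\.\d+), fmg-domain-name='(?P<domain>[^']*)', "
    r"config-touched=(?P<touched>[01])"
)


def parse_auto_discovery_status(line):
    """Return the FortiManager IP, domain name and config-touched flag from one status line."""
    m = STATUS_RE.search(line)
    if not m:
        raise ValueError("unrecognised auto-discovery status line: %r" % line)
    return {
        "fmg_ip": m.group("ip"),
        "fmg_domain": m.group("domain"),
        "config_touched": m.group("touched") == "1",
    }


@dataclass
class CentralManagement:
    """Simplified model (this example's own, not FortiOS code) of the auto-discovery state."""
    fmg: Optional[str] = None      # configured FortiManager: IP (option 240) or domain (option 241)
    config_touched: bool = False   # False only while the unit is still at factory defaults

    def apply_dhcp_lease(self, option_240_ip=None, option_241_domain=None):
        """Apply the FortiManager address carried in a DHCP lease.

        Returns True when central management was configured from this lease.
        Once config-touched is set, every later lease is ignored, so a DHCP
        server that later offers a different FortiManager cannot redirect the unit.
        """
        if self.config_touched:
            return False
        target = option_240_ip or option_241_domain
        if target is None:
            return False
        self.fmg = target
        self.config_touched = True
        return True


def replay_leases(offered_ips):
    """Replay DHCP offers (option 240 values) against a factory-reset unit.

    Returns one (offered_ip, accepted, configured_fmg) tuple per offer.
    """
    cm = CentralManagement()
    trace = []
    for ip in offered_ips:
        accepted = cm.apply_dhcp_lease(option_240_ip=ip)
        trace.append((ip, accepted, cm.fmg))
    return trace


if __name__ == "__main__":
    # Constructed sequence: the legitimate FortiManager from the example above,
    # then the spoofed address from the fake DHCP server example.
    for offered, accepted, fmg in replay_leases(["172.18.60.115", "172.18.60.117"]):
        print("offered %s -> %s (fmg=%s)" % (offered, "accepted" if accepted else "ignored", fmg))
    print(parse_auto_discovery_status(
        "dhcp: fmg-ip=172.18.60.115, fmg-domain-name='', config-touched=1(/bin/dhcpcd)"))
```

The model deliberately keeps only two pieces of state, the configured FortiManager and the config-touched flag, because those are the two values the diagnose output exposes and the only ones the decision depends on.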

Dashboards and widgets

FortiOS includes predefined dashboards so administrators can easily monitor device inventory, security threats, traffic,
and network health. You can customize the appearance of a default dashboard to display data pertinent to your security
fabric, or combine widgets to create custom dashboards. Many dashboards also allow you to switch views between
fabric devices.
Each dashboard contains a set of widgets and monitors that allow you to view drill down data and take actions to prevent
threats. Use widgets to perform tasks such as viewing device inventory, creating and deleting DHCP reservations, and
disconnecting dial-up users. You can add or remove widgets to a dashboard, or save a widget as a standalone monitor.
This section contains the following topics:
• Using dashboards on page 75
• Using widgets on page 80
• Monitor dashboards and widgets on page 82
• FortiView on page 102

Using dashboards

You can use the dashboard GUI to view fabric devices in the security fabric. You can also combine widgets to create
custom dashboards.

To view downstream fabric devices in the GUI:

1. At the right side of dashboard, click the device dropdown and select a device.

The device dropdown is available in the Status, Security, Network, Users & Devices, and
WiFi dashboards. You can also enable the dropdown when you create a dashboard.

To create a new dashboard in the GUI:

1. Under Dashboard, click the Add Dashboard button. The Add Dashboard window opens.

2. Enter a name in the Name field and click OK. The new dashboard opens.

To add a widget to a dashboard in the GUI:

1. In the tree menu, select a dashboard.


2. (Optional) Click the device dropdown, and select a device in the network.
3. In the banner, click Add Widget. The Add Dashboard Widget window opens.
4. Click the Add button next to the widget. You can use the Search field to search for a widget. Click Show More to
view more widgets in a category.
5. Configure the widget settings and click Add Widget.
6. Click Close.

To delete a dashboard in the GUI:

1. Click the Actions menu at the right side of the dashboard and select Delete Dashboard.
2. Click Delete Dashboard. The Confirm window opens.
3. Click OK.

To edit a dashboard in the GUI:

1. Click the Actions menu at the right side of the dashboard and select Edit Dashboard.
2. Edit the dashboard and click OK.

Viewing device dashboards in the security fabric

Use the device dropdown in the built-in dashboards to quickly navigate between downstream fabric devices. You can
also create dedicated dashboards for fabric devices, or log in to and configure fabric devices.
To view fabric devices, click the device dropdown at the right side of the page, and select a device from the list.

The device dropdown is available in the Status, Security, Network, Users & Devices, and WiFi
dashboards. You can also enable the dropdown when you create a dashboard.

To log into a device from the device dropdown:

1. Hover over the device in the dropdown, and click Login. You are redirected to the device login page, or to the
System dashboard if you are already logged in.

To configure a device from the device dropdown:

1. Hover over the device in the dropdown, and click Configure. The Configure page opens.

Creating a fabric system and license dashboard

Create a dashboard summary page to monitor all the fabric devices in a single view. You can use the dashboard to
monitor aspects of the devices such as system information, VPN, and routing.

To create a system dashboard in the GUI:

1. Click the Add Dashboard button. The Add Dashboard window opens.

2. In the Name field, enter a name such as Fabric System & License, and click OK. The new dashboard appears.
3. In the banner, click Add Widget. The Add Dashboard Widget window opens. You can use the Search field to search
for a specific widget (for example, License Status, System Information, and Memory Usage).
4. Click the Add button next to the widget. The Add Dashboard Widget window opens.
5. In the Fabric member area, select Specify and select a device in the security fabric.
6. Click Add Widget. The widget is added to the dashboard.
Repeat this step for all the devices you want to view in the dashboard.
7. (Optional) Arrange the widgets in the dashboard by fabric device.

Using widgets

You can save a widget as a standalone monitor, change the view type, as well as configure tables and filter data.

To save a dashboard widget as a monitor:

1. Hover over a widget in the dashboard, and click Expand to Full Screen.
2. In the top menu, click the Save as Monitor icon. The Add Monitor window opens.

3. Enter a name for the monitor in the Name field, and click OK.

To view the widget settings:

1. Click the menu dropdown at the right side of the widget and select Settings.
2. Configure the widget settings and click OK.

The settings will vary depending on the widget.

To configure a table in the widget:

1. Hover over the left side of the table header and click the Configure Table icon.
2. Configure the table options.

Option                  Description

Best Fit All Columns    Resizes all of the columns in a table to fit their content.
Reset Table             Resets the table to the default view.
Select Columns          Adds or removes columns from the view.

3. Click Apply.

To filter or configure a column in a table:

1. Hover over a column heading, and click the Filter/Configure Column icon.
2. Configure the column options, and click Apply.

Option                  Description

Resize to Contents      Resizes the column to fit the content.
Group by this Column    Groups the table rows by the contents in the selected column.

3. To filter a column, enter a value in the Filter field, and click Apply.

Filtering is not supported in all the widgets.

Changing the default dashboard template

You can use the GUI to change the default dashboard template. The Optimal template contains a set of popular default
dashboards and FortiView monitors. The Comprehensive template contains a set of default dashboards as well as all
monitors and FortiViews. The Comprehensive template will be familiar to users coming from previous versions of
FortiOS.

Changing the default template will remove the dashboards and monitors you added and reset
the settings in the widgets.

To change the default in the GUI:

1. Click the Actions menu at the right side of Add Dashboard or Add Monitor and click Reset All Dashboards. The
Dashboard Setup window opens.

2. Select a default template and click OK.


The following dashboards and monitors are included in the default templates:

Optimal
    Dashboards
        • Status
        • Security
        • Network
        • Users & Devices
        • WiFi
    Monitors
        • FortiView Sources
        • FortiView Destinations
        • FortiView Applications
        • FortiView Web Sites
        • FortiView Policies
        • FortiView Sessions

Comprehensive
    Dashboards
        • Status
        • WiFi
    Monitors
        • FortiView Sources
        • FortiView Destinations
        • FortiView Applications
        • FortiView Web Sites
        • FortiView Threats
        • FortiView Compromised Hosts
        • FortiView Policies
        • FortiView Sessions
        • Device Inventory Monitor
        • Routing Monitor
        • DHCP Monitor
        • SD-WAN Monitor
        • FortiGuard Quota Monitor
        • IPsec Monitor
        • SSL-VPN Monitor
        • Firewall User Monitor
        • Quarantine Monitor
        • FortiClient Monitor
        • FortiAP Clients Monitor
        • Rogue APs Monitor

Monitor dashboards and widgets

Monitor dashboards and widgets allow you to view various states of your FortiGate pertaining to routing, VPN, DHCP,
devices, users, quarantine, and wireless connections.
The following default monitor dashboards are built into FortiOS:
• Network
• Users & Devices
• WiFi
Each built-in dashboard contains multiple widgets which can be expanded for detail view. To save a view as its own
monitor, click Save as Monitor at the right side of the banner.

For more information, see Using widgets on page 80.


To view the widgets available in each dashboard category, click Add Widget.

Category            Use these widgets to:

Users & Devices     • View users and devices connected to the network
                    • Identify threats from individual users and devices, and quarantine them
                    • View FortiGuard and FortiClient data
                    • Monitor traffic bandwidth over time

Network             • Monitor DHCP clients
                    • Monitor IPsec VPN connections
                    • Monitor current routing table
                    • Monitor SD-WAN status
                    • Monitor SSL-VPN connections

WiFi                • View FortiAP status, channel utilization, and clients
                    • View login failures and signal strength
                    • View the number of WiFi clients

Static & Dynamic Routing Monitor

The Static & Dynamic Routing Monitor displays the routing table on the FortiGate including all static and dynamic routing
protocols in IPv4 and IPv6. You can also use this monitor to view the firewall policy route.

To view the routing monitor in the GUI:

1. Go to Dashboard > Network.


2. Hover over the Routing widget, and click Expand to Full Screen. The Routing monitor opens.
3. To view the policy monitor, click the Policy tab.
4. To filter the Interfaces and Type columns:
a. Hover over the column heading, and click the Filter/Configure Column icon.
b. Click Group By This Column, then click Apply.
5. (Optional) Click Save as Monitor to save the widget as monitor.

To look up a route in the GUI:

1. Click Route Lookup.


2. Enter an IP address in the Destination field, then click Search. The matching route is highlighted on the Routing
monitor.

To view the routing table in the CLI:

# get router info routing-table all

Sample output:
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0

S*      0.0.0.0/0 [1/0] via 10.0.10.1, To-HQ-A
                  [1/0] via 10.0.12.1, To-HQ-MPLS
                  [1/0] via 10.10.11.1, To-HQ-B
                  [1/0] via 10.100.67.1, port1
                  [1/0] via 10.100.67.9, port2
C       10.0.10.0/24 is directly connected, To-HQ-A
C       10.0.10.2/32 is directly connected, To-HQ-A
C       10.0.11.0/24 is directly connected, To-HQ-B
C       10.0.11.2/32 is directly connected, To-HQ-B
C       10.0.12.0/24 is directly connected, To-HQ-MPLS
C       10.0.12.2/32 is directly connected, To-HQ-MPLS
C       10.1.0.0/24 is directly connected, port3
C       10.1.0.2/32 is directly connected, port3
C       10.1.0.3/32 is directly connected, port3
C       10.1.100.0/24 is directly connected, vsw.port6
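The route lookup that the GUI performs (Route Lookup, above) can be reproduced offline from the CLI output. The following Python script is an added example, not from this guide and not FortiOS code: it parses the `get router info routing-table all` output above (embedded as constructed input, with the legend trimmed), keeps every ECMP next hop of the default route, and performs a longest-prefix match for a destination address, which is useful when checking that a host is reached through the interface you expect. The function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the `get router info routing-table all` output shown above
# (legend trimmed to two lines).
SAMPLE_ROUTES = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default

Routing table for VRF=0

S*      0.0.0.0/0 [1/0] via 10.0.10.1, To-HQ-A
                  [1/0] via 10.0.12.1, To-HQ-MPLS
                  [1/0] via 10.10.11.1, To-HQ-B
                  [1/0] via 10.100.67.1, port1
                  [1/0] via 10.100.67.9, port2
C       10.0.10.0/24 is directly connected, To-HQ-A
C       10.0.10.2/32 is directly connected, To-HQ-A
C       10.0.11.0/24 is directly connected, To-HQ-B
C       10.0.11.2/32 is directly connected, To-HQ-B
C       10.0.12.0/24 is directly connected, To-HQ-MPLS
C       10.0.12.2/32 is directly connected, To-HQ-MPLS
C       10.1.0.0/24 is directly connected, port3
C       10.1.0.2/32 is directly connected, port3
C       10.1.0.3/32 is directly connected, port3
C       10.1.100.0/24 is directly connected, vsw.port6
"""

# First line of a route: code letters, optional "*" (candidate default), prefix, remainder.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2})(?P<star>\*)?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$"
)
# "[distance/metric] via gateway, interface"; also used on ECMP continuation lines.
NEXTHOP_RE = re.compile(r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>\S+),\s+(?P<iface>\S+)")
CONNECTED_RE = re.compile(r"is directly connected,\s+(?P<iface>\S+)")


def _nexthop(m):
    return {"ad": int(m.group("ad")), "metric": int(m.group("metric")),
            "gw": m.group("gw"), "iface": m.group("iface")}


def parse_routing_table(text):
    """Parse the routing table into a list of routes, each with a list of next hops."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and routes:
            # Continuation line: an additional ECMP next hop for the previous route.
            m = NEXTHOP_RE.search(line)
            if m:
                routes[-1]["nexthops"].append(_nexthop(m))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend, blank and "Routing table for VRF" lines
        route = {
            "code": m.group("code"),
            "candidate_default": m.group("star") is not None,
            "prefix": m.group("prefix"),
            "nexthops": [],
        }
        rest = m.group("rest")
        nh = NEXTHOP_RE.search(rest)
        conn = CONNECTED_RE.search(rest)
        if nh:
            route["nexthops"].append(_nexthop(nh))
        elif conn:
            # Connected routes print no [distance/metric]; FortiOS gives them distance 0.
            route["nexthops"].append({"ad": 0, "metric": 0, "gw": None, "iface": conn.group("iface")})
        routes.append(route)
    return routes


def lookup(routes, destination):
    """Longest-prefix match for `destination`, like the GUI Route Lookup; None if unrouted."""
    addr = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["prefix"], strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def default_route_interfaces(routes):
    """Interfaces the default route can use (several when ECMP is in effect)."""
    for route in routes:
        if route["prefix"] == "0.0.0.0/0":
            return [nh["iface"] for nh in route["nexthops"]]
    return []


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_ROUTES)
    print("default route via:", default_route_interfaces(table))
    print("10.0.10.5 ->", lookup(table, "10.0.10.5")["prefix"])
```

Longest-prefix matching is what makes 10.0.10.2 resolve to the /32 connected route rather than the enclosing /24, and 8.8.8.8 fall through to the five-way ECMP default; comparing the returned interface with the one you expected is a quick way to spot an unintended static or connected route.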

To look up a firewall route in the CLI:

# diagnose firewall proute list

Sample output:
list route policy info(vf=root):

id=0x7f450002 vwl_service=2(BusinessCritialCloudApp) vwl_mbr_seq=4 5 3 dscp_tag=0xff 0xff
flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=3
(port1) oif=4(port2) oif=18(To-HQ-MPLS)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(4): Microsoft.Office.365(4294837472,0,0,0, 33182) Microsoft.Office.Online
(4294837475,0,0,0, 16177) Salesforce(4294837976,0,0,0, 16920) GoToMeeting
(4294836966,0,0,0, 16354)
hit_count=0 last_used=2020-03-30 10:50:18

id=0x7f450003 vwl_service=3(NonBusinessCriticalCloudApp) vwl_mbr_seq=4 5 dscp_tag=0xff 0xff
flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=3
(port1) oif=4(port2)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): Facebook(4294836806,0,0,0, 15832) Twitter(4294838278,0,0,0, 16001)
hit_count=0 last_used=2020-03-30 10:50:18

id=0x7f450004 vwl_service=4(Ping-Policy) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0
tos=0x00 tos_mask=0x00 protocol=1 sport=0:65535 iif=0 dport=1-65535 oif=16(To-HQ-A)
oif=17(To-HQ-B)

DHCP monitor

The DHCP monitor displays all the addresses leased out by FortiGate's DHCP servers. You can use the monitor to
revoke an address for a device, or create, edit, and delete address reservations.

To view the DHCP monitor in the GUI:

1. Go to Dashboard > Network.


2. Hover over the DHCP widget, and click Expand to Full Screen.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To revoke a lease:

1. Select a device in the table.


2. In the toolbar, click Revoke, or right-click the device, and click Revoke. The Confirm window opens.
3. Click OK.

A confirmation window opens only if there is an associated address reservation. If there is no
address, the lease will be removed immediately upon clicking Revoke.

To create a DHCP reservation:

1. Select a server in the table.


2. In the toolbar, click Reservation, or right-click the device and click Create DHCP Reservation. The Create New
DHCP Reservation window opens.

3. Configure the DHCP settings.


4. Click OK.

To view top sources by bytes:

1. Right-click a device in the table and click Show in FortiView. The Top Sources by Bytes widget opens.

To view the DHCP lease list in the CLI:

# execute dhcp lease-list

IPsec monitor

The IPsec monitor displays all connected site-to-site VPNs and dial-up VPNs. You can use the monitor to bring a phase 2
tunnel up or down or disconnect dial-up users.

To view the IPsec monitor in the GUI:

1. Go to Dashboard > Network.


2. Hover over the IPsec widget, and click Expand to Full Screen.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To reset statistics:

1. Select a tunnel in the table.


2. In the toolbar, click Reset Statistics or right-click the tunnel, and click Reset Statistics. The Confirm window opens.
3. Click OK.

To bring a tunnel up:

1. Select a tunnel in the table.


2. Click Bring Up, or right-click the tunnel, and click Bring Up. The Confirm window opens.
3. Click OK.

To bring a tunnel down:

1. Select a tunnel in the table.


2. Click Bring Down, or right-click the tunnel, and click Bring Down. The Confirm window opens.
3. Click OK.

To locate a tunnel on the VPN Map:

1. Select a tunnel in the table.


2. Click Locate on VPN Map, or right-click the tunnel, and click Locate on VPN Map. You are taken to VPN > VPN
Location Map.

To view the IPsec monitor in the CLI:

# diagnose vpn tunnel list

Sample output:
list all ipsec tunnel in vd 0
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc
accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev
frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048
       seqno=2c5e esn=0 replaywin_lastseq=00002ea3 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=1773/1800
  dec: spi=700c9198 esp=aes key=16 ebd04605de6148c8a92ced48b30930fa
       ah=sha1 key=20 5f0201f67d7c714a046025a1df41d40376437f6a
  enc: spi=5aaccc20 esp=aes key=16 13d5d4b46e5e9c42eef509f2d9879188
       ah=sha1 key=20 2dde67ef7a2a78b622d9a7ec6d75ad3c55d241e1
  dec:pkts/bytes=11938/5226964, enc:pkts/bytes=11357/1312184
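Output like the above is routinely pasted into tickets and chat, and the `dec:`/`enc:` lines carry the live SA keys. The following Python script is an added example, not from this guide and not FortiOS code: it parses the `diagnose vpn tunnel list` output (a trimmed copy of the sample above, embedded as constructed input) into one record per tunnel with its IKE version, mode, packet and byte counters and SA lifetime, lists tunnels that have passed no traffic, and redacts the key material before the text is shared. The function names are the example's own.

```python
import re

# Constructed sample: a trimmed copy of the `diagnose vpn tunnel list` output above.
SAMPLE_TUNNELS = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc
accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev
frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=1773/1800
  dec: spi=700c9198 esp=aes key=16 ebd04605de6148c8a92ced48b30930fa
       ah=sha1 key=20 5f0201f67d7c714a046025a1df41d40376437f6a
  enc: spi=5aaccc20 esp=aes key=16 13d5d4b46e5e9c42eef509f2d9879188
       ah=sha1 key=20 2dde67ef7a2a78b622d9a7ec6d75ad3c55d241e1
  dec:pkts/bytes=11938/5226964, enc:pkts/bytes=11357/1312184
"""

HEADER_RE = re.compile(
    r"^name=(?P<name>\S+) ver=(?P<ver>\d+) serial=(?P<serial>\d+) "
    r"(?P<local>[\d.]+):\d+->(?P<remote>[\d.]+):\d+"
)
STAT_RE = re.compile(r"^stat: rxp=(?P<rxp>\d+) txp=(?P<txp>\d+) rxb=(?P<rxb>\d+) txb=(?P<txb>\d+)")
MODE_RE = re.compile(r"\bmode=(?P<mode>\S+)")
SA_COUNT_RE = re.compile(r"\bsa=(?P<sa>\d+)")
LIFE_RE = re.compile(r"timeout=(?P<elapsed>\d+)/(?P<limit>\d+)")
# "key=<len> <hex>" on the dec:/enc: and ah= lines is the live SA key material.
KEY_RE = re.compile(r"(key=\d+ )[0-9a-fA-F]+")


def parse_tunnel_list(text):
    """Parse tunnel list output into one record per tunnel."""
    tunnels, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"name": m.group("name"), "ike_version": int(m.group("ver")),
                   "serial": int(m.group("serial")), "local": m.group("local"),
                   "remote": m.group("remote"), "mode": None,
                   "rxp": 0, "txp": 0, "rxb": 0, "txb": 0,
                   "sa_count": 0, "sa_timeout": None}
            tunnels.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("bound_if="):
            mm = MODE_RE.search(line)
            cur["mode"] = mm.group("mode") if mm else None
        elif line.startswith("stat:"):
            mm = STAT_RE.match(line)
            if mm:
                for key in ("rxp", "txp", "rxb", "txb"):
                    cur[key] = int(mm.group(key))
        elif line.startswith("proxyid="):
            mm = SA_COUNT_RE.search(line)
            if mm:
                cur["sa_count"] += int(mm.group("sa"))
        elif line.startswith("life:"):
            mm = LIFE_RE.search(line)
            if mm:
                cur["sa_timeout"] = (int(mm.group("elapsed")), int(mm.group("limit")))
    return tunnels


def tunnels_without_traffic(tunnels):
    """Names of tunnels that have neither received nor sent packets."""
    return [t["name"] for t in tunnels if t["rxp"] == 0 and t["txp"] == 0]


def redact_keys(text):
    """Replace SA key bytes with a placeholder so the output can be shared."""
    return KEY_RE.sub(r"\1<redacted>", text)


if __name__ == "__main__":
    parsed = parse_tunnel_list(SAMPLE_TUNNELS)
    for t in parsed:
        print(t["name"], "IKEv%d" % t["ike_version"], t["mode"], "rx/tx pkts:", t["rxp"], t["txp"])
    print("tunnels with no traffic:", tunnels_without_traffic(parsed))
    print(redact_keys(SAMPLE_TUNNELS))
```

The redaction keeps the SPI values and counters, which are what a reviewer needs to correlate the two ends of a tunnel, and removes only the hex key bytes that follow `key=<length>`.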

SSL-VPN monitor

The SSL-VPN monitor displays user logins and active connections. You can use the monitor to disconnect a specific
connection.

To view the SSL-VPN monitor in the GUI:

1. Go to Dashboard > Network.


2. Hover over the SSL-VPN widget, and click Expand to Full Screen.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To disconnect a user:

1. Select a user in the table.


2. In the table, right-click the user, and click End Session. The Confirm window opens.
3. Click OK.

To monitor SSL-VPN users in the CLI:

# get vpn ssl monitor

Sample output:
SSL VPN Login Users:
 Index   User        Group   Auth Type   Timeout   From            HTTP in/out        HTTPS in/out
 0       amitchell   TAC     1(1)        296       10.100.64.101   3838502/11077721   0/0
 1       mmiles      Dev     1(1)        292       10.100.64.101   4302506/11167442   0/0

SSL VPN sessions:
 Index   User   Group   Source IP   Duration   I/O Bytes   Tunnel/Dest IP

Firewall Users Monitor

The Firewall Users monitor displays all firewall users currently logged in. You can use the monitor to diagnose user-
related logons or to highlight and deauthenticate a user.

To view the Firewall Users monitor in the GUI:

1. Go to Dashboard > Users & Devices.


If you are using the Comprehensive dashboard template, go to Dashboard > Firewall User Monitor. See Changing
the default dashboard template on page 81.
2. Hover over the Firewall Users widget, and click Expand to Full Screen.
3. To show FSSO logons, click Show all FSSO Logons at the top right of the page.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To deauthenticate a user:

1. (Optional) Use the Search field to search for a specific user.


2. In the toolbar, click Deauthenticate, or right-click the user, and click Deauthenticate. The Confirm window opens.
3. Click OK.

To view firewall users in the CLI:

# diagnose firewall auth list

Implement a user device store to centralize device data

Device data collected from different daemons is centralized in a user device store for quick access and performance.
Thousands of devices can be displayed in the GUI in seconds. The maximum number of devices and users that are
stored in the database can be configured.
For example, go to Dashboard > Users & Devices and expand the Device Inventory widget.


To configure the maximum number of devices and users that are stored in the database:

config system global
    set user-device-store-max-devices <value>
    set user-device-store-max-users <value>
end

To view the user or device session information stored on disk:

• List all records:
    diagnose user-device-store {device | user} disk list
• Query by SQL WHERE clause:
    diagnose user-device-store {device | user} disk query <SQL WHERE clause>

To view the user or device session information held in memory:

• List all records:
    diagnose user-device-store {device | user} memory list
• Query by username or IP address:
    diagnose user-device-store {device | user} memory query {ip | username} <value>

WiFi Dashboard

The WiFi Dashboard is one of the default monitor dashboards built into FortiOS. It allows you to view FortiAP status,
channel utilization, WiFi clients and associated information, login failures and signal strength, and so on.
Go to Dashboard > WiFi to access the WiFi Dashboard:


You can customize the WiFi dashboard to suit your requirements. For more about using and modifying dashboards
and widgets, see Dashboards and widgets on page 75.
This section describes the following monitors available for the WiFi Dashboard:
• FortiAP Status monitor on page 91
• Clients by FortiAP monitor on page 93

FortiAP Status monitor

The FortiAP Status monitor displays the status and the channel utilization of the radios of FortiAP devices connected to a
FortiGate. It also provides access to tools to diagnose and analyze connected APs.

To view the FortiAP Status monitor in the GUI:

1. Go to Dashboard > WiFi.
2. Hover over the FortiAP Status widget, and click Expand to Full Screen. The FortiAP Status monitor opens.
3. (Optional) Click Save as Monitor to save the widget as a monitor.


To view the Diagnostics and Tools menu in the GUI:

1. Right-click an access point entry in the table on the FortiAP Status monitor page.
2. Click Diagnostics and Tools. The Diagnostics and Tools dialog for the selected FortiAP device slides in.
3. Click the tabs in the Diagnostics and Tools dialog, such as Clients, Spectrum Analysis, and VLAN Probe, to monitor
   and analyze the FortiAP device.
The Diagnostics and Tools dialog is similar to the device dialog in WiFi & Switch Controller > Managed FortiAPs. To
learn more about the tabs and their functions, see Support for spectrum analysis of FortiAP E models, VLAN
probe report, and Standardize wireless health metrics.


Clients by FortiAP monitor

The Clients by FortiAP monitor allows you to view detailed information about the health of individual WiFi connections in
the network. It also provides access to tools to diagnose and analyze connected wireless devices.

To view the Clients by FortiAP monitor in the GUI:

1. Go to Dashboard > WiFi.
2. Hover over the Clients by FortiAP widget, and click Expand to Full Screen. The Clients by FortiAP monitor opens.
3. (Optional) Click Save as Monitor to save the widget as a monitor.


To view the summary page for a wireless client in the GUI:

1. Select a client entry in the table on the Clients by FortiAP monitor page.
2. Right-click the selected client entry and select Diagnostics and Tools. The summary dialog for the selected client
   slides in.
3. Click Quarantine to quarantine the selected wireless client, or Disassociate to disassociate it.
From the summary page, the Health section displays the overall health for the wireless connection. The overall health of
the connection is:


• Good if all three conditions are rated Good
• Fair or Poor if any one of the three conditions is Fair or Poor, respectively; the worst-rated condition decides

Condition                     Value range
Signal Strength               Good: above -56 dBm
                              Fair: between -56 dBm and -75 dBm
                              Poor: below -75 dBm
Signal-to-Noise Ratio (SNR)   Good: above 39 dB
                              Fair: between 20 dB and 39 dB
                              Poor: below 20 dB
Band                          Good: 5 GHz band
                              Fair: 2.4 GHz band
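The health rule above is a worst-of-three classification. The following Python is an added example, not FortiOS code, that implements it over a batch of constructed client readings so you can see which clients the dashboard would report as Fair or Poor. The thresholds are those in the table; the page does not say how a reading that sits exactly on a boundary (-56 dBm, -75 dBm, 39 dB, 20 dB) is rated, so this code assigns boundaries to the better rating. That choice, and the sample MAC addresses, are assumptions of this example.

```python
# Added example (not FortiOS code): the overall-health rule from the table
# above, applied to constructed client readings.
# Boundary handling is an assumption of this example: the page does not say
# how a reading exactly on a threshold is rated, so boundaries go to the
# better rating (>= -56 dBm is Good, >= -75 dBm is Fair; SNR likewise).
GOOD, FAIR, POOR = "Good", "Fair", "Poor"
RANK = {GOOD: 0, FAIR: 1, POOR: 2}  # higher rank is worse

def rate_signal(rssi_dbm):
    """Signal strength: Good above -56 dBm, Fair down to -75 dBm, Poor below."""
    if rssi_dbm >= -56:
        return GOOD
    if rssi_dbm >= -75:
        return FAIR
    return POOR

def rate_snr(snr_db):
    """Signal-to-noise ratio: Good above 39 dB, Fair down to 20 dB, Poor below."""
    if snr_db >= 39:
        return GOOD
    if snr_db >= 20:
        return FAIR
    return POOR

def rate_band(band):
    """Band: 5 GHz is Good, 2.4 GHz is Fair. Accepts '5G', '5GHz', '2.4G', ..."""
    key = str(band).lower().replace("ghz", "").replace("g", "").strip()
    if key == "5":
        return GOOD
    if key == "2.4":
        return FAIR
    raise ValueError(f"unknown band: {band!r}")

def overall_health(rssi_dbm, snr_db, band):
    """Return (overall, per-condition ratings). Overall is the worst of the
    three conditions, as the page describes."""
    ratings = {
        "signal": rate_signal(rssi_dbm),
        "snr": rate_snr(snr_db),
        "band": rate_band(band),
    }
    overall = max(ratings.values(), key=RANK.__getitem__)
    return overall, ratings

# Constructed sample readings (not from a real FortiAP).
SAMPLE_CLIENTS = [
    {"mac": "00:11:22:33:44:01", "rssi": -48, "snr": 45, "band": "5G"},
    {"mac": "00:11:22:33:44:02", "rssi": -60, "snr": 30, "band": "5G"},
    {"mac": "00:11:22:33:44:03", "rssi": -50, "snr": 44, "band": "2.4G"},
    {"mac": "00:11:22:33:44:04", "rssi": -80, "snr": 12, "band": "5G"},
]

def clients_by_health(clients):
    """Group client MACs by overall health."""
    groups = {GOOD: [], FAIR: [], POOR: []}
    for c in clients:
        overall, _ = overall_health(c["rssi"], c["snr"], c["band"])
        groups[overall].append(c["mac"])
    return groups

if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        overall, ratings = overall_health(c["rssi"], c["snr"], c["band"])
        print(f"{c['mac']}: {overall} {ratings}")
```

Note that a strong, clean signal on 2.4 GHz still rates no better than Fair, because the band condition caps the overall result; the per-condition ratings returned alongside the overall value tell you which condition is the limiting one.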

The summary page also has the following FortiView tabs:
• Performance
• Applications
• Destinations
• Policies
• Logs

The Clients by FortiAP monitor is a drilled-down version of the WiFi & Switch Controller > WiFi Clients page.

Device inventory

You can enable device detection to allow FortiOS to monitor your networks and gather information about devices
operating on those networks, including:
• MAC address
• IP address
• Operating system
• Hostname
• Username
• When FortiOS detected the device and on which interface
You can enable device detection separately on each interface in Network > Interfaces.
Device detection is intended for devices directly connected to your LAN ports. If enabled on a WAN port, device
detection may be unable to determine the OS on some devices. You can enable active scanning on the interface to find
hosts whose device types FortiOS cannot determine passively.
You can also manually add devices to Device Inventory to ensure that a device with multiple interfaces displays as a
single device.

To view the device inventory monitor in the GUI:

1. Go to Dashboard > Users & Devices.
   If you are using the Comprehensive dashboard template, go to Dashboard > Device Inventory Monitor. See
   Changing the default dashboard template on page 81.
2. Hover over the Device Inventory widget, and click Expand to Full Screen. The Device Inventory pane appears.


To filter or configure a column in the table, hover over the column heading, and click
Filter/Configure Column. See Device inventory and filtering on page 98.

Device inventory and filtering

The Device Inventory widget contains a series of summary charts that provide an overview of the hardware, operating
system, status, and interfaces. You can use these clickable charts to simplify filtering among your devices.

To view the device inventory and apply a filter:

1. Go to Dashboard > Users & Devices.
   If you are using the Comprehensive dashboard template, go to Dashboard > Device Inventory Monitor. See
   Changing the default dashboard template on page 81.
2. Hover over the Device Inventory widget, and click Expand to Full Screen. The Device Inventory pane appears.
3. To arrange the charts by operating system, click the dropdown in the top menu bar and select Software OS.
4. To filter by a chart, click an item in its legend or chart area. The table displays the filter results.
5. To combine filters, hover over a column heading and click Filter/Configure Column.
6. To remove a filter, click the filter icon in the top-right corner of the chart.


Filter examples

To filter all Linux devices:

1. In the Software OS chart, click Linux.

To filter all offline devices:

1. In the Status chart, click Offline.

To filter all devices discovered on port4:

1. In the Interfaces chart, click port4.
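The chart filters above are AND-combined selections over the same device records that the on-disk store exposes to diagnose user-device-store ... disk query through an SQL WHERE clause. The following Python is an added example, not FortiOS code, that models such an inventory in SQLite, runs the three filters above and their combination as parameterised WHERE clauses, and keeps the clause text separate from the values so that an operator-supplied value cannot alter the query. The column names and the device rows are constructed for this example; the page does not document the store's real schema.

```python
# Added example (not from the FortiOS guide and not FortiOS code): a small
# SQLite model of the device inventory, used to run the kind of WHERE clause
# that "diagnose user-device-store device disk query <SQL WHERE clause>"
# accepts, and to combine the dashboard's chart filters with AND.
# The column names and the rows below are assumptions made for this example.
import sqlite3

# Constructed sample inventory: (mac, ip, os, hostname, status, interface).
DEVICES = [
    ("00:11:22:aa:bb:01", "10.0.4.10", "Linux",   "build01",   "online",  "port4"),
    ("00:11:22:aa:bb:02", "10.0.4.11", "Windows", "laptop-01", "offline", "port4"),
    ("00:11:22:aa:bb:03", "10.0.3.5",  "Linux",   "nas",       "online",  "port3"),
    ("00:11:22:aa:bb:04", "10.0.4.12", "Linux",   "pi",        "offline", "port4"),
]

FILTER_COLUMNS = ("os", "status", "interface")  # the three chart filters

def build_store(rows=DEVICES):
    """Create an in-memory device table and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE device ("
        "mac TEXT PRIMARY KEY, ip TEXT, os TEXT, hostname TEXT, status TEXT, interface TEXT)"
    )
    con.executemany("INSERT INTO device VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con

def query(con, where, params=()):
    """Return hostnames matching a WHERE clause. The clause text is fixed by
    the caller; values travel as bound parameters, never spliced into it."""
    sql = "SELECT hostname FROM device WHERE " + where + " ORDER BY hostname"
    return [row[0] for row in con.execute(sql, params)]

def filter_devices(con, **selections):
    """AND-combine chart selections, e.g. filter_devices(con, os='Linux', status='offline')."""
    clauses, params = [], []
    for column, value in selections.items():
        if column not in FILTER_COLUMNS:
            raise ValueError(f"not a chart filter: {column}")
        clauses.append(f"{column} = ?")
        params.append(value)
    return query(con, " AND ".join(clauses) or "1 = 1", params)

if __name__ == "__main__":
    con = build_store()
    print("Linux:", filter_devices(con, os="Linux"))
    print("offline:", filter_devices(con, status="offline"))
    print("port4:", filter_devices(con, interface="port4"))
    print("Linux + offline + port4:",
          filter_devices(con, os="Linux", status="offline", interface="port4"))
    # A raw clause with a bound value, as you would type one at the diagnose prompt:
    print("raw WHERE:", query(con, "ip LIKE ?", ("10.0.4.%",)))
```

The whitelist in filter_devices is the point of the example: only known column names reach the SQL text, and every value is a bound parameter, so a hostname or OS string containing a quote cannot change what the query does.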

Adding MAC-based addresses to devices

Assets detected by device detection appear in the Device Inventory widget. You can manage policies around devices by
adding a new device object (MAC-based address) to a device. Once you add the MAC-based address, the device can be
used in address groups or directly in policies.

To add a MAC-based address to a device:

1. Go to Dashboard > Users & Devices.
   If you are using the Comprehensive dashboard template, go to Dashboard > Device Inventory Monitor. See
   Changing the default dashboard template on page 81.
2. Hover over the Device Inventory widget, and click Expand to Full Screen. The Device Inventory monitor opens.


3. Click a device and then click Firewall Device Address.
4. (Optional) In the Name field, give the device a descriptive name.
   Use the Name field to assign a descriptive name to a device so it is easier to find in the Device column. After
   you finish configuring the device, refresh the page to see the new name in the dashboard.


5. Click OK. The MAC address icon appears in the Address column next to the device name.

FortiView

FortiView is the FortiOS log view tool and comprehensive monitoring system for your network. FortiView integrates real-
time and historical data into a single view on your FortiGate. It can log and monitor network threats, keep track of
administration activities, and more.
Use FortiView dashboards and widgets to investigate traffic activity such as user uploads and downloads, or videos
watched on YouTube. You can view the traffic on the whole network, by user group or by individual. FortiView displays
the information in both text and visual format, giving you an overall picture of your network traffic activity so that you can
quickly decide on actionable items.
FortiView is integrated with many UTM functions and each release adds more features. For example, you can
quarantine an IP address directly in FortiView or create custom devices and addresses from a FortiView entry.

The logging range and depth will depend on the FortiGate model.

FortiView monitors and widgets

FortiView dashboards and widgets are available in the tree menu under the Dashboards module. The module contains
several core dashboards for the top categories. Non-core FortiView pages are available as widgets that can be added to
the dashboards. You can also use non-core pages to create standalone monitors.


Core FortiView dashboards

The following core dashboards are available in the tree menu under the Dashboard console:

Dashboard                Usage
FortiView Sources        Displays Top Sources by traffic volume and drilldown by Source.
FortiView Destinations   Displays Top Destinations by traffic volume and drilldown by Destination.
FortiView Applications   Displays Top Applications by traffic volume and drilldown by Application.
FortiView Websites       Displays Top Websites by session count and drilldown by Domain.
FortiView Policies       Displays Top Policies by traffic volume and drilldown by Policy number.
FortiView Sessions       Displays Top Sessions by traffic source and can be used to end sessions.

Usage is based on default settings. The pages may be customized further and sorted by other fields.

You can quarantine a host and ban an IP from all of the core FortiView monitors.

FortiView widgets

FortiView widgets allow you to create custom dashboards to monitor vulnerabilities, scan summaries, and top items from
selected FortiView categories. You can also customize widgets to show information that is most important to you, such
as the time range, source logging device, and other information. For more information, see Adding FortiView widgets
on page 104.


Adding FortiView widgets

Non-core FortiView pages are available in the Add Dashboard window. You can add a FortiView widget to a dashboard
or save the widget as a monitor.

You cannot add widgets to a core FortiView monitor.

To add a FortiView widget in the GUI:

1. In the tree menu, select a dashboard and click Add Widget.
2. In the FortiView section, click Add next to a widget. You can use the Search field to search for a specific widget or
   click Show More to view more widgets.
3. In the Fabric member area, click Default or Specify to select a FortiGate device in the Security Fabric.
4. From the Time Period dropdown, select the time period. This option is not available in all widgets.
5. In the Visualization area, select Table View or Bubble Chart.
6. From the Sort By dropdown, select the sorting method.
7. Click Add Widget.

Widgets by category

Usage is based on the default settings. The widgets may be customized further and sorted by other fields.

LAN/DMZ

Widget                        Sort by                                         Usage
Applications                  Bytes/Sessions/Bandwidth/Packets                Displays top applications and drilldown by application.
Cloud Applications            Bytes/Sessions/Files(Up/Down)                   Displays top cloud applications and drilldown by application.
Cloud Users                   Bytes/Sessions/Files(Up/Down)                   Displays top cloud users and drilldown by cloud user.
Compromised Hosts             Verdict                                         Displays compromised hosts and drilldown by source.
Countries/Regions             Bytes/Sessions/Bandwidth/Packets                Displays top countries/regions and drilldown by country/region.
Destination Firewall Objects  Bytes/Sessions/Bandwidth/Packets                Displays top destination firewall objects and drilldown by destination object.
Destination Owners            Bytes/Sessions/Bandwidth/Packets                Displays top destination owners and drilldown by destination.
Destinations                  Bytes/Sessions/Bandwidth/Packets                Displays top destinations and drilldown by destination.
Search Phrases                Count                                           Displays top search phrases and drilldown by search phrase.
Source Firewall Objects       Bytes/Sessions/Bandwidth/Packets                Displays top source firewall objects and drilldown by source object.
Sources                       Bytes/Sessions/Bandwidth/Packets                Displays top sources and drilldown by source.
Threats                       Threat Level/Threat Score/Sessions              Displays top threats and drilldown by threat.
Traffic Shaping               Dropped Bytes/Bytes/Sessions/Bandwidth/Packets  Displays top traffic shapers and drilldown by shaper.
Web Categories                Bytes/Sessions/Bandwidth/Packets                Displays top web categories and drilldown by category.
Web Sites                     Bytes/Sessions/Bandwidth/Packets                Displays top web sites and drilldown by domain.
WiFi Clients                  Bytes/Sessions                                  Displays top WiFi clients and drilldown by source.

WAN

Widget Sort by Usage

Servers Bytes/Sessions/Bandwidth/Packets Displays top servers and drilldown by server address.

Sources Bytes/Sessions/Bandwidth/Packets Displays top sources and drilldown by device.

Threats Threat Level/Threat Score/Sessions Displays top threats and drilldown by threat.

All Segments

Widget                        Sort by                                     Usage
Admin Logins                  Configuration Changes/Logins/Failed Logins  Displays top admin logins by username.
Destination Interfaces        Bytes/Sessions/Bandwidth/Packets            Displays top destination interfaces by destination interface.
Endpoint Vulnerabilities      Severity                                    Displays top endpoint vulnerabilities by vulnerability name.
Failed Authentication         Failed Attempts                             Displays top failed authentications by failed authentication source.
FortiSandbox                  Files Submitted                             Displays top FortiSandbox files by file name.
Interface Pairs               Bytes/Sessions/Bandwidth/Packets            Displays top interface pairs by source interface.
Policies                      Bytes/Sessions/Bandwidth/Packets            Displays top policies by policy.
Source Interfaces             Bytes/Sessions/Bandwidth/Packets            Displays top source interfaces by source interface.
System Events                 Level/Events                                Displays top system events by event name.
VPN                           Connections/Bytes                           Displays top VPN connections by user.
Vulnerable Endpoint Devices   Detected Vulnerabilities                    Displays top vulnerable endpoint devices by device.

A maximum of 25 interfaces can be monitored at one time on a device.

VDOMs and dashboards

Dashboards are created per VDOM when VDOM mode is enabled. Some features and widgets are not available
depending on Multi or Split-task VDOM mode.

Multi-VDOM mode

The following widgets and dashboard setting are not available in Multi-VDOM mode because it does not support the
Security Fabric:
• Security Fabric related widgets
• FortiGate Selection option

Split-task mode

Split-task VDOM mode is limited to two VDOMs, the root VDOM and the FortiGate traffic VDOM. The root VDOM is for all
management related settings and the FortiGate traffic VDOM is for all traffic related settings.
The FortiGate Selection option is available when you create a dashboard in Split-Task VDOM mode.
For information about VDOM modes, see Virtual Domains on page 917.

Examples

When VDOM mode is disabled, the FortiGate Selection option is available in the Add Dashboard window.

When Multi-VDOM mode is enabled, the FortiGate Selection option is not available in the Add Dashboard window.

When Multi-VDOM mode is disabled, all the widgets in the Add Dashboard Widget menu are enabled.

When Multi-VDOM mode is enabled, the Security Fabric Status widget is disabled.

FortiView interface

Use the FortiView interface to customize the view and visualizations within a dashboard to find the information you are
looking for. The tools in the top menu bar allow you to change the time display, refresh the data, customize the data
source, and filter the results. You can also right-click a table in the dashboard to view drilldown information for an entry.


Top menu bar

The top menu bar contains the following settings:


• A time display dropdown to switch between current and historical data.
• A Refresh button to update the displayed data.
• A Settings dropdown to change the information shown on the dashboard.

Time period display

Use the time display dropdown to select the time period to display on the current dashboard. Time display options vary
depending on the dashboard and can include current information (now) and historical information (1 hour, 24 hours, and
7 days).

Disk logging or remote logging must be enabled to view historical information.

You can use a chart to create a custom time display by selecting the time range with your cursor.

The icon next to the time period identifies the data source (FortiGate Disk, FortiAnalyzer, or FortiGate Cloud). You can
hover over the icon to see a description of the device.

View settings

Use the Settings menu to change the data source, sort by information, and visualization.


To change the widget settings:

1. Click the dropdown menu at the right side of the top menu bar, and select Settings.
2. Configure the widget settings, and click OK.

The Data Source dropdown only appears when the FortiGate is connected to another data source.

For information about widget settings, see Adding FortiView widgets on page 104.

For dashboards with multiple widgets, you cannot access the settings dropdown when the
widget is expanded to full screen. To change the settings, click the back button to return to the
dashboard, and click the dropdown.

Data source

FortiView gathers information from a variety of data sources. If no log disk or remote logging is configured, the data is
drawn from the FortiGate's session table and the Time Period is fixed at Now.


Other data sources that can be configured are:


• FortiGate (disk)
• FortiAnalyzer
• FortiGate Cloud

When Data Source is set to Best Available Device, FortiAnalyzer is selected when available,
then FortiGate Cloud, and then FortiGate Disk.

Display types

Display types include table view, bubble charts, and country maps. Not all display types are supported by all
dashboards.

Bubble charts

Bubble charts allow you to sort information using the Compare By dropdown menu. The size of each bubble represents
the relative amount of data. Hover over a bubble to display a tooltip with detailed information on that item, and click a
bubble to drill down into greater detail.

Country maps

Country maps display traffic activity as regions on a map. Hover over the highlighted region to view information about the
entry. You can also compare data by Bytes, Sessions, Bandwidth, and Packets. Country maps are not available in all
dashboards and widgets.


Table view

Table view displays traffic activity as a graph and a table. To hide the graph, click Close at the top right corner of the
graph. To show it again, click Show Graph.

Source view

Time
• Now entries are determined by the FortiGate's system session list.
• Historical entries (1 hour or later) are determined by traffic logs, with additional information coming from UTM logs.
  The dropdown only offers Now if the FortiGate has no log disk.

Graph
• The graph shows the bytes sent/received in the time frame.
• Users can customize the time frame by selecting a time period within the graph.

Columns
• Source shows the IP address (and the user and user avatar, if configured) of the source device.
• Device shows the device information as listed in the Device Inventory widget. Device detection should be enabled on
  the applicable interfaces for best results. For information about adding widgets, see Using widgets on page 80.
• Threat Score is the threat score of the source based on UTM features such as Web Filter and antivirus. It shows
  threat scores allowed and threat scores blocked.
• Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list; in historical view it
  comes from logs.
• Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list; in historical view it
  comes from logs.
• Source is a simplified version of the first column, including only the IP address without extra information.
• Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list;
  in historical view it comes from the logs.
• FortiGate is the name of the Security Fabric device.
• More information can be shown in a tooltip while hovering over these entries.
• In realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.

Hover over linked items in an entry to view additional information. Some information windows provide links to other areas
of FortiOS such as the application signatures page.

To select the columns displayed in a table, hover over the header in the first column, and click the configure table icon.

Drilldown information

Double-click or right-click an entry in a FortiView dashboard and select Drill Down to Details to view additional details
about the selected traffic activity. Click the Back icon in the toolbar to return to the previous view.
You can group drilldown information into different drilldown views. For example, you can group the drilldown information
in the Top FortiView Destinations dashboard by Sources, Applications, Threats, and Policies.


Double-click an entry to open the Sessions view for it, then double-click a session to view its log.

Graph
• The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
• Users can customize the time frame by selecting a time period within the graph.

Summary Information
• Shows information such as the user/avatar, source IP, bytes, and total sessions for the time period.
• Can quarantine the host (access layer quarantine) if it is behind a FortiSwitch or FortiAP.
• Can ban IP addresses, which adds the source IP address to the quarantine list.

Tabs
• Drilling down on entries in any of these tabs (except the Sessions tab) takes you to the underlying traffic log in
  the Sessions tab.
• Applications shows a list of the applications attributed to the source IP. This can include scanned applications
  (using Application Control in a firewall policy) or unscanned applications. To include unscanned applications:
      config log gui-display
          set fortiview-unscanned-apps enable
      end
• Destinations shows destinations grouped by IP address/FQDN.
• Threats lists the threats caught by UTM profiles. These can come from antivirus, IPS, Web Filter, Application
  Control, and so on.
• Web Sites contains the websites that were detected either by the Web Filter or through the FQDN in traffic logs.
• Web Categories groups entries into their categories as defined by the Web Filter database.
• Policies groups the entries by the policies they passed through or were blocked by.
• Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing
  the underlying log in this tab.
• Search Phrases shows search phrases entered on search engines, captured by a Web Filter UTM profile with deep
  inspection enabled in the firewall policy.
• More information can be shown in a tooltip while hovering over these entries.

To view matching logs or download a log, click the Security tab in Log Details.

FortiView from disk

FortiView from disk is available on all FortiGates with an SSD disk.

Restrictions

Model                                      Supported view
Desktop models (100 series) with SSD       Five minutes and one hour
Medium models with SSD                     Up to 24 hours
Large models (1500D and above) with SSD    Up to seven days. To enable the seven days view:
                                               config log setting
                                                   set fortiview-weekly-data enable
                                               end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For optimal operation with FortiView, interface
roles should be clearly defined: internal interfaces as LAN or DMZ, and internet-facing or external interfaces as WAN.

To configure logging to disk in the GUI:

1. Enable disk logging from the FortiGate GUI.
   a. Go to Log & Report > Log Settings > Local Traffic Log.
   b. Select the checkbox next to Disk.
2. Enable historical FortiView from the FortiGate GUI.
   a. Go to Log & Report > Log Settings > Local Traffic Log.
   b. Select the checkbox next to Enable Historical FortiView.
3. Click Apply.

To include sniffer traffic and local-deny traffic when using FortiView from disk:

config report setting
    set report-source forward-traffic sniffer-traffic local-deny-traffic
end

This feature is only supported through the CLI.

To configure the data source in the GUI:

1. Go to Dashboard > FortiView Sources.
2. Select a time range other than Now from the dropdown list to view historical data.
3. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget window opens.
   a. In the Data Source area, click Specify.
   b. From the dropdown, select Disk, then click OK.
For more information, see FortiView interface on page 107.


Troubleshooting

Use the following commands to clear up any irregularities that may be caused by upgrading or cache issues:

execute report flush-cache
execute report recreate-db

FortiView from FortiAnalyzer

Attach a FortiAnalyzer to FortiGate to increase the functionality of FortiView. Adding a FortiAnalyzer is useful when
adding widgets such as the Compromised Hosts widget. It also allows historical view for up to seven days.

Requirements
• A FortiGate running FortiOS
• A compatible FortiAnalyzer (see Compatibility with FortiOS)

To configure logging to the FortiAnalyzer:

1. On the FortiGate, go to Security Fabric > Fabric Connectors, and double-click the FortiAnalyzer Logging card.
2. Enter the IP address of the FortiAnalyzer device.
3. Click Test Connectivity. A message is shown stating that the FortiGate is not authorized on the FortiAnalyzer.
4. On the FortiAnalyzer, go to Device Manager, and click the Unauthorized tab.
5. In the device list, right-click the FortiGate, then click Authorize.
6. On the FortiGate, go to Security Fabric > Fabric Connectors, and double-click the FortiAnalyzer Logging card.
7. Click Test Connectivity to confirm that the device is now authorized.

To enable FortiView from FortiAnalyzer:

1. Go to Dashboard > FortiView Sources.
2. Select a time range other than Now from the dropdown list to view historical data.
3. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget window opens.
   a. In the Data Source area, click Specify.
   b. From the dropdown, select FortiAnalyzer, and click OK.

All the historical information now comes from the FortiAnalyzer.

When Data Source is set to Best Available Device, FortiAnalyzer is selected when
available, then FortiGate Cloud, and then FortiGate Disk.

FortiView from FortiGate Cloud

This function requires a FortiGate that is registered and logged into a compatible FortiGate Cloud. When using FortiGate
Cloud, the Time Period can be set to up to 24 hours.

To configure logging to FortiGate Cloud:

1. Go to Security Fabric > Fabric Connectors, and double-click the Cloud Logging card.
2. For Status, click Enabled.
3. For Type, click FortiGate Cloud.
   If the FortiGate is registered and logged into FortiGate Cloud, the Account and Region are displayed.
   If the FortiGate is logged out of FortiGate Cloud, click Activate and log in, and ensure Send logs to FortiGate
   Cloud is selected.
4. Go to Log & Report > Log Settings and set the following:
   a. Set Event Logging to All.
   b. Set Local Traffic Log to All.
   c. Click Apply.

To enable FortiView with log source as FortiGate Cloud:

1. Go to Dashboard > FortiView Sources.
2. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget window opens.
   a. In the Data Source area, click Specify.
   b. From the dropdown, select FortiGate Cloud, then click OK.

You can select FortiGate Cloud as the data source for all available FortiView pages and
widgets.

FortiView sources

The FortiView Sources dashboard displays top sources sorted by Bytes, Sessions, or Threat Score. The information can
be displayed in real time or historical views. You can use the dashboard to create or edit a firewall device address or
IP address definition, and to temporarily or permanently ban IPs.

To add a firewall device address:

1. In the Device column, hover over the device MAC address. An information window opens.
2. Click Firewall Device Address. The New Address window opens.
3. Configure the address settings, and click Return.

Use the Name field to assign a descriptive name to a device so it is easier to find it in the
Device column. After you finish configuring the device, refresh the page to see the new
name in the dashboard.

To add a firewall IP address:

1. In the Device column, hover over the device MAC address. An information window opens.
2. Click Firewall IP Address. The New Address window opens.
3. Configure the address settings, and click Return.

Use the Name field to assign a descriptive name to a device so it is easier to find it in the
Device column. After you finish configuring the device, refresh the page to see the new
name in the dashboard.

To ban an IP address:

1. In the Device column, hover over the device MAC address. An information window opens.
2. Click Ban IP. The Ban IP window opens.
3. Configure the ban IP settings, and click OK.

FortiView Sessions

The FortiView Sessions dashboard is one of the core FortiView dashboards available in FortiOS. It displays Top
Sessions by traffic source and can be used to end sessions. You can customize the dashboard to suit your needs by
using the sort and filter capabilities.
To view the FortiView Sessions dashboard, go to Dashboard > FortiView Sessions.

The session table displayed on the FortiView Sessions dashboard is useful when verifying open connections. For
example, if you have a web browser open to browse the Fortinet website, you would expect a session entry from your
computer on port 80 to the IP address for the Fortinet website. You can also use a session table to investigate why there
are too many sessions for FortiOS to process.
You can filter the sessions displayed in the session table by setting up the available filtering options.

To filter sessions in the session table:

1. Click on the Add Filter button at the top of the session table. A list of selectable filtering options drops down.

2. Select the required filtering option. For example, you can select Country/Region, then select a country from the
list. The session table updates to show only sessions for the selected country.

3. You can add one or more filters depending on your requirements. To add more filters, repeat the above steps for
a different filter.

Filters can be combined to target sessions precisely. For example, to view all sessions from a computer with a
particular IP address, add the Source IP filter. Similarly, to target all sessions with a particular Destination IP
and Destination Port, add both filters, and so on.
You can also view the session data in the CLI.

To view session data using the CLI:

# diagnose sys session list

The session table output in the CLI is very large. You can use the supported filters in the CLI to show only the data you
need.

To view session data with filters using the CLI:

# diagnose sys session filter <option>

See Using a session table on page 2204 to learn more about using the supported filters in the CLI.
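As an added example (not from the FortiOS guide), the following Python script parses a saved diagnose sys session list dump offline and applies the same Source IP, Destination IP and Destination Port filters that the GUI offers, plus a per-source session count for the case where there are too many sessions to process. The session dump is constructed with documentation addresses, and its exact line layout is an assumption; only the fields the script reads are relied on.

```python
"""Offline parser and filter for FortiOS 'diagnose sys session list' output.

Added example; not part of the FortiOS Administration Guide. SAMPLE_OUTPUT is
constructed (RFC 5737 documentation addresses) to resemble a session dump;
the exact line layout of a real dump is an assumption, and only the fields
read below are relied on.
"""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty npu
statistic(bytes/packets/allow_err): org=1600/10/1 reply=2400/8/1 tuples=2
hook=post dir=org act=snat 192.168.1.10:52000->203.0.113.5:80(198.51.100.2:52000)
hook=pre dir=reply act=dnat 203.0.113.5:80->198.51.100.2:52000(192.168.1.10:52000)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0

session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty npu
statistic(bytes/packets/allow_err): org=900/6/1 reply=5200/7/1 tuples=2
hook=post dir=org act=snat 192.168.1.10:52001->203.0.113.5:443(198.51.100.2:52001)
hook=pre dir=reply act=dnat 203.0.113.5:443->198.51.100.2:52001(192.168.1.10:52001)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0

session info: proto=17 proto_state=01 duration=1 expire=179 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty npu
statistic(bytes/packets/allow_err): org=80/1/1 reply=120/1/1 tuples=2
hook=post dir=org act=snat 192.168.1.20:40000->203.0.113.53:53(198.51.100.2:40000)
hook=pre dir=reply act=dnat 203.0.113.53:53->198.51.100.2:40000(192.168.1.20:40000)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0

total session 3
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Originating-direction line: who started the session and where it was going.
ORG_RE = re.compile(
    r"dir=org act=\S+ (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)
STAT_RE = re.compile(r"org=(\d+)/\d+/\d+ reply=(\d+)/\d+/\d+")


def parse_session_list(text):
    """Return one dict per 'session info:' block (blocks are blank-line separated)."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.startswith("session info:"):
            continue  # e.g. the trailing 'total session N' line
        s = {}
        for line in block.splitlines():
            if line.startswith("session info:"):
                kv = dict(KV_RE.findall(line))
                s["proto"] = int(kv["proto"])
                s["duration"] = int(kv["duration"])
            elif line.startswith("misc="):
                s["policy_id"] = int(dict(KV_RE.findall(line))["policy_id"])
            elif line.startswith("statistic("):
                m = STAT_RE.search(line)
                s["bytes"] = int(m.group(1)) + int(m.group(2))  # org + reply bytes
            elif "dir=org" in line:
                m = ORG_RE.search(line)
                s["src"], s["dst"] = m.group("src"), m.group("dst")
                s["sport"], s["dport"] = int(m.group("sport")), int(m.group("dport"))
        sessions.append(s)
    return sessions


def filter_sessions(sessions, **criteria):
    """Keep sessions matching every criterion, e.g. src="192.168.1.10", dport=443.

    This mirrors the GUI's Source IP / Destination IP / Destination Port filters.
    """
    return [s for s in sessions if all(s.get(k) == v for k, v in criteria.items())]


def top_sources(sessions, n=5):
    """Sessions per source IP: the first thing to look at when the table is huge."""
    return Counter(s["src"] for s in sessions).most_common(n)


if __name__ == "__main__":
    sessions = parse_session_list(SAMPLE_OUTPUT)
    print(f"{len(sessions)} sessions parsed")
    for s in filter_sessions(sessions, src="192.168.1.10"):
        print(f"  {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
              f"proto={s['proto']} policy={s['policy_id']} bytes={s['bytes']}")
    print("top sources:", top_sources(sessions))
```

To use it on a real device, save the CLI output to a file and pass its contents to parse_session_list instead of SAMPLE_OUTPUT.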
You may also decide to end a particular session or all sessions for administrative purposes.

To end sessions from the GUI:

1. Select a session that you want to end by clicking on it. To select multiple sessions, hold the Ctrl or Shift key on your
keyboard while clicking the session entries in the table.

2. Right-click on the selected sessions you want to end. A menu with options appears.

3. Click on End Session(s) to end the selected sessions, or End All Sessions to end all the active sessions.

4. Click OK in the confirmation dialog. The selected sessions are now ended.

Viewing top websites and sources by category

You can use FortiGuard web categories to populate the category fields in various FortiView pages such as FortiView
Web Categories, FortiView Websites or FortiView Sources. To view the categories in a dashboard, the web filter profile
must be configured to at least monitor for FortiGuard category based filter, and applied to a firewall policy for outbound
traffic.

To verify the web filter profile is monitor-only:

1. Go to Security Profiles > Web Filter.


2. Double-click a web filter that is applied to an outbound traffic firewall policy. The Edit Web Filter Profile window
opens.
3. Ensure FortiGuard category based filter is enabled.
In the image below, the General Interest - Business categories are monitor-only.

To create a Web categories dashboard:

1. Under Dashboard, click Add Dashboard. The Add Dashboard window opens.

2. In the Name field, enter a name such as FortiView Web Categories and click OK. The new dashboard opens.
3. In the banner, click Add Widget. The Add Dashboard Widget window opens.
4. In the Search field, type FortiView Web Categories and click the Add button next to the widget name.
5. In the Fabric Member area, click Default or Specify to select a device in the security fabric.
6. From the Time Period dropdown, select a time period greater than Now.
7. From the Sort By dropdown, select Bytes, Sessions, Bandwidth, or Packets.
8. Click Add Widget. The widget is added to the dashboard.

Viewing the web filter category

The web filter category name appears in the Category column of the dashboard.

Click an entry in the table. The category name appears at the top of the Summary of box.

Click the Web Sites tab. The category name appears in the Category column.

Click the Sessions tab. The category name appears in the Category Description column.

The category name also appears in the Category column in the FortiView Websites and FortiView Sources dashboards.

Cloud application view

To see different cloud application views, set up the following:


l A FortiGate with a firewall policy that uses the Application Control security profile.
l A FortiGate with log data from the local disk or FortiAnalyzer.
l Optional but highly recommended: SSL Inspection set to deep-inspection in the related firewall policies.

Viewing cloud applications

Cloud applications

All cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example,
Facebook_File.Download can monitor Facebook download behavior, which requires SSL deep-inspection to parse the deep
information in the network packets.

To view cloud applications:

1. Go to Security Profiles > Application Control.


2. Select the Application Control profile used by the firewall policy and click Edit.
3. On the Edit Application Sensor page, click View Application Signatures.
4. Hover over a column heading or the Application Signature bar. In the right gutter area, click the filter icon to filter the
applications.

Cloud applications have a cloud icon beside them.


The lock icon indicates that the application requires SSL deep inspection.

5. Hover over an item to see its details.


This example shows Gmail_Attachment.Download, a cloud application signature-based sensor which requires SSL
deep inspection. If any local network user behind the firewall logs into Gmail and downloads a Gmail attachment,
that activity is logged.

Applications with cloud behavior

The set of applications with cloud behavior is a superset of cloud applications.


Some applications do not require SSL deep inspection, such as Facebook, Gmail, and YouTube. This means that if any
traffic triggers the application sensors for these applications, there is a FortiView cloud application view for that traffic.
Other applications require SSL deep inspection, such as Gmail attachment, Facebook_Workplace, and so on.

To view applications with cloud behavior:

1. In the Application Signature page, ensure the Behavior column is displayed. If necessary, add the Behavior column.
a. Hover over the left side of the table column headings to display the Configure Table icon.
b. Click Configure Table and select Behavior.
c. Click Apply.

2. Click the filter icon in the Behavior column and select Cloud to filter by Cloud. Then click Apply.

3. The Application Signature page displays all applications with cloud behavior.

4. Use the Search box to search for applications. For example, you can search for youtube.

5. Hover over an item to see its details.


This example shows an application sensor with no lock icon which means that this application sensor does not
require SSL deep inspection. If any local network user behind the firewall tries to navigate to the YouTube website,
that activity is logged.

Configuring the Cloud Applications widget

On the Edit Application Sensor page in the Categories section, the eye icon next to a category means that category is
monitored and logged.

To add the Cloud Applications widget in the GUI:

1. Go to Dashboard, and select a dashboard in the tree menu.


2. In the dashboard banner, click Add Widget. The Add Dashboard Widget window opens.
3. In the Search field, enter FortiView Cloud Applications and click the Add button next to the widget.
4. In the Fabric Member area, click Default or Specify to select a device in the security fabric.
5. From the Time Period dropdown, select a time period greater than Now.
6. From the Sort By dropdown, select Bytes, Sessions, or Files (Up/Down).
7. Click Add Widget. The widget is added to the dashboard.
8. Click Close.
9. Hover over the FortiView Cloud Applications widget and click Expand to Full Screen.
10. If SSL deep inspection is enabled in the related firewall policy, then the widget shows the additional details that are
logged, such as Files (Up/Down) and Videos Played.
For YouTube, the Videos Played column is triggered by the YouTube_Video.Play cloud application sensor. This
shows the number of local network users who logged into YouTube and played YouTube videos.
For Dropbox, the Files (Up/Down) column is triggered by Dropbox_File.Download and Dropbox_File.Upload cloud
application sensors. This shows the number of local network users who logged into Dropbox and uploaded or
downloaded files.

Using the Cloud Applications widget

To see additional information in the Cloud Applications widget:

1. Hover over the widget in the dashboard, and click Expand to full screen.

2. For details about a specific entry, double-click the entry or right-click the entry and select Drill Down to Details.
3. To see all the sessions for an application, click Sessions.
In this example, the Application Name column shows all applications related to YouTube.

4. To view log details, double-click a session to display the Log Details pane.
Sessions monitored by SSL deep inspection (in this example, Youtube_Video.Play) captured deep information such
as Application User, Application Details, and so on. The Log Details pane also shows additional deep information
such as application ID, Message, and so on.
Sessions not monitored by SSL deep inspection (YouTube) did not capture the deep information.

5. To display a specific time period, select and drag in the timeline graph to display only the data for that time period.

Top application: YouTube example

Monitoring network traffic with SSL deep inspection

This example monitors network traffic for YouTube using the FortiView Applications view with SSL deep inspection.

To monitor network traffic with SSL deep inspection:

1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
l Application Control is enabled.

l SSL Inspection is set to deep-inspection.

l Log Allowed Traffic is set to All Sessions.

2. Go to Security Profiles > Application Control.


3. Select the Application Control profile used by the firewall policy and click Edit.
4. Because YouTube cloud applications are categorized into Video/Audio, ensure the Video/Audio category is
monitored.
Monitored categories are indicated by an eye icon.
5. Click View Application Signatures and hover over YouTube cloud applications to view detailed information about
YouTube application sensors.
6. Expand YouTube to view the Application Signatures associated with the application.

Application Signature      Description                                              Application ID

YouTube_Video.Access       An attempt to access a video on YouTube.                 16420
YouTube_Channel.ID         An attempt to access a video on a specific channel on    44956
                           YouTube.
YouTube_Comment.Posting    An attempt to post comments on YouTube.                  31076
YouTube_HD.Streaming       An attempt to watch HD videos on YouTube.                33104
YouTube_Messenger          An attempt to access messenger on YouTube.               47858
YouTube_Video.Play         An attempt to download and play a video from YouTube.    38569
YouTube_Video.Upload       An attempt to upload a video to YouTube.                 22564
YouTube                    An attempt to access YouTube.                            31077
                           This application sensor does not depend on SSL deep
                           inspection so it does not have a cloud or lock icon.
YouTube_Channel.Access     An attempt to access a video on a specific channel on    41598
                           YouTube.

To view the application signature description, click the ID link in the information window.

7. On the test PC, log into YouTube and play some videos.
8. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing
YouTube videos.

In this example, note the Application User and Application Details. Also note that the Application Control ID is 38569
showing that this entry was triggered by the application sensor YouTube_Video.Play.

9. Go to Dashboard > FortiView Applications.


10. In the FortiView Applications dashboard, double-click YouTube to view the drilldown information.
11. Select the Sessions tab to see all the entries for the videos played. Check the sessions for YouTube_Video.Play
with the ID 38569.

Monitoring network traffic without SSL deep inspection

This example monitors network traffic for YouTube using the FortiView cloud application view without SSL deep
inspection.

To monitor network traffic without SSL deep inspection:

1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
l Application Control is enabled.

l SSL Inspection is set to certificate-inspection.

l Log Allowed Traffic is set to All Sessions.

2. On the test PC, log into YouTube and play some videos.
3. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing
YouTube videos.
In this example, the log shows only applications with the name YouTube. The log cannot show YouTube application
sensors which rely on SSL deep inspection.

4. Go to Dashboard > FortiView Applications.


The FortiView Cloud Application by Bytes dashboard shows the YouTube cloud application without the video played
information that requires SSL deep inspection.

5. Double-click YouTube and click the Sessions tab.


These sessions were triggered by the application sensor YouTube with the ID 31077. This is the application sensor
with cloud behavior which does not rely on SSL deep inspection.
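To check both examples above (with and without SSL deep inspection) from exported logs rather than the GUI, here is an added Python script that is not part of the guide. It parses application control log entries, counts which YouTube signature IDs from the table were hit, and reports whether any entry could only have come from a deep-inspection policy. The log lines are constructed; field names other than subtype, appid and app are assumptions.

```python
"""Summarize YouTube application control log entries by signature ID.

Added example; not part of the FortiOS Administration Guide. The log lines
below are constructed in the FortiOS key="value" style (RFC 5737 addresses);
the signature IDs are those in the guide's YouTube table. Which other fields
a real entry carries is an assumption.
"""
import re
from collections import Counter

# YouTube application signatures and IDs as listed in the guide's table.
YOUTUBE_SIGNATURES = {
    16420: "YouTube_Video.Access",
    44956: "YouTube_Channel.ID",
    31076: "YouTube_Comment.Posting",
    33104: "YouTube_HD.Streaming",
    47858: "YouTube_Messenger",
    38569: "YouTube_Video.Play",
    22564: "YouTube_Video.Upload",
    31077: "YouTube",
    41598: "YouTube_Channel.Access",
}
# Per the guide, only the plain YouTube sensor (31077) works without SSL deep
# inspection; seeing any other YouTube signature means deep inspection was on.
NO_DEEP_INSPECTION_NEEDED = {31077}

# Constructed: what a deep-inspection policy logs for one user playing a video.
LOGS_DEEP_INSPECTION = [
    'date=2023-07-25 time=10:00:01 type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" srcip=192.168.1.10 dstip=203.0.113.5 dstport=443 '
    'policyid=1 appid=31077 app="YouTube" appcat="Video/Audio" action="pass" '
    'msg="Video/Audio: YouTube,"',
    'date=2023-07-25 time=10:00:04 type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" srcip=192.168.1.10 dstip=203.0.113.5 dstport=443 '
    'policyid=1 appid=16420 app="YouTube_Video.Access" appcat="Video/Audio" '
    'action="pass" msg="Video/Audio: YouTube_Video.Access,"',
    'date=2023-07-25 time=10:00:05 type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" srcip=192.168.1.10 dstip=203.0.113.5 dstport=443 '
    'policyid=1 appid=38569 app="YouTube_Video.Play" appcat="Video/Audio" '
    'action="pass" msg="Video/Audio: YouTube_Video.Play,"',
]
# Constructed: the same activity logged under certificate-inspection only.
LOGS_CERT_INSPECTION = [
    'date=2023-07-25 time=11:00:01 type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" srcip=192.168.1.10 dstip=203.0.113.5 dstport=443 '
    'policyid=1 appid=31077 app="YouTube" appcat="Video/Audio" action="pass" '
    'msg="Video/Audio: YouTube,"',
    'date=2023-07-25 time=11:00:07 type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" srcip=192.168.1.10 dstip=203.0.113.5 dstport=443 '
    'policyid=1 appid=31077 app="YouTube" appcat="Video/Audio" action="pass" '
    'msg="Video/Audio: YouTube,"',
]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one FortiOS log line into a dict (quoted values keep their spaces)."""
    return {key: unquoted or quoted for key, quoted, unquoted in KV_RE.findall(line)}


def youtube_summary(lines):
    """Count YouTube signature hits and say whether deep inspection was in play."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("subtype") != "app-ctrl" or "appid" not in rec:
            continue  # not an application control entry
        appid = int(rec["appid"])
        if appid in YOUTUBE_SIGNATURES:
            counts[appid] += 1
    return {
        "by_signature": {YOUTUBE_SIGNATURES[a]: n for a, n in counts.items()},
        "deep_inspection_evidence": any(a not in NO_DEEP_INSPECTION_NEEDED for a in counts),
    }


if __name__ == "__main__":
    for label, logs in (("deep-inspection", LOGS_DEEP_INSPECTION),
                        ("certificate-inspection", LOGS_CERT_INSPECTION)):
        print(label, youtube_summary(logs))
```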

FortiView Top Source and Top Destination Firewall Objects widgets

The FortiView Source Firewall Objects and FortiView Destination Firewall Objects widgets leverage UUID to resolve
firewall object address names for improved usability.

Requirements

To have a historical Firewall Objects-based view, address objects' UUIDs need to be logged.

To enable address object UUID logging in the CLI:

config system global
    set log-uuid-address enable
end

To add a firewall object widget in the GUI:

1. Open a dashboard and click Add Widget. The Add Dashboard Widget window opens.
2. In the Search field, type Destination Firewall Objects and click the Add button next to the dashboard name.
3. In the Fabric Member area, select Default or Specify to select a device in the security fabric.
4. In the Data Source area, select Best Available or Specify. For information about data sources, see FortiView
interface on page 107.
5. From the Time Period dropdown, select the time period.
6. In the Visualization area, select Table View or Bubble Chart.
7. From the Sort By dropdown, select Bytes, Sessions, Bandwidth, or Packets.
8. Click Add Widget.

Example

In this example, firewall addresses have been configured and associated with a unique UUID.
In the FortiView Source Firewall Objects and FortiView Destination Firewall Objects widgets, firewall objects can be
displayed in real-time or in a historical chart. Objects can also be drilled down for more details.

To view Firewall Object-based charts in real-time:

1. Open a dashboard, and click Add Widget. The Add Dashboard Widget window opens.
2. In the Search field, type Destination Firewall Objects and click the Add button next to the widget name.
3. From the Time Period dropdown, select Now.
4. Click Add Widget.

To view Firewall Object-based charts over a historical period:

1. Open a dashboard, and click Add Widget. The Add Dashboard Widget window opens.
2. In the Search field, type Destination Firewall Objects and click the Add button next to the widget name.
3. From the Time Period dropdown, select a time period other than Now.
4. Click Add Widget.

To drill down Firewall Objects:

1. Right-click on any Source or Destination Object in the view results.


2. Select Drill Down to Details. More information displays about the object; there are additional criteria to filter data.

Viewing session information for a compromised host

You can use the Compromised Hosts by Verdict widget to view the session information for a compromised host.

To view session information for a compromised host in the GUI:

1. Go to Dashboard > Security and expand the Compromised Hosts by Verdict widget.

2. Double-click a compromised host to view the session information. You can also right-click a compromised host, and
select View Sessions.

3. Double-click a session, or right-click the session and select View Sessions to view the information.

Fortinet Security Fabric

The Fortinet Security Fabric provides an intelligent architecture that interconnects discrete security solutions into an
integrated whole to detect, monitor, block, and remediate attacks across the entire attack surface. It delivers broad
protection and visibility into every network segment and device, be they hardware, virtual, or cloud based.
l The physical topology view shows all connected devices, including access layer devices. The logical topology view
shows information about the interfaces that each device is connected to.
l Security rating checks analyze the Security Fabric deployment to identify potential vulnerabilities and highlight best
practices to improve the network configuration, deploy new hardware and software, and increase visibility and
control of the network.
l Fabric connectors provide integration with multiple SDN, cloud, and partner technology platforms to automate the
process of managing dynamic security updates without manual intervention.
l Automation pairs an event trigger with one or more actions to monitor the network and take the designated actions
automatically when the Security Fabric detects a threat.

Security Fabric settings and usage

This section contains information about how to configure the following devices as part of the Fortinet Security Fabric:
l Components on page 141
l Configuring the root FortiGate and downstream FortiGates
l Configuring FortiAnalyzer
l Configuring FortiGate Cloud on page 152
l Configuring FortiAnalyzer Cloud service on page 154
l Configuring FortiManager on page 157
l Configuring FortiManager Cloud service on page 158
l Configuring FortiSandbox on page 160
l Configuring FortiClient EMS on page 162
l Synchronizing FortiClient EMS tags and configurations on page 168
l Configuring FortiNAC on page 171
l Configuring FortiAP and FortiSwitch on page 173
l Configuring FortiMail on page 174
l Configuring FortiVoice on page 176
l Configuring additional devices on page 180
l Using the Security Fabric
l Deploying the Security Fabric on page 195
l Synchronizing objects across the Security Fabric on page 203
l Group address objects synchronized from FortiManager on page 212
l Security Fabric over IPsec VPN on page 214
l Leveraging LLDP to simplify security fabric negotiation on page 219

System requirements

To set up the Security Fabric, the devices that you want to include must meet the Product Integration and Support
requirements in the FortiOS Release Notes.
Some features of the Security Fabric are only available in certain firmware versions and models. Not all FortiGate
models can run the FortiGuard Security Rating Service if they are the root FortiGate in a Security Fabric. For more
information, see the Special Notices in the FortiOS Release Notes.

Prerequisites

l If devices are not already installed in your network, complete basic installation and configuration tasks by following
the instructions in the device documentation.
l FortiGate devices must either have VDOMs disabled or be running in split-task VDOM mode in order to be added to
the Security Fabric. See Virtual Domains on page 917.
l FortiGate devices must be operating in NAT mode.

Components

The Fortinet Security Fabric consists of different components that work together to secure your network.
The following devices are required to create a Security Fabric:

Device Description

FortiGate FortiGate devices are the core of the Security Fabric and can have one of the following roles:
l Root:

The root FortiGate is the main component in the Security Fabric. It is typically located on
the edge of the network and connects the internal devices and networks to the Internet
through your ISP. From the root FortiGate, you can see information about the entire
Security Fabric on the Physical and Logical Topology pages in the GUI.
l Downstream:
After a root FortiGate is installed, all other FortiGate devices in the Security Fabric act as
Internal Segmentation Firewalls (ISFWs), located at strategic points in your internal
network, rather than on the network edge. This allows extra security measures to be
taken around key network components, such as servers that contain valuable intellectual
property. ISFW FortiGate devices create network visibility by sending traffic and
information about the devices that are connected to them to the root FortiGate.
See Configuring the root FortiGate and downstream FortiGates on page 144 for more
information about adding FortiGate devices in the Security Fabric.
FortiGate documentation: https://docs.fortinet.com/product/fortigate

FortiAnalyzer FortiAnalyzer gives you increased visibility into your network, centralized monitoring, and
awareness of threats, events, and network activity by collecting and correlating logs from all
Security Fabric devices. This gives you a deeper and more comprehensive view across the
entire Security Fabric.
See Configuring FortiAnalyzer on page 150 for more information about adding FortiAnalyzer
devices in the Security Fabric.

FortiAnalyzer documentation: https://docs.fortinet.com/product/fortianalyzer

FortiAnalyzer Cloud 6.4.4 can be included in the Security Fabric if the root
FortiGate is running FortiOS 6.4.4 or later.

The following devices are recommended:

Device Description

FortiADC FortiADC devices optimize the availability, user experience, and scalability of enterprise
application delivery. They enable fast, secure, and intelligent acceleration and distribution of
even the most demanding enterprise applications.
See Configuring additional devices on page 180 for more information about adding FortiADC
devices in the Security Fabric.
FortiADC documentation: https://docs.fortinet.com/product/fortiadc

FortiAP Add FortiAP devices to extend the Security Fabric to your wireless devices. Devices
connected to a FortiAP appear in the Physical and Logical Topology pages in the Security
Fabric menu.
See Configuring FortiAP and FortiSwitch on page 173 for more information about adding
FortiAP devices in the Security Fabric.
FortiAP documentation: https://docs.fortinet.com/product/fortiap

FortiClient FortiClient adds endpoint control to devices that are located in the Security Fabric, allowing
only traffic from compliant devices to flow through the FortiGate. FortiClient compliance
profiles are applied by the first FortiGate that a device’s traffic flows through. Device
registration and on-net status information for a device that is running FortiClient appears only
on the FortiGate that applies the FortiClient profile to that device.
FortiClient documentation: https://docs.fortinet.com/product/forticlient

FortiClient EMS FortiClient EMS is used in the Security Fabric to provide visibility across your network,
securely share information, and assign security profiles to endpoints.
See Configuring FortiClient EMS on page 162 for more information about adding FortiClient
EMS devices in the Security Fabric.
FortiClient EMS documentation: https://docs.fortinet.com/product/forticlient

FortiDDoS FortiDDoS is a Network Behavior Anomaly (NBA) prevention system that detects and blocks
attacks that intend to disrupt network service by overutilizing server resources.
See Configuring additional devices on page 180 for more information about adding FortiDDoS
devices in the Security Fabric.
FortiDDoS documentation: https://docs.fortinet.com/product/fortiddos

FortiMail FortiMail antispam processing helps offload from other devices in the Security Fabric that
would typically carry out this process.
See Configuring additional devices on page 180 for more information about adding FortiMail
devices in the Security Fabric.
FortiMail documentation: https://docs.fortinet.com/product/fortimail

FortiManager Add FortiManager to simplify the network management of devices in the Security Fabric by
centralizing management access in a single device. This allows you to easily control the
deployment of security policies, FortiGuard content security updates, firmware revisions, and
individual configurations for devices in the Security Fabric.
See Configuring FortiManager on page 157 for more information about adding FortiManager
devices in the Security Fabric.
FortiManager documentation: https://docs.fortinet.com/product/fortimanager

FortiSandbox Add FortiSandbox to your Security Fabric to improve security with sandbox inspection.
Sandbox integration allows FortiGate devices in the Security Fabric to automatically receive
signature updates from FortiSandbox and add the originating URL of any malicious file to a
blocked URL list.
See Configuring FortiSandbox on page 160 for more information about adding FortiSandbox
devices in the Security Fabric.
FortiSandbox documentation: https://docs.fortinet.com/product/fortisandbox

FortiSwitch A FortiSwitch can be added to the Security Fabric when it is managed by a FortiGate that is in
the Security Fabric with the FortiLink protocol, and connected to an interface with Security
Fabric Connection enabled. FortiSwitch ports become logical extensions of the FortiGate.
Devices connected to the FortiSwitch appear in the Physical and Logical Topology pages in
the Security Fabric menu, and security features, such as FortiClient compliance profiles, are
applied to them.
See Configuring FortiAP and FortiSwitch on page 173 for more information about adding
FortiSwitch devices in the Security Fabric.
FortiSwitch documentation: https://docs.fortinet.com/product/fortiswitch

FortiWeb Add FortiWeb to defend the application attack surface from attacks that target application
exploits. You can also configure FortiWeb to apply web application firewall features, virus
scanning, and web filtering to HTTP traffic to help offload from other devices in the Security
Fabric that would typically carry out these processes.
See Configuring additional devices on page 180 for more information about adding FortiWeb
devices in the Security Fabric.
FortiWeb documentation: https://docs.fortinet.com/product/fortiweb

FortiWLC FortiWLC delivers seamless mobility and superior reliability with optimized client distribution
and channel utilization. Both single and multi channel deployment options are supported,
maximizing efficiency to make the most of available wireless spectrum.
See Configuring additional devices on page 180 for more information about adding FortiWLC
devices in the Security Fabric.
FortiWLC documentation: https://docs.fortinet.com/product/wireless-controller

The following devices are optional:

Device Description

Other Fortinet products Many other Fortinet products can be added to the Security Fabric, including
FortiAuthenticator, FortiToken, FortiCache, and FortiSIEM.
Documentation: https://docs.fortinet.com/

Third-party products Third-party products that belong to the Fortinet Fabric-Ready Partner Program can be added
to the Security Fabric.

Configuring the root FortiGate and downstream FortiGates

The following procedures include configuration steps for a typical Security Fabric implementation, where the edge
FortiGate is the root FortiGate, and the downstream FortiGate devices are all devices that are downstream from the root
FortiGate.
For information about the recommended number of downstream FortiGates, see the FortiOS 6.4 Best Practices.

Prerequisites

l FortiGate devices must either have VDOMs disabled or be running in split-task VDOM mode in order to be added to
the Security Fabric. See Virtual Domains on page 917.
l FortiGate devices must be operating in NAT mode.

Configure the root FortiGate

The edge FortiGate is typically configured as the root FortiGate, as this allows you to view the full topology of the
Security Fabric from the top down.

To configure the root FortiGate:

1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
2. For Status, click Enable.
3. Set the Security Fabric role to Serve as Fabric Root. FortiAnalyzer logging is automatically enabled and the settings
can be configured.

4. Optionally, enable Source Interface and select an interface to communicate with FortiAnalyzer. If disabled, the
interface will be determined based on the routing table.
5. Enter the FortiAnalyzer IP and select the Upload option.
6. In the FortiAnalyzer Logging section, in the IP address field, enter the IP address of the FortiAnalyzer.

7. If required, enable Allow access to FortiGate REST API and, optionally, Verify FortiAnalyzer certificate.
The REST API accesses the FortiGate topology and shares data and results. The FortiGate will verify the
FortiAnalyzer by retrieving its serial number and checking it against the FortiAnalyzer certificate. When verified, the
FortiAnalyzer serial number is stored in the FortiGate configuration. When authorizing the FortiGate on the
FortiAnalyzer, the FortiGate admin credentials do not need to be entered.
8. Click Test Connectivity.
If you select Test Connectivity and this is the first time that you are connecting the FortiGate to the FortiAnalyzer,
you will receive a warning message because the FortiGate has not yet been authorized on the FortiAnalyzer. You
can configure this authorization when you configure the FortiAnalyzer. See Configuring FortiAnalyzer on page 150.
9. Click OK. The FortiAnalyzer serial number is verified.
10. Enter a Fabric name.
11. Ensure Allow other Security Fabric devices to join is enabled and add the interfaces.
12. Click OK.

Using the root FortiGate with disk to store historic user and device information

This backend implementation allows the root FortiGate in a Security Fabric to store historic user and device information
in a database on its disk, so that administrators can visualize users and devices over a period of time.
A new daemon, user_info_history, stores this data on the disk. The source of the historical data is the user_info
daemon: a record is written to disk when user_info notifies user_info_history that a user has logged out or a device
is no longer connected.

Add downstream devices

Downstream FortiGate devices can be securely added to the Security Fabric without sharing the password of the root
FortiGate.
Downstream device serial numbers can be authorized from the root FortiGate, or allowed to join by request. New
authorization requests include the device serial number, IP address, and HA members. HA members can include up to
four serial numbers and are used to ensure that, in the event of a failover, the secondary FortiGate is still authorized.
A downstream device's certificate can also be used to authorize the device, by uploading the certificate to the root
FortiGate.

You can use the FortiIPAM service to automatically assign subnets to downstream FortiGates
to prevent duplicate IP addresses from overlapping within the same Security Fabric. See
Assign a subnet with the FortiIPAM service on page 445.

Pre-authorizing the downstream FortiGate

When a downstream Fortinet device's serial number or certificate is added to the trusted list on the root FortiGate, the
device can join the Security Fabric as soon as it connects. After the new device is authorized, connected FortiAP and
FortiSwitch devices are automatically included in the topology, where they can be authorized with one click.
The interface that connects to the downstream FortiGate must have Security Fabric Connection enabled.

To pre-authorize a FortiGate:

1. Configure the root FortiGate:
a. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
b. In the Device authorization field click Edit. The Device Authorization window opens.
c. Enter the device's serial number in the Device/Serial field.
d. Select the Authorization type, either Serial Number or Certificate.
e. If Certificate is selected, click Browse to upload the downstream device's certificate from the management
computer.
f. Select the Action, either Accept or Deny.
g. Add more devices as required, then click OK.
h. Click OK.
2. Configure the downstream FortiGate:
a. On the downstream FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric
Setup card.
b. Set Status to Enable.
c. Set Security Fabric role to Join Existing Fabric.
d. Enter the IP address of the root FortiGate in the Upstream FortiGate IP field.
e. Click OK.
3. On the root FortiGate, go to Security Fabric > Physical Topology and verify that the downstream FortiGate that you
added appears in the Security Fabric topology.

Using LLDP

You can automatically prompt downstream FortiGate devices to join the Security Fabric using Link Layer Discovery
Protocol (LLDP) and interface role assignments.
1. On the root FortiGate, assign the LAN role to all interfaces that may connect to downstream FortiGate devices.
When the LAN role is assigned to an interface, LLDP transmission is enabled by default.
2. When a downstream FortiGate is installed, assign the WAN role to the interface that connects to the upstream
FortiGate.
When the WAN role is assigned, LLDP reception is enabled by default. The newly installed FortiGate uses LLDP to
discover the upstream FortiGate, and the administrator is prompted to configure the FortiGate to join the Security
Fabric.
3. On the root FortiGate, the new FortiGate must be authorized before it can join the Security Fabric.

If the network contains switches or routers, LLDP may not function as expected because some
devices do not pass LLDP packets.

Authorizing a downstream FortiGate

When you log in to an unauthorized downstream FortiGate, the login prompt includes the option to authorize the device
on the root FortiGate.
When the Security Fabric is disabled on the FortiGate, and a neighboring FortiGate is detected on the same network
using LLDP, the login prompt gives the option to join the Security Fabric.

To authorize a downstream FortiGate:

1. Log in to the unauthorized downstream device.
2. On the Fabric Setup step, click Review authorization on root FortiGate.
A pop-up window opens to a login screen for the root FortiGate.
3. Enter the login credentials for the root FortiGate, then click Login.
A list of pending authorizations is shown.

4. Select Allow and then click OK to authorize the downstream FortiGate. You can also select Deny to reject the
authorization, or Later to postpone the decision to the next time that you log in.
When authorization is allowed, the pop-up window closes, and the login prompt shows that the downstream
FortiGate has been authorized.

5. Click Done to log in to the downstream FortiGate.

To join an existing fabric that is detected on the same network:

1. Log in to the device.
2. On the Fabric Setup step, enable Join Existing Fabric.
3. Authorize the FortiGate, as previously shown.

To review authorization on the downstream FortiGate:

1. Go to Security Fabric > Fabric Connectors.
2. In the gutter on the right side of the screen, click Review authorization on root FortiGate.
The root FortiGate pop-up window shows the state of the device authorization.

Device request

A device can request to join the Security Fabric from another FortiGate, but it must have the IP address of the root
FortiGate. The administrator of the root FortiGate must also authorize the device before it can join the Security Fabric.
The root FortiGate must have Security Fabric Connection enabled on the interface that the device connects to.

To enable FortiTelemetry on an interface:

1. Go to Network > Interfaces.
2. Edit the interface that connects to the device that you are authorizing to join the Security Fabric.
3. Under Administrative Access, enable Security Fabric Connection.
4. Under Network, turn on Device Detection.

To join the Security Fabric by device request:

1. Connect to the unauthorized FortiGate or FortiWiFi device, and go to Security Fabric > Fabric Connectors and
double-click the Security Fabric Setup card.
2. For Status, click Enable.
3. Set Security Fabric role to Join Existing Fabric.
4. Set Upstream FortiGate IP to the IP address of the upstream FortiGate.
5. Connect to the root FortiGate and go to Security Fabric > Fabric Connectors. The new FortiGate appears in the
topology tree as unauthorized.
6. Click the unauthorized device and select Authorize to authorize the device.

CLI commands

Use the following commands to view, accept, and deny authorization requests, to view upstream and downstream
devices, and to list or test fabric devices:

diagnose sys csf authorization pending-list
    View pending authorization requests on the root FortiGate.

diagnose sys csf authorization accept <serial-number-value>
    Authorize a device to join the Security Fabric.

diagnose sys csf authorization deny <serial-number-value>
    Deny a device from joining the Security Fabric.

diagnose sys csf downstream
    Show connected downstream devices.

diagnose sys csf upstream
    Show connected upstream devices.

diagnose sys csf fabric-device list
    List all known fabric devices.

diagnose sys csf fabric-device test
    Test connections to locally configured fabric devices.

Desynchronizing settings

By default, the settings for FortiAnalyzer logging, central management, sandbox inspection, and FortiClient EMS are
synchronized between all FortiGate devices in the Security Fabric. To disable the automatic synchronization of these
settings, use the following CLI command:
config system csf
set configuration-sync local
end

Deauthorizing a device

A device can be deauthorized to remove it from the Security Fabric.

To deauthorize a device:

1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
2. In the topology tree, click the device and select Deauthorize.
After devices are deauthorized, their serial numbers are saved in a trusted list that can be viewed in the CLI using
the show system csf command. For example, this result shows a deauthorized FortiSwitch:
show system csf
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password ENC 1Z2X345V678
    config trusted-list
        edit "FGT6HD391806070"
        next
        edit "S248DF3X17000482"
            set action deny
        next
    end
end
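The following Python script is an added example, not code from this guide or from FortiOS: it parses the trusted-list from the `show system csf` output above and classifies a serial number (for example one returned by `diagnose sys csf authorization pending-list`) as pre-authorized, denied (deauthorized), or still pending. The sample text is copied from the guide's output; the function names and the placeholder serial are assumptions.

```python
"""Classify Security Fabric device authorizations from `show system csf`.

Added example for this guide section, not Fortinet code: it parses the
trusted-list that `show system csf` prints and tells whether a serial
number (for instance one listed by `diagnose sys csf authorization
pending-list`) is pre-authorized, denied (deauthorized), or still pending.
"""
from typing import Dict, List

# Sample input copied from the guide's `show system csf` output above.
SHOW_SYSTEM_CSF = """\
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password ENC 1Z2X345V678
    config trusted-list
        edit "FGT6HD391806070"
        next
        edit "S248DF3X17000482"
            set action deny
        next
    end
end
"""


def parse_trusted_list(text: str) -> Dict[str, str]:
    """Return {serial: action} for each `edit` entry under `config trusted-list`.

    FortiOS does not print `set action accept` because accept is the
    default, so an entry without an action line is recorded as "accept".
    """
    entries: Dict[str, str] = {}
    in_trusted_list = False
    nested = 0          # depth of config sub-blocks inside an entry
    current = None      # serial of the entry being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if not in_trusted_list:
            in_trusted_list = (line == "config trusted-list")
            continue
        if line.startswith("config "):
            nested += 1
        elif line == "end":
            if nested == 0:
                break   # closing `end` of the trusted-list block
            nested -= 1
        elif nested:
            continue    # ignore settings inside nested sub-blocks
        elif line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            entries[current] = "accept"
        elif line.startswith("set action ") and current is not None:
            entries[current] = line.split(maxsplit=2)[2]
        elif line == "next":
            current = None
    return entries


def authorization_state(trusted: Dict[str, str], serial: str) -> str:
    """Map a serial to 'pre-authorized', 'denied' or 'pending'."""
    action = trusted.get(serial)
    if action is None:
        return "pending"       # not in the list: the root admin must decide
    return "pre-authorized" if action == "accept" else "denied"


def denied_serials(trusted: Dict[str, str]) -> List[str]:
    """Serials of deauthorized devices (those with `set action deny`)."""
    return [serial for serial, action in trusted.items() if action == "deny"]


if __name__ == "__main__":
    trusted = parse_trusted_list(SHOW_SYSTEM_CSF)
    # "FGVM00UNKNOWN00" is a constructed placeholder serial, not a real device.
    for serial in ("FGT6HD391806070", "S248DF3X17000482", "FGVM00UNKNOWN00"):
        print(serial, authorization_state(trusted, serial))
```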

Configuring FortiAnalyzer

FortiAnalyzer is a required component for the Security Fabric. In 6.4.4 and above, either FortiAnalyzer or FortiAnalyzer
Cloud can be used to meet this requirement. FortiAnalyzer allows the Security Fabric to show historical data for the
Security Fabric topology and logs for the entire Security Fabric.
For more information about using FortiAnalyzer, see the FortiAnalyzer Administration Guide.

To connect a FortiAnalyzer to the Security Fabric:

1. Enable FortiAnalyzer Logging on the root FortiGate. See Configure the root FortiGate on page 144.
2. On the FortiAnalyzer, go to System Settings > Network and click All Interfaces.
3. Edit the port that connects to the root FortiGate.
4. Set the IP Address/Netmask to the IP address that is used for the Security Fabric on the root FortiGate.

5. Click OK.
If the FortiGates have already been configured, they are now listed as unauthorized devices.
6. Go to Device Manager > Devices Unauthorized. The unauthorized FortiGate devices are listed.

7. Select the root FortiGate and downstream FortiGate devices in the list, then click Authorize. The Authorize Device
page opens.
8. Click OK to authorize the selected devices.

9. On the FortiGate devices, go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging
card. The page will now show the ADOM on the FortiAnalyzer that the FortiGate is in, and the storage, analytics,
and archive usage.

Sending traffic logs to FortiAnalyzer Cloud

FortiGates running version 6.4.4 or later, with a FortiCloud Premium subscription (AFAC) for Cloud-based Central
Logging & Analytics, can send traffic logs to FortiAnalyzer Cloud in addition to UTM logs and event logs. After the
Premium subscription is registered through FortiCare, FortiGuard verifies the purchase and authorizes the AFAC
contract. Once the contract is verified, FortiGuard delivers the contract to the FortiGate.
FortiGates with a Standard FortiAnalyzer Cloud subscription (FAZC) can only send UTM and event logs. FortiGates with
a Premium subscription will send the UTM and event logs even if the Standard subscription has expired.
For information about cloud logging, see Configuring FortiAnalyzer Cloud service on page 154.

FortiAnalyzer Cloud does not support DLP/IPS archives at this time.

To verify the status of a FortiCloud subscription with the CLI:

# diagnose test update info

The FAZC and AFAC fields display the subscription expiration date. The Support contract field displays the
FortiCare account information. The User ID field displays the ID of the FortiAnalyzer Cloud instance.
...
FAZC,Tue Sep 24 16:00:00 2030
AFAC,Mon Nov 29 16:00:00 2021
...
Support contract: pending_registration=255 got_contract_info=1
account_id=[****@fortinet.com] company=[Fortinet] industry=[Technology]
User ID: 979090

Configuring FortiGate Cloud

FortiGate Cloud is a hosted security management and log retention service for FortiGate devices. It provides centralized
reporting, traffic analysis, configuration management, and log retention without the need for additional hardware or
software.
FortiGate Cloud offers a wide range of features:
- Simplified central management
FortiGate Cloud provides a central GUI to manage individual or aggregated FortiGate and FortiWiFi devices.
Adding a device to the FortiGate Cloud management subscription is straightforward. FortiGate Cloud has detailed
traffic and application visibility across the whole network.
- Hosted log retention with large default storage allocated
Log retention is an integral part of any security and compliance program, but administering a separate storage
system is onerous. FortiGate Cloud takes care of this automatically and stores the valuable log information in the
cloud. Different types of logs can be stored, including Traffic, System Events, Web, Applications, and Security
Events.
- Monitoring and alerting in real time
Network availability is critical to a good end-user experience. FortiGate Cloud enables you to monitor your FortiGate
network in real time with different alerting mechanisms to pinpoint potential issues. Alerting mechanisms can be
delivered via email.
- Customized or pre-configured reporting and analysis tools
Reporting and analysis are your eyes and ears into your network’s health and security. Pre-configured reports are
available, as well as custom reports that can be tailored to your specific reporting and compliance requirements.
The reports can be emailed as PDFs, and can cover different time periods.
- Maintain important configuration information uniformly
The correct configuration of the devices within your network is essential for maintaining optimum performance and
security posture. In addition, maintaining the correct firmware (operating system) level allows you to take advantage
of the latest features.
- Service security
All communication (including log information) between the devices and the cloud is encrypted. Redundant data
centers are always used to give the service high availability. Operational security measures have been put in place
to make sure your data is secure: only you can view or retrieve it.

Registration and activation

Before you can activate a FortiGate Cloud account, you must first register your device.

FortiGate Cloud accounts can be registered manually through the FortiGate Cloud website, https://www.forticloud.com,
or you can easily register and activate your account directly from your FortiGate.

To activate your FortiGate Cloud account:

1. On your device, go to Dashboard > Status.
2. In the FortiGate Cloud widget, click the Not Activated > Activate button in the Status field.
3. A pane will open asking you to register your FortiGate Cloud account. Click Create Account, enter your information,
view and accept the terms and conditions, and then click OK.
4. A second dialog window opens, asking you to enter your information to confirm your account. This sends a
confirmation email to your registered email. The dashboard widget then updates to show that confirmation is
required.
5. Open your email, and follow the confirmation link it contains.
A FortiGate Cloud page will open, stating that your account has been confirmed. The Activation Pending message
on the dashboard will change to state the type of account you have, and will provide a link to the FortiGate Cloud
portal.

Enabling logging to FortiGate Cloud

To enable logging to FortiGate Cloud:

1. Go to Security Fabric > Fabric Connectors > Cloud Logging or Log & Report > Log Settings.
2. Enable Cloud Logging.
3. Select an upload option: Realtime, Every Minute, or Every 5 Minutes (default).
4. Click Apply.

Logging into the FortiGate Cloud portal

Once logging has been configured and you have registered your account, you can log into the FortiGate Cloud portal
and begin viewing your logging results. There are two methods to reach the FortiGate Cloud portal:
- If you have direct network access to the FortiGate:
a. Go to Dashboard > Status.
b. In the FortiGate Cloud widget, in the Status field, click Activated > Launch Portal, or, in the Licenses widget,
click FortiCare Support > Launch Portal.
- If you do not have access to the FortiGate’s interface, visit the FortiGate Cloud website (https://www.forticloud.com)
and log in remotely, using your email and password. It will ask you to confirm the FortiGate Cloud account you are
connecting to and then you will be granted access.

Cloud sandboxing

FortiGate Cloud can be used for automated sample tracking, or sandboxing, for files from a FortiGate. This allows
suspicious files to be sent to be inspected without risking network security. If the file exhibits risky behavior, or is found to
contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature database.

To configure cloud sandboxing:

1. Go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
2. For Status, click Enable.
3. Set the Type to FortiSandbox Cloud.

By default, the FortiSandbox Cloud option is not visible. See Feature visibility on page
1065 for instructions on making it visible.

4. Select the FortiSandbox cloud region.
5. Click OK.
Sandboxing results are shown on the Sandbox tab in the FortiGate Cloud portal.
For more information about FortiGate Cloud, see the FortiGate Cloud documentation.

Configuring FortiAnalyzer Cloud service

FortiGate supports the FortiAnalyzer Cloud service for event logging.

Traffic logs are not currently supported by FortiAnalyzer Cloud without a FortiCloud Premium
subscription (AFAC). For information, see Configuring FortiAnalyzer on page 150.

When FortiAnalyzer Cloud is licensed and enabled (see Deploying FortiAnalyzer Cloud for more information), all
event logs are sent to FortiAnalyzer Cloud by default. All traffic logs, security logs, and archive files are not sent to
FortiAnalyzer Cloud.
FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:
- You cannot enable FortiAnalyzer Cloud in vdom override-setting when global FortiAnalyzer Cloud is
disabled.
- You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiOS GUI is not supported.
- You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

Sample settings panes

In the FortiOS Security Fabric > Fabric Connectors > Cloud Logging card settings page, FortiAnalyzer Cloud is grayed
out when you do not have a FortiAnalyzer Cloud entitlement.

When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available.

You can also view the FortiAnalyzer Cloud settings in the Log & Report > Log Settings pane.
In FortiAnalyzer Cloud, you can view logs from FortiOS in the Event > All Types pane.

To enable fortianalyzer-cloud using the CLI:

config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate ''
    set source-ip ''
    set upload-option realtime
end
config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set dns disable
    set ssh disable
    set ssl disable
    set cifs disable
    set filter ''
    set filter-type include
end

To disable fortianalyzer-cloud for a specific VDOM using the CLI:

config log setting
    set faz-override enable
end
config log fortianalyzer-cloud override-setting
    set status disable
end

To set the fortianalyzer-cloud filter for a specific VDOM using the CLI:

config log setting
    set faz-override enable
end
config log fortianalyzer-cloud override-setting
    set status enable
end
config log fortianalyzer-cloud override-filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set dns disable
    set ssh disable
    set ssl disable
    set cifs disable
    set filter ''
    set filter-type include
end

To display fortianalyzer-cloud logs using the CLI:

execute log filter device fortianalyzer-cloud
execute log filter category event
execute log display

Sample log

date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01
17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002
type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9
action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of
invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https
(10.6.30.254)" status="failed" reason="name_invalid" method="https"
eventtime=1556758666274548325 devid="FG5H1E5818900076" vd="root" dtime="2019-05-01
17:57:45" itime_t=1556758668 devname="FortiGate-501E"

date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01
17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546
type="event" subtype="system" level="information" action="Edit" msg="Edit
log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh
(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter"
cfgattr="severity[information->critical]" eventtime=1556758642413367644
devid="FG5H1E5818900076" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643
devname="FortiGate-501E"
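The following Python script is an added example, not code from this guide or from FortiOS: it parses key=value records of the kind `execute log display` returns and flags failed administrator logins per source address, which is the event the first sample record above represents. The sample records are constructed from the guide's two records (joined onto single lines) plus one extra constructed failure; the function names are assumptions.

```python
"""Flag failed administrator logins in FortiOS event logs.

Added example for this guide section, not Fortinet code: it parses the
key=value records that `execute log display` prints and counts failed
admin logins per source address so repeated failures can be alerted on.
"""
import re
from collections import Counter
from typing import Dict, List

# One key=value pair. Quoted values may contain spaces and parentheses
# (e.g. msg="..." and ui="https(10.6.30.254)"); unquoted values have none.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample: the two records from the guide's sample log, joined
# onto single lines, plus a third constructed failure from another address.
SAMPLE_LOG = [
    'date=2019-05-01 time=17:57:45 logver=602000890 logid=0100032002 type="event" '
    'subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" '
    'msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" '
    'logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" '
    'reason="name_invalid" method="https" devid="FG5H1E5818900076" vd="root"',
    'date=2019-05-01 time=17:57:21 logver=602000890 logid=0100044546 type="event" '
    'subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " '
    'logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 '
    'cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" '
    'devid="FG5H1E5818900076" vd="root"',
    # Constructed record: the same failure type from a documentation-range address.
    'date=2019-05-01 time=17:58:02 logver=602000890 logid=0100032002 type="event" '
    'subtype="system" level="alert" srcip=192.0.2.10 dstip=10.6.30.9 action="login" '
    'msg="Administrator guest login failed from https(192.0.2.10) because of invalid user name" '
    'logdesc="Admin login failed" sn="0" user="guest" ui="https(192.0.2.10)" status="failed" '
    'reason="name_invalid" method="https" devid="FG5H1E5818900076" vd="root"',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one FortiOS log record into a {key: value} dict, quotes stripped."""
    record: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        record[key] = quoted if quoted is not None else bare
    return record


def is_failed_admin_login(record: Dict[str, str]) -> bool:
    """True for a system event with action=login and status=failed.

    logid 0100032002 in the guide's sample is one such event; matching on
    the action/status fields also catches other failure reasons.
    """
    return (record.get("type") == "event"
            and record.get("subtype") == "system"
            and record.get("action") == "login"
            and record.get("status") == "failed")


def failed_admin_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records that are failed admin logins."""
    return [rec for rec in map(parse_log_line, lines) if is_failed_admin_login(rec)]


def failures_by_source(lines: List[str]) -> Counter:
    """Count failed admin logins per source IP; the counter feeds an alert threshold."""
    return Counter(rec.get("srcip", "unknown") for rec in failed_admin_logins(lines))


def sources_over_threshold(lines: List[str], threshold: int = 3) -> List[str]:
    """Source addresses with at least `threshold` failed admin logins."""
    return [ip for ip, n in failures_by_source(lines).items() if n >= threshold]


if __name__ == "__main__":
    for rec in failed_admin_logins(SAMPLE_LOG):
        print(f'{rec["date"]} {rec["time"]} user={rec["user"]} '
              f'from {rec["srcip"]} reason={rec["reason"]}')
    print(failures_by_source(SAMPLE_LOG))
```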

Configuring FortiManager

When a FortiManager device is added to the Security Fabric, it automatically synchronizes with any connected
downstream devices.
To add a FortiManager to the Security Fabric, configure it on the root FortiGate. The root FortiGate then pushes this
configuration to downstream FortiGate devices. The FortiManager provides remote management of FortiGate devices
over TCP port 541. The FortiManager must have internet access for it to join the Security Fabric.
Once configured, the FortiGate can receive antivirus and IPS updates, and allows remote management through
FortiManager or the FortiGate Cloud service. The FortiGate management option must be enabled so that the FortiGate
can accept management updates to its firmware and FortiGuard services.

To add a FortiManager to the Security Fabric using the CLI:

config system central-management
    set type fortimanager
    set fmg {<IP_address> | <FQDN_address>}
end

To add a FortiManager to the Security Fabric using the GUI:

1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiManager card.
2. For Status, click Enable.

3. For Type, click On-Premise.
4. Enter the IP/Domain Name of the FortiManager.
5. Click OK.
6. On the FortiManager, go to Device Manager and find the FortiGate in the Unauthorized Devices list.
7. Select the FortiGate device or devices, and click Authorize in the toolbar.
8. In the Authorize Device pop-up, adjust the device names as needed, then click OK.
For more information about using FortiManager, see the FortiManager Administration Guide.

Configuring FortiManager Cloud service

This cloud-based SaaS management service is available through FortiManager. This service is included in FortiCloud
accounts with a FortiManager Cloud account level subscription (ALCI).

Configuring a per-device license

Once the FortiGate has acquired a contract named FortiManager Cloud, FortiCloud creates a cloud-based FortiManager
instance under the user account. You can launch the portal for the cloud-based FortiManager from FortiCloud, and its
URL starts with the User ID.
You can use a FortiGate with a contract for FortiManager Cloud to configure central management by using the FQDN of
fortimanager.forticloud.com. A FortiGate-FortiManager tunnel is established between FortiGate and the FortiManager
instance.
After the tunnel is established, you can execute FortiManager functions from the cloud-based FortiManager portal.

To configure FortiManager Cloud central management:

1. Enable FortiManager Cloud:
a. Go to Security Fabric > Fabric Connectors and double-click the FortiManager card.
b. For Status, click Enable.
c. For Type, click FortiManager Cloud.

d. Click OK.

The FortiManager Cloud button can only be selected if you have a FortiManager Cloud
product entitlement.

2. In the FortiManager Cloud instance, go to Device Manager and authorize the FortiGate. See Authorizing devices for
more information.
When using FortiGate to enable FortiManager Cloud, the FortiGate appears as an unauthorized device.

After authorizing the FortiGate, it becomes a managed device.

In FortiOS, the Security Fabric > Fabric Connectors page now displays a green arrow in the FortiManager card
because FortiManager Cloud is registered.

Diagnostics

To verify the contract information:

# diagnose test update info contract
...
System contracts:
...
Account contracts:
FMGC,Thu Dec 2 16:00:00 2021
...

To verify the FortiManager Cloud instance has launched and the FortiGate is registered:

# diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered

Configuring FortiSandbox

The Security Fabric supports FortiSandbox appliances and FortiSandbox Cloud. A FortiGate Cloud account is not
required.
To use FortiSandbox in a Security Fabric, connect the FortiSandbox to the Security Fabric, then configure an antivirus
profile to send files to the FortiSandbox. Sandbox inspection can also be used in web filter profiles.
FortiSandbox settings are configured on the root FortiGate of the Security Fabric. After configuration, the root FortiGate
pushes the settings to other FortiGate devices in the Security Fabric.

Either a FortiSandbox appliance or FortiSandbox Cloud can be configured. If one is
configured, then the other will not be available.

To add a FortiSandbox appliance to the Security Fabric:

1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
2. Set Status to Enable.
3. In the Server field, enter the FortiSandbox device's IP address.
4. Optionally, enter a Notifier email.
5. Click OK.
6. On the FortiSandbox device, go to Scan Input > Device.

7. Edit the root FortiGate.
8. Under Permissions, check the Authorized box.
9. Click OK.
10. Authorize the rest of the FortiGate devices that are in the Security Fabric.

To add a FortiSandbox cloud instance to the Security Fabric:

1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiSandbox Cloud card.
2. Set Status to Enable.
3. Select the FortiSandbox cloud Region from the dropdown list. Data from your network will only be sent to servers in
the selected region.
4. Click OK.

If FortiSandbox Cloud is not visible in the GUI, run the execute forticloud-sandbox
region and execute forticloud-sandbox update commands.

Antivirus profiles

An antivirus profile must be configured to send files to the FortiSandbox.

To configure an antivirus profile:

1. On the FortiGate, go to Security Profiles > AntiVirus.
2. Create, edit, or clone an antivirus profile.
3. Under APT Protection Options, set Send Files to FortiSandbox Appliance for Inspection to All Supported Files.
4. Optionally, configure file exceptions.

5. Enable Use FortiSandbox database.
6. Click OK.

Web Filter profiles

Sandbox inspection can be used in Web Filter profiles.

To configure a web filter profile:

1. On the FortiGate, go to Security Profiles > Web Filter.
2. Create, edit, or clone a profile.
3. Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox.
4. Click OK.

Configuring FortiClient EMS

The FortiGate Security Fabric root device can link to FortiClient Endpoint Management System (EMS) and FortiClient
EMS Cloud (a cloud-based EMS solution) for endpoint connectors and automation. Up to three EMS servers can be
added to the Security Fabric, including a FortiClient EMS Cloud server. EMS settings are synchronized between all
fabric members.
To enable cloud-based EMS services, the FortiGate must be registered to FortiCloud with an appropriate user account.
The following examples presume that the EMS certificate has already been configured.

To add an on-premise FortiClient EMS server to the Security Fabric in the GUI:

1. On the root FortiGate, go to System > Feature Visibility and enable Endpoint Control.
2. Go to Security Fabric > Fabric Connectors.
3. Click Create New and click FortiClient EMS.
4. For Type, click FortiClient EMS.
5. Enter a name and IP address or FQDN. When connecting to a multitenancy-enabled EMS, Fabric connectors must
use an FQDN to connect to EMS, where the FQDN hostname matches a site name in EMS (including "Default").
The following are examples of FQDNs to provide when configuring the connector to connect to the default site and
to a site named SiteA, respectively: default.ems.yourcompany.com, sitea.ems.yourcompany.com. See
Multitenancy.

6. Click OK.
A window appears to verify the EMS server certificate:

7. Click Accept.
The FortiClient EMS Status section displays a Successful connection and an Authorized certificate:

To add a FortiClient EMS Cloud server to the Security Fabric in the GUI:

FortiClient EMS Cloud can only be configured when the FortiGate is registered to FortiCloud
and the EMS Cloud entitlement is verified.
If the FortiCloud account does not pass the FortiClient EMS Cloud entitlement check, the
option is not selectable in the FortiClient EMS connector settings.

1. Go to Security Fabric > Fabric Connectors.
2. Click Create New and click FortiClient EMS.
3. Set Type to FortiClient EMS Cloud.

4. Enter a name.
5. Click OK.
A window appears to verify the EMS server certificate.
6. Click Accept.
The FortiClient EMS Status section displays a Successful connection and an Authorized certificate.

To test connectivity with the EMS server:

1. Go to Security Fabric > Fabric Connectors and double-click the FortiClient EMS or FortiClient EMS Cloud card.
2. In the FortiClient EMS Status section under Connection, click Refresh.

To add an on-premise FortiClient EMS server to the Security Fabric in the CLI:

config endpoint-control fctems
    edit <ems_name>
        set server <ip_address>
        set certificate <string>
        set https-port <integer>
        set source-ip <ip_address>
    next
end

The https-port is the EMS HTTPS access port number, and the source-ip is the REST API call source IP address.

To add a FortiClient EMS Cloud server to the Security Fabric in the CLI:

config endpoint-control fctems
    edit <name>
        set fortinetone-cloud-authentication enable
        set certificate <string>
    next
end

To verify the EMS Cloud entitlement in the CLI:

# diagnose test update info

To verify an EMS certificate in the CLI:

# execute fctems verify ems137
Subject: C = CA, ST = bc, L = burnaby, O = devqa, OU = top3, CN = sys169.qa.fortinet.cm, emailAddress = [email protected]
Issuer: CN = 155-sub1.fortinet.com
Valid from: 2017-12-05 00:37:57 GMT
Valid to: 2027-12-02 18:08:13 GMT
Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0
Root CA: No
Version: 3
Serial Num:
01:86:a2
Extensions:
Name: X509v3 Basic Constraints
Critical: yes
Content:
CA:FALSE

Name: X509v3 Subject Key Identifier
Critical: no
Content:
35:B0:E2:62:AF:9A:7A:E6:A6:8E:AD:CB:A4:CF:4D:7A:DE:27:39:A4

Name: X509v3 Authority Key Identifier
Critical: no
Content:
keyid:66:54:0F:78:78:91:F2:E4:08:BB:80:2C:F6:BC:01:8E:3F:47:43:B1
DirName:/C=CA/ST=bc/L=burnaby/O=devqa/OU=top3/CN=fac155.fortinet.com/[email protected]
serial:01:86:A4

Name: X509v3 Subject Alternative Name
Critical: no
Content:
DNS:sys169.qa.fortinet.cm

Name: X509v3 Key Usage
Critical: no
Content:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only

Name: X509v3 Extended Key Usage
Critical: no
Content:
TLS Web Server Authentication, TLS Web Client Authentication

EMS configuration needs user to confirm server certificate.
Do you wish to add the above certificate to trusted remote certificates? (y/n)y
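The verify output above lists what an operator should compare before answering y at the trust prompt. The following Python script is an added example, not part of the FortiOS guide or of FortiOS itself: it parses a constructed copy of that output (the guide's example values, with the subject emailAddress omitted), checks the validity window, checks that the EMS server name configured on the FortiGate matches a SAN entry or the CN, compares the fingerprint against a value recorded out of band from the EMS console, and confirms the certificate is usable for TLS server authentication. The pinned fingerprint value, the check time and the sample text are assumptions.

```python
"""Sanity-check the certificate details printed by `execute fctems verify <name>`.
Added example; not part of the FortiOS guide or of FortiOS."""
import hmac
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the guide's `execute fctems verify ems137` output.
# Field values are the guide's example values (subject emailAddress omitted).
SAMPLE_VERIFY_OUTPUT = """\
Subject: C = CA, ST = bc, L = burnaby, O = devqa, OU = top3, CN = sys169.qa.fortinet.cm
Issuer: CN = 155-sub1.fortinet.com
Valid from: 2017-12-05 00:37:57 GMT
Valid to: 2027-12-02 18:08:13 GMT
Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0
Root CA: No
Version: 3
Extensions:
Name: X509v3 Subject Alternative Name
Critical: no
Content:
DNS:sys169.qa.fortinet.cm

Name: X509v3 Extended Key Usage
Critical: no
Content:
TLS Web Server Authentication, TLS Web Client Authentication
"""

# Assumed: the fingerprint the operator wrote down from the EMS server console.
PINNED_FINGERPRINT = "D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0"

SCALAR_FIELDS = {
    "Subject:": "subject",
    "Issuer:": "issuer",
    "Valid from:": "valid_from",
    "Valid to:": "valid_to",
    "Fingerprint:": "fingerprint",
}


def parse_verify_output(text):
    """Extract subject CN, SAN DNS names, validity window, fingerprint and extended key usage."""
    info = {"san": [], "eku": ""}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        for prefix, key in SCALAR_FIELDS.items():
            if line.startswith(prefix):
                info[key] = line[len(prefix):].strip()
        if line.startswith("DNS:"):
            info["san"].append(line[len("DNS:"):].strip().lower())
        if line == "Name: X509v3 Extended Key Usage":
            # The usage list is the line after this extension's "Content:" marker.
            rest = lines[i + 1:]
            if "Content:" in rest:
                idx = rest.index("Content:")
                if idx + 1 < len(rest):
                    info["eku"] = rest[idx + 1]
    match = re.search(r"\bCN\s*=\s*([^,]+)", info.get("subject", ""))
    info["cn"] = match.group(1).strip().lower() if match else None
    return info


def parse_gmt(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS GMT' timestamps the verify output uses."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def name_matches(server_name, cert_names):
    """Exact match, or a single-label wildcard such as *.ems.example.com."""
    host = server_name.lower().rstrip(".")
    for name in cert_names:
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def normalize_fingerprint(fp):
    """Strip colons, spaces and case so D3:7A:... and d37a... compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def check_ems_certificate(verify_output, server_name, pinned_fingerprint, now=None):
    """Return a list of findings; an empty list means the certificate is the one expected."""
    info = parse_verify_output(verify_output)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_gmt(now)
    findings = []
    if not (parse_gmt(info["valid_from"]) <= now <= parse_gmt(info["valid_to"])):
        findings.append("certificate is outside its validity period")
    # SAN entries take precedence; fall back to the CN only when no SAN is present.
    names = info["san"] or ([info["cn"]] if info["cn"] else [])
    if not name_matches(server_name, names):
        findings.append(f"configured server {server_name!r} is not among the certificate names {names}")
    if not hmac.compare_digest(normalize_fingerprint(info["fingerprint"]),
                               normalize_fingerprint(pinned_fingerprint)):
        findings.append("fingerprint does not match the value recorded from the EMS console")
    if "TLS Web Server Authentication" not in info["eku"]:
        findings.append("certificate is not marked for TLS server authentication")
    return findings


if __name__ == "__main__":
    for finding in check_ems_certificate(SAMPLE_VERIFY_OUTPUT, "sys169.qa.fortinet.cm",
                                         PINNED_FINGERPRINT) or ["certificate matches expectations"]:
        print(finding)
```

The fingerprint comparison uses a value copied from the EMS console rather than from the FortiGate prompt itself, which is what makes the check meaningful: the prompt only proves that some certificate was presented, not that it is the EMS server's.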

Troubleshooting

Certificate not trusted

When configuring a new connection to an EMS server, the certificate might not be trusted.
When you click Authorize, a warning displays: The server certificate cannot be authenticated with installed CA
certificates. Please install its CA certificates on this FortiGate.
In the CLI, an error message displays when you try to verify the certificate:

# execute fctems verify Win2K16-EMS
certificate not configured/verified: 2
Could not verify server certificate based on current certificate authorities.
Error 1--92-60-0 in get SN call: EMS Certificate is not signed by a known CA.

The default FortiClient EMS certificate that is used for the SDN connection is signed by the CA certificate that is saved on
the Windows server when FortiClient EMS is first installed. You can manually export and install it on the FortiGate.

To manually export and install the certificate on to the FortiGate:

1. Export the EMS certificate on the server that EMS is installed on:
a. On the Windows server that EMS is installed on, go to Settings > Manage computer certificates.
b. In the certificate management module, go to Trusted Root Certification Authorities > Certificates.
c. Right-click the certificate issued by FortiClient Enterprise Management Server and select All Tasks > Export.
d. The Certificate Export Wizard opens. Click Next.
e. Select Base-64 encoded X.509, then click Next.
f. Enter a file name for the certificate and click Browse to select the folder where it will be located, then click Next.
g. Review the settings, then click Finish. The certificate is downloaded to the specified folder.
2. On the FortiGate, import the certificate:
a. Go to System > Certificate. By default, the Certificate option is not visible; see Feature visibility on page 1065
for information.
b. Click Import > CA Certificate.
c. Set Type to File, and click Upload to import the certificate from the management computer.
d. Click OK. The imported certificate is shown in the Remote CA Certificate section of the certificate table.
3. Try to authorize the certificate on the FortiGate:
a. Go to Security Fabric > Fabric Connectors and edit the FortiClient EMS connector. The connection status
should now say that the certificate is not authorized.
b. Click Authorize. A warning is shown that the FortiGate is not authorized on EMS. The same warning can be seen in
the CLI:

# execute fctems verify Win2K16-EMS
failure in certificate configuration/verification: -4
Could not verify EMS. Error 1--94-0-401 in get SN call: Authentication denied.

4. Authorize the FortiGate on EMS:
a. Log in to the EMS server console and go to Administration > Fabric Devices.
b. Select the serial number of the FortiGate device, then click Authorize.
5. Try to authorize the certificate on the FortiGate again:
a. On the FortiGate, go to Security Fabric > Fabric Connectors and edit the FortiClient EMS connector.
b. Click Authorize.
c. When presented with the EMS server certificate, click Accept to accept the certificate.
Your connection should now be successful and authorized.
d. Click OK.

Synchronizing FortiClient EMS tags and configurations

An option under the FortiClient EMS settings on the FortiGate consolidates the setup of EMS connectors to support EMS
tags. EMS tags are pulled into the FortiGate via TCP/8013 and automatically synced with the EMS server. They are
converted into read-only dynamic firewall addresses that can be used in firewall policies, routing, and so on.

You can test connectivity to the EMS on the FortiGate with the diagnose endpoint fctems test-connectivity
<EMS_ENTRY_NAME> command.

These examples presume the following have been configured in FortiClient EMS:
• Tags have been created on the Compliance Verification > Compliance Verification Rules page.
• There are registered users who match the defined tags that are visible on the Compliance Verification > Host Tag
Monitor page.

To configure FortiClient EMS with tag synchronization in the GUI:

1. Configure the EMS Fabric Connector:
a. On the root FortiGate, go to Security Fabric > Fabric Connectors.
b. Click Create New and click FortiClient EMS.
c. Enable Synchronize firewall addresses.
d. Configure the other settings as needed and validate the certificate.
e. Click OK.
2. Go to Policy & Objects > Addresses and hover over the EMS tag to view which IPs it resolves to.
3. Configure a firewall policy:
a. Go to Policy & Objects > Firewall Policy and create a new policy.
b. For the Source Address, add the EMS tag dynamic address.
c. Configure the other settings as needed.
d. Click OK.

To configure FortiClient EMS with tag synchronization in the CLI:

1. Configure the EMS Fabric Connector:
config endpoint-control fctems
    edit "ems137"
        set fortinetone-cloud-authentication disable
        set server "172.16.200.137"
        set https-port 443
        set source-ip 0.0.0.0
        set pull-sysinfo enable
        set pull-vulnerabilities enable
        set pull-avatars enable
        set pull-tags enable
        set call-timeout 5000
        set certificate "REMOTE_Cert_1"
    next
end

2. Verify which IPs the dynamic firewall address resolves to:
# diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
ADDR(10.1.100.120)
ADDR(10.1.100.198)

FCTEMS0580226579_ems137_winscp_tag: ID(155)
ADDR(100.100.100.141)

FCTEMS0580226579_ems137_win10_tag: ID(182)
ADDR(10.1.100.120)

# diagnose firewall dynamic address FCTEMS0580226579_ems137_vuln_critical_tag
FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
ADDR(10.1.100.120)
ADDR(10.1.100.198)

Total dynamic list entries: 1.
Total dynamic addresses: 2
Total dynamic ranges: 0

3. Configure a firewall policy that uses the EMS tag dynamic firewall address as a source.
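The diagnose firewall dynamic list output in step 2 is what an operator compares against the EMS Host Tag Monitor before a policy that uses the tag goes live. The following Python script is an added example, not from the FortiOS guide or from FortiOS itself: it parses a constructed copy of that output (the guide's three tags plus a made-up, unresolved empty_tag entry) into a tag-to-address map, reports tags that resolved to no addresses, lists the tags a given host falls under, and diffs a tag's resolved hosts against the host list expected from EMS. The address-name layout FCTEMS<serial>_<connector>_<tag> and the sample values are assumptions.

```python
"""Check how EMS tags resolved on the FortiGate (`diagnose firewall dynamic list`).
Added example; not part of the FortiOS guide or of FortiOS."""
import re
from ipaddress import ip_address

# Constructed sample reproducing the guide's example output for connector "ems137";
# the empty_tag entry is made up to show how an unresolved tag is reported.
SAMPLE_DYNAMIC_LIST = """\
List all dynamic addresses:
FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
ADDR(10.1.100.120)
ADDR(10.1.100.198)

FCTEMS0580226579_ems137_winscp_tag: ID(155)
ADDR(100.100.100.141)

FCTEMS0580226579_ems137_win10_tag: ID(182)
ADDR(10.1.100.120)

FCTEMS0580226579_ems137_empty_tag: ID(201)

Total dynamic list entries: 4.
Total dynamic addresses: 4
Total dynamic ranges: 0
"""

ENTRY_RE = re.compile(r"^(?P<name>\S+): ID\((?P<id>\d+)\)$")
ADDR_RE = re.compile(r"^ADDR\((?P<ip>[0-9a-fA-F.:]+)\)$")
# Assumed layout of the generated address name: FCTEMS<ems serial>_<connector>_<tag>.
NAME_RE = re.compile(r"^(?P<ems>FCTEMS[^_]+)_(?P<connector>[^_]+)_(?P<tag>.+)$")


def parse_dynamic_list(text):
    """Return {address_name: {"id": int, "addrs": set of ip_address}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            current = entry.group("name")
            entries[current] = {"id": int(entry.group("id")), "addrs": set()}
            continue
        addr = ADDR_RE.match(line)
        if addr and current:
            entries[current]["addrs"].add(ip_address(addr.group("ip")))
    return entries


def split_address_name(name):
    """Split a generated address name into (EMS serial, connector, tag)."""
    match = NAME_RE.match(name)
    if not match:
        raise ValueError(f"not an EMS dynamic address name: {name}")
    return match.group("ems"), match.group("connector"), match.group("tag")


def unresolved_tags(entries):
    """Tags that currently match no endpoint; a policy using them matches nothing."""
    return sorted(name for name, entry in entries.items() if not entry["addrs"])


def tags_for_host(entries, host_ip):
    """Every tag address that a given endpoint IP currently falls under."""
    ip = ip_address(host_ip)
    return sorted(name for name, entry in entries.items() if ip in entry["addrs"])


def compare_with_ems(entries, name, expected_hosts):
    """Diff the FortiGate's view of a tag against the hosts EMS's Host Tag Monitor shows."""
    expected = {ip_address(host) for host in expected_hosts}
    got = entries[name]["addrs"]
    return {
        "missing": sorted(str(ip) for ip in expected - got),
        "unexpected": sorted(str(ip) for ip in got - expected),
    }


if __name__ == "__main__":
    resolved = parse_dynamic_list(SAMPLE_DYNAMIC_LIST)
    print("unresolved:", unresolved_tags(resolved))
    print("10.1.100.120 is in:", tags_for_host(resolved, "10.1.100.120"))
```

A tag that resolves to no addresses is the usual symptom of a broken pull (connector down, tag renamed in EMS, or the endpoint not yet reporting), so it is worth checking before the policy is relied on.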

Configuring FortiNAC

A FortiNAC device can be added to the Security Fabric on the root FortiGate. After the device has been added and
authorized, you can log in to the FortiNAC from the FortiGate topology views.

Adding a FortiNAC to the Security Fabric requires a FortiNAC with a license issued in the year
2020 or later that includes an additional certificate. The device cannot be added if it has an
older license. Use the licensetool in the FortiNAC CLI to determine if your license includes
the additional certificate.

To add a FortiNAC to the Security Fabric:

1. On the FortiNAC, configure telemetry and input the IP address of the root FortiGate. See Security Fabric Connection
in the FortiNAC Administration Guide for more information.
2. On the root FortiGate, authorize the FortiNAC.
3. Verify the connection status in the topology views.

To authorize the FortiNAC on the root FortiGate in the GUI:

1. Go to Security Fabric > Fabric Connectors.
2. The FortiNAC device will be highlighted in the topology list in the right panel with the status Waiting for
Authorization.
3. Click on the highlighted FortiNAC and select Authorize.

Optionally, you can also deny authorization to the FortiNAC to remove it from the list.

To authorize the FortiNAC on the root FortiGate in the CLI:

config system csf
    config trusted-list
        edit "FNVMCATM20000306"
            set action accept
        next
    end
end

To verify the connection status:

1. After the FortiNAC is authorized, go to Security Fabric > Physical Topology and confirm that it is included in the
topology.
2. Go to Security Fabric > Logical Topology and confirm the FortiNAC is also displayed there.
3. Run the following command in the CLI to view information about the FortiNAC device's status:
# diagnose sys csf downstream-devices fortinac
{
    "path":"FG5H1E5818900126:FNVMCATM20000306",
    "mgmt_ip_str":"10.1.100.197",
    "mgmt_port":0,
    "admin_port":8443,
    "serial":"FNVMCATM20000306",
    "host_name":"adnac",
    "device_type":"fortinac",
    "upstream_intf":"port2",
    "upstream_serial":"FG5H1E5818900126",
    "is_discovered":true,
    "ip_str":"10.1.100.197",
    "downstream_intf":"eth0",
    "authorizer":"FG5H1E5818900126",
    "idx":1
}

To log in to the FortiNAC from the FortiGate:

1. On the FortiGate, go to Security Fabric > Physical Topology or Security Fabric > Logical Topology.
2. Click on the FortiNAC and select Login to <serial_number>.
A new tab will open to the FortiNAC login page.
3. Enter the username and password to log in to the FortiNAC.

Configuring FortiAP and FortiSwitch

FortiAP and FortiSwitch devices can be authorized in the Security Fabric with one click. After connecting a FortiAP or
FortiSwitch device to an authorized FortiGate, it will automatically be listed in the topology tree.

If the default auto-auth-extension-device settings on the FortiAP or FortiSwitch have
been modified, manual authorization in the Security Fabric may not be required.

For more information about configuring FortiAPs, see Configuring the FortiGate interface to manage FortiAP units and
Discovering, authorizing, and deauthorizing FortiAP units.
For more information about configuring FortiSwitches, see Using the FortiGate GUI.

To authorize FortiAP and FortiSwitch devices:

1. Connect the FortiAP or FortiSwitch device to a FortiGate.
2. On the root FortiGate, go to Security Fabric > Fabric Connectors. The new device is shown in the Topology tree.
3. Click the device and select Authorize.

Configuring FortiMail

FortiMail can be authorized into the Security Fabric using either the gutter on the Fabric Connectors page, or by
pre-authorizing using the FortiMail serial number or certificate.

To join the Security Fabric from FortiMail:

1. Go to System > Customization and click the Corporate Security Fabric tab (or the Corporate Security Fabric tab in
FortiMail 6.4.2 and earlier).
2. Click the toggle to enable the Fabric.
3. Enter the Upstream IP Address (root FortiGate) and the Management IP of the FortiMail.
4. Click Apply.

Authorizing using FortiOS

If the FortiMail was added to the Security Fabric but not pre-authorized, you can authorize it in FortiOS on the Fabric
Connectors page.

To authorize FortiMail:

1. Go to Security Fabric > Fabric Connectors.
2. In the topology tree, hover over the FortiMail and click Authorize.
3. Verify the certificate is correct, then click Accept.

Pre-authorizing using the FortiMail certificate

FortiMail can be pre-authorized using its serial number or certificate. When you pre-authorize, the FortiMail can join at
any time, and you will not need to authorize it in FortiOS. In this example, FortiMail is pre-authorized using a certificate.

To pre-authorize FortiMail using a third-party or default certificate:

1. Log in to FortiMail.
2. Download the certificate. For example, in Chrome:
a. In the left side of the address bar, click the icon to view the site information.
b. Click Certificate.
c. Click the Details tab, then click Copy to File.
d. The Certificate Export Wizard opens. Click Next to continue.
e. For the file format, select Base-64 encoded X.509 (.CER), then click Next.
f. Browse to the folder location and enter a file name, then click Next.
g. Click Finish, then click OK to close the dialog box.
3. In FortiOS, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
4. Beside Device authorization, click Edit and configure the following:
a. Enter the FortiMail serial number.
b. For Authorization type, select Serial Number.
c. For Certificate, upload the .CER file you saved previously.
d. Click OK.

Configuring FortiVoice

A FortiVoice can be added to the Security Fabric on the root FortiGate. Once the FortiVoice is added and authorized, you
can log in to the device from the Security Fabric topology pages or the topology tree. A FortiVoice can be authorized in
FortiOS, or can be pre-authorized with its serial number or certificate. A FortiVoice can be added to the dashboard as a
Fabric device widget.

Authorizing using the FortiOS GUI

To authorize a FortiVoice to join the Security Fabric:

1. On the FortiVoice, enable the Security Fabric. See Enabling Security Fabric in the FortiVoice Phone System
Administration Guide.

2. On the root FortiGate, go to Security Fabric > Fabric Connectors. The FortiVoice is highlighted in the topology list in
the right panel with the status Waiting for Authorization.
3. Click the highlighted FortiVoice and select Authorize.
4. Verify that the certificate is correct, then click Accept.

Pre-authorizing using the FortiVoice certificate

A FortiVoice can be pre-authorized using its serial number or certificate. When pre-authorizing, the FortiVoice can join at
any time, and it will not need to be authorized in FortiOS. In the following example, the FortiVoice is pre-authorized using
a certificate.

To pre-authorize a FortiVoice using a third-party or default certificate in the GUI:

1. Log in to the FortiVoice.
2. Download the certificate. For example, in Chrome:
a. In the left side of the address bar, click the icon to view the site information.
b. Click Certificate.
c. In the Certificate window, click the Details tab, then click Copy to File.
d. The Certificate Export Wizard opens. Click Next.
e. Set the format to Base-64 encoded X.509 (.CER), then click Next.
f. Browse to the folder location, enter a file name, then click Next.
g. Click Finish, then click OK to close the wizard.
3. In FortiOS, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
4. Beside Device authorization, click Edit.
5. Click Create New and enter the following:
a. In the Name field, enter the FortiVoice serial number.
b. Set the Authorization type to Certificate.
c. Upload the .CER file.
d. Click OK, then close the Device authorization pane.

To pre-authorize a FortiVoice using a third-party or default certificate in the CLI:

config system csf
    config trusted-list
        edit "FOV-300E"
            set action accept
            set authorization-type certificate
            set certificate "-----BEGIN CERTIFICATE-----
...
<encrypted_certificate_data>
...
-----END CERTIFICATE-----"
        next
    end
end

To verify the connection status:

1. After the FortiVoice is authorized, go to Security Fabric > Physical Topology and confirm that it is included in the
topology.
2. Go to Security Fabric > Logical Topology and confirm the FortiVoice is also displayed there.

Logging in to the FortiVoice using the Security Fabric

To log in using a topology page:

1. Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology.
2. Click on the FortiVoice and select Login to <serial_number>.

To log in using the Fabric Connectors page:

1. Go to Security Fabric > Fabric Connectors.
2. In the topology tree, click the FortiVoice and select Login to <serial_number>.

Configuring additional devices

The following Fortinet devices are supported by the Security Fabric:
• FortiADC
• FortiDDoS
• FortiSandbox
• FortiMail (see Configuring FortiMail on page 174)
• FortiWeb
• FortiWLC

Security Fabric supports standalone FortiSandbox devices, FortiSandbox HA-Cluster primary,
and FortiSandbox cluster IP.

In FortiOS, the device details can be shown in the Security Fabric and Fabric Device dashboard widgets, as well as the
Fabric Connectors page, and physical and logical topologies.

To add one or more of the devices to the Security Fabric in the GUI:

1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
2. Click Create New and select Fabric Device.
3. Enter the Name, IP, and HTTPS port for the device.

FortiSandbox only supports HTTPS port 443.

4. Click Generate to generate an access token. The Generate Access Token pane opens.
a. Enter the device's username and password.
b. Click OK.
5. Click OK.
6. Add more devices as required.
The additional devices are shown on the Fabric Connectors page under Other Fortinet Products and in the
Topology tree.

To add one or more of the devices to the Security Fabric in the CLI:

config system csf
    ...
    config fabric-device
        edit "FortiADC"
            set device-ip 172.18.64.36
            set access-token xxxxxx
        next
    end
end

Using the Security Fabric

Dashboard widgets

Security Fabric widgets can be added to FortiGate dashboards, including:
• Security Fabric status on page 182
• Fabric Device on page 183
• FortiGate Cloud on page 184

Security Fabric status

The Security Fabric status widget shows a summary of the devices in the Security Fabric.

Hover the cursor over the top icons to view pop-ups showing the statuses of the devices in the fabric.
The device tree shows devices that are connected, or could be connected, to your Security Fabric, according to the
following color scheme:
• Blue: connected to the network
• Gray: not configured or not detected
• Red: no longer connected or not authorized
Hover over a device in the tree to view details about the device, such as its serial number, operation mode, IP address,
CPU and memory usage, and others, depending on the device type.
Unauthorized FortiAP and FortiSwitch devices are highlighted in the list, and can be authorized by clicking on the device
name.

Fabric Device

The Fabric Device widget shows statistics and system information about the selected fabric device.
For a FortiMail device, the widget can show:
• Mail Statistics: a chart of the total messages and total spam messages over time.
• Statistics Summary: a pie chart summarizing mail statistics.
• System Information: the FortiMail System Information widget.
• System Usage: system usage information, such as CPU, memory, and disk usage, as well as the number of active
sessions.

FortiGate Cloud

The FortiGate Cloud widget shows the FortiGate Cloud status and information. If your account is not activated, you can
activate it from the widget.

To activate your FortiGate Cloud account:

1. Click on the Not Activated button and select Activate. The Activate FortiGate Cloud pane opens.
2. If you already have an account:
a. Fill in your email address, password, country or region, and reseller.
b. Click OK.
3. If you are creating an account:
a. In the FortiCloud field select Create Account.
b. Fill in all of the required information.
c. Click OK.

Topology

The full Security Fabric topology can be viewed on the root FortiGate. Downstream FortiGate devices' topology views do
not include upstream devices.
The Physical Topology shows the physical structure of your network, including all connected devices and the
connections between them. The Logical Topology shows information about the interfaces that connect devices to the
Security Fabric. Only Fortinet devices are shown in the topologies.
In both topology pages, you can use filtering and sorting options to control the information that is shown. Hover the
cursor over a device icon, port number, or endpoint to open a tooltip that shows information about that specific device,
port, or endpoint. Right-click on a device to log in to it or to deauthorize it. Right-click on an endpoint to perform various
tasks, including drilling down for more details on sources or compromised hosts, quarantining the host, and banning the
IP address.
The small number that might be shown on the top right corner of a device icon is the number of security ratings
recommendations or warnings for that device. The color of the circle shows the severity of the highest security rating
check that failed. Clicking it opens the Security Rating page. See Security rating on page 238 for more information.


Servers and server clusters are represented by squares with rounded corners. They are grouped separately from
circular endpoints. Devices are grouped by type and are colored based on their risk level. Endpoint groups are
represented by donut charts or bubble packs depending on the current view settings (see Endpoint groups for more
information). The size of the bubbles in the topology varies based on traffic volume.
AWS assets are grouped by AWS security groups or subnets, and information about detected Common Vulnerabilities
and Exposures (CVEs), as well as the instance details and ID, are shown.

Views

The topology views can be focused using filters and by sorting in different ways to help you locate the information that
you need.
Select one of Access Device or No Access Device to only show access or no access devices in the physical topology.
From the Endpoint Option dropdown list, select one of the following views:
• Device Traffic: Organize devices by traffic.
• Device Count: Organize devices by the number of devices connected to it.
• Device Operating System: Organize devices by operating system.
• Device Hardware Vendor: Organize devices by hardware vendor.
• Risk: Only include devices that have endpoints with medium, high, or critical risk values of the specified type: All,
Compromised Host, Vulnerability, or Threat Score.
• No Devices: Do not show endpoints.
The time period dropdown list filters the view by time. Options include: now (real time), 5 minutes, 1 hour, 24 hours, or 7
days.

Endpoint groups

The Device Traffic and Device Count views display endpoint groups as donut charts, with the total number of endpoints
in the group in the center of the chart. Each sector of the donut chart represents a different endpoint operating system.


To zoom in on a donut chart, click any chart sector. Each sector represents a different endpoint OS. Hovering over each
sector allows you to see the OS that the sector represents and the number of endpoints that have that OS installed.

In this example, the endpoint group contains a total of nine endpoints, with the following OSes installed:

Donut sector color   OS             Number of endpoints
Orange               Linux          2
Green                FortiMail      1
Red                  FortiManager   1
Blue                 Other          5

To view the endpoint group in a bubble pack display, click the + button in the center of the donut chart. You can view
each individual endpoint in the bubble pack view.


WAN cloud

The WAN cloud icon includes a dropdown menu for selecting where the destination data comes from. The available
options are: Internet, Owner, IP Address, and Country/Region. These options are only available when the filtering is
based on Device Traffic.
When Owner is selected, the destination hosts are shown as donut charts that show the percentage of internal (with
private IP addresses) and Internet hosts. Hover over either color in the chart to see additional information.

To view more details, right-click on the chart and select Destination Owner Details. The Top Destination Owners by
Bytes widget opens. Click the green icon (Standalone FortiView page icon) to add the widget to a new dashboard.


Alternatively, you can add the FortiView Destination Owners widget as a standalone page or to an existing dashboard
(see Adding FortiView widgets on page 104).

FortiAP and FortiSwitch devices

Newly discovered FortiAP and FortiSwitch devices are initially shown in the topologies with gray icons to indicate that
they have not been authorized. To authorize a device, click on the device icon or name and select Authorize. Once
authorized, the device icon will turn blue.
Right-click on an authorized FortiAP device to Deauthorize or Restart the device. Right-click on a FortiSwitch device to
Deauthorize, Restart, or Upgrade the device, or to Connect to the CLI.
FortiAP and FortiSwitch links are enhanced to show link aggregation groups for the inter-switch link (ISL-LAG). To
differentiate them from physical links, ISL-LAG links are shown with a thicker line. The endpoint circles can also be used
as a reference to identify ISL-LAG groups that have more than two links.

Critical risks

Click the Critical Risks button to see a list of endpoints that are deemed critical risks, organized by threat severity. These
are the red endpoints in the current topology view.

For each endpoint, the user's photo, name, IP address, email address, and phone number are shown. The number of
vulnerabilities of each severity is shown, and if the IoC verdict is that the endpoint is compromised.
If applicable, the endpoint's host can be quarantined or its IP address banned, by clicking the Quarantine Host or Ban
IP button.


The dropdown menu also provides options to drill down to more information on compromised hosts or endpoint
vulnerabilities.

Click Drill Down to Compromised Hosts to open the Top Compromised Hosts page that shows a summary for the
selected endpoint.

Compromised host information can also be viewed on the FortiAnalyzer in SOC > FortiView > Threats > Compromised
Hosts.

The FortiAnalyzer must have a FortiGuard Indicators of Compromise service license in order
to see compromised hosts.

Click Drill Down to Endpoint Vulnerability to open the vulnerabilities page that shows a summary of the vulnerabilities on
the selected endpoint.

FortiAnalyzer

The Security Fabric topology can also be seen on the FortiAnalyzer device. In the Device Manager, FortiGate devices
are shown as part of a Security Fabric group with an asterisk next to the name of the root FortiGate.


To view the Security Fabric topology, right-click on the fabric group and select Fabric Topology. Only Fortinet devices
are shown in the Security Fabric topology views.

Topology view — consolidated risk

The topology view shows endpoints based on their highest severity event.
In the default topology view, you can view hosts with critical vulnerabilities and compromised hosts identified as critical
risks.
The consolidated Risk view mode displays different risks within the Security Fabric topology. You can use the Risk view
mode to filter threats by Compromised Hosts, Vulnerability, and Threat Score.

To access the default topology view:

1. Go to Security Fabric > Physical Topology.
The default topology view highlights hosts with critical vulnerabilities and compromised hosts as critical risks (three
critical risks in the example).
a. Hover over the tooltips for more details.
2. To view the critical risk summary, click Critical Risks.
The Critical Risks pane displays on the right side of the screen.

To access the consolidated Risk view mode:

1. In the view option dropdown button, select Risk.
2. Select one of the following options from the Risk Type dropdown menu:
• All
• Compromised Hosts
• Vulnerability
• Threat Score

Viewing and controlling network risks via topology view

This topic shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security
Fabric > Logical Topology view.
In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a
FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another
FortiSwitch (Access).

This topic consists of the following steps:
1. View the compromised endpoint host.
2. Quarantine the compromised endpoint host.
3. Run diagnose commands.

To view the compromised endpoint host:

1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a
malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the
website.
2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the
Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict.
The endpoint host is compromised.


3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted
in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.

To quarantine the compromised endpoint host:

1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
2. Right-click the endpoint host and select Quarantine Host. Click OK in the confirmation dialog.
3. Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The
quarantined endpoint host displays in the content pane.
4. On the endpoint host, open a browser and visit a website such as https://www.fortinet.com/. If the website cannot be
accessed, this confirms that the endpoint host is quarantined.

To run diagnose commands:

1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream
   command in the root FortiGate (Edge) CLI. The output should resemble the following:

   Edge # diagnose sys csf downstream
   1: FG101ETK18002187 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514
   path:FG201ETK18902514:FG101ETK18002187
   data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443
   authorizer:FG201ETK18902514
2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys
   csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:

   Marketing # diagnose sys csf upstream
   Upstream Information:
   Serial Number:FG201ETK18902514
   IP:192.168.7.2
   Connecting interface:wan1
   Connection status:Authorized
3. To show the quarantined endpoint host in the connected FortiGate, run the following commands in the downstream
   FortiGate (Marketing) CLI:

   Marketing # show user quarantine
   config user quarantine
       config targets
           edit "PC2"
               set description "Manually quarantined"
               config macs
                   edit 00:0c:29:3d:89:39
                       set description "manual-qtn Hostname: PC2"
                   next
               end
           next
       end
   end

Deploying the Security Fabric

This topic provides an example of deploying Security Fabric with three downstream FortiGates connecting to one root
FortiGate. To deploy Security Fabric, you need a FortiAnalyzer running firmware version 6.2 or later.

The following shows a sample network topology with three downstream FortiGates (Accounting, Marketing, and Sales)
connected to the root FortiGate (Edge).

To configure the root FortiGate (Edge):

1. Configure interfaces:
   a. In the root FortiGate (Edge), go to Network > Interfaces.
   b. Edit port16:
      - Set Role to DMZ.
      - For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.65.2/255.255.255.0.
   c. Edit port10:
      - Set Role to LAN.
      - For the interface connected to the downstream FortiGate (Accounting), set the IP/Network Mask to 192.168.10.2/255.255.255.0.
   d. Edit port11:
      - Set Role to LAN.
      - For the interface connected to the downstream FortiGate (Marketing), set the IP/Network Mask to 192.168.200.2/255.255.255.0.
2. Configure Security Fabric:
   a. In the root FortiGate (Edge), go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
   b. For Status, click Enable.
   c. Set the Security Fabric role to Serve as Fabric Root. The FortiAnalyzer settings can now be configured.
   d. Enter the FortiAnalyzer IP (192.168.65.10) and select an Upload option (the default is Real Time).
   e. Click Test Connectivity.
      A warning message indicates that the FortiGate is not authorized on the FortiAnalyzer. The authorization is configured in a later step on the FortiAnalyzer.
   f. Click OK. The FortiAnalyzer serial number is verified.
   g. Enter a Fabric name, such as Office-Security-Fabric.
   h. Ensure Allow other Security Fabric devices to join is enabled and add port10 and port11.
   i. Click OK.
3. Create a policy to allow the downstream FortiGate (Accounting) to access the FortiAnalyzer:
   a. In the root FortiGate (Edge), go to Policy & Objects > Addresses.
   b. Click Create New.
      - Set Name to FAZ-addr.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.65.10/32.
      - Set Interface to any.
   c. Click OK.
   d. Click Create New.
      - Set Name to Accounting.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.10.10/32.
      - Set Interface to any.
   e. Click OK.
   f. In the root FortiGate (Edge), go to Policy & Objects > Firewall Policy and click Create New.
      - Set Name to Accounting-to-FAZ.
      - Set srcintf to port10.
      - Set dstintf to port16.
      - Set srcaddr to Accounting-addr.
      - Set dstaddr to FAZ-addr.
      - Set Action to Accept.
      - Set Schedule to Always.
      - Set Service to All.
      - Enable NAT.
      - Set IP Pool Configuration to Use Outgoing Interface Address.
   g. Click OK.
4. Create a policy to allow the two downstream FortiGates (Marketing and Sales) to access the FortiAnalyzer:
   a. In the root FortiGate (Edge), go to Policy & Objects > Addresses and click Create New.
      - Set Name to Marketing-addr.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.200.10/32.
      - Set Interface to any.
   b. Click OK.
   c. In the root FortiGate (Edge), go to Policy & Objects > Firewall Policy and click Create New.
      - Set Name to Marketing-to-FAZ.
      - Set srcintf to port11.
      - Set dstintf to port16.
      - Set srcaddr to Marketing-addr.
      - Set dstaddr to FAZ-addr.
      - Set Action to Accept.
      - Set Schedule to Always.
      - Set Service to All.
      - Enable NAT.
      - Set IP Pool Configuration to Use Outgoing Interface Address.
   d. Click OK.

To configure the downstream FortiGate (Accounting):

1. Configure interface:
   a. In the downstream FortiGate (Accounting), go to Network > Interfaces.
   b. Edit interface wan1:
      - Set Role to WAN.
      - For the interface connected to root, set the IP/Network Mask to 192.168.10.10/255.255.255.0.
2. Configure the default static route to connect to the root FortiGate (Edge):
   a. In the downstream FortiGate (Accounting), go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
      - Set Destination to 0.0.0.0/0.0.0.0.
      - Set Interface to wan1.
      - Set Gateway Address to 192.168.10.2.
   b. Click OK.
3. Configure Security Fabric:
   a. In the downstream FortiGate (Accounting), go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
   b. For Status, click Enable.
      FortiAnalyzer automatically enables logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Accounting) connects to the root FortiGate (Edge).
   c. Set the Security Fabric role to Join Existing Fabric.
   d. Upstream FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.10.2 set in the previous step.
   e. Disable Allow other FortiGates to join, because there is no downstream FortiGate connecting to it.
   f. Click OK.

To configure the downstream FortiGate (Marketing):

1. Configure interface:
   a. In the downstream FortiGate (Marketing), go to Network > Interfaces.
   b. Edit port12:
      - Set Role to LAN.
      - For the interface connected to the downstream FortiGate (Sales), set the IP/Network Mask to 192.168.135.11/255.255.255.0.
   c. Edit wan1:
      - Set Role to WAN.
      - For the interface connected to the root FortiGate (Edge), set the IP/Network Mask to 192.168.200.10/255.255.255.0.
2. Configure the default static route to connect to the root FortiGate (Edge):
   a. In the downstream FortiGate (Marketing), go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
      - Set Destination to 0.0.0.0/0.0.0.0.
      - Set Interface to wan1.
      - Set Gateway Address to 192.168.200.2.
   b. Click OK.
3. Configure Security Fabric:
   a. In the downstream FortiGate (Marketing), go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
   b. For Status, click Enable.
      FortiAnalyzer automatically enables logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Marketing) connects to the root FortiGate (Edge).
   c. Set the Security Fabric role to Join Existing Fabric.
   d. Upstream FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.200.2 set in the previous step.
   e. Enable Allow other FortiGates to join and add port12.
   f. Click OK.
4. Create a policy to allow another downstream FortiGate (Sales) going through FortiGate (Marketing) to access the FortiAnalyzer:
   a. In the downstream FortiGate (Marketing), go to Policy & Objects > Addresses and click Create New.
      - Set Name to FAZ-addr.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.65.10/32.
      - Set Interface to any.
   b. Click OK.
   c. Click Create New.
      - Set Name to Sales-addr.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.135.10/32.
      - Set Interface to any.
   d. Click OK.
   e. In the downstream FortiGate (Marketing), go to Policy & Objects > Firewall Policy and click Create New.
      - Set Name to Sales-to-FAZ.
      - Set srcintf to port12.
      - Set dstintf to wan1.
      - Set srcaddr to Sales-addr.
      - Set dstaddr to FAZ-addr.
      - Set Action to Accept.
      - Set Schedule to Always.
      - Set Service to All.
      - Enable NAT.
      - Set IP Pool Configuration to Use Outgoing Interface Address.
   f. Click OK.

To configure the downstream FortiGate (Sales):

1. Configure interface:
   a. In the downstream FortiGate (Sales), go to Network > Interfaces.
   b. Edit wan2:
      - Set Role to WAN.
      - For the interface connected to the upstream FortiGate (Marketing), set the IP/Network Mask to 192.168.135.10/255.255.255.0.
2. Configure the default static route to connect to the upstream FortiGate (Marketing):
   a. In the downstream FortiGate (Sales), go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
      - Set Destination to 0.0.0.0/0.0.0.0.
      - Set Interface to wan2.
      - Set Gateway Address to 192.168.135.11.
   b. Click OK.
3. Configure Security Fabric:
   a. In the downstream FortiGate (Sales), go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
   b. For Status, click Enable.
      FortiAnalyzer automatically enables logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Sales) connects to the root FortiGate (Edge).
   c. Set the Security Fabric role to Join Existing Fabric.
   d. Upstream FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.135.11 set in the previous step.
   e. Disable Allow other FortiGates to join, because there is no downstream FortiGate connecting to it.
   f. Click OK.

To authorize downstream FortiGates (Accounting, Marketing, and Sales) on the root FortiGate (Edge):

1. In the root FortiGate (Edge), go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
   The Topology tree highlights two connected FortiGates with their serial numbers and asks you to authorize the highlighted devices.
2. Select the highlighted FortiGates and select Authorize.
   After they are authorized, the two downstream FortiGates (Accounting and Marketing) appear in the Topology tree on the Security Fabric > Fabric Connectors > Security Fabric Setup page. This means that the two downstream FortiGates (Accounting and Marketing) have successfully joined the Security Fabric.
3. The Topology tree now highlights the FortiGate with the serial number that is connected to the downstream FortiGate (Marketing) and asks you to authorize the highlighted device.
4. Select the highlighted FortiGate and select Authorize.
   After it is authorized, the downstream FortiGate (Sales) appears in the Topology tree on the Security Fabric > Fabric Connectors > Security Fabric Setup page. This means that the downstream FortiGate (Sales) has successfully joined the Security Fabric.

To use FortiAnalyzer to authorize all the Security Fabric FortiGates:

1. Authorize all the Security Fabric FortiGates on the FortiAnalyzer side:
   a. On the FortiAnalyzer, go to System Settings > Network > All Interfaces.
   b. Edit port1 and set IP Address/Netmask to 192.168.65.10/255.255.255.0.
   c. Go to Device Manager > Unauthorized. All of the FortiGates are listed as unauthorized.
      i. Select all the FortiGates and select Authorize. The FortiGates are now listed as authorized.
         After a moment, a warning icon appears beside the root FortiGate (Edge) because the FortiAnalyzer needs administrative access to the root FortiGate (Edge) in the Security Fabric.
      ii. Click the warning icon and enter the admin username and password of the root FortiGate (Edge).

2. Check FortiAnalyzer status on all the Security Fabric FortiGates:
   a. On each FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
   b. Check that Storage usage information is shown.

To check Security Fabric deployment result:

1. On FortiGate (Edge), go to Dashboard > Status.
   The Security Fabric widget displays all the FortiGates in the Security Fabric.
2. On FortiGate (Edge), go to Security Fabric > Physical Topology.
   This page shows a visualization of access layer devices in the Security Fabric.
3. On FortiGate (Edge), go to Security Fabric > Physical Topology.
   This dashboard shows information about the interfaces of each device in the Security Fabric.

To run diagnose commands:

1. Run the diagnose sys csf authorization pending-list command in the root FortiGate to show the downstream
   FortiGate pending for root FortiGate authorization:

   Edge # diagnose sys csf authorization pending-list
   Serial             IP Address   HA-Members   Path
   ------------------------------------------------------------------------------------
   FG201ETK18902514   0.0.0.0                   FG3H1E5818900718:FG201ETK18902514

2. Run the diagnose sys csf downstream command in the root or middle FortiGate to show the downstream
   FortiGates after they join Security Fabric:

   Edge # diagnose sys csf downstream
   1: FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718
   path:FG3H1E5818900718:FG201ETK18902514
   data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443
   authorizer:FG3H1E5818900718
   2: FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718
   path:FG3H1E5818900718:FGT81ETK18002246
   data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443
   authorizer:FG3H1E5818900718
   3: FG101ETK18002187 (192.168.135.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514
   path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187
   data received: Y downstream intf:wan2 upstream intf:port12 admin-port:443
   authorizer:FG3H1E5818900718

3. Run the diagnose sys csf upstream command in any downstream FortiGate to show the upstream FortiGate
   after the downstream FortiGate joins Security Fabric:

   Marketing # diagnose sys csf upstream
   Upstream Information:
   Serial Number:FG3H1E5818900718
   IP:192.168.200.2
   Connecting interface:wan1
   Connection status:Authorized
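
The diagnose output above can be checked mechanically rather than by eye. The following added example (not code from this guide or from FortiOS) parses diagnose sys csf downstream output into one record per downstream FortiGate, handles the case where the console wraps the parent: field onto the next line, and flags entries whose path, parent, or data received fields disagree; the sample text is a constructed copy of the output shown above and the function names are assumptions.

```python
"""Parse `diagnose sys csf downstream` output and sanity-check the Fabric tree.

Added example, not code from the FortiOS guide. SAMPLE_OUTPUT is a constructed
copy of the command output shown in the guide; function names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample, laid out as the guide prints it (one entry = 4 lines).
SAMPLE_OUTPUT = """\
Edge # diagnose sys csf downstream
1: FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718
path:FG3H1E5818900718:FG201ETK18902514
data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443
authorizer:FG3H1E5818900718
2: FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718
path:FG3H1E5818900718:FGT81ETK18002246
data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443
authorizer:FG3H1E5818900718
3: FG101ETK18002187 (192.168.135.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514
path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan2 upstream intf:port12 admin-port:443
authorizer:FG3H1E5818900718
"""

HEADER_RE = re.compile(
    r"^\d+:\s+(?P<serial>\S+)\s+\((?P<ip>[^)]+)\).*?parent:\s*(?P<parent>\S*)$")
DATA_RE = re.compile(
    r"^data received:\s*(?P<recv>[YN])\s+downstream intf:(?P<dintf>\S+)"
    r"\s+upstream intf:(?P<uintf>\S+)\s+admin-port:(?P<port>\d+)")


@dataclass
class Downstream:
    serial: str
    ip: str
    parent: str
    path: list          # serials from the root down to this device
    data_received: bool
    downstream_intf: str
    upstream_intf: str
    admin_port: int
    authorizer: str


def parse_downstream(text):
    """Return one Downstream record per numbered entry in the output."""
    entries, cur, need_parent = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if need_parent:           # console wrapped "parent:" onto the next line
            cur["parent"], need_parent = line, False
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = {"serial": m["serial"], "ip": m["ip"], "parent": m["parent"]}
            need_parent = m["parent"] == ""
        elif line.startswith("path:"):
            cur["path"] = line[len("path:"):].split(":")
        elif DATA_RE.match(line):
            d = DATA_RE.match(line)
            cur.update(data_received=d["recv"] == "Y", downstream_intf=d["dintf"],
                       upstream_intf=d["uintf"], admin_port=int(d["port"]))
        elif line.startswith("authorizer:"):
            cur["authorizer"] = line[len("authorizer:"):].strip()
            entries.append(Downstream(**cur))   # authorizer is the last line of an entry
            cur = {}
    return entries


def check_fabric(entries, root_serial):
    """Return (serial, problem) pairs for entries whose fields disagree."""
    findings = []
    for e in entries:
        if e.path[0] != root_serial:
            findings.append((e.serial, "path does not start at the root"))
        if e.path[-1] != e.serial:
            findings.append((e.serial, "path does not end at this device"))
        if len(e.path) < 2 or e.path[-2] != e.parent:
            findings.append((e.serial, "parent does not match path"))
        if not e.data_received:
            findings.append((e.serial, "no data received from this device yet"))
    return findings


def hops_from_root(entries):
    """Map serial -> number of hops below the root (1 = directly connected)."""
    return {e.serial: len(e.path) - 1 for e in entries}


if __name__ == "__main__":
    devs = parse_downstream(SAMPLE_OUTPUT)
    for d in devs:
        print(f"{d.serial} {d.ip} hops={len(d.path) - 1} parent={d.parent}")
    print("findings:", check_fabric(devs, "FG3H1E5818900718"))
```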

Synchronizing objects across the Security Fabric

When the Security Fabric is enabled, various objects such as addresses, services, and schedules are synced from the
upstream FortiGate to all downstream devices by default. FortiOS has the following settings for object synchronization
across the Security Fabric:
- Set object synchronization (fabric-object-unification) to default or local on a downstream device.
- Set a per object option to toggle whether the specific Fabric object will be synchronized or not. After upgrading from
  6.4.3, this option is disabled for supported Fabric objects. The synchronized Fabric objects are kept as locally
  created objects on downstream FortiGates.
- Define the number of task workers to handle synchronizations.
The firewall object synchronization wizard helps identify objects that are not synchronized and resolves any conflicts. A
warning message appears in the topology tree if there is a conflict.

Summary of CLI commands

Object synchronization can be configured as follows:

config system csf
    set fabric-object-unification {default | local}
    set configuration-sync {default | local}
    set fabric-workers <integer>
    ...
end

Parameter                   Description

fabric-object-unification   default: Global CMDB objects will be synchronized in the Security Fabric.
                            local: Global CMDB objects will not be synchronized to and from this device.
                            This command is available on the root FortiGate. If set to local, the device does
                            not synchronize objects from the root, but will send the synchronized objects
                            downstream.

configuration-sync          default: Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central
                            Management to root node.
                            local: Do not synchronize configuration with root node.
                            If downstream FortiGates are set to local, the synchronized objects from the root
                            to downstream are not applied locally. However, the downstream FortiGate will
                            send the configuration to lower FortiGates.

fabric-workers              Define how many task worker processes are created to handle synchronizations
                            (1-4, default = 2). A worker process exits if there is no task to perform after 60
                            seconds.

The per object setting can be configured on the root FortiGate as follows:

config firewall <object>
    edit <name>
        set fabric-object {enable | disable}
        ...
    next
end

Where:
- <object> is one of the following: address, address6, addrgrp, addrgrp6, service category, service
  custom, service group, schedule group, schedule onetime, or schedule recurring.
- Enabling fabric-object sets the object as a Security Fabric-wide global object that is synchronized to
  downstream FortiGates.
- Disabling fabric-object sets the object as local to this Security Fabric member.

Sample topology

In this Security Fabric, the root FortiGate (FGTA-1) has fabric-object-unification set to default so the Fabric
objects can be synchronized to the downstream FortiGate. The level 1 downstream FortiGate (FGTB-1) has
configuration-sync set to local, so it will not apply the synchronized objects locally. The level 2 downstream
FortiGate (FGTC) has configuration-sync set to default, so it will apply the synchronized objects locally.
In this example, firewall addresses and address groups are used. Other supported Fabric objects have the same
behaviors. The following use cases illustrate common synchronization scenarios:
- If no conflicts exist, firewall addresses and address groups can be synchronized to downstream FortiGates (see
  example below).
- If a conflict exists between the root and downstream FortiGates, it can be resolved with the conflict resolution
  wizard. After the conflict is resolved, the firewall addresses and address groups can be synchronized to
  downstream FortiGates (see example below).
- If set fabric-object (Fabric synchronization option in the GUI) is disabled for firewall addresses and address
  groups on the root FortiGate, they will not be synchronized to downstream FortiGates (see example below).

To configure the FortiGates used in this example:

FGTA-1 # config system csf
    set status enable
    set group-name "csf_script"
    set fabric-object-unification default
    ...
end

FGTB-1 # config system csf
    set status enable
    set upstream-ip 10.2.200.1
    set configuration-sync local
    ...
end

FGTC # config system csf
    set status enable
    set upstream-ip 192.168.7.2
    set configuration-sync default
    ...
end

To synchronize a firewall address and address group in the Security Fabric:

1. Configure the firewall address on the root FortiGate:

   FGTA-1 # config firewall address
       edit "add_subnet_1"
           set fabric-object enable
           set subnet 22.22.22.0 255.255.255.0
       next
   end

2. Configure the address group on the root FortiGate:

   FGTA-1 # config firewall addrgrp
       edit "group_subnet_1"
           set member "add_subnet_1"
           set fabric-object enable
       next
   end

3. Check the firewall address and address group on the downstream FortiGates:

   FGTB-1 # show firewall address add_subnet_1
   entry is not found in table
   FGTB-1 # show firewall addrgrp group_subnet_1
   entry is not found in table

   The synchronized objects are not applied locally on this FortiGate because configuration-sync is set to
   local.

   FGTC # show firewall address add_subnet_1
   config firewall address
       edit "add_subnet_1"
           set uuid 378a8094-34cb-51eb-ce40-097f298fcfdc
           set fabric-object enable
           set subnet 22.22.22.0 255.255.255.0
       next
   end
   FGTC # show firewall addrgrp group_subnet_1
   config firewall addrgrp
       edit "group_subnet_1"
           set uuid 4d7a8a52-34cb-51eb-fce7-d93f76915319
           set member "add_subnet_1"
           set color 19
           set fabric-object enable
       next
   end

   The objects are synchronized on this FortiGate because configuration-sync is set to default.

To resolve a firewall address and address group conflict in the Security Fabric:

1. On FGTC, create a firewall address:
   a. Go to Policy & Objects > Addresses and click Create New > Address.
   b. Configure the following:

      Name         sync_add_1
      IP/Netmask   33.33.33.0 255.255.255.0

   c. Click OK.
2. On FGTA-1 (Fabric root), create the firewall address with the same name but a different subnet:
   a. Go to Policy & Objects > Addresses and click Create New > Address.
   b. Configure the following:

      Name                     sync_add_1
      IP/Netmask               11.11.11.0 255.255.255.0
      Fabric synchronization   Enable

   c. Click OK.
3. Add the address to a different address group than what is configured on FGTC:
   a. Go to Policy & Objects > Addresses and click Create New > Address Group.
   b. Configure the following:

      Name                     sync_group4
      Members                  sync_add_1
      Fabric synchronization   Enable

   c. Click OK.
4. Go to Security Fabric > Fabric Connectors. In the topology tree, there is a message that Firewall objects are in
conflict with other FortiGates in the fabric.

5. Resolve the conflict:
   a. Click Review firewall object conflicts. The Firewall Object Synchronization pane opens.
   b. Click Rename All Objects. The conflicted object will be renamed on the downstream FortiGate.
   c. The conflict is resolved. Click Close to exit the Firewall Object Synchronization pane.
   d. The topology tree no longer indicates there is a conflict.

6. Verify the results on the downstream FortiGates:
   a. On FGTB-1, go to Policy & Objects > Addresses.
   b. Search for sync_add_1 and sync_group4. No results are found. The synchronized objects are not applied
      locally on this FortiGate because configuration-sync is set to local.
   c. On FGTC, go to Policy & Objects > Addresses.
   d. Search for sync_add_1. The original firewall address sync_add_1 was renamed to sync_add_1_FGTC by
      resolving the conflict on FGTA-1. The address sync_add_1 and address group sync_group4 are synchronized
      from FGTA-1.

To disable Fabric synchronization on the root FortiGate in the GUI:

1. On FGTA-1, create a firewall address:
   a. Go to Policy & Objects > Addresses and click Create New > Address.
   b. Configure the following:

      Name                     add_subnet_3
      IP/Netmask               33.33.33.0 255.255.255.0
      Fabric synchronization   Disable

   c. Click OK.
2. Create the firewall address group and add the address:
   a. Go to Policy & Objects > Addresses and click Create New > Address Group.
   b. Configure the following:

      Name                     group_subnet_3
      Members                  add_subnet_3
      Fabric synchronization   Disable

   c. Click OK.
3. On FGTB-1, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric
synchronization is disabled on the root FortiGate (FGTA-1).

4. On FGTC, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric
synchronization is disabled on the root FortiGate (FGTA-1).

To disable Fabric synchronization on the root FortiGate in the CLI:

1. Configure the firewall address on the root FortiGate:

   FGTA-1 # config firewall address
       edit "add_subnet_3"
           set subnet 33.33.33.0 255.255.255.0
           set fabric-object disable
       next
   end

2. Configure the address group on the root FortiGate:

   FGTA-1 # config firewall addrgrp
       edit "group_subnet_3"
           set member "add_subnet_3"
           set fabric-object disable
       next
   end

3. Check the firewall address and address group on the downstream FortiGates:

   FGTB-1 # show firewall address add_subnet_3
   entry is not found in table
   FGTB-1 # show firewall addrgrp group_subnet_3
   entry is not found in table
   FGTC # show firewall address add_subnet_3
   entry is not found in table
   FGTC # show firewall addrgrp group_subnet_3
   entry is not found in table

   The objects are not synchronized from the root FortiGate (FGTA-1) because the fabric-object setting is
   disabled.
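
The three synchronization scenarios above (plain sync, conflict plus Rename All Objects, and fabric-object disabled) follow from a small set of rules, which the following added example models in code; it is not FortiOS code. It builds the guide's FGTA-1 -> FGTB-1 -> FGTC topology with the same configuration-sync settings and address names, applies the root's fabric-object-enabled addresses down the tree, reports same-name/different-subnet conflicts, and reproduces the <name>_<hostname> rename; only firewall addresses are modelled, and the class and function names are assumptions.

```python
"""Model of how Fabric objects propagate from the root FortiGate under the
fabric-object and configuration-sync settings described above.

Added example, not FortiOS code. The tree and object names follow the
guide's sample topology (FGTA-1 -> FGTB-1 -> FGTC); class and function
names are assumptions, and only firewall addresses are modelled.
"""
from dataclasses import dataclass, field


@dataclass
class FabricObject:
    """A firewall address with its `set fabric-object {enable | disable}` flag."""
    name: str
    subnet: str
    fabric_object: bool = True


@dataclass
class FortiGate:
    hostname: str
    configuration_sync: str = "default"   # `set configuration-sync {default | local}`
    local_objects: dict = field(default_factory=dict)   # name -> FabricObject
    children: list = field(default_factory=list)

    def add(self, obj):
        self.local_objects[obj.name] = obj
        return self


def synchronize(root):
    """Push the root's fabric-object-enabled addresses down the tree.

    Returns (applied, conflicts): applied[hostname] maps address name -> subnet
    for everything present on that device afterwards; conflicts lists
    (hostname, name, local_subnet, root_subnet) for same-name/different-content
    clashes, which the GUI reports in the topology tree."""
    to_sync = [o for o in root.local_objects.values() if o.fabric_object]
    applied = {root.hostname: {n: o.subnet for n, o in root.local_objects.items()}}
    conflicts = []

    def walk(node):
        for child in node.children:
            applied[child.hostname] = {n: o.subnet for n, o in child.local_objects.items()}
            if child.configuration_sync == "default":
                for obj in to_sync:
                    mine = child.local_objects.get(obj.name)
                    if mine is not None and mine.subnet != obj.subnet:
                        conflicts.append((child.hostname, obj.name, mine.subnet, obj.subnet))
                    else:
                        applied[child.hostname][obj.name] = obj.subnet
            # configuration-sync local: nothing is applied here, but the objects
            # are still forwarded to the FortiGates below this one.
            walk(child)

    walk(root)
    return applied, conflicts


def rename_all_objects(root, conflicts):
    """Mimic the wizard's Rename All Objects: each conflicting local address on
    a downstream FortiGate becomes <name>_<hostname>, then re-synchronize."""
    by_host = {}

    def index(node):
        by_host[node.hostname] = node
        for c in node.children:
            index(c)

    index(root)
    for hostname, name, _local, _root in conflicts:
        dev = by_host[hostname]
        obj = dev.local_objects.pop(name)
        obj.name = f"{name}_{hostname}"
        dev.local_objects[obj.name] = obj
    return synchronize(root)


def build_sample_fabric():
    """Constructed from the guide's sample: FGTA-1 (root) -> FGTB-1
    (configuration-sync local) -> FGTC (configuration-sync default)."""
    fgtc = FortiGate("FGTC").add(FabricObject("sync_add_1", "33.33.33.0 255.255.255.0"))
    fgtb = FortiGate("FGTB-1", configuration_sync="local", children=[fgtc])
    root = FortiGate("FGTA-1", children=[fgtb])
    root.add(FabricObject("add_subnet_1", "22.22.22.0 255.255.255.0"))
    root.add(FabricObject("add_subnet_3", "33.33.33.0 255.255.255.0", fabric_object=False))
    root.add(FabricObject("sync_add_1", "11.11.11.0 255.255.255.0"))
    return root


if __name__ == "__main__":
    fabric = build_sample_fabric()
    applied, conflicts = synchronize(fabric)
    print("before:", applied, conflicts)
    print("after rename:", rename_all_objects(fabric, conflicts))
```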

Group address objects synchronized from FortiManager

Address objects from external connectors that are learned by FortiManager are synchronized to FortiGate. These
objects can be grouped together with the FortiGate CLI to simplify selecting connector objects in the FortiGate GUI.
Multiple groups can be created.
This option is only available for objects that are synchronized from FortiManager.

To add an object to a connector group:

config user adgrp
    edit <object_name>
        set server-name "FortiManager"
        set connector-source <group_name>
    next
end

Example

In this example, objects learned by the FortiManager from an Aruba ClearPass device are synchronized to the FortiGate.
Some of the objects are then added to a group called ClearPass to make them easier to find in the object list when
creating a firewall policy.

Prior to being grouped, the synchronized objects are listed under the FortiManager heading in the object lists.

To add some of the objects to a group:

config user adgrp
    edit "cp_test_FSSOROLE"
        set server-name "FortiManager"
        set connector-source "ClearPass"
    next
    edit "cp_test_[AirGroup v2]"
        set server-name "FortiManager"
        set connector-source "ClearPass"
    next
end

The objects are now listed under the ClearPass heading.

Security Fabric over IPsec VPN

This is an example of configuring Security Fabric over IPsec VPN.

Sample topology

This sample topology shows a downstream FortiGate (HQ2) connected to the root FortiGate (HQ1) over IPsec VPN to
join Security Fabric.

Sample configuration

To configure the root FortiGate (HQ1):

1. Configure interface:
   a. In the root FortiGate (HQ1), go to Network > Interfaces.
   b. Edit port2:
      - Set Role to WAN.
      - For the interface connected to the Internet, set the IP/Network Mask to 10.2.200.1/255.255.255.0.
   c. Edit port6:
      - Set Role to DMZ.
      - For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.8.250/255.255.255.0.
2. Configure the static route to connect to the Internet:
   a. Go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
      - Set Destination to 0.0.0.0/0.0.0.0.
      - Set Interface to port2.
      - Set Gateway Address to 10.2.200.2.
   b. Click OK.
3. Configure IPsec VPN:
   a. Go to VPN > IPsec Wizard.
      - Set Name to To-HQ2.
      - Set Template Type to Custom.
      - Click Next.
      - Set Authentication to Method.
      - Set Pre-shared Key to 123456.
   b. Leave all other fields at their default values and click OK.

4. Configure the IPsec VPN interface IP address which will be used to form Security Fabric:
   a. Go to Network > Interfaces.
   b. Edit To-HQ2:
      - Set Role to LAN.
      - Set the IP/Network Mask to 10.10.10.1/255.255.255.255.
      - Set Remote IP/Network Mask to 10.10.10.3/255.255.255.0.
5. Configure IPsec VPN local and remote subnet:
   a. Go to Policy & Objects > Addresses.
   b. Click Create New.
      - Set Name to To-HQ2_remote_subnet_2.
      - Set Type to Subnet.
      - Set IP/Network Mask to 10.10.10.3/32.
   c. Click OK.
   d. Click Create New.
      - Set Name to To-HQ2_local_subnet_1.
      - Set Type to Subnet.
      - Set IP/Network Mask to 192.168.8.0/24.
   e. Click OK.
   f. Click Create New.
      - Set Name to To-HQ2_remote_subnet_1.
      - Set Type to Subnet.
      - Set IP/Network Mask to 10.1.100.0/24.
   g. Click OK.
6. Configure IPsec VPN static routes:
   a. Go to Network > Static Routes.
   b. Click Create New or Create New > IPv4 Static Route.
      - For Named Address, select Type and select To-HQ2_remote_subnet_1.
      - Set Interface to To-HQ2.
      Click OK.
   c. Click Create New or Create New > IPv4 Static Route.
      - For Named Address, select Type and select To-HQ2_remote_subnet_1.
      - Set Interface to Blackhole.
      - Set Administrative Distance to 254.
   d. Click OK.
7. Configure IPsec VPN policies:
   a. Go to Policy & Objects > Firewall Policy.
   b. Click Create New.
      - Set Name to vpn_To-HQ2_local.
      - Set Incoming Interface to port6.
      - Set Outgoing Interface to To-HQ2.
      - Set Source to To-HQ2_local_subnet_1.
      - Set Destination to To-HQ2_remote_subnet_1.
      - Set Schedule to Always.
      - Set Service to All.
      - Disable NAT.
   c. Click OK.
   d. Click Create New.
      - Set Name to vpn_To-HQ2_remote.
      - Set Incoming Interface to To-HQ2.
      - Set Outgoing Interface to port6.
      - Set Source to To-HQ2_remote_subnet_1, To-HQ2_remote_subnet_2.
      - Set Destination to To-HQ2_local_subnet_1.
      - Set Schedule to Always.
      - Set Service to All.
      - Enable NAT.
      - Set IP Pool Configuration to Use Outgoing Interface Address.
   e. Click OK.
8. Configure Security Fabric:
   a. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
   b. For Status, click Enable.
      After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging and Upload is set to Real
      Time.
   c. Set the Security Fabric role to Serve as Fabric Root. The FortiAnalyzer settings can be configured.
   d. Enter the FortiAnalyzer IP (192.168.8.250).
   e. Click OK. The FortiAnalyzer serial number is verified.
   f. Enter a Fabric name, such as Office-Security-Fabric.
   g. Ensure Allow other Security Fabric devices to join is enabled and add VPN interface To-HQ2.
   h. Click OK.

To configure the downstream FortiGate (HQ2):

1. Configure interface:
   a. Go to Network > Interfaces.
   b. Edit interface wan1:
      - Set Role to WAN.
      - For the interface connected to the Internet, set the IP/Network Mask to 192.168.7.3/255.255.255.0.
   c. Edit interface vlan20:
      - Set Role to LAN.
      - For the interface connected to local endpoint clients, set the IP/Network Mask to 10.1.100.3/255.255.255.0.
2. Configure the static route to connect to the Internet:
   a. Go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
      - Set Destination to 0.0.0.0/0.0.0.0.
      - Set Interface to wan1.
      - Set Gateway Address to 192.168.7.2.
   b. Click OK.
3. Configure IPsec VPN:
   a. Go to VPN > IPsec Wizard.
      - Set VPN Name to To-HQ1.
      - Set Template Type to Custom.
      - Click Next.

l In the Network IP Address, enter 10.2.200.1.

l Set Interface to wan1.

l Set Authentication to Method.

l Set Pre-shared Key to 123456.

b. Leave all other fields in their default values and click OK.
4. Configure the IPsec VPN interface IP address which will be used to form Security Fabric:
a. Go to Network > Interfaces.
b. Edit To-HQ1:
l Set Role to WAN.

l Set the IP/Network Mask to 10.10.10.3/255.255.255.255.

l Set Remote IP/Network Mask to 10.10.10.1/255.255.255.0.

5. Configure IPsec VPN local and remote subnet:
a. Go to Policy & Objects > Addresses.
b. Click Create New.
l Set Name to To-HQ1_local_subnet_1.

l Set Type to Subnet.

l Set IP/Network Mask to 10.1.100.0/24.

c. Click OK.
d. Click Create New.
l Set Name to To-HQ1_remote_subnet_1.

l Set Type to Subnet.

l Set IP/Network Mask to 192.168.8.0/24.

e. Click OK.
6. Configure IPsec VPN static routes:
a. Go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
l For Destination, select Named Address and then select To-HQ1_remote_subnet_1.

l Set Interface to To-HQ1.

b. Click OK.
c. Click Create New or Create New > IPv4 Static Route.
l For Destination, select Named Address and then select To-HQ1_remote_subnet_1.

l Set Interface to Blackhole.

l Set Administrative Distance to 254.

d. Click OK.
7. Configure IPsec VPN policies:
a. Go to Policy & Objects > Firewall Policy and click Create New.
l Set Name to vpn_To-HQ1_local.

l Set Incoming Interface to vlan20.

l Set Outgoing Interface to To-HQ1.

l Set Source to To-HQ1_local_subnet_1.

l Set Destination to To-HQ1_remote_subnet_1.

l Set Schedule to Always.

l Set Service to All.

l Disable NAT.

b. Click OK.


c. Click Create New.
l Set Name to vpn_To-HQ1_remote.

l Set Incoming Interface to To-HQ1.

l Set Outgoing Interface to vlan20.

l Set Source to To-HQ1_remote_subnet_1.

l Set Destination to To-HQ1_local_subnet_1.

l Set Schedule to Always.

l Set Service to All.

l Disable NAT.

d. Click OK.
8. Configure Security Fabric:
a. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
b. For Status, click Enable.
FortiAnalyzer automatically enables logging. FortiAnalyzer settings will be retrieved when the downstream
FortiGate connects to the root FortiGate.
c. Set the Security Fabric role to Join Existing Fabric.
d. Set the Upstream FortiGate IP to 10.10.10.1.
e. Click OK.

To authorize the downstream FortiGate (HQ2) on the root FortiGate (HQ1):

1. In the root FortiGate (HQ1), go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup
card.
The Topology tree highlights the connected FortiGate (HQ2) with the serial number and asks you to authorize the
highlighted device.
2. Select the highlighted FortiGates and select Authorize.
After authorization, the downstream FortiGate (HQ2) appears in the Topology tree in the Security Fabric > Fabric
Connectors > Security Fabric Setup page. This means the downstream FortiGate (HQ2) has successfully joined the
Security Fabric.

To check Security Fabric over IPsec VPN:

1. On the root FortiGate (HQ1), go to Security Fabric > Physical Topology.
The root FortiGate (HQ1) is shown connected to the downstream FortiGate (HQ2), with a VPN icon between them.

2. On the root FortiGate (HQ1), go to Security Fabric > Logical Topology.
The root FortiGate (HQ1) VPN interface To-HQ2 is shown connected to the downstream FortiGate (HQ2) VPN interface To-HQ1, with a VPN icon between them.


To run diagnose commands:

1. Run the diagnose sys csf authorization pending-list command in the root FortiGate (HQ1) to show
the downstream FortiGate pending for root FortiGate authorization:
HQ1 # diagnose sys csf authorization pending-list
Serial                IP Address      HA-Members      Path
------------------------------------------------------------------------------------
FG101ETK18002187      0.0.0.0                         FG3H1E5818900718:FG101ETK18002187

2. Run the diagnose sys csf downstream command in the root FortiGate (HQ1) to show the downstream
FortiGate (HQ2) after it joins Security Fabric:
HQ1 # diagnose sys csf downstream
1: FG101ETK18002187 (10.10.10.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718 path:FG3H1E5818900718:FG101ETK18002187
data received: Y downstream intf:To-HQ1 upstream intf:To-HQ2 admin-port:443 authorizer:FG3H1E5818900718

3. Run the diagnose sys csf upstream command in the downstream FortiGate (HQ2) to show the root
FortiGate (HQ1) after the downstream FortiGate joins Security Fabric:
HQ2 # diagnose sys csf upstream
Upstream Information:
Serial Number:FG3H1E5818900718
IP:10.10.10.1
Connecting interface:To-HQ1
Connection status:Authorized

Leveraging LLDP to simplify security fabric negotiation

This feature enables LLDP reception on WAN interfaces, and prompts a FortiGate to join the Security Fabric when the upstream FortiGate asks it to.
l If an interface's role is undefined, LLDP reception and transmission inherit settings from the VDOM.
l If an interface's role is WAN, LLDP reception is enabled.
l If an interface's role is LAN, LLDP transmission is enabled.

When a FortiGate B's WAN interface detects that FortiGate A's LAN interface is immediately upstream (through the
default gateway), and FortiGate A has Security Fabric enabled, FortiGate B will show a notification on the GUI asking to
join the Security Fabric.


To configure LLDP reception and join a Security Fabric:

1. Go to Network > Interfaces.
2. Configure an interface:
l If the interface's role is undefined, under Administrative Access, set Receive LLDP and Transmit LLDP to Use VDOM Setting.

Using the CLI:

config system interface
edit "port3"
set lldp-reception vdom
set lldp-transmission vdom
set role undefined
...
next
end

l If the interface's role is WAN, under Administrative Access, set Receive LLDP to Enable and Transmit LLDP to
Use VDOM Setting.

Using the CLI:

config system interface
edit "wan1"
set lldp-reception enable
set lldp-transmission vdom
set role wan
...
next
end

l If the interface's role is LAN, under Administrative Access, set Receive LLDP to Use VDOM Setting and
Transmit LLDP to Enable.

Using the CLI:

config system interface
edit "port2"
set lldp-reception vdom
set lldp-transmission enable
set role lan
...
next
end

A notification will be shown on FortiGate B.

3. Click the notification. The Core Network Security page with the Security Fabric settings opens. All the required settings are configured automatically.


4. Click OK to apply the settings, or use the following CLI commands:

config system csf
set status enable
set upstream-ip 10.2.200.1
end

Configuring the Security Fabric with SAML

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between one Identity Provider (IdP) and one or more Service Providers (SP). The two parties exchange XML-based messages. FortiGate firewall devices can be configured as IdPs or SPs.
When the Security Fabric is enabled, you can configure the root FortiGate as the IdP. You can also configure
downstream FortiGates to be automatically configured as SPs, with all links required for SAML communication, when
added to the Security Fabric. Administrators must still be authorized on each device. Credentials are verified by the root
FortiGate, and login credentials are shared between devices. Once authorized, an administrator can move between
fabric devices without logging in again.
Optionally, the downstream FortiGate can also be manually configured as an SP, and then linked to the root FortiGate.
The authentication service is provided by the root FortiGate using local system admin accounts for authentication. Any of
the administrator account types can be used for SAML log in. After successful authentication, the administrator logs in to
the first downstream FortiGate SP, and can then connect to other downstream FortiGates that have the SSO account
properly configured, without needing to provide credentials again, as long as admins use the same browser session. In
summary, the root FortiGate IdP performs SAML SSO authentication, and individual device administrators define
authorization on FortiGate SPs by using security profiles.

Configuring single-sign-on in the Security Fabric

SAML SSO enables a single FortiGate device to act as the identity provider (IdP), while other FortiGate devices act as service providers (SP) and redirect logins to the IdP.

Only the root FortiGate can be the identity provider (IdP). The downstream FortiGates can be
configured as service providers (SP).

The process is as follows:


1. Configuring the root FortiGate as the IdP on page 222
2. Configuring a downstream FortiGate as an SP on page 223
3. Configuring certificates for SAML SSO on page 225
4. Verifying the single-sign-on configuration on page 226
You can also use the CLI. See CLI commands for SAML SSO on page 227.

Configuring the root FortiGate as the IdP


To configure the root FortiGate as the IdP:

1. Log in to the root FortiGate.


2. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
3. Enable SAML Single Sign-On. The Mode field is automatically populated as Identity Provider (IdP).
4. Enter an IP address in the Management IP/FQDN box.
5. Enter a management port in the Management port box.
The Management IP/FQDN will be used by the SPs to redirect the login request. The Management IP/FQDN and
Management port must be reachable from the user's device.
6. Select the IdP certificate.
7. Click OK.

Configuring a downstream FortiGate as an SP

There are two ways to configure the downstream FortiGate:


l From the root FortiGate
l From within the downstream device

An SP must be a member of the Security Fabric before you configure it.

To configure the downstream FortiGate from the root FortiGate:

1. Log in to the root FortiGate.


2. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.


3. In the Topology tree, hover over a FortiGate and click Configure.

The Configure pane opens.


4. Enable SAML Single Sign-On. The Mode field is automatically populated as Service Provider (SP).
5. Enter an IP address in the Management IP/FQDN box.
6. Enter a management port in the Management port box.
The Management IP/FQDN is used by the IdP, and by the other SPs, when redirecting to this device. The Management port must be reachable from the user's device.
7. Select a Default login page option.
8. Select one of the following Default admin profile types: prof_admin, super_admin, or super_admin_readonly. The
no_access_admin profile is set as the default.
9. Click OK.

To configure the downstream FortiGate within the device:

1. Log in to the downstream FortiGate.


2. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
3. Enable SAML Single Sign-On. The Mode field is automatically populated as Service Provider (SP).
4. Enter an IP address in the Management IP/FQDN box.
5. Enter a management port in the Management port box.
The Management IP/FQDN is used by the IdP, and by the other SPs, when redirecting to this device. The Management port must be reachable from the user's device.
6. Select a Default login page option.
7. Select one of the following Default admin profile types: prof_admin, super_admin, or super_admin_readonly. The
no_access_admin profile is set as the default.
8. Click OK.


Configuring certificates for SAML SSO

Because communication between the root FortiGate IdP and FortiGate SPs is secured, you must select a local server
certificate in the IdP certificate option on the root FortiGate. When downstream SPs join the IdP (root FortiGate), the SP
automatically obtains the certificate.
In the following SP example, the IdP certificate displays REMOTE_Cert_2, which is the root server certificate for the IdP:

It is possible to manually import a certificate from an SP to the IdP so it can be used for authentication.

To manually import an SP certificate to an IdP:

1. Add the certificate:


a. On the SP, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
b. Click Advanced Options. The SAML SSO pane opens.
c. Enable SP certificate and select a certificate from the dropdown box.
d. Click Download. The certificate is downloaded on the local file system.
e. Click OK.

2. Import the certificate:


a. On the IdP, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
b. Click Advanced Options. The SAML SSO pane opens.
c. In the Service Providers table, select the SP from step 1 and click Edit.


d. Enable SP certificate and in the dropdown box, click Import.

The Upload Remote Certificate window opens.


e. Click Upload and select the certificate downloaded in step 1.
f. Click OK. The certificate is imported.
g. Click OK.
h. In the IdP certificate list, select the certificate that you imported.
i. Click OK.

Verifying the single-sign-on configuration

After you have logged in to a Security Fabric member using SSO, you can navigate between any Security Fabric
member with SSO configured.

To navigate between Security Fabric members:

1. Log in to a Security Fabric member that is using SSO.


2. In the top banner, click the name of the device you are logged in to. A list of Security Fabric members displays.

3. Click a Security Fabric member. The login page appears.


4. Select the option to log in via Single-Sign-On.

You are now logged in to the Security Fabric member with SSO. The letters "SSO" also display beside the user
name in the top banner.
5. Go to System > Administrators > Single-Sign-On Administrator to view the list of SSO admins created.


CLI commands for SAML SSO

To enter a question mark (?) or a tab, Ctrl + V must be entered first. Question marks and tabs cannot be typed or copied
into the CLI Console or some SSH clients.

To configure the IdP:

config system saml
set status enable
set role identity-provider
set cert "Fortinet_Factory"
set server-address "172.16.106.74"
config service-providers
edit "csf_172.16.106.74:12443"
set prefix "csf_ngczjwqxujfsbhgr9ivhehwu37fml20"
set sp-entity-id "http://172.16.106.74/metadata/"
set sp-single-sign-on-url "https://172.16.106.74/saml/?acs"
set sp-single-logout-url "https://172.16.106.74/saml/?sls"
set sp-portal-url "https://172.16.106.74/saml/login/"
config assertion-attributes
edit "username"
next
edit "[email protected]"
set type email
next
end
next
end
end

To configure an SP:

config system saml
set status enable
set cert "Fortinet_Factory"
set idp-entity-id "http://172.16.106.74/saml-idp/csf_ngczjwqxujfsbhgr9ivhehwu37fml20/metadata/"
set idp-single-sign-on-url "https://172.16.106.74/csf_ngczjwqxujfsbhgr9ivhehwu37fml20/login/"
set idp-single-logout-url "https://172.16.106.74/saml-idp/csf_ngczjwqxujfsbhgr9ivhehwu37fml20/logout/"
set idp-cert "REMOTE_Cert_1"
set server-address "172.16.106.74:12443"
end

To configure an SSO administrator:

config system sso-admin
edit "SSO-admin-name"
set accprofile <SSO admin user access profile>
set vdom <Virtual domain(s) that the administrator can access>
next
end
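As an added example (not from the guide or Fortinet), the following Python script parses the IdP and SP configurations above and cross-checks them: the SP's idp-* URLs must be built from the IdP's server-address and the prefix the IdP assigned to that SP, and the IdP entry's sp-* URLs must point back to the SP's host over HTTPS. The URL layout it checks is the one visible in this page's examples, which is an assumption about the convention.

```python
"""Cross-check a root FortiGate IdP service-provider entry against the SP's own config.
Added example, not from the FortiOS guide: it parses FortiOS config text
(config / edit / set / next / end) and verifies that the SP's idp-* settings match
the IdP's server-address and the prefix the IdP assigned to that SP. The URL layout
checked is taken from this page's examples only (an assumption).
"""
import shlex
from urllib.parse import urlsplit


def parse_fortios_config(text):
    """Turn FortiOS config text into nested dicts; tables are keyed by entry name."""
    root, stack = {}, []
    for line in text.splitlines():
        tokens = shlex.split(line)          # handles the quoted values
        if not tokens:
            continue
        current = stack[-1] if stack else root
        if tokens[0] == "config":
            stack.append(current.setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "edit":
            stack.append(current.setdefault(tokens[1], {}))
        elif tokens[0] == "set":
            current[tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
        elif tokens[0] in ("next", "end"):
            stack.pop()
    return root


def check_saml_pair(idp_text, sp_name, sp_text):
    """Return the problems found; an empty list means IdP entry and SP config agree."""
    idp = parse_fortios_config(idp_text)["system saml"]
    sp = parse_fortios_config(sp_text)["system saml"]
    problems = []
    if idp.get("status") != "enable" or sp.get("status") != "enable":
        problems.append("SAML is not enabled on both devices")
    if idp.get("role") != "identity-provider":
        problems.append("root FortiGate is not in the identity-provider role")
    entry = idp.get("service-providers", {}).get(sp_name)
    if entry is None:
        return problems + [f"IdP has no service-provider entry {sp_name}"]
    prefix, idp_addr = entry.get("prefix", ""), idp.get("server-address", "")
    # The SP must point at the IdP endpoints that carry the prefix assigned to it
    expected_on_sp = {
        "idp-entity-id": f"http://{idp_addr}/saml-idp/{prefix}/metadata/",
        "idp-single-sign-on-url": f"https://{idp_addr}/{prefix}/login/",
        "idp-single-logout-url": f"https://{idp_addr}/saml-idp/{prefix}/logout/",
    }
    for key, want in expected_on_sp.items():
        if sp.get(key) != want:
            problems.append(f"SP {key} is {sp.get(key)!r}, expected {want!r}")
    # The IdP entry must send the browser back to the SP's own host over HTTPS
    sp_host = urlsplit(entry.get("sp-entity-id", "")).netloc
    expected_on_idp = {
        "sp-single-sign-on-url": f"https://{sp_host}/saml/?acs",
        "sp-single-logout-url": f"https://{sp_host}/saml/?sls",
        "sp-portal-url": f"https://{sp_host}/saml/login/",
    }
    for key, want in expected_on_idp.items():
        if entry.get(key) != want:
            problems.append(f"IdP entry {key} is {entry.get(key)!r}, expected {want!r}")
    # The SP must trust one specific IdP certificate (see the certificate section)
    if not sp.get("idp-cert"):
        problems.append("SP has no idp-cert configured")
    return problems


# Samples copied from this page's IdP and SP examples (assertion-attributes trimmed to username)
IDP_SAMPLE = """\
config system saml
    set status enable
    set role identity-provider
    set cert "Fortinet_Factory"
    set server-address "172.16.106.74"
    config service-providers
        edit "csf_172.16.106.74:12443"
            set prefix "csf_ngczjwqxujfsbhgr9ivhehwu37fml20"
            set sp-entity-id "http://172.16.106.74/metadata/"
            set sp-single-sign-on-url "https://172.16.106.74/saml/?acs"
            set sp-single-logout-url "https://172.16.106.74/saml/?sls"
            set sp-portal-url "https://172.16.106.74/saml/login/"
            config assertion-attributes
                edit "username"
                next
            end
        next
    end
end
"""
SP_SAMPLE = """\
config system saml
    set status enable
    set cert "Fortinet_Factory"
    set idp-entity-id "http://172.16.106.74/saml-idp/csf_ngczjwqxujfsbhgr9ivhehwu37fml20/metadata/"
    set idp-single-sign-on-url "https://172.16.106.74/csf_ngczjwqxujfsbhgr9ivhehwu37fml20/login/"
    set idp-single-logout-url "https://172.16.106.74/saml-idp/csf_ngczjwqxujfsbhgr9ivhehwu37fml20/logout/"
    set idp-cert "REMOTE_Cert_1"
    set server-address "172.16.106.74:12443"
end
"""
if __name__ == "__main__":
    print(check_saml_pair(IDP_SAMPLE, "csf_172.16.106.74:12443", SP_SAMPLE))  # []
```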


SAML SSO with pre-authorized FortiGates

You can set up SAML SSO authentication in a Security Fabric environment by starting with a root FortiGate that has one
or more pre-authorized FortiGates.
After the initial configuration, you can add more downstream FortiGates to the Security Fabric, and they are
automatically configured with default values for a service provider.

To set up basic SAML SSO for the Security Fabric:

1. Log in to the root FortiGate of the Security Fabric.


2. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
3. Join two pre-authorized FortiGates to the root FortiGate.

4. Configure the IdP (see Configuring the root FortiGate as the IdP on page 222).
5. Configure the SPs (see Configuring a downstream FortiGate as an SP on page 223).

Navigating between Security Fabric members with SSO

After you have logged in to a Security Fabric member by using SSO, you can navigate between any Security Fabric
member with SSO configured. This can be done using the Security Fabric members dropdown menu or by logging in to a
FortiGate SP from the root FortiGate IdP.

Security Fabric members dropdown

The Security Fabric members dropdown menu allows you to easily switch between all FortiGate devices that are
connected to the Security Fabric. You can also use this menu to customize a FortiGate in the Security Fabric.

To navigate between Security Fabric members:

1. Log in to a Security Fabric member by using SSO.


2. In the top banner, click the name of the device you are logged into with SSO.
A list of Security Fabric members is displayed.

3. Click the Security Fabric member.


You are logged in to the Security Fabric member without further authentication.


To customize a FortiGate in the Security Fabric:

1. In the Security Fabric members dropdown menu, hover the cursor over a FortiGate so the tooltip is shown.
2. Click Configure. The Configure pane opens.

3. Edit the settings as required.


4. Click OK.

Logging in to an SP from the root IdP

The following example describes how to log in to a root FortiGate IdP, and navigate to other FortiGate SPs in the
Security Fabric without further authentication. The local administrator account is named test3. The local administrator
account must also be available as an SSO administrator account on all downstream FortiGate SPs. Different tabs of the
same browser are used to log in to the various FortiGates.

To log in to a FortiGate SP from a root FortiGate IdP:

1. Log in to the root FortiGate IdP by using the local administrator account.
In this example, the local administrator account is named test3.
2. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
3. In the Topology tree, click one of the downstream FortiGate SPs, and select Login to <name of FortiGate>.

The login screen is displayed.


4. In the login screen, select Single Sign-On.
By using cookies in your local browser for the already-authenticated SSO administrator, FortiGate logs you in to the
downstream FortiGate SP as the SSO administrator. In this example, the SSO administrator name is test3.


5. While still logged into the root FortiGate IdP in your browser, go to the browser tab for the root FortiGate IdP, and log
in to another FortiGate SP that is displayed on the Security Fabric pane in the GUI.

SAML SSO login sends the SAML_IDP session cookie of an already authenticated admin user, stored in your local browser, to the root FortiGate IdP for authentication. If you manually clear the browser cache or close the browser, you must authenticate again.

It is possible to log in to one downstream FortiGate SP in a Security Fabric, and then open
another tab in your browser to connect to another FortiGate SP that is not a member of the
Security Fabric.
This is useful in cases where the SSO administrator and the local system administrator on the
FortiGate SP both have the same login name, but are two different entities.


Integrating FortiAnalyzer management using SAML SSO

When a FortiGate is configured as the SAML SSO IdP, FortiAnalyzer can register itself as the SP (FortiAnalyzer must be
running version 6.4.0). Once registered, FortiAnalyzer will be added automatically to the Security Fabric navigation in
FortiOS. A similar dropdown navigation is displayed in FortiAnalyzer where users can navigate to the FortiGate using
SAML SSO.
The following example assumes the root FortiGate (FGTA-1, server address 172.17.48.225:4431) has been configured
as the SAML SSO IdP, and FortiAnalyzer logging has been enabled in the Security Fabric settings.

To enable FortiAnalyzer as a Fabric SP in the GUI:

1. In FortiAnalyzer, go to System Settings > Admin > SAML SSO.


2. For Single Sign-On Mode, click Fabric SP and enter the SP Address.

3. Click Apply.
FortiAnalyzer will automatically register itself on the FortiGate as an appliance visible in the list of SPs. Go to
Security Fabric > Fabric Connectors, edit the Security Fabric Setup connector, then click Advanced Options to view
the list of SPs.

To enable FortiAnalyzer as a Fabric SP in the CLI:

1. In FortiAnalyzer, enable the device as a Fabric SP:


config system saml
set status enable
set role FAB-SP
set server-address "172.17.48.225:4253"
end

FortiAnalyzer will register itself on the FortiGate as an appliance. To view the configuration in FortiOS:
show system saml
config service-providers
edit "appliance_172.17.48.225:4253"
set prefix "csf_p0m9dvltwt28r3gt87runs2nb929mwz"
set sp-entity-id "http://172.17.48.225:4253/metadata/"
set sp-single-sign-on-url "https://172.17.48.225:4253/saml/?acs"
set sp-single-logout-url "https://172.17.48.225:4253/saml/?sls"
set sp-portal-url "https://172.17.48.225:4253/saml/login/"
config assertion-attributes
edit "username"
next
edit "profilename"
set type profile-name
next
end
next
end

To navigate between devices using SAML SSO:

1. Log in to the root FortiGate.


2. In the toolbar, click the device name to display the Security Fabric members dropdown.
3. Hover over the FortiAnalyzer and click Login.

4. Log in to the FortiAnalyzer using SAML SSO.


5. In the toolbar, click the Security Fabric members dropdown to navigate between other FortiGates.

Integrating FortiManager management using SAML SSO

When a FortiGate is configured as the SAML SSO IdP, FortiManager can be added as an SP.

To configure FortiManager as a Fabric SP:

1. On the root FortiGate, go to Security Fabric > Fabric Connectors, and edit the Security Fabric Setup connector.
2. In the Security Fabric Settings section, click Advanced Options.
3. In the Service Providers section, click Create New.
4. Enter a name and a prefix for the SP. FortiOS generates a unique prefix, but you can enter your own.
5. In SP address, enter the FortiManager address including the port number.

6. Click OK.
7. In FortiManager, go to System Settings > Admin > SAML SSO and in the Single Sign-On Mode section, click
Service Provider (SP).


8. Configure the IdP Settings:


a. For IdP Type, click Fortinet.
b. For IdP Address, enter the root FortiGate address including the port number.
c. Enter the Prefix of the SP.
d. For IdP Certificate, import the same certificate used on the root FortiGate.
e. Click Apply.

9. To verify that the configuration works, log out of FortiManager and log in using the Login via Single-Sign-On link.

Advanced option - FortiGate SP changes

From a root FortiGate IdP, you can edit each of the FortiGate SPs. For example, you can edit a FortiGate SP to generate
a new prefix, or you can add or modify SAML attributes. When you generate a new prefix value, it is propagated to the
respective downstream FortiGates.

To edit an SP from the root FortiGate (IdP):

1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
2. Click Advanced Options. The SAML SSO pane opens.
3. In the Service Providers table, select a device, and click Edit. The Edit Service Provider pane opens.
4. Edit the settings as needed.
5. Click OK.


Advanced option - unique SAML attribute types

The default SAML attribute type is username. When the attribute type is set to username, SSO administrator accounts
created on FortiGate SPs use the login username that is provided by the user for authentication on the root FortiGate
IdP.
Because user names might not be unique, cases can occur where the user name is the same for the SSO administrator
and the local administrator on the FortiGate SP. As a result, you might be unable to distinguish between actions taken by
the local administrator and the SSO administrator on the FortiGate SP when looking at the system log. By using a unique
SAML attribute type, such as an email address, you can create unique user names to better track what actions were
taken by each administrator.

To configure a unique SAML attribute using the GUI:

1. On the root FortiGate (IdP), assign a unique email address to local administrator.
In this example, the local administrator name is test3.
a. Go to System > Administrators, and expand the list of local users.
b. Select the local user, and click Edit.
c. In the Type field, select Match a user on a remote server group.
d. In the Remote User Group field, select a group.
e. In the Email Address field, enter the email address.
f. Click OK.


2. On the root FortiGate (IdP), update the SAML configuration:


a. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
b. Click Advanced Options. The SAML SSO pane opens.
c. In the Service Providers table, select the FortiGate, and click Edit. The Edit Service Provider pane opens.
d. For SP type, select Custom.
e. In the SAML Attribute section for Type, select Email address.
f. Beside Type, select Email address.
g. Click OK.

After the administrator (test3) logs in to the FortiGate SP for the first time, SAML authentication occurs on FortiGate SP.
A new SSO administrator account is created, and the account name is now the email address instead of the login name
(test3).


To view the new SSO administrator account:

1. In the SP, go to System > Administrators, and expand the list of SSO administrators.
The email address ([email protected]) is listed as the account name:

If the SAML attribute had been set to the default setting of username, the user name for the SSO administrator
account would have been (test3).

To view the SSO administrator activity in the log files:

1. In the SP, go to Log & Report > Events.


Because the SAML attribute is set to Custom, the SSO administrator account [email protected] is used as the
user name on the FortiGate SP, and it appears in the log files:

To configure a unique SAML attribute using the CLI:

config system saml
set status enable
set role identity-provider
set cert "fgt_g_san_extern_new"
set server-address "172.18.60.187"
config service-providers
edit "csf_172.18.60.185"
set prefix "csf_avju0tk4oiodifz3kbh2fms8dw688hn"
set sp-entity-id "http://172.18.60.185/metadata/"
set sp-single-sign-on-url "https://172.18.60.185/saml/?acs"
set sp-single-logout-url "https://172.18.60.185/saml/?sls"
set sp-portal-url "https://172.18.60.185/saml/login/"
config assertion-attributes
edit "username"
next
end
next
edit "FGTA-180"
set prefix "yxs8uhq47b5b2urq"
set sp-entity-id "http://172.18.60.180/metadata/"
set sp-single-sign-on-url "https://172.18.60.180/saml/?acs"
set sp-single-logout-url "https://172.18.60.180/saml/?sls"
set sp-portal-url "https://172.18.60.180/saml/login/"
config assertion-attributes
edit "username"
next
end
next
edit "FGTA-184"
set prefix "3dktfo0gbxtldbts"
set sp-entity-id "http://172.18.60.184/metadata/"
set sp-single-sign-on-url "https://172.18.60.184/saml/?acs"
set sp-single-logout-url "https://172.18.60.184/saml/?sls"
set sp-portal-url "https://172.18.60.184/saml/login/"
config assertion-attributes
edit "username"
set type email
next
end
next
end
end

The csf_172.18.60.185 service provider was automatically added when the FortiGate SP 172.18.60.185 joined the
root FortiGate IdP in the Security Fabric.
All sp-* options, such as sp-portal-url, are set with default values when a service provider is created, but can be
modified using the CLI or GUI.

Security rating

The security rating uses real-time monitoring to analyze your Security Fabric deployment, identify potential
vulnerabilities, highlight best practices that can be used to improve the security and performance of your network, and
calculate Security Fabric scores.
To view the security rating, go to Security Fabric > Security Rating on the root FortiGate.
The Security Rating page is separated into three major scorecards: Security Posture, Fabric Coverage, and
Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric.


The scorecards show an overall letter grade and breakdown of the performance in sub-categories. Clicking a scorecard
drills down to a detailed report of itemized results and compliance recommendations. The point score represents the net
score for all passed and failed items in that area. In the drill down report, hover the cursor over a score to view the
calculation breakdown.
The report includes the security controls that were tested against, linking to specific FSBP or PCI compliance policies.
Click the FSBP and PCI buttons to reference the corresponding standard. Users can search or filter the report results.

Certain remediations marked with an EZ symbol represent configuration recommendations that support Easy Apply. In
the panel on the right, in the Recommendations section, click Apply to apply the changes to resolve the failed security
control.

The report table can be customized by adding more columns, such as Category, to view, filter, or sort the results based
on scorecard categories. Click the gear icon to customize the table.


Users can also export the reports as CSV or JSON files by clicking the Export dropdown.

To exit the current view, click the icon beside the scorecard title to return to the summary view.

For more information about security ratings, and details about each of the checks that are performed, go to Security Best
Practices & Security Rating Feature.

The following licensing options are available for security rating checks:
l A base set of free checks

l A licensed set that requires a FortiGuard Security Rating Service subscription

The base set can be run locally on any FortiGate and on all other devices in the Security
Fabric. On licensed FortiGates, ratings scores can be submitted to and received from
FortiGuard for ranking networks by percentile.
For a list of base and licensed security rating checks, see FortiGuard Security Rating Service.

Security rating check scheduling

Security rating checks by default are scheduled to run automatically every four hours.

To disable automatic security checks using the CLI:

config system global
set security-rating-run-on-schedule disable
end

To manually run a report using the CLI:

# diagnose report-runner trigger

Opt out of ranking

Security rating scores can be submitted to FortiGuard for comparison with other organizations' scores, allowing a
percentile score to be calculated. If you opt out of submitting your score, only an absolute score will be available.


To opt out of submitting the score using the CLI:

config system global
set security-rating-result-submission {enable | disable}
end

Logging the security rating

The results of past security checks are available in Log & Report > Events by selecting Security Rating Events from the
event type dropdown list.

An event filter subtype can be created for the Security Fabric rating so that event logs are created on the root FortiGate
that summarize the results of a check, and show detailed information for the individual tests.

To configure security rating logging using the CLI:

config log eventfilter
set security-rating enable
end

Multi VDOM mode

In multi VDOM mode, security rating reports can be generated in the Global VDOM for all of the VDOMs on the device.
Administrators with read/write access can run the security rating report in the Global VDOM. Administrators with read-
only access can only view the report.
On the report scorecards, the Scope column shows the VDOM or VDOMs that the check was run on. On checks that
support Easy Apply, the remediation can be run on all of the associated VDOMs.


The security rating event log is available on the root VDOM.

Security Fabric score

The Security Fabric score is calculated when a security rating check is run, based on the severity level of the checks that
are passed or failed. A higher score represents a more secure network. Points are added for passed checks and
removed for failed checks.

Severity level    Weight (points)
Critical          50
High              25
Medium            10
Low               5

To calculate the number of points awarded to a device for a passed check, the following equation is used:

score = <severity level weight> / <# of FortiGates> × <secure FortiGate multiplier>

The secure FortiGate multiplier is determined using logarithms and the number of FortiGate devices in the Security
Fabric.
For example, if there are four FortiGate devices in the Security Fabric that all pass the compatible firmware check, the
score for each FortiGate device is calculated with the following equation:

50 / 4 × 1.292 = 16.15 points

All of the FortiGate devices in the Security Fabric must pass the check in order to receive the points. If any one of the
FortiGate devices fails a check, the devices that passed are not awarded any points. For the device that failed the check,
the following equation is used to calculate the number of points that are lost:


score = <severity level weight> × <secure FortiGate multiplier>

For example, if the check finds two critical FortiClient vulnerabilities, the score is calculated with the following equation:

-50 × 2 = -100 points

Scores are not affected by checks that do not apply to your network. For example, if there are no FortiAP devices in the
Security Fabric, no points will be added or subtracted for the FortiAP firmware version check.
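The scoring rules above worked through in code, as an added example that is not part of this guide or of FortiOS. The secure FortiGate multiplier is an input here, because the guide only says it is derived from logarithms and the number of FortiGates without giving the formula; the fabric of four devices is constructed.

```python
# Security Fabric score arithmetic as described above. Added example, not
# Fortinet code. The secure FortiGate multiplier is passed in: the guide
# says it comes from logarithms and the FortiGate count but gives no formula.

WEIGHTS = {"critical": 50, "high": 25, "medium": 10, "low": 5}


def check_scores(severity, results, multiplier, applies=True):
    """Points each FortiGate earns or loses for one security rating check.

    results maps FortiGate name -> True (passed) or False (failed).
    A check that does not apply to the network (applies=False) changes no score.
    Every device must pass for any device to earn points; a failing device
    loses weight x multiplier, and devices that passed alongside a failure get 0.
    """
    weight = WEIGHTS[severity.lower()]
    scores = {device: 0.0 for device in results}
    if not applies or not results:
        return scores
    n_fortigates = len(results)
    all_passed = all(results.values())
    for device, passed in results.items():
        if passed and all_passed:
            scores[device] = weight / n_fortigates * multiplier
        elif not passed:
            scores[device] = -weight * multiplier
    return scores


def fabric_totals(checks, multiplier):
    """Sum per-device points over several checks.

    checks is a list of (severity, results, applies) tuples, one per check.
    """
    totals = {}
    for severity, results, applies in checks:
        per_device = check_scores(severity, results, multiplier, applies)
        for device, points in per_device.items():
            totals[device] = totals.get(device, 0.0) + points
    return totals


if __name__ == "__main__":
    # Constructed fabric of four FortiGates; 1.292 is the multiplier the
    # guide quotes for four devices passing the compatible firmware check.
    fabric = {"fg-a": True, "fg-b": True, "fg-c": True, "fg-d": True}
    print(check_scores("Critical", fabric, 1.292))  # 16.15 points each
    fabric["fg-d"] = False
    print(check_scores("Critical", fabric, 1.292))  # fg-d: -50 x 1.292, the rest 0
    # A FortiAP firmware check with no FortiAP in the fabric changes nothing.
    print(check_scores("High", fabric, 1.292, applies=False))
```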

Automation stitches

Automation stitches automate the activities between the different components in the Security Fabric, decreasing the
response times to security events. Events from any source in the Security Fabric can be monitored, and action
responses can be set up to any destination.

Automation stitches can also be used on FortiGate devices that are not part of a Security
Fabric.

Automation stitches that use cloud-based actions, such as AWS Lambda and Azure Function, have the option to delay
an action after the previous action is completed.
An automation stitch consists of two parts, the trigger and the actions. The trigger is the condition or event on the
FortiGate that activates the action, for example, a specific log or a failed login attempt. The action is what the FortiGate
does in response to the trigger.
Diagnose commands are available in the CLI to test, log, and display the history and settings of stitches.

Automation stitches can only be created on the root FortiGate in a Security Fabric.

Creating automation stitches

To create an automation stitch, a trigger event and a response action or actions are selected. Automation stitches can be
tested after they are created.


To create an automation stitch in the GUI:

1. On the root FortiGate, go to Security Fabric > Automation.
2. Click Create New. The New Automation Stitch page opens.

3. Enter the following information:

Name Enter a name for the automation stitch.

Status Enable/disable the stitch.

FortiGate Select the FortiGate device to apply the automation stitch to, or select All
FortiGates to apply it to all of them.

Trigger Select a trigger.

Action Select and configure one or more actions.

Minimum interval (seconds) Enter a minimum time interval during which notifications for the same trigger
event will not be sent.
After the time interval elapses, an alert is sent that includes the last event since
the time interval elapsed.

4. Click OK.

To create an automation stitch in the CLI:

1. Create an automation trigger:

config system automation-trigger
edit <automation-trigger-name>
set trigger-type {event-based | scheduled}
set event-type <option>
set license-type <option>
set ioc-level {medium | high}
set logid <integer>
set trigger-frequency {hourly | daily | weekly | monthly}
set trigger-weekday <option>
set trigger-day <integer>
set trigger-hour <integer>
set trigger-minute <integer>
set faz-event-severity <string>
set faz-event-tags <string>
next
end

The available options will vary depending on the selected event type.
2. Create an automation action:
config system automation-action
edit <name>
set action-type <option>
set email-to <names>
set email-from <string>
set email-subject <string>
set message <string>
set minimum-interval <integer>
set delay <integer>
set required {enable | disable}
set aws-api-id <string>
set aws-region <string>
set aws-domain <string>
set aws-api-stage <string>
set aws-api-path <string>
set aws-api-key <string>
set azure-app <string>
set azure-function <string>
set azure-domain <string>
set azure-function-authorization {anonymous | function | admin}
set azure-api-key <string>
set gcp-function-region <string>
set gcp-project <string>
set gcp-function-domain <string>
set gcp-function <string>
set alicloud-account-id <string>
set alicloud-region <string>
set alicloud-function-domain <string>
set alicloud-version <string>
set alicloud-service <string>
set alicloud-function <string>
set alicloud-function-authorization {anonymous | function}
set alicloud-access-key-id <string>
set alicloud-access-key-secret <string>
set protocol {http | https}
set method {post | put | get | patch | delete}
set uri <string>
set http-body <string>
set port <integer>
set headers <header>
set script <string>
set security-tag <string>
set sdn-connector <connector_name>
next
end

Enter edit 0 to get the next available ID.


3. Create an automation destination:

config system automation-destination
edit <name>
set type {fortigate | ha-cluster}
set destination <serial numbers>
set ha-group-id <integer>
next
end

4. Create the automation stitch:

config system automation-stitch
edit <automation-stitch-name>
set status {enable | disable}
set trigger <trigger-name>
set action <action-name>
set destination <serial-number>
next
end

To test an automation stitch:

In the GUI, go to Security Fabric > Automation, right-click on the automation stitch and select Test Automation Stitch.
In the CLI, enter the following command:
diagnose automation test <stitch-name> <log>

Default automation stitches

The Automation menu contains eight webhook automation stitches, including an Incoming Webhook Quarantine trigger
for API calls to the FortiGate, as well as a predefined License Expired Notification that replaces the existing license
expiry alerts.
The automation stitches are available in new FortiGate installations and after upgrading from previous versions.
The following default stitches are included in the Automation menu:
l Compromised Host Quarantine
l Incoming Webhook Quarantine
l HA Failover
l Network Down
l Reboot
l FortiAnalyzer Connection Down
l License Expired Notification
l Security Rating Notification
To view the CLI configurations for the new automation stitches, see CLI configuration on page 250. To view the
automation stitches in the GUI, go to Security Fabric > Automation.


Triggering a stitch example

To trigger an Incoming Webhook Quarantine stitch in the GUI:

1. Create a new API user:
a. Go to System > Administrators.
b. Click Create New > REST API Admin.
c. Configure the New REST API Admin settings, and record the API key.
2. Get the sample cURL request:
a. Go to Security Fabric > Automation.
b. Under Incoming Webhook, right-click Incoming Webhook Quarantine, and select Edit.
c. Click Enabled, to enable the rule.
d. In the API admin key field, enter the API key you recorded in the previous step. A Sample cURL request is created.
e. Copy the Sample cURL request.


3. Execute the request:
a. Edit the sample cURL you recorded in the previous step.
b. Add parameters to the data field ("mac" and "fctuid"), and then execute the request.

root@pc:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx3fQxr4khb994p7swdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid":"0000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://172.16.116.226/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine
{
"http_method":"POST",
"status":"success",
"http_status":200,
"serial":"FGT00E0Q00000000",
"version":"v6.4.0",
"build":1545
}

Encode spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine.

The automation rule Incoming Webhook Quarantine is triggered. The MAC address is quarantined in FortiGate and
an event log is created. The FortiClient UUID is quarantined by EMS on the server side.


To trigger an Incoming Webhook Quarantine stitch in the CLI:

1. Create a new API user and record the API key:

config system api-user
edit "api"
set api-key ENC SH00vqP0GKWKyZNz0FP0/jq00O0Ka/DHVEKdxUi+0kRDNKPpZppnnMk0KeunBI=
set accprofile "api_profile"
set vdom "root"
config trusthost
edit 1
set ipv4-trusthost 10.6.30.0 200.200.200.0
next
end
next
end

2. Configure the automation stitch:

config system automation-stitch
edit "Incoming Webhook Quarantine"
set status enable
set trigger "Incoming Webhook Quarantine"
set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
next
end

3. Add parameters in the data field ("mac" and "fctuid"), then execute the request on a device:

root@pc56:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx0fQxr4khb000p70wdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid":"3000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://100.10.100.200/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine
{
"http_method":"POST",
"status":"success",
"http_status":200,
"serial":"FGT80E0Q00000000",
"version":"v6.4.0",
"build":1545
}

Encode spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine.

The automation rule Incoming Webhook Quarantine is triggered. The MAC address is quarantined in FortiGate, and
an event log is created. The FortiClient UUID will be quarantined on the EMS server side.

config user quarantine
config targets
edit "0c:0a:00:0c:ce:b0"
config macs
edit 0c:0a:00:0c:ce:b0
set description "Quarantined by automation stitch: Incoming Webhook Quarantine"
next
end
next
end
end

date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" trigger="Incoming Webhook Quarantine" stitchaction="Compromised Host Quarantine_quarantine,Compromised Host Quarantine_quarantine-forticlient" from="log" msg="stitch:Incoming Webhook Quarantine is triggered."
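The webhook call made by the cURL samples in the GUI and CLI procedures above, as an added Python example that is not part of this guide or of FortiOS. It assumes the URL path, Bearer header and JSON body shown in those samples; the host, API key, MAC and FortiClient UUID are constructed placeholders, the 32-hex-character check on fctuid is an assumption based on the sample values, and it verifies the FortiGate certificate instead of using -k.

```python
# Trigger a FortiOS incoming-webhook automation stitch (added example, not
# Fortinet code). Endpoint, header and body follow the cURL samples above;
# the CA file and the 32-hex fctuid check are this example's assumptions.
import json
import re
import ssl
import urllib.parse
import urllib.request

WEBHOOK_PATH = "/api/v2/monitor/system/automation-stitch/webhook/"
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
FCTUID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # shape of the sample FortiClient UUIDs


def build_webhook_request(host, stitch_name, api_key, mac, fctuid):
    """Return (url, headers, payload) for the webhook call after validating inputs.

    The stitch name is percent-encoded so spaces become %20, as the guide
    requires (quote() never emits '+').
    """
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"MAC must look like 0c:0a:00:0c:ce:b0, got {mac!r}")
    if not FCTUID_RE.match(fctuid):
        raise ValueError("fctuid must be 32 hex characters")
    url = f"https://{host}{WEBHOOK_PATH}{urllib.parse.quote(stitch_name, safe='')}"
    headers = {
        "Authorization": f"Bearer {api_key}",
        # The cURL sample sets no content type; sending JSON explicitly is our choice.
        "Content-Type": "application/json",
    }
    payload = {"mac": mac, "fctuid": fctuid}
    return url, headers, payload


def parse_webhook_response(raw):
    """True when the FortiGate reply reports success, as in the sample output above."""
    reply = json.loads(raw)
    return reply.get("status") == "success" and reply.get("http_status") == 200


def trigger_stitch(host, stitch_name, api_key, mac, fctuid, cafile=None):
    """POST the request and return (accepted, reply_dict).

    TLS is verified against cafile, or the system CA store when cafile is None.
    A 401/403 from a wrong key or an untrusted source host raises HTTPError.
    """
    url, headers, payload = build_webhook_request(host, stitch_name, api_key, mac, fctuid)
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers=headers, method="POST"
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        body = resp.read().decode()
    return parse_webhook_response(body), json.loads(body)


if __name__ == "__main__":
    # Constructed placeholders: replace with your FortiGate address and REST API admin key.
    accepted, reply = trigger_stitch(
        "fortigate.example.net", "Incoming Webhook Quarantine", "REPLACE_WITH_API_KEY",
        "0c:0a:00:0c:ce:b0", "0000BB0B0ABD0D00B0D0A0B0E0F0B00B",
    )
    print("stitch triggered" if accepted else "stitch not triggered", reply)
```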

CLI configuration

Compromised host

config system automation-action
edit "Compromised Host Quarantine_quarantine"
set action-type quarantine
set minimum-interval 0
set delay 0
set required disable
next
edit "Compromised Host Quarantine_quarantine-forticlient"
set action-type quarantine-forticlient
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "Compromised Host Quarantine"
set trigger-type event-based
set event-type ioc
set ioc-level high
next
end
config system automation-stitch
edit "Compromised Host Quarantine"
set status disable
set trigger "Compromised Host Quarantine"
set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
next
end

FortiAnalyzer connection down

config system automation-action
edit "FortiAnalyzer Connection Down_ios-notification"
set action-type ios-notification
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "FortiAnalyzer Connection Down"
set trigger-type event-based
set event-type event-log
set logid 22902
next
end
config system automation-stitch
edit "FortiAnalyzer Connection Down"
set status enable
set trigger "FortiAnalyzer Connection Down"
set action "FortiAnalyzer Connection Down_ios-notification"
next
end

Network down

config system automation-action
edit "Network Down_email"
set action-type email
set email-from ''
set email-subject "Network Down"
set minimum-interval 0
set delay 0
set required disable
set message "%%log%%"
next
end
config system automation-trigger
edit "Network Down"
set trigger-type event-based
set event-type event-log
set logid 20099
config fields
edit 1
set name "status"
set value "DOWN"
next
end
next
end
config system automation-stitch
edit "Network Down"
set status disable
set trigger "Network Down"
set action "Network Down_email"
next
end

HA failover

config system automation-action
edit "HA Failover_email"
set action-type email
set email-from ''
set email-subject "HA Failover"
set minimum-interval 0
set delay 0
set required disable
set message "%%log%%"
next
end
config system automation-trigger
edit "HA Failover"
set trigger-type event-based
set event-type ha-failover
next
end
config system automation-stitch
edit "HA Failover"
set status disable
set trigger "HA Failover"
set action "HA Failover_email"
next
end

Incoming Webhook Quarantine

config system automation-action
edit "Compromised Host Quarantine_quarantine"
set action-type quarantine
set minimum-interval 0
set delay 0
set required disable
next
edit "Compromised Host Quarantine_quarantine-forticlient"
set action-type quarantine-forticlient
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "Incoming Webhook Call"
set trigger-type event-based
set event-type incoming-webhook
next
end
config system automation-stitch
edit "Incoming Webhook Quarantine"
set status disable
set trigger "Incoming Webhook Call"
set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
next
end

License expired

config system automation-action
edit "License Expired Notification_ios-notification"
set action-type ios-notification
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "License Expired Notification"
set trigger-type event-based
set event-type license-near-expiry
set license-type any
next
end
config system automation-stitch
edit "License Expired Notification"
set status enable
set trigger "License Expired Notification"
set action "License Expired Notification_ios-notification"
next
end

Reboot

config system automation-action
edit "Reboot_email"
set action-type email
set email-from ''
set email-subject "Reboot"
set minimum-interval 0
set delay 0
set required disable
set message "%%log%%"
next
end
config system automation-trigger
edit "Reboot"
set trigger-type event-based
set event-type reboot
next
end
config system automation-stitch
edit "Reboot"
set status disable
set trigger "Reboot"
set action "Reboot_email"
next
end

Security rating

config system automation-action
edit "Security Rating Notification_ios-notification"
set action-type ios-notification
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "Security Rating Notification"
set trigger-type event-based
set event-type security-rating-summary
set report-type PostureReport
next
end
config system automation-stitch
edit "Security Rating Notification"
set status enable
set trigger "Security Rating Notification"
set action "Security Rating Notification_ios-notification"
next
end

Chaining and delaying actions

Automation stitches that use cloud-based or webhook actions have the option to delay an action after the previous action
is completed. The execution of the actions can be delayed by up to 3600 seconds (one hour).
To configure this option in the GUI, select a cloud-based action, then enter the required value, in seconds, in the action
configuration's Delay field.
To configure a delay in the CLI, use the following command:

config system automation-action
edit <name>
set action-type {aws-lambda | azure-function | google-cloud-function | alicloud-function | webhook}
set required {enable | disable}
set delay <seconds>
next
end

Triggers

The following table outlines the available automation stitch triggers:

Trigger Description

Compromised Host An Indicator of Compromise (IoC) is detected on a host endpoint.
The threat level must be selected and can be Medium or High. If Medium is selected, both medium and high level threats are included.
Note: Additional actions are available only for Compromised Host triggers:
l Access Layer Quarantine
l Quarantine FortiClient via EMS
l Assign VMware NSX Security Tag
l IP Ban

Security Rating Summary A summary is available for a recently run Security Rating.

Configuration Change A FortiGate configuration change has occurred.

Reboot A FortiGate is rebooting.

Low memory This option is only available in the CLI.
Conserve mode due to low memory. See Execute a CLI script based on memory and CPU thresholds on page 294 for an example.

High CPU This option is only available in the CLI.
High CPU usage. See Execute a CLI script based on memory and CPU thresholds on page 294 for an example.

License Expiry A FortiGuard license is expiring.
The license type must be selected. Options include:
l FortiCare Support
l FortiGuard Web Filter
l FortiGuard AntiSpam
l FortiGuard AntiVirus
l FortiGuard IPS
l FortiGuard Management Service
l FortiGate Cloud

HA Failover An HA failover is occurring.

AV & IPS DB Update The antivirus and IPS database is updating.

FortiOS Event Log The specified FortiOS log has occurred.
The event must be selected from the event list.

FortiAnalyzer Event Handler The specified FortiAnalyzer event handler has occurred. See FortiAnalyzer event handler trigger on page 256 for details.

Schedule A scheduled monthly, weekly, daily, or hourly trigger. Set to occur on a specific minute of a specific hour on a specific day.

FortiGate Cloud-Based IOC IOC detection from the FortiGate Cloud IOC service.
This option requires an IOC license and a web filter license, and FortiCloud logging must be enabled.


FortiAnalyzer event handler trigger

You can trigger automation stitches based on FortiAnalyzer event handlers. This allows you to define rules based on
complex correlations across devices, log types, frequencies, and other criteria.
To set up a FortiAnalyzer event handler trigger:

1. Configure a FortiGate event handler on the FortiAnalyzer
2. Configure FortiAnalyzer logging on the FortiGate on page 256
3. Configure an automation stitch that is triggered by a FortiAnalyzer event handler on page 257

Configure a FortiGate event handler on the FortiAnalyzer

On the FortiAnalyzer, configure an event handler for the automation stitch. In this example, the event handler is triggered
when an administrator logs in to the FortiGate.

To configure an event handler on the FortiAnalyzer:

1. Go to Incidents & Events > Handlers > FortiGate Event Handlers.
2. Configure an event handler for the automation stitch.
3. Click OK.

Configure FortiAnalyzer logging on the FortiGate

See Configuring FortiAnalyzer on page 150 for more information.

To configure FortiAnalyzer logging in the GUI:

1. Go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
2. Click Enabled and configure the settings as needed.
3. Click OK.


To configure FortiAnalyzer logging in the CLI:

config log fortianalyzer setting
set status enable
set server "10.6.30.250"
set serial "FL-4HET318900407"
set upload-option realtime
set reliable enable
end

Configure an automation stitch that is triggered by a FortiAnalyzer event handler

When a FortiAnalyzer event handler is triggered, it sends a notification to the FortiGate automation framework, which
generates a log and triggers the automation stitch.

To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the GUI:

1. Go to Security Fabric > Automation.
2. Click Create New.
3. In the Trigger section, select FortiAnalyzer Event Handler.
4. Set Event handler name to the event that was created on the FortiAnalyzer.
5. Set the Event severity, and select or create an Event tag.
6. In the Action section, select Email and configure the email recipient and message.
7. Click OK.

To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the CLI:

1. Create an automation action:

config system automation-action
edit "auto-faz-1_email"
set action-type email
set email-to "[email protected]"
set email-subject "CSF stitch alert"
set message "User login FortiGate successfully."
next
end

2. Create an automation trigger:

config system automation-trigger
edit "auto-faz-1"
set event-type faz-event
set faz-event-name "system-log-handler2"
set faz-event-severity "medium"
set faz-event-tags "User login successfully"
next
end

3. Create the automation stitch:

config system automation-stitch
edit "auto-faz-1"
set trigger "auto-faz-1"
set action "auto-faz-1_email"
next
end

View the trigger event log

To see the trigger event log in the GUI:

1. Log in to the FortiGate.
The FortiAnalyzer sends a notification to the FortiGate automation framework, which generates an event log on the
FortiGate and triggers the automation stitch.
2. Go to Log & Report > Events and select System Events.

To see event logs in the CLI:

execute log display

...
date=2019-02-05 time=14:16:17 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1549404977 logdesc="Automation stitch triggered" stitch="auto-faz-1" trigger="auto-faz-1" from="log" msg="stitch:auto-faz-1 is triggered."
...
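Detection logic over these event lines, as an added example that is not part of this guide or of FortiOS: a parser for the FortiOS key=value log format that picks out "Automation stitch triggered" events (logid 0100046600) from both stitch logs shown in this chapter, the Incoming Webhook Quarantine one and the auto-faz-1 one above. The first two sample lines are copied from the guide's output; the third is a constructed, unrelated event that shows the filter working.

```python
# Parse FortiOS event logs and pull out automation stitch triggers (added
# example, not Fortinet code). Handles quoted values containing spaces and
# both eventtime precisions seen in this chapter (seconds and nanoseconds).
import re
from datetime import datetime, timezone

STITCH_TRIGGERED_LOGID = "0100046600"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Sample lines: the first two are the stitch logs shown in this chapter, the
# third is a constructed unrelated event (not from the guide).
SAMPLE_LOGS = [
    'date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" '
    'logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" '
    'trigger="Incoming Webhook Quarantine" stitchaction="Compromised Host Quarantine_'
    'quarantine,Compromised Host Quarantine_quarantine-forticlient" from="log" '
    'msg="stitch:Incoming Webhook Quarantine is triggered."',
    'date=2019-02-05 time=14:16:17 logid="0100046600" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1549404977 logdesc="Automation stitch triggered" '
    'stitch="auto-faz-1" trigger="auto-faz-1" from="log" msg="stitch:auto-faz-1 is triggered."',
    'date=2020-02-14 time=15:40:01 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" eventtime=1581723601000000000 tz="-0800" '
    'logdesc="Admin login successful" user="admin" msg="constructed sample line"',
]


def parse_log_line(line):
    """Split a FortiOS key=value line into a dict; quoted values may contain spaces."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def event_time_utc(value):
    """eventtime is epoch seconds in older logs and epoch nanoseconds in newer ones."""
    n = int(value)
    seconds = n // 1_000_000_000 if n > 10**12 else n
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def stitch_triggers(lines):
    """Return one record per 'Automation stitch triggered' event, other logs skipped."""
    records = []
    for line in lines:
        fields = parse_log_line(line)
        if fields.get("logid") != STITCH_TRIGGERED_LOGID:
            continue
        actions = fields.get("stitchaction", "")  # comma-separated, absent for some stitches
        records.append({
            "when": event_time_utc(fields["eventtime"]),
            "vdom": fields.get("vd"),
            "stitch": fields.get("stitch"),
            "trigger": fields.get("trigger"),
            "actions": [a for a in actions.split(",") if a],
            "source": fields.get("from"),
        })
    return records


if __name__ == "__main__":
    for rec in stitch_triggers(SAMPLE_LOGS):
        print(rec["when"].isoformat(), rec["stitch"], "->", rec["actions"] or "(no actions logged)")
```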


Sample email

The email sent by the action will look similar to the following:

Actions

The following table outlines the available automation stitch actions. Multiple actions can be added and reorganized as
needed by dragging and dropping.

Action Description

Alert Generate a FortiOS dashboard alert.
This option is only available in the CLI.

CLI Script Run one or more CLI scripts. See CLI script action on page 260 for details. See Execute a CLI script based on memory and CPU thresholds on page 294 for an example.

Disable SSID Disable the SSID interface.
This option is only available in the CLI.

Email Send a custom email message to the selected recipients. At least one recipient and an email subject must be specified.
The email body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action.

FortiExplorer Notification Send push notifications to FortiExplorer.
The FortiGate must be registered to FortiCare on the iOS App that will receive the notification.

Access Layer Quarantine This option is only available for Compromised Host triggers.
Impose a dynamic quarantine on multiple endpoints based on the access layer.

Quarantine FortiClient via EMS This option is only available for Compromised Host triggers.
Use FortiClient EMS to block all traffic from the source addresses that are flagged as compromised hosts.
Quarantined devices are flagged on the Security Fabric topology views. Go to the Dashboard > Users & Devices > Quarantine widget to view and manage quarantined IP addresses.

Quarantine via FortiNAC This option is only available for Compromised Host and Incoming Webhook triggers.
Use FortiNAC to quarantine a client PC and disable its MAC address. See Quarantine via FortiNAC action on page 262 for details.

Assign VMware NSX Security Tag This option is only available for Compromised Host triggers.
If an endpoint instance in a VMware NSX environment is compromised, the configured security tag is assigned to the compromised endpoint. See Assign VMware NSX security tag action on page 266 and Assign VMware NSX-T security tag action on page 269 for details.

IP Ban This option is only available for Compromised Host triggers.
Block all traffic from the source addresses flagged by the IoC.
Go to the Dashboard > Users & Devices > Quarantine widget to view and manage quarantined IP addresses.

AWS Lambda Send log data to an integrated AWS service. See AWS Lambda action on page 273 for details.

Azure Function Send log data to an Azure function. See Azure Function action on page 275 for details.

Google Cloud Function Send log data to a Google Cloud function. See Google Cloud Function action on page 277 for details.

AliCloud Function Send log data to an AliCloud function. See AliCloud Function action on page 279 for details.

Slack Notification Send a notification to a Slack channel. See Slack Notification action on page 282 for details.

Webhook Send an HTTP request using a REST callback. See Webhook action on page 285 for details, and Slack integration webhook on page 291 and Microsoft Teams integration webhook on page 292 for examples.

CLI script action

CLI scripts can be run when an automation stitch is triggered. The scripts can be manually entered, uploaded as a file, or
recorded in the CLI console. The output of the script can be sent as an email action.

The maximum size of the CLI script action output is 16K characters.

In this example, the script sets the idle timeout value to 479 minutes, and sends an email with the script output.

To configure a CLI script automation stitch in the GUI:

1. Go to Security Fabric > Automation.
2. Click Create New.
3. Enter a name for the stitch, and select the FortiGate devices that it will be applied to.
4. Select a trigger, such as Security Rating Summary.
5. Select CLI Script and Email actions.
6. Configure the CLI script:
l To manually enter the script, type it into the Script field.
l To upload a script file, click Upload and locate the file on your management computer.
l To record the script in the CLI console, click >_Record in CLI console, then enter the CLI commands.
7. Configure the email action.
8. Click OK.

To configure a CLI script automation stitch in the CLI:

1. Create an automation action:

config system automation-action
edit "set admintimeout479"
set action-type cli-script
set minimum-interval 0
set delay 0
set required enable
set script "config system global
set admintimeout 479
end"
next
edit "auto-cli-1_email"
set action-type email
set email-to "[email protected]"
set email-subject "CSF stitch alert"
set message "%%results%%"
set minimum-interval 0
next
end

2. Create an automation trigger:

config system automation-trigger
edit "auto-cli-1"
set trigger-type event-based
set event-type security-rating-summary
next
end

3. Create the automation stitch:

config system automation-stitch
edit "auto-cli-1"
set status enable
set trigger "auto-cli-1"
set action "set admintimeout479" "auto-cli-1_email"
next
end

Email sample

The email sent by the action will look similar to the following:

Quarantine via FortiNAC action

Users can configure an automation stitch with the Quarantine via FortiNAC action with a Compromised Host or Incoming
Webhook trigger. When the automation is triggered, the client PC will be quarantined and its MAC address is disabled in
the configured FortiNAC.
In this example, the FortiNAC has been configured to join an enabled Security Fabric (see FortiNAC for more
information).
The FortiNAC must also be configured to isolate disabled hosts:
l Endpoints connecting to FortiWiFi or wired ports on FortiGate:
    l See the requisite Configure FortiNAC section in the FortiGate Endpoint Management Integration Guide.
l Endpoints connecting to FortiAP:
    l Set the Dead End VLAN. See Model configuration.
l Endpoints connecting to FortiSwitch:
    l Set the Dead End VLAN. See Model configuration.
    l Add the switch to the physical address filtering group. See Systems groups and Modify a group.


To configure a FortiNAC quarantine automation stitch in the GUI:

1. Configure the automation stitch:


a. Go to Security Fabric > Automation and click Create New.
b. In the Trigger section, select Incoming Webhook.
c. In the Action section, select Quarantine via FortiNAC.
d. Click OK.

2. Create a new API user and generate the API key:


a. Go to System > Administrators and click Create New > REST API Admin.
b. Configure the settings as needed.

FortiOS 6.4.13 Administration Guide 263


Fortinet Inc.
Fortinet Security Fabric

c. Click OK. The New API key window opens.


d. Copy the key to the clipboard and click Close.
e. Click OK.
3. Add the API key to the automation stitch:
a. Go to Security Fabric > Automation and edit the automation stitch created in step 1.
b. Paste the key in the API admin key field.
c. Click OK.

4. On a Linux PC accessible by the FortiGate, create a cURL request to trigger the automation stitch:
root@pc56:~# curl -k -X POST -H 'Authorization: Bearer ckx7d9xdzzx14Nztd1Ncr701dpwwy9' \
  --data '{ "srcip": "1.1.1.1", "mac":"00:0C:29:0B:A6:16", "fctuid": "A8BA0B12DA694E47BA4ADF24F8358E2F"}' \
  https://172.17.48.225:4431/api/v2/monitor/system/automation-stitch/webhook/auto_webhook

5. In FortiOS, verify the automation stitch is triggered and the action is executed:
a. Go to Log & Report > Events and select System Events to confirm that the stitch was activated.
b. Go to Security Fabric > Automation to see the last time that the stitch was triggered.

In FortiNAC, the Host View shows the status of the client PC. It is quarantined and its MAC address is disabled.

To configure a FortiNAC quarantine automation stitch in the CLI:

1. Configure the automation stitch:


config system automation-action
edit "auto_webhook_quarantine-fortinac"
set action-type quarantine-fortinac
next
end
config system automation-trigger
edit "auto_webhook"
set event-type incoming-webhook
next
end
config system automation-stitch
edit "auto_webhook"
set trigger "auto_webhook"
set action "auto_webhook_quarantine-fortinac"
next
end

2. Create a new API user and generate the API key:


config system api-user
edit "g-api-rw-user"
set api-key ENC SH2SHFEtfJQ9OsfH/keh4kdULAp3V4ps7HkxBuDIzpR4Cmsckaa9wJ6kw28dFQ=
set accprofile "super_admin"
set vdom "root"
config trusthost
edit 1
set ipv4-trusthost 10.6.30.0 255.255.255.0
next
end
next
end

3. On a Linux PC accessible by the FortiGate, create a cURL request to trigger the automation stitch:
root@pc56:~# curl -k -X POST -H 'Authorization: Bearer ckx7d9xdzzx14Nztd1Ncr701dpwwy9' \
  --data '{ "srcip": "1.1.1.1", "mac":"00:0C:29:0B:A6:16", "fctuid": "A8BA0B12DA694E47BA4ADF24F8358E2F"}' \
  https://172.17.48.225:4431/api/v2/monitor/system/automation-stitch/webhook/auto_webhook

4. In FortiOS, verify the automation stitch is triggered and the action is executed:
# diagnose test application autod 2
csf: enabled  root:yes
version:1592949233 sync time:Tue Jun 23 15:03:15 2020

total stitches activated: 1

stitch: auto_webhook
destinations: all
trigger: auto_webhook

(id:15)service=auto_webhook

local hit: 1 relayed to: 0 relayed from: 0

actions:
auto_webhook_quarantine-fortinac type:quarantine-fortinac interval:0

date=2020-06-23 time=15:25:44 logdesc="Internal Message" path="system" name="automation-stitch"
action="webhook" mkey="auto_webhook" srcip="1.1.1.1" mac="00:0C:29:0B:A6:16"
fctuid="A8BA0B12DA694E47BA4ADF24F8358E2F" vdom="root" service="auto_webhook"

date=2020-06-23 time=15:25:44 logid="0100046600" type="event" subtype="system"
level="notice" vd="root" eventtime=1592951144401490054 tz="-0700" logdesc="Automation
stitch triggered" stitch="auto_webhook" trigger="auto_webhook"
stitchaction="auto_webhook_quarantine-fortinac" from="log" msg="stitch:auto_webhook is triggered."

Assign VMware NSX security tag action

If an endpoint instance in a VMware NSX environment is compromised, this action will assign the configured security tag
to the compromised endpoint.
This action is only available when the automation trigger is set to compromised host.
To set up the NSX quarantine action, you need to:
1. Configure a VMware NSX SDN connector
2. Configure an NSX security tag automation stitch
3. Configure FortiAnalyzer logging on the FortiGate

Configure a VMware NSX SDN connector

The FortiGate retrieves security tags from the VMware NSX server through the connector.

To configure a VMware NSX SDN connector in the GUI:

1. Go to Security Fabric > External Connectors.


2. Click Create New.
3. Select VMware NSX.
4. Configure the settings.

5. Click OK.

To configure a VMware NSX SDN connector in the CLI:

config system sdn-connector


edit "nsx"
set type nsx
set server "172.18.64.32"
set username "admin"
set password xxxxxx
next
end

Configure an NSX security tag automation stitch

Security tags are retrieved from the VMware NSX server through the NSX SDN connector.

To configure an NSX security tag automation stitch in the GUI:

1. Go to Security Fabric > Automation.


2. Click Create New.
3. In the Trigger section, select Compromised Host.
4. In the Action section, select Assign VMware NSX Security Tag.

5. Configure the settings.

6. Click OK.

To configure an NSX security tag automation stitch in the CLI:

1. Create an automation action:


config system automation-action
edit "pcui-test_quarantine-nsx"
set action-type quarantine-nsx
set security-tag "pcui-tag2"
set sdn-connector "nsx"
next
end

2. Create an automation trigger:


config system automation-trigger
edit "pcui-test"
set ioc-level high
next
end

3. Create the automation stitch:


config system automation-stitch
edit "pcui-test"
set trigger "pcui-test"
set action "pcui-test_quarantine-nsx"
next
end

Configure FortiAnalyzer logging on the FortiGate

The FortiAnalyzer is used to send endpoint compromise notifications to the FortiGate.


See Configuring FortiAnalyzer on page 150 for more information.

To configure FortiAnalyzer logging in the GUI:

1. Go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
2. Click Enabled and configure the settings as needed.
3. Click Apply.

To configure FortiAnalyzer logging in the CLI:

config log fortianalyzer setting


set status enable
set server "172.18.64.234"
set serial "FL-8HFT718900132"
set upload-option realtime
set reliable enable
end

When an endpoint instance is compromised

When an endpoint instance, such as pcui-ubuntu2, in the VMware NSX environment is compromised, the automation
stitch is triggered. The FortiGate then assigns the configured security tag, pcui-tag2 in this example, to the compromised
NSX endpoint instance.

Assign VMware NSX-T security tag action

The vCenter server and credentials of a VMware NSX SDN connector can be configured so that the FortiGate resolves
NSX-T VMs. The FortiGate uses the Assign VMware NSX Security Tag automation action to assign a tag to the VM through
an automation stitch.
The FortiGate is notified of a compromised host on the NSX-T network by an incoming webhook or other means, such as
FortiGuard IOC. An automation stitch can be configured to process this trigger and respond by assigning a VMware NSX
security tag to the VM instance.

To configure an automation stitch to assign a security tag to NSX-T VMs in the GUI:

1. Configure the NSX SDN connector:


a. Go to Security Fabric > External Connectors and click Create New.
b. Select VMware NSX.
c. Configure the connector settings.

d. Enable vCenter Settings and configure as needed.

e. Click OK.
2. Configure the automation stitch:
a. Go to Security Fabric > Automation and click Create New.
b. In the Trigger section, select Incoming Webhook.
c. In the Action section, select Assign VMware NSX Security Tag.
d. Enable Specify NSX server(s) and enter a server.
e. Enter a Security tag.

f. Click OK.

3. In NSX-T, create a cURL request to trigger the automation stitch on the FortiGate:
root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' \
  --data '{ "srcip": "10.1.30.242"}' \
  https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
{
"http_method":"POST",
"status":"success",
"http_status":200,
"serial":"FGVM08TM20000220",
"version":"v6.4.0",
"build":1608
}

The automation stitch is triggered and the configured tag is added to the NSX-T VM.

In FortiOS, the Security Fabric > Automation page shows the last trigger time.

To configure an automation stitch to assign a security tag to NSX-T VMs in the CLI:

1. Configure the NSX SDN connector:


config system sdn-connector
edit "nsx_t25"
set type nsx
set server "172.18.64.205"
set username "admin"
set password xxxxxx
set vcenter-server "172.18.64.201"
set vcenter-username "[email protected]"
set vcenter-password xxxxxx
next
end

2. Configure the automation stitch:


config system automation-action
edit "auto_webhook_quarantine-nsx"
set action-type quarantine-nsx
set security-tag "automation_tag"
set sdn-connector "nsx_t25"
next
end
config system automation-trigger
edit "auto_webhook"
set trigger-type event-based
set event-type incoming-webhook
next
end
config system automation-stitch
edit "auto_webhook"
set status enable
set trigger "auto_webhook"
set action "auto_webhook_quarantine-nsx"
next
end

3. In NSX-T, create a cURL request to trigger the automation stitch on the FortiGate:
root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' \
  --data '{ "srcip": "10.1.30.242"}' \
  https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
{
"http_method":"POST",
"status":"success",
"http_status":200,
"serial":"FGVM08TM20000220",
"version":"v6.4.0",
"build":1608
}

To verify the automation stitch is triggered and the action is executed:

# diagnose test application autod 2
csf: enabled root:yes
version:1586883541 sync time:Tue Apr 14 11:04:05 2020

total stitches activated: 1

stitch: auto_webhook
destinations: all
trigger: auto_webhook

(id:15)service=auto_webhook

local hit: 1 relayed to: 0 relayed from: 0

actions:
auto_webhook_quarantine-nsx type:quarantine-nsx interval:0
security tag:automation_tag
sdn connector:
nsx_t25;
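
The webhook trigger requests shown in the FortiNAC and NSX-T procedures above, as an added Python example that is not part of this guide: it builds the same POST the cURL commands send, checks the MAC address that the FortiNAC action disables, and interprets the JSON reply. The hostname, port, API key and stitch name in the usage section are placeholders; the sample reply is copied from the NSX-T output above.

```python
import json
import re
import ssl
import urllib.request

# Incoming-webhook trigger endpoint on FortiOS (path as shown in the guide).
WEBHOOK_PATH = "/api/v2/monitor/system/automation-stitch/webhook/{stitch}"
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def valid_mac(mac):
    """True for a colon-separated MAC such as 00:0C:29:0B:A6:16."""
    return bool(MAC_RE.match(mac))


def build_webhook_request(host, port, stitch, api_key, payload):
    """Return (url, headers, body) for the POST that triggers the stitch.

    payload is the JSON object handed to the stitch's actions, for example
    {"srcip": ..., "mac": ..., "fctuid": ...} for Quarantine via FortiNAC.
    FortiNAC disables the host by its MAC address, so refuse a malformed one.
    """
    if "mac" in payload and not valid_mac(payload["mac"]):
        raise ValueError(f"malformed MAC address: {payload['mac']!r}")
    url = f"https://{host}:{port}{WEBHOOK_PATH.format(stitch=stitch)}"
    headers = {
        "Authorization": f"Bearer {api_key}",  # REST API admin key
        "Content-Type": "application/json",
    }
    return url, headers, json.dumps(payload).encode()


def stitch_triggered(response_text):
    """True when the FortiOS JSON reply reports the stitch was accepted."""
    try:
        reply = json.loads(response_text)
    except ValueError:
        return False
    return reply.get("status") == "success" and reply.get("http_status") == 200


def trigger_stitch(host, port, stitch, api_key, payload, verify_tls=True):
    """Send the request; verify_tls=False mirrors curl -k for a self-signed cert."""
    url, headers, body = build_webhook_request(host, port, stitch, api_key, payload)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return stitch_triggered(resp.read().decode())


# Constructed sample reply, copied from the NSX-T cURL output above.
SAMPLE_REPLY = ('{"http_method":"POST","status":"success","http_status":200,'
                '"serial":"FGVM08TM20000220","version":"v6.4.0","build":1608}')

if __name__ == "__main__":
    # Placeholder FortiGate address, key and stitch name (assumptions, not from the guide).
    url, headers, body = build_webhook_request(
        "fortigate.example.invalid", 4431, "auto_webhook", "<api-key>",
        {"srcip": "1.1.1.1", "mac": "00:0C:29:0B:A6:16",
         "fctuid": "A8BA0B12DA694E47BA4ADF24F8358E2F"})
    print(url, body.decode(), stitch_triggered(SAMPLE_REPLY))
```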

AWS Lambda action

AWS Lambda functions can be called when an automation stitch is triggered.

To configure an AWS Lambda function automation stitch in the GUI:

1. Go to Security Fabric > Automation.


2. Click Create New.
3. Enter a name for the stitch, and select the FortiGate devices that it will be applied to.
4. Select a trigger, such as Security Rating Summary.

5. Select AWS Lambda Function and configure its settings.

Name         The action name.
Delay        The amount of time after the previous action before this action executes, in
             seconds (0 - 3600, default = 0).
API gateway  The API gateway URL, in the format:
             {restapi-id}.execute-api.{region}.{domain}/{stage}/{path}
             The CLI must be used to manually enter the individual parameters.
API key      The API key configured in your API gateway.
HTTP header  The HTTP request header name and value. Multiple headers can be added.
+            Click to add another action.
             Actions can be reorganized as needed by dragging and dropping.

6. Click OK.

To configure an AWS Lambda function automation stitch in the CLI:

1. Create an automation action:


config system automation-action
edit "aws-action-1"
set action-type aws-lambda
set aws-api-id "0100000000"
set aws-region "us-east-2"
set aws-api-stage "default"
set aws-api-path "xxxxx-autobatoon-XXX-lambdaXXX"
set aws-api-key *************
next
end

2. Create an automation trigger:


config system automation-trigger
edit "auto-aws"
set event-type security-rating-summary
next
end

3. Create the automation stitch:


config system automation-stitch
edit "auto-aws"
set trigger "auto-aws"
set action "aws-action-1"
next
end

When the automation stitch is triggered, the FortiGate shows the stitch trigger time:

In AWS, the log shows that the function was called, executed, and finished.

Azure Function action

Azure functions can be called when an automation stitch is triggered.

To configure an Azure function automation stitch in the GUI:

1. Go to Security Fabric > Automation.


2. Click Create New.
3. Enter a name for the stitch, and select the FortiGate devices that it will be applied to.
4. Select a trigger, such as Security Rating Summary.

5. Select Azure Function and configure its settings.

Name           The action name.
Delay          The amount of time after the previous action before this action executes, in
               seconds (0 - 3600, default = 0).
API gateway    The API gateway URL, in the format:
               {application}.{domain}/api/{function}
               The CLI must be used to manually enter the individual parameters.
Authorization  The authorization level: Anonymous, Function, or Admin.
API key        The API key configured in your API gateway.
               This option is only available when Authorization is not Anonymous.
HTTP header    The HTTP request header name and value. Multiple headers can be added.
+              Click to add another action.
               Actions can be reorganized as needed by dragging and dropping.

6. Click OK.

To configure an Azure function automation stitch in the CLI:

1. Create an automation action:


config system automation-action
edit "azure_function"
set action-type azure-function
set azure-app "xxxxx00-no-delete-xxxx"
set azure-function "headersResponse"
set azure-function-authorization function
set azure-api-key **********
set headers "header1:value1" "header2:value2"
next
end

2. Create an automation trigger:


config system automation-trigger
edit "auto-azure"
set event-type security-rating-summary
next
end

3. Create the automation stitch:


config system automation-stitch
edit "auto-azure"
set trigger "auto-azure"
set action "azure_function"
next
end

When the automation stitch is triggered, the FortiGate shows the stitch trigger time:

In Azure, the function log shows that the function was called, executed, and finished:

Google Cloud Function action

Google Cloud functions can be called when an automation stitch is triggered.

To configure a Google Cloud function automation stitch in the GUI:

1. Go to Security Fabric > Automation.


2. Click Create New.
3. Enter a name for the stitch, and select the FortiGate devices that it will be applied to.
4. Select a trigger, such as Security Rating Summary.
5. Select Google Cloud Function and configure its settings.

Name         The action name.
Delay        The amount of time after the previous action before this action executes, in
             seconds (0 - 3600, default = 0).
API gateway  The API gateway URL, in the format:
             {region}-{project}{domain}/{function}
             The CLI must be used to manually enter the individual parameters.
HTTP header  The HTTP request header name and value. Multiple headers can be added.
+            Click to add another action.
             Actions can be reorganized as needed by dragging and dropping.

6. Click OK.

To configure a Google Cloud function automation stitch in the CLI:

1. Create an automation action:


config system automation-action
edit "google-echo"
set action-type google-cloud-function
set gcp-function-region "us-central1"
set gcp-project "xxx-xxxxxxx-000-000000"
set gcp-function-domain "cloudfunctions.net"
set gcp-function "xxxx-echo"
set headers "echo-header:echo-value"
next
end

2. Create an automation trigger:


config system automation-trigger
edit "auto-google1"
set event-type security-rating-summary
next
end

3. Create the automation stitch:


config system automation-stitch
edit "auto-google1"
set trigger "auto-google1"
set action "google-echo"
next
end

When the automation stitch is triggered, the FortiGate shows the stitch trigger time:

In Google Cloud, go to Logs to see the function log showing that the configured function was called, executed, and
finished:

AliCloud Function action

AliCloud functions can be called when an automation stitch is triggered.

To configure an AliCloud function automation stitch in the GUI:

1. Go to Security Fabric > Automation.


2. Click Create New.
3. Enter a name for the stitch, and select the FortiGate devices that it will be applied to.
4. Select a trigger, such as Security Rating Summary.
5. Select AliCloud Function and configure its settings.

Name              The action name.
Delay             The amount of time after the previous action before this action executes, in
                  seconds (0 - 3600, default = 0).
HTTP URL          The HTTP URL, in the format:
                  {account id}.{region}.{domain}/{version}/proxy/{service}/{function}
                  The CLI must be used to manually enter the individual parameters.
Authorization     The authorization level: Anonymous or Function.
AccessKey ID      The access key ID.
                  This option is only available when Authorization is Function.
AccessKey Secret  The access key secret.
                  This option is only available when Authorization is Function.
HTTP header       The HTTP request header name and value. Multiple headers can be added.
+                 Click to add another action.
                  Actions can be reorganized as needed by dragging and dropping.

6. Click OK.

To configure an AliCloud function automation stitch in the CLI:

1. Create an automation action:


config system automation-action
edit "Ali-Action-1"
set action-type alicloud-function
set alicloud-account-id "0000000000000000"
set alicloud-region "us-east-1"
set alicloud-version "2099-99-99"
set alicloud-service "test-function"
set alicloud-function "echoBodyAuth"
set alicloud-function-authorization function
set alicloud-access-key-id "XXXXXxXXXXxxxxxx"
set alicloud-access-key-secret xxxxxx
next
end

2. Create an automation trigger:


config system automation-trigger
edit "auto-ali"
set event-type security-rating-summary
next
end

3. Create the automation stitch:


config system automation-stitch
edit "auto-ali"
set trigger "auto-ali"
set action "Ali-Action-1"
next
end

When the automation stitch is triggered, the FortiGate shows the stitch trigger time:

In AliCloud, the function log shows that the function was called, executed, and finished:

Slack Notification action

To configure an automation stitch with a Slack Notification action, you first need to configure an incoming webhook in
Slack. Then you can enter the webhook URL when you configure the Slack Notification action.
This example uses a Security Rating Summary trigger in the automation stitch with two Slack Notification actions with
different notification messages. One message is a custom message, and the other is for the Security Rating Summary
log with a 90 second delay.

To create an Incoming Webhook in Slack:

1. Go to the Slack website, and create a workspace.


2. Create a Slack application for the workspace.

3. Add an Incoming Webhook to a channel in the workspace (see Sending messages using Incoming Webhooks for
more details).

4. Activate the Incoming Webhook, and copy the Webhook URL to the clipboard.

To configure an automation stitch with Slack Notification actions in the GUI:

1. Go to Security Fabric > Automation and click Create New.


2. Enter a name for the stitch, and select the FortiGate devices that it will be applied to.
3. For Trigger, select Security Rating Summary.
4. For action, select Slack Notification, and configure the notification settings.
a. First action:

Name slack1

Delay 0

URL Paste the webhook URL from the clipboard

Message This is test for slack notification.

b. Click the + and configure the second action:

Name slack2

Delay 90

URL Paste the webhook URL from the clipboard

Message %%log%%

5. Click OK.
6. Run the automation stitch to trigger the action.

To configure an automation stitch with Slack Notification actions in the CLI:

1. Create the Slack Notification actions:


config system automation-action
edit "slack1"
set action-type slack-notification
set minimum-interval 0
set delay 0
set required disable
set message "This is test for slack notification."
set uri "hooks.slack.com/services/xxxxxxxxx/xxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx"
next
edit "slack2"
set action-type slack-notification
set minimum-interval 0
set delay 90
set required disable
set message "%%log%%"
set uri "hooks.slack.com/services/xxxxxxxxx/xxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx"
next
end
2. Create the automation trigger:
config system automation-trigger
edit "auto-rating"
set trigger-type event-based
set event-type security-rating-summary
next
end
3. Configure the automation stitch:
config system automation-stitch
edit "auto-rating"
set status enable
set trigger "auto-rating"
set action "slack1" "slack2"
next
end
4. Trigger the automation stitch.
The notification action is triggered in FortiGate.

The message you entered in the automation stitch is delivered to the Slack channel.

Webhook action

The webhook automation stitch action makes HTTP and HTTPS requests to a specified server, with custom headers,
bodies, ports, and methods. It can be used to leverage the ubiquity of HTTP requests and APIs to integrate with many
other tools.

The URI and HTTP body can use parameters from logs or previous action results. Wrapping
the parameter with %% will replace the expression with the JSON value for the parameter, for
example: %%results.source%% is the source property from the previous action.

In this example, a specific log message (a failed administrator login attempt) triggers the FortiGate to send the contents
of the log to a server. The server responds with a generic reply. This example assumes that the server is already
configured and able to communicate with the FortiGate.

To configure the webhook automation stitch in the GUI:

1. Go to Security Fabric > Automation.


2. Click Create New.
3. Enter a name for the stitch, and select the FortiGate devices that it will be applied to.
4. Select the trigger FortiOS Event Log.
5. Set Event to Admin login failed.
6. Select Webhook and configure the settings:

Name         The action name.
Delay        The amount of time after the previous action before this action executes, in
             seconds (0 - 3600, default = 0).
Protocol     The request protocol to use: HTTP or HTTPS.
Method       The request method: POST, PUT, GET, PATCH, or DELETE.
URI          The request API URI.
Port         The protocol port.
HTTP body    The request body, if required, as a serialized JSON string.
             Use the parameter %%log%% to send the contents of the log from the trigger.
HTTP header  The HTTP request header name and value.
+            Click to add another action.
             Actions can be reorganized as needed by dragging and dropping.

7. Click OK.

To configure the webhook automation stitch in the CLI:

1. Create the automation action:


config system automation-action
edit "Send Log To Server"
set action-type webhook
set uri "172.16.200.44"
set http-body "%%log%%"
set port 80
set headers "Header:1st Action"
next
end

2. Create an automation trigger:


config system automation-trigger
edit "badLogin"
set event-type event-log
set logid 32002
next
end

3. Create the automation stitch:


config system automation-stitch
edit "badLogin"
set trigger "badLogin"
set action "Send Log To Server"
next
end

To test the automation stitch:

1. Attempt to log in to the FortiGate with an incorrect username or password.


2. On the server, check the log to see that its contents have been sent by the FortiGate.

The body content is replaced with the log of the trigger.

3. On the FortiGate, go to Log & Report > Events and select System Events to confirm that the stitch was activated.

4. Go to Security Fabric > Automation to see the last time that the stitch was triggered.
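
The server side of this stitch, as an added Python example that is not part of this guide: it receives the POST whose body is the %%log%% expansion, parses the FortiOS key=value record (quoted values may contain spaces), pulls out the fields a responder needs from the Admin login failed event (logid 32002), and answers with a generic JSON reply shaped like the one in the debug output later in this section. The listening port, the reply contents and the printed summary are assumptions; the sample log is copied from the log dump below.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# One key=value pair: the value is either "quoted" (may contain spaces and
# \" escapes) or a bare token such as srcip=10.6.30.254.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(body):
    """Turn a FortiOS key=value log record into a dict with quotes removed."""
    fields = {}
    for key, value in PAIR_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def summarize_admin_login_failure(fields):
    """Pick out what a responder needs from logid 32002 (Admin login failed)."""
    if fields.get("logid") != "0100032002":
        return None
    return {
        "user": fields.get("user"),
        "srcip": fields.get("srcip"),
        "ui": fields.get("ui"),
        "reason": fields.get("reason"),
        "time": f"{fields.get('date')} {fields.get('time')}",
    }


# Generic reply, shaped like the response body in the debug output (assumed values).
GENERIC_REPLY = {"userId": 1, "id": 1, "title": "Test Response",
                 "body": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}


class StitchWebhookHandler(BaseHTTPRequestHandler):
    """Accepts the POST the webhook action sends with http-body %%log%%."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        summary = summarize_admin_login_failure(parse_fortios_log(body))
        # The custom header set on the action ("Header:1st Action") arrives here.
        print("Header:", self.headers.get("Header"), "summary:", summary)
        reply = json.dumps(GENERIC_REPLY).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


# Constructed sample, copied from the log dump in the Diagnose commands section.
SAMPLE_LOG = (
    'date=2019-05-30 time=17:41:03 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" eventtime=1559263263858888451 tz="-0700" logdesc="Admin login '
    'failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254 '
    'dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator admin login failed from http(10.6.30.254) because of invalid password"'
)

if __name__ == "__main__":
    print(summarize_admin_login_failure(parse_fortios_log(SAMPLE_LOG)))
    # The action above posts to port 80; 8080 is used here to avoid needing privileges.
    HTTPServer(("0.0.0.0", 8080), StitchWebhookHandler).serve_forever()
```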

Diagnose commands
- Enable log dumping:
# diagnose test application autod 1
autod dumped total:1 logs, num of logids:1
autod log dumping is enabled

vdom:root(0) logid:32002 len:408 log:
date=2019-05-30 time=17:41:03 logid="0100032002" type="event" subtype="system"
level="alert" vd="root" eventtime=1559263263858888451 tz="-0700" logdesc="Admin login
failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254
dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid"
msg="Administrator admin login failed from http(10.6.30.254) because of invalid
password"
autod log dumping is disabled

autod logs dumping summary:
logid:32002 count:1

autod dumped total:1 logs, num of logids:1

- Show automation settings:
# diagnose test application autod 2
csf: enabled root:yes
total stitches activated: 2

stitch: badLogin
destinations: all
trigger: badLogin

local hit: 6 relayed to: 6 relayed from: 6

actions:
Send Log To Server type:webhook interval:0
delay:0 required:no
proto:0 method:0 port:80
uri: 172.16.200.44
http body: %%log%%
headers:
0. Header:1st Action

- Show automation statistics:
# diagnose test application autod 3

stitch: badLogin

local hit: 1 relayed to: 1 relayed from: 1

last trigger:Wed Jul 10 12:14:14 2019
last relay:Wed Jul 10 12:14:14 2019

actions:
Send Log To Server:
done: 1 relayed to: 1 relayed from: 1
last trigger:Wed Jul 10 12:14:14 2019
last relay:Wed Jul 10 12:14:14 2019

logid2stitch mapping:
id:32002 local hit: 3 relayed to: 3 relayed from: 3
badLogin

action run cfg&stats:
total:55 cur:0 done:55 drop:0
email:
flags:10
stats: total:4 cur:0 done:4 drop:0
ios-notification:
flags:1
stats: total:0 cur:0 done:0 drop:0
alert:
flags:0
stats: total:0 cur:0 done:0 drop:0
disable-ssid:
flags:7
stats: total:0 cur:0 done:0 drop:0
quarantine:
flags:7
stats: total:0 cur:0 done:0 drop:0

quarantine-forticlient:
flags:4
stats: total:0 cur:0 done:0 drop:0
quarantine-nsx:
flags:4
stats: total:0 cur:0 done:0 drop:0
ban-ip:
flags:7
stats: total:0 cur:0 done:0 drop:0
aws-lambda:
flags:11
stats: total:21 cur:0 done:21 drop:0
webhook:
flags:11
stats: total:6 cur:0 done:6 drop:0
cli-script:
flags:10
stats: total:4 cur:0 done:4 drop:0
azure-function:
flags:11
stats: total:0 cur:0 done:0 drop:0
google-cloud-function:
flags:11
stats: total:0 cur:0 done:0 drop:0
alicloud-function:
flags:11
stats: total:20 cur:0 done:20 drop:0

- Enable debug output and turn on automation debug messages for about 30 minutes:
# diagnose debug enable
# diagnose debug application autod -1
__auto_generate_generic_curl_request()-358: Generating generic automation CURL request
for action (Send Log To Server).
__auto_generate_generic_curl_request()-406: Generic automation CURL request POST data
for action (Send Log To Server):
date=2019-05-30 time=16:44:43 logid="0100032002" type="event" subtype="system"
level="alert" vd="root" eventtime=1559259884209355090 tz="-0700" logdesc="Admin login
failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254
dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid"
msg="Administrator admin login failed from http(10.6.30.254) because of invalid
password"

__auto_generic_curl_request_close()-512: Generic CURL request response body from
http://172.16.200.44:
{
"userId": 1,
"id": 1,
"title": "Test Response",
"body": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
}

Slack integration webhook

A webhook can be created to post messages and notifications to Slack. For information about using incoming webhooks
in Slack, see https://api.slack.com/incoming-webhooks.
In this example, a configuration change triggers the FortiGate to post a message to Slack.

To create a webhook automation stitch for Slack integration in the GUI:

1. Go to Security Fabric > Automation.


2. Click Create New.
3. Enter a name for the stitch.
4. Select the trigger Configuration Change.
5. Select Webhook and configure the settings:

6. Click OK.

To create a webhook automation stitch for Slack integration in the CLI:

1. Create the automation action:


config system automation-action
edit "send to Slack"
set action-type webhook
set protocol https
set uri "hooks.slack.com/services/XXXXXXXX"
set http-body "{\"channel\": \"#delivery\", \"username\": \"tleela\", \"text\": \"Configuration changed\", \"icon_emoji\": \":worried:\"}"
set port 443
set headers "Content-type:application/json"
next
end

2. Create the automation trigger:


config system automation-trigger
edit "config change"
set event-type config-change
next
end

3. Create the automation stitch:


config system automation-stitch
edit "Slack"
set trigger "config change"
set action "send to Slack"
next
end

Microsoft Teams integration webhook

A webhook can be created to post messages and notifications to Microsoft Teams.


In this example, a configuration change triggers the FortiGate to post a message to Teams.

To create a webhook automation stitch for Teams integration in the GUI:

1. Create an incoming webhook in Teams. See https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook for information.
2. Go to Security Fabric > Automation.
3. Click Create New.
4. Enter a name for the stitch.
5. Select the trigger Configuration Change.

6. Select Webhook and configure the settings:

The URI is the URL from the incoming webhook created in Teams. The HTTP body can also contain log
parameters.
7. Click OK.

To create a webhook automation stitch for Teams integration in the CLI:

1. Create an incoming webhook in Teams. See https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook for information.
2. Create the automation action:
config system automation-action
edit "send to Teams"
set action-type webhook
set protocol https
set uri "outlook.office.com/webhook/XXXXXXXXXXXX/IncomingWebhook/XXXXXXXXXXXX/XXXXXXXXXXXX"
set http-body "{ \"text\": \"<message to send>\" }"
set port 443
set headers "Content-type:application/json"
next
end

3. Create the automation trigger:


config system automation-trigger
edit "Teams"
set event-type config-change
next
end

4. Create the automation stitch:


config system automation-stitch
edit "Teams"
set trigger "Teams"
set action "send to Teams"
next
end

For information about more advanced messages that can be configured and sent to the
webhook, see https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-
connectors/how-to/connectors-using

Execute a CLI script based on memory and CPU thresholds

Automation stitches can be created to run a CLI script and send an email message when memory or CPU usage
exceeds specified thresholds.

The maximum size of the CLI script action output is 16K characters. In cases where the output
exceeds 16K, the email received will contain truncated output. To avoid this, it is
recommended to limit the number of commands per script.

Automation stitches that use Conserve Mode and High CPU triggers can only be created in the
CLI. Once created, they can be edited in the GUI.

To define CPU and memory usage thresholds:

config system global
set cpu-use-threshold <percent>
set memory-use-threshold-extreme <percent>
set memory-use-threshold-green <percent>
set memory-use-threshold-red <percent>
end

Where:

cpu-use-threshold               Threshold at which CPU usage is reported, in percent of total possible CPU utilization (default = 90).
memory-use-threshold-extreme    Threshold at which memory usage is considered extreme, and new sessions are dropped, in percent of total RAM (default = 95).
memory-use-threshold-green      Threshold at which memory usage forces the FortiGate to exit conserve mode, in percent of total RAM (default = 82).
memory-use-threshold-red        Threshold at which memory usage forces the FortiGate to enter conserve mode, in percent of total RAM (default = 88).
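The three memory thresholds work as a pair of hysteresis points (enter above red, leave below green) plus a harder limit (extreme). The following Python model is an added example, not FortiOS code: it reproduces that behaviour as a small state machine so the effect of a proposed threshold change can be reasoned about before it is applied. Whether FortiOS compares strictly or non-strictly at each threshold is not stated in this guide; "above red enters, below green exits" is an assumption of the model.

```python
"""Model of the FortiOS memory-use thresholds (green / red / extreme).

Added example, not FortiOS code. It reproduces the documented meaning of
memory-use-threshold-red (enter conserve mode), -green (exit conserve
mode) and -extreme (drop new sessions) as a small state machine, so the
hysteresis between entering and leaving conserve mode can be checked
before the thresholds are changed on a production unit. The strict
comparisons ("above red enters, below green exits") are an assumption.
"""
from dataclasses import dataclass, field


def thresholds_valid(green, red, extreme):
    """The thresholds only make sense in the order green < red < extreme."""
    return 0 < green < red < extreme <= 100


@dataclass
class ConserveModeModel:
    # Defaults are the documented FortiOS 6.4 defaults, in percent of total RAM.
    green: int = 82
    red: int = 88
    extreme: int = 95
    in_conserve: bool = False
    events: list = field(default_factory=list)

    def __post_init__(self):
        if not thresholds_valid(self.green, self.red, self.extreme):
            raise ValueError("require 0 < green < red < extreme <= 100")

    def observe(self, memory_pct):
        """Feed one memory-usage sample (percent of RAM); return the new state."""
        if not self.in_conserve and memory_pct > self.red:
            self.in_conserve = True
            # This transition is what the low-memory stitch trigger fires on.
            self.events.append(("enter", memory_pct))
        elif self.in_conserve and memory_pct < self.green:
            self.in_conserve = False
            self.events.append(("exit", memory_pct))
        if self.in_conserve and memory_pct > self.extreme:
            return "conserve-extreme"   # new sessions are dropped
        return "conserve" if self.in_conserve else "normal"


def simulate(samples, **thresholds):
    """Run a sequence of usage samples; return (state per sample, transitions)."""
    model = ConserveModeModel(**thresholds)
    states = [model.observe(s) for s in samples]
    return states, model.events


if __name__ == "__main__":
    # Constructed sample sequence: climb past red, spike past extreme, then
    # fall back. 85% is not enough to leave conserve mode once inside it,
    # because exit requires dropping below green (82).
    samples = [70, 89, 96, 85, 80]
    states, events = simulate(samples)
    for pct, state in zip(samples, states):
        print(f"{pct:>3}% -> {state}")
    print("transitions:", events)
```

The point the model makes visible is the gap between red and green: a unit that enters conserve mode at 89% and then settles at 85% stays in conserve mode, so the stitch in the next section fires once on entry, not repeatedly while usage hovers between the two thresholds.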


Configuring a high memory usage stitch

In this example, an automation stitch runs two CLI scripts to collect debug information when memory usage causes the FortiGate to enter conserve mode, and the CLI output of each script is sent as an email message to a specified address.

Since the output in this example will exceed 16K, two scripts are used. The CLI scripts are run
sequentially, and an email is sent out each time a script runs.

To create an automation stitch for high memory usage:

1. Create the automation trigger:


config system automation-trigger
edit "auto_high_memory"
set event-type low-memory
next
end

2. Create the automation actions:


config system automation-action
edit "high_memory_debug1"
set action-type cli-script
set script "diagnose sys top 5 20 5
diagnose sys session full-stat
get system performance status"
set output-size 10
set timeout 0
set accprofile "super_admin"
next
edit "auto_high_memory_email1"
set action-type email
set email-to "[email protected]"
set email-subject "CSF stitch alert: high_memory1"
set message "%%results%%"
next
edit "high_memory_debug2"
set action-type cli-script
set script "diagnose sys session full-stat
diagnose hardware sysinfo shm
diagnose hardware sysinfo memory"
set accprofile "super_admin"
next
edit "auto_high_memory_email2"
set action-type email
set email-to "[email protected]"
set email-subject "CSF stitch alert: high_memory2"
set message "%%results%%"
next
end


3. Create the automation stitch:


config system automation-stitch
edit "auto_high_memory"
set trigger "auto_high_memory"
set action "high_memory_debug1" "auto_high_memory_email1" "high_memory_debug2" "auto_high_memory_email2"
next
end

Results

When the FortiGate enters conserve mode because memory-use-threshold-red is exceeded, the GUI displays a notice, and the auto_high_memory automation stitch is triggered. This causes the CLI scripts to run, and the scripts' results are emailed to the specified address.

Here is sample text from the email message:


CSF stitch alert: high_memory1
[email protected]
Tue 05/16/2023 5:34 PM
########## script name: autod.0 ##########
========== #1, 2023-05-16 17:34:17 ==========
Client_Fgt $  diagnose sys top 5 20 3
Run Time: 0 days, 0 hours and 0 minutes 61U, 0N, 6S, 33I, 0WA, 0HI, 0SI, 0ST; 1356T, 129F
ipshelper 2601 S < 61.6 8.0 0
ipsengine 2745 S < 4.9 8.5 0
cmdbsvr 2528 S N 0.0 7.9 0
cmdbsvr 2529 S 0.0 5.0 0
scanunitd 2610 S < 0.0 3.8 0
miglogd 2603 S 0.0 3.6 0
cw_acd 2634 S 0.0 3.4 0
node 2574 S 0.0 3.3 0
forticron 2584 S 0.0 2.9 0
miglogd 2693 S 0.0 2.8 0
reportd 2604 S 0.0 2.5 0
httpsd 2573 S 0.0 2.4 0
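When several of these emails arrive, the raw diagnose sys top dump is slow to read by eye. The following Python parser is an added example, not FortiOS code: it turns the per-process lines into records so the email can be triaged (which processes hold the memory, and how much of RAM is in use). The sample text is constructed from the email above; reading the header fields "1356T, 129F" as total and free memory in MB is an assumption.

```python
"""Parse the "diagnose sys top" output that the high-memory stitch emails.

Added example, not FortiOS code. The sample is constructed from the
stitch email shown in this section, including the banner and command
echo lines that the parser has to skip. Reading "1356T, 129F" as total
and free memory in MB is an assumption.
"""
import re

SAMPLE_EMAIL = """\
CSF stitch alert: high_memory1
########## script name: autod.0 ##########
========== #1, 2023-05-16 17:34:17 ==========
Client_Fgt $  diagnose sys top 5 20 3
Run Time: 0 days, 0 hours and 0 minutes 61U, 0N, 6S, 33I, 0WA, 0HI, 0SI, 0ST; 1356T, 129F
ipshelper 2601 S < 61.6 8.0 0
ipsengine 2745 S < 4.9 8.5 0
cmdbsvr 2528 S N 0.0 7.9 0
cmdbsvr 2529 S 0.0 5.0 0
scanunitd 2610 S < 0.0 3.8 0
miglogd 2603 S 0.0 3.6 0
cw_acd 2634 S 0.0 3.4 0
node 2574 S 0.0 3.3 0
forticron 2584 S 0.0 2.9 0
miglogd 2693 S 0.0 2.8 0
reportd 2604 S 0.0 2.5 0
httpsd 2573 S 0.0 2.4 0
"""

# "...; 1356T, 129F" -> total and free memory (assumed to be MB).
MEM_HEADER = re.compile(r"(?P<total>\d+)T, (?P<free>\d+)F")
# "<name> <pid> <state> [< | > | N] <cpu%> <mem%> ..." - the scheduling
# marker column is optional, which is why a plain split() is not enough.
PROC_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])"
    r"(?:\s+[<>N])?\s+(?P<cpu>\d+\.\d+)\s+(?P<mem>\d+\.\d+)"
)


def parse_sys_top(text):
    """Return (memory_summary, process_records) from diagnose sys top text."""
    summary, procs = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = MEM_HEADER.search(line)
        if m:
            summary = {"total_mb": int(m["total"]), "free_mb": int(m["free"])}
            continue
        m = PROC_LINE.match(line)
        if m:
            procs.append({
                "name": m["name"], "pid": int(m["pid"]), "state": m["state"],
                "cpu_pct": float(m["cpu"]), "mem_pct": float(m["mem"]),
            })
    return summary, procs


def used_memory_pct(summary):
    """Percentage of RAM in use, comparable with memory-use-threshold-red."""
    total, free = summary["total_mb"], summary["free_mb"]
    return round(100.0 * (total - free) / total, 1)


def top_memory_consumers(text, n=3):
    """The n processes with the largest resident-memory share."""
    _, procs = parse_sys_top(text)
    return sorted(procs, key=lambda p: p["mem_pct"], reverse=True)[:n]


def memory_by_process_name(text):
    """Sum mem% over same-named processes (several cmdbsvr/miglogd workers)."""
    _, procs = parse_sys_top(text)
    totals = {}
    for p in procs:
        totals[p["name"]] = totals.get(p["name"], 0.0) + p["mem_pct"]
    return {name: round(v, 1) for name, v in totals.items()}


if __name__ == "__main__":
    summary, _ = parse_sys_top(SAMPLE_EMAIL)
    print(f"memory in use: {used_memory_pct(summary)}% of {summary['total_mb']} MB")
    for p in top_memory_consumers(SAMPLE_EMAIL):
        print(f"{p['name']:<12} pid {p['pid']:<6} mem {p['mem_pct']}%")
```

On the sample, memory in use works out to 90.5%, which is above the default memory-use-threshold-red of 88% and consistent with the unit having entered conserve mode; aggregating by name also shows that the two cmdbsvr workers together hold more than either IPS process alone.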

Configuring a high CPU usage stitch

Similar to the previous example, an automation stitch can be created that runs a CLI script to collect debug information, and then emails the results of the script to a specified email address when the CPU usage threshold is exceeded (High CPU trigger type).
The following commands are recommended for collecting debug information, but they are not the only options. Other commands can be used.
diagnose sys cmdb info
diagnose sys vd list | grep fib
diagnose sys top 5 20 2
diagnose sys session full-stat
diagnose sys session list | grep "\<dirty\>" -c
get system performance status
diagnose sys session full-stat
diagnose hardware sysinfo memory
diagnose sys cmdb info
diagnose sys vd list | grep fib

Public and private SDN connectors

Cloud SDN connectors provide integration and orchestration of Fortinet products with public and private cloud solutions.
In a typical cloud environment, resources are dynamic and often provisioned and scaled on-demand. By using an SDN
connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security
Fabric.
To protect the East-West or North-South traffic in these environments, the FortiGate uses the SDN connector to sync the
dynamic addresses that these volatile environments use. You can then configure the dynamic address objects as
sources or destinations for firewall policies. When you make changes to cloud environment resources, such as moving
them to a new location or assigning different IP addresses to them, you do not need to modify the policy in FortiOS, as
the SDN connector syncs changes to the cloud address objects.
These configurations consist of three primary steps:
1. Configure the cloud SDN connector to connect your FortiGate and public or private cloud account.
2. Create dynamic address objects to use the SDN connector. Use filters to sync only cloud address objects that you
require.
3. Apply the dynamic address objects to your firewall policy to protect your traffic.
This chapter explores the steps in detail and describes how to connect to each currently supported cloud platform. This
chapter does not discuss cloud account role-based or permission requirements. The respective cloud documents
contain this information.
The following external connector categories are available in the Security Fabric: Public SDN, Private SDN,
Endpoint/Identity, and Threat Feeds.


If VDOMs are enabled, SDN and Threat Feeds connectors are in the global settings, and
Endpoint/Identity connectors are per VDOM.

Getting started with public and private SDN connectors

You can use SDN connectors to connect your FortiGate to public and private cloud solutions. By using an SDN
connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security
Fabric. You can use SDN connector address objects to create policies that provide dynamic access control based on
cloud environment attribute changes. There is no need to manually reconfigure addresses and policies whenever
changes to the cloud environment occur.
There are four steps to creating and using an SDN connector:
1. Gather the required information. The required information depends on which public or private cloud solution
SDN connector you are configuring.
2. Creating the SDN connector on page 299
3. Creating an SDN connector address on page 299
4. Adding the address to a firewall policy on page 301
The following provides general instructions for creating an SDN connector and using the dynamic address object in a
firewall policy. For instructions for specific public and private cloud solutions, see the relevant topic in this guide. For
advanced scenarios regarding SDN connectors, see the appropriate FortiOS 6.4 cloud platform guide.


Creating the SDN connector

To create an SDN connector in the GUI:

1. Go to Security Fabric > External Connectors.


2. Click Create New.
3. Click the desired public or private cloud.
4. Enter the Name, Status, and Update Interval for the connector.
5. Enter previously collected information for the connector as needed.
6. Click OK.

To create an SDN connector in the CLI:

config system sdn-connector
edit <name>
set status {enable | disable}
set type {connector type}
...
set update-interval <integer>
next
end

The available CLI commands vary depending on the selected SDN connector type.

Creating an SDN connector address

You can use an SDN connector address in the following ways:


- As the source or destination address for firewall policies.
- To automatically update changes to addresses in the public or private cloud environment, based on specified filters.
- To automatically apply changes to firewall policies that use the address, based on specified filters.

To create an SDN connector address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Configure the address:
a. Set the Type to Dynamic.
b. From the Sub Type dropdown list, select Fabric Connector Address.
c. From the SDN Connector dropdown list, select the desired SDN connector.
d. From the Filter dropdown list, configure the desired filter. The filters available depend on the selected SDN
connector type. The SDN connector automatically populates and updates IP addresses only for instances that
satisfy the filter requirements. In this example, the address automatically populates and updates IP addresses
only for AliCloud instances that belong to the specified security group:


You can set filtering conditions using multiple entries with AND ("&") or OR ("|"). When both AND and OR are
specified, AND is interpreted first, then OR.
e. Configure other settings as desired.
f. Click OK.
4. Ensure that the SDN connector resolves dynamic firewall IP addresses as configured:
a. Go to Policy & Objects > Addresses.
b. Hover over the address that you created to see a list of IP addresses for instances that satisfy the filter that you
configured. In this case, the IP addresses of instances that belong to the specified security group display:

To create an SDN connector address in the CLI:

1. Create the address:


config firewall address
edit <name>
set type dynamic
set sdn <sdn_connector>
set visibility enable
set associated-interface <interface_name>
set color <integer>
...
set comment <comment>
config tagging
edit <name>
set category <string>
set tags <strings>
next
end
next
end


2. Ensure that the SDN connector resolves dynamic firewall IP addresses as configured by running show. The
following shows example output:
config firewall address
edit "ali-address-security"
set type dynamic
config list
edit "10.0.0.16"
next
edit "10.0.0.17"
next
edit "10.0.20.20"
next
end
...
next
end

The available CLI commands vary depending on the selected SDN connector type.

Adding the address to a firewall policy

You can use an SDN connector address as the source or destination address in a policy.

To add the address to a firewall policy in the GUI:

1. Go to Policy & Objects > Firewall Policy.


2. Click Create New.
3. Use the SDN connector address as the source or destination address.
4. Configure the remaining settings as needed.
5. Click OK.

To add the address to a firewall policy in the CLI:

config firewall policy
edit 0
set name <name>
set srcintf <port_name>
set dstintf <port_name>
set srcaddr <firewall_address>
set dstaddr <firewall_address>
set action accept
set schedule <schedule>
set service <service>
next
end


Connector tooltips

In Security Fabric > External Connectors, hover over an SDN connector to view a tooltip that shows basic configuration
information.

Three buttons provide additional information:

Button                    Information
View Connector Objects    Connector's dynamic objects, such as filters and instances.
View Policies             List of policies that use the dynamic addresses from the connector.
View Automation Rules     List of automation actions that use the connector.

AliCloud SDN connector using access key

FortiOS automatically updates dynamic addresses for AliCloud using an AliCloud SDN connector, including mapping the
following attributes from AliCloud instances to dynamic address groups in FortiOS:
- ImageId
- InstanceId
- SecurityGroupId
- VpcId
- VSwitchId
- TagKey
- TagValue

To configure AliCloud SDN connector using the GUI:

1. Configure the AliCloud SDN connector:


a. Go to Security Fabric > External Connectors.
b. Click Create New, and select AliCloud.
c. Configure as shown, substituting the access key, secret, and region ID for your deployment. The update interval is in seconds.

2. Create a dynamic firewall address for the configured AliCloud SDN connector:
a. Go to Policy & Objects > Addresses.
b. Click Create New, then select Address.
c. Configure the address as shown, selecting the desired filter in the Filter dropdown list. In this example, the
address automatically populates and updates IP addresses only for AliCloud instances that belong to the
specified security group:

3. Ensure that the AliCloud SDN connector resolves dynamic firewall IP addresses:
a. Go to Policy & Objects > Addresses.
b. Hover over the address created in step 2 to see a list of IP addresses for instances that belong to the security
group configured in step 2:


To configure AliCloud SDN connector using CLI commands:

1. Configure the AliCloud SDN connector:


config system sdn-connector
edit "ali1"
set type acs
set access-key "LTAIKmERWEuEOChg"
set secret-key xxxxx
set region "us-west-1"
set update-interval 30
next
end
2. Create a dynamic firewall address for the configured AliCloud SDN connector with the supported AliCloud filter. In
this example, the AliCloud SDN connector automatically populates and updates IP addresses only for instances
that belong to the specified security group:
config firewall address
edit "ali-address-security"
set type dynamic
set sdn "ali1"
set filter "SecurityGroupId=sg-rj9bp5ax5kwy3gqdizqb"
next
end
3. Confirm that the AliCloud SDN connector resolves dynamic firewall IP addresses using the configured filter:
config firewall address
edit "ali-address-security"
set type dynamic
set sdn "ali1"
set filter "SecurityGroupId=sg-rj9bp5ax5kwy3gqdizqb"
config list
edit "10.0.0.16"
next
edit "10.0.0.17"
next
edit "10.0.0.20"
next
end
next
end

AWS SDN connector using certificates

FortiOS automatically updates dynamic addresses for AWS using an AWS SDN connector, including mapping attributes
from AWS instances to dynamic address groups in FortiOS.
Configuring the SDN connector using the GUI, then checking the configuration using the CLI is recommended.

To configure an AWS SDN connector using the GUI:

1. Configure the AWS SDN connector:


a. Go to Security Fabric > External Connectors.
b. Click Create New, and select Amazon Web Services (AWS).
c. In the Access key ID field, enter the key created in the AWS management portal.


d. In the Secret access key field, enter the secret access key accompanying the access key.
e. In the Region name field, enter the region name. Refer to AWS Regions and Endpoints for the desired region
name.
f. In the VPC ID field, enter the VPC ID within the specified region you desire to cover with the SDN connector.
g. Click OK.
2. Check the configuration using the CLI:
config system sdn-connector
edit "<connector-name>"
show
The output resembles the following:
config system sdn-connector
edit "<connector-name>"
set access-key "<example-access-key>"
set secret-key ENC <example-secret-key>
set region "us-west-2"
set vpc-id "vpc-e1e4b587"
set update-interval 1
next
end
If you see that the SDN connector is not enabled in Security Fabric > External Connectors in the GUI, run the following commands to enable debug output for the awsd daemon and see why the connector is failing:
diagnose deb application awsd -1
diagnose debug enable
The output may display an error like the following:
FGT # awsd sdn connector AWS_SDN prepare to update
awsd sdn connector AWS_SDN start updating
aws curl response err, 403
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not
authorized to perform this
operation.</Message></Error></Errors><RequestID>8403cc11-b185-41da-ad6d-
23bb4db7d00a</RequestID></Response>
awsd curl failed 403
awsd sdn connector AWS_SDN failed to get instance list
aws curl response err, 403
{"Message":"User: arn:aws:iam::956224459807:user/jcarcavallo is not authorized to
perform: eks:ListClusters on resource: arn:aws:eks:us-east-
1:956224459807:cluster/*"}
awsd sdn connector AWS_SDN get EKS cluster list failed
awsd sdn connector AWS_SDN list EKS cluster failed
awsd sdn connector AWS_SDN start updating IP addresses
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 569
In this case, you must configure power user access for the current administrator in the AWS management console:


After configuring power user access, run the following commands:
diagnose deb application awsd -1
diagnose debug enable
The output should display without error, as follows:
FGT # AWSD: update sdn connector AWS_SDN status to enabled
awsd sdn connector AWS_SDN prepare to update
awsd sdn connector AWS_SDN start updating
awsd get ec2 instance info successfully
awsd sdn connector AWS_SDN start updating IP addresses
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 893
The AWS connector is now enabled.
3. Create a dynamic firewall address for the configured AWS SDN connector:
a. Go to Policy & Objects > Addresses.
b. Click Create New, then select Address.
c. From the Type dropdown list, select Dynamic.
d. From the Sub Type dropdown list, select Fabric Connector Address.


e. In the Filter field, add the desired filters. The following filters are supported:

Description                                Key                           Example value
Architecture                               architecture                  x86
Autoscaling group                          AutoScaleGroup                10703c-4f731e90-fortigate-payg-auto-scaling-group
AZ                                         placement.availabilityzone    us-east-1a
Group name                                 placement.groupname
Image ID                                   imageId                       ami-123456
Instance ID                                instanceId                    i-12345678
Instance type                              instanceType                  t2.micro
Key name                                   keyName
Kubernetes cluster                         k8s_cluster
Kubernetes label and its name              k8s_label.Name
Kubernetes namespace                       k8s_namespace
Kubernetes node name                       k8s_nodename
Kubernetes pod name                        k8s_podname
Kubernetes region                          k8s_region
Kubernetes service name                    k8s_servicename
Kubernetes zone                            k8s_zone
Private DNS name                           privateDnsName                ip-172-31-10-211.us-west-2.compute.internal
Public DNS name                            publicDnsName                 ec2-54-202-168-254.us-west-2.compute.amazonaws.com
Security group ID                          SecurityGroupId
Subnet ID                                  subnetId                      sub-123456
Tag and its name (maximum of eight tags)   tag.Name
Tenancy placement                          placement.tenancy
VPC ID                                     VpcId


4. Ensure that the AWS SDN connector resolves dynamic firewall IP addresses:


a. Go to Policy & Objects > Addresses.
b. Hover over the address created in step 2 to see a list of IP addresses for instances that belong to the security
group configured in step 2.
The following is an example for a public SDN address type:

The following is an example for a private SDN address type:

To configure AWS SDN connector using CLI commands:

1. Configure the AWS connector:


config system sdn-connector
edit "<connector-name>"
set access-key "<example-access-key>"
set secret-key ENC <example-secret-key>
set region "us-west-2"
set vpc-id "vpc-e1e4b587"
set update-interval 1
next
end
2. Create a dynamic firewall address for the configured AWS SDN connector with the supported filter:
config firewall address
edit "aws-ec2"
set type dynamic
set sdn "<connector-name>"
set filter "SecurityGroupId=sg-05f4749cf84267548"
set sdn-addr-type public
next
edit "aws-eks1"
set type dynamic
set sdn "<connector-name>"
set filter "K8S_Region=us-west-2"
next
end
3. Confirm that the AWS SDN connector resolves dynamic firewall IP addresses using the configured filter:
config firewall address
edit "aws-ec2"
set type dynamic
set sdn "<connector-name>"
set filter "SecurityGroupId=sg-05f4749cf84267548"
set sdn-addr-type public
config list
edit "34.222.246.198"
next
edit "54.188.139.177"
next
edit "54.218.229.229"
next
end
next
edit "aws-eks1"
set type dynamic
set sdn "<connector-name>"
set filter "K8S_Region=us-west-2"
config list
edit "192.168.114.197"
next
edit "192.168.167.20"
next
edit "192.168.180.72"
next
edit "192.168.181.186"
next
edit "192.168.210.107"
next
end
next
end

To add an EC2 instance to test automatic address population:

1. Assume that you want to boot up another instance with an IP address of 34.222.246.178, which is currently
stopped. This instance belongs to the security group that the aws-ec2 address is filtering for. In the AWS
management portal, start the instance.
2. Verify that the instance is running.
3. At this point, running show again shows the SDN connector has automatically populated and added the
34.222.246.178 instance.
config firewall address
edit "aws-ec2"
set type dynamic
set sdn "<connector-name>"
set filter "SecurityGroupId=sg-05f4749cf84267548"
set sdn-addr-type public
config list
edit "34.222.246.198"
next
edit "54.188.139.177"
next
edit "54.218.229.229"
next
edit "34.222.246.178"
next
end
next
end
Therefore, administrators do not need to add this instance to the address manually. When a firewall policy is applied
to this address, 34.222.246.178 is automatically covered.
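The awsd debug output earlier in this section is the place to look when the connector stays disabled, and the useful detail in it is easy to miss: the EKS response names the exact IAM action that was denied, while the EC2 response only carries an UnauthorizedOperation code. The following Python helper is an added example, not FortiOS code: it extracts those signals from the debug lines so the missing permission can be identified specifically rather than addressed with broad power-user access. Both samples are constructed from the output shown above; the account ID, user name and request ID in them are placeholders.

```python
"""Triage helper for awsd debug output from an AWS SDN connector.

Added example, not FortiOS code. It reads the lines printed by
"diagnose debug application awsd -1" and pulls out the HTTP status
codes, the EC2 error code and the IAM action named in the EKS denial.
The two samples are constructed from the output shown in this section;
account ID, user name and request ID are placeholders.
"""
import re

SAMPLE_AWSD_DENIED = """\
awsd sdn connector AWS_SDN prepare to update
awsd sdn connector AWS_SDN start updating
aws curl response err, 403
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>00000000-0000-0000-0000-000000000000</RequestID></Response>
awsd curl failed 403
awsd sdn connector AWS_SDN failed to get instance list
aws curl response err, 403
{"Message":"User: arn:aws:iam::123456789012:user/sdn-connector is not authorized to perform: eks:ListClusters on resource: arn:aws:eks:us-east-1:123456789012:cluster/*"}
awsd sdn connector AWS_SDN get EKS cluster list failed
awsd sdn connector AWS_SDN list EKS cluster failed
awsd sdn connector AWS_SDN start updating IP addresses
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 569
"""

SAMPLE_AWSD_OK = """\
AWSD: update sdn connector AWS_SDN status to enabled
awsd sdn connector AWS_SDN prepare to update
awsd sdn connector AWS_SDN start updating
awsd get ec2 instance info successfully
awsd sdn connector AWS_SDN start updating IP addresses
awsd sdn connector AWS_SDN finish updating IP addresses
awsd reap child pid: 893
"""

CONNECTOR = re.compile(r"awsd sdn connector (\S+) ")
HTTP_ERROR = re.compile(r"aws curl response err, (\d+)")
EC2_CODE = re.compile(r"<Code>([^<]+)</Code>")          # EC2 XML error body
IAM_DENIED = re.compile(r"not authorized to perform: (\S+) on resource")  # EKS JSON body
FAILED_STEP = re.compile(r"^awsd sdn connector \S+ (.*failed.*)$", re.M)


def parse_awsd_debug(text):
    """Collect the error signals from one awsd update cycle."""
    connector = CONNECTOR.search(text)
    return {
        "connector": connector.group(1) if connector else None,
        "http_errors": [int(c) for c in HTTP_ERROR.findall(text)],
        "ec2_error_codes": EC2_CODE.findall(text),
        "denied_actions": IAM_DENIED.findall(text),
        "failed_steps": FAILED_STEP.findall(text),
        "finished": "finish updating IP addresses" in text,
    }


def diagnose(text):
    """Human-readable findings; an empty list means a clean update cycle."""
    r = parse_awsd_debug(text)
    findings = []
    for code in r["ec2_error_codes"]:
        # The EC2 body does not name the action; the next debug line shows
        # which step failed (here, listing instances).
        findings.append(f"EC2 API returned {code}: the IAM identity cannot list instances")
    for action in r["denied_actions"]:
        findings.append(f"IAM denies {action}: grant that action rather than broad access")
    if r["http_errors"] and not r["ec2_error_codes"] and not r["denied_actions"]:
        findings.append(f"HTTP errors {r['http_errors']} without a parsed reason: inspect the response body")
    if findings and r["finished"]:
        findings.append("cycle still reported 'finish updating IP addresses': address lists may be empty")
    return findings


if __name__ == "__main__":
    for label, sample in (("denied", SAMPLE_AWSD_DENIED), ("ok", SAMPLE_AWSD_OK)):
        print(f"[{label}] connector={parse_awsd_debug(sample)['connector']}")
        for finding in diagnose(sample) or ["no errors"]:
            print("  -", finding)
```

Note that in the failing cycle awsd still logs "start/finish updating IP addresses" after the 403s, so a healthy-looking tail of the output is not by itself evidence that the connector is working; the parsed error list is.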

Azure SDN connector using service principal

FortiOS automatically updates dynamic addresses for Azure using Azure SDN connector, including mapping attributes
from Azure instances to dynamic address groups in FortiOS.

To configure the Azure SDN connector using service principal:

1. Create an Azure SDN connector:


a. Go to Security Fabric > External Connectors and click Create New.
b. Select Microsoft Azure.
c. Configure the connector. See Azure SDN connector service principal configuration requirements:

d. Click OK.
2. Create a dynamic firewall address for the Azure connector.
a. Go to Policy & Objects > Addresses and click Create New > Address.
b. From the Type dropdown list, select Dynamic.
c. From the Sub Type dropdown list, select Fabric Connector Address.


d. From the SDN Connector dropdown list, select the Azure SDN connector.
e. In the Filter field, add filters as desired. The Azure SDN connector supports the following filters:
- vm=<VM name>
- securitygroup=<nsg id>
- vnet=<VNet id>
- subnet=<subnet id>
- vmss=<VM scale set>
- tag.<key>=<value>
- servicetag=<value>

f. Click OK.
g. Hover the cursor over the address name to see the dynamic IP addresses that the connector resolves.

Cisco ACI SDN connector using a standalone connector

Cisco ACI (Application Centric Infrastructure) SDN connectors can be used in dynamic firewall addresses.
The Fortinet SDN Connector for Cisco ACI and Nuage Networks is a standalone connector that connects to SDN
controllers within Cisco ACI and Nuage Networks. You must configure a connection to the Fortinet SDN connector in
FortiOS to query the dynamic addresses.

To configure a Cisco ACI connector in the GUI:

1. Create the Cisco ACI SDN connector:


a. Go to Security Fabric > External Connectors and click Create New.
b. In the Private SDN section, click Application Centric Infrastructure (ACI).
c. In the Cisco ACI Connector section, for Type, select Fortinet SDN Connector and configure the remaining
settings as needed.
d. Click OK.


2. Create the dynamic firewall address for the connector:


a. Go to Policy & Objects > Addresses and click Create New > Address.
b. Configure the following settings:
i. For Type, select Dynamic.
ii. For Sub Type, select Fabric Connector Address.
iii. For SDN Connector, select the first ACI connector.
iv. Configure the remaining settings as needed.
c. Click OK.

To verify the dynamic firewall IPs are resolved by the SDN connector in the GUI:

1. Go to Policy & Objects > Addresses.


2. In the address table, hover over the address to view which IPs it resolves to.

To configure a Cisco ACI connector in the CLI:

1. Create the SDN connector:


config system sdn-connector
edit "aci1"
set type aci
set server "172.18.64.31"
set username "admin"
set password xxxxxxx
next
end

2. Create the dynamic firewall address for the connector:


config firewall address
edit "aci-address1"
set type dynamic
set sdn "aci1"
set color 17
set tenant "wqdai-ten"
set epg-name "EPG-in"
set sdn-tag "fffff"
next
end

To verify the dynamic firewall IPs are resolved by the SDN connector in the CLI:

# diagnose firewall dynamic list
List all dynamic addresses:
aci1.aci.wqdai-ten.EPG-in.fffff: ID(171)
ADDR(192.168.100.20)

ClearPass endpoint connector via FortiManager

ClearPass Policy Manager (CPPM) is a network access system that can send information about authenticated users to
third party systems, such as a FortiGate or FortiManager.
In this example, communications are established between CPPM and FortiManager, and then the FortiManager
forwards information to a managed FortiGate. On the FortiGate, the user information can be used in firewall policies and
added to FSSO dynamic addresses.

Configure the FortiManager

Establish communications between FortiManager and CPPM so that FortiManager can synchronize CPPM user groups.
See Creating a ClearPass connector in the FortiManager Administration Guide.

FortiManager forwards the group information to managed FortiGates.


Adding CPPM FSSO user groups to a local user group

To add CPPM user groups to a local user group in the GUI:

1. On the FortiGate, go to User & Authentication > User Groups.


2. Click Create New.
3. Enter a name for the group and set Type to Fortinet Single Sign-On (FSSO).
4. Click the Members field, and add one or more FSSO groups.
FSSO groups can come from multiple sources; CPPM FSSO groups are prefixed with cp_ and are listed under the
FortiManager heading.

5. Click OK.

To add CPPM user groups to a local user group in the CLI:

config user group
edit fsso-group
set group-type fsso-service
set member "cp_test_[Employee]" "cp_test_FSSOROLE"
next
end

Using the local FSSO user group in a firewall policy

To add the local FSSO user group to a firewall policy in the GUI:

1. Go to Policy & Objects > Firewall Policy.


2. Create a new policy, or edit an existing one.


3. Click in the Source field and add the fsso-group user group.

CPPM user groups can also be added directly to the policy.


4. Click OK.

To add the local FSSO user group to a firewall policy in the CLI:

config firewall policy
edit 1
set name "pol1"
set srcintf "port2"
set dstintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set groups "fsso-group"
set nat enable
next
end

Verification

To verify that a user was added to the FSSO list on the FortiGate:

1. Log on to the client and authenticate with CPPM.


After successful authentication, the user is added to the FSSO list on the FortiGate.


2. On the FortiGate, go to Monitor > Firewall User Monitor to verify that the user was added.

The user group cp_test_FSSOROLE is listed separately because the user is a member of that group on the CPPM.

To verify that traffic can pass the firewall:

1. Log on to the client and browse to an external website.


2. On the FortiGate, go to FortiView > Sources.
3. Double-click on the user and select the Destinations tab to verify that traffic is being passed by the firewall.

To verify the user address groups:

show user adgrp
config user adgrp
edit "cp_test_FSSOROLE"
set server-name "FortiManager"
next
edit "cp_test_[AirGroup v1]"
set server-name "FortiManager"
next
edit "cp_test_[AirGroup v2]"
set server-name "FortiManager"
next
edit "cp_test_[Aruba TACACS read-only Admin]"
set server-name "FortiManager"
next
edit "cp_test_[Aruba TACACS root Admin]"
set server-name "FortiManager"
next
edit "cp_test_[BYOD Operator]"
set server-name "FortiManager"
next
edit "cp_test_[Contractor]"
set server-name "FortiManager"
next
edit "cp_test_[Device Registration]"
set server-name "FortiManager"
next
...


edit "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM"
set server-name "Local FSSO Agent" <----- !!!
next
end

GCP SDN connector using service account

FortiOS automatically updates dynamic addresses for GCP using a GCP SDN connector, including mapping attributes
from GCP instances to dynamic address groups in FortiOS.

To configure a GCP connector using the GUI:

1. In FortiOS, go to Security Fabric > External Connectors.


2. Click Create New, and select Google Cloud Platform (GCP).
Note that you can create only one SDN connector per connector type. For example, you can create one entry for GCP.
3. Configure the connector as follows:
a. Projects: Select Simple.
b. Name: Enter the name of the GCP project. The VMs whose IP addresses you want to populate should be
running within this project.
c. Service account email: Enter the email address associated with the service account that calls APIs to the GCP
project specified.
d. Private key: Enter the private key statement as shown in the text box. For details, see Creating a GCP service
account.
e. Click OK.

Once the connector is successfully configured, a green indicator appears at the bottom right corner. If the indicator
is red, the connector is not working. See Troubleshooting GCP SDN Connector.


4. Create a dynamic firewall address for the configured GCP SDN connector:
a. Go to Policy & Objects > Addresses. Click Create New, then select Address.
b. Configure the address:
i. Name: Enter the desired name.
ii. Type: Select Dynamic.
iii. Fabric Connector Type: Select Google Cloud Platform (GCP).
iv. Filter: The SDN connector automatically populates and updates only instances that match this filtering
condition. Currently GCP supports the following filters:
- id=<instance id>: This matches a VM instance ID.
- name=<instance name>: This matches a VM instance name.
- zone=<gcp zones>: This matches a zone name.
- network=<gcp network name>: This matches a network name.
- subnet=<gcp subnet name>: This matches a subnet name.
- tag=<gcp network tags>: This matches a network tag.
- label.<gcp label key>=<gcp label value>: This matches a free-form GCP label key and its value.
In the example, the filter is set as 'network=default & zone=us-central-1f'. This configuration populates all IP addresses that belong to the default network in the zone us-central-1f.
You can set filtering conditions using multiple entries with AND ("&") or OR ("|"). When both AND and OR are specified, AND is interpreted first, then OR.
Note that wildcards (such as the asterisk) are not allowed in filter values.

v. Click OK.
The address has been created. Wait a few minutes for the setting to take effect. You will know that the
address is in effect when the exclamation mark disappears from the address entry. When you hover over the
address, you can see the list of populated IP addresses.


If the exclamation mark does not disappear, check the address settings.

IBM Cloud SDN connector using API keys

FortiOS can automatically update dynamic addresses for IBM Cloud using an SDN connector.

To configure IBM Cloud SDN connectors using the GUI:

1. Create SDN connectors for compute generation 1 and 2:
a. Go to Security Fabric > External Connectors.
b. Click Create New, then select IBM Cloud.
c. Configure the connector for compute generation 1 (name, API key, region, compute generation, and update
interval, as in the CLI example later in this section).
d. Click OK.
e. Click Create New, then select IBM Cloud.
f. Configure the connector for compute generation 2.
g. Click OK.
2. Create dynamic firewall addresses for the configured connectors:
a. Go to Policy & Objects > Addresses.
b. Click Create New > Address.
c. From the Type dropdown list, select Dynamic.
d. From the Sub Type dropdown list, select Fabric Connector Address.
e. From the SDN Connector dropdown list, select the IBM SDN connector.
f. In the Filter field, add the desired filters. The following filter keys are supported, each used as
<key>=<value> (for example, Vpc=alex-vpc1):
• InstanceId
• InstanceName
• ImageId
• ImageName
• Architecture
• Profile
• Vpc
• Zone
• Subnet
• ResourceGroup
g. Click OK.
h. Click Create New > Address.


i. Repeat the process for compute generation 2:

j. Click OK.
3. Ensure that the connectors resolve dynamic firewall IP addresses:
a. Go to Policy & Objects > Addresses.
b. Hover over the addresses created in step 2 to see a list of IP addresses that the connector has resolved:

To configure IBM Cloud SDN connectors using the CLI:

1. Create SDN connectors for compute generation 1 and 2:


config system sdn-connector
edit "ibm_gen1"
set status enable
set type ibm
set api-key xxxxxx
set compute-generation 1
set ibm-region us-south
set update-interval 60
next
edit "ibm_gen2"
set status enable
set type ibm
set api-key xxxxxx
set compute-generation 2
set ibm-region us-east
set update-interval 60
next
end

2. Create dynamic firewall addresses for the configured connectors:


config firewall address
edit "ibm_gen1_add1"
set type dynamic
set sdn "ibm_gen1"
set color 19
set filter "Vpc=alex-vpc1"
next
edit "ibm_gen2_add1"
set type dynamic
set sdn "ibm_gen2"
set color 19
set filter "ResourceGroup=alex-grp2"
next
end

3. Ensure that the connectors resolve dynamic firewall IP addresses:


# show firewall address ibm_gen1_add1
config firewall address
edit "ibm_gen1_add1"
set uuid 586841c4-7f46-51ea-dc66-dbf840af03d3
set type dynamic
set sdn "ibm_gen1"
set color 19
set filter "Vpc=alex-vpc1"
config list
edit "10.240.0.49"
next
edit "10.240.0.75"
next
edit "169.61.227.88"
next
edit "52.117.170.31"
next
end
next
end
# show firewall address ibm_gen2_add1
config firewall address
edit "ibm_gen2_add1"
set uuid 5868c4f0-7f46-51ea-2b79-b5170fbfd4a8
set type dynamic
set sdn "ibm_gen2"
set color 19
set filter "ResourceGroup=alex-grp2"
config list
edit "10.241.128.4"
next
edit "10.241.128.5"
next
edit "10.241.129.4"
next
edit "52.117.126.69"
next
end
next
end


Kubernetes (K8s) SDN connectors

The following topics provide information about configuring Kubernetes SDN connectors:
• AWS Kubernetes (EKS) SDN connector using access key on page 323
• Azure Kubernetes (AKS) SDN connector using client secret on page 325
• GCP Kubernetes (GKE) SDN connector using service account on page 328
• Oracle Kubernetes (OKE) SDN connector using certificates on page 330
• Private cloud K8s SDN connector using secret token on page 334

AWS Kubernetes (EKS) SDN connector using access key

AWS SDN connectors support dynamic address groups based on AWS Kubernetes (EKS) filters.

To enable an AWS SDN connector to fetch IP addresses from AWS Kubernetes:

1. Go to Security Fabric > External Connectors. Click Create New, then select Amazon Web Services (AWS).
Configure the SDN connector as desired. See AWS SDN connector using certificates on page 304

2. Go to Policy & Objects > Addresses. Click Create New > Address to create a dynamic firewall address for the
configured SDN connector using a supported Kubernetes filter.
3. From the Type dropdown list, select Dynamic.
4. From the Sub Type dropdown list, select Fabric Connector Address.
5. From the SDN Connector dropdown list, select the desired SDN connector.
6. In the Filter field, add the desired filters. The following filters are supported (the CLI examples in this guide
write the same keys in mixed case, for example K8S_PodName):

Filter          Description
k8s_cluster     Name of the Kubernetes cluster.
k8s_namespace   Namespace of a Kubernetes service or pod.
k8s_svcname     Name of a Kubernetes service.
k8s_nodename    Name of a Kubernetes node.
k8s_zone        Zone of a Kubernetes node.
k8s_region      Region of a Kubernetes node.
k8s_podname     Name of a Kubernetes pod.
k8s_label.xxx   Label xxx of a Kubernetes resource (cluster/service/node/pod).

7. Configure the rest of the settings, then click OK.


8. Ensure that the SDN connector resolves the dynamic firewall address IP addresses by going to Policy & Objects >
Addresses and hovering over the newly created address.

To configure an AWS Kubernetes SDN connector through the CLI:

1. Configure the SDN connector:


config system sdn-connector
edit "aws1"
set type aws
set access-key "AKIAIJNKE75ANVN5AEQA"
set secret-key xxxxx
set region "us-west-2"
set update-interval 30
next
end
2. Create a dynamic firewall address for the SDN connector with a supported Kubernetes filter:
config firewall address
edit "aws-pod"
set type dynamic
set sdn "aws1"
set filter "K8S_PodName=aws-node-g6zhx"
next
end
The SDN connector resolves the dynamic firewall address IP address:
config firewall address
edit "aws-pod"
set type dynamic
set sdn "aws1"
set filter "K8S_PodName=aws-node-g6zhx"
config list
edit "192.168.114.197"
next
end
next
end

Azure Kubernetes (AKS) SDN connector using client secret

Azure SDN connectors support dynamic address groups based on Azure Kubernetes (AKS) filters.

To enable an Azure SDN connector to fetch IP addresses from Azure Kubernetes:

1. Configure the Azure SDN connector:


a. Go to Security Fabric > External Connectors.
b. Click Create New, and select Azure.
c. Configure the connector, substituting the region, tenant and client IDs, and client secret for your deployment.
See Azure SDN connector service principal configuration requirements.

2. Create a dynamic firewall address for the configured K8s SDN connector:
a. Go to Policy & Objects > Addresses.
b. Click Create New, then select Address.
c. From the Type dropdown list, select Dynamic.
d. From the Sub Type dropdown list, select Fabric Connector Address.
e. From the SDN Connector dropdown list, select the desired SDN connector.

f. In the Filter field, add the desired filter. The following filters are supported:

Filter          Description
k8s_cluster     Name of the Kubernetes cluster.
k8s_namespace   Namespace of a Kubernetes service or pod.
k8s_svcname     Name of a Kubernetes service.
k8s_nodename    Name of a Kubernetes node.
k8s_zone        Zone of a Kubernetes node.
k8s_region      Region of a Kubernetes node.
k8s_podname     Name of a Kubernetes pod.
k8s_label.xxx   Label xxx of a Kubernetes resource (cluster/service/node/pod).

In this example, the address is configured to automatically populate and update IP addresses only for
instances that belong to the zhmKC cluster (filter K8S_Cluster=zhmKC).
3. Ensure that the K8s SDN connector resolves dynamic firewall IP addresses:


a. Go to Policy & Objects > Addresses.
b. Hover over the address created in step 2 to see the list of IP addresses for instances that belong to the
zhmKC cluster as configured in step 2.

To configure an Azure Kubernetes SDN connector through the CLI:

1. Configure the SDN connector:


config system sdn-connector
edit "azure1"
set type azure
set tenant-id "942b80cd-1b14-42a1-8dcf-4b21dece61ba"
set client-id "14dbd5c5-307e-4ea4-8133-68738141feb1"
set client-secret xxxxx
set update-interval 30
next
end
2. Create a dynamic firewall address for the SDN connector with a supported Kubernetes filter. In this example, the
address will automatically populate and update IP addresses only for instances that belong to the zhmKC cluster:
config firewall address
edit "az-k8s-cluster"
set type dynamic
set sdn "azure1"
set filter "K8S_Cluster=zhmKC"
next
end
3. Confirm that the Azure SDN connector resolves dynamic firewall IP addresses using the configured filter:
config firewall address
edit "az-k8s-cluster"
set type dynamic
set sdn "azure1"
set filter "K8S_Cluster=zhmKC"
config list
edit "10.240.0.4"
next
edit "10.240.0.5"
next
edit "10.244.0.10"
next
end


next
end

GCP Kubernetes (GKE) SDN connector using service account

Google Cloud Platform (GCP) SDN connectors support dynamic address groups based on GCP Kubernetes Engine
(GKE) filters.

To enable a GCP SDN connector to fetch IP addresses from GKE:

1. Configure an SDN connector for GCP:


a. Go to Security Fabric > External Connectors. Click Create New, and select Google Cloud Platform (GCP).
b. Enter a connector name, then configure the following settings for the GCP connector:
i. Projects: Select Simple.
ii. Name: Enter the name of the GCP project.
iii. Service account email: Enter the email address associated with the service account that will call APIs to
the GCP project specified above.
iv. Private key: Enter the private key statement.

c. Click OK.
2. Go to Policy & Objects > Addresses and create a dynamic firewall address for the configured SDN connector
using a supported Kubernetes filter.
3. Select the address filter or filters that determine which Kubernetes IP addresses are populated. The following
filters are supported:

Filter          Description
k8s_cluster     Name of the Kubernetes cluster.
k8s_namespace   Namespace of a Kubernetes service or pod.
k8s_svcname     Name of a Kubernetes service.
k8s_nodename    Name of a Kubernetes node.
k8s_zone        Zone of a Kubernetes node.
k8s_region      Region of a Kubernetes node.
k8s_podname     Name of a Kubernetes pod.
k8s_label.xxx   Label xxx of a Kubernetes resource (cluster/service/node/pod).

In this example, the GCP SDN connector automatically populates and updates IP addresses only for instances
that belong to the zhm-kc3 cluster (filter K8S_Cluster=zhm-kc3).

4. Configure the rest of the settings, then click OK.


The dynamic firewall address IP is resolved by the SDN connector.


To configure a GCP Kubernetes SDN connector through the CLI:

1. Configure the GCP SDN connector:


config system sdn-connector
edit "gcp1"
set type gcp
config gcp-project-list
edit "dev-project-001-166400"
next
set service-account "[email protected]"
set private-key **********
set update-interval 30
next
end
2. Create a dynamic firewall address for the SDN connector with a supported Kubernetes filter:
config firewall address
edit "gcp-k8s-cluster"
set type dynamic
set sdn "gcp1"
set filter "K8S_Cluster=zhm-kc3"
next
end
The dynamic firewall address IP is resolved by the SDN connector:
config firewall address
edit "gcp-k8s-cluster"
set type dynamic
set sdn "gcp1"
set filter "K8S_Cluster=zhm-kc3"
config list
edit "10.0.2.4"
next
edit "10.0.2.7"
next
edit "10.28.0.13"
next
end
next
end

Oracle Kubernetes (OKE) SDN connector using certificates

OCI SDN connectors support dynamic address groups based on Oracle Kubernetes (OKE) filters.

To enable an OCI SDN connector to fetch IP addresses from Oracle Kubernetes:

1. Configure the OCI SDN connector:


a. Go to Security Fabric > External Connectors.
b. Click Create New, and select Oracle Cloud Infrastructure (OCI).
c. Configure the connector, substituting the region, tenancy, user and compartment OCIDs, and certificate for your
deployment (see OCI SDN connector using certificates). The update interval is in seconds.

2. Create dynamic firewall addresses for the configured SDN connector with supported Kubernetes filter:
a. Go to Policy & Objects > Addresses.
b. Click Create New, then select Address.


c. In the Filter field, select the desired filters. The following filters are supported:

Filter          Description
k8s_cluster     Name of the Kubernetes cluster.
k8s_namespace   Namespace of a Kubernetes service or pod.
k8s_svcname     Name of a Kubernetes service.
k8s_nodename    Name of a Kubernetes node.
k8s_zone        Zone of a Kubernetes node.
k8s_region      Region of a Kubernetes node.
k8s_podname     Name of a Kubernetes pod.
k8s_label.xxx   Label xxx of a Kubernetes resource (cluster/service/node/pod).


3. Confirm that the SDN connector resolves dynamic firewall IP addresses:


a. Go to Policy & Objects > Addresses.
b. Hover over the address created in step 2 to see a list of IP addresses for instances:

To configure an OCI Kubernetes SDN connector through the CLI:

1. Configure the OCI SDN connector:


config system sdn-connector
edit "oci1"
set type oci
set tenant-id "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55cxxx"
set user-id "ocid1.user.oc1..aaaaaaaaq2lfspeo3uetzbzpiv2pqvzzevozccnys347stwssvizqlatfxxx"
set compartment-id "ocid1.compartment.oc1..aaaaaaaaelxxdjazqo7nzczpgypyiqcgkmytjry6nfq5345vw7eavpwnmxxx"
set oci-region ashburn
set oci-cert "cert-sha2"
set update-interval 30
next
end
2. Create dynamic firewall addresses for the configured SDN connector with supported Kubernetes filter:
config firewall address
edit "k8s_nodename"
set type dynamic
set sdn "oci1"
set filter "K8S_NodeName=129.213.120.172"
next
end
3. Confirm that the SDN connector resolves dynamic firewall IP addresses:
config firewall address
edit "k8s_nodename"
set type dynamic
set sdn "oci1"
set filter "K8S_NodeName=129.213.120.172"
config list
edit "10.0.32.2"
next
edit "10.244.2.2"
next
edit "10.244.2.3"
next
edit "10.244.2.4"
next
edit "10.244.2.5"
next
end
next
end

Private cloud K8s SDN connector using secret token

FortiOS automatically updates dynamic and cluster IP addresses for Kubernetes (K8s) by using a K8s SDN connector,
enabling FortiOS to manage K8s pods as global address objects, as with other connectors. This includes mapping the
following attributes from K8s instances to dynamic address groups in FortiOS:

Filter        Description
Namespace     Filter service IP addresses in a given namespace.
ServiceName   Filter service IP addresses by the given service name.
NodeName      Filter node IP addresses by the given node name.
PodName       Filter IP addresses by the pod name.
Label.XXX     Filter service or node IP addresses with the given label XXX. For example: K8S_Label.app=nginx.

FortiOS 6.2.3 and later collects cluster IP addresses in addition to external IP addresses for exposed K8s services.

There is no maximum limit for the number of IP addresses populated with the filters.
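The following added example (not FortiOS or kubed code) shows how the objects the connector fetches from the Kubernetes API map onto the filters in the table: it flattens pod, service and node list responses into records and resolves a single key=value filter to the set of IP addresses the dynamic address would contain, including a service's cluster IP and load-balancer IP and skipping a pending pod that has no IP yet. The three JSON responses are constructed for the demo, not captured from a real cluster. One assumption is mine rather than the guide's: that a NodeName filter returns the node's own addresses plus the pods scheduled on it, which matches the OKE output shown earlier in this section but is not stated in the table.

```python
"""Resolve Kubernetes objects to the IP set a K8s SDN connector filter would populate.
Added example, not FortiOS/kubed code. The JSON below is constructed to look like
/api/v1/pods, /api/v1/services and /api/v1/nodes list responses."""
import json

PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "nginx-7d9c-abc12", "namespace": "web", "labels": {"app": "nginx"}},
     "spec": {"nodeName": "node-a"}, "status": {"phase": "Running", "podIP": "10.244.1.5"}},
    {"metadata": {"name": "nginx-7d9c-def34", "namespace": "web", "labels": {"app": "nginx"}},
     "spec": {"nodeName": "node-b"}, "status": {"phase": "Running", "podIP": "10.244.2.7"}},
    {"metadata": {"name": "redis-0", "namespace": "web", "labels": {"app": "redis"}},
     "spec": {"nodeName": "node-a"}, "status": {"phase": "Running", "podIP": "10.244.1.9"}},
    # Pending pod: no podIP yet, so it contributes nothing until it is scheduled
    {"metadata": {"name": "build-job-x", "namespace": "ci", "labels": {"app": "nginx"}},
     "spec": {}, "status": {"phase": "Pending"}},
]})
SERVICES_JSON = json.dumps({"items": [
    {"metadata": {"name": "nginx", "namespace": "web", "labels": {"app": "nginx"}},
     "spec": {"clusterIP": "10.96.0.20", "externalIPs": []},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"metadata": {"name": "kubernetes", "namespace": "default", "labels": {}},
     "spec": {"clusterIP": "10.96.0.1"}, "status": {"loadBalancer": {}}},
]})
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "node-a", "labels": {"topology.kubernetes.io/zone": "zone-1"}},
     "status": {"addresses": [{"type": "InternalIP", "address": "192.0.2.11"},
                              {"type": "Hostname", "address": "node-a"}]}},
    {"metadata": {"name": "node-b", "labels": {"topology.kubernetes.io/zone": "zone-2"}},
     "status": {"addresses": [{"type": "InternalIP", "address": "192.0.2.12"},
                              {"type": "ExternalIP", "address": "198.51.100.12"}]}},
]})


def collect(pods_json: str, services_json: str, nodes_json: str) -> list:
    """Flatten pods, services and nodes into records carrying the attributes the
    connector filters on (namespace, name, node, labels) and their IP addresses."""
    objs = []
    for p in json.loads(pods_json)["items"]:
        ip = p["status"].get("podIP")
        objs.append({"kind": "pod", "name": p["metadata"]["name"],
                     "namespace": p["metadata"]["namespace"],
                     "node": p["spec"].get("nodeName"),
                     "labels": p["metadata"].get("labels", {}),
                     "ips": {ip} if ip else set()})
    for s in json.loads(services_json)["items"]:
        ips = set()
        cluster_ip = s["spec"].get("clusterIP")
        if cluster_ip and cluster_ip != "None":      # headless services have no cluster IP
            ips.add(cluster_ip)
        ips.update(s["spec"].get("externalIPs", []))  # cluster IP plus any external IPs
        ips.update(i["ip"] for i in s["status"].get("loadBalancer", {}).get("ingress", []) if "ip" in i)
        objs.append({"kind": "service", "name": s["metadata"]["name"],
                     "namespace": s["metadata"]["namespace"], "node": None,
                     "labels": s["metadata"].get("labels", {}), "ips": ips})
    for n in json.loads(nodes_json)["items"]:
        ips = {a["address"] for a in n["status"].get("addresses", [])
               if a["type"] in ("InternalIP", "ExternalIP")}
        objs.append({"kind": "node", "name": n["metadata"]["name"], "namespace": None,
                     "node": n["metadata"]["name"],
                     "labels": n["metadata"].get("labels", {}), "ips": ips})
    return objs


def matches(obj: dict, key: str, value: str) -> bool:
    """Apply one filter key (case-insensitive, with or without the K8S_ prefix)."""
    k = key.lower()
    k = k[4:] if k.startswith("k8s_") else k
    if k.startswith("label."):
        return obj["labels"].get(key.split(".", 1)[1]) == value  # label keys keep their case
    if k == "namespace":
        return obj["namespace"] == value
    if k == "servicename":
        return obj["kind"] == "service" and obj["name"] == value
    if k == "podname":
        return obj["kind"] == "pod" and obj["name"] == value
    if k == "nodename":  # assumption: node addresses plus pods scheduled on that node
        return obj["node"] == value
    raise ValueError(f"unsupported filter key: {key}")


def resolve(filter_expr: str, objs: list) -> list:
    """Sorted IP list for a single key=value filter such as K8S_Label.app=nginx."""
    key, _, value = filter_expr.partition("=")
    if not value:
        raise ValueError("filter must be key=value")
    ips = set()
    for obj in objs:
        if matches(obj, key.strip(), value.strip()):
            ips |= obj["ips"]
    return sorted(ips)


if __name__ == "__main__":
    objects = collect(PODS_JSON, SERVICES_JSON, NODES_JSON)
    for f in ("K8S_Label.app=nginx", "K8S_NodeName=node-a", "K8S_ServiceName=nginx", "K8S_Namespace=ci"):
        print(f, "->", resolve(f, objects))
```

The same three list endpoints are the ones to test the secret token against before entering it into FortiOS, for example curl -sk -H "Authorization: Bearer $TOKEN" https://<IP>:<port>/api/v1/pods; an HTTP 403 there means the service account lacks list permission on that resource, and the connector will fail in the same way.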

To configure K8s SDN connector using the GUI:

1. Configure the K8s SDN connector:


a. Go to Security Fabric > External Connectors > Create New Connector.
b. Select Kubernetes.
c. In the IP field, enter the IP address that you obtained in Obtaining the IP address, port, and secret token in
Kubernetes.
d. In the Port field, select Specify, then enter the port that you obtained in Obtaining the IP address, port, and
secret token in Kubernetes.


e. In the Secret token field, enter the token that you obtained in Obtaining the IP address, port, and secret token in
Kubernetes.
f. Configure the other fields as desired.
2. Create a dynamic firewall address for the configured K8S SDN connector:
a. Go to Policy & Objects > Addresses.
b. Click Create New, then select Address.
c. Configure the address, selecting the desired filter in the Filter dropdown list. In this example, the
K8s SDN connector automatically populates and updates IP addresses only for node instances that match
the specified node name (filter K8S_NodeName=<node name>).

3. Ensure that the K8s SDN connector resolves dynamic firewall IP addresses:


a. Go to Policy & Objects > Addresses.
b. Hover over the address created in step 2 to see a list of IP addresses for node instances that match the node
name configured in step 2:

To configure K8s SDN connector using CLI commands:

1. Configure the K8s SDN connector:


config system sdn-connector
edit "kubernetes1"
set type kubernetes
set server "<API server IP address obtained in Obtaining the IP address, port, and secret token in Kubernetes>"
set server-port <API server port obtained in the same procedure>
set secret-token <secret token obtained in the same procedure>
set update-interval 30
next
end
2. Create a dynamic firewall address for the configured K8s SDN connector with the supported K8s filter. In this
example, the K8s SDN connector will automatically populate and update IP addresses only for node instances that
match the specified node name:
config firewall address
edit "k8s_nodename"
set type dynamic
set sdn "kubernetes1"
set filter "K8S_NodeName=van-201669-pc1"
next
end
3. Confirm that the K8s SDN connector resolves dynamic firewall IP addresses using the configured filter:
config firewall address
edit "k8s_nodename"
set type dynamic
set sdn "kubernetes1"
set filter "K8S_NodeName=van-201669-pc1"
config list
edit "172.16.65.227"
next
end
next
end

To troubleshoot the connection:

1. In FortiOS, enable debug output for the Kubernetes connector daemon:
diagnose debug application kubed -1
diagnose debug enable
2. Reset the connection in the GUI to generate logs, then read the debug output, which shows whether the
connection to the API server failed or succeeded.


Nuage SDN connector using server credentials

You can use Nuage SDN connectors in dynamic firewall addresses.


The Fortinet SDN Connector for Cisco ACI and Nuage Networks is a standalone connector that connects to SDN
controllers within Cisco ACI and Nuage Networks. You must configure a connection to the Fortinet SDN connector in
FortiOS to query the dynamic addresses.

To configure a Nuage connector in the GUI:

1. Create the Nuage SDN connector:


a. Go to Security Fabric > External Connectors and click Create New.
b. In the Private SDN section, click Nuage Virtualized Services Platform.
c. Configure the settings as needed.
d. Click OK.

2. Create the dynamic firewall address for the connector:


a. Go to Policy & Objects > Addresses and click Create New > Address.
b. Configure the following settings:
i. For Type, select Dynamic.
ii. For Sub Type, select Fabric Connector Address.


iii. For SDN Connector, select the Nuage connector.


iv. Configure the remaining settings as needed.
c. Click OK.

To verify the SDN connector resolves the dynamic firewall IP addresses in the GUI:

1. Go to Policy & Objects > Addresses.


2. In the address table, hover over an address to view which IP addresses it resolves to.

To configure a Nuage connector in the CLI:

1. Create the SDN connector:


config system sdn-connector
edit "nuage1"
set type nuage
set server "172.18.64.27"
set server-port 5671
set username "admin"
set password xxxxxxx
next
end

2. Create the dynamic firewall address for the connector:


config firewall address
edit "nuage-address1"
set type dynamic
set sdn "nuage1"
set color 19
set organization "nuage/L3"
set subnet-name "Subnet20"
next
end

To verify the SDN connector resolves the dynamic firewall IP addresses in the CLI:

# diagnose firewall dynamic list
List all dynamic addresses:
nuage1.nuage.nuage/L3.Subnet20.*: ID(196)
ADDR(192.168.20.92)
ADDR(192.168.20.240)

OCI SDN connector using certificates

You can configure SDN connector integration with Oracle Cloud Infrastructure (OCI).

To configure an OCI SDN connector in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.


2. In the Public SDN section, select Oracle Cloud Infrastructure (OCI).
3. Configure the connector as desired:
a. User ID: Enter the OCID of the OCI user who belongs to the administrator group. See Certificate-based SDN
connector requirements.
b. For the OCI Certificate field, you must select a certificate that satisfies OCI key size limits. The minimum size is
2048 bits. Do one of the following:
i. Select the built-in default certificate called Fortinet_Factory.
ii. Follow steps 1-2 in Using custom certificates to configure a custom certificate.

4. Click OK.
5. At this stage, you must register the certificate's public key with the specified OCI user; OCI then displays its
fingerprint.
a. In OCI, go to the user, then API Keys > Add Public Key.
b. If you selected the Fortinet_Factory certificate in step 3b, do the following:
i. In FortiOS, go to System > Certificates. Select Fortinet_Factory, then click Download.
ii. You now have the Fortinet_Factory.cer file. Extract its public key into a PEM file using a freely available
tool of your choice such as OpenSSL.
c. Copy and paste the content of the public key PEM file into the Add Public Key window in OCI. Click Add.


d. OCI now shows the fingerprint of the key.
You can also configure the following for the connector:
1. Update Interval: The default value is 60 seconds. You can change the value to between 1 and 3600
seconds.
2. Status: Green means that the connector is enabled. You can disable it at any time by toggling the switch.
e. Click OK.
6. Go to Policy & Objects > Addresses and click Create New > Address.
7. Configure the address as needed, selecting the OCI connector in the SDN Connector field. The following filters are
supported:
• vm_name=<vm name>: matches a VM instance name.
• instance_id=<instance id>: matches an instance OCID.
• tag.<key>=<value>: matches a freeform tag key and its value.
• definedtag.<namespace>.<key>=<value>: matches a tag namespace, tag key, and its value.
The CLI example in this section also filters by compartment name (CompartmentName=<compartment name>).

8. Click OK.
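Two checks a practitioner would want around step 5, as an added Python example that is not Fortinet or Oracle code: that the public key extracted from the certificate is RSA of at least 2048 bits (the limit named in step 3b), and the fingerprint OCI will display for it, which is the colon-separated MD5 of the DER-encoded public key, so the value shown in the console after Add can be compared with the key that was actually uploaded. The synthetic_rsa_pem helper builds a throwaway key of a chosen size so the checks run offline; its modulus is made up and is not a usable key.

```python
"""Pre-flight checks for the public key registered under an OCI user's API Keys:
confirm it is RSA of at least 2048 bits and compute the fingerprint OCI will show.
Added example, not Fortinet or Oracle code. The fingerprint is the colon-separated
MD5 of the DER-encoded SubjectPublicKeyInfo, the same value that
`openssl rsa -pubin -in pub.pem -pubout -outform DER | openssl md5 -c` prints."""
import base64
import hashlib
import re

MIN_RSA_BITS = 2048                                 # OCI minimum given in the guide
RSA_OID = bytes.fromhex("2a864886f70d010101")       # 1.2.840.113549.1.1.1 rsaEncryption


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("expected a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) block")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf: bytes, pos: int, want: int):
    """Read one DER tag-length-value at pos, checking the tag; return (value, next_pos)."""
    if buf[pos] != want:
        raise ValueError(f"DER tag 0x{buf[pos]:02x} where 0x{want:02x} expected")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """SubjectPublicKeyInfo -> AlgorithmIdentifier, BIT STRING -> RSAPublicKey -> modulus size."""
    spki, _ = _tlv(der, 0, 0x30)
    alg, pos = _tlv(spki, 0, 0x30)
    oid, _ = _tlv(alg, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("not an RSA public key")
    bitstr, _ = _tlv(spki, pos, 0x03)
    rsakey, _ = _tlv(bitstr[1:], 0, 0x30)           # skip the unused-bits octet
    modulus, _ = _tlv(rsakey, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()


def oci_fingerprint(der: bytes) -> str:
    return ":".join(f"{b:02x}" for b in hashlib.md5(der).digest())


def check_key(pem: str) -> str:
    """Reject keys OCI will not accept; return the fingerprint to compare with the console."""
    der = pem_to_der(pem)
    bits = rsa_modulus_bits(der)
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA modulus is {bits} bits; OCI requires at least {MIN_RSA_BITS}")
    return oci_fingerprint(der)


def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def synthetic_rsa_pem(bits: int) -> str:
    """Made-up modulus of exactly `bits` bits wrapped in a valid SPKI. Testing only: NOT a real key."""
    n = (1 << (bits - 1)) | 1
    nb = n.to_bytes((bits + 7) // 8, "big")
    if nb[0] & 0x80:
        nb = b"\x00" + nb                           # DER INTEGER is signed; keep it positive
    rsakey = _der(0x30, _der(0x02, nb) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00") + _der(0x03, b"\x00" + rsakey))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    print(check_key(synthetic_rsa_pem(2048)))
```

To produce the PEM public key from the downloaded certificate with OpenSSL, run openssl x509 -in Fortinet_Factory.cer -pubkey -noout > pub.pem (add -inform DER if the file is binary rather than Base64 text); check_key(open("pub.pem").read()) then returns the fingerprint to compare against the one OCI shows after Add.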

To configure an OCI SDN connector in the CLI:

1. Configure an SDN connector:


config system sdn-connector
edit "oci1"
set status enable
set type oci
set tenant-id "ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa77xxxxxx54bbbbbb4xxxx35xx55xxxx"
set user-id "ocid1.user.oc1..aaaaaaaaa2laaaaa3aaaaaaaaaabbbbbbbbbbcccc3ccccccccccxxxxxxxx"
set compartment-id "ocid1.compartment.oc1..aaaaaaaaaaaaaaaaaa7bbbbbbbbbbcccccccccc6xxx53xxxx7xxxxxxxxxx"
set oci-region "us-ashburn-1"
set oci-region-type commercial
set oci-cert "cert-sha2"
set update-interval 30
next
end

2. Create a dynamic firewall address for the SDN connector with a supported filter:
config firewall address
edit "oci-address-1"
set type dynamic
set sdn "oci1"
set filter "CompartmentName=DevelopmentEngineering"
next
end

To confirm that dynamic firewall addresses are resolved by the SDN connector:

1. In the CLI, check that the addresses are listed:


config firewall address
edit "oci-address-1"
set type dynamic
set sdn "oci1"
set filter "CompartmentName=DevelopmentEngineering"
config list
edit "10.0.0.11"
next
edit "10.0.0.118"
next
...
next
end
next
end

2. In the GUI, go to Policy & Objects > Addresses and hover the cursor over the address name.

OpenStack SDN connector using node credentials

To configure OpenStack SDN connector using node credentials:

1. Go to Security Fabric > External Connectors.


2. Click Create New, then select OpenStack (Horizon).


3. Configure the fields as follows:
a. Name: Name the connector as desired.
b. IP: Enter the IP address of the OpenStack management component. Generally you can find it in the OpenStack
Identity service.
c. User name: Enter the administrator user name for the specified node.
d. Password: Enter the administrator password.
4. Click OK. The SDN connector is now configured.

To configure a dynamic firewall address:

The next step is to create an address that will be used, on its own or in an address group, as the source or
destination of firewall policies. The address is populated with the IP addresses of the VM instances that match the
specified filtering condition. Whatever changes occur to the instances, the SDN connector updates the address
automatically, so administrators do not need to reconfigure its content manually. Firewall policies that use the
address apply to every instance that is currently a member of it.


1. Go to Policy & Objects > Addresses. Click Create New, then select Address.
2. Configure the address as follows:
a. Name: Name the address as desired.
b. Type: Select Dynamic.
c. Sub Type: Select Fabric Connector Address.
d. SDN Connector: Select openstack.
e. Filter: The SDN connector automatically populates and updates only the IP addresses of instances that match the
filter condition. OpenStack Horizon connectors support the following filters:
i. id=<instance id>: This matches a VM instance ID.
ii. name=<instance name>: This matches a VM instance name.
iii. flavor=<instance flavor name>: This matches an instance flavor name.
iv. keypair=<key pair name>: This matches a key pair name.
v. network=<net name>: This matches a network name.
vi. project=<project name>: This matches a project name.
vii. availabilityzone=<zone name>: This matches an availability zone name.
viii. servergroup=<group name>: This matches a server group name.
ix. securitygroup=<security group name>: This matches a security group name.
x. metadata.<key>=<value>: This matches metadata with its key and value pair.
You can combine conditions with AND ("&") or OR ("|"). When both are present, AND is evaluated first, then OR.
For example, flavor=m1.nano&project=admin populates the IP addresses of instances that match both the flavor
name and the project name. Wildcards (asterisks) are not allowed in values.

In this example, let's use project=admin, assuming the project name is admin.


3. Click OK after completing all required fields.


4. Ensure that the address was created.

5. After a few minutes, the new address takes effect. Hover your cursor on the address to see a list of IP addresses
and instances with the project name "admin".
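The filter rules stated for the GCP and OpenStack connectors (key=value terms, "&" for AND, "|" for OR, AND evaluated before OR, no wildcards) are shown below as an added, stand-alone Python example. It is not FortiOS code; the instance inventory is constructed with GCP-style attributes, and the evaluator itself is attribute-agnostic, so OpenStack keys such as flavor and project work the same way.

```python
"""Evaluate a Fabric connector filter expression the way the guide describes it:
key=value terms joined by '&' (AND) or '|' (OR), AND before OR, no wildcards.
Added example, not FortiOS code. INSTANCES is a constructed inventory that
mirrors GCP attributes (id, name, zone, network, subnet, tag, label.<key>)."""

INSTANCES = [
    {"id": "1111", "name": "web-1", "zone": "us-central1-f", "network": "default",
     "subnet": "default", "tag": ["http-server"], "label": {"env": "prod"},
     "ips": ["10.128.0.2", "203.0.113.20"]},
    {"id": "2222", "name": "web-2", "zone": "us-central1-f", "network": "default",
     "subnet": "default", "tag": ["http-server"], "label": {"env": "staging"},
     "ips": ["10.128.0.3"]},
    {"id": "3333", "name": "db-1", "zone": "us-east1-b", "network": "default",
     "subnet": "db", "tag": ["db"], "label": {"env": "prod"}, "ips": ["10.142.0.4"]},
    {"id": "4444", "name": "legacy", "zone": "us-central1-f", "network": "legacy-net",
     "subnet": "legacy", "tag": [], "label": {}, "ips": ["10.200.0.9"]},
]


def parse_filter(expr: str) -> list:
    """Return OR-branches, each a list of (key, value) AND-terms.
    Splitting on '|' first and '&' second is what gives AND its precedence."""
    if "*" in expr:
        raise ValueError("wildcards are not allowed in filter values")
    branches = []
    for branch in expr.split("|"):
        terms = []
        for term in branch.split("&"):
            key, sep, value = term.partition("=")
            key, value = key.strip(), value.strip()
            if not sep or not key or not value:
                raise ValueError(f"malformed term: {term.strip()!r}")
            terms.append((key, value))
        branches.append(terms)
    return branches


def term_matches(inst: dict, key: str, value: str) -> bool:
    """One key=value against one instance. Dotted keys (label.env, metadata.role)
    index a map attribute; list attributes such as GCP network tags match if any
    element equals the value."""
    if "." in key:
        attr, sub = key.split(".", 1)
        mapping = inst.get(attr)
        return isinstance(mapping, dict) and mapping.get(sub) == value
    actual = inst.get(key)
    if isinstance(actual, (list, tuple, set)):
        return value in actual
    return actual == value


def evaluate(expr: str, instances: list) -> list:
    """Sorted, de-duplicated IPs of every instance matching the expression."""
    branches = parse_filter(expr)
    ips = set()
    for inst in instances:
        if any(all(term_matches(inst, k, v) for k, v in terms) for terms in branches):
            ips.update(inst["ips"])
    return sorted(ips)


if __name__ == "__main__":
    for expr in ("network=default & zone=us-central1-f",
                 "tag=db | label.env=prod & zone=us-central1-f"):
        print(expr, "->", evaluate(expr, INSTANCES))
```

The second expression reads as tag=db OR (label.env=prod AND zone=us-central1-f), which is the precedence the guide describes; the zone in the inventory uses the GCP zone spelling us-central1-f (region, then a zone letter).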


VMware ESXi SDN connector using server credentials

Dynamic addresses for VMware ESXi and vCenter servers can be automatically updated by using a VMware ESXi
SDN connector. The connector maps the following attributes of VMware ESXi and vCenter objects to dynamic address
groups in FortiOS, used as <attribute>=<value> filters (for example, vmnetwork=VLAN80):
• vmid
• host
• name
• uuid
• vmuuid
• vmnetwork
• guestid
• guestname
• annotation

To configure VMware ESXi SDN connector using the GUI:

1. Configure the VMware ESXi SDN connector:


a. Go to Security Fabric > External Connectors.
b. Click Create New, and select VMware ESXi.
c. Configure the fields, using the server IP address, username, and password for your deployment.
The update interval is in seconds. The password cannot contain single or double quotes.

2. Create a dynamic firewall address for the configured VMware ESXi SDN connector:
a. Go to Policy & Objects > Addresses.
b. Click Create New, then select Address.
c. Configure the address:
i. From the Type dropdown list, select Dynamic.
ii. From the Sub Type dropdown list, select Fabric Connector Address.
iii. From the SDN Connector dropdown list, select the connector that you created.
iv. In the Filter dropdown list, select the desired filter. In this example, the VMware ESXi SDN connector
automatically populates and updates IP addresses only for instances that belong to VLAN80.


v. Configure other fields as desired, then click OK.

3. Ensure that the VMware ESXi SDN connector resolves dynamic firewall IP addresses:
a. Go to Policy & Objects > Addresses.
b. Hover over the address created in step 2 to see a list of IP addresses for instances that belong to VLAN80 as
configured in step 2:

To configure VMware ESXi SDN connector using CLI commands:

1. Configure the VMware ESXi SDN connector:


config system sdn-connector
edit "vmware1"
set type vmware
set server "172.17.48.222"
set username "example_username"
set password xxxxx
set update-interval 30
next
end
2. Create a dynamic firewall address for the configured VMware ESXi SDN connector with the supported VMware
ESXi filter. In this example, the VMware ESXi SDN connector automatically populates and updates IP addresses
only for instances that belong to the specified VLAN:
config firewall address
edit "vmware-network"
set type dynamic
set sdn "vmware1"
set filter "vmnetwork=VLAN80"
next
end
3. Confirm that the VMware ESXi SDN connector resolves dynamic firewall IP addresses using the configured filter:
config firewall address
edit "vmware-network"
set type dynamic
set sdn "vmware1"
set filter "vmnetwork=VLAN80"
config list
edit "192.168.8.240"
next
end
next
end

VMware NSX-T Manager SDN connector using NSX-T Manager credentials

This feature provides SDN connector configuration for VMware NSX-T manager. You can import specific groups, or all
groups from the NSX-T Manager.

To configure SDN connector for NSX-T Manager in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.


2. In the Private SDN section, click VMware NSX.

3. Configure the settings and click OK.

To configure SDN connector for NSX-T Manager in the CLI:

config system sdn-connector


edit "nsx_t24"
set type nsx
set server "172.18.64.205"
set username "admin"
set password xxxxxx


next
end

To import a specific group from the NSX-T Manager:

# execute nsx group import nsx_t24 root csf_ns_group


[1] 336914ba-0660-4840-b0f1-9320f5c5ca5e csf_ns_group:
Name:csf_ns_group
Address:1.1.1.0
Address:1.1.1.1
Address:172.16.10.104
Address:172.16.20.104
Address:172.16.30.104
Address:2.2.2.0
Address:2.2.2.2
Address:4.4.4.0
Address:5.5.5.0
Address:6.6.6.6
Address:7.7.7.7

To import all groups from NSX-T Manager:

# execute nsx group import nsx_t24 root


[1] 663a7686-b9a3-4659-b06f-b45c908349a0 ServiceInsertion_NSGroup:
Name:ServiceInsertion_NSGroup
Address:10.0.0.2
[2] 336914ba-0660-4840-b0f1-9320f5c5ca5e csf_ns_group:
Name:csf_ns_group
Address:1.1.1.0
Address:1.1.1.1
Address:172.16.10.104
Address:172.16.20.104
Address:172.16.30.104
Address:2.2.2.0
Address:2.2.2.2
Address:4.4.4.0
Address:5.5.5.0
Address:6.6.6.6
Address:7.7.7.7
[3] c462ec4d-d526-4ceb-aeb5-3f168cecd89d charlie_test:
Name:charlie_test
Address:1.1.1.1
Address:2.2.2.2
Address:6.6.6.6
Address:7.7.7.7
[4] ff4dcb08-53cf-46bd-bef4-f7aeda9c0ad9 fgt:
Name:fgt
Address:172.16.10.101
Address:172.16.10.102
Address:172.16.20.102
Address:172.16.30.103
[5] 3dd7df0d-2baa-44e0-b88f-bd21a92eb2e5 yongyu_test:
Name:yongyu_test
Address:1.1.1.0
Address:2.2.2.0
Address:4.4.4.0
Address:5.5.5.0

To view the dynamic firewall IP addresses that are resolved by the SDN connector in the GUI:

1. Go to Policy & Objects > Addresses to view the IP addresses resolved by an SDN connector.

To view the dynamic firewall IP addresses that are resolved by the SDN connector in the CLI:

# show firewall address csf_ns_group


config firewall address
edit "csf_ns_group"
set uuid ee4a2696-bacd-51e9-f828-59457565b880
set type dynamic
set sdn "nsx_t24"
set obj-id "336914ba-0660-4840-b0f1-9320f5c5ca5e"
config list
edit "1.1.1.0"
next
edit "1.1.1.1"
next
edit "172.16.10.104"
next
edit "172.16.20.104"
next
edit "172.16.30.104"
next
edit "2.2.2.0"
next
edit "2.2.2.2"
next
edit "4.4.4.0"
next
edit "5.5.5.0"
next
edit "6.6.6.6"
next
edit "7.7.7.7"
next
end
next
end

Multiple concurrent SDN connectors

You can configure multiple instances of every SDN connector type. The specific connector instance must be
specified when creating a dynamic firewall address.
This topic provides examples of how to create two Microsoft Azure SDN connectors and use them in new dynamic
firewall addresses.

To create and use two new SDN connectors with the CLI:

1. Create two new SDN connectors:


config system sdn-connector
edit "azure1"
set type azure
set tenant-id "942b80cd-bbbb-42a1-8888-4b21dece61ba"
set subscription-id "2f96c44c-cccc-4621-bbbb-65ba45185e0c"
set client-id "14dbd5cc-3333-4ea4-8888-68738141feb1"
set client-secret xxxxx
set update-interval 30
next
edit "azure2"
set type azure
set tenant-id "942b80cd-bbbb-42a1-8888-4b21dece61ba"
set client-id "3baa0acc-ffff-4444-b292-0777a2c36be6"
set client-secret xxxxx
set update-interval 30
next
end

2. Create new dynamic firewall addresses that use the new connectors:
config firewall address
edit "azure-address-location1"
set type dynamic
set color 2
set sdn azure1
set filter "location=WestUs"
next
edit "azure-address-location2"
set type dynamic
set color 2
set sdn azure2
set filter "location=NorthEurope"
next
end

To create and use two new SDN connectors with the GUI:

1. Create two new SDN connectors:


a. Go to Security Fabric > External Connectors, and click Create New in the toolbar.
b. Click on Microsoft Azure.
c. Fill in the required information, then click OK.

d. Repeat the steps for the second connector.

Two Microsoft Azure connectors will now be created.

2. Create new dynamic firewall addresses that use the new connectors:
a. Go to Policy and Objects > Addresses and click Create New > Address in the toolbar.
b. Enter a name for the address, and select Fabric Connector Address for the Type.
c. Select one of the previously created SDN connectors from the SDN Connector drop down list.

d. Configure the rest of the required information, then click OK to create the address.
e. Repeat the steps to create the second address, selecting the other Microsoft Azure SDN connector.

Filter lookup in SDN connectors

When configuring dynamic address mappings for filters in SDN connectors for Azure, GCP, OpenStack, Kubernetes,
and AliCloud, FortiGate can query the filters automatically.

To use the filter lookup:

1. Navigate to Policy & Objects > Addresses.


2. Create or edit a dynamic IP address of the SDN connector type.
Supported SDN connector types include: AWS, Azure, GCP, OpenStack, Kubernetes, and AliCloud. The example
below is for an Azure SDN connector.
3. In the address Filter field, you can perform the following actions:
l List all available filters.
l Search the available filters.
l Create custom filters.
l Set filter logic [and|or].

Support for wildcard SDN connectors in filter configurations

Wildcards are supported for SDN connectors when configuring dynamic address filters.
The following SDN connector types are currently supported:
l AWS
l Azure
l Google Cloud Platform
l Kubernetes
l OpenStack
l Oracle Cloud Infrastructure
l VMware ESXi

To configure a dynamic address filter for AWS in the GUI:

1. Create the SDN connector:


a. Go to Security Fabric > External Connectors.
b. Click Create New.
c. In the Public SDN section, click Amazon Web Services (AWS).
d. Configure the settings as needed.
e. Click OK.
2. Create the dynamic firewall address:
a. Go to Policy & Objects > Addresses.
b. Click Create New > Address.
c. Enter a name for the address, then configure the following settings:
l Set Type to Dynamic.
l Set Sub Type to Fabric Connector Address.
l Set SDN Connector to aws1.
l Set SDN address type to Private.
l For Filter, click Create, enter Tag.Name=aws*, then click OK.

d. Click OK.
3. In the address table, hover over the address to view what IPs it resolves to.

4. In AWS, verify that the IP addresses match.

To configure a dynamic address filter for AWS in the CLI:

1. Configure the SDN connector:


config firewall address
edit "aws-address-1"
set type dynamic
set sdn "aws1"
set filter "Tag.Name=aws*"
set sdn-addr-type public
next
end

2. Create the dynamic firewall address and verify where the IP addresses resolve to:
config firewall address
edit "aws-address-1"
set type dynamic
set sdn "aws1"
set filter "Tag.Name=aws*"
set sdn-addr-type public
config list
edit "18.234.167.123"
next
edit "3.81.41.167"
next
edit "52.87.157.127"
next
end
next
end

3. In AWS, verify that the IP addresses match.
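The resolution the last few sections describe (pick a connector instance, apply a key=value filter, optionally with a wildcard or and/or logic, then collect the IP addresses of the matching instances) can be modelled offline. The following Python script is an added example, not FortiOS code: its INVENTORY is a constructed stand-in for what the azure1, azure2, aws1 and vmware1 connectors would poll from their providers, and the filter grammar it accepts (key=value terms joined by & or |, with * as a wildcard) is an assumption chosen to illustrate the and/or filter logic and the Tag.Name=aws* wildcard, not a description of FortiOS's exact filter syntax. It serves the Multiple concurrent SDN connectors, Filter lookup, and wildcard sections above.

```python
"""Model of dynamic (Fabric Connector) address resolution: added example,
not FortiOS code.  INVENTORY is a constructed stand-in for what each SDN
connector instance polls from its provider; the '&' / '|' filter grammar
is an assumption used to model the and/or filter logic."""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed inventory keyed by SDN connector name.  Each instance carries
# the metadata the connector would learn from the provider's API and the IP
# addresses it owns.
INVENTORY: Dict[str, List[dict]] = {
    "azure1": [
        {"tags": {"location": "WestUs", "Tag.role": "web"}, "ips": ["10.0.1.4"]},
        {"tags": {"location": "WestUs", "Tag.role": "db"}, "ips": ["10.0.1.5"]},
        {"tags": {"location": "NorthEurope", "Tag.role": "web"}, "ips": ["10.0.2.4"]},
    ],
    "azure2": [
        {"tags": {"location": "NorthEurope", "Tag.role": "web"}, "ips": ["10.0.9.4"]},
    ],
    "aws1": [
        {"tags": {"Tag.Name": "aws-web-1"}, "ips": ["18.234.167.123"]},
        {"tags": {"Tag.Name": "aws-web-2"}, "ips": ["3.81.41.167"]},
        {"tags": {"Tag.Name": "lab-box"}, "ips": ["52.87.157.127"]},
    ],
    "vmware1": [
        {"tags": {"vmnetwork": "VLAN80"}, "ips": ["192.168.8.240"]},
        {"tags": {"vmnetwork": "VLAN90"}, "ips": ["192.168.9.240"]},
    ],
}

Terms = List[Tuple[str, str]]


def parse_filter(expr: str) -> Tuple[str, Terms]:
    """Split a filter into ('and'|'or', [(key, pattern), ...]).

    Terms are joined by '&' (all must match) or '|' (any may match); one
    filter uses one logic, so mixing the two operators is rejected.
    """
    if "&" in expr and "|" in expr:
        raise ValueError("filter mixes & and |: %r" % expr)
    logic = "or" if "|" in expr else "and"
    terms: Terms = []
    for term in expr.replace("|", "&").split("&"):
        key, sep, pattern = (part.strip() for part in term.partition("="))
        if not (sep and key and pattern):
            raise ValueError("filter term is not key=value: %r" % term)
        terms.append((key, pattern))
    return logic, terms


def _instance_matches(tags: Dict[str, str], logic: str, terms: Terms) -> bool:
    # A key the instance lacks never matches; '*' and '?' in the pattern are
    # wildcards, so Tag.Name=aws* covers every instance whose name starts
    # with "aws".  Matching is case-sensitive.
    hits = [key in tags and fnmatchcase(tags[key], pattern) for key, pattern in terms]
    return all(hits) if logic == "and" else any(hits)


def resolve_dynamic_address(sdn: str, filter_expr: str) -> List[str]:
    """Return the sorted set of IPs a dynamic address would resolve to.

    `sdn` names the connector instance, which is why two addresses with the
    same filter but different connectors resolve to different IPs.
    """
    if sdn not in INVENTORY:
        raise KeyError("unknown SDN connector: %r" % sdn)
    logic, terms = parse_filter(filter_expr)
    return sorted({ip for inst in INVENTORY[sdn]
                   if _instance_matches(inst["tags"], logic, terms)
                   for ip in inst["ips"]})


if __name__ == "__main__":
    for sdn, flt in [("vmware1", "vmnetwork=VLAN80"),
                     ("azure1", "location=WestUs"),
                     ("azure2", "location=NorthEurope"),
                     ("aws1", "Tag.Name=aws*"),
                     ("azure1", "location=WestUs & Tag.role=web")]:
        print("%-8s %-34s -> %s" % (sdn, flt, resolve_dynamic_address(sdn, flt)))
```

Running it prints the resolved list for each (connector, filter) pair. Note that azure1 and azure2 with the same location filter resolve to different addresses, which is why the connector instance must be named when the dynamic address is created, and that a filter key the instance does not carry never matches, so a typo in the key silently resolves to an empty address.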

Endpoint/Identity connectors

SSO fabric connectors integrate SSO authentication into the network. This allows users to enter their credentials only
once, and have those credentials reused when accessing other network resources through the FortiGate.
The following fabric connectors are available:
l Fortinet single sign-on agent on page 357
l Poll Active Directory server on page 358
l Symantec endpoint connector on page 358
l RADIUS single sign-on agent on page 364
l Exchange Server connector on page 367

Fortinet single sign-on agent

To create an FSSO agent connector in the GUI:

1. Go to Security Fabric > External Connectors.


2. Click Create New.
3. In the Endpoint/Identity section, click FSSO Agent on Windows AD.

4. Fill in the Name, the Primary FSSO Agent server IP address or name, and the Password.
5. Optionally, add more FSSO agents by clicking the plus icon.


6. Optionally, enable Trusted SSL certificate and select or import a certificate.
7. Select the User group source:
l Collector Agent: User groups will be pushed to the FortiGate from the collector agent. Click Apply & Refresh to
fetch group filters from the collector agent.
l Local: User groups will be specified in the FortiGate unit's configuration. Select the LDAP server from the list,
then click Edit to select the Users, Groups, and Organizational Units. Optionally, enable Proactively retrieve
from LDAP server and configure the Search filter and Interval.
8. Click OK.

Poll Active Directory server

The FortiGate unit can authenticate users and allow them network access based on group membership in Windows
Active Directory (AD).

To create an AD server connector in the GUI:

1. Go to Security Fabric > External Connectors.


2. Click Create New.
3. In the Endpoint/Identity section, click Poll Active Directory Server.

4. Fill in the Server IP/Name, User, and Password for the AD server.
5. Select the LDAP server from the list.
6. If necessary, disable Enable Polling. This can be used to temporarily stop the FortiGate from polling security event
logs on the Windows logon server, for troubleshooting purposes.
7. Click OK.

Symantec endpoint connector

With the Fabric connector for Symantec Endpoint Protection Manager (SEPM), you can use the client IP information
from SEPM to assign to dynamic IP addresses on FortiOS.
When communication between FortiGate and SEPM is established, FortiGate polls every minute for updates via TLS
over port 8446. You can use the CLI to change the default one minute polling interval.
For example, you can create a dynamic Fabric Connector IP address subtype and use it in firewall policies as the source
address. The dynamic IP address contains all IP addresses sent by SEPM.
This example shows a dynamic IP address with SEPM and one client PC managed by SEPM using FortiGate as the
default gateway.

To configure SEPM on a managed client PC:

1. In SEPM, create client packages for client hosts and group them into SEPM groups.
You can install packages locally on clients or download them directly from SEPM.

2. When a package is installed on the client host, the host is considered managed by SEPM.
Even if the host has multiple interfaces, only one IP per host is displayed.

To configure Symantec endpoint connector on FortiGate in the GUI:

1. Go to Security Fabric > External Connectors and click Create New:


a. In the Endpoint/Identity section, click Symantec Endpoint Protection.
b. Fill in the Name, and set the Status and Update Interval.
c. Set Server to the SEPM IP address.
d. Enter the Username and Password for the server.
e. To limit the domain or group that is monitored, enter them in the requisite fields.

f. Click OK.
When the connection is established, you can see a green up arrow in the bottom right of the card. You might
need to refresh your browser to see the established connection.
2. Go to Policy & Objects > Addresses and click Create New > Address:
a. Fill in the address Name.
b. Set Type to Dynamic.
c. Set Sub Type to Fabric Connector Address.
d. Set SDN Connector to the fabric connector that you just created.
e. Add Filters as needed.

f. Click OK.

Filter options are only available for active computers that are configured and registered
in SEPM. Free-form filters can be created manually by clicking Create and entering the
filter, in the format: filter_type=value.
Possible manual filter types are: GroupName, GroupID, ComputerName,
ComputerUUID, and OSName. For example: GroupName=MyGroup.

3. Go to Policy & Objects > Addresses and hover the cursor over the name of the new address to see the resolved IP
addresses of the host.
4. Go to Policy & Objects > Firewall Policy, click Create New, and add a policy that uses the dynamic IP address.

To verify the configuration:

1. On the client PC, check that it is managed by SEPM to access the Internet.
2. On the FortiGate, you can check in Dashboard > FortiView Sources and Log & Report > Forward Traffic.

Because this traffic is not authenticated traffic but is based on source IP address only, it is
not shown in the GUI firewall monitor or in the diagnose firewall auth list CLI
command.

To configure Symantec endpoint connector on FortiGate in the CLI:

1. Create the fabric connector:


config system sdn-connector
edit "sepm-217"
set type sepm
set server "172.18.60.217"
set username "admin"
set password *********
set status enable
next
end

2. Create the dynamic IP address:


config firewall address
edit "sepm-ip"
set type dynamic
set sdn "sepm-217"
set filter "ComputerName=win10-1"
config list
edit "10.1.100.187"
next
edit "10.6.30.187"
next
edit "172.16.200.187"
next
end
next
end

3. Add the dynamic IP address to the firewall policy:


config firewall policy
edit 1
set name "pol1"
set srcintf "port2"
set dstintf "port1"
set srcaddr "sepm-ip"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set logtraffic all
set fsso disable
set nat enable
next
end

To troubleshoot the Symantec SDN connector in the CLI:

# diagnose debug application sepmd -1

Output is sent every minute (the default interval). All IPv4 addresses are learned from SEPM. IPv6 addresses are also
sent but are not yet supported.

2019-09-09 12:01:09 sepmd sdn connector sepm-217 start updating IP addresses


2019-09-09 12:01:09 sepmd checking firewall address object sepm-ip, vd 0
2019-09-09 12:01:09 sepmd sdn connector sepm-217 finish updating IP addresses
2019-09-09 12:01:09 sepmd reap child pid: 18079
2019-09-09 12:02:09 sepmd sdn connector sepm-217 prepare to update
2019-09-09 12:02:09 sepmd sdn connector sepm-217 start updating
2019-09-09 12:02:09 sepm-217 sdn connector will retrieve token after 9526 secs
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 172.16.200.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 10.6.30.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 10.1.100.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format
2019-09-09 12:02:09 sepmd sdn connector sepm-217 start updating IP addresses
2019-09-09 12:02:09 sepmd checking firewall address object sepm-ip, vd 0
2019-09-09 12:02:09 sepmd sdn connector sepm-217 finish updating IP addresses
2019-09-09 12:02:09 sepmd reap child pid: 18089
2019-09-09 12:03:09 sepmd sdn connector sepm-217 prepare to update
2019-09-09 12:03:09 sepmd sdn connector sepm-217 start updating
2019-09-09 12:03:09 sepm-217 sdn connector will retrieve token after 9466 secs
2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 172.16.200.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 10.6.30.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 10.1.100.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:03:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format

To list the SEPM daemon SDN connectors:

# diagnose test application sepmd 1


sepm SDN connector list:
name: sepm-217, status: enabled, updater_interval: 60

To list the SEPM daemon SDN filters:

# diagnose test application sepmd 2


sepm SDN connector sepm-217 filter list:
name: sepm-ip, vd 0, filter 'ComputerName=win10-1'

RADIUS single sign-on agent

With RADIUS single sign-on (RSSO), a FortiGate can authenticate users who have authenticated on a remote RADIUS
server. Based on which user group the user belongs to, the security policy applies the appropriate UTM profiles.
The FortiGate does not interact with the remote RADIUS server; it only monitors RADIUS accounting records that the
server forwards (originating from the RADIUS client). These records include the user IP address and user group. The
remote RADIUS server sends the following accounting messages to the FortiGate:

Message   Action

Start     If the information in the start message matches the RSSO configuration on the
          FortiGate, the user is added to the local list of authenticated firewall users.

Stop      The user is removed from the local list of authenticated firewall users because the
          user session no longer exists on the RADIUS server.

You can configure an RSSO agent connector using the FortiOS GUI; however, in most cases, you will need to use the
CLI. There are some default options you may need to modify, which can only be done in the CLI.

To configure an RSSO agent connector:

1. Create the new connector:


a. Go to Security Fabric > External Connectors.
b. Click Create New.
c. In the Endpoint/Identity section, click RADIUS Single Sign-On Agent. The New Fabric Connector pane opens.
d. Enter the connector name.
e. Enable Use RADIUS Shared Secret.

The value entered in Use RADIUS Shared Secret must be identical to what the remote
RADIUS server uses to authenticate when it sends RADIUS accounting messages to
the FortiGate.

f. Enable Send RADIUS Responses.

You should enable Send RADIUS Responses because some RADIUS servers
continue to send the same RADIUS accounting message several times if there is no
response.

g. Click OK.
2. Edit the network interface:
a. Go to Network > Interfaces.
b. Double-click the interface that will receive the RADIUS accounting messages. The Edit Interface pane opens.
c. In the Administrative Access section, select the RADIUS Accounting checkbox. This opens port 1813 for listening
on this interface, so the FortiGate is ready to receive RADIUS accounting messages.
d. Click OK.
3. Create a local RSSO user group:
a. Go to User & Authentication > User Groups.
b. Click Create New.
c. Enter the group name.
d. For the Type field, click RADIUS Single-Sign-ON (RSSO).
e. Enter a value for RADIUS Attribute Value.
This value by default is the class attribute. The FortiGate uses the content of this attribute in RADIUS
accounting start messages to map a user to a FortiGate group, which then can be used in firewall policies.
In this example configuration, the FortiGate will only add a remote RADIUS user to the local firewall user list if
the class attribute in the RADIUS accounting START message contains the value group1.

If your users are in multiple groups, you will need to add multiple local RSSO user
groups.

If the RADIUS attribute value used to map users to a local RSSO group is different than
the RADIUS attribute in the RADIUS accounting messages forwarded by the server,
you must change it in the CLI.

f. Click OK.
4. Edit the local RSSO agent to modify default options using the CLI.
For example, the default value for rsso-endpoint-attribute might work in common remote access scenarios
where users are identified by their unique Calling-Station-Id, but in other scenarios the user name might be in
a different attribute.
config user radius
edit "Local RSSO Agent"
set rsso-endpoint-attribute <attribute>
set sso-attribute <attribute>
next
end

5. Add the local RSSO user group to a firewall policy.

Verifying the RSSO configuration

Verification requires a working remote RADIUS server configured for RADIUS accounting forwarding and wireless or
wired clients that use RADIUS for user authentication.
For a quick test, you can use one of the publicly available RADIUS test tools to send RADIUS accounting start and stop
messages to the FortiGate. You can also use radclient.

To verify the RSSO configuration:

1. In radclient, enter the RADIUS attributes. They are sent to the FortiGate IP address (accounting messages go to
port 1813) with the shared secret you configured; -x enables verbose output:
root@ControlPC:~# echo "Acct-Status-Type =Start,Framed-Ip-Address=10.1.100.185,User-Name=test2,Acct-Session-Id=0211a4ef,Class=group1,Calling-Station-Id=00-0c-29-44-BE-B8" | radclient -x 10.1.100.1 acct 123456
Sending Accounting-Request of id 180 to 10.1.100.1 port 1813
Acct-Status-Type = Start
Framed-IP-Address = 10.1.100.185
User-Name = "test2"
Acct-Session-Id = "0211a4ef"
Class = 0x67726f757031
Calling-Station-Id = "00-0c-29-44-BE-B8"
rad_recv: Accounting-Response packet from host 10.1.100.1 port 1813, id=180, length=20
root@ControlPC:~#

2. Verify that the user is in the local firewall user list with the correct type (rsso) and local firewall group (rsso-group1):
# diagnose firewall auth l

10.1.100.185, test2
type: rsso, id: 0, duration: 5, idled: 5
flag(10): radius
server: vdom1
packets: in 0 out 0, bytes: in 0 out 0
group_id: 3
group_name: rsso-group-1

----- 1 listed, 0 filtered ------
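The Start/Stop table and the radclient test above can be exercised without a RADIUS server. The following Python script is an added example, not FortiOS code: it feeds a constructed accounting Start and Stop message (the same attributes as the radclient test) to a small in-memory model of the local RSSO agent, which maps the sso-attribute (Class by default) to a local RSSO group and identifies the endpoint by the rsso-endpoint-attribute (Calling-Station-Id by default). The RssoAgent class and its method names are assumptions made for the illustration.

```python
"""Model of the FortiGate RSSO agent's Start/Stop handling: added example,
not FortiOS code.  The accounting messages are constructed in the
attribute-list form piped to radclient above; RssoAgent and its method
names are assumptions made for this illustration."""
import binascii
from typing import Dict, List

# Constructed accounting messages (same attribute values as the radclient test).
CONSTRUCTED_START = ("Acct-Status-Type=Start,Framed-Ip-Address=10.1.100.185,User-Name=test2,"
                     "Acct-Session-Id=0211a4ef,Class=group1,Calling-Station-Id=00-0c-29-44-BE-B8")
CONSTRUCTED_STOP = CONSTRUCTED_START.replace("Acct-Status-Type=Start", "Acct-Status-Type=Stop")


def parse_attribute_list(spec: str) -> Dict[str, str]:
    """Parse 'Attr=value,Attr2=value2'.  Attribute names are lower-cased so
    Framed-Ip-Address (as typed) and Framed-IP-Address (as radclient prints it)
    land on the same key."""
    attrs: Dict[str, str] = {}
    for item in spec.split(","):
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError("attribute without a name or '=': %r" % item)
        attrs[name.strip().lower()] = value.strip()
    return attrs


def decode_class(value: str) -> str:
    """radclient echoes Class as hex octets (0x67726f757031 is 'group1');
    the comparison with the group's RADIUS Attribute Value is on the text."""
    if value.lower().startswith("0x"):
        return binascii.unhexlify(value[2:]).decode("utf-8", "replace")
    return value


class RssoAgent:
    """In-memory stand-in for the local RSSO agent (assumed API)."""

    def __init__(self, sso_attribute: str = "Class",
                 endpoint_attribute: str = "Calling-Station-Id") -> None:
        # Defaults mirror sso-attribute / rsso-endpoint-attribute as described
        # above: Class selects the group, Calling-Station-Id identifies the endpoint.
        self.sso_attribute = sso_attribute.lower()
        self.endpoint_attribute = endpoint_attribute.lower()
        self.groups: Dict[str, str] = {}     # RADIUS attribute value -> local RSSO group
        self.sessions: Dict[str, dict] = {}  # endpoint -> authenticated firewall user

    def add_group(self, local_name: str, attribute_value: str) -> None:
        """Equivalent of a local RSSO user group with its RADIUS Attribute Value."""
        self.groups[attribute_value] = local_name

    def handle_accounting(self, attrs: Dict[str, str]) -> str:
        """Apply one accounting message and report the action taken."""
        endpoint = attrs.get(self.endpoint_attribute)
        if endpoint is None:
            return "ignored: no endpoint attribute"
        status = attrs.get("acct-status-type")
        if status == "Start":
            group = self.groups.get(decode_class(attrs.get(self.sso_attribute, "")))
            if group is None:   # no local RSSO group carries this value: not added
                return "ignored: no matching RSSO group"
            self.sessions[endpoint] = {"ip": attrs.get("framed-ip-address", ""),
                                       "user": attrs.get("user-name", ""),
                                       "group": group}
            return "added"
        if status == "Stop":
            if self.sessions.pop(endpoint, None) is None:
                return "ignored: unknown session"
            return "removed"
        return "ignored: unsupported Acct-Status-Type"

    def auth_list(self) -> List[str]:
        """One line per user, in the spirit of 'diagnose firewall auth list'."""
        return ["%s, %s (type: rsso, group_name: %s)" % (s["ip"], s["user"], s["group"])
                for s in sorted(self.sessions.values(), key=lambda s: s["ip"])]


if __name__ == "__main__":
    agent = RssoAgent()
    agent.add_group("rsso-group1", "group1")
    for message in (CONSTRUCTED_START, CONSTRUCTED_STOP):
        print(agent.handle_accounting(parse_attribute_list(message)), agent.auth_list())
```

A Start whose Class value has no local RSSO group is dropped, which is the first thing to check when diagnose firewall auth list stays empty after a test message; the hex form radclient prints (0x67726f757031) decodes to group1, so either spelling of the value matches the group.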

Exchange Server connector

FortiGate can collect additional information about authenticated users from corporate Microsoft Exchange Servers. After
a user logs in, the additional information can be viewed in various parts of the GUI.
The Exchange connector must be mapped to the LDAP server that is used for authentication.
The following attributes are retrieved:

l USER_INFO_FULL_NAME
l USER_INFO_FIRST_NAME
l USER_INFO_LAST_NAME
l USER_INFO_LOGON_NAME
l USER_INFO_TELEPHONE
l USER_INFO_EMAIL
l USER_INFO_USER_PHOTO
l USER_INFO_COMPANY
l USER_INFO_DEPARTMENT
l USER_INFO_GROUP
l USER_INFO_TITLE
l USER_INFO_MANAGER
l USER_INFO_STREET
l USER_INFO_POST_OFFICE_BOX
l USER_INFO_CITY
l USER_INFO_STATE
l USER_INFO_POSTAL_CODE
l USER_INFO_COUNTRY
l USER_INFO_ACCOUNT_EXPIRES

Kerberos Key Distribution Center (KDC) automatic discovery is enabled by default. The FortiGate must be able to use
DNS to resolve the KDC IP addresses, otherwise the FortiGate will be unable to retrieve additional user information from
the Exchange Server.
KDC automatic discovery can be disabled, and one or more internal IP addresses that the FortiGate can reach can be
configured for KDC.
The Override server IP address is enabled when the IP address of the Exchange server cannot be resolved by DNS and
must be entered manually.

To configure an Exchange connector in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.


2. In the Endpoint/Identity section, click Exchange Server.
3. Set Name to exchange140.
4. Set Exchange account to [email protected].
Administrator is the username, W2K8-SERV1 is the exchange server name, and FORTINET-FSSO.COM is the
domain name.
5. Set Password to the password.
6. Enable Override server IP address and set it to 10.1.100.140.
7. Ensure that Auto-discover KDC is enabled.

If Auto-discover KDC is disabled, one or more KDC IP addresses can be manually entered.
8. Click OK.

To link the connector to the LDAP server in the GUI:

1. Go to User & Authentication > LDAP Servers.


2. Edit an existing LDAP server, or click Create New to create a new one.
3. Enable Exchange server, and select the connector from the list.
4. Configure the remaining settings as required.

5. Click OK.

To configure an Exchange connector with automatic KDC discovery in the CLI:

config user exchange
edit "exchange140"
set server-name "W2K8-SERV1"
set domain-name "FORTINET-FSSO.COM"
set username "Administrator"
set password **********
set ip 10.1.100.140
set auto-discover-kdc enable
next
end

To link the connector to the LDAP server in the CLI:

config user ldap
edit "openldap"
set server "172.18.60.213"
set cnid "cn"
set dn "dc=fortinet-fsso,dc=com"
set type regular
set username "cn=Manager,dc=fortinet-fsso,dc=com"
set password **********
set group-member-check group-object
set group-object-filter "(&(objectclass=groupofnames)(member=*))"
set member-attr "member"
set user-info-exchange-server "exchange140"
next
end

Verification

To verify that KDC auto-discovery is working:

# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
# diagnose wad user exchange test-auto-discover
wad_diag_session_acceptor(3115): diag socket 20 accepted.
__wad_fmem_open(557): fmem=0x12490bd8, fmem_name='cmem 9188 bucket', elm_sz=9188, block_
sz=73728, overhead=0, type=advanced
Starting auto-discover test for all configured user-exchanges.
[NOTE]: If any errors are returned, try manually configuring IPs for the reported errors.

wad_rpc_nspi_test_autodiscover_kdc(1835): Starting DNS SRV request for srv(0x7f938e052050) query(_kerberos._udp.FORTINET-FSSO.COM)
wad_dns_send_srv_query(705): 1:0: sending DNS SRV request for remote peer _kerberos._
udp.FORTINET-FSSO.COM id=0
1: DNS response received for remote host _kerberos._udp.FORTINET-FSSO.COM req-id=0
wad_dns_parse_srv_resp(409): _kerberos._udp.FORTINET-FSSO.COM: resp_type(SUCCESS)
srv[0]: name(w2k12-serv1.fortinet-fsso.com) port(88) priority(0) weight(100)
addr[0]: 10.1.100.131
addr[1]: 10.6.30.131
addr[2]: 172.16.200.131
addr[3]: 2003::131
addr[4]: 2001::131
srv[1]: name(fsso-core-DC.Fortinet-FSSO.COM) port(88) priority(0) weight(100)
addr[0]: 10.6.30.16
addr[1]: 172.16.200.16
srv[2]: name(w2k12-serv1.Fortinet-FSSO.COM) port(88) priority(0) weight(100)
addr[0]: 10.1.100.131
addr[1]: 172.16.200.131
addr[2]: 10.6.30.131
addr[3]: 2001::131
addr[4]: 2003::131
wad_rpc_nspi_dns_on_discover_kdc_done(1787): Received response for DNS autodiscover req
(0x7f938dfe8050) query(_kerberos._udp.FORTINET-FSSO.COM) n_rsp(3)

Completed auto-discover test for all configured user-exchanges.

To check the collected information after the user has been authenticated:

1. In the GUI, go to Dashboard > Users & Devices, expand the Firewall Users widget, and hover over the user name.
2. In the CLI, run the following diagnose command:
# diagnose wad user info 20 test1
'username' = 'test1'
'sourceip' = '10.1.100.185'
'vdom' = 'root'
'cn' = 'test1'
'givenName' = 'test1'
'sn' = 'test101'
'userPrincipalName' = '[email protected]'
'telephoneNumber' = '604-123456'
'mail' = '[email protected]'
'thumbnailPhoto' = '/tmp/wad/user_info/76665fff62ffffffffffffffffffff75ff68fffffffffa'
'company' = 'Fortinet'
'department' = 'Release QA'
'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'streetAddress' = 'One Backend Street 1901'
'l' = 'Burnaby'
'st' = 'BC'
'postalCode' = '4711'
'co' = 'Canada'
'accountExpires' = '9223372036854

If the results are not as expected, verify what information FortiGate can collect from the Exchange Server:
# diagnose test application wad 2500
# diagnose test application wad 162

Threat feeds

The FortiGate dynamically imports an external list from an HTTP/HTTPS server in the form of a plain text file. The
imported list is then available as a threat feed, which can be used to enforce special security requirements, such as long-
term policies to always allow or block access to certain websites, or short-term requirements to block access to known
compromised locations. The threat feeds are dynamically synchronized and are updated periodically so that any
changes are immediately imported by FortiOS.

If the FortiGate loses connectivity with the external server, the threat feed will continue to
function despite the Connection Status error or reboot. However, the threat feed will not be
updated and no new entries will be added until the connection is re-established.

There are four types of threat feeds:

FortiGuard Category   The FortiGate dynamically imports a text file from an external server, which contains one URL
                      per line. See FortiGuard category threat feed on page 374 for more information.

IP Address            The FortiGate dynamically imports a text file from an external server, which contains one IP/IP
                      range/subnet per line. See IP address threat feed on page 377 for more information.

Domain Name           The FortiGate dynamically imports a text file from an external server, which contains one
                      domain per line. Simple wildcards are supported. See Domain name threat feed on page 380
                      for more information.

Malware Hash          The FortiGate dynamically imports a text file from an external server, which contains one hash
                      per line in the format <hex hash> [optional hash description]. Each line supports
                      MD5, SHA1, and SHA256 hex hashes. See Malware hash threat feed on page 381 for more
                      information.

External resources file format

File format requirements for an HTTP/HTTPS external resources file:
l The file is in plain text format with each URL, IP address, domain name, or malware hash occupying one line.
Comments can be added by using the number sign, for example: # This is a test.
l The file is limited to 10 MB or 128 K (128 × 1024 = 131072) entries, whichever limit is hit first.
l The entry limit also follows the table size limitation defined by CMDB per model.
l The external resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).
l The external resources types category (URL list) and domain (domain name list) share the category number
range 192 to 221 (a total of 30 categories).
l There is no duplicate entry validation for the external resources file (entries inside one file or across different files).
l If the number of entries exceeds the limit, a warning is displayed. Additional entries beyond the threshold will not be
loaded.
For domain name list (type = domain):
l Simple wildcards are allowed in the domain name list, for example: *.test.com.
l IDN (international domain name) is supported.

For IP address list (type = address):
l The IP address can be a single IP address, subnet address, or address range. For example, 192.168.1.1,
192.168.10.0/24, or 192.168.100.1-192.168.100.254.
l The address can be an IPv4 or IPv6 address. An IPv6 address does not need to be in [ ] format.
For URL list (type = category):
l The scheme is optional, and will be truncated if found; https:// and http:// are not required.
l Wildcards are allowed at the beginning or end of the URL, for example: *.domain.com or domain.com.*.
l IDN and UTF-encoded URLs are supported.
l The URL can be an IPv4 or IPv6 address. An IPv6 URL must be in [ ] format.
For malware hash list (type = malware):
l The malware hash list follows a strict format in order for its contents to be valid. Malware hash signature entries
must be separated into each line. A valid signature must follow this format:
# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1

# SHA1 Entry with hash description


a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2

# SHA256 Entry with hash description


ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1

# Entry without hash description


0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521

# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
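As an added example (not part of the Fortinet guide), the following Python script checks a feed file against the rules above before it is published to the FortiGate: a malware entry must be a hex MD5/SHA1/SHA256 digest followed by whitespace and an optional description, an address entry may be a single address, subnet, or range, a URL entry has its scheme stripped and must bracket an IPv6 host, # lines are comments, duplicates (which FortiOS does not reject) are reported, and entries past the 131072 limit are counted as truncated. The constants, function names, and the constructed sample are assumptions of this example; the sample reuses the malware-hash format lines shown above.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Limits documented for FortiOS 6.4 external resource files (constants assumed by this example).
MAX_ENTRIES = 128 * 1024                      # 131072 entries; anything beyond is not loaded
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_RE = re.compile(r"^([0-9a-fA-F]+)(?:\s+(\S.*))?$")  # hex digest, optional description
DOMAIN_RE = re.compile(r"^[^\s.]+(\.[^\s.]+)*$")          # dot-separated labels; '*' and IDN pass

@dataclass
class Report:
    valid: list = field(default_factory=list)       # entries FortiOS would accept
    invalid: list = field(default_factory=list)     # (line_no, entry, reason)
    duplicates: list = field(default_factory=list)  # (line_no, entry); FortiOS does not dedupe
    hash_types: set = field(default_factory=set)    # digest types seen in a malware list
    @property
    def truncated(self):      # entries past the per-file limit that FortiOS drops with a warning
        return max(0, len(self.valid) - MAX_ENTRIES)

    @property
    def mixed_hashes(self):   # more than one digest type: the guide warns this costs performance
        return len(self.hash_types) > 1

def _check_malware(entry):
    m = HASH_RE.match(entry)
    if not m:
        return None, "hex digest must be followed by whitespace or end of line"
    kind = HASH_LENGTHS.get(len(m.group(1)))
    return kind, None if kind else "hex length %d is not MD5, SHA1, or SHA256" % len(m.group(1))

def _check_address(entry):
    try:
        if "-" in entry:   # range: low-high, same address family, low <= high
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or lo > hi:
                return "range endpoints must be the same family and ordered"
        else:              # single address or subnet; IPv6 needs no brackets here
            ipaddress.ip_network(entry, strict=False)
        return None
    except ValueError as exc:
        return str(exc)

def _normalize_url(entry):
    # URL-list rules: the scheme is optional and truncated; an IPv6 host must be bracketed.
    url = re.sub(r"^https?://", "", entry, flags=re.IGNORECASE)
    host = url.split("/", 1)[0]
    if not host:
        return None, "URL has no host after removing the scheme"
    if host.startswith("["):
        try:
            ipaddress.IPv6Address(host[1:host.find("]")])
        except ValueError:
            return None, "bracketed host is not a valid IPv6 address"
    elif host.count(":") > 1:
        return None, "IPv6 URL must be in [ ] format"
    return url, None

def validate_feed(text, feed_type):
    """Validate a file of type category | address | domain | malware; return a Report."""
    rep, seen = Report(), set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):     # blank lines and '#' comments are skipped
            continue
        if feed_type == "malware":
            kind, err = _check_malware(line)
            if kind:
                rep.hash_types.add(kind)
            key = line.split()[0].lower()        # the description does not make a hash unique
        elif feed_type == "address":
            err, key = _check_address(line), line
        elif feed_type == "domain":
            err, key = (None if DOMAIN_RE.match(line) else "not a valid domain name"), line.lower()
        elif feed_type == "category":
            key, err = _normalize_url(line)
        else:
            raise ValueError("unknown feed type: %s" % feed_type)
        if err:
            rep.invalid.append((line_no, line, err))
            continue
        if key in seen:
            rep.duplicates.append((line_no, line))
        seen.add(key)
        rep.valid.append(line)
    return rep

# Constructed sample: the guide's malware-hash format examples, including the two invalid lines.
SAMPLE_MALWARE = """\
# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1
a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
"""
```

Running validate_feed(SAMPLE_MALWARE, "malware") accepts the four documented entries, rejects the two joined-description lines, and flags the list as mixing MD5, SHA1, and SHA256.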

To determine the external resource table size limit for your device:

# print tablesize
...
system.external-resource: 0 256 512
...

In this example, a FortiGate 60E has a global limit of 512 and a per-VDOM limit of 256. A FortiGate 60E can configure up
to 512 feeds. Each feed is limited to a maximum size of 10 MB or 131072 entries, whichever is reached first. The total
number of feeds is limited by the available memory on the device.

Configuring a threat feed

A threat feed can be configured on the Security Fabric > External Connectors page. After clicking Create New, there are
four threat feed options available: FortiGuard Category, IP Address, Domain Name, and Malware Hash.
This topic includes two example threat feed configurations:
l Configuring a basic threat feed
l Configuring threat feed authentication

Configuring a basic threat feed

The threat feed will periodically fetch entries from the URI using HTTP or HTTPS.

To configure the threat feed in the GUI:

1. Go to Security Fabric > External Connectors.
2. Click Create New.
3. In the Threat Feeds section, click on the required feed type.
4. Configure the connector settings:

Name Enter a name for the threat feed connector.

URI of external resource Enter the link to the external resource file. The file should be a plain text file
with one entry on each line.

HTTP basic authentication Enable/disable basic HTTP authentication. When enabled, enter the
username and password in the requisite fields. See Configuring threat feed
authentication for more information.

Refresh Rate The time interval to refresh the external resource, in minutes (1 - 43200,
default = 5).
The applicable threat feed will be triggered to refresh between 0 minutes and
the configured value. When the refresh is triggered, if another task is being
processed by the schedule worker, the refresh task will be added to the queue.

Comments Optionally, enter a description of the connector.

Status Enable/disable the connector.

5. Click OK.

To configure the threat feed in the CLI:

config system external-resource
    edit <name>
        set status {enable | disable}
        set type {category | address | domain | malware}
        set category <integer, 192-221>
        set username <string>
        set password <string>
        set comments <string>
        *set resource <resource-uri>
        set user-agent <string>
        set refresh-rate <integer>
        set source-ip <ip address>
        set interface-select-method {auto | sdwan | specify}
    next
end

The parameter marked with an asterisk (*) is mandatory and must be filled in. The category parameter must be set
when the type is either category or domain. Other parameters have either default values or are optional.

Configuring threat feed authentication

Threat feed external connectors support username and password authentication.

To enable username and password authentication in a threat feed connector:

1. Go to Security Fabric > External Connectors.
2. Click Create New, or edit an existing threat feed connector.
3. Enable HTTP basic authentication.
4. Enter the Username and Password.
5. Click OK.

Viewing the update history

To review the update history of a threat feed, go to Security Fabric > External Connectors, select a feed, and click Edit.
The Last Update field shows the date and time that the feed was last updated.
Click View Entries to view the current entries in the list.

FortiGuard category threat feed

A FortiGuard category threat feed is a dynamic list that contains URLs and is periodically updated from an external
server. The list is stored in text file format on an external server. After the FortiGate imports this list, it becomes available
as a category in the Remote Categories group of web filter profiles that can be used to allow, block, or monitor URLs
matching this category. A category threat feed can also be used solely or grouped with other categories to be used for
exemptions within an SSL/SSH profile that performs full SSL inspection.

Multiple custom categories can be defined by creating a FortiGuard Category threat feed for each category.
Text file example:
http://example/com.url
https://example.com/url
http://example.com:8080/url

The file contains one URL per line. See External resources file format for more information about the URL list formatting
style.

Example configuration

In this example, a list of URLs is imported using the FortiGuard category threat feed. The newly created threat feed is set
to block in the web filter profile, and the web filter profile is applied to a firewall policy. Any traffic that passes through the
FortiGate and matches the URLs in the threat feed list will be dropped.

To configure a FortiGuard category threat feed in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.
2. In the Threat Feeds section, click FortiGuard Category.
3. Set the Name to Custom-Remote-FGD.
4. Set the URI of external resource to https://192.168.10.13/Override_URLs.txt.
5. Configure the remaining settings as needed, then click OK.
6. Edit the connector, then click View Entries to view the URL in the feed, which is https://www.facebook.com.

To configure a FortiGuard category threat feed in the CLI:

config system external-resource
    edit "Custom-Remote-FGD"
        set type category
        set category 192
        set resource "https://192.168.10.13/Override_URLs.txt"
    next
end

To apply a FortiGuard category threat feed in a web filter profile:

1. Go to Security Profiles > Web Filter and create a new web filter profile, or edit an existing one.
2. Enable FortiGuard category based filter.
3. In the Remote Categories group, set the action for the Custom-Remote-FGD category to Block.
4. Configure the remaining settings as needed, then click OK.

To apply the web filter profile in a firewall policy:

1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
2. Configure the policy fields as required.
3. Under Security Profiles, enable Web Filter and select the profile used in the previous procedure.
4. Enable Log Allowed Traffic.
5. Click OK.

URLs that match the FortiGuard category threat feed list are rated as the category matching the corresponding
FortiGuard category threat feed, overriding their original domain rating.

To view the web filter logs:

1. Go to Log & Report > Web Filter.
2. View the log details in the GUI, or download the log file:
1: date=2023-02-06 time=09:31:04 eventtime=1675704664795395841 tz="-0800"
logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning"
vd="root" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy"
sessionid=509983 srcip=172.20.120.13 srcport=54645 srccountry="Reserved" srcintf="port2"
srcintfrole="undefined" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec"
dstip=157.240.3.35 dstport=443 dstcountry="United States" dstintf="port3"
dstintfrole="wan" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=6
httpmethod="GET" service="HTTPS" hostname="www.facebook.com" agent="Mozilla/5.0 (Windows
NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140
Safari/537.36 Edge/18.17763" profile="default" action="blocked" reqtype="referral"
url="https://www.facebook.com/"
referralurl="https://www.google.com/url?url=https://www.facebook.com/&q=facebook&rct=j&s
a=X&source=suggest&ct=res&oi=suggest_nav&usg=AOvVaw3XzIKieZE-
CH5KqZaBe775&oq=facebook&gs_l=heirloom-
hp..0.5j0i512i433i131i10l3j0i512i433i10l3j0i512i433i131i10l2j0i512i433i10.1716.3397.0.58
24.8.8.0.0.0.0.85.609.8.8.0....0...1ac.1.34.heirloom-hp..0.8.608.798UUeJkbN0"
sentbyte=527 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in
policy" ratemethod="domain" cat=192 catdesc="Custom-Remote-FGD"

Applying a FortiGuard category threat feed in an SSL/SSH profile

A FortiGuard category threat feed can be applied in an SSL/SSH profile where full SSL inspection mode is used.
The threat feed category can be selected in the exempt category list. HTTPS requests that match the URLs in the
threat feed list will be exempted from SSL deep inspection. This example uses the Custom-Remote-FGD threat
feed configured in the previous example.

To configure the SSL/SSH profile:

a. Go to Security Profiles > SSL/SSH Inspection and create a new profile, or edit an existing one.
b. Set the Inspection method to Full SSL Inspection.
c. In the Exempt from SSL Inspection section, locate Web categories. Click the + and add Custom-Remote-FGD
in the FORTIGUARD CATEGORY THREAT FEED section.
d. Enable Log SSL exemptions.
e. Click OK.

To apply the SSL/SSH inspection profile in a firewall policy:

a. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
b. Configure the policy fields as required.
c. Under Security Profiles, set SSL Inspection to the profile used in the previous procedure.
d. Enable Log Allowed Traffic.
e. Click OK.
URLs that match the FortiGuard category threat feed list are rated as the FortiGuard category threat feed, overriding
their original domain rating.

To view the SSL logs:

a. Go to Log & Report > SSL.
b. View the log details in the GUI, or download the log file:
1: date=2023-02-06 time=11:23:54 eventtime=1675711434094550877 tz="-0800"
logid="1701062009" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice"
vd="root" action="exempt" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad"
policytype="policy" sessionid=531331 service="SSL" profile="custom-deep-inspection"
srcip=172.20.120.13 srcport=52805 srccountry="Reserved" dstip=157.240.3.35
dstport=443 dstcountry="United States" srcintf="port2" srcintfrole="undefined"
dstintf="port3" dstintfrole="wan" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec"
dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=17 tlsver="tls1.3"
sni="www.facebook.com" cipher="0x1301" authalgo="ecdsa" kxproto="ecdhe"
eventsubtype="user-category" cat=192 catdesc="Custom-Remote-FGD"
hostname="www.facebook.com" msg="SSL connection is exempted based on user category
rating.

IP address threat feed

An IP address threat feed is a dynamic list that contains IPv4 and IPv6 addresses, address ranges, and subnets. The list
is periodically updated from an external server and is stored in text file format on that server. After the FortiGate
imports this list, it can be used as a source or destination in firewall policies and proxy policies. It can also be used as an
external IP block list in DNS filter profiles.
Text file example:
192.168.2.100
172.200.1.4/16
172.16.1.2/24
172.16.8.1-172.16.8.100
2001:0db8::eade:27ff:fe04:9a01/120
2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01

The file contains one IPv4 or IPv6 address, address range, or subnet per line. See External resources file format for
more information about the IP list formatting style.

Example configuration

In this example, a list of destination IP addresses is imported using the IP address threat feed. The newly created threat
feed is then used as a destination in a firewall policy with the action set to deny. Any traffic that passes through the
FortiGate and matches the defined firewall policy will be dropped.

To configure an IP address threat feed in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.
2. In the Threat Feeds section, click IP Address.
3. Set the Name to AWS_IP_Blocklist.
4. Set the URI of external resource to https://s3.us-east-2.amazonaws.com/ip-blocklist/ip.txt.
5. Configure the remaining settings as required, then click OK.
6. Edit the connector, then click View Entries to view the IP addresses in the feed.

To configure an IP address threat feed in the CLI:

config system external-resource
    edit "AWS_IP_Blocklist"
        set type address
        set resource "https://s3.us-east-2.amazonaws.com/ip-blocklist/ip.txt"
    next
end

To apply an IP address threat feed in a firewall policy:

1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
2. Configure the policy fields as required.
3. In the Destination field, click the + and select AWS_IP_Blocklist from the list (in the IP ADDRESS FEED section).
4. Set Action to DENY.
5. Enable Log Allowed Traffic.
6. Click OK.

Applying an IP address threat feed as an external IP block list in a DNS filter profile

An IP address threat feed can be applied by enabling External IP Block Lists in a DNS filter profile. Any DNS query that
passes through the FortiGate and resolves to any of the IP addresses in the threat feed list will be dropped.

To configure the DNS filter profile:

1. Go to Security Profiles > DNS Filter and create a new profile, or edit an existing one.
2. Enable External IP Block Lists.
3. Click the + and select AWS_IP_Blocklist from the list.
4. Click OK.

To apply the DNS filter profile in a firewall policy:

1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
2. Configure the policy fields as required.
3. Under Security Profiles, enable DNS Filter and select the profile used in the previous procedure.
4. Enable Log Allowed Traffic.
5. Click OK.

IP addresses that match the IP address threat feed list will be blocked.

To view the DNS query logs:

1. Go to Log & Report > DNS Query.
2. View the log details in the GUI, or download the log file:
1: date=2023-02-06 time=15:06:50 eventtime=1675724810452621179 tz="-0800"
logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning"
vd="root" policyid=0 sessionid=555999 srcip=172.20.120.13 srcport=59602
srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.20.120.12
dstport=53 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=17
profile="default" xid=24532 qname="dns.google" qtype="A" qtypeval=1 qclass="IN"
ipaddr="208.91.112.55" msg="Domain was blocked because it is in the domain-filter list"
action="redirect" domainfilteridx=0 domainfilterlist="AWS_IP_Block_list"

Domain name threat feed

A domain name threat feed is a dynamic list that contains domains and periodically updates from an external server. The
list is stored in a text file format on an external server. After the FortiGate imports this list, it becomes available as a
category in the Remote Categories group of DNS filter profiles that can be used to allow, block, or monitor domains
matching this category. Multiple custom categories can be defined by creating a domain name threat feed for each
category.
Text file example:
mail.*.example.com
*-special.example.com
www.*example.com
example.com

The file contains one domain name per line. See External resources file format for more information about the domain list
formatting style.

Example configuration

In this example, a list of domain names is imported using the domain name threat feed. The newly created threat feed is
set to monitor in the DNS filter profile, and the DNS filter profile is applied to a firewall policy. Any traffic that passes
through the FortiGate and matches any of the domain names in the threat feed list will be monitored.

To configure a domain name threat feed in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.
2. In the Threat Feeds section, click Domain Name.
3. Set the Name to Domain_monitor_list.
4. Set the URI of external resource to https://192.168.10.13/external_domain_list.txt.
5. Configure the remaining settings as required, then click OK.
6. Edit the connector, then click View Entries to view the domain names in the feed (fortinet.com and example.com).

To configure a domain name threat feed in the CLI:

config system external-resource
    edit "Domain_monitor_list"
        set type domain
        set category 194
        set resource "http://192.168.10.13/external_domain_list.txt"
    next
end

To apply a domain name threat feed in a DNS filter profile:

1. Go to Security Profiles > DNS Filter and create a new DNS filter profile, or edit an existing one.
2. Enable FortiGuard category based filter.
3. In the Remote Categories group, set the action for the Domain_monitor_list category to Monitor.
4. Configure the remaining settings as needed, then click OK.

To apply the DNS filter profile in a firewall policy:

1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
2. Configure the policy fields as required.
3. Under Security Profiles, enable DNS Filter and select the profile used in the previous procedure.
4. Enable Log Allowed Traffic.
5. Click OK.

Domains that match the domain threat feed list are rated as domain threat feed, overriding their original domain rating.

To view the DNS query logs:

1. Go to Log & Report > DNS Query.
2. View the log details in the GUI, or download the log file:
1: date=2023-02-03 time=10:44:16 eventtime=1675449856658521042 tz="-0800"
logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice"
vd="root" policyid=0 sessionid=265870 srcip=172.20.120.13 srcport=59662
srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.20.120.12
dstport=53 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=17
profile="default" xid=35624 qname="example.com" qtype="A" qtypeval=1 qclass="IN"
ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=194 catdesc="Domain_
monitor_list"
2: date=2023-02-03 time=10:44:08 eventtime=1675449848683418535 tz="-0800"
logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice"
vd="root" policyid=0 sessionid=265537 srcip=172.20.120.13 srcport=57434
srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.20.120.12
dstport=53 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=17
profile="default" xid=31194 qname="fortinet.com" qtype="A" qtypeval=1 qclass="IN"
ipaddr="3.1.92.70, 52.220.222.172" msg="Domain is monitored" action="pass" cat=194
catdesc="Domain_monitor_list"

Malware hash threat feed

A malware hash threat feed is a dynamic list that contains malware hashes and periodically updates from an external
server. The list is stored in text file format on an external server. After the FortiGate imports this list, it is automatically
used for virus outbreak prevention on antivirus profiles when Use external malware block list is enabled. Similar to
FortiGuard outbreak prevention, the malware hash threat feed is not supported in AV quick scan mode.
Text file example:
292b2e6bb027cd4ff4d24e338f5c48de
dda37961870ce079defbf185eeeef905 Trojan-Ransom.Win32.Locky.abfl
3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl
c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f Trojan-
Ransom.Win32.Locky.abfl

The file contains one malware hash per line. See External resources file format for more information about the malware
hash list formatting style.

For optimal performance, do not mix different hash types in the list. Use only one type: MD5, SHA1, or
SHA256.

Example configuration

In this example, a list of malware hashes is imported using the malware threat feed. The newly created threat feed is
applied to an antivirus profile, and the antivirus profile is applied to a firewall policy. Any traffic that passes through the
FortiGate and matches the malware hashes in the threat feed list will be dropped.

To configure a malware hash threat feed in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.
2. In the Threat Feeds section, click Malware Hash.
3. Set the Name to AWS_Malware_Hash.
4. Set the URI of external resource to https://s3.us-west-2.amazonaws.com/malware.txt.
5. Configure the remaining settings as required, then click OK.
6. Edit the connector, then click View Entries to view the hash list.

To configure a malware hash threat feed in the CLI:

config system external-resource
    edit "AWS_Malware_Hash"
        set type malware
        set resource "https://s3.us-west-2.amazonaws.com/malware.txt"
    next
end

To apply a malware hash threat feed in an antivirus profile:

1. Go to Security Profiles > AntiVirus and create a new antivirus profile, or edit an existing one.
2. Enable Use external malware block list.
3. Click the + and select AWS_Malware_Hash from the list.
4. Configure the remaining settings as needed, then click OK.

To apply the antivirus profile in a firewall policy:

1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
2. Configure the policy fields as required.
3. Under Security Profiles, enable AntiVirus and select the profile used in the previous procedure.
4. Set SSL Inspection to deep-inspection to inspect HTTPS traffic.
5. Enable Log Allowed Traffic.
6. Click OK.

To view the antivirus logs:

1. Go to Log & Report > AntiVirus.
2. View the log details in the GUI, or download the log file:
1: date=2023-02-03 time=15:42:41 eventtime=1675467761491047388 tz="-0800"
logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning"
vd="root" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy"
msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=293915
srcip=172.20.120.13 dstip=192.168.10.13 srcport=53515 dstport=80 srccountry="Reserved"
dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port3"
dstintfrole="wan" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstuuid="3342cb44-9140-
51ed-5dbe-8e0787bedeec" proto=6 direction="incoming" filename="test.jpg"
quarskip="Quarantine-disabled" virus="a1a74a39788854b75d454dc9c83c612b" viruscat="File
Hash" dtype="external-blocklist" filehash="a1a74a39788854b75d454dc9c83c612b"
filehashsrc="AWS_Malware_Hash" url="http://192.168.10.13/test.jpg" profile="default"
agent="curl/7.55.1" httpmethod="GET" analyticssubmit="false" crscore=10 craction=2
crlevel="medium"

To verify the scanunit daemon:

# diagnose sys scanunit file-hash list
malware 'a1a74a39788854b75d454dc9c83c612b' vf_id 0 uuid 15752 profile 'AWS_Malware_Hash'
description ''

The list of external hashes has been updated.
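To confirm from the logs that the feeds configured in the preceding sections are actually being consulted, the following Python snippet (an added example, not Fortinet code) parses FortiOS key=value log records and attributes each verdict to the threat feed named in the web filter (cat/catdesc), SSL exemption (eventsubtype=user-category), DNS filter (domainfilterlist or catdesc), and antivirus (dtype=external-blocklist, filehashsrc) logs shown above. The sample records are constructed and shortened from the guide's logs; the function names and the sixth, non-feed record are this example's assumptions.

```python
import re
from collections import Counter

# FortiOS log fields are key=value pairs; values are bare tokens or double-quoted
# strings that may contain spaces and '=' (for example, referralurl and agent).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
REMOTE_CATEGORIES = range(192, 222)   # category numbers shared by URL and domain feeds

def parse_fortios_log(line):
    """Parse one FortiOS log record into a dict; strips the 'N: ' index the GUI export adds."""
    line = re.sub(r"^\d+:\s*", "", line.strip())
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def attribute_feed(rec):
    """Return (feed_name, indicator) when an external threat feed decided the verdict,
    otherwise None. The field names follow the sample logs in this guide."""
    cat = rec.get("cat", "")
    remote = cat.isdigit() and int(cat) in REMOTE_CATEGORIES
    sub = rec.get("subtype")
    if sub == "webfilter" and remote:            # category feed in a web filter profile
        return rec.get("catdesc"), rec.get("url") or rec.get("hostname")
    if sub == "ssl" and remote and rec.get("eventsubtype") == "user-category":
        return rec.get("catdesc"), rec.get("sni")      # category feed as SSL exemption
    if sub == "dns":
        if rec.get("domainfilterlist"):          # IP address feed as external IP block list
            return rec["domainfilterlist"], rec.get("ipaddr")
        if remote:                               # domain name feed as remote DNS category
            return rec.get("catdesc"), rec.get("qname")
    if sub == "virus" and rec.get("dtype") == "external-blocklist":
        return rec.get("filehashsrc"), rec.get("filehash")   # malware hash feed in AV profile
    return None

def feed_hits(lines):
    """Tally verdicts per (feed, action) so a defender can confirm a newly configured
    feed is actually being consulted, and list each hit with its indicator."""
    hits, details = Counter(), []
    for line in lines:
        rec = parse_fortios_log(line)
        found = attribute_feed(rec) if rec else None
        if found is None:
            continue
        feed, indicator = found
        hits[(feed, rec.get("action"))] += 1
        details.append((feed, rec.get("subtype"), rec.get("action"), indicator))
    return hits, details

# Constructed sample records, shortened from the logs shown in this guide (same field names).
SAMPLE_LOGS = [
    '1: date=2023-02-06 time=09:31:04 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'policyid=1 srcip=172.20.120.13 dstip=157.240.3.35 hostname="www.facebook.com" '
    'action="blocked" url="https://www.facebook.com/" '
    'referralurl="https://www.google.com/url?url=https://www.facebook.com/&q=facebook" '
    'msg="URL belongs to a denied category in policy" cat=192 catdesc="Custom-Remote-FGD"',
    '2: date=2023-02-06 time=11:23:54 type="utm" subtype="ssl" eventtype="ssl-exempt" '
    'action="exempt" sni="www.facebook.com" eventsubtype="user-category" cat=192 '
    'catdesc="Custom-Remote-FGD"',
    '3: date=2023-02-06 time=15:06:50 type="utm" subtype="dns" eventtype="dns-response" '
    'qname="dns.google" ipaddr="208.91.112.55" action="redirect" domainfilteridx=0 '
    'domainfilterlist="AWS_IP_Block_list"',
    '4: date=2023-02-03 time=10:44:16 type="utm" subtype="dns" eventtype="dns-response" '
    'qname="example.com" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" '
    'cat=194 catdesc="Domain_monitor_list"',
    '5: date=2023-02-03 time=15:42:41 type="utm" subtype="virus" eventtype="malware-list" '
    'msg="Blocked by local malware list." action="blocked" dtype="external-blocklist" '
    'filehash="a1a74a39788854b75d454dc9c83c612b" filehashsrc="AWS_Malware_Hash"',
    # Constructed non-feed record: a category outside 192-221 is a regular FortiGuard rating.
    '6: date=2023-02-06 time=09:40:00 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'action="blocked" hostname="ads.example.test" cat=52 catdesc="Example-FortiGuard-Category"',
]
```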

Monitoring the Security Fabric using FortiExplorer for Apple TV

FortiExplorer for Apple TV allows you to use a TV screen to monitor your entire Security Fabric.
FortiExplorer for Apple TV is an analysis tool that provides easy to use NOC and SOC monitoring capabilities. The app
features real-time data traffic, visual alerts, as well as a general overview of hardware devices, operating systems, and
interfaces. The monitor also provides a wireless health summary of your entire network across multiple buildings. If an
access point goes offline, you will be notified about the network's health. After the issues are resolved, you will
immediately see the health update on your screen.

Getting started with FortiExplorer for Apple TV

Download FortiExplorer for Apple TV from the app store on Apple TV. After the app is installed, add devices using the
Apple TV remote or by sharing a login profile with FortiExplorer. Once the devices are added, you can use FortiExplorer
for Apple TV to view real-time data in the Network Operations Center, Security Operations Center, and Software-Defined
Branch.

To get started with FortiExplorer for Apple TV:

1. Download the app and add devices to FortiExplorer for Apple TV.
You can add devices by sharing a login profile with FortiExplorer or logging into the device directly on FortiExplorer
for Apple TV.
2. View the physical topology of the Fabric to identify risks.
3. View the Fabric components as seen on the root FortiGate.
4. View an executive summary of the three largest areas of security focus in the Security Fabric.
5. View data collected by FortiAnalyzer on the endpoints on your network.
6. View vulnerability data collected by FortiClient EMS.
7. Use the Software-Defined Branch module to monitor interface SD-WAN usage and associated service level
agreements.

NOC and SOC example

In this example, you have configured your FortiGates, FortiAnalyzer and other devices in your Security Fabric. Now you
want to use FortiExplorer for Apple TV to display the status of the devices on a TV in your Network Operation Center or
Security Operation Center.

Topology

This topology has a Headquarters and two Branches. Within the Headquarters are the Enterprise Core and two FortiGates
acting as ISFWs. In addition, an on-premise FortiAnalyzer collects all logging information from the fabric devices. The
FortiClient EMS manages all the endpoints within the topology.
The two branches are configured with SD-WAN with VPN overlays to the Enterprise Core. Traffic is steered towards the
overlays and underlays based on SD-WAN Rules.
Using FortiExplorer for Apple TV, you will be able to monitor the different components in this topology.

To take advantage of the views in the FortiExplorer for Apple TV, you should configure:
• Security Fabric on all FortiGates. See Configuring the root FortiGate and downstream FortiGates on page 144.
• FortiAnalyzer Logging. See Configuring FortiAnalyzer on page 150.
• FortiClient EMS. See Configuring FortiClient EMS on page 162.

Adding the root FortiGate to FortiExplorer for Apple TV

By adding the root FortiGate, you can view the entire topology and navigate to branch FortiGates in the SD-WAN view. If
you are already using FortiExplorer on a mobile device, you can connect the same FortiGate device to Apple TV by
sharing the login credentials on both devices. Alternatively, you can manually connect to your root FortiGate directly from
the app.

To share login credentials between FortiExplorer and FortiExplorer for Apple TV:

1. Connect the FortiExplorer and FortiExplorer for Apple TV devices to the same network.
2. On FortiExplorer for Apple TV, click New FortiGate.
3. In FortiExplorer, go to My Fabric.
4. Swipe right on the device you want to share, and tap Share Login Profile.
5. Tap Share to Apple TV.
6. On Apple TV, click Accept. FortiExplorer for Apple TV confirms the request and proceeds to the device main menu.

To add devices to FortiExplorer for Apple TV:

1. In the Devices menu, click New FortiGate. The Login to FortiGate dialog box is displayed.
2. In the IP Address/Host Name field, take one of the following actions:
   • Enter the device IP address and port, if not using the default admin port 443.
   • Enter the full host name including the domain. Enter the port if not using the default admin port 443.
3. Enter the Username and Password for the FortiGate device.
4. Click Remember to save time entering the login credentials later.
5. Click Login. The device is added to FortiExplorer for Apple TV.

If the IP or hostname is not defined in the CN or SAN field of your certificate, you will
receive a prompt that "Your connection is not private". You may choose to continue with
your connection.

Viewing the Fabric Topology monitor

Use the Fabric Topology monitor to view the physical topology of the Fabric to identify risks. FortiGate devices running
version 6.4 and above can drill down further to see additional information for devices such as FortiGates, FortiAPs, and
FortiSwitches.
To view the Fabric Topology monitor, go to Network Operations Center > Fabric Topology. This monitor displays the
same information as the Physical Topology on the FortiGate.

Use your remote to navigate through the devices in the Fabric topology. Click a device to view the drilldown information.
To return to the default view, click the Menu button.

Viewing the Fabric Overview monitor

Use the Fabric Overview monitor to view the Fabric components as seen on the Dashboard of the Fabric Root FortiGate
in the example topology. Each device must be authorized and be part of the Fabric.
For information about configuring the Security Fabric, see Fortinet Security Fabric on page 140.
To view the Fabric Overview monitor, go to Network Operations Center > Fabric Overview.

The Security Fabric monitor has multiple panes. To see data populated on the panes, ensure that proper configurations
are applied on the Fabric devices:

Fabric Connectors
  Description: Displays external SDN connectors that are enabled.
  Configuration: Configure Security Fabric > External Connectors.

Security Fabric Overview
  Description: Displays the number of devices in the topology.
  Configuration: Configure Security Fabric > Fabric Connectors.

Attack Surface
  Description: Displays devices detected by the FortiGate with a server tag.
  Configuration: Ensure Device Detection is configured on the interface(s). Go to Network > Interfaces.

Device Inventory
  Description: Displays devices based on Hardware Vendor and detected OS.
  Configuration: Ensure Device Detection is configured on the interface(s). Go to Network > Interfaces.

Endpoint Coverage
  Description: Displays the number of online devices and the percentage of Unscanned, Vulnerable, and Secured devices.
  Configuration: Ensure Device Detection is configured on the interface(s). Vulnerability scan results come from
  FortiClient EMS. Go to Network > Interfaces.

Device related information only corresponds to devices local to the FortiGate. Device
information from downstream FortiGates does not propagate to the upstream FortiGate.

Viewing the Security Rating monitor

The Security Rating monitor is separated into three major scorecards: Security Posture, Fabric Coverage, and
Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric.
To see the Security Rating summary, the root FortiGate and all FortiGates within the Fabric should have the proper
FortiGuard Security Rating license. Security rating is performed on the root FortiGate. Its reports are generated
periodically.
To view the Security Rating monitor, go to Network Operations Center > Security Rating.

The scorecards show an overall score of the performance and sub-categories. The point score represents the net score
for all passed and failed items in that area.
For more information about the Security Rating score, see Security Fabric score on page 242.

Viewing the Compromised Hosts monitor

The Compromised Hosts monitor leverages the data collected by FortiAnalyzer on the endpoints on your network. To
see compromised hosts, the FortiAnalyzer must have a FortiGuard Indicators of Compromise license. The IOC service
helps identify compromised hosts based on infected websites that it may have visited.
This monitor captures the same information as seen on the Compromised Hosts monitor on the FortiGate.


To view the Compromised Hosts monitor:

1. Go to Security Operations Center > Compromised Hosts.
2. In the left-hand pane, scroll through the user list. The monitor displays three panes:
   - The User Information pane displays the user's contact information and IP address.
   - The Topology View pane displays the user's location in the topology.
   - The Verdict View pane displays the Malware, Detected Method, and Security Action.

Viewing the Vulnerability Monitor

The Vulnerability Monitor obtains data from FortiClient EMS. It displays vulnerabilities detected by the FortiClient
endpoint, categorized into Critical, High, Medium and Low risk. In this example, an on-premise FortiClient EMS is
connected on the root FortiGate’s Fabric Connector.
This monitor captures the same information as seen on the Top Vulnerable Endpoint Devices monitor on the FortiGate.


To view the Vulnerability Monitor:

1. Go to Security Operations Center > Vulnerability Monitor. The monitor displays a user list and their vulnerabilities.
2. Use your remote to scroll through the user list. The vulnerability details are displayed on the right side of the monitor.
   - The User Information pane displays the user's contact details and IP address.
   - The Vulnerability Summary pane displays the number of vulnerabilities categorized into Critical, High, Medium and
     Low risk.
   - The Topology View pane displays the user's location in the topology.
   - The Top Vulnerabilities pane displays the top vulnerabilities by severity.

Using the SD-WAN monitor

In the example topology, the branches are configured to use SD-WAN. You can use the top-right navigation menu in the
SD-WAN monitor to navigate to the Branch FortiGate to display information about the SD-WAN.
To view the SD-WAN monitor, go to Software-Defined Branch > SD-WAN Monitor.
The SD-WAN monitor summarizes the SD-WAN members, Zones, SD-WAN Rules and health checks deployed on the
FortiGate. It shows the interface member's SD-WAN usage and its associated service level agreements. The monitor
contains a chart that shows if the ports are meeting the SLA target for bandwidth, jitter and latency per the health check
in use in each SD-WAN Rule.


Some of the SD-WAN statistics are only available in FOS 6.4.1 and higher.

To view SD-WAN usage charts:

1. In the SD-WAN Overview area, use your remote to select the SD-WAN Usage pane.
2. Scroll left and right to view Bandwidth, Volume and Sessions charts for the VIRTUAL-WAN-LINK and Underlay
   interfaces in the SD-WAN Zones pane.

To view SLA targets:

1. In the SD-WAN Rules area, use your remote to scroll the rules pane on the left side of the monitor.
   - The Destinations pane displays the destination details.
   - The Performance SLA pane displays the SLA targets for the rule.
   - The SD-WAN Active Interface pane displays a checkmark next to the active interface.
2. Use your remote to navigate between the Latency, Jitter, and Packet Loss charts.

To view a branch in the topology:

1. Use your remote to swipe to the top navigation in the monitor. Wait for the topology to load.
2. At the top-right of the monitor, select the current device.

3. Select the device you want to view.

Troubleshooting

The following topics provide troubleshooting information for the Fortinet Security Fabric:
- Viewing a summary of all connected FortiGates in a Security Fabric on page 396
- Diagnosing automation stitches on page 398

Viewing a summary of all connected FortiGates in a Security Fabric

In downstream FortiGates, the diagnose sys csf global command shows a summary of all of the connected
FortiGates in the Security Fabric.

To view a Security Fabric summary on a downstream FortiGate:

# diagnose sys csf global
Current vision:
[
{
"path":"FGVM01TM19000001",
"mgmt_ip_str":"104.196.102.183",
"mgmt_port":10403,
"sync_mode":1,
"saml_role":"identity-provider",
"admin_port":443,
"serial":"FGVM01TM19000001",
"host_name":"admin-root",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":1010,
"subtree_members":[
{
"serial":"FGVM01TM19000002"
},
{
"serial":"FGVM01TM19000003"
},
{
"serial":"FGVM01TM19000004"
},
{
"serial":"FGVM01TM19000005"
}
]
},
{
"path":"FGVM01TM19000001:FGVM01TM19000002",
"mgmt_ip_str":"104.196.102.183",
"mgmt_port":10423,
"sync_mode":1,
"saml_role":"service-provider",
"admin_port":443,
"serial":"FGVM01TM19000002",
"host_name":"Branch_Office_01",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":1010,

"upstream_intf":"Branch-HQ-A",
"upstream_serial":"FGVM01TM19000001",
"parent_serial":"FGVM01TM19000001",
"parent_hostname":"admin-root",
"upstream_status":"Authorized",
"upstream_ip":22569994,
"upstream_ip_str":"10.100.88.1",
"subtree_members":[
],
"is_discovered":true,
"ip_str":"10.0.10.2",
"downstream_intf":"To-HQ-A",
"idx":1
},
{
"path":"FGVM01TM19000001:FGVM01TM19000003",
"mgmt_ip_str":"104.196.102.183",
"mgmt_port":10407,
"sync_mode":1,
"saml_role":"service-provider",
"admin_port":443,
"serial":"FGVM01TM19000003",
"host_name":"Enterprise_Second_Floor",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":1010,
"upstream_intf":"port3",
"upstream_serial":"FGVM01TM19000001",
"parent_serial":"FGVM01TM19000001",
"parent_hostname":"admin-root",
"upstream_status":"Authorized",
"upstream_ip":22569994,
"upstream_ip_str":"10.100.88.1",
"subtree_members":[
],
"is_discovered":true,
"ip_str":"10.100.88.102",
"downstream_intf":"port1",
"idx":2
},
{
"path":"FGVM01TM19000001:FGVM01TM19000004",
"mgmt_ip_str":"104.196.102.183",
"mgmt_port":10424,
"sync_mode":1,
"saml_role":"service-provider",
"admin_port":443,
"serial":"FGVM01TM19000004",
"host_name":"Branch_Office_02",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":1010,
"upstream_intf":"HQ-MPLS",
"upstream_serial":"FGVM01TM19000001",

"parent_serial":"FGVM01TM19000001",
"parent_hostname":"admin-root",
"upstream_status":"Authorized",
"upstream_ip":22569994,
"upstream_ip_str":"10.100.88.1",
"subtree_members":[
],
"is_discovered":true,
"ip_str":"10.0.12.3",
"downstream_intf":"To-HQ-MPLS",
"idx":3
},
{
"path":"FGVM01TM19000001:FGVM01TM19000005",
"mgmt_ip_str":"104.196.102.183",
"mgmt_port":10404,
"sync_mode":1,
"saml_role":"service-provider",
"admin_port":443,
"serial":"FGVM01TM19000005",
"host_name":"Enterprise_First_Floor",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":1010,
"upstream_intf":"port3",
"upstream_serial":"FGVM01TM19000001",
"parent_serial":"FGVM01TM19000001",
"parent_hostname":"admin-root",
"upstream_status":"Authorized",
"upstream_ip":22569994,
"upstream_ip_str":"10.100.88.1",
"subtree_members":[
],
"is_discovered":true,
"ip_str":"10.100.88.101",
"downstream_intf":"port1",
"idx":4
}
]
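The JSON array above can be parsed rather than read by hand. The following Python script is an added example, not FortiOS or Fortinet code: it takes a constructed, shortened copy of the diagnose sys csf global output (with the third device's firmware values altered so there is something to flag), prints the Fabric topology from the path fields, and reports any downstream member whose upstream_status is not Authorized or whose firmware differs from the root's.

```python
"""Summarize 'diagnose sys csf global' output (added example, not Fortinet code).

The command prints a JSON array after a 'Current vision:' banner. Each element is
one FortiGate; 'path' is the chain of serials from the root down to that device.
SAMPLE_OUTPUT is a constructed, shortened copy of the output shown above.
"""
import json

SAMPLE_OUTPUT = """\
Current vision:
[
{
"path":"FGVM01TM19000001",
"serial":"FGVM01TM19000001",
"host_name":"admin-root",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":1010,
"subtree_members":[{"serial":"FGVM01TM19000002"},{"serial":"FGVM01TM19000003"}]
},
{
"path":"FGVM01TM19000001:FGVM01TM19000002",
"serial":"FGVM01TM19000002",
"host_name":"Branch_Office_01",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":1010,
"upstream_status":"Authorized",
"subtree_members":[]
},
{
"path":"FGVM01TM19000001:FGVM01TM19000003",
"serial":"FGVM01TM19000003",
"host_name":"Enterprise_Second_Floor",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":1,
"firmware_version_build":1100,
"upstream_status":"Authorized",
"subtree_members":[]
}
]
"""


def parse_csf_global(text):
    """Return the list of device records; everything before the first '[' is banner text."""
    return json.loads(text[text.index("["):])


def firmware(rec):
    """Firmware as a (major, minor, patch, build) tuple so versions compare directly."""
    return tuple(rec["firmware_version_" + k] for k in ("major", "minor", "patch", "build"))


def fabric_tree(records):
    """Indented 'host_name (serial)' lines; depth is the number of ':' in 'path'."""
    return [
        "  " * rec["path"].count(":") + f"{rec['host_name']} ({rec['serial']})"
        for rec in sorted(records, key=lambda r: r["path"])
    ]


def audit_fabric(records):
    """Findings: unauthorized upstream link, firmware differing from the root,
    or a serial listed in subtree_members that has no record of its own."""
    root = next(r for r in records if ":" not in r["path"])
    known = {r["serial"] for r in records}
    findings = []
    for rec in records:
        if rec is not root:
            status = rec.get("upstream_status")
            if status != "Authorized":
                findings.append(f"{rec['host_name']}: upstream_status is {status!r}")
            if firmware(rec) != firmware(root):
                findings.append(
                    f"{rec['host_name']}: firmware {firmware(rec)} differs from root {firmware(root)}"
                )
        for member in rec["subtree_members"]:
            if member["serial"] not in known:
                findings.append(f"{rec['host_name']}: child {member['serial']} has no record")
    return findings


if __name__ == "__main__":
    devices = parse_csf_global(SAMPLE_OUTPUT)
    print("\n".join(fabric_tree(devices)))
    for finding in audit_fabric(devices):
        print("FINDING:", finding)
```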

Diagnosing automation stitches

Diagnose commands are available to:
- Test an automation stitch
- Enable or disable log dumping for automation stitches
- Display the settings of every automation stitch
- Display statistics on every automation stitch

To test an automation stitch:

diagnose automation test <automation-stitch-name>

Example:

# diagnose automation test HA-failover
automation test is done. stitch:HA-failover

To toggle log dumping:

diagnose test application autod 1

Examples:
# diagnose test application autod 1
autod log dumping is enabled
# diagnose test application autod 1
autod log dumping is disabled

autod logs dumping summary:
autod dumped total:7 logs, num of logids:4

To display the settings for all of the automation stitches:

diagnose test application autod 2

Example:
# diagnose test application autod 2
csf: enabled root:yes
total stitches activated: 3

stitch: Compromised-IP-Banned
destinations: all
trigger: Compromised-IP-Banned

local hit: 0 relayed to: 0 relayed from: 0


actions:
Compromised-IP-Banned_ban-ip type:ban-ip interval:0

stitch: HA-failover
destinations: HA-failover_ha-cluster_25;
trigger: HA-failover

local hit: 0 relayed to: 0 relayed from: 0


actions:
HA-failover_email type:email interval:0
subject: HA Failover
mailto:[email protected];

stitch: rebooot
destinations: all
trigger: reboot

local hit: 0 relayed to: 0 relayed from: 0


actions:
action1 type:alicloud-function interval:0
delay:1 required:yes
Account ID: id
Region: region
Function domain: fc.aliyuncs.com
Version: versoin
Service name: serv
Function name: funcy
headers:

To display statistics on all of the automation stitches:

diagnose test application autod 3

Example:
stitch: Compromised-IP-Banned
local hit: 0 relayed to: 0 relayed from: 0
last trigger:Wed Dec 31 20:00:00 1969
last relay:Wed Dec 31 20:00:00 1969
actions:
Compromised-IP-Banned_ban-ip:
done: 1 relayed to: 0 relayed from: 0
last trigger:Wed Dec 31 20:00:00 1969
last relay:

stitch: HA-failover
local hit: 0 relayed to: 0 relayed from: 0
last trigger:Thu May 24 11:35:22 2018
last relay:Thu May 24 11:35:22 2018
actions:
HA-failover_email:
done: 1 relayed to: 1 relayed from: 1
last trigger:Thu May 24 11:35:22 2018
last relay:Thu May 24 11:35:22 2018

stitch: rebooot
local hit: 2 relayed to: 1 relayed from: 1
last trigger:Fri May 3 13:30:56 2019
last relay:Fri May 3 13:30:23 2019
actions:
action1
done: 1 relayed to: 0 relayed from: 0
last trigger:Fri May 3 13:30:56 2019
last relay:

logid2stitch mapping:
id:20103 local hit: 0 relayed to: 0 relayed from: 0
License Expiry
lambada

id:32138 local hit: 2 relayed to: 1 relayed from: 1
Compromised-IP-Banned
HA-failover
rebooot

action run cfg&stats:
total:2 cur:0 done:1 drop:1
email:
flags:10
stats: total:1 cur:0 done:1 drop:0
ios-notification:
flags:1
stats: total:0 cur:0 done:0 drop:0
alert:
flags:0
stats: total:0 cur:0 done:0 drop:0
disable-ssid:
flags:7
stats: total:0 cur:0 done:0 drop:0
quarantine:
flags:7
stats: total:0 cur:0 done:0 drop:0
quarantine-forticlient:
flags:4
stats: total:0 cur:0 done:0 drop:0
quarantine-nsx:
flags:4
stats: total:0 cur:0 done:0 drop:0
ban-ip:
flags:7
stats: total:0 cur:0 done:0 drop:0
aws-lambda:
flags:11
stats: total:0 cur:0 done:0 drop:0
webhook:
flags:11
stats: total:0 cur:0 done:0 drop:0
cli-script:
flags:10
stats: total:0 cur:0 done:0 drop:0
azure-function:
flags:11
stats: total:1 cur:0 done:0 drop:1
google-cloud-function:
flags:11
stats: total:0 cur:0 done:0 drop:0
alicloud-function:
flags:11
stats: total:0 cur:0 done:0 drop:0
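When these counters are collected periodically, the interesting values are the stitches that have never fired and the action types whose runs were dropped (azure-function above shows total:1 drop:1). The following Python script is an added example, not Fortinet code: it parses a constructed excerpt of the diagnose test application autod 3 output shown above and reports both conditions.

```python
"""Parse 'diagnose test application autod 3' output (added example, not Fortinet code).

SAMPLE is a constructed excerpt of the output shown above: two stitch blocks and
part of the 'action run cfg&stats' section. A 'last trigger' in 1969 is Unix time
zero rendered in a UTC-4 zone, i.e. no trigger time has been stored.
"""
import re

SAMPLE = """\
stitch: Compromised-IP-Banned
local hit: 0 relayed to: 0 relayed from: 0
last trigger:Wed Dec 31 20:00:00 1969
last relay:Wed Dec 31 20:00:00 1969
actions:
Compromised-IP-Banned_ban-ip:
done: 1 relayed to: 0 relayed from: 0
last trigger:Wed Dec 31 20:00:00 1969
last relay:

stitch: HA-failover
local hit: 0 relayed to: 0 relayed from: 0
last trigger:Thu May 24 11:35:22 2018
last relay:Thu May 24 11:35:22 2018
actions:
HA-failover_email:
done: 1 relayed to: 1 relayed from: 1
last trigger:Thu May 24 11:35:22 2018
last relay:Thu May 24 11:35:22 2018

action run cfg&stats:
total:2 cur:0 done:1 drop:1
email:
flags:10
stats: total:1 cur:0 done:1 drop:0
azure-function:
flags:11
stats: total:1 cur:0 done:0 drop:1
"""

STATS_MARKER = "action run cfg&stats:"
# One action type in the stats section: a name line, a flags line, then its stats line.
ACTION_STATS_RE = re.compile(
    r"^(\S+):\nflags:(\d+)\nstats: total:(\d+) cur:(\d+) done:(\d+) drop:(\d+)", re.M
)


def parse_stitches(text):
    """{stitch name: {'local_hit': int, 'last_trigger': str}} from the stitch blocks.

    The first 'last trigger' in a block belongs to the stitch itself; later ones
    belong to its actions, so re.search (first match) picks the right line.
    """
    head = text.split(STATS_MARKER)[0]
    stitches = {}
    for block in re.split(r"^stitch: ", head, flags=re.M)[1:]:
        name, _, body = block.partition("\n")
        hit = re.search(r"^local hit: (\d+)", body, re.M)
        trigger = re.search(r"^last trigger:(.*)$", body, re.M)
        stitches[name.strip()] = {
            "local_hit": int(hit.group(1)),
            "last_trigger": trigger.group(1).strip(),
        }
    return stitches


def parse_action_stats(text):
    """{action type: {'flags', 'total', 'cur', 'done', 'drop'}} from the stats section."""
    tail = text.split(STATS_MARKER, 1)[1]
    keys = ("flags", "total", "cur", "done", "drop")
    return {
        m.group(1): dict(zip(keys, map(int, m.groups()[1:])))
        for m in ACTION_STATS_RE.finditer(tail)
    }


def never_triggered(last_trigger):
    """Empty or epoch-zero (1969) timestamps mean no trigger has been recorded."""
    return last_trigger == "" or last_trigger.endswith("1969")


def audit_autod(text):
    """Stitches with no recorded trigger and action types with dropped runs."""
    findings = []
    for name, info in parse_stitches(text).items():
        if never_triggered(info["last_trigger"]):
            findings.append(f"stitch {name}: no trigger recorded")
    for name, s in parse_action_stats(text).items():
        if s["drop"] > 0:
            findings.append(f"action type {name}: {s['drop']} of {s['total']} runs dropped")
    return findings


if __name__ == "__main__":
    for finding in audit_autod(SAMPLE):
        print("FINDING:", finding)
```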

Network

The following topics provide information about network settings:
- Interfaces on page 402
- DNS on page 458
- Explicit and transparent proxies on page 471
- SD-WAN on page 675
- DHCP servers and relays on page 525
- Static routing on page 534
- Dynamic routing on page 559
- Multicast on page 609
- FortiExtender on page 614
- Direct IP support for LTE/4G on page 618
- LLDP reception on page 621
- Virtual routing and forwarding on page 624
- NetFlow on page 646
- sFlow on page 660
- IPv6 on page 662

Interfaces

Physical and virtual interfaces allow traffic to flow between internal networks, and between the internet and internal
networks. FortiGate has options for setting up interfaces and groups of subnetworks that can scale as your organization
grows. You can create and edit VLANs, EMAC-VLANs, switch interfaces, zones, and so on.
The following topics provide information about interfaces:
- Interface settings on page 403
- Aggregation and redundancy on page 406
- VLANs on page 408
- Enhanced MAC VLANs on page 414
- Inter-VDOM routing on page 417
- Software switch on page 423
- Hardware switch on page 425
- Zone on page 428
- Virtual Wire Pair on page 430
- Virtual VLAN switch on page 431
- Failure detection for aggregate and redundant interfaces on page 437
- VLAN inside VXLAN on page 438
- Virtual Wire Pair with VXLAN on page 440
- QinQ 802.1Q in 802.1ad on page 442
- QinQ 802.1Q in 802.1Q on page 443
- Assign a subnet with the FortiIPAM service on page 445
- Implementing VRF on page 624
- Interface MTU packet size on page 452
- One-arm sniffer on page 454
- Captive portals on page 455

Interface settings

Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different
options for configuring interfaces when FortiGate is in NAT mode or transparent mode.

To configure an interface in the GUI:

1. Go to Network > Interfaces.
2. Click Create New > Interface.
3. Configure the interface fields:

Interface Name
    Physical interface names cannot be changed.

Alias
    Enter an alternate name for a physical interface on the FortiGate unit. This field appears when you edit an
    existing physical interface. The alias does not appear in logs.
    The maximum length of the alias is 25 characters.

Type
    The configuration type for the interface, such as VLAN or Software Switch.

Link Status
    Indicates whether the interface is connected to a network or not (link status is up or down). This field is
    available when you edit an existing physical interface.

Interface
    This field is available when Type is set to VLAN.
    Select the name of the physical interface that you want to add a VLAN interface to. Once created, the VLAN
    interface is listed below its physical interface in the Interface list.
    You cannot change the physical interface of a VLAN interface except when you add a new VLAN interface.

VLAN ID
    This field is available when Type is set to VLAN.
    Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the
    IEEE 802.1Q-compliant router or switch that is connected to the VLAN subinterface.
    The VLAN ID cannot be edited after the interface is added.

Virtual Domain
    Select the virtual domain to add the interface to.
    Only administrator accounts with the super_admin profile can change the Virtual Domain.

Role
    Set the role for the interface. Different settings are shown or hidden when editing an interface depending on
    the role.
    - LAN: Used to connect to a local network of endpoints. It is the default role for new interfaces.
    - WAN: Used to connect to the internet. When WAN is selected, the Estimated bandwidth setting is available, and
      the following settings are not: DHCP server, Create address object matching subnet, Device detection,
      Security mode, One-arm sniffer, Dedicate to extension/fortiap modes, and Admission Control.
    - DMZ: Used to connect to the DMZ. When selected, DHCP server and Security mode are not available.
    - Undefined: The interface has no specific role. When selected, Create address object matching subnet is not
      available.
Interface Members
    This section has different formats depending on the Type:
    Software Switch: This field is read-only, and shows the interfaces that belong to the virtual interface of the
    software switch.
    802.3ad Aggregate or Redundant Interface: This field includes the available and selected interface lists.

Addressing mode
    Select the addressing mode for the interface.
    - Manual: Add an IP address and netmask for the interface. If IPv6 configuration is enabled, you can add both an
      IPv4 and an IPv6 address.
    - DHCP: Get the interface IP address and other network settings from a DHCP server.
    - PPPoE: Get the interface IP address and other network settings from a PPPoE server. This option is only
      available on the low-end FortiGate models.
    - Auto-managed by FortiIPAM: Assign subnets to prevent duplicate IP addresses from overlapping within the same
      Security Fabric. See Assign a subnet with the FortiIPAM service on page 445.
    - One-Arm Sniffer: Set the interface as a sniffer port so it can be used to detect attacks.

IP/Netmask
    If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask for the interface. FortiGate
    interfaces cannot have multiple IP addresses on the same subnet.

IPv6 Address/Prefix
    If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and subnet mask for the
    interface. A single interface can have an IPv4 address, IPv6 address, or both.

Create address object matching subnet
    This option is available when Role is set to LAN or DMZ.
    Enable this option to automatically create an address object that matches the interface subnet.

Secondary IP Address
    Add additional IPv4 addresses to this interface.

IPv4 Administrative Access
    Select the types of administrative access permitted for IPv4 connections to this interface. See Configure
    administrative access to interfaces on page 405.

IPv6 Administrative Access
    Select the types of administrative access permitted for IPv6 connections to this interface. See Configure
    administrative access to interfaces on page 405.

DHCP Server
    Select to enable a DHCP server for the interface.

Device Detection
    Enable/disable passively gathering device identity information about the devices on the network that are
    connected to this interface.

Security Mode
    Enable/disable captive portal authentication for this interface. After enabling captive portal authentication,
    you can configure the authentication portal, user and group access, custom portal messages, exempt sources and
    destinations/services, and redirect after captive portal.

Outbound shaping profile
    Enable/disable traffic shaping on the interface. This allows you to enforce bandwidth limits on individual
    interfaces. See Interface-based traffic shaping profile on page 1270 for more information.

Comments
    Enter a description of the interface of up to 255 characters.

Status
    Enable/disable the interface.
    - Enabled: The interface is active and can accept network traffic.
    - Disabled: The interface is not active and cannot accept traffic.

4. Click OK.

To configure an interface in the CLI:

config system interface
    edit "<Interface_Name>"
        set vdom "<VDOM_Name>"
        set mode {static | dhcp | pppoe}
        set ip <IP_address> <netmask>
        set security-mode {none | captive-portal}
        set egress-shaping-profile <Profile_name>
        set device-identification {enable | disable}
        set allowaccess ping https ssh http
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 9.1.1.2 255.255.255.0
                set allowaccess ping https ssh snmp http
            next
        end
    next
end

Configure administrative access to interfaces

You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure
access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing
interfaces that you don't want them to access, such as public-facing ports.
As a best practice, you should configure administrative access when you're setting the IP address for a port.


To configure administrative access to interfaces in the GUI:

1. Go to Network > Interfaces.
2. Create or edit an interface.
3. In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.

HTTPS
    Allow secure HTTPS connections to the FortiGate GUI through this interface. If configured, this option is
    enabled automatically.

HTTP
    Allow HTTP connections to the FortiGate GUI through this interface. This option can only be enabled if HTTPS is
    already enabled.

PING
    The interface responds to pings. Use this setting to verify your installation and for testing.

FMG-Access
    Allow FortiManager authorization automatically during the communication exchanges between FortiManager and
    FortiGate devices.

SSH
    Allow SSH connections to the CLI through this interface.

SNMP
    Allow a remote SNMP manager to request SNMP information by connecting to this interface.

FTM
    Allow FortiToken Mobile Push (FTM) access.

RADIUS Accounting
    Allow RADIUS accounting information on this interface.

Security Fabric Connection
    Allow Security Fabric access. This enables FortiTelemetry and CAPWAP.
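A configuration backup can be checked for these settings instead of reviewing each interface in the GUI. The following Python script is an added example, not Fortinet code: it parses the config system interface section of a constructed FortiOS configuration (including a secondaryip table, which carries its own allowaccess list) and flags any WAN-role interface that allows more than ping, and any address on which cleartext HTTP administration is enabled. The "ping only on WAN" policy is an assumption made for the example.

```python
"""Audit administrative access in a FortiOS config (added example, not Fortinet code).

The parser follows the CLI grammar used throughout this guide: 'config' opens a
table, 'edit' opens an entry, 'set' stores values, 'next' closes the entry and
'end' closes the table (and any entry still open, as in the examples that finish
with 'end' directly). SAMPLE_CONFIG is constructed for this example.
"""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
        set role lan
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.1.2.1 255.255.255.0
                set allowaccess ping http
            next
        end
    next
    edit "port3"
        set vdom "root"
        set ip 10.1.3.1 255.255.255.0
        set allowaccess ping
        set role dmz
end
"""

# Assumed policy for this example: an internet-facing interface answers ping only.
WAN_ALLOWED = {"ping"}


def parse_fortios_config(text):
    """Nested dicts: {table: {entry: {setting: [values], subtable: {...}}}}."""
    root = {}
    stack = [("root", root)]  # (frame kind, dict that 'set' writes into)
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words or words[0].startswith("#"):
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            table = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("config", table))
        elif kw == "edit":
            entry = stack[-1][1].setdefault(args[0], {})
            stack.append(("edit", entry))
        elif kw == "set":
            stack[-1][1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1][1].pop(args[0], None)
        elif kw == "next":
            stack.pop()
        elif kw == "end":
            while stack.pop()[0] != "config":  # also closes an entry left open
                pass
    return root


def audit_admin_access(config):
    """Findings for each interface and for each of its secondary IPs."""
    findings = []
    for name, intf in config.get("system interface", {}).items():
        role = intf.get("role", ["undefined"])[0]
        scopes = [(name, intf.get("allowaccess", []))]
        for idx, sec in intf.get("secondaryip", {}).items():
            scopes.append((f"{name} secondaryip {idx}", sec.get("allowaccess", [])))
        for label, access in scopes:
            access = set(access)
            extra = sorted(access - WAN_ALLOWED)
            if role == "wan" and extra:
                findings.append(f"{label}: role wan exposes {extra}")
            if "http" in access:
                findings.append(f"{label}: cleartext http admin access enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_access(parse_fortios_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```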

Aggregation and redundancy

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated
(combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred
automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.
This feature is similar to redundant interfaces. The major difference is a redundant interface group only uses one link at a
time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).
An interface is available to be an aggregate interface if:
- It is a physical interface and not a VLAN interface or subinterface.
- It is not already part of an aggregate or redundant interface.
- It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
- It does not have an IP address and is not configured for DHCP or PPPoE.
- It is not referenced in any security policy, VIP, IP Pool, or multicast policy.
- It is not an HA heartbeat interface.
- It is not one of the FortiGate-5000 series backplane interfaces.
When an interface is included in an aggregate interface, it is not listed on the Network > Interfaces page. Interfaces still
appear in the CLI, although configuration for those interfaces does not take effect. You cannot configure the interface
individually and it is not available for inclusion in security policies, VIPs, IP pools, or routing.


Sample configuration

This example creates an aggregate interface on a FortiGate-140D POE using ports 3-5 with an internal IP address of
10.1.1.123, and administrative access over HTTPS and SSH.

To create an aggregate interface using the GUI:

1. Go to Network > Interfaces and select Create New > Interface.
2. For Interface Name, enter Aggregate.
3. For the Type, select 802.3ad Aggregate.
4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
5. For Addressing mode, select Manual.
6. For the IP address for the port, enter 10.1.1.123/24.
7. For Administrative Access, select HTTPS and SSH.
8. Select OK.

To create an aggregate interface using the CLI:

FG140P3G15800330 (aggregate) # show
config system interface
    edit "aggregate"
        set vdom "root"
        set ip 10.1.1.123 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm radius-acct capwap ftm
        set type aggregate
        set member "port3" "port4" "port5"
        set device-identification enable
        set lldp-transmission enable
        set fortiheartbeat enable
        set role lan
        set snmp-index 45
    next
end

Redundancy

In a redundant interface, traffic only goes over one interface at any time. This differs from an aggregated interface where
traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have more
robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.
An interface is available to be in a redundant interface if:
- It is a physical interface and not a VLAN interface.
- It is not already part of an aggregated or redundant interface.
- It is in the same VDOM as the redundant interface.
- It does not have an IP address and is not configured for DHCP or PPPoE.
- It has no DHCP server or relay configured on it.
- It does not have any VLAN subinterfaces.
- It is not referenced in any security policy, VIP, or multicast policy.
- It is not monitored by HA.
- It is not one of the FortiGate-5000 series backplane interfaces.


When an interface is included in a redundant interface, it is not listed on the Network > Interfaces page. You cannot
configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.

Sample configuration

To create a redundant interface using the GUI:

1. Go to Network > Interfaces and select Create New > Interface.
2. For Interface Name, enter Redundant.
3. For the Type, select Redundant Interface.
4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
5. For Addressing mode, select Manual.
6. For the IP address for the port, enter 10.13.101.100/24.
7. For Administrative Access, select HTTPS and SSH.
8. Select OK.

To create a redundant interface using the CLI:

config system interface
    edit "red"
        set vdom "root"
        set ip 10.13.101.100 255.255.255.0
        set allowaccess https http
        set type redundant
        set member "port4" "port5" "port6"
        set device-identification enable
        set role lan
        set snmp-index 9
    next
end

VLANs

Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit and can also provide added network
security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller
domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network
security.

VLANs in NAT mode

In NAT mode, the FortiGate unit functions as a layer-3 device. In this mode, the FortiGate unit controls the flow of
packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also
forward untagged packets to other networks such as the Internet.
In NAT mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches or routers. The trunk
link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN subinterfaces to the
FortiGate's physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate
unit directs packets with VLAN IDs to subinterfaces with matching IDs.


You can define VLAN subinterfaces on all FortiGate physical interfaces. However, if multiple virtual domains are
configured on the FortiGate unit, you only have access to the physical interfaces on your virtual domain. The FortiGate
unit can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a
different VLAN tag to outgoing packets.
Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a VLAN trunk, and the external
interface connects to an Internet router that is not configured for VLANs. In this configuration, the FortiGate unit can
apply different policies for traffic on each VLAN interface connected to the internal interface, which results in less
network traffic and better security.

Sample topology

In this example, two different internal VLAN networks share one interface on the FortiGate unit and share the connection
to the Internet. This example shows that two networks can have separate traffic streams while sharing a single interface.
This configuration can apply to two departments in a single company or to different companies.
There are two different internal network VLANs in this example. VLAN_100 is on the 10.1.1.0/255.255.255.0 subnet, and
VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet. These VLANs are connected to the VLAN switch.
The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk. The internal interface has an IP
address of 192.168.110.126 and is configured with two VLAN subinterfaces (VLAN_100 and VLAN_200). The external
interface has an IP address of 172.16.21.2 and connects to the Internet. The external interface has no VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN ID tags and forwards the
packets of each VLAN both to local ports and to the FortiGate unit across the trunk link. The FortiGate unit has policies
that allow traffic to flow between the VLANs, and from the VLANs to the external network.

Sample configuration

In this example, both the FortiGate unit and the Cisco 2950 switch are installed and connected and basic configuration
has been completed. On the switch, you need access to the CLI to enter commands. No VDOMs are enabled in this
example.
General configuration steps include:
1. Configure the external interface.
2. Add two VLAN subinterfaces to the internal network interface.
3. Add firewall addresses and address ranges for the internal and external networks.
4. Add security policies to allow:
   - the VLAN networks to access each other.
   - the VLAN networks to access the external network.

To configure the external interface:

config system interface
    edit external
        set mode static
        set ip 172.16.21.2 255.255.255.0
end

To add VLAN subinterfaces:

config system interface
    edit VLAN_100
        set vdom root
        set interface internal
        set type vlan
        set vlanid 100
        set mode static
        set ip 10.1.1.1 255.255.255.0
        set allowaccess https ping
    next
    edit VLAN_200
        set vdom root
        set interface internal
        set type vlan
        set vlanid 200
        set mode static
        set ip 10.1.2.1 255.255.255.0
        set allowaccess https ping
end

To add the firewall addresses:

config firewall address
    edit VLAN_100_Net
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
        set type ipmask
        set subnet 10.1.2.0 255.255.255.0
end


To add security policies:

Policies 1 and 2 do not need NAT enabled, but policies 3 and 4 do need NAT enabled.

config firewall policy
    edit 1
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf VLAN_200
        set dstaddr VLAN_200_Net
        set schedule always
        set service ALL
        set action accept
        set nat disable
        set status enable
    next
    edit 2
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf VLAN_100
        set dstaddr VLAN_100_Net
        set schedule always
        set service ALL
        set action accept
        set nat disable
        set status enable
    next
    edit 3
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set status enable
    next
    edit 4
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set status enable
end

VLANs in transparent mode

In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide services such as antivirus
scanning, web filtering, spam filtering, and intrusion protection to traffic. Some limitations of transparent mode are that
you cannot use SSL VPN, PPTP/L2TP VPN, or a DHCP server, or easily perform NAT on traffic. The limits in transparent mode
apply to IEEE 802.1Q VLAN trunks passing through the unit.
You can insert the FortiGate unit operating in transparent mode into the VLAN trunk without making changes to your
network. In a typical configuration, the FortiGate unit internal interface accepts VLAN packets on a VLAN trunk from a
VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN-tagged
packets through another VLAN trunk to an external VLAN switch or router and on to external networks such as the
Internet. You can configure the unit to apply different policies for traffic on each VLAN in the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one to the
internal interface and the other to the external interface. You then create a security policy to permit packets to flow from
the internal VLAN interface to the external VLAN interface. If required, create another security policy to permit packets to
flow from the external VLAN interface to the internal VLAN interface. Typically in transparent mode, you do not permit
packets to move between different VLANs. Network protection features such as spam filtering, web filtering, and anti-
virus scanning, are applied through the UTM profiles specified in each security policy, enabling very detailed control over
traffic.
When the FortiGate unit receives a VLAN-tagged packet on a physical interface, it directs the packet to the VLAN
subinterface with the matching VLAN ID. The VLAN tag is removed from the packet and the FortiGate unit then applies
security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a
VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding
physical interface.

Sample topology

In this example, the FortiGate unit is operating in transparent mode and is configured with two VLANs: one with an ID of
100 and the other with ID 200. The internal and external physical interfaces each have two VLAN subinterfaces, one for
VLAN_100 and one for VLAN_200.
The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal VLAN_200 network is
10.200.0.0/255.255.0.0.
The internal networks are connected to a Cisco 2950 VLAN switch, which combines traffic from the two VLANs onto one
trunk connected to the FortiGate unit's internal interface. The VLAN traffic leaves the FortiGate unit on the external
network interface, goes on to the VLAN switch, and on to the Internet. When the FortiGate unit receives a tagged packet,
it directs it from the incoming VLAN subinterface to the outgoing VLAN subinterface for that VLAN.
In this example, we create a VLAN subinterface on the internal interface and another one on the external interface, both
with the same VLAN ID. Then we create security policies that allow packets to travel between the VLAN_100_int
interface and the VLAN_100_ext interface. Two policies are required: one for each direction of traffic. The same is
required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four security policies.

Sample configuration

There are two main steps to configure your FortiGate unit to work with VLANs in transparent mode:
1. Add VLAN subinterfaces.
2. Add security policies.
You can also configure the protection profiles that manage antivirus scanning, web filtering, and spam filtering.

To add VLAN subinterfaces:

config system interface
edit VLAN_100_int
set type vlan
set interface internal
set vlanid 100
next
edit VLAN_100_ext
set type vlan
set interface external
set vlanid 100
next
edit VLAN_200_int
set type vlan
set interface internal
set vlanid 200
next
edit VLAN_200_ext
set type vlan
set interface external
set vlanid 200
end

To add security policies:

config firewall policy
edit 1
set srcintf VLAN_100_int
set srcaddr all
set dstintf VLAN_100_ext
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 2
set srcintf VLAN_100_ext
set srcaddr all
set dstintf VLAN_100_int
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 3
set srcintf VLAN_200_int
set srcaddr all
set dstintf VLAN_200_ext
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 4
set srcintf VLAN_200_ext
set srcaddr all
set dstintf VLAN_200_int
set dstaddr all
set action accept
set schedule always
set service ALL
end

Enhanced MAC VLANs

The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows you to configure multiple
virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.
FortiGate implements an enhanced MAC VLAN consisting of a MAC VLAN with bridge functionality. Because each MAC
VLAN has a unique MAC address, virtual IP addresses (VIPs) and IP pools are supported, and you can disable Source
Network Address Translation (SNAT) in policies.
MAC VLAN cannot be used in a transparent mode virtual domain (VDOM). In a transparent mode VDOM, a packet
leaves an interface with the MAC address of the original source instead of the interface’s MAC address. FortiGate
implements an enhanced version of MAC VLAN where it adds a MAC table in the MAC VLAN which learns the MAC
addresses when traffic passes through.

If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a
packet is sent to this interface, a VLAN tag is inserted in the packet and the packet is sent to the driver of the underlying
interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to
this enhanced MAC VLAN interface.

When using a VLAN ID, the ID and the underlying interface must be a unique pair, even if they belong to different
VDOMs. This is because the underlying, physical interface uses the VLAN ID as the identifier to dispatch traffic among
the VLAN and enhanced MAC VLAN interfaces.

If you use an interface in an enhanced MAC VLAN, do not use it for other purposes such as a management interface, HA
heartbeat interface, or in Transparent VDOMs.
If a physical interface is used by an EMAC VLAN interface, you cannot use it in a Virtual Wire Pair.
In high availability (HA) configurations, enhanced MAC VLAN is treated as a physical interface. It’s assigned a unique
physical interface ID and the MAC table is synchronized with the secondary devices in the same HA cluster.

In HA configurations, FortiGate assigns a virtual MAC to each interface. Virtual interfaces, such as EMAC VLAN
interfaces with an underlying NPU VLINK interface, are an exception and do not get assigned virtual MAC addresses.

Example 1: Enhanced MAC VLAN configuration for multiple VDOMs that use the same
interface or VLAN

In this example, a FortiGate connects through port 1 to a router that provides Internet access. Three VDOMs share that
interface (port 1), so three enhanced MAC VLAN interfaces are configured on port 1, one for each VDOM. The enhanced
MAC VLAN interfaces are in the same IP subnet and each has a unique MAC address.
The underlying interface (port 1) can be a physical interface, an aggregate interface, or a VLAN interface on a physical or
aggregate interface.

To configure enhanced MAC VLAN for this example in the CLI:

config system interface
edit port1.emacvlan1
set vdom VDOM1
set type emac-vlan
set interface port1
next
edit port1.emacvlan2
set vdom VDOM2
set type emac-vlan
set interface port1
next
edit port1.emacvlan3
set vdom VDOM3
set type emac-vlan
set interface port1
next
end

Example 2: Enhanced MAC VLAN configuration for shared VDOM links among multiple
VDOMs

In this example, multiple VDOMs can connect to each other using enhanced MAC VLAN on network processing unit
(NPU) virtual link (Vlink) interfaces.
FortiGate VDOM links (NPU-Vlink) are designed to be peer-to-peer connections and VLAN interfaces on NPU Vlink
ports use the same MAC address. Connecting more than two VDOMs using NPU Vlinks and VLAN interfaces is not
recommended.

To configure enhanced MAC VLAN for this example in the CLI:

config system interface
edit npu0_vlink0.emacvlan1
set vdom VDOM1
set type emac-vlan
set interface npu0_vlink0
next
edit npu0_vlink0.emacvlan2
set vdom VDOM3
set type emac-vlan
set interface npu0_vlink0
next
edit npu0_vlink1.emacvlan1
set vdom VDOM2
set type emac-vlan
set interface npu0_vlink1
next
end

Example 3: Enhanced MAC VLAN configuration for unique MAC addresses for each
VLAN interface on the same physical port

Some networks require a unique MAC address for each VLAN interface when the VLAN interfaces share the same
physical port. In this case, the enhanced MAC VLAN interface is used the same way as normal VLAN interfaces.
To configure this, use the set vlanid command for the VLAN tag. The VLAN ID and interface must be a unique pair,
even if they belong to different VDOMs.

To configure enhanced MAC VLAN:

config system interface
edit <interface-name>
set type emac-vlan
set vlanid <VLAN-ID>
set interface <physical-interface>
next
end

FortiGate supports a maximum of 512 EMAC VLAN interfaces per underlying interface, and a
maximum of 600 MAC addresses including EMAC VLAN interfaces.
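Two configuration rules on this page are easy to get wrong by hand: the transparent-mode VLAN pass-through described earlier (each VLAN ID needs a subinterface on both trunk ports and an accept policy in each direction between them), and the rule in Example 3 that the (underlying interface, VLAN ID) pair must be unique across VLAN and EMAC VLAN interfaces, even when they sit in different VDOMs. The following is an added example, not Fortinet code: a small Python parser for the config/edit/set/next/end grammar used throughout this guide, plus two checks over the parsed tables. The sample config is constructed for the example: the VLAN_100_int/VLAN_100_ext pair from the transparent-mode section with its return policy deliberately left out, and two hypothetical EMAC VLANs, port1.emacvlan1 in VDOM1 and port1.emacvlan2 in VDOM2, that both set VLAN ID 10 on port1.

```python
import shlex
from collections import defaultdict

def parse_fortios(text):
    """FortiOS CLI text -> {table_path: {entry: {key: [values]}}}.
    A table nested inside an entry gets the path 'table/entry/subtable'."""
    tables = defaultdict(dict)
    stack = []                                  # [table_path, current_entry]
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            path = " ".join(args)
            if stack and stack[-1][1] is not None:
                path = f"{stack[-1][0]}/{stack[-1][1]}/{path}"
            stack.append([path, None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            tables[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            path, entry = stack[-1]
            tables[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return tables

def check_transparent_vlans(tables, internal="internal", external="external"):
    """Per VLAN ID: one subinterface on each trunk port, accept policies both ways."""
    by_vlan = defaultdict(dict)                 # vlanid -> {parent port: subinterface}
    for name, attrs in tables.get("system interface", {}).items():
        if attrs.get("type") == ["vlan"]:
            by_vlan[attrs["vlanid"][0]][attrs["interface"][0]] = name
    allowed = {(s, d) for pol in tables.get("firewall policy", {}).values()
               if pol.get("action") == ["accept"]
               for s in pol.get("srcintf", []) for d in pol.get("dstintf", [])}
    findings = []
    for vid, ends in sorted(by_vlan.items(), key=lambda kv: int(kv[0])):
        if internal not in ends or external not in ends:
            findings.append(f"VLAN {vid}: only on {sorted(ends)}, need {internal} and {external}")
        else:
            for src, dst in ((ends[internal], ends[external]), (ends[external], ends[internal])):
                if (src, dst) not in allowed:
                    findings.append(f"VLAN {vid}: no accept policy {src} -> {dst}")
    return findings

def check_vlan_id_pairs(tables):
    """(parent interface, VLAN ID) must be unique across VLAN and EMAC VLAN
    interfaces, even across VDOMs; untagged EMAC VLANs have no ID to collide on."""
    seen, findings = {}, []
    for name, attrs in tables.get("system interface", {}).items():
        if attrs.get("type", [""])[0] not in ("vlan", "emac-vlan") or "vlanid" not in attrs:
            continue
        key = (attrs["interface"][0], attrs["vlanid"][0])
        if key in seen:
            findings.append(f"{name} reuses VLAN {key[1]} on {key[0]} (taken by {seen[key]})")
        else:
            seen[key] = name
    return findings

# Constructed sample: the page's VLAN 100 pair with its return policy left out,
# plus two hypothetical EMAC VLANs in different VDOMs that both tag 10 on port1.
SAMPLE = """
config system interface
    edit VLAN_100_int
        set type vlan
        set interface internal
        set vlanid 100
    next
    edit VLAN_100_ext
        set type vlan
        set interface external
        set vlanid 100
    next
    edit port1.emacvlan1
        set vdom VDOM1
        set type emac-vlan
        set interface port1
        set vlanid 10
    next
    edit port1.emacvlan2
        set vdom VDOM2
        set type emac-vlan
        set interface port1
        set vlanid 10
    next
end
config firewall policy
    edit 1
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set action accept
    next
end
"""
```

Run `check_transparent_vlans(parse_fortios(cfg))` and `check_vlan_id_pairs(parse_fortios(cfg))` on a config export in the same syntax; both return an empty list for a clean configuration. On the sample they report the missing VLAN_100_ext to VLAN_100_int policy and the duplicate (port1, 10) pair. EMAC VLANs without a vlanid, as in Examples 1 and 2, are skipped by the second check because they do not compete for a tag on the parent interface.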

Inter-VDOM routing

VDOM links allow VDOMs to communicate internally without using additional physical interfaces.
Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual interfaces that connect VDOMs. A
VDOM link contains a pair of interfaces, each one connected to a VDOM and forming either end of the inter-VDOM
connection.
When VDOMs are configured on your FortiGate unit, configuring inter-VDOM routing and VDOM links is like creating a
VLAN interface. VDOM links can be managed in either the CLI or in the network interface list in the GUI.

A VDOM link cannot share the same name as a VDOM.

VDOM link does not support traffic offload. If you want to use traffic offload, use NPU-VDOM-LINK.

To configure a VDOM link in the GUI:

1. In the Global VDOM, go to Network > Interfaces.
2. Click Create New > VDOM Link.
3. Configure the fields, including the Name, Virtual Domain, IP information, Administrative Access, and others, then
click OK.

By default, VDOM links are created as point-to-point (ppp) links. If required, the link type can
be changed in the CLI.
For example, when running OSPF in IPv6, a link-local address is required in order to
communicate with OSPF neighbors. For a VDOM link to obtain a link-local address its type
must be set to ethernet.

To configure a VDOM link in the CLI:

config global
config system vdom-link
edit "<vdom-link-name>"
set type {ppp | ethernet}
next
end
config system interface
edit "<vdom-link-name0>"
set vdom "<VDOM Name>"
set type vdom-link
next
edit "<vdom-link-name1>"
set vdom "<VDOM Name>"
set type vdom-link
next
end
end

To delete a VDOM link in the GUI:

1. In the Global VDOM, go to Network > Interfaces.
2. Select a VDOM Link and click Delete.

To delete a VDOM link in the CLI:

config global
config system vdom-link
delete <VDOM-LINK-Name>
end
end

Example

This example shows how to configure a FortiGate unit to use inter-VDOM routing.
Two departments of a company, Accounting and Sales, are connected to one FortiGate. The company uses a single ISP
to connect to the Internet.
This example includes the following general steps. We recommend following the steps in the order below.

Create the VDOMs

To enable VDOMs:

config system global
set vdom-mode multi-vdom
end

You will be logged out of the device when VDOM mode is enabled.

To create the Sales and Accounting VDOMs:

config global
config vdom
edit Accounting
next
edit Sales
next
end
end

Configure the physical interfaces

Next, configure the physical interfaces. This example uses three interfaces on the FortiGate unit: port2 (internal), port3
(DMZ), and port1 (external). Port2 and port3 interfaces each have a department’s network connected. Port1 is for all
traffic to and from the Internet and uses DHCP to configure its IP address, which is common with many ISPs.

To configure the interfaces:

config global
config system interface
edit port2
set alias AccountingLocal
set vdom Accounting
set mode static
set ip 172.100.1.1 255.255.0.0
set allowaccess https ping ssh
set description "The accounting dept internal interface"
next
edit port3
set alias SalesLocal
set vdom Sales
set mode static
set ip 192.168.1.1 255.255.0.0
set allowaccess https ping ssh
set description "The sales dept. internal interface"
next
edit port1
set alias ManagementExternal
set vdom root
set mode dhcp
set allowaccess https ssh snmp
set description "The system wide management interface."
next
end
end

Configure the VDOM links

To complete the connection between each VDOM and the management VDOM, add the two VDOM links. One pair is the
Accounting – management link and the other is the Sales – management link.
When configuring inter-VDOM links, you do not have to assign IP addresses to the links unless you are using advanced
features such as dynamic routing that require them. Not assigning IP addresses results in faster configuration and more
available IP addresses on your networks.

To configure the Accounting and management VDOM link:

config global
config system vdom-link
edit AccountVlnk
next
end
config system interface
edit AccountVlnk0
set vdom Accounting
set ip 11.11.11.2 255.255.255.0
set allowaccess https ping ssh
set description "Accounting side of the VDOM link"
next
edit AccountVlnk1
set vdom root
set ip 11.11.11.1 255.255.255.0
set allowaccess https ping ssh
set description "Management side of the VDOM link"
next
end
end

To configure the Sales and management VDOM link:

config global
config system vdom-link
edit SalesVlnk
next
end
config system interface
edit SalesVlnk0
set vdom Sales
set ip 12.12.12.2 255.255.255.0
set allowaccess https ping ssh
set description "Sales side of the VDOM link"
next
edit SalesVlnk1
set vdom root
set ip 12.12.12.1 255.255.255.0
set allowaccess https ping ssh
set description "Management side of the VDOM link"
next
end
end

Configure the firewall and security profile

With the VDOMs, physical interfaces, and VDOM links configured, the firewall must now be configured to allow the
proper traffic. Firewalls are configured per-VDOM, and firewall objects and routes must be created for each VDOM
separately.

To configure the firewall policies from AccountingLocal to Internet:

config vdom
edit Accounting
config firewall policy
edit 1
set name "Accounting-Local-to-Management"
set srcintf port2
set dstintf AccountVlnk0
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
edit root
config firewall policy
edit 2
set name "Accounting-VDOM-to-Internet"
set srcintf AccountVlnk1
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
end

To configure the firewall policies from SalesLocal to the Internet:

config vdom
edit Sales
config firewall policy
edit 3
set name "Sales-local-to-Management"
set srcintf port3
set dstintf SalesVlnk0
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
edit root
config firewall policy
edit 4
set name "Sales-VDOM-to-Internet"
set srcintf SalesVlnk1
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
end

Test the configuration

When the inter-VDOM routing has been configured, test the configuration to confirm proper operation. Testing
connectivity ensures that physical networking connections, FortiGate unit interface configurations, and firewall policies
are properly configured.
The easiest way to test connectivity is to use the ping and traceroute commands to confirm the connectivity of
different routes on the network.
Test both from AccountingLocal to the internet and from SalesLocal to the internet.

Software switch

A software switch is a virtual switch that is implemented at the software or firmware level and not at the hardware level. A
software switch can be used to simplify communication between devices connected to different FortiGate interfaces. For
example, using a software switch, you can place the FortiGate interface connected to an internal network on the same
subnet as your wireless interfaces. Then devices on the internal network can communicate with devices on the wireless
network without any additional configuration on the FortiGate unit, such as additional security policies.
A software switch can also be useful if you require more hardware ports for the switch on a FortiGate unit. For example, if
your FortiGate unit has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and you need one more port, you can create
a soft switch that can include the four-port switch and the DMZ interface, all on the same subnet. These types of
applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces such as those in
FortiWiFi and FortiAP units.
Similar to a hardware switch, a software switch functions like a single interface. It has one IP address and all the
interfaces in the software switch are on the same subnet. Traffic between devices connected to each interface is not
regulated by security policies, and traffic passing in and out of the switch is controlled by the same policy.
When setting up a software switch, consider the following:
- Ensure that you have a backup of the configuration.
- Ensure that you have at least one port or connection, such as the console port, to connect to the FortiGate unit. If
  you accidentally combine too many ports, you need a way to undo errors.
- The ports that you include must not have any link or relation to any other aspect of the FortiGate unit, such as DHCP
  servers, security policies, and so on.
- For increased security, you can create a captive portal for the switch to allow only specific user groups access to the
  resources connected to the switch.
Some of the differences between software and hardware switches are:

Feature               Software switch                                    Hardware switch
Processing            Packets are processed in software by the CPU.      Packets are processed in hardware by the
                                                                         hardware switch controller, or SPU where
                                                                         applicable.
STP                   Not supported                                      Supported
Wireless SSIDs        Supported                                          Not supported
Intra-switch traffic  Allowed by default. Can be explicitly set to       Allowed by default.
                      require a policy.

To create a software switch in the GUI:

1. Go to Network > Interfaces.
2. Click Create New > Interface.
3. Set Type to Software Switch.
4. Configure the Name, Interface members, and other fields as required.
To add an interface to a software switch, it cannot be referenced by an existing configuration and its IP address
must be set to 0.0.0.0/0.0.0.0.
5. Click OK.

To create a software switch in the CLI:

config system switch-interface
edit <interface>
set vdom <vdom>
set member <interface_list>
set type switch
next
end
config system interface
edit <interface>
set vdom <vdom>
set type switch
set ip <ip_address>
set allowaccess https ssh ping
next
end

To add an interface to a software switch, it cannot be referenced by an existing configuration and its IP address must be
set to 0.0.0.0/0.0.0.0.

Example

For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate
wireless synchronizing between an iPhone and a local computer. Because synchronizing across two subnets is
problematic, putting both interfaces on the same subnet allows the synchronizing to work. The software switch
accomplishes this.
1. Clear the interfaces and back up the configuration:
a. Ensure the interfaces are not used for other security policy or for other use on the FortiGate unit.
b. Check the WiFi and DMZ1 ports to ensure that DHCP is not enabled and that there are no other dependencies
on these interfaces.
c. Save the current configuration so that it can be recovered if something goes wrong.
2. Merge the WiFi port and DMZ1 port to create a software switch named synchro with an IP address of 10.10.21.12
and administrative access for HTTPS, SSH and PING:
config system switch-interface
edit synchro
set vdom "root"
set type switch
set member dmz1 wifi
next
end
config system interface
edit synchro
set ip 10.10.21.12 255.255.255.0
set allowaccess https ssh ping
next
end

After the switch is set up, you add security policies, DHCP servers, and any other settings that are required.

Hardware switch

A hardware switch is a virtual switch interface that groups different ports together so that the FortiGate can use the group
as a single interface. Supported FortiGate models have a default hardware switch called either internal or lan. The
hardware switch is supported by the chipset at the hardware level.
Ports that are connected to the same hardware switch behave like they are on the same physical switch in the same
broadcast domain. Ports can be removed from a hardware switch and assigned to another switch or used as standalone
interfaces.
Some of the differences between hardware and software switches are:

Feature               Hardware switch                                    Software switch
Processing            Packets are processed in hardware by the           Packets are processed in software by the CPU.
                      hardware switch controller, or SPU where
                      applicable.
STP                   Supported                                          Not supported
Wireless SSIDs        Not supported                                      Supported
Intra-switch traffic  Allowed by default.                                Allowed by default. Can be explicitly set to
                                                                         require a policy.

To change the ports in a hardware switch in the GUI:

1. Go to Network > Interfaces and edit the hardware switch.
2. Click inside the Interface members field.

3. Select interfaces to add or remove them from the hardware switch, then click Close.
To add an interface to a hardware switch, it cannot be referenced by an existing configuration and its IP address
must be set to 0.0.0.0/0.0.0.0.
4. Click OK.
Removed interfaces will now be listed as standalone interfaces in the Physical Interface section.

To remove ports from a hardware switch in the CLI:

config system virtual-switch
edit "internal"
config port
delete internal2
delete internal5
...
end
next
end

To add ports to a hardware switch in the CLI:

config system virtual-switch
edit "internal"
set physical-switch "sw0"
config port
edit "internal1"
next
edit "internal3"
next
edit "internal4"
next
edit "internal6"
next
end
next
end

To add an interface to a hardware switch, it cannot be referenced by an existing configuration and its IP address must be
set to 0.0.0.0/0.0.0.0.

Using 802.1X on virtual switches for certain NP6 platforms

802.1X is supported under the hardware switch interface on the following NP6 platforms: FG-30xE, FG-40xE, and FG-110xE.
In this example, port3 and port4 are part of a hardware switch interface. The hardware switch acts as a virtual switch so
that devices can connect directly to these ports and perform 802.1X authentication on the port.

Prerequisites:

1. Configure a RADIUS server (see RADIUS servers on page 1970).
2. Define a user group named test to use the remote RADIUS server and for 802.1X authentication (see User
definition and groups on page 1950).
3. Configure a hardware switch (named 18188) with port3 and port4 as the members.
4. Configure a firewall policy that allows traffic from the 18188 hardware switch to go to the internet.
5. Enable 802.1X authentication on the client devices.

To configure 802.1X authentication on a hardware switch in the GUI:

1. Go to Network > Interfaces and edit the hardware switch.
2. In the Network section, enable Security mode and select 802.1X.
3. Click the + to add the User group.
4. Click OK.

To configure 802.1X authentication on a hardware switch in the CLI:

1. Configure the virtual hardware switch interfaces:
config system virtual-switch
edit "18188"
set physical-switch "sw0"
config port
edit "port3"
next
edit "port4"
next
end
next
end

2. Configure 802.1X authentication:
config system interface
edit "18188"
set vdom "vdom1"
set ip 1.1.1.1 255.255.255.0
set allowaccess ping https ssh snmp fgfm ftm
set type hard-switch
set security-mode 802.1X
set security-groups "test"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 52
next
end

To verify that the 802.1X authentication was successful:

1. Get a client connected to port3 to authenticate to access the internet.
2. In FortiOS, verify the 802.1X authentication port status:
# diagnose sys 802-1x status

Virtual switch '18188' (default mode) 802.1x member status:
port3: Link up, 802.1X state: authorized
port4: Link up, 802.1X state: unauthorized
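The status output is what you would poll from a monitoring job to confirm that every port carrying link has actually authenticated. As an added example, not Fortinet code, the following Python turns the diagnose output into structured data and lists the ports that have link but no authorized supplicant. The sample text is constructed in the shape shown above; the port5 line is added to show that a link-down port is not reported.

```python
import re

SWITCH_RE = re.compile(r"^Virtual switch '(?P<switch>[^']+)'")
PORT_RE = re.compile(r"^(?P<port>\S+): Link (?P<link>up|down), 802\.1X state: (?P<state>\w+)$")

def parse_dot1x_status(text):
    """Turn 'diagnose sys 802-1x status' output into {switch: {port: (link, state)}}."""
    status, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sw = SWITCH_RE.match(line)
        if sw:
            current = status.setdefault(sw["switch"], {})
            continue
        port = PORT_RE.match(line)
        if port and current is not None:
            current[port["port"]] = (port["link"], port["state"])
    return status

def unauthorized_live_ports(status):
    """Ports that carry link but have not completed 802.1X: something is plugged
    in and is being kept off the network. Returned as sorted 'switch/port' strings."""
    return sorted(f"{sw}/{port}" for sw, ports in status.items()
                  for port, (link, state) in ports.items()
                  if link == "up" and state != "authorized")

# Constructed sample in the shape shown above; port5 is added to show a link-down port.
SAMPLE_STATUS = """\
Virtual switch '18188' (default mode) 802.1x member status:

port3: Link up, 802.1X state: authorized
port4: Link up, 802.1X state: unauthorized
port5: Link down, 802.1X state: unauthorized
"""
```

On the sample, `unauthorized_live_ports(parse_dot1x_status(SAMPLE_STATUS))` returns only 18188/port4. A port that stays in that list after the client has had time to authenticate is either a supplicant or RADIUS problem, or a device that should not be on that port at all.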

Zone

Zones are groups of one or more physical or virtual FortiGate interfaces to which you can apply security policies to
control inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies the creation of
security policies where a number of network segments can use the same policy settings and protection profiles.
When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each interface
still has its own address. Routing is still done between interfaces, that is, routing is not affected by zones. You can use
security policies to control the flow of intra-zone traffic.
For example, in the sample configuration below, the network includes three separate groups of users representing
different entities on the company network. While each group has its own set of ports and VLANs in each area, they can
all use the same security policy and protection profiles to access the Internet. Rather than making nine separate security
policies, the administrator can simplify administration by adding the required interfaces to a zone and creating three
policies.

Sample configuration

You can configure policies for connections to and from a zone but not between interfaces in a zone. For this example,
you can create a security policy to go between zone 1 and zone 3, but not between WAN2 and WAN1, or WAN1 and
DMZ1.

To create a zone in the GUI:

1. Go to Network > Interfaces.

If VDOMs are enabled, go to the VDOM to create a zone.

2. Click Create New > Zone.
3. Configure the Name and add the Interface Members.

To configure a zone to include the internal interface and a VLAN using the CLI:

config system zone
edit Zone_1
set interface internal VLAN_1
set intrazone {deny | allow}
next
end

Using zone in a firewall policy

To configure a firewall policy that allows any interface in the zone to access the Internet using the CLI:

config firewall policy
edit 2
set name "2"
set srcintf "Zone_1"
set dstintf "port15"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

Intra-zone traffic

In the zone configuration you can set intrazone deny to prohibit the different interfaces in the same zone from talking
to each other.
For example, suppose you have ten interfaces in your zone and the intrazone setting is deny. You now want to allow traffic
between a very small number of networks on different interfaces that are part of the zone, but you do not want to disable
the intra-zone blocking.
In this example, the zone VLANs are defined as: 192.168.1.0/24, 192.168.2.0/24, ... 192.168.10.0/24.
The following policy allows traffic from 192.168.1.x to 192.168.2.x even though they are in the same zone and intra-zone
blocking is enabled. The intra-zone blocking acts as a default deny rule and you have to specifically override it by
creating a policy within the zone.

To enable intra-zone traffic, create the following policy:

Source Interface       Zone name, e.g., Vlans
Source Address         192.168.1.0/24
Destination Interface  Zone name (same as Source Interface, i.e., Vlans)
Destination Address    192.168.2.0/24
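An added example, not FortiOS code: a small Python model of how a new session is matched against the zone policies described in this section, under the assumption that explicit policies are tried in order first and the zone's intrazone setting is only the fallback when no policy matches. The zone name Vlans, members VLAN_1 to VLAN_10 with 192.168.N.0/24 on VLAN_N, the override policy, the Internet policy to port15, and the use of CIDR strings in place of named address objects are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    interfaces: frozenset       # member interfaces and VLAN subinterfaces
    intrazone: str = "deny"     # value given to 'set intrazone {deny | allow}'

@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str                # an interface name or a zone name
    dstintf: str
    srcaddr: str = "all"        # "all" or a CIDR (real policies use address objects)
    dstaddr: str = "all"
    action: str = "accept"

def _addr_match(spec, ip):
    return spec == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _zone_of(zones, iface):
    return next((z for z in zones if iface in z.interfaces), None)

def lookup(zones, policies, in_iface, out_iface, src_ip, dst_ip):
    """Decide a new session: explicit policies are tried in order (a policy
    naming a zone matches any of its member interfaces); if none matches and
    both interfaces sit in the same zone, the zone's intrazone setting decides;
    otherwise the implicit deny applies. Returns (action, reason)."""
    src_zone, dst_zone = _zone_of(zones, in_iface), _zone_of(zones, out_iface)
    src_names = {in_iface} | ({src_zone.name} if src_zone else set())
    dst_names = {out_iface} | ({dst_zone.name} if dst_zone else set())
    for pol in policies:
        if (pol.srcintf in src_names and pol.dstintf in dst_names
                and _addr_match(pol.srcaddr, src_ip) and _addr_match(pol.dstaddr, dst_ip)):
            return pol.action, f"policy {pol.name}"
    if src_zone is not None and src_zone == dst_zone:
        if src_zone.intrazone == "allow":
            return "accept", f"intrazone allow in {src_zone.name}"
        return "deny", f"intrazone deny in {src_zone.name}"
    return "deny", "implicit deny"

# Constructed sample: VLAN_1..VLAN_10 (192.168.N.0/24 on VLAN_N) grouped in zone
# 'Vlans' with intra-zone blocking on, one override policy, one Internet policy.
ZONES = [Zone("Vlans", frozenset(f"VLAN_{n}" for n in range(1, 11)), "deny")]
POLICIES = [
    Policy("vlan1-to-vlan2", "Vlans", "Vlans", "192.168.1.0/24", "192.168.2.0/24"),
    Policy("Vlans-to-Internet", "Vlans", "port15"),
]

if __name__ == "__main__":
    for flow in (("VLAN_1", "VLAN_2", "192.168.1.5", "192.168.2.7"),
                 ("VLAN_2", "VLAN_1", "192.168.2.7", "192.168.1.5"),
                 ("VLAN_7", "port15", "192.168.7.9", "203.0.113.10")):
        print(flow, "->", lookup(ZONES, POLICIES, *flow))
```

The reverse direction, a new session from 192.168.2.x to 192.168.1.x, is still denied by the intra-zone block: policies are matched on the packet that opens a session, and replies to an already accepted session are handled by the session table, not by a second policy. If sessions must also be initiated from 192.168.2.x, add a second override policy with the addresses swapped.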

Virtual Wire Pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode
VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a
virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual
wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.
Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port
pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the
request’s MAC address pair.

Example

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate
operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the
ISFW over the virtual wire pair.

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before
creating a virtual wire pair, make sure you have a different port configured to allow admin
access using your preferred protocol.

To add a virtual wire pair using the CLI:

config system virtual-wire-pair
edit "VWP-name"
set member "port3" "port4"
set wildcard-vlan disable
next
end

To add a virtual wire pair using the GUI:

1. Go to Network > Interfaces.
2. Click Create New > Virtual Wire Pair.
3. Select the Interface Members to add to the virtual wire pair.
These interfaces cannot be part of a switch, such as the default LAN/internal interface.
4. If required, enable Wildcard VLAN and set the VLAN Filter.
5. Click OK.

To create a virtual wire pair policy using the CLI:

config firewall policy
edit 1
set name "VWP-Policy"
set srcintf "port3" "port4"
set dstintf "port3" "port4"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set fsso disable
next
end

To create a virtual wire pair policy using the GUI:

1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy.


2. Click Create New.
3. Select the direction that traffic is allowed to flow.
4. Configure the other fields.
5. Click OK.

Virtual VLAN switch

The hardware switch ports on FortiGate models that support virtual VLAN switches can be used as a layer 2 switch.
Virtual VLAN switch mode allows 802.1Q VLANs to be assigned to ports, and the configuration of one interface as a
trunk port.
The following FortiGate series are supported in FortiOS 6.4: 60F, 100E, 100F, 140E, 300E, 400E, 1100E, 1800F, 2600F,
4200F, and 4400F.
The virtual-switch-vlan option must be enabled in the CLI to configure VLAN switch mode from the GUI or CLI.

To enable VLAN switches:

config system global
set virtual-switch-vlan enable
end


After this setting is enabled, any previously configured hardware switches will appear in the Network > Interfaces page
under VLAN Switch.

To enable VLAN switch mode in the GUI:

1. Go to System > Settings.
2. In the View Settings section, enable VLAN switch mode.
3. Click Apply.

Basic configurations

Hardware switch ports can be configured as either a VLAN switch port or a trunk port. The available interfaces and
allowable VLAN IDs that can be used depend on the FortiGate model. It is recommended to remove ports from the
default VLAN switch before you begin configurations.

To create a new VLAN and assign ports in the GUI:

1. Go to Network > Interfaces and click Create New > Interface.
2. Enter a name and configure the following:
   a. Set the Type to VLAN Switch.
   b. Enter a VLAN ID.
   c. Click the + and add the Interface Members.
   d. Configure the Address and Administrative Access settings as needed.
3. Click OK.

To create a new VLAN and assign ports in the CLI:

1. Configure the VLAN:
    config system virtual-switch
        edit "VLAN10"
            set physical-switch "sw0"
            set vlan 10
            config port
                edit "internal1"
                next
                edit "internal2"
                next
            end
        next
    end

2. Configure the VLAN switch interface addressing:
    config system interface
        edit "VLAN10"
            set vdom "root"
            set ip 192.168.10.99 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm
            set type hard-switch
        next
    end


To designate an interface as a trunk port:

    config system interface
        edit internal5
            set trunk enable
        next
    end

Example 1: HA using a VLAN switch

In this example, two FortiGates in an HA cluster are connected to two ISP routers. Instead of connecting to external L2
switches, each FortiGate connects to each ISP router on the same hardware switch port on the same VLAN. A trunk port
connects the two FortiGates to deliver the 802.1Q tagged traffic to the other. A full mesh between the FortiGate cluster
and the ISP routers is achieved where no single point of failure will cause traffic disruptions.

This example assumes that the HA settings are already configured. The interface and VLAN switch settings are identical
between cluster members and synchronized. See HA using a hardware switch to replace a physical switch on page 975
for a similar example that does not use a VLAN switch.

To configure the VLAN switches:

1. Configure the ISP interfaces with the corresponding VLAN IDs:
    config system virtual-switch
        edit "ISP1"
            set physical-switch "sw0"
            set vlan 2951
            config port
                edit "port1"
                next
            end
        next
        edit "ISP2"
            set physical-switch "sw0"
            set vlan 2952
            config port
                edit "port2"
                next
            end
        next
    end

2. Configure the VLAN switch interface addressing:
    config system interface
        edit "ISP1"
            set vdom "root"
            set ip 192.168.10.99 255.255.255.0
            set allowaccess ping
            set type hard-switch
        next
        edit "ISP2"
            set vdom "root"
            set ip 192.168.20.99 255.255.255.0
            set allowaccess ping
            set type hard-switch
        next
    end

3. Designate port15 as the trunk port:
    config system interface
        edit port15
            set trunk enable
        next
    end

4. Configure firewall policies to allow outgoing traffic on the ISP1 and ISP2 interfaces:
    config firewall policy
        edit 1
            set srcintf "port11"
            set dstintf "ISP1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
        edit 2
            set srcintf "port11"
            set dstintf "ISP2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end


Example 2: LAN extension

In this example, two hardware switch ports are assigned VLAN10, and two ports are assigned VLAN20 on FortiGate B.
The wan2 interface is designated as the trunk port, and is connected to the upstream FortiGate A. The corresponding
VLAN subinterfaces VLAN10 and VLAN20 on the upstream FortiGate allow further access to other networks.

The available interfaces and VLAN IDs vary between FortiGate models. FortiGate B in this example is a 60F model.

To configure FortiGate B:

1. Configure the VLAN interfaces:
    config system virtual-switch
        edit "VLAN10"
            set physical-switch "sw0"
            set vlan 10
            config port
                edit "internal1"
                next
                edit "internal2"
                next
            end
        next
        edit "VLAN20"
            set physical-switch "sw0"
            set vlan 20
            config port
                edit "internal3"
                next
                edit "internal4"
                next
            end
        next
    end


2. Configure the VLAN switch interface addressing:
    config system interface
        edit "VLAN10"
            set vdom "root"
            set ip 192.168.10.99 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm
            set type hard-switch
        next
        edit "VLAN20"
            set vdom "root"
            set ip 192.168.20.99 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm
            set type hard-switch
        next
    end

3. Designate wan2 as the trunk port:
    config system interface
        edit wan2
            set trunk enable
        next
    end

To configure FortiGate A:

1. Configure the VLAN subinterfaces:
    config system interface
        edit "VLAN10"
            set ip 192.168.10.98 255.255.255.0
            set allowaccess ping https ssh
            set role lan
            set interface "dmz"
            set vlanid 10
        next
        edit "VLAN20"
            set ip 192.168.20.98 255.255.255.0
            set allowaccess ping https ssh
            set role lan
            set interface "dmz"
            set vlanid 20
        next
    end

2. Configure the DHCP server on VLAN10:
    config system dhcp server
        edit 0
            set dns-service default
            set default-gateway 192.168.10.98
            set netmask 255.255.255.0
            set interface "VLAN10"
            config ip-range
                edit 1
                    set start-ip 192.168.10.100
                    set end-ip 192.168.10.254
                next
            end
            set timezone-option default
        next
    end

3. Configure firewall policies that allow traffic from the VLAN10 and VLAN20 interfaces to the internet:
    config firewall policy
        edit 0
            set name "VLAN10-out"
            set srcintf "VLAN10"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
        edit 0
            set name "VLAN20-out"
            set srcintf "VLAN20"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

To test the connection:

1. Connect a PC to internal1 on FortiGate B.
2. Verify that it receives an IP address from FortiGate A's DHCP server.
3. From the PC, ping FortiGate B on 192.168.10.99.
4. Ping FortiGate A on 192.168.10.98.
5. Connect to the internet. Traffic is allowed by the VLAN10-out policy.

Failure detection for aggregate and redundant interfaces

When an aggregate or redundant interface goes down, the corresponding fail-alert interface changes to down. When an
aggregate or redundant interface comes up, the corresponding fail-alert interface changes to up.


Fail-detect for aggregate and redundant interfaces can be configured using the CLI.

To configure an aggregate interface so that port3 goes down with it:

    config system interface
        edit "agg1"
            set vdom "root"
            set fail-detect enable
            set fail-alert-method link-down
            set fail-alert-interfaces "port3"
            set type aggregate
            set member "port1" "port2"
        next
    end

To configure a redundant interface so that port4 goes down with it:

    config system interface
        edit "red1"
            set vdom "root"
            set fail-detect enable
            set fail-alert-method link-down
            set fail-alert-interfaces "port4"
            set type redundant
            set member "port1" "port2"
        next
    end

VLAN inside VXLAN

VLANs can be assigned to VXLAN interfaces. In a data center network where VXLAN is used to create an L2 overlay
network, and in multitenant environments, a customer VLAN tag can be assigned to a VXLAN interface. This allows the
VLAN tag from the VLAN traffic to be encapsulated within the VXLAN packet.

To configure VLAN inside VXLAN on HQ1:

1. Configure VXLAN:
    config system vxlan
        edit "vxlan1"
            set interface port1
            set vni 1000
            set remote-ip 173.1.1.1
        next
    end


2. Configure the system interfaces:
    config system interface
        edit vlan100
            set vdom root
            set vlanid 100
            set interface dmz
        next
        edit vxlan100
            set type vlan
            set vlanid 100
            set vdom root
            set interface vxlan1
        next
    end

3. Configure the software switch:
    config system switch-interface
        edit sw1
            set vdom root
            set member vlan100 vxlan100
            set intra-switch-policy implicit
        next
    end

The default intra-switch-policy implicit behavior allows traffic between member interfaces within the switch.
Therefore, it is not necessary to create firewall policies to allow this traffic.

Instead of creating a software switch, it is possible to use a virtual wire pair as well. See Virtual Wire Pair with
VXLAN on page 440.

To configure VLAN inside VXLAN on HQ2:

1. Configure VXLAN:
    config system vxlan
        edit "vxlan2"
            set interface port25
            set vni 1000
            set remote-ip 173.1.1.2
        next
    end

2. Configure the system interfaces:
    config system interface
        edit vlan100
            set vdom root
            set vlanid 100
            set interface port20
        next
        edit vxlan100
            set type vlan
            set vlanid 100
            set vdom root
            set interface vxlan2
        next
    end

3. Configure the software switch:
    config system switch-interface
        edit sw1
            set vdom root
            set member vlan100 vxlan100
        next
    end

To verify the configuration:

Ping PC1 from PC2. The following is captured on HQ2:

This captures the VXLAN traffic between 172.1.1.1 and 172.1.1.2 with the VLAN 100 tag inside.

Virtual Wire Pair with VXLAN

Virtual wire pairs can be used with VXLAN interfaces.

In this example, VXLAN interfaces are added between FortiGate HQ1 and FortiGate HQ2, a virtual wire pair is added on
HQ1, and firewall policies are created on both HQ1 and HQ2.


To create VXLAN interface on HQ1:

    config system interface
        edit "port11"
            set vdom "root"
            set ip 10.2.2.1 255.255.255.0
            set allowaccess ping https ssh snmp telnet
        next
    end
    config system vxlan
        edit "vxlan1"
            set interface "port11"
            set vni 1000
            set remote-ip "10.2.2.2"
        next
    end

To create VXLAN interface on HQ2:

    config system interface
        edit "port11"
            set vdom "root"
            set ip 10.2.2.2 255.255.255.0
            set allowaccess ping https ssh snmp http
        next
    end
    config system vxlan
        edit "vxlan1"
            set interface "port11"
            set vni 1000
            set remote-ip "10.2.2.1"
        next
    end
    config system interface
        edit "vxlan1"
            set vdom "root"
            set ip 10.1.100.2 255.255.255.0
            set allowaccess ping https ssh snmp
        next
    end

To create a virtual wire pair on HQ1:

    config system virtual-wire-pair
        edit "vwp1"
            set member "port10" "vxlan1"
        next
    end

To create a firewall policy on HQ1:

    config firewall policy
        edit 5
            set name "vxlan-policy"
            set srcintf "port10" "vxlan1"
            set dstintf "port10" "vxlan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set webfilter-profile "default"
            set dnsfilter-profile "default"
            set ips-sensor "default"
            set application-list "default"
            set fsso disable
        next
    end

To create a firewall policy on HQ2:

    config firewall policy
        edit 5
            set name "1"
            set srcintf "port13"
            set dstintf "vxlan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set fsso disable
            set nat enable
        next
    end

QinQ 802.1Q in 802.1ad

QinQ (802.1ad) allows multiple VLAN tags to be inserted into a single frame, and can be configured on supported
FortiGate devices.
In this example, the customer connects to a provider that uses 802.1ad double-tagging to separate their customer
VLANs. The FortiGate connecting to the provider double-tags its frames with an outer provider-tag (S-Tag) and an inner
customer-tag (C-Tag).

The customer identifies itself with the provider-tag (S-Tag) 232 and uses the customer-tag (C-Tag) 444 for traffic to its
VLAN.


To configure the interfaces:

1. Configure the interface to the provider that uses the outer tag (S-Tag):
    config system interface
        edit "vlan-8021ad"
            set vdom "root"
            set vlan-protocol 8021ad
            set device-identification enable
            set role lan
            set snmp-index 47
            set interface "PORT"
            set vlanid 232
        next
    end

2. Configure a dynamic VLAN interface that uses the inner tag (C-Tag):
    config system interface
        edit "DVLAN"
            set vdom "vdom1"
            set device-identification enable
            set role lan
            set snmp-index 48
            set interface "vlan-8021ad"
            set vlanid 444
        next
    end

The following FortiGate devices are not supported: 3800D, 3810D, 3815D, 3960E, 3980E.

QinQ 802.1Q in 802.1Q

QinQ (802.1Q in 802.1Q) is supported for FortiGate VM models, where multiple VLAN tags can be inserted into a single
frame.

In this example, the FortiGate VM is connected to a provider vSwitch and then a customer switch. The FortiGate
encapsulates the frame with an outer 802.1Q tag of VLAN 100 and an inner 802.1Q tag of VLAN 200; port5 is used as
the physical port. The provider vSwitch strips the outer tag and forwards traffic to the appropriate customer. Then the
customer switch strips the inner tag and forwards the packet to the appropriate customer VLAN.


To configure the interfaces:

1. Configure the interface to the provider that uses the outer tag:
    config system interface
        edit "vlan-8021q"
            set vdom "root"
            set device-identification enable
            set role lan
            set interface "port5"
            set vlan-protocol 8021q
            set vlanid 100
        next
    end

2. Configure the interface to the provider that uses the inner tag:
    config system interface
        edit "vlan-qinq8021q"
            set vdom "root"
            set ip 1.1.1.71 255.255.255.0
            set allowaccess ping https ssh snmp http
            set device-identification enable
            set role lan
            set interface "vlan-8021q"
            set vlanid 200
        next
    end

To verify the traffic:

1. From the FortiGate, ping 1.1.1.72:
    # execute ping 1.1.1.72
    PING 1.1.1.72 (1.1.1.72): 56 data bytes
    64 bytes from 1.1.1.72: icmp_seq=0 ttl=255 time=0.2 ms
    64 bytes from 1.1.1.72: icmp_seq=1 ttl=255 time=0.1 ms
    64 bytes from 1.1.1.72: icmp_seq=2 ttl=255 time=0.1 ms
    64 bytes from 1.1.1.72: icmp_seq=3 ttl=255 time=0.1 ms
    ^C
    --- 1.1.1.72 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.1/0.1/0.2 ms

2. Verify the packet capture frame header output captured from the FortiGate's port5:
    Frame 2: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
    Ethernet II, Src: VMware_93:ae:8f (00:50:56:93:ae:8f), Dst: VMware_93:e3:72 (00:50:56:93:e3:72)
        Destination: VMware_93:e3:72 (00:50:56:93:e3:72)
        Source: VMware_93:ae:8f (00:50:56:93:ae:8f)
        Type: 802.1Q Virtual LAN (0x8100)
    802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
        000. .... .... .... = Priority: Best Effort (default) (0)
        ...0 .... .... .... = DEI: Ineligible
        .... 0000 0110 0100 = ID: 100
        Type: 802.1Q Virtual LAN (0x8100)
    802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 200
        000. .... .... .... = Priority: Best Effort (default) (0)
        ...0 .... .... .... = DEI: Ineligible
        .... 0000 1100 1000 = ID: 200
        Type: IPv4 (0x0800)
    Internet Protocol Version 4, Src: 1.1.1.71, Dst: 1.1.1.72
    Internet Control Message Protocol

The outer tag (first tag) is an 802.1Q tag with VLAN ID 100. The inner tag (second tag) is also an 802.1Q tag with
VLAN ID 200.
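The captures in this section and in VLAN inside VXLAN above can be checked programmatically rather than by eye. The following Python parser is an added example and not code from the FortiOS guide: it walks an Ethernet frame's full tag stack (802.1ad S-Tags and 802.1Q C-Tags in any order), reads the IPv4 endpoints, and, for VXLAN on UDP port 4789, decodes the VNI and the inner frame so the VLAN tag carried inside the overlay is visible. The three frames it decodes are constructed inline to match the examples on this page (outer 100 / inner 200 from the capture above, S-Tag 232 / C-Tag 444, and VNI 1000 with VLAN 100 inside); the MAC addresses and the inner IP addresses of the 802.1ad and VXLAN samples are assumed documentation values.

```python
import struct
from ipaddress import IPv4Address

# Standard EtherTypes and ports (not FortiOS-specific values).
ETH_P_8021Q = 0x8100    # 802.1Q tag (customer tag, C-Tag)
ETH_P_8021AD = 0x88A8   # 802.1ad tag (service/provider tag, S-Tag)
ETH_P_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_UDP_PORT = 4789
TAG_NAMES = {ETH_P_8021Q: "802.1Q", ETH_P_8021AD: "802.1ad"}


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame, depth=0):
    """Decode an Ethernet frame into a dict: MACs, the VLAN tag stack (outer
    first), IPv4 endpoints/protocol and, for VXLAN, the VNI and inner frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    off, vlans = 14, []
    # Each tag is TPID (just read as "ethertype") + TCI, then the next TPID/EtherType.
    while ethertype in TAG_NAMES:
        tpid = ethertype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append({"proto": TAG_NAMES[tpid], "vid": tci & 0x0FFF, "pcp": tci >> 13})
        off += 4
    info = {"dst": _mac(dst), "src": _mac(src), "vlans": vlans, "ethertype": ethertype}
    if ethertype != ETH_P_IPV4 or len(frame) < off + 20:
        return info
    ver_ihl, _, _, _, _, _, proto, _, sip, dip = struct.unpack_from("!BBHHHBBH4s4s", frame, off)
    off += (ver_ihl & 0x0F) * 4
    info.update(ip_src=str(IPv4Address(sip)), ip_dst=str(IPv4Address(dip)), ip_proto=proto)
    if proto != IPPROTO_UDP or len(frame) < off + 8:
        return info
    _sport, dport, _ulen, _ucsum = struct.unpack_from("!HHHH", frame, off)
    off += 8
    # VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte; then an inner frame.
    if dport == VXLAN_UDP_PORT and depth == 0 and len(frame) >= off + 8:
        flags, vni_field = struct.unpack_from("!B3xI", frame, off)
        if flags & 0x08:  # "I" flag: the VNI field is valid
            info["vxlan"] = {"vni": vni_field >> 8, "inner": parse_frame(frame[off + 8:], depth + 1)}
    return info


def vlan_stack(info):
    """Flatten a parsed frame to [(tag protocol, VLAN ID), ...], outer tag first."""
    return [(v["proto"], v["vid"]) for v in info["vlans"]]


# --- constructed sample frames (builders leave the IP checksum at 0; the parser ignores it) ---
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def _eth(dst, src, tags, ethertype, payload):
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, vid in tags:          # outer tag first
        frame += struct.pack("!HH", tpid, vid)
    return frame + struct.pack("!H", ethertype) + payload


ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 0) + bytes(56)   # echo request, 56 data bytes

# Sample 1: the 802.1Q-in-802.1Q ping frame from the capture above (106 bytes like the capture).
QINQ_8021Q_FRAME = _eth("00:50:56:93:e3:72", "00:50:56:93:ae:8f",
                        [(ETH_P_8021Q, 100), (ETH_P_8021Q, 200)],
                        ETH_P_IPV4, _ipv4("1.1.1.71", "1.1.1.72", 1, ICMP_ECHO))

# Sample 2: the 802.1ad case, S-Tag 232 outside C-Tag 444 (assumed documentation MAC/IP values).
QINQ_8021AD_FRAME = _eth("00:00:5e:00:53:02", "00:00:5e:00:53:01",
                         [(ETH_P_8021AD, 232), (ETH_P_8021Q, 444)],
                         ETH_P_IPV4, _ipv4("192.0.2.1", "192.0.2.2", 1, ICMP_ECHO))

# Sample 3: VLAN inside VXLAN, VNI 1000 between 172.1.1.1 and 172.1.1.2 carrying an inner
# frame tagged VLAN 100 (assumed documentation MAC/IP values for the inner frame).
_INNER = _eth("00:00:5e:00:53:12", "00:00:5e:00:53:11", [(ETH_P_8021Q, 100)],
              ETH_P_IPV4, _ipv4("192.0.2.11", "192.0.2.12", 1, ICMP_ECHO))
_VXLAN = struct.pack("!B3xI", 0x08, 1000 << 8) + _INNER
_UDP = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(_VXLAN), 0) + _VXLAN
VXLAN_FRAME = _eth("00:00:5e:00:53:22", "00:00:5e:00:53:21", [],
                   ETH_P_IPV4, _ipv4("172.1.1.1", "172.1.1.2", IPPROTO_UDP, _UDP))

if __name__ == "__main__":
    for name, frame in [("QinQ 802.1Q", QINQ_8021Q_FRAME), ("QinQ 802.1ad", QINQ_8021AD_FRAME),
                        ("VLAN in VXLAN", VXLAN_FRAME)]:
        print(name, vlan_stack(parse_frame(frame)), parse_frame(frame).get("vxlan", {}).get("vni"))
```

Feed it frames read from a pcap of the FortiGate's port (or the HQ2 capture) to confirm that the tag order and VNI on the wire match the interface configuration.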

Assign a subnet with the FortiIPAM service

The FortiIPAM (IP Address Management) service automatically assigns subnets to FortiGate to prevent duplicate
IP addresses from overlapping within the same Security Fabric.
After the FortiIPAM registration is synced to FortiGuard from FortiCare, FortiGate can use FortiIPAM to automatically
assign IP addresses based on the configured network size for the FortiGate interface.

Requirements:

Register the FortiIPAM service for FortiGate in FortiCare.

FortiIPAM is a paid service.

To verify the FortiIPAM service registration in the GUI:

1. Go to System > FortiGuard to verify the FortiIPAM service is registered. If the service is registered, the FortiIPAM
area at the bottom of the page displays a check mark as well as the license expiry date.


Example

In this example, you will configure port5 on FortiGate Root to be managed by FortiIPAM and specify the network size.
Next you will enable DHCP on the interface to supply IP addresses to this network.
Once FortiIPAM is designated as the IP source, you will configure the port5 interface on FortiGate Downstream to obtain
an IP from DHCP to connect it to FortiGate Root and add it to the Security Fabric. Lastly, you will use FortiIPAM to
assign IP addresses to the Internal Network.
1. On FortiGate Root, edit port5 and configure the interface to be managed by FortiIPAM.
a. Go to Network > Interfaces, and double-click port5 to edit it. The Edit Interface window opens.
b. From the Role dropdown, select LAN.
c. In the Addressing mode area, select Auto-managed by FortiIPAM. An information icon appears next to
IP/Netmask and below the Network Size dropdown indicating FortiIPAM will allocate an IP subnet with the
selected size.
d. From the Network Size dropdown, select the size of the network segment for this interface.
e. Enable DHCP Server to allow the interface to supply IP addresses to this network.
You do not need to configure Address range and Netmask. These will be configured by FortiIPAM.
f. Click OK. Port5 gets an IP address from FortiIPAM corresponding to the network size. It will also start assigning
addresses through DHCP. Refresh this page if an IP has not been assigned.


2. View the IP allocation map.
   a. Go to Network > Interfaces, and double-click port5 to view it.
   b. In the IP/Netmask area, click Show Global IP Allocation Map. You are redirected to FortiCloud.
   c. Click Login. The FortiIPAM portal opens. The List View displays the assigned IP entries.
   d. Double-click an IP entry and click the Source tab. The IP source appears in the Device column. The Interface
      column displays the port. Assign Type displays Auto. Last Updated displays the assign time.

3. On FortiGate Root go to Network > Interfaces. The DHCP Server settings are configured automatically.


4. On FortiGate Downstream, configure port5 to obtain an IP from DHCP.
   a. Go to System > FortiGuard, and verify FortiIPAM is licensed.
   b. Go to Network > Interfaces, and double-click port5 to edit it.
   c. In the Addressing mode area, select DHCP and click OK. The interface will get its IP address from the DHCP
      server configured on FortiGate Root.
   d. In Network > Interfaces, double-click port5. The following fields appear in the Address area:
      - Status
      - Obtained IP/Netmask
      - Expiry Date
      - Acquired DNS

5. Add FortiGate Downstream to the Security Fabric.
   a. Go to Security Fabric > Fabric Connectors. In the Security Fabric Settings area, set Status to Enabled.
   b. In the Upstream FortiGate IP field, enter the IP address for FortiGate Root, and click OK. The Topology pane
      shows the connection is established.
6. On FortiGate Downstream, configure port6 to use FortiIPAM.
   a. Go to Network > Interfaces. Double-click port6 to edit it.
   b. From the Role dropdown, select LAN.
   c. In the Address mode area, select Auto-managed by FortiIPAM.
   d. From the Network size dropdown, select a different network size. In this example, the network size was
      increased to 512.


   e. Wait a while and then double-click port6. The IP/Netmask is auto-populated.
   f. Enable DHCP Server to allow the interface to supply IP addresses to this network.
7. Go back to the FortiIPAM portal in FortiCloud.
   a. The List View tab shows the IP addresses for the downstream FortiGates.
   b. Select a subnet, and click the Source tab. The source details show that the IP is different from the root
      FortiGate, preventing conflicts.

To view the FortiIPAM service details in the CLI:

Use the diagnose command to view the FortiIPAM service information in FortiGate.
Root-E (global) # diagnose test update info
...
System contracts:
...
IPMC,Thu Apr 15 17:00:00 2021


You can also use the REST API to get the FortiIPAM service information.
https://172.16.116.xxx/api/v2/monitor/license/status
..."fortiipam_cloud":{
"type":"live_cloud_service",
"status":"licensed",
"expires":1618531200,
"entitlement":"IPMC"
}

To configure FortiIPAM in the CLI:

1. On FortiGate Root, edit port5 and configure the interface to be managed by FortiIPAM. Use managed-subnetwork-size
   to specify the network size of the network segment for this interface. In this example, the network size is 256.
    config system interface
        edit "port5"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 256
        next
    end
2. On the same interface, enable the DHCP server to supply IP addresses to this network.

No configuration is required unless you need to change the defaults.

    config system dhcp server
        edit 1
            set interface "port5"
            set dhcp-settings-from-fortiipam enable
        next
    end
3. Once FortiIPAM completes the address configuration, the configurations will appear as follows:
    show system interface
    ...
        edit "port5"
            set vdom "root"
            set ip 10.128.6.1 255.255.255.0
            set allowaccess ping https ssh http fabric
            set type physical
            set device-identification enable
            set lldp-transmission enable
            set role lan
            set snmp-index 5
            set ip-managed-by-fortiipam enable
        next
    ...
    end
    show system dhcp server
        edit 1
            set dns-service default
            set default-gateway 10.128.6.1
            set netmask 255.255.255.0
            set interface "port5"
            config ip-range
                edit 1
                    set start-ip 10.128.6.1
                    set end-ip 10.128.6.254
                next
            end
            set dhcp-settings-from-fortiipam enable
            config exclude-range
                edit 1
                    set start-ip 10.128.6.1
                    set end-ip 10.128.6.1
                next
            end
        next
    end
4. On FortiGate Downstream, configure port5 to obtain an IP from DHCP.
    config system interface
        edit "port5"
            set mode dhcp
        next
    end
5. After the IP is assigned and the device is connected to FortiGate Root, add FortiGate Downstream to the Security
   Fabric.
6. Once FortiGate Downstream is connected to the Security Fabric, you can configure the port6 interface to use the
   FortiIPAM service as well.
7. On FortiGate Downstream, set the port6 interface to be managed by the FortiIPAM service, and increase the
   managed-subnetwork-size value. In this example, the network size was increased to 512.
    config system interface
        edit "port6"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 512
        next
    end
8. Configure the DHCP server on this port to assign IP addresses to this subnet.
    config system dhcp server
        edit 1
            set interface "port6"
            set dhcp-settings-from-fortiipam enable
        next
    end


9. Go to the FortiIPAM Portal to view the IP addresses.

Interface MTU packet size

Changing the maximum transmission unit (MTU) on FortiGate interfaces changes the size of transmitted packets. Most
FortiGate devices' physical interfaces support jumbo frames of up to 9216 bytes, but some only support 9000 or
9204 bytes.
To avoid fragmentation, the MTU should be the same as the smallest MTU in all of the networks between the FortiGate
and the destination. If the packets sent by the FortiGate are larger than the smallest MTU, they are fragmented,
slowing down the transmission. Packets with the DF flag set in the IPv4 header are dropped rather than fragmented.
On many network and endpoint devices, the path MTU is used to determine the smallest MTU and to transmit packets
within that size.
- ASIC accelerated FortiGate interfaces, such as NP6, NP7, and SOC4 (np6xlite), support MTU sizes up to 9216 bytes.
- FortiGate VMs can have varying maximum MTU sizes, depending on the underlying interface and driver.
- Virtual interfaces, such as VLAN interfaces, inherit their MTU size from their parent interface.

To verify the supported MTU size:

    config system interface
        edit <interface>
            set mtu-override enable
            set mtu ?
            <integer> Maximum transmission unit (<min>-<max>)
        next
    end

To change the MTU size:

    config system interface
        edit <interface>
            set mtu-override enable
            set mtu <max bytes>
        next
    end

Maximum MTU size on a path

To manually test the maximum MTU size on a path, you can use the ping command on a Windows computer.
For example, you can send ICMP packets of a specific size with the DF flag set, and iterate through increasing sizes
until the ping fails.
- The -f option sets the Do not Fragment (DF) flag.
- The -l option specifies the length, in bytes, of the Data field in the Echo Request messages. This does not include
  the 8 bytes for the ICMP header and 20 bytes for the IP header. Therefore, if the maximum MTU is 1500 bytes, then
  the maximum supported data size is: 1500 - 8 - 20 = 1472 bytes.

To determine the maximum MTU size on a path:

1. In the Windows command prompt, try a likely MTU size:
    >ping 4.2.2.1 -l 1472 -f
    Pinging 4.2.2.1 with 1472 bytes of data:
    Reply from 4.2.2.1: bytes=1472 time=41ms TTL=52
    Reply from 4.2.2.1: bytes=1472 time=42ms TTL=52
    Reply from 4.2.2.1: bytes=1472 time=103ms TTL=52
    Reply from 4.2.2.1: bytes=1472 time=38ms TTL=52

    Ping statistics for 4.2.2.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 38ms, Maximum = 103ms, Average = 56ms

2. Increase the size and try the ping again:
    >ping 4.2.2.1 -l 1473 -f
    Pinging 4.2.2.1 with 1473 bytes of data:
    Request timed out.

    Ping statistics for 4.2.2.1:
        Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

   The second test fails, so the maximum MTU size on the path is 1472 bytes + 8-byte ICMP header + 20-byte IP
   header = 1500 bytes.

Maximum segment size

The TCP maximum segment size (MSS) is the maximum amount of data that can be sent in a TCP segment. The MSS is
the MTU size of the interface minus the 20 byte IP header and 20 byte TCP header. By reducing the TCP MSS, you can
effectively reduce the MTU size of the packet.
The TCP MSS can be configured in a firewall policy, or directly on an interface.
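The arithmetic of the two sections above (ping payload versus MTU, and MTU versus TCP MSS) and the search for the largest DF-flagged packet that crosses a path can be scripted. The following Python is an added example, not code from the FortiOS guide; it generalizes the one-byte-at-a-time ping procedure into a binary search over an injectable probe function, and because it must run offline the probe here is a constructed simulation of a path (a packet passes only if it fits every link). `ping_succeeded` parses Windows ping output of the shape shown above; the `PING_OK`/`PING_FAIL` strings are constructed sample output.

```python
IP_HEADER = 20     # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo header
TCP_HEADER = 20    # TCP header without options


def icmp_payload_for_mtu(mtu):
    """Largest 'ping -l' data size that fits in one packet of the given MTU."""
    return mtu - IP_HEADER - ICMP_HEADER


def mtu_from_icmp_payload(payload):
    """Path MTU implied by the largest 'ping -l' size that still gets a reply."""
    return payload + IP_HEADER + ICMP_HEADER


def tcp_mss_for_mtu(mtu):
    """TCP MSS that keeps every segment within the given MTU (no TCP options)."""
    return mtu - IP_HEADER - TCP_HEADER


def ping_succeeded(output):
    """True if Windows ping output contains an echo reply. An oversized DF packet
    produces 'Request timed out.' or 'Packet needs to be fragmented but DF set.'."""
    return any(line.lstrip().startswith("Reply from") and "bytes=" in line
               for line in output.splitlines())


def find_path_mtu(probe, low=576, high=9216):
    """Binary search for the largest IP packet size that probe() accepts with DF set.
    probe(size) returns True when a packet of that total size crosses the path;
    `low` is assumed to pass (576 is the classic IPv4 minimum reassembly size)."""
    if not probe(low):
        raise ValueError(f"path does not pass {low}-byte packets")
    if probe(high):
        return high
    while high - low > 1:          # invariant: low passes, high fails
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def simulated_path(link_mtus):
    """Constructed stand-in for 'ping -f': a DF packet passes only if it fits every link."""
    bottleneck = min(link_mtus)
    return lambda size: size <= bottleneck


# Constructed Windows ping output, modelled on the two tests shown above.
PING_OK = "Pinging 4.2.2.1 with 1472 bytes of data:\nReply from 4.2.2.1: bytes=1472 time=41ms TTL=52\n"
PING_FAIL = "Pinging 4.2.2.1 with 1473 bytes of data:\nRequest timed out.\n"

if __name__ == "__main__":
    # A path whose smallest link is 1492 bytes (a typical PPPoE hop).
    mtu = find_path_mtu(simulated_path([1500, 1492, 9000]))
    print("path MTU", mtu, "max ping -l", icmp_payload_for_mtu(mtu), "tcp-mss", tcp_mss_for_mtu(mtu))
```

With a real probe that runs `ping <host> -l <size - 28> -f` and feeds the output to `ping_succeeded`, the same search finds the path MTU in about a dozen pings instead of hundreds.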


To configure the MSS in a policy:

    config firewall policy
        edit <policy ID>
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "10.10.10.6"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set tcp-mss-sender 1448
            set tcp-mss-receiver 1448
        next
    end

To configure the MSS on an interface:

    config system interface
        edit "wan2"
            set vdom "root"
            set mode dhcp
            set allowaccess ping fgfm
            set type physical
            set tcp-mss 1448
            set role wan
        next
    end

One-arm sniffer

You can use a one-arm sniffer to configure a physical interface as a one-arm intrusion detection system (IDS). Traffic
sent to the interface is examined for matches to the configured security profile. The matches are logged, and then all
received traffic is dropped. Sniffing only reports on attacks; it does not deny or influence traffic.
You can also use the one-arm sniffer to configure the FortiGate to operate as an IDS appliance that sniffs network traffic
for attacks without actually processing the packets. To configure a one-arm IDS, enable sniffer mode on a physical
interface and connect the interface to the SPAN port of a switch or to a dedicated network tap that can replicate the
traffic to the FortiGate.
To assign an interface as a sniffer interface in the GUI, go to Network > Interfaces and edit the interface. For Addressing
mode, select One-Arm Sniffer.
If the option is not available, the interface is in use. Ensure that the interface is not selected in any firewall policies,
routes, virtual IPs, or other features where a physical interface is specified. The option does not appear if the role is set
to WAN. Ensure the role is set to LAN, DMZ, or undefined.
The following table lists some of the one-arm sniffer settings you can configure:

Filters
    Enable this setting to include filters that define a more granular sniff of network traffic. Select specific hosts,
    ports, VLANs, and protocols.
    In all cases, enter a number or range for the filter type. The standard protocols are:
    - UDP: 17
    - TCP: 6
    - ICMP: 1

Include IPv6 Packets
    If the network is running IPv4 and IPv6 addresses, enable this setting to sniff both types; otherwise, the
    FortiGate will only sniff IPv4 traffic.

Include Non-IPv6 Packets
    Enable this setting for a more intense content scan of the traffic.

Security Profiles
    The following profiles are configurable in the GUI and CLI:
    - Antivirus
    - Web filter
    - Application control
    - IPS
    The following profiles are only configurable in the CLI:
    - Email filter
    - DLP
    - IPS DoS

CPU usage and packet loss

Traffic scanned on the one-arm sniffer interface is processed by the CPU, even if there is an SPU, such as NPU or CP,
present. The one-arm sniffer may cause higher CPU usage and perform at a lower level than traditional inline scanning,
which uses NTurbo or CP to accelerate traffic when present.
The absence of high CPU usage does not indicate the absence of packet loss. Packet loss may occur due to the
capacity of the TAP devices hitting maximum traffic volume during mirroring, or on the FortiGate when the kernel buffer
size is exceeded and it is unable to handle bursts of traffic.

Captive portals

A captive portal is used to enforce authentication before web resources can be accessed. Until a user authenticates
successfully, any HTTP request returns the authentication page. After successfully authenticating, a user can access the
requested URL and other web resources, as permitted by policies. The captive portal can also be configured to only
allow access to members of specific user groups.
Captive portals can be hosted on the FortiGate or on an external authentication server. They can be configured on any
network interface, including VLAN and WiFi interfaces. On a WiFi interface, the access point appears open, and the
client can connect to the access point with no security credentials, but then sees the captive portal authentication page.
See Configuring WiFi captive portal security, in the FortiWiFi and FortiAP Configuration Guide, for more information.
All users on the interface are required to authenticate. Exemption lists can be created for devices that are unable to
authenticate, such as a printer that requires access to the internet for firmware upgrades.


To configure a captive portal in the GUI:

1. Go to Network > Interfaces and edit the interface that the users connect to. The interface Role must be LAN or
   Undefined.
2. Enable Security mode.
3. Configure the following settings, then click OK.

Authentication Portal
    Configure the location of the portal:
    - Local: the portal is hosted on the FortiGate unit.
    - External: enter the FQDN or IP address of the external portal.

User access
    Select whether the portal applies to all users or to selected user groups:
    - Restricted to Groups: restrict access to the selected user groups. The Login page is shown when a user tries to
      log in to the captive portal.
    - Allow all: all users can log in, but access is defined by the relevant policies. The Disclaimer page is shown
      when a user tries to log in to the captive portal.

Customize portal messages
    Enable to use custom portal pages, then select a replacement message group. See Custom captive portal pages on
    page 457.

Exempt sources
    Select sources that are exempt from the captive portal. Each exemption is added as a rule in an automatically
    generated exemption list.

Exempt destinations/services
    Select destinations and services that are exempt from the captive portal. Each exemption is added as a rule in an
    automatically generated exemption list.

Redirect after Captive Portal
    Configure website redirection after successful captive portal authentication:
    - Original Request: redirect to the URL that was initially requested.
    - Specific URL: redirect to the specified URL.

To configure a captive portal in the CLI:

1. If required, create a security exemption list:


config user security-exempt-list
edit <list>
config rule
edit 1
set srcaddr <source(s)>
set dstaddr <destination(s)>
set service <service(s)>
next
edit 2
set srcaddr <source(s)>
set dstaddr <destination(s)>
set service <service(s)>
next
end
next
end

2. Configure captive portal authentication on the interface:


config system interface
edit <interface>
set security-mode {none | captive-portal}
set security-external-web <string>
set replacemsg-override-group <group>
set security-redirect-url <string>
set security-exempt-list <list>
set security-groups <group(s)>
next
end

Custom captive portal pages

Portal pages are HTML files that can be customized to meet user requirements.
Most of the text and some of the HTML in the message can be changed. Tags are enclosed by double percent signs
(%%); most of them should not be changed because they might carry information that the FortiGate unit needs. For
information about customizing replacement messages, see Modifying replacement messages on page 1038.
The images on the pages can be replaced. For example, your organization's logo can replace the Fortinet logo. For
information about uploading and using new images in replacement messages, see Replacement message images on
page 1040.
The following pages are used by captive portals:

Login Page Requests user credentials.
The %%QUESTION%% tag provides the Please enter the required information to
continue. text.
This page is shown to users that are trying to log in when User access is set to
Restricted to Groups.

Login Failed Page Reports that incorrect credentials were entered, and requests correct credentials.
The %%FAILED_MESSAGE%% tag provides the Firewall authentication failed.
Please try again. text.

Disclaimer Page A statement of the legal responsibilities of the user and the host organization that
the user must agree to before proceeding. This page is shown to users that are
trying to log in when User access is set to Allow all.

Declined Disclaimer Page Shown if the user does not agree to the statement on the Disclaimer page. Access
is denied until the user agrees to the disclaimer.

DNS

Domain name system (DNS) is used by devices to locate websites by mapping a domain name to a website’s IP
address.
A FortiGate can serve different roles based on user requirements:
l A FortiGate can control what DNS server a network uses.
l A FortiGate can function as a DNS server.
FortiGuard Dynamic DNS (DDNS) allows a remote administrator to access a FortiGate's Internet-facing interface using a
domain name that remains constant even when its IP address changes.
FortiOS supports DNS configuration for both IPv4 and IPv6 addressing. When a user requests a website, the FortiGate
looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to
complete the transaction.
The FortiGate queries the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP
or web servers defined by their domain names.
The following topics provide information about DNS:
l Important DNS CLI commands on page 458
l DNS domain list on page 460
l FortiGate DNS server on page 461
l DDNS on page 464
l DNS latency information on page 467
l DNS over TLS on page 469
l DNS troubleshooting on page 470

Important DNS CLI commands

DNS settings can be configured with the following CLI command:


config system dns
set primary <ip_address>
set secondary <ip_address>
set dns-over-tls {enable | disable | enforce}
set ssl-certificate <string>
set domain <domains>
set ip6-primary <ip6_address>
set ip6-secondary <ip6_address>
set timeout <integer>
set retry <integer>
set dns-cache-limit <integer>
set dns-cache-ttl <integer>
set cache-notfound-responses {enable | disable}
set source-ip <class_ip>
end

For a FortiGate with multiple logical CPUs, you can set the DNS process number from 1 to the number of logical CPUs.
The default DNS process number is 1.

config system global
set dnsproxy-worker-count <integer>
end

dns-over-tls

DNS over TLS (DoT) is a security protocol for encrypting and wrapping DNS queries and answers via the Transport
Layer Security (TLS) protocol. It can be enabled, disabled, or enforced:
l disable: Disable DNS over TLS (default).
l enable: Use TLS for DNS queries if TLS is available.
l enforce: Use only TLS for DNS queries. Does not fall back to unencrypted DNS queries if TLS is unavailable.
For more information, see DNS over TLS on page 469.

cache-notfound-responses

When enabled, any DNS requests that are returned with NOT FOUND can be stored in the cache. The DNS server is not
asked to resolve the host name for NOT FOUND entries. By default, this option is disabled.

dns-cache-limit

Set the number of DNS entries that are stored in the cache (0 to 4294967295, default = 5000). Entries that remain in the
cache provide a quicker response to requests than going out to the Internet to get the same information.

dns-cache-ttl

The duration that the DNS cache retains information, in seconds (60 to 86400 (1 day), default = 1800).
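The three cache settings above interact: the limit bounds the number of entries, the TTL decides how long an entry answers without asking the configured DNS server again, and cache-notfound-responses decides whether negative answers are kept at all. The following added model (not FortiOS code; the eviction order used when the limit is reached, and the treatment of a limit of 0, are assumptions made here) makes those semantics concrete with the documented defaults of 5000 entries and 1800 seconds:

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Added illustration of dns-cache-limit / dns-cache-ttl / cache-notfound-responses.
# Not FortiOS code: the eviction order and the meaning of limit 0 are assumptions.

NOT_FOUND = None  # what `upstream` returns when the name does not exist


class DnsCache:
    def __init__(self, cache_limit: int = 5000, cache_ttl: int = 1800,
                 cache_notfound: bool = False) -> None:
        # Defaults mirror the documented FortiOS defaults (5000 entries, 1800 s).
        self.cache_limit = cache_limit
        self.cache_ttl = cache_ttl
        self.cache_notfound = cache_notfound
        self._entries: Dict[str, Tuple[Optional[str], float]] = {}  # name -> (answer, expires_at)
        self.upstream_queries = 0  # how often the configured DNS server was asked

    def resolve(self, name: str, upstream: Callable[[str], Optional[str]],
                now: Optional[float] = None) -> Optional[str]:
        """Answer from cache while the entry is younger than dns-cache-ttl,
        otherwise query `upstream(name)` and cache the result per policy."""
        now = time.time() if now is None else now
        key = name.lower().rstrip(".")
        hit = self._entries.get(key)
        if hit is not None:
            answer, expires_at = hit
            if expires_at > now:
                return answer          # fresh cache hit: no upstream traffic
            del self._entries[key]     # stale: fall through and re-query
        self.upstream_queries += 1
        answer = upstream(key)
        if answer is NOT_FOUND and not self.cache_notfound:
            # Negative answers are stored only when cache-notfound-responses is enabled
            return NOT_FOUND
        if self.cache_limit == 0:
            return answer              # assumption: a limit of 0 disables caching
        if len(self._entries) >= self.cache_limit:
            self._evict_one()
        self._entries[key] = (answer, now + self.cache_ttl)
        return answer

    def _evict_one(self) -> None:
        # Assumed policy: drop the entry closest to (or already past) expiry.
        victim = min(self._entries, key=lambda k: self._entries[k][1])
        del self._entries[victim]

    def size(self) -> int:
        return len(self._entries)
```

With cache-notfound-responses left disabled, every lookup of a non-existent name goes back to the DNS server; enabling it trades that repeated traffic for the risk of serving a stale negative answer for the full TTL after the name is created.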

VDOM DNS

When the FortiGate is in multi-VDOM mode, DNS is handled by the management VDOM. However, in some cases,
administrators may want to configure custom DNS settings on a non-management VDOM. For example, in a multi-
tenant scenario, each VDOM might be occupied by a different tenant, and each tenant might require its own DNS server.

To configure custom DNS settings within a non-management VDOM:

config vdom
edit <vdom>
config system vdom-dns
set vdom-dns enable
set primary <primary_DNS>
set secondary <secondary_DNS>
set protocol {cleartext dot doh}
set ip6-primary <primary_IPv6_DNS>
set ip6-secondary <secondary_IPv6_DNS>
set source-ip <IP_address>
set interface-select-method {auto | sdwan | specify}
end
next
end

DNS domain list

You can configure up to eight domains in the DNS settings using the GUI or the CLI.
When a client requests a URL that does not include an FQDN, FortiOS resolves the URL by traversing through the DNS
domain list and performing a query for each domain until the first match is found.
By default, FortiGate uses FortiGuard's DNS servers:
l Primary: 208.91.112.53
l Secondary: 208.91.112.52
You can also customize the DNS timeout time and the number of retry attempts.

To configure a DNS domain list in the GUI:

1. Go to Network > DNS.


2. Set DNS Servers to Specify.
3. Configure the primary and secondary DNS servers as needed.
4. In the Local Domain Name field, enter the first domain (sample.com in this example).
5. Click the + to add more domains (example.com and domainname.com in this example). You can enter up to eight
domains.

6. Configure additional DNS settings as needed.


7. Click Apply.

To configure a DNS domain list in the CLI:

config system dns
set primary 172.16.200.1
set domain "sample.com" "example.com" "domainname.com"
end

Verify the DNS configuration

In the following example, the local DNS server has the entry for host1 mapped to the FQDN of host1.sample.com, and
the entry for host2 is mapped to the FQDN of host2.example.com.

To verify that the DNS domain list is configured:

1. Open Command Prompt.


2. Enter ping host1.
The system returns the following response:
PING host1.sample.com (1.1.1.1): 56 data bytes
As the request does not include an FQDN, FortiOS traverses the configured DNS domain list to find a match.
Because host1 is mapped to host1.sample.com, FortiOS resolves host1 using sample.com, the first entry in the
domain list.
3. Enter ping host2.
The system returns the following response:
PING host2.example.com (2.2.2.2): 56 data bytes
FortiOS traverses the domain list to find a match. It first queries sample.com, the first entry in the domain list, but
does not find a match. It then queries the second entry in the domain list, example.com. Because host2 is mapped
to the FQDN of host2.example.com, FortiOS resolves host2 to example.com.
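The traversal described in the two ping steps above, as an added model (not FortiOS code) of how an unqualified name is tried against each configured domain in order until the first answer. The records are constructed to match the page's example; the rule that a name already containing a dot is queried as-is, without traversing the list, is an assumption made here:

```python
from typing import Callable, Dict, List, Optional, Sequence, Tuple

MAX_DOMAINS = 8  # FortiOS accepts up to eight entries in the DNS domain list


def resolve_with_domain_list(name: str, domain_list: Sequence[str],
                             lookup: Callable[[str], Optional[str]]) -> Tuple[Optional[str], List[str]]:
    """Model of the domain-list traversal: a short (unqualified) name is
    queried as `name.<domain>` for each configured domain in order, and the
    first answer wins. Returns (resolved FQDN or None, list of names tried)."""
    if len(domain_list) > MAX_DOMAINS:
        raise ValueError("at most %d domains can be configured" % MAX_DOMAINS)
    name = name.rstrip(".")
    # Assumption: a name containing a dot is treated as already qualified and
    # queried as-is; the page only says that names without an FQDN traverse the list.
    candidates = [name] if "." in name else ["%s.%s" % (name, d) for d in domain_list]
    tried: List[str] = []
    for fqdn in candidates:
        tried.append(fqdn)
        if lookup(fqdn) is not None:
            return fqdn, tried
    return None, tried


# Constructed records matching the page's example: host1 lives in sample.com,
# host2 in example.com.
RECORDS: Dict[str, str] = {
    "host1.sample.com": "1.1.1.1",
    "host2.example.com": "2.2.2.2",
}

DOMAIN_LIST = ["sample.com", "example.com", "domainname.com"]


def demo(name: str) -> Tuple[Optional[str], List[str]]:
    return resolve_with_domain_list(name, DOMAIN_LIST, RECORDS.get)


if __name__ == "__main__":
    for short in ("host1", "host2", "host3", "host1.sample.com"):
        fqdn, tried = demo(short)
        print("%-18s -> %-20s (queried: %s)" % (short, fqdn, ", ".join(tried)))
```

Order matters: every earlier suffix is queried before a later one, so whatever answers first for host2.sample.com would win over the intended host2.example.com. Configuration that refers to hosts by FQDN sidesteps the traversal entirely.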

DNS timeout and retry settings

The DNS timeout and retry settings can be customized using the CLI.
config system dns
set timeout <integer>
set retry <integer>
end

Variable Description
timeout <integer> The DNS query timeout interval, in seconds (1 - 10, default = 5).
retry <integer> The number of times to retry the DNS query (0 - 5, default = 2).

FortiGate DNS server

You can create local DNS servers for your network. Depending on your requirements, you can either manually maintain
your entries (primary DNS server), or use it to refer to an outside source (secondary DNS server).
A local, primary DNS server requires that you manually add all URL and IP address combinations. Using a primary
DNS server for local services can minimize inbound and outbound traffic, and access time. Making it authoritative is not
recommended, because IP addresses can change, and maintaining the list can become labor intensive.
A secondary DNS server refers to an alternate source to obtain URL and IP address combinations. This is useful when
there is a primary DNS server where the entry list is maintained.
FortiGate as a DNS server also supports TLS connections to a DNS client. See DNS over TLS on page 469 for details.
By default, DNS server options are not available in the FortiGate GUI.

To enable DNS server options in the GUI:

1. Go to System > Feature Visibility.


2. Enable DNS Database in the Additional Features section.
3. Click Apply.

Example configuration

This section describes how to create an unauthoritative primary DNS server. The interface mode is recursive so that, if
the request cannot be fulfilled, the external DNS servers will be queried.

To configure FortiGate as a primary DNS server in the GUI:

1. Go to Network > DNS Servers.


2. In the DNS Database table, click Create New.
3. Set Type to Primary.
4. Set View to Shadow.
The View setting controls the accessibility of the DNS server. If you select Public, external users can access or use
the DNS server. If you select Shadow, only internal users can use it.
5. Enter a DNS Zone, for example, WebServer.
6. Enter the Domain Name of the zone, for example, fortinet.com.
7. Enter the Hostname of the DNS server, for example, Corporate.
8. Enter the Contact Email Address for the administrator, for example, [email protected].
9. Disable Authoritative.

10. Add DNS entries:


a. In the DNS Entries table, click Create New.
b. Select a Type, for example Address (A).

c. Set the Hostname, for example web.example.com.

d. Configure the remaining settings as needed. The options vary depending on the selected Type.
e. Click OK.
11. Add more DNS entries as needed.
12. Click OK.
13. Enable DNS services on an interface:
a. Go to Network > DNS Servers.
b. In the DNS Service on Interface table, click Create New.
c. Select the Interface for the DNS server, such as wan2.
d. Set the Mode to Recursive.

e. Click OK.

To configure FortiGate as a primary DNS server in the CLI:

config system dns-database
edit WebServer
set domain example.com
set type master
set view shadow
set ttl 86400
set primary-name corporate
set contact [email protected]
set authoritative disable
config dns-entry
edit 1
set hostname web.example.com
set type A
set ip 192.168.21.12
set status enable
next
end
next
end
config system dns-server
edit wan1
set mode recursive
next
end

DDNS

If your external IP address changes regularly and you want a static domain name, you can configure the external
interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to
your company firewall. You can configure FortiGuard as the DDNS server using the GUI or CLI.
A license or subscription is not required to use the DDNS service, but configuring DDNS in the GUI is not supported if:
l The FortiGate model is a 1000-series or higher.
l The FortiGate is a VM.
l The DNS server is not using FortiGuard as the DNS.

FortiGate does not support DDNS when in transparent mode.

Sample topology

In this example, FortiGuard DDNS is enabled and the DDNS server is set to float-zone.com. Other DDNS server options
include fortiddns.com and fortidyndns.com.

To configure FortiGuard as the DDNS server in the GUI:

1. Go to Network > DNS


2. Enable FortiGuard DDNS.
3. Select the Interface with the dynamic connection.
4. Select the Server that you have an account with.

5. Enter your Unique Location.

6. Click Apply.

To configure FortiGuard as the DDNS server in the CLI:

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "branch.float-zone.com"
set monitor-interface "wan1"
next
end

DDNS servers other than FortiGuard

If you do not have a FortiGuard subscription, or want to use a different DDNS server, you can configure a DDNS server
for each interface. Only the first configured port appears in the GUI. The available commands vary depending on the
selected DDNS server.

To configure DDNS servers other than FortiGuard in the CLI:

config system ddns
edit <DDNS_ID>
set monitor-interface <external_interface>
set ddns-server <ddns_server_selection>
...
next
end

Refresh DDNS IP addresses

You can configure FortiGate to refresh DDNS IP addresses. FortiGate periodically checks the DDNS server that is
configured.

To configure FortiGate to refresh DDNS IP addresses using the CLI:

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set use-public-ip enable
set update-interval <seconds>
next
end

Disable cleartext

When clear-text is disabled, the FortiGate uses an SSL connection to send and receive DDNS updates.

To disable cleartext and set the SSL certificate using the CLI:

config system ddns
edit 1
set clear-text disable
set ssl-certificate <cert_name>
next
end

DDNS update override

A DHCP server has an override option that allows the DHCP server to perform DDNS updates on behalf of the DHCP
client. This forces a DDNS update of the A record every time, even if the DHCP client does not request it, and supports
the allow, ignore, and deny client-updates options.

To enable DDNS update override using the CLI:

config system dhcp server
edit 1
set ddns-update enable
set ddns-update-override enable
set ddns-server-ip <ddns_server_ip>
set ddns-zone <ddns_zone>
next
end

Troubleshooting

To debug DDNS:

# diagnose debug application ddnscd -1
# diagnose debug enable

To check if a DDNS server is available:

# diagnose test application ddnscd 3

Not available:
FortiDDNS status:
ddns_ip=0.0.0.0 ddns_port=443 svr_num=0 domain_num=0

Available:
FortiDDNS status:
ddns_ip=208.91.113.230 ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com

DNS latency information

High latency in DNS traffic can result in an overall sluggish experience for end-users. In the DNS Settings pane, you can
quickly identify DNS latency issues in your configuration.
Go to Network > DNS to view DNS latency information in the right side bar. If you use FortiGuard DNS, latency
information for DNS, DNS filter, web filter, and outbreak prevention servers is also visible. Hover your pointer over a
latency value to see when it was last updated.

To view DNS latency information using the CLI:

# diagnose test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=2001::1 latency=1494 updated=73311
vfid=0 server=208.91.112.52 latency=1405 updated=2547
vfid=0 server=208.91.112.53 latency=19 updated=91
SDNS latency info:
vfid=0 server=173.243.138.221 latency=1 updated=707681
DNS_CACHE: alloc=35, hit=26
RATING_CACHE: alloc=1, hit=49
DNS UDP: req=66769 res=63438 fwd=83526 alloc=0 cmp=0 retrans=16855 to=3233
cur=111 switched=8823467 num_switched=294 v6_cur=80 v6_switched=7689041 num_v6_switched=6
ftg_res=8 ftg_fwd=8 ftg_retrans=0
DNS TCP: req=0, res=0, fwd=0, retrans=0 alloc=0, to=0
FQDN: alloc=45 nl_write_cnt=9498 nl_send_cnt=21606 nl_cur_cnt=0
Botnet: searched=57 hit=0 filtered=57 false_positive=0
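The latency lines in that output are the ones worth watching: in the sample, two of the three DNS servers report a latency close to query_timeout, which is exactly the condition that drives the retrans= and to= counters up. The following added parser (not FortiOS code; the sample text is constructed from the values on this page, and the 80% threshold is an assumption chosen here) pulls those lines out and flags servers near the timeout, which is the kind of check a monitoring script would run against the command output:

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of `diagnose test application dnsproxy 2`,
# using the values shown on this page.
SAMPLE_OUTPUT = """\
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=2001::1 latency=1494 updated=73311
vfid=0 server=208.91.112.52 latency=1405 updated=2547
vfid=0 server=208.91.112.53 latency=19 updated=91
SDNS latency info:
vfid=0 server=173.243.138.221 latency=1 updated=707681
DNS_CACHE: alloc=35, hit=26
"""

TIMEOUT_RE = re.compile(r"query_timeout=(\d+)")
SECTION_RE = re.compile(r"^(DNS|SDNS) latency info:$")
ENTRY_RE = re.compile(r"^vfid=(\d+)\s+server=(\S+)\s+latency=(\d+)\s+updated=(\d+)$")


def parse_latency(output: str) -> Tuple[Optional[int], List[Dict]]:
    """Extract query_timeout and one record per server from the latency sections."""
    timeout: Optional[int] = None
    section: Optional[str] = None
    entries: List[Dict] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = TIMEOUT_RE.search(line)
        if m:
            timeout = int(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)       # "DNS" (system DNS) or "SDNS" (FortiGuard secure DNS)
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            entries.append({
                "section": section,
                "vfid": int(m.group(1)),
                "server": m.group(2),
                "latency": int(m.group(3)),
                "updated": int(m.group(4)),
            })
        elif section is not None and line and not line.startswith("vfid="):
            section = None             # left the latency block (e.g. the DNS_CACHE line)
    return timeout, entries


def servers_near_timeout(entries: List[Dict], timeout: int, ratio: float = 0.8) -> List[str]:
    """System DNS servers whose latency is at or above `ratio` of query_timeout;
    these are the ones likely to produce the retries and timeouts counted in
    the DNS UDP line (retrans= and to=)."""
    return [e["server"] for e in entries
            if e["section"] == "DNS" and e["latency"] >= ratio * timeout]


if __name__ == "__main__":
    t, found = parse_latency(SAMPLE_OUTPUT)
    print("query_timeout:", t)
    for e in found:
        print("%-4s %-18s latency=%d" % (e["section"], e["server"], e["latency"]))
    print("near timeout:", servers_near_timeout(found, t))
```

Latency and query_timeout are compared in the same unit the command prints, so the check does not depend on what that unit is.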

To view the latency from web filter and outbreak protection servers using the CLI:

# diagnose debug rating
Locale : english

Service : Web-filter
Status : Enable
License : Contract

Service : Antispam
Status : Disable

Service : Virus Outbreak Prevention
Status : Disable

-=- Server List (Tue Jan 22 08:03:14 2019) -=-

IP Weight RTT Flags TZ Packets Curr Lost Total Lost Updated Time
173.243.138.194 10 0 DI -8 700 0 2 Tue Jan 22 08:02:44 2019
173.243.138.195 10 0 -8 698 0 4 Tue Jan 22 08:02:44 2019
173.243.138.198 10 0 -8 698 0 4 Tue Jan 22 08:02:44 2019
173.243.138.196 10 0 -8 697 0 3 Tue Jan 22 08:02:44 2019
173.243.138.197 10 1 -8 694 0 0 Tue Jan 22 08:02:44 2019
96.45.33.64 10 22 D -8 701 0 6 Tue Jan 22 08:02:44 2019
64.26.151.36 40 62 -5 704 0 10 Tue Jan 22 08:02:44 2019
64.26.151.35 40 62 -5 703 0 9 Tue Jan 22 08:02:44 2019
209.222.147.43 40 70 D -5 696 0 1 Tue Jan 22 08:02:44 2019
66.117.56.42 40 70 -5 697 0 3 Tue Jan 22 08:02:44 2019
66.117.56.37 40 71 -5 702 0 9 Tue Jan 22 08:02:44 2019
65.210.95.239 40 74 -5 695 0 1 Tue Jan 22 08:02:44 2019
65.210.95.240 40 74 -5 695 0 1 Tue Jan 22 08:02:44 2019
45.75.200.88 90 142 0 706 0 12 Tue Jan 22 08:02:44 2019
45.75.200.87 90 155 0 714 0 20 Tue Jan 22 08:02:44 2019
45.75.200.85 90 156 0 711 0 17 Tue Jan 22 08:02:44 2019
45.75.200.86 90 159 0 704 0 10 Tue Jan 22 08:02:44 2019
62.209.40.72 100 157 1 701 0 7 Tue Jan 22 08:02:44 2019
62.209.40.74 100 173 1 705 0 11 Tue Jan 22 08:02:44 2019
62.209.40.73 100 173 1 699 0 5 Tue Jan 22 08:02:44 2019
121.111.236.179 180 138 9 706 0 12 Tue Jan 22 08:02:44 2019
121.111.236.180 180 138 9 704 0 10 Tue Jan 22 08:02:44 2019

DNS over TLS

DNS over TLS (DoT) is a security protocol for encrypting and wrapping DNS queries and answers via the TLS protocol.
The goal of DNS over TLS is to increase user privacy and security by preventing eavesdropping and manipulation of
DNS data via man-in-the-middle attacks. There is an option in the FortiOS DNS profile settings to enforce DoT for this
added security.
Before enabling DoT, ensure that it is supported by the DNS servers. The default FortiGuard DNS servers do not
support DoT queries, and will drop these packets. At times, the latency status of the DNS servers might also appear high
or unreachable.
Disabling DoT is recommended when it is not supported by the DNS servers.

To configure DoT in the GUI:

1. Go to Network > DNS. The DNS Settings pane opens.


2. For DNS over TLS, click Enforce.

3. Click Apply.

To configure DoT in the CLI:

config system dns
set primary 8.8.8.8
set dns-over-tls enforce
set ssl-certificate "Fortinet_Factory"
end
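Two things about DoT are easy to get wrong operationally: enforce means a resolver without TLS support makes the query fail outright rather than fall back (which is why the page recommends checking server support first), and the DNS message inside the TLS session is framed exactly as DNS over TCP is, with a two-byte length prefix per message (RFC 7858 builds on RFC 1035's TCP framing). The following added example (not FortiOS code) models the three dns-over-tls modes, builds a real query, frames and unframes it for the TLS stream, and parses a response that it constructs itself, so it runs with no network; port 853 and the fallback semantics are as the page and the RFC state, the response bytes are constructed here:

```python
import random
import struct
from typing import List, Optional, Tuple

DOT_PORT = 853  # TCP port for DNS over TLS (RFC 7858)


def choose_transport(mode: str, tls_available: bool) -> Optional[str]:
    """The dns-over-tls setting: disable -> plain DNS; enable -> TLS when the
    server offers it, else plain; enforce -> TLS only, no fallback (None = query fails)."""
    if mode == "disable":
        return "udp"
    if mode == "enable":
        return "tls" if tls_available else "udp"
    if mode == "enforce":
        return "tls" if tls_available else None
    raise ValueError("unknown dns-over-tls mode: %s" % mode)


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question (qtype 1 = A)."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_dot(msg: bytes) -> bytes:
    """Over TLS (as over TCP) every DNS message is prefixed with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def unframe(stream: bytes) -> List[bytes]:
    """Split received TLS application data back into whole DNS messages."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break                      # partial message: wait for more bytes
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after the field)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:         # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                       # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def constructed_response(query: bytes, ip: str) -> bytes:
    """The reply a resolver would send to `query` (constructed here, no network used)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + answer
```

In a live exchange the framed bytes would be written to an `ssl`-wrapped socket on port 853 and the read side would feed the TLS application data to `unframe`; the parser deliberately handles the 0xC00C compression pointer because real answers use it for the name in the answer section.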

FortiGuard DNS rating service

DNS over TLS connections to the FortiGuard secure DNS server are supported. The CLI options are only available when
fortiguard-anycast is enabled. DNS filtering connects to the FortiGuard secure DNS server over anycast by
default.

To configure DoT to the secure DNS server in the CLI:

config system fortiguard
set fortiguard-anycast enable
set fortiguard-anycast-source fortinet
set anycast-sdns-server-ip 0.0.0.0
set anycast-sdns-server-port 853
end

DNS troubleshooting

The following diagnose command can be used to collect DNS debug information. If you do not specify a worker ID, the
default worker ID is 0.
# diagnose test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
99. Restart dnsproxy worker

To view useful information about the ongoing DNS connection:

# diagnose test application dnsproxy 3

Important fields include:

tls 1 if the connection is TLS, 0 if the connection is not TLS.
rt The round trip time of the DNS latency.
probe The number of probes sent.

To dump the second DNS worker's cache:

diagnose test application dnsproxy 7 1

To enable debug on the second worker:

diagnose debug application dnsproxy -1 1

To enable debug on all workers by specifying -1 as worker ID:

diagnose debug application dnsproxy -1 -1

Explicit and transparent proxies

This section contains instructions for configuring explicit and transparent proxies.
l Explicit web proxy on page 471
l Transparent proxy on page 476
l FTP proxy on page 475
l Proxy policy addresses on page 479
l Proxy policy security profiles on page 487
l Explicit proxy authentication on page 493
l Transparent web proxy forwarding on page 499
l Upstream proxy authentication in transparent proxy mode on page 500
l Multiple dynamic header count on page 502
l Restricted SaaS access on page 504
l Explicit proxy and FortiSandbox Cloud on page 513
l Proxy chaining (web proxy forwarding servers) on page 515
l Agentless NTLM authentication for web proxy on page 520
l Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers on page 523
l Learn client IP addresses on page 524

Explicit web proxy

Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.
To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or
they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.
When explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward
requests directly to the FortiGate. FortiGate also supports PAC file configuration.

For FortiOS 6.4.9 and above, SSL VPN web mode and explicit web proxy features will not
work with the following configuration:
1. An IP pool with ARP reply enabled is configured.
2. This IP pool is configured as the source IP address in either a firewall policy for SSL VPN
web mode or in a proxy policy for explicit web proxy.
3. A matching blackhole route is configured for IP pool reply traffic.
Configuring an IP pool as the source NAT IP address in a regular firewall policy works as
before.
See IP pools and blackhole route configuration on page 1131 for details.

To configure explicit web proxy in the GUI:

1. Enable and configure explicit web proxy:


a. Go to Network > Explicit Proxy.
b. Enable Explicit Web Proxy.
c. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.

d. Configure the remaining settings as needed.

e. Click Apply.
2. Create an explicit web proxy policy:
a. Go to Policy & Objects > Proxy Policy.
b. Click Create New.
c. Set Proxy Type to Explicit Web and Outgoing Interface to port1.

d. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.

e. Click OK to create the policy.

This example creates a basic policy. If required, security profiles can be enabled, and deep
SSL inspection can be selected to inspect HTTPS traffic.

3. Configure a client to use the FortiGate explicit proxy:


Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the
PAC file.

To configure explicit web proxy in the CLI:

1. Enable and configure explicit web proxy:


config web-proxy explicit
set status enable
set ftp-over-http enable
set socks enable
set http-incoming-port 8080
set ipv6-status enable
set unknown-http-version best-effort
end
config system interface
edit "port2"
set vdom "vdom1"
set ip 10.1.100.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set explicit-web-proxy enable
set snmp-index 12
next
end

2. Create an explicit web proxy policy:


config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
next
end

This example creates a basic policy. If required, security profiles can be enabled, and deep
SSL inspection can be selected to inspect HTTPS traffic.

3. Configure a client to use the FortiGate explicit web proxy:


Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the
PAC file.

FTP proxy

FTP proxies can be configured on the FortiGate so that FTP traffic can be proxied. When the FortiGate is configured as
an FTP proxy, FTP client applications should be configured to send FTP requests to the FortiGate.

To configure explicit FTP proxy in the GUI:

1. Enable and configure explicit FTP proxy:


a. Go to Network > Explicit Proxy.
b. Enable Explicit FTP Proxy.
c. Select port2 as the Listen on Interfaces and set the HTTP Port to 21.
d. Configure the Default Firewall Policy Action as needed.

e. Click Apply.
2. Create an explicit FTP proxy policy:
a. Go to Policy & Objects > Proxy Policy.
b. Click Create New.
c. Set Proxy Type to FTP and Outgoing Interface to port1.
d. Also set Source and Destination to all, Schedule to always, and Action to ACCEPT.

e. Click OK to create the policy.

This example creates a basic policy. If required, security profiles can be enabled.

3. Configure the FTP client application to use the FortiGate IP address.

To configure explicit FTP proxy in the CLI:

1. Enable and configure explicit FTP proxy:


config ftp-proxy explicit
set status enable
set incoming-port 21
end
config system interface
edit "port2"
set vdom "vdom1"
set ip 10.1.100.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set explicit-ftp-proxy enable
set snmp-index 12
next
end

2. Create an explicit FTP proxy policy:


config firewall proxy-policy
edit 4
set proxy ftp
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
next
end

This example creates a basic policy. If required, security profiles can be enabled.

3. Configure the FTP client application to use the FortiGate IP address.

Transparent proxy

In a transparent proxy deployment, the user's client software, such as a browser, is unaware that it is communicating
with a proxy.
Users request Internet content as usual, without any special client configuration, and the proxy serves their requests.
The FortiGate can also be configured to operate in transparent proxy mode.

To configure transparent proxy in the GUI:

1. Configure a regular firewall policy with HTTP redirect:


a. Go to Policy & Objects > Firewall Policy.
b. Click Create New.
c. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
d. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.
e. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.

f. Configure the remaining settings as needed.


g. Click OK.

By default, HTTP redirect can only be enabled in the CLI. Enable Policy Advanced
Options in Feature Visibility to configure it in the GUI. See Feature visibility on page
1065 for more information.
To redirect HTTPS traffic, SSL inspection is required.

2. Configure a transparent proxy policy:


a. Go to Policy & Objects > Proxy Policy.
b. Click Create New.
c. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to
port1.

d. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.

e. Configure the remaining settings as needed.


f. Click OK to create the policy.

This example creates a basic policy. If required, security profiles can be enabled, and deep
SSL inspection can be selected to inspect HTTPS traffic.

3. No special configuration is required on the client to use the FortiGate transparent proxy. As the client uses the
FortiGate as its default gateway, requests first hit the regular firewall policy, and are then redirected to the
transparent proxy policy.

To configure transparent proxy in the CLI:

1. Configure a regular firewall policy with HTTP redirect:


config firewall policy
edit 1
set name "1"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set inspection-mode proxy
set http-policy-redirect enable
set fsso disable
set ssl-ssh-profile "deep-inspection"
set nat enable
next
end

2. Configure a transparent proxy policy:


config firewall proxy-policy
edit 5
set proxy transparent-web
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
next
end

This example creates a basic policy. If required, security profiles can be enabled, and deep
SSL inspection can be selected to inspect HTTPS traffic.

3. No special configuration is required on the client to use the FortiGate transparent proxy. As the client uses the
FortiGate as its default gateway, requests first hit the regular firewall policy, and are then redirected to the
transparent proxy policy.

Proxy policy addresses

Proxy addresses are designed to be used only by proxy policies. The following address types are available:
l Host regex match on page 480
l URL pattern on page 480
l URL category on page 481
l HTTP method on page 482
l HTTP header on page 483
l User agent on page 484
l Advanced (source) on page 485
l Advanced (destination) on page 486

Fast policy match

The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate
devices.
When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different
proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at
a time from the beginning of the policy list.
Fast policy matching is enabled by default, and can be configured with the following CLI command:
config web-proxy global
set fast-policy-match {enable | disable}
end

Host regex match

In this address type, a user can create a hostname as a regular expression. Once created, the hostname address can be
selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the
regular expression.
This example creates a host regex match address with the pattern qa.[a-z]*.com.

To create a host regex match address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Set the following:
l Category to Proxy Address,
l Name to Host Regex,
l Type to Host Regex Match, and
l Host Regex Pattern to qa.[a-z]*.com.

4. Click OK.

To create a host regex match address in the CLI:

config firewall proxy-address


edit "Host Regex"
set type host-regex
set host-regex "qa.[a-z]*.com"
next
end

URL pattern

In this address type, a user can create a URL path as a regular expression. Once created, the path address can be
selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the
regular expression.
This example creates a URL pattern address with the pattern /filetypes/.

To create a URL pattern address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Set the following:
l Category to Proxy Address,

l Name to URL Regex,

l Type to URL Pattern,

l Host to all, and

l URL Path Regex to /filetypes/.

4. Click OK.

To create a URL pattern address in the CLI:

config firewall proxy-address


edit "URL Regex"
set type url
set host "all"
set path "/filetypes/"
next
end

URL category

In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can be
selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the URL
category.
The example creates a URL category address for URLs in the Education category. For more information about
categories, see https://fortiguard.com/webfilter/categories.
For information about creating and using custom local and remote categories, see Web rating override on page 1504
and Threat feeds on page 371.

To create a URL category address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.

3. Set the following:


l Category to Proxy Address,

l Name to url-category,

l Type to URL Category,

l Host to all, and

l URL Category to Education.

4. Click OK.

To create a URL category address in the CLI:

config firewall proxy-address


edit "url-category"
set type category
set host "all"
set category 30
next
end

To see a list of all the categories and their numbers, when editing the address, enter set category ?.

HTTP method

In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method
options are supported, including: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, and TRACE. Once
created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block
requests that match the selected HTTP method.
The example creates an HTTP method address that uses the GET method.

To create an HTTP method address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Set the following:
l Category to Proxy Address,

l Name to method_get,

l Type to HTTP Method,

l Host to all, and


l Request Method to GET.

4. Click OK.

To create an HTTP method address in the CLI:

config firewall proxy-address


edit "method_get"
set type method
set host "all"
set method get
next
end

HTTP header

In this address type, a user can create an HTTP header match as a regular expression. Once created, the header address
can be selected as a source of a proxy policy. This means that a policy will only allow or block requests where the named
HTTP header's value matches the regular expression.
This example creates an HTTP header address for the header Header_Test with the pattern Q[A-B].

To create an HTTP header address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Set the following:
l Category to Proxy Address,

l Name to HTTP-header,

l Type to HTTP Header,

l Host to all,

l Header Name to Header_Test, and

l Header Regex to Q[A-B].

4. Click OK.

To create an HTTP header address in the CLI:

config firewall proxy-address


edit "HTTP-header"
set type header
set host "all"
set header-name "Header_Test"
set header "Q[A-B]"
next
end

User agent

In this address type, a user can create an address based on the names of the browsers that are used as user agents.
Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can
be selected as a source of a proxy policy. This means that a policy will only allow or block requests from the specified
user agent.
This example creates a user agent address for Google Chrome.

To create a user agent address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Set the following:
l Category to Proxy Address,

l Name to UA-Chrome,

l Type to User Agent,

l Host to all, and

l User Agent to Google Chrome.

4. Click OK.

To create a user agent address in the CLI:

config firewall proxy-address


edit "UA-Chrome"
set type ua
set host "all"
set ua chrome
next
end

Advanced (source)

In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent,
and HTTP header. Once created, the address can be selected as a source of a proxy policy. This means that a policy will
only allow or block requests that match the selected address.
This example creates an address that uses the get method, a user agent for Google Chrome, and an HTTP header with
the pattern Q[A-B].

To create an advanced (source) address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Set the following:
l Category to Proxy Address,

l Name to advanced_src,

l Type to Advanced (Source),

l Host to all,

l Request Method to GET,

l User Agent to Google Chrome, and

l HTTP header to Header_Test : Q[A-B].

4. Click OK.

To create an advanced (source) address in the CLI:

config firewall proxy-address


edit "advanced_src"
set type src-advanced
set host "all"
set method get
set ua chrome
config header-group
edit 1
set header-name "Header_Test"
set header "Q[A-B]"
next
end
next
end

Advanced (destination)

In this address type, a user can create an address based on URL pattern and URL category parameters. Once created,
the address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests
that match the selected address.
This example creates an address that matches the URL pattern /about on sites in the Education category. For more
information about categories, see https://fortiguard.com/webfilter/categories.

To create an advanced (destination) address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Set the following:
l Category to Proxy Address,

l Name to Advanced-dst,

l Type to Advanced (Destination),


l Host to all,
l URL Path Regex to /about, and
l URL Category to Education.

4. Click OK.

To create an advanced (destination) address in the CLI:

config firewall proxy-address


edit "Advanced-dst"
set type dst-advanced
set host "ubc"
set path "/about"
set category 30
next
end
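As an added example that is not part of this guide or of FortiOS, the following Python models how the proxy address types above are evaluated against an HTTP request, so the objects configured in this section (Host Regex, URL Regex, url-category, method_get, HTTP-header, UA-Chrome, advanced_src, Advanced-dst) can be exercised offline. The FortiGuard ratings, the hosts behind the "ubc" address object, and the use of an unanchored regex search are assumptions made for the model.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for objects the FortiGate resolves elsewhere: FortiGuard
# category ratings (30 = Education on this page) and the named firewall address
# "ubc" that the Advanced-dst example uses as its host.
FAKE_RATINGS: Dict[str, int] = {"www.ubc.example": 30, "news.example.com": 20}
HOST_OBJECTS: Dict[str, Optional[Set[str]]] = {"all": None, "ubc": {"www.ubc.example"}}

# The guide places these types on the source side of a proxy policy ...
SOURCE_TYPES = {"method", "header", "ua", "src-advanced"}
# ... and these on the destination side.
DEST_TYPES = {"host-regex", "url", "category", "dst-advanced"}


@dataclass
class Request:
    host: str
    path: str
    method: str
    ua: str                                   # simplified UA family, e.g. "chrome"
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class ProxyAddress:
    """One 'config firewall proxy-address' entry, fields named as in the CLI."""
    name: str
    type: str
    host: str = "all"
    host_regex: str = ""
    path: str = ""
    category: int = 0
    method: str = ""
    header_name: str = ""
    header: str = ""
    ua: str = ""
    header_group: List[Tuple[str, str]] = field(default_factory=list)


def _host_ok(addr: ProxyAddress, req: Request) -> bool:
    allowed = HOST_OBJECTS.get(addr.host)
    return allowed is None or req.host in allowed   # "all" matches any host


def _header_ok(name: str, regex: str, req: Request) -> bool:
    # Assumption: the header regex is applied as an unanchored search.
    value = req.headers.get(name)
    return value is not None and re.search(regex, value) is not None


def _rated(req: Request, category: int) -> bool:
    return FAKE_RATINGS.get(req.host) == category


def matches(addr: ProxyAddress, req: Request) -> bool:
    t = addr.type
    if t == "host-regex":
        return re.search(addr.host_regex, req.host) is not None
    if t == "url":
        return _host_ok(addr, req) and re.search(addr.path, req.path) is not None
    if t == "category":
        return _host_ok(addr, req) and _rated(req, addr.category)
    if t == "method":
        return _host_ok(addr, req) and req.method.lower() == addr.method
    if t == "header":
        return _host_ok(addr, req) and _header_ok(addr.header_name, addr.header, req)
    if t == "ua":
        return _host_ok(addr, req) and req.ua == addr.ua
    if t == "src-advanced":   # every configured criterion must hold at once
        return (_host_ok(addr, req)
                and (not addr.method or req.method.lower() == addr.method)
                and (not addr.ua or req.ua == addr.ua)
                and all(_header_ok(n, r, req) for n, r in addr.header_group))
    if t == "dst-advanced":
        return (_host_ok(addr, req)
                and (not addr.path or re.search(addr.path, req.path) is not None)
                and (not addr.category or _rated(req, addr.category)))
    raise ValueError(f"unknown proxy-address type {t!r}")


def policy_matches(srcaddr: List[ProxyAddress], dstaddr: List[ProxyAddress],
                   req: Request) -> bool:
    """A proxy policy matches when one srcaddr and one dstaddr entry both match."""
    for a in srcaddr:
        if a.type not in SOURCE_TYPES:
            raise ValueError(f"{a.name}: {a.type} cannot be used as srcaddr")
    for a in dstaddr:
        if a.type not in DEST_TYPES:
            raise ValueError(f"{a.name}: {a.type} cannot be used as dstaddr")
    return any(matches(a, req) for a in srcaddr) and any(matches(a, req) for a in dstaddr)


# The address objects configured in this section, with the same patterns.
HOST_REGEX = ProxyAddress("Host Regex", "host-regex", host_regex="qa.[a-z]*.com")
URL_REGEX = ProxyAddress("URL Regex", "url", path="/filetypes/")
URL_CATEGORY = ProxyAddress("url-category", "category", category=30)
METHOD_GET = ProxyAddress("method_get", "method", method="get")
HTTP_HEADER = ProxyAddress("HTTP-header", "header", header_name="Header_Test", header="Q[A-B]")
UA_CHROME = ProxyAddress("UA-Chrome", "ua", ua="chrome")
ADVANCED_SRC = ProxyAddress("advanced_src", "src-advanced", method="get", ua="chrome",
                            header_group=[("Header_Test", "Q[A-B]")])
ADVANCED_DST = ProxyAddress("Advanced-dst", "dst-advanced", host="ubc", path="/about", category=30)

if __name__ == "__main__":
    # Constructed request: a Chrome GET to a QA host carrying the test header.
    req = Request("qa.alpha.com", "/filetypes/report.pdf", "GET", "chrome", {"Header_Test": "QA"})
    print("advanced_src -> Host Regex:", policy_matches([ADVANCED_SRC], [HOST_REGEX], req))
```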

Proxy policy security profiles

Web proxy policies support most security profile types.

Security profiles must be created before they can be used in a policy, see Security Profiles on
page 1306 for information.

Explicit web proxy policy

The security profiles supported by explicit web proxy policies are:


l AntiVirus
l Web Filter
l Application Control
l IPS
l DLP Sensor
l ICAP
l Web Application Firewall
l SSL Inspection

To configure security profiles on an explicit web proxy policy in the GUI:

1. Go to Policy & Objects > Proxy Policy.


2. Click Create New.
3. Set the following:

Proxy Type Explicit Web

Outgoing Interface port1

Source all

Destination all

Schedule always

Service webproxy

Action ACCEPT

4. In the Firewall / Network Options section, set Protocol Options to default.


5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been
created):

AntiVirus av

Web Filter urlfilter

Application Control app

IPS Sensor-1

DLP Sensor dlp

ICAP default

Web Application Firewall default

SSL Inspection deep-inspection

6. Click OK to create the policy.

To configure security profiles on an explicit web proxy policy in the CLI:

config firewall proxy-policy


edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set utm-status enable
set av-profile "av"
set webfilter-profile "urlfilter"
set dlp-sensor "dlp"
set ips-sensor "sensor-1"
set application-list "app"
set icap-profile "default"
set waf-profile "default"
set ssl-ssh-profile "deep-inspection"
next
end

Transparent proxy

The security profiles supported by transparent proxy policies are:


l AntiVirus
l Web Filter
l Application Control
l IPS
l DLP Sensor
l ICAP
l Web Application Firewall
l SSL Inspection

To configure security profiles on a transparent proxy policy in the GUI:

1. Go to Policy & Objects > Proxy Policy.


2. Click Create New.
3. Set the following:

Proxy Type Transparent Web

Incoming Interface port2

Outgoing Interface port1

Source all

Destination all

Schedule always

Service webproxy

Action ACCEPT

4. In the Firewall / Network Options section, set Protocol Options to default.


5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been
created):

AntiVirus av

Web Filter urlfilter

Application Control app

IPS Sensor-1

DLP Sensor dlp

ICAP default

Web Application Firewall default

SSL Inspection deep-inspection

6. Click OK to create the policy.

To configure security profiles on a transparent proxy policy in the CLI:

config firewall proxy-policy


edit 2
set proxy transparent-web
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set utm-status enable
set av-profile "av"
set webfilter-profile "urlfilter"
set dlp-sensor "dlp"
set ips-sensor "sensor-1"
set application-list "app"
set icap-profile "default"
set waf-profile "default"
set ssl-ssh-profile "certificate-inspection"
next
end

FTP proxy

The security profiles supported by FTP proxy policies are:


l AntiVirus
l Application Control
l IPS
l DLP Sensor

To configure security profiles on an FTP proxy policy in the GUI:

1. Go to Policy & Objects > Proxy Policy.


2. Click Create New.
3. Set the following:

Proxy Type FTP

Outgoing Interface port1

Source all

Destination all

Schedule always

Action ACCEPT

4. In the Firewall / Network Options section, set Protocol Options to default.


5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been
created):

AntiVirus av

Application Control app

IPS Sensor-1

DLP Sensor dlp

6. Click OK to create the policy.

To configure security profiles on an FTP proxy policy in the CLI:

config firewall proxy-policy


edit 3
set proxy ftp
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set utm-status enable
set av-profile "av"
set dlp-sensor "dlp"
set ips-sensor "sensor-1"
set application-list "app"
next
end

Explicit proxy authentication

FortiGate supports multiple authentication methods. This topic explains using an external authentication server with
Kerberos as the primary and NTLM as the fallback.

To configure Explicit Proxy with authentication:

1. Enable and configure the explicit proxy on page 494.


2. Configure the authentication server and create user groups on page 494.
3. Create an authentication scheme and rules on page 496.

4. Create an explicit proxy policy and assign a user group to the policy on page 497.
5. Verify the configuration on page 498.

Enable and configure the explicit proxy

To enable and configure explicit web proxy in the GUI:

1. Go to Network > Explicit Proxy.


2. Enable Explicit Web Proxy.
3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
4. Configure the remaining settings as needed.
5. Click Apply.

To enable and configure explicit web proxy in the CLI:

config web-proxy explicit
set status enable
set ftp-over-http enable
set socks enable
set http-incoming-port 8080
set ipv6-status enable
set unknown-http-version best-effort
end
config system interface
edit "port2"
set vdom "vdom1"
set ip 10.1.100.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set explicit-web-proxy enable
set snmp-index 12
next
end

Configure the authentication server and create user groups

Since we are using an external authentication server with Kerberos authentication as the primary and NTLM as the
fallback, Kerberos authentication is configured first and then FSSO NTLM authentication is configured.
For successful authorization, the FortiGate checks whether the user belongs to one of the groups permitted in the
security policy.

To configure an authentication server and create user groups in the GUI:

1. Configure Kerberos authentication:


a. Go to User & Authentication > LDAP Servers.
b. Click Create New.

c. Set the following:

Name ldap-kerberos

Server IP 172.18.62.220

Server Port 389

Common Name Identifier cn

Distinguished Name dc=fortinetqa,dc=local

d. Click OK
2. Define Kerberos as an authentication service. This option is only available in the CLI. For information on generating
a keytab, see Generating a keytab on a Windows server on page 498.
3. Configure FSSO NTLM authentication:
FSSO NTLM authentication is supported in a Windows AD network. FSSO can also provide NTLM authentication
service to the FortiGate unit. When a user makes a request that requires authentication, the FortiGate initiates
NTLM negotiation with the client browser, but does not process the NTLM packets itself. Instead, it forwards all the
NTLM packets to the FSSO service for processing.
a. Go to Security Fabric > External Connectors.
b. Click Create New and select Fortinet Single Sign-On Agent from the Endpoint/Identity category.
c. Set the Name to FSSO, Primary FSSO Agent to 172.16.200.220, and enter a password.
d. Click OK.
4. Create a user group for Kerberos authentication:
a. Go to User & Authentication > User Groups.
b. Click Create New.
c. Set the Name to Ldap-Group, and Type to Firewall.
d. In the Remote Groups table, click Add, and set the Remote Server to the previously created ldap-kerberos
server.
e. Click OK.
5. Create a user group for NTLM authentication:
a. Go to User & Authentication > User Groups.
b. Click Create New.
c. Set the Name to NTLM-FSSO-Group, Type to Fortinet Single Sign-On (FSSO), and add FORTINETQA/FSSO
as a member.
d. Click OK.

To configure an authentication server and create user groups in the CLI:

1. Configure Kerberos authentication:


config user ldap
edit "ldap-kerberos"
set server "172.18.62.220"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password *********
next
end

2. Define Kerberos as an authentication service:


config user krb-keytab
edit "http_service"
set pac-data disable
set principal "HTTP/[email protected]"
set ldap-server "ldap-kerberos"
set keytab
"BQIAAABFAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEAAE
ACKLCMonpitnVAAAARQACABBGT1JUSU5FVFFBLkxPQ0FMAARIVFRQABRGR1QuRk9SVElORVRRQS5MT0NBTAAAAAE
AAAAABAADAAiiwjKJ6YrZ1QAAAE0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkdULkZPUlRJTkVUUUEuTE9
DQUwAAAABAAAAAAQAFwAQUHo9uqR9cSkzyxdzKCEXdwAAAF0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkd
ULkZPUlRJTkVUUUEuTE9DQUwAAAABAAAAAAQAEgAgzee854Aq1HhQiKJZvV4tL2Poy7hMIARQpK8MCB//BIAAAAB
NAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEABEAEG49vHE
iiBghr63Z/lnwYrU="
next
end

For information on generating a keytab, see Generating a keytab on a Windows server on page 498.
3. Configure FSSO NTLM authentication:
config user fsso
edit "1"
set server "172.18.62.220"
set password *********
next
end

4. Create a user group for Kerberos authentication:


config user group
edit "Ldap-Group"
set member "ldap" "ldap-kerberos"
next
end

5. Create a user group for NTLM authentication:


config user group
edit "NTLM-FSSO-Group"
set group-type fsso-service
set member "FORTINETQA/FSSO"
next
end

Create an authentication scheme and rules

Explicit proxy authentication is managed by authentication schemes and rules. An authentication scheme must be
created first, and then the authentication rule.

To create an authentication scheme and rules in the GUI:

1. Create an authentication scheme:


a. Go to Policy & Objects > Authentication Rules.
b. Click Create New > Authentication Schemes.

c. Set the Name to Auth-scheme-Negotiate and select Negotiate as the Method.


d. Click OK.
2. Create an authentication rule:
a. Go to Policy & Objects > Authentication Rules.
b. Click Create New > Authentication Rules.
c. Set the Name to Auth-Rule, Source Address to all, and Protocol to HTTP.
d. Enable Authentication Scheme, and select the just created Auth-scheme-Negotiate scheme.
e. Click OK.

To create an authentication scheme and rules in the CLI:

1. Create an authentication scheme:


config authentication scheme
edit "Auth-scheme-Negotiate"
set method negotiate <<< Accepts both Kerberos and NTLM as fallback
next
end

2. Create an authentication rule:


config authentication rule
edit "Auth-Rule"
set status enable
set protocol http
set srcaddr "all"
set ip-based enable
set active-auth-method "Auth-scheme-Negotiate"
set comments "Testing"
next
end

Create an explicit proxy policy and assign a user group to the policy

To create an explicit proxy policy and assign a user group to it in the GUI:

1. Go to Policy & Objects > Proxy Policy.


2. Click Create New.
3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
4. Set Source to all, and the just created user groups NTLM-FSSO-Group and Ldap-Group.
5. Also set Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
6. Click OK.

To create an explicit proxy policy and assign a user group to it in the CLI:

config firewall proxy-policy


edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set logtraffic all
set groups "NTLM-FSSO-Group" "Ldap-Group"
set av-profile "av"
set ssl-ssh-profile "deep-custom"
next
end

Verify the configuration

Log in using a domain and system that would be authenticated using the Kerberos server, then enter the diagnose
wad user list CLI command to verify:
# diagnose wad user list
ID: 8, IP: 10.1.100.71, VDOM: vdom1
user name : [email protected]
duration : 389
auth_type : IP
auth_method : Negotiate
pol_id : 1
g_id : 1
user_based : 0
expire : no
LAN:
bytes_in=4862 bytes_out=11893
WAN:
bytes_in=7844 bytes_out=1023

Log in using a system that is not part of the domain. The NTLM fallback server should be used:
# diagnose wad user list
ID: 2, IP: 10.1.100.202, VDOM: vdom1
user name : TEST31@FORTINETQA
duration : 7
auth_type : IP
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : no
LAN:
bytes_in=6156 bytes_out=16149
WAN:
bytes_in=7618 bytes_out=1917

Generating a keytab on a Windows server

A keytab is used to allow services that are not running Windows to be configured with service instance accounts in the
Active Directory Domain Service (AD DS). This allows Kerberos clients to authenticate to the service through Windows
Key Distribution Centers (KDCs).
For an explanation of the process, see https://docs.microsoft.com/en-us/windows-server/administration/windows-
commands/ktpass.

To generate a keytab on a Windows server:

1. On the server, create a user for the FortiGate:


l The service name is the FQDN for the explicit proxy interface, such as the hostname in the client browser proxy
configuration. In this example, the service name is FGT.
l The account only requires domain users membership.
l The password must be very strong.
l The password is set to never expire.
2. Add the FortiGate FQDN in to the Windows DNS domain, as well as in-addr.arpa.
3. Generate the Kerberos keytab using the ktpass command on Windows servers and many domain workstations:
# ktpass -princ HTTP/<domain name of test fgt>@realm -mapuser <user> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

For example:
ktpass -princ HTTP/[email protected] -mapuser FGT -pass *********** -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

If the FortiGate is handling multiple keytabs in Kerberos authentication, use different passwords when generating each
keytab.

4. Encode the keytab to base64 in a text file:


l On Windows: certutil -encode fgt.keytab tmp.b64 && findstr /v /c:- tmp.b64 > fgt.txt
l On Linux: base64 fgt.keytab > fgt.txt
l On MacOS: base64 -i fgt.keytab -o fgt.txt
5. Use the code in fgt.txt as the keytab parameter when configuring the FortiGate.
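Before pasting the contents of fgt.txt into the keytab parameter, it is worth confirming that the file really carries the principal you configured with set principal and the encryption types you expect from -crypto all. The following Python, an added example that is not Fortinet or Microsoft code, builds a keytab in the MIT version 0x0502 file format, base64-encodes it exactly as step 4 does, and parses it back; the realm EXAMPLE.LOCAL, the host fgt.example.local and the key bytes are constructed for the example, not values from this guide.

```python
import base64
import struct
from typing import Dict, List, Tuple

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1          # the -ptype passed to ktpass in step 3


def _octets(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_octets(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[Tuple[str, str, int, int, bytes]]) -> bytes:
    """entries: (principal 'svc/host', realm, kvno, enctype number, key bytes)."""
    out = bytearray(KEYTAB_VERSION)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for comp in comps:
            body += _octets(comp.encode())
        # name type, timestamp (unused here), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)           # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[Dict]:
    """Return one dict per entry; the key bytes themselves are not exposed."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(data, pos)
            comps.append(comp.decode())
        name_type, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        key, pos = _read_octets(data, pos + 2)
        if end - pos >= 4:           # 32-bit kvno present; it overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key_len": len(key)})
    return entries


def encode_for_fortigate(keytab: bytes) -> str:
    """Single-line base64, which is what step 4 writes to fgt.txt."""
    return base64.b64encode(keytab).decode()


def keytab_has_principal(b64: str, principal: str) -> bool:
    """Check that the pasted text really carries the 'set principal' value."""
    return any(e["principal"] == principal
               for e in parse_keytab(base64.b64decode(b64)))


# Constructed sample: what 'ktpass -crypto all' might produce for a service
# account, with dummy key bytes (enctypes 23 = rc4-hmac, 17/18 = aes128/aes256).
SAMPLE_REALM = "EXAMPLE.LOCAL"
SAMPLE_PRINCIPAL = "HTTP/fgt.example.local"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, SAMPLE_REALM, 3, 23, bytes(range(16))),
    (SAMPLE_PRINCIPAL, SAMPLE_REALM, 3, 17, bytes(range(16, 32))),
    (SAMPLE_PRINCIPAL, SAMPLE_REALM, 3, 18, bytes(range(32))),
])
SAMPLE_B64 = encode_for_fortigate(SAMPLE_KEYTAB)
```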

Transparent web proxy forwarding

In FortiOS, there is an option to enable proxy forwarding for transparent web proxy policies and regular firewall policies
for HTTP and HTTPS.
In previous versions of FortiOS, you could forward proxy traffic to another proxy server (proxy chaining) with explicit
proxy. Now, you can forward web traffic to the upstream proxy without having to reconfigure your browsers or publish a
proxy auto-reconfiguration (PAC) file.
Once configured, the FortiGate forwards traffic generated by a client to the upstream proxy. The upstream proxy then
forwards it to the server.

To enable proxy forwarding using the CLI:

1. Configure the web proxy forwarding server:


config web-proxy forward-server
edit "PC_03"
set ip 172.16.200.46
set healthcheck enable
set monitor "http://www.google.ca"
next
end

2. Append the web proxy forwarding server to a firewall policy:


config firewall policy
edit 1
set name "LAN to WAN"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set webproxy-forward-server "PC_03"
set fsso disable
set av-profile "av"
set ssl-ssh-profile "deep-custom"
set nat enable
next
end

Upstream proxy authentication in transparent proxy mode

A downstream proxy FortiGate that needs to be authenticated by the upstream web proxy can use the basic
authentication method to send its username and password, in the base64 format, to the upstream web proxy for
authentication. If the authentication succeeds, web traffic that is forwarded from the downstream proxy FortiGate to the
upstream proxy can be accepted and forwarded to its destinations.
In this example, a school has a FortiGate acting as a downstream proxy that is configured with firewall policies for each
user group (students and staff). In each policy, a forwarding server is configured to forward the web traffic to the
upstream web proxy.
The username and password that the upstream web proxy uses to authenticate the downstream proxy are configured on
the forwarding server, and are sent to the upstream web proxy with the forwarded HTTP requests.

Upstream web proxy Username Password
student.proxy.local:8080 students ABC123
staff.proxy.local:8081 staff 123456

On the downstream FortiGate, configure forwarding servers with the usernames and passwords for authentication on
the upstream web proxy, then apply those servers to firewall policies for transparent proxy. For explicit web proxy, the
forwarding servers can be applied to proxy policies.
When the transparent proxy is configured, clients can access websites without configuring a web proxy in their browser.
The downstream proxy sends the username and password to the upstream proxy with forwarded HTTP requests to be
authenticated.

To configure the forwarding server on the downstream FortiGate:

config web-proxy forward-server


edit "Student_Upstream_WebProxy"
set addr-type fqdn
set fqdn "student.proxy.local"
set port 8080
set username "student"
set password ABC123
next
edit "Staff_Upstream_WebProxy"
set addr-type fqdn
set fqdn "staff.proxy.local"
set port 8081
set username "staff"
set password 123456
next
end

To configure firewall policies for transparent proxy:

config firewall policy


edit 1
set srcintf "Vlan_Student"
set dstintf "port9"
set srcaddr "Student_Subnet"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
set webproxy-forward-server "Student_Upstream_WebProxy"
set nat enable
next
edit 2
set srcintf "Vlan_Staff"
set dstintf "port9"
set srcaddr "Staff_Subnet"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
set webproxy-forward-server "Staff_Upstream_WebProxy"
set nat enable
next
end

Multiple dynamic header count

Multiple dynamic headers are supported for web proxy profiles, as well as Base64 encoding and the append/new
options.
Administrators only have to select the dynamic header in the profile. The FortiGate will automatically display the
corresponding static value. For example, if the administrator selects the $client-ip header, the FortiGate will display
the actual client IP address.
The supported headers are:

$client-ip Client IP address
$user Authentication user name
$domain User domain name
$local_grp Firewall group name
$remote_grp Group name from authentication server
$proxy_name Proxy realm name

To configure dynamic headers using the CLI:

Since authentication is required, FSSO NTLM authentication is configured in this example.


1. Configure LDAP:
config user ldap
edit "ldap-kerberos"
set server "172.18.62.220"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password *********
next
end

2. Configure FSSO:
config user fsso
edit "1"
set server "172.18.62.220"
set password *********
next
end

3. Configure a user group:


config user group
edit "NTLM-FSSO"
set group-type fsso-service
set member "FORTINETQA/FSSO"
next
end

4. Configure an authentication scheme:


config authentication scheme
edit "au-sch-ntlm"
set method ntlm
next
end

5. Configure an authentication rule:


config authentication rule
edit "au-rule-fsso"
set srcaddr "all"
set active-auth-method "au-sch-ntlm"
next
end

6. Create a web proxy profile that adds a new dynamic and custom Via header:
config web-proxy profile
edit "test"
set log-header-change enable
config headers
edit 1
set name "client-ip"
set content "$client-ip"
next
edit 2
set name "Proxy-Name"
set content "$proxy_name"
next
edit 3
set name "user"
set content "$user"
next
edit 4
set name "domain"
set content "$domain"
next
edit 5
set name "local_grp"
set content "$local_grp"
next
edit 6
set name "remote_grp"
set content "$remote_grp"
next
edit 7
set name "Via"
set content "Fortigate-Proxy"
next
end
next
end

7. In the proxy policy, append the web proxy profile created in the previous step:
config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set logtraffic all
set groups "NTLM-FSSO"
set webproxy-profile "test"
set utm-status enable
set av-profile "av"
set webfilter-profile "content"
set ssl-ssh-profile "deep-custom"
next
end

8. Once traffic is being generated from the client, look at the web filter logs to verify that the headers are being added.
The values for all the added header fields are displayed in the Change headers section at the bottom of the Log
Details pane.
1: date=2019-02-07 time=13:57:24 logid="0344013632" type="utm" subtype="webfilter"
eventtype="http_header_change" level="notice" vd="vdom1" eventtime=1549576642 policyid=1
transid=50331689 sessionid=1712788383 user="TEST21@FORTINETQA" group="NTLM-FSSO"
profile="test" srcip=10.1.100.116 srcport=53278 dstip=172.16.200.46 dstport=80
srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6
service="HTTP" url="http://172.16.200.46/" agent="curl/7.22.0" chgheaders="Added=client-
ip: 10.1.100.116|Proxy-Name: 1.1 100D.qa|user: TEST21|domain: FORTINETQA|local_grp:
NTLM-FSSO|remote_grp: FORTINETQA/FSSO|Via: Fortigate-Proxy"

Restricted SaaS access

Large organizations may want to restrict SaaS access to resources like Microsoft Office 365, Google Workspace, and
Dropbox by tenant to block non-company login attempts and secure the users from accessing non-approved cloud
resources. Many cloud vendors enable this by applying tenant restrictions for access control. For example, users
accessing Microsoft 365 applications with tenant restrictions through the corporate proxy will only be allowed to log in as
the company’s tenant and access the organization’s applications.
To implement this, access requests from the clients pass through the company’s web proxy, which inserts headers to
notify the SaaS service to apply tenant restrictions with the permitted tenant list. Users are redirected to the SaaS service
login page, and are only allowed to log in if they belong to the permitted tenant list.
For more information, refer to the vendor-specific documentation:
l Office 365: Restrict access to a tenant
l Google Workspace: Block access to consumer accounts
l Dropbox: Network control

Basic configuration

A web proxy profile can specify access permissions for Microsoft Office 365, Google Workspace, and Dropbox by
inserting vendor-defined headers that restrict access to the specific accounts. Custom headers can also be inserted for
any destination. The web proxy profile can then be applied to a firewall policy to control the header's insertion.

To implement Office 365 tenant restriction, Google Workspace account access control, and Dropbox
network access control:

1. Configure a web proxy profile according to the vendors' specifications:


a. Set the header name (defined by the service provider).
b. Set the traffic destination (the service provider).
c. Set the HTTP header content to be inserted into the traffic (defined by your settings).
config web-proxy profile
edit <name>
config headers
edit <id>
set name <string>
set dstaddr <address>
set action add-to-request
set base64-encoding disable
set add-option new
set protocol https http
set content <string>
next
end
next
end

2. Apply the web proxy profile to a firewall policy. SSL deep inspection must be used in the firewall policy.

The following table lists the vendor-specific config headers settings that must be configured in the web proxy profile
(config web-proxy profile):

Setting            Microsoft Office 365              Google Workspace              Dropbox
name <string>      Restrict-Access-To-Tenants        X-GoogApps-Allowed-Domains    X-Dropbox-allowed-Team-Ids
                   Restrict-Access-Context
dstaddr <address>  Use the built-in Microsoft        Use the built-in G Suite      Use the built-in
                   Office 365 address.               address.                      wildcard.dropbox.com address.
content <string>   Enter the domain for              Enter the domain.             Enter the Dropbox team ID.
                   Restrict-Access-To-Tenants.
                   Enter the directory ID for
                   Restrict-Access-Context.

Due to vendors' changing requirements, these settings may no longer comply with the vendors' official guidelines. See
the vendor documentation for more details.

Microsoft Office 365 example

In this example, a web proxy profile is created to control permissions for Microsoft Office 365: corporate domains are
allowed, and personal accounts, such as Hotmail and Outlook accounts that are accessed through login.live.com, are denied.

1. When a user attempts to access login.microsoftonline.com, login.microsoft.com, or login.windows.net, the traffic will
match a proxy inspection mode firewall policy with the assigned web proxy profile.
2. The web proxy profile adds new headers to the customer tenant, indicating the allowed domain and restricted
access for personal accounts. Next, the FortiGate starts a new connection with the Microsoft Office 365 domain
controller including the new headers.
3. The Microsoft Office 365 domain controller assesses this data and will allow or deny this access, then sends a reply
to the FortiGate.
4. The FortiGate sends a reply to the client.
The FortiGate will only indicate the correct domains to be allowed or denied through the headers to Microsoft. The
custom sign-in portal in the browser is generated by Microsoft.

Configuration summary

The following must be configured in FortiOS:

l An FQDN address for login.live.com
l An SSL inspection profile that uses deep inspection with an exemption for login.live.com

Ensure that the firewall certificate is installed on the client machines. A company certificate
signed by an internal CA is recommended.

l A web filter profile in proxy mode with static URL filters for the SNI URLs
l A web proxy profile that adds new headers to the customer tenant
l A firewall policy using proxy mode inspection that applies the configured SSL inspection, web filter, and web
proxy profiles
The Restrict-Access-To-Tenants and Restrict-Access-Context headers are inserted for incoming requests
to: login.microsoftonline.com, login.microsoft.com, and login.windows.net, which are part of the Microsoft Office
365 address group.
To restrict access to personal accounts using the login.live.com domain, the sec-Restrict-Tenant-Access-
Policy header is inserted and uses restrict-msa as the header content.
Before configuring the FortiGate, collect the information related to the company domain in the Office 365 contract.
l Restrict-Access-To-Tenants: your <domain.com>
l Restrict-Access-Context: Directory ID

To find the Directory ID related to the domain, locate it in the Azure portal, or use the
whatismytenantid.com open tool.

To configure the FortiGate:

1. Add the FQDN address for login.live.com:
config firewall address
edit "login.live.com"
set type fqdn
set fqdn "login.live.com"
next
end

2. Configure the SSL inspection profile. In this example, the deep-inspection profile is cloned, and the live.com
FQDN is removed from the exemption list.
a. Clone the deep-inspection profile:
config firewall ssl-ssh-profile
clone "deep-inspection" to "Tenant"
end

b. Edit the Tenant profile and remove live.com from the config ssl-exempt list.
3. Configure the URL filter list:
config webfilter urlfilter
edit 1
set name "Auto-webfilter-urlfilter"
config entries
edit 1
set url "login.microsoftonline.com"
set action allow
next
edit 2
set url "login.microsoft.com"
set action allow
next
edit 3
set url "login.windows.net"
set action allow
next
edit 4
set url "login.live.com"
set action allow
next
end
next
end

4. Configure the web filter profile:
config webfilter profile
edit "Tenant"
set comment "Office 365"
set feature-set proxy
config web
set urlfilter-table 1
end
next
end

5. Configure the web proxy profile (enter the header names exactly as shown):
config web-proxy profile
edit "SaaS-Tenant-Restriction"
set header-client-ip pass
set header-via-request pass
set header-via-response pass
set header-x-forwarded-for pass
set header-x-forwarded-client-cert pass
set header-front-end-https pass
set header-x-authenticated-user pass
set header-x-authenticated-groups pass
set strip-encoding disable
set log-header-change disable
config headers
edit 1
set name "Restrict-Access-To-Tenants"
set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net"
set action add-to-request
set base64-encoding disable
set add-option new
set protocol https http
set content <domain>
next
edit 2
set name "Restrict-Access-Context"
set dstaddr "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"
set action add-to-request
set base64-encoding disable
set add-option new
set protocol https http
set content <directory_ID>
next
edit 3
set name "sec-Restrict-Tenant-Access-Policy"
set dstaddr "login.live.com"
set action add-to-request
set base64-encoding disable
set add-option new
set protocol https http
set content "restrict-msa"
next
end
next
end

6. Configure the firewall policy:
config firewall policy
edit 10
set name "Tenant"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "users-lan"
set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net" "login.live.com"
set schedule "always"
set service "HTTP" "HTTPS"
set utm-status enable
set inspection-mode proxy
set webproxy-profile "SaaS-Tenant-Restriction"
set ssl-ssh-profile "Tenant"
set webfilter-profile "Tenant"
set logtraffic all
set nat enable
next
end

Testing the access

To test the access to corporate domains and personal accounts:

1. Get a client to log in with their corporate email using the login.microsoftonline.com domain.
2. The client is able to enter their credentials and log in successfully.
3. Get a client to log in to their personal Outlook account.
4. After the client enters their credentials, a message appears that they cannot access this resource because it is
restricted by the cross-tenant access policy.

Verifying the header insertion

To verify the header insertion for corporate domains and personal accounts:

1. On the FortiGate, start running the WAD debugs:
# diagnose wad debug enable category http
# diagnose wad debug enable level info
# diagnose debug enable

2. After a client attempts to access corporate domains, verify that the header information is sent to the Microsoft Active
Directory:
[I][p:234][s:2481][r:33] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0cd468
Forward request to server:
POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Content-Length: 1961
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
hpgrequestid: d7f706a8-1143-4cdd-ad52-1cc69dc7bb00
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/101.0.4951.54 Safari/537.36
client-request-id: 5c3d196d-5939-45cc-a45b-232b9ed13fce
...
Restrict-Access-To-Tenants: fortinet-us.com
Restrict-Access-Context: ********-****-452f-8535-************

3. After a client attempts to access a personal account, verify that the header information is sent to the Microsoft Active
Directory:
[I][p:234][s:2519][r:34] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0ce6a8
Forward request to server:
GET /oauth20_authorize.srf?client_id=4765445b-32c6-49b0-83e6-
1d93765276ca&scope=openid+profile+https%3a%2f%2fwww.office.com%2fv2%2fOfficeHome.All&red
irect_uri=https%3a%2f%2fwww.office.com%2flandingv2&response_type=code+id_
token&state=7tAtndYhcA3132S--UOTyLVEtyIZs8FgndTpeYM9mJ1EeA-
X5nfqrSalnnPH41cHxfHGug6N5cbliK676v6xZgszgH_
JARVKrptZwBvjI2cbnZ4mttYNNdK1FTlbEtu5VBjgtBOX2u6v3F_
9g7UikCpGTnBRGhvO2pyTndT3EEIyAHvhg9LsKRtY3kxce8dQkfk1iDjLcc3q-01r4rpxSx2xZSbwg_
KkAN3kCRQ9uLfE0ziHAcpvunuKmzGBWKnBhC4sJJkXrMEfXwCg4nsOjg&response_mode=form_
post&nonce=637877163655610380.MjNjZmM4NzQtOTU5My00OGZlLTk0NTItZTE5NDU2YjVlODdjNjViOTQwYm
UtOTZlMS00M2Y5LTkyN2MtN2QyMjgwNjcxY2Uz&x-client-SKU=ID_NETSTANDARD2_0&x-client-
Ver=6.12.1.0&uaid=5c3d196d593945cca45b232b9ed13fce&msproxy=1&issuer=mso&tenant=common&u
i_locales=en-US&epct=AQABAAAAAAD--DLA3VO7QrddgJg7WevrfA6SLaDsJUcjb1Bg9OKonF3d_
lfNJsdDAIH5hlJdUSGejEBIqsko-A7JX67PzaGdEJgOIGa37VhJzGTYBZ-KgATe9FHssnNmLjM_
dojr0dAT83xDhiqQTN2-UcYdcP2s3vPainF7Nqes5ecXRaEoE9Vw9-
sN7jfASOkPRWW03aI6buz0niABvA860YOWDb98vdJWPGkWE-euDr6n8_
zI5iAA&jshs=0&username=****************%40outlook.com&login_
hint=***************%40outlook.com HTTP/1.1
Host: login.live.com
Connection: keep-alive
...
Referer: https://login.microsoftonline.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
sec-Restrict-Tenant-Access-Policy: restrict-msa
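The check that the two dumps above perform by eye can be scripted. The following is an added example (not FortiOS code) that parses a request dump in the same request-line-plus-headers shape and reports any expected tenant-restriction header that is missing, or that carries the wrong content, for the destination host; the sample requests, tenant domain and directory ID in it are constructed placeholders.

```python
"""Verify tenant-restriction headers in a proxy-forwarded request dump.

Added example, not FortiOS code. It reads text in the shape of the
'diagnose wad debug' output above (request line, then 'Name: value' header
lines, '...' marking elided headers) and checks that the headers the web proxy
profile is meant to insert are present for the destination host. The sample
requests at the bottom are constructed; the tenant domain and directory ID
are placeholders, not real values.
"""
from typing import Dict, List, Optional, Tuple

MICROSOFT_HOSTS = ("login.microsoftonline.com", "login.microsoft.com", "login.windows.net")

# Expected policy, mirrored from the SaaS-Tenant-Restriction profile above.
# None means the header must be present and non-empty; its content (the tenant
# domain or directory ID) is deployment specific, so it is not compared.
EXPECTED: Dict[str, Dict[str, Optional[str]]] = {
    host: {"Restrict-Access-To-Tenants": None, "Restrict-Access-Context": None}
    for host in MICROSOFT_HOSTS
}
# Personal-account logins: the inserted content must be exactly restrict-msa.
EXPECTED["login.live.com"] = {"sec-Restrict-Tenant-Access-Policy": "restrict-msa"}


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (request line, headers) with header names lower-cased, because
    HTTP header names are case-insensitive. Blank lines and '...' are skipped."""
    lines = [ln.rstrip() for ln in raw.strip().splitlines()]
    if not lines:
        raise ValueError("empty request dump")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip() or line.strip() == "...":
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_request(raw: str) -> List[str]:
    """Return findings for one request; an empty list means the headers for
    that host are as expected. A host outside the policy is reported too,
    because such traffic is not covered by the tenant restriction at all."""
    _, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].strip().lower()
    if host not in EXPECTED:
        return [f"host {host or '<missing>'} is not covered by the policy"]
    findings: List[str] = []
    for name, want in EXPECTED[host].items():
        got = headers.get(name.lower())
        if not got:
            findings.append(f"{host}: missing header {name}")
        elif want is not None and got != want:
            findings.append(f"{host}: {name} is {got!r}, expected {want!r}")
    return findings


# Constructed samples in the shape of the 'Forward request to server' dumps.
CORPORATE_REQ = """\
POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
...
Restrict-Access-To-Tenants: example.com
Restrict-Access-Context: 00000000-0000-0000-0000-000000000000
"""

PERSONAL_REQ = """\
GET /oauth20_authorize.srf?client_id=placeholder HTTP/1.1
Host: login.live.com
Referer: https://login.microsoftonline.com/
sec-Restrict-Tenant-Access-Policy: restrict-msa
"""

# Same destination family, but the context header was never inserted, for
# example because the traffic matched a policy without the web proxy profile.
MISSING_REQ = """\
POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.windows.net
Restrict-Access-To-Tenants: example.com
"""

if __name__ == "__main__":
    for label, req in (("corporate", CORPORATE_REQ), ("personal", PERSONAL_REQ),
                       ("missing", MISSING_REQ)):
        print(f"{label}: {check_request(req) or 'OK'}")
```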

Explicit proxy and FortiSandbox Cloud

Explicit proxy connections can leverage FortiSandbox Cloud for advanced threat scanning and updates. This allows
FortiGates behind isolated networks to connect to FortiCloud services.

To configure FortiGuard services to communicate with an explicit proxy server:

config system fortiguard
set proxy-server-ip 172.16.200.44
set proxy-server-port 3128
set proxy-username "test1"
set proxy-password *********
end

To verify the explicit proxy connection to FortiSandbox Cloud:

# diagnose debug application forticldd -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
[2942] fds_handle_request: Received cmd 23 from pid-2526, len 0
[40] fds_queue_task: req-23 is added to Cloud-sandbox-controller
[178] fds_svr_default_task_xmit: try to get IPs for Cloud-sandbox-controller
[239] fds_resolv_addr: resolve aptctrl1.fortinet.com
[169] fds_get_addr: name=aptctrl1.fortinet.com, id=32, cb=0x2bc089
[101] dns_parse_resp: DNS aptctrl1.fortinet.com -> 172.16.102.21
[227] fds_resolv_cb: IP-1: 172.16.102.21
[665] fds_ctx_set_addr: server: 172.16.102.21:443
[129] fds_svr_default_pickup_server: Cloud-sandbox-controller: 172.16.102.21:443
[587] fds_https_start_server: server: 172.16.102.21:443
[579] ssl_new: SSL object is created
[117] https_create: proxy server 172.16.200.44 port:3128
[519] fds_https_connect: https_connect(172.16.102.21) is established.
[261] fds_svr_default_on_established: Cloud-sandbox-controller has connected to
ip=172.16.102.21
[268] fds_svr_default_on_established: server-Cloud-sandbox-controller handles cmd-23
[102] fds_pack_objects: number of objects: 1
[75] fds_print_msg: FCPC: len=109
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Command=RegionList
[81] fds_print_msg: Firmware=FG101E-FW-6.02-0917
[81] fds_print_msg: SerialNumber=FG101E4Q17002429
[81] fds_print_msg: TimeZone=-7
[75] fds_print_msg: http req: len=248
[81] fds_print_msg: POST https://172.16.102.21:443/FCPService HTTP/1.1
[81] fds_print_msg: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[81] fds_print_msg: Host: 172.16.102.21:443
[81] fds_print_msg: Cache-Control: no-cache
[81] fds_print_msg: Connection: close
[81] fds_print_msg: Content-Type: application/octet-stream
[81] fds_print_msg: Content-Length: 301
[524] fds_https_connect: http request to 172.16.102.21: header=248, ext=301.
[257] fds_https_send: sent 248 bytes: pos=0, len=248
[265] fds_https_send: 172.16.102.21: sent 248 byte header, now send 301-byte body
[257] fds_https_send: sent 301 bytes: pos=0, len=301
[273] fds_https_send: sent the entire request to server: 172.16.102.21:443
[309] fds_https_recv: read 413 bytes: pos=413, buf_len=2048
[332] fds_https_recv: received the header from server: 172.16.102.21:443, [HTTP/1.1 200
Content-Type: application/octet-stream
Content-Length: 279
Date: Thu, 20 Jun 2019 16:41:11 GMT
Connection: close]
[396] fds_https_recv: Do memmove buf_len=279, pos=279
[406] fds_https_recv: server: 172.16.102.21:443, buf_len=279, pos=279
[453] fds_https_recv: received a packet from server-172.16.102.21:443: sz=279, objs=1
[194] __ssl_data_ctx_free: Done
[839] ssl_free: Done
[830] ssl_disconnect: Shutdown
[481] fds_https_recv: obj-0: type=FCPR, len=87
[294] fds_svr_default_on_response: server-Cloud-sandbox-controller handles cmd-23
[75] fds_print_msg: fcpr:  len=83
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Response=202
[81] fds_print_msg: ResponseItem=Region:Europe,Global,Japan,US
[81] fds_print_msg: existing:Japan
[3220] aptctrl_region_res: Got rsp: Region:Europe,Global,Japan,US
[3222] aptctrl_region_res: Got rsp: Region existing:Japan
[439] fds_send_reply: Sending 28 bytes data.
[395] fds_free_tsk: cmd=23; req.noreply=1
# [136] fds_on_sys_fds_change: trace
[2942] fds_handle_request: Received cmd 22 from pid-170, len 0
[40] fds_queue_task: req-22 is added to Cloud-sandbox-controller
[587] fds_https_start_server: server: 172.16.102.21:443
[579] ssl_new: SSL object is created
[117] https_create: proxy server 172.16.200.44 port:3128
[519] fds_https_connect: https_connect(172.16.102.21) is established.
[261] fds_svr_default_on_established: Cloud-sandbox-controller has connected to
ip=172.16.102.21
[268] fds_svr_default_on_established: server-Cloud-sandbox-controller handles cmd-22
[102] fds_pack_objects: number of objects: 1
[75] fds_print_msg: FCPC: len=146
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Command=UpdateAPT
[81] fds_print_msg: Firmware=FG101E-FW-6.02-0917
[81] fds_print_msg: SerialNumber=FG101E4Q17002429
[81] fds_print_msg: TimeZone=-7
[81] fds_print_msg: TimeZoneInMin=-420
[81] fds_print_msg: DataItem=Region:US
[75] fds_print_msg: http req: len=248
[81] fds_print_msg: POST https://172.16.102.21:443/FCPService HTTP/1.1
[81] fds_print_msg: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[81] fds_print_msg: Host: 172.16.102.21:443
[81] fds_print_msg: Cache-Control: no-cache
[81] fds_print_msg: Connection: close
[81] fds_print_msg: Content-Type: application/octet-stream
[81] fds_print_msg: Content-Length: 338
[524] fds_https_connect: http request to 172.16.102.21: header=248, ext=338.
[257] fds_https_send: sent 248 bytes: pos=0, len=248
[265] fds_https_send: 172.16.102.21: sent 248 byte header, now send 338-byte body
[257] fds_https_send: sent 338 bytes: pos=0, len=338
[273] fds_https_send: sent the entire request to server: 172.16.102.21:443
[309] fds_https_recv: read 456 bytes: pos=456, buf_len=2048
[332] fds_https_recv: received the header from server: 172.16.102.21:443, [HTTP/1.1 200
Content-Type: application/octet-stream
Content-Length: 322
Date: Thu, 20 Jun 2019 16:41:16 GMT
Connection: close]
[396] fds_https_recv: Do memmove buf_len=322, pos=322
[406] fds_https_recv: server: 172.16.102.21:443, buf_len=322, pos=322
[453] fds_https_recv: received a packet from server-172.16.102.21:443: sz=322, objs=1
[194] __ssl_data_ctx_free: Done
[839] ssl_free: Done
[830] ssl_disconnect: Shutdown
[481] fds_https_recv: obj-0: type=FCPR, len=130
[294] fds_svr_default_on_response: server-Cloud-sandbox-controller handles cmd-22
[75] fds_print_msg: fcpr:  len=126
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Response=202
[81] fds_print_msg: ResponseItem=Server1:172.16.102.51:514
[81] fds_print_msg: Server2:172.16.102.52:514
[81] fds_print_msg: Contract:20210215
[81] fds_print_msg: NextRequest:86400
[615] parse_apt_contract_time_str: The APTContract is valid to Mon Feb 15 23:59:59 2021
[616] parse_apt_contract_time_str: FGT current local time is Thu Jun 20 09:41:16 2019
[3289] aptctrl_update_res: Got rsp: APT=172.16.102.51:514 APTAlter=172.16.102.52:514 next-upd=86400
[395] fds_free_tsk: cmd=22; req.noreply=1

Proxy chaining (web proxy forwarding servers)

For the explicit web proxy you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy
sessions to other proxy servers. Proxy chaining can be used to forward web proxy sessions from the FortiGate unit to
one or more other proxy servers on your network or on a remote network. You can use proxy chaining to integrate the
FortiGate explicit web proxy with a web proxy solution that you already have in place.
A FortiGate unit can forward sessions to most web proxy servers including a remote FortiGate unit with the explicit web
proxy enabled. No special configuration of the explicit web proxy on the remote FortiGate unit is required.
You can deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite
offices and a main office. If each office has a FortiGate unit, users at each of the satellite offices can use their local
FortiGate unit as an explicit web proxy server. The satellite office FortiGate units can forward explicit web proxy sessions
to an explicit web proxy server at the central office. From here the sessions can connect to web servers on the Internet.

FortiGate proxy chaining does not support web proxies in the proxy chain authenticating each other.
The following examples assume explicit web proxy has been enabled.

To enable explicit web proxy in the GUI:

1. Go to System > Feature Visibility.
2. In the Security Features column, enable Explicit Proxy.
3. Configure the explicit web proxy settings. See Explicit web proxy on page 471.

To add a web proxy forwarding server in the GUI:

1. Go to Network > Explicit Proxy. The Explicit Proxy page opens.
2. In the Web Proxy Forwarding Servers section, click Create New.
3. Configure the server settings and click OK.

Name Enter the name of the forwarding server.

Proxy Address Type Select the type of IP address of the forwarding server. A forwarding server can
have an FQDN or IP address.

Proxy Address Enter the IP address of the forwarding server.

Port Enter the port number on which the proxy receives connections. Traffic leaving
the FortiGate explicit web proxy for this server has its destination port number
changed to this number.

Server Down Action Select the action the explicit web proxy will take if the forwarding server is
down.
l Block: Blocks the traffic if the remote server is down.

l Use Original Server: Forwards the traffic from the FortiGate to its

destination as if no forwarding server is configured.

Health Monitor Select to enable health check monitoring.

Health Check Monitor Site Enter the address of a remote site.

Example

The following example adds a web proxy forwarding server named fwd-srv at address proxy.example.com and port
8080.

To add a web proxy forwarding server in the CLI:

config web-proxy forward-server
edit fwd-srv
set addr-type fqdn
set fqdn proxy.example.com
set port 8080
end

Web proxy forwarding server monitoring and health checking

By default, a FortiGate unit monitors a web proxy forwarding server by forwarding a connection to the remote server
every 10 seconds. The remote server is assumed to be down if it does not respond to the connection. FortiGate
continues checking the server. The server is assumed to be back up when the server sends a response. If you enable
health checking, the FortiGate unit attempts to get a response from a web server every 10 seconds by connecting
through the remote forwarding server.
You can configure health checking for each remote server and specify a different website to check for each one.
If the remote server is found to be down you can configure the FortiGate unit to block sessions until the server comes
back up or to allow sessions to connect to their destination, bypassing the remote forwarding server. You cannot
configure the FortiGate unit to fail over to another remote forwarding server.

To configure proxy server monitor and health checking in the GUI:

1. Go to Network > Explicit Proxy. The Explicit Proxy page opens.
2. In the Web Proxy Forwarding Servers section, select a server and click Edit.
3. Configure the Server Down Action and Health Monitor settings.

Server Down Action Select the action the explicit web proxy will take if the forwarding server is
down.
l Block: Blocks the traffic if the remote server is down.
l Use Original Server: Forwards the traffic from the FortiGate to its
destination as if no forwarding server is configured.

Health Monitor Select to enable health check monitoring.

Health Check Monitor Site Enter the address of a remote site.

4. Click OK.

Example

The following example enables health checking for a web proxy forwarding server and sets the server down option to
bypass the forwarding server if it is down.

To configure proxy server monitor and health checking in the CLI:

config web-proxy forward-server
edit fwd-srv
set healthcheck enable
set monitor http://example.com
set server-down-option pass
end

Grouping forwarding servers and load balancing traffic to the servers

You can add multiple web proxy forwarding servers to a forwarding server group and then add the server group to an
explicit web proxy policy instead of adding a single server. Forwarding server groups are created from the FortiGate CLI
but can be added to policies from the web-based manager (or from the CLI).
When you create a forwarding server group you can select a load balancing method to control how sessions are load
balanced to the forwarding servers in the server group. Two load balancing methods are available:
l Weighted load balancing sends more sessions to the servers with higher weights. You can configure the weight for
each server when you add it to the group.
l Least-session load balancing sends new sessions to the forwarding server that is processing the fewest sessions.
When you create a forwarding server group you can also enable affinity. Enable affinity to have requests from the same
client processed by the same server. This can reduce delays caused by using multiple servers for a single multi-step
client operation. Affinity takes precedence over load balancing.
You can also configure the behavior of the group if all of the servers in the group are down. You can select to block traffic
or you can select to have the traffic pass through the FortiGate explicit proxy directly to its destination instead of being
sent to one of the forwarding servers.

Example

The following example adds a forwarding server group that uses weighted load balancing to load balance traffic to three
forwarding servers. Server weights are configured to send most traffic to server2. The group has affinity enabled
and blocks traffic if all of the forward servers are down.

To configure load balancing in the CLI:

config web-proxy forward-server
edit server_1
set ip 172.20.120.12
set port 8080
next
edit server_2
set ip 172.20.120.13
set port 8000
next
edit server_3
set ip 172.20.120.14
set port 8090
next
end
config web-proxy forward-server-group
edit New-fwd-group
set affinity enable
set ldb-method weighted
set group-down-option block
config server-list
edit server_1
set weight 10
next
edit server_2
set weight 40
next
edit server_3
set weight 10
next
end
next
end
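As an added illustration (not FortiGate code), the following model reproduces the selection behaviour described above for this group: weighted or least-session balancing, affinity taking precedence, and the group-down-option when every server is down. How the weighted method is implemented in FortiOS is not stated on this page; the model assumes it picks the healthy server with the lowest sessions-to-weight ratio, and the server names and weights are the ones from the CLI example.

```python
"""Model of forwarding server group selection: weights, affinity, down handling.

Added example, not FortiGate code. It illustrates the behaviour described
above for a forward-server group: ldb-method weighted or least-session, affinity
taking precedence over load balancing, and group-down-option when every server
is down. The weighted method here picks the healthy server with the lowest
sessions-to-weight ratio; that is an assumption, since FortiOS's exact
algorithm is not given on this page.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, List, Optional

DIRECT = "direct"   # group-down-option pass: session goes to its original destination


@dataclass
class ForwardServer:
    name: str
    weight: int = 10          # 'set weight' in config server-list
    up: bool = True           # result of monitoring / health checking
    sessions: int = 0         # sessions currently assigned to this server

    def __post_init__(self) -> None:
        if self.weight < 1:
            raise ValueError(f"{self.name}: weight must be a positive integer")


@dataclass
class ForwardServerGroup:
    servers: List[ForwardServer]
    ldb_method: str = "weighted"        # weighted | least-session
    affinity: bool = True
    group_down_option: str = "block"    # block | pass
    pinned: Dict[str, ForwardServer] = field(default_factory=dict, init=False, repr=False)

    def select(self, client: str) -> Optional[str]:
        """Pick the server for a new session from `client`. Returns DIRECT when all
        servers are down and the option is pass, None (blocked) when it is block."""
        healthy = [s for s in self.servers if s.up]
        if not healthy:
            return DIRECT if self.group_down_option == "pass" else None
        # Affinity takes precedence over load balancing, but a server that is
        # down is never reused; the client is re-balanced instead.
        chosen = self.pinned.get(client)
        if chosen is None or not chosen.up:
            if self.ldb_method == "weighted":
                # Exact rational arithmetic avoids float tie-break surprises.
                chosen = min(healthy, key=lambda s: Fraction(s.sessions, s.weight))
            elif self.ldb_method == "least-session":
                chosen = min(healthy, key=lambda s: s.sessions)
            else:
                raise ValueError(f"unknown ldb-method {self.ldb_method!r}")
            if self.affinity:
                self.pinned[client] = chosen
        chosen.sessions += 1
        return chosen.name

    def release(self, name: str) -> None:
        """Account for a session to server `name` ending."""
        for s in self.servers:
            if s.name == name and s.sessions > 0:
                s.sessions -= 1


def example_group() -> ForwardServerGroup:
    """The New-fwd-group from the CLI example: weights 10/40/10, affinity, block."""
    return ForwardServerGroup(
        servers=[ForwardServer("server_1", 10), ForwardServer("server_2", 40),
                 ForwardServer("server_3", 10)],
        ldb_method="weighted", affinity=True, group_down_option="block")


def distribute(group: ForwardServerGroup, clients: List[str]) -> Dict[Optional[str], int]:
    """Open one new session per client and count how many each server received."""
    counts: Dict[Optional[str], int] = {}
    for client in clients:
        target = group.select(client)
        counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    group = example_group()
    # 60 distinct clients (constructed addresses on the 10.31.101.0 subnet).
    print(distribute(group, [f"10.31.101.{i}" for i in range(1, 61)]))
    group.servers[0].up = False         # server_1 fails its health check
    print(group.select("10.31.101.1"))  # pinned to server_1, re-balanced to server_2
```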

Adding proxy chaining to an explicit web proxy policy

You can enable proxy chaining for web proxy sessions by adding a web proxy forwarding server or server group to an
explicit web proxy policy. In a policy you can select one web proxy forwarding server or server group. All explicit web
proxy traffic accepted by this security policy is forwarded to the specified web proxy forwarding server or server group.

To add an explicit web proxy forwarding server in the GUI:

1. Go to Policy & Objects > Proxy Policy and click Create New.
2. Configure the policy settings:

Proxy Type Explicit Web

Outgoing Interface wan1

Source Internal_subnet

Destination all

Schedule always

Service webproxy

Action Accept

3. Enable Web Proxy Forwarding Server and select the forwarding server (for example, fwd-srv).
4. Click OK.

Example

The following example adds a security policy that allows all users on the 10.31.101.0 subnet to use the explicit web
proxy for connections through the wan1 interface to the Internet. The policy forwards web proxy sessions to a remote
forwarding server named fwd-srv.

To add an explicit web proxy forwarding server in the CLI:

config firewall proxy-policy
edit 0
set proxy explicit-web
set dstintf "wan1"
set srcaddr "Internal_subnet"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set webproxy-forward-server "fwd-srv"
end

Using TLS 1.3 with web proxy forward servers

A FortiGate can handle TLS 1.3 traffic in both deep and certificate inspection modes.

Example

The following example demonstrates that the Squid server and the FortiGate can handle TLS 1.3 traffic.

The following output from the Squid server demonstrates that the FortiGate supports TLS 1.3 traffic and forwards the
hello retry request back to the client PC. The client PC then sends the client hello again, and the connection is
successfully established.

Agentless NTLM authentication for web proxy

Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:
l Multiple servers
l Individual users
You can use multiple domain controller servers for the agentless NTLM. They can be used for load balancing and high
service stability.
You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS
matches the user's group information from an LDAP server.

To support multiple domain controllers for agentless NTLM using the CLI:

1. Configure an LDAP server:
config user ldap
edit "ldap-kerberos"
set server "172.18.62.177"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password *********
next
end
2. Configure multiple domain controllers:
config user domain-controller
edit "dc1"
set ip-address 172.18.62.177
config extra-server
edit 1
set ip-address 172.18.62.220
next
end
set ldap-server "ldap-kerberos"
next
end
3. Create an authentication scheme and rule:
config authentication scheme
edit "au-ntlm"
set method ntlm
set domain-controller "dc1"
next
end
config authentication rule
edit "ru-ntlm"
set srcaddr "all"
set ip-based disable
set active-auth-method "au-ntlm"
next
end
4. In the proxy policy, append the user group for authorization:
config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set groups "ldap-group"
set utm-status enable
set av-profile "av"
set ssl-ssh-profile "deep-custom"
next
end
This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication
request to the first domain controller. Later when another user logs in, the FortiGate sends the authentication
request to another domain controller.
5. Verify the behavior after the user successfully logs in:
# diagnose wad user list
ID: 1825, IP: 10.1.100.71, VDOM: vdom1
user name : test1
duration : 497
auth_type : Session
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : 103
LAN:
bytes_in=2167 bytes_out=7657
WAN:
bytes_in=3718 bytes_out=270

To support individual users for agentless NTLM using the CLI:

1. Configure an LDAP server:
config user ldap
edit "ldap-kerberos"
set server "172.18.62.177"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password *********
next
end
2. Configure the user group and allow user-based matching:
config user group
edit "ldap-group"
set member "ldap" "ldap-kerberos"
config match
edit 1
set server-name "ldap-kerberos"
set group-name "test1"
next
end
next
end
3. Create an authentication scheme and rule:
config authentication scheme
edit "au-ntlm"
set method ntlm
set domain-controller "dc1"
next
end
config authentication rule
edit "ru-ntlm"
set srcaddr "all"
set ip-based disable
set active-auth-method "au-ntlm"
next
end
4. In the proxy policy, append the user group for authorization:
config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set groups "ldap-group"
set utm-status enable
set av-profile "av"
set ssl-ssh-profile "deep-custom"
next
end
This implementation lets you configure a single user instead of a whole group. The FortiGate will now allow the user
named test1.

To verify the configuration using the CLI:

# diagnose wad user list
ID: 1827, IP: 10.1.15.25, VDOM: vdom1
user name : test1
duration : 161
auth_type : Session
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : 439
LAN:
bytes_in=1309 bytes_out=4410
WAN:
bytes_in=2145 bytes_out=544

Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers

Multiple LDAP servers can be configured in Kerberos keytabs and agentless NTLM domain controllers for multi-forest
deployments.

To use multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers:

1. Add multiple LDAP servers:
config user ldap
edit "ldap-kerberos"
set server "172.16.200.98"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password xxxxxxxxx
next
edit "ldap-two"
set server "172.16.106.128"
set cnid "cn"
set dn "OU=Testing,DC=ad864r2,DC=com"
set type regular
set username "cn=Testadmin,cn=users,dc=AD864R2,dc=com"
set password xxxxxxxxx
next
end

2. Configure a Kerberos keytab entry that uses both LDAP servers:
config user krb-keytab
edit "http_service"
set pac-data disable
set principal "HTTP/[email protected]"
set ldap-server "ldap-kerberos" "ldap-two"
set keytab xxxxxxxxx
next
end

3. Configure a domain controller that uses both LDAP servers:
config user domain-controller
edit "dc1"
set ip-address 172.16.200.98
set ldap-server "ldap-two" "ldap-kerberos"
next
end

Learn client IP addresses

Learning the actual client IP address is imperative for authorization. This function identifies the real client IP address
when there is a NAT device between the FortiGate and the client.

config web-proxy global
    set learn-client-ip {enable | disable}
    set learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}
    set learn-client-ip-srcaddr <address> ... <address>
end

learn-client-ip {enable | disable}                  Enable/disable learning the client's IP address from headers.
learn-client-ip-from-header {true-client-ip |       Learn client IP addresses from the specified header.
    x-real-ip | x-forwarded-for}
learn-client-ip-srcaddr <address> ... <address>     The names of the source address objects whose traffic the header is
                                                    learned from.
Example

In this example, the real client IP address is used to match a policy for FSSO authentication.

To enable learning the client IP address:

config web-proxy global
    set proxy-fqdn "default.fqdn"
    set webproxy-profile "default"
    set learn-client-ip enable
    set learn-client-ip-from-header x-forwarded-for
    set learn-client-ip-srcaddr "all"
end

To configure the proxy policy:

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "mgmt1"
        set srcaddr "all"
        set dstaddr "all"
        set service "w"
        set action accept
        set schedule "always"
        set groups "fsso1"
        set utm-status enable
        set av-profile "default"
        set dlp-sensor "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

To configure the authentication scheme and rule:

config authentication scheme
    edit "scheme1"
        set method fsso
    next
end
config authentication rule
    edit "rule1"
        set srcaddr "all"
        set sso-auth-method "scheme1"
    next
end
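
The trust decision behind learn-client-ip is easy to get wrong: a forwarding header is only meaningful when the device that wrote it is trusted, because any client can send its own X-Forwarded-For. The following is an added example, not FortiOS code, that models the three settings above as a small policy helper. It assumes that the header is believed only when the TCP peer matches one of the learn-client-ip-srcaddr objects (here given as CIDR strings, with "all" meaning every peer, as in the example configuration), and that otherwise the TCP peer address is what policy matching sees; the class and function names are the example's own.

```python
"""Trusted-header client IP learning, modelled on the FortiOS web-proxy
settings learn-client-ip, learn-client-ip-from-header and
learn-client-ip-srcaddr. Added example, not FortiOS code. The trust rule
(believe the header only when the TCP peer is one of the configured source
addresses) is an assumption of this model."""
import ipaddress
from typing import Dict, Iterable

# The three header choices FortiOS offers, as lower-case header names.
HEADER_CHOICES = ("true-client-ip", "x-real-ip", "x-forwarded-for")


class ClientIpLearner:
    def __init__(self, enabled: bool, header: str, trusted_srcaddr: Iterable[str]):
        if header not in HEADER_CHOICES:
            raise ValueError(f"unsupported learn-client-ip-from-header value: {header!r}")
        self.enabled = enabled
        self.header = header
        trusted = list(trusted_srcaddr)
        # "all" stands in for the firewall address object named "all".
        self.trust_all = "all" in trusted
        self.trusted = [ipaddress.ip_network(n) for n in trusted if n != "all"]

    def _peer_trusted(self, peer: str) -> bool:
        if self.trust_all:
            return True
        addr = ipaddress.ip_address(peer)
        return any(addr in net for net in self.trusted)

    def client_ip(self, tcp_peer: str, headers: Dict[str, str]) -> str:
        """Return the address that proxy-policy and authentication matching
        should treat as the client: the learned header value when the
        feature is on and the peer is trusted, else the TCP peer itself."""
        if not self.enabled or not self._peer_trusted(tcp_peer):
            return tcp_peer
        lowered = {k.lower(): v for k, v in headers.items()}
        raw = lowered.get(self.header)
        if raw is None:
            return tcp_peer
        # X-Forwarded-For may carry a comma-separated chain; the left-most
        # entry is the original client as seen by the first proxy.
        candidate = raw.split(",")[0].strip()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            return tcp_peer  # malformed header value: never trust it
        return candidate
```

With learn-client-ip-srcaddr set to "all", as in the example configuration, the learner believes the header from every peer; that is appropriate only when all traffic reaching the FortiGate has already passed through the NAT or proxy device that sets the header. Where clients can reach the proxy directly, limit the source address objects to that device so a client cannot choose the address it is authorized as.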

DHCP servers and relays

A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host
computers must be configured to obtain their IP addresses using DHCP. You can configure one or more DHCP servers
on any FortiGate interface.
A DHCP server can be in server or relay mode. In server mode, you can define one or more address ranges it assigns
addresses from, and options such as the default gateway, DNS server, lease time, and other advanced options. In relay
mode, the interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses
to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients
arrive at the unit.
If an interface is connected to multiple networks through routers, you can add a DHCP server for each network. The IP
range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.

DHCP server options are not available in transparent mode.

For more information about options, see:

• DHCP options on page 530
• IP address assignment with relay agent information option on page 531
• DHCP client options on page 533

Configure DHCP on the FortiGate

A DHCP server can be configured on an interface in the GUI from Network > Interfaces.

To add a DHCP server on the GUI:

1. Go to Network > Interfaces.
2. Edit an interface.
3. Enable the DHCP Server option and configure the settings.
4. Click OK.

Field Description

Address Range By default, the FortiGate unit assigns an address range based on the address of
the interface for the complete scope of the address.
For example, if the interface address is 172.20.120.230, the default range created
is 172.20.120.231 to 172.20.120.254.
Select the range and select Edit to adjust the range or select Create New to add a
different range.

Netmask Enter the netmask of the addresses that the DHCP server assigns.

Default Gateway Select this to use either Same as Interface IP or select Specify and enter the IP
address of the default gateway that the DHCP server assigns to DHCP clients.

DNS Server Select this to use Same as system DNS, Same as Interface IP or select Specify
and enter the IP address of the DNS server.

Mode Select the type of DHCP server FortiGate will be. By default, it is a Server. Select
Relay if needed. When Relay is selected, the above configuration is replaced by a
field to enter the DHCP Server IP address.

DHCP Server IP This appears only when Mode is Relay. Enter the IP address of the DHCP server
where FortiGate obtains the requested IP address.

Type Select this to use the DHCP in Regular or IPsec mode.

Additional DHCP Options Use this to create new DHCP options.

Add from DHCP Client List If the client is currently connected and using an IP address from the DHCP server,
you can select this option to select the client from the list.

To add a DHCP server on the CLI:

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.1.2
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.1.1
                set end-ip 192.168.1.1
            next
            edit 2
                set start-ip 192.168.1.3
                set end-ip 192.168.1.254
            next
        end
        set timezone-option default
        set tftp-server "172.16.1.2"
    next
end

Default DHCP server for low-end FortiGates

On low-end FortiGate units, a DHCP server is configured on the internal interface, by default, with the following values:

Field Value

Address Range 192.168.1.110 to 192.168.1.210

Netmask 255.255.255.0

Default Gateway 192.168.1.99

Lease Time 7 days

DNS Server 1 192.168.1.99

These settings are appropriate for the default internal interface IP address of 192.168.1.99. If you change this address to
a different network, you need to change the DHCP server settings to match.

Configuring the lease time

The lease time determines the length of time an IP address remains assigned to a client. Once the lease expires, the
address is released for allocation to the next client that requests an IP address.

To configure the lease time:

config system dhcp server
    edit <server_entry_number>
        set interface <interface>
        set netmask <netmask>
        set lease-time <seconds>
    next
end

The default lease time is seven days. To have an unlimited lease time, set the value to zero.
The lease time can also be configured in the GUI in the Lease time field within the DHCP server section of the Edit
Interface dialog.

Configuring TFTP servers

You can configure multiple TFTP servers for a DHCP server. For example, you may want to configure a main TFTP
server and a backup TFTP server.
The tftp-server command allows you to configure the TFTP servers, using either their hostnames or IP addresses.
Separate multiple server entries with spaces.

To configure TFTP servers:

config system dhcp server
    edit <server ID>
        set interface <interface>
        set netmask <netmask>
        set tftp-server <hostname/IP address> <hostname/IP address>
    next
end

TFTP servers can also be configured in the GUI in the TFTP server(s) field within the DHCP server > Advanced section
of the Edit Interface dialog.

Configuring the DHCP renew time

You can set a minimum DHCP renew time for an interface acting as a DHCP client. This option is available only when
mode is set to DHCP.

To set the DHCP renew time:

config system interface
    edit <name>
        set vdom <vdom>
        set interface <interface>
        set mode dhcp
        set dhcp-renew-time <seconds>
    next
end

The possible values for dhcp-renew-time are 300 to 605800 seconds (five minutes to seven days). To use the renew
time that the server provides, set this entry to 0.

FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses

As clients are assigned IP addresses, they send back the information that would be found in an A record to the FortiGate
DHCP server, which can pass it on to a corporate DNS server so that even devices using leased IP addresses can be
reached using FQDNs. You can configure the settings for this feature using the ddns-update CLI command and other
DDNS-related options. See DDNS update override in the DDNS on page 464 topic for further details.

Breaking an address lease

If you need to end an IP address lease, you can break the lease. This is useful if you have limited addresses and longer
lease times when some leases are no longer necessary, for example, with corporate visitors.

To break a lease:

# execute dhcp lease-clear <ip_address>

To break a lease for all IP addresses for the DHCP servers in the current VDOM:

# execute dhcp lease-clear all

Excluding addresses in DHCP

If you have a large address range for the DHCP server, you can block a range of addresses that will not be included in
the available addresses for the connecting users using the config exclude-range subcommand.

To exclude addresses in DHCP:

config system dhcp server
    edit <server_entry_number>
        config exclude-range
            edit <sequence_number>
                set start-ip <address>
                set end-ip <address>
            next
        end
    next
end
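
The Address Range default described in the GUI table, the split ip-range entries in the CLI example (which leave the gateway 192.168.1.2 out of the pool), and the exclude-range subcommand above all shape the same set of assignable addresses. As an added example, not FortiOS code, the following computes that set for a constructed pool and flags ranges that would hand out the interface or gateway address. It assumes the default scope starts one above the interface address and ends at the last usable host of the interface subnet, as the example in the table shows, and that the FortiGate never leases its own interface address; the function names and the 192.168.1.2/24 interface address are the example's own.

```python
"""Model of a FortiOS DHCP server pool: default address range, ip-range
entries, exclude-range entries and reserved addresses. Added example, not
FortiOS code; the details below beyond what the guide states are assumptions."""
import ipaddress
from typing import List, Sequence, Tuple

Range = Tuple[str, str]  # (start-ip, end-ip), inclusive


def default_range(interface_cidr: str) -> Range:
    """Default scope the GUI proposes: interface address + 1 up to the last
    usable host of the subnet (172.20.120.230/24 -> .231 to .254)."""
    iface = ipaddress.ip_interface(interface_cidr)
    start = iface.ip + 1
    end = iface.network.broadcast_address - 1
    if start > end:
        raise ValueError("no addresses remain above the interface address")
    return str(start), str(end)


def _expand(r: Range, net: ipaddress.IPv4Network) -> List[ipaddress.IPv4Address]:
    """All addresses of a range, after checking it is well formed and sits
    inside the interface subnet (the guide requires the range to match it)."""
    start, end = ipaddress.ip_address(r[0]), ipaddress.ip_address(r[1])
    if start > end:
        raise ValueError(f"start-ip {start} is above end-ip {end}")
    if start not in net or end not in net:
        raise ValueError(f"range {start}-{end} lies outside {net}")
    return [ipaddress.ip_address(n) for n in range(int(start), int(end) + 1)]


def available_addresses(interface_cidr: str, ip_ranges: Sequence[Range],
                        exclude_ranges: Sequence[Range] = (),
                        reserved: Sequence[str] = ()) -> List[str]:
    """Addresses the server may lease dynamically: the ip-range entries minus
    exclude-range entries, reserved addresses and (assumption) the
    FortiGate's own interface address."""
    iface = ipaddress.ip_interface(interface_cidr)
    pool: List[ipaddress.IPv4Address] = []
    for r in ip_ranges:
        pool.extend(_expand(r, iface.network))
    excluded = set()
    for r in exclude_ranges:
        excluded.update(_expand(r, iface.network))
    excluded.update(ipaddress.ip_address(a) for a in reserved)
    excluded.add(iface.ip)
    return [str(a) for a in pool if a not in excluded]


def pool_warnings(interface_cidr: str, ip_ranges: Sequence[Range],
                  default_gateway: str = None) -> List[str]:
    """Configuration checks worth running before enabling the server."""
    iface = ipaddress.ip_interface(interface_cidr)
    gw = ipaddress.ip_address(default_gateway) if default_gateway else None
    warnings = []
    for r in ip_ranges:
        addrs = _expand(r, iface.network)
        if iface.ip in addrs:
            warnings.append(f"range {r[0]}-{r[1]} contains the interface address {iface.ip}")
        if gw is not None and gw in addrs:
            warnings.append(f"range {r[0]}-{r[1]} contains the default gateway {gw}")
    return warnings


# Constructed pool mirroring the CLI example above: interface 192.168.1.2/24
# (assumed), two ip-range entries that skip .2, plus an exclude-range.
EXAMPLE_RANGES = [("192.168.1.1", "192.168.1.1"), ("192.168.1.3", "192.168.1.254")]
EXAMPLE_EXCLUDES = [("192.168.1.200", "192.168.1.210")]
```

Running pool_warnings on a single .1 to .254 range with gateway 192.168.1.2 reports the overlap that the split ranges in the CLI example avoid; available_addresses on EXAMPLE_RANGES with EXAMPLE_EXCLUDES returns the 242 addresses actually left for clients.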

Viewing information about DHCP server connections

To view information about DHCP server connections, go to Dashboard > Network and expand the DHCP monitor widget.
On this page, you can also add IP addresses to the reserved IP address list.

DHCP options

When adding a DHCP server, you can include DHCP codes and options. The DHCP options are BOOTP vendor
information fields that provide additional vendor-independent configuration parameters to manage the DHCP server. For
example, you might need to configure a FortiGate DHCP server that gives out a separate option as well as an IP
address, such as an environment that needs to support PXE boot with Windows images.
The option numbers and codes are specific to the application. The documentation for the application indicates the values
to use. The option is a value between 1 and 255.
For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.

Option 82

The DHCP relay agent information option (option 82 in RFC 3046) helps protect the FortiGate against attacks such as
spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.
This option is disabled by default. However, when dhcp-relay-service is enabled, dhcp-relay-agent-option
becomes enabled.

To configure the DHCP relay agent option using the CLI:

config system interface
    edit <interface>
        set vdom root
        set dhcp-relay-service enable
        set dhcp-relay-ip <ip>
        set dhcp-relay-agent-option enable
        set vlanid <id>
    next
end

See IP address assignment with relay agent information option on page 531 for an example.

Option 42

This option specifies a list of the NTP servers available to the client by IP address.

config system dhcp server
    edit 2
        set ntp-service {local | default | specify}
        set ntp-server1 <class_ip>
        set ntp-server2 <class_ip>
        set ntp-server3 <class_ip>
    next
end

The NTP service options include:

• local: The IP address of the interface that the DHCP server is added to becomes the client's NTP server IP address.
• default: Clients are assigned the FortiGate's configured NTP servers.
• specify: Specify up to three NTP servers in the DHCP server configuration.

DHCP server option fields

In place of specific fields, the DHCP server maintains a table for the potential options. The FortiOS DHCP server
supports up to a maximum of 30 custom options. These optional fields are set in the CLI.

To get to the DHCP server:

config system dhcp server
    edit <integer - ID of the specific DHCP server>
        config options
            edit <integer>
                set code <option integer>
                set type {hex | string | ip | fqdn}
                set value <option content for DHCP option types hex and string>
            next
        end
    next
end

IP address assignment with relay agent information option

Option 82 (DHCP relay information option) helps protect the FortiGate against attacks such as spoofing (or forging) of IP
and MAC addresses, and DHCP IP address starvation.

The following CLI variables are included in the config system dhcp server > config reserved-address
command:

circuit-id-type {hex | string}    DHCP option type; hex or string (default).
circuit-id <value>                Option 82 circuit ID of the client that will get the reserved IP address.
                                  Format: vlan-mod-port
                                  • vlan: VLAN ID (2 bytes)
                                  • mod: 1 = snoop, 0 = relay (1 byte)
                                  • port: port number (1 byte)
remote-id-type {hex | string}     DHCP option type; hex or string (default).
remote-id <value>                 Option 82 remote ID of the client that will get the reserved IP address.
                                  Format: the MAC address of the client.
type {mac | option82}             The DHCP reserved address type; mac (default) or option82.

To create an IP address assignment rule using option 82 in the GUI:

1. Go to Network > Interfaces.
2. Edit an existing port, or create a new one.
   The port Role must be LAN or Undefined.
3. Enable DHCP Server.
4. Configure the address ranges and other settings as needed.
5. Click + to expand the Advanced options.
6. In the IP Address Assignment Rules table, click Create New.
   The Create New IP Address Assignment Rule pane opens.
7. Configure the new rule:
   a. For the Type, select DHCP Relay Agent.
   b. Enter the Circuit ID and Remote ID.
   c. Enter the IP address that will be reserved.

8. Click OK.

To create an IP address assignment rule using option 82 with the CLI:

config system dhcp server
    edit 1
        set netmask 255.255.255.0
        set interface "port4"
        config ip-range
            edit 1
                set start-ip 192.168.2.100
                set end-ip 192.168.2.254
            next
        end
        config reserved-address
            edit 1
                set type option82
                set ip 192.168.2.100
                set circuit-id-type hex
                set circuit-id "00010102"
                set remote-id-type hex
                set remote-id "704ca5e477d6"
            next
        end
    next
end
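
To see what the hex circuit-id and remote-id in that reservation correspond to on the wire, the following added example (not FortiOS code) packs the vlan-mod-port circuit ID from the table above, decodes an RFC 3046 option 82 payload into its sub-options, and matches it against a reservation table in the shape of the CLI entry. The sub-option layout (code 1 = Agent Circuit ID, code 2 = Agent Remote ID) is from RFC 3046; the matching rule, the sample packet and all function names are the example's own assumptions. The value "00010102" decodes to VLAN 1, mod 1 (snoop), port 2.

```python
"""Decode DHCP option 82 (relay agent information, RFC 3046) and match it
against option82-type reserved-address entries. Added example, not FortiOS
code: the vlan-mod-port packing follows the format the guide gives; the
matching rule and the constructed sample packet are assumptions."""
import struct
from typing import Dict, List, Optional

SUBOPT_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2    # RFC 3046 Agent Remote ID sub-option


def pack_circuit_id(vlan: int, mod: int, port: int) -> bytes:
    """vlan (2 bytes) + mod (1 byte: 1 = snoop, 0 = relay) + port (1 byte)."""
    if not (0 <= vlan <= 0xFFFF and mod in (0, 1) and 0 <= port <= 0xFF):
        raise ValueError("circuit-id field out of range")
    return struct.pack("!HBB", vlan, mod, port)


def mac_to_remote_id(mac: str) -> str:
    """Client MAC as the 12-hex-digit remote-id string used in the CLI."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_option82(payload: bytes) -> Dict[int, bytes]:
    """Split the option 82 payload into sub-options. Truncated or
    inconsistent lengths are rejected rather than partially matched."""
    subopts: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds payload")
        subopts[code] = value
        i += 2 + length
    return subopts


def match_reservation(payload: bytes, reservations: List[dict]) -> Optional[str]:
    """Return the reserved IP whose circuit-id and remote-id both equal the
    relay agent information carried in the request, else None."""
    subopts = parse_option82(payload)
    circuit = subopts.get(SUBOPT_CIRCUIT_ID, b"").hex()
    remote = subopts.get(SUBOPT_REMOTE_ID, b"").hex()
    for r in reservations:
        if r["type"] != "option82":
            continue
        if r["circuit-id"].lower() == circuit and r["remote-id"].lower() == remote:
            return r["ip"]
    return None


# Reservation table mirroring "config reserved-address" entry 1 above.
RESERVATIONS = [
    {"type": "option82", "ip": "192.168.2.100",
     "circuit-id": "00010102", "remote-id": "704ca5e477d6"},
]

# Constructed option 82 payload as a relay on VLAN 1 (mod 1 = snoop,
# port 2) would insert for a client with MAC 70:4c:a5:e4:77:d6.
SAMPLE_OPTION82 = (
    bytes([SUBOPT_CIRCUIT_ID, 4]) + pack_circuit_id(1, 1, 2)
    + bytes([SUBOPT_REMOTE_ID, 6]) + bytes.fromhex(mac_to_remote_id("70:4c:a5:e4:77:d6"))
)
```

The reservation binds the address to the relay's view of where the request arrived (circuit ID) as well as to the client MAC (remote ID), which is why it resists MAC spoofing better than a plain mac-type reservation: the protection depends on the relay inserting the option itself, so only relays under your control should be allowed to supply it.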

DHCP client options

When an interface is in DHCP addressing mode, DHCP client options can be configured in the CLI. For example, a
vendor class identifier (usually DHCP client option 60) can be specified so that a request can be matched by a specific
DHCP offer.
Multiple options can be configured, but any options not recognized by the DHCP server are discarded.

To configure client option 60 - vendor class identifier:

config system interface
    edit port1
        set vdom vdom1
        set mode dhcp
        config client-options
            edit 1
                set code 60
                set type hex
                set value aabbccdd
            next
        end
        set type physical
        set snmp-index 4
    next
end

Variable                           Description
code <integer>                     DHCP client option code (0 - 255, default = 0). See Dynamic Host Configuration
                                   Protocol (DHCP) and Bootstrap Protocol (BOOTP) Parameters for a list of possible
                                   options.
type {hex | string | ip | fqdn}    DHCP client option type (default = hex).
value <string>                     DHCP client option value.
ip <ip>                            DHCP client option IP address. This option is only available when type is ip.
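
The code, type and value settings in this table, the custom server options under config options, and the NTP servers of option 42 all end up in the same option layout: a one-byte code, a one-byte length and the payload. The added example below (not FortiOS code) encodes an option from those three settings for the hex, string and ip types, so the bytes a client or server will actually send can be checked; the fqdn type is left out, the exact bytes FortiOS itself emits are not claimed, and the function names and sample values are the example's own. It shows in particular that the value aabbccdd from the configuration above is four bytes as type hex but eight bytes as type string, which is the difference that decides whether a server's vendor class match succeeds.

```python
"""Encode DHCP options from FortiOS-style code/type/value settings as
code, length, payload TLVs. Added example, not FortiOS code; covers the
hex, string and ip types only."""
import ipaddress


def encode_option(code: int, type_: str, value: str) -> bytes:
    """Return the option as it would appear in a DHCP message."""
    if not 0 <= code <= 255:
        raise ValueError("option code must be 0-255")
    if type_ == "hex":
        try:
            payload = bytes.fromhex(value)
        except ValueError as exc:
            raise ValueError(f"value {value!r} is not valid hex") from exc
    elif type_ == "string":
        payload = value.encode("ascii")
    elif type_ == "ip":
        # One or more IPv4 addresses separated by spaces, 4 bytes each
        # (for example option 42 built from ntp-server1..3).
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in value.split())
    else:
        raise ValueError(f"unsupported option type {type_!r}")
    if not 0 < len(payload) <= 255:
        raise ValueError("option payload must be 1-255 bytes")
    return bytes([code, len(payload)]) + payload


def option_from_ntp_servers(*servers: str) -> bytes:
    """Option 42 as the 'specify' NTP service would hand out ntp-server1..3."""
    if not 1 <= len(servers) <= 3:
        raise ValueError("specify between one and three NTP servers")
    return encode_option(42, "ip", " ".join(servers))


# Constructed samples: client option 60 from the interface configuration
# above, once as configured (type hex) and once as the same text would be
# sent if the type were mistakenly left as string.
VENDOR_CLASS_HEX = encode_option(60, "hex", "aabbccdd")
VENDOR_CLASS_STRING = encode_option(60, "string", "aabbccdd")
```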

Static routing

Static routing is one of the foundations of firewall configuration. It is a form of routing in which a device uses manually
configured routes. In the most basic setup, a firewall will have a default route to its gateway to provide network access. In
a more complex setup with dynamic routing, ADVPN, or SD-WAN involved, you would still likely find static routes being
deployed.
This section explores concepts in using static routing and provides examples in common use cases:
• Routing concepts on page 535
• Policy routes on page 547
• Equal cost multi-path on page 549
• Dual internet connections on page 553
The following topics include additional information about static routes:
• Deploying the Security Fabric on page 195
• Security Fabric over IPsec VPN on page 214
• Viewing and controlling network risks via topology view on page 193
• Adding a static route on page 681
• NAT mode on page 926
• NAT and transparent mode on page 935
• IPsec VPN in an HA environment on page 1661
• IPsec VPN to Azure with virtual network gateway on page 1583
• FortiGate as dialup client on page 1605
• ADVPN with BGP as the routing protocol on page 1725
• ADVPN with OSPF as the routing protocol on page 1734
• ADVPN with RIP as the routing protocol on page 1743

• Basic site-to-site VPN with pre-shared key on page 1546
• Site-to-site VPN with digital certificate on page 1551
• Site-to-site VPN with overlapping subnets on page 1557
• Tunneled Internet browsing on page 1636
• FortiGate multiple connector support on page 2153
• IPsec aggregate for redundancy and traffic load-balancing on page 1667
• Use MAC addresses in SD-WAN rules and policy routes on page 728
• Using BGP tags with SD-WAN rules on page 764

Routing concepts

This section contains the following topics:

• Default route on page 535
• Adding or editing a static route on page 535
• Configuring FQDNs as a destination address in static routes on page 536
• Routing table on page 537
• Viewing the routing database on page 540
• Kernel routing table on page 540
• Route cache on page 542
• Route look-up on page 542
• Blackhole routes on page 543
• Reverse path look-up on page 544
• Asymmetric routing on page 544
• Routing changes on page 546

Default route

The default route has a destination of 0.0.0.0/0.0.0.0, representing the least specific route in the routing table. It is
the catch-all route that traffic matches when it cannot match a more specific route. Typically this is configured as a
static route with an administrative distance of 10. In most instances, you will configure the next hop interface and the
gateway address pointing to your next hop. If your FortiGate is sitting at the edge of the network, your next hop will be
your ISP gateway. This provides internet access for your network.
Sometimes the default route is configured through DHCP. On some desktop models, the WAN interface is preconfigured
in DHCP mode. Once the WAN interface is plugged into the network modem, it will receive an IP address, default
gateway, and DNS server. FortiGate will add this default route to the routing table with a distance of 5, by default. This
will take precedence over any default static route with a distance of 10. Therefore, use caution when you are configuring
an interface in DHCP mode with Retrieve default gateway from server enabled. You may disable it and/or change
the distance from the Network > Interfaces page when you edit an interface.

Adding or editing a static route

To add a static route using the GUI:

1. Go to Network > Static Routes and click Create New.
2. Enter the following information:

Dynamic Gateway          When enabled, a selected DHCP/PPPoE interface will automatically retrieve its dynamic
                         gateway.

Destination              • Subnet: Enter the destination IP address and netmask. A value of 0.0.0.0/0.0.0.0 creates
                           a default route.
                         • Named Address: Select an address or address group object. Only addresses with static
                           route configuration enabled will appear on the list. This means a geography type address
                           cannot be used.
                         • Internet Service: Select an Internet Service. These are known IP addresses of popular
                           services across the Internet.

Interface                Select the name of the interface that the static route will connect through.

Gateway Address          Enter the gateway IP address. When selecting an IPsec VPN interface or SD-WAN, or when
                         creating a blackhole route, the gateway cannot be specified.

Administrative Distance  Enter the distance value, which will affect which routes are selected first by different
                         protocols for route management or load balancing. The default is 10.

Advanced Options         Optionally, expand Advanced Options and enter a Priority. When two routes have an equal
                         distance, the route with the lower priority number will take precedence. The default is 0.

3. Click OK.

Configuring FQDNs as a destination address in static routes

You can configure FQDN firewall addresses as destination addresses in a static route, using either the GUI or the CLI.
In the GUI, to add an FQDN firewall address to a static route in the firewall address configuration, enable the Static
Route Configuration option. Then, when you configure the static route, set Destination to Named Address.

To configure an FQDN as a destination address in a static route using the CLI:

config firewall address
    edit 'Fortinet-Documentation-Website'
        set type fqdn
        set fqdn docs.fortinet.com
        set allow-routing enable
    next
end
config router static
    edit 0
        set dstaddr Fortinet-Documentation-Website
        ...
    next
end

Routing table

A routing table consists of only the best routes learned from the different routing protocols. The most specific route
always takes precedence. If there is a tie, then the route with a lower administrative distance will be injected into the
routing table. If administrative distances are also equal, then all the routes are injected into the routing table, and Cost
and Priority become the deciding factors on which a route is preferred. If these are also equal, then FortiGate will use
Equal cost multi-path on page 549 to distribute traffic between these routes.

Viewing the routing table in the GUI

You can view routing tables in the FortiGate GUI under Dashboard > Network > Static & Dynamic Routing by default.
Expand the widget to see the full page. Additionally, if you want to convert the widget into a dashboard, click on the Save
as Monitor icon on the top right of the page.
You can also monitor policy routes by toggling from Static & Dynamic to Policy on the top right corner of the page. The
active policy routes include policy routes that you created, SD-WAN rules, and Internet Service static routes. It also
supports downstream devices in the Security Fabric.
The following figure shows an example of the static and dynamic routes in the Routing Monitor:

To view more columns, right-click on the column header to select the columns to be displayed:

Field Description

IP Version Shows whether the route is IPv4 or IPv6.

Network The IP addresses and network masks of destination networks that the FortiGate can reach.

Gateway IP The IP addresses of gateways to the destination networks.

Interfaces The interface through which packets are forwarded to the gateway of the destination network.

Distance The administrative distance associated with the route. A lower value means the route is
preferable compared to other routes to the same destination.

Type The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP):
• Connected: All routes associated with direct connections to FortiGate interfaces
• Static: The static routes that have been added to the routing table manually
• RIP: All routes learned through RIP
• RIPNG: All routes learned through RIP version 6 (which enables the sharing of routes through IPv6 networks)
• BGP: All routes learned through BGP
• OSPF: All routes learned through OSPF
• OSPF6: All routes learned through OSPF version 6 (which enables the sharing of routes through IPv6 networks)
• IS-IS: All routes learned through IS-IS
• HA: RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high
  availability (HA) cluster. HA routes are maintained on subordinate units and are visible only if you're viewing the
  router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual cluster.

Metric The metric associated with the route type. The metric of a route influences how the FortiGate
dynamically adds it to the routing table. The following are types of metrics and the protocols
they are applied to:
• Hop count: Routes learned through RIP
• Relative cost: Routes learned through OSPF
• Multi-Exit Discriminator (MED): Routes learned through BGP. By default, the MED value associated with a BGP
  route is zero. However, the MED value can be modified dynamically. If the value was changed from the default,
  the Metric column displays a non-zero value.

Priority In static routes, priorities are 0 by default. When two routes have an equal distance, the route
with the lower priority number will take precedence.

VRF Virtual routing and forwarding (VRF) allows multiple routing table instances to co-exist. VRF
can be assigned to an Interface. Packets are only forwarded between interfaces with the
same VRF.

Up Since The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has
been reachable.

Viewing the routing table in the CLI

Viewing the routing table using the CLI displays the same routes as you would see in the GUI.
If VDOMs are enabled on the FortiGate, all routing-related CLI commands must be run within a VDOM and not in the
global context.

To view the routing table using the CLI:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 172.31.0.1, MPLS, [1/0] via 192.168.2.1, port1, [1/0] via 192.168.122.1, port2
S       1.2.3.4/32 [10/0] via 172.16.100.81, VLAN100
C       10.10.2.0/24 is directly connected, hub
C       10.10.2.1/32 is directly connected, hub
O       10.10.10.0/24 [110/101] via 192.168.2.1, port1, 01:54:18
C       10.253.240.0/20 is directly connected, wqt.root
S       110.2.2.122/32 [22/0] via 2.2.2.2, port2, [3/3]
C       172.16.50.0/24 is directly connected, WAN1-VLAN50
C       172.16.60.0/24 is directly connected, WAN2-VLAN60
C       172.16.100.0/24 is directly connected, VLAN100
C       172.31.0.0/30 is directly connected, MPLS
C       172.31.0.2/32 is directly connected, MPLS
B       192.168.0.0/24 [20/0] via 172.31.0.1, MPLS, 00:31:43
C       192.168.2.0/24 is directly connected, port1
C       192.168.20.0/24 is directly connected, port3
C       192.168.99.0/24 is directly connected, Port1-VLAN99
C       192.168.122.0/24 is directly connected, port2

Routing table for VRF=10
C       172.16.101.0/24 is directly connected, VLAN101

Examining an entry:

B 192.168.0.0/24 [20/0] via 172.31.0.1, MPLS, 00:31:43

Value Description
B BGP. The routing protocol used.
192.168.0.0/24 The destination of this route, including netmask.
[20/0] 20 indicates an administrative distance of 20 out of a range of 0 to 255. 0 is an
additional metric associated with this route, such as in OSPF.
172.31.0.1 The gateway or next hop.
MPLS The interface that the route uses.

00:31:43 The age of the route in HH:MM:SS.

Viewing the routing database

The routing database consists of all learned routes from all routing protocols before they are injected into the routing
table. This likely lists more routes than the routing table as it consists of routes to the same destinations with different
distances. Only the best routes are injected into the routing table. However, it is useful to see all learned routes for
troubleshooting purposes.

To view the routing database using the CLI:

# get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S    *> 0.0.0.0/0 [1/0] via 172.31.0.1, MPLS
     *> [1/0] via 192.168.2.1, port1
     *> [1/0] via 192.168.122.1, port2
S    *> 1.2.3.4/32 [10/0] via 172.16.100.81, VLAN100
C    *> 10.10.2.0/24 is directly connected, hub
C    *> 10.10.2.1/32 is directly connected, hub
O    *> 10.10.10.0/24 [110/101] via 192.168.2.1, port1, 02:10:17
C    *> 10.253.240.0/20 is directly connected, wqt.root
S    *> 110.2.2.122/32 [22/0] via 2.2.2.2, port2, [3/3]
C    *> 172.16.50.0/24 is directly connected, WAN1-VLAN50
C    *> 172.16.60.0/24 is directly connected, WAN2-VLAN60
C    *> 172.16.100.0/24 is directly connected, VLAN100
O       172.31.0.0/30 [110/201] via 192.168.2.1, port1, 00:47:36
C    *> 172.31.0.0/30 is directly connected, MPLS

Selected routes are marked by the > symbol. In the above example, the OSPF route to destination 172.31.0.0/30 is
not selected.

Kernel routing table

The kernel routing table makes up the actual Forwarding Information Base (FIB) that is used to make forwarding decisions
for each packet. The routes here are often referred to as kernel routes. Parts of this table are derived from the routing
table that is generated by the routing daemon.

To view the kernel routing table using the CLI:

# get router info kernel
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0
    gwy=172.31.0.1 flag=04 hops=0 oif=31(MPLS)
    gwy=192.168.2.1 flag=04 hops=0 oif=3(port1)
    gwy=192.168.122.1 flag=04 hops=0 oif=4(port2)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.122.98/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=192.168.122.1 dev=4(port2)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 172.31.0.2/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=172.31.0.1 dev=31(MPLS)

tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.2.5/255.255.255.255/0->1.1.1.1/32 pref=0.0.0.0 gwy=192.168.2.1 dev=3(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->1.2.3.4/32 pref=0.0.0.0 gwy=172.16.100.81 dev=20(VLAN100)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.122.98/255.255.255.255/0->8.8.8.8/32 pref=0.0.0.0 gwy=192.168.122.1 dev=4(port2)

The kernel routing table entries are:

Value                      Description
tab                        Table number: it will either be 254 (unicast) or 255 (multicast).
vf                         Virtual domain of the firewall: the VDOM index number. If VDOMs are not enabled, this
                           number is 0.
type                       Type of routing connection. Valid values include:
                           • 0 - unspecific
                           • 1 - unicast
                           • 2 - local
                           • 3 - broadcast
                           • 4 - anycast
                           • 5 - multicast
                           • 6 - blackhole
                           • 7 - unreachable
                           • 8 - prohibited
proto                      Type of installation that indicates where the route came from. Valid values include:
                           • 0 - unspecific
                           • 2 - kernel
                           • 11 - ZebOS routing module
                           • 14 - FortiOS
                           • 15 - HA
                           • 16 - authentication based
                           • 17 - HA1
prio                       Priority of the route. Lower priorities are preferred.
->0.0.0.0/0                The IP address and subnet mask of the destination (->x.x.x.x/mask).
pref                       Preferred next hop along this route.
gwy                        Gateway: the address of the gateway this route will use.
dev                        Outgoing interface index: this number is associated with the interface for this route. If
                           VDOMs are enabled, the VDOM is also included here. If an interface alias is set for this
                           interface, it is also displayed here.

Route cache

The route cache contains recently used routing entries in a table. It is consulted before the routing table to speed up the
route look-up process.

To view the route cache using the CLI:

# diagnose ip rtcache list
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
    0.0.0.0@0->208.91.113.230@3(port1) gwy=192.168.2.1 prefsrc=192.168.2.5
    ci: ref=0 lastused=1 expire=0 err=00000000 used=5 br=0 pmtu=1500
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
    192.168.2.5@0->8.8.8.8@3(port1) gwy=192.168.2.1 prefsrc=0.0.0.0
    ci: ref=0 lastused=0 expire=0 err=00000000 used=2 br=0 pmtu=1500
family=02 tab=254 vrf=0 vf=0 type=02 tos=8 flag=80000200
    8.8.8.8@31(MPLS)->172.31.0.2@6(root) gwy=0.0.0.0 prefsrc=172.31.0.2
    ci: ref=1 lastused=0 expire=0 err=00000000 used=0 br=0 pmtu=16436
family=02 tab=254 vrf=0 vf=0 type=02 tos=0 flag=84000200
    192.168.20.6@5(port3)->192.168.20.5@6(root) gwy=0.0.0.0 prefsrc=192.168.20.5
    ci: ref=2 lastused=0 expire=0 err=00000000 used=1 br=0 pmtu=16436
...

The size of the route cache is calculated by the kernel, but can be modified.

To modify the size of the route cache:

config system global
    set max-route-cache-size <number_of_cache_entries>
end

Route look-up

Route look-up typically occurs twice in the life of a session: once when the first packet is sent by the originator, and
once more when the first reply packet is sent by the responder. When a route look-up occurs, the routing information is
written to the session table and the route cache. If routing changes occur during the life of a session, additional route
look-ups may occur.
FortiGate performs a route look-up in the following order:
1. Policy-based routes: If a match occurs and the action is to forward, traffic is forwarded based on the policy route.
2. Route cache: If no policy route matches, FortiGate looks for the route in the route cache.
3. Forwarding Information Base (FIB), otherwise known as the kernel routing table.
4. If no match occurs, the packet is dropped.

Searching the routing table

When there are many routes in your routing table, you can perform a quick search by using the search bar to specify your
criteria, or apply filters on the column header to display only certain routes. For example, if you want to only display static
routes, you may use "static" as the search term, or filter by the Type field with value Static.


Route look-up on the other hand provides a utility for you to enter criteria such as Destination, Destination Port, Source,
Protocol and/or Source Interface, in order to determine the route that a packet will take. Once you click Search, the
corresponding route will be highlighted.
You can also use the CLI for a route look-up. The CLI provides a basic route look-up tool.

To look-up a route in the CLI:

# get router info routing-table details 4.4.4.4
Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  * 172.31.0.1, via MPLS distance 0
  * 192.168.2.1, via port1 distance 0
  * 192.168.122.1, via port2 distance 0

Blackhole routes

Sometimes upon routing table changes, it is not desirable for traffic to be routed to a different gateway. For example, you
may have traffic destined for a remote office routed through your IPsec VPN interface. When the VPN is down, traffic will
try to re-route to another interface. However, this may not be viable and traffic will instead be routed to your default route
through your WAN, which is not desirable. Traffic may also be routed to another VPN, which you do not want. For such
scenarios, it is good to define a blackhole route so that traffic is dropped when your desired route is down. Upon
reconnection, your desired route is once again added to the routing table and your traffic will resume routing to your
desired interface. For this reason, blackhole routes are created when you configure an IPsec VPN using the IPsec
wizard.

For FortiOS 6.4.9 and above, SSL VPN web mode and explicit web proxy features will not
work with the following configuration:
1. An IP pool with ARP reply enabled is configured.
2. This IP pool is configured as the source IP address in either a firewall policy for SSL VPN
web mode or in a proxy policy for explicit web proxy.
3. A matching blackhole route is configured for IP pool reply traffic.
Configuring an IP pool as the source NAT IP address in a regular firewall policy works as
before.
See IP pools and blackhole route configuration on page 1131 for details.

To create a blackhole route in the GUI:

1. Go to Network > Static Routes.
2. Click Create New. The New Static Route screen appears.
3. Specify a Destination type.
4. Select Blackhole from the Interface field.
5. Type the desired Administrative Distance.
6. Click OK.

Route priority for a Blackhole route can only be configured from the CLI.


Reverse path look-up

Whenever a packet arrives at one of the interfaces on a FortiGate, the FortiGate determines whether the packet was
received on a legitimate interface by doing a reverse look-up using the source IP address in the packet header. This
protects against IP spoofing attacks. If the FortiGate does not have a route to the source IP address through the interface
on which the packet was received, the FortiGate drops the packet as per Reverse Path Forwarding (RPF) check. There
are two modes of RPF – feasible path and strict. The default feasible RPF mode checks only for the existence of at least
one active route back to the source using the incoming interface. The strict RPF check ensures the best route back to the
source is used as the incoming interface.

To configure a strict Reverse Path Forwarding check in the CLI:

config system settings
    set strict-src-check enable
end

You can remove RPF state checks without needing to enable asymmetric routing by disabling state checks for traffic
received on specific interfaces. Disabling state checks makes a FortiGate less secure and should only be done with
caution for troubleshooting purposes.

To remove Reverse Path Forwarding checks from the state evaluation process in the CLI:

config system interface
    edit <interface_name>
        set src-check disable
    next
end
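The look-up order described above (policy routes, route cache, FIB, drop) and the two RPF modes can be made concrete with a small Python model. This is an added example, not FortiOS code: the interface names, routes, addresses and policy route are constructed, and `Fib`, `route_lookup` and `rpf_check` are the model's own names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    gwy: Optional[str] = None
    distance: int = 10   # only the lowest distance per prefix is installed in the table
    priority: int = 0    # tie-breaker among installed routes; lower is preferred


@dataclass
class PolicyRoute:
    input_device: str
    output_device: str
    gateway: Optional[str] = None   # None: the gateway is taken from the routing table
    protocol: Optional[int] = None  # None: any protocol
    start_port: int = 0
    end_port: int = 65535


@dataclass
class Packet:
    src: str
    dst: str
    in_dev: str
    protocol: int = 6
    dport: int = 80


class Fib:
    """Routing table built from configured routes (constructed model, not FortiOS code)."""
    def __init__(self, routes):
        self.routes = list(routes)

    def installed(self):
        # For each prefix only the lowest-distance routes make it into the routing table.
        best = {}
        for r in self.routes:
            best[r.dst] = min(best.get(r.dst, r.distance), r.distance)
        return [r for r in self.routes if r.distance == best[r.dst]]

    def matches(self, addr):
        """Installed routes covering addr, best first: longest prefix, then lowest priority."""
        a = ipaddress.ip_address(addr)
        hits = [r for r in self.installed() if a in r.dst]
        return sorted(hits, key=lambda r: (-r.dst.prefixlen, r.priority))


def rpf_check(pkt, fib, strict=False):
    """Feasible (default): some installed route back to src uses the incoming interface (a
    default route counts). Strict (strict-src-check enable): the best route back must."""
    back = fib.matches(pkt.src)
    if not back:
        return False
    if strict:
        return back[0].dev == pkt.in_dev
    return any(r.dev == pkt.in_dev for r in back)


def route_lookup(pkt, policy_routes, cache, fib):
    """Returns (stage, out_dev, gateway); stage records which step decided the route."""
    # 1. Policy routes, top of the list first.
    for pr in policy_routes:
        if (pr.input_device != pkt.in_dev
                or (pr.protocol is not None and pr.protocol != pkt.protocol)
                or not pr.start_port <= pkt.dport <= pr.end_port):
            continue
        if pr.gateway is not None:
            return ("policy", pr.output_device, pr.gateway)
        # No gateway configured: the policy route matches only if the routing table holds an
        # installed route to dst out of its outgoing interface; otherwise keep searching.
        via = [r for r in fib.matches(pkt.dst) if r.dev == pr.output_device]
        if via:
            return ("policy", pr.output_device, via[0].gwy)
    # 2. Route cache of recently used destinations.
    if pkt.dst in cache:
        return ("cache",) + cache[pkt.dst]
    # 3. Forwarding Information Base (kernel routing table); the result is cached.
    best = fib.matches(pkt.dst)
    if not best:
        return ("drop", None, None)   # 4. no route at all: the packet is dropped
    cache[pkt.dst] = (best[0].dev, best[0].gwy)
    return ("fib", best[0].dev, best[0].gwy)


def build_sample():
    """Constructed topology: two equal-distance defaults (port1 preferred by priority), a
    higher-distance backup default, a connected LAN and a static route over MPLS."""
    fib = Fib([
        Route(ipaddress.ip_network("0.0.0.0/0"), "port1", "192.168.2.1", 10, 0),
        Route(ipaddress.ip_network("0.0.0.0/0"), "port2", "192.168.122.1", 10, 5),
        Route(ipaddress.ip_network("0.0.0.0/0"), "port3", "10.99.0.1", 20, 0),
        Route(ipaddress.ip_network("10.10.10.0/24"), "internal", None, 0),
        Route(ipaddress.ip_network("192.168.20.0/24"), "toMPLS", "172.31.0.2"),
    ])
    # FTP from the LAN is steered out port2; everything else follows the routing table.
    policy = [PolicyRoute("internal", "port2", "192.168.122.1", protocol=6,
                          start_port=21, end_port=21)]
    return fib, policy
```

Note that in feasible mode a spoofed LAN source arriving on a WAN interface passes, because the default route on that interface is "a route back to the source"; only strict mode rejects it.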

Asymmetric routing

Asymmetric routing occurs when request and response packets follow different paths that do not cross the same firewall.
In the following topology, traffic between PC1 and PC2 takes two different paths.

Traffic from PC1 to PC2 goes through the FortiGate, while traffic from PC2 to PC1 does not.
In TCP, if the packets in the request and response directions follow different paths, the FortiGate will block the packets,
since the TCP three-way handshake is not established through the FortiGate.


Scenario 1: PC1 starts a TCP connection with PC2

1. The TCP SYN is allowed by the FortiGate.
2. The TCP SYN/ACK bypasses the FortiGate.
3. The TCP ACK is blocked by the FortiGate.
4. Subsequent TCP packets are blocked by the FortiGate.

Scenario 2: PC2 starts a TCP connection with PC1

1. The TCP SYN bypasses the FortiGate.
2. The TCP SYN/ACK is blocked by the FortiGate.
3. Subsequent TCP packets are blocked by the FortiGate.

In ICMP, consider the following scenarios.

Scenario 1: PC1 pings PC2

1. The ICMP request passes through the FortiGate. A session is created.
2. The ICMP reply bypasses the FortiGate, but reaches PC1. The ping is successful.
3. The ICMP request passes through the FortiGate, and it matches the previous session.
4. The ICMP reply bypasses the FortiGate, but it reaches PC1. The ping is successful.
5. Subsequent ICMP requests are allowed by the FortiGate.

Scenario 2: PC2 pings PC1

1. The ICMP request bypasses the FortiGate, but it reaches PC1.
2. The ICMP reply passes through the FortiGate. No session is matched, and the packet is dropped.
3. Subsequent ICMP replies are blocked by the FortiGate.

If an ICMP request does not pass through the FortiGate, but the response passes through the FortiGate, then by default
it blocks the packet as invalid.

Permitting asymmetric routing

If required, the FortiGate can be configured to permit asymmetric routing.

To permit asymmetric routing:

config system settings
    set asymroute enable
end

This setting should be used only when the asymmetric routing issue cannot be resolved by ensuring both directions of
traffic pass through the FortiGate.
When asymmetric routing is enabled and occurs, the FortiGate cannot inspect all traffic. Potentially malicious traffic may
pass through and compromise the security of the network.
Asymmetric routing behaves as follows when it is permitted by the FortiGate:


TCP packets

Scenario 1: PC1 starts a TCP connection with PC2

1. The TCP SYN is allowed by the FortiGate. The FortiGate creates a session, checks the firewall policies, and applies
the configuration from the matching policy (UTM inspection, NAT, traffic shaping, and so on).
2. The TCP SYN/ACK bypasses the FortiGate.
3. The TCP ACK is allowed by the FortiGate. The packet matches the previously created session.
4. Subsequent TCP packets are allowed by the FortiGate. The packets in the session can also be offloaded where
applicable.

Scenario 2: PC2 starts a TCP connection with PC1

1. The TCP SYN bypasses the FortiGate.
2. The TCP SYN/ACK is allowed by the FortiGate. No session is matched. The packet passes to the CPU and is
   forwarded based on the routing table.
3. The TCP ACK bypasses the FortiGate.
4. Subsequent TCP packets are allowed by the FortiGate. The FortiGate acts as a router that only makes routing
   decisions. No security inspection is performed.

ICMP packets

Scenario 1: PC1 pings PC2

1. There is no difference from when asymmetric routing is disabled.

Scenario 2: PC2 pings PC1

1. The ICMP request bypasses the FortiGate, but it reaches PC1.
2. The ICMP reply passes through the FortiGate. No session is matched. The packet passes to the CPU and is
   forwarded based on the routing table.
3. Subsequent ICMP replies are allowed by the FortiGate. The FortiGate acts as a router that only makes routing
   decisions. No security inspection is performed.

UDP packets

Asymmetric routing does not affect UDP packets. UDP packets are checked by the session table regardless of
asymmetric routing. A policy is required to allow UDP.
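The TCP, ICMP and UDP scenarios above, with asymroute disabled and enabled, as an added Python model of the FortiGate's session-table decisions (not FortiOS code). PC1, PC2, the verdict strings and `FortiGateModel` are constructed for this example; packets that take the path around the FortiGate simply never reach the model.

```python
from dataclasses import dataclass

# Verdicts the model can return for a packet that reaches the FortiGate.
ALLOW_NEW = "allowed: session created, policy applied"
ALLOW_MATCH = "allowed: matches existing session"
FORWARD_ONLY = "forwarded: no session, routed without inspection (asymroute)"
BLOCK_NO_SESSION = "blocked: no session for this packet"
BLOCK_STATE = "blocked: TCP handshake not seen by the FortiGate"
BLOCK_POLICY = "blocked: no policy allows UDP"


@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    kind: str = ""    # tcp: "SYN", "SYN/ACK", "ACK"; icmp: "request", "reply"


class FortiGateModel:
    """Session-table decisions for packets that traverse the FortiGate (constructed model)."""

    def __init__(self, asymroute=False, udp_policy=True):
        self.asymroute = asymroute
        self.udp_policy = udp_policy
        self.sessions = {}   # (proto, endpoint pair) -> {"state": ..., "originator": ...}

    @staticmethod
    def _key(p):
        return (p.proto,) + tuple(sorted((p.src, p.dst)))

    def handle(self, p):
        k = self._key(p)
        sess = self.sessions.get(k)
        if p.proto == "tcp":
            return self._tcp(p, k, sess)
        if p.proto == "icmp":
            return self._icmp(p, k, sess)
        return self._udp(p, k, sess)

    def _tcp(self, p, k, sess):
        if sess is None:
            if p.kind == "SYN":
                self.sessions[k] = {"state": "SYN_SENT", "originator": p.src}
                return ALLOW_NEW
            # Mid-connection packet with no session: routed only when asymroute is enabled.
            return FORWARD_ONLY if self.asymroute else BLOCK_NO_SESSION
        if p.kind == "SYN/ACK" and p.src != sess["originator"]:
            sess["state"] = "SYN_RECV"   # the reply came back through the FortiGate
            return ALLOW_MATCH
        if sess["state"] == "SYN_SENT" and not self.asymroute:
            return BLOCK_STATE           # the SYN/ACK went around the FortiGate
        sess["state"] = "ESTABLISHED"
        return ALLOW_MATCH

    def _icmp(self, p, k, sess):
        if p.kind == "request":
            if sess is None:
                self.sessions[k] = {"state": "ICMP", "originator": p.src}
                return ALLOW_NEW
            return ALLOW_MATCH
        if sess is not None:
            return ALLOW_MATCH
        # A reply whose request bypassed the FortiGate is invalid unless asymroute is on.
        return FORWARD_ONLY if self.asymroute else BLOCK_NO_SESSION

    def _udp(self, p, k, sess):
        # UDP is matched against the session table and policies regardless of asymroute.
        if sess is not None:
            return ALLOW_MATCH
        if not self.udp_policy:
            return BLOCK_POLICY
        self.sessions[k] = {"state": "UDP", "originator": p.src}
        return ALLOW_NEW


def run(packets, asymroute=False, udp_policy=True):
    """Feed the packets that reach the FortiGate, in order, and collect the verdicts."""
    fgt = FortiGateModel(asymroute, udp_policy)
    return [fgt.handle(p) for p in packets]


# Constructed traces: only packets that traverse the FortiGate appear. As in the topology
# above, PC2 -> PC1 traffic takes the other path and is absent.
PC1, PC2 = "10.1.1.10", "10.2.2.20"
TCP_PC1_STARTS = [Pkt("tcp", PC1, PC2, "SYN"), Pkt("tcp", PC1, PC2, "ACK"), Pkt("tcp", PC1, PC2, "ACK")]
TCP_PC2_STARTS = [Pkt("tcp", PC1, PC2, "SYN/ACK"), Pkt("tcp", PC1, PC2, "ACK")]
ICMP_PC1_PINGS = [Pkt("icmp", PC1, PC2, "request"), Pkt("icmp", PC1, PC2, "request")]
ICMP_PC2_PINGS = [Pkt("icmp", PC1, PC2, "reply"), Pkt("icmp", PC1, PC2, "reply")]
UDP_PC1_SENDS = [Pkt("udp", PC1, PC2), Pkt("udp", PC1, PC2)]
```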

Routing changes

When routing changes occur, routing look-up may occur on an existing session depending on certain configurations.

Routing changes without SNAT

When a routing change occurs, FortiGate flushes all routing information from the session table and performs new routing
look-up for all new packets on arrival by default. You can modify the default behavior using the following commands:
config system interface
    edit <interface>
        set preserve-session-route enable
    next
end

By enabling preserve-session-route, the FortiGate marks existing session routing information as persistent.
Therefore, routing look-up only occurs on new sessions.

Routing changes with SNAT

When SNAT is enabled, the default behavior is opposite to that of when SNAT is not enabled. After a routing change
occurs, sessions with SNAT keep using the same outbound interface as long as the old route is still active. This may be
the case if the priority of the static route was changed. You can modify this default behavior using the following
commands:
config system global
    set snat-route-change enable
end

By enabling snat-route-change, sessions with SNAT will require new route look-up when a routing change occurs.
This will apply a new SNAT to the session.

Policy routes

Policy routing allows you to specify an interface to route traffic. This is useful when you need to route certain types of
network traffic differently than you would if you were using the routing table. You can use the incoming traffic's protocol,
source or destination address, source interface, or port number to determine where to send the traffic.
When a packet arrives, the FortiGate starts at the top of the policy route list and attempts to match the packet with a
policy. For a match to be found, the policy must contain enough information to route the packet. At a minimum, this
requires the outgoing interface to forward the traffic, and the gateway to route the traffic to. If one or both of these are not
specified in the policy route, then the FortiGate searches the routing table to find the best active route that corresponds
to the policy route. If no routes are found in the routing table, then the policy route does not match the packet. The
FortiGate continues down the policy route list until it reaches the end. If no matches are found, then the FortiGate does a
route lookup using the routing table.

Policy routes are sometimes referred to as Policy-based routes (PBR).

Configuring a policy route

In this example, a policy route is configured to send all FTP traffic received at port1 out through port4 and to a next hop
router at 172.20.120.23. To route FTP traffic, the protocol is set to TCP (6) and the destination ports are set to 21 (the
FTP port).

To configure a policy route in the GUI:

1. Go to Network > Policy Routes.
2. Click Create New > Policy Route.

3. Configure the following fields:

Incoming interface port1

Source Address 0.0.0.0/0.0.0.0

Destination Address 0.0.0.0/0.0.0.0

Protocol TCP

Destination ports 21 - 21

Type of service 0x00

Bit Mask 0x00

Outgoing interface Enable and select port4

Gateway address 172.20.120.23

4. Click OK.

To configure a policy route in the CLI:

config router policy
    edit 1
        set input-device "port1"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 21
        set end-port 21
        set gateway 172.20.120.23
        set output-device "port4"
        set tos 0x00
        set tos-mask 0x00
    next
end


Moving a policy route

A routing policy is added to the bottom of the table when it is created. Routing policies can be moved to a different
location in the table to change the order of preference. In this example, routing policy 3 will be moved before routing
policy 2.

To move a policy route in the GUI:

1. Go to Network > Policy Routes.
2. In the table, select the policy route.
3. Drag the selected policy route to the desired position.

To move a policy route in the CLI:

config router policy
    move 3 after 1
end

Equal cost multi-path

Equal cost multi-path (ECMP) is a mechanism that allows a FortiGate to load-balance routed traffic over multiple
gateways. Just like routes in a routing table, ECMP is considered after policy routing, so any matching policy routes will
take precedence over ECMP.
ECMP pre-requisites are as follows:
• Routes must have the same destination and costs. In the case of static routes, costs include distance and priority.
• Routes are sourced from the same routing protocol. Supported protocols include static routing, OSPF, and BGP.

ECMP and SD-WAN implicit rule

ECMP and the SD-WAN implicit rule are essentially similar: the SD-WAN implicit rule is processed after the SD-WAN
service rules, just as ECMP is considered after policy routes. See Implicit rule on page 714 to learn more.
The following table summarizes the different load-balancing algorithms supported by each:


ECMP                  SD-WAN (GUI)           SD-WAN (CLI)            Description

source-ip-based       Source IP              source-ip-based         Traffic is divided equally between the interfaces.
                                                                     Sessions that start at the same source IP address
                                                                     use the same path. This is the default selection.

weight-based          Sessions               weight-based            The workload is distributed based on the number of
                                                                     sessions that are connected through the interface.
                                                                     The weight that you assign to each interface is used
                                                                     to calculate the percentage of the total sessions
                                                                     allowed to connect through an interface, and the
                                                                     sessions are distributed to the interfaces accordingly.

usage-based           Spillover              usage-based             The interface is used until the traffic bandwidth
                                                                     exceeds the ingress and egress thresholds that you
                                                                     set for that interface. Additional traffic is then
                                                                     sent through the next interface member.

source-dest-ip-based  Source-Destination IP  source-dest-ip-based    Traffic is divided equally between the interfaces.
                                                                     Sessions that start at the same source IP address
                                                                     and go to the same destination IP address use the
                                                                     same path.

Not supported         Volume                 measured-volume-based   This mode is supported in SD-WAN only. The workload
                                                                     is distributed based on the number of packets that
                                                                     are going through the interface.

To configure the ECMP algorithm from the CLI:

• At the VDOM level:
    config system settings
        set v4-ecmp-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based}
    end
• If SD-WAN is enabled, the above option is not available and ECMP is configured under the SD-WAN settings:
    config system sdwan
        set sdwan enable
        set load-balance-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
    end

For ECMP in IPv6, the mode must also be configured under SD-WAN. The mode in effect is shown in the ecmp and ecmp6
fields of the diagnose sys vd list output:

# diagnose sys vd list
system fib version=63
list virtual firewall info:
name=root/root index=0 enabled fib_ver=40 use=168 rt_num=46 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-ip-based, ecmp6=source-ip-based asym_rt6=0 rt6_num=55 strict_src_check=0 dns_log=1 ses_num=20 ses6_num=0 pkt_num=19154477

To change the number of paths allowed by ECMP:

config system settings
    set ecmp-max-paths <number of paths>
end

Setting ecmp-max-paths to the lowest value of 1 is equivalent to disabling ECMP.

ECMP configuration examples

The following examples demonstrate the behavior of ECMP in different scenarios:


• Example 1: Default ECMP on page 551
• Example 2: Same distance, different priority on page 552
• Example 3: Weight-based ECMP on page 552
• Example 4: Load-balancing BGP routes on page 553

Example 1: Default ECMP


config router static
    edit 1
        set gateway 172.16.151.1
        set device "port1"
    next
    edit 2
        set gateway 192.168.2.1
        set device "port2"
    next
end

# get router info routing-table all
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.151.1, port1
                  [10/0] via 192.168.2.1, port2
C       172.16.151.0/24 is directly connected, port1
C       192.168.2.0/24 is directly connected, port2


Result:

Both routes are added to the routing table and load-balanced based on the source IP.

Example 2: Same distance, different priority


config router static
    edit 1
        set gateway 172.16.151.1
        set priority 5
        set device "port1"
    next
    edit 2
        set gateway 192.168.2.1
        set device "port2"
    next
end

# get router info routing-table all
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.168.2.1, port2
                  [10/0] via 172.16.151.1, port1, [5/0]
C       172.16.151.0/24 is directly connected, port1
C       192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table, but traffic is routed to port2, which has the lower priority value (the default of 0).

Example 3: Weight-based ECMP


config router static
    edit 3
        set dst 10.10.30.0 255.255.255.0
        set weight 80
        set device "vpn2HQ1"
    next
    edit 5
        set dst 10.10.30.0 255.255.255.0
        set weight 20
        set device "vpn2HQ2"
    next
end

# get router info routing-table all
Routing table for VRF=0
...
S       10.10.30.0/24 [10/0] is directly connected, vpn2HQ1, [0/80]
                      [10/0] is directly connected, vpn2HQ2, [0/20]
C       172.16.151.0/24 is directly connected, port1
C       192.168.0.0/24 is directly connected, port3
C       192.168.2.0/24 is directly connected, port2


Result:

Both routes are added to the routing table, but 80% of the sessions to 10.10.30.0/24 are routed to vpn2HQ1, and
20% are routed to vpn2HQ2.

Example 4: Load-balancing BGP routes


config router bgp
    set as 64511
    set router-id 192.168.2.86
    set ebgp-multipath enable
    config neighbor
        edit "192.168.2.84"
            set remote-as 64512
        next
        edit "192.168.2.87"
            set remote-as 64512
        next
    end
end

# get router info routing-table all
Routing table for VRF=0
...
C       172.16.151.0/24 is directly connected, port1
C       192.168.0.0/24 is directly connected, port3
C       192.168.2.0/24 is directly connected, port2
B       192.168.80.0/24 [20/0] via 192.168.2.84, port2, 00:00:33
                        [20/0] via 192.168.2.87, port2, 00:00:33

Result:

The network 192.168.80.0/24 is advertised by two BGP neighbors. Both routes are added to the routing table, and
traffic is load-balanced based on Source IP.
For multiple BGP paths to be added to the routing table, you must enable ebgp-multipath for eBGP or ibgp-multipath
for iBGP. These settings are disabled by default.
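The selection rules shown in Examples 1 to 3 (lowest distance is installed, lowest priority is best, equal priority load-balances) together with the source-ip-based and weight-based algorithms from the table above, as an added Python model rather than FortiOS code. The route sets mirror the examples, the dual-WAN routes and their gateways are constructed, SHA-256 stands in for the kernel's hash, and `EcmpSelector` is the model's own name.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class StaticRoute:
    device: str
    gateway: str = ""
    distance: int = 10   # administrative distance: only the lowest is installed
    priority: int = 0    # among installed routes the lowest is best; equal values load-balance
    weight: int = 0      # share of sessions for weight-based ECMP


def installed(routes):
    """Routing-table view of the routes to one prefix: only the lowest distance is installed."""
    d = min(r.distance for r in routes)
    return [r for r in routes if r.distance == d]


def ecmp_paths(routes, max_paths=255):
    """Installed routes sharing the lowest priority value; these are the ECMP members. Routes
    with a higher priority value stay in the table but carry no traffic. max_paths models
    ecmp-max-paths (a value of 1 disables ECMP)."""
    inst = installed(routes)
    p = min(r.priority for r in inst)
    return [r for r in inst if r.priority == p][:max_paths]


class EcmpSelector:
    """Chooses the egress for each new session with one of the v4-ecmp-mode algorithms.
    Constructed model, not FortiOS code: SHA-256 stands in for the kernel's hash."""

    def __init__(self, routes, mode="source-ip-based", max_paths=255):
        self.mode = mode
        self.paths = ecmp_paths(routes, max_paths)
        self.sessions = Counter()   # sessions currently assigned to each interface

    def select(self, src, dst):
        if self.mode == "weight-based":
            # The next session goes to the member furthest below its weighted share.
            r = min(self.paths,
                    key=lambda r: (Fraction(self.sessions[r.device], max(r.weight, 1)), r.device))
        else:
            # source-ip-based hashes the source only, so one source always takes one path;
            # source-dest-ip-based hashes the source/destination pair.
            key = src if self.mode == "source-ip-based" else f"{src}->{dst}"
            h = int(hashlib.sha256(key.encode()).hexdigest(), 16)
            r = self.paths[h % len(self.paths)]
        self.sessions[r.device] += 1
        return r.device

    def distribute(self, flows):
        """Assign a sequence of (src, dst) sessions and return the per-interface counts."""
        for src, dst in flows:
            self.select(src, dst)
        return dict(self.sessions)


# Constructed route sets mirroring Examples 1 to 3 above.
EXAMPLE1 = [StaticRoute("port1", "172.16.151.1"), StaticRoute("port2", "192.168.2.1")]
EXAMPLE2 = [StaticRoute("port1", "172.16.151.1", priority=5), StaticRoute("port2", "192.168.2.1")]
EXAMPLE3 = [StaticRoute("vpn2HQ1", weight=80), StaticRoute("vpn2HQ2", weight=20)]
# Dual WAN with different distances: wan2 is not installed while the wan1 route exists.
DUAL_WAN = [StaticRoute("wan1", "198.51.100.1", 10), StaticRoute("wan2", "203.0.113.1", 20)]
```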

Dual internet connections

Dual internet connections, also referred to as dual WAN or redundant internet connections, refers to using two FortiGate
interfaces to connect to the Internet. This is generally accomplished with SD-WAN, but this legacy solution provides the
means to configure dual WAN without using SD-WAN. You can use dual internet connections in several ways:
• Link redundancy: If one interface goes down, the second interface automatically becomes the main connection.
• Load sharing: This ensures better throughput.
• Use a combination of link redundancy and load sharing.


This section describes the following dual internet connection scenarios:


• Scenario 1: Link redundancy and no load-sharing on page 554
• Scenario 2: Load-sharing and no link redundancy on page 556
• Scenario 3: Link redundancy and load-sharing on page 558

Scenario 1: Link redundancy and no load-sharing

Link redundancy ensures that if your Internet access is no longer available through a certain port, the FortiGate uses an
alternate port to connect to the Internet.
In this scenario, two interfaces, WAN1 and WAN2, are connected to the Internet using two different ISPs. WAN1 is the
primary connection. In the event of a failure of WAN1, WAN2 automatically becomes the connection to the Internet. For
this configuration to function correctly, you must configure the following settings:
• Link health monitor on page 554: To determine when the primary interface (WAN1) is down and when the
  connection returns.
• Routing on page 555: Configure a default route for each interface.
• Security policies on page 556: Configure security policies to allow traffic through each interface to the internal
  network.

Link health monitor

Adding a link health monitor is required for routing failover traffic. A link health monitor confirms the device interface
connectivity by probing a gateway or server at regular intervals to ensure it is online and working. When the server is not
accessible, that interface is marked as down.
Set the interval (how often to send a ping) and failtime (how many lost pings are considered a failure). A smaller
interval value and smaller number of lost pings results in faster detection, but creates more traffic on your network.
The link health monitor supports both IPv4 and IPv6, and various other protocols including ping, tcp-echo, udp-echo,
http, and twamp.


To add a link health monitor (IPv4) using the CLI:

config system link-monitor
    edit <link-monitor-name>
        set addr-mode ipv4
        set srcintf <interface-name>
        set server <server-IP-address>
        set protocol {ping tcp-echo udp-echo http twamp}
        set gateway-ip <gateway-IP-address>
        set interval <seconds>
        set failtime <retry-attempts>
        set recoverytime <number-of-successful-responses>
        set status enable
    next
end

Option                                             Description

set update-cascade-interface {enable | disable}    This option is used in conjunction with the fail-detect and fail-alert
                                                   options in interface settings to cascade the link failure down to
                                                   another interface. See the Bring other interfaces down when link
                                                   monitor fails KB article for details.

set update-static-route {enable | disable}         When the link fails, all static routes associated with the interface
                                                   are removed.
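The interval/failtime/recoverytime behavior and the effect of update-static-route described above, as an added Python model (not FortiOS code). The wan1/wan2 default routes and gateways, the outage window and the monitor name are constructed for this example, and `LinkMonitor` is the model's own name.

```python
from dataclasses import dataclass, field


@dataclass
class LinkMonitor:
    """One link health monitor probing a gateway from srcintf (constructed model)."""
    name: str
    srcintf: str
    interval: int = 5          # seconds between probes
    failtime: int = 5          # consecutive lost probes before the link is marked down
    recoverytime: int = 5      # consecutive good probes before it is marked up again
    update_static_route: bool = True
    is_up: bool = True
    fails: int = 0
    oks: int = 0
    events: list = field(default_factory=list)   # (time, "down" | "up") transitions

    def probe(self, t, success):
        """Record one probe result taken at time t seconds; returns the link state."""
        if success:
            self.fails, self.oks = 0, self.oks + 1
            if not self.is_up and self.oks >= self.recoverytime:
                self.is_up = True
                self.events.append((t, "up"))
        else:
            self.oks, self.fails = 0, self.fails + 1
            if self.is_up and self.fails >= self.failtime:
                self.is_up = False
                self.events.append((t, "down"))
        return self.is_up


@dataclass(frozen=True)
class StaticRoute:
    dst: str
    device: str
    gateway: str
    distance: int


def active_routes(routes, monitors):
    """Static routes still present: a failed monitor with update-static-route enabled removes
    every static route bound to its interface."""
    down = {m.srcintf for m in monitors if not m.is_up and m.update_static_route}
    return [r for r in routes if r.device not in down]


def best_default(routes, monitors):
    """Interface of the lowest-distance default route currently in the table, or None."""
    defaults = [r for r in active_routes(routes, monitors) if r.dst == "0.0.0.0/0"]
    return min(defaults, key=lambda r: r.distance).device if defaults else None


def simulate(monitor, routes, outage, duration):
    """Probe every `interval` seconds for `duration` seconds; the probed gateway is unreachable
    during the half-open window outage=(start, end). Returns the (time, default interface)
    transitions that traffic would see."""
    start, end = outage
    history, last = [], None
    for t in range(0, duration + 1, monitor.interval):
        monitor.probe(t, not start <= t < end)
        dev = best_default(routes, [monitor])
        if dev != last:
            history.append((t, dev))
            last = dev
    return history


def detection_cost(interval, failtime):
    """Worst-case seconds to declare a link down, and probes sent per hour: the trade-off
    between fast failover and monitoring traffic described above."""
    return interval * failtime, 3600 // interval


# Constructed dual WAN from Scenario 1: wan1 preferred by distance, wan2 as the backup.
DUAL_WAN = [StaticRoute("0.0.0.0/0", "wan1", "198.51.100.1", 10),
            StaticRoute("0.0.0.0/0", "wan2", "203.0.113.1", 20)]
```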

Routing

You must configure a default route for each interface and indicate your preferred route as follows:
• Specify different distances for the two routes. The lower of the two distance values is declared active and placed in
  the routing table.
  OR
• Specify the same distance for the two routes, but give a higher priority to the route you prefer by defining a lower
  value. Both routes will be added to the routing table, but the route with a higher priority will be chosen as the best
  route.
In the following example, we will use the first method to configure different distances for the two routes. You might not be
able to connect to the backup WAN interface because the FortiGate does not route traffic out of the backup interface.
The FortiGate performs a reverse path look-up to prevent spoofed traffic. If an entry cannot be found in the routing table
that sends the return traffic out through the same interface, the incoming traffic is dropped.

To configure the routing of the two interfaces using the GUI:

1. Go to Network > Static Routes, and click Create New.
2. Enter the following information:

   Destination                For an IPv4 route, enter a subnet of 0.0.0.0/0.0.0.0.
                              For an IPv6 route, enter a subnet of ::/0.
   Interface                  Select the primary connection. For example, wan1.
   Gateway Address            Enter the gateway address.
   Administrative Distance    Leave as the default of 10.

3. Click OK.
4. Repeat the above steps to set Interface to wan2 and Administrative Distance to 20.

To configure the routing of the two interfaces using the CLI:

config router {static | static6}
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 20
    next
end

Security policies

When you create security policies, you need to configure duplicate policies to ensure that after traffic fails over WAN1,
regular traffic is allowed to pass through WAN2, as it did with WAN1. This ensures that failover occurs with minimal effect
to users.

Scenario 2: Load-sharing and no link redundancy

Load sharing can be accomplished in many ways, including the following:
• By defining a preferred route with a lower distance, and specifying policy routes to route certain traffic to the
  secondary interface.
• By defining routes with the same distance values but different priorities, and specifying policy routes to route certain
  traffic to the secondary interface.
• By defining routes with the same distance values and priorities, and using equal-cost multi-path (ECMP) routing to
  equally distribute traffic between the WAN interfaces.
In this example, the first option is used. Because link redundancy is not required in this scenario, you do not have to
configure a link monitor.

Traffic behavior without a link monitor is as follows:
• If the remote gateway is down but the primary WAN interface of a FortiGate is still up, the FortiGate will continue to
  route traffic to the primary WAN. This results in traffic interruptions.
• If the primary WAN interface of a FortiGate is down due to physical link issues, the FortiGate will remove routes to it
  and the secondary WAN routes will become active. Traffic will fail over to the secondary WAN.


Routing

Configure routing as you did in Scenario 1: Link redundancy and no load-sharing on page 554 above.

Policy routes

By configuring policy routes, you can redirect specific traffic to the secondary WAN interface. This works in this case
because policy routes are checked before static routes. Therefore, even though the static route for the secondary WAN
is not in the routing table, traffic can still be routed using the policy route.
In this example, we will create a policy route to route traffic from one address group to the secondary WAN interface.

To configure a policy route from the GUI:

1. Go to Network > Policy Routes, and click Create New.
2. Enter the following information:

Incoming interface Define the source of the traffic. For example, internal.

Source Address If we prefer to route traffic only from a group of addresses, define an address or
address group, and add here.

Destination Address Because we want to route all traffic from the address group here, we do not specify a
destination address.

Protocol Specify any protocol.

Action Forward traffic.

Outgoing interface Select the secondary WAN as the outbound interface. For example, wan2.

Gateway address Input the gateway address for your secondary WAN.
Because its default route has a higher distance value and is not added to the routing
table, the gateway address must be added here.

3. Click OK.

To configure a policy route from the CLI:

config router policy
    edit 1
        set input-device "internal"
        set srcaddr "Laptops"
        set gateway <gateway_address>
        set output-device "wan2"
    next
end

Security policies

Your security policies should allow all traffic from internal to WAN1. Because link redundancy is not needed, you do
not need to duplicate all WAN1 policies to WAN2. You will only need to define policies used in your policy route.


Scenario 3: Link redundancy and load-sharing

In this scenario, both links are available to distribute Internet traffic, with the primary WAN preferred. Should one of
the interfaces fail, the FortiGate continues to send traffic over the other active interface. The configuration is a
combination of the link redundancy and load-sharing scenarios. The main difference is that the configured routes have
equal distance values, with the higher-priority route (the one with the lower priority value) preferred. This ensures that
both routes are active in the routing table, but the route with the higher priority is the best route.

Link health monitor

Link monitor must be configured for both the primary and the secondary WAN interfaces. This ensures that if the primary
or the secondary WAN fails, the corresponding route is removed from the routing table and traffic re-routed to the other
WAN interface.
For configuration details, see sample configurations in Scenario 1: Link redundancy and no load-sharing on page 554.

Routing

Both WAN interfaces must have default routes with the same distance. However, preference is given to the primary
WAN by giving it a higher priority.

To configure the routing of the two interfaces using the CLI:

config router {static | static6}
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
        set priority 0
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 10
        set priority 10
    next
end

Policy routes

The policy route configuration is very similar to that of the policy routes in Scenario 2: Load-sharing and no link
redundancy on page 556, except that the gateway address should not be specified. When a policy route is matched and
no gateway address is specified, the FortiGate looks at the routing table to obtain the gateway. If the secondary WAN
fails, traffic may still hit the policy route. Because no gateway is specified and the route to the secondary WAN has been
removed by the link monitor, the policy route is bypassed and traffic continues through the primary WAN. This ensures
that the policy route is not active when the link is down.


Security policies

When you create security policies, you need to configure duplicate policies to ensure that after traffic fails over WAN1,
regular traffic is allowed to pass through WAN2, as it was with WAN1. This ensures that failover occurs with minimal
effect to users.

Dynamic routing

Dynamic routing protocols attempt to build a map of the network topology to identify the best routes to different
destinations. Instead of manually defining static routes, which does not scale, dynamic routing typically involves defining
neighbors and peer routers that share their network topology and routing updates with each other. Popular routing
protocols are based on distance-vector, link-state, or path-vector algorithms. FortiGate supports RIP, OSPF, BGP,
and IS-IS, which are interoperable with other vendors' implementations. When different dynamic routing protocols are
used, the administrative distance of each protocol helps the FortiGate decide which route to pick.

Go to System > Feature Visibility and enable Advanced Routing to configure dynamic routing
options in the GUI. See Feature visibility on page 1065 for more information.

This section includes:


• RIP on page 560
• OSPF on page 577
• BGP on page 588
• BFD on page 605
To view the routing table and perform route look-ups in the GUI, go to Dashboard > Network and expand the Routing
widget.

To view the routing table from the CLI:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S*   0.0.0.0/0 [5/0] via 192.168.0.1, wan1
C    10.10.10.0/24 is directly connected, internal
C    169.254.2.1/32 is directly connected, Dialup-test
C    172.31.0.0/30 is directly connected, toKVM-MPLS
C    172.31.0.1/32 is directly connected, toKVM-MPLS
C    192.168.0.0/24 is directly connected, wan1
O    192.168.2.0/24 [110/101] via 10.10.10.11, internal, 00:00:26
S    192.168.20.0/24 [10/0] via 172.31.0.2, toKVM-MPLS
[10/0] via 10.10.10.11, internal

RIP

Routing Information Protocol (RIP) is a distance-vector routing protocol that is intended for small and relatively
homogeneous networks. It works well when there are minimal redundant paths and limited hop counts. FortiGate
supports RIP version 1 (RFC 1058), RIP version 2 (RFC 2453), and RIPng (RFC 2080).

Basic configuration

To configure the FortiGate to participate in RIP using the most basic configurations in the GUI:

1. Go to Network > RIP.
2. Set the Version.
3. Add the networks that the FortiGate will advertise in and that will participate in RIP.
4. If the interface settings, such as passive interface, authentication, or enabling send/receive updates, must be
edited, add the interfaces to the Interface table.
5. Click Apply.

To configure the FortiGate to participate in RIP using the most basic configurations in the CLI:

config router rip
config network
edit 1
set prefix <subnet> <netmask>
next
end
config interface
edit <interface>
set receive-version 2
set send-version 2
next
end
end

Default route injection

Enabling Inject default route (default-information-originate) advertises a default route into the FortiGate's
RIP network.

To enable/disable default route injection in the GUI:

1. Go to Network > RIP.
2. Expand the Advanced Options.
3. Enable/disable Inject Default Route.
4. Click OK.

To enable/disable default route injection in the CLI:

config router rip
set default-information-originate {enable | disable}
end

Default metric

The default metric setting sets the default metric for all redistributed routes. If the default metric is set to five, and static
routes are redistributed, then static routes have a metric of five. This value can be overridden by setting a specific metric
value for a protocol. For example, the static route metric can be set to two, overriding the default metric.
config router rip
set default-metric 5
config redistribute "static"
set status enable
set metric 2
end
end

The default metric is five, but redistributed static routes have a metric of two. So, the default metric is overridden and the
metric for redistributed static routes is two.

Timers

RIP uses the update, timeout, and garbage timers to regulate its performance. The default timer settings are effective in
most configurations. When customizing the settings, you must ensure that the new settings are compatible with your
local routers and access servers.
Go to Network > RIP and expand the Advanced Options to configure the timers in the GUI, or use the CLI:
config router rip
set timeout-timer <seconds>
set update-timer <seconds>
set garbage-timer <seconds>
end

Update timer

The update timer sets the interval between routing updates. The default value is 30 seconds. Randomness is added to
help prevent network congestion due to multiple routers trying to update their neighbors simultaneously. The update
timer must be at least three times shorter than the timeout timer.
If there is significant RIP traffic on the network, you can increase the update timer to send fewer updates. You must apply
the same increase to all routers on the network to avoid timeouts that degrade your network speed.

Timeout timer

The timeout timer is the maximum amount of time that a reachable route is kept in the routing table since its last update.
The default value is 180 seconds. If an update for the route is received before the timeout period elapses, then the timer
is reset. The timeout timer should be at least three times longer than the update timer.
If routers are not responding to updates in time, increasing the timeout timer can help. A longer timeout timer results in
longer update periods, and the FortiGate could wait a considerable amount of time for all of the timers to expire on an
unresponsive route.

Garbage timer

The garbage timer is the amount of time that the FortiGate advertises a route as unreachable before deleting the route
from the routing table. The default value is 120 seconds.
If the timer is short, older routes are removed from the routing table more quickly, resulting in a smaller routing table. This
can be useful for large networks, or if the network changes frequently.

Authentication and key chain

RIP version 1 (RIPv1) has no authentication. RIP version 2 (RIPv2) uses text passwords or authentication keys to
ensure that the routing information exchanged between routers is reliable. For authentication to work, both the sending
and receiving routers must be set to use authentication and must be configured with the same password or keys. An
authentication key that uses authentication key chains is more secure than a text password because the intervals when
the key is valid can be configured.
A key chain is a list of one or more authentication keys that each have send and receive lifetimes. Keys are used to
authenticate routing packets only during the keys' specified lifetimes. The FortiGate migrates from one key to the next
according to the scheduled lifetimes. The sending and receiving routers should have synchronized system dates and
times to ensure that both ends are using the same keys at the same times. You can overlap the key lifetimes to make
sure that a key is always available, even if there is some difference in the system times.

To configure a text password in the GUI:

1. Go to Network > RIP.
2. In the Interfaces table, click Create New, or edit an existing interface.
3. Enable Authentication and select Text or MD5.
4. Click Change, and enter the password.
5. Configure the remaining settings as needed.
6. Click OK.
7. Click Apply.

To configure a text password in the CLI:

config router rip
config interface
edit <interface>
set auth-mode {text | md5}
set auth-string **********
next
end
end
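
As an added example (not code from the FortiOS guide), the following Python script parses `config router rip` text in the CLI syntax shown above and audits it against two points made in this chapter: the timeout timer must be at least three times the update timer, and interfaces that run RIPv1, use no authentication, or use a text password are weaker than MD5 or a key chain. The sample configuration is constructed, and treating a missing auth-mode as none is an assumption.

```python
import shlex

# Defaults from the Timers section of this guide (seconds).
RIP_TIMER_DEFAULTS = {"update-timer": 30, "timeout-timer": 180, "garbage-timer": 120}


def parse_fortios(text):
    """Parse FortiOS CLI configuration text into nested dicts.

    `config <table>` and `edit <entry>` open a nested dict, `set <attr> <values...>`
    stores the values as a list of strings, and `next` / `end` close the current
    level. Blank lines and lines starting with '#' (CLI prompts) are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the quotes around "port1" etc.
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected CLI line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit and next/end")
    return root


def audit_rip(cfg):
    """Findings for `config router rip`: the timer rule from the Timers section
    (timeout at least three times the update interval) and interfaces whose
    updates are unauthenticated or protected only by a text password."""
    rip = cfg.get("router rip", {})
    findings = []

    timers = {name: int(rip[name][0]) if name in rip else default
              for name, default in RIP_TIMER_DEFAULTS.items()}
    if timers["timeout-timer"] < 3 * timers["update-timer"]:
        findings.append(f"timeout-timer {timers['timeout-timer']}s is less than three "
                        f"times the update-timer {timers['update-timer']}s")

    for name, iface in rip.get("interface", {}).items():
        versions = iface.get("receive-version", []) + iface.get("send-version", [])
        if "1" in versions:
            findings.append(f"{name}: RIPv1 enabled; RIPv1 has no authentication")
        if iface.get("auth-keychain"):
            continue  # key chain with scheduled lifetimes: the strongest option above
        # An interface without auth-mode is treated as auth-mode none (assumed default).
        mode = iface.get("auth-mode", ["none"])[0]
        if mode == "none":
            findings.append(f"{name}: RIP updates are not authenticated")
        elif mode == "text":
            findings.append(f"{name}: text password authentication; prefer md5 or a key chain")
    return findings


# Constructed sample in the syntax of the CLI blocks above. The timers break the
# three-times rule, port2 is weak, port1 and port3 follow the guide's advice.
SAMPLE_RIP_CONFIG = """
config router rip
    set update-timer 60
    set timeout-timer 150
    set passive-interface "port1"
    config interface
        edit "port1"
            set auth-mode md5
            set auth-string **********
            set receive-version 2
            set send-version 2
        next
        edit "port2"
            set auth-mode text
            set auth-string **********
            set receive-version 1 2
            set send-version 2
        next
        edit "port3"
            set auth-keychain "rip_key"
            set receive-version 2
            set send-version 2
        next
    end
end
"""

if __name__ == "__main__":
    for finding in audit_rip(parse_fortios(SAMPLE_RIP_CONFIG)):
        print("-", finding)
```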

To configure a key chain with two sequentially valid keys and use it in a RIP interface:

config router key-chain
edit rip_key
config key
edit 1
set accept-lifetime 09:00:00 23 02 2020 09:00:00 17 03 2020
set send-lifetime 09:00:00 23 02 2020 09:00:00 17 03 2020
set key-string **********
next
edit 2
set accept-lifetime 09:01:00 17 03 2020 09:00:00 1 04 2020
set send-lifetime 09:01:00 17 03 2020 09:00:00 1 04 2020
set key-string **********
next
end
next
end
config router rip
config interface
edit port1
set auth-keychain "rip_key"
next
end
end
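
The following Python helper is an added example, not part of the guide: it reads accept and send lifetimes in the format used by `config router key-chain` above and reports any instant at which no key is valid. Applied to the two keys of the `rip_key` chain above (reproduced as constructed sample data), it shows the one-minute gap between the end of key 1 at 09:00:00 and the start of key 2 at 09:01:00 on 17 March 2020, and how widening the accept lifetimes, as the text recommends, removes the accept gap but not the send gap.

```python
from datetime import datetime, timedelta

# Lifetimes in `config router key-chain` are written "HH:MM:SS DD MM YYYY",
# start first and end second, exactly as in the CLI block above.
LIFETIME_FORMAT = "%H:%M:%S %d %m %Y"


def parse_lifetime(value):
    """'09:00:00 23 02 2020 09:00:00 17 03 2020' -> (start, end) datetimes."""
    parts = value.split()
    if len(parts) != 8:
        raise ValueError(f"expected start and end as 'HH:MM:SS DD MM YYYY': {value!r}")
    start = datetime.strptime(" ".join(parts[:4]), LIFETIME_FORMAT)
    end = datetime.strptime(" ".join(parts[4:]), LIFETIME_FORMAT)
    if end <= start:
        raise ValueError(f"lifetime ends before it starts: {value!r}")
    return start, end


def key(key_id, accept_lifetime, send_lifetime):
    """One `edit <id>` entry of a key chain (the key-string itself is not needed here)."""
    return {"id": key_id, "accept": parse_lifetime(accept_lifetime),
            "send": parse_lifetime(send_lifetime)}


# The two keys of the "rip_key" chain above, as constructed sample data.
RIP_KEY_CHAIN = [
    key(1, "09:00:00 23 02 2020 09:00:00 17 03 2020",
           "09:00:00 23 02 2020 09:00:00 17 03 2020"),
    key(2, "09:01:00 17 03 2020 09:00:00 1 04 2020",
           "09:01:00 17 03 2020 09:00:00 1 04 2020"),
]


def active_keys(chain, at, field):
    """IDs of keys whose `field` ('send' or 'accept') window covers the instant `at`."""
    if isinstance(at, str):  # also accept the CLI's own "HH:MM:SS DD MM YYYY"
        at = datetime.strptime(at, LIFETIME_FORMAT)
    return [k["id"] for k in chain if k[field][0] <= at <= k[field][1]]


def coverage_gaps(chain, field):
    """Intervals inside the chain's overall lifetime that no key's `field` window covers.

    A send gap leaves the FortiGate with no key to authenticate its own updates;
    an accept gap makes it drop correctly authenticated updates from neighbours."""
    windows = sorted(k[field] for k in chain)
    gaps, covered_until = [], windows[0][1]
    for start, end in windows[1:]:
        if start > covered_until:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    return gaps


def gap_report(chain):
    """All gaps as (field, start ISO, end ISO, seconds) tuples, send first."""
    return [(field, g[0].isoformat(), g[1].isoformat(), int((g[1] - g[0]).total_seconds()))
            for field in ("send", "accept") for g in coverage_gaps(chain, field)]


def overlap_accept_windows(chain, skew_seconds):
    """Copy of the chain with every accept lifetime widened by `skew_seconds` on both
    sides, so a neighbour whose clock is off by up to that much is still accepted
    during a key rollover (the overlap the guide recommends). Send windows are unchanged."""
    skew = timedelta(seconds=skew_seconds)
    return [{**k, "accept": (k["accept"][0] - skew, k["accept"][1] + skew)} for k in chain]


if __name__ == "__main__":
    for field, start, end, seconds in gap_report(RIP_KEY_CHAIN):
        print(f"{field} gap: {start} -> {end} ({seconds} s)")
    print("accept gaps after 5 min overlap:",
          [g for g in gap_report(overlap_accept_windows(RIP_KEY_CHAIN, 300)) if g[0] == "accept"])
```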

Passive RIP interfaces

By default, an active RIP interface keeps the FortiGate routing table current by periodically asking neighbors for routes
and sending out route updates. This can generate a significant amount of extra traffic in a large network.
A passive RIP interface listens to updates from other routers, but does not send out route updates. This can reduce
network traffic when there are redundant routers in the network that would always send out essentially the same
updates.
This example shows how to configure a passive RIPv2 interface on port1 using MD5 authentication.

To configure a passive RIP interface in the GUI:

1. Go to Network > RIP.
2. In the Interfaces table, click Create New.
3. Set Interface to the required interface.

4. Enable Passive.
5. Enable Authentication and set it to MD5.
6. Click Change and enter a password.
7. Set Receive Version to 2.
8. Click OK.

To configure a passive RIP interface in the CLI:

config router rip
set passive-interface "port1"
config interface
edit "port1"
set auth-mode md5
set auth-string **********
set receive-version 2
set send-version 2
next
end
end

RIP and IPv6

RIP next generation (RIPng) is an extension of RIPv2 that includes support for IPv6.

Basic RIP example

In this example, a medium-sized network is configured using RIPv2.
l Two core routers, RIP Router2 and RIP Router3, connect to the ISP router for two redundant paths to the internet.
l Two other routers, RIP Router1 and RIP Router4, connect to the two core routers and to different local networks.
l The ISP router is using RIP for its connections to the core routers, and redistributes its default route to the network -
that is, default route injection is enabled.
l The ISP router uses NAT and has a static route to the internet. None of the other routers use NAT or static routes.

All of the FortiGate routers are configured as shown, using netmask 255.255.255.0. Firewall policies have been
configured to allow the required traffic to flow across the interfaces.

Router      Interface   Interface name   IP address
Router1     port1       LoSales          10.11.101.101
            port2       vd12link0        10.11.201.101
            port3       vd13link0        10.11.202.101
Router2     port1       vd23link0        10.12.101.102
            port2       vd12link1        10.11.201.102
            port3       vd42link1        10.14.201.102
            port4       vdr2link1        172.20.120.102
Router3     port1       vd23link1        10.12.101.103
            port2       vd13link1        10.11.202.103
            port3       vd43link1        10.14.202.103
            port4       vdr3link1        172.20.121.103
Router4     port1       LoAccounting     10.14.101.104
            port2       vd42link0        10.14.201.104
            port3       vd43link0        10.14.202.104
ISP Router  port1       port1            To internet
            port2       vdr2link0        172.20.120.5
            port3       vdr3link0        172.20.121.5

After configuring each router, you can check the status of the connections by viewing the RIP database, RIP interfaces,
and routing table. See Verifying the configuration on page 570.
After the network is configured, you can test it to ensure that when network events occur, such as a downed link, routing
updates are triggered and converge as expected. See Testing the configuration and routing changes on page 574.

ISP router

To configure the ISP Router in the GUI:

1. Go to Network > RIP.
2. Set the Version to 2.
3. Under Networks, add two networks:
l 172.20.120.0/255.255.255.0
l 172.20.121.0/255.255.255.0
4. Add the interfaces:
a. In the Interfaces table, click Create New.
b. Set Interface to port2.
c. Leave the remaining settings as their default values.
d. Click OK.
e. Repeat these steps for port3.
5. Under Advanced Options, enable Inject Default Route.
This setting allows the ISP router to share its default route (0.0.0.0/0) with the other routers in the RIP network.
6. Click Apply.

To configure the ISP Router in the CLI:

config router rip
set default-information-originate enable
config network
edit 1
set prefix 172.20.121.0 255.255.255.0
next
edit 2
set prefix 172.20.120.0 255.255.255.0
next
end
config interface
edit "port2"
set receive-version 2
set send-version 2
next
edit "port3"
set receive-version 2
set send-version 2
next
end
end

Router2 and Router3

Router2 and Router3 RIP configurations have different IP addresses, but are otherwise the same.

To configure Router2 and Router3 in the GUI:

1. Go to Network > RIP.
2. Set the Version to 2.
3. Under Networks, add the IP addresses for each port:

Router    Networks
Router2   10.12.101.0/255.255.255.0
          10.11.201.0/255.255.255.0
          10.14.201.0/255.255.255.0
          172.20.120.0/255.255.255.0
Router3   10.12.101.0/255.255.255.0
          10.11.202.0/255.255.255.0
          10.14.202.0/255.255.255.0
          172.20.121.0/255.255.255.0

4. Add the interfaces:
a. In the Interfaces table, click Create New.
b. Set Interface to port1.
c. Leave the remaining settings as their default values.
d. Click OK.
e. Repeat these steps for port2, port3, and port4.
5. Click Apply.

To configure Router2 in the CLI:

config router rip
config network
edit 1
set prefix 10.12.101.0 255.255.255.0
next
edit 2
set prefix 10.11.201.0 255.255.255.0
next
edit 3
set prefix 10.14.201.0 255.255.255.0
next
edit 4
set prefix 172.20.120.0 255.255.255.0
next
end
config interface
edit "port1"
set receive-version 2
set send-version 2
next
edit "port2"
set receive-version 2
set send-version 2
next
edit "port3"
set receive-version 2
set send-version 2
next
edit "port4"
set receive-version 2
set send-version 2
next
end
end

To configure Router3 in the CLI:

config router rip
config network
edit 1
set prefix 10.12.101.0 255.255.255.0
next
edit 2
set prefix 10.11.202.0 255.255.255.0
next
edit 3
set prefix 10.14.202.0 255.255.255.0
next
edit 4
set prefix 172.20.121.0 255.255.255.0
next
end
config interface
edit "port1"
set receive-version 2
set send-version 2
next
edit "port2"
set receive-version 2
set send-version 2
next
edit "port3"
set receive-version 2
set send-version 2
next
edit "port4"
set receive-version 2
set send-version 2
next
end
end

Router1 and Router4

Router1 and Router4 RIP configurations have different IP addresses, but are otherwise the same.

To configure Router1 and Router4 in the GUI:

1. Go to Network > RIP.
2. Set the Version to 2.
3. Under Networks, add the IP addresses for each port:

Router    Networks
Router1   10.11.101.0/255.255.255.0
          10.11.201.0/255.255.255.0
          10.11.202.0/255.255.255.0
Router4   10.14.101.0/255.255.255.0
          10.14.201.0/255.255.255.0
          10.14.202.0/255.255.255.0

4. Add the interfaces:
a. In the Interfaces table, click Create New.
b. Set Interface to port1.
c. For port1 only, enable Passive.
d. Leave the remaining settings as their default values.
e. Click OK.
f. Repeat these steps for port2 and port3, making sure that Passive is disabled.
5. Click Apply.

To configure Router1 in the CLI:

config router rip
config network
edit 1
set prefix 10.11.101.0 255.255.255.0
next
edit 2
set prefix 10.11.201.0 255.255.255.0
next
edit 3
set prefix 10.11.202.0 255.255.255.0
next
end
set passive-interface "port1"
config interface
edit "port1"
set receive-version 2
set send-version 2
next
edit "port2"
set receive-version 2
set send-version 2
next
edit "port3"
set receive-version 2
set send-version 2
next
end
end

To configure Router4 in the CLI:

config router rip
config network
edit 1
set prefix 10.14.101.0 255.255.255.0
next
edit 2
set prefix 10.14.201.0 255.255.255.0
next
edit 3
set prefix 10.14.202.0 255.255.255.0
next
end
set passive-interface "port1"
config interface
edit "port1"
set receive-version 2
set send-version 2
next
edit "port2"
set receive-version 2
set send-version 2
next
edit "port3"
set receive-version 2
set send-version 2
next
end
end

Verifying the configuration

The interface names are shown in the debug output. The same commands should also be run on the other routers.

To verify the configuration after the ISP router, Router2, and Router3 have been configured:

This verification can be done after the ISP router, Router2, and Router3 have been configured. Only Router2's debugs
are shown.
1. Check the RIP interface information:
# get router info rip interface
Router2 is up, line protocol is up
RIP is not enabled on this interface
ssl.Router2 is up, line protocol is up
RIP is not enabled on this interface
vdr2link1 is up, line protocol is up
Routing Protocol: RIP
Receive RIPv2 packets only
Send RIPv2 packets only
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
172.20.120.102/24
vd12link1 is up, line protocol is up
Routing Protocol: RIP
Receive RIPv2 packets only
Send RIPv2 packets only
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.11.201.102/24
vd42link1 is up, line protocol is up
Routing Protocol: RIP
Receive RIPv2 packets only
Send RIPv2 packets only
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.14.201.102/24
vd23link0 is up, line protocol is up
Routing Protocol: RIP
Receive RIPv2 packets only
Send RIPv2 packets only
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.12.101.102/24

RIP starts exchanging routes as soon as the networks are added to the Router2 and Router3 configurations
because the RIP interfaces are active by default, and start sending and receiving RIP updates when a matching
interface on the subnet is found. The interface configuration allows the interface settings to be fine tuned, in this
case to specify only RIPv2 support.
2. Check the RIP database:
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 172.20.120.5 2 172.20.120.5 vdr2link1 02:55
Rc 10.11.201.0/24 1 vd12link1
R 10.11.202.0/24 10.12.101.103 2 10.12.101.103 vd23link0 02:33
Rc 10.12.101.0/24 1 vd23link0
Rc 10.14.201.0/24 1 vd42link1
R 10.14.202.0/24 10.12.101.103 2 10.12.101.103 vd23link0 02:33
Rc 172.20.120.0/24 1 vdr2link1
R 172.20.121.0/24 10.12.101.103 2 10.12.101.103 vd23link0 02:33

3. Check the routing table:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
R* 0.0.0.0/0 [120/2] via 172.20.120.5, vdr2link1, 13:37:23
C 10.11.201.0/24 is directly connected, vd12link1
R 10.11.202.0/24 [120/2] via 10.12.101.103, vd23link0, 14:10:01
C 10.12.101.0/24 is directly connected, vd23link0
C 10.14.201.0/24 is directly connected, vd42link1
R 10.14.202.0/24 [120/2] via 10.12.101.103, vd23link0, 14:10:01
C 172.20.120.0/24 is directly connected, vdr2link1
R 172.20.121.0/24 [120/2] via 10.12.101.103, vd23link0, 13:20:36

Router2 has learned the default gateway from the ISP router, and has learned of other networks from Router3.
4. If firewall policies are correctly configured, the outside network can be reached:
# execute ping-options source 10.11.201.102
# execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=115 time=4.5 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=4.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=4.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=115 time=4.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=115 time=4.1 ms
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.1/4.2/4.5 ms
# execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 172.20.120.5 0.101 ms 0.030 ms 0.014 ms
2 172.16.151.1 0.169 ms 0.144 ms 0.131 ms
3 * * *

To verify the configuration after Router1 and Router4 have also been configured:

This verification can be done after Router1 and Router4 have been configured. Only Router1's debugs are shown.
1. Check the RIP interface information:
# get router info rip interface
Router1 is up, line protocol is up
RIP is not enabled on this interface
ssl.Router1 is up, line protocol is up
RIP is not enabled on this interface
vd12link0 is up, line protocol is up
Routing Protocol: RIP
Receive RIPv2 packets only
Send RIPv2 packets only
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.11.201.101/24
vd13link0 is up, line protocol is up
Routing Protocol: RIP
Receive RIPv2 packets only
Send RIPv2 packets only
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.11.202.101/24
LoSales is up, line protocol is up
Routing Protocol: RIP
Receive RIPv2 packets only
Send RIPv2 packets only
Passive interface: Enabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.11.101.101/24
127.0.0.1/8

2. Check the RIP database:
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.11.202.103 3 10.11.202.103 vd13link0 02:35
Rc 10.11.101.0/24 1 LoSales
Rc 10.11.201.0/24 1 vd12link0
Rc 10.11.202.0/24 1 vd13link0
R 10.12.101.0/24 10.11.202.103 2 10.11.202.103 vd13link0 02:35
R 10.14.101.0/24 10.11.202.103 3 10.11.202.103 vd13link0 02:35
R 10.14.201.0/24 10.11.201.102 2 10.11.201.102 vd12link0 02:30
R 10.14.202.0/24 10.11.202.103 2 10.11.202.103 vd13link0 02:35
R 172.20.120.0/24 10.11.201.102 2 10.11.201.102 vd12link0 02:30
R 172.20.121.0/24 10.11.202.103 2 10.11.202.103 vd13link0 02:35

3. Check the routing table:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
R* 0.0.0.0/0 [120/3] via 10.11.202.103, vd13link0, 00:09:42
C 10.11.101.0/24 is directly connected, LoSales
C 10.11.201.0/24 is directly connected, vd12link0
C 10.11.202.0/24 is directly connected, vd13link0
R 10.12.101.0/24 [120/2] via 10.11.202.103, vd13link0, 00:09:42
R 10.14.101.0/24 [120/3] via 10.11.202.103, vd13link0, 00:09:42
R 10.14.201.0/24 [120/2] via 10.11.201.102, vd12link0, 00:09:42
R 10.14.202.0/24 [120/2] via 10.11.202.103, vd13link0, 00:09:42
R 172.20.120.0/24 [120/2] via 10.11.201.102, vd12link0, 00:09:42
R 172.20.121.0/24 [120/2] via 10.11.202.103, vd13link0, 00:09:42

4. If firewall policies are correctly configured, the accounting network and the internet are reachable from the sales
network:
# execute ping-options source 10.11.101.101
# execute ping 10.14.101.104
PING 10.14.101.104 (10.14.101.104): 56 data bytes
64 bytes from 10.14.101.104: icmp_seq=0 ttl=254 time=0.1 ms
64 bytes from 10.14.101.104: icmp_seq=1 ttl=254 time=0.0 ms
64 bytes from 10.14.101.104: icmp_seq=2 ttl=254 time=0.0 ms
64 bytes from 10.14.101.104: icmp_seq=3 ttl=254 time=0.0 ms
64 bytes from 10.14.101.104: icmp_seq=4 ttl=254 time=0.0 ms
--- 10.14.101.104 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.1 ms
# execute traceroute 10.14.101.104
traceroute to 10.14.101.104 (10.14.101.104), 32 hops max, 3 probe packets per hop, 84
byte packets
1 10.11.202.103 0.079 ms 0.029 ms 0.013 ms
2 10.14.101.104 0.043 ms 0.020 ms 0.010 ms
# execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=114 time=4.3 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=4.1 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.1/4.2/4.3 ms
# execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.11.202.103 0.094 ms 0.036 ms 0.030 ms
2 172.20.121.5 0.216 ms 0.045 ms 0.038 ms

Testing the configuration and routing changes

After the network is configured, test it to ensure that when network events occur, such as a downed link, routing updates
are triggered and converge as expected.
In the following examples, we disable certain links to simulate network outages, then verify that routing and connectivity
are restored after the updates have converged.

Example 1 - ISP router port3 interface goes down

In this example, a link outage occurs on port3 of the ISP router. Consequently, all routers must use Router2, and not
Router3, to reach the internet. Note the RIP database before and after the link failure, and the time taken for the route
updates to propagate and return to a functioning state.
Router4's debugs are shown.
Before:
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.202.103 3 10.14.202.103 vd43link0 02:31
R 10.11.101.0/24 10.14.202.103 3 10.14.202.103 vd43link0 02:31
R 10.11.201.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:47
R 10.11.202.0/24 10.14.202.103 2 10.14.202.103 vd43link0 02:31
R 10.12.101.0/24 10.14.202.103 2 10.14.202.103 vd43link0 02:31
Rc 10.14.101.0/24 1 LoAccounting
Rc 10.14.201.0/24 1 vd42link0
Rc 10.14.202.0/24 1 vd43link0
R 172.20.120.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:47
R 172.20.121.0/24 10.14.202.103 2 10.14.202.103 vd43link0 02:31
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
R* 0.0.0.0/0 [120/3] via 10.14.202.103, vd43link0, 02:45:15
R 10.11.101.0/24 [120/3] via 10.14.202.103, vd43link0, 02:44:49
R 10.11.201.0/24 [120/2] via 10.14.201.102, vd42link0, 02:45:15
R 10.11.202.0/24 [120/2] via 10.14.202.103, vd43link0, 02:45:15
R 10.12.101.0/24 [120/2] via 10.14.202.103, vd43link0, 02:45:15
C 10.14.101.0/24 is directly connected, LoAccounting
C 10.14.201.0/24 is directly connected, vd42link0
C 10.14.202.0/24 is directly connected, vd43link0
R 172.20.120.0/24 [120/2] via 10.14.201.102, vd42link0, 02:45:15
R 172.20.121.0/24 [120/2] via 10.14.202.103, vd43link0, 02:45:15
# execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.14.202.103 0.187 ms 0.054 ms 0.030 ms
2 172.20.121.5 0.117 ms 0.062 ms 0.040 ms
3 * * *

After:
l You might see different routes, and the routes might change, while convergence is occurring. During convergence,
the metric for your default route increases to 16.
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.202.103 16 10.14.202.103 vd43link0 01:50

l After convergence is complete, the RIP database will look similar to the following:
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.201.102 3 10.14.201.102 vd42link0 02:53
R 10.11.101.0/24 10.14.202.103 3 10.14.202.103 vd43link0 03:00
R 10.11.201.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:53
R 10.11.202.0/24 10.14.202.103 2 10.14.202.103 vd43link0 03:00
R 10.12.101.0/24 10.14.202.103 2 10.14.202.103 vd43link0 03:00
Rc 10.14.101.0/24 1 LoAccounting
Rc 10.14.201.0/24 1 vd42link0
Rc 10.14.202.0/24 1 vd43link0
R 172.20.120.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:53

l The default route should point to Router2, with the same number of hops:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
R* 0.0.0.0/0 [120/3] via 10.14.201.102, vd42link0, 00:05:24
R 10.11.101.0/24 [120/3] via 10.14.202.103, vd43link0, 02:58:13
R 10.11.201.0/24 [120/2] via 10.14.201.102, vd42link0, 02:58:39
R 10.11.202.0/24 [120/2] via 10.14.202.103, vd43link0, 02:58:39
R 10.12.101.0/24 [120/2] via 10.14.202.103, vd43link0, 02:58:39
C 10.14.101.0/24 is directly connected, LoAccounting
C 10.14.201.0/24 is directly connected, vd42link0
C 10.14.202.0/24 is directly connected, vd43link0
R 172.20.120.0/24 [120/2] via 10.14.201.102, vd42link0, 02:58:39
# execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.14.201.102 0.167 ms 0.063 ms 0.029 ms
2 172.20.120.5 0.117 ms 0.073 ms 0.041 ms
3 172.16.151.1 0.303 ms 0.273 ms 0.253 ms

Example 2 - Additional link failures on Router2

In addition to the link failure on the ISP router in Example 1, port1 and port3 on Router2 have also failed. This means
that Router4 must go through Router3, Router1, Router2, then the ISP router to reach the internet. Note that, for a period
of time, some routes' metrics increase to 16. If no better routes are found for these networks, then they eventually
disappear.
After the convergence completes, the RIP database and routing table on Router4 should resemble the following:
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.202.103 5 10.14.202.103 vd43link0 02:54
R 10.11.101.0/24 10.14.202.103 3 10.14.202.103 vd43link0 02:54
R 10.11.201.0/24 10.14.202.103 3 10.14.202.103 vd43link0 02:54
R 10.11.202.0/24 10.14.202.103 2 10.14.202.103 vd43link0 02:54
Rc 10.14.101.0/24 1 LoAccounting
Rc 10.14.202.0/24 1 vd43link0
R 172.20.120.0/24 10.14.202.103 4 10.14.202.103 vd43link0 02:54
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
R* 0.0.0.0/0 [120/5] via 10.14.202.103, vd43link0, 00:03:54
R 10.11.101.0/24 [120/3] via 10.14.202.103, vd43link0, 03:10:12
R 10.11.201.0/24 [120/3] via 10.14.202.103, vd43link0, 00:03:54
R 10.11.202.0/24 [120/2] via 10.14.202.103, vd43link0, 03:10:38
C 10.14.101.0/24 is directly connected, LoAccounting
C 10.14.202.0/24 is directly connected, vd43link0
R 172.20.120.0/24 [120/4] via 10.14.202.103, vd43link0, 00:03:54

Reaching the internet on the default gateway now requires five hops from Router4:
# execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.14.202.103 0.087 ms 0.026 ms 0.012 ms
2 10.11.202.101 0.045 ms 0.024 ms 0.025 ms
3 10.11.201.102 0.048 ms 0.024 ms 0.015 ms
4 172.20.120.5 0.050 ms 0.028 ms 0.019 ms
5 * * *
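
As an added example (not output or code from the guide), this Python script parses `get router info rip database` and `get router info routing-table all` output in the format shown above and reports the two convergence signals these examples describe: routes poisoned with metric 16 and a default route whose next hop has moved. The captures are constructed samples trimmed from Router4's debugs and from the ECMP static route in the first routing table of this chapter.

```python
import re

RIP_INFINITY = 16  # RIP advertises an unreachable route with metric 16
# Route lines of `get router info routing-table all`, for example
#   R*      0.0.0.0/0 [120/3] via 10.14.202.103, vd43link0, 02:45:15
#   C       10.14.101.0/24 is directly connected, LoAccounting
# plus the indented continuation line of an equal-cost multipath route:
#           [10/0] via 10.10.10.11, internal
ROUTE_RE = re.compile(r"^(?P<code>[A-Za-z][A-Za-z0-9]?)(?P<star>\*?)\s+"
                      r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$")
PATH_RE = re.compile(r"^\s*\[(?P<distance>\d+)/(?P<metric>\d+)\] via (?P<via>\S+), "
                     r"(?P<iface>[^,\s]+)(?:, (?P<uptime>\S+))?$")
CONNECTED_RE = re.compile(r"^is directly connected, (?P<iface>\S+)$")
# Entry lines of `get router info rip database`: learned (R) entries carry next hop,
# metric, source, interface and time; connected (Rc) entries only metric and interface.
RIPDB_RE = re.compile(r"^(?P<code>Rc|Rs|R|K|C|S|O|I|B)\s+"
                      r"(?P<network>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$")


def _path(m):
    return {"distance": int(m["distance"]), "metric": int(m["metric"]),
            "via": m["via"], "iface": m["iface"], "uptime": m["uptime"]}


def parse_routing_table(text):
    """Routes as dicts with a list of paths (several for an ECMP route)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            c, p = CONNECTED_RE.match(m["rest"]), PATH_RE.match(m["rest"])
            if c:
                paths = [{"distance": 0, "metric": 0, "via": None,
                          "iface": c["iface"], "uptime": None}]
            elif p:
                paths = [_path(p)]
            else:
                raise ValueError(f"unrecognised route line: {line!r}")
            routes.append({"code": m["code"], "candidate_default": m["star"] == "*",
                           "prefix": m["prefix"], "paths": paths})
        elif routes and PATH_RE.match(line):  # ECMP continuation of the previous route
            routes[-1]["paths"].append(_path(PATH_RE.match(line)))
    return routes


def parse_rip_database(text):
    """Entries of the RIP database; the Codes legend and column header are skipped."""
    entries = []
    for line in text.splitlines():
        m = RIPDB_RE.match(line)
        if not m:
            continue
        f = m["rest"].split()
        if len(f) == 5:
            e = dict(next_hop=f[0], metric=int(f[1]), source=f[2], iface=f[3], time=f[4])
        elif len(f) == 2:
            e = dict(next_hop=None, metric=int(f[0]), source=None, iface=f[1], time=None)
        else:
            raise ValueError(f"unrecognised RIP database line: {line!r}")
        entries.append({"code": m["code"], "network": m["network"], **e})
    return entries


def unreachable_networks(entries):
    """Networks advertised with metric 16: poisoned routes seen while converging."""
    return [e["network"] for e in entries if e["metric"] >= RIP_INFINITY]


def default_route_paths(text):
    """Sorted (via, interface, metric) for every path of 0.0.0.0/0, [] if absent."""
    for r in parse_routing_table(text):
        if r["prefix"] == "0.0.0.0/0":
            return sorted((p["via"], p["iface"], p["metric"]) for p in r["paths"])
    return []


def default_route_changed(before_text, after_text):
    return default_route_paths(before_text) != default_route_paths(after_text)


# Constructed sample captures, trimmed from the Router4 debugs and the first
# routing table in this chapter.
RIPDB_BEFORE = """\
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
       C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network         Next Hop       Metric From           If           Time
R  0.0.0.0/0    10.14.202.103  3      10.14.202.103  vd43link0    02:31
Rc 10.14.101.0/24              1                     LoAccounting
"""
RIPDB_CONVERGING = "R  0.0.0.0/0    10.14.202.103  16     10.14.202.103  vd43link0    01:50\n"
RT_BEFORE = "R*      0.0.0.0/0 [120/3] via 10.14.202.103, vd43link0, 02:45:15\n"
RT_AFTER = ("R*      0.0.0.0/0 [120/3] via 10.14.201.102, vd42link0, 00:05:24\n"
            "C       10.14.101.0/24 is directly connected, LoAccounting\n")
RT_ECMP = ("S       192.168.20.0/24 [10/0] via 172.31.0.2, toKVM-MPLS\n"
           "                        [10/0] via 10.10.10.11, internal\n")

if __name__ == "__main__":
    print("poisoned:", unreachable_networks(parse_rip_database(RIPDB_CONVERGING)))
    print("default route moved:", default_route_changed(RT_BEFORE, RT_AFTER))
```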

OSPF

Open Shortest Path First (OSPF) is a link state routing protocol that is commonly used in large enterprise networks with
L3 switches, routers, and firewalls from multiple vendors. It quickly detects link failures and reconverges without creating
routing loops. It also has features to control which routes are propagated, allowing for smaller routing tables, and
provides better load balancing on external links when compared to other routing protocols.
To configure OSPF in the GUI, go to Network > OSPF:

Option                 Description

Router ID              A unique ID to identify your router in the network, typically in the format x.x.x.x.

Areas                  The areas that the router is part of. For each area, define the Area ID, Type, and
                       Authentication method.

Networks               The networks that OSPF is enabled in, and the area that they belong to.

Interfaces             OSPF interfaces for transmitting and receiving packets. Configure interface properties,
                       such as Network Type, Cost, Hello interval, and others.

Summary Addresses      Summary addresses that summarize your routes to reduce the size of the routing table.

Default Settings (7.0) The default settings for Inject default route, Metric type, Metric value, and Route map.

Redistribute           Enable redistribution by protocol. Configure the Metric value, Metric type, Tag, and
                       Route map.

Advanced Settings      Advanced settings, including ABR type, Default metric, Restart mode, and BFD.

Distance Settings      The distance setting for each route type: External (E1, E2), Inter Area (IA), and
                       Intra Area (O).

Overflow Settings      Overflow settings to control the LSDB overflow criteria.

This section includes the following topics:

• Basic OSPF example on page 578

Basic OSPF example

In this example, three FortiGate devices are configured in an OSPF network.

• Router1 is the Designated Router (DR). It has the highest priority and the lowest IP address, to ensure that it
  becomes the DR.
• Router2 is the Backup Designated Router (BDR). It has a high priority to ensure that it becomes the BDR.
• Router3 is the Autonomous System Border Router (ASBR). It routes all traffic to the ISP BGP router for internet
  access. It redistributes routes from BGP and advertises a default route to its neighbors. It can allow different types of
  routes, learned outside of OSPF, to be used in OSPF. Different metrics can be assigned to these routes to make
  them more or less preferred than regular OSPF routes. Route maps could be used to further control what prefixes
  are advertised or received from the ISP.

FortiGate        Interface   IP address

Router1 (DR)     port1       10.11.101.1
                 port2       10.11.102.1
                 port3       192.168.102.1

Router2 (BDR)    port1       10.11.101.2
                 port2       10.11.103.2
                 port3       192.168.103.2

Router3 (ASBR)   port1       10.11.102.3
                 port2       10.11.103.3
                 port3       172.20.120.3

• Firewall policies are already configured to allow unfiltered traffic in both directions between all of the connected
  interfaces.
• The interfaces are already configured, and NAT is only used for connections to public networks. The cost for all of
  the interfaces is left at 0.
• The OSPF network belongs to Area 0, and is not connected to any other OSPF networks. All of the routers are part
  of the backbone 0.0.0.0 area, so no inter-area communications are needed.
• Router3 redistributes BGP routes into the OSPF AS and peers with the ISP BGP Router over eBGP. For information
  about configuring BGP, see BGP on page 588.
• The advertised networks (10.11.101.0, 10.11.102.0, and 10.11.103.0) are summarized by 10.11.0.0/16. Additional
  networks are advertised individually by the /24 subnet.

Router1

To configure Router1 in the GUI:

1. Go to Network > OSPF.
2. Set Router ID to 10.11.101.1.
3. In the Areas table, click Create New and set the following:

   Area ID          0.0.0.0
   Type             Regular
   Authentication   None

4. Click OK.
5. In the Networks table, click Create New and set the following:

   Area         0.0.0.0
   IP/Netmask   10.11.0.0 255.255.0.0

6. Click OK.
7. In the Networks table, click Create New again and set the following:

   Area         0.0.0.0
   IP/Netmask   192.168.102.0 255.255.255.0

8. Click OK.
9. In the Interfaces table, click Create New and set the following:

   Name             Router1-Internal-DR
   Interface        port1
   Cost             0
   Priority         255
   Authentication   None
   Timers           • Hello Interval: 10
                    • Dead Interval: 40

10. Click OK.
11. In the Interfaces table, click Create New again and set the following:

   Name             Router1-External
   Interface        port2
   Cost             0
   Authentication   None
   Timers           • Hello Interval: 10
                    • Dead Interval: 40

12. Click OK.
13. Click Apply.

To configure Router1 in the CLI:

config router ospf
    set router-id 10.11.101.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "Router1-Internal-DR"
            set interface "port1"
            set priority 255
            set dead-interval 40
            set hello-interval 10
        next
        edit "Router1-External"
            set interface "port2"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0 255.255.0.0
        next
        edit 2
            set prefix 192.168.102.0 255.255.255.0
        next
    end
end

Router2

To configure Router2 in the GUI:

1. Go to Network > OSPF.
2. Set Router ID to 10.11.101.2.
3. In the Areas table, click Create New and set the following:

   Area ID          0.0.0.0
   Type             Regular
   Authentication   None

4. Click OK.
5. In the Networks table, click Create New and set the following:

   Area         0.0.0.0
   IP/Netmask   10.11.0.0 255.255.0.0

6. Click OK.
7. In the Networks table, click Create New again and set the following:

   Area         0.0.0.0
   IP/Netmask   192.168.103.0 255.255.255.0

8. Click OK.
9. In the Interfaces table, click Create New and set the following:

   Name             Router2-Internal
   Interface        port1
   Cost             0
   Priority         250
   Authentication   None
   Timers           • Hello Interval: 10
                    • Dead Interval: 40

10. Click OK.
11. In the Interfaces table, click Create New again and set the following:

   Name             Router2-External
   Interface        port2
   Cost             0
   Authentication   None
   Timers           • Hello Interval: 10
                    • Dead Interval: 40

12. Click OK.
13. Click Apply.

To configure Router2 in the CLI:

config router ospf
    set router-id 10.11.101.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "Router2-Internal"
            set interface "port1"
            set priority 250
            set dead-interval 40
            set hello-interval 10
        next
        edit "Router2-External"
            set interface "port2"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0 255.255.0.0
        next
        edit 2
            set prefix 192.168.103.0 255.255.255.0
        next
    end
end

Router3

To configure Router3 in the GUI:

1. Go to Network > OSPF.
2. Set Router ID to 10.11.103.3.
3. Under Default Settings, set Inject default route to Regular Areas.
   A default route must be present on Router3 to advertise it to other routers.
4. Enable Redistribute BGP and use the default settings.
5. In the Areas table, click Create New and set the following:

   Area ID          0.0.0.0
   Type             Regular
   Authentication   None

6. Click OK.
7. In the Networks table, click Create New and set the following:

   Area         0.0.0.0
   IP/Netmask   10.11.0.0 255.255.0.0

8. Click OK.
9. In the Interfaces table, click Create New and set the following:

   Name             Router3-Internal
   Interface        port1
   Cost             0
   Authentication   None
   Timers           • Hello Interval: 10
                    • Dead Interval: 40

10. Click OK.
11. In the Interfaces table, click Create New again and set the following:

   Name             Router3-Internal2
   Interface        port2
   Cost             0
   Authentication   None
   Timers           • Hello Interval: 10
                    • Dead Interval: 40

12. Click OK.
13. Click Apply.

To configure Router3 in the CLI:

config router ospf
    set default-information-originate enable
    set router-id 10.11.103.3
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "Router3-Internal"
            set interface "port1"
            set dead-interval 40
            set hello-interval 10
        next
        edit "Router3-Internal2"
            set interface "port2"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0 255.255.0.0
        next
    end
    config redistribute "bgp"
        set status enable
    end
end

To configure BGP on Router3 in the CLI:

config router bgp
    set as 64511
    set router-id 1.1.1.1
    config neighbor
        edit "172.20.120.5"
            set remote-as 64512
        next
    end
    config network
        edit 1
            set prefix 172.20.120.0 255.255.255.0
        next
    end
end

For more information on configuring BGP, see BGP on page 588.

Testing the configuration

Both the network connectivity and OSPF routing are tested. When a link goes down, routes should converge as
expected.

Working state

• Router3:
Router3 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.11.101.1 1 Full/Backup 00:00:34 10.11.102.1 port1
10.11.101.2 1 Full/Backup 00:00:38 10.11.103.2 port2
Router3 # get router info ospf status
Routing Process "ospf 0" with ID 10.11.103.3
Process uptime is 18 hours 52 minutes
Process bound to VRF default

Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
This router is an ASBR (injecting external routing information)
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 3. Checksum 0x021B78
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 2
External LSA database is unlimited.
Number of LSA originated 16
Number of LSA received 100
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 2(2)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:37:36.690 ago
SPF algorithm executed 13 times
Number of LSA 6. Checksum 0x03eafa
Router3 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
B* 0.0.0.0/0 [20/0] via 172.20.120.5, port3, 01:10:12
O 10.11.101.0/24 [110/2] via 10.11.103.2, port2, 00:39:34
[110/2] via 10.11.102.1, port1, 00:39:34
C 10.11.102.0/24 is directly connected, port1
C 10.11.103.0/24 is directly connected, port2
C 172.20.120.0/24 is directly connected, port3
O 192.168.102.0/24 [110/2] via 10.11.102.1, port1, 02:24:59
O 192.168.103.0/24 [110/2] via 10.11.103.2, port2, 02:14:32
B 192.168.160.0/24 [20/0] via 172.20.120.5, port3, 19:08:39
B 192.168.170.0/24 [20/0] via 172.20.120.5, port3, 01:10:12

• Router2:
Router2 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.11.101.1 255 Full/DR 00:00:35 10.11.101.1 port1
10.11.103.3 1 Full/DR 00:00:38 10.11.103.3 port3
Router2 # get router info ospf status
Routing Process "ospf 0" with ID 10.11.101.2
Process uptime is 2 hours 53 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes

Supports opaque LSA
Do not support Restarting
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 3. Checksum 0x021979
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 2
External LSA database is unlimited.
Number of LSA originated 5
Number of LSA received 128
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 3(3)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:47:49.990 ago
SPF algorithm executed 15 times
Number of LSA 6. Checksum 0x03e8fb
Router2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
O*E2 0.0.0.0/0 [110/10] via 10.11.103.3, port2, 01:03:58
C 10.11.101.0/24 is directly connected, port1
O 10.11.102.0/24 [110/2] via 10.11.103.3, port2, 00:49:01
[110/2] via 10.11.101.1, port1, 00:49:01
C 10.11.103.0/24 is directly connected, port2
O 192.168.102.0/24 [110/2] via 10.11.101.1, port1, 00:49:01
C 192.168.103.0/24 is directly connected, port3
O E2 192.168.160.0/24 [110/10] via 10.11.103.3, port2, 01:39:31
O E2 192.168.170.0/24 [110/10] via 10.11.103.3, port2, 01:19:39

The default route advertised by Router3 using default-information-originate is considered an OSPF E2
route. Other routes redistributed from BGP are also E2 routes.

• Router1:
Router1 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.11.101.2 250 Full/Backup 00:00:36 10.11.101.2 port1
10.11.103.3 1 Full/DR 00:00:37 10.11.102.3 port2
Router1 # get router info ospf status
Routing Process "ospf 0" with ID 10.11.101.1
Process uptime is 3 hours 7 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting

SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 3. Checksum 0x02157B
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 2
External LSA database is unlimited.
Number of LSA originated 2
Number of LSA received 63
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 3(3)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:54:08.160 ago
SPF algorithm executed 11 times
Number of LSA 6. Checksum 0x03e6fc
Router1 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 10.11.102.3, port2, 01:09:48
C 10.11.101.0/24 is directly connected, port1
C 10.11.102.0/24 is directly connected, port2
O 10.11.103.0/24 [110/2] via 10.11.102.3, port2, 00:54:49
[110/2] via 10.11.101.2, port1, 00:54:49
C 192.168.102.0/24 is directly connected, port3
O 192.168.103.0/24 [110/2] via 10.11.101.2, port1, 00:54:49
O E2 192.168.160.0/24 [110/10] via 10.11.102.3, port2, 01:45:21
O E2 192.168.170.0/24 [110/10] via 10.11.102.3, port2, 01:25:29

Link down state

If port1 is disconnected on Router3:

• Router3:
Router3 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
B* 0.0.0.0/0 [20/0] via 172.20.120.5, VLAN20, 01:29:25
O 10.11.101.0/24 [110/2] via 10.11.103.2, port2, 00:00:09
C 10.11.103.0/24 is directly connected, port2
C 172.20.120.0/24 is directly connected, port3
O 192.168.102.0/24 [110/3] via 10.11.103.2, port2, 00:00:09
O 192.168.103.0/24 [110/2] via 10.11.103.2, port2, 02:33:45

B 192.168.160.0/24 [20/0] via 172.20.120.5, port3, 19:27:52
B 192.168.170.0/24 [20/0] via 172.20.120.5, port3, 01:29:25

• Router2:
Router2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
O*E2 0.0.0.0/0 [110/10] via 10.11.103.3, port2, 01:16:36
C 10.11.101.0/24 is directly connected, port1
O 10.11.102.0/24 [110/2] via 10.11.101.1, port1, 00:02:27
C 10.11.103.0/24 is directly connected, port2
O 192.168.102.0/24 [110/2] via 10.11.101.1, port1, 01:01:39
C 192.168.103.0/24 is directly connected, port3
O E2 192.168.160.0/24 [110/10] via 10.11.103.3, port2, 01:52:09
O E2 192.168.170.0/24 [110/10] via 10.11.103.3, port2, 01:32:17

• Router1:
Router1 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 10.11.101.2, port1, 00:05:14
C 10.11.101.0/24 is directly connected, port1
C 10.11.102.0/24 is directly connected, port2
O 10.11.103.0/24 [110/2] via 10.11.101.2, port1, 00:05:15
C 192.168.102.0/24 is directly connected, port3
O 192.168.103.0/24 [110/2] via 10.11.101.2, port1, 01:03:50
O E2 192.168.160.0/24 [110/10] via 10.11.101.2, port1, 00:05:14
O E2 192.168.170.0/24 [110/10] via 10.11.101.2, port1, 00:05:14
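Comparing the working-state and link-down tables by eye is easy to get wrong once several routers and ECMP paths are involved. The following Python script is an added example, not part of the FortiOS guide and not a Fortinet tool: it parses the `get router info routing-table all` output format shown above into prefix and next-hop records, diffs two snapshots, and lists which prefixes still point out a given interface. The two sample snapshots are Router1's working-state and link-down tables copied from this example; the handling of ECMP continuation lines and the `connected` pseudo next hop are the script's own conventions.

```python
import re

# Matches a route line such as "O*E2 0.0.0.0/0 [110/10] via 10.11.102.3, port2, 01:09:48"
# or "C 10.11.101.0/24 is directly connected, port1". Legend lines ("O - OSPF, ...")
# fail the prefix part of the pattern and are skipped.
ROUTE_RE = re.compile(
    r'^(?P<code>[A-Z0-9*]+(?: [A-Z]\d)?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<rest>.*)$')
VIA_RE = re.compile(r'\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\S+), (?P<iface>\S+),')
CONNECTED_RE = re.compile(r'is directly connected, (?P<iface>\S+)')


def parse_routing_table(text):
    """Return {prefix: {'code': ..., 'paths': {(next_hop, interface), ...}}}.
    A continuation line starting with "[" is a second ECMP path and is attached
    to the previous prefix; directly connected routes get the pseudo next hop
    'connected' (this script's own convention)."""
    routes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            current = {'code': m['code'], 'paths': set()}
            routes[m['prefix']] = current
            rest = m['rest']
        elif line.startswith('[') and current is not None:
            rest = line
        else:
            continue  # prompt, "Codes:" legend, "Routing table for VRF=0"
        v = VIA_RE.search(rest)
        if v:
            current['paths'].add((v['nh'], v['iface']))
            continue
        c = CONNECTED_RE.search(rest)
        if c:
            current['paths'].add(('connected', c['iface']))
    return routes


def next_hop_changes(before, after):
    """Prefixes whose next-hop set differs between two snapshots, as
    {prefix: (paths_before, paths_after)}; an empty set means the prefix is
    absent from that snapshot."""
    changes = {}
    for prefix in sorted(set(before) | set(after)):
        b = before[prefix]['paths'] if prefix in before else set()
        a = after[prefix]['paths'] if prefix in after else set()
        if a != b:
            changes[prefix] = (b, a)
    return changes


def prefixes_via(routes, iface, learned_only=True):
    """Prefixes with at least one path out of `iface`. With learned_only, the
    interface's own directly connected route is ignored, so an empty result
    means no learned route still depends on that interface."""
    return sorted(p for p, r in routes.items()
                  if any(i == iface and (not learned_only or nh != 'connected')
                         for nh, i in r['paths']))


# Router1's routing table in the working state, copied from this example.
ROUTER1_WORKING = """\
Router1 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 10.11.102.3, port2, 01:09:48
C 10.11.101.0/24 is directly connected, port1
C 10.11.102.0/24 is directly connected, port2
O 10.11.103.0/24 [110/2] via 10.11.102.3, port2, 00:54:49
[110/2] via 10.11.101.2, port1, 00:54:49
C 192.168.102.0/24 is directly connected, port3
O 192.168.103.0/24 [110/2] via 10.11.101.2, port1, 00:54:49
O E2 192.168.160.0/24 [110/10] via 10.11.102.3, port2, 01:45:21
O E2 192.168.170.0/24 [110/10] via 10.11.102.3, port2, 01:25:29
"""

# Router1's routing table after port1 on Router3 went down, copied from this example.
ROUTER1_LINK_DOWN = """\
O*E2 0.0.0.0/0 [110/10] via 10.11.101.2, port1, 00:05:14
C 10.11.101.0/24 is directly connected, port1
C 10.11.102.0/24 is directly connected, port2
O 10.11.103.0/24 [110/2] via 10.11.101.2, port1, 00:05:15
C 192.168.102.0/24 is directly connected, port3
O 192.168.103.0/24 [110/2] via 10.11.101.2, port1, 01:03:50
O E2 192.168.160.0/24 [110/10] via 10.11.101.2, port1, 00:05:14
O E2 192.168.170.0/24 [110/10] via 10.11.101.2, port1, 00:05:14
"""

if __name__ == '__main__':
    before = parse_routing_table(ROUTER1_WORKING)
    after = parse_routing_table(ROUTER1_LINK_DOWN)
    for prefix, (b, a) in next_hop_changes(before, after).items():
        print(f'{prefix}: {sorted(b)} -> {sorted(a)}')
    print('learned routes still via port2:', prefixes_via(after, 'port2'))
```

Run on the two snapshots, the diff reports the four prefixes that moved from 10.11.102.3/port2 to 10.11.101.2/port1 (the default route, 10.11.103.0/24, and the two E2 routes), and `prefixes_via(after, 'port2')` comes back empty, which is the convergence result the text describes.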

BGP

Border Gateway Protocol (BGP) is a standardized routing protocol that is used to route traffic across the internet. It
exchanges routing information between Autonomous Systems (AS) on the internet and makes routing decisions based
on path, network policies, and rule sets. BGP contains two distinct subsets: internal BGP (iBGP) and external BGP
(eBGP). iBGP is intended for use within your own networks. eBGP is used to connect different networks together and is
the main routing protocol for the internet backbone.
To configure BGP in the GUI, go to Network > BGP:

Option             Description

Local AS           The AS number for the local router.

Router ID          A unique ID to identify your router in the network, typically in the format x.x.x.x.

Neighbors          The neighbors that the FortiGate will be peering with. Configure the remote router's AS
                   number, any other properties used for peering with the neighbor, and IPv4 and IPv6 filtering.

Networks           The networks to be advertised to other BGP routers.

Redistribute       Enable redistribution by protocol.

Advanced Options   Advanced settings, including Cluster ID, Timers, and Redistribute.

This section includes the following topics:

• Basic BGP example on page 589
• Route filtering with a distribution list on page 597
• Troubleshooting BGP on page 601

Basic BGP example

In this example, BGP is configured on two FortiGate devices. The FortiGates are geographically separated, and form
iBGP peering over a VPN connection. FGT_A also forms eBGP peering with ISP2.
FGT_A learns routes from ISP2 and redistributes them to FGT_B while preventing any iBGP routes from being
advertised.
The internal networks behind the FortiGates can communicate with each other, and the internal networks behind FGT_B
can traverse FGT_A to reach networks that are advertised by ISP2.

• FGT_A and FGT_B have static routes to each other through ISP1. ISP1 does not participate in BGP.
• The IPsec VPN tunnel between FGT_A and FGT_B is configured with wildcard 0.0.0.0/0 networks for phase2 local
  and remote selectors. The VPN interfaces have IP addresses already configured and are used for peering between
  FGT_A and FGT_B.
• FGT_A is configured to peer with ISP2 on 10.10.108.86.
• The firewall policies between FGT_A and FGT_B are not NATed. The firewall policies egressing on wan2 are
  NATed.


Configuring iBGP peering

To configure FGT_A to establish iBGP peering with FGT_B in the GUI:

1. Go to Network > BGP.
2. Set Local AS to 64511.
3. Set Router ID to 1.1.1.1.
4. In the Neighbors table, click Create New and set the following:

   IP          10.100.201.88
   Remote AS   64511

5. Click OK.
6. Under Networks, set IP/Netmask to 192.168.86.0/24.
7. Click Apply.
8. In the CLI, set the interface used as the source IP address of the TCP connection (where the BGP session,
   TCP/179, is connecting from) for the neighbor (update-source) to toFGTB.

To configure FGT_A to establish iBGP peering with FGT_B in the CLI:

config router bgp
    set as 64511
    set router-id 1.1.1.1
    config neighbor
        edit "10.100.201.88"
            set remote-as 64511
            set update-source "toFGTB"
        next
    end
    config network
        edit 1
            set prefix 192.168.86.0 255.255.255.0
        next
    end
end

To configure FGT_B to establish iBGP peering with FGT_A in the GUI:

1. Go to Network > BGP.
2. Set Local AS to 64511.
3. Set Router ID to 2.2.2.2.
4. In the Neighbors table, click Create New and set the following:

   IP          10.100.201.86
   Remote AS   64511

5. Click OK.
6. Under Networks, set IP/Netmask to 192.168.88.0/24.
7. Click Apply.
8. In the CLI, set the interface used as the source IP address of the TCP connection (where the BGP session,
   TCP/179, is connecting from) for the neighbor (update-source) to toFGTA.

To configure FGT_B to establish iBGP peering with FGT_A in the CLI:

config router bgp
    set as 64511
    set router-id 2.2.2.2
    config neighbor
        edit "10.100.201.86"
            set remote-as 64511
            set update-source "toFGTA"
        next
    end
    config network
        edit 1
            set prefix 192.168.88.0 255.255.255.0
        next
    end
end

To check the FGT_A and FGT_B peering:

1. Check the BGP neighbors:

   # get router info bgp neighbors

2. Check the networks learned from neighbors:

   # get router info bgp network

3. Check that the routes are added to the routing table:

   # get router info routing-table all

To see the neighborship status, network, and routing table command outputs for the completed example, see
Troubleshooting and debugging on page 593.

Configuring eBGP peering

By establishing eBGP peering with ISP2, learned routes will have a distance of 20 and will automatically be propagated
to iBGP peers. iBGP peers do not change the next hop when they advertise a route. To make FGT_B receive a route
with FGT_A as the next hop, and not ISP 2's network, Next hop self (next-hop-self) is enabled for routes advertised
to FGT_B.
Additionally, to peer with another router that is multiple hops away, enable ebgp-enforce-multihop in the neighbor
configuration.
In this example, the iBGP routes are automatically advertised to the eBGP neighbor, so a route map is created to deny
iBGP routes from being advertised to ISP 2. Prefixes from ISP 2 are advertised to FGT_A and FGT_B, but no prefixes
are advertised from FGT_A to ISP 2.


To configure FGT_A to establish eBGP peering with ISP 2:

1. Configure a route map to prevent advertisement of iBGP routes to ISP 2:

   config router route-map
       edit "exclude1"
           config rule
               edit 1
                   set action deny
                   set match-origin igp
               next
           end
       next
   end

2. Update the BGP configuration:

   config router bgp
       config neighbor
           edit "10.10.102.87"
               set remote-as 64512
               set route-map-out "exclude1"
           next
           edit "10.100.201.88"
               set next-hop-self enable
           next
       end
   end

To see the neighborship status, network, and routing table command outputs for the completed example, see
Troubleshooting and debugging on page 593.
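To make the advertisement rules in this section concrete, the following Python model is an added example; it is not from the FortiOS guide and not FortiOS code. It takes the six entries from FGT_A's `get router info bgp network` table in this example, transcribed as records, and applies three rules to them: iBGP-learned routes are not re-advertised to an iBGP peer, next-hop-self rewrites the next hop toward FGT_B, and the `exclude1` route map (deny on origin IGP) filters what goes to ISP 2. The `learned_from` field, the route-map's implicit deny for routes matching no rule, and the local peering addresses used as next hops are the model's own assumptions; the counts it produces (5 prefixes to FGT_B, 0 to ISP 2) are the figures to compare against the `announced prefixes` lines in the neighbor output later in this section.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    origin: str         # 'igp', 'egp' or 'incomplete' (origin codes i / e / ?)
    learned_from: str   # 'ebgp', 'ibgp' or 'local' (a network statement); model's own field
    as_path: tuple = ()


# Transcribed from FGT_A's BGP table in this example: four ISP2 prefixes learned over
# eBGP, the local network statement, and one prefix learned from FGT_B over iBGP.
FGT_A_TABLE = [
    BgpRoute('172.16.201.0/24', '10.10.102.87', 'igp', 'ebgp', (64512,)),
    BgpRoute('172.16.202.0/24', '10.10.102.87', 'igp', 'ebgp', (64512,)),
    BgpRoute('172.16.203.0/24', '10.10.102.87', 'igp', 'ebgp', (64512,)),
    BgpRoute('172.16.204.0/24', '10.10.102.87', 'igp', 'ebgp', (64512,)),
    BgpRoute('192.168.86.0/24', '0.0.0.0', 'igp', 'local'),
    BgpRoute('192.168.88.0/24', '10.100.201.88', 'igp', 'ibgp'),
]

LOCAL_AS = 64511
FGT_A_VPN_IP = '10.100.201.86'   # update-source toFGTB, next hop toward FGT_B
FGT_A_WAN2_IP = '10.10.102.86'   # next hop toward ISP 2 (from the neighbor output)


def make_route_map(rules, implicit_action='deny'):
    """Sequential route-map evaluation: the first matching rule decides.
    Routes matching no rule get implicit_action (assumed deny, as on most
    BGP implementations); returns a predicate that is True when permitted."""
    def permitted(route):
        for match, action in rules:
            if match(route):
                return action == 'permit'
        return implicit_action == 'permit'
    return permitted


# route-map "exclude1": rule 1, action deny, match-origin igp
exclude1 = make_route_map([(lambda r: r.origin == 'igp', 'deny')])


def advertise_to_ibgp_peer(table, self_ip, next_hop_self=True):
    """What an iBGP peer receives. Routes learned from another iBGP peer are
    not re-advertised (no route reflector here). With next-hop-self the
    NEXT_HOP becomes this router's peering address; without it, eBGP-learned
    routes keep ISP 2's address, which FGT_B cannot reach through the VPN."""
    out = []
    for r in table:
        if r.learned_from == 'ibgp':
            continue
        if r.learned_from == 'local' or next_hop_self:
            nh = self_ip
        else:
            nh = r.next_hop
        out.append(replace(r, next_hop=nh))
    return out


def advertise_to_ebgp_peer(table, self_ip, local_as, route_map=None):
    """What an eBGP peer receives: every route in the table, including the
    iBGP-learned ones (hence the route map), filtered by the outbound route
    map, with the local AS prepended and the next hop set to this router."""
    out = []
    for r in table:
        if route_map is not None and not route_map(r):
            continue
        out.append(replace(r, next_hop=self_ip, as_path=(local_as,) + r.as_path))
    return out


if __name__ == '__main__':
    for r in advertise_to_ibgp_peer(FGT_A_TABLE, FGT_A_VPN_IP):
        print('to FGT_B :', r.prefix, 'via', r.next_hop)
    print('to ISP 2 :', advertise_to_ebgp_peer(FGT_A_TABLE, FGT_A_WAN2_IP, LOCAL_AS, exclude1))
```

Dropping the route map from the eBGP call shows the leak the section is guarding against: 192.168.88.0/24 (learned from FGT_B) would be announced to ISP 2 with AS path 64511; dropping `next_hop_self` shows FGT_B receiving the ISP 2 prefixes with 10.10.102.87 as the next hop.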

Firewall policies

On FGT_A configure the following policies:

• Allow the internal subnet to the VPN interface. Do not enable NAT. Enable security profiles as required.
• Allow the VPN interface to the internal subnet. Do not enable NAT. Enable security profiles as required.
• Allow the internal subnet to wan2. Enable NAT and security profiles as required.
• Allow VPN traffic from toFGTA to wan2. Enable NAT and security profiles as required.

On FGT_B configure the following policies:

• Allow the internal subnet to the VPN interface. Do not enable NAT. Enable security profiles as required.
• Allow the VPN interface to the internal subnet. Do not enable NAT. Enable security profiles as required.

To verify that pinging from FGT_B to FGT_A is successful:

FGT_B # execute ping-options source 192.168.88.88
FGT_B # execute ping 192.168.86.86
PING 192.168.86.86 (192.168.86.86): 56 data bytes
64 bytes from 192.168.86.86: icmp_seq=0 ttl=255 time=0.5 ms
...
--- 192.168.86.86 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.5 ms


To verify that pinging from FGT_B to a subnet in ISP 2 is successful:

FGT_B # execute ping-options source 192.168.88.88
FGT_B # execute ping 172.16.201.87
PING 172.16.201.87 (172.16.201.87): 56 data bytes
64 bytes from 172.16.201.87: icmp_seq=0 ttl=254 time=0.6 ms
...
--- 172.16.201.87 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.6 ms

FGT_B # execute traceroute-options source 192.168.88.88
FGT_B # execute traceroute 172.16.201.87
traceroute to 172.16.201.87 (172.16.201.87), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.100.201.86 0.315 ms 0.143 ms 0.110 ms
2 172.16.201.87 0.258 ms 0.144 ms 0.222 ms

Troubleshooting and debugging

When troubleshooting issues, logically step through the debugs. For example, if peering cannot be established between
FGT_A and FGT_B:
1. Verify the basic connectivity between the FGT_A wan1 interface and the FGT_B port1 interface.
2. Verify that the VPN between FGT_A and FGT_B is established.
3. Verify the connectivity between the VPN interfaces.
4. Check the neighborship status on each peer. Use the BGP state to help determine the possible issue, for example:

   Idle state   The local FortiGate has not started the BGP process with the neighbor. This could be
                because the eBGP peer is multiple hops away, but multihop is not enabled.

   Connect      The local FortiGate has started the BGP process, but has not initiated a TCP connection,
                possibly due to improper routing.

   Active       The local FortiGate has initiated a TCP connection, but there is no response. This might
                indicate issues with the delivery or the response from the remote peer.

5. If there are issues establishing the TCP connection, use the command diagnose sniffer packet any 'tcp and port 179'
   to identify the problem at the packet level.
The following outputs show instances where all of the configurations are completed, peering has formed, and routes
have been exchanged. The debug output during each configuration step might differ from these outputs. These debug
outputs can be used to help identify what might be missing or misconfigured on your device.
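The neighbor-state table above is the kind of check that is worth scripting when several peers or VRFs are involved. The following Python script is an added example, not part of the FortiOS guide and not a Fortinet tool: it parses the `get router info bgp neighbors` output format shown below into one record per neighbor (peer address, ASNs, link type, state, uptime, last reset reason), compares the result with the expected peering, and attaches the next check from the table above to any session that is not Established. The first sample is trimmed from FGT_A's output in this example; the second is constructed for illustration and is not from the guide. The hint wording and the `expected` dictionary format are the script's own.

```python
import re

NEIGHBOR_RE = re.compile(
    r'^BGP neighbor is (?P<ip>\S+), remote AS (?P<remote_as>\d+), '
    r'local AS (?P<local_as>\d+), (?P<link>internal|external) link$')
STATE_RE = re.compile(r'^BGP state = (?P<state>\w+)(?:, up for (?P<uptime>\S+))?')
RESET_RE = re.compile(r'^Last Reset: (?P<ago>\S+), due to (?P<reason>.+)$')

# Next check per non-Established state, following the troubleshooting table in this section.
STATE_HINTS = {
    'Idle': 'BGP not started toward the neighbor; for an eBGP peer more than one hop away, '
            'check that ebgp-enforce-multihop is enabled.',
    'Connect': 'BGP started but no TCP connection initiated; check routing toward the neighbor.',
    'Active': 'TCP connection initiated with no response; sniff tcp port 179 to see whether '
              'packets reach the peer and whether it answers.',
}


def parse_bgp_neighbors(text):
    """One dict per "BGP neighbor is ..." block, in output order. Lines that
    belong to no block yet (the VRF header) are ignored."""
    neighbors = []
    for raw in text.splitlines():
        line = raw.strip()
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors.append({'ip': m['ip'], 'remote_as': int(m['remote_as']),
                              'local_as': int(m['local_as']), 'link': m['link'],
                              'state': None, 'uptime': None, 'last_reset': None})
            continue
        if not neighbors:
            continue
        cur = neighbors[-1]
        m = STATE_RE.match(line)
        if m:
            cur['state'], cur['uptime'] = m['state'], m['uptime']
            continue
        m = RESET_RE.match(line)
        if m:
            cur['last_reset'] = m['reason']
    return neighbors


def triage(text, expected):
    """Compare parsed neighbors with expected = {peer_ip: remote_as}. Returns
    (peer_ip, state, advice) for every peer that is missing, has the wrong
    remote AS, or is not Established; an empty list means all sessions are up."""
    seen = {n['ip']: n for n in parse_bgp_neighbors(text)}
    findings = []
    for ip, remote_as in expected.items():
        n = seen.get(ip)
        if n is None:
            findings.append((ip, 'missing', 'neighbor not configured or not in this VRF'))
        elif n['remote_as'] != remote_as:
            findings.append((ip, n['state'],
                             f"remote AS mismatch: configured {n['remote_as']}, expected {remote_as}"))
        elif n['state'] != 'Established':
            findings.append((ip, n['state'],
                             STATE_HINTS.get(n['state'], f"see Last Reset: {n['last_reset']}")))
    return findings


# Trimmed from FGT_A's "get router info bgp neighbors" output in this example.
FGT_A_NEIGHBORS = """\
VRF 0 neighbor table:
BGP neighbor is 10.10.102.87, remote AS 64512, local AS 64511, external link
BGP version 4, remote router ID 192.168.2.87
BGP state = Established, up for 01:54:37
Last read 00:00:29, hold time is 180, keepalive interval is 60 seconds
Last Reset: 01:54:42, due to BGP Notification sent
BGP neighbor is 10.100.201.88, remote AS 64511, local AS 64511, internal link
BGP version 4, remote router ID 2.2.2.2
BGP state = Established, up for 01:54:07
Update source is toFGTB
Last Reset: 01:54:12, due to BGP Notification received
"""

# Constructed sample (not from the guide): the ISP 2 session stuck in Active and
# the iBGP neighbor absent from the table.
BROKEN_NEIGHBORS = """\
VRF 0 neighbor table:
BGP neighbor is 10.10.102.87, remote AS 64512, local AS 64511, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Active
Last Reset: 00:02:10, due to BGP Notification sent
"""

EXPECTED_PEERS = {'10.10.102.87': 64512, '10.100.201.88': 64511}

if __name__ == '__main__':
    for label, text in (('FGT_A', FGT_A_NEIGHBORS), ('constructed', BROKEN_NEIGHBORS)):
        print(label, triage(text, EXPECTED_PEERS) or 'all sessions Established')
```

Against the page's output the triage returns nothing, since both sessions are Established; against the constructed sample it returns the Active-state hint for 10.10.102.87 and flags 10.100.201.88 as missing, which is the point at which step 5 above (sniffing TCP port 179) becomes the next action.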

To verify the status of the neighbors:

FGT_A # get router info bgp neighbors
VRF 0 neighbor table:
BGP neighbor is 10.10.102.87, remote AS 64512, local AS 64511, external link
BGP version 4, remote router ID 192.168.2.87
BGP state = Established, up for 01:54:37
Last read 00:00:29, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)

Address family IPv4 Unicast: advertised and received
Address family IPv6 Unicast: advertised and received
Received 513 messages, 1 notifications, 0 in queue
Sent 517 messages, 2 notifications, 0 in queue
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 5, neighbor version 0
Index 3, Offset 0, Mask 0x8
Community attribute sent to this neighbor (both)
Outbound path policy configured
Route map for outgoing advertisements is *exclude1root
4 accepted prefixes, 4 prefixes in rib
0 announced prefixes
For address family: IPv6 Unicast
BGP table version 1, neighbor version 0
Index 3, Offset 0, Mask 0x8
Community attribute sent to this neighbor (both)
0 accepted prefixes, 0 prefixes in rib
0 announced prefixes
Connections established 4; dropped 3
Local host: 10.10.102.86, Local port: 20364
Foreign host: 10.10.102.87, Foreign port: 179
Nexthop: 10.10.102.86
Nexthop interface: wan2
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 01:54:42, due to BGP Notification sent
Notification Error Message: (CeaseUnspecified Error Subcode)
BGP neighbor is 10.100.201.88, remote AS 64511, local AS 64511, internal link
BGP version 4, remote router ID 2.2.2.2
BGP state = Established, up for 01:54:07
Last read 00:00:11, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)
Address family IPv4 Unicast: advertised and received
Address family IPv6 Unicast: advertised and received
Received 527 messages, 3 notifications, 0 in queue
Sent 543 messages, 8 notifications, 0 in queue
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 30 seconds
Update source is toFGTB
For address family: IPv4 Unicast
BGP table version 5, neighbor version 4
Index 1, Offset 0, Mask 0x2
NEXT_HOP is always this router
Community attribute sent to this neighbor (both)
1 accepted prefixes, 1 prefixes in rib
5 announced prefixes
For address family: IPv6 Unicast
BGP table version 1, neighbor version 1
Index 1, Offset 0, Mask 0x2
Community attribute sent to this neighbor (both)
0 accepted prefixes, 0 prefixes in rib

0 announced prefixes
Connections established 7; dropped 6
Local host: 10.100.201.86, Local port: 179
Foreign host: 10.100.201.88, Foreign port: 6245
Nexthop: 10.100.201.86
Nexthop interface: toFGTB
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 01:54:12, due to BGP Notification received
Notification Error Message: (CeaseUnspecified Error Subcode)
FGT_B # get router info bgp neighbors
VRF 0 neighbor table:
BGP neighbor is 10.100.201.86, remote AS 64511, local AS 64511, internal link
BGP version 4, remote router ID 1.1.1.1
BGP state = Established, up for 01:56:04
Last read 00:00:48, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)
Address family IPv4 Unicast: advertised and received
Address family IPv6 Unicast: advertised and received
Received 532 messages, 3 notifications, 0 in queue
Sent 526 messages, 3 notifications, 0 in queue
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 30 seconds
Update source is toFGTA
For address family: IPv4 Unicast
BGP table version 4, neighbor version 3
Index 1, Offset 0, Mask 0x2
Community attribute sent to this neighbor (both)
5 accepted prefixes, 5 prefixes in rib
1 announced prefixes
For address family: IPv6 Unicast
BGP table version 1, neighbor version 1
Index 1, Offset 0, Mask 0x2
Community attribute sent to this neighbor (both)
0 accepted prefixes, 0 prefixes in rib
0 announced prefixes
Connections established 7; dropped 6
Local host: 10.100.201.88, Local port: 6245
Foreign host: 10.100.201.86, Foreign port: 179
Nexthop: 10.100.201.88
Nexthop interface: toFGTA
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 01:56:09, due to BGP Notification sent
Notification Error Message: (CeaseUnspecified Error Subcode)

# get router info bgp neighbors <neighbor's IP> can also be used to verify the status of a specific
neighbor.


To verify the networks learned from neighbors or a specific network:

FGT_A # get router info bgp network
VRF 0 BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 172.16.201.0/24 10.10.102.87 0 0 0 64512 i <-/1>
*> 172.16.202.0/24 10.10.102.87 0 0 0 64512 i <-/1>
*> 172.16.203.0/24 10.10.102.87 0 0 0 64512 i <-/1>
*> 172.16.204.0/24 10.10.102.87 0 0 0 64512 i <-/1>
*> 192.168.86.0 0.0.0.0 100 32768 0 i <-/1>
*>i192.168.88.0 10.100.201.88 0 100 0 0 i <-/1>
Total number of prefixes 6
FGT_A # get router info bgp network 172.16.201.0
VRF 0 BGP routing table entry for 172.16.201.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
10.100.201.88
Original VRF 0
64512
10.10.102.87 from 10.10.102.87 (192.168.2.87)
Origin IGP metric 0, localpref 100, valid, external, best
Last update: Tue Dec 15 22:52:08 2020
FGT_A # get router info bgp network 192.168.88.0
VRF 0 BGP routing table entry for 192.168.88.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
Local
10.100.201.88 from 10.100.201.88 (2.2.2.2)
Origin IGP metric 0, localpref 100, valid, internal, best
Last update: Tue Dec 15 22:52:39 2020
FGT_B # get router info bgp network
VRF 0 BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i172.16.201.0/24 10.100.201.86 0 100 0 0 64512 i <-/1>
*>i172.16.202.0/24 10.100.201.86 0 100 0 0 64512 i <-/1>
*>i172.16.203.0/24 10.100.201.86 0 100 0 0 64512 i <-/1>
*>i172.16.204.0/24 10.100.201.86 0 100 0 0 64512 i <-/1>
*>i192.168.86.0 10.100.201.86 0 100 0 0 i <-/1>
*> 192.168.88.0 0.0.0.0 100 32768 0 i <-/1>
Total number of prefixes 6

To verify the routing tables on FGT_A and FGT_B:

FGT_A # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172.16.151.1, port1, [5/0]
[10/0] via 192.168.2.1, port2, [10/0]
C 10.10.101.0/24 is directly connected, wan1
C 10.10.102.0/24 is directly connected, wan2
S 10.10.103.0/24 [10/0] via 10.10.101.84, wan1
C 10.100.201.0/24 is directly connected, toFGTB
C 10.100.201.86/32 is directly connected, toFGTB
C 172.16.151.0/24 is directly connected, port1
B 172.16.201.0/24 [20/0] via 10.10.102.87, wan2, 02:09:50
B 172.16.202.0/24 [20/0] via 10.10.102.87, wan2, 02:09:50
B 172.16.203.0/24 [20/0] via 10.10.102.87, wan2, 02:09:50
B 172.16.204.0/24 [20/0] via 10.10.102.87, wan2, 02:09:50
C 192.168.2.0/24 is directly connected, port2
C 192.168.86.0/24 is directly connected, vlan86
B 192.168.88.0/24 [200/0] via 10.100.201.88, toFGTB, 02:09:19
FGT_B # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.10.103.84, port1
C 10.10.103.0/24 is directly connected, port1
C 10.100.201.0/24 is directly connected, toFGTA
C 10.100.201.88/32 is directly connected, toFGTA
B 172.16.201.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
B 172.16.202.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
B 172.16.203.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
B 172.16.204.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
B 192.168.86.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
C 192.168.88.0/24 is directly connected, vlan88

Route filtering with a distribution list

During BGP operations, routes can be propagated between BGP peers and redistributed from other routing protocols. In
some situations, advertising routes from one peer to another might need to be prevented.
The Basic BGP example on page 589 explains using a route map to filter routes that are learned from iBGP to prevent
them from propagating to an eBGP peer. In this example, a distribution list is used to prevent certain routes from one
peer from being advertised to another peer.


• A company has its own web and email servers in an OSPF area, and needs to advertise routes to these resources to external peers. Users, routers, and other servers all reside in the OSPF area.
• The FortiGate acts as the BGP border router, redistributing routes from the company's network to its BGP peers. It is connected to the OSPF area using its DMZ interface.
• Two ISP-managed BGP peers in an AS (Peer 1 and Peer 2) are used to access the internet, and routes must not be advertised from Peer 1 to Peer 2. The manufacturers of these routers, and information about other devices on the external BGP AS, are not known.
• Routes to the BGP peers are redistributed so that external locations can access the web and email servers in the OSPF area. The FortiGate device's external interfaces and the BGP peers are in different ASs, and form eBGP peers.
• Other networking devices must be configured for BGP. The peer routers must be updated with the FortiGate device's BGP information, including IP addresses, AS number, and any specific capabilities that are used, such as IPv6, graceful restart, BFD, and so on.
• It is assumed that security policies have been configured to allow traffic between the networks and NAT is not used. To tighten security, only the required services should be allowed inbound to the various servers.
• In a real life scenario, public IP addresses would be used in place of private IP addresses.

Configuring BGP

In this example, Peer 1 routes are blocked from being advertised to Peer 2 using an access list applied as an outbound distribution list. All incoming routes from Peer 1 are blocked when updates are sent to Peer 2.
Routes learned from OSPF are redistributed into BGP. eBGP multipath is enabled to load-balance traffic between the peers using ECMP. See Equal cost multi-path on page 549 for more information.

To configure BGP:

1. Configure an access list to block Peer 1 routes:

config router access-list
    edit "block_peer1"
        config rule
            edit 1
                set action deny
                set prefix 172.21.111.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end

2. Configure BGP:

config router bgp
    set as 65001
    set router-id 10.11.201.110
    set ebgp-multipath enable
    config neighbor
        edit "172.21.111.5"
            set remote-as 65001
        next
        edit "172.22.222.5"
            set distribute-list-out "block_peer1"
            set remote-as 65001
        next
    end
    config redistribute "ospf"
        set status enable
    end
end

Configuring OSPF

In this example, all of the traffic is within the one OSPF area, and there are other OSPF routers in the network. When
adjacencies are formed, other routers receive the routes advertised from the FortiGate that are redistributed from BGP.

To configure OSPF in the GUI:

1. Go to Network > OSPF.
2. Set Router ID to 10.11.201.110.
3. In the Areas table, click Create New and set the following:

Area ID 0.0.0.0

Type Regular

Authentication None

4. Click OK.
5. In the Networks table, click Create New and set the following:

Area 0.0.0.0

IP/Netmask 10.11.201.0 255.255.255.0

6. Click OK.
7. In the Interfaces table, click Create New and set the following:

Name OSPF_dmz_network

Interface dmz

8. Click OK.
9. Under Redistribute, enable BGP and set the metric value to 1.
10. Click Apply.

To configure OSPF in the CLI:

config router ospf
    set router-id 10.11.201.110
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "OSPF_dmz_network"
            set interface "dmz"
        next
    end
    config network
        edit 1
            set prefix 10.11.201.0 255.255.255.0
        next
    end
    config redistribute "bgp"
        set status enable
        set metric 1
    end
end

Testing the configuration

To test this configuration, run the standard connectivity checks, and also make sure that routes are being passed
between protocols as expected. Use the following checklist to help verify that the FortiGate is configured successfully:
1. Check that the FortiGate has established peering with BGP Peer 1 and Peer 2:
# get router info bgp summary
# get router info bgp neighbors

2. Check that the FortiGate has formed adjacency with OSPF neighbors:
# get router info ospf status
# get router info ospf neighbors

3. Check the routing table on the FortiGate to make sure that routes from both OSPF and BGP are included:
# get router info routing-table all

4. Check devices in the OSPF network for internet connectivity and to confirm that routes redistributed from BGP are
in their routing tables.
5. Check the routing table on Peer 2 to confirm that no routes from Peer 1 are included.
6. Check that the routes from the internal OSPF network are redistributed to Peer 1 and Peer 2.
7. Verify connectivity to the HTTP and email servers.


Troubleshooting BGP

There are some features in BGP that are used to deal with problems that may arise. Typically, the problems with a BGP
network that has been configured involve routes going offline frequently. This is called route flap and causes problems
for the routers using that route.

Clearing routing table entries

To see if a new route is being properly added to the routing table, you can clear all or some BGP neighbor connections
(sessions) using the execute router clear bgp command.
For example, if you have 10 routes in the BGP routing table and you want to clear the specific route to IP address
10.10.10.1, enter the following CLI command:
# execute router clear bgp ip 10.10.10.1

To remove all routes for AS number 650001, enter the following CLI command:
# execute router clear bgp as 650001

Route flap

When routers or hardware along a route go offline and back online, that is called a route flap. Flapping is the term that is used if these outages continue, especially if they occur frequently.
Route flap is a problem in BGP because each time a peer or a route goes down, all the peer routers that are connected to
that out-of-service router advertise the change in their routing tables. This creates a lot of administration traffic on the
network and the same traffic re-occurs when that router comes back online. If the problem is something like a faulty
network cable that alternates online and offline every 10 seconds, there could easily be an overwhelming amount of
routing updates sent out unnecessarily.
Another possible reason for route flap occurs with multiple FortiGate devices in HA mode. When an HA cluster fails over
to the secondary unit, other routers on the network may see the HA cluster as being offline, resulting in route flap. While
this doesn't occur often, or more than once at a time, it can still result in an interruption in traffic which is disruptive for
network users. The easy solution for this problem is to increase the timers on the HA cluster, such as TTL timers, so they
don't expire during the failover process. Also, configuring graceful restart on the HA cluster helps with a smooth failover.
The first method of dealing with route flap is to check your hardware. If a cable is loose or bad, it can easily be replaced
and eliminate the problem. If an interface on the router is bad, either avoid using that interface or swap in a functioning
router. If the power source is bad on a router, either replace the power supply or use a power conditioning backup power
supply. These quick and easy fixes can save you from configuring more complex BGP options. However, if the route flap
is from another source, configuring BGP to deal with the outages will ensure your network users uninterrupted service.
Some methods of dealing with route flap in BGP include:
• Holdtime timer on page 601
• Dampening on page 602
• Graceful restart on page 603
• BFD on page 604

Holdtime timer

The first step to troubleshooting a flapping route is the holdtime timer. This timer reduces how frequently a route going
down will cause a routing update to be broadcast.


Once activated, the holdtime timer won't allow the FortiGate to accept any changes to that route for the duration of the
timer. If the route flaps five times during the timer period, only the first outage will be recognized by the FortiGate. For the
duration of the other outages, there won't be changes because the FortiGate is essentially treating this router as down. If
the route is still flapping after the timer expires, it will start again.
If the route isn't flapping (for example, if it goes down, comes up, and stays back up) the timer will still count down and the
route is ignored for the duration of the timer. In this situation, the route is seen as down longer than it really is but there
will be only the one set of route updates. This isn't a problem in normal operation because updates are not frequent.
The potential for a route to be treated as down when it's really up can be viewed as a robustness feature. Typically, you
don't want most of your traffic being routed over an unreliable route. So if there's route flap going on, it's best to avoid that
route if you can. This is enforced by the holdtime timer.

How to configure the holdtime timer

There are three different route flapping situations that can occur: the route goes up and down frequently, the route goes
down and back up once over a long period of time, or the route goes down and stays down for a long period of time.
These can all be handled using the holdtime timer.
For example, your network has two routes that you want to set the timer for. One is your main route (to 10.12.101.4) that
all of your Internet traffic goes through, and it can't be down for long if it's down. The second is a low speed connection to
a custom network that's used infrequently (to 10.13.101.4). The timer for the main route should be fairly short (for
example, 60 seconds). The second route timer can be left at the default, since it's rarely used.

To configure the BGP holdtime timer:

config router bgp
    config neighbor
        edit 10.12.101.4
            set holdtime-timer 60
            set keep-alive-timer 60
        next
        edit 10.13.101.4
            set holdtime-timer 180
            set keep-alive-timer 60
        next
    end
end

Dampening

Dampening is a method that's used to limit the amount of network problems due to flapping routes. With dampening, the
flapping still occurs but the peer routers pay less and less attention to that route as it flaps more often. One flap doesn't
start dampening, but the second flap starts a timer where the router won't use that route because it is considered
unstable. If the route flaps again before the timer expires, the timer continues to increase. There's a period of time called
the reachability half-life, after which a route flap will be suppressed for only half the time. This half-life comes into effect
when a route has been stable for a while but not long enough to clear all the dampening completely. For the flapping
route to be included in the routing table again, the suppression time must expire.
If the route flapping was temporary, you can clear the flapping or dampening from the FortiGate device's cache by using
one of the execute router clear bgp CLI commands:
# execute router clear bgp dampening {<ip_address> | <ip_address/netmask>}

or


# execute router clear bgp flap-statistics {<ip_address> | <ip_address/netmask>}

For example, to remove route flap dampening information for the 10.10.0.0/16 subnet, enter the following CLI command:
# execute router clear bgp dampening 10.10.0.0/16

To configure BGP route dampening:

config router bgp
    set dampening {enable | disable}
    set dampening-max-suppress-time <minutes_integer>
    set dampening-reachability-half-life <minutes_integer>
    set dampening-reuse <reuse_integer>
    set dampening-route-map <routemap-name_str>
    set dampening-suppress <limit_integer>
    set dampening-unreachability-half-life <minutes_integer>
end
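As an added example (not FortiOS code), the following Python models how the dampening-* settings above interact: a per-flap penalty that decays with the reachability half-life, suppression once the penalty exceeds dampening-suppress, reuse once it decays below dampening-reuse, and a penalty cap derived from dampening-max-suppress-time. The penalty per flap and every threshold value are constructed for the illustration.

```python
"""Route-flap dampening penalty model, added as a worked example (not FortiOS code).
It follows the exponential-decay scheme (RFC 2439) that the dampening-* settings
parameterize; all numeric values below are constructed for the illustration."""
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0  # constructed: penalty added each time the route is withdrawn


@dataclass
class DampeningConfig:
    reachability_half_life: float = 15.0   # minutes; dampening-reachability-half-life
    reuse: float = 750.0                   # dampening-reuse
    suppress: float = 1500.0               # dampening-suppress (constructed value)
    max_suppress_time: float = 60.0        # minutes; dampening-max-suppress-time

    def max_penalty(self) -> float:
        """Ceiling on the penalty so no route stays suppressed longer than max_suppress_time."""
        return self.reuse * 2 ** (self.max_suppress_time / self.reachability_half_life)


class DampenedRoute:
    """Tracks one prefix's penalty; times are minutes since the first observation."""

    def __init__(self, cfg: DampeningConfig):
        self.cfg = cfg
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False
        self.flaps = 0

    def _decay_to(self, now: float) -> None:
        # The penalty halves for every half-life of stability since the last update
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.cfg.reachability_half_life)
        self.last_update = now

    def flap(self, now: float) -> bool:
        """Record a withdrawal at time `now`; return True if the route is now suppressed."""
        self._decay_to(now)
        self.flaps += 1
        self.penalty = min(self.penalty + FLAP_PENALTY, self.cfg.max_penalty())
        if self.penalty > self.cfg.suppress:
            self.suppressed = True
        return self.suppressed

    def usable(self, now: float) -> bool:
        """True if the route may be installed in the routing table at time `now`."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.cfg.reuse:
            self.suppressed = False   # decayed below the reuse limit
        return not self.suppressed

    def reuse_in(self, now: float) -> float:
        """Minutes until the penalty decays below the reuse limit (0 if it already has)."""
        self._decay_to(now)
        if self.penalty <= self.cfg.reuse:
            return 0.0
        return self.cfg.reachability_half_life * math.log2(self.penalty / self.cfg.reuse)


if __name__ == "__main__":
    cfg = DampeningConfig()
    route = DampenedRoute(cfg)
    for minute in (0, 1):   # two flaps one minute apart: the first is tolerated, the second suppresses
        print(f"t={minute:>2} min flap -> suppressed={route.flap(minute)} penalty={route.penalty:.0f}")
    print(f"reusable in {route.reuse_in(1):.1f} min; usable at t=30: {route.usable(30)}")
```

With these constructed values a single flap is tolerated and the second one suppresses the route for roughly 21 minutes, which is the behaviour `execute router clear bgp dampening` resets.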

Graceful restart

BGP4 has the capability to gracefully restart.
In some situations, route flap is caused by routers that appear to be offline but the hardware portion of the router (control
plane) can continue to function normally. One example of this is when some software is restarting or being upgraded but
the hardware can still function normally.
Graceful restart is best used for these situations where routing won't be interrupted, but the router is unresponsive to
routing update advertisements. Graceful restart doesn't have to be supported by all routers in a network, but the network
will benefit when more routers support it.
FortiGate HA clusters can benefit from graceful restart. When a failover takes place, the HA cluster advertises that it is
going offline, and will not appear as a route flap. It will also enable the new HA main unit to come online with an updated
and usable routing table. If there is a flap, the HA cluster routing table will be out-of-date.
For example, the FortiGate is one of four BGP routers that send updates to each other. Any of those routers may support
graceful restart. When a router plans to go offline, it sends a message to its neighbors stating how long it expects to be
offline. This way, its neighboring routers don't remove it from their routing tables. However, if that router isn't back online
when expected, the routers will mark it offline. This prevents routing flap and its associated problems.
FortiGate devices support both graceful restart of their own BGP routing software and neighboring BGP routers.

To configure BGP graceful restart:

config router bgp
    set graceful-restart {disable | enable}
    set graceful-restart-time <seconds_integer>
    set graceful-stalepath-time <seconds_integer>
    set graceful-update-delay <seconds_integer>
    config neighbor
        edit 10.12.101.4
            set capability-graceful-restart {enable | disable}
        next
    end
end

Before the restart, the router sends its peers a message to say it's restarting. The peers mark all the restarting router's
routes as stale, but they continue to use the routes. The peers assume the router will restart, check its routes, and take
care of them, if needed, after the restart is complete. The peers also know what services the restarting router can
maintain during its restart. After the router completes the restart, the router sends its peers a message to say it's done
restarting.

To restart the router:

# execute router restart

Scheduled time offline

Graceful restart is a means for a router to advertise that it is going to have a scheduled shutdown for a very short period
of time. When neighboring routers receive this notice, they will not remove that router from their routing table until after a
set time elapses. During that time, if the router comes back online, everything continues to function as normal. If that
router remains offline longer than expected, then the neighboring routers will update their routing tables as they assume
that the router will be offline for a long time.
The following example configures graceful restart on a FortiGate that is expected to be offline for no more than two minutes; after three minutes, the BGP network should consider the FortiGate to be offline.

To configure graceful restart time settings:

config router bgp
    set graceful-restart enable
    set graceful-restart-time 120
    set graceful-stalepath-time 180
end

BFD

Bidirectional Forwarding Detection (BFD) is a protocol that you can use to quickly locate hardware failures in the
network. Routers running BFD communicate with each other and if a timer runs out on a connection then that router is
declared down. BFD then communicates this information to the routing protocol and the routing information is updated.
For more information about BFD, see BFD on page 605.

BGP path selection process

Sometimes the FortiGate may receive multiple BGP paths from neighbors and must decide which is the best path to
take. The following criteria are used to determine the best path.
Consider only routes with no AS loops and a valid next hop, and then:
1. Prefer the highest weight (this attribute is local to the FortiGate).
2. Prefer the highest local preference (applicable within AS).
3. Prefer the route originated by the local router (next hop = 0.0.0.0).
4. Prefer the shortest AS path.
5. Prefer the lowest origin code (IGP > EGP > incomplete).
6. Prefer the lowest MED (exchanged between autonomous systems).
7. Prefer the EBGP path over IBGP path.
8. Prefer the path through the closest IGP neighbor.
9. Prefer the oldest route for EBGP paths.


10. Prefer the path with the lowest neighbor BGP router ID.
11. Prefer the path with the lowest neighbor IP address.
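The selection order above, applied by an added Python example (not FortiOS code) to constructed candidate paths; the Path fields, the sample prefixes and the simplified MED comparison (every pair is compared, not only paths from the same neighboring AS) are assumptions of the example.

```python
"""BGP best-path selection, added here as a worked example (not FortiOS code).
It applies the 11 tie-break steps listed above to constructed candidate paths;
field names and sample values are assumptions for the illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Origin codes as shown in 'get router info bgp network': i (IGP) < e (EGP) < ? (incomplete)
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

STEP_NAMES = [
    "highest weight", "highest local preference", "locally originated",
    "shortest AS path", "lowest origin code", "lowest MED",
    "eBGP over iBGP", "closest IGP neighbor", "oldest eBGP route",
    "lowest neighbor router ID", "lowest neighbor IP address",
]


@dataclass
class Path:
    prefix: str
    next_hop: str                      # "0.0.0.0" marks a locally originated route
    as_path: List[int] = field(default_factory=list)
    weight: int = 0                    # local to this FortiGate
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0                # IGP cost to reach next_hop
    age: int = 0                       # seconds since the path was received
    router_id: str = "0.0.0.0"         # advertising neighbor's BGP router ID
    neighbor_ip: str = "0.0.0.0"
    next_hop_reachable: bool = True


def ip_key(ip: str) -> Tuple[int, ...]:
    """Numeric tuple so '2.2.2.2' < '10.0.0.1' compares as an address, not as a string."""
    return tuple(int(octet) for octet in ip.split("."))


def is_candidate(p: Path, local_as: int) -> bool:
    """Pre-filter: drop paths with an AS loop (our own AS in AS_PATH) or an unusable next hop."""
    return local_as not in p.as_path and p.next_hop_reachable


def selection_key(p: Path) -> tuple:
    """One element per step; tuples compare element by element, so min() yields the best path.
    Simplification: MED is compared for every pair of paths."""
    return (
        -p.weight,                               # 1. highest weight
        -p.local_pref,                           # 2. highest local preference
        0 if p.next_hop == "0.0.0.0" else 1,     # 3. locally originated first
        len(p.as_path),                          # 4. shortest AS path
        ORIGIN_RANK[p.origin],                   # 5. IGP < EGP < incomplete
        p.med,                                   # 6. lowest MED
        0 if p.ebgp else 1,                      # 7. eBGP before iBGP
        p.igp_metric,                            # 8. closest IGP next hop
        -p.age if p.ebgp else 0,                 # 9. oldest route, eBGP paths only
        ip_key(p.router_id),                     # 10. lowest neighbor router ID
        ip_key(p.neighbor_ip),                   # 11. lowest neighbor address
    )


def best_path(paths: List[Path], local_as: int) -> Optional[Path]:
    candidates = [p for p in paths if is_candidate(p, local_as)]
    return min(candidates, key=selection_key) if candidates else None


def deciding_step(a: Path, b: Path) -> Tuple[int, str]:
    """Return the first step (1-based) at which a and b differ, or (0, 'tie')."""
    for step, (x, y) in enumerate(zip(selection_key(a), selection_key(b)), start=1):
        if x != y:
            return step, STEP_NAMES[step - 1]
    return 0, "tie"


if __name__ == "__main__":
    # Constructed: 172.16.201.0/24 as FGT_A might see it, once from the eBGP neighbor
    # 10.10.102.87 (AS 64512) and once as an iBGP path learned via FGT_B.
    ebgp = Path("172.16.201.0/24", "10.10.102.87", [64512], ebgp=True,
                router_id="192.168.2.87", neighbor_ip="10.10.102.87")
    ibgp = Path("172.16.201.0/24", "10.100.201.88", [64512], ebgp=False,
                router_id="2.2.2.2", neighbor_ip="10.100.201.88")
    best = best_path([ibgp, ebgp], local_as=64511)
    print("best via", best.next_hop, "decided by step", deciding_step(ebgp, ibgp))
```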

BFD

Bidirectional Forwarding Detection (BFD) is a protocol that you can use to quickly locate hardware failures in the
network. Routers running BFD send packets to each other at a negotiated rate. If packets from a BFD-enabled router fail
to arrive, that router is declared to be down. BFD communicates this information to the associated routing protocols and
the routing information is updated. It helps detect one way device failure and is used for fast convergence of routing
protocols.
BFD can run on an entire FortiGate, selected interfaces, or on a protocol, such as BGP, for all configured interfaces. The
configuration hierarchy allows each lower level to override the BFD setting of the upper level. For example, if you enable
BFD for an entire FortiGate, you can disable BFD for an interface or for BGP.

Echo mode and authentication are not supported for BFD on the FortiGate.

BFD can be enabled per device, VDOM, or interface. Once enabled, a BFD neighbor should be defined. Finally, enable
BFD on a route or routing protocol.

To configure BFD for an entire FortiGate:

config system settings
    set bfd {enable | disable}
    set bfd-desired-min-tx <ms>
    set bfd-required-min-rx <ms>
    set bfd-detect-mult <multiplier>
    set bfd-dont-enforce-src-port {enable | disable}
end

To configure BFD for an interface:

config system interface
    edit <interface-name>
        set bfd {global | enable | disable}
        set bfd-desired-min-tx <ms>
        set bfd-required-min-rx <ms>
        set bfd-detect-mult <multiplier>
    next
end

To configure BFD neighbors:

config router {bfd | bfd6}
    config neighbor
        edit <IP-address>
            set interface <interface-name>
        next
    end
end

To show BFD neighbors:

# get router {info | info6} bfd neighbor

To show BFD requests:

# get router {info | info6} bfd requests

BFD and static routes

BFD for static routes allows you to configure routing failover based on remote path failure detection. BFD removes a
static route from the routing table if the FortiGate can't reach the route's destination and returns the route to the routing
table if the route's destination is restored.
For example, you can add two static routes with BFD enabled. If one of the routes has a higher priority, all matching
traffic uses that route. If BFD determines that the link to the gateway of the route with the higher priority is down, the
higher priority route is removed from the routing table and all matching traffic uses the lower priority route. If the link to
the gateway for the higher priority route comes back up, BFD adds the route back into the routing table and all matching
traffic switches to use the higher priority route.
You can configure BFD for IPv4 and IPv6 static routes.

To configure BFD for static routes:

config router {static | static6}
    edit <sequence-number>
        set bfd {enable | disable}
        set device <gateway-out-interface>
    next
end

Example

The following example demonstrates the configuration of static routes between two FortiGates. There is a host behind
FortiGate 2 with an IP address of 1.1.1.1. FortiGate 1 has multiple paths to reach the host.


To configure static routes:

1. Configure FortiGate 1:
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.180.6.237 255.255.240.0
        set allowaccess ping
        set bfd enable
    next
end
config router bfd
    config neighbor
        edit 10.180.4.136
            set interface "port1"
        next
    end
end

2. Configure FortiGate 2:
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.180.4.136 255.255.240.0
        set allowaccess ping
        set bfd enable
    next
end
config router bfd
    config neighbor
        edit 10.180.6.237
            set interface "port1"
        next
    end
end

3. Configure two static routes:
config router static
    edit 2
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.180.4.136
        set device "port1"
        set bfd enable
    next
    edit 3
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.180.2.44
        set distance 20
        set device "port1"
    next
end

4. Confirm that BFD neighborship is established:

# get router info bfd neighbor
OurAddress NeighAddress State Interface LDesc/RDesc
10.180.6.237 10.180.4.136 UP port1 1/1

5. Review the active route in the routing table:

# get router info routing-table all
S 1.1.1.1/32 [10/0] via 10.180.4.136, port1
C 10.180.0.0/20 is directly connected, port1

The route with the lower distance is preferred in the routing table.

If port1 on FortiGate 2 goes down or FortiGate 1 is unable to reach 10.180.4.136, the BFD neighborship will go down.
# get router info bfd neighbor
OurAddress NeighAddress State Interface LDesc/RDesc
10.180.6.237 10.180.4.136 DOWN port1 1/1

With BFD neighborship down, the FortiGate is unable to reach 1.1.1.1/32 through gateway 10.180.4.136. The routing
table will be updated so that the route through gateway 10.180.2.44 is active in the routing table.
# get router info routing-table all
S 1.1.1.1/32 [20/0] via 10.180.2.44, port1
C 10.180.0.0/20 is directly connected, port1

BFD removes a static route from the routing table if the FortiGate cannot reach the route's destination. The static route is returned to the routing table if the route's destination is restored.
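An added Python check (not FortiOS code) that parses the two outputs shown above, reproduced here as constructed samples, and flags a routing table whose active route does not match the BFD session state; the output formats come from the example and the check_failover function and its expectation rule are the only assumptions.

```python
"""Added example (not FortiOS code): parse 'get router info bfd neighbor' and
'get router info routing-table all' output and verify that the installed static
route follows the BFD state. The sample outputs below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches e.g. "S 1.1.1.1/32 [10/0] via 10.180.4.136, port1"
ROUTE_RE = re.compile(r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)\s+\[(?P<dist>\d+)/(?P<metric>\d+)\]"
                      r"\s+via\s+(?P<gw>[^\s,]+),\s+(?P<iface>[^\s,]+)")
# Matches e.g. "C 10.180.0.0/20 is directly connected, port1"
CONNECTED_RE = re.compile(r"^C\s+(?P<prefix>\S+)\s+is directly connected,\s+(?P<iface>[^\s,]+)")


@dataclass
class Route:
    code: str
    prefix: str
    distance: int
    metric: int
    gateway: Optional[str]   # None for directly connected routes
    interface: str


def parse_routing_table(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(m["code"], m["prefix"], int(m["dist"]), int(m["metric"]), m["gw"], m["iface"]))
            continue
        m = CONNECTED_RE.match(line)
        if m:
            routes.append(Route("C", m["prefix"], 0, 0, None, m["iface"]))
    return routes


def parse_bfd_neighbors(text: str) -> Dict[str, str]:
    """Map neighbor address -> BFD state from the OurAddress/NeighAddress/State table."""
    states = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[0] != "OurAddress" and cols[2] in ("UP", "DOWN"):
            states[cols[1]] = cols[2]
    return states


def active_gateway(routes: List[Route], prefix: str) -> Optional[str]:
    """Gateway of the installed route for prefix; the lowest distance wins, as in the table above."""
    matches = [r for r in routes if r.prefix == prefix and r.gateway]
    return min(matches, key=lambda r: r.distance).gateway if matches else None


def check_failover(bfd_text: str, rt_text: str, prefix: str,
                   primary_gw: str, backup_gw: str) -> Tuple[str, Optional[str], bool]:
    """Return (expected_gateway, actual_gateway, consistent). A missing BFD session counts as DOWN."""
    state = parse_bfd_neighbors(bfd_text).get(primary_gw, "DOWN")
    expected = primary_gw if state == "UP" else backup_gw
    actual = active_gateway(parse_routing_table(rt_text), prefix)
    return expected, actual, expected == actual


# Constructed samples in the format of the outputs above
BFD_UP = "OurAddress NeighAddress State Interface LDesc/RDesc\n10.180.6.237 10.180.4.136 UP port1 1/1\n"
BFD_DOWN = "OurAddress NeighAddress State Interface LDesc/RDesc\n10.180.6.237 10.180.4.136 DOWN port1 1/1\n"
RT_UP = "S 1.1.1.1/32 [10/0] via 10.180.4.136, port1\nC 10.180.0.0/20 is directly connected, port1\n"
RT_DOWN = "S 1.1.1.1/32 [20/0] via 10.180.2.44, port1\nC 10.180.0.0/20 is directly connected, port1\n"

if __name__ == "__main__":
    for label, bfd, rt in (("primary up", BFD_UP, RT_UP), ("primary down", BFD_DOWN, RT_DOWN),
                           ("stale table", BFD_DOWN, RT_UP)):
        print(label, check_failover(bfd, rt, "1.1.1.1/32", "10.180.4.136", "10.180.2.44"))
```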

BFD and OSPF

You can configure BFD for Open Shortest Path First (OSPF) on a FortiGate. FortiGate supports BFD for OSPF for both
IPv4 and IPv6. BFD must be configured globally and per interface.

To configure BFD for OSPF:

config router {ospf | ospf6}
    set bfd {enable | disable}
end

To enable BFD on a specific OSPF interface:

config router {ospf | ospf6}
    set bfd enable
    config {ospf-interface | ospf6-interface}
        edit <ID>
            set bfd {global | enable | disable}
            set interface <interface-name>
            set area-id <IP address>
        next
    end
end


If BFD is configured when OSPF is not, no BFD packets will be sent. When both BFD and OSPF are configured, the neighbors for both will be the same. Use the following commands to confirm that the neighbor IP addresses match:
# get router info ospf neighbor
# get router info bfd neighbor

BFD and BGP

While BGP can detect route failures, BFD can be configured to detect these failures more quickly, which allows for faster
responses and improved convergence. This can be balanced with the bandwidth BFD uses in its frequent route
checking.
The config router bgp commands allow you to set the addresses of the neighbor units that are also running BFD.
Both units must be configured with BFD in order to use it.

To configure BFD for BGP:

config router bgp
    config neighbor
        edit <neighbor-IP-address>
            set bfd {enable | disable}
            set remote-as <integer>
        next
    end
end

Troubleshooting BFD

You can troubleshoot BFD using the following commands:

# get router {info | info6} bfd neighbor
# get router {info | info6} bfd requests
# diagnose sniffer packet any <filter> <sniffer count>
# diagnose debug application bfdd <debug level>
# diagnose debug enable

Multicast

The following topics include information about multicast:

• Multicast routing and PIM support on page 609
• Configuring multicast forwarding on page 610

Multicast routing and PIM support

Multicasting (also called IP multicasting) consists of using a single multicast source to send data to many receivers.
Multicasting can be used to send data to many receivers simultaneously while conserving bandwidth and reducing
network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way


data transmission for news feeds, financial information, and so on. Many dynamic routing protocols such as RIPv2,
OSPF, and EIGRP use multicasting to share hello packets and routing information.
A FortiGate can operate as a Protocol Independent Multicast (PIM) version 2 router. FortiGates support PIM sparse
mode (RFC 4601) and PIM dense mode (RFC 3973), and can service multicast servers or receivers on the network
segment to which a FortiGate interface is connected. Multicast routing is not supported in transparent mode.
To support PIM communications, the sending and receiving applications, and all connecting PIM routers in between,
must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their
destinations. To enable source-to-destination packet delivery, sparse mode or dense mode must be enabled on the PIM
router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. If the FortiGate is
located between a source and a PIM router, between two PIM routers, or is connected directly to a receiver, you must
manually create a multicast policy to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the
source and destination.

PIM domains

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one bootstrap
router (BSR), and if sparse mode is enabled, a number of rendezvous points (RPs) and designated routers (DRs). When
PIM is enabled, the FortiGate can perform any of these functions at any time as configured.
A PIM domain can be configured in the GUI by going to Network > Multicast, or in the CLI using config router multicast. Note that PIM version 2 must be enabled on all participating routers between the source and receivers. Use config router multicast to set the global operating parameters.
When PIM is enabled, the FortiGate allocates memory to manage mapping information. The FortiGate communicates
with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated
with specific multicast groups.
Instead of sending multiple copies of generated IP traffic to more than one specific IP destination address, PIM-enabled
routers encapsulate the data and use a Class D multicast group address (224.0.0.0 to 239.255.255.255) to forward
multicast packets to multiple destinations. A single stream of data can be sent because one destination address is used.
Client applications receive multicast data by requesting that the traffic destined for a certain multicast group address be
delivered to them.

Configuring multicast forwarding

There is sometimes confusion between the terms forwarding and routing. These two functions should not take place at
the same time. Multicast forwarding should be enabled when the FortiGate is in NAT mode and you want to forward
multicast packets between multicast routers and receivers. However, this function should not be enabled when the
FortiGate itself is operating as a multicast router, or has an applicable routing protocol that uses multicast.
Multicast forwarding is not supported on enhanced MAC VLAN interfaces. To use multicast with enhanced MAC VLAN
interfaces, use PIM (Multicast routing and PIM support on page 609).
There are two steps to configure multicast forwarding:
1. Enabling multicast forwarding on page 611
2. Configuring multicast policies on page 611

FortiOS 6.4.13 Administration Guide 610


Fortinet Inc.
Network

Enabling multicast forwarding

Multicast forwarding is enabled by default. If a FortiGate is operating in transparent mode, adding a multicast policy
enables multicast forwarding. In NAT mode you must use the multicast-forward setting to enable or disable
multicast forwarding.

Multicast forwarding in NAT mode

When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or higher
to all interfaces and VLAN interfaces, except the receiving interface. The TTL in the IP header will be reduced by 1. Even
though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast packets
through the FortiGate.

To enable multicast forwarding in NAT mode:

config system settings
set multicast-forward enable
end

Prevent the TTL for forwarded packets from being changed

You can use the multicast-ttl-notchange option so that the FortiGate does not change (decrement) the TTL value of
forwarded multicast packets. Use this option only if packets are expiring before reaching the multicast router.

To prevent the TTL for forwarded packets from being changed: 

config system settings
set multicast-ttl-notchange enable
end

Disable multicast traffic from passing through the FortiGate without a policy check in transparent mode

In transparent mode, the FortiGate does not forward frames with multicast destination addresses. The FortiGate should
not interfere with the multicast traffic used by routing protocols, streaming media, or other multicast communication. To
avoid any issues during transmission, you can disable multicast-skip-policy and configure multicast security
policies.

To disable multicast traffic from passing through the FortiGate without a policy check in transparent mode:

config system settings
set multicast-skip-policy disable
end

Configuring multicast policies

Multicast packets require multicast policies to allow packets to pass from one interface to another. Similar to firewall
policies, in a multicast policy you specify the source and destination interfaces, and the allowed address ranges for the
source and destination addresses of the packets. You can also use multicast policies to configure source NAT and
destination NAT for multicast packets.
Keep the following in mind when configuring multicast policies:
- When SNAT is enabled, the source IP address of matched forwarded (outgoing) multicast packets is changed to the
configured snat-ip address.
- The snat setting is optional. Use it only when SNAT is needed.

IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature
Visibility, and enable Multicast Policy and IPv6.

Sample basic policy

In this basic policy, multicast packets received on an interface are flooded unconditionally to all interfaces on the
forwarding domain, except the incoming interface.
config firewall multicast-policy
edit 1
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
next
end

The destination address (dstaddr) is a multicast address object. The all option corresponds to all multicast addresses
in the range 224.0.0.0-239.255.255.255.

Sample policy with specific source and destination interfaces

This multicast policy only applies to the source port wan1 and the destination port internal.
config firewall multicast-policy
edit 1
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
next
end

Sample policy with specific source address object

In this policy, packets are allowed to flow from wan1 to internal, and sourced by the address 172.20.120.129, which is
represented by the example_addr-1 address object.
config firewall multicast-policy
edit 1
set srcintf "wan1"
set dstintf "internal"
set srcaddr "example_addr-1"
set dstaddr "all"
next
end

Sample detailed policy

This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to destination address range
239.168.4.0-255. The policy allows the multicast packets to enter the internal interface and then exit the external
interface. When the packets leave the external interface, their source address is translated to 192.168.18.10.
config firewall address
edit "192.168.5.18"
set subnet 192.168.5.18 255.255.255.255
next
end
config firewall multicast-address
edit "239.168.4.0"
set start-ip 239.168.4.0
set end-ip 239.168.4.255
next
end
config firewall multicast-policy
edit 1
set srcintf "internal"
set dstintf "external"
set srcaddr "192.168.5.18"
set dstaddr "239.168.4.0"
set snat enable
set snat-ip 192.168.18.10
next
end
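The following Python script is an added illustration, not FortiOS code or anything from Fortinet, of the NAT-mode multicast handling described in this section: the TTL rule of multicast-forward, the effect of multicast-ttl-notchange, the Class D meaning of the all destination object, and the matching and SNAT behaviour of the sample detailed policy. The address objects and the policy are the ones from the sample above; the evaluation order (TTL rule first, then the first matching policy wins) is an assumption of the model.

```python
"""Added model of NAT-mode multicast forwarding and multicast-policy matching.
Not FortiOS code: it reproduces the rules stated in the administration guide
for a single packet so the effect of each setting can be checked."""
import ipaddress
from dataclasses import dataclass

# The `all` multicast destination object covers 224.0.0.0-239.255.255.255 (Class D).
CLASS_D = ipaddress.ip_network("224.0.0.0/4")

# Address objects from the "Sample detailed policy" in this section.
FIREWALL_ADDRESS = {"192.168.5.18": ipaddress.ip_network("192.168.5.18/32")}
MULTICAST_ADDRESS = {"239.168.4.0": (ipaddress.ip_address("239.168.4.0"),
                                     ipaddress.ip_address("239.168.4.255"))}

# The sample detailed policy, written as a dict instead of CLI syntax.
POLICIES = [{
    "id": 1, "srcintf": "internal", "dstintf": "external",
    "srcaddr": "192.168.5.18", "dstaddr": "239.168.4.0",
    "snat": True, "snat_ip": "192.168.18.10",
}]


@dataclass
class Packet:
    intf: str   # interface the packet arrived on (or leaves by, for a result)
    src: str
    dst: str
    ttl: int


def is_multicast_group(addr):
    """True if addr is a Class D group address that a multicast policy can match."""
    return ipaddress.ip_address(addr) in CLASS_D


def _src_matches(obj, src):
    return obj == "all" or ipaddress.ip_address(src) in FIREWALL_ADDRESS[obj]


def _dst_matches(obj, dst):
    group = ipaddress.ip_address(dst)
    if obj == "all":
        return group in CLASS_D
    low, high = MULTICAST_ADDRESS[obj]          # multicast-address object: start-ip .. end-ip
    return low <= group <= high


def forward(pkt, outintf, policies=POLICIES, ttl_notchange=False):
    """Return the packet as it would leave outintf, or None if it is dropped.
    Assumed order: TTL rule first, then the first matching policy wins."""
    if not is_multicast_group(pkt.dst) or outintf == pkt.intf:
        return None                  # unicast is out of scope; never flooded back out the ingress
    if pkt.ttl < 2:
        return None                  # multicast-forward forwards only packets with TTL >= 2
    for pol in policies:
        if pol["srcintf"] not in ("any", pkt.intf) or pol["dstintf"] not in ("any", outintf):
            continue
        if not (_src_matches(pol["srcaddr"], pkt.src) and _dst_matches(pol["dstaddr"], pkt.dst)):
            continue
        src = pol["snat_ip"] if pol.get("snat") else pkt.src     # SNAT rewrites the source
        ttl = pkt.ttl if ttl_notchange else pkt.ttl - 1         # TTL reduced by 1 unless notchange
        return Packet(outintf, src, pkt.dst, ttl)
    return None                      # flooded to the interface, but no policy lets it through


if __name__ == "__main__":
    print(forward(Packet("internal", "192.168.5.18", "239.168.4.10", 64), "external"))
    print(forward(Packet("internal", "192.168.5.18", "239.168.5.1", 64), "external"))
```

Calling forward with the sample policy shows the three outcomes the text describes: a packet from 192.168.5.18 to a group in 239.168.4.0-255 leaves external with its source rewritten to 192.168.18.10 and TTL reduced by one, a packet to a group outside that range or from any other source is not passed, and a packet arriving with TTL 1 is never forwarded at all.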

To configure multicast policies in the GUI, enable Multicast Policy in System > Feature
Visibility.

Using multi VDOM mode

When using multi VDOM mode, it is important to avoid causing a multicast network loop by creating an all-to-all multicast
policy. By default, on models that support NPU virtual links, changing the vdom-mode to multi-vdom will create a pair
of npu0_vlink0 and npu0_vlink1 interfaces in the same root VDOM. By virtue of the all-to-all multicast policy and the fact
the npu0_vlink interfaces are virtually connected, it forms a multicast network loop.
Therefore, when using multi VDOM mode:
1. Ensure there is no existing all-to-all multicast policy before changing to multi VDOM mode.
2. If an all-to-all multicast policy must be defined, ensure that no two connected interfaces (such as npu0_vlink0 and
npu0_vlink1) belong in the same VDOM.

This configuration will result in a multicast loop:

config system global
set vdom-mode multi-vdom
end
config firewall multicast-policy
edit 1
set logtraffic enable
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
next
end
# show system interface
config system interface
edit "npu0_vlink0"
set vdom "root"
set type physical
next
edit "npu0_vlink1"
set vdom "root"
set type physical
next
end
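To catch the loop condition before switching to multi VDOM mode, the following added Python script (not a Fortinet tool) parses a FortiOS configuration dump of the kind shown above and reports any NPU vlink pair that shares a VDOM while an any-to-any multicast policy exists and vdom-mode is multi-vdom. The parser handles only the config/edit/set/next/end syntax used on this page; the sample configuration is a constructed copy of the loop-prone one shown.

```python
"""Added audit script: detect the multicast loop described in
"Using multi VDOM mode" from a FortiOS configuration dump.  Not Fortinet code."""
import re
import shlex

# Constructed sample reproducing the loop-prone configuration shown on this page.
LOOP_CONFIG = """\
config system global
    set vdom-mode multi-vdom
end
config firewall multicast-policy
    edit 1
        set logtraffic enable
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
    next
end
config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set type physical
    next
    edit "npu0_vlink1"
        set vdom "root"
        set type physical
    next
end
"""
# Same configuration with npu0_vlink1 moved to another VDOM ("vd1" is a placeholder).
SEPARATED_CONFIG = LOOP_CONFIG.replace('edit "npu0_vlink1"\n        set vdom "root"',
                                       'edit "npu0_vlink1"\n        set vdom "vd1"')

VLINK_RE = re.compile(r"^(npu\d+_vlink)(\d+)$")


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts:
    result[table][entry][setting] -> list of values.  Settings that sit directly
    under a table with no `edit` (config system global) are stored under the
    entry key None.  Lines that are not one of those keywords are ignored."""
    root, stack = {}, []          # stack items: [table_dict, current_entry_dict_or_None]
    for raw in text.splitlines():
        toks = shlex.split(raw)
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            if not stack:
                parent = root
            elif stack[-1][1] is not None:
                parent = stack[-1][1]                       # table nested inside an entry
            else:
                parent = stack[-1][0].setdefault(None, {})
            stack.append([parent.setdefault(" ".join(args), {}), None])
        elif cmd == "edit" and stack:
            stack[-1][1] = stack[-1][0].setdefault(args[0], {})
        elif cmd == "set" and stack and args:
            table, entry = stack[-1]
            target = entry if entry is not None else table.setdefault(None, {})
            target[args[0]] = args[1:]
        elif cmd == "next" and stack:
            stack[-1][1] = None
        elif cmd == "end" and stack:
            stack.pop()
    return root


def multicast_loop_findings(text):
    """One finding per NPU vlink pair that shares a VDOM while an any-to-any
    multicast policy exists in multi-VDOM mode; an empty list means no loop."""
    cfg = parse_fortios(text)
    mode = cfg.get("system global", {}).get(None, {}).get("vdom-mode", ["no-vdom"])[0]
    if mode != "multi-vdom":
        return []
    policies = cfg.get("firewall multicast-policy", {})
    open_policies = sorted(pid for pid, p in policies.items() if pid is not None
                           and p.get("srcintf") == ["any"] and p.get("dstintf") == ["any"])
    if not open_policies:
        return []
    pairs = {}                    # (vlink prefix, vdom) -> interface names
    for name, attrs in cfg.get("system interface", {}).items():
        m = VLINK_RE.match(name or "")
        if m:
            vdom = attrs.get("vdom", [""])[0]
            pairs.setdefault((m.group(1), vdom), []).append(name)
    return [{"policies": open_policies, "vdom": vdom, "links": sorted(links)}
            for (_, vdom), links in pairs.items() if len(links) > 1]


if __name__ == "__main__":
    print(multicast_loop_findings(LOOP_CONFIG))
    print(multicast_loop_findings(SEPARATED_CONFIG))
```

Run against the output of show, the script flags policy 1 together with npu0_vlink0 and npu0_vlink1 in root; either removing the any-to-any policy or placing the two link ends in different VDOMs, as the two rules above require, clears the finding.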

FortiExtender

The following topics include information about FortiExtender:
- Adding a FortiExtender on page 614
- Data plan profiles on page 616

For information about configuring FortiExtender, see the FortiExtender Admin Guide (FGT-
Managed) and Admin Guide (Standalone).

Adding a FortiExtender

To add a FortiExtender to the FortiGate, create a virtual FortiExtender interface, then add a FortiExtender and assign the
interface to the modem. Like other interface types, the FortiExtender interface can be used in static routes, SD-WAN
(see Manage dual FortiExtender devices), policies, and other functions.

To create a virtual FortiExtender interface in the GUI:

1. Go to Network > Interfaces and click Create New > FortiExtender.
2. Enter a name for the interface.
3. Configure the remaining settings as needed. See Interface settings on page 403 for more details.
4. Click OK.

To edit a FortiExtender in the GUI:

FortiExtenders can only be manually added in the CLI.

1. Go to Network > FortiExtender and edit the FortiExtender.
2. Adjust the settings as required. See the FortiExtender Administration Guide for more information.
3. Click OK.
4. In the extenders list, right-click on the FortiExtender and select Diagnostics and Tools to review the modem and SIM
status, and other details about the FortiExtender.

To create a virtual FortiExtender interface in the CLI:

config system interface
edit "fext"
set vdom "root"
set mode dhcp
set allowaccess ping https speed-test
set type fext-wan
set estimated-upstream-bandwidth 1000
set estimated-downstream-bandwidth 500
next
end

To configure the FortiExtender in the CLI:

config extender-controller extender
edit "FX211E0000000000"
set id "FX211E0000000000"
set authorized enable
config modem1
set ifname "fext"
end
next
end

To verify the modem settings in the CLI:

# get extender modem-status FX211E0000000000 1
Modem 0:
physical_port: 2-1.2
manufacture: Sierra Wireless, Incorporated
product: Sierra Wireless, Incorporated
....

For information about configuring FortiExtender, see the FortiExtender Admin Guide (FGT-
Managed) and Admin Guide (Standalone).

Data plan profiles

The data plan profile allows users to configure connectivity settings based on modem, carrier, slot, SIM ID, or cost. Users
can also specify billing details related to the data plan, as well as smart switch thresholds to define when to switch over to
a different SIM.
A FortiExtender has multiple SIM card slots. Certain models also have multiple modems. Essentially, each modem can
make one connection with one of the two SIMs associated with the modem. The data plan profile allows users to create
general configurations that work across multiple SIMs, or specific profiles that work on a specific SIM. First, the data plan
matches the criteria based on the modem ID and type.

Syntax
config extender-controller dataplan
edit <name>
set modem-id {modem1 | modem2 | all}
set type {carrier | slot | iccid | generic}
next
end

Variable                       Description
set modem-id                   Select the match criterion based on the modem:
(Available on in the GUI)      - modem1: Use modem 1.
                               - modem2: Use modem 2.
                               - all: Use both modems (default).
set type                       Select the match criterion based on the type:
(Type in the GUI)              - carrier: Assign by SIM carrier.
                               - slot: Assign to SIM slot 1 or 2.
                               - iccid: Assign to a specific SIM by ICCID.
                               - generic: Compatible with any SIM (default). Assigned if no other data plan
                                 matches the chosen SIM.

When a modem connects to the network through a SIM, it will read the SIM information and try to match a data plan
based on the modem ID and type. It then uses the data plan connectivity settings to connect (authentication, PDN type,
preferred subnet, APN, private network). The billing details (such as the monthly data limit) and smart switch threshold
settings define how the SIMs will be switched.
Multiple data plans can be configured.

Once the FortiExtender is controlled by the FortiGate, the data plan is sent to the FortiExtender. The format is identical
between devices.

To configure a data plan in the GUI:

1. Go to Network > FortiExtender and in the top menu, click Data plans.
2. Click Create New.
3. Enter a name and ensure that the Status is enabled.
4. Set Available on to All Modems or Modem 1.
5. Set the plan Type. If Carrier is selected, enter the carrier name. If ICCID is selected, enter the ICCID number.
6. Configure the other settings as needed.
7. Click OK.

To configure a data plan in the CLI:

config extender-controller dataplan
edit "Telus-modem1"
set modem-id modem1
set type carrier
set carrier "Telus"
set capacity 2000
set billing-date 30
next
edit "Fido-modem2"
set modem-id modem2
set type carrier
set carrier "Generic"
set capacity 3000
next
edit "Bell"
set type carrier
set carrier "Bell"
set APN "pda.bell.ca"
set capacity 6000
next
end
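The data plan selection described above (match on modem ID, then on type, with generic as the fallback) as an added Python example; this is not FortiExtender or FortiOS code. The three plans are copied from the CLI sample as written, and a constructed ICCID plan with a placeholder ICCID and a constructed generic plan are added so that the fallback and the precedence between plans can be exercised. The tie-break among the specific types (iccid before slot before carrier) is an assumption of this example; the page does not state the FortiExtender's own precedence.

```python
"""Added model of FortiExtender data plan matching; not Fortinet code."""
from dataclasses import dataclass


@dataclass
class DataPlan:
    name: str
    type: str = "generic"        # carrier | slot | iccid | generic
    modem_id: str = "all"        # modem1 | modem2 | all (the default)
    carrier: str = ""
    slot: int = 0
    iccid: str = ""
    capacity: int = 0            # monthly data limit, as in the CLI sample


@dataclass
class Sim:
    modem_id: str                # modem the SIM is connected through
    slot: int
    carrier: str
    iccid: str


# Plans from the CLI sample on this page, plus a constructed ICCID plan
# (placeholder ICCID) and a constructed generic fallback.
PLANS = [
    DataPlan("Telus-modem1", "carrier", "modem1", carrier="Telus", capacity=2000),
    DataPlan("Fido-modem2", "carrier", "modem2", carrier="Generic", capacity=3000),
    DataPlan("Bell", "carrier", carrier="Bell", capacity=6000),
    DataPlan("Telus-SIM-A", "iccid", iccid="8912-PLACEHOLDER-0001", capacity=500),
    DataPlan("Fallback", "generic"),
]

# Assumed tie-break when several specific plans match one SIM: the narrower
# criterion wins (a single ICCID before a slot before a whole carrier).
SPECIFICITY = {"iccid": 0, "slot": 1, "carrier": 2}


def _matches(plan, sim):
    """First the modem-id criterion, then the type-specific criterion."""
    if plan.modem_id not in ("all", sim.modem_id):
        return False
    if plan.type == "carrier":
        return plan.carrier == sim.carrier
    if plan.type == "slot":
        return plan.slot == sim.slot
    if plan.type == "iccid":
        return plan.iccid == sim.iccid
    return plan.type == "generic"


def select_data_plan(sim, plans=PLANS):
    """Plan the modem would apply for this SIM: the most specific matching
    plan, else a generic plan valid for the modem, else None."""
    matching = [p for p in plans if _matches(p, sim)]
    specific = [p for p in matching if p.type != "generic"]
    if specific:
        return min(specific, key=lambda p: SPECIFICITY[p.type])
    return next((p for p in matching if p.type == "generic"), None)


if __name__ == "__main__":
    for sim in (Sim("modem1", 1, "Telus", "8912-X"), Sim("modem2", 2, "Telus", "8912-X")):
        chosen = select_data_plan(sim)
        print(sim, "->", chosen.name if chosen else None)
```

A Telus SIM in modem 1 gets Telus-modem1, the same SIM in modem 2 falls through to the generic plan because Telus-modem1 is restricted to modem 1, and a Bell SIM in either modem gets Bell because that plan keeps the default modem-id of all.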

Direct IP support for LTE/4G

Direct IP is a public IP address that is assigned to a computing device, which allows the device to directly access the
internet.
When an LTE modem is enabled in FortiOS, a DHCP interface is created. As a result, the FortiGate can acquire direct IP
(which includes IP, DNS, and gateway) from the LTE network carrier.
Since some LTE modems require users to input the access point name (APN) for the LTE network, the LTE modem
configuration allows you to set the APN.

LTE modems can only be enabled by using the CLI.

To enable direct IP support using the CLI:

1. Enable the LTE modem:
config system lte-modem
set status enable
end

2. Check that the LTE interface was created:
config system interface
edit "wwan"
set vdom "root"
set mode dhcp
set status down
set distance 1
set type physical
set snmp-index 23
next
end

Shortly after the LTE modem joins its carrier network, wwan is enabled and granted direct IP:
# config system interface
(interface) # edit wwan
(wwan) # get
name : wwan
....
ip : 100.112.75.43 255.255.255.248
....
status : up
....
defaultgw : enable
DHCP Gateway : 100.112.75.41
Lease Expires : Thu Feb 21 19:33:27 2019
dns-server-override : enable
Acquired DNS1 : 184.151.118.254
Acquired DNS2 : 70.28.245.227
....

PCs can reach the internet via the following firewall policy:
config firewall policy
....
edit 5
set name "LTE"
set srcintf "port9"
set dstintf "wwan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set fsso disable
set nat enable
next
end

Sample LTE interface

When an LTE modem is enabled, you can view the LTE interface in the GUI and check the acquired IP, DNS, and
gateway.

To view the LTE interface in the GUI:

1. Go to Network > Interfaces.
2. Double-click the LTE interface to view the properties.
3. Look in the Address section to view the:
a. Obtained IP
b. Acquired DNS
c. Default Gateway
4. Click Return.

To configure the firewall policy that uses the LTE interface:

1. Go to Policy & Objects > Firewall Policy.
2. Double-click the LTE policy. The Edit Policy pane opens.
3. In the Outgoing Interface field, select the interface (wwan in this example).
4. Configure the rest of the policy as needed.
5. Click OK.

Limitations

- Most LTE modems have a preset APN in their SIM card. Therefore, the APN does not need to be set in the FortiOS
configuration. In cases where the internet cannot be accessed, consult with your carrier and set the APN in the LTE
modem configuration (for example, inet.bell.ca):
config system lte-modem
set status enable
set apn "inet.bell.ca"
end

- Some models, such as the FortiGate 30E-3G4G, have built-in LTE modems. In this scenario, the LTE modem is
enabled by default. The firewall policy via the LTE interface is also created by default. Once you plug in a SIM card,
your network devices can connect to the internet.

Sample FortiGate 30E-3G4G default configuration:

config system lte-modem
set status enable
set extra-init ''
set manual-handover disable
set force-wireless-profile 0
set authtype none
set apn ''
set modem-port 255
set network-type auto
set auto-connect disable
set gpsd-enabled disable
set data-usage-tracking disable
set gps-port 255
end

config firewall policy
....
edit 3
set srcintf "internal"
set dstintf "wwan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

LLDP reception

Natively, device detection can scan LLDP as a source for device identification. However, the FortiGate does not read or
store the full information. Enabling LLDP reception allows the FortiGate to receive and store LLDP messages, learn
about active neighbors, and make the LLDP information available via the CLI, REST API, and SNMP.

You will need to enable device-identification at the interface level, and then lldp-reception can be enabled
on three levels: globally, per VDOM, or per interface.

To configure device identification on an interface:

config system interface
edit <port>
set device-identification enable
next
end

To configure LLDP reception globally:

config system global
set lldp-reception enable
end

To configure LLDP reception per VDOM:

config system settings
set lldp-reception enable
end

To configure LLDP reception per interface:

config system interface
edit <port>
set lldp-reception enable
next
end

To view the LLDP information in the GUI:

1. Go to Dashboard > Users & Devices.
2. Hover over the Device Inventory widget, and click Expand to Full Screen.

To view the received LLDP information in the CLI:

# diagnose user device list
hosts
vd root/0 44:0a:a0:0a:0a:0a gen 3 req S/2
created 10290s gen 1 seen 0s port3 gen 1
ip 172.22.22.22 src lldp
type 20 'Other Network Device' src lldp id 155 gen 2
os 'Artist EOS ' version '4.20.4' src lldp id 155
host 'artist' src lldp

To view additional information about LLDP neighbors and ports:

# diagnose lldprx neighbor {summary | details | clear}
# diagnose lldprx port {details | summary | neighbor | filter}
# diagnose lldprx port neighbor {summary | details}

Note that the port index in the output corresponds to the port index from the following command:
# diagnose netlink interface list port2 port3 | grep index
if=port2 family=00 type=1 index=4 mtu=1500 link=0 master=0
if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0

To view the received LLDP information in the REST API:

{
  "http_method":"GET",
  "results":[
    {
      "mac":"90:9c:9c:c9:c9:90",
      "chassis_id":"90:9C:9C:C9:C9:90",
      "port":19,
      "port_id":"port12",
      "port_desc":"port12",
      "system_name":"S124DN3W00000000",
      "system_desc":"FortiSwitch-124D v3.6.6,build0416,180515 (GA)",
      "ttl":120,
      "addresses":[
        {
          "type":"ipv4",
          "address":"192.168.1.99"
        }
      ]
    }
  ],
  "vdom":"root",
  "path":"network",
  "name":"lldp",
  "action":"neighbors",
  "status":"success",
  "serial":"FG201E4Q00000000",
  "version":"v6.2.0",
  "build":866
}
{
  "http_method":"GET",
  "results":[
    {
      "name":"port1",
      "rx":320,
      "neighbors":1
    }
  ],
  "vdom":"root",
  "path":"network",
  "name":"lldp",
  "action":"ports",
  "mkey":"port1",
  "status":"success",
  "serial":"FG201E4Q00000000",
  "version":"v6.2.0",
  "build":866
}
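An added Python example, not Fortinet code, that consumes the two REST API responses above together with the diagnose netlink output: it resolves the numeric port index of each neighbor to the local interface name, groups neighbors by that port, flags neighbors whose chassis ID is not on an expected list (the check an operator runs to notice an unknown device appearing on a port), and cross-checks the per-port neighbor counts from the ports response. The JSON is a constructed copy of the responses shown; the port1 line with index 19 in the netlink sample is an assumption so that the neighbor's port index resolves to a name (the page only shows the port2 and port3 lines).

```python
"""Added consumer for the LLDP neighbors/ports REST API responses and the
diagnose netlink port index mapping.  Not Fortinet code."""
import json
import re

# Constructed responses mirroring the two REST API documents shown on this page.
NEIGHBORS_JSON = json.dumps({
    "http_method": "GET",
    "results": [{
        "mac": "90:9c:9c:c9:c9:90",
        "chassis_id": "90:9C:9C:C9:C9:90",
        "port": 19,                      # local FortiGate port index (see netlink)
        "port_id": "port12",             # the neighbor's own port
        "port_desc": "port12",
        "system_name": "S124DN3W00000000",
        "system_desc": "FortiSwitch-124D v3.6.6,build0416,180515 (GA)",
        "ttl": 120,
        "addresses": [{"type": "ipv4", "address": "192.168.1.99"}],
    }],
    "vdom": "root", "path": "network", "name": "lldp", "action": "neighbors",
    "status": "success", "serial": "FG201E4Q00000000", "version": "v6.2.0", "build": 866,
})
PORTS_JSON = json.dumps({
    "http_method": "GET",
    "results": [{"name": "port1", "rx": 320, "neighbors": 1}],
    "vdom": "root", "path": "network", "name": "lldp", "action": "ports",
    "mkey": "port1", "status": "success", "serial": "FG201E4Q00000000",
    "version": "v6.2.0", "build": 866,
})
# Constructed `diagnose netlink interface list` output.  The page shows the
# port2/port3 lines (index 4/5); the port1 line with index 19 is assumed here.
NETLINK_OUTPUT = """\
if=port1 family=00 type=1 index=19 mtu=1500 link=0 master=0
if=port2 family=00 type=1 index=4 mtu=1500 link=0 master=0
if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0
"""
NETLINK_RE = re.compile(r"^if=(\S+)\s.*?\bindex=(\d+)")


def port_index_map(netlink_text):
    """Map each numeric interface index to the interface name."""
    mapping = {}
    for line in netlink_text.splitlines():
        m = NETLINK_RE.match(line.strip())
        if m:
            mapping[int(m.group(2))] = m.group(1)
    return mapping


def lldp_inventory(neighbors_json, netlink_text):
    """Group LLDP neighbors by the local FortiGate port they were heard on."""
    idx = port_index_map(netlink_text)
    inventory = {}
    for n in json.loads(neighbors_json)["results"]:
        local_port = idx.get(n["port"], f"index{n['port']}")   # fall back to the raw index
        inventory.setdefault(local_port, []).append({
            "chassis_id": n["chassis_id"].upper(),
            "system_name": n.get("system_name", ""),
            "remote_port": n.get("port_id", ""),
            "addresses": [a["address"] for a in n.get("addresses", [])],
        })
    return inventory


def unexpected_neighbors(inventory, known_chassis_ids):
    """(port, chassis_id) for neighbors whose chassis ID is not on the expected
    list, e.g. an unknown switch or host plugged into a FortiGate port."""
    known = {c.upper() for c in known_chassis_ids}
    return [(port, n["chassis_id"]) for port, neighbors in inventory.items()
            for n in neighbors if n["chassis_id"] not in known]


def port_count_mismatches(inventory, ports_json):
    """Ports whose neighbor count in the ports response differs from the
    number of neighbors returned for that port by the neighbors response."""
    return [p["name"] for p in json.loads(ports_json)["results"]
            if p["neighbors"] != len(inventory.get(p["name"], []))]


if __name__ == "__main__":
    inv = lldp_inventory(NEIGHBORS_JSON, NETLINK_OUTPUT)
    print(inv)
    print(unexpected_neighbors(inv, ["90:9c:9c:c9:c9:90"]))
    print(port_count_mismatches(inv, PORTS_JSON))
```

With the expected chassis list containing the FortiSwitch, the unexpected list is empty; with an empty expected list the switch on port1 is reported, which is the signal to investigate when a neighbor appears that the inventory does not know.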

Virtual routing and forwarding

Virtual Routing and Forwarding (VRF) is used to divide the FortiGate's routing functionality (layer 3), including interfaces,
routes, and forwarding tables, into separate units. Packets are only forwarded between interfaces that have the same
VRF.
VDOMs divide the FortiGate into two or more complete and independent virtual units that include all FortiGate functions.
VDOMs can be used for routing segmentation, but that should not be the only reason to implement them when a less
complex solution (VRFs) can be used. VDOMs also support administration boundaries, but VRFs do not.
Up to 32 VRFs can be configured in each VDOM, but only ten VDOMs can be configured by default on a FortiGate (more
VDOMs can be configured on larger devices with additional licenses).
- Implementing VRF on page 624
- VRF routing support on page 626
- Route leaking between VRFs on page 631
- Route leaking between multiple VRFs on page 633
- IBGP and EBGP support in VRF on page 643

Implementing VRF

VRFs are always enabled and, by default, all routing is done in VRF 0. To use additional VRFs, assign a VRF ID to an
interface. All routes relating to that interface are isolated in that VRF's routing table. Interfaces in one VRF cannot
reach interfaces in a different VRF.
If some traffic does have to pass between VRFs, route leaking can be used. See Route leaking between VRFs on page
631.

Enable Advanced Routing in System > Feature Visibility to configure VRFs.

To configure a VRF ID on an interface in the GUI:

1. Go to Network > Interfaces and click Create New > Interface.
2. Enter a value in the VRF ID field.
3. Configure the other settings as needed.
4. Click OK.
5. To add the VRF column in the interface table, click the gear icon, select VRF, and click Apply.

To configure a VRF ID on an interface in the CLI:

config system interface
edit test_interface
...
set vrf 14
next
end

VRF routing support

VRF supports static routing, OSPF, and BGP. Other routing protocols require using VDOMs.

BGP

In this example, BGP routes learned from each neighbor are installed in the routing table of the VRF that the neighbor's
interface belongs to.
The hub is configured with two neighbors connected to two interfaces. The branches are configured to match the hub,
with branch networks configured to redistribute into BGP.
Policies must be created on the hub and branches to allow traffic between them.

To configure the hub:

config router bgp
set as 65000
config neighbor
edit "10.101.101.2"
set soft-reconfiguration enable
set interface "port2"
set remote-as 65101
set update-source "port2"
next
edit "10.102.102.2"
set soft-reconfiguration enable
set interface "port3"
set remote-as 65102
set update-source "port3"
next
end
end

To configure branch 101:

config router bgp
set as 65101
config neighbor
edit "10.101.101.1"
set soft-reconfiguration enable
set interface "port2"
set remote-as 65000
set update-source "port2"
next
end
config redistribute connected
set status enable
end
end

To configure branch 102:

config router bgp
set as 65102
config neighbor
edit "10.102.102.1"
set soft-reconfiguration enable
set interface "port2"
set remote-as 65000
set update-source "port2"
next
end
config redistribute connected
set status enable
end
end

To verify the BGP neighbors and check the routing table on the hub:

# get router info bgp summary
BGP router identifier 192.168.0.1, local AS number 65000
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pf
10.101.101.2 4 65101 4 4 2 0 0
10.102.102.2 4 65102 3 3 1 0 0

Total number of neighbors 2

# get router info routing-table all
Routing table for VRF=0
Codes (…)
S* 0.0.0.0/0 [10/0] via 192.168.0.254, port1
C 10.101.101.0/24 is directly connected, port2
C 10.102.102.0/24 is directly connected, port3
C 192.168.0.0/24 is directly connected, port1
B 192.168.101.0/24 [20/0] via 10.101.101.2, port2, 00:01:25
B 192.168.102.0/24 [20/0] via 10.102.102.2, port3, 00:00:50

To configure VRF on the hub:

1. Put the interfaces into VRF:
config system interface
edit port2
set vrf 10
next
edit port3
set vrf 20
next
end

2. Restart the router to reconstruct the routing tables:
# execute router restart

3. Check the routing tables:
# get router info routing-table all
Routing table for VRF=0
Codes (…)
S* 0.0.0.0/0 [10/0] via 192.168.0.254, port1
C 192.168.0.0/24 is directly connected, port1

Routing table for VRF=10
C 10.101.101.0/24 is directly connected, port2
B 192.168.101.0/24 [20/0] via 10.101.101.2, port2, 00:02:25

Routing table for VRF=20
C 10.102.102.0/24 is directly connected, port3
B 192.168.102.0/24 [20/0] via 10.102.102.2, port3, 00:01:50

4. Check the BGP summary:
# get router info bgp summary

VRF 10 BGP router identifier 10.101.101.1, local AS number 65000
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State
10.101.101.2 4 65101 4 4 2 0 0

Total number of neighbors 1

VRF 20 BGP router identifier 10.101.101.1, local AS number 65000
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State
10.102.102.2 4 65102 3 3 1 0 0

Total number of neighbors 1

OSPF

OSPF routes in VRFs work the same as BGP: the interface that OSPF is using is added to the VRF.

To configure the hub:

1. Configure OSPF:
config router ospf
set router-id 1.1.1.1
config area
edit 0.0.0.0
next
end
config ospf-interface
edit Branch101
set interface "port2"
set dead-interval 40
set hello-interval 10
next
edit Branch102
set interface "port3"
set dead-interval 40
set hello-interval 10
next
end
config network
edit 0
set prefix 10.101.101.0 255.255.255.0
next
edit 0
set prefix 10.102.102.0 255.255.255.0
next
edit 0
set prefix 192.168.1.0 255.255.255.0
next
end
end

2. Put the interfaces into VRF:
config system interface
edit port2
set vrf 10
next
edit port3
set vrf 20
next
end

To configure branch 101:

config router ospf
set router-id 101.101.101.101
config area
edit 0.0.0.0
next
end
config ospf-interface
edit HUB
set interface port2
set dead-interval 40
set hello-interval 10
next
end
config network
edit 0
set prefix 10.101.101.0 255.255.255.0
next
edit 0
set prefix 192.168.101.0 255.255.255.0
next
end
end

To check the routing table and OSPF summary:

# get router info routing-table ospf
# get router info ospf interface

Static route

Static routes in VRFs work the same as BGP and OSPF because the interface that the static route is using is added to
the VRF.

To add a VRF ID in a static route in the GUI:

1. Configure the interface:
a. Go to Network > Interfaces.
b. Click Create New > Interface or Edit an existing interface.
c. Enter a value in the VRF ID field.
d. Configure the other settings as needed.
e. Click OK.
2. Add a static route to the VRF using blackhole:
a. Go to Network > Static Routes.
b. Click Create New and select the type of static route.
c. Enter the Subnet.
d. In the Interface field, select Blackhole.
e. In the VRF ID field, enter the ID created in step one.
f. Click OK.

To add a VRF ID in a static route in the CLI:

1. Configure the interface:
config system interface
edit port2
set vrf 10
next
end

2. Add a static route to the VRF using blackhole:
config router static
edit 3
set dst 0.0.0.0/0
set blackhole enable
set vrf 10
next
end

To check the routing table:

# get router info routing-table static

Route leaking between VRFs

Route leaking allows you to configure communication between VRFs. If route leaking is not configured, then the VRFs
are isolated. This example shows route leaking with BGP using virtual inter-VDOM links.
In this example, a hub FortiGate forms BGP neighbors with two branches. It learns the networks 192.168.101.0/24 and
192.168.102.0/24 from the neighbors and separates them into VRF 10 and VRF 20.
To leak the learned routes to each other, an inter-VDOM link (IVL) is formed. An IVL normally bridges two VDOMs, but in
this case the links reside on the same VDOM and are used to bridge the two VRFs. NPU links could also be used on
models that support it to deliver better performance.
VRF 10 has a leaked route to 192.168.102.0/24 on IVL link-10-20-0, and VRF 20 has a leaked route to 192.168.101.0/24
on IVL link-10-20-1.

To configure route leaking:

1. Configure inter-VDOM links:
config global
config system vdom-link
edit link-10-20-
next
end
config system interface
edit link-10-20-0
set vdom "root"
set vrf 10
set ip 10.1.1.1/30
next
edit link-10-20-1
set vdom "root"
set vrf 20
set ip 10.1.1.2/30
next
end
end

2. Create prefix lists:
These objects define the subnet and mask that are leaked.
config router prefix-list
edit VRF10_Route
config rule
edit 1
set prefix 192.168.101.0 255.255.255.0
next
end
next
edit VRF20_Route
config rule
edit 1
set prefix 192.168.102.0 255.255.255.0
next
end
next
end

3. Create the route map:
The route map can be used to group one or more prefix lists.
config router route-map
edit "Leak_from_VRF10_to_VRF20"
config rule
edit 1
set match-ip-address "VRF10_Route"
next
end
next
edit "Leak_from_VRF20_to_VRF10"
config rule
edit 1
set match-ip-address "VRF20_Route"
next
end
next
end

4. Configure the VRF leak in BGP, specifying a source VRF, destination VRF, and the route map to use:
config router bgp
config vrf-leak
edit "10"
config target
edit "20"
set route-map "Leak_from_VRF10_to_VRF20"
set interface "link-10-20-0"
next
end
next
edit "20"
config target
edit "10"
set route-map "Leak_from_VRF20_to_VRF10"
set interface "link-10-20-1"
next
end
next
end
end

5. Create policies to allow traffic between the VRFs.

Without a policy permitting traffic on the route between the VRFs, the VRFs are still isolated.
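The two-VRF hub above, as an added Python model (not FortiOS code) of why the IVL pair bridges the VRFs: each VRF has its own table, a lookup only consults the table of the VRF that the ingress interface belongs to, and a leaked route whose egress is one side of the IVL re-enters the FortiGate on the other side and is therefore looked up again in the other VRF. Interfaces, prefixes and next hops mirror the hub in this section (port2 in VRF 10, port3 in VRF 20, link-10-20-0 and link-10-20-1 in VRF 10 and VRF 20). The model covers routing only; it does not represent the firewall policy that step 5 still requires. It is not limited to two VRFs, so the same functions also describe the star topology in the next section.

```python
"""Added model of per-VRF routing tables and route leaking over an IVL.
Not FortiOS code; it reproduces the hub example from the administration guide."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    intf: str          # egress interface
    via: str = ""      # next hop; empty means directly connected


class VrfRouter:
    """Per-VRF routing tables; a lookup consults only the table of the VRF
    that the ingress interface belongs to."""

    def __init__(self):
        self.intf_vrf = {}   # interface name -> VRF id
        self.tables = {}     # VRF id -> list of Route
        self.ivl_peer = {}   # IVL interface -> the other end of the same link

    def add_interface(self, name, vrf, ip_cidr):
        self.intf_vrf[name] = vrf
        net = ipaddress.ip_network(ip_cidr, strict=False)
        self.tables.setdefault(vrf, []).append(Route(net, name))   # connected route

    def add_route(self, vrf, prefix, intf, via):
        self.tables.setdefault(vrf, []).append(
            Route(ipaddress.ip_network(prefix), intf, via))

    def add_ivl(self, side0, side1):
        """Both ends live in the same VDOM; a packet sent out one end arrives on the other."""
        self.ivl_peer[side0], self.ivl_peer[side1] = side1, side0

    def lookup(self, vrf, dst):
        """Longest-prefix match inside one VRF only."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.tables.get(vrf, []) if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, in_intf, dst, max_hops=8):
        """Egress interfaces a packet traverses, or None if the VRF in use has
        no route.  Crossing an IVL continues the lookup in the peer's VRF."""
        vrf, hops = self.intf_vrf[in_intf], []
        for _ in range(max_hops):
            route = self.lookup(vrf, dst)
            if route is None:
                return None
            hops.append(route.intf)
            if route.intf not in self.ivl_peer:
                return hops
            vrf = self.intf_vrf[self.ivl_peer[route.intf]]   # now in the other VRF
        return None   # guard against a leak loop between VRFs


def build_hub():
    """Hub from this section before route leaking: VRF 0, 10 and 20."""
    hub = VrfRouter()
    hub.add_interface("port1", 0, "192.168.0.1/24")
    hub.add_interface("port2", 10, "10.101.101.1/24")
    hub.add_interface("port3", 20, "10.102.102.1/24")
    hub.add_interface("link-10-20-0", 10, "10.1.1.1/30")
    hub.add_interface("link-10-20-1", 20, "10.1.1.2/30")
    hub.add_ivl("link-10-20-0", "link-10-20-1")
    hub.add_route(0, "0.0.0.0/0", "port1", "192.168.0.254")           # S* default route
    hub.add_route(10, "192.168.101.0/24", "port2", "10.101.101.2")    # learned via BGP
    hub.add_route(20, "192.168.102.0/24", "port3", "10.102.102.2")    # learned via BGP
    return hub


def leak_routes(hub):
    """Step 4 in the model: each VRF receives the other's prefix via its IVL side."""
    hub.add_route(10, "192.168.102.0/24", "link-10-20-0", "10.1.1.2")
    hub.add_route(20, "192.168.101.0/24", "link-10-20-1", "10.1.1.1")


if __name__ == "__main__":
    hub = build_hub()
    print("before leak:", hub.forward("port2", "192.168.102.5"))
    leak_routes(hub)
    print("after leak: ", hub.forward("port2", "192.168.102.5"))
```

Before the leak a packet arriving on port2 (VRF 10) for 192.168.102.0/24 has no route; after it, the path is link-10-20-0 into VRF 20 and then port3. A packet arriving on port1 keeps following VRF 0's default route in both cases, which is the isolation the text describes.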

Route leaking between multiple VRFs

In this example, route leaking between three VRFs in a star topology is configured. This allows the solution to be
scaled to more VRFs without building full mesh, one-to-one connections between each pair of VRFs. VLAN
subinterfaces are created on VDOM links to connect each VRF to the central VRF, allowing routes to be leaked from a
VRF to the central VRF, and then to the other VRFs. Static routes are used for route leaking in this example.
For instructions on creating route leaking between two VRFs, see Route leaking between VRFs on page 631.

Physical topology:

Logical topology:

In this example, a specific route is leaked from each of the VRFs to each of the other VRFs. VLAN subinterfaces are
created based on VDOM links to connect each VRF to the core VRF router.
Multi VDOM mode is enabled so that NP VDOM links can be used. The setup could be configured without enabling multi
VDOM mode by manually creating non-NP VDOM links, but this is not recommended as the links are not offloaded to the
NPU.
After VDOMs are enabled, all of the configuration is done in the root VDOM.

To configure the FortiGate:

1. Enable multi VDOM mode:
config system global
set vdom-mode multi-vdom
end

If the FortiGate has an NP, the VDOM links will be created:
# show system interface
config system interface
...
edit "npu0_vlink0"
set vdom "root"
set type physical
next
edit "npu0_vlink1"
set vdom "root"
set type physical
next
...
end

If multi VDOM mode is not used, the VDOM links can be manually created:
config system vdom-link
edit <name of vdlink>
next
end

2. Allow interface subnets to use overlapping IP addresses:
config vdom
edit root
config system settings
set allow-subnet-overlap enable
end

3. Configure the VLAN subinterfaces on the VDOM link that connect each VRF to the central VRF:
config system interface
edit "vlink0_Vlan_10"
set vdom "root"
set vrf 10
set ip 10.1.1.1 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink0_Vlan_10"
set role lan
set interface "npu0_vlink0"
set vlanid 10
next
edit "vlink1_Vlan_10"
set vdom "root"
set vrf 31
set ip 10.1.1.2 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink1_Vlan_10"
set role lan
set interface "npu0_vlink1"
set vlanid 10
next
edit "vlink0_Vlan_11"
set vdom "root"
set vrf 11
set ip 11.1.1.1 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink0_Vlan_11"
set role lan
set interface "npu0_vlink0"
set vlanid 11
next
edit "vlink1_Vlan_11"
set vdom "root"
set vrf 31
set ip 11.1.1.2 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink1_Vlan_11"
set role lan
set interface "npu0_vlink1"
set vlanid 11
next
edit "vlink0_Vlan_12"
set vdom "root"
set vrf 12
set ip 12.1.1.1 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink0_Vlan_12"
set role lan
set interface "npu0_vlink0"
set vlanid 12
next
edit "vlink1_Vlan_12"
set vdom "root"
set vrf 31
set ip 12.1.1.2 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink1_Vlan_12"
set role lan
set interface "npu0_vlink1"
set vlanid 12
next
end

4. Configure a zone to allow intrazone traffic between VLANs in the central VRF:
config system zone
edit "Core-VRF-Router"
set intrazone allow
set interface "vlink1_Vlan_10" "vlink1_Vlan_11" "vlink1_Vlan_12"
next
end

5. Add allow policies for the VRF31 core router:

config firewall policy
edit 0
set name "any_to_core_vrf31"
set srcintf "any"
set dstintf "Core-VRF-Router"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 0
set name "core_vrf31_to_any"
set srcintf "Core-VRF-Router"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end

6. Configure VRF10, VRF11, and VRF12 on the Internal and WAN VLAN sub-interfaces:

config system interface
edit "Internal_VRF10"
set vdom "root"
set vrf 10
set ip 172.16.10.1 255.255.255.0
set allowaccess ping https ssh http
set alias "Internal_VRF10"
set role lan
set interface "internal"
set vlanid 10
next
edit "Internal_VRF11"
set vdom "root"
set vrf 11
set ip 172.16.11.1 255.255.255.0
set allowaccess ping https ssh http
set alias "Internal_VRF11"
set role lan
set interface "internal"
set vlanid 11
next
edit "Internal_VRF12"
set vdom "root"
set vrf 12
set ip 172.16.12.1 255.255.255.0
set allowaccess ping https ssh http
set alias "Internal_VRF12"
set role lan
set interface "internal"
set vlanid 12
next
edit "wan1_VRF10"
set vdom "root"
set vrf 10
set ip 202.100.10.1 255.255.255.0
set allowaccess ping
set alias "wan1_VRF10"
set role wan
set interface "wan1"
set vlanid 10
next
edit "wan1_VRF11"
set vdom "root"
set vrf 11
set ip 202.100.11.1 255.255.255.0
set allowaccess ping
set alias "wan1_VRF11"
set role wan
set interface "wan1"
set vlanid 11
next
edit "wan1_VRF12"
set vdom "root"
set vrf 12
set ip 202.100.12.1 255.255.255.0
set allowaccess ping
set alias "wan1_VRF12"
set role wan
set interface "wan1"
set vlanid 12
next
end

7. Configure static routing and route leaking between each VRF and Core-VRF-Router:
config router static
edit 1
set dst 172.16.10.0 255.255.255.0
set gateway 10.1.1.1
set device "vlink1_Vlan_10"
set comment "VRF31_Core_Router"
next
edit 2
set dst 172.16.11.0 255.255.255.0
set gateway 11.1.1.1
set device "vlink1_Vlan_11"
set comment "VRF31_Core_Router"
next
edit 3
set dst 172.16.12.0 255.255.255.0
set gateway 12.1.1.1
set device "vlink1_Vlan_12"
set comment "VRF31_Core_Router"
next
edit 4
set dst 172.16.11.0 255.255.255.0
set gateway 10.1.1.2
set device "vlink0_Vlan_10"
set comment "VRF10_Route_Leaking"
next
edit 5
set dst 172.16.12.0 255.255.255.0
set gateway 10.1.1.2
set device "vlink0_Vlan_10"
set comment "VRF10_Route_Leaking"
next
edit 6
set dst 172.16.10.0 255.255.255.0
set gateway 11.1.1.2
set device "vlink0_Vlan_11"
set comment "VRF11_Route_Leaking"
next
edit 7
set dst 172.16.12.0 255.255.255.0
set gateway 11.1.1.2
set device "vlink0_Vlan_11"
set comment "VRF11_Route_Leaking"
next
edit 8
set dst 172.16.10.0 255.255.255.0
set gateway 12.1.1.2
set device "vlink0_Vlan_12"
set comment "VRF12_Route_Leaking"
next
edit 9
set dst 172.16.11.0 255.255.255.0
set gateway 12.1.1.2
set device "vlink0_Vlan_12"
set comment "VRF12_Route_Leaking"
next
edit 10
set gateway 202.100.10.254
set device "wan1_VRF10"
set comment "VRF10_Default_Route"
next
edit 11
set gateway 202.100.11.254
set device "wan1_VRF11"
set comment "VRF11_Default_Route"
next
edit 12
set gateway 202.100.12.254
set device "wan1_VRF12"
set comment "VRF12_Default_Route"
next
end

In the GUI, go to Network > Static Routes to view the static routes.

8. Configure firewall policies for VRF10, VRF11, and VRF12:

config firewall policy
edit 6
set name "VRF10_to_Internet_Policy"
set srcintf "Internal_VRF10"
set dstintf "wan1_VRF10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 7
set name "VRF10_to_VRF_Leaking_Route"
set srcintf "Internal_VRF10"
set dstintf "vlink0_Vlan_10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 8
set name "VRF_Leaking_Route_to_VRF10"
set srcintf "vlink0_Vlan_10"
set dstintf "Internal_VRF10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 9
set name "VRF11_to_Internet_Policy"
set srcintf "Internal_VRF11"
set dstintf "wan1_VRF11"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 10
set name "VRF11_to_VRF_Leaking_Route"
set srcintf "Internal_VRF11"
set dstintf "vlink0_Vlan_11"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 11
set name "VRF_Leaking_Route_to_VRF11"
set srcintf "vlink0_Vlan_11"
set dstintf "Internal_VRF11"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 12
set name "VRF12_to_Internet_Policy"
set srcintf "Internal_VRF12"
set dstintf "wan1_VRF12"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 13
set name "VRF12_to_VRF_Leaking_Route"
set uuid 92bccf8e-b27b-51eb-3c56-6d5259af6299
set srcintf "Internal_VRF12"
set dstintf "vlink0_Vlan_12"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 14
set name "VRF_Leaking_Route_to_VRF12"
set srcintf "vlink0_Vlan_12"
set dstintf "Internal_VRF12"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end

In the GUI, go to Policy & Objects > Firewall Policy to view the policies.

To check the results:

1. On the FortiGate, check the routing table to see each VRF:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0

C 10.6.30.0/24 is directly connected, mgmt

Routing table for VRF=10

S* 0.0.0.0/0 [10/0] via 202.100.10.254, wan1_VRF10
C 10.1.1.0/30 is directly connected, vlink0_Vlan_10
C 172.16.10.0/24 is directly connected, Internal_VRF10
S 172.16.11.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
S 172.16.12.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
C 202.100.10.0/24 is directly connected, wan1_VRF10

Routing table for VRF=11

S* 0.0.0.0/0 [10/0] via 202.100.11.254, wan1_VRF11
C 11.1.1.0/30 is directly connected, vlink0_Vlan_11
S 172.16.10.0/24 [10/0] via 11.1.1.2, vlink0_Vlan_11
C 172.16.11.0/24 is directly connected, Internal_VRF11
S 172.16.12.0/24 [10/0] via 11.1.1.2, vlink0_Vlan_11
C 202.100.11.0/24 is directly connected, wan1_VRF11

Routing table for VRF=12

S* 0.0.0.0/0 [10/0] via 202.100.12.254, wan1_VRF12
C 12.1.1.0/30 is directly connected, vlink0_Vlan_12
S 172.16.10.0/24 [10/0] via 12.1.1.2, vlink0_Vlan_12
S 172.16.11.0/24 [10/0] via 12.1.1.2, vlink0_Vlan_12
C 172.16.12.0/24 is directly connected, Internal_VRF12
C 202.100.12.0/24 is directly connected, wan1_VRF12

Routing table for VRF=31

C 10.1.1.0/30 is directly connected, vlink1_Vlan_10
C 11.1.1.0/30 is directly connected, vlink1_Vlan_11
C 12.1.1.0/30 is directly connected, vlink1_Vlan_12
S 172.16.10.0/24 [10/0] via 10.1.1.1, vlink1_Vlan_10
S 172.16.11.0/24 [10/0] via 11.1.1.1, vlink1_Vlan_11
S 172.16.12.0/24 [10/0] via 12.1.1.1, vlink1_Vlan_12

2. From the FW10-PC:

# ifconfig ens32
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.10.100 netmask 255.255.255.0 broadcast 172.16.10.255
inet6 fe80::dbed:c7fe:170e:e61c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:2a:3a:17 txqueuelen 1000 (Ethernet)
RX packets 1632 bytes 160001 (156.2 KiB)
RX errors 0 dropped 52 overruns 0 frame 0
TX packets 2141 bytes 208103 (203.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.10.1 0.0.0.0 UG 100 0 0 ens32
172.16.10.0 0.0.0.0 255.255.255.0 U 100 0 0 ens32
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0

a. Ping a public IP address through VRF10:

# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=4.33 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=4.17 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=4.04 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.049/4.188/4.336/0.117 ms

b. Ping the internet gateway through VRF10:

# ping 202.100.10.254
PING 202.100.10.254 (202.100.10.254) 56(84) bytes of data.
64 bytes from 202.100.10.254: icmp_seq=1 ttl=254 time=0.294 ms
64 bytes from 202.100.10.254: icmp_seq=2 ttl=254 time=0.225 ms
64 bytes from 202.100.10.254: icmp_seq=3 ttl=254 time=0.197 ms
^C
--- 202.100.10.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.197/0.238/0.294/0.044 ms

c. Ping the FW11-PC on VRF11 from VRF10:

# ping 172.16.11.100
PING 172.16.11.100 (172.16.11.100) 56(84) bytes of data.
64 bytes from 172.16.11.100: icmp_seq=1 ttl=61 time=0.401 ms
64 bytes from 172.16.11.100: icmp_seq=2 ttl=61 time=0.307 ms
64 bytes from 172.16.11.100: icmp_seq=3 ttl=61 time=0.254 ms
64 bytes from 172.16.11.100: icmp_seq=4 ttl=61 time=0.277 ms
64 bytes from 172.16.11.100: icmp_seq=5 ttl=61 time=0.262 ms
^C
--- 172.16.11.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.254/0.300/0.401/0.054 ms

3. On the FortiGate, sniff traffic between VRF10 and VRF11:

# diagnose sniffer packet any "icmp and host 172.16.11.100" 4 l 0
interfaces=[any]
filters=[icmp and host 172.16.11.100]
10.086656 Internal_VRF10 in 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086705 vlink0_Vlan_10 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086706 npu0_vlink0 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086711 vlink1_Vlan_10 in 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086739 vlink1_Vlan_11 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086740 npu0_vlink1 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086744 vlink0_Vlan_11 in 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086929 Internal_VRF11 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086930 internal out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.087053 Internal_VRF11 in 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087061 vlink0_Vlan_11 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087062 npu0_vlink0 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087066 vlink1_Vlan_11 in 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087071 vlink1_Vlan_10 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087072 npu0_vlink1 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087076 vlink0_Vlan_10 in 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087176 Internal_VRF10 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087177 internal out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
^C
20 packets received by filter
0 packets dropped by kernel

IBGP and EBGP support in VRF

Support is included for internal and external border gateway protocols (IBGP and EBGP) in virtual routing and forwarding
(VRF).
FortiGate can establish neighbor connections with other FortiGates or routers, and the learned routes are put into
different VRF tables according to the neighbor's settings.
This example uses the following topology:

- BGP routes learned from the Router1 neighbor are put into vrf10.
- BGP routes learned from the Router2 neighbor are put into vrf20.

To configure this example:

config system interface
edit port1
set vrf 10
next
edit port2
set vrf 20
next
end
config router bgp
config neighbor
edit "192.168.1.1"
set update-source port1
next
edit "192.168.2.1"
set interface port2
next
end
end

Results

Using the above topology:

- Both Router1 and Router2 establish OSPF and BGP neighbor relationships with the FortiGate.
- Router1 advertises 10.10.1.0/24 into OSPF and 10.10.2.0/24 into BGP.
- Router2 advertises 20.20.1.0/24 into OSPF and 20.20.2.0/24 into BGP.

When port1 and port2 have no VRF set, all of the routing is in VRF=0:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0

S* 0.0.0.0/0 [5/0] via 10.0.1.254, port9
C 10.0.1.0/24 is directly connected, port9
O 10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B 10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
O 20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B 20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C 192.168.1.0/24 is directly connected, port1
C 192.168.2.0/24 is directly connected, port2

After VRF is set for BGP, BGP routes are added to the VRF tables along with OSPF and connected routes:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0

S* 0.0.0.0/0 [5/0] via 10.0.1.254, port9
C 10.0.1.0/24 is directly connected, port9

Routing table for VRF=10

O 10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B 10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
C 192.168.1.0/24 is directly connected, port1

Routing table for VRF=20

O 20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B 20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C 192.168.2.0/24 is directly connected, port2
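
The two routing-table listings in this section (the route-leaking check above and the per-VRF BGP tables just shown) are easier to verify by machine than by eye. The following script is an added example and not part of the FortiOS guide: it parses `get router info routing-table all` output into per-VRF tables, then checks that each leaked prefix is present in the intended VRF with the expected next hop, that no prefix appears in a VRF where it does not belong (for instance a tenant route in the management VRF=0), and in which VRF BGP-learned routes landed. SAMPLE_OUTPUT is a constructed excerpt that combines lines from both listings.

```python
"""Parse FortiOS "get router info routing-table all" output into per-VRF tables. Added
example, not part of the FortiOS guide; SAMPLE_OUTPUT is a constructed excerpt that
combines lines from the route-leaking and BGP listings in this section."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SAMPLE_OUTPUT = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default

Routing table for VRF=0

C       10.6.30.0/24 is directly connected, mgmt

Routing table for VRF=10

S*      0.0.0.0/0 [10/0] via 202.100.10.254, wan1_VRF10
C       10.1.1.0/30 is directly connected, vlink0_Vlan_10
C       172.16.10.0/24 is directly connected, Internal_VRF10
S       172.16.11.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
S       172.16.12.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
C       202.100.10.0/24 is directly connected, wan1_VRF10

Routing table for VRF=20

O       20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B       20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C       192.168.2.0/24 is directly connected, port2

Routing table for VRF=31

C       10.1.1.0/30 is directly connected, vlink1_Vlan_10
S       172.16.10.0/24 [10/0] via 10.1.1.1, vlink1_Vlan_10
S       172.16.11.0/24 [10/0] via 11.1.1.1, vlink1_Vlan_11
"""

VRF_HEADER = re.compile(r"^Routing table for VRF=(\d+)$")
# "S* 0.0.0.0/0 [10/0] via 202.100.10.254, wan1_VRF10" (dynamic routes add ", uptime");
# connected routes read "C 10.1.1.0/30 is directly connected, vlink0_Vlan_10".
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2}\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\d+(?:\.\d+){3}),\s*"
    r"|is directly connected,\s*)(?P<intf>[^\s,]+)(?:,.*)?$"
)


@dataclass(frozen=True)
class Route:
    code: str           # route source: C, S, S* (candidate default), B, O, ...
    prefix: str         # destination in CIDR notation
    via: Optional[str]  # next hop; None for connected routes
    intf: str           # outgoing interface


def parse_routing_table(text: str) -> Dict[int, List[Route]]:
    """Return {vrf_id: [Route, ...]} for every 'Routing table for VRF=N' block."""
    tables: Dict[int, List[Route]] = {}
    vrf: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = VRF_HEADER.match(line)
        if header:
            vrf = int(header.group(1))
            tables.setdefault(vrf, [])
            continue
        m = ROUTE_LINE.match(line)
        if m and vrf is not None:
            tables[vrf].append(Route(m["code"], m["prefix"], m["via"], m["intf"]))
    return tables


def lookup(tables: Dict[int, List[Route]], vrf: int, prefix: str) -> Optional[Route]:
    return next((r for r in tables.get(vrf, []) if r.prefix == prefix), None)


def missing_routes(tables: Dict[int, List[Route]], expected: Dict[int, Dict[str, str]]) -> List[str]:
    """Report expected leaked routes that are absent or use the wrong next hop.
    `expected` maps VRF id -> {prefix: next hop}, i.e. the static routes of step 7."""
    problems: List[str] = []
    for vrf, routes in expected.items():
        for prefix, via in routes.items():
            r = lookup(tables, vrf, prefix)
            if r is None:
                problems.append(f"VRF {vrf}: no route to {prefix}")
            elif r.via != via:
                problems.append(f"VRF {vrf}: {prefix} via {r.via}, expected {via}")
    return problems


def unexpected_prefixes(tables: Dict[int, List[Route]], vrf: int, allowed: Set[str]) -> List[str]:
    """Prefixes in `vrf` that are not on its allow-list: a route leaked into the wrong
    VRF, or a tenant route in the management VRF=0, shows up here."""
    return sorted(r.prefix for r in tables.get(vrf, []) if r.prefix not in allowed)


def prefixes_with_code(tables: Dict[int, List[Route]], vrf: int, code: str) -> List[str]:
    """Prefixes in `vrf` learned from one source, e.g. 'B' for BGP-learned routes."""
    return sorted(r.prefix for r in tables.get(vrf, []) if r.code.rstrip("*") == code)
```

Paste the real command output in place of SAMPLE_OUTPUT and feed missing_routes the prefix/next-hop pairs from the static routes you configured; an empty result means every leaked route landed where step 7 intended.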

BGP neighbor groups

This feature is also supported in BGP neighbor groups. For example:

config router bgp
config neighbor-group
edit "FGT"
set update-source "port1"
next
end
config neighbor-range
edit 1
set prefix 172.16.201.0 255.255.255.0
set neighbor-group "FGT"
next
end
end

Note that the set interface command is not supported in neighbor groups.

NetFlow

NetFlow allows you to collect IP network traffic statistics for an interface, and then export those statistics for analysis.
NetFlow samplers, which sample every packet, are configured per interface. Full NetFlow is supported using the
information maintained in the firewall session.

To configure NetFlow:

config system netflow
set collector-ip <ip>
set collector-port <port>
set source-ip <ip>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
set template-tx-timeout <integer>
set template-tx-counter <integer>
end

collector-ip <ip>                Collector IP address.
collector-port <port>            NetFlow collector port number (0 - 65535).
source-ip <ip>                   Source IP address, for communication with the NetFlow agent.
active-flow-timeout <integer>    Timeout to report active flows, in minutes (1 - 60, default = 30).
inactive-flow-timeout <integer>  Timeout for periodic report of finished flows, in seconds (10 - 600, default = 15).
template-tx-timeout <integer>    Timeout for periodic template flowset transmission, in minutes (1 - 1440, default = 30).
template-tx-counter <integer>    Counter of flowset records before resending a template flowset record (10 - 6000,
                                 default = 20).

To configure NetFlow in a specific VDOM:

config vdom
edit <vdom>
config system vdom-netflow
set vdom-netflow enable
set collector-ip <ip>
set collector-port <port>
set source-ip <ip>
end
next
end

To configure a NetFlow sampler on an interface:

config system interface
edit <interface>
set netflow-sampler {disable | tx | rx | both}
next
end

disable   Disable the NetFlow protocol on this interface (default).
tx        Monitor transmitted traffic on this interface.
rx        Monitor received traffic on this interface.
both      Monitor transmitted and received traffic on this interface.

Verification and troubleshooting

If no data is seen on the NetFlow collector after it has been configured, use the following sniffer commands to verify
that the FortiGate and the collector are communicating:

- By collector port:
# diagnose sniffer packet 'port <collector-port>' 6 0 a

- By collector IP address:
# diagnose sniffer packet 'host <collector-ip>' 6 0 a

NetFlow uses the sFlow daemon (sflowd). The current NetFlow configuration can be viewed using test level 3 or 4:
# diagnose test application sflowd 3
# diagnose test application sflowd 4
Netflow Cache Stats:
vdoms=1 Collectors=1 Cached_intf=2 Netflow_enabled_intf=1 Live_sessions=0 Session cache max count:71950

NetFlow templates

NetFlow uses templates to capture and categorize the data that it collects. FortiOS supports the following NetFlow
templates:

Name             Template ID   Description
STAT_OPTIONS     256           Statistics information about exporter
APP_ID_OPTIONS   257           Application information
IPV4             258           No NAT IPv4 traffic
IPV6             259           No NAT IPv6 traffic
ICMP4            260           No NAT ICMPv4 traffic
ICMP6            261           No NAT ICMPv6 traffic
IPV4_NAT         262           Source/Destination NAT IPv4 traffic
IPV4_AF_NAT      263           AF NAT IPv4 traffic (4->6)
IPV6_NAT         264           Source/Destination NAT IPv6 traffic
IPV6_AF_NAT      265           AF NAT IPv6 traffic (6->4)
ICMP4_NAT        266           Source/Destination NAT ICMPv4 traffic
ICMP4_AF_NAT     267           AF NAT ICMPv4 traffic (4->6)
ICMP6_NAT        268           Source/Destination NAT ICMPv6 traffic
ICMPv6_AF_NAT    269           AF NAT ICMPv6 traffic (6->4)

256 - STAT_OPTIONS

Description           Statistics information about exporter
Scope Field Count     1
Data Field Count      7
Option Scope Length   4
Option Length         28
Padding               0000

Scope fields

Field #   Field                             Type                                    Length
1         System                            System (1)                              2

Data fields

Field #   Field                             Type                                    Length
1         TOTAL_BYTES_EXP                   TOTAL_BYTES_EXP (40)                    8
2         TOTAL_PKTS_EXP                    TOTAL_PKTS_EXP (41)                     8
3         TOTAL_FLOWS_EXP                   TOTAL_FLOWS_EXP (42)                    8
4         FLOW_ACTIVE_TIMEOUT               FLOW_ACTIVE_TIMEOUT (36)                2
5         FLOW_INACTIVE_TIMEOUT             FLOW_INACTIVE_TIMEOUT (37)              2
6         SAMPLING_INTERVAL                 SAMPLING_INTERVAL (34)                  4
7         SAMPLING_ALGORITHM                SAMPLING_ALGORITHM (35)                 1

257 - APP_ID_OPTIONS

Description           Application information
Scope Field Count     1
Data Field Count      4
Option Scope Length   4
Option Length         16
Padding               0000

Scope fields

Field #   Field                             Type                                    Length
1         System                            System (1)                              2

Data fields

Field #   Field                             Type                                    Length
1         APPLICATION_ID                    APPLICATION_ID (95)                     9
2         APPLICATION_NAME                  APPLICATION_NAME (96)                   64
3         APPLICATION_DESC                  APPLICATION_DESC (94)                   64
4         applicationCategoryName           applicationCategoryName (372)           32

258 - IPV4

Description        No NAT IPv4 traffic
Data Field Count   17

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         L4_SRC_PORT                       L4_SRC_PORT (7)                         2
8         L4_DST_PORT                       L4_DST_PORT (11)                        2
9         INPUT_SNMP                        INPUT_SNMP (10)                         2
10        OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
11        PROTOCOL                          PROTOCOL (4)                            1
12        APPLICATION_ID                    APPLICATION_ID (95)                     9
13        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
14        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
15        flowEndReason                     flowEndReason (136)                     1
16        IP_SRC_ADDR                       IP_SRC_ADDR (8)                         4
17        IP_DST_ADDR                       IP_DST_ADDR (12)                        4
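
To see how the field list above is carried on the wire, the following script is an added example and not FortiOS code: it builds a NetFlow v9 template FlowSet for template 258 from the table, encodes a constructed IPv4 flow record with it, and decodes the export packet back into named fields. The decoder keeps a template cache across packets and skips any data FlowSet whose template it has not seen, which is exactly what a collector started between two template transmissions does until the next template-tx-timeout; the flow values in SAMPLE_FLOW are constructed.

```python
"""NetFlow v9 encoder/decoder for FortiOS template 258 (IPV4). Added example, not
part of the FortiOS guide: TEMPLATE_258 is copied from the table above and
SAMPLE_FLOW is a constructed flow record."""
import ipaddress
import struct
from typing import Dict, List, Tuple

# (field name, NetFlow v9 field type, length in bytes), in template order.
TEMPLATE_258: List[Tuple[str, int, int]] = [
    ("BYTES", 1, 8), ("OUT_BYTES", 23, 8), ("PKTS", 2, 4), ("OUT_PKTS", 24, 4),
    ("FIRST_SWITCHED", 22, 4), ("LAST_SWITCHED", 21, 4),
    ("L4_SRC_PORT", 7, 2), ("L4_DST_PORT", 11, 2),
    ("INPUT_SNMP", 10, 2), ("OUTPUT_SNMP", 14, 2), ("PROTOCOL", 4, 1),
    ("APPLICATION_ID", 95, 9), ("FLOW_FLAGS", 65, 2), ("FORWARDING_STATUS", 89, 1),
    ("flowEndReason", 136, 1), ("IP_SRC_ADDR", 8, 4), ("IP_DST_ADDR", 12, 4),
]
TEMPLATE_ID = 258
FIELD_NAMES = {ftype: name for name, ftype, _ in TEMPLATE_258}
IPV4_TYPES = {8, 12}  # decoded as dotted quads; other fields as big-endian integers

# Constructed sample: a TCP/443 flow from the VRF10 host used in this section.
SAMPLE_FLOW = {
    "BYTES": 1500, "OUT_BYTES": 4200, "PKTS": 10, "OUT_PKTS": 8,
    "FIRST_SWITCHED": 100000, "LAST_SWITCHED": 105000, "L4_SRC_PORT": 51234,
    "L4_DST_PORT": 443, "INPUT_SNMP": 5, "OUTPUT_SNMP": 7, "PROTOCOL": 6,
    "APPLICATION_ID": b"\x0d\x00\x00\x00\x00\x00\x00\x00\x2a", "FLOW_FLAGS": 0,
    "FORWARDING_STATUS": 0x40, "flowEndReason": 3,
    "IP_SRC_ADDR": "172.16.10.100", "IP_DST_ADDR": "8.8.8.8",
}

def encode_template_flowset(template_id: int, fields) -> bytes:
    """Template FlowSet (FlowSet ID 0): template id, field count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for _, ftype, flen in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def _encode_field(ftype: int, flen: int, value) -> bytes:
    if ftype in IPV4_TYPES:
        return ipaddress.IPv4Address(value).packed
    if isinstance(value, bytes):
        return value.ljust(flen, b"\0")[:flen]
    return int(value).to_bytes(flen, "big")

def encode_data_flowset(template_id: int, fields, flows) -> bytes:
    """Data FlowSet: its ID is the template ID; records back to back, padded to 4 bytes."""
    body = b"".join(_encode_field(t, l, f[n]) for f in flows for n, t, l in fields)
    pad = (-(4 + len(body))) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\0" * pad

def encode_packet(flowsets, record_count: int, seq: int = 1, source_id: int = 0) -> bytes:
    """20-byte v9 header: version, record count, sysUptime, unix secs, sequence, source ID."""
    return struct.pack("!HHIIII", 9, record_count, 0, 0, seq, source_id) + b"".join(flowsets)

def _decode_field(ftype: int, raw: bytes):
    if ftype in IPV4_TYPES:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big") if len(raw) <= 8 else raw

def decode_packet(data: bytes, templates=None):
    """Walk the FlowSets. Templates from FlowSet ID 0 go into `templates`, the per-exporter
    cache a collector keeps across packets; data whose template is not cached is skipped."""
    version = struct.unpack("!H", data[:2])[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {} if templates is None else templates
    records: List[Dict[str, object]] = []
    off = 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4 or off + fs_len > len(data):
            raise ValueError("malformed FlowSet length")
        body, p = data[off + 4:off + fs_len], 0
        if fs_id == 0:
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            while rec_len and p + rec_len <= len(body):
                rec: Dict[str, object] = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += fs_len
    return templates, records

def build_sample_packet(include_template: bool = True) -> bytes:
    """One export packet: the 258 template (optional) followed by one data record."""
    flowsets = [encode_data_flowset(TEMPLATE_ID, TEMPLATE_258, [SAMPLE_FLOW])]
    if include_template:
        flowsets.insert(0, encode_template_flowset(TEMPLATE_ID, TEMPLATE_258))
    return encode_packet(flowsets, record_count=len(flowsets))
```

The 17 fields sum to a 62-byte record, so a one-record data FlowSet is 68 bytes after padding; a collector that receives the data FlowSet before the template returns no records, which is why a new collector shows nothing until the next template transmission.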

259 - IPV6

Description        No NAT IPv6 traffic
Data Field Count   17

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         L4_SRC_PORT                       L4_SRC_PORT (7)                         2
8         L4_DST_PORT                       L4_DST_PORT (11)                        2
9         INPUT_SNMP                        INPUT_SNMP (10)                         2
10        OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
11        PROTOCOL                          PROTOCOL (4)                            1
12        APPLICATION_ID                    APPLICATION_ID (95)                     9
13        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
14        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
15        flowEndReason                     flowEndReason (136)                     1
16        IPV6_SRC_ADDR                     IPV6_SRC_ADDR (27)                      16
17        IPV6_DST_ADDR                     IPV6_DST_ADDR (28)                      16

260 - ICMP4

Description        No NAT ICMPv4 traffic
Data Field Count   16

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         INPUT_SNMP                        INPUT_SNMP (10)                         2
8         OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
9         ICMP_TYPE                         ICMP_TYPE (32)                          2
10        PROTOCOL                          PROTOCOL (4)                            1
11        APPLICATION_ID                    APPLICATION_ID (95)                     9
12        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
13        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
14        flowEndReason                     flowEndReason (136)                     1
15        IP_SRC_ADDR                       IP_SRC_ADDR (8)                         4
16        IP_DST_ADDR                       IP_DST_ADDR (12)                        4

261 - ICMP6

Description        No NAT ICMPv6 traffic
Data Field Count   16

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         INPUT_SNMP                        INPUT_SNMP (10)                         2
8         OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
9         ICMP_TYPE                         ICMP_TYPE (32)                          2
10        PROTOCOL                          PROTOCOL (4)                            1
11        APPLICATION_ID                    APPLICATION_ID (95)                     9
12        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
13        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
14        flowEndReason                     flowEndReason (136)                     1
15        IPV6_SRC_ADDR                     IPV6_SRC_ADDR (27)                      16
16        IPV6_DST_ADDR                     IPV6_DST_ADDR (28)                      16

262 - IPV4_NAT

Description        Source/Destination NAT IPv4 traffic
Data Field Count   21

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         L4_SRC_PORT                       L4_SRC_PORT (7)                         2
8         L4_DST_PORT                       L4_DST_PORT (11)                        2
9         INPUT_SNMP                        INPUT_SNMP (10)                         2
10        OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
11        PROTOCOL                          PROTOCOL (4)                            1
12        APPLICATION_ID                    APPLICATION_ID (95)                     9
13        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
14        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
15        flowEndReason                     flowEndReason (136)                     1
16        IP_SRC_ADDR                       IP_SRC_ADDR (8)                         4
17        IP_DST_ADDR                       IP_DST_ADDR (12)                        4
18        postNATSourceIPv4Address          postNATSourceIPv4Address (225)          4
19        postNATDestinationIPv4Address     postNATDestinationIPv4Address (226)     4
20        postNAPTSourceTransportPort       postNAPTSourceTransportPort (227)       2
21        postNAPTDestinationTransportPort  postNAPTDestinationTransportPort (228)  2

263 - IPV4_AF_NAT

Description        AF NAT IPv4 traffic (4->6)
Data Field Count   21

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         L4_SRC_PORT                       L4_SRC_PORT (7)                         2
8         L4_DST_PORT                       L4_DST_PORT (11)                        2
9         INPUT_SNMP                        INPUT_SNMP (10)                         2
10        OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
11        PROTOCOL                          PROTOCOL (4)                            1
12        APPLICATION_ID                    APPLICATION_ID (95)                     9
13        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
14        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
15        flowEndReason                     flowEndReason (136)                     1
16        IPV6_SRC_ADDR                     IPV6_SRC_ADDR (27)                      16
17        IPV6_DST_ADDR                     IPV6_DST_ADDR (28)                      16
18        postNATSourceIPv6Address          postNATSourceIPv6Address (281)          16
19        postNATDestinationIPv6Address     postNATDestinationIPv6Address (282)     16
20        postNAPTSourceTransportPort       postNAPTSourceTransportPort (227)       2
21        postNAPTDestinationTransportPort  postNAPTDestinationTransportPort (228)  2

264 - IPV6_NAT

Description        Source/Destination NAT IPv6 traffic
Data Field Count   21

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         L4_SRC_PORT                       L4_SRC_PORT (7)                         2
8         L4_DST_PORT                       L4_DST_PORT (11)                        2
9         INPUT_SNMP                        INPUT_SNMP (10)                         2
10        OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
11        PROTOCOL                          PROTOCOL (4)                            1
12        APPLICATION_ID                    APPLICATION_ID (95)                     9
13        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
14        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
15        flowEndReason                     flowEndReason (136)                     1
16        IP_SRC_ADDR                       IP_SRC_ADDR (8)                         4
17        IP_DST_ADDR                       IP_DST_ADDR (12)                        4
18        postNATSourceIPv6Address          postNATSourceIPv6Address (281)          16
19        postNATDestinationIPv6Address     postNATDestinationIPv6Address (282)     16
20        postNAPTSourceTransportPort       postNAPTSourceTransportPort (227)       2
21        postNAPTDestinationTransportPort  postNAPTDestinationTransportPort (228)  2

265 - IPV6_AF_NAT

Description        AF NAT IPv6 traffic (6->4)
Data Field Count   21

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         L4_SRC_PORT                       L4_SRC_PORT (7)                         2
8         L4_DST_PORT                       L4_DST_PORT (11)                        2
9         INPUT_SNMP                        INPUT_SNMP (10)                         2
10        OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
11        PROTOCOL                          PROTOCOL (4)                            1
12        APPLICATION_ID                    APPLICATION_ID (95)                     9
13        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
14        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
15        flowEndReason                     flowEndReason (136)                     1
16        IPV6_SRC_ADDR                     IPV6_SRC_ADDR (27)                      16
17        IPV6_DST_ADDR                     IPV6_DST_ADDR (28)                      16
18        postNATSourceIPv4Address          postNATSourceIPv4Address (225)          4
19        postNATDestinationIPv4Address     postNATDestinationIPv4Address (226)     4
20        postNAPTSourceTransportPort       postNAPTSourceTransportPort (227)       2
21        postNAPTDestinationTransportPort  postNAPTDestinationTransportPort (228)  2

266 - ICMPV4_NAT

Description        Source/Destination NAT ICMPv4 traffic
Data Field Count   20

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         INPUT_SNMP                        INPUT_SNMP (10)                         2
8         OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
9         ICMP_TYPE                         ICMP_TYPE (32)                          2
10        PROTOCOL                          PROTOCOL (4)                            1
11        APPLICATION_ID                    APPLICATION_ID (95)                     9
12        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
13        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
14        flowEndReason                     flowEndReason (136)                     1
15        IP_SRC_ADDR                       IP_SRC_ADDR (8)                         4
16        IP_DST_ADDR                       IP_DST_ADDR (12)                        4
17        postNATSourceIPv4Address          postNATSourceIPv4Address (225)          4
18        postNATDestinationIPv4Address     postNATDestinationIPv4Address (226)     4
19        postNAPTSourceTransportPort       postNAPTSourceTransportPort (227)       2
20        postNAPTDestinationTransportPort  postNAPTDestinationTransportPort (228)  2

267 - ICMPV4_AF_NAT

Description        AF NAT ICMPv4 traffic (4->6)
Data Field Count   20

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         INPUT_SNMP                        INPUT_SNMP (10)                         2
8         OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
9         ICMP_TYPE                         ICMP_TYPE (32)                          2
10        PROTOCOL                          PROTOCOL (4)                            1
11        APPLICATION_ID                    APPLICATION_ID (95)                     9
12        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
13        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
14        flowEndReason                     flowEndReason (136)                     1
15        IPV6_SRC_ADDR                     IPV6_SRC_ADDR (27)                      16
16        IPV6_DST_ADDR                     IPV6_DST_ADDR (28)                      16
17        postNATSourceIPv6Address          postNATSourceIPv6Address (281)          16
18        postNATDestinationIPv6Address     postNATDestinationIPv6Address (282)     16
19        postNAPTSourceTransportPort       postNAPTSourceTransportPort (227)       2
20        postNAPTDestinationTransportPort  postNAPTDestinationTransportPort (228)  2

268 - ICMPV6_NAT

Description        Source/Destination NAT ICMPv6 traffic
Data Field Count   20

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         INPUT_SNMP                        INPUT_SNMP (10)                         2
8         OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
9         ICMP_TYPE                         ICMP_TYPE (32)                          2
10        PROTOCOL                          PROTOCOL (4)                            1
11        APPLICATION_ID                    APPLICATION_ID (95)                     9
12        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
13        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
14        flowEndReason                     flowEndReason (136)                     1
15        IP_SRC_ADDR                       IP_SRC_ADDR (8)                         4
16        IP_DST_ADDR                       IP_DST_ADDR (12)                        4
17        postNATSourceIPv6Address          postNATSourceIPv6Address (281)          16
18        postNATDestinationIPv6Address     postNATDestinationIPv6Address (282)     16
19        postNAPTSourceTransportPort       postNAPTSourceTransportPort (227)       2
20        postNAPTDestinationTransportPort  postNAPTDestinationTransportPort (228)  2

269 - ICMPV6_AF_NAT

Description        AF NAT ICMPv6 traffic (6->4)
Data Field Count   20

Data fields

Field #   Field                             Type                                    Length
1         BYTES                             BYTES (1)                               8
2         OUT_BYTES                         OUT_BYTES (23)                          8
3         PKTS                              PKTS (2)                                4
4         OUT_PKTS                          OUT_PKTS (24)                           4
5         FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6         LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7         INPUT_SNMP                        INPUT_SNMP (10)                         2
8         OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
9         ICMP_TYPE                         ICMP_TYPE (32)                          2
10        PROTOCOL                          PROTOCOL (4)                            1
11        APPLICATION_ID                    APPLICATION_ID (95)                     9
12        FLOW_FLAGS                        FLOW_FLAGS (65)                         2
13        FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
14        flowEndReason                     flowEndReason (136)                     1
15        IPV6_SRC_ADDR                     IPV6_SRC_ADDR (27)                      16
16        IPV6_DST_ADDR                     IPV6_DST_ADDR (28)                      16
17        postNATSourceIPv4Address          postNATSourceIPv4Address (225)          4
18        postNATDestinationIPv4Address     postNATDestinationIPv4Address (226)     4
19        postNAPTSourceTransportPort       postNAPTSourceTransportPort (227)       2
20        postNAPTDestinationTransportPort  postNAPTDestinationTransportPort (228)  2

sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that may impact performance
and throughput. FortiGate supports sFlow v5. sFlow collector software is available from a number of third-party software
vendors. For more information about sFlow, see www.sflow.org.
The packet information that the FortiGate's sFlow agent collects depends on the interface type:
l On an internal interface, when the interface receives packets from devices with private IP addresses, the collected
information includes the private IP addresses.
l On an external, or WAN, interface, when the interface receives to route to or from the internet, the collected
information includes the IP address of the WAN interface as the source or destination interface, depending on the
direction of the traffic. It does not include IP addresses that are NATed on another interface.
sFlow datagrams contain the following information:
l Packet headers, such as MAC, IPv4, and TCP
l Sample process parameters, such as rate and pool
l Input and output ports
l Priority (802.1p and ToS)
l VLAN (802.1Q)
l Source prefixes, destination prefixes, and next hop addresses
l BGP source AS, source peer AS, destination peer AS, communities, and local preference
l User IDs (TACACS, RADIUS) for source and destination
l Interface statistics (RFC 1573, RFC 2233, and RFC 2358)
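The list above is what an sFlow collector has to decode. The following parser is an added example written for this page, not FortiOS code and not a reference implementation from sflow.org: it reads the sFlow v5 datagram header, the flow samples with their sampling rate, sample pool and input/output interface indexes, and raw packet header records, leaving every other sample or record type as opaque bytes. The datagram it parses is constructed in build_test_datagram() (agent address 192.0.2.1, interface indexes 3 and 5 and a sample-rate of 2000 are made up for the example; a real FortiGate agent sends datagrams to UDP port 6343 by default, as configured below).

```python
"""sFlow v5 datagram parser (added example; not FortiOS or sFlow.org code)."""
import ipaddress
import struct

FLOW_SAMPLE = 1        # sample_data_format with enterprise 0
RAW_PACKET_HEADER = 1  # flow_data_format with enterprise 0


class Reader:
    """Cursor over the big-endian, 4-byte-aligned (XDR) fields of a datagram."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (value,) = struct.unpack_from("!I", self.data, self.pos)
        self.pos += 4
        return value

    def opaque(self, length):
        chunk = self.data[self.pos:self.pos + length]
        self.pos += length + (-length % 4)  # opaque fields are padded to 4 bytes
        return chunk


def parse_flow_sample(reader, end):
    """Decode a flow sample: the sampling parameters and its flow records."""
    sample = {
        "sequence": reader.u32(),
        "source_id": reader.u32(),      # (source type << 24) | ifIndex of the sampling port
        "sampling_rate": reader.u32(),  # 1 in N packets, the interface sample-rate
        "sample_pool": reader.u32(),    # packets that could have been sampled
        "drops": reader.u32(),
        "input": reader.u32(),          # input ifIndex
        "output": reader.u32(),         # output ifIndex
        "records": [],
    }
    for _ in range(reader.u32()):
        fmt = reader.u32() & 0xFFF      # low 12 bits: format, high 20 bits: enterprise
        length = reader.u32()
        record_end = reader.pos + length
        if fmt == RAW_PACKET_HEADER:
            record = {"type": "raw_packet_header",
                      "header_protocol": reader.u32(),  # 1 = Ethernet
                      "frame_length": reader.u32(),
                      "stripped": reader.u32()}
            record["header"] = reader.opaque(reader.u32())
            if record["header_protocol"] == 1 and len(record["header"]) >= 14:
                record["ethertype"] = int.from_bytes(record["header"][12:14], "big")
        else:
            record = {"type": fmt, "data": reader.opaque(length)}
        reader.pos = record_end         # resynchronize on the declared length, not on what was read
        sample["records"].append(record)
    reader.pos = end
    return sample


def parse_datagram(data):
    """Decode the datagram header and every sample; unknown sample types stay opaque."""
    reader = Reader(data)
    if reader.u32() != 5:
        raise ValueError("only sFlow v5 is supported")
    address_type = reader.u32()         # 1 = IPv4, 2 = IPv6
    agent = ipaddress.ip_address(reader.opaque(4 if address_type == 1 else 16))
    datagram = {"agent": str(agent), "sub_agent_id": reader.u32(),
                "sequence": reader.u32(), "uptime_ms": reader.u32(), "samples": []}
    for _ in range(reader.u32()):
        fmt = reader.u32() & 0xFFF
        length = reader.u32()
        end = reader.pos + length
        if fmt == FLOW_SAMPLE:
            datagram["samples"].append(parse_flow_sample(reader, end))
        else:
            datagram["samples"].append({"type": fmt, "data": reader.opaque(length)})
            reader.pos = end
    return datagram


def build_test_datagram():
    """Constructed datagram, not a capture: agent 192.0.2.1, one flow sample taken
    on ifIndex 3 towards ifIndex 5 at rate 2000, carrying a 14-byte IPv6 Ethernet header."""
    eth = bytes.fromhex("00005e00530100005e00530286dd")
    record = struct.pack("!IIII", 1, 1514, 4, len(eth)) + eth + b"\x00\x00"
    record = struct.pack("!II", RAW_PACKET_HEADER, len(record)) + record
    sample = struct.pack("!IIIIIIII", 7, 3, 2000, 14000, 0, 3, 5, 1) + record
    sample = struct.pack("!II", FLOW_SAMPLE, len(sample)) + sample
    return (struct.pack("!II", 5, 1) + bytes([192, 0, 2, 1])
            + struct.pack("!IIII", 0, 42, 123456, 1) + sample)


if __name__ == "__main__":
    print(parse_datagram(build_test_datagram()))
```

The parser always resynchronizes on the declared sample and record lengths rather than on the bytes it happened to consume, which is what keeps a collector from being thrown off by a record type it does not understand, or by a malformed one.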

Configuring sFlow

sFlow can be configured globally, then on traffic VDOMs and individual interfaces.
When configuring sFlow on a VDOM, the collector can be specified, or the collector that is configured globally can be
used.
sFlow is supported on some interface types, such as physical, VLAN, and aggregate. It is not supported on virtual
interfaces, such as VDOM link, IPsec, GRE, or SSL. When configuring sFlow on an interface, the rate that the agent
samples traffic, the direction of that traffic, and the frequency that the agent sends sFlow datagrams to the sFlow
collector can be specified. If sFlow is configured on the VDOM that the interface belongs to, the agent sends datagrams
to the collector configured for the VDOM. Otherwise, the datagrams are sent to the collector that is configured globally.
Configuring sFlow for an interface disables NP offloading for all traffic on that interface.
sFlow datagrams are sent as plain UDP with no authentication or encryption, and they carry sampled packet headers,
so the collector should be reachable over a trusted management path rather than across untrusted networks.


To configure sFlow globally:

config system sflow
    set collector-ip <ipv4_address>
    set collector-port <port>
    set source-ip <ipv4_address>
end

collector-ip <ipv4_address>    The IPv4 address of the sFlow collector that the sFlow agents on sFlow-enabled
                               interfaces send datagrams to (default = 0.0.0.0).
collector-port <port>          The UDP port number used for sending sFlow datagrams (0 - 65535, default = 6343).
                               Only configure this option if required by the sFlow collector or your network
                               configuration.
source-ip <ipv4_address>       The source IPv4 address that the sFlow agent uses to send datagrams to the
                               collector (default = 0.0.0.0).
                               If this option is not configured, the FortiGate uses the IP address of the interface
                               that it sends the datagram through.

To configure sFlow for a VDOM:

config vdom
    edit <vdom>
        config system vdom-sflow
            set vdom-sflow {enable | disable}
            set collector-ip <ipv4_address>
            set collector-port <port>
            set source-ip <ipv4_address>
        end
    next
end

vdom-sflow {enable | disable}  Enable/disable the sFlow configuration for the current VDOM (default = disable).
collector-ip <ipv4_address>    The IPv4 address of the sFlow collector that the sFlow agents on sFlow-enabled
                               interfaces in this VDOM send datagrams to (default = 0.0.0.0).
                               If this option is not configured, the global setting will be used.
collector-port <port>          The UDP port number used for sending sFlow datagrams (0 - 65535, default = 6343).
                               Only configure this option if required by the sFlow collector or your network
                               configuration.
                               If this option is not configured, the global setting will be used.
source-ip <ipv4_address>       The source IPv4 address that the sFlow agent uses to send datagrams to the
                               collector (default = 0.0.0.0).
                               If this option is not configured, the FortiGate uses the IP address of the interface
                               that it sends the datagram through.


To configure sFlow on an interface:

config system interface
    edit <interface>
        set sflow-sampler {enable | disable}
        set sample-rate <integer>
        set polling-interval <integer>
        set sample-direction {tx | rx | both}
    next
end

sflow-sampler {enable | disable}   Enable/disable sFlow on this interface (default = disable).
sample-rate <integer>              The average number of packets that the agent lets pass before taking a
                                   sample (10 - 99999, default = 2000).
                                   Setting a lower rate samples a higher number of packets, increasing the
                                   accuracy of the sampling data, but also increasing the CPU and network
                                   bandwidth usage. The default value is recommended.
polling-interval <integer>         The amount of time that the agent waits between sending datagrams to the
                                   collector, in seconds (1 - 255, default = 20).
                                   Setting a higher value lowers the amount of data that the agent sends across
                                   the network, but makes the collector's view of the network less current.
sample-direction {tx | rx | both}  The direction of the traffic that the agent collects (default = both).

IPv6

The following topics provide information about IPv6:


l IPv6 overview on page 662
l IPv6 quick start on page 663
l IPv6 configuration examples on page 667

IPv6 overview

Internet Protocol version 6 (IPv6) is the latest version of the Internet Protocol (IP) and was developed to address the
limitations of its predecessor, IPv4. The primary issue with IPv4 is its limited number of addresses, which are based on a
32-bit scheme and have a theoretical limit of 2 to the power of 32. In contrast, IPv6 uses a 128-bit address scheme,
allowing for a much larger theoretical limit of 2 to the power of 128 addresses.
In simpler terms:
l IPv4 can support 4 294 967 296 addresses.
l IPv6 can support 340 282 366 920 938 463 463 374 607 431 768 211 456 addresses.
In addition to the expanded number of addresses, some of the other benefits of IPv6 include:


l More efficient routing due to reduction in the size of routing tables. This is achieved through hierarchical address
allocation, which allows for more efficient routing of data packets.
l Reduced management requirements by supporting stateless auto-reconfiguration of hosts. This means that devices
can automatically configure their network settings without the need for manual intervention.
l Improved methods to change Internet Service Providers. With IPv6, it is easier for users to switch between different
ISPs without experiencing any service disruption.
l Better mobility support by providing seamless connection. This means that devices can move between different
networks without losing their connection.
l Multi-homing. This allows a device to have multiple network connections, providing increased reliability and
redundancy.
l Improved security with built-in support for IPsec, the protocol suite that provides authentication and encryption
for data transmitted over a network. This makes IPsec part of the IPv6 protocol suite; it does not mean that IPv6
traffic is authenticated or encrypted by default, and that protection must still be explicitly configured.
l IPv6 offers scoped addresses with link-local, unique local, and global address spaces. This allows for more flexible
addressing and improved network organization.

Address Type          Notation   Description                                                    Example
Link-local unicast    FE80::/10  Designed for use on a local link and automatically configured  FE80::1
                                 on all interfaces. These addresses are not routable.
Unique local unicast  FC00::/7   Similar to IPv4 private addresses and can be used on your own  FC00::1
                                 network. They are not routable globally.                       FD00::1
Global unicast        2000::/3   Similar to IPv4 public addresses and can be used on the        2001::1
                                 Internet. They are routable globally.                          3000::1

See Internet Protocol Version 6 Address Space for more information.

IPv6 quick start

This section provides an introduction to setting up a few basic IPv6 settings on the FortiGate. See Basic administration
on page 46 for more information about basic FortiGate administration.

This chapter provides instructions for basic IPv6 configuration that should work in most cases,
regardless of whether the device has an existing IPv4 configuration or is a new FortiGate
device.

The topics covered in this section include:


l Configuring an interface on page 664
l Configuring the default route on page 664
l Configuring the DNS on page 665
l Configuring the address object on page 665
l Configuring the address group on page 665
l Configuring the firewall policy on page 666
Before starting, make sure to enable the IPv6 feature.


To enable IPv6 in the GUI:

1. Go to System > Feature Visibility.
2. Under Core Features, enable IPv6.
3. Click Apply.

Configuring an interface

To configure an interface in the GUI:

1. Go to Network > Interfaces.
2. Select an interface and click Edit.
3. In the Address section, enter the IPv6 Address/Prefix.
4. In the Administrative Access section, select the IPv6 access options as needed (such as PING, HTTPS, and SSH).
Enable only the protocols that you need: HTTP and TELNET carry administrator credentials in cleartext, so prefer
HTTPS and SSH, and avoid enabling administrative access on Internet-facing interfaces.
5. Click OK.

To configure an interface in the CLI:

config system interface
    edit <interface name>
        config ipv6
            set ip6-address <IPv6 prefix>
            set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | fabric}
        end
    next
end

Configuring the default route

Setting the default route enables basic routing to allow the FortiGate to return traffic to sources that are not directly
connected. The gateway address should be your existing router or L3 switch that the FortiGate is connected to. Set the
interface to be the interface the gateway is connected to.

To configure the default route in the GUI:

1. Go to Network > Static Routes.


2. Click Create New > IPv6 Static Route.
3. Leave the Destination prefix as ::/0. This is known as a default route, since it would match any IPv6 address.
4. Enter the Gateway Address.
5. Select an Interface.
6. Click OK.

To configure the default route in the CLI:

config router static6
    edit 0
        set gateway <IPv6 address>
        set device <interface name>
    next
end

Configuring the DNS

To configure IPv6 DNS servers in the GUI:

1. Go to Network > DNS.
2. Under IPv6 DNS Settings, configure the primary and secondary DNS servers as needed.
3. Click Apply.

To configure IPv6 DNS servers in the CLI:

config system dns
    set ip6-primary <IPv6 address>
    set ip6-secondary <IPv6 address>
end

Configuring the address object

Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies,
ZTNA, and so on. When creating an IPv6 address object, several different types of addresses can be specified similar to
IPv4 addresses. See Address Types on page 1202 for more information.

To configure an IPv6 address in the GUI:

1. Go to Policy & Objects > Addresses.


2. Select Create New > Address.
3. In the Category field, select IPv6 Address.
4. Enter a Name for the address object.
5. In the Type field, select one of the types from the dropdown menu.
6. Configure the rest of the settings as required.
7. Click OK.

To configure an IPv6 address in the CLI:

config firewall address6
    edit <name>
        set type {ipprefix | iprange | fqdn | geography | dynamic | template | mac}
    next
end

Configuring the address group

Address groups are designed for ease of use in the administration of the device. See Address group on page 1217 for
more information.


To create an address group:

1. Go to Policy & Objects > Addresses.


2. Go to Create New > Address Group.
3. In the Category field, select IPv6 Group.
4. Enter a Group name for the address object.
5. Select the + in the Members field. The Select Entries pane opens.
6. Select members of the group. It is possible to select more than one entry. Select the x icon in the field to remove an
entry.
7. Enter any additional information in the Comments field.
8. Click OK.

To configure an address group in the CLI:

config firewall addrgrp6
    edit <name>
        set member <name>
    next
end

Configuring the firewall policy

A firewall policy must be in place for any traffic that passes through a FortiGate. See Firewall policy parameters on page
1114 for more information.

To create a firewall policy in the GUI:

1. Go to Policy & Objects > Firewall Policy.


2. Enter a Name and configure the following necessary settings:

Incoming Interface Incoming (ingress) interface

Outgoing Interface Outgoing (egress) interface

Source Source IPv6 address name and address group names

Destination Destination IPv6 address name and address group names

Schedule Schedule name

Service Service and service group names

Action Policy action

To configure a firewall policy in the CLI:

config firewall policy
    edit <policyid>
        set srcintf <name>
        set dstintf <name>
        set action {accept | deny}
        set srcaddr6 <name>
        set dstaddr6 <name>
        set schedule <name>
        set service <name>
    next
end

See IPv6 quick start example on page 667 for a sample configuration.

IPv6 configuration examples

The following topics provide instructions on different IPv6 configuration examples:


l IPv6 quick start example on page 667

IPv6 quick start example

In this example, a host belonging to a specific range on the internal IPv6 network can communicate exclusively with the
web server and FTP server.
Additionally, all internal clients can access the Internet.

Prerequisites

Before you begin to configure IPv6, go through the following steps:
1. Obtain an IPv6 /48 global routing prefix, commonly known as a site prefix, from your ISP.
2. Design a subnetting plan for your organization's IPv6 network using a 16-bit subnet ID, which allows for up to
65 536 /64 subnets within the /48. The specific scheme will depend on the network's size, structure, and the
organization's needs.
At this stage, the following installation and configuration conditions are assumed:
l You have administrative access to the GUI or CLI.
l The FortiGate unit is incorporated into your WAN or other networks, but for simplicity, only the standalone FortiGate
configuration is displayed.

Topology

The following topology is used for this example:


l The company is assigned the site prefix of 2001:db8:d0c::/48 by their ISP.


l The IPv6 address for the Web Server is 2001:db8:d0c:3::1/64.
l The IPv6 address for the FTP Server is 2001:db8:d0c:3::2/64.
l The IPv6 address for the TFTP Server is 2001:db8:d0c:3::3/64.
l The range on the internal IPv6 network that can access both servers is from 2001:db8:d0c:2::1 to
2001:db8:d0c:2::32.
l The IPv6 address of port1 is 2001:db8:d0c:1::1/64.
l The IPv6 address of port2 is 2001:db8:d0c:2::f/64.
l The IPv6 address of port3 is 2001:db8:d0c:3::f/64.
l The IPv6 address of the default gateway is 2001:db8:d0c:1::f/64.

Please note that the IPv6 addresses used in this example are for illustrative purposes only and
should not be used in your environment.
The 2001:db8::/32 prefix is a special IPv6 prefix designated for use in documentation
examples. See RFC 3849 for more information.

To configure the example in the GUI:

1. Configure the IPv6 address on port1, port2 and port3:


a. Go to Network > Interfaces and edit port1.
b. For IPv6 addressing Mode, select manual and enter the IPv6 Address/Prefix.

IPv6 Address/Prefix 2001:db8:d0c:1::1/64

c. Click OK.
d. Repeat steps a and b for port2.

IPv6 Address/Prefix 2001:db8:d0c:2::f/64

e. Repeat steps a and b for port3.

IPv6 Address/Prefix 2001:db8:d0c:3::f/64

2. Configure the default route:


a. Go to Network > Static Routes.


b. Click Create New > IPv6 Static Route.
c. Configure the following settings:

Destination ::/0

Gateway Address 2001:db8:d0c:1::f

Interface port1

d. Select OK.
3. Configure the IPv6 firewall address for the Web Server:
a. Go to Policy & Objects > Addresses.
b. Select Create New > Address.
c. Select IPv6 Address and fill out the fields with the following information:

Name Web_Server

Type IPv6 Subnet

IPv6 Address 2001:db8:d0c:3::1/128

d. Select OK.
4. Configure the IPv6 firewall address for the FTP Server:
a. Go to Policy & Objects > Addresses.
b. Select Create New > Address.
c. Select IPv6 Address and fill out the fields with the following information:

Name FTP_Server

Type IPv6 Subnet

IPv6 Address 2001:db8:d0c:3::2/128

d. Select OK.
5. Configure the IPv6 address group, which includes both the Web and FTP servers:
a. Go to Policy & Objects > Addresses.
b. Select Create New > Address Group.
c. Select IPv6 Group and fill out the fields with the following information:

Group name Custom_Server

Members Web_Server, FTP_Server

d. Select OK.
6. Configure the IPv6 firewall address for the Internal IPv6 network range which can access both the Web and FTP
server:
a. Go to Policy & Objects > Addresses.
b. Select Create New > Address.


c. Select IPv6 Address and fill out the fields with the following information:

Name Internal_Custom_Range

Type IPv6 Range

IP Range 2001:db8:d0c:2::1 - 2001:db8:d0c:2::32

d. Select OK.
7. Configure the IPv6 firewall policy to allow IPv6 traffic from Internal_Custom_Range to Custom_Server:
a. Go to Policy & Objects > Firewall Policy.
b. Click Create New.
c. Name the policy and configure the following parameters:

Incoming Interface port2

Outgoing Interface port3

Source Internal_Custom_Range

Destination Custom_Server

Schedule always

Service FTP, HTTPS

Action ACCEPT

d. Click OK.
8. Configure the IPv6 firewall policy to allow IPv6 traffic from internal clients to the Internet:
a. Go to Policy & Objects > Firewall Policy.
b. Click Create New.
c. Name the policy and configure the following parameters:

Incoming Interface port2

Outgoing Interface port1

Source all

Destination all

Schedule always

Service ALL

Action ACCEPT

d. Click OK.

To configure the example in the CLI:

1. Configure the IPv6 address on port1, port2, and port3:
config system interface
    edit "port1"
        config ipv6
            set ip6-address 2001:db8:d0c:1::1/64
        end
    next
    edit "port2"
        config ipv6
            set ip6-address 2001:db8:d0c:2::f/64
        end
    next
    edit "port3"
        config ipv6
            set ip6-address 2001:db8:d0c:3::f/64
        end
    next
end

2. Configure the default route:
config router static6
    edit 0
        set gateway 2001:db8:d0c:1::f
        set device "port1"
    next
end

3. Configure the IPv6 firewall address for the Web Server:
config firewall address6
    edit "Web_Server"
        set ip6 2001:db8:d0c:3::1/128
    next
end

4. Configure the IPv6 firewall address for the FTP Server:
config firewall address6
    edit "FTP_Server"
        set ip6 2001:db8:d0c:3::2/128
    next
end

5. Configure the IPv6 address group, which includes the Web and FTP servers:
config firewall addrgrp6
    edit "Custom_Server"
        set member "FTP_Server" "Web_Server"
    next
end

6. Configure the IPv6 firewall address for the internal IPv6 network range that can access both the Web and FTP
servers. Both ends of the range are inclusive, and IPv6 addresses are hexadecimal, so ::1 to ::32 covers 50 hosts:
config firewall address6
    edit "Internal_Custom_Range"
        set type iprange
        set start-ip 2001:db8:d0c:2::1
        set end-ip 2001:db8:d0c:2::32
    next
end

7. Configure the IPv6 firewall policy to allow IPv6 traffic from Internal_Custom_Range to Custom_Server:
config firewall policy
    edit 1
        set name "IPv6_internal_to_server"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr6 "Internal_Custom_Range"
        set dstaddr6 "Custom_Server"
        set schedule "always"
        set service "FTP" "HTTPS"
        set utm-status enable
        set logtraffic all
    next
end

8. Configure the IPv6 firewall policy to allow IPv6 traffic from internal clients to the Internet. This must use a
different policy ID from step 7 (it appears as policyid=2 in the Verification logs); reusing edit 1 would overwrite the
IPv6_internal_to_server policy:
config firewall policy
    edit 2
        set name "IPv6_internal_to_internet"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
    next
end
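The following is an added example written for this page, not FortiOS code: it models the address objects, the address group and the two policies configured above as plain data and evaluates a flow against them the way the policy lookup in the Verification section does (top to bottom, first match wins, implicit deny otherwise). It takes the egress interface as an argument rather than deriving it from a route lookup as the FortiGate does, and the service table covers only the FTP, HTTPS and TFTP services the example exercises. It also makes one detail visible that is easy to miss when reading the configuration: an IPv6 iprange object is inclusive on both ends and its boundaries are hexadecimal, so ::1 to ::32 holds 50 hosts and ::33 is the first address outside it.

```python
"""Offline model of the quick-start IPv6 address objects and policies (added example;
not FortiOS code; the egress interface is supplied instead of being routed)."""
import ipaddress

# Address objects from the example: ipprefix objects as networks, iprange as an inclusive pair.
ADDRESS6 = {
    "Web_Server": ipaddress.ip_network("2001:db8:d0c:3::1/128"),
    "FTP_Server": ipaddress.ip_network("2001:db8:d0c:3::2/128"),
    "Internal_Custom_Range": (ipaddress.ip_address("2001:db8:d0c:2::1"),
                              ipaddress.ip_address("2001:db8:d0c:2::32")),
}
ADDRGRP6 = {"Custom_Server": ["FTP_Server", "Web_Server"]}

# Service objects as (IP protocol, destination port); "ALL" matches any protocol and port.
SERVICES = {"FTP": (6, 21), "HTTPS": (6, 443), "TFTP": (17, 69)}

# Policies are evaluated top to bottom; the first match decides, otherwise the implicit deny applies.
POLICIES = [
    {"id": 1, "name": "IPv6_internal_to_server", "srcintf": "port2", "dstintf": "port3",
     "srcaddr6": ["Internal_Custom_Range"], "dstaddr6": ["Custom_Server"],
     "service": ["FTP", "HTTPS"], "action": "accept"},
    {"id": 2, "name": "IPv6_internal_to_internet", "srcintf": "port2", "dstintf": "port1",
     "srcaddr6": ["all"], "dstaddr6": ["all"], "service": ["ALL"], "action": "accept"},
]


def addr_matches(name, ip):
    """True if the address object or address group `name` contains `ip`."""
    if name == "all":
        return True
    if name in ADDRGRP6:
        return any(addr_matches(member, ip) for member in ADDRGRP6[name])
    obj = ADDRESS6[name]
    if isinstance(obj, tuple):             # iprange: both ends are inclusive
        return obj[0] <= ip <= obj[1]
    return ip in obj                       # ipprefix


def range_host_count(name):
    """Number of addresses in an iprange object (::1 to ::32 is 0x32 = 50 hosts, not 32)."""
    start, end = ADDRESS6[name]
    return int(end) - int(start) + 1


def service_matches(names, proto, dport):
    return any(n == "ALL" or SERVICES[n] == (proto, dport) for n in names)


def lookup(srcintf, dstintf, src, dst, proto, dport):
    """Return (action, policy id) for a flow; ("deny", None) is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy in POLICIES:
        if (policy["srcintf"] == srcintf and policy["dstintf"] == dstintf
                and any(addr_matches(a, src) for a in policy["srcaddr6"])
                and any(addr_matches(a, dst) for a in policy["dstaddr6"])
                and service_matches(policy["service"], proto, dport)):
            return policy["action"], policy["id"]
    return "deny", None


if __name__ == "__main__":
    # The cases the Verification section traces with diagnose debug flow.
    print(lookup("port2", "port3", "2001:db8:d0c:2::1", "2001:db8:d0c:3::1", 6, 443))   # web, allowed
    print(lookup("port2", "port3", "2001:db8:d0c:2::32", "2001:db8:d0c:3::3", 17, 69))  # TFTP, denied
    print(lookup("port2", "port3", "2001:db8:d0c:2::33", "2001:db8:d0c:3::2", 6, 21))   # out of range
```

Group membership is resolved recursively so a group can be tested exactly like a single object, and a matching deny policy is reported with its ID so it can be told apart from the implicit deny, which is what you want when checking why a flow was dropped.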

Verification

The following commands can be used to verify that IPv6 traffic is entering and leaving the FortiGate as expected. See
Debugging the packet flow on page 2196 for more information. Narrow the trace to the hosts of interest before starting
it, for example with diagnose debug flow filter6 addr 2001:db8:d0c:3::1, because an unfiltered flow trace on a busy
FortiGate produces a large amount of output. The func= fields in the output below are shown when function names are
enabled with diagnose debug flow show function-name enable. Stop the trace when you are finished with diagnose debug
flow trace stop followed by diagnose debug disable, so that debugging is not left running on a production device.
diagnose debug enable
diagnose debug flow show function-name enable
diagnose debug flow trace start6 200

The output below indicates that hosts belonging to the Internal_Custom_Range can successfully reach both the Web_
Server and FTP_Server defined in the Custom_Server address group.
However, they are unable to reach the TFTP server, as it is not included in the Custom_Server group. Furthermore,
hosts with IPv6 addresses that do not belong to the Internal_Custom_Range are not able to access Custom_Server.

Host belonging to Internal_Custom_Range accessing Web_Server:

id=65308 trace_id=21 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet
(proto=6, 2001:db8:d0c:2::1:55114->2001:db8:d0c:3::1:443) from port2."
id=65308 trace_id=21 func=resolve_ip6_tuple line=5102 msg="allocate a new session-0000006b"
id=65308 trace_id=21 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0
flags 40000001"
id=65308 trace_id=21 func=fw6_forward_handler line=501 msg="Check policy between port2 ->
port3"
id=65308 trace_id=21 func=fw6_forward_handler line=638 msg="Allowed by Policy-1:"

Host belonging to Internal_Custom_Range accessing FTP_Server:

id=65308 trace_id=6 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet
(proto=6, 2001:db8:d0c:2::32:50982->2001:db8:d0c:3::2:21) from port2."
id=65308 trace_id=6 func=resolve_ip6_tuple line=5102 msg="allocate a new session-00000053"
id=65308 trace_id=6 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0
flags 40000001"
id=65308 trace_id=6 func=fw6_forward_handler line=501 msg="Check policy between port2 ->
port3"
id=65308 trace_id=6 func=fw6_forward_handler line=638 msg="Allowed by Policy-1:"

Host belonging to Internal_Custom_Range accessing TFTP Server:

id=65308 trace_id=17 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet
(proto=17, 2001:db8:d0c:2::32:65316->2001:db8:d0c:3::3:69) from port2."
id=65308 trace_id=17 func=resolve_ip6_tuple line=5102 msg="allocate a new session-00000055"
id=65308 trace_id=17 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0
flags 40000001"
id=65308 trace_id=17 func=fw6_forward_handler line=501 msg="Check policy between port2 ->
port3"
id=65308 trace_id=17 func=fw6_forward_handler line=530 msg="Denied by forward policy check"

Host not belonging to Internal_Custom_Range accessing FTP_Server:

id=65308 trace_id=1 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet
(proto=6, 2001:db8:d0c:2::33:52555->2001:db8:d0c:3::2:21) from port2."
id=65308 trace_id=1 func=resolve_ip6_tuple line=5102 msg="allocate a new session-0000004d"
id=65308 trace_id=1 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0
flags 40000001"
id=65308 trace_id=1 func=fw6_forward_handler line=501 msg="Check policy between port2 ->
port3"
id=65308 trace_id=1 func=fw6_forward_handler line=530 msg="Denied by forward policy check"

Internal clients accessing the Internet:

The output below indicates that internal clients can successfully reach the internet.
1. Go to Log & Report > Forward Traffic.
2. View the log details in the GUI, or download the log file:
1: date=2023-05-10 time=13:22:54 eventtime=1683750174692262952 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=2001:db8:d0c:2::1 srcport=64780 srcintf="port2" srcintfrole="undefined"
dstip=64:ff9b::83fd:21c8 dstport=443 dstintf="port1" dstintfrole="undefined"
sessionid=15723 proto=6 action="close" policyid=2 policytype="policy" poluuid="ea8a972e-
d7e9-51ed-9b29-757f04e7194c" policyname="IPv6_internal_to_internet"
srccountry="Reserved" service="HTTPS" trandisp="noop" duration=3 sentbyte=47192
rcvdbyte=13199 sentpkt=49 rcvdpkt=48 appcat="unscanned"
2: date=2023-05-10 time=13:19:47 eventtime=1683749987902192921 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=2001:db8:d0c:2::33 srcport=51246 srcintf="port2" srcintfrole="undefined"
dstip=64:ff9b::349f:31c7 dstport=443 dstintf="port1" dstintfrole="undefined"
sessionid=15126 proto=6 action="close" policyid=2 policytype="policy" poluuid="ea8a972e-
d7e9-51ed-9b29-757f04e7194c" policyname="IPv6_internal_to_internet"
srccountry="Reserved" service="HTTPS" trandisp="noop" duration=59 sentbyte=5109
rcvdbyte=7726 sentpkt=13 rcvdpkt=11 appcat="unscanned"
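Reading these records by eye does not scale, so the following added example (written for this page; not FortiOS code) parses FortiOS key=value forward traffic records, keeps the sessions that hit a named policy, flags any whose source falls outside the 2001:db8:d0c:2::/64 network the policy was written for, and sums the bytes per session. The two records are the ones from the log excerpt above, joined back onto single lines. One additional step is not mentioned on the page: the destination addresses in the excerpt lie in 64:ff9b::/96, which is the NAT64 well-known prefix defined in RFC 6052, so the helper also recovers the IPv4 address embedded in the low 32 bits of such destinations. Whether the example environment actually reached IPv4 hosts through a translator is not stated in the guide; the decoding is provided for operators who do see such addresses in their own logs.

```python
"""Parse FortiOS forward traffic log records (added example; not FortiOS code)."""
import ipaddress
import re

# The two records from the log excerpt above, each joined back onto one line.
LOG_LINES = [
    'date=2023-05-10 time=13:22:54 eventtime=1683750174692262952 tz="-0700" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=2001:db8:d0c:2::1 '
    'srcport=64780 srcintf="port2" srcintfrole="undefined" dstip=64:ff9b::83fd:21c8 dstport=443 '
    'dstintf="port1" dstintfrole="undefined" sessionid=15723 proto=6 action="close" policyid=2 '
    'policytype="policy" poluuid="ea8a972e-d7e9-51ed-9b29-757f04e7194c" '
    'policyname="IPv6_internal_to_internet" srccountry="Reserved" service="HTTPS" trandisp="noop" '
    'duration=3 sentbyte=47192 rcvdbyte=13199 sentpkt=49 rcvdpkt=48 appcat="unscanned"',
    'date=2023-05-10 time=13:19:47 eventtime=1683749987902192921 tz="-0700" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=2001:db8:d0c:2::33 '
    'srcport=51246 srcintf="port2" srcintfrole="undefined" dstip=64:ff9b::349f:31c7 dstport=443 '
    'dstintf="port1" dstintfrole="undefined" sessionid=15126 proto=6 action="close" policyid=2 '
    'policytype="policy" poluuid="ea8a972e-d7e9-51ed-9b29-757f04e7194c" '
    'policyname="IPv6_internal_to_internet" srccountry="Reserved" service="HTTPS" trandisp="noop" '
    'duration=59 sentbyte=5109 rcvdbyte=7726 sentpkt=13 rcvdpkt=11 appcat="unscanned"',
]

NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")        # RFC 6052 well-known prefix
INTERNAL = ipaddress.ip_network("2001:db8:d0c:2::/64")  # the example's internal network (port2)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')           # key="quoted value" or key=bare


def parse_log_line(line):
    """Split a FortiOS key=value log record into a dict, with quotes removed."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def embedded_ipv4(addr):
    """For a destination in 64:ff9b::/96, return the IPv4 address carried in its low 32 bits."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip in NAT64_WKP:
        return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))
    return None


def sessions_for_policy(lines, policyname):
    """Summarize forward-traffic records that matched the named policy and flag any
    whose source lies outside the internal /64 the policy was written for."""
    sessions = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "traffic" or rec.get("policyname") != policyname:
            continue
        sessions.append({
            "src": rec["srcip"],
            "src_is_internal": ipaddress.ip_address(rec["srcip"]) in INTERNAL,
            "dst": rec["dstip"],
            "dst_ipv4": embedded_ipv4(rec["dstip"]),
            "egress": rec["dstintf"],
            "policyid": int(rec["policyid"]),
            "bytes": int(rec["sentbyte"]) + int(rec["rcvdbyte"]),
        })
    return sessions


if __name__ == "__main__":
    for session in sessions_for_policy(LOG_LINES, "IPv6_internal_to_internet"):
        print(session)
```

The regular expression accepts both quoted and bare values, so it also handles fields such as msg="..." that contain spaces; filtering on type="traffic" first keeps event records, which reuse many of the same keys, out of the session summary.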

SD-WAN

The following topics provide information about SD-WAN:


l SD-WAN overview on page 675
l SD-WAN quick start on page 679
l SD-WAN zones on page 689
l Performance SLA on page 694
l SD-WAN rules on page 713
l Advanced routing on page 759
l VPN overlay on page 782
l Advanced configuration on page 812
l SD-WAN cloud on-ramp on page 828
l Hub and spoke SD-WAN deployment example on page 852
l Troubleshooting SD-WAN on page 864

SD-WAN overview

SD-WAN is a software-defined approach to managing Wide-Area Networks (WAN). It consolidates the physical
transport connections, or underlays, and monitors and load-balances traffic across the links. VPN overlay networks can
be built on top of the underlays to control traffic across different sites.
Health checks and SD-WAN rules define the expected performance and business priorities, allowing the FortiGate to
automatically and intelligently route traffic based on the application, internet service, or health of a particular connection.
WAN security and intelligence can be extended into the LAN by incorporating wired and wireless networks under the
same domain. FortiSwitch and FortiAP devices integrate seamlessly with the FortiGate to form the foundation of an SD-
Branch.
Some of the key benefits of SD-WAN include:
l Reduced cost with transport independence across MPLS, 4G/5G LTE, and others.
l Reduced complexity with a single vendor and single-pane-of-glass management.
l Improved business application performance thanks to increased availability and agility.
l Optimized user experience and efficiency with SaaS and public cloud applications.

SD-WAN components

SD-WAN can be broken down into three layers:


l Management and orchestration
l Control, data plane, and security
l Network access


The control, data plane, and security layer can only be deployed on a FortiGate. The other two layers can help to scale
and enhance the solution. For large deployments, FortiManager and FortiAnalyzer provide the management and
orchestration capabilities, and FortiSwitch and FortiAP provide the components to deploy an SD-Branch.

Layer                              Functions                                        Devices
Management and orchestration       l Unified management                             FortiManager, FortiAnalyzer
                                   l Template based solution
                                   l Zero touch provisioning
                                   l Logging, monitoring, and analysis
                                   l Automated orchestration using the REST API
Control, data plane, and security  l Consolidation of underlays and overlays into   FortiGate
                                     SD-WAN zones
                                   l Scalable VPN solutions using ADVPN
                                   l Static and dynamic routing definition
                                   l SD-WAN health-checks and monitoring
                                   l Application-aware steering and intelligence
                                   l NGFW firewalling
Network access                     l Wired and wireless network segmentation        FortiSwitch, FortiAP
                                   l Built-in network access control

SD-WAN designs and architectures

The core functionalities of Fortinet's SD-WAN solution are built into the FortiGate. Whether the environment contains
one FortiGate, or one hundred, you can use SD-WAN by enabling it on the individual FortiGates.
At a basic level, SD-WAN can be deployed on a single device in a single site environment:

At a more advanced level, SD-WAN can be deployed in a multi-site, hub and spoke environment:


At an enterprise or MSSP level, the network can include multiple hubs, possibly across multiple regions:

For more details, see the SD-WAN / SD-Branch Architecture for MSSPs guide.

SD-WAN design principles

The five-pillar approach, described in the SD-WAN / SD-Branch Architecture for MSSPs guide, is recommended when
designing a secure SD-WAN solution.

Pillar     Overview
Underlay   Choose the WAN links to use.
Overlay    Choose the topology to interconnect your sites.
Routing    Choose how to propagate routes between your sites.
Security   Choose how to protect each of the available paths.
SD-WAN     Choose the strategy used to pick one of the available paths.

Underlay

Determine the WAN links that will be used for the underlay network, such as your broadband link, MPLS, 4G/5G LTE
connection, and others.
For each link, determine the bandwidth, quality and reliability (packet loss, latency, and jitter), and cost. Use this
information to determine which link to prefer and what type of traffic to send across each link, and to help you set the
baselines for health checks.

Overlay

VPN overlays are needed when traffic must travel across multiple sites. These are usually site-to-site IPsec tunnels that
interconnect branches, datacenters, and the cloud, forming a hub-and-spoke topology.
The management and maintenance of the tunnels should be considered when determining the overlay network
requirements. Manual tunnel configuration might be sufficient in a small environment, but could become unmanageable
as the environment size increases. ADVPN can be used to help scale the solution; see ADVPN on page 1721 for more
information.

Routing

Traditional routing designs manipulate routes to steer traffic to different links. SD-WAN uses traditional routing to build
the basic routing table to reach different destinations, but uses SD-WAN rules to steer traffic. This allows the steering to
be based on criteria such as destination, internet service, application, route tag, and the health of the link. Routing in an
SD-WAN solution is used to identify all possible routes across the underlays and overlays, which the FortiGate balances
using ECMP.
In the most basic configuration, static gateways that are configured on an SD-WAN member interface automatically
provide the basic routing needed for the FortiGate to balance traffic across the links. As the number of sites and
destinations increases, manually maintaining routes to each destination becomes difficult. Using dynamic routing to
advertise routes across overlay tunnels should be considered when you have many sites to interconnect.

Security

Security involves defining policies for access control and applying the appropriate protection using the FortiGate's
NGFW features. Efficiently grouping SD-WAN members into SD-WAN zones must also be considered. Typically,
underlays provide direct internet access and overlays provide remote internet or network access. Grouping the
underlays together into one zone, and the overlays into one or more zones could be an effective method.

SD-WAN

The SD-WAN pillar is the intelligence that is applied to traffic steering decisions. It is comprised of four primary elements:


l SD-WAN zones
SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies
as source and destination interfaces. You can define multiple zones to group SD-WAN interfaces together, allowing
logical groupings for overlay and underlay interfaces. Routing can be configured per zone.
See SD-WAN zones on page 689.
l SD-WAN members
Also called interfaces, SD-WAN members are the ports and interfaces that are used to run traffic. At least one
interface must be configured for SD-WAN to function.
See Configuring the SD-WAN interface on page 680.
l Performance SLAs
Also called health-checks, performance SLAs are used to monitor member interface link quality, and to detect link
failures. When the SLA falls below a configured threshold, the route can be removed, and traffic can be steered to
different links in the SD-WAN rule. They can also be used in SD-WAN rules to select the preferred member interface
for forwarding traffic.
See Performance SLA on page 694.
l SD-WAN rules
Also called services, SD-WAN rules control path selection. Specific traffic can be dynamically sent to the best link,
or use a specific route.
Rules control the strategy that the FortiGate uses when selecting the outbound traffic interface, the SLAs that are
monitored when selecting the outgoing interface, and the criteria for selecting the traffic that adheres to the rule.
When no SD-WAN rules match the traffic, the implicit rule applies.
See SD-WAN rules on page 713.

SD-WAN quick start

This section provides an example of how to start using SD-WAN for load balancing and redundancy.
In this example, two ISP internet connections, wan1 (DHCP) and wan2 (static), use SD-WAN to balance traffic between
them at 50% each.

1. Configuring the SD-WAN interface on page 680
2. Adding a static route on page 681
3. Selecting the implicit SD-WAN algorithm on page 681
4. Configuring firewall policies for SD-WAN on page 682
5. Link monitoring and failover on page 682
6. Results on page 683
7. Configuring SD-WAN in the CLI on page 687

Configuring the SD-WAN interface

First, SD-WAN must be enabled and member interfaces must be selected and added to a zone. The selected FortiGate
interfaces can be of any type (physical, aggregate, VLAN, IPsec, and others), but must be removed from any other
configurations on the FortiGate.
In this step, two interfaces are configured and added to the default SD-WAN zone (virtual-wan-link) as SD-WAN member
interfaces. This example uses a mix of static and dynamic IP addresses; your deployment could also use only one or the
other.
Once the SD-WAN members are created and added to a zone, the zone can be used in firewall policies, and the whole
SD-WAN can be used in static routes.

To configure SD-WAN members:

1. Configure the wan1 and wan2 interfaces. See Interface settings on page 403 for details.
a. Set the wan1 interface Addressing mode to DHCP and Distance to 10.

By default, a DHCP interface has a distance of 5, and a static route has a distance of
10. It is important to account for this when configuring your SD-WAN for 50/50 load
balancing by setting the DHCP interface's distance to 10.

b. Set the wan2 interface IP/Netmask to 10.100.20.1 255.255.255.0.
2. Go to Network > SD-WAN Zones. Routing for each SD-WAN interface is defined here.
3. Click Create New > SD-Member.
4. Set the Interface to wan1.
5. Leave SD-WAN Zone as virtual-wan-link.
6. As wan1 uses DHCP, leave Gateway set to 0.0.0.0.
If IPv6 visibility is enabled in the GUI, an IPv6 gateway can also be added for each member. See Feature visibility
on page 1065 for details.
7. Leave Cost as 0.
The Cost field is used by the Lowest Cost (SLA) strategy. The link with the lowest cost is chosen to pass traffic. The
lowest possible Cost is 0.
8. Set Status to Enable, and click OK.
9. Repeat the above steps for wan2, setting Gateway to the ISP's gateway: 10.100.20.2.

Adding a static route

You must configure a default route for the SD-WAN. The default gateways for each SD-WAN member interface do not
need to be defined in the static routes table. FortiGate will decide what route or routes are preferred using Equal Cost
Multi-Path (ECMP) based on distance and priority.

To create a static route for SD-WAN:

1. Go to Network > Static Routes.
2. Click Create New. The New Static Route page opens.
3. Set Destination to Subnet, and leave the IP address and subnet mask as 0.0.0.0/0.0.0.0.
4. From the Interface drop-down list, select SD-WAN.
5. Ensure that Status is Enabled.
6. Click OK.

Selecting the implicit SD-WAN algorithm

SD-WAN rules define specific routing options to route traffic to an SD-WAN member.
If no routing rules are defined, the default Implicit rule is used. It can be configured to use one of five different load
balancing algorithms. See Implicit rule on page 714 for more details and examples.
This example shows four methods to equally balance traffic between the two WAN connections. Go to Network > SD-
WAN Rules and edit the sd-wan rule to select the method that is appropriate for your requirements.
- Source IP (CLI command: source-ip-based):
Select this option to balance traffic equally between the SD-WAN members according to a hash algorithm based on
the source IP addresses.
- Session (weight-based):
Select this option to balance traffic equally between the SD-WAN members according to the ratio of session counts
among its members. Use weight 50 for each of the two members.
- Source-Destination IP (source-dest-ip-based):
Select this option to balance traffic equally between the SD-WAN members according to a hash algorithm based on
the source and destination IP addresses.
- Volume (measured-volume-based):
Select this option to balance traffic equally between the SD-WAN members according to the bandwidth ratio among
its members.
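As an added illustration (not code from the guide or from FortiOS), the following Python model reproduces the property that each of the four modes above guarantees: source-based and source-destination-based hashing always send the same flow key to the same member, while the weight-based and volume-based modes keep the session-count or byte-count ratio close to the configured weights. The SHA-256 bucket, the "lowest ratio wins" picker, the 50/50 weights and the member names are assumptions of this model, not the FortiGate's internal algorithm.

```python
"""Added illustrative model of the implicit SD-WAN load-balancing modes.

Not FortiOS code: the hash function (SHA-256 bucket) and the
"lowest sessions-per-weight wins" picker are assumptions that reproduce the
behaviour each mode is documented to have, not the firmware's algorithm.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int = 50        # weight-based: desired session share; volume-based: bandwidth share
    sessions: int = 0       # sessions assigned so far
    bytes_sent: int = 0     # volume measured on this member so far


def _bucket(key: str, n: int) -> int:
    """Map a flow key to a member index; the same key always yields the same index."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


def select_member(mode: str, members: list, src_ip: str, dst_ip: str) -> Member:
    """Pick the member for a new session under the given load-balance-mode."""
    if mode == "source-ip-based":
        chosen = members[_bucket(src_ip, len(members))]
    elif mode == "source-dest-ip-based":
        chosen = members[_bucket(f"{src_ip}>{dst_ip}", len(members))]
    elif mode == "weight-based":
        # Keep sessions proportional to weight: lowest sessions/weight wins, first member on ties.
        chosen = min(members, key=lambda m: (m.sessions / m.weight, members.index(m)))
    elif mode == "measured-volume-based":
        # Same rule on measured bytes: a member that just carried a large transfer is
        # skipped until the others have caught up.
        chosen = min(members, key=lambda m: (m.bytes_sent / m.weight, members.index(m)))
    else:
        raise ValueError(f"unknown load-balance-mode: {mode}")
    chosen.sessions += 1
    return chosen


def simulate(mode: str, flows) -> dict:
    """Run (src_ip, dst_ip, bytes) flows through the selector; return sessions per member."""
    members = [Member("wan1"), Member("wan2")]
    for src, dst, nbytes in flows:
        member = select_member(mode, members, src, dst)
        member.bytes_sent += nbytes      # volume becomes visible to later decisions
    return {m.name: m.sessions for m in members}


if __name__ == "__main__":
    # Constructed sample: ten clients, one 1 kB session each.
    flows = [(f"192.168.0.{i}", "8.8.8.8", 1000) for i in range(1, 11)]
    for mode in ("source-ip-based", "source-dest-ip-based", "weight-based", "measured-volume-based"):
        print(f"{mode:24s} {simulate(mode, flows)}")
```

Run it with different flow mixes to see why the guide recommends equal weights for 50/50 balancing: the hash modes are deterministic per flow key but only approximately even across a small number of clients, while the session and volume modes converge on the weight ratio regardless of which clients are active.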

Configuring firewall policies for SD-WAN

SD-WAN zones can be used in policies as source and destination interfaces. Individual SD-WAN members cannot be
used in policies.
You must configure a policy that allows traffic from your organization's internal network to the SD-WAN zone. Policies
configured with the SD-WAN zone apply to all SD-WAN interface members in that zone.

To create a firewall policy for SD-WAN:

1. Go to Policy & Objects > Firewall Policy.
2. Click Create New. The New Policy page opens.
3. Configure the following:

Name                         Enter a name for the policy.
Incoming Interface           internal
Outgoing Interface           virtual-wan-link
Source                       all
Destination                  all
Schedule                     always
Service                      ALL
Action                       ACCEPT
Firewall / Network Options   Enable NAT and set IP Pool Configuration to Use Outgoing Interface Address.
Security Profiles            Apply profiles as required.
Logging Options              Enable Log Allowed Traffic and select All Sessions. This allows you to verify
                             results later.

4. Enable the policy, then click OK.

Link monitoring and failover

Performance SLA link monitoring measures the health of links that are connected to SD-WAN member interfaces by
sending probing signals through each link to a server, and then measuring the link quality based on latency, jitter, and
packet loss. If a link is broken, the routes on that link are removed and traffic is routed through other links. When the link
is working again, the routes are re-enabled. This prevents traffic being sent to a broken link and lost.

In this example, the detection server IP address is 208.91.112.53. A performance SLA is created so that, if ping fails per
the metrics defined, the routes to that interface are removed and traffic is detoured to the other interface. The ping
protocol is used, but other protocols could also be selected as required.

To configure a performance SLA:

1. Go to Network > Performance SLA.
2. Click Create New. The New Performance SLA page opens.
3. Enter a name for the SLA and set Protocol to Ping.
4. In the Server field, enter the detection server IP address (208.91.112.53 in this example).
5. In the Participants field, select Specify and add wan1 and wan2.
SLA targets are not required for link monitoring.
6. Configure the required metrics in Link Status.
7. Ensure that Update static route is enabled. This disables static routes for the inactive interface and restores routes
on recovery.
8. Click OK.

Results

The following GUI pages show the function of the SD-WAN and can be used to confirm that it is set up and running
correctly:

- Interface usage on page 684
- Performance SLA on page 685
- Routing table on page 687
- Firewall policy on page 687

Interface usage

Go to Network > SD-WAN Zones to review the SD-WAN interfaces' usage.

Bandwidth

Select Bandwidth to view the amount of downloaded and uploaded data for each interface.

Volume

Select Volume to see donut charts of the received and sent bytes on the interfaces.

Sessions

Select Sessions to see a donut chart of the number of active sessions on each interface.

Performance SLA

Go to Network > Performance SLA and select the SLA from the table (server in this example) to view the packet loss,
latency, and jitter on each SD-WAN member in the health check server.

Packet loss

Select Packet Loss to see the percentage of packets lost for each member.

Latency

Select Latency to see the current latency, in milliseconds, for each member.

Jitter

Select Jitter to see the jitter, in milliseconds, for each member.

Routing table

Go to Dashboard > Network and expand the Static & Dynamic Routing widget to review all static and dynamic routes.
For more information about the widget, see Static & Dynamic Routing Monitor on page 83.

Firewall policy

Go to Policy & Objects > Firewall Policy to review the SD-WAN policy.

Configuring SD-WAN in the CLI

This example can be entirely configured using the CLI.

To configure SD-WAN in the CLI:

1. Configure the wan1 and wan2 interfaces:


config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
        set distance 10
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end

2. Enable SD-WAN and add the interfaces as members:


config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

3. Create a static route for SD-WAN:


config router static
    edit 1
        set sdwan enable
    next
end

4. Select the implicit SD-WAN algorithm:


config system sdwan
    set load-balance-mode {source-ip-based | weight-based | source-dest-ip-based | measured-volume-based}
end

5. Create a firewall policy for SD-WAN:


config firewall policy
    edit <policy_id>
        set name <policy_name>
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile <profile_name>
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set emailfilter-profile <profile_name>
        set ips-sensor <sensor_name>
        set application-list <app_list>
        set voip-profile <profile_name>
        set logtraffic all
        set nat enable
        set status enable
    next
end

6. Configure a performance SLA:


config system sdwan
    config health-check
        edit "server"
            set server "208.91.112.53"
            set update-static-route enable
            set members 1 2
        next
    end
end

Results

To view the routing table:

# get router info routing-table all

Routing table for VRF=0


Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S*      0.0.0.0/0 [1/0] via 172.16.20.2, wan1
                  [1/0] via 10.100.20.2, wan2
C       10.100.20.0/24 is directly connected, wan2
C       172.16.20.2/24 is directly connected, wan1
C       192.168.0.0/24 is directly connected, internal
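An added check, not part of the guide or of FortiOS: parse the routing table output above and confirm that the SD-WAN default route has an ECMP next hop on every member with the same bracketed attributes, which is what the 50/50 balancing in this example relies on. The first sample is the output shown above; the degraded sample (wan1's next hop withdrawn, as happens when a health check removes its route) is constructed for this example.

```python
"""Added check (not FortiOS code): verify that every SD-WAN member carries an
equal-attribute next hop for the default route in `get router info
routing-table all` output.  Only routes with a "via" next hop are parsed;
connected routes are skipped."""
import re

# "S*      0.0.0.0/0 [1/0] via 172.16.20.2, wan1"
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>[\d.]+/\d+)\s+\[(?P<attrs>\d+/\d+)\]\s+via\s+(?P<gw>[\d.]+),\s+(?P<intf>\S+)"
)
# ECMP continuation line: "                  [1/0] via 10.100.20.2, wan2"
ECMP_RE = re.compile(r"^\[(?P<attrs>\d+/\d+)\]\s+via\s+(?P<gw>[\d.]+),\s+(?P<intf>\S+)")

# Copied from the output above.
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default

S*      0.0.0.0/0 [1/0] via 172.16.20.2, wan1
                  [1/0] via 10.100.20.2, wan2
C       10.100.20.0/24 is directly connected, wan2
C       172.16.20.2/24 is directly connected, wan1
C       192.168.0.0/24 is directly connected, internal
"""

# Constructed: the wan1 next hop has been withdrawn.
DEGRADED_ROUTING_TABLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.100.20.2, wan2
C       10.100.20.0/24 is directly connected, wan2
C       192.168.0.0/24 is directly connected, internal
"""


def parse_routes(text: str) -> list:
    """Return a list of {code, prefix, nexthops:[(attrs, gateway, interface)]} entries."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"code": m["code"], "prefix": m["prefix"],
                           "nexthops": [(m["attrs"], m["gw"], m["intf"])]})
            continue
        m = ECMP_RE.match(line)
        if m and routes:
            # An indented "[a/b] via ..." line belongs to the preceding route entry.
            routes[-1]["nexthops"].append((m["attrs"], m["gw"], m["intf"]))
    return routes


def check_sdwan_default(routes: list, members: list) -> dict:
    """Report whether the default route covers all members with identical [a/b] attributes."""
    default = next((r for r in routes if r["prefix"] == "0.0.0.0/0"), None)
    if default is None:
        return {"ok": False, "missing": sorted(members), "attrs": set()}
    present = {intf for _, _, intf in default["nexthops"]}
    attrs = {a for a, _, _ in default["nexthops"]}
    missing = sorted(set(members) - present)
    return {"ok": not missing and len(attrs) == 1, "missing": missing, "attrs": attrs}


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_ROUTING_TABLE), ("degraded", DEGRADED_ROUTING_TABLE)):
        print(label, check_sdwan_default(parse_routes(text), ["wan1", "wan2"]))
```

A mismatch in the bracketed attributes is the symptom of the distance note in step 1a above: a DHCP member left at distance 5 would not share the default route with the static member at distance 10.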

To diagnose the Performance SLA status:

FGT # diagnose sys sdwan health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0

SD-WAN zones

SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies as
source and destination interfaces.

You can define multiple zones to group SD-WAN interfaces together, allowing logical groupings for overlay and underlay
interfaces. The zones are used in firewall policies to allow for more granular control. SD-WAN members cannot be used
directly in policies.
Static routes use the entire SD-WAN, not just individual zones or members.

In the CLI:
- config system sdwan has replaced config system virtual-wan-link.
- diagnose sys sdwan has replaced diagnose sys virtual-wan-link.
- When configuring a static route, the sdwan variable has replaced the virtual-wan-link variable.

When the Security Fabric is configured, SD-WAN zones are included in the Security Fabric topology views.

To create an SD-WAN zone in the GUI:

1. Go to Network > SD-WAN Zones.
The default SD-WAN zone is virtual-wan-link.
2. Click Create New > SD-WAN Zone.
3. Enter a name for the new zone.
4. If SD-WAN members have already been created, add the required members to the zone.
Members can also be added to the zone after it has been created by editing the zone, or when creating or editing the
member.
5. Click OK.

To create an SD-WAN interface member in the GUI:

1. Go to Network > SD-WAN Zones.
2. Click Create New > SD-WAN Member.
3. Select an interface.
The interface can also be left as none and selected later, or click +VPN to create an IPsec VPN for the SD-WAN
member.
4. Select the SD-WAN zone that the member will join. A member can also be moved to a different zone at any time.
5. Set the Gateway, Cost, and Status as required.
6. Click OK.
The interface list at Network > Interfaces shows the SD-WAN zones and their members.

To create a policy using the SD-WAN zone in the GUI:

1. Go to Policy & Objects > Firewall Policy, Policy & Objects > Proxy Policy, or Policy & Objects > Security Policy.
2. Click Create New.
3. Configure the policy settings as needed, selecting an SD-WAN zone or zones for the incoming and/or outgoing
interface.
4. Click OK.

To view SD-WAN zones in a Security Fabric topology:

1. Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology. The SD-WAN zones and their
members are shown.

To configure SD-WAN in the CLI:

1. Enable SD-WAN and create a zone:


config system sdwan
    set status enable
    config zone
        edit "vpn-zone"
        next
    end
end

2. Configure SD-WAN members and add them to a zone:


config system sdwan
    config members
        edit 1
            set interface "to_FG_B_root"
            set zone "vpn-zone"
        next
        edit 2
            set interface "GRE_1"
            set zone "vpn-zone"
        next
    end
end

To create a policy using the SD-WAN zone in the CLI:

config firewall policy
    edit <policy_id>
        set name <policy_name>
        set srcintf internal
        set dstintf vpn-zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile <profile_name>
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set emailfilter-profile <profile_name>
        set ips-sensor <sensor_name>
        set application-list <app_list>
        set voip-profile <profile_name>
        set logtraffic all
        set nat enable
        set status enable
    next
end

Performance SLA

The following topics provide instructions on configuring performance SLA:

- Link health monitor on page 694
- Factory default health checks on page 697
- Health check options on page 699
- Link monitoring example on page 702
- SLA targets example on page 703
- Health check packet DSCP marker support on page 705
- Interface speedtest on page 705
- Monitor performance SLA on page 707
- SLA monitoring using the REST API on page 710

Link health monitor

Performance SLA link health monitoring measures the health of links that are connected to SD-WAN member interfaces
by sending probing signals through each link to a server and measuring the link quality based on latency, jitter, and
packet loss. If a link fails all of the health checks, the routes on that link are removed from the SD-WAN link load
balancing group, and traffic is routed through other links. When the link is working again the routes are reestablished.
This prevents traffic being sent to a broken link and lost.
When an SD-WAN member has multiple health checks configured, all of the checks must fail for the routes on that link to
be removed from the SD-WAN link load balancing group.
Two health check servers can be configured to ensure that, if there is a connectivity issue, the interface is at fault and not
the server. A server can only be used in one health check.

The FortiGate uses the first server configured in the health check server list to perform the health check. If the first server
is unavailable, then the second server is used. The second server continues to be used until it becomes unavailable, and
then the FortiGate returns to the first server, if it is available. If both servers are unavailable, then the health check fails.
You can configure the protocol that is used for status checks, including: Ping, HTTP, DNS, TCP echo, UDP echo, two-
way active measurement protocol (TWAMP), TCP connect, and FTP. In the GUI, only Ping, HTTP, and DNS are
available.
You can view link quality measurements at Network > Performance SLA. The table shows the default health checks, the
health checks that you configured, and information about each health check. The values shown in the Packet Loss,
Latency, and Jitter columns are for the health check server that the FortiGate is currently using. The green up arrows
indicate that the server is responding, and does not indicate if the health checks are being met. See Results on page 683
for more information.

To configure a link health monitor in the GUI:

1. Go to Network > Performance SLA and click Create New.
2. Set a Name for the SLA.
3. Set the Protocol that you need to use for status checks: Ping, HTTP, or DNS.
4. Set Server to the IP addresses of up to two servers that all of the SD-WAN members in the performance SLA can
reach.
5. Set Participants to All SD-WAN Members, or select Specify to choose specific SD-WAN members.
6. Set Enable probe packets to enable or disable sending probe packets.
7. Configure SLA Target:
If the health check is used in an SD-WAN rule that uses Manual or Best Quality strategies, enabling SLA Target is
optional. If the health check is used in an SD-WAN rule that uses Lowest Cost (SLA) or Maximum Bandwidth (SLA)
strategies, then SLA Target is enabled.
When SLA Target is enabled, configure the following:
- Latency threshold: Calculated based on the last 30 probes (default = 5 ms).
- Jitter threshold: Calculated based on the last 30 probes (default = 5 ms).
- Packet Loss threshold: Calculated based on the last 100 probes (default = 0%).
8. In the Link Status section, configure the following:
- Check interval: The interval at which the FortiGate checks the interface, in milliseconds (500 - 3600000,
default = 500).
- Failures before inactive: The number of failed status checks before the interface shows as inactive (1 - 3600,
default = 5). This setting helps prevent flapping, where the system continuously transfers traffic back and forth
between links.
- Restore link after: The number of successful status checks before the interface shows as active (1 - 3600,
default = 5). This setting helps prevent flapping, where the system continuously transfers traffic back and forth
between links.
9. In the Actions when Inactive section, enable Update static route to disable static routes for inactive interfaces and
restore routes when interfaces recover.
10. Click OK.
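The Failures before inactive and Restore link after hysteresis above, together with the two-server order described at the start of this section (server 1 until it fails, then server 2 until it fails, then back to server 1), as an added Python model. This is not FortiOS code: probe outcomes are supplied by the caller as a dictionary so the model runs offline, and the `LinkHealth` class and the `server1`/`server2` names are assumptions of this example.

```python
"""Added illustrative model of the Link Status settings (not FortiOS code).

A member is declared inactive only after `failtime` consecutive failed probe
rounds and active again only after `recoverytime` consecutive successful
rounds, so a single lost probe cannot flap the link.  Server selection follows
the documented order: the first server is used until it fails, the second is
then used until it fails, after which the first is tried again.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LinkHealth:
    failtime: int = 5                 # "Failures before inactive" (default 5)
    recoverytime: int = 5             # "Restore link after" (default 5)
    servers: tuple = ("server1", "server2")
    active: bool = True
    in_use: int = 0                   # index of the server currently being probed
    consecutive_fail: int = 0
    consecutive_ok: int = 0
    transitions: list = field(default_factory=list)

    def pick_server(self, reachable: dict) -> Optional[str]:
        """Return the server this round counts against, or None if both are unreachable."""
        if reachable.get(self.servers[self.in_use], False):
            return self.servers[self.in_use]
        other = 1 - self.in_use
        if reachable.get(self.servers[other], False):
            self.in_use = other           # stay on the other server until it fails in turn
            return self.servers[other]
        return None

    def observe(self, reachable: dict) -> bool:
        """Feed one probe round ({server: reachable?}) and return the member's active state."""
        if self.pick_server(reachable) is not None:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if not self.active and self.consecutive_ok >= self.recoverytime:
                self.active = True
                self.transitions.append("up")
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.active and self.consecutive_fail >= self.failtime:
                self.active = False
                self.transitions.append("down")
        return self.active


def run_rounds(link: LinkHealth, rounds) -> list:
    """Apply a sequence of probe rounds and return the active state after each one."""
    return [link.observe(r) for r in rounds]


if __name__ == "__main__":
    both = {"server1": True, "server2": True}
    none = {"server1": False, "server2": False}
    link = LinkHealth(failtime=3, recoverytime=2)
    # Constructed sequence: three losses, then two successes.
    print(run_rounds(link, [none, none, none, both, both]), link.transitions)
```

Lowering failtime speeds up failover at the cost of more transitions on a lossy link; the alternating-loss case in the test shows that a link losing every other probe never trips a failtime of 3, which is the flapping protection the settings describe.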

To configure a link health monitor in the CLI:

config system sdwan
    config health-check
        edit "PingSLA"
            set addr-mode {ipv4 | ipv6}
            set server <server1_IP_address> <server2_IP_address>
            set protocol {ping | tcp-echo | udp-echo | http | twamp | dns | tcp-connect | ftp}
            set probe-timeout <integer>
            set probe-packets {enable | disable}
            set interval <integer>
            set failtime <integer>
            set recoverytime <integer>
            set update-static-route {enable | disable}
            set members <member_number> ... <member_number>
            config sla
                edit 1
                    set link-cost-factor {latency jitter packet-loss}
                    set latency-threshold <integer>
                    set jitter-threshold <integer>
                    set packetloss-threshold <integer>
                next
            end
        next
    end
end

Additional settings are available for some of the protocols:

Protocol   Additional options

http       port <port_number>
           http-get <url>
           http-match <response_string>

twamp      port <port_number>
           security mode {none | authentication}
           password <password>
           packet-size <size>

ftp        ftp {passive | port}
           ftp-file <path>

For more examples see Health check options on page 699.

Factory default health checks

There are six predefined performance SLA profiles for newly created VDOMs or factory reset FortiGate devices:
- AWS
- System DNS
- FortiGuard
- Gmail
- Google Search
- Office 365
You can view and configure the SLA profiles in Network > Performance SLA.

After configuring a health check, you will be able to view packet loss, latency, and jitter data for the SLA profiles. If a
value is colored red, it means that it failed to meet the SLA requirements.

To configure the performance SLA profiles in the CLI:

config health-check
    edit "Default_AWS"
        set server "aws.amazon.com"
        set protocol http
        set interval 1000
        set probe-timeout 1000
        set recoverytime 10
        config sla
            edit 1
                set latency-threshold 250
                set jitter-threshold 50
                set packetloss-threshold 5
            next
        end
    next
    edit "Default_DNS"
        set system-dns enable
        set interval 1000
        set probe-timeout 1000
        set recoverytime 10
        config sla
            edit 1
                set latency-threshold 250
                set jitter-threshold 50
                set packetloss-threshold 5
            next
        end
    next
    edit "Default_FortiGuard"
        set server "fortiguard.com"
        set protocol http
        set interval 1000
        set probe-timeout 1000
        set recoverytime 10
        config sla
            edit 1
                set latency-threshold 250
                set jitter-threshold 50
                set packetloss-threshold 5
            next
        end
    next
    edit "Default_Gmail"
        set server "gmail.com"
        set interval 1000
        set probe-timeout 1000
        set recoverytime 10
        config sla
            edit 1
                set latency-threshold 250
                set jitter-threshold 50
                set packetloss-threshold 2
            next
        end
    next
    edit "Default_Google Search"
        set server "www.google.com"
        set protocol http
        set interval 1000
        set probe-timeout 1000
        set recoverytime 10
        config sla
            edit 1
                set latency-threshold 250
                set jitter-threshold 50
                set packetloss-threshold 5
            next
        end
    next
    edit "Default_Office_365"
        set server "www.office.com"
        set protocol http
        set interval 1000
        set probe-timeout 1000
        set recoverytime 10
        config sla
            edit 1
                set latency-threshold 250
                set jitter-threshold 50
                set packetloss-threshold 5
            next
        end
    next
end

Health check options

Health checks include several protocols and protocol specific options.


The health check protocol options include:

ping          Use PING to test the link with the server.

tcp-echo      Use TCP echo to test the link with the server.

udp-echo      Use UDP echo to test the link with the server.

http          Use HTTP-GET to test the link with the server.

twamp         Use TWAMP to test the link with the server.

dns           Use a DNS query to test the link with the server.
              The FortiGate sends a DNS query for an A record and checks that the response matches the expected IP
              address.

tcp-connect   Use a full TCP connection to test the link with the server.
              The method used to measure the quality of the TCP connection can be:
              - half-open: FortiGate sends SYN and gets SYN-ACK. The latency is based on the round trip between
                SYN and SYN-ACK (default).
              - half-close: FortiGate sends FIN and gets FIN-ACK. The latency is based on the round trip between
                FIN and FIN-ACK.

ftp           Use FTP to test the link with the server.
              The FTP mode can be:
              - passive: The FTP health check initiates and establishes the data connection (default).
              - port: The FTP server initiates and establishes the data connection.

SD-WAN health checks can generate traffic that becomes quite high as deployments grow.
Please take this into consideration when setting DoS policy thresholds. For details on setting
DoS policy thresholds, refer to DoS protection on page 1169.

To use UDP-echo and TCP-echo as health checks:

config system sdwan
    set status enable
    config health-check
        edit "h4_udp1"
            set protocol udp-echo
            set port 7
            set server <server>
        next
        edit "h4_tcp1"
            set protocol tcp-echo
            set port 7
            set server <server>
        next
        edit "h6_udp1"
            set addr-mode ipv6
            set server "2032::12"
            set protocol udp-echo
            set port 7
        next
    end
end

To use DNS as a health check, and define the IP address that the response must match:

config system sdwan
    set status enable
    config health-check
        edit "h4_dns1"
            set protocol dns
            set dns-request-domain "ip41.forti2.com"
            set dns-match-ip 1.1.1.1
        next
        edit "h6_dns1"
            set addr-mode ipv6
            set server "2000::15.1.1.4"
            set protocol dns
            set port 53
            set dns-request-domain "ip61.xxx.com"
        next
    end
end

To use TCP Open (SYN/SYN-ACK) and TCP Close (FIN/FIN-ACK) to verify connections:

config system sdwan
    set status enable
    config health-check
        edit "h4_tcpconnect1"
            set protocol tcp-connect
            set port 443
            set quality-measured-method {half-open | half-close}
            set server <server>
        next
        edit "h6_tcpconnect1"
            set addr-mode ipv6
            set server "2032::13"
            set protocol tcp-connect
            set port 444
            set quality-measured-method {half-open | half-close}
        next
    end
end

To use active or passive mode FTP to verify connections:

config system sdwan
    set status enable
    config health-check
        edit "h4_ftp1"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "1.txt"
            set server <server>
        next
        edit "h6_ftp1"
            set addr-mode ipv6
            set server "2032::11"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "2.txt"
        next
    end
end

Link monitoring example

Performance SLA link monitoring measures the health of links that are connected to SD-WAN member interfaces by
sending probing signals through each link to a server and measuring the link quality based on latency, jitter, and packet
loss. If a link is broken, the routes on that link are removed, and traffic is routed through other links. When the link is
working again, the routes are re-enabled. This prevents traffic being sent to a broken link and lost.

In this example:
- Interfaces wan1 and wan2 connect to the internet through separate ISPs
- The detection server IP address is 208.91.114.182
A performance SLA is created so that, if one link fails, its routes are removed and traffic is detoured to the other link.

To configure a Performance SLA using the GUI:

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 679 for details.
2. Go to Network > Performance SLA.
3. Click Create New. The Performance SLA page opens.
4. Enter a name for the SLA and select a protocol.
5. In the Server field, enter the detection server IP address (208.91.114.182 in this example).
6. In the Participants field, select both wan1 and wan2.
7. Configure the remaining settings as needed, then click OK.

To configure a Performance SLA using the CLI:

config system sdwan
    config health-check
        edit "server"
            set server "208.91.114.182"
            set update-static-route enable
            set members 1 2
        next
    end
end

To diagnose the Performance SLA status:

FGT # diagnose sys sdwan health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0

SLA targets example

SLA targets are a set of constraints that are used in SD-WAN rules to control the paths that traffic takes.
The available constraints are:
- Latency threshold: Latency for the SLA to make a decision, in milliseconds (0 - 10000000, default = 5).
- Jitter threshold: Jitter for the SLA to make a decision, in milliseconds (0 - 10000000, default = 5).
- Packet loss threshold: Packet loss for the SLA to make a decision, in percentage (0 - 100, default = 0).

To configure Performance SLA targets using the GUI:

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 679 for details.
2. Go to Network > Performance SLA.
3. Create a new Performance SLA or edit an existing one. See Link monitoring example on page 702.
4. Enable SLA Targets and configure the constraints. To add multiple SLA targets, use the CLI.
5. Configure the remaining settings as needed, then click OK.

To configure Performance SLA targets using the CLI:

config system sdwan
    config health-check
        edit "server"
            set server "208.91.114.182"
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 10
                    set jitter-threshold 10
                    set packetloss-threshold 1
                next
            end
        next
    end
end

The link-cost-factor variable is used to select which constraints are enabled.

Health check packet DSCP marker support

SD-WAN health check probe packets support Differentiated Services Code Point (DSCP) markers for accurate
evaluation of the link performance for high priority applications by upstream devices.
When the SD-WAN health check packet is sent out, the DSCP can be set with a CLI command.

To mark health-check packets with DSCP:

config system sdwan
    config health-check
        edit <name>
            set diffservcode <6 bits binary, range 000000-111111>
        next
    end
end

Interface speedtest

An interface speedtest can be performed on WAN interfaces in the GUI. The results of the test can be added to the
interface's Estimated bandwidth. The estimated upstream and downstream bandwidths can be used in SD-WAN service
rules to determine the best link to use when either Maximize Bandwidth or Best Quality strategies are selected.
An SD-WAN Network Monitor license is required to use the speedtest. The License widget and the System > FortiGuard
page show license status.

To run an interface speedtest in the GUI:

1. Go to Network > Interfaces.
2. Edit a WAN interface. The interfaces can be grouped by role using the grouping dropdown on the right side of the
toolbar.
3. Click Execute speed test in the right pane.
4. When the test completes, click Apply results to estimated bandwidth.
The speedtest results are used to populate the Estimated bandwidth fields.
5. Click OK.

The FortiGate must be connected to FortiGuard, and able to reach either the AWS or Google
speedtest servers.

Monitor performance SLA

SD-WAN diagnostics can be used to help maintain your SD-WAN solution.

Monitoring SD-WAN link quality status

Link quality plays a significant role in link selection for SD-WAN. Investigate any prolonged issues with packet loss,
latency, or jitter to ensure that your network does not experience degraded performance or an outage.
You can monitor the link quality status of SD-WAN interface members at Network > Performance SLA.

The live charts show the packet loss, latency, or jitter for the selected health check. Hover the cursor over a line in the
chart to see the specific value for that interface at that specific time.

The table shows information about each health check, including the configured servers, link quality data, and thresholds.
The colored arrow indicates the status of the interface when the last status check was performed: green means that the
interface was active, and red means that the interface was inactive. Hover the cursor over the arrow for additional
information.

Monitoring system event logs

This feature adds an SD-WAN daemon function that keeps a short, 10-minute history of SLA results that can be viewed in the CLI.
Performance SLA results related to interface selection, session failover, and other information can be logged. These
logs can then be used for long-term monitoring of traffic issues at remote sites, and for reports and views in
FortiAnalyzer.
The time intervals at which Performance SLA fail and pass logs are generated can be configured.

To configure the fail and pass logs' generation time interval:

config system sdwan
    config health-check
        edit "PingSLA"
            set sla-fail-log-period 30
            set sla-pass-log-period 60
        next
    end
end

To view the 10 minute Performance SLA link status history:

FGDocs # diagnose sys sdwan sla-log PingSLA 1
Timestamp: Fri Sep 4 10:32:37 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 4.455, jitter: 0.430, packet loss: 0.000%.
Timestamp: Fri Sep 4 10:32:37 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 4.461, jitter: 0.436, packet loss: 0.000%.
Timestamp: Fri Sep 4 10:32:38 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 4.488, jitter: 0.415, packet loss: 0.000%.
...
Timestamp: Fri Sep 4 10:42:36 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 6.280, jitter: 0.302, packet loss: 0.000%.
Timestamp: Fri Sep 4 10:42:37 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 6.261, jitter: 0.257, packet loss: 0.000%.
Timestamp: Fri Sep 4 10:42:37 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 6.229, jitter: 0.245, packet loss: 0.000%.

SLA pass logs

The FortiGate generates Performance SLA logs at the specified pass log interval (sla-pass-log-period) when SLA
passes.
3: date=2019-02-28 time=11:53:26 logid="0100022925" type="event" subtype="system"
level="information" vd="root" eventtime=1551383604 logdesc="Link monitor SLA information"
name="ping" interface="R160" status="up" msg="Latency: 0.013, jitter: 0.001, packet loss:
0.000%, inbandwidth: 0Mbps, outbandwidth: 0Mbps, bibandwidth: 0Mbps, sla_map: 0x1"
7: date=2019-02-28 time=11:52:26 logid="0100022925" type="event" subtype="system"
level="information" vd="root" eventtime=1551383545 logdesc="Link monitor SLA information"
name="ping" interface="R160" status="up" msg="Latency: 0.013, jitter: 0.002, packet loss:
0.000%, inbandwidth: 0Mbps, outbandwidth: 0Mbps, bibandwidth: 0Mbps, sla_map: 0x1"

In the FortiAnalyzer GUI:

SLA fail logs

The FortiGate generates Performance SLA logs at the specified fail log interval (sla-fail-log-period) when SLA
fails.
6: date=2019-02-28 time=11:52:32 logid="0100022925" type="event" subtype="system"
level="notice" vd="root" eventtime=1551383552 logdesc="Link monitor SLA information"
name="ping" interface="R150" status="down" msg="Latency: 0.000, jitter: 0.000, packet loss:
100.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0"
8: date=2019-02-28 time=11:52:02 logid="0100022925" type="event" subtype="system"
level="notice" vd="root" eventtime=1551383522 logdesc="Link monitor SLA information"
name="ping" interface="R150" status="down" msg="Latency: 0.000, jitter: 0.000, packet loss:
100.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0"

In the FortiAnalyzer GUI:
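As an added example (not Fortinet code), the parser below reads the "Link monitor SLA information" event lines shown above (logid 0100022925), pulls the measurements out of the msg field, and summarises pass/fail state per interface so the logs can be checked outside FortiAnalyzer. The sample lines are copies of the four entries above; reading sla_map as a bitmask of met SLA target ids is an assumption inferred from the outputs on this page.

```python
import re
from typing import Dict, List, Optional

# key=value pairs: the value is either double-quoted (may contain spaces) or bare
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# measurements carried in the msg field of logid 0100022925
_MSG_RE = re.compile(
    r"Latency: (?P<latency>[\d.]+), jitter: (?P<jitter>[\d.]+), "
    r"packet loss: (?P<packet_loss>[\d.]+)%, inbandwidth: (?P<inbandwidth>\d+)Mbps, "
    r"outbandwidth: (?P<outbandwidth>\d+)Mbps, bibandwidth: (?P<bibandwidth>\d+)Mbps, "
    r"sla_map: 0x(?P<sla_map>[0-9a-fA-F]+)"
)
SLA_LOGID = "0100022925"


def parse_sla_log_line(line: str) -> Optional[dict]:
    """Return the fields of one SLA event log, or None for any other line."""
    line = re.sub(r"^\s*\d+:\s*", "", line.strip())  # drop the "3: " log viewer index
    fields = {k: (q or b) for k, q, b in _KV_RE.findall(line)}
    if fields.get("logid") != SLA_LOGID:
        return None
    m = _MSG_RE.search(fields.get("msg", ""))
    if m is None:
        return None
    return {
        "eventtime": int(fields["eventtime"]),
        "vd": fields["vd"],
        "health_check": fields["name"],
        "interface": fields["interface"],
        "status": fields["status"],  # "up" (pass log) or "down" (fail log)
        "level": fields["level"],    # "information" on pass, "notice" on fail
        "latency": float(m["latency"]),
        "jitter": float(m["jitter"]),
        "packet_loss": float(m["packet_loss"]),
        "inbandwidth": int(m["inbandwidth"]),
        "outbandwidth": int(m["outbandwidth"]),
        "bibandwidth": int(m["bibandwidth"]),
        "sla_map": int(m["sla_map"], 16),
    }


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per interface: latest status, pass/fail log counts and up/down transitions.

    Records are sorted by eventtime because log viewers list the newest first.
    """
    recs = sorted(filter(None, map(parse_sla_log_line, lines)), key=lambda r: r["eventtime"])
    out: Dict[str, dict] = {}
    for r in recs:
        s = out.setdefault(r["interface"], {
            "health_check": r["health_check"], "status": None,
            "pass_logs": 0, "fail_logs": 0, "transitions": 0, "sla_targets_met": [],
        })
        if s["status"] is not None and s["status"] != r["status"]:
            s["transitions"] += 1
        s["status"] = r["status"]
        s["fail_logs" if r["status"] == "down" else "pass_logs"] += 1
        # Assumed reading of sla_map: bit n set means SLA target id n+1 was met
        # (0x1 in the pass logs pairs with "sla_targets_met":[1] in the REST output).
        s["sla_targets_met"] = [i + 1 for i in range(8) if (r["sla_map"] >> i) & 1]
    return out


def alerts(summary: Dict[str, dict], flap_limit: int = 2) -> List[str]:
    """Interfaces to look at: currently down, or flapping between up and down."""
    return sorted(i for i, s in summary.items()
                  if s["status"] == "down" or s["transitions"] >= flap_limit)


# Constructed sample: the four log entries shown above, each joined onto one line.
SAMPLE_LOGS = [
    '3: date=2019-02-28 time=11:53:26 logid="0100022925" type="event" subtype="system" '
    'level="information" vd="root" eventtime=1551383604 logdesc="Link monitor SLA information" '
    'name="ping" interface="R160" status="up" msg="Latency: 0.013, jitter: 0.001, packet loss: '
    '0.000%, inbandwidth: 0Mbps, outbandwidth: 0Mbps, bibandwidth: 0Mbps, sla_map: 0x1"',
    '7: date=2019-02-28 time=11:52:26 logid="0100022925" type="event" subtype="system" '
    'level="information" vd="root" eventtime=1551383545 logdesc="Link monitor SLA information" '
    'name="ping" interface="R160" status="up" msg="Latency: 0.013, jitter: 0.002, packet loss: '
    '0.000%, inbandwidth: 0Mbps, outbandwidth: 0Mbps, bibandwidth: 0Mbps, sla_map: 0x1"',
    '6: date=2019-02-28 time=11:52:32 logid="0100022925" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1551383552 logdesc="Link monitor SLA information" '
    'name="ping" interface="R150" status="down" msg="Latency: 0.000, jitter: 0.000, packet loss: '
    '100.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0"',
    '8: date=2019-02-28 time=11:52:02 logid="0100022925" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1551383522 logdesc="Link monitor SLA information" '
    'name="ping" interface="R150" status="down" msg="Latency: 0.000, jitter: 0.000, packet loss: '
    '100.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0"',
]

if __name__ == "__main__":
    state = summarize(SAMPLE_LOGS)
    for name, s in state.items():
        print(name, s)
    print("alerts:", alerts(state))
```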


SLA monitoring using the REST API

SLA log information and interface SLA information can be monitored using the REST API. This feature is also used by
FortiManager as part of its detailed SLA monitoring and drill-down features.

Interface log command example:

https://172.172.172.9/api/v2/monitor/virtual-wan/interface-log
{
"http_method":"GET",
"results":[
{
"interface":"port13",
"logs":[
{
"timestamp":1547087168,
"tx_bandwidth":3447,
"rx_bandwidth":3457,
"bi_bandwidth":6904,
"tx_bytes":748875,
"rx_bytes":708799,
"egress_queue":[
]
},
{
"timestamp":1547087178,
"tx_bandwidth":3364,
"rx_bandwidth":3400,
"bi_bandwidth":6764,
"tx_bytes":753789,
"rx_bytes":712835,
"egress_queue":[
]
},
....
....

SLA log command example:

https://172.172.172.9/api/v2/monitor/virtual-wan/sla-log
{
"http_method":"GET",
"results":[
{
"name":"ping",
"interface":"spoke11-p1",
"logs":[
{
"timestamp":1614813142,
"link":"up",
"latency":0.13763333857059479,
"jitter":0.02996666356921196,
"packetloss":0
},

"child_intfs":{
"spoke11-p1_0":[
{
"timestamp":1614813142,
"link":"up",
"latency":0.12413334846496582,
"jitter":0.028366668149828911,
"packetloss":0
},

{
"name":"ping",
"interface":"spoke12-p1",
"logs":[
{
"timestamp":1614813143,
"link":"up",
"latency":0.11373332887887955,
"jitter":0.023099998012185097,
"packetloss":0
},

"child_intfs":{
"spoke12-p1_0":[
{
"timestamp":1614813143,
"link":"up",
"latency":0.0930333212018013,
"jitter":0.011033335700631142,
"packetloss":0
},
....
....

Health check command example:

https://172.172.172.9/api/v2/monitor/virtual-wan/health-check
{
"http_method":"GET",
"results":{
"ping":{
"spoke11-p1":{
"status":"up",
"latency":0.13406667113304138,
"jitter":0.023000005632638931,
"packet_loss":0,
"packet_sent":29722,
"packet_received":29718,
"sla_targets_met":[
1
],
"session":2,
"tx_bandwidth":1353,
"rx_bandwidth":1536,
"state_changed":1614798274,
"child_intfs":{

"spoke11-p1_0":{
"status":"up",
"latency":0.12929999828338623,
"jitter":0.028200000524520874,
"packet_loss":0,
"packet_sent":29626,
"packet_received":29625,
"sla_targets_met":[
1
],
"session":0,
"tx_bandwidth":2608,
"rx_bandwidth":1491,
"state_changed":0
}
}
},
"spoke12-p1":{
"status":"up",
"latency":0.11356667429208755,
"jitter":0.015699999406933784,
"packet_loss":0,
"packet_sent":29722,
"packet_received":29717,
"sla_targets_met":[
1
],
"session":2,
"tx_bandwidth":1353,
"rx_bandwidth":1536,
"state_changed":1614798274,
"child_intfs":{
"spoke12-p1_0":{
"status":"up",
"latency":0.095466658473014832,
"jitter":0.0092999991029500961,
"packet_loss":0,
"packet_sent":29687,
"packet_received":29686,
"sla_targets_met":[
1
],
"session":0,
"tx_bandwidth":1309,
"rx_bandwidth":2553,
"state_changed":0
}
}
}
}
},
....
....

CLI diagnose commands:

# diagnose sys sdwan intf-sla-log port13
Timestamp: Wed Jan 9 18:33:49 2019, used inbandwidth: 3208bps, used outbandwidth:
3453bps, used bibandwidth: 6661bps, tx bytes: 947234bytes, rx bytes: 898622bytes.
Timestamp: Wed Jan 9 18:33:59 2019, used inbandwidth: 3317bps, used outbandwidth:
3450bps, used bibandwidth: 6767bps, tx bytes: 951284bytes, rx bytes: 902937bytes.
Timestamp: Wed Jan 9 18:34:09 2019, used inbandwidth: 3302bps, used outbandwidth:
3389bps, used bibandwidth: 6691bps, tx bytes: 956268bytes, rx bytes: 907114bytes.
Timestamp: Wed Jan 9 18:34:19 2019, used inbandwidth: 3279bps, used outbandwidth:
3352bps, used bibandwidth: 6631bps, tx bytes: 958920bytes, rx bytes: 910793bytes.
Timestamp: Wed Jan 9 18:34:29 2019, used inbandwidth: 3233bps, used outbandwidth:
3371bps, used bibandwidth: 6604bps, tx bytes: 964374bytes, rx bytes: 914854bytes.
Timestamp: Wed Jan 9 18:34:39 2019, used inbandwidth: 3235bps, used outbandwidth:
3362bps, used bibandwidth: 6597bps, tx bytes: 968250bytes, rx bytes: 918846bytes.
Timestamp: Wed Jan 9 18:34:49 2019, used inbandwidth: 3165bps, used outbandwidth:
3362bps, used bibandwidth: 6527bps, tx bytes: 972298bytes, rx bytes: 922724bytes.
Timestamp: Wed Jan 9 18:34:59 2019, used inbandwidth: 3184bps, used outbandwidth:
3362bps, used bibandwidth: 6546bps, tx bytes: 977282bytes, rx bytes: 927019bytes.
# diagnose sys sdwan sla-log ping 1 spoke11-p1_0
Timestamp: Wed Mar 3 15:35:20 2021, vdom root, health-check ping, interface: spoke11-
p1_0, status: up, latency: 0.135, jitter: 0.029, packet loss: 0.000%.

# diagnose sys sdwan sla-log ping 2 spoke12-p1_0
Timestamp: Wed Mar 3 15:36:08 2021, vdom root, health-check ping, interface: spoke12-
p1_0, status: up, latency: 0.095, jitter: 0.010, packet loss: 0.000%.
# diagnose sys sdwan health-check
Health Check(ping):
Seq(1 spoke11-p1): state(alive), packet-loss(0.000%) latency(0.156), jitter(0.043) sla_
map=0x1
Seq(1 spoke11-p1_0): state(alive), packet-loss(0.000%) latency(0.128), jitter(0.024)
sla_map=0x1
Seq(2 spoke12-p1): state(alive), packet-loss(0.000%) latency(0.125), jitter(0.028) sla_
map=0x1
Seq(2 spoke12-p1_0): state(alive), packet-loss(0.000%) latency(0.093), jitter(0.008)
sla_map=0x1

SD-WAN rules

The following topics provide instructions on configuring SD-WAN rules:


• Implicit rule on page 714
• Best quality strategy on page 718
• Lowest cost (SLA) strategy on page 721
• Maximize bandwidth (SLA) strategy on page 724
• Minimum number of links for a rule to take effect on page 727
• Use MAC addresses in SD-WAN rules and policy routes on page 728
• SD-WAN traffic shaping and QoS on page 729
• SDN dynamic connector addresses in SD-WAN rules on page 734
• Application steering using SD-WAN rules on page 737
• DSCP tag-based traffic steering in SD-WAN on page 748

Implicit rule

SD-WAN rules define specific policy routing options to route traffic to an SD-WAN member. When no explicit SD-WAN
rules are defined, or if none of the rules are matched, then the default implicit rule is used.
In an SD-WAN configuration, the default route usually points to the SD-WAN interface, so each active member's
gateway is added to the routing table's default route. FortiOS uses equal-cost multipath (ECMP) to balance traffic
between the interfaces. One of five load balancing algorithms can be selected:

Source IP (source-ip-based): Traffic is divided equally between the interfaces, including the SD-WAN interface.
Sessions that start at the same source IP address use the same path. This is the default selection.

Sessions (weight-based): The workload is distributed based on the number of sessions that are connected through the
interface. The weight that you assign to each interface is used to calculate the percentage of the total sessions that
are allowed to connect through an interface, and the sessions are distributed to the interfaces accordingly. Sessions
with the same source and destination IP addresses (src-ip and dst-ip) are forwarded to the same path, but are still
considered in later session ratio calculations. An interface's weight value cannot be zero.

Spillover (usage-based): The interface is used until the traffic bandwidth exceeds the ingress and egress thresholds
that you set for that interface. Additional traffic is then sent through the next SD-WAN interface member.

Source-Destination IP (source-dest-ip-based): Traffic is divided equally between the interfaces. Sessions that start at
the same source IP address and go to the same destination IP address use the same path.

Volume (measured-volume-based): The workload is distributed based on the number of packets that are going through
the interface. The volume weight that you assign to each interface is used to calculate the percentage of the total
bandwidth that is allowed to go through an interface, and the bandwidth is distributed to the interfaces accordingly.
An interface's volume value cannot be zero.

You cannot exclude an interface from participating in load balancing using the implicit rule. If
the weight or volume were set to zero in a previous FortiOS version, the value is treated as a
one.
Interfaces with static routes can be excluded from ECMP if they are configured with a lower
priority than other static routes.

Examples

The following four examples demonstrate how to use the implicit rules (load-balance mode).


If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

Example 1

Outgoing traffic is equally balanced between wan1 and wan2, using source-ip-based or source-dest-ip-based mode.

Using the GUI:

1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN quick start on page 679 for details.
2. Go to Network > SD-WAN Rules.
3. Edit the sd-wan rule (the last default rule).
4. For the Load Balancing Algorithm, select either Source IP or Source-Destination IP.
5. Click OK.

Using the CLI:

1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN quick start on page 679 for details.
2. Set the load balancing algorithm:
   Source IP based:
   config system sdwan
       set load-balance-mode source-ip-based
   end
   Source-Destination IP based:
   config system sdwan
       set load-balance-mode source-dest-ip-based
   end

Example 2

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using weight-based mode: wan1 runs 80%
of the sessions, and wan2 runs 20% of the sessions.
Sessions with the same source and destination IP addresses (src-ip and dst-ip) will be forwarded to the same
path, but will still be considered in later session ratio calculations.

Using the GUI:

1. Go to Network > SD-WAN Rules.
2. Edit the sd-wan rule (the last default rule).
3. For the Load Balancing Algorithm, select Sessions.
4. Enter 80 in the wan1 field, and 20 in the wan2 field.
5. Click OK.

Using the CLI:

config system sdwan
    set load-balance-mode weight-based
    config members
        edit 1
            set interface "wan1"
            set weight 80
        next
        edit 2
            set interface "wan2"
            set weight 20
        next
    end
end

Example 3

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using measured-volume-based mode:
wan1 runs 80% of the volume, and wan2 runs 20% of the volume.


Using the GUI:

1. Go to Network > SD-WAN Rules.
2. Edit the sd-wan rule (the last default rule).
3. For the Load Balancing Algorithm, select Volume.
4. Enter 80 in the wan1 field, and 20 in the wan2 field.
5. Click OK.

Using the CLI:

config system sdwan
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set volume-ratio 80
        next
        edit 2
            set interface "wan2"
            set volume-ratio 20
        next
    end
end

Example 4

Load balancing can be used to reduce costs when internet connections are charged at different rates. For example, if
wan2 charges based on volume usage and wan1 charges a fixed monthly fee, we can use wan1 at its maximum
bandwidth, and use wan2 for overflow.
In this example, wan1's bandwidth is 10Mbps down and 2Mbps up. Traffic will use wan1 until it reaches its spillover limit,
then it will start to use wan2. Note that auto-asic-offload must be disabled in the firewall policy.

Using the GUI:

1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See SD-WAN quick start on page 679 for details.
2. Go to Network > SD-WAN Rules.
3. Edit the sd-wan rule (the last default rule).
4. For the Load Balancing Algorithm, select Spillover.
5. Enter 10000 in the wan1 Ingress Spillover Threshold field, and 2000 in the wan1 Egress Spillover Threshold field.
6. Click OK.

Using the CLI:

config system sdwan
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "wan1"
            set spillover-threshold 2000
            set ingress-spillover-threshold 10000
        next
    end
end

Best quality strategy

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of
five modes:
• auto: Interfaces are assigned a priority based on quality.
• Manual (manual): Interfaces are manually assigned a priority.
• Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface.
• Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See Lowest cost (SLA) strategy on page 721.
• Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See Maximize bandwidth (SLA) strategy on page 724.
When using Best Quality mode, SD-WAN will choose the best link to forward traffic by comparing the link-cost-factor,
selected from one of the following:

GUI (CLI): Description

Latency (latency): Select a link based on latency.
Jitter (jitter): Select a link based on jitter.
Packet Loss (packet-loss): Select a link based on packet loss.
Downstream (inbandwidth): Select a link based on available bandwidth of incoming traffic.
Upstream (outbandwidth): Select a link based on available bandwidth of outgoing traffic.
Bandwidth (bibandwidth): Select a link based on available bandwidth of bidirectional traffic.
Customized profile (custom-profile-1): Select a link based on a customized profile. If selected, set the following weights:
  • packet-loss-weight: Coefficient of packet loss.
  • latency-weight: Coefficient of latency.
  • jitter-weight: Coefficient of jitter.
  • bandwidth-weight: Coefficient of the reciprocal of available bidirectional bandwidth.

If the Downstream (inbandwidth), Upstream (outbandwidth), or Bandwidth (bibandwidth) quality criterion is used,
the FortiGate will compare the bandwidth based on the configured upstream and downstream bandwidth values.
The interface speedtest can be used to populate the bandwidth values based on the speedtest results. See Interface
speedtest on page 705 for details.

To manually configure the upstream and downstream bandwidth values:

config system interface
    edit <interface>
        set estimated-upstream-bandwidth <speed in kbps>
        set estimated-downstream-bandwidth <speed in kbps>
    next
end

Example

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet, and you
want Gmail services to use the link with the least latency.

To configure an SD-WAN rule to use Best Quality:

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 679 for details.
2. Create a new Performance SLA named google. See Link monitoring example on page 702.
3. Go to Network > SD-WAN Rules.
4. Click Create New. The Priority Rule page opens.
5. Enter a name for the rule, such as gmail.
6. Configure the following settings:

Field: Setting

Internet Service: Google-Gmail
Strategy: Best Quality
Interface preference: wan1 and wan2
Measured SLA: google (created in step 2).
Quality criteria: Latency

7. Click OK to create the rule.

To configure an SD-WAN rule to use priority:

config system sdwan
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode priority
            set internet-service enable
            set internet-service-id 65646
            set health-check "google"
            set link-cost-factor latency
            set priority-members 1 2
        next
    end
end

To diagnose the Performance SLA status:

FGT # diagnose sys sdwan health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys sdwan service 1
Service(1):
TOS(0x0/0x0), protocol(0: 1->65535), Mode(priority), link-cost-facotr(latency), link-cost-threshold(10), health-check(google) Members:
1: Seq_num(2), alive, latency: 12.633, selected
2: Seq_num(1), alive, latency: 14.563, selected
Internet Service: Google-Gmail(65646)

As wan2 has a smaller latency, SD-WAN will put Seq_num(2) on top of Seq_num(1) and wan2 will be used to forward
Gmail traffic.

Lowest cost (SLA) strategy

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of
five modes:
• auto: Interfaces are assigned a priority based on quality.
• Manual (manual): Interfaces are manually assigned a priority.
• Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface. See Best quality strategy on page 718.
• Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings.
• Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See Maximize bandwidth (SLA) strategy on page 724.
When using Lowest Cost (SLA) mode (sla in the CLI), SD-WAN will choose the lowest cost link that satisfies the SLA to
forward traffic. The lowest possible cost is 0. If multiple eligible links have the same cost, the Interface preference order
will be used to select a link.


In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. The
cost of wan2 is less than that of wan1. You want to configure Gmail services to use the lowest cost interface, but the link
quality must meet a standard of latency: 10ms, and jitter: 5ms.

To configure an SD-WAN rule to use Lowest Cost (SLA):

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 679 for details.
2. Create a new Performance SLA named google that includes an SLA Target with Latency threshold = 10ms and
Jitter threshold = 5ms. See Link monitoring example on page 702.
3. Go to Network > SD-WAN Rules.
4. Click Create New. The Priority Rule page opens.
5. Enter a name for the rule, such as gmail.
6. Configure the following settings:

Field: Setting

Internet Service: Google-Gmail
Strategy: Lowest Cost (SLA)
Interface preference: wan1 and wan2
Required SLA target: google (created in step 2).

7. Click OK to create the rule.

To configure an SD-WAN rule to use SLA:

config system sdwan
    config members
        edit 1
            set interface "wan1"
            set cost 10
        next
        edit 2
            set interface "wan2"
            set cost 5
        next
    end
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode sla
            set internet-service enable
            set internet-service-id 65646
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.


To diagnose the Performance SLA status:

FGT # diagnose sys sdwan health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys sdwan service 1
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
Members:
1: Seq_num(2), alive, sla(0x1), cfg_order(1), selected
2: Seq_num(1), alive, sla(0x1), cfg_order(0), selected
Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic will only use wan2. If only wan1 meets the SLA
requirements, Gmail traffic will only use wan1, even though it has a higher cost. If neither interface meets the
requirements, wan2 will be used.
If both interfaces had the same cost and both met the SLA requirements, the first link configured in set priority-members
would be used.

Maximize bandwidth (SLA) strategy

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of
five modes:
• auto: Interfaces are assigned a priority based on quality.
• Manual (manual): Interfaces are manually assigned a priority.
• Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface. See Best quality strategy on page 718.
• Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See Lowest cost (SLA) strategy on page 721.
• Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm.
When using Maximize Bandwidth mode (load-balance in the CLI), SD-WAN will choose all of the links that satisfy the
SLA to forward traffic based on a load balancing algorithm. The load balancing algorithm, or hash method, can be one of
the following:

round-robin: Traffic is distributed to the selected interfaces in equal portions and circular order. This is the default method, and the only option available when using the GUI.
source-ip-based: All traffic from a source IP is sent to the same interface.
source-dest-ip-based: All traffic from a source IP to a destination IP is sent to the same interface.
inbandwidth: Traffic is distributed to the selected interface with the most available bandwidth for incoming traffic.
outbandwidth: Traffic is distributed to the selected interface with the most available bandwidth for outgoing traffic.
bibandwidth: Traffic is distributed to the selected interface with the most available bandwidth for both incoming and outgoing traffic.

When the inbandwidth, outbandwidth, or bibandwidth load balancing algorithm is used, the FortiGate will
compare the bandwidth based on the configured upstream and downstream bandwidth values.
The interface speedtest can be used to populate the bandwidth values based on the speedtest results. See Interface
speedtest on page 705 for details.

To manually configure the upstream and downstream bandwidth values:

config system interface
    edit <interface>
        set estimated-upstream-bandwidth <speed in kbps>
        set estimated-downstream-bandwidth <speed in kbps>
    next
end

ADVPN is not supported in this mode.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. You
want to configure Gmail services to use both of the interfaces, but the link quality must meet a standard of latency: 10ms,
and jitter: 5ms. This maximizes the bandwidth usage.

To configure an SD-WAN rule to use Maximize Bandwidth (SLA):

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 679 for details.
2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and
Jitter threshold = 5ms. See Link monitoring example on page 702.
3. Go to Network > SD-WAN Rules.
4. Click Create New. The Priority Rule page opens.
5. Enter a name for the rule, such as gmail.
6. Configure the following settings:

Field: Setting

Internet Service: Google-Gmail
Strategy: Maximize Bandwidth (SLA)
Interface preference: wan1 and wan2
Required SLA target: google (created in step 2).

7. Click OK to create the rule.

To configure an SD-WAN rule to use SLA:

config system sdwan
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set addr-mode ipv4
            set mode load-balance
            set hash-mode round-robin
            set internet-service enable
            set internet-service-name Google-Gmail
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

To diagnose the performance SLA status:

FGT # diagnose sys sdwan health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys sdwan service 1
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)
Members:
1: Seq_num(1), alive, sla(0x1), num of pass(1), selected
2: Seq_num(2), alive, sla(0x1), num of pass(1), selected
Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic will use both wan1 and wan2. If only one of the
interfaces meets the SLA requirements, Gmail traffic will only use that interface.
If neither interface meets the requirements but health-check is still alive, then wan1 and wan2 tie. The traffic will try to
balance between wan1 and wan2, using both interfaces to forward traffic.

Minimum number of links for a rule to take effect

In sla and load-balance modes, you can specify the number of links that must be up for the rule to take effect.

Example

In this example, ports 1 to 4 each have 10Mbps of bandwidth, and port 5 has 50Mbps. An application requires 35Mbps of
bandwidth, so the SD-WAN rule balances the traffic between ports 1 to 4. If one of the links goes down, all of the traffic
must be passed to port 5, so the minimum required number of links is 4.

To set the minimum number of links in a rule:

config system sdwan
    config service
        edit 1
            set mode load-balance
            set minimum-sla-meet-members 4
            set dst <destination>
            config sla
                edit <sla>
                    set id <id>
                next
            end
            set priority-members 1 2 3 4
        next
    end
end
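The three selection strategies described above (Best Quality, Lowest Cost (SLA), Maximize Bandwidth (SLA)) and the minimum-sla-meet-members check can be modelled in a few lines. This is an added example, not Fortinet code: the health data mirrors the per-interface fields of the /api/v2/monitor/virtual-wan/health-check output shown earlier, and the selection logic is my reading of the text (tie-breaking on priority-members order, applying the minimum-links count to the eligible members, bandwidth link-cost-factors left out), not FortiOS's implementation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Member:
    seq: int            # config members / edit <seq>
    interface: str      # set interface "<name>"
    cost: int = 0       # set cost <n>, only consulted in sla mode


@dataclass(frozen=True)
class SlaTarget:
    # config health-check / config sla / edit 1 / set *-threshold; None = not configured
    latency_threshold: Optional[float] = None     # ms
    jitter_threshold: Optional[float] = None      # ms
    packetloss_threshold: Optional[float] = None  # percent


# link-cost-factor values handled here (a lower measurement is better); the
# bandwidth factors would need the estimated-bandwidth settings and are omitted.
_FACTOR_KEY = {"latency": "latency", "jitter": "jitter", "packet-loss": "packet_loss"}


def meets_sla(probe: dict, target: SlaTarget) -> bool:
    """True when an alive member is inside every configured threshold."""
    if probe.get("status") != "up":
        return False
    limits = (
        (target.latency_threshold, probe["latency"]),
        (target.jitter_threshold, probe["jitter"]),
        (target.packetloss_threshold, probe["packet_loss"]),
    )
    return all(limit is None or value <= limit for limit, value in limits)


def select_members(mode: str, priority_members: List[Member], health: Dict[str, dict],
                   target: Optional[SlaTarget] = None, link_cost_factor: str = "latency",
                   minimum_sla_meet_members: int = 1) -> List[str]:
    """Interfaces the rule would forward on, best first.

    An empty list means the rule does not take effect (fewer eligible links
    than minimum-sla-meet-members) and traffic falls through to later rules.
    """
    # cfg_order: position in "set priority-members", used to break ties
    order = {m.interface: i for i, m in enumerate(priority_members)}
    alive = [m for m in priority_members
             if health.get(m.interface, {}).get("status") == "up"]

    if mode == "priority":
        # Best Quality: rank alive members by the chosen link-cost-factor
        key = _FACTOR_KEY[link_cost_factor]
        ranked = sorted(alive, key=lambda m: (health[m.interface][key], order[m.interface]))
        return [m.interface for m in ranked]

    if target is None:
        raise ValueError("sla and load-balance modes need an SLA target")
    passing = [m for m in alive if meets_sla(health[m.interface], target)]
    # No member meets the SLA but links are alive: they tie and all stay eligible
    # (the "neither interface meets the requirements" case described above).
    eligible = passing or alive
    if len(eligible) < minimum_sla_meet_members:
        return []
    if mode == "sla":
        # Lowest Cost (SLA): cheapest eligible link first, then configuration order
        ranked = sorted(eligible, key=lambda m: (m.cost, order[m.interface]))
        return [m.interface for m in ranked]
    if mode == "load-balance":
        # Maximize Bandwidth (SLA): every eligible link shares the traffic
        return [m.interface for m in eligible]
    raise ValueError(f"unsupported mode {mode!r}")


# Constructed sample using the figures from the diagnose output above:
# Seq(1)=wan1 latency 14.563 / jitter 4.334, Seq(2)=wan2 latency 12.633 / jitter 6.265.
PAGE_HEALTH = {
    "wan1": {"status": "up", "latency": 14.563, "jitter": 4.334, "packet_loss": 0.0},
    "wan2": {"status": "up", "latency": 12.633, "jitter": 6.265, "packet_loss": 0.0},
}
PAGE_MEMBERS = [Member(1, "wan1", cost=10), Member(2, "wan2", cost=5)]
GOOGLE_SLA = SlaTarget(latency_threshold=10, jitter_threshold=5)

if __name__ == "__main__":
    for mode in ("priority", "sla", "load-balance"):
        print(mode, select_members(mode, PAGE_MEMBERS, PAGE_HEALTH, GOOGLE_SLA))
```

With the page's numbers neither link meets the 10ms/5ms target, so priority mode ranks wan2 first on latency, sla mode falls back to the cheaper wan2, and load-balance mode ties and uses both, matching the three outcomes the text describes.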

Use MAC addresses in SD-WAN rules and policy routes

You can use MAC addresses as the source in SD-WAN rules and policy routes.
The FABRIC_DEVICE address object (a dynamic object that includes the IPs of Security Fabric devices) can be used as
a source or destination in SD-WAN rules and policy routes.
The diagnose ip proute match command accepts either the IP or MAC address format for the source:
diagnose ip proute match <destination> <source> <interface> <protocol> <port>

To configure a MAC address as a source for SD-WAN and a policy route:

1. Configure the MAC address:
   config firewall address
       edit "mac-add"
           set type mac
           set start-mac 70:4c:a5:86:de:56
           set end-mac 70:4c:a5:86:de:56
       next
   end
2. Configure the policy route:
   config router policy
       edit 3
           set srcaddr "mac-add"
           set gateway 15.1.1.34
           set output-device ha
       next
   end
3. Configure the SD-WAN rule:
   config system sdwan
       config service
           edit 1
               set dst "all"
               set src "mac-add"
               set priority-members 1
           next
           edit 2
               set dst "FABRIC_DEVICE"
               set priority-members 2
           next
       end
   end


To verify the policy route matching for a MAC address:

# diagnose ip proute match 3.1.1.34 70:4c:a5:86:de:56 port3 22 6
dst=3.1.1.34 src=0.0.0.0 smac=70:4c:a5:86:de:56 iif=11 protocol=22 dport=6
id=00000003 type=Policy Route
seq-num=3

SD-WAN traffic shaping and QoS

Use a traffic shaper in a firewall shaping policy to control traffic flow. You can use it to control maximum and guaranteed
bandwidth, or put certain traffic to one of the three different traffic priorities: high, medium, or low.
An advanced shaping policy can classify traffic into 30 groups. Use a shaping profile to define the percentage of the
interface bandwidth that is allocated to each group. Each group of traffic is shaped to the assigned speed limit based on
the outgoing bandwidth limit configured on the interface.
For more information, see Traffic shaping on page 1237.

Sample topology

Sample configuration

This example shows a typical customer usage where the customer's SD-WAN uses the default zone and has two
members, wan1 and wan2, each set to 10Mb/s.
An overview of the procedures to configure SD-WAN traffic shaping and QoS:
1. Give HTTP/HTTPS traffic high priority and FTP low priority, so that when the link is congested the FortiGate forwards HTTP/HTTPS traffic first.
2. Even though FTP has low priority, give it a 1 Mb/s guaranteed bandwidth on each SD-WAN member. When there is no FTP traffic, other traffic can use all of the bandwidth; under heavy FTP load, FTP is still guaranteed 1 Mb/s.
3. Traffic to specific destinations, such as a VoIP server, is forwarded on wan1 and marked with the Expedited Forwarding (EF) DSCP tag 101110.


To configure SD-WAN traffic shaping and QoS in the GUI:

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route.
See SD-WAN quick start on page 679.
2. Add a firewall policy with Application Control enabled. See Configuring firewall policies for SD-WAN on page 682.
3. Go to Policy & Objects > Traffic Shapers and edit low-priority.
a. Enable Guaranteed Bandwidth and set it to 1000 kbps.
4. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
a. Name the traffic shaping policy, for example, HTTP-HTTPS.
b. Set the following:

Source all

Destination all

Service HTTP and HTTPS

Outgoing virtual-wan-link

Shared Shaper Enable and set to high-priority

Reverse Shaper Enable and set to high-priority

c. Click OK.
5. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
a. Name the traffic shaping policy, for example, FTP.
b. Set the following:

Source all

Destination all

Service FTP, FTP_GET, and FTP_PUT

Outgoing virtual-wan-link

Shared Shaper Enable and set to low-priority

Reverse Shaper Enable and set to low-priority

c. Click OK.
6. Go to Network > SD-WAN Rules and click Create New.
a. Enter a name for the rule, such as Internet.
b. In the Destination section, click Address and select the VoIP server that you created in the firewall address.
c. Under Outgoing Interfaces select Manual.
d. For Interface preference select wan1.
e. Click OK.
7. Use CLI commands to modify DSCP settings. See the DSCP CLI commands below.

To configure the firewall policy using the CLI:

config firewall policy
edit 1
set name "1"
set srcintf "dmz"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set application-list "default"
set nat enable
next
end

To configure the firewall traffic shaper priority using the CLI:

config firewall shaper traffic-shaper


edit "high-priority"
set maximum-bandwidth 1048576
set per-policy enable
next
edit "low-priority"
set guaranteed-bandwidth 1000
set maximum-bandwidth 1048576
set priority low
set per-policy enable
next
end

To configure the firewall traffic shaping policy using the CLI:

config firewall shaping-policy


edit 1
set name "http-https"
set service "HTTP" "HTTPS"
set dstintf "virtual-wan-link"
set traffic-shaper "high-priority"
set traffic-shaper-reverse "high-priority"
set srcaddr "all"
set dstaddr "all"
next
edit 2
set name "FTP"
set service "FTP" "FTP_GET" "FTP_PUT"
set dstintf "virtual-wan-link"
set traffic-shaper "low-priority"
set traffic-shaper-reverse "low-priority"
set srcaddr "all"
set dstaddr "all"
next
end

To configure SD-WAN traffic shaping and QoS in the CLI:

config system sdwan


set status enable


config members
edit 1
set interface "wan1"
set gateway 172.16.20.2
next
edit 2
set interface "wan2"
set gateway 10.100.20.2
next
end
config service
edit 1
set name "SIP"
set priority-members 1
set dst "voip-server"
set dscp-forward enable
set dscp-forward-tag 101110
next
end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To use the diagnose command to check if specific traffic is attached to the correct traffic shaper:

# diagnose firewall iprope list 100015

policy index=1 uuid_idx=0 action=accept


flag (0):
shapers: orig=high-priority(2/0/134217728) reply=high-priority(2/0/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(2):
[6:0x0:0/(1,65535)->(80,80)] helper:auto
[6:0x0:0/(1,65535)->(443,443)] helper:auto

policy index=2 uuid_idx=0 action=accept


flag (0):
shapers: orig=low-priority(4/128000/134217728) reply=low-priority(4/128000/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(3):
[6:0x0:0/(1,65535)->(21,21)] helper:auto
[6:0x0:0/(1,65535)->(21,21)] helper:auto
[6:0x0:0/(1,65535)->(21,21)] helper:auto

To use the diagnose command to check if the correct traffic shaper is applied to the session:

# diagnose sys session list


session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=low-priority prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B
reply-shaper=
per_ip_shaper=
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
state=may_dirty npu npd os mif route_preserve
statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4
serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0,
vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper
total session 1

To use the diagnose command to check the status of a shared traffic shaper:

# diagnose firewall shaper traffic-shaper list

name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
tos ff
packets dropped 0
bytes dropped 0

name high-priority
maximum-bandwidth 131072 KB/sec

guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
policy 1
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
policy 2
tos ff
packets dropped 0
bytes dropped 0
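The units differ between the configuration and the two diagnostic outputs above: the shaper is configured in kbps (with 1 kbps = 1024 bit/s, which is why 1000 kbps appears as 128000 B/s and 125 KB/sec), `diagnose firewall iprope list` prints name(priority/guaranteed/maximum) in bytes per second, and `diagnose firewall shaper traffic-shaper list` prints KB/sec. The following Python script is an added example, not FortiOS code and not part of this guide. It parses both outputs (embedded here as constructed sample text copied from the output above) and checks them against the configured shaper values. The priority numbers high = 2 and low = 4 are taken from the output above; medium = 3 is an assumption.

```python
"""Cross-check a FortiOS traffic-shaper configuration against the units shown
by `diagnose firewall iprope list` and `diagnose firewall shaper traffic-shaper list`.

Added example, not FortiOS code. Assumptions, all taken from the outputs in
this guide unless marked: config values are kbps with 1 kbps = 1024 bit/s
(so 1 kbps = 128 byte/s); iprope prints name(priority/guaranteed_Bps/max_Bps);
the shaper list prints bandwidth in KB/sec (1 KB = 1024 bytes).
"""
import re

# high = 2 and low = 4 are visible in the diagnose output; medium = 3 is assumed.
PRIORITY_NUM = {"high": 2, "medium": 3, "low": 4}

IPROPE_SHAPER_RE = re.compile(r"(orig|reply)=(\S+?)\((\d+)/(\d+)/(\d+)\)")


def kbps_to_bytes_per_sec(kbps: int) -> int:
    """FortiOS shaper kbps -> bytes per second (1 kbps = 1024 bit/s)."""
    return kbps * 1024 // 8


def parse_iprope_shapers(line: str) -> dict:
    """Parse 'shapers: orig=low-priority(4/128000/134217728) reply=...'."""
    out = {}
    for direction, name, prio, guaranteed, maximum in IPROPE_SHAPER_RE.findall(line):
        out[direction] = {"name": name, "priority": int(prio),
                          "guaranteed_Bps": int(guaranteed), "maximum_Bps": int(maximum)}
    return out


def parse_shaper_list(text: str) -> list:
    """Parse the 'name ...' blocks of `diagnose firewall shaper traffic-shaper list`.
    Numeric fields are stored as int (the unit suffix is dropped)."""
    shapers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "name":
            cur = {"name": value.strip()}
            shapers.append(cur)
        elif cur is not None:
            num = re.search(r"(\d+)", value)
            cur[key] = int(num.group(1)) if num else value.strip()
    return shapers


def check_shaper(cfg_name: str, cfg: dict, iprope: dict, listed: dict) -> list:
    """Compare one shaper as seen by iprope and by the shaper list against its
    configuration. Returns a list of mismatch descriptions (empty == consistent)."""
    exp_g = kbps_to_bytes_per_sec(cfg.get("guaranteed-bandwidth", 0))
    exp_m = kbps_to_bytes_per_sec(cfg["maximum-bandwidth"])
    exp_p = PRIORITY_NUM[cfg.get("priority", "high")]  # FortiOS default priority is high
    checks = [
        ("iprope priority", iprope["priority"], exp_p),
        ("iprope guaranteed B/s", iprope["guaranteed_Bps"], exp_g),
        ("iprope maximum B/s", iprope["maximum_Bps"], exp_m),
        ("list priority", listed["priority"], exp_p),
        ("list guaranteed KB/sec", listed["guaranteed-bandwidth"], exp_g // 1024),
        ("list maximum KB/sec", listed["maximum-bandwidth"], exp_m // 1024),
    ]
    return [f"{cfg_name}: {what} is {seen}, configuration implies {expected}"
            for what, seen, expected in checks if seen != expected]


# Constructed sample data, copied from the configuration and outputs in this example.
CONFIG = {  # `config firewall shaper traffic-shaper`, values in kbps
    "high-priority": {"maximum-bandwidth": 1048576},
    "low-priority": {"guaranteed-bandwidth": 1000, "maximum-bandwidth": 1048576,
                     "priority": "low"},
}
IPROPE_LINES = {  # shaping policy id -> its 'shapers:' line from iprope list 100015
    1: "shapers: orig=high-priority(2/0/134217728) reply=high-priority(2/0/134217728)",
    2: "shapers: orig=low-priority(4/128000/134217728) reply=low-priority(4/128000/134217728)",
}
SHAPER_LIST = """\
name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
tos ff
packets dropped 0
bytes dropped 0
"""


def audit(config=CONFIG, iprope_lines=IPROPE_LINES, shaper_list=SHAPER_LIST) -> dict:
    """Check every shaper referenced by a shaping policy.
    Returns {(policy_id, direction): [problems]}."""
    listed = {s["name"]: s for s in parse_shaper_list(shaper_list)}
    report = {}
    for policy_id, line in iprope_lines.items():
        for direction, seen in parse_iprope_shapers(line).items():
            name = seen["name"]
            report[(policy_id, direction)] = check_shaper(name, config[name], seen, listed[name])
    return report


if __name__ == "__main__":
    for key, problems in audit().items():
        print(key, "OK" if not problems else problems)
```

Run the script as-is to audit the sample; to check a live unit, replace the constants with the `shapers:` lines and shaper list from your own diagnose output and the kbps values from your configuration. An empty list for every (policy, direction) pair means the running shapers match the configuration; a non-empty list names the field whose value does not.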

SDN dynamic connector addresses in SD-WAN rules

SDN dynamic connector addresses can be used in SD-WAN rules. FortiGate supports both public (AWS, Azure, GCP,
OCI, AliCloud) and private (Kubernetes, VMware ESXi and NSX, OpenStack, ACI, Nuage) SDN connectors.
The configuration procedure for all of the supported SDN connector types is the same. This example uses an Azure
public SDN connector.

There are four steps to create and use an SDN connector address in an SD-WAN rule:
1. Configure the FortiGate IP address and network gateway so that it can reach the Internet.
2. Create an Azure SDN connector.
3. Create a firewall address to associate with the configured SDN connector.
4. Use the firewall address in an SD-WAN service rule.

To create an Azure SDN connector:

1. Go to Security Fabric > External Connectors.


2. Click Create New.
3. In the Public SDN section, click Microsoft Azure.


4. Enter the following:

Name azure1

Status Enabled

Update Interval Use Default

Server region Global

Directory ID 942b80cd-1b14-42a1-8dcf-4b21dece61ba

Application ID 14dbd5c5-307e-4ea4-8133-68738141feb1

Client secret xxxxxx

Resource path disabled

5. Click OK.

To create a firewall address to associate with the configured SDN connector:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Enter the following:

Category Address

Name azure-address

Type Dynamic

Sub Type Fabric Connector Address

SDN Connector azure1

SDN address type Private

Filter SecurityGroup=edsouza-centos

Interface Any

4. Click OK.


To use the firewall address in an SD-WAN service rule:

1. Go to Network > SD-WAN Rules.


2. Click Create New.
3. Set the Name to Azure1.
4. For the Destination Address select azure-address.
5. Configure the remaining settings as needed. See SD-WAN rules on page 713 for details.
6. Click OK.

Diagnostics

Use the following CLI commands to check the status of and troubleshoot the connector.

To see the status of the SDN connector:

# diagnose sys sdn status

SDN Connector    Type    Status     Updating  Last update
-----------------------------------------------------------------------------------------
azure1           azure   connected  no        n/a

To debug the SDN connector to resolve the firewall address:

# diagnose debug application azd -1


Debug messages will be on for 30 minutes.

...
azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address-1, vd 0
IP address change, new list:
10.18.0.4
10.18.0.12
...
...
# diagnose sys sdwan service

Service(2): Address Mode(IPV4) flags=0x0


TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service role: standalone
Member sub interface:
Members:
1: Seq_num(1), alive, selected
Dst address:
10.18.0.4 - 10.18.0.4
10.18.0.12 - 10.18.0.12
... ...
... ...
... ...


Application steering using SD-WAN rules

This topic covers how to use application steering in a topology with multiple WAN links. The following examples illustrate
how to use different strategies to perform application steering to accommodate different business needs:
l Static application steering with a manual strategy on page 737
l Dynamic application steering with lowest cost and best quality strategies on page 740

Static application steering with a manual strategy

This example covers a typical usage scenario where the SD-WAN has two members: MPLS and DIA. DIA is primarily
used for direct internet access to internet applications, such as Office365, Google applications, Amazon, and Dropbox.
MPLS is primarily used for SIP, and works as a backup when DIA is not working.

This example configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will
use MPLS.

To configure an SD-WAN rule to use SIP and DIA in the GUI:

1. Add port1 (DIA) and port2 (MPLS) as SD-WAN members, and configure a static route. See Configuring the SD-
WAN interface on page 680 for details.
2. Create a firewall policy with an Application Control profile configured. See Configuring firewall policies for SD-WAN
on page 682 for details.
3. Go to Network > SD-WAN Rules.
4. Click Create New. The Priority Rule page opens.
5. Enter a name for the rule, such as SIP.
6. Click the Application field and select the applicable SIP applications from the Select Entries panel.
7. Under Outgoing Interfaces, select Manual.
8. For Interface preference, select MPLS.
9. Click OK.
10. Click Create New to create another rule.
11. Enter a name for the rule, such as Internet.
12. Click the Address field and select all from the panel.
13. Under Outgoing Interfaces, select Manual.


14. For Interface preference, select DIA.

15. Click OK.

To configure the firewall policy using the CLI:

config firewall policy


edit 1
set name "1"
set srcintf "dmz"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set fsso disable
set application-list "default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end

To configure an SD-WAN rule to use SIP and DIA using the CLI:

config system sdwan


set status enable
config members
edit 1
set interface "MPLS"
next
edit 2
set interface "DIA"
next

end
config service
edit 1
set name "SIP"
set internet-service enable
set internet-service-app-ctrl 34640 152305677 38938 26180 26179 30251
set priority-members 1
next
edit 2
set name "Internet"
set dst "all"
set priority-members 2
next
end
end

All SIP traffic uses MPLS (member 1) and all other traffic uses DIA (member 2). If DIA is down, the traffic falls back to MPLS. To run SIP traffic over a VPN instead of MPLS, configure a VPN interface (for example, vpn1) and use it as SD-WAN member 1 in place of MPLS.

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To use the diagnose command to check the SD-WAN rule status and selected members using the CLI:

# diagnose sys sdwan service 1

Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(1), alive, selected
Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179) SIP_Voice(4294836229 30251)

# diagnose sys sdwan service 2

Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(2), alive, selected
Dst address: 0.0.0.0-255.255.255.255

# diagnose sys sdwan internet-service-app-ctrl-list
Ctrl application(SIP 34640):Internet Service ID(4294836224)
Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225)
Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226)
Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227)
Ctrl application(SIP_Message 26179):Internet Service ID(4294836228)
Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229)

Dynamic application steering with lowest cost and best quality strategies

In this example, the SD-WAN has three members: two ISPs (DIA_1 and DIA_2) that are used for access to internet
applications, and an MPLS link that is used exclusively as a backup for business critical applications.

Business applications, such as Office365, Google, Dropbox, and SIP, use the Lowest Cost (SLA) strategy to provide
application steering, and traffic falls back to MPLS only if both ISP1 and ISP2 are down. Non-business applications, such
as Facebook and Youtube, use the Best Quality strategy to choose between the ISPs.

To configure the SD-WAN members, static route, and firewall policy in the GUI:

1. Add port1 (DIA_1), port2 (DIA_2), and port3 (MPLS) as SD-WAN members. Set the cost of DIA_1 and DIA_2 to 0,
and MPLS to 20. See Configuring the SD-WAN interface on page 680 for details.

2. Configure a static route. See Adding a static route on page 681 for details.
3. Create a firewall policy to allow traffic out on SD-WAN, with an Application Control profile configured. See
Configuring firewall policies for SD-WAN on page 682 for details.

To configure the SD-WAN rule and performance SLA checks for business critical application in the GUI:

1. Go to Network > SD-WAN Rules, and click Create New.


2. Set the name to BusinessCriticalApps.
This rule will steer your business critical traffic to the appropriate link based on the Lowest Cost (SLA).
3. Set Source address to all.


4. Under Destination, set Application to your required applications. In this example: Microsoft.Office.365,
Microsoft.Office.Online, Google.Docs, Dropbox, and SIP.
5. Under Outgoing Interfaces, select Lowest Cost (SLA).
The lowest cost is defined in the SD-WAN member interface settings (see Configuring the SD-WAN interface on
page 680). The lowest possible cost is 0, which represents the most preferred link. In this example, DIA_1 and DIA_
2 both have a cost of 0, while MPLS has a cost of 20 because it is used for backup.
6. In Interface preference, add the interfaces in order of preference when the cost of the links is tied. In this example,
DIA_1, DIA_2, then MPLS.
MPLS will always be chosen last, because it has the highest cost. DIA_1 and DIA_2 have the same cost, so an
interface is selected based on their order in the Interface preference list.
7. Set Required SLA target to ensure that only links that pass your SLA target are chosen in this SD-WAN rule:
a. Click in the Required SLA target field.
b. In the Select Entries pane, click Create. The New Performance SLA pane opens.
c. Set Name to BusinessCritical_HC.
This health check is used for business critical applications in your SD-WAN rule.
d. Leave Protocol set to Ping, and add up to two servers, such as office.com and google.com.
e. Set Participants to Specify, and add all three interfaces: DIA_1, DIA_2, and MPLS.
f. Enable SLA Target.
The attributes in your target determine the quality of your link. The SLA target of each link is compared when
determining which link to use based on the lowest cost. Links that meet the SLA target are preferred over links
that fail, and move to the next step of selection based on cost. If no links meet the SLA target, then they all
move to the next step.
In this example, disable Latency threshold and Jitter threshold, and set Packet loss threshold to 1.
g. Click OK.
h. Select the new performance SLA to set it as the Required SLA target.
When multiple SLA targets are added, you can choose which target to use in the SD-WAN rule.


8. Click OK to create the SD-WAN rule.

To configure the SD-WAN rule and performance SLA checks for non-business critical application in the
GUI:

1. Go to Network > SD-WAN Rules, and click Create New.


2. Set the name to NonBusinessCriticalApps.
This rule will steer your non-business critical traffic to the appropriate link based on the Best Quality. No SLA target
must be met, as the best link is selected based on the configured quality criteria and interface preference order.
3. Set Source address to all.
4. Under Destination, set Application to your required applications. In this example: Facebook, and Youtube.
5. Under Outgoing Interfaces, select Best Quality.
6. In Interface preference, add the interfaces in order of preference.
By default, a more preferred link has an advantage of 10% over a less preferred link. For example, when latency is
used, the preferred link’s calculated latency = real latency / (1+10%).

The preferred link advantage can be customized in the CLI when the mode is priority
(Best Quality) or auto:
config system sdwan
config service
edit <id>
set link-cost-threshold <integer>
next
end
end


7. Create and apply a new performance SLA profile:


a. Click in the Measured SLA field.
b. In the drop-down list, click Create. The New Performance SLA pane opens.
c. Set Name to NonBusinessCritical_HC.
This health check is used for non-business critical applications in your SD-WAN rule.
d. Leave Protocol set to Ping, and add up to two servers, such as youtube.com and facebook.com.
e. Set Participants to Specify, and add the DIA_1 and DIA_2 interfaces. In this example, MPLS is not used for
non-business critical applications.
f. Leave SLA Target disabled.
g. Click OK.
h. Select the new performance SLA from the list to set it as the Measured SLA.
8. Set Quality criteria as required. In this example, Latency is selected.
For bandwidth related criteria, such as Downstream, Upstream, and Bandwidth (bi-directional), the selection is
based on available bandwidth. An estimated bandwidth should be configured on the interface to provide a baseline,
maximum available bandwidth.

9. Click OK to create the SD-WAN rule.
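The member-selection rules described in the two procedures above can be modelled to predict which link a rule will pick before it is deployed: Lowest Cost (SLA) ranks members that meet the SLA target ahead of those that fail, then by cost, then by Interface preference order (and ranks everyone by cost and order if nobody meets the target); Best Quality picks the lowest value of the quality criterion, but the more preferred member keeps a link-cost-threshold advantage (its value is divided by 1 + 10% by default). The following Python is an added example and not FortiOS code; it implements the rules as documented here, not Fortinet's internal algorithm. The member metrics are constructed (the port1 and port2 latencies are the ones that appear in the `diagnose sys sdwan service` output in the Verification section of this example), and treating a metric that equals its threshold as passing the SLA is an assumption.

```python
"""Model of the SD-WAN member-selection strategies described in this example:
Lowest Cost (SLA) and Best Quality. Added example, not FortiOS code: it
implements the rules as documented here, not Fortinet's internal algorithm.
Member metrics are constructed; the port1/port2 latencies are those shown in
the `diagnose sys sdwan service` output of this example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Member:
    name: str
    cfg_order: int            # position in the rule's Interface preference list
    cost: int = 0             # `set cost` on the SD-WAN member
    alive: bool = True        # health-check state
    latency: float = 0.0      # ms
    jitter: float = 0.0       # ms
    packet_loss: float = 0.0  # percent


@dataclass
class SlaTarget:
    """Thresholds of a Performance SLA target; None means the threshold is disabled."""
    latency: Optional[float] = None
    jitter: Optional[float] = None
    packet_loss: Optional[float] = None

    def met_by(self, m: Member) -> bool:
        # Assumption: a metric equal to its threshold still passes.
        return ((self.latency is None or m.latency <= self.latency)
                and (self.jitter is None or m.jitter <= self.jitter)
                and (self.packet_loss is None or m.packet_loss <= self.packet_loss))


def lowest_cost_sla(members: List[Member], target: SlaTarget) -> List[Member]:
    """Lowest Cost (SLA): members meeting the SLA target are preferred over those
    that fail; within each group the lowest cost wins and ties are broken by
    preference order. If no member meets the target, all of them are ranked by
    cost and order. Dead members are never candidates. First entry = chosen."""
    alive = [m for m in members if m.alive]
    by_cost_then_order = lambda m: (m.cost, m.cfg_order)
    passing = sorted((m for m in alive if target.met_by(m)), key=by_cost_then_order)
    failing = sorted((m for m in alive if not target.met_by(m)), key=by_cost_then_order)
    return passing + failing


def best_quality(members: List[Member], factor: str = "latency",
                 link_cost_threshold: int = 10) -> Optional[Member]:
    """Best Quality: the member with the lowest `factor` wins, but a more preferred
    member keeps an advantage of link-cost-threshold percent: its value is divided
    by (1 + threshold/100) before it is compared with the next member in preference
    order. Returns the chosen member, or None if no member is alive."""
    alive = sorted((m for m in members if m.alive), key=lambda m: m.cfg_order)
    best = None
    for cand in alive:
        if best is None:
            best = cand
            continue
        handicapped = getattr(best, factor) / (1 + link_cost_threshold / 100)
        if getattr(cand, factor) < handicapped:
            best = cand
    return best


def names(members: List[Member]) -> List[str]:
    return [m.name for m in members]


# Constructed data: costs as configured in this example, BusinessCritical_HC
# with latency and jitter thresholds disabled and packet loss threshold 1%.
BUSINESS_HC = SlaTarget(packet_loss=1)
MEMBERS = [
    Member("port1", cfg_order=0, cost=0, latency=5.712, jitter=0.953),
    Member("port2", cfg_order=1, cost=0, latency=5.511, jitter=0.830),
    Member("port3", cfg_order=2, cost=20, latency=13.018, jitter=0.923),
]

if __name__ == "__main__":
    print("BusinessCriticalApps order:", names(lowest_cost_sla(MEMBERS, BUSINESS_HC)))
    print("NonBusinessCriticalApps pick:", best_quality(MEMBERS[:2]).name)
```

With these metrics port2 has the lower raw latency (5.511 ms against 5.712 ms), yet port1 stays selected because 5.712 / 1.1 = 5.19 ms is still below 5.511 ms; set link-cost-threshold to 0 and port2 wins. For the SLA rule, MPLS (port3) always sorts last while it passes the SLA because of its cost of 20, and a member that breaches the packet-loss threshold drops behind every passing member regardless of its cost.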

To configure the SD-WAN members, static route, and firewall policy in the CLI:

1. Configure the interfaces:


config system interface
edit "port1"
set ip <class_ip&net_netmask>
set alias "DIA_1"
set role wan
next
edit "port2"
set ip <class_ip&net_netmask>

set alias "DIA_2"
set role wan
next
edit "port3"
set ip <class_ip&net_netmask>
set alias "MPLS"
set role wan
next
end

2. Configure the SD-WAN members:


config system sdwan
set status enable
config members
edit 1
set interface "port1"
set gateway 172.16.20.2
next
edit 2
set interface "port2"
set gateway 172.17.80.2
next
edit 3
set interface "port3"
set gateway 10.100.20.2
set cost 20
next
end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

3. Configure a static route. See Adding a static route on page 681 for details.
4. Create a firewall policy to allow traffic out on SD-WAN, with an Application Control profile configured. See
Configuring firewall policies for SD-WAN on page 682 for details.

To configure the SD-WAN rule and performance SLA checks for business critical application in the CLI:

1. Configure the BusinessCriticalApps_HC health-check:


config system sdwan
config health-check
edit "BusinessCriticalApps_HC"
set server "office.com" "google.com"
set members 1 2 3
config sla
edit 1
set link-cost-factor packet-loss
set packetloss-threshold 1
next
end
next

end
end

2. Configure the BusinessCriticalApps service to use Lowest Cost (SLA):


config system sdwan
config service
edit 1
set name "BusinessCriticalApps"
set mode sla
set src "all"
set internet-service enable
set internet-service-app-ctrl 17459 16541 33182 16177 34640
config sla
edit "BusinessCriticalApps_HC"
set id 1
next
end
set priority-members 1 2 3
next
end
end

To configure the SD-WAN rule and performance SLA checks for non-business critical application in the
CLI:

1. Configure the NonBusinessCriticalApps_HC health-check:


config system sdwan
config health-check
edit "NonBusinessCriticalApps_HC"
set server "youtube.com" "facebook.com"
set members 1 2
next
end
end

2. Configure the NonBusinessCriticalApps service to use Best Quality (mode priority):


config system sdwan
config service
edit 4
set name "NonBusinessCriticalApps"
set mode priority
set src "all"
set internet-service enable
set internet-service-app-ctrl 15832 31077
set health-check "NonBusinessCriticalApps_HC"
set priority-members 1 2
next
end
end

Verification

Check the following GUI pages, and run the following CLI commands to confirm that your traffic is being steered by the
SD-WAN rules.

Health checks

To verify the status of each of the health checks in the GUI:

1. Go to Network > Performance SLA and select each of the health checks from the list.

To verify the status of each of the health checks in the CLI:

# diagnose sys sdwan health-check


Health Check(BusinessCritical_HC):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(12.884), jitter(0.919) sla_map=0x1
Seq(2 port2): state(alive), packet-loss(0.000%) latency(13.018), jitter(0.723) sla_map=0x1
Seq(3 port3): state(alive), packet-loss(0.000%) latency(13.018), jitter(0.923) sla_map=0x1
Health Check(NonBusinessCritical_HC):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(6.888), jitter(0.953) sla_map=0x0
Seq(2 port2): state(alive), packet-loss(0.000%) latency(6.805), jitter(0.830) sla_map=0x0

Rule members and hit count

To verify the active members and hit count of the SD-WAN rule in the GUI:

1. Go to Network > SD-WAN Rules.

The interface that is currently selected by the rule has a checkmark next to its name in the Members column. Hover
the cursor over the checkmark to open a tooltip that gives the reason why that member is selected. If multiple
members are selected, only the highest ranked member is highlighted (unless the mode is Maximize Bandwidth
(SLA)).

To verify the active members and hit count of the SD-WAN rule in the CLI:

# diagnose sys sdwan service

Service(3): Address Mode(IPV4) flags=0x0


Gen(13), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members:
1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2 port2), alive, sla(0x1), cfg_order(1), cost(0), selected
3: Seq_num(3 port3), alive, sla(0x1), cfg_order(2), cost(20), selected
Internet Service: Dropbox(4294836727,0,0,0 17459) Google.Docs(4294836992,0,0,0 16541)
Microsoft.Office.365(4294837472,0,0,0 33182) Microsoft.Office.Online(4294837475,0,0,0 16177)
SIP(4294837918,0,0,0 34640)
Src address:
0.0.0.0-255.255.255.255

Service(4): Address Mode(IPV4) flags=0x0


Gen(211), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency),
link-cost-threshold(10), heath-check(NonBusinessCritical_HC)
Members:
1: Seq_num(1 port1), alive, latency: 5.712, selected
2: Seq_num(2 port2), alive, latency: 5.511, selected
Internet Service: Facebook(4294836806,0,0,0 15832) YouTube(4294838537,0,0,0 31077)
Src address:
0.0.0.0-255.255.255.255

Applications and sessions

To verify sessions in FortiView:

1. Go to a dashboard and add the Top Cloud Applications by Bytes widget. See Cloud application view on page 127
for details.

2. Drill down on an application, such as YouTube, then select the Sessions tab.

To verify applications identified by Application Control in SD-WAN:

# diagnose sys sdwan internet-service-app-ctrl-list

Facebook(15832 4294836697): 31.13.67.20 6 443 Fri April 17 22:33:39 2020


Facebook(15832 4294836697): 31.13.67.35 6 443 Fri April 17 22:33:41 2020
Facebook(15832 4294836697): 31.13.70.36 6 443 Fri April 17 22:36:41 2020
Facebook(15832 4294836697): 157.240.11.22 6 443 Fri April 17 22:36:42 2020
Facebook(15832 4294836697): 157.240.11.35 6 443 Fri April 17 22:36:41 2020
YouTube(31077 4294838227): 172.217.24.150 6 443 Fri April 17 22:32:16 2020
YouTube(31077 4294838227): 172.217.25.78 6 443 Fri April 17 22:32:16 2020
YouTube(31077 4294838227): 216.58.220.129 6 443 Fri April 17 22:32:34 2020

DSCP tag-based traffic steering in SD-WAN

This section demonstrates Differentiated Services Code Point (DSCP) tag-based traffic steering in Fortinet Secure SD-WAN and can be used as a template for deploying it. DSCP tags are commonly used to categorize traffic for quality of service (QoS); an edge device can also use them as SD-WAN steering criteria.
In this example, we have two different departments at the Headquarters site - Customer Service and Marketing. Traffic
from each of these departments is marked with separate DSCP tags by the core switch, and passes through the core
switch to the edge FortiGate. The edge FortiGate reads the DSCP tags and steers traffic to the preferred interface based
on the defined SD-WAN rules.

In our example, we consider two types of traffic - social media traffic and VoIP traffic. VoIP traffic from Customer Service
is considered to be more important than social media traffic. Each of these traffic types is marked with a DSCP tag by the
core switch - VoIP traffic is marked with the DSCP tag of 011100, and social media traffic is marked with the DSCP tag
of 001100. The DSCP tagged traffic is then passed on to the edge FortiGate. The edge FortiGate identifies the DSCP
tagged traffic and based on the defined SD-WAN rules, the edge FortiGate steers:
l VoIP traffic to the preferred VPN overlay with the least jitter in order to provide the best quality of voice
communication with the remote VoIP server (PBX)
l Social media traffic to the preferred Internet link with a lower cost (less expensive and less reliable)
If you are familiar with SD-WAN configurations in FortiOS, you can directly jump to the Configuring SD-WAN rules on
page 752 section to learn how to configure the SD-WAN rules to perform traffic steering. Otherwise, you can proceed
with all of the following topics to configure the edge FortiGate:
l Configuring IPsec tunnels on page 750
l Configuring SD-WAN zones on page 750
l Configuring firewall policies on page 751
l Configuring Performance SLA test on page 751
l Configuring SD-WAN rules on page 752
l Results on page 756

Configuring IPsec tunnels

In our example, we have two interfaces, Internet_A (port1) and Internet_B (port5), on which we have configured the IPsec tunnels Branch-HQ-A and Branch-HQ-B respectively. To learn how to configure IPsec tunnels, refer to the IPsec VPNs on page 1520 section.
After you have configured the IPsec tunnels as required, verify your IPsec tunnels by navigating to VPN > IPsec Tunnels
from the tree menu on the left side of the GUI.

Configuring SD-WAN zones

In order for us to steer traffic based on SD-WAN rules, first we need to configure SD-WAN interface members and assign
them to SD-WAN zones. To know more about SD-WAN zones, refer to the SD-WAN zones on page 689 section.
In our example, we created two SD-WAN zones. The virtual-wan-link SD-WAN zone for the underlay traffic
passing through the Internet_A(port1) and Internet_B(port5) interfaces, and the Overlay SD-WAN zone for
the overlay traffic passing through the Branch-HQ-A and Branch-HQ-B interfaces.
Verify the configurations on the Network > SD-WAN Zones screen:

In the screenshot above, the Internet_A (port1) and Internet_B (port5) SD-WAN interface members are configured with Cost values of 0 and 10 respectively. A lower Cost value marks the member as the primary interface: it is preferred over a member with a higher Cost value when the Lowest Cost (SLA) strategy is used.

We also need to configure a static route that points to the SD-WAN interface. To know more about static routes, refer to
the Adding a static route on page 681 section.

Configuring firewall policies

Configure firewall policies for both the overlay and underlay traffic. To know more about firewall policies, refer to the
Policies on page 1113 section.
In this example, the Overlay-out policy governs the overlay traffic and the SD-WAN-Out policy governs the underlay
traffic. The firewall policies are configured accordingly.
Once created, verify the firewall policies by navigating to Policy & Objects > Firewall Policy:

The Security Profiles column indicates that the Overlay-out firewall policy for the overlay traffic is set up to not scan any
traffic, while the SD-WAN-Out firewall policy is set to scan all web traffic to identify and govern social media traffic as
Application Control profile is active.

Configuring Performance SLA test

Configure a performance SLA test that will be tied to the SD-WAN interface members we created and assigned to SD-
WAN zones. To know more about Performance SLA, refer to the SLA targets example on page 703 section.

In this example, we created a Performance SLA test Default_DNS with Internet_A(port1) and Internet_B
(port5) interface members as participants. We will use the created Performance SLA test to steer all web traffic
passing through the underlays other than social media traffic based on the Lowest Cost (SLA) strategy.

Configuring SD-WAN rules

Configure SD-WAN rules to govern the steering of DSCP tag-based traffic to the appropriate interfaces. Traffic will be
steered based on the Criteria configured as part of the SD-WAN rules configuration.
In our example, we configured three different SD-WAN rules to govern DSCP-tagged traffic: one SD-WAN rule each for
VoIP traffic, social media traffic (Facebook in this case), and all other web traffic. VoIP traffic is always steered to one
of the two overlay SD-WAN zones, VPN_A_tunnel(Branch-HQ-A) or VPN_B_tunnel(Branch-HQ-B). Similarly, social
media traffic and other web traffic are always steered to one of the two underlay SD-WAN zones, Internet_A(port1) or
Internet_B(port5). Which interface the system prefers over the other depends on the Criteria configured in the SD-WAN
rule definition.
We configured the following SD-WAN rules:
l SD-WAN rule for VoIP traffic on page 752
l SD-WAN rule for social media traffic on page 753
l SD-WAN rule for other web traffic on page 754

SD-WAN rule for VoIP traffic

To configure an SD-WAN rule for DSCP-tagged VoIP traffic using the CLI:

FortiGate # config sys sdwan
    config service
        edit 5
            set name "VoIP-Steer"
            set mode priority
            set tos 0x70
            set tos-mask 0xf0
            set dst "all"
            set health-check "Default_DNS"
            set link-cost-factor jitter
            set priority-members 4 3
        next
    end
end


The VoIP-Steer SD-WAN rule configured above governs the DSCP-tagged VoIP traffic.
DSCP is a 6-bit value that occupies the six most significant bits of the 8-bit Type of Service (DS) byte, so a DSCP value
is written into that byte by appending two zero bits (the ECN bits). Therefore, in this example, VoIP traffic with DSCP tag
011100 becomes 01110000. This 8-bit binary number 01110000 is represented in its hexadecimal form 0x70 as the tos
(Type of Service bit pattern) value. The tos-mask (Type of Service evaluated bits) hexadecimal value of 0xf0 (binary
11110000) checks the four most significant bits of the tos value in this case. Hence, the first four bits of the tos (0111)
are used to match the first four bits of the DSCP tag in the rule above. Only the bit positions that are set to one in the
tos-mask are compared; bit positions that are zero in the tos-mask are ignored.
We used the Best Quality strategy to define the Criteria to select the preferred interface from the overlay SD-WAN zone.
With the Best Quality strategy selected, the interface with the best measured performance is selected. The system
prefers the interface with the least Jitter.

To know more about configuring SD-WAN rules with the Best Quality strategy, refer to the Best quality strategy on page
718 section.

SD-WAN rule for social media traffic

To configure an SD-WAN rule for DSCP-tagged social media traffic using the CLI:

FortiGate # config sys sdwan
    config service
        edit 3
            set name "Facebook-DSCP-steer"
            set tos 0x30
            set tos-mask 0xf0
            set dst "all"
            set priority-members 2 1
        next
    end
end

</gr_replreplace>

<gr_replace lines="35379-35386" cat="clarify" orig="The Facebook-DSCP-steer SD-WAN rule">
The Facebook-DSCP-steer SD-WAN rule configured above governs the DSCP-tagged social media traffic.
DSCP is a 6-bit value that occupies the six most significant bits of the 8-bit Type of Service (DS) byte, so a DSCP value
is written into that byte by appending two zero bits (the ECN bits). Therefore, in this example, social media traffic with
DSCP tag 001100 becomes 00110000. This 8-bit binary number 00110000 is represented in its hexadecimal form 0x30 as
the tos (Type of Service bit pattern) value. The tos-mask (Type of Service evaluated bits) hexadecimal value of 0xf0
(binary 11110000) checks the four most significant bits of the tos value in this case. Hence, the first four bits of the tos
(0011) are used to match the first four bits of the DSCP tag in the rule above. Only the bit positions that are set to one in
the tos-mask are compared; bit positions that are zero in the tos-mask are ignored.

The Facebook-DSCP-steer SD-WAN rule configured above governs the DSCP tagged social media traffic.
DSCP values commonly are 6-bit binary numbers that are padded with zeros at the end. Therefore, in this example,
social media traffic with DSCP tag 001100 will become 00110000. This 8-bit binary number 00110000 is represented
in its hexadecimal form 0x30 as the tos (Type of Service bit pattern) value. The tos-mask (Type of Service evaluated
bits) hexadecimal value of 0xf0 (binary 11110000) is used to check the four most significant bits from the tos value in
this case. Hence, the first four bits of the tos (0011) will be used to match the first four bits of the DSCP tag in our policy
above. Only the non-zero bit positions are used for comparison and the zero bit positions are ignored from the tos-
mask.
We used a manual strategy to select the preferred interface from the underlay SD-WAN zone. We manually select the
preferred interface as Internet_B(port5) to steer all social media traffic to.

To know more about configuring SD-WAN rules with static application steering with a manual strategy, refer to the Static
application steering with a manual strategy on page 737 section.
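The following Python script is an added worked example; it is not FortiOS code and not part of the original guide. It models the tos / tos-mask comparison described for the VoIP-Steer and Facebook-DSCP-steer rules and the sniffer filter used later in the Results section (ip[1] & 0xfc), and it enumerates every DSCP value a given tos/tos-mask pair admits, which shows that a tos-mask of 0xf0 matches a range of four DSCP values rather than exactly one. The rule names and hexadecimal values come from this example; the function names and the sample DS byte values are the script's own.

```python
# Added example (not FortiOS code): model of SD-WAN tos / tos-mask matching
# and of the page's sniffer filter '(ip and ip[1] & 0xfc == 0x70)'.
from typing import List, Optional, Tuple

DSCP_BITS_MASK = 0xFC  # the six high bits of the DS byte; what the sniffer filter keeps
ECN_BITS_MASK = 0x03   # the two low bits, which a DSCP rule must not depend on


def dscp_to_tos(dscp: int) -> int:
    """Place a 6-bit DSCP value in the high bits of the 8-bit DS/TOS byte (011100 -> 01110000)."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    return dscp << 2


def tos_matches(ds_byte: int, tos: int, tos_mask: int) -> bool:
    """Compare only the bit positions set in tos-mask, as the SD-WAN rule does."""
    return (ds_byte & tos_mask) == (tos & tos_mask)


def sniffer_filter_matches(ds_byte: int, expected_tos: int) -> bool:
    """The page's capture filter: keep the DSCP bits, drop the ECN bits, compare to the tos."""
    return (ds_byte & DSCP_BITS_MASK) == expected_tos


def matching_dscp_values(tos: int, tos_mask: int) -> List[int]:
    """Every 6-bit DSCP value whose DS byte (ECN bits cleared) satisfies the rule."""
    return [d for d in range(64) if tos_matches(dscp_to_tos(d), tos, tos_mask)]


# The two DSCP rules from this example: (name, tos, tos-mask). They do not overlap,
# so the order they are checked in does not matter here.
RULES: List[Tuple[str, int, int]] = [
    ("VoIP-Steer", 0x70, 0xF0),
    ("Facebook-DSCP-steer", 0x30, 0xF0),
]


def classify(ds_byte: int) -> Optional[str]:
    """Return the name of the first rule whose tos/tos-mask matches the DS byte, or None."""
    for name, tos, tos_mask in RULES:
        if tos_matches(ds_byte, tos, tos_mask):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample DSCP values: the two from the example, one inside the
    # masked range but not equal to the documented tag, and best-effort (0).
    for dscp in (0b011100, 0b001100, 0b011110, 0b000000):
        ds = dscp_to_tos(dscp)
        print(f"DSCP {dscp:06b} -> tos 0x{ds:02x} -> rule {classify(ds)}")
    print("DSCP values matched by 0x70/0xf0:", matching_dscp_values(0x70, 0xF0))
```

Note the difference between the rule and the capture filter: the rule's mask 0xf0 also matches a packet with DS byte 0x78 (DSCP 011110), while the sniffer filter compares all six DSCP bits and does not, so a capture filtered on 0x70 can under-report what the rule actually steers.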

SD-WAN rule for other web traffic

To configure an SD-WAN rule for all other web traffic using the CLI:

FortiGate # config sys sdwan
    config service
        edit 2
            set name "All-traffic"
            set mode sla
            set dst "all"
            config sla
                edit "Default_DNS"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

The All-traffic SD-WAN rule configured above governs all other web traffic.
We used the Lowest Cost (SLA) strategy to define the Criteria to select the preferred interface from the underlay SD-
WAN zone. With the Lowest Cost (SLA) strategy selected, the interface that meets the defined Performance SLA targets
(Default_DNS in our case) is selected. When there is a tie, the interface with the lowest assigned Cost (Internet_A
(port1) in our case) is selected.

To know more about configuring SD-WAN rules with the Lowest Cost (SLA) strategy, refer to the Lowest cost (SLA)
strategy on page 721 section.
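The following Python script is an added example, not FortiOS code and not part of the original guide. It models the three member-selection strategies the rules in this example use: Lowest Cost (SLA) for All-traffic, Best Quality with link-cost-factor jitter for VoIP-Steer, and the manual strategy for Facebook-DSCP-steer. The member names, sequence numbers, Cost values and priority-members orders come from this example; the SLA results and jitter figures are constructed inputs, and the behaviour when no member qualifies is not described in the text, so the functions return None in that case.

```python
# Added example (not FortiOS code): a model of the three member-selection
# strategies used by the rules in this example. The text does not describe
# what happens when no member qualifies, so these functions return None then.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Member:
    seq: int                   # member sequence number, as referenced by priority-members
    name: str
    cost: int = 0              # Cost value from the member configuration
    alive: bool = True         # health-check state
    jitter_ms: float = 0.0     # measured jitter (constructed sample input)
    sla_pass: Dict[str, bool] = field(default_factory=dict)  # health-check name -> SLA met


def _in_rule_order(members: Dict[int, Member], priority_members: List[int]) -> List[Member]:
    """The rule's members in the order given by priority-members (its configured order)."""
    return [members[seq] for seq in priority_members if seq in members]


def lowest_cost_sla(members, priority_members, health_check: str) -> Optional[Member]:
    """Lowest Cost (SLA): among alive members that meet the SLA of the named
    health check, pick the lowest Cost; min() keeps the first of equal costs,
    so configured order breaks ties."""
    candidates = [m for m in _in_rule_order(members, priority_members)
                  if m.alive and m.sla_pass.get(health_check, False)]
    return min(candidates, key=lambda m: m.cost) if candidates else None


def best_quality_jitter(members, priority_members) -> Optional[Member]:
    """Best Quality with link-cost-factor jitter: the alive member with the least jitter."""
    candidates = [m for m in _in_rule_order(members, priority_members) if m.alive]
    return min(candidates, key=lambda m: m.jitter_ms) if candidates else None


def manual(members, priority_members) -> Optional[Member]:
    """Manual: the first alive member listed in priority-members."""
    return next((m for m in _in_rule_order(members, priority_members) if m.alive), None)


def build_members(port1_sla: bool = True, port5_sla: bool = True) -> Dict[int, Member]:
    """The four members of this example; SLA results and jitter figures are constructed."""
    return {
        1: Member(1, "port1", cost=0, sla_pass={"Default_DNS": port1_sla}),
        2: Member(2, "port5", cost=10, sla_pass={"Default_DNS": port5_sla}),
        3: Member(3, "Branch-HQ-A", jitter_ms=4.2),
        4: Member(4, "Branch-HQ-B", jitter_ms=0.8),
    }


def name_of(member: Optional[Member]) -> Optional[str]:
    return member.name if member else None


def steer_all(members: Dict[int, Member]) -> Dict[str, Optional[str]]:
    """Apply the three rules of this example and report the member each one selects."""
    return {
        "VoIP-Steer": name_of(best_quality_jitter(members, [4, 3])),
        "Facebook-DSCP-steer": name_of(manual(members, [2, 1])),
        "All-traffic": name_of(lowest_cost_sla(members, [1, 2], "Default_DNS")),
    }


if __name__ == "__main__":
    print(steer_all(build_members()))
    print(steer_all(build_members(port1_sla=False)))
```

With both underlay members passing the SLA the model selects port1 for All-traffic because of its lower Cost; when port1 misses the SLA, port5 is selected even though its Cost is higher, which is the failover this example relies on.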
Once configured, verify your SD-WAN rules by navigating to Network > SD-WAN Rules:


Results

The following sections show how the FortiGate, and specifically secure SD-WAN, handles DSCP-tagged traffic steering,
and can be used to confirm that it is set up and running correctly:
l Verifying the DSCP tagged traffic on FortiGate on page 756
l Verifying service rules on page 757
l Verifying traffic steering as per the defined SD-WAN rules on page 758
l Verifying steered traffic leaving the required interface on page 758

Verifying the DSCP tagged traffic on FortiGate

To verify the incoming DSCP-tagged traffic, we used the built-in packet sniffer and converted the sniffed traffic into a
format that a packet analyzer can open. To know more about packet sniffing, refer to the Using the FortiOS built-in packet
sniffer guide on the Fortinet Knowledge Base.

For VoIP traffic that is marked with DSCP tag 0x70:

FortiGate # diagnose sniffer packet any '(ip and ip[1] & 0xfc == 0x70)' 6 0 l

We used the open-source packet analyzer Wireshark to verify that VoIP traffic is tagged with the 0x70 DSCP tag.


For web traffic marked with DSCP tag 0x30:

FortiGate # diagnose sniffer packet any '(ip and ip[1] & 0xfc == 0x30)' 6 0 l

We used the open-source packet analyzer Wireshark to verify that web traffic is tagged with the 0x30 DSCP tag.

Verifying service rules

The following CLI commands show the appropriate DSCP tags and the corresponding interfaces selected by the SD-
WAN rules to steer traffic:
FortiGate # diagnose sys sdwan service

Service(5): Address Mode(IPV4) flags=0x0
  Gen(1), TOS(0x70/0xf0), Protocol(0: 1->65535), Mode(manual)
  Members:
    1: Seq_num(4 Branch-HQ-B), alive, selected
  Dst address:
        0.0.0.0-255.255.255.255

Service(3): Address Mode(IPV4) flags=0x0
  Gen(1), TOS(0x30/0xf0), Protocol(0: 1->65535), Mode(manual)
  Members:
    1: Seq_num(2 port5), alive, selected
  Dst address:
        0.0.0.0-255.255.255.255

Service(2): Address Mode(IPV4) flags=0x0
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members:
    1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
    2: Seq_num(2 port5), alive, sla(0x1), cfg_order(1), cost(10), selected
  Dst address:
        0.0.0.0-255.255.255.255
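The following Python script is an added example, not FortiOS code and not part of the original guide. It parses the diagnose sys sdwan service output shown above into a structure that can be checked automatically, so that the member each rule selected and the TOS match it applies can be compared against what the configuration was meant to do, for instance from a scheduled verification job rather than by reading the output by eye. The sample text is constructed from the lines on this page; the function names are the script's own.

```python
# Added example (not FortiOS code): parse 'diagnose sys sdwan service' output so the
# member a rule selected, and the TOS match it applies, can be checked automatically.
import re
from typing import Dict, List

SERVICE_RE = re.compile(r"^Service\((\d+)\):")
TOS_RE = re.compile(r"TOS\((0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)\).*Mode\((\w+)\)")
MEMBER_RE = re.compile(r"^\s*\d+:\s*Seq_num\((\d+)\s+(\S+)\),\s*(.*)$")
COST_RE = re.compile(r"cost\((\d+)\)")

# Sample output constructed from the lines shown on this page.
SAMPLE = """\
Service(5): Address Mode(IPV4) flags=0x0
  Gen(1), TOS(0x70/0xf0), Protocol(0: 1->65535), Mode(manual)
  Members:
    1: Seq_num(4 Branch-HQ-B), alive, selected
  Dst address:
        0.0.0.0-255.255.255.255

Service(3): Address Mode(IPV4) flags=0x0
  Gen(1), TOS(0x30/0xf0), Protocol(0: 1->65535), Mode(manual)
  Members:
    1: Seq_num(2 port5), alive, selected
  Dst address:
        0.0.0.0-255.255.255.255

Service(2): Address Mode(IPV4) flags=0x0
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members:
    1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
    2: Seq_num(2 port5), alive, sla(0x1), cfg_order(1), cost(10), selected
  Dst address:
        0.0.0.0-255.255.255.255
"""


def parse_sdwan_services(text: str) -> Dict[int, dict]:
    """Return {service id: {"tos", "tos_mask", "mode", "members": [...]}}."""
    services: Dict[int, dict] = {}
    current = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:  # a new Service(N) block starts
            current = {"tos": None, "tos_mask": None, "mode": None, "members": []}
            services[int(m.group(1))] = current
            continue
        if current is None:
            continue
        m = TOS_RE.search(line)
        if m:  # the Gen/TOS/Protocol/Mode line
            current["tos"] = int(m.group(1), 16)
            current["tos_mask"] = int(m.group(2), 16)
            current["mode"] = m.group(3)
            continue
        m = MEMBER_RE.match(line)
        if m:  # one "N: Seq_num(seq name), flag, flag..." line
            flags = [f.strip() for f in m.group(3).split(",")]
            cost = COST_RE.search(m.group(3))
            current["members"].append({
                "seq": int(m.group(1)),
                "name": m.group(2),
                "alive": "alive" in flags,
                "selected": "selected" in flags,
                "cost": int(cost.group(1)) if cost else None,
            })
    return services


def selected_members(services: Dict[int, dict], service_id: int) -> List[str]:
    """Names of the members the rule marked as selected, in the order listed."""
    return [m["name"] for m in services[service_id]["members"] if m["selected"]]


def check_expectations(services: Dict[int, dict], expected: Dict[int, List[str]]) -> List[str]:
    """Return human-readable mismatches; an empty list means every rule steers as expected."""
    problems = []
    for sid, want in expected.items():
        got = selected_members(services, sid)
        if got != want:
            problems.append(f"service {sid}: selected {got}, expected {want}")
    return problems


if __name__ == "__main__":
    parsed = parse_sdwan_services(SAMPLE)
    print(check_expectations(parsed, {5: ["Branch-HQ-B"], 3: ["port5"], 2: ["port1", "port5"]}))
```

Service 2 lists both members as selected because the Lowest Cost (SLA) rule keeps every member that meets the SLA and prefers them by Cost; the cfg_order and cost fields parsed from its member lines are what the check on that rule should look at.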

Verifying traffic steering as per the defined SD-WAN rules

Go to Network > SD-WAN Rules to review the Hit Count on the appropriate SD-WAN interfaces.

Verifying steered traffic leaving the required interface

Go to Dashboard > Top Policies to confirm that web traffic (port 443) flows through the right underlay interface members,
and VoIP traffic flows through the right overlay interface member.
Web traffic leaves either Internet_A(port1) or Internet_B(port5).

VoIP traffic leaves the preferred VPN_B_tunnel(Branch-HQ-B) interface.


Advanced routing

The following topics provide instructions on SD-WAN advanced routing:


l Self-originating traffic on page 759
l Using BGP tags with SD-WAN rules on page 764
l BGP multiple path support on page 767
l Controlling traffic with BGP route mapping and service rules on page 770
l Applying BGP route-map to multiple BGP neighbors on page 776

Self-originating traffic

This topic applies to FortiOS 6.4.4 and later. In other versions, self-originating (local-out) traffic
behaves differently.

By default, self-originating traffic, such as Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and
others, relies on routing table lookups to determine the egress interface that is used to initiate the connection. Policy
routes generated by SD-WAN rules do not apply to this traffic.
Explicit proxy traffic uses policy routes and SD-WAN rules to select an egress interface. Self-originating VXLAN traffic
uses SD-WAN rules to select an egress interface.
For the following features, self-originating traffic can be configured to use SD-WAN rules or a specific interface:

PING

IPv4 and IPv6 pings can be configured to use SD-WAN rules:
execute ping-options use-sdwan {yes | no}
execute ping6-options use-sd-wan {yes | no}


DNS

DNS and non-management VDOM DNS traffic can use SD-WAN rules or a specific interface:
config system {dns | vdom-dns}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    l auto: Set the outgoing interface automatically (default).
    l sdwan: Set the interface by SD-WAN or policy routing rules.
    l specify: Set the interface manually.

interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when interface-select-method is
    specify.

FortiGuard

FortiGuard traffic can use SD-WAN rules or a specific interface:
config system fortiguard
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

RADIUS

RADIUS traffic, including traffic to individual accounting servers, can use SD-WAN rules or a specific interface:
config user radius
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
        config accounting-server
            edit <name>
                set interface-select-method {auto | sdwan | specify}
                set interface <interface>
            next
        end
    next
end

LDAP

LDAP traffic can use SD-WAN rules or a specific interface:
config user ldap
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end


TACACS+

TACACS+ traffic can use SD-WAN rules or a specific interface:
config user tacacs+
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end

Central management

Central management traffic can use SD-WAN rules or a specific interface:
config system central-management
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

FortiAnalyzer

FortiAnalyzer and FortiAnalyzer Cloud log traffic can use SD-WAN rules or a specific interface:
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3 | fortianalyzer-cloud} {setting | override-setting}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

FortiGate Cloud logging

FortiGate Cloud log traffic can use SD-WAN rules or a specific interface:
config log fortiguard setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

Syslog

Syslog traffic can use SD-WAN rules or a specific interface:
config log {syslog | syslog2 | syslog3} {setting | override-setting}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

Log disk upload

Log disk upload traffic can use SD-WAN rules or a specific interface:
config log disk setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end


FortiSandbox

FortiSandbox traffic can use SD-WAN rules or a specific interface:
config system fortisandbox
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

FSSO

FSSO traffic can use SD-WAN rules or a specific interface:
config system fsso
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

NTP server

NTP server traffic can use SD-WAN rules or a specific interface:
config system ntp
    config ntpserver
        edit <id>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
end

External resources

External resource traffic can use SD-WAN rules or a specific interface:
config system external-resource
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

DHCP proxy

DHCP proxy traffic can use SD-WAN rules or a specific interface:
config system settings
    set dhcp-proxy-interface-select-method {auto | sdwan | specify}
    set dhcp-proxy-interface <interface>
end

dhcp-proxy-interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    l auto: Set the outgoing interface automatically (default).
    l sdwan: Set the interface by SD-WAN or policy routing rules.
    l specify: Set the interface manually.

dhcp-proxy-interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when
    dhcp-proxy-interface-select-method is specify.


DHCP relay

DHCP relay traffic can use SD-WAN rules or a specific interface:
config system interface
    edit <interface>
        set dhcp-relay-interface-select-method {auto | sdwan | specify}
        set dhcp-relay-interface <interface>
    next
end

dhcp-relay-interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    l auto: Set the outgoing interface automatically (default).
    l sdwan: Set the interface by SD-WAN or policy routing rules.
    l specify: Set the interface manually.

dhcp-relay-interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when
    dhcp-relay-interface-select-method is specify.

CA and local certificate renewal with SCEP

Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:
config vpn certificate setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

IPS TLS protocol active probing

TLS active probing can use SD-WAN rules or a specific interface:
config ips global
    config tls-active-probe
        set interface-selection-method {auto | sdwan | specify}
        set interface <interface>
        set vdom <VDOM>
        set source-ip <IPv4 address>
        set source-ip6 <IPv6 address>
    end
end

interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    l auto: Set the outgoing interface automatically (default).
    l sdwan: Set the interface by SD-WAN or policy routing rules.
    l specify: Set the interface manually.

interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when interface-select-method is
    specify.

vdom <VDOM>
    Specify the VDOM. This option is only available and must be configured when interface-select-method is sdwan or
    specify.

source-ip <IPv4 address>
    Specify the source IPv4 address. This option is only available and must be configured when interface-select-method
    is sdwan or specify.

source-ip6 <IPv6 address>
    Specify the source IPv6 address. This option is only available and must be configured when interface-select-method
    is sdwan or specify.

Using BGP tags with SD-WAN rules

SD-WAN rules can use Border Gateway Protocol (BGP) learned routes as dynamic destinations.

In this example, a customer has two ISP connections, wan1 and wan2. wan1 is used primarily for direct access to
internet applications, and wan2 is used primarily for traffic to the customer's data center.
The customer could create an SD-WAN rule using the data center's IP address range as the destination to force that
traffic to use wan2, but the data center's IP range is not static. Instead, a BGP tag can be used.
For this example, wan2's BGP neighbor advertises the data center's network range with a community number of 30:5.
This example assumes that SD-WAN is enabled on the FortiGate, wan1 and wan2 are added as SD-WAN members in
the virtual-wan-link SD-WAN zone, and a policy and static route have been created. See SD-WAN quick start on page
679 for details.

FortiOS supports IPv4 and IPv6 route tags.

To configure BGP tags with SD-WAN rules:

1. Configure the community list:
    config router community-list
        edit "30:5"
            config rule
                edit 1
                    set action permit
                    set match "30:5"
                next
            end
        next
    end

2. Configure the route map:
    config router route-map
        edit "comm1"
            config rule
                edit 1
                    set match-community "30:5"
                    set set-route-tag 15
                next
            end
        next
    end

3. Configure BGP:
    config router bgp
        set as xxxxx
        set router-id xxxx
        config neighbor
            edit "10.100.20.2"
                set soft-reconfiguration enable
                set remote-as xxxxx
                set route-map-in "comm1"
            next
        end
    end

4. Configure a firewall policy:
    config firewall policy
        edit 1
            set name "1"
            set srcintf "dmz"
            set dstintf "virtual-wan-link"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

5. Edit the SD-WAN configuration:
    config system sdwan
        set status enable
        config members
            edit 1
                set interface "wan1"
                set gateway 172.16.20.2
            next
            edit 2
                set interface "wan2"
            next
        end
        config service
            edit 1
                set name "DataCenter"
                set mode manual
                set route-tag 15
                set priority-members 2
            next
        end
    end

Troubleshooting BGP tags with SD-WAN rules

Check the network community

Use the get router info bgp network command to check the network community:
# get router info bgp network
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop       Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0          10.100.1.5                    32768        0 ?
*> 1.1.1.1/32         0.0.0.0                       32768        0 ?
*> 10.1.100.0/24      172.16.203.2                  32768        0 ?
*> 10.100.1.0/30      0.0.0.0                       32768        0 ?
*> 10.100.1.4/30      0.0.0.0                       32768        0 ?
*> 10.100.1.248/29    0.0.0.0                       32768        0 ?
*> 10.100.10.0/24     10.100.1.5        202         10000       15 20 e
*> 172.16.200.0/24    0.0.0.0                       32768        0 ?
*> 172.16.200.200/32  0.0.0.0                       32768        0 ?
*> 172.16.201.0/24    172.16.200.4                  32768        0 ?
*> 172.16.203.0/24    0.0.0.0                       32768        0 ?
*> 172.16.204.0/24    172.16.200.4                  32768        0 ?
*> 172.16.205.0/24    0.0.0.0                       32768        0 ?
*> 172.16.206.0/24    0.0.0.0                       32768        0 ?
*> 172.16.207.1/32    0.0.0.0                       32768        0 ?
*> 172.16.207.2/32    0.0.0.0                       32768        0 ?
*> 172.16.212.1/32    0.0.0.0                       32768        0 ?
*> 172.16.212.2/32    0.0.0.0                       32768        0 ?
*> 172.17.200.200/32  0.0.0.0                       32768        0 ?
*> 172.27.1.0/24      0.0.0.0                       32768        0 ?
*> 172.27.2.0/24      0.0.0.0                       32768        0 ?
*> 172.27.5.0/24      0.0.0.0                       32768        0 ?
*> 172.27.6.0/24      0.0.0.0                       32768        0 ?
*> 172.27.7.0/24      0.0.0.0                       32768        0 ?
*> 172.27.8.0/24      0.0.0.0                       32768        0 ?
*> 172.29.1.0/24      0.0.0.0                       32768        0 ?
*> 172.29.2.0/24      0.0.0.0                       32768        0 ?
*> 192.168.1.0        0.0.0.0                       32768        0 ?

Total number of prefixes 28


# get router info bgp network 10.100.11.0
BGP routing table entry for 10.100.10.0/24
Paths: (2 available, best 1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  172.10.22.2
  20
    10.100.20.2 from 10.100.20.2 (6.6.6.6)
      Origin EGP metric 200, localpref 100, weight 10000, valid, external, best
      Community: 30:5 <<<<===========================
      Last update: Wen Mar 20 18:45:17 2019

Check dynamic BGP addresses

Use the get router info route-map-address command to check dynamic BGP addresses:
# get router info route-map-address
Extend-tag: 15, interface(wan2:16)
    10.100.11.0/255.255.255.0

Check dynamic BGP addresses used in policy routes

Use the diagnose firewall proute list command to check dynamic BGP addresses used in policy routes:
# diagnose firewall proute list
list route policy info(vf=root):

id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0
sport=0:65535 iif=0 dport=1-65535 oif=16
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 10.100.11.0/255.255.255.0

BGP multiple path support

BGP additional-path support, as defined in RFC 7911, allows BGP to advertise and keep multiple paths for the same
prefix, so an ADVPN can advertise multiple paths.
In this example, Spoke1 and Spoke2 each have four VPN tunnels that are connected to the Hub with ADVPN. The Hub and
each spoke have established four BGP neighbor sessions, one on each of the four tunnels.


Spoke 1 and Spoke 2 can learn four different routes from each other.

To configure the hub:

config router bgp
    set as 65505
    set router-id 11.11.11.11
    set ibgp-multipath enable
    set additional-path enable
    set additional-path-select 4
    config neighbor-group
        edit "gr1"
            set capability-default-originate enable
            set remote-as 65505
            set additional-path both
            set adv-additional-path 4
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.0.0 255.255.0.0
            set neighbor-group "gr1"
        next
    end
    config network
        edit 12
            set prefix 11.11.11.11 255.255.255.255
        next
    end
end

To configure a spoke:

config router bgp
    set as 65505
    set router-id 2.2.2.2
    set ibgp-multipath enable
    set additional-path enable
    set additional-path-select 4
    config neighbor
        edit "10.10.100.254"
            set soft-reconfiguration enable
            set remote-as 65505
            set additional-path both
            set adv-additional-path 4
        next
        edit "10.10.200.254"
            set soft-reconfiguration enable
            set remote-as 65505
            set additional-path both
            set adv-additional-path 4
        next
        edit "10.10.203.254"
            set soft-reconfiguration enable
            set remote-as 65505
            set additional-path both
            set adv-additional-path 4
        next
        edit "10.10.204.254"
            set soft-reconfiguration enable
            set remote-as 65505
            set additional-path both
            set adv-additional-path 4
        next
    end
    config network
        edit 3
            set prefix 22.1.1.0 255.255.255.0
        next
    end
end

To view the BGP routing table on a spoke:

Spoke1 # get router info routing-table bgp

Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.10.200.254, vd2-2, 03:57:26
                  [200/0] via 10.10.203.254, vd2-3, 03:57:26
                  [200/0] via 10.10.204.254, vd2-4, 03:57:26
                  [200/0] via 10.10.100.254, vd2-1, 03:57:26
B       1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
                  [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
                  [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
                  [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
B       11.11.11.11/32 [200/0] via 10.10.200.254, vd2-2, 03:57:51
                  [200/0] via 10.10.203.254, vd2-3, 03:57:51
                  [200/0] via 10.10.204.254, vd2-4, 03:57:51
                  [200/0] via 10.10.100.254, vd2-1, 03:57:51
B       33.1.1.0/24 [200/0] via 10.10.204.3, vd2-4, 03:57:26
                  [200/0] via 10.10.203.3, vd2-3, 03:57:26
                  [200/0] via 10.10.200.3, vd2-2, 03:57:26
                  [200/0] via 10.10.100.3, vd2-1, 03:57:26
                  [200/0] via 10.10.204.3, vd2-4, 03:57:26
                  [200/0] via 10.10.203.3, vd2-3, 03:57:26
                  [200/0] via 10.10.200.3, vd2-2, 03:57:26
                  [200/0] via 10.10.100.3, vd2-1, 03:57:26
                  [200/0] via 10.10.204.3, vd2-4, 03:57:26
                  [200/0] via 10.10.203.3, vd2-3, 03:57:26
                  [200/0] via 10.10.200.3, vd2-2, 03:57:26
                  [200/0] via 10.10.100.3, vd2-1, 03:57:26
                  [200/0] via 10.10.204.3, vd2-4, 03:57:26
                  [200/0] via 10.10.203.3, vd2-3, 03:57:26
                  [200/0] via 10.10.200.3, vd2-2, 03:57:26
                  [200/0] via 10.10.100.3, vd2-1, 03:57:26

Controlling traffic with BGP route mapping and service rules

SD-WAN allows you to select different outbound WAN links based on performance SLAs. It is important that BGP
neighbors are aware of these settings, and changes to them.
BGP can adapt to changes in SD-WAN link SLAs in the following ways:
l Applying different route-maps based on the SD-WAN's health checks. For example, different BGP community
strings can be advertised to BGP neighbors when SLAs are not met.
l Traffic can be selectively forwarded based on the active BGP neighbor. If the SD-WAN service's role matches the
active SD-WAN neighbor, the service is enabled. If there is no match, then the service is disabled.

Example

In this topology, a branch FortiGate has two SD-WAN gateways serving as the primary and secondary gateways. The
gateways reside in different datacenters, but have a full mesh network between them.

This example shows how route-maps and service rules are selected based on performance SLAs and the member that
is currently active. Traffic flows through the primary gateway unless the neighbor's health check is outside of its SLA. If
that happens, traffic routes to the secondary gateway.
BGP NBR1 is the primary neighbor and BGP NBR2 is the secondary neighbor.
The branch FortiGate's wan1 and wan2 interfaces are members of the SD-WAN. When the SD-WAN neighbor status is
primary, it will advertise community 20:1 to BGP NBR1 and 20:5 to BGP NBR2. When the SD-WAN neighbor status is
secondary, it will advertise 20:5 to BGP NBR1 and 20:2 to BGP NBR2.


Only one of the primary or secondary neighbors can be active at one time. The SD-WAN neighbor status is used to
decide which neighbor is selected:
l Primary: The primary neighbor takes precedence if its SLAs are met.
l Secondary: If the primary neighbor's SLAs are not met, the secondary neighbor becomes active if its SLAs are met.
l Standalone: If neither the primary nor the secondary neighbor's SLAs are met, the SD-WAN neighbor status becomes
standalone.

Route map

SD-WAN is configured to let BGP advertise different communities when the SLA status changes. When the SLA is
missed, it triggers BGP to advertise a different community to its BGP neighbor based on its route-map. The BGP
neighbors can use the received community string to select the best path to reach the branch.

To configure BGP route-maps and neighbors:

1. Configure an access list for the routes to be matched:
    config router access-list
        edit "net192"
            config rule
                edit 1
                    set prefix 192.168.20.0 255.255.255.0
                next
            end
        next
    end

2. Configure the primary neighbor's preferred route-map:
    config router route-map
        edit "comm1"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "20:1"
                next
            end
        next
    end

3. Configure the secondary neighbor's preferred route-map:
    config router route-map
        edit "comm2"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "20:2"
                next
            end
        next
    end


4. Configure the failed route-map:
    config router route-map
        edit "comm5"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "20:5"
                next
            end
        next
    end

5. Configure BGP neighbors:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        set ibgp-multipath enable
        config neighbor
            edit "10.100.1.1"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "comm5"
                set route-map-out-preferable "comm1"
            next
            edit "10.100.1.5"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "comm5"
                set route-map-out-preferable "comm2"
            next
        end
    end

When SLAs are met, route-map-out-preferable is used. When SLAs are missed, route-map-out is used.

To configure SD-WAN:

1. Configure the SD-WAN members:
    config system sdwan
        set status enable
        config members
            edit 1
                set interface "port1"
            next
            edit 2
                set interface "port2"
            next
        end
    end

2. Configure health checks for each member:
    config system sdwan
        config health-check
            edit "ping"
                set server "10.100.2.22"
                set members 1
                config sla
                    edit 1
                        set link-cost-factor packet-loss
                        set packetloss-threshold 1
                    next
                end
            next
            edit "ping2"
                set server "10.100.2.23"
                set members 2
                config sla
                    edit 1
                        set link-cost-factor packet-loss
                        set packetloss-threshold 1
                    next
                end
            next
        end
    end

3. Configure the SD-WAN neighbors and assign them a role and the health checks used to determine if the neighbor
meets the SLA:
SD-WAN neighbors can only be configured in the CLI.
    config system sdwan
        config neighbor
            edit "10.100.1.1"
                set member 1
                set role primary
                set health-check "ping"
                set sla-id 1
            next
            edit "10.100.1.5"
                set member 2
                set role secondary
                set health-check "ping2"
                set sla-id 1
            next
        end
    end

Service rules

Create SD-WAN service rules to direct traffic to the primary neighbor when its SLAs are met, and to the secondary
neighbor when the primary neighbor's SLAs are missed.

To configure the SD-WAN service rules:

config system sdwan
    config service
        edit 1
            set name "Primary-Out"
            set role primary
            set dst "all"
            set src "all"
            set priority-members 1
        next
        edit 2
            set name "Secondary-Out"
            set role secondary
            set dst "all"
            set src "all"
            set priority-members 2
        next
    end
end

If neither the primary nor secondary neighbors are active, the SD-WAN neighbor status
becomes standalone. Only service rules with standalone-action enabled will continue to
pass traffic. This option is disabled by default.
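The following Python script is an added example, not FortiOS code and not part of the original guide. It models, for the configuration in this example, how the SD-WAN neighbor status (primary, secondary or standalone) follows from the SLA results, which route-map and therefore which BGP community each neighbor is sent, and which service rules pass traffic. The reading of the text and of the Verification outputs below is that the neighbor whose role equals the selected status is given route-map-out-preferable and every other neighbor is given route-map-out; the neighbor addresses, role names, route-map names, community strings and service rule names come from this example, and the SLA results are constructed inputs.

```python
# Added example (not FortiOS code): model of SD-WAN neighbor status, the route-map
# (and BGP community) advertised to each neighbor, and which service rules are active.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Neighbor:
    address: str
    role: str                        # "primary" or "secondary"
    route_map_out: str               # used when this neighbor is not the selected one
    route_map_out_preferable: str    # used when this neighbor is the selected one


@dataclass(frozen=True)
class Service:
    name: str
    role: str
    standalone_action: bool = False  # disabled by default, as the note above states


# Configuration taken from this example.
NEIGHBORS = [
    Neighbor("10.100.1.1", "primary", route_map_out="comm5", route_map_out_preferable="comm1"),
    Neighbor("10.100.1.5", "secondary", route_map_out="comm5", route_map_out_preferable="comm2"),
]
SERVICES = [Service("Primary-Out", "primary"), Service("Secondary-Out", "secondary")]
ROUTE_MAP_COMMUNITY = {"comm1": "20:1", "comm2": "20:2", "comm5": "20:5"}


def neighbor_status(sla_pass: Dict[str, bool]) -> str:
    """sla_pass maps a neighbor role to whether its health check currently meets the SLA."""
    if sla_pass.get("primary", False):
        return "primary"
    if sla_pass.get("secondary", False):
        return "secondary"
    return "standalone"


def advertised_communities(status: str) -> Dict[str, str]:
    """Community sent to each BGP neighbor: preferable route-map for the selected role, comm5 otherwise."""
    result = {}
    for n in NEIGHBORS:
        route_map = n.route_map_out_preferable if n.role == status else n.route_map_out
        result[n.address] = ROUTE_MAP_COMMUNITY[route_map]
    return result


def active_services(status: str, services: List[Service] = SERVICES) -> List[str]:
    """Service rules that pass traffic: those whose role matches, plus standalone-action rules in standalone."""
    return [s.name for s in services
            if s.role == status or (status == "standalone" and s.standalone_action)]


def evaluate(sla_pass: Dict[str, bool]) -> dict:
    status = neighbor_status(sla_pass)
    return {
        "status": status,
        "communities": advertised_communities(status),
        "services": active_services(status),
    }


if __name__ == "__main__":
    # Constructed SLA outcomes: both pass, primary fails, both fail.
    for sla in ({"primary": True, "secondary": True},
                {"primary": False, "secondary": True},
                {"primary": False, "secondary": False}):
        print(evaluate(sla))
```

The standalone case is the one to plan for: with standalone-action left at its default, the model (like the note above) ends with no service rule passing traffic, and both neighbors receive the failed community 20:5.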

Verification

To verify when the primary neighbor is passing traffic:

1. Verify the health check status:
    FortiGate-Branch # diagnose sys sdwan health-check
    Health Check(ping):
    Seq(1 port1): state(alive), packet-loss(0.000%) latency(0.569), jitter(0.061) sla_map=0x1
    Health Check(ping2):
    Seq(2 port2): state(alive), packet-loss(0.000%) latency(3.916), jitter(2.373) sla_map=0x1

2. Verify SD-WAN neighbor status:
    FortiGate-Branch # diagnose sys sdwan neighbor
    SD-WAN neighbor status: hold-down(disable), hold-down-time(0), hold_boot_time(0)
      Selected role(primary) last_secondary_select_time/current_time in seconds 0/572
      Neighbor(10.100.1.1): member(1) role(primary)
        Health-check(ping:1) sla-pass selected alive
      Neighbor(10.100.1.5): member(2) role(secondary)
        Health-check(ping2:1) sla-pass alive

3. Verify service rules status:
    FortiGate-Branch # diagnose sys sdwan service

    Service(1): Address Mode(IPV4) flags=0x0
      Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Service role: primary
      Members:
        1: Seq_num(1 port1), alive, selected
      Src address:
            0.0.0.0-255.255.255.255

      Dst address:
            0.0.0.0-255.255.255.255

    Service(2): Address Mode(IPV4) flags=0x0
      Gen(6), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Service role: secondary, disabled by unselected.
      Members:
        1: Seq_num(2 port2), alive, selected
      Src address:
            0.0.0.0-255.255.255.255

      Dst address:
            0.0.0.0-255.255.255.255

4. Verify neighbor routers:
    a. Primary neighbor router:
        FGT-NBR1 # get router info bgp network 192.168.20.0
        BGP routing table entry for 192.168.20.0/24
        Paths: (1 available, best #1, table Default-IP-Routing-Table)
          Not advertised to any peer
          64512
            10.100.1.2 from 10.100.1.2 (192.168.122.98)
              Origin IGP metric 0, localpref 100, valid, external, best
              Community: 20:1
              Last update: Thu Apr 30 13:41:40 2020

    b. Secondary neighbor router:
        FGT-NBR2 # get router info bgp network 192.168.20.0
        VRF 0 BGP routing table entry for 192.168.20.0/24
        Paths: (1 available, best #1, table Default-IP-Routing-Table)
          Not advertised to any peer
          Original VRF 0
          64512
            10.100.1.6 from 10.100.1.6 (192.168.122.98)
              Origin IGP metric 0, localpref 100, valid, external, best
              Community: 20:5
              Last update: Thu Apr 30 13:41:39 2020

To verify when the secondary neighbor is passing traffic:

1. Verify the health check status:
    FortiGate-Branch # diagnose sys sdwan health-check
    Health Check(ping):
    Seq(1 port1): state(dead), packet-loss(54.000%) sla_map=0x0
    Health Check(ping2):
    Seq(2 port2): state(alive), packet-loss(0.000%) latency(4.339), jitter(3.701) sla_map=0x1

2. Verify SD-WAN neighbor status:

FortiGate-Branch # diagnose sys sdwan neighbor
SD-WAN neighbor status: hold-down(disable), hold-down-time(0), hold_boot_time(0)
Selected role(secondary) last_secondary_select_time/current_time in seconds 936/936
Neighbor(10.100.1.1): member(1) role(primary)
Health-check(ping:1) sla-fail dead
Neighbor(10.100.1.5): member(2) role(secondary)
Health-check(ping2:1) sla-pass selected alive

3. Verify service rules status:

FortiGate-Branch # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service role: primary, disabled by unselected.
Members:
1: Seq_num(1 port1), alive, selected
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

Service(2): Address Mode(IPV4) flags=0x0
Gen(7), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service role: secondary
Members:
1: Seq_num(2 port2), alive, selected
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

4. Verify neighbor routers:

a. Primary neighbor router:
FGT-NBR1 # get router info bgp network 192.168.20.0
BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
64512
10.100.1.2 from 10.100.1.2 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 20:5
Last update: Thu Apr 30 15:41:58 2020

b. Secondary neighbor router:
FGT-NBR2 # get router info bgp network 192.168.20.0
VRF 0 BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
64512
10.100.1.6 from 10.100.1.6 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 20:2
Last update: Thu Apr 30 15:42:07 2020

Applying BGP route-map to multiple BGP neighbors

The previous example, Controlling traffic with BGP route mapping and service rules, explained how BGP can apply different route-maps to the primary and secondary SD-WAN neighbors based on SLA health checks.

In this example, SD-WAN neighbors that are not bound to primary and secondary roles are configured.

The FortiGate has multiple SD-WAN links and has formed BGP neighbors with both ISPs.
ISP1 is used primarily for outbound traffic, and has an SD-WAN service rule using the lowest cost algorithm applied to it.
When SLAs for ISP1 are not met, it will fail over to the MPLS line.
Inbound traffic is allowed by both WAN links, with each WAN advertising a community string when SLAs are met. When
SLAs are not met, the WAN links advertise a different community string.
This example uses two SD-WAN links. The topology can be expanded to include more links as needed.

To configure BGP route-maps and neighbors:

1. Configure an access list for routes to be matched:

config router access-list
edit "net192"
config rule
edit 1
set prefix 192.168.20.0 255.255.255.0
next
end
next
end

2. Configure route-maps for neighbor ISP1:

config router route-map
edit "comm1"
config rule
edit 1
set match-ip-address "net192"
set set-community "64511:1"
next
end
next
edit "comm-fail1"
config rule
edit 1
set match-ip-address "net192"
set set-community "64511:5"
next
end
next
end

3. Configure route-maps for neighbor ISP2:

config router route-map
edit "comm2"
config rule
edit 1
set match-ip-address "net192"
set set-community "64522:1"
next
end
next
edit "comm-fail2"
config rule
edit 1
set match-ip-address "net192"
set set-community "64522:5"
next
end
next
end

4. Configure the BGP neighbors:

config router bgp
set as 64512
set keepalive-timer 1
set holdtime-timer 3
config neighbor
edit "192.168.2.1"
set soft-reconfiguration enable
set remote-as 64511
set route-map-out "comm-fail1"
set route-map-out-preferable "comm1"
next
edit "172.31.0.1"
set soft-reconfiguration enable
set remote-as 64522
set route-map-out "comm-fail2"
set route-map-out-preferable "comm2"
next
end
config network
edit 1
set prefix 192.168.20.0 255.255.255.0
next
end
end

When SLAs are met, route-map-out-preferable is used. When SLAs are missed, route-map-out is used.

To configure SD-WAN:

1. Configure the SD-WAN members:

config system sdwan
set status enable
config members
edit 1
set interface "port1"
set gateway 192.168.2.1
next
edit 2
set interface "MPLS"
set cost 20
next
end
end

2. Configure the health checks that must be met:

config system sdwan
config health-check
edit "pingserver"
set server "8.8.8.8"
set members 2 1
config sla
edit 1
set link-cost-factor packet-loss
set packetloss-threshold 2
next
end
next
end
end

3. Configure the SD-WAN neighbors and assign them a role and the health checks used to determine if the neighbor meets the SLA. When no role is defined, the default role, standalone, is used:

config system sdwan
config neighbor
edit "192.168.2.1"
set member 1
set health-check "pingserver"
set sla-id 1
next
edit "172.31.0.1"
set member 2
set health-check "pingserver"
set sla-id 1
next
end
end

Service rules

Create SD-WAN service rules to direct traffic to the SD-WAN links based on the lowest cost algorithm. The same SLA health check and criteria that are used for the SD-WAN neighbor are used for this SD-WAN service rule.
When no roles are defined in the service rule, the default role, standalone, is used.

To configure the SD-WAN service rule:

config system sdwan
config service
edit 1
set name "OutboundAll"
set mode sla
set dst "all"
set src "all"
config sla
edit "pingserver"
set id 1
next
end
set priority-members 1 2
next
end
end

Verification

To verify that when both SLAs are met, port1 is selected due to its lower cost:

1. Verify the health check status:

FortiGate-Branch # diagnose sys sdwan health-check
Health Check(pingserver):
Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(24.709), jitter(14.996) sla_map=0x1
Seq(1 port1): state(alive), packet-loss(0.000%) latency(28.771), jitter(14.840) sla_map=0x1

2. Verify SD-WAN neighbor status:

FortiGate-Branch # diagnose sys sdwan neighbor
Neighbor(192.168.2.1): member(1) role(standalone)
Health-check(pingserver:1) sla-pass selected alive
Neighbor(172.31.0.1): member(2) role(standalone)
Health-check(pingserver:1) sla-pass selected alive

3. Verify service rules status:

Because the service role is standalone, it matches both neighbors. The mode (SLA) determines that port1 is lower cost.
FortiGate-Branch # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Service role: standalone
Members:
1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

4. Verify neighbor routers:

a. Primary neighbor router:
FGT-NBR1 # get router info bgp network 192.168.20.0
BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
64512
192.168.2.5 from 192.168.2.5 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 64511:1
Last update: Thu Apr 30 23:59:05 2020

b. Secondary neighbor router:
FGT-NBR2 # get router info bgp network 192.168.20.0
VRF 0 BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
64512
172.31.0.2 from 172.31.0.2 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 64522:1
Last update: Fri May 1 00:11:28 2020

To verify that when neighbor ISP1 misses SLAs, MPLS is selected and BGP advertises a different
community string for ISP1:

1. Verify the health check status:

FortiGate-Branch # diagnose sys sdwan health-check
Health Check(pingserver):
Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(25.637), jitter(17.820) sla_map=0x1
Seq(1 port1): state(dead), packet-loss(16.000%) sla_map=0x0

2. Verify SD-WAN neighbor status:

FortiGate-Branch # diagnose sys sdwan neighbor
Neighbor(192.168.2.1): member(1) role(standalone)
Health-check(pingserver:1) sla-fail dead
Neighbor(172.31.0.1): member(2) role(standalone)
Health-check(pingserver:1) sla-pass selected alive

3. Verify service rules status:

As SLA failed for neighbor ISP1, MPLS is preferred.
FortiGate-Branch # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Service role: standalone
Members:
1: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
2: Seq_num(1 port1), dead, sla(0x0), cfg_order(0), cost(0)
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

4. Verify neighbor routers:

The community received on ISP1 is updated.
a. Primary neighbor router:
FGT-NBR1 # get router info bgp network 192.168.20.0
BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
64512
192.168.2.5 from 192.168.2.5 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 64511:5
Last update: Fri May 1 00:33:26 2020

b. Secondary neighbor router:
FGT-NBR2 # get router info bgp network 192.168.20.0
VRF 0 BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
64512
172.31.0.2 from 172.31.0.2 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 64522:1
Last update: Fri May 1 00:22:42 2020
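Both verification sequences above, the primary/secondary one that closes the previous example and the standalone-role one just shown, turn on the same facts: a member's health-check result decides which member an SLA-mode rule selects and which route-map (route-map-out-preferable or route-map-out) each BGP neighbor is sent. The following Python script is an added example, not FortiOS or Fortinet code. It parses the `diagnose sys sdwan health-check` and `get router info bgp network` outputs in the formats printed on this page, recomputes the SLA verdict, the member order and the community each neighbor should see, and reports any neighbor whose received community does not match, which is the condition to alert on after a failover. The function names, the `Sla` and `MemberHealth` records and the `SAMPLE_*` strings are the example's own; the threshold (packetloss-threshold 2), costs, priority order and community values come from the configuration above, and the rule that a measurement above its threshold fails the SLA target is the example's reading of the behaviour, not a statement from the guide.

```python
"""Reproduce the SD-WAN decisions shown in the verification steps above from
the diagnose output they print, and compare them with what a neighbor shows.
Added example, not Fortinet code. It assumes the line formats printed on this
page. Thresholds, member costs and community values come from the page's
configuration; treating a measurement above its threshold as failing the SLA
target is this example's reading of the behaviour.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples, copied from the "ISP1 misses SLAs" verification step.
SAMPLE_HEALTH_CHECK = """\
Health Check(pingserver):
Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(25.637), jitter(17.820) sla_map=0x1
Seq(1 port1): state(dead), packet-loss(16.000%) sla_map=0x0
"""
SAMPLE_BGP_NBR1 = """\
192.168.2.5 from 192.168.2.5 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 64511:5
"""
SEQ_RE = re.compile(
    r"Seq\((?P<seq>\d+) (?P<intf>\S+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\)"
    r"(?: latency\((?P<lat>[\d.]+)\), jitter\((?P<jit>[\d.]+)\))?"
    r" sla_map=(?P<sla>0x[0-9a-fA-F]+)")

@dataclass
class MemberHealth:
    seq: int
    interface: str
    alive: bool
    packet_loss: float          # percent
    latency: Optional[float]    # ms; absent when the probe is dead
    jitter: Optional[float]     # ms
    sla_map: int                # bitmask of the SLA ids the firewall says are met

@dataclass
class Sla:
    packet_loss: Optional[float] = None   # percent (packetloss-threshold)
    latency: Optional[float] = None       # ms (latency-threshold)
    jitter: Optional[float] = None        # ms (jitter-threshold)

def parse_health_check(text):
    """Map each health-check name to the member records listed under it."""
    checks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Health Check\((\S+)\):", line)
        if m:
            current = checks.setdefault(m.group(1), [])
            continue
        m = SEQ_RE.match(line)
        if m and current is not None:
            current.append(MemberHealth(
                int(m["seq"]), m["intf"], m["state"] == "alive", float(m["loss"]),
                float(m["lat"]) if m["lat"] else None,
                float(m["jit"]) if m["jit"] else None, int(m["sla"], 16)))
    return checks

def meets_sla(h, sla):
    """A dead member fails; an alive one must satisfy every configured threshold."""
    if not h.alive:
        return False
    for measured, limit in ((h.packet_loss, sla.packet_loss),
                            (h.latency, sla.latency), (h.jitter, sla.jitter)):
        if limit is not None and (measured is None or measured > limit):
            return False
    return True

def rank_members(members, sla, cost, priority):
    """Order members as an SLA-mode rule with sla-compare-order does: members
    that meet the SLA first, then lowest cost, then priority-members order."""
    key = lambda h: (not meets_sla(h, sla), cost[h.seq], priority.index(h.seq))
    return [h.interface for h in sorted(members, key=key)]

def expected_communities(members, sla, neighbors):
    """neighbors: peer IP -> (member seq, preferable community, fallback community).
    A peer whose member meets the SLA is sent route-map-out-preferable."""
    by_seq = {h.seq: h for h in members}
    return {peer: good if meets_sla(by_seq[seq], sla) else bad
            for peer, (seq, good, bad) in neighbors.items()}

def received_community(bgp_text):
    """Community the neighbor router shows for the prefix, or None if absent."""
    m = re.search(r"^Community: (\S+)", bgp_text, re.MULTILINE)
    return m.group(1) if m else None

def stale_advertisements(expected, observed):
    """Peers whose received community differs from what the SLA state implies."""
    return sorted(p for p, c in expected.items() if observed.get(p) != c)

# Values from this page's configuration.
SLA1 = Sla(packet_loss=2)
COST, PRIORITY = {1: 0, 2: 20}, [1, 2]
NEIGHBORS = {"192.168.2.1": (1, "64511:1", "64511:5"),
             "172.31.0.1": (2, "64522:1", "64522:5")}
```

Run against the output of the failed-SLA step, `rank_members` returns MPLS ahead of port1 and `expected_communities` yields 64511:5 for 192.168.2.1 and 64522:1 for 172.31.0.1, matching the `Community:` lines the neighbor routers show in step 4; with both members in SLA it returns port1 first because port1 has cost 0. Feeding `stale_advertisements` the communities actually collected from the neighbors turns the manual step 4 check into something that can run on a schedule.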

VPN overlay

The following topics provide instructions on SD-WAN VPN overlays:

• ADVPN and shortcut paths on page 783
• SD-WAN monitor on ADVPN shortcuts on page 796
• SD-WAN integration with OCVPN on page 797
• Forward error correction on VPN overlay networks on page 804
• Dual VPN tunnel wizard on page 807
• Duplicate packets based on SD-WAN rules on page 808
• Duplicate packets on other zone members on page 810

ADVPN and shortcut paths

This topic provides an example of how to use SD-WAN and ADVPN together.
ADVPN (Auto Discovery VPN) is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish
dynamic, on-demand, direct tunnels between each other to avoid routing through the topology's hub device. The primary
advantage is that it provides full meshing capabilities to a standard hub-and-spoke topology. This greatly reduces the
provisioning effort for full spoke-to-spoke low delay reachability, and addresses the scalability issues associated with
very large fully meshed VPN networks.
If a customer's head office and branch offices all have two or more internet connections, they can build a dual-hub
ADVPN network. Combined with SD-WAN technology, the customer can load-balance traffic to other offices on multiple
dynamic tunnels, control specific traffic using specific connections, or choose better performance connections
dynamically.

SD-WAN load-balance mode rules (or services) do not support ADVPN members. Other modes' rules, such as SLA and priority, support ADVPN members.

This topic covers three parts:

1. Configure dual-hub ADVPN with multiple branches.
2. Configure BGP to exchange routing information among hubs and spokes.
3. Configure SD-WAN on spoke to do load-balancing and control traffic.

Configuration example

A typical ADVPN configuration with SD-WAN usually has two hubs, and each spoke connects to two ISPs and
establishes VPN tunnels with both hubs.
This example shows a hub-and-spoke configuration using two hubs and one spoke:
• Hub1 and Hub2 both use wan1 to connect to the ISPs and port10 to connect to the internal network.
• Spoke1 uses wan1 to connect to ISP1 and wan2 to connect to ISP2.
• wan1 sets up a VPN to hub1.
• wan2 sets up a VPN to hub2.
The SD-WAN is configured on the spoke. It uses the two VPN interfaces as members and two rules to control traffic to headquarters or other spokes using ADVPN VPN interfaces. You can create more rules if required.
For this example:
• Use SD-WAN member 1 (via ISP1) and its dynamic shortcuts for financial department traffic if member 1 meets SLA requirements. If it doesn't meet SLA requirements, it will use SD-WAN member 2 (via ISP2).
• Use SD-WAN member 2 (via ISP2) and its dynamic shortcuts for engineering department traffic.
• Load balance other traffic going to hubs and other spokes between these two members.
• Set up all other traffic to go with their original ISP connection. All other traffic does not go through SD-WAN.
• Set up basic network configuration to let all hubs and spokes connect to their ISPs and the Internet.

Hub internal network: 172.16.101.0/24
Spoke1 internal network: 10.1.100.0/24
ADVPN 1 network: 10.10.100.0/24
ADVPN 2 network: 10.10.200.0/24
Hub1 wan1 IP: 11.1.1.11
Hub2 wan1 IP: 11.1.2.11
Hub1 VPN IP: 10.10.100.254
Hub2 VPN IP: 10.10.200.254
Spoke1 to hub1 VPN IP: 10.10.100.2
Spoke1 to hub2 VPN IP: 10.10.200.2
Ping server in Headquarters: 11.11.11.11
Internal subnet of spoke1: 22.1.1.0/24
Internal subnet of spoke2: 33.1.1.0/24
Firewall addresses: Configure hub_subnets and spoke_subnets before using them in policies. These can be customized.

The GUI does not support some ADVPN related options, such as auto-discovery-sender, auto-discovery-receiver, auto-discovery-forwarder, and IBGP neighbor-group setting, so this example only provides CLI configuration commands.

Hub1 sample configuration

To configure the IPsec phase1 and phase2 interface:

config vpn ipsec phase1-interface
edit "hub-phase1"
set type dynamic
set interface "wan1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set tunnel-search nexthop
set psksecret sample
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "hub-phase2"
set phase1name "hub-phase1"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
next
end

To configure the VPN interface and BGP:

config system interface
edit "hub-phase1"
set ip 10.10.100.254 255.255.255.255
set remote-ip 10.10.100.253 255.255.255.0
next
end
config router bgp
set as 65505
config neighbor-group
edit "advpn"
set link-down-failover enable
set remote-as 65505
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.100.0 255.255.255.0
set neighbor-group "advpn"
next
end
config network
edit 1
set prefix 172.16.101.0 255.255.255.0
next
edit 2
set prefix 11.11.11.0 255.255.255.0
next
end
end

To configure the firewall policy:

config firewall policy
edit 1
set name "spoke2hub"
set srcintf "hub-phase1"
set dstintf "port10"
set srcaddr "spoke_subnets"
set dstaddr "hub_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from spokes to headquarter"
next
edit 2
set name "spoke2spoke"
set srcintf "hub-phase1"
set dstintf "hub-phase1"
set srcaddr "spoke_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from spokes to spokes"
next
edit 3
set name "internal2spoke"
set srcintf "port10"
set dstintf "hub-phase1"
set srcaddr "hub_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from headquarter to spokes"
next
end

Hub2 sample configuration

Hub2 configuration is the same as hub1 except the wan1 IP address, VPN interface IP address, and BGP neighbor-range prefix.

To configure the IPsec phase1 and phase2 interface:

config vpn ipsec phase1-interface
edit "hub-phase1"
set type dynamic
set interface "wan1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set tunnel-search nexthop
set psksecret sample
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "hub-phase2"
set phase1name "hub-phase1"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
next
end

To configure the VPN interface and BGP:

config system interface
edit "hub-phase1"
set ip 10.10.200.254 255.255.255.255
set remote-ip 10.10.200.253 255.255.255.0
next
end
config router bgp
set as 65505
config neighbor-group
edit "advpn"
set link-down-failover enable
set remote-as 65505
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.200.0 255.255.255.0
set neighbor-group "advpn"
next
end
config network
edit 1
set prefix 172.16.101.0 255.255.255.0
next
edit 2
set prefix 11.11.11.0 255.255.255.0
next
end
end

To configure the firewall policy:

config firewall policy
edit 1
set name "spoke2hub"
set srcintf "hub-phase1"
set dstintf "port10"
set srcaddr "spoke_subnets"
set dstaddr "hub_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from spokes to headquarter"
next
edit 2
set name "spoke2spoke"
set srcintf "hub-phase1"
set dstintf "hub-phase1"
set srcaddr "spoke_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from spokes to spokes"
next
edit 3
set name "internal2spoke"
set srcintf "port10"
set dstintf "hub-phase1"
set srcaddr "hub_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from headquarter to spokes"
next
end

Spoke1 sample configuration

To configure the IPsec phase1 and phase2 interface:

config vpn ipsec phase1-interface
edit "spoke1-phase1"
set interface "wan1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set auto-discovery-receiver enable
set remote-gw 11.1.1.11
set psksecret sample
set dpd-retryinterval 5
next
edit "spoke1-2-phase1"
set interface "wan2"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set auto-discovery-receiver enable
set remote-gw 11.1.2.11
set psksecret sample
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "spoke1-phase2"
set phase1name "spoke1-phase1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "spoke1-2-phase2"
set phase1name "spoke1-2-phase1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end

To configure the VPN interface and BGP:

config system interface
edit "spoke1-phase1"
set ip 10.10.100.2 255.255.255.255
set remote-ip 10.10.100.254 255.255.255.0
next
edit "spoke1-2-phase1"
set ip 10.10.200.2 255.255.255.255
set remote-ip 10.10.200.254 255.255.255.0
next
end
config router bgp
set as 65505
config neighbor
edit "10.10.100.254"
set advertisement-interval 1
set link-down-failover enable
set remote-as 65505
next
edit "10.10.200.254"
set advertisement-interval 1
set link-down-failover enable
set remote-as 65505
next
end
config network
edit 1
set prefix 10.1.100.0 255.255.255.0
next
end
end

To configure SD-WAN:

config system sdwan
set status enable
config members
edit 1
set interface "spoke1-phase1"
next
edit 2
set interface "spoke1-2-phase1"
next
end
config health-check
edit "ping"
set server "11.11.11.11"
set members 1 2
config sla
edit 1
set latency-threshold 200
set jitter-threshold 50
set packetloss-threshold 5
next
end
next
end
config service
edit 1
set mode sla
set dst "financial-department"
config sla
edit "ping"
set id 1
next
end
set priority-members 1 2
next
edit 2
set priority-members 2
set dst "engineering-department"
next
end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To configure the firewall policy:

config firewall policy
edit 1
set name "outbound_advpn"
set srcintf "internal"
set dstintf "virtual-wan-link"
set srcaddr "spoke_subnets"
set dstaddr "spoke_subnets" "hub_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow internal traffic going out to headquarter and other spokes"
next
edit 2
set name "inbound_advpn"
set srcintf "virtual-wan-link"
set dstintf "internal"
set srcaddr "spoke_subnets" "hub_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow headquarter and other spokes traffic coming in"
next
end

Troubleshooting ADVPN and shortcut paths

Before the spoke-to-spoke shortcut VPN is established

Use the following CLI commands to check the status before a spoke-to-spoke shortcut VPN is established.
# get router info bgp summary
BGP router identifier 2.2.2.2, local AS number 65505
BGP table version is 13
3 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.100.254 4 65505 3286 3270 11 0 0 00:02:15 5
10.10.200.254 4 65505 3365 3319 12 0 0 00:02:14 5

Total number of neighbors 2

# get router info routing-table bgp

Routing table for VRF=0

B* 0.0.0.0/0 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:00:58
[200/0] via 10.10.100.254, spoke1-phase1, 00:00:58
B 1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:01:29
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:01:29
B 11.11.11.0/24 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:01:29
[200/0] via 10.10.100.254, spoke1-phase1, 00:01:29
B 33.1.1.0/24 [200/0] via 10.10.200.3, spoke1-2-phase1, 00:00:58
[200/0] via 10.10.100.3, spoke1-phase1, 00:00:58
[200/0] via 10.10.200.3, spoke1-2-phase1, 00:00:58
[200/0] via 10.10.100.3, spoke1-phase1, 00:00:58
# diagnose vpn tunnel list
list all ipsec tunnel in vd 3
------------------------------------------------------
name=spoke1-phase1 ver=1 serial=5 12.1.1.2:0->11.1.1.11:0 dst_mtu=15324
bound_if=48 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=185 rxb=16428 txb=11111
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1 proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=15262 expire=42820/0B replaywin=2048
seqno=ba esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=03e01a2a esp=aes key=16 56e673f0df05186aa657f55cbb631c13
ah=sha1 key=20 b0d50597d9bed763c42469461b03da8041f87e88
enc: spi=2ead61bc esp=aes key=16 fe0ccd4a3ec19fe6d520c437eb6b8897
ah=sha1 key=20 e3e669bd6df41b88eadaacba66463706f26fb53a
dec:pkts/bytes=1/16368, enc:pkts/bytes=185/22360
npu_flag=03 npu_rgwy=11.1.1.11 npu_lgwy=12.1.1.2 npu_selid=0 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=spoke1-2-phase1 ver=1 serial=6 112.1.1.2:0->11.1.2.11:0 dst_mtu=15324
bound_if=90 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=21 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=186 rxb=16498 txb=11163
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=74
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1-2 proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=15262 expire=42818/0B replaywin=2048
seqno=bb esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=03e01a2b esp=aes key=16 fe49f5042a5ad236250bf53312db1346
ah=sha1 key=20 5dbb15c8cbc046c284bb1c6425dac2b3e15bec85
enc: spi=2ead61bd esp=aes key=16 d6d97be52c3cccb9e88f28a9db64ac46
ah=sha1 key=20 e20916ae6ea2295c2fbd5cbc8b8f5dd8b17f52f1
dec:pkts/bytes=1/16438, enc:pkts/bytes=186/22480
npu_flag=03 npu_rgwy=11.1.2.11 npu_lgwy=112.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
# diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
Member sub interface:
Members:
1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected
Dst address: 33.1.1.1-33.1.1.100

Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Member sub interface:
Members:
1: Seq_num(2), alive, selected
Dst address: 33.1.1.101-33.1.1.200
# diagnose firewall proute list
list route policy info(vf=vd2):

id=2132869121 vwl_service=1 vwl_mbr_seq=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=70 oif=71
destination(1): 33.1.1.1-33.1.1.100
source wildcard(1): 0.0.0.0/0.0.0.0

id=2132869122 vwl_service=2 vwl_mbr_seq=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=71
destination(1): 33.1.1.101-33.1.1.200
source wildcard(1): 0.0.0.0/0.0.0.0

After the spoke-to-spoke shortcut VPN is established

Use the following CLI commands to check the status after a spoke-to-spoke shortcut VPN is established.
# get router info routing-table bgp

Routing table for VRF=0

B* 0.0.0.0/0 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:01:33
[200/0] via 10.10.100.254, spoke1-phase1, 00:01:33
B 1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:02:04
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:02:04
B 11.11.11.0/24 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:02:04
[200/0] via 10.10.100.254, spoke1-phase1, 00:02:04
B 33.1.1.0/24 [200/0] via 10.10.200.3, spoke1-2-phase1_0, 00:01:33
[200/0] via 10.10.100.3, spoke1-phase1_0, 00:01:33
[200/0] via 10.10.200.3, spoke1-2-phase1_0, 00:01:33
[200/0] via 10.10.100.3, spoke1-phase1_0, 00:01:33
# diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
Member sub interface:
1: seq_num(1), interface(spoke1-phase1):
1: spoke1-phase1_0(111)
2: seq_num(2), interface(spoke1-2-phase1):
1: spoke1-2-phase1_0(113)
Members:
1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected
Dst address: 33.1.1.1-33.1.1.100

Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Member sub interface:
1: seq_num(2), interface(spoke1-2-phase1):
1: spoke1-2-phase1_0(113)
Members:
1: Seq_num(2), alive, selected
Dst address: 33.1.1.101-33.1.1.200
# diagnose vpn tunnel list
list all ipsec tunnel in vd 3
------------------------------------------------------
name=spoke1-phase1 ver=1 serial=5 12.1.1.2:0->11.1.1.11:0 dst_mtu=15324
bound_if=48 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=20 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=759 rxb=16428 txb=48627
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd2-1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=15262 expire=42536/0B replaywin=2048
seqno=2f8 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=03e01a42 esp=aes key=16 1f131bda108d33909d49fc2778bd08bb
ah=sha1 key=20 14131d3f0da9b741a2fd13d530b0553aa1f58983
enc: spi=2ead61d8 esp=aes key=16 81ed24d5cd7bb59f4a80dceb5a560e1f
ah=sha1 key=20 d2ccc2f3223ce16514e75f672cd88c4b4f48b681
dec:pkts/bytes=1/16360, enc:pkts/bytes=759/94434
npu_flag=03 npu_rgwy=11.1.1.11 npu_lgwy=12.1.1.2 npu_selid=0 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=spoke1-2-phase1 ver=1 serial=6 112.1.1.2:0->11.1.2.11:0 dst_mtu=15324
bound_if=90 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=756 rxb=16450 txb=48460
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=74
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd2-2 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=15262 expire=42538/0B replaywin=2048
seqno=2f5 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42900/43200
dec: spi=03e01a43 esp=aes key=16 7fc87561369f88b56d08bfda769eb45b
ah=sha1 key=20 0ed554ef231c5ac16dc2e71d1907d7347dda33d6
enc: spi=2ead61d9 esp=aes key=16 00286687aa1762e7d8216881d6720ef3
ah=sha1 key=20 59d5eec6299ebcf038c190860774e2833074d7c3
dec:pkts/bytes=1/16382, enc:pkts/bytes=756/94058
npu_flag=03 npu_rgwy=11.1.2.11 npu_lgwy=112.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=spoke1-phase1_0 ver=1 serial=55 12.1.1.2:0->13.1.1.3:0 dst_mtu=15324
bound_if=48 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=vd2-1 index=0
proxyid_num=1 child_num=0 refcnt=18 ilast=8 olast=8 ad=r/2
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd2-1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=15262 expire=42893/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=03e01a44 esp=aes key=16 c3b77a98e3002220e2373b73af14df6e
ah=sha1 key=20 d18d107c248564933874f60999d6082fd7a78948
enc: spi=864f6dba esp=aes key=16 eb6181806ccb9bac37931f9eadd4d5eb
ah=sha1 key=20 ab788f7a372877a5603c4ede1be89a592fc21873
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=13.1.1.3 npu_lgwy=12.1.1.2 npu_selid=51 dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=spoke1-2-phase1_0 ver=1 serial=57 112.1.1.2:0->113.1.1.3:0 dst_mtu=15324
bound_if=90 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=vd2-2 index=0
proxyid_num=1 child_num=0 refcnt=17 ilast=5 olast=5 ad=r/2
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd2-2 proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0

FortiOS 6.4.13 Administration Guide 795


Fortinet Inc.
SD-WAN

SA: ref=3 options=1a227 type=00 soft=0 mtu=15262 expire=42900/0B replaywin=2048


seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=03e01a45 esp=aes key=16 0beb519ed9f800e8b4c0aa4e1df7da35
ah=sha1 key=20 bc9f38db5296cce4208a69f1cc8a9f7ef4803c37
enc: spi=864f6dbb esp=aes key=16 1d26e3556afcdb9f8e3e33b563b44228
ah=sha1 key=20 564d05ef6f7437e1fd0a88d5fee7b6567f9d387e
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=113.1.1.3 npu_lgwy=112.1.1.2 npu_selid=53 dec_npuid=0 enc_npuid=0
# diagnose firewall proute list
list route policy info(vf=vd2):

id=2132869121 vwl_service=1 vwl_mbr_seq=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=111 oif=70 oif=113 oif=71
destination(1): 33.1.1.1-33.1.1.100
source wildcard(1): 0.0.0.0/0.0.0.0

id=2132869122 vwl_service=2 vwl_mbr_seq=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=113 oif=71
destination(1): 33.1.1.101-33.1.1.200
source wildcard(1): 0.0.0.0/0.0.0.0

SD-WAN monitor on ADVPN shortcuts

SD-WAN monitors ADVPN shortcut link quality by dynamically creating link monitors for each ADVPN link. The dynamic
link monitor on the spoke will use ICMP probes and the IP address of the gateway as the monitored server. These ICMP
probes will not be counted as actual user traffic that keeps the spoke-to-spoke tunnel alive.

l When no shortcut is established:


# diagnose sys sdwan health-check
Health Check(ping):
Seq(1 tunnel-1): state(alive), packet-loss(0.000%) latency(0.038), jitter(0.006) sla_map=0x3
Seq(2 tunnel-2): state(alive), packet-loss(0.000%) latency(0.035), jitter(0.004) sla_map=0x3

l When one shortcut is established:


# diagnose sys sdwan health-check
Health Check(ping):
Seq(1 tunnel-1): state(alive), packet-loss(0.000%) latency(0.039), jitter(0.003) sla_map=0x3
Seq(1 tunnel-1_0): state(alive), packet-loss(0.000%) latency(0.060), jitter(0.023) sla_map=0x3
Seq(2 tunnel-2): state(alive), packet-loss(0.000%) latency(0.035), jitter(0.002) sla_map=0x3

l When more than one shortcut is established:


# diagnose sys sdwan health-check
Health Check(ping):
Seq(1 tunnel-1): state(alive), packet-loss(0.000%) latency(0.036), jitter(0.004) sla_map=0x3
Seq(1 tunnel-1_0): state(alive), packet-loss(0.000%) latency(0.041), jitter(0.009) sla_map=0x3
Seq(2 tunnel-2): state(alive), packet-loss(0.000%) latency(0.030), jitter(0.005) sla_map=0x3
Seq(2 tunnel-2_0): state(alive), packet-loss(0.000%) latency(0.031), jitter(0.004) sla_map=0x3

SD-WAN integration with OCVPN

OCVPN can enable SD-WAN in order to dynamically add its tunnel interfaces as SD-WAN members. Users can configure
SD-WAN health checks and service rules to direct traffic over the OCVPN tunnels.
The following example uses a dual hub and spoke topology. Each hub and spoke has two WAN link connections to the
ISP. The spokes generate two IPsec tunnels to each hub (four tunnels in total). BGP neighbors are established over
each tunnel, and routes from the hubs and other spokes are learned from all neighbors, which forms an ECMP scenario.
All tunnels are placed as SD-WAN members, so traffic can be distributed across tunnels based on the configured
SD-WAN service rules.

To integrate SD-WAN with OCVPN in the GUI:

1. Configure the primary hub:


a. Go to VPN > Overlay Controller VPN and set the Status to Enable.
b. For Role, select Primary Hub.
c. Enter the WAN interfaces (port15 and port16) and tunnel IP allocation block (10.254.0.0/16).

The WAN interface is position sensitive, meaning a tunnel will be created with the first
position interface on the hub to the first position interface on the spoke, and so on. In
this example, FGT_A (primary hub) will create two tunnels with FGT_C (spoke):
l FGT_A port15 <==> FGT_C internal1

l FGT_A port16 <==> FGT_C internal2

d. Enable Auto-discovery shortcuts.


e. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN
members if SD-WAN is enabled.
2. Configure the overlays on the primary hub:
a. In the Overlays section, click Create New.
b. Enter a name and add the local interface (port2). Note the overlay is either based on local subnets or local
interfaces, but not both.
By default, inter-overlay traffic is not enabled. Toggle Allow traffic from other overlays to enable it.
c. Click OK and repeat these steps to create the second overlay (loop1).

d. Click Apply.

3. Configure the secondary hub with the same settings as the primary hub.
4. Configure the spoke:
a. Go to VPN > Overlay Controller VPN and set the Status to Enable.
b. For Role, select Spoke.
c. Enter the WAN interfaces (internal1 and internal2).
d. Enable Auto-discovery shortcuts.
e. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN
members if SD-WAN is enabled.

f. Configure the overlays.

The overlay names on the spokes must match the hub for the traffic to be allowed
through the same overlay.

g. Click Apply.

5. Configure the other spoke with the same settings.


6. On a spoke, go to Network > SD-WAN Zones to view the configuration generated by OCVPN.

Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface.
Each policy will define the proper local and remote networks for its source and destination addresses.

To integrate SD-WAN with OCVPN in the CLI:

1. Configure the primary hub:


config vpn ocvpn
set role primary-hub
set sdwan enable
set wan-interface "port15" "port16"
set ip-allocation-block 10.254.0.0 255.255.0.0
config overlays
edit "overlay1"
config subnets
edit 1
set type interface
set interface "port2"
next
end
next
edit "overlay2"
config subnets

edit 1
set type interface
set interface "loop1"
next
end
next
end
end

2. Configure the secondary hub with the same settings as the primary hub.
3. Configure the spoke:
config vpn ocvpn
set status enable
set sdwan enable
set wan-interface "internal1" "internal2"
config overlays
edit "overlay1"
config subnets
edit 1
set type interface
set interface "wan2"
next
end
next
edit "overlay2"
config subnets
edit 1
set type interface
set interface "loop1"
next
end
next
end
end

4. Configure the other spoke with the same settings.


5. Configure SD-WAN:
config system sdwan
set status enable
config members
edit 1
set interface "_OCVPN2-0a"
next
edit 2
set interface "_OCVPN2-0b"
next
edit 3
set interface "_OCVPN2-1a"
next
edit 4
set interface "_OCVPN2-1b"
next
end
end

Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface.
Each policy will define the proper local and remote networks for its source and destination addresses.

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To verify the integration is working after the ADVPN shortcut is triggered:

1. Check the routing table on the spoke:


FGT_C # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0


S* 0.0.0.0/0 [10/0] via 172.16.17.2, internal1
[10/0] via 172.16.18.2, internal2
B 10.1.100.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
[200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
B 10.1.200.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
[200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
B 10.2.100.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
[200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
B 10.2.200.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
[200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
B 10.254.0.0/16 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:15
[200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:15
[200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
[200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
C 10.254.0.0/21 is directly connected, _OCVPN2-0a
C 10.254.0.1/32 is directly connected, _OCVPN2-0a
C 10.254.8.0/21 is directly connected, _OCVPN2-0b
C 10.254.8.1/32 is directly connected, _OCVPN2-0b
C 10.254.64.0/21 is directly connected, _OCVPN2-1a
C 10.254.64.1/32 is directly connected, _OCVPN2-1b_0 <==shortcut tunnel
C 10.254.64.2/32 is directly connected, _OCVPN2-1a
C 10.254.72.0/21 is directly connected, _OCVPN2-1b
C 10.254.72.2/32 is directly connected, _OCVPN2-1b
is directly connected, _OCVPN2-1b_0
C 172.16.17.0/24 is directly connected, internal1
C 172.16.18.0/24 is directly connected, internal2
C 172.16.200.0/24 is directly connected, wan1
C 192.168.1.0/24 is directly connected, internal
C 192.168.4.0/24 is directly connected, wan2
B 192.168.5.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
[200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
[200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
[200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
[200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
[200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10

[200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
[200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
C 192.168.44.0/24 is directly connected, loop1
B 192.168.55.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
[200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
[200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
[200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
[200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
[200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
[200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
[200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10

2. Check the VPN tunnel state:


FGT_C # diagnose vpn tunnel list

list all ipsec tunnel in vd 0


------------------------------------------------------
name=_OCVPN2-1b_0 ver=2 serial=1c 172.16.18.3:0->172.16.15.4:0 dst_mtu=1500
bound_if=9 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu
create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1 overlay_id=4

parent=_OCVPN2-1b index=0
proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=r/2
stat: rxp=641 txp=1025 rxb=16436 txb=16446
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1b proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=42650/0B replaywin=1024
seqno=407 esn=0 replaywin_lastseq=00000280 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43186/43200
dec: spi=90f03d9d esp=aes key=16 6cb33685bbc67d5c85488e0176ecf7b0
ah=sha1 key=20 7d11b3babe62c840bf444b7b1f637b4324722a71
enc: spi=7bc94bda esp=aes key=16 b4d8fc731d411eb24448b4077a5872ca
ah=sha1 key=20 b724064d827304a6d80385ed4914461108b7312f
dec:pkts/bytes=641/16368, enc:pkts/bytes=2053/123426
npu_flag=03 npu_rgwy=172.16.15.4 npu_lgwy=172.16.18.3 npu_selid=1f dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=_OCVPN2-0a ver=2 serial=18 172.16.17.3:0->172.16.13.1:0 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=1

proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2


stat: rxp=1665 txp=2922 rxb=278598 txb=70241
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0a proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
seqno=890 esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=90f03d95 esp=aes key=16 a6ffcc197bb1b46ec745d0b595cdd69a
ah=sha1 key=20 8007c134e41edf282f95daf9c9033d688ef05ccc

enc: spi=a1bf21bf esp=aes key=16 ead05be389b0dec222f969e2f9c46b1d
ah=sha1 key=20 b04105d34d4b0e61b018f2e60591f9b1510783bb
dec:pkts/bytes=1665/278538, enc:pkts/bytes=4237/265074
npu_flag=03 npu_rgwy=172.16.13.1 npu_lgwy=172.16.17.3 npu_selid=1b dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=_OCVPN2-1a ver=2 serial=1a 172.16.17.3:0->172.16.11.1:0 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=3

proxyid_num=1 child_num=0 refcnt=17 ilast=0 olast=0 ad=r/2


stat: rxp=1 txp=2913 rxb=16376 txb=69642
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1a proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41653/0B replaywin=1024
seqno=887 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42900/43200
dec: spi=90f03d9b esp=aes key=16 ee03f5b0f617a26c6177e91d60abf90b
ah=sha1 key=20 f60cbbc4ebbd6d0327d23137da707b7ab2dc49e6
enc: spi=a543a7d3 esp=aes key=16 1d37efab13a5c0347b582b2198b15cb8
ah=sha1 key=20 427ee4c82bac6f26f0bcabfe04328c7f57ce682e
dec:pkts/bytes=1/16316, enc:pkts/bytes=4229/264036
npu_flag=03 npu_rgwy=172.16.11.1 npu_lgwy=172.16.17.3 npu_selid=1d dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=_OCVPN2-0b ver=2 serial=19 172.16.18.3:0->172.16.14.1:0 dst_mtu=1500
bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=2

proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2


stat: rxp=1665 txp=2917 rxb=278576 txb=69755
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0b proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
seqno=88b esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=90f03d96 esp=aes key=16 9d7eb233c1d095b30796c3711d53f2fd
ah=sha1 key=20 d8feacd42b5e0ba8b5e38647b2f2734c94644bd1
enc: spi=a1bf21c0 esp=aes key=16 d2c0984bf86dc504c5475230b24034f0
ah=sha1 key=20 3946e4033e1f42b0d9a843b94448f56fd5b57bee
dec:pkts/bytes=1665/278516, enc:pkts/bytes=4233/264411
npu_flag=03 npu_rgwy=172.16.14.1 npu_lgwy=172.16.18.3 npu_selid=1c dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=_OCVPN2-1b ver=2 serial=1b 172.16.18.3:0->172.16.12.1:0 dst_mtu=1500
bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=4

proxyid_num=1 child_num=1 refcnt=19 ilast=1 olast=0 ad=r/2


stat: rxp=1 txp=2922 rxb=16430 txb=70173

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1b proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41656/0B replaywin=1024
seqno=890 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=90f03d9c esp=aes key=16 a655767c1ed6cff4575857eb3981ad81
ah=sha1 key=20 bfc2bccd7103a201be2641d4c6147d437d2c3f70
enc: spi=a543a7d4 esp=aes key=16 7221b814e483165b01edfdc8260d261a
ah=sha1 key=20 d54819643c2f1b20da2aea4282d50a1f1bc1d72a
dec:pkts/bytes=1/16370, enc:pkts/bytes=4238/265164
npu_flag=03 npu_rgwy=172.16.12.1 npu_lgwy=172.16.18.3 npu_selid=1e dec_npuid=1 enc_npuid=1

3. Check the SD-WAN state:


FGT_C # diagnose sys sdwan health-check
Health Check(Default_DNS):
Health Check(Default_Office_365):
Health Check(Default_Gmail):
Health Check(Default_AWS):
Health Check(Default_Google Search):
Health Check(Default_FortiGuard):
Health Check(ocvpn):
Seq(1 _OCVPN2-0a): state(alive), packet-loss(0.000%) latency(0.364), jitter(0.028) sla_map=0x0
Seq(2 _OCVPN2-0b): state(alive), packet-loss(0.000%) latency(0.287), jitter(0.026) sla_map=0x0
Seq(3 _OCVPN2-1a): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(4 _OCVPN2-1b): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(4 _OCVPN2-1b_0): state(alive), packet-loss(0.000%) latency(0.289), jitter(0.029) sla_map=0x0
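The health-check output above (and the ADVPN shortcut output in "SD-WAN monitor on ADVPN shortcuts") is easy to misread when a parent tunnel shows state(dead) while its dynamically created shortcut, which shares the same Seq number and carries a "_<n>" suffix, is alive. The following parser is an added example, not part of the guide and not Fortinet code: it reads the text of diagnose sys sdwan health-check, groups the parent tunnel with its shortcuts by Seq number, and reports which members have no live path at all. The sample output is constructed from the ocvpn health check shown above; the assumption that the shortest name within a Seq group is the parent is mine.

```python
import re
from collections import defaultdict

# One "Seq(...)" line of "diagnose sys sdwan health-check" output. Dead members
# print no latency/jitter, so those two groups are optional.
SEQ_RE = re.compile(
    r"Seq\((?P<seq>\d+) (?P<name>\S+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\)"
    r"(?: latency\((?P<latency>[\d.]+)\), jitter\((?P<jitter>[\d.]+)\))?"
    r" sla_map=(?P<sla_map>0x[0-9a-fA-F]+)"
)
HC_RE = re.compile(r"^Health Check\((?P<hc>[^)]+)\):", re.M)

# Constructed sample, copied from the "ocvpn" health check output above.
SAMPLE = """\
Health Check(Default_DNS):
Health Check(ocvpn):
Seq(1 _OCVPN2-0a): state(alive), packet-loss(0.000%) latency(0.364), jitter(0.028) sla_map=0x0
Seq(2 _OCVPN2-0b): state(alive), packet-loss(0.000%) latency(0.287), jitter(0.026) sla_map=0x0
Seq(3 _OCVPN2-1a): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(4 _OCVPN2-1b): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(4 _OCVPN2-1b_0): state(alive), packet-loss(0.000%) latency(0.289), jitter(0.029) sla_map=0x0
"""


def parse_health_check(text):
    """Return {health_check_name: [member dicts]} in output order."""
    result = defaultdict(list)
    current = None
    for line in text.splitlines():
        hc = HC_RE.match(line)
        if hc:
            current = hc.group("hc")
            result.setdefault(current, [])
            continue
        m = SEQ_RE.search(line)
        if m and current is not None:
            d = m.groupdict()
            result[current].append({
                "seq": int(d["seq"]),
                "name": d["name"],
                "alive": d["state"] == "alive",
                "loss": float(d["loss"]),
                "latency": float(d["latency"]) if d["latency"] else None,
                "jitter": float(d["jitter"]) if d["jitter"] else None,
                "sla_map": int(d["sla_map"], 16),
            })
    return dict(result)


def shortcut_summary(members):
    """Group entries by Seq number.

    The parent tunnel and its ADVPN shortcuts share a Seq number; a shortcut is
    the parent's name plus a "_<n>" instance suffix (e.g. _OCVPN2-1b_0), so the
    shortest name in the group is taken as the parent (assumption).
    A member is reported as reachable if the parent or any shortcut is alive.
    """
    by_seq = defaultdict(list)
    for m in members:
        by_seq[m["seq"]].append(m)
    summary = {}
    for seq, entries in sorted(by_seq.items()):
        parent = min(entries, key=lambda e: len(e["name"]))
        shortcuts = [e for e in entries if e is not parent]
        summary[seq] = {
            "parent": parent["name"],
            "parent_alive": parent["alive"],
            "shortcuts_alive": [e["name"] for e in shortcuts if e["alive"]],
            "reachable": any(e["alive"] for e in entries),
        }
    return summary


def members_without_path(summary):
    """Seq numbers where neither the parent tunnel nor any shortcut is alive."""
    return [seq for seq, s in summary.items() if not s["reachable"]]


if __name__ == "__main__":
    checks = parse_health_check(SAMPLE)
    summary = shortcut_summary(checks["ocvpn"])
    for seq, s in summary.items():
        print(seq, s)
    print("no live path:", members_without_path(summary))
```

In the sample, Seq 4 is reported reachable because _OCVPN2-1b_0 is alive even though its parent _OCVPN2-1b is dead, while Seq 3 (_OCVPN2-1a) has no live path; that is the distinction an operator wants when deciding whether a dead parent is a real outage or just a hub tunnel idling behind a working shortcut.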

Forward error correction on VPN overlay networks

This topic shows an SD-WAN with forward error correction (FEC) on VPN overlay networks. FEC is a technique used to
control and correct errors in data transmission by sending redundant data across the VPN. It uses six parameters in
IPsec phase1/phase1-interface settings:

fec-ingress          Enable/disable Forward Error Correction for ingress IPsec traffic (default = disable).
fec-egress           Enable/disable Forward Error Correction for egress IPsec traffic (default = disable).
fec-base             The number of base Forward Error Correction packets (1 - 100, default = 20).
fec-redundant        The number of redundant Forward Error Correction packets (1 - 100, default = 10).
fec-send-timeout     The time before sending Forward Error Correction packets, in milliseconds (1 - 1000, default = 8).
fec-receive-timeout  The time before dropping Forward Error Correction packets, in milliseconds (1 - 10000, default = 5000).

For every fec-base number of sent packets, the tunnel will send fec-redundant number of redundant packets.

If your FortiGate is NPU capable, disable npu-offload in your phase1 configurations:


config vpn ipsec phase1-interface
edit <name>
set npu-offload disable
next
end

Example

For example, a customer has two ISP connections, wan1 and wan2. Using these two connections, create two IPsec VPN
interfaces as SD-WAN members. Configure FEC on each VPN interface to lower the effective packet loss ratio: the tunnel
sends redundant packets alongside the original ones so that the peer can reconstruct lost packets without waiting for a
retransmission. The pre-shared key ftnt1234 in this example is a placeholder; use a long, unique key in production.

To configure IPsec VPN:

config vpn ipsec phase1-interface


edit "vd1-p1"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes256-sha256
set dhgrp 14
set remote-gw 172.16.201.2
set psksecret ftnt1234
set fec-egress enable
set fec-send-timeout 8
set fec-base 20
set fec-redundant 10
set fec-ingress enable
set fec-receive-timeout 5000
next
edit "vd1-p2"
set interface "wan2"
set peertype any

set net-device disable
set proposal aes256-sha256
set dhgrp 14
set remote-gw 172.16.202.2
set psksecret ftnt1234
set fec-egress enable
set fec-send-timeout 8
set fec-base 20
set fec-redundant 10
set fec-ingress enable
set fec-receive-timeout 5000
next
end
config vpn ipsec phase2-interface
edit "vd1-p1"
set phase1name "vd1-p1"
next
edit "vd1-p2"
set phase1name "vd1-p2"
next
end

To configure the interface:

config system interface


edit "vd1-p1"
set ip 172.16.211.1 255.255.255.255
set remote-ip 172.16.211.2 255.255.255.255
next
edit "vd1-p2"
set ip 172.16.212.1 255.255.255.255
set remote-ip 172.16.212.2 255.255.255.255
next
end

To configure the firewall policy:

config firewall policy


edit 1
set name "1"
set srcintf "dmz"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

To configure SD-WAN:

config system sdwan


set status enable
config members

edit 1
set interface "vd1-p1"
set gateway 172.16.211.2
next
edit 2
set interface "vd1-p2"
set gateway 172.16.212.2
next
end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To use the diagnose command to check VPN FEC status:

# diagnose vpn tunnel list


list all ipsec tunnel in vd 0
------------------------------------------------------
name=vd1 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0


stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=20 redundant=10 remote_port=50000 <<<<<<<<<<<<<<<<<<<<<<
fec-ingress: base=20 redundant=10 <<<<<<<<<<<<<<<<<<<<<<
proxyid=demo proto=0 sa=1 ref=2 serial=1
src: 0:10.1.100.0/255.255.255.0:0
dst: 0:173.1.1.0/255.255.255.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=42897/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=181f4f81 esp=aes key=16 6e8fedf2a77691ffdbf3270484cb2555
ah=sha1 key=20 f92bcf841239d15d30b36b695f78eaef3fad05c4
enc: spi=0ce10190 esp=aes key=16 2d684fb19cbae533249c8b5683937329
ah=sha1 key=20 ba7333f89cd34cf75966bd9ffa72030115919213
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
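Two things are worth verifying from this output on every FEC tunnel: that the fec-egress/fec-ingress lines carry the intended base/redundant values (and therefore the overhead you are paying), and that the tunnel is not still NPU-offloaded, since the guide says to disable npu-offload on NPU-capable models. The checker below is an added example, not part of the guide and not Fortinet code. It splits diagnose vpn tunnel list output on the dashed separator, reads the options[] flag list (which may wrap onto the next line) and the FEC lines of each record, and flags FEC tunnels whose options still list npu. Treating the npu token in options[] as "offload enabled" is my reading of the output, and the second tunnel in the sample is constructed to trigger the finding; the first is the vd1 record shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "diagnose vpn tunnel list" separates tunnel records with a dashed line.
RECORD_SEP = re.compile(r"^-{10,}$", re.M)
NAME_RE = re.compile(r"^name=(\S+)", re.M)
# The options[] flag list can wrap onto the next line; it ends at accept_traffic=.
OPTIONS_RE = re.compile(r"options\[[0-9a-f]+\]=(.*?)(?=accept_traffic=)", re.S)
FEC_EGRESS_RE = re.compile(r"fec-egress:\s+base=(\d+)\s+redundant=(\d+)(?:\s+remote_port=(\d+))?")
FEC_INGRESS_RE = re.compile(r"fec-ingress:\s+base=(\d+)\s+redundant=(\d+)")

# Constructed sample: record 1 is the vd1 tunnel from the output above; record 2
# is invented (an NPU-offloaded tunnel with FEC on) to exercise the check.
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vd1 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev
frag-rfc fec-egress fec-ingress accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=20 redundant=10 remote_port=50000
fec-ingress: base=20 redundant=10
proxyid=demo proto=0 sa=1 ref=2 serial=1
------------------------------------------------------
name=vd1-npu ver=1 serial=2 172.16.200.1:0->172.16.200.3:0
bound_if=12 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0ed8]=npu create_dev
frag-rfc fec-egress fec-ingress accept_traffic=1
fec-egress: base=20 redundant=10 remote_port=50000
fec-ingress: base=20 redundant=10
"""


@dataclass
class TunnelFec:
    name: str
    flags: frozenset                 # tokens from options[...]=
    egress: Optional[dict] = None    # {"base", "redundant", "remote_port"}
    ingress: Optional[dict] = None   # {"base", "redundant"}

    @property
    def npu_offload(self):
        return "npu" in self.flags

    def overhead(self):
        """Redundant packets sent per base packet on egress (redundant / base)."""
        if not self.egress:
            return 0.0
        return self.egress["redundant"] / self.egress["base"]


def parse_tunnel_list(text):
    tunnels = []
    for record in RECORD_SEP.split(text):
        name = NAME_RE.search(record)
        if not name:
            continue  # header text before the first tunnel
        opts = OPTIONS_RE.search(record)
        flags = frozenset(opts.group(1).split()) if opts else frozenset()
        t = TunnelFec(name.group(1), flags)
        eg = FEC_EGRESS_RE.search(record)
        if eg:
            t.egress = {"base": int(eg.group(1)), "redundant": int(eg.group(2)),
                        "remote_port": int(eg.group(3)) if eg.group(3) else None}
        ig = FEC_INGRESS_RE.search(record)
        if ig:
            t.ingress = {"base": int(ig.group(1)), "redundant": int(ig.group(2))}
        tunnels.append(t)
    return tunnels


def fec_findings(tunnels):
    """Report FEC tunnels that are still NPU-offloaded (guide: set npu-offload disable)."""
    findings = []
    for t in tunnels:
        fec_on = t.egress is not None or t.ingress is not None
        if fec_on and t.npu_offload:
            findings.append(f"{t.name}: FEC is active but options still list npu; "
                            "set npu-offload disable in its phase1-interface")
    return findings


if __name__ == "__main__":
    for t in parse_tunnel_list(SAMPLE):
        print(t.name, "egress", t.egress, "ingress", t.ingress,
              "overhead", t.overhead(), "npu", t.npu_offload)
    for line in fec_findings(parse_tunnel_list(SAMPLE)):
        print("WARNING:", line)
```

With base=20 and redundant=10 the overhead is 0.5, i.e. every 20 data packets are followed by 10 redundant ones, which is the cost side of the "lower packet loss ratio" the example aims for; feed the real command output to parse_tunnel_list to compare what each tunnel is actually sending against what was configured.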

Dual VPN tunnel wizard

This wizard is used to automatically set up multiple VPN tunnels to the same destination over multiple outgoing
interfaces. This includes automatically configuring IPsec, routing, and firewall settings, avoiding cumbersome and
error-prone configuration steps.

To create a new SD-WAN VPN interface using the tunnel wizard:

1. Go to Network > SD-WAN Zones and click Create New > SD-WAN Member.
2. In the Interface drop-down, click +VPN. The Create IPsec VPN for SD-WAN members pane opens.

3. Enter the required information, then click Create.

4. Click Close to return to the SD-WAN page.


The newly created VPN interface will be highlighted in the Interface drop-down list.

5. Select the VPN interface to add it as an SD-WAN member, then click OK.

Duplicate packets based on SD-WAN rules

SD-WAN duplication rules can specify SD-WAN service rules to trigger packet duplication. This allows the duplication to
occur based on an SD-WAN rule instead of the source, destination, and service parameters in the duplication rule.

1. Packets can be forced to duplicate to all members of the same SD-WAN zone. See Duplicate packets on other zone
members on page 810 for details.
For example, in Spoke 1 set packet-duplication to force so that when a client sends a packet to the server, it
is duplicated to all members of the same zone as long as their health checks are alive. If a member's health check is
dead, then the member is removed from the SD-WAN duplication zone.
2. Packets can be duplicated to other members of the SD-WAN zone only when the condition of the link is not good
enough.
Set packet-duplication to on-demand so that, when the SLA of the member does not match (sla_map=0), the
packet is duplicated, but when the SLA does match (sla_map!=0), the packet is not duplicated.
3. Packets can be duplicated to all members of the same SD-WAN zone when the traffic matches one or more regular
SD-WAN service rules.
The following example shows the third type of packet duplication.

In this example, SD-WAN is configured with three members: vpn1, vpn2, and vpn3. Service rule 1 controls all traffic from
10.100.20.0/24 to 172.16.100.0/24 using member 1.
To send a duplicate of the traffic that matches service rule 1 using member 2, members 1 and 2 are added to the same
SD-WAN zone, and a duplicate rule is configured with service-id set to 1.

To send a duplicate of the traffic that matches service rule 1 using member 2:

config system sdwan


set status enable
config zone
edit "virtual-wan-link"
next
edit "zone2"
next
end
config members
edit 1
set interface "vpn1"
next
edit 2
set interface "vpn2"
next

edit 3
set interface "vpn3"
set zone "zone2"
next
end
config service
edit 1
set dst "172.16.100.0"
set src "10.100.20.0"
set priority-members 1
next
end
config duplication
edit 1
set service-id 1
set packet-duplication force
next
end
end

Duplicate packets on other zone members

When duplication rules are used, packets are duplicated on other good links within the SD-WAN zone and de-duplicated
on the destination FortiGate. Use force mode to force duplication on other links within the SD-WAN zone, or use
on-demand mode to trigger duplication only when SLA fails on the selected member.
The duplication rule is configured in the CLI by using the config duplication command. The following options can
be configured:

Parameter              Description

srcaddr                Source address or address group names.
dstaddr                Destination address or address group names.
srcaddr6               Source IPv6 address or IPv6 address group names.
dstaddr6               Destination IPv6 address or IPv6 address group names.
srcintf                Incoming (ingress) interfaces or zones.
dstintf                Outgoing (egress) interfaces or zones.
service                Service and service group names.
packet-duplication     Configure packet duplication method.
                       l disable: Disable packet duplication (default).
                       l force: Duplicate packets across all interface members of the SD-WAN zone.
                       l on-demand: Duplicate packets across all interface members of the SD-WAN zone based on
                         the link quality.
packet-de-duplication  Enable/disable discarding of packets that have been duplicated (default = disable).

The duplication-max-num <integer> option under config system sdwan is the maximum number of
interface members that a packet is duplicated on in the SD-WAN zone (2 - 4, default = 2). If this value is set to 3, the
original packet plus two more copies are created. If there are three member interfaces in the SD-WAN zone and the
duplication-max-num is set to 2, the packet duplication follows the configuration order, so the packets are
duplicated on the second member.
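The interaction between packet-duplication mode, member health, sla_map and duplication-max-num described in this section and in "Duplicate packets based on SD-WAN rules" is easier to reason about as a small selection function. The block below is an added example, not part of the guide and not Fortinet's algorithm: it models the rules as the text states them (force copies to other alive members in configuration order, on-demand does so only while the selected member's sla_map is 0, dead members are skipped, and original plus copies never exceed duplication-max-num). Which member carries the original packet is taken from the SD-WAN rule decision and passed in as selected; the member list in the demo mirrors the Spoke 1 configuration (t1, t21, t2 in configuration order) with constructed health states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneMember:
    interface: str   # SD-WAN member interface, e.g. "t1"
    alive: bool      # health check state(alive)
    sla_map: int     # 0 means the member currently meets no SLA


def duplicate_targets(members, selected, mode, max_num=2):
    """Return the interfaces that receive a copy of a packet sent on `selected`.

    `members` is the zone's member list in configuration order. This is a model
    of the guide's description, not FortiOS's own implementation:
      - disable:   no copies.
      - force:     copy to the other alive members, in configuration order.
      - on-demand: as force, but only while the selected member fails its SLA
                   (sla_map == 0).
    duplication-max-num (2 - 4) bounds original + copies, so at most
    max_num - 1 copies are made. Dead members are skipped, as if removed
    from the zone.
    """
    if mode not in ("disable", "force", "on-demand"):
        raise ValueError(f"unknown packet-duplication mode {mode!r}")
    if not 2 <= max_num <= 4:
        raise ValueError("duplication-max-num must be 2 - 4")
    by_name = {m.interface: m for m in members}
    if selected not in by_name:
        raise ValueError(f"{selected!r} is not a member of the zone")
    if mode == "disable":
        return []
    if mode == "on-demand" and by_name[selected].sla_map != 0:
        return []  # link is within SLA, no duplication needed
    targets = [m.interface for m in members
               if m.interface != selected and m.alive]
    return targets[: max_num - 1]


if __name__ == "__main__":
    # Constructed zone in the Spoke 1 configuration order: t1, t21, t2.
    zone = [ZoneMember("t1", True, 1), ZoneMember("t21", True, 1),
            ZoneMember("t2", True, 0)]
    print("force, max 2:", duplicate_targets(zone, "t1", "force"))
    print("force, max 3:", duplicate_targets(zone, "t1", "force", max_num=3))
    print("on-demand, t1 in SLA:", duplicate_targets(zone, "t1", "on-demand"))
    print("on-demand, t2 out of SLA:", duplicate_targets(zone, "t2", "on-demand"))
```

Running it shows the rule from the paragraph above: with three members and the default max_num of 2 only the next member in configuration order (t21) gets a copy, raising max_num to 3 adds t2, and on-demand stays silent while the selected member's sla_map is non-zero.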

Example

The packet duplication feature works best in a spoke-spoke or hub-and-spoke topology. In this example, a hub-and-
spoke ADVPN topology is used. Before shortcuts are established, Hub 1 forwards the duplicate packets from Spoke 1 to
Spoke 2. Once shortcuts are established, Hub 1 is transparent, and duplicate packets are exchanged directly between
the spokes.

To configure packet duplication between Spoke 1 and Spoke 2:

1. Configure Spoke 1:
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "sdwanzone_v4"
next
end
config members
edit 1
set interface "t1"
set zone "sdwanzone_v4"
next
edit 4
set interface "t21"
set zone "sdwanzone_v4"
next
edit 2
set interface "t2"
set zone "sdwanzone_v4"

next
end
config health-check
edit "h1"
set server "10.34.1.1"
set interval 1000
set failtime 10
set members 1 2
config sla
edit 1
set packetloss-threshold 40
next
end
next
end
config duplication
edit 1
set srcaddr "all"
set dstaddr "all"
set srcintf "port1"
set dstintf "sdwanzone_v4"
set service "ALL"
set packet-duplication force
set packet-de-duplication enable
next
end
end

2. Configure Spoke 2 with similar settings.

Advanced configuration

The following topics provide instructions on SD-WAN advanced configuration:


l SD-WAN with FGCP HA on page 812
l Configuring SD-WAN in an HA cluster using internal hardware switches on page 819
l SD-WAN configuration portability on page 822
See also Per packet distribution and tunnel aggregation on page 1678.

SD-WAN with FGCP HA

This example shows how to convert a standalone FortiGate SD-WAN solution to an FGCP HA cluster with a full-mesh WAN
setup. This configuration allows you to load balance your internet traffic between multiple ISP links. It also provides
redundancy for your internet connection if your primary ISP is unavailable, or if one of the FortiGates in the HA cluster
fails.
This example assumes that a standalone FortiGate has already been configured for SD-WAN by following the SD-WAN
quick start on page 679.

Standalone FortiGate:

FGCP HA cluster:

The following devices are required to convert the topology to HA:


l A second FortiGate that is the same model running the same firmware version.
l Two switches for connecting each FortiGate's WAN interface to the corresponding ISP modem.
Before you begin:
l Ensure that the licenses and subscriptions on both HA members match.
l Ensure that there are one or more ports reserved for HA heartbeat.
l Ensure you have physical access to both HA members.

Enabling HA and re-cabling the WAN interfaces will cause network interruptions.
This procedure should be performed during a maintenance window.

Configuring the standalone FortiGate for HA

After running the following commands, the FortiGate negotiates to establish an HA cluster. You might temporarily lose
connectivity with the FortiGate as FGCP negotiations take place and the MAC addresses of the FortiGate interfaces are
changed to HA virtual MAC addresses.
This configuration sets the HA mode to active-passive.
The ha1 and ha2 interfaces are configured as the heartbeat interfaces, with priorities set to 200 and 100 respectively.
Setting different priorities for the heartbeat interfaces is a best practice, but is not required.
If you have more than one cluster on the same network, each cluster should have a different group ID. Changing the
group ID changes the cluster interfaces' virtual MAC addresses. If the group ID causes a MAC address conflict on your
network, select a different group ID.
Enabling override and increasing the device priority means that this FortiGate always becomes the primary unit.

To configure the standalone FortiGate for HA in the GUI:

1. Go to System > Settings and change the Host name so that the FortiGate can be easily identified as the primary
unit.
2. Go to System > HA and configure the following options:

Mode Active-Passive

Device priority 250

Group name My-cluster

Password <password>

Heartbeat interfaces ha1 and ha2

Heartbeat Interface Priority port2 (ha1): 200


port3 (ha2): 100

Override and the group ID can only be configured from the CLI.

3. Click OK.
Connectivity with the FortiGate will temporarily be lost.

To configure the standalone FortiGate for HA in the CLI:

1. Change the host name so that the FortiGate can be easily identified:
config system global
set hostname primary_FG
end

2. Configure HA:
config system ha
set mode a-p
set group-id 100
set group-name My-cluster
set password <password>
set priority 250
set override enable
set hbdev ha1 200 ha2 100
end

If HA mode does not start after running the above steps, ensure that none of the FortiGate's
interfaces use DHCP or PPPoE addressing.

Configuring the secondary FortiGate for HA

The secondary FortiGate must be the same model and running the same firmware version as the primary FortiGate. The
HA settings are the same as for the primary unit, except that the secondary device has a lower priority and override is
not enabled.

It is best practice to reset the FortiGate to factory default settings prior to configuring HA. This
reduces the chance of synchronization problems.
# execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n) y

This is unnecessary if the device is new from the factory.

To configure the secondary FortiGate for HA in the GUI:

1. Go to System > Settings and change the Host name so that the FortiGate can be easily identified as the backup unit.
2. Go to System > HA and configure the options the same as for the primary FortiGate, except with a lower priority:

Mode: Active-Passive
Device priority: 128
Group name: My-cluster
Password: <password>
Heartbeat interfaces: ha1 and ha2
Heartbeat Interface Priority: port2 (ha1): 200, port3 (ha2): 100

3. Click OK.

To configure the secondary FortiGate for HA in the CLI:

1. Change the host name so that the secondary FortiGate can be easily identified:
config system global
set hostname secondary_FG
end

2. Configure HA:
config system ha
set mode a-p
set group-id 100
set group-name My-cluster
set password <password>
set priority 128
set hbdev ha1 200 ha2 100
end

Connecting the heartbeat interfaces between the FortiGates

To connect and check the heartbeat interfaces:

1. Connect the heartbeat interfaces ha1 and ha2 between the primary and secondary FortiGate.
a. An HA primary device is selected. Because the primary FortiGate has a higher priority and override enabled, it
assumes the role of HA primary.
b. The secondary FortiGate synchronizes its configuration from the primary device.
2. Verify that the checksums match between the primary and secondary FortiGates:
# diagnose sys ha checksum cluster

================== FG5H0XXXXXXXXXX0 ==================

is_manage_primary()=1, is_root_primary()=1
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad

checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad

================== FG5H0XXXXXXXXXX1 ==================


is_manage_primary()=0, is_root_primary()=0
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad

checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad

If all of the cluster members have identical checksums, then their configurations are synchronized. If the checksums
are not the same, wait for a few minutes, then repeat the command. Some parts of the configuration might take a
significant amount of time to synchronize (tens of minutes).
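The checksum comparison above is done by eye. The following script, added here as an example and not part of the FortiOS guide or of Fortinet's own tooling, parses the text of `diagnose sys ha checksum cluster` and reports which global or VDOM sections differ between members. It runs on a constructed transcript with made-up serial numbers and digests; the only assumption about the real output is the layout shown above (a banner of `=` signs around each member's serial, followed by `debugzone` and `checksum` blocks of `section: hex bytes` lines). Feed it saved output when a cluster stays out of sync, or call it from a job that polls the CLI.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `diagnose sys ha checksum cluster` output.
# Serial numbers and digests are made up; the second member's root-VDOM and
# "all" checksums are deliberately different so the mismatch path is exercised.
GLOBAL_SUM = "2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb"
ROOT_SUM_A = "af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a"
ALL_SUM_A = "89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad"
ROOT_SUM_B = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"
ALL_SUM_B = "ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00"


def _member_block(serial: str, primary: int, root: str, all_: str) -> str:
    """Render one member's section the way the CLI prints it (sample data only)."""
    flag = "1" if primary else "0"
    return (
        f"================== {serial} ==================\n\n"
        f"is_manage_primary()={flag}, is_root_primary()={flag}\n"
        f"debugzone\nglobal: {GLOBAL_SUM}\nroot: {root}\nall: {all_}\n\n"
        f"checksum\nglobal: {GLOBAL_SUM}\nroot: {root}\nall: {all_}\n\n"
    )


SAMPLE_OUT_OF_SYNC = (_member_block("FGVM01-AAAA", 1, ROOT_SUM_A, ALL_SUM_A)
                      + _member_block("FGVM01-BBBB", 0, ROOT_SUM_B, ALL_SUM_B))
SAMPLE_IN_SYNC = (_member_block("FGVM01-AAAA", 1, ROOT_SUM_A, ALL_SUM_A)
                  + _member_block("FGVM01-BBBB", 0, ROOT_SUM_A, ALL_SUM_A))

MEMBER_RE = re.compile(r"^=+\s*(\S+)\s*=+$")
DIGEST_RE = re.compile(r"^([A-Za-z0-9_-]+):\s*((?:[0-9a-f]{2}\s*)+)$")


def parse_checksums(output: str) -> Dict[str, Dict[str, str]]:
    """Map each member serial to {section: hexdigest} taken from its
    'checksum' block; the 'debugzone' block is read past and ignored."""
    members: Dict[str, Dict[str, str]] = {}
    serial = None
    in_checksum = False
    for raw in output.splitlines():
        line = raw.strip()
        m = MEMBER_RE.match(line)
        if m:
            serial, in_checksum = m.group(1), False
            members[serial] = {}
            continue
        if serial is None:
            continue
        if line == "checksum":
            in_checksum = True
        elif line == "debugzone":
            in_checksum = False
        elif in_checksum:
            d = DIGEST_RE.match(line)
            if d:
                members[serial][d.group(1)] = d.group(2).replace(" ", "")
    return members


def find_mismatches(members: Dict[str, Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (section, {serial: digest}) for every section whose digest is not
    identical across all members; a section missing on one member is a mismatch."""
    sections = sorted({s for sums in members.values() for s in sums})
    mismatches = []
    for section in sections:
        per_member = {serial: sums.get(section) for serial, sums in members.items()}
        if len(set(per_member.values())) > 1:
            mismatches.append((section, per_member))
    return mismatches


def cluster_in_sync(output: str) -> bool:
    """True only when at least two members were seen and every section matches."""
    members = parse_checksums(output)
    return len(members) >= 2 and not find_mismatches(members)


if __name__ == "__main__":
    for name, sample in (("out-of-sync", SAMPLE_OUT_OF_SYNC), ("in-sync", SAMPLE_IN_SYNC)):
        print(name, "synchronized" if cluster_in_sync(sample) else "NOT synchronized")
        for section, digests in find_mismatches(parse_checksums(sample)):
            print(f"  {section}: {digests}")
```

Only the `checksum` block is compared; if you want the `debugzone` values as well, track them in a second dictionary the same way. A single-member transcript is reported as not synchronized on purpose, since it usually means the heartbeat link is not up yet.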

Connecting other traffic interfaces

After the device configurations are synchronized, you can connect the rest of the traffic interfaces. Making these
connections will disrupt traffic as cables are disconnected and reconnected.
Switches must be used between the cluster and the ISPs, and between the cluster and the internal network, as shown in
the topology diagram.

Checking cluster operations

The HA Status dashboard widget shows the synchronization status. Hover over the host names of each FortiGate in the
widget to verify that they are synchronized and have the same checksum.
To view more information about the cluster status, including the number of sessions passing through the cluster
members, go to System > HA.
See Check HA sync status on page 961 for more information.

Results

1. Browse the internet on a computer in the internal network.


2. Go to Network > SD-WAN Zones to see the bandwidth, volume, and sessions for traffic on the SD-WAN interfaces.
See Results on page 683 for details.
3. Go to Dashboard > Network, and expand the SD-WAN widget to see information about each interface, such as the
number of sessions and the bit rate.

Testing HA failover

All traffic should currently be flowing through the primary FortiGate. If it becomes unavailable, traffic fails over to the
secondary FortiGate. When the original primary FortiGate rejoins the cluster, the secondary FortiGate continues to
operate as the primary only if override is disabled. Because override is enabled on the primary FortiGate in this
example, it reclaims the primary role when it rejoins, which causes a second brief failover.
To test this, ping a reliable IP address from a computer in the internal network, and then power off the primary FortiGate.


There will be a momentary pause in the ping results until traffic diverts to the backup FortiGate, allowing the ping traffic to
continue:
64 bytes from 184.25.76.114: icmp_seq=69 ttl=52 time=8.719 ms
64 bytes from 184.25.76.114: icmp_seq=70 ttl=52 time=8.822 ms
64 bytes from 184.25.76.114: icmp_seq=74 ttl=52 time=8.901 ms
Request timeout for icmp_seq 75
64 bytes from 184.25.76.114: icmp_seq=76 ttl=52 time=8.860 ms
64 bytes from 184.25.76.114: icmp_seq=77 ttl=52 time=9.174 ms
64 bytes from 184.25.76.114: icmp_seq=83 ttl=52 time=8.639 ms

If you are using port monitoring, you can also unplug the primary FortiGate's internet facing
interface to test failover.
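The failover pause can be measured rather than eyeballed. As an added example that is not part of the guide, the following script parses a ping transcript, lists the unanswered sequence numbers as outage windows, and converts the longest window into seconds using ping's send interval (assumed here to be the 1 s default). The sample transcript is constructed to match the output above, so it reports nine lost probes and a longest pause of five seconds; `failover_within` turns that into a pass/fail result for a scripted failover test.

```python
import re
from typing import Dict, List, Tuple

# Constructed ping transcript modelled on the output shown above (macOS/BSD
# style; Linux ping prints no "Request timeout" lines, only gaps in icmp_seq).
PING_LOG = """\
64 bytes from 184.25.76.114: icmp_seq=69 ttl=52 time=8.719 ms
64 bytes from 184.25.76.114: icmp_seq=70 ttl=52 time=8.822 ms
64 bytes from 184.25.76.114: icmp_seq=74 ttl=52 time=8.901 ms
Request timeout for icmp_seq 75
64 bytes from 184.25.76.114: icmp_seq=76 ttl=52 time=8.860 ms
64 bytes from 184.25.76.114: icmp_seq=77 ttl=52 time=9.174 ms
64 bytes from 184.25.76.114: icmp_seq=83 ttl=52 time=8.639 ms
"""

# Matches both "icmp_seq=75" (reply lines) and "icmp_seq 75" (timeout lines).
SEQ_RE = re.compile(r"icmp_seq[= ](\d+)")


def parse_replies(log: str) -> Tuple[List[int], int, int]:
    """Return (answered seqs, first seq seen, last seq seen). A timeout line
    carries a sequence number but is not counted as an answer."""
    answered, seen = [], []
    for line in log.splitlines():
        m = SEQ_RE.search(line)
        if not m:
            continue
        seq = int(m.group(1))
        seen.append(seq)
        if "bytes from" in line:
            answered.append(seq)
    if not seen:
        raise ValueError("no icmp_seq values found")
    return answered, min(seen), max(seen)


def outage_windows(log: str) -> List[Tuple[int, int]]:
    """Contiguous runs of unanswered sequence numbers as (first, last)."""
    answered, first, last = parse_replies(log)
    got = set(answered)
    windows, start = [], None
    for seq in range(first, last + 1):
        if seq not in got and start is None:
            start = seq                     # window opens
        elif seq in got and start is not None:
            windows.append((start, seq - 1))  # window closes on the next reply
            start = None
    if start is not None:
        windows.append((start, last))
    return windows


def summarize(log: str, interval_s: float = 1.0) -> Dict[str, float]:
    """Loss statistics; `interval_s` is ping's send interval, so the longest
    window times the interval approximates the failover pause in seconds."""
    answered, first, last = parse_replies(log)
    windows = outage_windows(log)
    sent = last - first + 1
    longest = max((b - a + 1 for a, b in windows), default=0)
    return {
        "sent": sent,
        "lost": sent - len(answered),
        "loss_pct": round(100.0 * (sent - len(answered)) / sent, 1),
        "longest_outage_s": longest * interval_s,
    }


def failover_within(log: str, max_pause_s: float, interval_s: float = 1.0) -> bool:
    """Pass/fail check: did the longest outage stay within the allowed pause?"""
    return summarize(log, interval_s)["longest_outage_s"] <= max_pause_s


if __name__ == "__main__":
    print(summarize(PING_LOG))
    print("windows:", outage_windows(PING_LOG))
```

The resolution is limited by the ping interval; run `ping -i 0.2` (where permitted) for finer measurement and pass `interval_s=0.2`.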

After the secondary FortiGate becomes the primary, you can log into the cluster using the same IP address as before the
failover. If the primary FortiGate is powered off, you will be logged into the backup FortiGate. Check the host name to
verify which device you have logged into. The cluster continues to operate in HA mode. When you restart the original
primary FortiGate, it rejoins the cluster. With override disabled it would stay as the backup and traffic would not be
disrupted; with override enabled, as configured in this example, it takes the primary role back and there is another
short pause in traffic while the primary role moves.
You can also use the CLI to force an HA failover. See Force HA failover for testing and demonstrations on page 986 for
information.

Testing ISP failover

To test a failover of the redundant internet configuration, you need to simulate a failed internet connection to one of the
ports. You can do this by disconnecting power from the wan1 switch, or by disconnecting the wan1 interfaces of both
FortiGates from ISP1.
After disconnecting, verify that users still have internet access:
l Go to Dashboard > Network, and expand the SD-WAN widget. The Upload and Download columns for wan1 show
that traffic is not going through that interface.

l Go to Network > SD-WAN Zones. The Bandwidth, Volume, and Sessions tabs show that traffic is entirely diverted to
wan2.

Users on the network should not notice the wan1 failure. If you are using the wan1 gateway IP address to connect to the
administrator dashboard, it will appear as though you are still connecting through wan1.
After verifying a successful failover, reestablish the connection to ISP1.


Configuring SD-WAN in an HA cluster using internal hardware switches

In this SD-WAN configuration, two FortiGates in an active-passive (A-P) HA pair are used to provide hardware
redundancy. Instead of using external switches to provide a mesh network connection to the ISP routers, the FortiGates
use their built-in hardware switches to connect to the ISP routers.

Only FortiGate models that have hardware switches can be used for this solution. Ports in a
software switch are not in a forwarding state when a FortiGate is acting as a secondary device
in an A-P cluster.

In this topology:
l Two hardware switches are created, HD_SW1 and HD_SW2.
l HD_SW1 is used to connect to ISP 1 Router and includes the internal1 and internal2 ports.
l HD_SW2 is used to connect to ISP 2 Router and includes the internal3 and internal4 ports.
l Another interface on each device is used as the HA heartbeat interface, connecting the two FortiGates in HA.
The FortiGates create two hardware switches to connect to ISP 1 and ISP 2. When FGT_A is the primary device, it
reaches ISP 1 on internal1 in HD_SW1 and ISP 2 on internal4 in HD_SW2. When FGT_B is the primary device, it
reaches ISP 1 on internal2 in HD_SW1 and ISP 2 on internal3 in HD_SW2.

HA failover

This is not a standard HA configuration with external switches. In the case of a device failure, one of the ISPs will no
longer be available because the switch that is connected to it will be down.
For example, if FGT_A loses power, HA failover will occur and FGT_B will become the primary unit. The link from its
internal2 to FGT_A's HD_SW1 will also be down, so it will be unable to reach ISP 1. Its SD-WAN SLA for ISP 1 will be
broken, and traffic will only be routed through ISP 2.

A link in a hardware switch cannot be monitored by the HA interface monitor, so a port failure in
either hardware switch cannot trigger an HA link failover. A link failover is unnecessary in this
configuration anyway, because any link failure on a hardware switch is experienced by both
cluster members. Use SD-WAN SLA health checks to monitor the health of each ISP.


Failure on a hardware switch or ISP router

If a hardware switch or switch interface is down, or the ISP router is down, the SD-WAN can detect the broken SLA and
continue routing to the other ISP.
For example, if FGT_A is the primary unit, and ISP 2 Router becomes unreachable, the SLA health checks on SD-WAN
will detect the broken SLA and cause traffic to stop routing to ISP 2.

Configuration

To configure the HA A-P cluster with internal hardware switches:

1. Configure two FortiGates with internal switches in an A-P HA cluster (follow the steps in HA active-passive cluster
setup on page 955), starting by connecting the heartbeat interface.
2. When the HA cluster is up, connect to the primary FortiGate's GUI.
3. Remove the existing interface members from the default hardware switch:
a. Go to Network > Interfaces.
b. In the LAN section, double-click the internal interface to edit it.
c. In Interface Members, remove all of the interfaces.

d. Click OK.
4. Configure the hardware switch interfaces for the two ISPs:
a. Go to Network > Interfaces and click Create New > Interface.
b. Enter a name (HD_SW1).
c. Set Type to Hardware Switch.
d. In Interface Members, add two interfaces (internal1 and internal2).
e. Set IP/Netmask to 192.168.1.2/24.


f. Configure the remaining settings as needed.

g. Click OK.
h. Repeat these steps to create a second hardware switch interface (HD_SW2) with two interface members
(internal3 and internal4) and IP/Netmask set to 192.168.3.2/24.

To connect the devices as shown in the topology:

1. Connect the incoming interface to the internal switch on both FortiGates.


2. On FGT_A, connect internal1 of HD_SW1 to ISP 1 Router.


3. On FGT_B, connect internal3 of HD_SW2 to ISP 2 Router.


4. For HD_SW1, connect FGT_A internal2 directly to FGT_B internal2.
5. For HD_SW2, connect FGT_A internal4 directly to FGT_B internal4.

To configure SD-WAN:

The primary FortiGate makes all the SD-WAN decisions.

1. On the primary FortiGate, go to Network > SD-WAN Zones and click Create New > SD-WAN Member.
2. In the Interface dropdown, select HD_SW1.
3. Leave SD-WAN Zone set to virtual-wan-link.
4. Enter the Gateway address 192.168.1.1.
5. Click OK.
6. Repeat these steps to add the second interface (HD_SW2) with the gateway 192.168.3.1.
7. Click Apply.

8. Create a health check:


a. Go to Network > Performance SLA and click Create New.
b. Set Name to GW_HC.
c. Set Protocol to Ping and Servers to 8.8.8.8.
d. Set Participants to All SD-WAN Members.
e. Enable SLA Target and leave the default values.
f. Click OK.
9. Create SD-WAN rules as needed. The SLA health check can be used to determine when the ISP connections are in
or out of SLA, and to failover accordingly.

SD-WAN configuration portability

When configuring SD-WAN, adding interfaces to members is optional. This allows the SD-WAN to be configured without
associating any interfaces with SD-WAN members. It also allows a configuration to be copied directly from one device to
another, without requiring the devices to have interfaces with the same names.
After the configuration is created, add interfaces to the members to make it functional.


Example 1

In this example, we create a template with two SD-WAN members configured without assigned interfaces that are used
in a performance SLA and SD-WAN rule. The template can be used to configure new devices, as in Example 2 on page
826. Interfaces are then assigned to the members, and the configuration becomes active.

To create the SD-WAN members in the GUI:

1. Go to Network > SD-WAN Zones.


2. Click Create New > SD-WAN Member.
3. Leave all the settings set to their default values and click OK.

4. Repeat the above steps to create a second member.


The empty members are listed on the SD-WAN Zones page.

The members are disabled until interfaces are configured, but can still be used in performance SLAs and SD-WAN
rules.


To create a performance SLA in the GUI:

1. Go to Network > Performance SLA.


2. Click Create New.
3. Configure the performance SLA, specifying the empty members as participants.

4. Click OK.

To create an SD-WAN rule in the GUI:

1. Go to Network > SD-WAN Rules.


2. Click Create New.
3. Configure the rule, adding both members to the Interface preference field:

4. Click OK.


To assign interfaces to the SD-WAN members in the GUI:

1. Go to Network > SD-WAN Zones.


2. Edit the first member.
3. Set Interface to an actual interface.

4. Click OK.
5. Repeat the above steps to assign an interface to the second member.

To configure the SD-WAN in the CLI:

1. Create SD-WAN members:


config system sdwan
set status enable
config members
edit 1
next
edit 2
next
end
end

2. Create a health check (performance SLA):


config system sdwan
config health-check
edit "office"
set server "office365.com"
set protocol http
set sla-fail-log-period 300
set sla-pass-log-period 300
set members 2 1
config sla
edit 1
set latency-threshold 300
set jitter-threshold 200
next
edit 2
set link-cost-factor latency
set latency-threshold 20
next
end
next
end
end


3. Create a service (rule):


config system sdwan
config service
edit 3
set name "Office365"
set mode sla
set internet-service enable
set internet-service-app-ctrl 33182
config sla
edit "office"
set id 2
next
end
set priority-members 1 2
next
end
end

The SD-WAN configuration can now be used as a template for new spokes, as in Example 2 on page 826.

To assign interfaces to the SD-WAN members in the CLI:

config system sdwan


config members
edit 1
set interface "_OCVPN4-0.0"
next
edit 2
set interface "_OCVPN4-0.1"
next
end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

Example 2

In this example, the configuration from Example 1 is copied onto a new FortiGate.

Using the CLI console and the GUI

To copy the SD-WAN configuration from the original FortiGate:

1. Optionally, change the console screen paging setting. See Screen paging on page 34 for details.
2. Open the CLI console.
3. If necessary, click Clear console to empty the console.
4. Enter the following command:
show system sdwan


5. Either click Download and open the file in a text editor, or click Copy to clipboard and paste the content into a text
editor.

6. Edit the CLI configuration as necessary. For example, delete the first line, which echoes the show command, and
remove the default health checks.
7. If required, save the CLI configuration as a text file.

To paste the SD-WAN configuration onto a new FortiGate:

1. Copy the SD-WAN configuration from the text editor.


2. On the new FortiGate, open the CLI console.
3. Press Ctrl + v to paste the CLI commands.
4. If necessary, press Enter to apply the last end command.
The SD-WAN configuration is copied to the new FortiGate.
If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces
are configured.

To assign interfaces to the SD-WAN members:

1. Go to Network > SD-WAN Zones.


2. Edit the first member.
3. Set Interface to an actual interface.

4. Click OK.
5. Repeat the above steps to assign an interface to the second member.

Using a terminal emulator

The following instructions use PuTTY. The steps may vary in other terminal emulators.


To copy the SD-WAN configuration from the original FortiGate:

1. Connect to the FortiGate. See Connecting to the CLI on page 27 for details.
2. Enter the following command:
show system sdwan
3. Select the output, press Ctrl + c to copy it, and then paste it into a text editor.
4. Edit the CLI configuration as necessary. For example, the default health checks can be removed.
5. If required, save the CLI configuration as a text file.
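Step 4 above (and step 6 of the CLI console procedure earlier) asks you to edit the captured `show system sdwan` output by hand. The following script, added here as an example and not part of the guide or of FortiOS, performs that edit mechanically: it drops the echoed command line, removes the factory health checks, and strips `set interface` and `set gateway` from every member so the template pastes cleanly onto a device whose interface names differ. It assumes the factory health checks are named `Default_*` (an assumption, not something this page states) and works on a constructed transcript with made-up interface names and addresses. The parser keeps `set` lines in their original order, so a `config sla` block nested inside a service stays where FortiOS wrote it.

```python
from dataclasses import dataclass, field
from typing import List, Union

# Constructed `show system sdwan` transcript as pasted from the CLI console
# (interface names, gateway, server and the "Default_DNS" entry are made up).
SHOW_OUTPUT = '''\
# show system sdwan
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 192.0.2.1
        next
        edit 2
            set interface "wan2"
        next
    end
    config health-check
        edit "Default_DNS"
            set server "192.0.2.53"
        next
        edit "office"
            set server "office365.com"
            set protocol http
            set members 2 1
        next
    end
    config service
        edit 3
            set name "Office365"
            set mode sla
            config sla
                edit "office"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
'''

@dataclass
class Node:
    kind: str   # "config" (table) or "edit" (entry)
    key: str    # table name or entry key, exactly as written
    body: List[Union[str, "Node"]] = field(default_factory=list)  # original order kept

def _parse_body(lines, i):
    """Consume lines up to the matching end/next; return (body, next index)."""
    body = []
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):  # blank line or the echoed command
            continue
        if line in ("end", "next"):
            return body, i
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            node = Node(word, rest.strip())
            node.body, i = _parse_body(lines, i)
            body.append(node)
        else:
            body.append(line)  # set/unset lines are kept verbatim
    return body, i

def parse_config(text: str) -> List[Node]:
    body, _ = _parse_body(text.splitlines(), 0)
    return [n for n in body if isinstance(n, Node)]

def emit(body, depth=0) -> List[str]:
    """Re-serialize with FortiOS-style four-space indentation."""
    pad = "    " * depth
    out = []
    for item in body:
        if isinstance(item, str):
            out.append(pad + item)
        else:
            out.append(f"{pad}{item.kind} {item.key}")
            out.extend(emit(item.body, depth + 1))
            out.append(pad + ("end" if item.kind == "config" else "next"))
    return out

def make_portable(show_output: str, default_prefix: str = "Default_") -> str:
    """Drop interface/gateway bindings from members and remove factory health
    checks (assumed to be named Default_*) so the template pastes onto a device
    with different interface names; members stay disabled until reassigned."""
    roots = parse_config(show_output)
    for table in (t for r in roots for t in r.body if isinstance(t, Node)):
        if table.key == "members":
            for entry in (e for e in table.body if isinstance(e, Node)):
                entry.body = [x for x in entry.body if not (
                    isinstance(x, str) and x.startswith(("set interface ", "set gateway ")))]
        elif table.key == "health-check":
            table.body = [e for e in table.body if not (
                isinstance(e, Node) and e.key.strip('"').startswith(default_prefix))]
    return "\n".join(emit(roots)) + "\n"
```

Paste the returned text into the new device's CLI exactly as described in the procedures above, then assign interfaces to the members. Because the output is canonical, running `make_portable` on its own output returns it unchanged, which makes it safe to apply to a template that has already been cleaned.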

To paste the SD-WAN configuration onto a new FortiGate:

1. Copy the SD-WAN configuration from the text editor.


2. Connect to the new FortiGate. See Connecting to the CLI on page 27 for details.
3. Right-click to paste the SD-WAN configuration.
4. If necessary, press Enter to apply the last end command.
The SD-WAN configuration is copied to the new FortiGate.
If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces
are configured.

To assign interfaces to the SD-WAN members:

config system sdwan


config members
edit 1
set interface "_OCVPN4-0.0"
next
edit 2
set interface "_OCVPN4-0.1"
next
end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

SD-WAN cloud on-ramp

In this example, you configure a connection to a new cloud deployment that has some remote servers. SD-WAN is used
to steer traffic through the required overlay tunnel.
The on-premise FortiGate has two internet connections, each with a single VPN connection. The two VPN gateways are
configured on the cloud for redundancy, one terminating at the FortiGate-VM, and the other at the native AWS VPN
Gateway.
This example uses AWS as the Infrastructure as a Service (IaaS) provider, but the same configuration can also apply to
other services. A full mesh VPN setup is not shown, but can be added later if required.


To connect to the servers that are behind the cloud FortiGate-VM, virtual IP addresses (VIPs) are configured on port2 to
map to the servers:
l VPN traffic terminating on port1 is routed to the VIP on port2 to access the web servers.
l VPN traffic terminating on the VPN gateway accesses the VIPs on port2 directly.
There are four major steps to configure this setup:
1. Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM on page 829
2. Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway on page 834
3. Configuring the VIP to access the remote servers on page 837
4. Configuring the SD-WAN to steer traffic between the overlays on page 840
After the configuration is complete, verify the traffic to ensure that the configuration is working as expected, see Verifying
the traffic on page 845.

Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM

Configure the cloud FortiGate-VM

To create an address for the VPN gateway:

1. Go to Policy & Objects > Addresses and click Create New > Address.
2. Set Name to local_subnet_10_0_2_0.
3. Set IP/Netmask to 10.0.2.0/24.

4. Click OK.


To configure a custom IPsec VPN:

1. Go to VPN > IPsec Wizard.


2. Set Name to Core_Dialup.
3. Set Template type to Custom.

4. Click Next.
5. Configure Network settings:

Remote Gateway: Dialup User
Interface: port1
NAT Traversal: Enable

6. Configure Authentication settings:

Method: Pre-shared Key
Pre-shared Key: Enter the pre-shared key.
Version: 1
Mode: Aggressive. This setting allows the peer ID to be specified. Note that IKEv1 aggressive mode sends the peer
identity unencrypted and exposes a hash derived from the pre-shared key to anyone who can capture the exchange, so
use a long, random pre-shared key.
Accept Types: Specific peer ID
Peer ID: IaaS. The other end of the tunnel needs to have its local ID set to IaaS.

7. Leave the default Phase 1 Proposal settings and disable XAUTH.


8. Configure the Phase 2 Selector settings:

Name: Ent_Core
Local Address: Named Address - local_subnet_10_0_2_0
Remote Address: Named Address - all. This setting allows traffic originating from both the remote subnet 10.100.88.0
and the health checks from the VPN interface on the remote FortiGate. For increased security, each subnet can be
specified individually.

9. Click OK.

To configure remote and local tunnel IP addresses:

1. Go to Network > Interfaces and edit the Core_Dialup interface under port1.
2. Set IP to 172.16.200.1.
3. Set Remote IP/Netmask to 172.16.200.2 255.255.255.0. This is where remote health check traffic will come from.
4. Enable Administrative access for HTTPS, PING, and SSH. Enable only the access types you need: PING is enough for
reachability tests, while HTTPS and SSH expose the management plane over the tunnel.

5. Click OK.

To configure a route to the remote subnet through the tunnel:

1. Go to Network > Static Routes and click Create New.


2. Set Destination to Subnet and enter the IP address and netmask: 10.100.88.0/255.255.255.0.
3. Set Interface to Core_Dialup.

4. Click OK.


To configure a firewall policy to allow traffic from the tunnel to port2:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Configure the following:

Name: Core_Dialup-to-port2
Incoming Interface: Core_Dialup
Outgoing Interface: port2
Source: all
Destination: local_subnet_10_0_2_0
Schedule: always
Service: ALL
Action: ACCEPT

3. Configure the remaining settings as required.


4. Click OK.

Configure the HQ FortiGate

To create an address for the VPN gateway:

1. Go to Policy & Objects > Addresses and click Create New > Address.
2. Set Name to remote_subnet_10_0_2_0.
3. Set IP/Netmask to 10.0.2.0/24.
4. Click OK.

To configure a custom IPsec VPN:

1. Go to VPN > IPsec Wizard.


2. Set Name to FGT_AWS_Tun.
3. Set Template type to Custom.
4. Click Next.


5. Configure Network settings:

Remote Gateway: Static IP Address
IP Address: 100.21.29.17
Interface: port5
NAT Traversal: Enable

6. Configure Authentication settings:

Method: Pre-shared Key
Pre-shared Key: Enter the pre-shared key.
Version: 1
Mode: Aggressive. This setting allows the peer ID to be specified.
Accept Types: Any peer ID

7. Leave the default Phase 1 Proposal settings, except set Local ID to IaaS.
8. Disable XAUTH.
9. Configure the Phase 2 Selector settings:

Name: FGT_AWS_Tun
Local Address: Named Address - all. This setting allows traffic originating from both the local subnet 10.100.88.0 and
the health checks from the VPN interface. For increased security, each subnet can be specified individually.
Remote Address: Named Address - remote_subnet_10_0_2_0

10. Click OK.

To configure local and remote tunnel IP addresses:

1. Go to Network > Interfaces and edit the FGT_AWS_Tun interface under port5.
2. Set IP to 172.16.200.2.
3. Set Remote IP/Netmask to 172.16.200.1 255.255.255.0.
4. Enable Administrative access for HTTPS, PING, and SSH.
5. Click OK.

Routing is defined when creating the SD-WAN interface. The firewall policy is created after the
SD-WAN interface is defined.


Configuring the VPN overlay between the HQ FortiGate and AWS native VPN
gateway

This example uses static routing. It is assumed that the AWS VPN Gateway is already configured, and that proper
routing is applied on the corresponding subnet.

Verify the AWS configuration

See Creating routing tables and associate subnets in the AWS Administration Guide for configuration details.

To check the AWS configuration:

1. Go to Virtual Private Network (VPN) > Customer Gateways to confirm that the customer gateway defines the
FortiGate IP address as its Gateway IP address, in this case 34.66.121.231.

2. Go to Virtual Private Network (VPN) > Virtual Private Gateways to confirm that a virtual private gateway (VPG) has
been created. In this case it is attached to the Cloud_onRamp VPC that contains the FortiGate and servers.

3. Go to Virtual Private Network (VPN) > Site-to-Site VPN Connections to confirm that site-to-site VPN connections
have been created and attached to the customer gateway and virtual private gateway.
If Routing Options is Static, the IP prefix of the remote subnet on the HQ FortiGate (10.100.88.0) is entered here.

AWS site-to-site VPN always creates two VPN tunnels for redundancy. In this example, only Tunnel 1 is used.

4. Click Download Configuration to download the FortiGate's tunnel configurations. The configuration can be referred
to when configuring the FortiGate VPN.


5. The new VPG is attached to your VPC, but to successfully route traffic to the VPG, proper routing must be defined.
Go to Virtual Private Cloud > Subnets, select the Cloud-OnRamp-VPN, and select the Route Table tab to verify that
there are at least two routes to send traffic over the VPG.

l 169.254.0.0/24 defines the tunnel IP address. Health check traffic originating from the FortiGate will come from
this IP range.
l 10.100.0.0/16 defines the remote subnet from the HQ FortiGate.

l Both routes point to the just created VPG vgw-04xxxx.

6. On the cloud FortiGate-VM EC2 instances, ensure that port1 and port2 both have Source/Dest. Check set to false.
This allows the FortiGate to accept and route traffic to and from a different network.
If you launched the instance from the AWS marketplace, this setting defaults to true.

Configure routing to the VPG on the cloud FortiGate-VM

To configure routing to the VPG on the cloud FortiGate-VM:

1. Go to Network > Static Routes and click Create New.


2. Set Destination to Subnet and enter the IP address and netmask: 10.100.88.0/255.255.255.0.
3. Set Gateway Address to Specify and enter 10.0.2.1.


4. Set Interface to port2.

The new route must have the same Administrative Distance as the route that was created for traffic through the
Core_Dialup tunnel to ensure that both routes are added to the routing table (see To configure a route to the remote
subnet through the tunnel).
The Gateway Address is arbitrarily set to 10.0.2.1. The VPG does not have an IP address, but the address defined
here allows the FortiGate to route traffic out of port2, while AWS routes the traffic based on its routing table.
5. Click OK.
6. Go to Network > Static Routes to view the configured static routes:

7. If Optimal dashboards is selected, go to Dashboard > Network and expand the Routing widget to view the routing
table.
If Comprehensive dashboards is selected, go to Dashboard > Routing Monitor and select Static & Dynamic in the
widget toolbar to view the routing table:

Configure IPsec VPN on the HQ FortiGate

To configure a custom IPsec VPN:

1. Go to VPN > IPsec Wizard.


2. Set Name to AWS_VPG.
3. Set Template type to Custom.
4. Click Next.
5. Configure Network settings:

Remote Gateway: Static IP Address
IP Address: 34.210.19.225 (this address is taken from the downloaded AWS configuration file)
Interface: port1
NAT Traversal: Enable

6. Configure Authentication settings:

Method: Pre-shared Key
Pre-shared Key: Enter the pre-shared key.
Version: 1
Mode: Main

7. Configure the Phase 1 Proposal settings using information from the downloaded AWS configuration file.
8. Disable XAUTH.
9. Configure the Phase 2 Selector settings:

Name: AWS_VPG
Local Address: Named Address - all. This setting allows traffic originating from both the local subnet 10.100.88.0 and
the health checks from the VPN interface. For increased security, each subnet can be specified individually.
Remote Address: Named Address - remote_subnet_10_0_2_0

10. Click OK.

To configure local and remote tunnel IP addresses:

1. Go to Network > Interfaces and edit the AWS_VPG interface under port1.
2. Set IP to 169.254.55.154.
3. Set Remote IP/Netmask to 169.254.55.153 255.255.255.0.
4. Enable Administrative access for HTTPS and PING.
5. Click OK.

Routing is defined when creating the SD-WAN interface. The firewall policy is created after the
SD-WAN interface is defined.

Configuring the VIP to access the remote servers

VIPs, interface IP addresses, and policies are created on the cloud FortiGate-VM to allow access to the remote servers.

To configure additional private IPs on AWS for the FortiGate VIP:

1. On the FortiGate EC2 instance, edit the Elastic Network Interface that corresponds to port2. In this example,
Network Interface eth1.
2. Go to Actions > Manage IP Addresses.
3. Add two private IP address in the 10.0.2.0/24 subnet.
These addresses will be used in the VIPs on the FortiGate. This ensures that traffic to these IP addresses is routed to
the FortiGate by AWS.


4. Click Yes, Update.

To configure VIPs on the cloud FortiGate-VM:

1. Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
2. Configure the following:

Name: VIP-HTTP
Interface: port2
External IP address/range: 10.0.2.20
Mapped IP address/range: 10.0.3.33

3. Click OK.


4. Create a second VIP for the FTP server with the following settings:

Name: VIP-FTP
Interface: port2
External IP address/range: 10.0.2.21
Mapped IP address/range: 10.0.3.44

To configure firewall policies to allow traffic from port2 to port3:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Configure the following:

Name: To-WebServer
Incoming Interface: port2
Outgoing Interface: port3
Source: all
Destination: VIP-HTTP
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enabled

3. Configure the remaining settings as required.


4. Click OK.


5. Create a second policy for the FTP VIP with the following settings:

Name: To-FTP
Incoming Interface: port2
Outgoing Interface: port3
Source: all
Destination: VIP-FTP
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enabled

6. Click OK.

Configuring the SD-WAN to steer traffic between the overlays

Configure the HQ FortiGate to use two overlay tunnels for SD-WAN, steering HTTPS and HTTP traffic through the
FGT_AWS_Tun tunnel, and SSH and FTP through the AWS_VPG tunnel.
1. Add SD-WAN member interfaces
2. Configure a route to the remote network
3. Configure firewall policies
4. Configure a health check
5. Configure SD-WAN rules

To add SD-WAN member interfaces:

1. Go to Network > SD-WAN Zones and click Create New > SD-WAN Member.
2. Set Interface to AWS_VPG then click OK.

3. Click Create New > SD-WAN Member again.


4. Set Interface to FGT_AWS_Tun.


5. Set Gateway to 172.16.200.1.
6. Click OK.

To configure a route to the remote network 10.0.2.0/24:

1. Go to Network > Static Routes and click Create New.


2. Set Destination to Subnet and enter the IP address and netmask: 10.0.2.0/255.255.255.0.
3. Set Interface to SD-WAN.

4. Click OK.
Individual routes to each tunnel are automatically added to the routing table with the same distance:


To configure firewall policies to allow traffic from the internal subnet to SD-WAN:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Configure the following:

Name: ISFW-to-IaaS
Incoming Interface: port3
Outgoing Interface: virtual-wan-link
Source: all
Destination: all
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enabled


3. Configure the remaining settings as required.


4. Click OK.
Once the firewall policies are configured, the VPN tunnels should come up when there is traffic.

To configure a health check to monitor the status of the tunnels:

As you are accessing the servers on the 10.0.2.0/24 subnet, it is preferable to use the FortiGate port2 interface as the
ping server for detection. This ensures that, if the gateway is not reachable in either tunnel, its routes are brought down
and traffic continues on the other tunnel.
1. Go to Network > Performance SLA and click Create New.
2. Configure the following:

Name ping_AWS_Gateway

Protocol Ping

Server 10.0.2.10

Participants Specify
Add AWS_VPG and FGT_AWS_Tun as participants.


3. Click OK.

Health check probes originate from the VPN interface's IP address. This is why the phase2 selectors are configured
with Local Address set to all.

To configure SD-WAN rules to steer traffic:

HTTPS and HTTP traffic is steered to the FGT_AWS_Tun tunnel, and SSH and FTP traffic is steered to the AWS_VPG
tunnel. The Manual algorithm is used in this example.
1. Go to Network > SD-WAN Rules and click Create New.
2. Configure the following:

Name http-to-FGT_AWS_Tun

Source Address all

Address remote_subnet_10_0_2_0

Protocol TCP

Port range 80 - 80

Outgoing Interfaces Manual

Interface preference FGT_AWS_Tun


3. Click OK.
4. Create other SD-WAN rules as required:

Verifying the traffic

To verify that pings are sent across the IPsec VPN tunnels

• On the HQ FortiGate, run the following CLI command:

# diagnose sniffer packet any 'host 10.0.2.10' 4 0 1
interfaces=[any]
filters=[host 10.0.2.10]
2020-06-05 11:35:14.822600 AWS_VPG out 169.254.55.154 -> 10.0.2.10: icmp: echo request
2020-06-05 11:35:14.822789 FGT_AWS_Tun out 172.16.200.2 -> 10.0.2.10: icmp: echo request
2020-06-05 11:35:14.877862 FGT_AWS_Tun in 10.0.2.10 -> 172.16.200.2: icmp: echo reply
2020-06-05 11:35:14.878887 AWS_VPG in 10.0.2.10 -> 169.254.55.154: icmp: echo reply

• On the cloud FortiGate-VM, run the following CLI command:

# diagnose sniffer packet any 'host 10.0.2.10' 4 0 1
interfaces=[any]
filters=[host 10.0.2.10]
2020-06-05 11:37:57.176329 port2 in 169.254.55.154 -> 10.0.2.10: icmp: echo request
2020-06-05 11:37:57.176363 port2 out 10.0.2.10 -> 169.254.55.154: icmp: echo reply
2020-06-05 11:37:57.176505 Core_Dialup in 172.16.200.2 -> 10.0.2.10: icmp: echo request
2020-06-05 11:37:57.176514 Core_Dialup out 10.0.2.10 -> 172.16.200.2: icmp: echo reply

To verify the SLA health checks on the HQ FortiGate:

1. Go to Network > Performance SLA and select Packet Loss and the ping_AWS_Gateway SLA:

2. Run the following CLI command:


# diagnose sys sdwan health-check

Seq(1 AWS_VPG): state(alive), packet-loss(0.000%) latency(56.221), jitter(0.290) sla_map=0x0
Seq(2 FGT_AWS_Tun): state(alive), packet-loss(0.000%) latency(55.039), jitter(0.223) sla_map=0x0

To verify service rules:

1. Go to Network > SD-WAN Rules:

2. Run the following CLI command:


# diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(6: 80->80), Mode(manual)
Members:
1: Seq_num(2 FGT_AWS_Tun), alive, selected
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.0-10.0.2.255

Service(2): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(6: 22->22), Mode(manual)
Members:
1: Seq_num(1 AWS_VPG), alive, selected
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.0-10.0.2.255

Service(3): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(6: 443->443), Mode(manual)
Members:
1: Seq_num(2 FGT_AWS_Tun), alive, selected
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.0-10.0.2.255

Service(4): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(1 AWS_VPG), alive, selected
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.21-10.0.2.21

To verify that sessions are going to the correct tunnel:

1. Run the following CLI command to verify that HTTPS and HTTP traffic destined for the Web server at 10.0.2.20
uses FGT_AWS_Tun:
# diagnose sys session filter dst 10.0.2.20
# diagnose sys session list

session info: proto=6 proto_state=11 duration=2 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=FGT_AWS_Tun/ vlan_cos=0/255
state=log may_dirty npu f00 csf_syncd_log app_valid
statistic(bytes/packets/allow_err): org=593/4/1 reply=3689/5/1 tuples=3
tx speed(Bps/kbps): 264/2 rx speed(Bps/kbps): 1646/13
orgin->sink: org pre->post, reply pre->post dev=0->18/18->0 gwy=172.16.200.1/0.0.0.0
hook=post dir=org act=snat 10.100.88.101:55589->10.0.2.20:80(172.16.200.2:55589)
hook=pre dir=reply act=dnat 10.0.2.20:80->172.16.200.2:55589(10.100.88.101:55589)
hook=post dir=reply act=noop 10.0.2.20:80->10.100.88.101:55589(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:09:0f:00:03:01
misc=0 policy_id=32 auth_info=0 chk_client_info=0 vd=0
serial=00b7442c tos=ff/ff app_list=2000 app=34050 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id= ff000001 rpdb_svc_id=2154552596 ngfwid=n/a
npu_state=0x3041008


session info: proto=6 proto_state=66 duration=1 expire=3 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=FGT_AWS_Tun/ vlan_cos=0/255
state=log may_dirty ndr f00 csf_syncd_log
statistic(bytes/packets/allow_err): org=48/1/0 reply=40/1/1 tuples=3
tx speed(Bps/kbps): 26/0 rx speed(Bps/kbps): 22/0
orgin->sink: org pre->post, reply pre->post dev=5->18/18->5
gwy=172.16.200.1/10.100.88.101
hook=post dir=org act=snat 10.100.88.101:55621->10.0.2.20:443(172.16.200.2:55621)
hook=pre dir=reply act=dnat 10.0.2.20:443->172.16.200.2:55621(10.100.88.101:55621)
hook=post dir=reply act=noop 10.0.2.20:443->10.100.88.101:55621(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:09:0f:00:03:01
misc=0 policy_id=32 auth_info=0 chk_client_info=0 vd=0
serial=00b74b50 tos=ff/ff app_list=2000 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id= ff000003 rpdb_svc_id=2154552596 ngfwid=n/a
npu_state=0x3041008

2. Run the following CLI command to verify that SSH and FTP traffic destined for the FTP server at 10.0.2.21 uses
AWS_VPG (the session filter must match the FTP server's address, 10.0.2.21):
# diagnose sys session filter dst 10.0.2.21
# diagnose sys session list

session info: proto=6 proto_state=11 duration=197 expire=3403 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=AWS_VPG/ helper=ftp vlan_cos=0/255
state=log may_dirty ndr npu f00 csf_syncd_log app_valid
statistic(bytes/packets/allow_err): org=580/12/1 reply=863/13/1 tuples=3
tx speed(Bps/kbps): 2/0 rx speed(Bps/kbps): 4/0
orgin->sink: org pre->post, reply pre->post dev=5->17/17->5
gwy=169.254.55.153/10.100.88.101
hook=post dir=org act=snat 10.100.88.101:55528->10.0.2.21:21(169.254.55.154:55528)
hook=pre dir=reply act=dnat 10.0.2.21:21->169.254.55.154:55528(10.100.88.101:55528)
hook=post dir=reply act=noop 10.0.2.21:21->10.100.88.101:55528(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:09:0f:00:03:01
misc=0 policy_id=32 auth_info=0 chk_client_info=0 vd=0
serial=00b72a5f tos=ff/ff app_list=2000 app=15896 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id= ff000004 rpdb_svc_id=2149689849 ngfwid=n/a
npu_state=0x3041008

session info: proto=6 proto_state=11 duration=3 expire=3596 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=AWS_VPG/ vlan_cos=0/255
state=log may_dirty ndr npu f00 csf_syncd_log app_valid
statistic(bytes/packets/allow_err): org=1496/6/1 reply=1541/5/1 tuples=3
tx speed(Bps/kbps): 416/3 rx speed(Bps/kbps): 429/3
orgin->sink: org pre->post, reply pre->post dev=5->17/17->5
gwy=169.254.55.153/10.100.88.101
hook=post dir=org act=snat 10.100.88.101:55644->10.0.2.21:22(169.254.55.154:55644)
hook=pre dir=reply act=dnat 10.0.2.21:22->169.254.55.154:55644(10.100.88.101:55644)
hook=post dir=reply act=noop 10.0.2.21:22->10.100.88.101:55644(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:09:0f:00:03:01
misc=0 policy_id=32 auth_info=0 chk_client_info=0 vd=0
serial=00b75287 tos=ff/ff app_list=2000 app=16060 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id= ff000002 rpdb_svc_id=2149689849 ngfwid=n/a
npu_state=0x3041008

To simulate an issue on an overlay VPN tunnel:

On the cloud FortiGate-VM, disable the firewall policy allowing Core_Dialup to port2.
1. Health-checks through the FGT_AWS_Tun tunnel fail:
a. Go to Network > Performance SLA and select Packet Loss and the ping_AWS_Gateway SLA:

b. Run the following CLI command:


# diagnose sys sdwan health-check

Seq(1 AWS_VPG): state(alive), packet-loss(0.000%) latency(52.746), jitter(0.713) sla_map=0x0
Seq(2 FGT_AWS_Tun): state(dead), packet-loss(19.000%) sla_map=0x0

2. Service rules show that the member is down:


a. Go to Network > SD-WAN Rules:


b. Run the following CLI command:


# diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x0
Gen(2), TOS(0x0/0x0), Protocol(6: 80->80), Mode(manual)
Members:
1: Seq_num(2 FGT_AWS_Tun), dead
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.0-10.0.2.255

Service(2): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(6: 22->22), Mode(manual)
Members:
1: Seq_num(1 AWS_VPG), alive, selected
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.0-10.0.2.255

Service(3): Address Mode(IPV4) flags=0x0
Gen(2), TOS(0x0/0x0), Protocol(6: 443->443), Mode(manual)
Members:
1: Seq_num(2 FGT_AWS_Tun), dead
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.0-10.0.2.255

Service(4): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(1 AWS_VPG), alive, selected
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.21-10.0.2.21

3. Sessions are redirected to the working tunnel:


a. Run the following CLI command:
# diagnose sys session list

session info: proto=6 proto_state=11 duration=3 expire=3596 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=AWS_VPG/ vlan_cos=0/255
state=log may_dirty ndr npu f00 csf_syncd_log app_valid
statistic(bytes/packets/allow_err): org=504/4/1 reply=620/3/1 tuples=3
tx speed(Bps/kbps): 150/1 rx speed(Bps/kbps): 184/1
orgin->sink: org pre->post, reply pre->post dev=0->17/17->0
gwy=169.254.55.153/0.0.0.0
hook=post dir=org act=snat 10.100.88.101:56373->10.0.2.20:80(169.254.55.154:56373)
hook=pre dir=reply act=dnat 10.0.2.20:80->169.254.55.154:56373(10.100.88.101:56373)
hook=post dir=reply act=noop 10.0.2.20:80->10.100.88.101:56373(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:09:0f:00:03:01
misc=0 policy_id=32 auth_info=0 chk_client_info=0 vd=0
serial=00b87199 tos=ff/ff app_list=2000 app=34050 url_cat=0
rpdb_link_id= 80000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x3041008

session info: proto=6 proto_state=66 duration=3 expire=1 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=AWS_VPG/ vlan_cos=0/255
state=log may_dirty ndr f00 csf_syncd_log
statistic(bytes/packets/allow_err): org=48/1/0 reply=40/1/1 tuples=3
tx speed(Bps/kbps): 15/0 rx speed(Bps/kbps): 12/0
orgin->sink: org pre->post, reply pre->post dev=5->17/17->5
gwy=169.254.55.153/10.100.88.101
hook=post dir=org act=snat 10.100.88.101:56383->10.0.2.20:443(169.254.55.154:56383)
hook=pre dir=reply act=dnat 10.0.2.20:443->169.254.55.154:56383(10.100.88.101:56383)
hook=post dir=reply act=noop 10.0.2.20:443->10.100.88.101:56383(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:09:0f:00:03:01
misc=0 policy_id=32 auth_info=0 chk_client_info=0 vd=0
serial=00b876bb tos=ff/ff app_list=2000 app=0 url_cat=0
rpdb_link_id= 80000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x3041008
total session 2

4. Routes to the FGT_AWS_Tun tunnel are removed:


a. If Optimal dashboards is selected, go to Dashboard > Network and expand the Routing widget to view the
routing table.
If Comprehensive dashboards is selected, go to Dashboard > Routing Monitor and select Static & Dynamic in
the widget toolbar to view the routing table:

b. Run the following CLI command:


# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 10.100.64.254, port1
[1/0] via 10.100.65.254, port5
S 10.0.2.0/24 [1/0] via 169.254.55.153, AWS_VPG
C 10.0.10.0/24 is directly connected, Branch-HQ-A
C 10.0.10.1/32 is directly connected, Branch-HQ-A
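As an added example that is not part of this guide, the following Python parses the diagnose sys sdwan service output shown in the verification and failure-simulation steps above and flags any rule whose intended member is no longer alive and selected, which is exactly the condition under which sessions fall back to the routing table (rpdb_svc_id=0 in the session output). The sample text is constructed from the outputs above; the steering expectations table is an assumption drawn from this example's rules.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the 'diagnose sys sdwan service' output in this
# section: the healthy state, and the state after FGT_AWS_Tun has failed.
HEALTHY = """\
Service(1): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(6: 80->80), Mode(manual)
Members:
1: Seq_num(2 FGT_AWS_Tun), alive, selected
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.0-10.0.2.255

Service(2): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(6: 22->22), Mode(manual)
Members:
1: Seq_num(1 AWS_VPG), alive, selected
Src address:
0.0.0.0-255.255.255.255
Dst address:
10.0.2.0-10.0.2.255
"""
DEGRADED = HEALTHY.replace("1: Seq_num(2 FGT_AWS_Tun), alive, selected",
                           "1: Seq_num(2 FGT_AWS_Tun), dead")


@dataclass
class Member:
    seq: int
    name: str
    alive: bool
    selected: bool


@dataclass
class Service:
    sid: int
    proto: int = 0
    port_lo: int = 0
    port_hi: int = 0
    mode: str = ""
    members: list = field(default_factory=list)
    dst: list = field(default_factory=list)   # (first, last) address ranges


SVC_RE = re.compile(r"^Service\((\d+)\):")
PROTO_RE = re.compile(r"Protocol\((\d+): (\d+)->(\d+)\), Mode\((\w+)\)")
MEMBER_RE = re.compile(r"^\s*\d+: Seq_num\((\d+) (\S+)\), (alive|dead)(, selected)?")
RANGE_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})-(\d+(?:\.\d+){3})\s*$")


def parse_services(text):
    """Turn the CLI text into one Service object per SD-WAN rule."""
    services, cur, section = [], None, None
    for line in text.splitlines():
        m = SVC_RE.match(line)
        if m:
            cur = Service(int(m.group(1)))
            services.append(cur)
            section = None
            continue
        if cur is None:
            continue
        m = PROTO_RE.search(line)
        if m:
            cur.proto, cur.port_lo, cur.port_hi = (int(x) for x in m.group(1, 2, 3))
            cur.mode = m.group(4)
            continue
        key = line.strip()
        if key in ("Members:", "Src address:", "Dst address:"):
            section = key
            continue
        m = MEMBER_RE.match(line)
        if m and section == "Members:":
            cur.members.append(Member(int(m.group(1)), m.group(2),
                                      m.group(3) == "alive", m.group(4) is not None))
            continue
        m = RANGE_RE.match(line)
        if m and section == "Dst address:":
            cur.dst.append((m.group(1), m.group(2)))
    return services


# Steering intent of this example, keyed by (protocol, low port): HTTP and HTTPS
# over FGT_AWS_Tun, SSH and the any-port FTP rule over AWS_VPG (assumed table).
EXPECTED = {(6, 80): "FGT_AWS_Tun", (6, 443): "FGT_AWS_Tun",
            (6, 22): "AWS_VPG", (0, 1): "AWS_VPG"}


def audit(services, expected=EXPECTED):
    """Return (service_id, finding) pairs for rules that no longer steer as intended."""
    findings = []
    for s in services:
        want = expected.get((s.proto, s.port_lo))
        if want is None:
            findings.append((s.sid, "no steering expectation recorded for this rule"))
            continue
        selected = [m.name for m in s.members if m.selected]
        if not selected:
            dead = [m.name for m in s.members if not m.alive]
            findings.append((s.sid, f"no member selected (dead: {dead}); "
                                    "traffic falls back to the routing table"))
        elif selected[0] != want:
            findings.append((s.sid, f"selected {selected[0]}, expected {want}"))
    return findings


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, audit(parse_services(text)) or "OK")
```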

Hub and spoke SD-WAN deployment example

This topology diagram shows an overview of the network that is configured in this example:

Datacenter configuration

The datacenter is configured to support:

• Zero touch provisioning of new spokes
• Point to multipoint VPN
• Central management of access with the datacenter firewall
• Dynamic peering, to share routing information between branches and the datacenter
• VDOM compatibility, with inter-VDOM links for isolation and segmentation

To configure the datacenter, complete the following steps:

1. Configure dial-up (dynamic) VPN


2. Configure VPN interfaces
3. Configure loopback interface
4. Configure BGP
5. Firewall policies
6. Configure a black hole route

Configure dial-up (dynamic) VPN

Dial-up, or dynamic, VPNs are used to facilitate zero touch provisioning of new spokes to establish VPN connections to
the hub FortiGate.
The exchange-interface-ip option is enabled to allow the exchange of IPsec interface IP addresses. This allows a
point to multipoint connection to the hub FortiGate.
The add-route option is disabled to allow multiple dial-up tunnels to be established to the same host that is advertising
the same network. This dynamic network discovery is facilitated by the BGP configuration; see Configure BGP on page
855 for details.
Wildcard security associations are defined for the phase2 interface because routing is used to determine if traffic is
subject to encryption and transmission through the IPsec VPN tunnel. The phase1 interface name must be 11 characters
or less.
A dynamic VPN configuration must be defined for each interface that connects to the internet.

To configure the IPsec phase1 interfaces:

config vpn ipsec phase1-interface
    edit "vpn-isp-a"
        set type dynamic
        set interface "port2"
        set peertype any
        set exchange-interface-ip enable
        set proposal aes256-sha256
        set add-route disable
        set dhgrp 5
        set net-device enable
        set psksecret ********
    next
    edit "vpn-isp-b"
        set type dynamic
        set interface "port3"
        set peertype any
        set exchange-interface-ip enable
        set proposal aes256-sha256
        set add-route disable
        set dhgrp 5
        set net-device enable
        set psksecret ********
    next
end

To configure the IPsec phase2 interfaces:

config vpn ipsec phase2-interface
    edit "vpn-isp-a_p2"
        set phase1name "vpn-isp-a"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
    next
    edit "vpn-isp-b_p2"
        set phase1name "vpn-isp-b"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
    next
end

Configure VPN interfaces

To establish the BGP session, IP addresses must be assigned to the tunnel interfaces that BGP will use to peer.
The hub IP address is set to the address that the tunnels connect to. The remote IP address is set to the highest unused IP
address in the tunnel network. This creates two connected routes directly back to the branch FortiGate in the hub
FortiGate's routing table.
Ping is allowed on the virtual interface to confirm that a point to point tunnel has been established between the hub and
branch FortiGates.

To define IP addresses for VPN interfaces:

config system interface
    edit "vpn-isp-a"
        set vdom "root"
        set ip 10.254.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.0.254 255.255.255.0
        set interface "port2"
    next
    edit "vpn-isp-b"
        set vdom "root"
        set ip 10.254.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.1.254 255.255.255.0
        set interface "port3"
    next
end


Configure loopback interface

A loopback interface must be defined on the hub FortiGate to be used as a common probe point for the FortiGates that
are using SD-WAN. The FortiGates send a probe packet from each of their SD-WAN member interfaces so that they can
determine the best route according to their policies. Ping is allowed so that it can be used for measurements.

To configure the loopback interface on the hub FortiGate:

config system interface
    edit "loopback_0"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end

Configure BGP

Network route discovery is facilitated by BGP.


EBGP is used to prevent the redistribution of routes that are in the same Autonomous System (AS) number as the host.
It is also required to influence route selection on the branches with AS-Path prepending. EBGP multipath is enabled so
that the hub FortiGate can dynamically discover multiple paths for networks that are advertised at the branches.
The neighbor range and group settings are configured to allow peering relationships to be established without defining
each individual peer. Connecting branches have their tunnel interfaces configured within the range of the BGP peer.
In order to facilitate the fastest route failovers, configure the following timers to their lowest levels: scan-time,
advertisement-interval, keep-alive-timer, and holdtime-timer.

To configure BGP on the hub FortiGate:

config router bgp
    set as 65500
    set router-id 10.10.0.1
    set ebgp-multipath enable
    set graceful-restart enable
    config neighbor-group
        edit "branch-peers-1"
            set soft-reconfiguration enable
            set remote-as 65501
        next
        edit "branch-peers-2"
            set soft-reconfiguration enable
            set remote-as 65501
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.254.0.0 255.255.255.0
            set neighbor-group "branch-peers-1"
        next
        edit 2
            set prefix 10.254.1.0 255.255.255.0
            set neighbor-group "branch-peers-2"
        next
    end
    config network
        edit 1
            set prefix 10.200.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.200.0.0 255.255.255.0
        next
        edit 3
            set prefix 10.200.3.0 255.255.255.0
        next
    end
end

Firewall policies

Centralized access is controlled from the hub FortiGate using Firewall policies. In addition to layer three and four
inspection, security policies can be used in the policies for layer seven traffic inspection.
It is best practice to only allow the networks and services that are required for communication through the firewall. The
following rules are the minimum that must be configured to allow SD-WAN to function:

Source Interface | Destination Interface | Source Address | Destination Address | Action | Schedule | Service | Comments
<vpn interfaces> | <internal interface> | <branch tunnel IP addresses> | <hub FortiGate internal interface> | Accept | Always | ICMP | Allow health checks to the internal hub FortiGate interface
<vpn interfaces> | <internal interface> | <branch networks> | <datacenter networks> | Accept | Always | <allowed services> | Allow traffic from branch networks

For this example, a simple policy that allows all traffic is configured.

To configure a firewall policy:

config firewall policy
    edit 1
        set name "Allow All"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end


Configure a black hole route

If there is a temporary loss of connectivity to the branch routes, it is best practice to send the traffic that is destined for
those networks into a black hole until connectivity is restored.

To configure a black hole route for branch networks:

config router static
    edit 6
        set dst 10.0.0.0/14
        set distance 254
        set blackhole enable
    next
end
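To show why the /14 black hole at distance 254 only takes effect once the more specific branch routes are withdrawn, and what happens without it, here is an added example (not from this guide) that models route selection as longest prefix first and then lowest administrative distance over a constructed hub routing table. The branch prefix 10.0.10.0/24, the interface names port1 and port5, the default route and the eBGP distance of 20 are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    distance: int   # administrative distance
    via: str        # next-hop interface, or "blackhole"


def build_rib(branch_routes_up, with_blackhole=True):
    """Constructed hub RIB: a default route, the datacenter LAN from the BGP
    network list above, the /14 black hole from this section and, while the
    tunnels are up, an eBGP-learned branch prefix (assumed 10.0.10.0/24)."""
    rib = [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), 10, "port1 (internet)"),        # assumed
        Route(ipaddress.IPv4Network("10.200.1.0/24"), 0, "port5 (datacenter LAN)"),  # assumed
    ]
    if with_blackhole:
        rib.append(Route(ipaddress.IPv4Network("10.0.0.0/14"), 254, "blackhole"))
    if branch_routes_up:
        # eBGP routes carry distance 20 (assumed); two equal paths because
        # ebgp-multipath is enabled on the hub.
        rib += [Route(ipaddress.IPv4Network("10.0.10.0/24"), 20, "vpn-isp-a"),
                Route(ipaddress.IPv4Network("10.0.10.0/24"), 20, "vpn-isp-b")]
    return rib


def lookup(rib, dst):
    """Longest prefix match first, then lowest administrative distance; every
    route that ties on both is returned (the ECMP set)."""
    addr = ipaddress.IPv4Address(dst)
    cands = [r for r in rib if addr in r.prefix]
    if not cands:
        return []
    best_len = max(r.prefix.prefixlen for r in cands)
    cands = [r for r in cands if r.prefix.prefixlen == best_len]
    best_dist = min(r.distance for r in cands)
    return [r for r in cands if r.distance == best_dist]


def next_hops(rib, dst):
    """Sorted next-hop names for dst, for easy comparison."""
    return sorted(r.via for r in lookup(rib, dst))


if __name__ == "__main__":
    print("tunnels up:       ", next_hops(build_rib(True), "10.0.10.5"))
    print("tunnels down:     ", next_hops(build_rib(False), "10.0.10.5"))
    print("no black hole:    ", next_hops(build_rib(False, with_blackhole=False), "10.0.10.5"))
```

Without the black hole, branch-destined traffic would follow the default route toward the internet while the tunnels are down; the /14 covers 10.0.0.0 through 10.3.255.255, so datacenter prefixes such as 10.200.1.0/24 are unaffected.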

Branch configuration

The branches are configured to support:


• Client side SD-WAN with intelligent load balancing based on link quality
• Easy to create configuration templates for quick spoke deployment
• Split tunnel deployment for local internet access
• VDOM compatibility, with inter-VDOM links for isolation and segmentation

To configure a branch, complete the following steps:

1. Configure VPN to the hub


2. Configure VPN interfaces
3. Configure BGP
4. Configure SD-WAN
5. Firewall configuration

Configure VPN to the hub

The branch uses a normal site-to-site VPN configuration.


Wildcard security associations are defined in the phase2 configuration because dynamic routing with BGP determines
what traffic must traverse the VPN tunnel for encryption and transmission.
To make sure that the VPN is established, auto-negotiate is enabled.

To configure the IPsec phase1 interfaces:

config vpn ipsec phase1-interface
    edit "vpn_dc1-1"
        set interface "port2"
        set peertype any
        set exchange-interface-ip enable
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw 172.16.0.78
        set psksecret ********
    next
    edit "vpn_dc1-2"
        set interface "port3"
        set peertype any
        set exchange-interface-ip enable
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw 172.16.0.82
        set psksecret ********
    next
end

To configure the IPsec phase2 interfaces:

config vpn ipsec phase2-interface
    edit "vpn_dc1-1_p2"
        set phase1name "vpn_dc1-1"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
        set auto-negotiate enable
    next
    edit "vpn_dc1-2_p2"
        set phase1name "vpn_dc1-2"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
        set auto-negotiate enable
    next
end

Configure VPN interfaces

The branch must define its local tunnel interface IP address, and the remote tunnel interface IP address of the
datacenter FortiGate, to establish the point to multipoint VPN.

To define IP addresses for VPN interfaces:

config system interface
    edit "vpn_dc1-1"
        set vdom "root"
        set ip 10.255.0.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.255.0.1 255.255.255.255
        set interface "port2"
    next
    edit "vpn_dc1-2"
        set vdom "root"
        set ip 10.255.1.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.255.1.1 255.255.255.255
        set interface "port3"
    next
end

Configure BGP

BGP enables learning dynamic routes from the datacenter. The BGP configuration is normal, with the definition of the
datacenter FortiGate tunnel IP addresses set as BGP peers.
Routes that have the same network mask, administrative distance, priority, and AS length are automatically considered
for SD-WAN when the interfaces that those routes are on are added to the SD-WAN interface group.
In order to facilitate the fastest route failovers, configure the following timers to their lowest levels: scan-time,
advertisement-interval, keep-alive-timer, and holdtime-timer.
The distance-external option might need to be configured if you need routes that are learned from BGP to take
precedence over static routes.

To configure BGP on the branch FortiGate:

config router bgp
    set as 65501
    set router-id 10.254.0.2
    set ebgp-multipath enable
    config neighbor
        edit "10.254.0.1"
            set soft-reconfiguration enable
            set remote-as 65500
        next
        edit "10.254.1.1"
            set soft-reconfiguration enable
            set remote-as 65500
        next
    end
end

Configure SD-WAN

SD-WAN configuration is required to load balance based on the quality of the links. It can be configured to select the best
link based on characteristics such as jitter, packet loss, and latency. A policy route is created by the FortiGate to select
the best link based on the defined criteria.
For SD-WAN interfaces, or members, the peer is defined to reference the BGP neighbor that is tied to that specific
interface.
The health check is the ping server that gathers the link characteristics used for link selection. It is recommended that the
minimum failtime be set to 2.
The service definition defines the criteria for the policy routes. It can match based on the following characteristics:
• Protocol
• Destination Address
• Source Address
• Identity Based Group
• Internet Service Definition
• Source Port
• Destination Port
• Destination Route Tag
To dynamically determine the networks of the policy routes, routes that are learned from a BGP neighbor are matched
against a route map, and a tag is defined for the matching routes. The service rules learn the networks from these tags
instead of from address objects defined on the learned prefixes. See Dynamic definition of SD-WAN routes on page 862
for details on configuring the FortiGate to use the destination tags for the SD-WAN service definition.

To define the SD-WAN member interfaces:

config system sdwan
    set status enable
    config members
        edit 1
            set interface "vpn_dc1-1"
        next
        edit 2
            set interface "vpn_dc1-2"
        next
    end
end

To define the SD-WAN health checks:

config system sdwan
    config health-check
        edit "datacenter1"
            set server "10.200.1.1"
            set interval 1
            set failtime 2
            set recoverytime 10
        next
    end
end

To define the SD-WAN service rules:

config system sdwan
    config service
        edit 1
            set mode priority
            set dst n-corporate
            set health-check "datacenter1"
            set priority-members 1 2
        next
    end
end


Firewall configuration

Centralized access is controlled from the hub FortiGate using Firewall policies. In addition to layer three and four
inspection, security policies can be used in the policies for layer seven traffic inspection.
It is best practice to only allow the networks and services that are required for communication through the firewall. The
following rules are the minimum that must be configured to allow SD-WAN to function:

Source Interface | Destination Interface | Source Address | Destination Address | Action | Schedule | Service | Comments
<internal interface> | <virtual wan link> | <branch networks> | <datacenter networks> | Accept | Always | <allowed services> | Allow traffic from branch to datacenter
<virtual wan link> | <internal interface> | <datacenter networks> | <branch networks> | Accept | Always | <allowed services> | Allow traffic from datacenter to branch

For this example, a simple policy that allows all traffic is configured.

To configure a firewall policy:

config firewall policy
    edit 1
        set name "Allow All"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Validation

The following commands can be used to validate the connections on the datacenter and branches.

Datacenter

Routing table:

get router info routing-table all

VPN establishment:

diagnose vpn ike gateway list


Branch

SD-WAN validation:

diagnose sys sdwan member
diagnose sys sdwan service
diagnose sys sdwan health-check

Routing table:

get router info routing-table all
get router info route-map-address
get router info bgp route-map <route-map-name>

VPN establishment:

diagnose vpn ike gateway list

Dynamic definition of SD-WAN routes

Dynamic definitions of SD-WAN routes relieve administrators of the need to know the destination of the traffic that is
being load balanced, which, in an environment where routes are constantly added and removed, would otherwise require
a significant amount of administrative overhead.
The FortiGate can be configured to apply a route map to a BGP neighbor, and tag the routes that are learned from that
neighbor with the set-route-tag command. After those routes are assigned a tag ID in the route map, the ID can be
referenced in the SD-WAN rule.

To define the route map to apply to the BGP neighbor:

config router route-map
    edit "map-comm1"
        config rule
            edit 1
                set match-origin igp
                set set-route-tag 12
            next
            edit 2
                set match-ip-address "pf-all-in"
                set set-route-tag 11
            next
        end
    next
end

To apply the route map to the BGP neighbor:

config router bgp
    config neighbor
        edit "10.254.0.1"
            set route-map-in "map-comm1"
        next
    end
end

To reference tagged routes in an SD-WAN rule:

config system sdwan
    config service
        edit 1
            set mode priority
            set dst-tag 11
            set health-check "datacenter1"
            set priority-members 1 2
        next
    end
end

Adding another datacenter

Datacenter FortiGates should be configured to establish an OSPF neighbor relationship with the internal core router.
This allows the dynamic redistribution of routes to the branches that are receiving updates from the datacenter
FortiGates.
To ensure the fastest failover with OSPF, the following timers are set to their minimum levels: spf-timers,
hello-interval, dead-interval.
Bidirectional forwarding detection (BFD) is enabled to allow the fastest convergence time if a peering neighbor fails.

To configure OSPF:

config router ospf
    set router-id 10.10.10.10
    set spf-timers 0 1
    set distribute-list-in "pf-datacenter2-tunnel"
    set restart-mode graceful-restart
    config area
        edit 10.10.10.10
        next
    end
    config ospf-interface
        edit "port5"
            set interface "port5"
            set dead-interval 3
            set hello-interval 1
            set bfd enable
        next
    end
    config network
        edit 1
            set prefix 192.168.100.0 255.255.255.252
            set area 10.10.10.10
        next
    end
    config redistribute "connected"
        set status enable
        set routemap "redistribute-branch-tunnel"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
        set status enable
        set routemap "redistribute-branch-networks"
    end
    config redistribute "isis"
    end
end

Troubleshooting SD-WAN

The following topics provide instructions on SD-WAN troubleshooting:

• Tracking SD-WAN sessions on page 864
• Understanding SD-WAN related logs on page 865
• SD-WAN related diagnose commands on page 868
• SD-WAN bandwidth monitoring service on page 872
• Using SNMP to monitor health check on page 874

Tracking SD-WAN sessions

You can check the destination interface in Dashboard > FortiView Sessions in order to see which port the traffic is being
forwarded to.
The example below demonstrates a source-based load-balance between two SD-WAN members:
• If the source IP address is an even number, it will go to port13.
• If the source IP address is an odd number, it will go to port12.


Understanding SD-WAN related logs

This topic lists the SD-WAN related logs and explains when the logs will be triggered.

Health-check detects a failure:

• When health-check detects a failure, it will record a log:

34: date=2019-03-23 time=17:26:06 logid="0100022921" type="event" subtype="system"
level="critical" vd="root" eventtime=1553387165 logdesc="Routing information changed"
name="test" interface="R150" status="down" msg="Static route on interface R150 may be
removed by health-check test. Route: (10.100.1.2->10.100.2.22 ping-down)"

• When health-check detects a recovery, it will record a log:

32: date=2019-03-23 time=17:26:54 logid="0100022921" type="event" subtype="system"
level="critical" vd="root" eventtime=1553387214 logdesc="Routing information changed"
name="test" interface="R150" status="up" msg="Static route on interface R150 may be
added by health-check test. Route: (10.100.1.2->10.100.2.22 ping-up)"

Health-check has an SLA target and detects SLA qualification changes:

- When health-check has an SLA target and detects SLA changes, and changes to fail:
5: date=2019-04-11 time=11:48:39 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1555008519816639290 logdesc="Virtual WAN Link status"
msg="SD-WAN Health Check(ping) SLA(1): number of pass members changes from 2 to 1."

- When health-check has an SLA target and detects SLA changes, and changes to pass:
2: date=2019-04-11 time=11:49:46 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1555008586149038471 logdesc="Virtual WAN Link status"
msg="SD-WAN Health Check(ping) SLA(1): number of pass members changes from 1 to 2."

SD-WAN calculates a link's session/bandwidth over/under its ratio and stops/resumes traffic:

- When SD-WAN calculates a link's session/bandwidth over its configured ratio and stops forwarding traffic:
3: date=2019-04-10 time=17:15:40 logid="0100022924" type="event" subtype="system"
level="notice" vd="root" eventtime=1554941740185866628 logdesc="Virtual WAN Link volume
status" interface="R160" msg="The member(3) enters into conservative status with limited
ablity to receive new sessions for too much traffic."

- When SD-WAN calculates a link's session/bandwidth according to its ratio and resumes forwarding traffic:
1: date=2019-04-10 time=17:20:39 logid="0100022924" type="event" subtype="system"
level="notice" vd="root" eventtime=1554942040196041728 logdesc="Virtual WAN Link volume
status" interface="R160" msg="The member(3) resume normal status to receive new sessions
for internal adjustment."

The SLA mode service rule's SLA qualified member changes:

- When the SLA mode service rule's SLA qualified member changes. In this example R150 fails the SLA check, but is still alive:
14: date=2019-03-23 time=17:44:12 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553388252 logdesc="Virtual WAN Link status"
msg="Service2() prioritized by SLA will be redirected in seq-num order 2(R160) 1(R150)."

15: date=2019-03-23 time=17:44:12 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553388252 logdesc="Virtual WAN Link status"
interface="R150" msg="The member1(R150) SLA order changed from 1 to 2. "
16: date=2019-03-23 time=17:44:12 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553388252 logdesc="Virtual WAN Link status"
interface="R160" msg="The member2(R160) SLA order changed from 2 to 1. "

- When the SLA mode service rule's SLA qualified member changes. In this example R150 changes from fail to pass:
1: date=2019-03-23 time=17:46:05 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553388365 logdesc="Virtual WAN Link status"
msg="Service2() prioritized by SLA will be redirected in seq-num order 1(R150) 2(R160)."
2: date=2019-03-23 time=17:46:05 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553388365 logdesc="Virtual WAN Link status"
interface="R160" msg="The member2(R160) SLA order changed from 1 to 2. "
3: date=2019-03-23 time=17:46:05 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553388365 logdesc="Virtual WAN Link status"
interface="R150" msg="The member1(R150) SLA order changed from 2 to 1. "

The priority mode service rule member's link status changes:

- When the priority mode service rule member's link status changes. In this example R150 changes to better than R160, and both are still alive:
1: date=2019-03-23 time=17:33:23 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553387603 logdesc="Virtual WAN Link status"
msg="Service2() prioritized by packet-loss will be redirected in seq-num order 1(R150) 2
(R160)."
2: date=2019-03-23 time=17:33:23 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553387603 logdesc="Virtual WAN Link status"
interface="R160" msg="The member2(R160) link quality packet-loss order changed from 1 to
2. "
3: date=2019-03-23 time=17:33:23 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553387603 logdesc="Virtual WAN Link status"
interface="R150" msg="The member1(R150) link quality packet-loss order changed from 2 to
1. "

- When the priority mode service rule member's link status changes. In this example R160 changes to better than R150, and both are still alive:
6: date=2019-03-23 time=17:32:01 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553387520 logdesc="Virtual WAN Link status"
msg="Service2() prioritized by packet-loss will be redirected in seq-num order 2(R160) 1
(R150)."
7: date=2019-03-23 time=17:32:01 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553387520 logdesc="Virtual WAN Link status"
interface="R150" msg="The member1(R150) link quality packet-loss order changed from 1 to
2. "
8: date=2019-03-23 time=17:32:01 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553387520 logdesc="Virtual WAN Link status"
interface="R160" msg="The member2(R160) link quality packet-loss order changed from 2 to
1. "


SD-WAN member is used in service and it fails the health-check:

- When the SD-WAN member fails the health-check, it will stop forwarding traffic:

6: date=2019-04-11 time=13:33:21 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1555014801844089814 logdesc="Virtual WAN Link status"
interface="R160" msg="The member2(R160) link is unreachable or miss threshold. Stop
forwarding traffic. "

- When the SD-WAN member passes the health-check again, it will resume forwarding traffic:
2: date=2019-04-11 time=13:33:36 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1555014815914643626 logdesc="Virtual WAN Link status"
interface="R160" msg="The member2(R160) link is available. Start forwarding traffic. "

Load-balance mode service rule's SLA qualified member changes:

- When the load-balance mode service rule's SLA qualified member changes. In this example R150 changes to not meet the SLA:
2: date=2019-04-11 time=14:11:16 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1555017075926510687 logdesc="Virtual WAN Link status"
msg="Service1(rule2) will be load balanced among members  2(R160) with available
routing."
3: date=2019-04-11 time=14:11:16 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1555017075926508676 logdesc="Virtual WAN Link status"
interface="R150" msg="The member1(R150) SLA order changed from 1 to 2. "
4: date=2019-04-11 time=14:11:16 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1555017075926507182 logdesc="Virtual WAN Link status"
interface="R160" msg="The member2(R160) SLA order changed from 2 to 1. "

- When the load-balance mode service rule's SLA qualified member changes. In this example R150 changes to meet the SLA:
1: date=2019-04-11 time=14:33:23 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1555017075926510668 logdesc="Virtual WAN Link status"
msg="Service1(rule2) will be load balanced among members 1(R150) 2(R160) with available
routing."
2: date=2019-03-23 time=14:33:23 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553387603592651068 logdesc="Virtual WAN Link status"
interface="R160" msg="The member2(R160) link quality packet-loss order changed from 1 to
2. "
3: date=2019-03-23 time=14:33:23 logid="0100022923" type="event" subtype="system"
level="notice" vd="root" eventtime=1553387603592651068 logdesc="Virtual WAN Link status"
interface="R150" msg="The member1(R150) link quality packet-loss order changed from 2 to
1. "

SLA link status logs, generated with interval sla-fail-log-period or sla-pass-log-period:

- When the SLA fails, SLA link status logs will be generated at the sla-fail-log-period interval:
7: date=2019-03-23 time=17:45:54 logid="0100022925" type="event" subtype="system"
level="notice" vd="root" eventtime=1553388352 logdesc="Link monitor SLA information"
name="test" interface="R150" status="up" msg="Latency: 0.016, jitter: 0.002, packet
loss: 21.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map:
0x0"


- When the SLA passes, SLA link status logs will be generated at the sla-pass-log-period interval:
5: date=2019-03-23 time=17:46:05 logid="0100022925" type="event" subtype="system"
level="information" vd="root" eventtime=1553388363 logdesc="Link monitor SLA
information" name="test" interface="R150" status="up" msg="Latency: 0.017, jitter:
0.003, packet loss: 0.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth:
200Mbps, sla_map: 0x1"
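The log formats above are regular enough to be parsed by a SIEM rule or a script. The following is an added example (not code from the guide or from FortiOS) that splits the sample lines into fields, keys on the logid values documented above, replays each member's link and forwarding state, and reads the periodic SLA metrics; the sample lines are constructed from the entries above, and the reading of sla_map as a bitmask with one bit per SLA ID (0x1 = SLA 1 met) is an assumption.

```python
import re

# logid values the guide documents for SD-WAN events
LOGID_ROUTE_CHANGE = "0100022921"   # "Routing information changed": member up/down
LOGID_LINK_STATUS = "0100022923"    # "Virtual WAN Link status": SLA and member order changes
LOGID_VOLUME_STATUS = "0100022924"  # "Virtual WAN Link volume status"
LOGID_SLA_INFO = "0100022925"       # "Link monitor SLA information": periodic metrics

# key=value or key="quoted value"; quoted values may contain spaces
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# the msg string of a "Link monitor SLA information" log
_SLA_MSG_RE = re.compile(
    r"Latency: (?P<latency>[\d.]+), jitter: (?P<jitter>[\d.]+), "
    r"packet loss: (?P<loss>[\d.]+)%, inbandwidth: (?P<inbw>\d+)Mbps, "
    r"outbandwidth: (?P<outbw>\d+)Mbps, bibandwidth: (?P<bibw>\d+)Mbps, "
    r"sla_map: (?P<sla_map>0x[0-9a-fA-F]+)"
)


def parse_event(line):
    """Split one event log line into field -> value; drops the CLI's "34: " prefix."""
    line = re.sub(r"^\s*\d+:\s*", "", line.strip())
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def parse_sla_msg(msg):
    """Turn the SLA metrics message into numbers, or None if it is not one.

    sla_map is read as a bitmask with one bit per SLA ID (0x1 = SLA 1 met); that
    reading is an assumption that matches the guide's fail (0x0) and pass (0x1) samples.
    """
    m = _SLA_MSG_RE.search(msg)
    if not m:
        return None
    return {
        "latency": float(m["latency"]),
        "jitter": float(m["jitter"]),
        "packet_loss_pct": float(m["loss"]),
        "in_mbps": int(m["inbw"]),
        "out_mbps": int(m["outbw"]),
        "bi_mbps": int(m["bibw"]),
        "sla_map": int(m["sla_map"], 16),
    }


def summarize(lines):
    """Replay a batch of log lines into a per-interface view of SD-WAN member state."""
    state = {}  # interface -> {"link": "up"/"down", "forwarding": bool, "sla": metrics}

    def member(name):
        return state.setdefault(name, {"link": None, "forwarding": None, "sla": None})

    for raw in lines:
        ev = parse_event(raw)
        logid, iface, msg = ev.get("logid"), ev.get("interface"), ev.get("msg", "")
        if not iface:
            continue  # service-level messages carry no interface field
        if logid == LOGID_ROUTE_CHANGE:
            member(iface)["link"] = ev.get("status")  # health check marked it up/down
        elif logid == LOGID_LINK_STATUS:
            if "Stop forwarding traffic" in msg:
                member(iface)["forwarding"] = False
            elif "Start forwarding traffic" in msg:
                member(iface)["forwarding"] = True
        elif logid == LOGID_SLA_INFO:
            metrics = parse_sla_msg(msg)
            if metrics:
                member(iface)["sla"] = metrics  # keep only the latest sample
    return state


def members_failing_sla(state, sla_id=1):
    """Interfaces whose latest SLA sample does not have the bit for sla_id set."""
    bit = 1 << (sla_id - 1)
    return sorted(name for name, s in state.items()
                  if s["sla"] is not None and not s["sla"]["sla_map"] & bit)


# Constructed sample built from the log entries documented above.
SAMPLE_LOGS = [
    '34: date=2019-03-23 time=17:26:06 logid="0100022921" type="event" subtype="system" '
    'level="critical" vd="root" eventtime=1553387165 logdesc="Routing information changed" '
    'name="test" interface="R150" status="down" msg="Static route on interface R150 may be '
    'removed by health-check test. Route: (10.100.1.2->10.100.2.22 ping-down)"',
    '6: date=2019-04-11 time=13:33:21 logid="0100022923" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1555014801844089814 logdesc="Virtual WAN Link status" '
    'interface="R160" msg="The member2(R160) link is unreachable or miss threshold. Stop '
    'forwarding traffic. "',
    '7: date=2019-03-23 time=17:45:54 logid="0100022925" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1553388352 logdesc="Link monitor SLA information" '
    'name="test" interface="R150" status="up" msg="Latency: 0.016, jitter: 0.002, packet '
    'loss: 21.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0"',
    '2: date=2019-04-11 time=13:33:36 logid="0100022923" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1555014815914643626 logdesc="Virtual WAN Link status" '
    'interface="R160" msg="The member2(R160) link is available. Start forwarding traffic. "',
]
```

Running `summarize(SAMPLE_LOGS)` leaves R150 down and failing SLA 1 while R160 has returned to forwarding, which is the state a monitoring job would alert on.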

SD-WAN related diagnose commands

This topic lists the SD-WAN related diagnose commands and related output.

To check SD-WAN health-check status:

FGT # diagnose sys sdwan health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0

FGT # diagnose sys sdwan health-check
Health Check(ping):
Seq(1): state(alive), packet-loss(0.000%) latency(0.683), jitter(0.082) sla_map=0x0
Seq(2): state(dead), packet-loss(100.000%) sla_map=0x0

FGT # diagnose sys sdwan health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

To check SD-WAN member status:

- When the SD-WAN load-balance mode is source-ip-based/source-dest-ip-based:

FGT # diagnose sys sdwan member
Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight:
0
Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight:
0

- When the SD-WAN load-balance mode is weight-based:

FGT # diagnose sys sdwan member
Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight:
33
Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight:
66

- When the SD-WAN load-balance mode is measured-volume-based:
  - Both members are under volume and still have room:

FGT # diagnose sys sdwan member
Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 33
Config volume ratio: 33, last reading: 8211734579B, volume room 33MB
Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight: 66
Config volume ratio: 66, last reading: 24548159B, volume room 66MB

  - Some members are overloaded and some still have room:

FGT # diagnose sys sdwan member
Member(1): interface: port1, gateway: 10.10.0.2, priority: 0, weight: 0
Config volume ratio: 10, last reading: 10297221000B, overload volume 1433MB
Member(2): interface: port2, gateway: 10.11.0.2, priority: 0, weight: 38
Config volume ratio: 50, last reading: 45944239916B, volume room 38MB

- When the SD-WAN load-balance mode is usage-based/spillover:
  - When no spillover occurs:

FGT # diagnose sys virtual-wan-link member
Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 255
Egress-spillover-threshold: 400kbit/s, ingress-spillover-threshold: 300kbit/s
Egress-overbps=0, ingress-overbps=0
Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight: 254
Egress-spillover-threshold: 0kbit/s, ingress-spillover-threshold: 0kbit/s
Egress-overbps=0, ingress-overbps=0

  - When a member has reached its limit and spillover occurs:

FGT # diagnose sys sdwan member
Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 255
Egress-spillover-threshold: 400kbit/s, ingress-spillover-threshold: 300kbit/s
Egress-overbps=1, ingress-overbps=1
Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight: 254
Egress-spillover-threshold: 0kbit/s, ingress-spillover-threshold: 0kbit/s
Egress-overbps=0, ingress-overbps=0

  - You can also use the diagnose netlink dstmac list command to check if you are over the limit:

FGT # diagnose netlink dstmac list port13
dev=port13 mac=08:5b:0e:ca:94:9d rx_tcp_mss=0 tx_tcp_mss=0 egress_overspill_threshold=51200 egress_bytes=103710 egress_over_bps=1 ingress_overspill_threshold=38400 ingress_bytes=76816 ingress_over_bps=1 sampler_rate=0

To check SD-WAN service rules status:

- Manual mode service rules:

FGT # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(2), alive, selected
Dst address: 10.100.21.0-10.100.21.255

- Auto mode service rules:

FGT # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(auto), link-cost-factor(latency), link-cost-threshold(10), health-check(ping)
Members:
1: Seq_num(2), alive, latency: 0.011
2: Seq_num(1), alive, latency: 0.018, selected
Dst address: 10.100.21.0-10.100.21.255

- Priority mode service rules:

FGT # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), health-check(ping)
Members:
1: Seq_num(2), alive, latency: 0.011, selected
2: Seq_num(1), alive, latency: 0.017, selected
Dst address: 10.100.21.0-10.100.21.255

- Load-balance mode service rules:

FGT # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)
Members:
1: Seq_num(1), alive, sla(0x1), num of pass(1), selected
2: Seq_num(2), alive, sla(0x1), num of pass(1), selected
Dst address: 10.100.21.0-10.100.21.255

- SLA mode service rules:

FGT # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
Members:
1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected
Dst address: 10.100.21.0-10.100.21.255

To check interface logs from the past 15 minutes:

FGT (root) # diagnose sys sdwan intf-sla-log R150
Timestamp: Fri Apr 12 11:08:36 2019, used inbandwidth: 0bps, used outbandwidth: 0bps, used
bibandwidth: 0bps, tx bytes: 860bytes, rx bytes: 1794bytes.
Timestamp: Fri Apr 12 11:08:46 2019, used inbandwidth: 1761bps, used outbandwidth: 1710bps,
used bibandwidth: 3471bps, tx bytes: 2998bytes, rx bytes: 3996bytes.
Timestamp: Fri Apr 12 11:08:56 2019, used inbandwidth: 2452bps, used outbandwidth: 2566bps,
used bibandwidth: 5018bps, tx bytes: 7275bytes, rx bytes: 7926bytes.
Timestamp: Fri Apr 12 11:09:06 2019, used inbandwidth: 2470bps, used outbandwidth: 3473bps,
used bibandwidth: 5943bps, tx bytes: 13886bytes, rx bytes: 11059bytes.
Timestamp: Fri Apr 12 11:09:16 2019, used inbandwidth: 2433bps, used outbandwidth: 3417bps,
used bibandwidth: 5850bps, tx bytes: 17946bytes, rx bytes: 13960bytes.
Timestamp: Fri Apr 12 11:09:26 2019, used inbandwidth: 2450bps, used outbandwidth: 3457bps,
used bibandwidth: 5907bps, tx bytes: 22468bytes, rx bytes: 17107bytes.

To check SLA logs in the past 10 minutes:

FGT (root) # diagnose sys sdwan sla-log ping 1
Timestamp: Fri Apr 12 11:09:27 2019, vdom root, health-check ping, interface: R150, status:
up, latency: 0.014, jitter: 0.003, packet loss: 16.000%.
Timestamp: Fri Apr 12 11:09:28 2019, vdom root, health-check ping, interface: R150, status:
up, latency: 0.015, jitter: 0.003, packet loss: 15.000%.
Timestamp: Fri Apr 12 11:09:28 2019, vdom root, health-check ping, interface: R150, status:
up, latency: 0.014, jitter: 0.003, packet loss: 14.000%.
Timestamp: Fri Apr 12 11:09:29 2019, vdom root, health-check ping, interface: R150, status:
up, latency: 0.015, jitter: 0.003, packet loss: 13.000%.

To check Application Control used in SD-WAN and the matching IP addresses:

FGT # diagnose sys sdwan internet-service-app-ctrl-list
Ctrl application(Microsoft.Authentication 41475):Internet Service ID(4294836224)
Protocol(6), Port(443)
Address(2): 104.42.72.21 131.253.61.96
Ctrl application(Microsoft.CDN 41470):Internet Service ID(4294836225)
Ctrl application(Microsoft.Lync 28554):Internet Service ID(4294836226)
Ctrl application(Microsoft.Office.365 33182):Internet Service ID(4294836227)
Ctrl application(Microsoft.Office.365.Portal 41468):Internet Service ID(4294836228)
Ctrl application(Microsoft.Office.Online 16177):Internet Service ID(4294836229)
Ctrl application(Microsoft.OneNote 40175):Internet Service ID(4294836230)
Ctrl application(Microsoft.Portal 41469):Internet Service ID(4294836231)
Protocol(6), Port(443)
Address(8): 23.58.134.172 131.253.33.200 23.58.135.29 204.79.197.200 64.4.54.254
23.59.156.241 13.77.170.218 13.107.22.200
Ctrl application(Microsoft.Sharepoint 16190):Internet Service ID(4294836232)
Ctrl application(Microsoft.Sway 41516):Internet Service ID(4294836233)
Ctrl application(Microsoft.Tenant.Namespace 41471):Internet Service ID(4294836234)

To check IPsec aggregate interface when SD-WAN uses the per-packet distribution feature:

# diagnose sys ipsec-aggregate list
agg1 algo=L3 member=2 run_tally=2
members:
vd1-p1
vd1-p2

To check BGP learned routes and determine if they are used in SD-WAN service:

FGT # get router info bgp network

FGT # get router info bgp network 10.100.11.0
BGP routing table entry for 10.100.10.0/24
Paths: (2 available, best 1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
172.10.22.2
20
10.100.20.2 from 10.100.20.2 (6.6.6.6)
Origin EGP metric 200, localpref 100, weight 10000, valid, external, best
Community: 30:5
Last update: Wen Mar 20 18:45:17 2019
FGT # get router info route-map-address
Extend-tag: 15, interface(wan2:16)
10.100.11.0/255.255.255.0

FGT # diagnose firewall proute list
list route policy info(vf=root):

id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0
sport=0:65535 iif=0 dport=1-65535 oif=16
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 10.100.11.0/255.255.255.0

SD-WAN bandwidth monitoring service

The bandwidth measuring tool is used to detect true upload and download speeds. Bandwidth tests can be run on demand or automated using a script to measure upload and download speeds of up to 1 Gbps of throughput. This can be useful when configuring SD-WAN SLAs and rules to balance SD-WAN traffic.
The speed test tool requires a valid SD-WAN Bandwidth Monitoring Service license.
The speed test tool is compatible with iperf3.6 with SSL support. It can test the upload bandwidth to the FortiGate Cloud speed test service. It can initiate the server connection and send download requests to the server. The tool can be run up to 10 times a day.
The FortiGate downloads the speed test server list, which expires after 24 hours. One of the speed test servers is selected based on user input. The speed test runs, testing upload and download speeds, and the results are shown in the command terminal.

To download the speed test server list:

# execute speed-test-server download
Download completed.

To check the speed test server list:

# execute speed-test-server list
AWS_West valid
Host: 34.210.67.183 5204 fortinet
Host: 34.210.67.183 5205 fortinet
Host: 34.210.67.183 5206 fortinet
Host: 34.210.67.183 5207 fortinet
Google_West valid
Host: 35.197.55.210 5204 fortinet
Host: 35.197.55.210 5205 fortinet
Host: 35.197.55.210 5206 fortinet
Host: 35.197.55.210 5207 fortinet
Host: 35.230.2.124 5204 fortinet
Host: 35.230.2.124 5205 fortinet
Host: 35.230.2.124 5206 fortinet
Host: 35.230.2.124 5207 fortinet
Host: 35.197.18.234 5204 fortinet
Host: 35.197.18.234 5205 fortinet
Host: 35.197.18.234 5206 fortinet
Host: 35.197.18.234 5207 fortinet

To run the speed test:

You can run the speed test without specifying a server. The system will automatically choose one server from the list and
run the speed test.
# execute speed-test auto
The license is valid to run speed test.
Speed test quota for 2/1 is 9

current vdom=root
Run in uploading mode.
Connecting to host 35.230.2.124, port 5206
[ 16] local 172.16.78.185 port 2475 connected to 35.230.2.124 port 5206
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 16] 0.00-1.01 sec 11.0 MBytes 91.4 Mbits/sec 0 486 KBytes
[ 16] 1.01-2.00 sec 11.6 MBytes 98.4 Mbits/sec 0 790 KBytes
[ 16] 2.00-3.01 sec 11.0 MBytes 91.6 Mbits/sec 15 543 KBytes
[ 16] 3.01-4.01 sec 11.2 MBytes 94.2 Mbits/sec 1 421 KBytes
[ 16] 4.01-5.01 sec 11.2 MBytes 93.5 Mbits/sec 0 461 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 16] 0.00-5.01 sec 56.1 MBytes 93.8 Mbits/sec 16 sender
[ 16] 0.00-5.06 sec 55.8 MBytes 92.6 Mbits/sec receiver

speed test Done.

Run in reverse downloading mode!
Connecting to host 35.230.2.124, port 5206
Reverse mode, remote host 35.230.2.124 is sending
[ 16] local 172.16.78.185 port 2477 connected to 35.230.2.124 port 5206
[ ID] Interval Transfer Bitrate
[ 16] 0.00-1.00 sec 10.9 MBytes 91.4 Mbits/sec
[ 16] 1.00-2.00 sec 11.2 MBytes 93.9 Mbits/sec
[ 16] 2.00-3.00 sec 11.2 MBytes 94.0 Mbits/sec
[ 16] 3.00-4.00 sec 11.2 MBytes 93.9 Mbits/sec
[ 16] 4.00-5.00 sec 10.9 MBytes 91.1 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 16] 0.00-5.03 sec 57.5 MBytes 95.9 Mbits/sec 40 sender
[ 16] 0.00-5.00 sec 55.4 MBytes 92.9 Mbits/sec receiver

speed test Done

To run the speed test on a server farm or data center:

# execute speed-test auto AWS_West
The license is valid to run speed test.
Speed test quota for 2/1 is 8
current vdom=root
Run in uploading mode.
Connecting to host 34.210.67.183, port 5205

To run the speed test on a local interface when there are multiple valid routes:

# execute speed-test port1 Google_West
The license is valid to run speed test.
Speed test quota for 2/1 is 6
bind to local ip 172.16.78.202
current vdom=root
Specified interface port1 does not comply with default outgoing interface port2 in routing
table!
Force to use the specified interface!
Run in uploading mode.
Connecting to host 35.197.18.234, port 5205
[ 11] local 172.16.78.202 port 20852 connected to 35.197.18.234 port 5205
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 11] 0.00-1.01 sec 10.7 MBytes 89.0 Mbits/sec 0 392 KBytes
[ 11] 1.01-2.01 sec 10.5 MBytes 88.5 Mbits/sec 1 379 KBytes
[ 11] 2.01-3.01 sec 11.3 MBytes 94.5 Mbits/sec 0 437 KBytes
[ 11] 3.01-4.01 sec 11.2 MBytes 94.3 Mbits/sec 0 478 KBytes
[ 11] 4.01-5.00 sec 11.3 MBytes 95.2 Mbits/sec 0 503 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 11] 0.00-5.00 sec 55.1 MBytes 92.3 Mbits/sec 1 sender
[ 11] 0.00-5.04 sec 54.5 MBytes 90.7 Mbits/sec receiver

speed test Done.

Run in reverse downloading mode!
Connecting to host 35.197.18.234, port 5205
Reverse mode, remote host 35.197.18.234 is sending
[ 11] local 172.16.78.202 port 20853 connected to 35.197.18.234 port 5205
[ ID] Interval Transfer Bitrate
[ 11] 0.00-1.00 sec 10.9 MBytes 91.1 Mbits/sec
[ 11] 1.00-2.00 sec 11.2 MBytes 94.0 Mbits/sec
[ 11] 2.00-3.00 sec 11.2 MBytes 94.0 Mbits/sec
[ 11] 3.00-4.00 sec 11.2 MBytes 94.0 Mbits/sec
[ 11] 4.00-5.00 sec 11.2 MBytes 94.0 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 11] 0.00-5.03 sec 57.4 MBytes 95.8 Mbits/sec 33 sender
[ 11] 0.00-5.00 sec 55.7 MBytes 93.4 Mbits/sec receiver

speed test Done.

To add a script to run a speed test automatically once every 24 hours:

config system auto-script
    edit "speedtest"
        set interval 86400
        set repeat 0
        set start auto
        set script "
execute speed-test-server download
execute speed-test"
    next
end

To view the results of the speed test script:

execute auto-script result speedtest

Using SNMP to monitor health check

You can monitor SD-WAN health check related statistics using SNMP. The MIB file can be downloaded by going to
System > SNMP and clicking Download FortiGate MIB File.
The following OIDs can be monitored:


Name OID Description

fgVWLHealthCheckLinkNumber .1.3.6.1.4.1.12356.101.4.9.1 The number of health check links in fgVWLHealthCheckLinkTable.

fgVWLHealthCheckLinkTable .1.3.6.1.4.1.12356.101.4.9.2 SD-WAN health check statistics table. This table has a dependent expansion relationship with fgVdTable. Only health checks with a configured member link are present in this table.

fgVWLHealthCheckLinkTableEntry .1.3.6.1.4.1.12356.101.4.9.2.1 SD-WAN health check statistics on a virtual domain.

fgVWLHealthCheckLinkID .1.3.6.1.4.1.12356.101.4.9.2.1.1 SD-WAN health check link ID. Only health checks with a configured member link are present in this table. Virtual-wan-link health check link IDs are only unique within a virtual domain.

fgVWLHealthCheckLinkName .1.3.6.1.4.1.12356.101.4.9.2.1.2 Health check name.

fgVWLHealthCheckLinkSeq .1.3.6.1.4.1.12356.101.4.9.2.1.3 SD-WAN member link sequence.

fgVWLHealthCheckLinkState .1.3.6.1.4.1.12356.101.4.9.2.1.4 Health check state on a specific member link.

fgVWLHealthCheckLinkLatency .1.3.6.1.4.1.12356.101.4.9.2.1.5 The average latency of a health check on a specific member link within the last 30 probes, as a float.

fgVWLHealthCheckLinkJitter .1.3.6.1.4.1.12356.101.4.9.2.1.6 The average jitter of a health check on a specific member link within the last 30 probes, as a float.

fgVWLHealthCheckLinkPacketSend .1.3.6.1.4.1.12356.101.4.9.2.1.7 The total number of packets sent by a health check on a specific member link.

fgVWLHealthCheckLinkPacketRecv .1.3.6.1.4.1.12356.101.4.9.2.1.8 The total number of packets received by a health check on a specific member link.

fgVWLHealthCheckLinkPacketLoss .1.3.6.1.4.1.12356.101.4.9.2.1.9 The packet loss percentage of a health check on a specific member link within the last 30 probes, as a float.

fgVWLHealthCheckLinkVdom .1.3.6.1.4.1.12356.101.4.9.2.1.10 The VDOM that the link monitor entry exists in. This name corresponds to the fgVdEntName used in fgVdTable.

fgVWLHealthCheckLinkBandwidthIn .1.3.6.1.4.1.12356.101.4.9.2.1.11 The available bandwidth of incoming traffic detected by a health check on a specific member link, in Mbps.

fgVWLHealthCheckLinkBandwidthOut .1.3.6.1.4.1.12356.101.4.9.2.1.12 The available bandwidth of outgoing traffic detected by a health check on a specific member link, in Mbps.

fgVWLHealthCheckLinkBandwidthBi .1.3.6.1.4.1.12356.101.4.9.2.1.13 The available bandwidth of bi-directional traffic detected by a health check on a specific member link, in Mbps.

fgVWLHealthCheckLinkIfName .1.3.6.1.4.1.12356.101.4.9.2.1.14 SD-WAN member interface name.

Example

This example shows an SD-WAN health check configuration and its collected statistics.

To configure the SD-WAN health check:

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"
            set gateway 192.168.2.1
        next
        edit 2
            set interface "MPLS"
            set zone "SD-Zone2"
            set cost 20
        next
        edit 3
            set interface "port2"
        next
    end
    config health-check
        edit "pingserver"
            set server "8.8.8.8"
            set sla-fail-log-period 10
            set sla-pass-log-period 20
            set members 2 1 3
            config sla
                edit 1
                    set link-cost-factor jitter packet-loss
                    set packetloss-threshold 2
                next
            end
        next
    end
end

The collected statistics, with one column per health check link ID (1, 2, 3):

Name OID Values

fgVWLHealthCheckLinkID .1.3.6.1.4.1.12356.101.4.9.2.1.1 1 2 3
fgVWLHealthCheckLinkName .1.3.6.1.4.1.12356.101.4.9.2.1.2 pingserver pingserver pingserver
fgVWLHealthCheckLinkSeq .1.3.6.1.4.1.12356.101.4.9.2.1.3 2 1 3
fgVWLHealthCheckLinkState .1.3.6.1.4.1.12356.101.4.9.2.1.4 0 0 0
fgVWLHealthCheckLinkLatency .1.3.6.1.4.1.12356.101.4.9.2.1.5 39.302 43.124 44.348
fgVWLHealthCheckLinkJitter .1.3.6.1.4.1.12356.101.4.9.2.1.6 4.346 3.951 5.05
fgVWLHealthCheckLinkPacketSend .1.3.6.1.4.1.12356.101.4.9.2.1.7 3657689 3657689 3657689
fgVWLHealthCheckLinkPacketRecv .1.3.6.1.4.1.12356.101.4.9.2.1.8 3196258 3220258 3219466
fgVWLHealthCheckLinkPacketLoss .1.3.6.1.4.1.12356.101.4.9.2.1.9 0 0 0
fgVWLHealthCheckLinkVdom .1.3.6.1.4.1.12356.101.4.9.2.1.10 root root root
fgVWLHealthCheckLinkBandwidthIn .1.3.6.1.4.1.12356.101.4.9.2.1.11 9999963 9999937 9999999
fgVWLHealthCheckLinkBandwidthOut .1.3.6.1.4.1.12356.101.4.9.2.1.12 9999981 9999953 9999998
fgVWLHealthCheckLinkBandwidthBi .1.3.6.1.4.1.12356.101.4.9.2.1.13 19999944 19999890 19999997
fgVWLHealthCheckLinkIfName .1.3.6.1.4.1.12356.101.4.9.2.1.14 MPLS port1 port2
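A poller that walks fgVWLHealthCheckLinkTable has to reassemble the per-column values into one record per member before it can apply SLA thresholds. The following is an added example (not code from the guide, FortiOS or the MIB) that groups walk results by instance, resolves the column names from the OID table above, and applies the packetloss-threshold from the example; the walk data is constructed from the statistics above, and both the instance suffixes ("1.1", "1.2", "1.3") and the jitter threshold of 5 are assumptions.

```python
# OID of fgVWLHealthCheckLinkTableEntry; the column index and instance suffix follow it
ENTRY_OID = ".1.3.6.1.4.1.12356.101.4.9.2.1."

# column index -> object name (fgVWLHealthCheckLink prefix dropped), from the OID table above
COLUMNS = {
    1: "ID", 2: "Name", 3: "Seq", 4: "State", 5: "Latency", 6: "Jitter",
    7: "PacketSend", 8: "PacketRecv", 9: "PacketLoss", 10: "Vdom",
    11: "BandwidthIn", 12: "BandwidthOut", 13: "BandwidthBi", 14: "IfName",
}
FLOAT_COLUMNS = {"Latency", "Jitter", "PacketLoss"}
STRING_COLUMNS = {"Name", "Vdom", "IfName"}


def coerce(column, value):
    """Convert a textual walk value into the type the MIB description implies."""
    if column in STRING_COLUMNS:
        return str(value)
    if column in FLOAT_COLUMNS:
        return float(value)
    return int(value)


def rows_from_walk(pairs):
    """Group (oid, value) pairs from a walk of the entry OID into one record per instance.

    The instance suffix after the column index is kept as an opaque key, so the
    code does not depend on how the table is indexed.
    """
    rows = {}
    for oid, value in pairs:
        if not oid.startswith(ENTRY_OID):
            continue
        column, _, instance = oid[len(ENTRY_OID):].partition(".")
        name = COLUMNS.get(int(column))
        if name is None or not instance:
            continue
        rows.setdefault(instance, {})[name] = coerce(name, value)
    return rows


def lifetime_loss_pct(row):
    """Loss over the cumulative counters; PacketLoss itself covers only the last 30 probes."""
    sent, received = row["PacketSend"], row["PacketRecv"]
    return 0.0 if sent == 0 else 100.0 * (sent - received) / sent


def check_sla(row, packetloss_threshold=None, jitter_threshold=None, latency_threshold=None):
    """Return the link-cost-factors the member currently violates (empty list = SLA met)."""
    failed = []
    if latency_threshold is not None and row["Latency"] > latency_threshold:
        failed.append("latency")
    if jitter_threshold is not None and row["Jitter"] > jitter_threshold:
        failed.append("jitter")
    if packetloss_threshold is not None and row["PacketLoss"] > packetloss_threshold:
        failed.append("packet-loss")
    return failed


# Constructed walk output built from the statistics above. The instance suffixes
# "1.1", "1.2", "1.3" are an assumption about the table index, not taken from the guide.
_VALUES = {
    "1.1": ["1", "pingserver", "2", "0", "39.302", "4.346", "3657689", "3196258", "0",
            "root", "9999963", "9999981", "19999944", "MPLS"],
    "1.2": ["2", "pingserver", "1", "0", "43.124", "3.951", "3657689", "3220258", "0",
            "root", "9999937", "9999953", "19999890", "port1"],
    "1.3": ["3", "pingserver", "3", "0", "44.348", "5.05", "3657689", "3219466", "0",
            "root", "9999999", "9999998", "19999997", "port2"],
}
SAMPLE_WALK = [(f"{ENTRY_OID}{col}.{inst}", val)
               for inst, vals in _VALUES.items()
               for col, val in enumerate(vals, start=1)]

if __name__ == "__main__":
    for row in rows_from_walk(SAMPLE_WALK).values():
        # packetloss-threshold 2 is the example's setting; the jitter threshold of 5
        # is an assumed value for this demo, not read from the guide
        print(row["IfName"], "fails:", check_sla(row, packetloss_threshold=2, jitter_threshold=5),
              "lifetime loss: %.2f%%" % lifetime_loss_pct(row))
```

Note that the cumulative counters give a lifetime loss of roughly 12% on all three links while fgVWLHealthCheckLinkPacketLoss reports 0, because the latter covers only the last 30 probes; alert on the windowed value, and treat the counters as a long-term trend.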

System

This topic contains information about FortiGate administration and system configuration that you can do after installing
the FortiGate in your network.

Basic system settings

Administrators

By default, FortiGate has an administrator account with the username admin and no password. See Administrators on
page 881 for more information.

Administrator profiles

An administrator profile defines what the administrator can see and do on the FortiGate. See Administrator profiles on
page 881 for more information.

Password policy

Set up a password policy to enforce password criteria and change frequency. See Password policy on page 887 for
more information.

Interfaces

Physical and virtual interfaces allow traffic to flow between internal networks, and between the internet and internal networks. See Interfaces on page 402 for more information.

Advanced system settings

SNMP

The simple network management protocol (SNMP) allows you to monitor hardware on your network. See SNMP on page
1030 for more information.

DHCP server

You can configure one or more DHCP servers on any FortiGate interface. See DHCP servers and relays on page 525 for
more information.


VDOM

You can use virtual domains (VDOMs) to divide a FortiGate into multiple virtual devices that function independently. See
Virtual Domains on page 917 for more information.

High availability

You can configure multiple FortiGate devices, including private and public cloud VMs, in HA mode. See High Availability
on page 942 for more information.

Certificates

You can manage certificates on the FortiGate. See Certificates on page 1065 for more information.

Operating modes

A FortiGate or VDOM (in multi-vdom mode) can operate in either NAT/route mode or transparent mode.

NAT/route mode

The FortiGate or VDOM is installed as a gateway or router between multiple networks, such as a private network and the
internet. One function of NAT/route mode is to allow the FortiGate to hide the IP addresses on the private network using
NAT. NAT/route mode can also be used to connect to multiple ISPs in an SD-WAN setup, and to route traffic between
different networks.
By default, new VDOMs are set to NAT/route operation mode.
See NAT mode on page 926 for more information.

Transparent mode

The FortiGate or VDOM operates in layer 2 to forward traffic between network devices such as routers, firewalls, and
switches. For example, it can be installed inline between a router and a switch to perform security scanning without
changing the network topology or modifying the IP addresses. When you add a FortiGate that is in transparent mode to a
network, it only needs to be provided with a management IP address in order to access the device. It is recommended
that a dedicated interface is used to connect to the management network in transparent mode.
The following topology is an example of a transparent mode FortiGate inserted inline between a router and a switch:


Using transparent mode VDOMs is recommended when multiple VLANs pass through the
FortiGate. Otherwise, they must be separated into different forwarding domains within the
same VDOM.

See NAT and transparent mode on page 935 for more information.

Changing modes

The following is a sample configuration for changing from NAT/route operation mode to transparent operation mode in
the CLI:
config system settings
set opmode transparent
set manageip <IP_address>
set gateway <gateway_address>
end

The gateway setting is optional. However, once the operation mode is changed from
NAT/route to transparent, the gateway configuration is found under the static router settings:
config router static
edit <seq-num>
set gateway <IP_address>
next
end

The following is a sample configuration for changing from transparent operation to NAT/route operation mode in the CLI:
config system settings
set opmode nat
set ip <IP_address>
set device <interface>
set gateway <gateway_address>
end


The IP and device settings are mandatory. Once the operation mode is changed from
transparent to NAT/route, the IP address configuration is found under the corresponding
interface settings:
config system interface
edit <interface>
set ip <IP_address>
next
end

The gateway setting is optional. However, once the operation mode is changed, the gateway
configuration is found under the static router settings:
config router static
edit <seq-num>
set gateway <IP_address>
set device <interface>
next
end

Administrators

By default, FortiGate has an administrator account with the username admin and no password. To prevent unauthorized
access to the FortiGate, this account must be protected with a password. Additional administrators can be added for
various functions, each with a unique username, password, and set of access privileges.
The following topics provide information about administrators:
l Administrator profiles on page 881
l Add a local administrator on page 884
l Remote authentication for administrators on page 885
l Password policy on page 887
l Admin profile option for diagnose access on page 888
l REST API administrator on page 890
l SSO administrators on page 891

Administrator profiles

Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an
administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending
on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or
as little as is required.
By default, the FortiGate has an admin administrator account that uses the super_admin profile.


super_admin profile

This profile has access to all components of FortiOS, including the ability to add and remove other system
administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin
access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile cannot
be deleted or modified.

Lower level administrator profiles cannot back up or restore the FortiOS configuration.

The super_admin profile is used by the default admin account. It is recommended that you add a password and rename
this account once you have set up your FortiGate. In order to rename the default account, a second admin account is
required.

Creating customized profiles

To create a profile in the GUI:

1. Go to System > Admin Profiles and click Create New.
2. Configure the following settings:
l Name.
l Access permissions.
l Override idle timeout.
3. Click OK.

To create a profile in the CLI:

config system accprofile
edit <name>
set secfabgrp {none | read | read-write}
set ftviewgrp {none | read | read-write}
set authgrp {none | read | read-write}
set sysgrp {none | read | read-write | custom}
set netgrp {none | read | read-write | custom}
set loggrp {none | read | read-write | custom}
set fwgrp {none | read | read-write | custom}
set vpngrp {none | read | read-write}
set utmgrp {none | read | read-write | custom}
set wanoptgrp {none | read | read-write}
set wifi {none | read | read-write}
next
end

Displaying execute commands for custom system permissions

A custom access profile can have customized system permissions. In this example, a profile is created for maintenance
read access, and the profile is applied to a new system administrator account. Once the administrator logs in, they can
view the available execute commands by entering execute ? in the CLI.


To create the profile:

1. Configure the access profile:


config system accprofile
edit "mnt test"
set sysgrp custom
config sysgrp-permission
set mnt read
end
next
end

2. Configure the system administrator account:


config system admin
edit "mnt"
set accprofile "mnt test"
set vdom "root"
set password ********
next
end

To display the list of the execute commands:

$ execute ?
backup backup
fctems fctems
ping PING command.
ping-options ping-options
ping6 PINGv6 command. [Take 0-100 arg(s)]
ping6-options ping6-options
telnet-options telnet-options
traceroute Traceroute {IP|hostname}.
traceroute-options traceroute-options
tracert6 Traceroute for IPv6. [Take 0-32 arg(s)]
usb-device usb-device
usb-disk usb-disk
vm-license-options VM license options.

The output will vary based on the FortiGate model. A FortiGate VM is used in this example. For
more information about using the CLI, see CLI basics on page 29.

Editing profiles

To edit a profile in the GUI:

1. Go to System > Admin Profiles.


2. Select the profile to be edited and click Edit.
3. Click OK to save any changes.


To edit a profile in the CLI:

config system accprofile
edit "sample"
set secfabgrp read
next
end

Deleting profiles

To delete a profile in the GUI:

1. Go to System > Admin Profiles.


2. Select the profile to be deleted and click Delete.
3. Click OK.

To delete a profile in the CLI:

config system accprofile
delete "sample"
end

Add a local administrator

By default, FortiGate has one super admin named admin. You can create more administrator accounts with different
privileges.

To create an administrator account in the GUI:

1. Go to System > Administrators.
2. Select Create New > Administrator.
3. Specify the Username.

Do not use the characters < > ( ) # " ' in the administrator username.
These characters in an administrator username can lead to a cross-site
scripting (XSS) vulnerability.

4. Set Type to Local User.
5. Set the password and other fields.
6. Click OK.

To create an administrator account in the CLI:

config system admin
edit <admin_name>
set accprofile <profile_name>
set vdom <vdom_name>
set password <password for this admin>
next
end


Remote authentication for administrators

Administrators can use remote authentication, such as LDAP, to connect to the FortiGate.
Setting up remote authentication for administrators includes the following steps:
1. Configuring the LDAP server on page 885
2. Adding the LDAP server to a user group on page 885
3. Configuring the administrator account on page 886

Configuring the LDAP server

To configure the LDAP server in the GUI:

1. Go to User & Authentication > LDAP Servers and click Create New.
2. Enter the server Name and Server IP/Name.
3. Enter the Common Name Identifier and Distinguished Name.
4. Set the Bind Type to Regular and enter the Username and Password.
5. Click OK.

To configure the LDAP server in the CLI:

config user ldap
edit <name>
set server <server_ip>
set cnid "cn"
set dn "dc=XYZ,dc=fortinet,dc=COM"
set type regular
set username "cn=Administrator,dc=XYZ,dc=fortinet,dc=COM"
set password <password>
next
end

Adding the LDAP server to a user group

After configuring the LDAP server, create a user group that includes that LDAP server.

To create a user group in the GUI:

1. Go to User & Authentication > User Groups and click Create New.
2. Enter a Name for the group.
3. In the Remote groups section, select Create New.
4. Select the Remote Server from the dropdown list.
5. Click OK.

To create a user group in the CLI:

config user group
edit <name>
set member <ldap_server_name>
next
end

Configuring the administrator account

After configuring the LDAP server and adding it to a user group, create a new administrator. For this administrator,
instead of entering a password, use the new user group for authentication.

To create an administrator in the GUI:

1. Go to System > Administrators and click Create New > Administrator.
2. Specify the Username.
3. Set Type to Match all users in a remote server group.
4. In Remote User Group, select the user group you created.
5. Select an Administrator Profile.
6. Click OK.

To create an administrator in the CLI:

config system admin
edit <name>
set remote-auth enable
set accprofile super_admin
set wildcard enable
set remote-group <ldap_group_name>
next
end

The Match all users in a remote server group option acts as a wildcard for matching any users
against the remote server group. The Match a user on a remote server group option only
matches the username defined to match against the remote server group, which is the
equivalent of using set wildcard disable. Because a wildcard administrator grants its profile
to every member of the remote group (super_admin in the example above), keep that group's
membership tightly controlled and assign the least-privileged profile that the job requires.

Other methods of administrator authentication

Administrator accounts can use different methods for authentication, including RADIUS, TACACS+, and PKI.

RADIUS authentication for administrators

To use a RADIUS server to authenticate administrators, you must:

1. Configure the FortiGate to access the RADIUS server.
2. Create the RADIUS user group.
3. Configure an administrator to authenticate with a RADIUS server.

TACACS+ authentication for administrators

To use a TACACS+ server to authenticate administrators, you must:

1. Configure the FortiGate to access the TACACS+ server.
2. Create a TACACS+ user group.
3. Configure an administrator to authenticate with a TACACS+ server.

PKI certificate authentication for administrators

To use PKI authentication for an administrator, you must:

1. Configure a PKI user.
2. Create a PKI user group.
3. Configure an administrator to authenticate with a PKI certificate.

Restricting logins from local administrator accounts when remote servers are available

There is an optional, global setting that restricts logins from local administrator accounts while remote
authentication servers are reachable. It is disabled by default. When it is enabled, local administrator accounts
can only log in if all configured remote authentication servers are down.

To restrict local administrator authentication when a remote authentication server is running:

config system global
set admin-restrict-local enable
end

Password policy

Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a
letter is replaced by a number. For example, if p4ssw0rd is used as a password, it can be cracked.
Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password,
consider the following to ensure better security:
l Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words
or phrases.
l Do not rely on replacing letters with numbers, for example passw0rd; as noted above, password crackers test these
substitutions.
l Administrator passwords can be up to 64 characters.
l Include a mixture of numbers, symbols, and upper and lower case letters.
l Use multiple words together, or possibly even a sentence, for example: correcthorsebatterystaple.
l Use a password generator.
l Change the password regularly and always make the new password unique and not a variation of the existing
password; for example, do not change from password to password1.
l Make note of the password and store it in a safe place away from the management computer, in case you forget it;
or ensure at least two people know the password in the event one person becomes unavailable. Alternatively, have
two different admin logins.
FortiGate allows you to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can
enforce regular changes and specific criteria for a password policy, including:
l Minimum length between 8 and 64 characters.
l If the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.


l If the password must contain numbers (1, 2, 3).
l If the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
l Where the password applies (admin or IPsec or both).
l How long a password is valid before it must be changed.
If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into
the FortiGate, the administrator is prompted to update the password to meet the new requirements before proceeding to
log in.
For information about setting passwords, see Default administrator password on page 900.

To create a system password policy in the GUI:

1. Go to System > Settings.
2. In the Password Policy section, change the Password scope to Admin, IPsec, or Both.
3. Configure the password policy options.
4. Click Apply.

To create a system password policy in the CLI:

config system password-policy
set status {enable | disable}
set apply-to {admin-password | ipsec-preshared-key}
set minimum-length <8-128>
set min-lower-case-letter <0-128>
set min-upper-case-letter <0-128>
set min-non-alphanumeric <0-128>
set min-number <0-128>
set change-4-characters {enable | disable}
set expire-status {enable | disable}
set expire-day <1-999>
set reuse-password {enable | disable}
end
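The following is an added example, not FortiOS code or Fortinet tooling. It models the criteria that config system password-policy exposes as a small Python checker, so a candidate administrator password can be tested against a policy offline. Two semantics are assumed because the page does not spell them out: change-4-characters is taken to mean the new password must differ from the current one in at least four character positions, and reuse-password disable is taken to mean the new password must not match any password in the supplied history.

```python
"""Added example for the password-policy section (not FortiOS code): evaluate a
candidate administrator password against the criteria that
`config system password-policy` exposes, so the rules can be tested offline.

Assumed semantics, since the page does not spell them out:
  - change-4-characters: the new password must differ from the current one in
    at least four character positions;
  - reuse-password disable: the new password must not match any password in
    the supplied history.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirror of the CLI attributes shown on the page (defaults are permissive)."""
    minimum_length: int = 8            # set minimum-length <8-128>
    min_lower_case_letter: int = 0     # set min-lower-case-letter <0-128>
    min_upper_case_letter: int = 0     # set min-upper-case-letter <0-128>
    min_non_alphanumeric: int = 0      # set min-non-alphanumeric <0-128>
    min_number: int = 0                # set min-number <0-128>
    change_4_characters: bool = False  # set change-4-characters {enable | disable}
    reuse_password: bool = True        # set reuse-password {enable | disable}


# A policy of the kind the page recommends: long, mixed character classes,
# no reuse, and a real change from the previous password.
STRICT = PasswordPolicy(
    minimum_length=12,
    min_lower_case_letter=1,
    min_upper_case_letter=1,
    min_non_alphanumeric=1,
    min_number=1,
    change_4_characters=True,
    reuse_password=False,
)


def differing_positions(new: str, old: str) -> int:
    """Count character positions where `new` and `old` differ; any length
    difference counts as that many extra differing positions."""
    diffs = sum(1 for a, b in zip(new, old) if a != b)
    return diffs + abs(len(new) - len(old))


def check_password(policy: PasswordPolicy, candidate: str,
                   previous: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations for `candidate` (empty = accepted).

    `previous[0]` is the current password, used for change-4-characters; the
    whole sequence is the history consulted when reuse is disabled.
    """
    problems: List[str] = []
    if len(candidate) < policy.minimum_length:
        problems.append(
            f"minimum-length {policy.minimum_length}: password has {len(candidate)} characters")

    # (required, found) per character class, named after the CLI attribute.
    counts = {
        "min-lower-case-letter": (policy.min_lower_case_letter, sum(c.islower() for c in candidate)),
        "min-upper-case-letter": (policy.min_upper_case_letter, sum(c.isupper() for c in candidate)),
        "min-number": (policy.min_number, sum(c.isdigit() for c in candidate)),
        "min-non-alphanumeric": (policy.min_non_alphanumeric, sum(not c.isalnum() for c in candidate)),
    }
    for name, (required, found) in counts.items():
        if found < required:
            problems.append(f"{name} {required}: password has {found}")

    if previous:
        if policy.change_4_characters and differing_positions(candidate, previous[0]) < 4:
            problems.append("change-4-characters: fewer than 4 positions differ from the current password")
        if not policy.reuse_password and candidate in previous:
            problems.append("reuse-password disable: password was used before")
    return problems
```

With the default policy (only minimum-length 8 in force) the page's own example p4ssw0rd is accepted, which is the point the section opens with: the policy enforces shape, not strength, so pair it with the passphrase and password-generator advice above.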

Admin profile option for diagnose access

The system-diagnostics command in an administrator profile can be used to control access to diagnose commands
for global and VDOM level administrators.

To block an administrator's access to diagnose commands:

1. Create an admin profile that cannot access diagnose commands:

config system accprofile
edit "nodiagnose"
...
set system-diagnostics disable
next
end


2. Apply the profile to an administrator:

config system admin
edit "nodiag"
set accprofile "nodiagnose"
set vdom "root"
set password ********
next
end

3. Log in as that administrator and confirm that they cannot access diagnose commands:
$ ?
config Configure object.
get Get dynamic and system information.
show Show configuration.
execute Execute static commands.
alias Execute alias commands.
exit Exit the CLI.

Associating a FortiToken to an administrator account

You can also associate FortiTokens with administrator accounts.

To associate a FortiToken to an administrator account using the GUI:

1. Ensure that you have successfully added your FortiToken serial number to FortiOS and that its status is Available.
2. Go to System > Administrators. Edit the admin account. This example assumes that the account is fully configured
except for two-factor authentication.
3. Enable Two-factor Authentication.
4. From the Token dropdown list, select the desired FortiToken serial number.
5. In the Email Address field, enter the administrator's email address.
6. Click OK.

For a mobile token, click Send Activation Code to send the activation code to the configured
email address. The admin uses this code to activate their mobile token. You must have
configured an email service in System > Settings to send the activation code.

To associate a FortiToken to an administrator account using the CLI:

config system admin
edit <username>
set password "myPassword"
set two-factor fortitoken
set fortitoken <serial_number>
set email-to "[email protected]"
next
end

The fortitoken keyword is not visible until you select fortitoken for the two-factor option.


Before you can use a new FortiToken, you may need to synchronize it due to clock drift.

REST API administrator

REST API administrator accounts are used for automated configuration, backup creation, and monitoring of the
FortiGate.
For more information about the REST API, see the Fortinet Development Network (FNDN). Note that an account is
required to access the FNDN.

To create a REST API administrator in the GUI:

1. Go to System > Administrators.
2. Select Create New > REST API Admin.
3. Configure the administrator:

Username The username of the administrator.
Do not use the characters < > ( ) # " ' in the administrator username.
These characters in an administrator username can lead to a cross-site
scripting (XSS) vulnerability.

Administrator Profile Where permissions for the REST API administrator are defined.
A REST API administrator should have the minimum permissions required to
complete the request.

PKI Group Certificate matching is supported as an extra layer of security. Both the client
certificate and token must match to be granted access to the API.

CORS Allow Origin Cross Origin Resource Sharing (CORS) allows third-party web apps to make
API requests to the FortiGate using the token.

Trusted Hosts The following can be used to restrict access to FortiGate API:
l Multiple trusted hosts/subnets can be configured
l IPv6 hosts are supported
l Allow all (0.0.0.0/0) is not allowed
You need your Source Address to create the trusted host.

4. Click OK.
An API token is generated. Make note of the token, as it is only shown once.

To create a REST API administrator in the CLI:

1. Create the REST API administrator:

config system api-user
edit "api-admin"
set comments <string>
set api-key ************
set accprofile "API profile"
set vdom "root"
config trusthost
edit 1
set ipv4-trusthost <class_ip&net_netmask>
next
...
end
next
end

2. Generate the API token:

# execute api-user generate-key <API username>

Make note of the token, as it is only shown once.

By default, the SSO administrator account can only be assigned the admin_no_access or
super_admin_readonly profile. You can define a new administrator profile with the required
permissions for the account. For example, you could use a specific API user to query the
FortiGate for just their own status. In that case, the profile would be configured as read-only.
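The following is an added example, not FortiOS code. It pre-checks the values destined for config system api-user (and the username rule that also applies to local administrators above) before they are typed into the CLI, applying the rules the page states: the username must not contain < > ( ) # " ', trusted hosts may be IPv4 or IPv6 hosts or networks, and an allow-all trusted host (0.0.0.0/0, and by the same reasoning ::/0) is not permitted. Treating an empty trusted-host list as a finding is this example's choice; the "ip netmask" rendering of ipv4-trusthost and the ipv6-trusthost keyword are assumptions about the CLI form, not taken from the page. Nothing is sent to a FortiGate.

```python
"""Added example (not FortiOS code): sanity-check the values destined for
`config system api-user` before they are typed into the CLI, applying the
rules the page states. Assumptions: an empty trusted-host list is reported as
a finding; the `ipv4-trusthost ip netmask` rendering and the ipv6-trusthost
keyword are this example's guess at the CLI form."""
import ipaddress
from typing import List, Sequence

# Characters the page forbids in administrator usernames (XSS risk).
FORBIDDEN_USERNAME_CHARS = frozenset('<>()#"\'')


def validate_api_user(username: str, trusthosts: Sequence[str]) -> List[str]:
    """Return a list of problems; an empty list means the values are acceptable."""
    problems: List[str] = []
    bad = sorted(set(username) & FORBIDDEN_USERNAME_CHARS)
    if bad:
        problems.append(f"username contains forbidden characters: {''.join(bad)}")
    if not trusthosts:
        problems.append("no trusted hosts: the API token could be used from any source address")
    for entry in trusthosts:
        try:
            net = ipaddress.ip_network(entry, strict=False)   # accepts hosts and networks, v4 and v6
        except ValueError:
            problems.append(f"{entry!r} is not a valid IPv4 or IPv6 host or network")
            continue
        if net.prefixlen == 0:                                # 0.0.0.0/0 or ::/0
            problems.append(f"{entry!r} matches every source; allow-all trusted hosts are not permitted")
    return problems


def render_cli(username: str, accprofile: str, vdom: str, trusthosts: Sequence[str]) -> str:
    """Render the `config system api-user` block for values that pass validation.
    The API token itself is not set here: it is generated afterwards with
    `execute api-user generate-key <username>` and shown only once."""
    problems = validate_api_user(username, trusthosts)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "config system api-user",
        f'    edit "{username}"',
        f'        set accprofile "{accprofile}"',
        f'        set vdom "{vdom}"',
        "        config trusthost",
    ]
    for seq, entry in enumerate(trusthosts, start=1):
        net = ipaddress.ip_network(entry, strict=False)
        lines.append(f"            edit {seq}")
        if net.version == 4:
            lines.append(f"                set ipv4-trusthost {net.network_address} {net.netmask}")
        else:
            lines.append(f"                set ipv6-trusthost {net.with_prefixlen}")
        lines.append("            next")
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values: a management subnet, an IPv6 prefix and one jump host.
    print(render_cli("api-admin", "API profile", "root",
                     ["10.0.0.0/24", "2001:db8::/64", "192.0.2.10"]))
```

A single host such as 192.0.2.10 renders with a /32 mask, which is the narrowest trusted host you can give a token that is only ever used from one automation box.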

SSO administrators

SSO administrators are automatically created when the FortiGate acts as a SAML service provider (SP) with SAML
Single Sign-On enabled in the Security Fabric settings.
On the system login page, an administrator can log in with their username and password against the root FortiGate
acting as the identity provider (IdP) in the Security Fabric. After the first successful login, this user is added to the
administrators table (System > Administrators under Single Sign-On Administrator). The default profile selected is based
on the SP settings (Default admin profile). See Configuring a downstream FortiGate as an SP on page 223 for more
information.

SSO administrators can be manually configured in FortiOS.

To manually configure an SSO administrator:

1. Go to System > Administrators and click Create New > SSO Admin.
2. Enter the username.
3. Select an administrator profile.
4. Click OK.


Firmware

Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you have
registered your FortiGate unit, firmware updates can be downloaded from the Fortinet Customer Service & Support
website.

Always back up the current configuration before installing new firmware. See Configuration
backups on page 57.

Before you install any new firmware, follow the below steps:
1. Understand the maturity level of the current and target firmware releases to help you determine whether to upgrade.
See Firmware maturity levels on page 892.
2. Review the Release Notes for a new firmware release.
3. Review the Supported Upgrade Paths.
4. Download a copy of the currently installed firmware, in case you need to revert to it. See Downloading a firmware
image on page 894 and Downgrading to a previous firmware version on page 896 for details.
5. Have a plan in place in case there is a critical failure, such as the FortiGate not coming back online after the update.
This could include having console access to the device (Connecting to the CLI on page 27), ensuring that your TFTP
server is working (Installing firmware from system reboot on page 897), and preparing a USB drive (Restoring from
a USB drive on page 899).
6. Back up the current configuration, including local certificates. See Configuration backups on page 57 for details.
7. Test the new firmware until you are satisfied that it applies to your configuration. See Testing a firmware version on
page 894 and Controlled upgrade on page 899 for details.
Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings and
unexpected issues.

Only FortiGate admin users and administrators whose access profiles contain system read
and write privileges can change the FortiGate firmware.

Firmware maturity levels

Released FortiOS 6.4.10 and later firmware images use tags to indicate the following maturity levels:
l The Feature tag indicates that the firmware release includes new features.
l The Mature tag indicates that the firmware release includes no new, major features. Mature firmware contains bug
fixes and vulnerability patches where applicable.
Administrators can use the get system status command to identify the maturity level of the current firmware.

To view maturity levels for firmware in the CLI:

# get system status
Version: FortiGate-VM64-KVM v6.4.10,build2000,220824 (GA.M)
...


In this example, the Version field includes .M to indicate that the maturity level is mature.
# get system status
Version: FortiGate-VM64-KVM v7.2.0,build1157,220331 (GA.F)
...

In this example, the Version field includes .F to indicate that the maturity level is feature.
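The following is an added example, not FortiOS code. It parses the Version line of get system status into the firmware version, build, build date and maturity tag, which is what an inventory script needs to flag devices still on Feature-tagged or untagged releases. The two tagged sample lines are the page's own output; the third, untagged line is constructed (version, build and date made up) to show the pre-6.4.10 shape where no (GA.x) suffix is printed.

```python
"""Added example (not FortiOS code): parse the Version line of
`get system status` so an inventory script can record each FortiGate's
firmware version, build and maturity tag."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# First two lines: the page's own output. Third line: constructed, to show the
# older shape without a maturity tag (its version, build and date are made up).
SAMPLE_OUTPUT = """\
Version: FortiGate-VM64-KVM v6.4.10,build2000,220824 (GA.M)
Version: FortiGate-VM64-KVM v7.2.0,build1157,220331 (GA.F)
Version: FortiGate-VM64-KVM v6.4.0,build1000,200331
"""

VERSION_RE = re.compile(
    r"^Version:\s+(?P<model>\S+)\s+"
    r"v(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+),"
    r"build(?P<build>\d+),(?P<date>\d{6})"
    r"(?:\s+\((?P<release>[A-Za-z]+)(?:\.(?P<tag>[A-Z]))?\))?\s*$"
)

MATURITY = {"M": "Mature", "F": "Feature"}


def parse_version_line(line: str) -> Optional[Dict]:
    """Return the fields of one Version line, or None if the line is not one."""
    m = VERSION_RE.match(line.strip())
    if m is None:
        return None
    return {
        "model": m["model"],
        "version": (int(m["major"]), int(m["minor"]), int(m["patch"])),
        "build": int(m["build"]),
        "build_date": datetime.strptime(m["date"], "%y%m%d").date(),  # YYMMDD
        "release": m["release"],             # e.g. "GA"; None when no suffix
        "maturity": MATURITY.get(m["tag"]),  # "Mature", "Feature" or None
    }


def parse_status(output: str) -> List[Dict]:
    """Parse every Version line in a `get system status` dump."""
    parsed = (parse_version_line(line) for line in output.splitlines())
    return [p for p in parsed if p is not None]


def on_feature_release(info: Dict) -> bool:
    """True when the firmware is tagged Feature or carries no tag at all,
    i.e. the cases an upgrade review should look at first."""
    return info["maturity"] != "Mature"


if __name__ == "__main__":
    for info in parse_status(SAMPLE_OUTPUT):
        major, minor, patch = info["version"]
        print(f'{info["model"]} v{major}.{minor}.{patch} build{info["build"]} '
              f'({info["maturity"] or "untagged"}) built {info["build_date"]}')
```

The version tuple sorts correctly (so (6, 4, 10) is newer than (6, 4, 9)), which a string comparison of "6.4.10" and "6.4.9" would get wrong.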

Firmware upgrade notifications

FortiGates with a firmware upgrade license that are connected to FortiGuard display upgrade notifications in the setup
window, banner, and FortiGuard menu. The firmware notifications are enabled by default.

To configure firmware notifications in the CLI:

config system global
set gui-firmware-upgrade-warning {enable | disable}
end

To use the firmware upgrade notifications in the GUI:

1. When you log in to FortiGate, the FortiGate Setup window includes an Upgrade firmware step. Click Begin.
2. Follow the steps in the Setup Progress, then click Review Firmware Upgrade.
The System > Firmware page opens.
3. Notifications appear below the Notification icon in the banner, and beside Firmware in the tree menu.


Downloading a firmware image

Firmware images for all FortiGate units are available on the Fortinet Customer Service & Support website.

To download firmware:

1. Log into the support site with your user name and password.
2. Go to Download > Firmware Images.
A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the
firmware version that you are upgrading your FortiGate unit to.
3. Select the Download tab.
4. Navigate to the folder for the firmware version that you are upgrading to.
5. Find your device model from the list. FortiWiFi devices have file names that start with FWF.
6. Click HTTPS in the far right column to download the firmware image to your computer.

Firmware can also be downloaded using FTP, but as FTP is not an encrypted file transfer
protocol, HTTPS downloading is recommended.

Security levels are pre-configured on the BIOS. See BIOS-level signature and file integrity
checking on page 1094 and Real-time file system integrity checking on page 1098 for more
information.

Testing a firmware version

The integrity of firmware images downloaded from Fortinet's support portal can be verified using a file checksum. A file
checksum that does not match the expected value indicates a corrupt file. The corruption could be caused by errors in
transfer or by file modification. A list of expected checksum values for each build of released code is available on
Fortinet’s support portal.
Image integrity is also verified when the FortiGate is booting up. This integrity check is done through a cyclic redundancy
check (CRC). If the CRC fails, the FortiGate unit will encounter an error during the boot process.
Firmware images are signed when they are built, and the signature is attached to the image. When upgrading, the
running OS verifies the attached signature against the image contents. If the signature does not verify, the new OS
will not load.
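The following is an added example, not Fortinet tooling. It performs the checksum comparison described above for a downloaded image, streaming a real file so a large .out image is not read into memory at once, and comparing in constant time. The image bytes and expected digests are constructed: the "image" is the three bytes b"abc" so that its well-known SHA-256 and MD5 values can be written out as literals, the way they would be copied from the portal's checksum list.

```python
"""Added example (not Fortinet tooling): verify a downloaded firmware image
against the checksum published on the support portal before uploading it to
the FortiGate. IMAGE and the EXPECTED_* digests are constructed for the example."""
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of in-memory bytes with any hashlib algorithm name."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest_hex(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a real image file in chunks so a multi-hundred-megabyte .out is not
    read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True only if the image hashes to `expected_hex`. The comparison is
    constant-time and case-insensitive, so a checksum pasted in upper case from
    the portal still matches."""
    actual = digest_hex(image, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Constructed stand-in for a downloaded image and its published checksums:
# b"abc" is used because its SHA-256 and MD5 are well known.
IMAGE = b"abc"
EXPECTED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
EXPECTED_MD5 = "900150983cd24fb0d6963f7d28e17f72"


def demo() -> dict:
    """Show a genuine image passing and a single-bit-flipped copy failing."""
    tampered = IMAGE[:-1] + bytes([IMAGE[-1] ^ 0x01])   # flip one bit of the last byte
    return {
        "genuine": verify_image(IMAGE, EXPECTED_SHA256),
        "tampered": verify_image(tampered, EXPECTED_SHA256),
        "md5_also_matches": verify_image(IMAGE, EXPECTED_MD5, "md5"),
    }


if __name__ == "__main__":
    print(demo())
```

A matching checksum only establishes that the file on disk is the one the portal lists; the FortiGate's own signature verification at upgrade time, described above, is a separate control. Prefer a SHA-2 digest when the checksum list provides one; MD5 is supported here only because some lists still publish it.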

Testing before installation

FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to system
memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current
configuration. The new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates
with the originally installed firmware image using the current configuration. If the new firmware image operates
successfully, you can install it permanently using the procedure explained in Upgrading the firmware.
For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The
TFTP server should be on the same subnet as the internal interface.


To test the new firmware version:

1. Connect to the CLI using an RJ-45 to USB (or DB-9) or null modem cable.
2. Ensure that the TFTP server is running.
3. Copy the new firmware image file to the root directory on the TFTP server.
4. Ensure that the FortiGate unit can connect to the TFTP server using the execute ping command.
5. Restart the FortiGate unit: execute reboot. The following message is shown:
This operation will reboot the system!
Do you want to continue? (y/n)
6. Type y. As the FortiGate unit starts, a series of system startup messages appears.
7. When the following message appears:
Press any key to display configuration menu..........
Immediately press any key to interrupt the system startup.
You have only three seconds to press any key. If you do not press a key during this time, the FortiGate will reboot,
and you will have to log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following menu appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8. Type G to get the new firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
9. Type the address of the TFTP server, then press Enter. The following message appears:
Enter Local Address [192.168.1.188]:
10. Type the IP address of the FortiGate unit to connect to the TFTP server.

The IP address must be on the same network as the TFTP server.


Make sure that you do not enter the IP address of another device on this network.

The following message appears:


Enter File Name [image.out]:
11. Enter the firmware image file name then press Enter. The TFTP server uploads the firmware image file to the
FortiGate unit and the following message appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
12. Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware
image, but with its current configuration.
Test the new firmware image as required. When done testing, reboot the FortiGate unit, and it will resume using the
firmware that was running before you installed the test firmware.

Upgrading the firmware

Installing a new firmware image replaces the current antivirus and attack definitions with the definitions that are
included with the firmware release being installed. After you install new firmware, make sure that the antivirus and
attack definitions are up to date.


Back up your configuration before making any firmware changes.

To upgrade the firmware in the GUI:

1. Log into the FortiGate GUI as the admin administrative user.
2. Go to System > Firmware.
3. Under Latest or All available, select a firmware version, and click Backup config and upgrade.
Alternately, under Upload Firmware, click Browse and locate the previously downloaded firmware image file (see
Downloading a firmware image on page 894).
4. Review the warning, and click Continue to initiate the upgrade.
The FortiGate unit backs up the current configuration to the management computer, uploads the firmware image
file, upgrades to the new firmware version, and restarts. This process takes a few minutes.

To upgrade the firmware in the CLI:

1. Make sure that the TFTP server is running.
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Log into the CLI.
4. Ping the TFTP server to ensure that the FortiGate can connect to it:
execute ping <tftp_ipv4>
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <filename> <tftp_ipv4>
The FortiGate unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6. Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This
process takes a few minutes.
7. Reconnect to the CLI.
8. Update the antivirus and attack definitions:
execute update-now

Downgrading to a previous firmware version

Downgrading the firmware is not recommended.

This procedure downgrades the FortiGate to a previous firmware version. The backup configuration might not be able to
be restored after downgrading.

To downgrade to a previous firmware version in the GUI:

1. Log into the FortiGate GUI as the admin administrative user.
2. Go to System > Firmware.


3. Under Upload Firmware, click Browse and locate the previously downloaded firmware image file (see Downloading a firmware image on page 894).
4. Enable Confirm version downgrade.
5. Click Backup config and downgrade.
The FortiGate unit backs up the current configuration to the management computer, uploads the firmware image file, installs that firmware version, and restarts. This process takes a few minutes.

To downgrade to a previous firmware version in the CLI:

1. Make sure that the TFTP server is running.
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Log into the CLI.
4. Ping the TFTP server to ensure that the FortiGate can connect to it:
    execute ping <tftp_ipv4>
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
    execute restore image tftp <filename> <tftp_ipv4>
The FortiGate unit responds with the message:
    This operation will replace the current firmware version!
    Do you want to continue? (y/n)
6. Type y. The FortiGate unit uploads the firmware image file, then a message similar to the following is shown:
    Get image from tftp server OK.
    Check image OK.
    This operation will downgrade the current firmware version!
    Do you want to continue? (y/n)
7. Type y. The FortiGate unit downgrades to the old firmware version and restarts. This process takes a few minutes.
8. Reconnect to the CLI.
9. Update the antivirus and attack definitions:
    execute update-now

Installing firmware from system reboot

If the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI. If configured, the firmware can also be installed automatically from a USB drive; see Restoring from a USB drive on page 899 for details.
This procedure installs a firmware image and resets the FortiGate unit to factory default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.
To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to USB (or DB-9), or null modem cable. You must also install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure, ensure that you back up the FortiGate unit configuration. See Configuration backups on page 57 for details. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.
Installing firmware replaces your current antivirus and attack definitions with the definitions included in the firmware release you are installing. After you install new firmware, make sure that the antivirus and attack definitions are up to date.


To install firmware from a system reboot:

1. Connect to the CLI using the RJ-45 to USB (or DB-9) or null modem cable.
2. Ensure that the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Ensure that the FortiGate unit can connect to the TFTP server using the execute ping command.
5. Restart the FortiGate unit: execute reboot. The following message is shown:
    This operation will reboot the system!
    Do you want to continue? (y/n)
6. Type y. As the FortiGate unit starts, a series of system startup messages appears.
7. When the following message appears:
    Press any key to display configuration menu..........
Immediately press any key to interrupt the system startup.
You have only three seconds to press any key. If you do not press a key during this time, the FortiGate will reboot, and you will have to log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following menu appears:
    [C]: Configure TFTP parameters.
    [R]: Review TFTP parameters.
    [T]: Initiate TFTP firmware transfer.
    [F]: Format boot device.
    [I]: System information.
    [B]: Boot with backup firmware and set as default.
    [Q]: Quit menu and continue to boot.
    [H]: Display this list of options.

    Enter C,R,T,F,I,B,Q,or H:

8. If necessary, type C to configure the TFTP parameters, then type Q to return to the previous menu:
    [P]: Set firmware download port.
    [D]: Set DHCP mode.
    [I]: Set local IP address.
    [S]: Set local subnet mask.
    [G]: Set local gateway.
    [V]: Set local VLAN ID.
    [T]: Set remote TFTP server IP address.
    [F]: Set firmware file name.
    [E]: Reset TFTP parameters to factory defaults.
    [R]: Review TFTP parameters.
    [N]: Diagnose networking(ping).
    [Q]: Quit this menu.
    [H]: Display this list of options.

    Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:

The local IP address must be on the same network as the TFTP server. Make sure that you do not enter the IP address of another device on this network.

9. Type T to get the new firmware image from the TFTP server.
The FortiGate unit loads the firmware.


10. Save the firmware as the default (D) or backup (B) firmware image, or run the image without saving it (R).
The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to
complete.

Restoring from a USB drive

The FortiGate firmware can be manually restored from a USB drive, or installed automatically from a USB drive after a
reboot.

To restore the firmware from a USB drive:

1. Copy the firmware file to the root directory on the USB drive.
2. Connect the USB drive to the USB port of the FortiGate device.
3. Connect to the FortiGate CLI using the RJ-45 to USB (or DB-9) or null modem cable.
4. Enter the following command:
    execute restore image usb <filename>
The FortiGate unit responds with the following message:
    This operation will replace the current firmware version! Do you want to continue? (y/n)
5. Type y. The FortiGate unit restores the firmware and restarts. This process takes a few minutes.
6. Update the antivirus and attack definitions:
    execute update-now

To install firmware automatically from a USB drive:

1. Go to System > Settings.
2. In the Start Up Settings section, enable Detect firmware and enter the name of the firmware file.
3. Copy the firmware file to the root directory on the USB drive.
4. Connect the USB drive to the USB port of the FortiGate device.
5. Reboot the FortiGate device.

Controlled upgrade

Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate partition in the FortiGate
memory for later upgrade. The FortiGate unit can be configured so that when it is rebooted, it will automatically load the
new firmware. Using this option, you can stage multiple FortiGate units to upgrade simultaneously using FortiManager or
a script.

To load the firmware for later installation:

execute restore secondary-image {ftp | tftp | usb} <filename_str>

To set the FortiGate unit so that when it reboots, the new firmware is loaded:

execute set-next-reboot {primary | secondary}

where {primary | secondary} is the partition with the preloaded firmware.


Settings

The default administrator password should be configured immediately after the FortiGate is installed; see Default administrator password on page 900.
After that, there are several system settings that should also be configured in System > Settings:
• Changing the host name on page 901
• Setting the system time on page 901
• Configuring ports on page 905
• Setting the idle timeout time on page 905
• Setting the password policy on page 906
• Changing the view settings on page 906
• Setting the administrator password retries and lockout time on page 907
• TLS configuration on page 907
• Controlling return path with auxiliary session on page 908
• Email alerts on page 912
• Trusted platform module support on page 915

Default administrator password

By default, your FortiGate has an administrator account set up with the username admin and no password. In order to
prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.

In FortiOS 6.2.1 and later, adding a password to the admin administrator is mandatory. You
will be prompted to configure it the first time you log in to the FortiGate using that account,
after a factory reset, and after a new image installation.

To change the default password in the GUI:

1. Go to System > Administrators.
2. Edit the admin account.
3. Click Change Password.
4. If applicable, enter the current password in the Old Password field.
5. Enter a password in the New Password field, then enter it again in the Confirm Password field.
6. Click OK.

To change the default password in the CLI:

config system admin
    edit admin
        set password <password>
    next
end


It is also recommended that you change the user name of this account; however, since you
cannot change the user name of an account that is currently in use, a second administrator
account must be created in order to do this.

Changing the host name

The FortiGate host name is shown in the Hostname field in the System Information widget on a dashboard, as the
command prompt in the CLI, as the SNMP system name, as the device name on FortiGate Cloud, and other places. If
the FortiGate is in an HA cluster, use a unique host name to distinguish it from the other devices in the cluster.
An administrator requires System > Configuration read/write access to edit the host name. See Administrator profiles on
page 881 for details.

To change the host name in the GUI:

1. Go to System > Settings.
2. In the Host name field, enter a new name.
3. Click Apply.

To change the host name in the CLI:

config system global
    set hostname <hostname>
end

Setting the system time

You can either manually set the FortiOS system time, or configure the device to automatically keep its system time
correct by synchronizing with a Network Time Protocol (NTP) server.
Daylight saving time is enabled by default, and can only be configured in the CLI.

For many features to work, including scheduling, logging, and SSL-dependent features, the
FortiOS system time must be accurate.

To configure the date and time in the GUI:

1. Go to System > Settings.
2. In the System Time section, configure the following settings to either manually set the time or use an NTP server:

Time Zone: Select a time zone from the list. This should be the time zone that the FortiGate is in.

Set Time: Select to either Synchronize with an NTP Server, or use Manual settings.


Synchronize with an NTP Server: To use an NTP server other than FortiGuard, the CLI must be used. In the Sync interval field, enter how often, in minutes, the device synchronizes its time with the NTP server.

Manual settings: Manually enter the Date, Hour (in 24-hour format), Minute, and Second in their fields.

Setup device as local NTP server: Enable to configure the FortiGate as a local NTP server. In the Listen on Interfaces field, set the interface or interfaces that the FortiGate will listen for NTP requests on.

3. Click Apply.

To configure the date and time in the CLI:

1. Configure the timezone and daylight saving time:
    config system global
        set timezone <integer>
        set dst {enable | disable}
    end

2. Either manually configure the date and time, or configure an NTP server:
Manual:
    execute date <yyyy-mm-dd>
    execute time <hh:mm:ss>

NTP server:
    config system ntp
        set ntpsync enable
        set type {fortiguard | custom}
        set syncinterval <integer>
        set source-ip <ip_address>
        set source-ip6 <ip6_address>
        set server-mode {enable | disable}
        set interface <interface>
        set authentication {enable | disable}
        set key-type {MD5 | SHA1}
        set key <password>
        set key-id <integer>
        config ntpserver
            edit <server_id>
                set server <ip_address or hostname>
                set ntpv3 {enable | disable}
                set authentication {enable | disable}
                set key <password>
                set key-id <integer>
            next
        end
    end


SHA-1 authentication support (for NTPv4)

SHA-1 authentication support allows the NTP client to verify that servers are known and trusted, and not intruders masquerading (accidentally or intentionally) as legitimate servers. SHA-1 is a cryptographic hash function; the client and server share a key, and each packet carries a digest computed with that key that the client checks before accepting the time.

SHA-1 authentication support is only available for NTP clients, not NTP servers.

To configure authentication on a FortiGate NTP client:

config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 1
    config ntpserver
        edit "883502"
            set server "10.1.100.11"
            set authentication enable
            set key ENCi9NmcqsV3xBJvOkgIL3lFxA8mnNs2XKfB7spOQoUw4cm8FOOP0nrCbqx6rJ+om95+hVUHpaVZmepdd4KznPlAHNiuliPgPOk
            set key-id 1
        next
    end
end

Command                              Description
authentication {enable | disable}    Enable/disable MD5/SHA1 authentication (default = disable).
key <passwd>                         Key for MD5/SHA1 authentication. Enter a password value.
key-id <integer>                     Key ID for authentication. Enter an integer value from 0 to 4294967295.

To confirm that NTP authentication is set up correctly:

# diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv4 server(10.1.100.11) 10.1.100.11 -- reachable(0xff) S:4 T:6 selected
server-version=4, stratum=3

If NTP authentication is set up correctly, the server version is equal to 4.
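The key and key-id settings above are the two halves of the NTPv4 symmetric-key MAC: the key ID tells the client which shared secret to use, and the digest proves the server held it. The following Python model of that exchange is an added example, not FortiOS or Fortinet code. It follows the MAC layout of RFC 5905 (key ID followed by a digest of the key and the packet header); the key bytes and key ID it uses are constructed sample values, not the ones shown in the configuration above.

```python
"""NTPv4 symmetric-key MAC, as used by the FortiOS NTP authentication settings.

Added illustration, not FortiOS or Fortinet code. Per RFC 5905 (section 7.3 and
Appendix A), the MAC appended to the 48-byte NTP header is
    key_id (4 bytes, big-endian) || digest(key || header)
where digest is MD5 or SHA-1, the two key-type values FortiOS offers. The key
and key ID below are constructed sample values.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
ALGOS = {"MD5": "md5", "SHA1": "sha1"}   # FortiOS key-type -> hashlib name


def build_ntp_client_header() -> bytes:
    """Minimal NTPv4 client request header: LI=0, VN=4, Mode=3 (0x23).

    Stratum, poll, precision, root delay/dispersion, reference ID and the four
    timestamps are left zero; only the framing matters for the MAC example.
    """
    first_byte = (0 << 6) | (4 << 3) | 3
    return bytes([first_byte]) + bytes(NTP_HEADER_LEN - 1)


def compute_mac(header: bytes, key_id: int, key: bytes, key_type: str = "SHA1") -> bytes:
    """Return key_id || digest(key || header) for a 48-byte NTP header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    if key_type not in ALGOS:
        raise ValueError("key-type must be MD5 or SHA1")
    digest = hashlib.new(ALGOS[key_type], key + header).digest()
    return struct.pack("!I", key_id) + digest


def authenticate(packet: bytes, trusted_keys: dict, key_type: str = "SHA1") -> bool:
    """Verify header || MAC against the client's table of trusted keys.

    Returns False for a bad length, an unknown key ID, or a digest mismatch,
    which is how a server that does not hold the shared key gets rejected.
    """
    if key_type not in ALGOS:
        raise ValueError("key-type must be MD5 or SHA1")
    digest_len = hashlib.new(ALGOS[key_type]).digest_size
    if len(packet) != NTP_HEADER_LEN + 4 + digest_len:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = compute_mac(header, key_id, key, key_type)
    return hmac.compare_digest(mac, expected)   # constant-time comparison
```

The trusted_keys table plays the role of the FortiGate's configured key-id/key pair: a reply carrying an unknown key ID, or a digest made with a different key, is dropped rather than used to set the clock.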

PTPv2

Precision time protocol (PTP) is used to synchronize network clocks. It is best suited to situations where time accuracy is
of the utmost importance, as it supports accuracy in the sub-microsecond range. Conversely, NTP accuracy is in the
range of milliseconds or tens of milliseconds.
The following CLI commands are available:


config system ptp
    set status {enable | disable}
    set mode {multicast | hybrid}
    set delay-mechanism {E2E | P2P}
    set request-interval <integer>
    set interface <interface>
end

Command                        Description
status {enable | disable}      Enable or disable synchronizing the FortiGate system time with a PTP server (default = disable).
mode {multicast | hybrid}      Use multicast or hybrid transmission (default = multicast).
delay-mechanism {E2E | P2P}    Use end-to-end (E2E) or peer-to-peer (P2P) delay detection (default = E2E).
request-interval <integer>     The logarithmic mean interval, in seconds, between the delay request messages sent by the client to the server (default = 1).
interface <interface>          The interface that the PTP client will reply through.

Sample configuration

This example uses the following topology:

To configure a FortiGate to act as a PTP client that synchronizes itself with a Linux PTP server:

1. Enable debug messages:
    # diagnose debug application ptpd -1
This command provides details to debug the PTP communication with the server.
2. Check the system date:
    # execute date
    current date is: 2020-01-01
3. Configure PTP in global mode:
    config system ptp
        set status enable
        set interface wan2
    end
4. Check the system date again after synchronization with the PTP server:
    # execute date
    current date is: 2020-01-14


Configuring ports

To improve security, the default ports for administrative connections to the FortiGate can be changed. Port numbers must be unique. If a conflict exists with a particular port, a warning message is shown.
When connecting to the FortiGate after a port has been changed, the port number must be included in the URL, for example: https://192.168.1.99:100.

To configure the ports in the GUI:

1. Go to System > Settings.
2. In the Administration Settings section, set the HTTP, HTTPS, SSH, and Telnet ports.
3. Enable Redirect to HTTPS to prevent HTTP from being used by administrators.
4. Click Apply.

To configure the ports in the CLI:

config system global
    set admin-port <port>
    set admin-sport <port>
    set admin-https-redirect {enable | disable}
    set admin-ssh-port <port>
    set admin-telnet-port <port>
end

Custom default service port range

The default service port range can be customized using the following CLI command:
    config system global
        set default-service-source-port <port range>
    end

Where <port range> is the new default service port range, with a minimum value of 0 and a maximum value of 65535. The default value is 1 to 65535.

This change affects the TCP and UDP protocols.

Setting the idle timeout time

The idle timeout period is the amount of time that an administrator will stay logged in to the GUI without any activity. This
is to prevent someone from accessing the FortiGate if the management PC is left unattended. By default, it is set to five
minutes.

A setting of higher than 15 minutes will have a negative effect on a security rating score. See
Security rating on page 238 for more information.


To change the idle timeout in the GUI:

1. Go to System > Settings.
2. In the Administration Settings section, set the Idle timeout to up to 480 minutes.
3. Click Apply.

To change the idle timeout in the CLI:

config system global
    set admintimeout <integer>
end

Setting the password policy

A password policy can be created for administrators and IPsec pre-shared keys. See Password policy on page 887 for
information.

Changing the view settings

The view settings change the look and language of the FortiOS GUI.

To change the view settings in the GUI:

1. Go to System > Settings.
2. In the View Settings section, configure the following settings:

Language: Set the GUI language: English, French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, Korean.

Lines per page: Set the number of lines per page, from 20 to 100.

Theme: Set the theme color: Green, Red, Blue, Melongene, or Mariner.

Date/Time Display: Set the date and time to display using the FortiGate's or the browser's timezone.

NGFW Mode: Set the NGFW mode to either Profile-based (default) or Policy-based. If Policy-based is selected, the SSL/SSH Inspection profile must be selected.

3. Click Apply.

To change the view settings in the CLI:

config system global
    set language {english | french | spanish | portuguese | japanese | trach | simch | korean}
    set gui-lines-per-page <integer>
    set gui-theme {green | red | blue | melongene | mariner}
    set gui-date-time-source {system | browser}
end
config system settings
    set ngfw-mode {profile-based | policy-based}
    set ssl-ssh-profile {certificate-inspection | custom-deep-inspection | deep-inspection | no-inspection}
end

Setting the administrator password retries and lockout time

By default, the number of password retry attempts is set to three, allowing the administrator a maximum of three attempts at logging in to their account before they are locked out for a set amount of time (by default, 60 seconds).
The number of attempts and the wait time before the administrator can try to enter a password again can be configured using the CLI.
A maximum of ten retry attempts can be configured, and the lockout period can be 1 to 2147483647 seconds (over 68 years). The higher the number of retry attempts, the higher the risk that someone might be able to guess the password.

To configure the lockout options:

config system global
    set admin-lockout-threshold <failed_attempts>
    set admin-lockout-duration <seconds>
end

For example, to set the number of retry attempts to 1, and the lockout time to 5 minutes:
    config system global
        set admin-lockout-threshold 1
        set admin-lockout-duration 300
    end

If the time span between the first failed login attempt and the failed attempt that reaches the lockout threshold
is less than the lockout time, the lockout is triggered.
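The note above states the rule in terms of a time window. The following Python model of that rule is an added example, not FortiOS code; its treatment of failures that fall outside the window (they are no longer counted) and of a correct password entered while the window is open (it resets the counter) are assumptions made for the model, not behaviour the guide documents. The threshold and duration limits are the ones stated above.

```python
"""Model of admin-lockout-threshold / admin-lockout-duration for one admin account.

Added illustration, not FortiOS code. The lockout triggers when the failed
attempt that reaches the threshold is less than `duration` seconds after the
first failure still inside the window. Dropping failures older than the window
and clearing the counter on a successful login are assumptions of this model.
"""
from collections import deque


class AdminLockout:
    def __init__(self, threshold: int = 3, duration: int = 60):
        if not 1 <= threshold <= 10:
            raise ValueError("admin-lockout-threshold is 1 to 10")
        if not 1 <= duration <= 2147483647:
            raise ValueError("admin-lockout-duration is 1 to 2147483647 seconds")
        self.threshold = threshold
        self.duration = duration
        self.failures = deque()      # timestamps of failed attempts in the current window
        self.locked_until = None

    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: float) -> bool:
        """Record a failed login at time `now` (seconds); True if the account is locked afterwards."""
        if self.is_locked(now):
            return True
        self.locked_until = None
        # Failures older than the lockout window no longer count (model assumption).
        while self.failures and now - self.failures[0] >= self.duration:
            self.failures.popleft()
        self.failures.append(now)
        if len(self.failures) >= self.threshold:
            # Threshold reached within `duration` of the first counted failure.
            self.locked_until = now + self.duration
            self.failures.clear()
            return True
        return False

    def record_success(self, now: float) -> bool:
        """A correct password is still refused while locked; otherwise it resets the window."""
        if self.is_locked(now):
            return False
        self.locked_until = None
        self.failures.clear()
        return True
```

With the defaults (3 attempts, 60 seconds), three failures within a minute lock the account for a minute; with threshold 1 and duration 300, as in the example above, a single wrong password locks it for five minutes.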

TLS configuration

The minimum TLS version that is used for local-out connections from the FortiGate can be configured in the CLI:
    config system global
        set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2 | TLSv1-3}
    end

By default, the minimum version is TLSv1.2. The FortiGate will try to negotiate a connection using the configured version or higher. If the server that the FortiGate is connecting to does not support the version, then the connection will not be made.
Some FortiCloud and FortiGuard services do not support TLSv1.3.
Minimum SSL/TLS versions can also be configured individually for the following settings, not all of which support TLSv1.3:


Setting                CLI
Email server           config system email-server
Certificate            config vpn certificate setting
FortiSandbox           config system fortisandbox
FortiGuard             config log fortiguard setting
FortiAnalyzer          config log fortianalyzer setting
Syslog                 config log syslogd setting
User Authentication    config user setting
LDAP server            config user ldap
POP3 server            config user pop3
Exchange server        config user exchange

A minimum (ssl-min-proto-ver) and a maximum (ssl-max-proto-ver) version can be configured for SSL VPN. See TLS 1.3 support on page 1931.
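Several of the settings in this chapter (the administrative ports under Configuring ports, the idle timeout, the lockout threshold, and the minimum TLS version above) are worth checking across many units at once. The following Python audit is an added example, not a Fortinet tool: it parses the config system global block of a FortiOS configuration backup and reports settings that fall outside what this chapter recommends. The sample configuration is constructed, and the defaults it assumes for absent keys (admintimeout 5, admin-lockout-threshold 3, ssl-min-proto-version TLSv1-2) are the ones stated in this chapter.

```python
"""Audit the admin-access settings of a FortiOS configuration backup.

Added example, not Fortinet code. Checks: idle timeout above 15 minutes (lowers
the security rating), HTTP not redirected to HTTPS, more than three lockout
attempts, a minimum TLS version below TLSv1.2, and duplicate admin ports.
"""
import re

# Constructed sample backup; deliberately weak in several places.
SAMPLE_CONFIG = """\
config system global
    set admin-port 80
    set admin-sport 443
    set admin-https-redirect disable
    set admin-ssh-port 22
    set admin-telnet-port 23
    set admintimeout 480
    set admin-lockout-threshold 10
    set admin-lockout-duration 60
    set ssl-min-proto-version TLSv1
    set hostname "FGT-sample"
end
config system settings
    set auxiliary-session disable
end
"""

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1-1", "TLSv1-2", "TLSv1-3"]
ADMIN_PORT_KEYS = ("admin-port", "admin-sport", "admin-ssh-port", "admin-telnet-port")


def parse_block(config_text: str, block: str) -> dict:
    """Return the `set key value` pairs of one flat top-level config block.

    Nested `config ... end` sub-tables are not handled; the blocks audited
    here (system global, system settings) have none.
    """
    settings, inside = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == f"config {block}":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.match(r"set (\S+) (.+)", line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings


def audit_admin_settings(config_text: str) -> list:
    """Return (setting, finding) tuples for settings weaker than the guide recommends."""
    g = parse_block(config_text, "system global")
    findings = []

    timeout = int(g.get("admintimeout", "5"))                 # default: 5 minutes
    if timeout > 15:
        findings.append(("admintimeout", f"{timeout} min idle timeout exceeds 15 and lowers the security rating"))

    if g.get("admin-https-redirect") == "disable":
        findings.append(("admin-https-redirect", "HTTP admin logins are not redirected to HTTPS"))

    threshold = int(g.get("admin-lockout-threshold", "3"))     # default: 3 attempts
    if threshold > 3:
        findings.append(("admin-lockout-threshold", f"{threshold} attempts before lockout raises password-guessing risk"))

    minver = g.get("ssl-min-proto-version", "TLSv1-2")         # default: TLSv1.2
    if minver not in TLS_ORDER or TLS_ORDER.index(minver) < TLS_ORDER.index("TLSv1-2"):
        findings.append(("ssl-min-proto-version", f"{minver} is below TLSv1-2"))

    # Port numbers must be unique: flag any administrative port that is used twice.
    seen = {}
    for key in ADMIN_PORT_KEYS:
        if key in g:
            if g[key] in seen:
                findings.append((key, f"port {g[key]} conflicts with {seen[g[key]]}"))
            seen.setdefault(g[key], key)
    return findings


if __name__ == "__main__":
    for setting, finding in audit_admin_settings(SAMPLE_CONFIG):
        print(f"{setting}: {finding}")
```

Feed it the text of a backup taken as described in Configuration backups; a clean unit returns an empty list, so the script fits into a scheduled compliance job without further parsing.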

Controlling return path with auxiliary session

When multiple incoming or outgoing interfaces are used in ECMP or for load balancing, changes to the routing, incoming, or
return traffic interfaces impact how existing sessions handle the traffic. Auxiliary sessions can be used to handle
these changes to traffic patterns.

• In FortiOS 6.0 and earlier, the auxiliary session feature is not supported.
• In FortiOS 6.2.0 to 6.2.2, the auxiliary session feature is permanently enabled.
• In FortiOS 6.2.3 and later, the auxiliary session feature is disabled by default, and can be enabled if required.

To enable or disable the auxiliary session feature:

config system settings
    set auxiliary-session {enable | disable*}
end

When enabling auxiliary sessions, consider the impact of routing in both traffic directions. In
topologies such as SD-WAN hub and spoke or ADVPN deployments, the symmetry of the
return traffic is important for maintaining the stability of the session. It is expected that the
spoke selects the outbound interface and path, and the other nodes obey and reply
symmetrically. It is recommended to disable auxiliary sessions in these scenarios, and in others where
incoming and return traffic symmetry is expected.


Scenarios

Incoming traffic is from the client to the server. Return traffic is from the server to the client.

Scenario 1 - Return traffic returns on the original outgoing interface

In this scenario, a session is established between port1 and port3. When the return traffic hits port3:

Auxiliary sessions disabled:

The reply to the client egresses on the original incoming interface, port1. If policy routes or SD-WAN rules are
configured, the next hop gateway is applied if the output device is the same as the original incoming interface.

Auxiliary sessions enabled:

The reply to the client egresses on the best route in the routing table:
• If the best route is port1, then it will egress on port1.
• If the best route is port2, then it will egress on port2.
If policy routes or SD-WAN rules are configured, they must be matched to determine the egress interface. If both are configured, policy routes have higher priority.

Scenario 2 - Return traffic returns on an interface other than the original outgoing interface

In this scenario, a session is established between port1 and port3. When the return traffic hits port4:

Auxiliary sessions disabled:

• The session is dirtied and then gets refreshed, and the interfaces on the session are updated.
• If there is a high traffic volume or flapping between the interfaces, the CPU usage increases.

Auxiliary sessions enabled:

An auxiliary session is created for the existing session, and traffic returns to the client as normal on the auxiliary session.

Scenario 3 - Incoming traffic enters on an interface other than the original incoming interface

In this scenario, a session is established between port1 and port3. When the incoming traffic hits port2:


Auxiliary sessions disabled:

The session is dirtied and then gets refreshed, and interfaces on the session are updated.

Auxiliary sessions enabled:

An auxiliary session is created for the existing session, and traffic is forwarded to the server as normal on the auxiliary
session.

Scenario 4 - The routing table is changed

In this scenario, a session has been established between port1 and port3, and then a new route on port4 becomes the
route to the server.

Auxiliary sessions disabled:

As long as there is a route to the destination, the session will not be dirtied or refreshed. Even though there is a better
route, traffic continues on the original path between port1 and port3.

Auxiliary sessions enabled:

The session is dirtied and then gets refreshed, and interfaces on the session are updated.

Effect on NPU offloading sessions

When the auxiliary session feature is disabled, there is always one session. If the incoming or return interface changes,
the FortiGate marks the session as dirty and updates the session's interfaces. This cannot be done by the NPU, so the
session is not offloaded to the NPU, and is processed by the CPU instead. If Equal-Cost Multi-Path (ECMP) causes the
interface to keep changing, then it will use significant CPU resources.
When the auxiliary session feature is enabled and the incoming or return interface changes, it creates an auxiliary
session, and all traffic can continue to be processed by the NPU.

Verification

When an auxiliary, or reflect, session is created, it appears as a reflect session below the existing session:
# diagnose sys session list
session info: proto=17 proto_state=00 duration=111 expire=175 timeout=0 flags=00000000
socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=131/4/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=36->38/38->36 gwy=10.1.2.3/0.0.0.0
hook=pre dir=org act=noop 10.1.100.22:51926->172.16.204.44:5001(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.204.44:5001->10.1.100.22:51926(0.0.0.0:0)
src_mac=90:6c:ac:19:19:58
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2
serial=00002b11 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000400
npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0016/0x0000
vlifid=142/0, vtag_in=0x0016/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=4/0
no_ofld_reason:
reflect info 0:
dev=37->38/38->37
npu_state=0x000400
npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0017/0x0000
vlifid=142/0, vtag_in=0x0017/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=4/0
total reflect session num: 1
total session 1

When a session is dirtied, a dirty flag is added to it:
# diagnose sys session list
session info: proto=17 proto_state=00 duration=28 expire=152 timeout=0 flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=dirty may_dirty npu
statistic(bytes/packets/allow_err): org=68/2/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 2/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.1.100.22:51926->172.16.204.44:5001(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.204.44:5001->10.1.100.22:51926(0.0.0.0:0)
src_mac=90:6c:ac:19:19:58 dst_mac=02:6c:ac:5c:c6:f9
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2
serial=00002b2c tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000400
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
total session 1

When an auxiliary session is created, NPU offloading continues in the reflect session:
# diagnose sys session list
session info: proto=17 proto_state=01 duration=169 expire=129 timeout=0 flags=00000000
socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=131/4/1 reply=66/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=36->38/38->36 gwy=10.1.2.3/172.17.2.1
hook=pre dir=org act=noop 10.1.100.22:51926->172.16.204.44:5001(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.204.44:5001->10.1.100.22:51926(0.0.0.0:0)
src_mac=90:6c:ac:19:19:58
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2
serial=00002b11 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000c00
npu info: flag=0x91/0x81, offload=8/8, ips_offload=0/0, epid=129/142, ipid=142/128, vlan=0x0016/0x0016
vlifid=142/128, vtag_in=0x0016/0x0016 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=4/4
reflect info 0:
dev=37->38/38->37
npu_state=0x000400
npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0017/0x0000
vlifid=142/0, vtag_in=0x0017/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=4/0
total reflect session num: 1
total session 1
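The three listings above are easier to compare when reduced to the fields that matter for this feature: the state flags (dirty or not), the original and reply device pair, the parent session's NPU offload counters, and whether a reflect entry hangs off the session. The following Python parser is an added example, not FortiOS code. The embedded sample is a constructed composite trimmed from the listings above, with one session carrying a reflect entry and one dirtied session, so that a single run shows both outcomes.

```python
"""Parse `diagnose sys session list` output and classify sessions.

Added example, not FortiOS code. A session is reported as "reflect" when an
auxiliary (reflect) entry is attached to it, "dirty" when the dirty flag is
set, and "normal" otherwise; the parent session's offload counters show
whether the NPU is still handling it.
"""
import re

# Constructed sample: a composite trimmed from the listings in this section.
SAMPLE_OUTPUT = """\
session info: proto=17 proto_state=00 duration=111 expire=175 timeout=0 flags=00000000
socktype=0 sockport=0 av_idx=0 use=4
state=may_dirty npu
statistic(bytes/packets/allow_err): org=131/4/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=36->38/38->36 gwy=10.1.2.3/0.0.0.0
hook=pre dir=org act=noop 10.1.100.22:51926->172.16.204.44:5001(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.204.44:5001->10.1.100.22:51926(0.0.0.0:0)
serial=00002b11 tos=ff/ff app_list=0 app=0 url_cat=0
npu_state=0x000400
npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0016/0x0000
no_ofld_reason:
reflect info 0:
dev=37->38/38->37
npu_state=0x000400
npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0017/0x0000
total reflect session num: 1
session info: proto=17 proto_state=00 duration=28 expire=152 timeout=0 flags=00000000
state=dirty may_dirty npu
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.1.100.22:51926->172.16.204.44:5001(0.0.0.0:0)
serial=00002b2c tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
no_ofld_reason:
total session 2
"""


def parse_session_list(output: str) -> list:
    """Split session list output into one dict per session."""
    sessions, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            cur = {"serial": None, "flags": [], "dev": None, "orig": None,
                   "offloaded": None, "reflect": 0}
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("reflect info"):
            cur["reflect"] += 1            # an auxiliary session is attached to this one
        elif line.startswith("state="):
            cur["flags"] = line[len("state="):].split()
        elif line.startswith("serial="):
            cur["serial"] = line.split()[0].split("=", 1)[1]
        elif line.startswith("orgin->sink"):
            m = re.search(r"dev=(\S+)", line)
            cur["dev"] = m.group(1) if m else None
        elif line.startswith("hook=pre dir=org"):
            m = re.search(r"act=\S+ (\S+?)->(\S+?)\(", line)
            cur["orig"] = (m.group(1), m.group(2)) if m else None
        elif line.startswith("npu info:") and cur["reflect"] == 0 and cur["offloaded"] is None:
            # Parent session counters only; reflect entries carry their own.
            m = re.search(r"offload=(\d+)/(\d+)", line)
            cur["offloaded"] = bool(m) and (m.group(1), m.group(2)) != ("0", "0")
    return sessions


def classify(session: dict) -> str:
    """normal, reflect (auxiliary session in use) or dirty (CPU refresh pending)."""
    if "dirty" in session["flags"]:
        return "dirty"
    if session["reflect"] > 0:
        return "reflect"
    return "normal"


def summarize(output: str) -> dict:
    """Count sessions by class, plus those the NPU is not offloading."""
    counts = {"normal": 0, "reflect": 0, "dirty": 0, "not_offloaded": 0}
    for s in parse_session_list(output):
        counts[classify(s)] += 1
        if s["offloaded"] is False:
            counts["not_offloaded"] += 1
    return counts
```

Run against a full session table, a rising dirty count alongside a falling offloaded count is the CPU-bound symptom described under Effect on NPU offloading sessions; with auxiliary sessions enabled the same interface changes show up as reflect entries instead.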

Email alerts

Alert emails are used to notify administrators about events on the FortiGate device, allowing a quick response to any issues.
There are two methods that can be used to configure email alerts:
• Automation stitches on page 913
• Alert emails on page 915
The FortiGate has a default SMTP server, notification.fortinet.net, that provides secure mail service with SMTPS. It is used for all emails that are sent by the FortiGate, including alert emails, automation stitch emails, and FortiToken Mobile activations. You can also configure a custom email service.

To configure a custom email service in the GUI:

1. Go to System > Settings.
2. In the Email Service section, enable Use custom settings.
3. Configure the following settings:

SMTP Server: If required, select Specify and enter the address or name of the SMTP server, such as smtp.example.com.

Port: If required, select Specify and enter a specific port number. The default is port 465.

Authentication: If required by the email server, enable authentication. If enabled, enter the Username and Password.

Security Mode: Set the security mode: None, SMTPS, or STARTTLS.

Default Reply To: Optionally, enter the reply-to email address, such as [email protected]. This address will override the from address that is configured for an alert email.
If SMTP Server is set to Default, the Default Reply To field is hidden and cannot be configured, and the default address is set to [email protected]. This ensures that the default SMTP server can work correctly.

4. Click Apply.

To configure a custom email service in the CLI:

config system email-server
    set server "smtp.fortinet.net"
    set reply-to "[email protected]"
    set port 465
    set authenticate enable
    set username "fortigate"
    set password **********
    set security smtps
end

If server is set to notification.fortinet.net, the reply-to command is hidden and
cannot be configured, and the default reply-to address is set to
[email protected]. This ensures that the default SMTP server can
work correctly.

Automation stitches

Automation stitches can be configured to send emails based on a variety of triggers, giving you control over the events
that cause an alert, and who gets alerted. For more information, see Automation stitches on page 243.
In this example, the default mail service sends an email to two recipients when there is a configuration change or an
Admin login failed event occurs.

To configure the automation stitch in the GUI:

1. On the root FortiGate, go to Security Fabric > Automation and click Create New.
2. Enter a name for the stitch, such as Admin Fail.
3. In the Trigger section, select FortiOS Event Log.
4. Click in the Event field, and in the slide out pane, search for and select Admin login failed.
5. In the Action section, select Email.
6. Configure the Email settings:


a. In the To field, click the plus icon, then enter the two email recipients' addresses, such as [email protected]
and [email protected].
b. Enter the Email subject, such as Admin log in failed.
c. Edit the Email body as required. By default, the email body will include all the fields from the log event that
triggered the stitch.

7. Click OK.
8. Create a second stitch, selecting Configuration Change as the trigger.

To configure the automation stitch in the CLI:

1. Create automation actions to send the email messages:


config system automation-action
edit "Config Change_email"
set action-type email
set email-to "[email protected]" "[email protected]"
set email-subject "Configuration Change Detected"
next
edit "Admin Fail_email"
set action-type email
set email-to "[email protected]" "[email protected]"
set email-subject "Admin log in failed"
next
end

2. Create the automation triggers:


config system automation-trigger
edit "Config Change"
set event-type config-change
next
edit "Admin Fail"
set event-type event-log
set logid 32002
next
end

3. Create the automation stitches:


config system automation-stitch
edit "Config Change"
set trigger "Config Change"
set action "Config Change_email"
next
edit "Admin Fail"
set trigger "Admin Fail"
set action "Admin Fail_email"
next
end

Alert emails

When configuring an alert email, you can define the threshold when an issue becomes critical and requires attention.
When the threshold is reached, an email is sent to up to three recipients on the configured schedule to notify them of the
issue.
Alert email messages can be configured in the CLI. For more information on the available CLI commands, see Configure
alert email settings.

Alert email messages (under config alertemail setting) cannot monitor and notify
users of the current logging status or the status of the miglogd daemon. In the event that the
miglogd daemon is unresponsive, alert email messages cannot be triggered.

In this example, the FortiGate is configured to send email messages to two addresses, [email protected] and
[email protected], every two minutes when multiple intrusions, administrator log in or out events, or configuration
changes occur.

To configure an alert email:

config alertemail setting
set username [email protected]
set mailto1 [email protected]
set mailto2 [email protected]
set filter-mode category
set email-interval 2
set IPS-logs enable
set configuration-changes-logs enable
set admin-login-logs enable
end
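The two stitch triggers above (Admin login failed by log ID, and configuration change) and the alertemail interval batching just described, modelled in a small Python script so the matching and grouping logic can be seen on concrete log lines. This is an added example, not FortiOS or Fortinet code. It assumes that a log line's 10-digit logid ends with the five-digit id given to `set logid`, and that configuration-change event logs carry a `cfgpath` field; the sample log lines (other than logid 32002), the recipient addresses and the interval handling are constructed for the example.

```python
"""Constructed example, not FortiOS code: mirror the page's automation stitch
triggers and the alertemail email-interval batching over sample log lines."""
import re
from datetime import datetime, timedelta

# key=value pairs; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Parse one FortiGate-style key=value log line into a dict (quotes stripped)."""
    fields = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def event_time(fields):
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


# Assumption: the 10-digit logid in a log line ends with the 5-digit id used by
# "set logid" (32002 = Admin login failed on the page).
def admin_login_failed(f):
    return f.get("type") == "event" and f.get("logid", "")[-5:] == "32002"


def config_change(f):
    # Assumption: configuration-change event logs carry a cfgpath field.
    return f.get("type") == "event" and "cfgpath" in f


# Trigger name -> (matcher, email subject), mirroring the two stitches on the page.
TRIGGERS = {
    "Admin Fail": (admin_login_failed, "Admin log in failed"),
    "Config Change": (config_change, "Configuration Change Detected"),
}

# Constructed recipients; alertemail allows at most three (mailto1..mailto3).
RECIPIENTS = ["admin@example.com", "secops@example.com"]
MAX_RECIPIENTS = 3


def render_body(fields):
    """Default stitch body: every field of the triggering log event."""
    return "\n".join(f"{k}={v}" for k, v in fields.items())


def run_triggers(lines, email_interval_minutes=2):
    """Match lines against the triggers. Events for one trigger that fall within
    email_interval_minutes of the window start are grouped into one email."""
    if len(RECIPIENTS) > MAX_RECIPIENTS:
        raise ValueError("alertemail supports at most three recipients")
    emails, windows = [], {}  # windows: trigger -> [window_start, [bodies]]

    def flush(name):
        start, bodies = windows.pop(name)
        emails.append({"trigger": name, "to": list(RECIPIENTS),
                       "subject": TRIGGERS[name][1], "events": len(bodies),
                       "body": "\n\n".join(bodies)})

    for line in lines:
        f = parse_log_line(line)
        ts = event_time(f)
        for name, (match, _subject) in TRIGGERS.items():
            if not match(f):
                continue
            if name in windows and ts - windows[name][0] >= timedelta(minutes=email_interval_minutes):
                flush(name)  # interval elapsed: send what was collected, start a new window
            windows.setdefault(name, [ts, []])[1].append(render_body(f))
    for name in list(windows):
        flush(name)
    return emails


# Constructed sample lines in FortiGate key=value style (not real device output).
SAMPLE_LOGS = [
    'date=2023-07-25 time=10:00:01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(192.0.2.10)" action="login" status="failed" msg="Administrator admin login failed from https(192.0.2.10) because of invalid password"',
    'date=2023-07-25 time=10:00:40 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(192.0.2.10)" action="login" status="failed" msg="Administrator admin login failed from https(192.0.2.10) because of invalid password"',
    'date=2023-07-25 time=10:01:15 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="GUI(192.0.2.20)" action="Edit" cfgpath="system.email-server" cfgattr="server[smtp.example.com]" msg="Edit system.email-server"',
    'date=2023-07-25 time=10:03:05 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(192.0.2.10)" action="login" status="failed" msg="Administrator admin login failed from ssh(192.0.2.10) because of invalid password"',
    'date=2023-07-25 time=10:03:06 logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=192.168.10.5 dstip=198.51.100.7 action="accept"',
]
```

Running `run_triggers(SAMPLE_LOGS)` yields three emails: the first two failed logins (39 seconds apart) share one "Admin log in failed" email, the configuration change gets its own, and the third failed login, more than two minutes after the first, opens a new window and is sent separately. The traffic line matches nothing.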

Trusted platform module support

On supported FortiGate hardware devices, the Trusted Platform Module (TPM) can be used to protect your password
and key against malicious software and phishing attacks. The dedicated module hardens the FortiGate by generating,
storing, and authenticating cryptographic keys. To help prevent tampering, the chip is soldered on the motherboard to
reduce the risk of data transaction interceptions from attackers.


By default, the TPM is disabled. To enable it, you must set the 32 hexadecimal digit master-encryption-password which
encrypts sensitive data on the FortiGate using AES128-CBC. With the password, TPM generates a 2048-bit primary key
to secure the master-encryption-password through RSA-2048 encryption. The master-encryption-password protects the
data. The primary key protects the master-encryption-password.

The TPM module does not encrypt the disk drive of eligible FortiGates.

The primary key binds the encrypted configuration file to a specific FortiGate unit and never leaves the TPM. When
backing up the configuration, the TPM uses the primary key to encrypt the master-encryption-password in the
configuration file. When restoring a configuration that includes a TPM protected master-encryption-password:
l If TPM is disabled, then the configuration cannot be restored.
l If TPM is enabled but has a different master-encryption-password than the configuration file, then the configuration
cannot be restored.
l If TPM is enabled and the master-encryption-password is the same in the configuration file, then the configuration
can be restored.
For information on backing up and restoring the configuration, see Configuration backups on page 57.
Passwords and keys that can be encrypted by the master-encryption-key include:
l Admin password
l Alert email user's password
l BGP and other routing related configurations
l External resource
l FortiGuard proxy password
l FortiToken/FortiToken Mobile’s seed
l HA password
l IPsec pre-shared key
l Link Monitor, server side password
l Local certificate's private key
l Local, LDAP, RADIUS, FSSO, and other user category related passwords
l Modem/PPPoE
l NST password
l NTP Password
l SDN connector, server side password
l SNMP
l Wireless Security related password

In HA configurations, each cluster member must use the same master-encryption-key so that
the HA cluster can form and its members can synchronize their configurations.

To check if your FortiGate device has a TPM:

Verify that all of the following commands exist. Otherwise, the platform does not support TPM.

# diagnose hardware test info
List of test cases:
bios: sysid
bios: checksum
bios: license
bios: detect

# diagnose hardware deviceinfo tpm
TPM capability information of fixed properties:
=========================================================
TPM_PT_FAMILY_INDICATOR: 2.0
TPM_PT_LEVEL: 0
TPM_PT_REVISION: 138
TPM_PT_DAY_OF_YEAR: 8
TPM_PT_YEAR: 2018
TPM_PT_MANUFACTURER: NTC
# diagnose hardware test tpm
=========== Fortinet Hardware Test Report ===================
TPM
TPM Device Detection.......................................... PASS
================= Fortinet Hardware Test PASSED ==============
# diagnose tpm
get-property Get TPM properties. [Take 0-1 arg(s)]
get-var-property Get TPM var properties.
read-clock Read TPM internal clock.
shutdown-prepare Prepare for TPM power cycle.
selftest Perform self tests.
generate-random-number Generate a 4-byte random number
SHA-1 HASH a sequence of num with SHA-1 algo
SHA-256 HASH a sequence of num with SHA-256 algo

To enable TPM and input the master-encryption-password:

config system global
set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
********************************
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
********************************
Your private data encryption key is accepted.
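A pre-flight check for the procedures above, written as an added Python example (not FortiOS or Fortinet code): it parses the `diagnose hardware deviceinfo tpm` and `diagnose hardware test tpm` output shown on the page to confirm a TPM is present, validates a candidate master-encryption-password against the 32 hexadecimal digit requirement, and applies the three restore rules listed above. The sample outputs are copied from the page's example; comparing the passwords by value is a stand-in for the device's own check, and the hypothetical device object is constructed for the example.

```python
"""Constructed example, not FortiOS code: pre-flight checks before enabling
private-data-encryption or restoring a TPM-protected configuration backup."""
import hmac
import re

# Sample 'diagnose hardware deviceinfo tpm' output, values as shown on the page.
SAMPLE_TPM_INFO = """\
TPM capability information of fixed properties:
=========================================================
TPM_PT_FAMILY_INDICATOR: 2.0
TPM_PT_LEVEL: 0
TPM_PT_REVISION: 138
TPM_PT_DAY_OF_YEAR: 8
TPM_PT_YEAR: 2018
TPM_PT_MANUFACTURER: NTC
"""

# Sample 'diagnose hardware test tpm' report, as shown on the page.
SAMPLE_TPM_TEST = """\
=========== Fortinet Hardware Test Report ===================
TPM
TPM Device Detection.......................................... PASS
================= Fortinet Hardware Test PASSED ==============
"""


def parse_tpm_properties(text):
    """Collect TPM_PT_* properties into a dict; an empty dict means no TPM output."""
    props = {}
    for m in re.finditer(r"^(TPM_PT_\w+):\s*(\S+)\s*$", text, re.MULTILINE):
        props[m.group(1)] = m.group(2)
    return props


def tpm_detected(test_report):
    """True when the hardware test reports TPM Device Detection as PASS."""
    m = re.search(r"^TPM Device Detection\.*\s*(PASS|FAIL)\s*$", test_report, re.MULTILINE)
    return bool(m and m.group(1) == "PASS")


_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def valid_master_encryption_password(value):
    """The guide requires exactly 32 hexadecimal digits (128 bits, matching AES128-CBC)."""
    return bool(_HEX32.match(value))


def restore_allowed(tpm_enabled, device_password, backup_password):
    """Apply the guide's three rules for restoring a TPM-protected backup.

    Returns (allowed, reason). The constant-time comparison of the two
    passwords is a stand-in for the device-side check (assumption)."""
    if not tpm_enabled:
        return False, "TPM (private-data-encryption) is disabled on this unit"
    if not hmac.compare_digest(device_password.lower(), backup_password.lower()):
        return False, "master-encryption-password differs from the one in the backup"
    return True, "same master-encryption-password; the configuration can be restored"


def preflight(info_output, test_output, tpm_enabled, device_password, backup_password):
    """Combine the checks into one verdict for a planned restore (constructed helper)."""
    if not parse_tpm_properties(info_output) or not tpm_detected(test_output):
        return False, "no TPM detected; this platform does not support the feature"
    if not valid_master_encryption_password(backup_password):
        return False, "backup password is not 32 hexadecimal digits"
    return restore_allowed(tpm_enabled, device_password, backup_password)
```

With the page's sample output and matching passwords, `preflight` returns an allowed verdict; a disabled TPM or a differing password is refused before any restore is attempted.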

Virtual Domains

Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently.
VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and
VPN services for each connected network.
There are two VDOM modes:
l Split-task VDOM mode: One VDOM is used only for management, and the other is used to manage traffic. See
Split-task VDOM mode on page 920.


l Multi VDOM mode: Multiple VDOMs can be created and managed as independent units. See Multi VDOM mode on
page 923 and Backing up and restoring configurations in multi VDOM mode on page 939.
By default, most FortiGate units support 10 VDOMs, and many FortiGate models support purchasing a license key to
increase the maximum number.
Global settings are configured outside of a VDOM. They affect the entire FortiGate, and include settings such as
interfaces, firmware, DNS, some logging and sandboxing options, and others. Global settings should only be changed
by top level administrators.

Enable the following to prevent accidentally creating VDOMs in the CLI:

config system global
set edit-vdom-prompt enable
end

The FortiGate displays a prompt to confirm before the VDOM is created.

Switching VDOM modes

Current VDOM mode    New VDOM mode      Rule
No VDOM              Split-task VDOM    Allowed
Split-task VDOM      No VDOM            Allowed
No VDOM              Multi VDOM         Allowed only if the FortiGate is not a member of a Security Fabric. See Configuring the root FortiGate and downstream FortiGates on page 144 for more information.
Multi VDOM           No VDOM            Allowed
Split-task VDOM      Multi VDOM         Allowed only if the FortiGate is not a member of a Security Fabric. See Configuring the root FortiGate and downstream FortiGates on page 144 for more information.
Multi VDOM           Split-task VDOM    Not allowed. The user must first switch to No VDOM.

Global and per-VDOM resources

Global and per-VDOM resources can be configured when the FortiGate is in Split-Task or Multi VDOM mode. Global
resources apply to resources that are shared by the whole FortiGate, while per-VDOM resources are specific to each
VDOM.
By default, all per-VDOM resource settings are set to have no limits. This means that any single VDOM can use all of the
FortiGate device's resources. This could deprive other VDOMs of the resources that they require, to the point that they
could be unable to function. We recommend setting maximum values on the resources that are vital to you.


To configure global resources:

1. In the Global VDOM, go to System > Global Resources.


2. Enable the resource's override in the Override Maximum column, then enter the override value.

3. Click Apply.
To reset all of the override values, click Reset All.

To configure per-VDOM resources:

1. In the Global VDOM, go to System > VDOM.


2. Edit the VDOM whose resources need to be configured.
3. Enable the resource's override in the Override Maximum column, then enter the override value.
4. Optionally, enter a value in the Guaranteed column.

5. Click OK.
To reset all of the override values, click Reset All.


Split-task VDOM mode

In split-task VDOM mode, the FortiGate has two VDOMs: the management VDOM (root) and the traffic VDOM (FG-
traffic).

The management VDOM is used to manage the FortiGate, and cannot be used to process traffic.
The following GUI sections are available when in the management VDOM:
l The Status dashboard
l Security Fabric topology and settings (read-only, except for HTTP Service settings)
l Interface and static route configuration
l FortiClient configuration
l Replacement messages
l Certificates
l System events
l Log and email alert settings
l Threat weight definitions
The traffic VDOM provides separate security policies, and is used to process all network traffic.
The following GUI sections are available when in the traffic VDOM:
l The Status, Top Usage LAN/DMZ, and Security dashboards
l Security Fabric topology, settings (read-only, except for HTTP Service settings), and External Connectors
(Endpoint/Identity connectors only)
l FortiView
l Interface configuration
l Packet capture
l SD-WAN, SD-WAN Rules, and Performance SLA
l Static and policy routes
l RIP, OSPF, BGP, and Multicast
l Replacement messages
l Feature visibility
l Tags
l Certificates
l Policies and objects
l Security profiles
l VPNs
l User and device authentication
l WiFi and switch controller
l Logging
l Monitoring
Split-task VDOM mode is not available on all FortiGate models. The Fortinet Security Fabric supports split-task VDOM
mode.


Enable split-task VDOM mode

Split-task VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of
the FortiGate.

When split-task VDOM mode is enabled, all current management configuration is assigned to
the root VDOM, and all non-management settings, such as firewall policies and security
profiles, are deleted.

On VMs and FortiGate 60 series models and lower, VDOMs can only be enabled using the
CLI.

To enable split-task VDOM mode in the GUI:

1. On the FortiGate, go to System > Settings.


2. In the System Operation Settings section, enable Virtual Domains.

3. Select Split-Task VDOM for the VDOM mode.


4. Select a Dedicated Management Interface from the Interface list. This interface is used to access the management
VDOM, and cannot be used in firewall policies.
5. Click OK.

To enable split-task VDOM mode with the CLI:

config system global
set vdom-mode split-vdom
end

Assign interfaces to a VDOM

An interface can only be assigned to one of the VDOMs. When split-task VDOM mode is enabled, all interfaces are
assigned to the root VDOM. To use an interface in a policy, it must first be assigned to the traffic VDOM.
An interface cannot be moved if it is referenced in an existing configuration.


In the GUI, the interface list Ref. column shows if the interface is referenced in an existing
configuration, and allows you to quickly access and edit those references.

To assign an interface to a VDOM in the GUI:

1. On the FortiGate, go to Global > Network > Interfaces.


2. Edit the interface that will be assigned to a VDOM.
3. Select the VDOM that the interface will be assigned to from the Virtual Domain list.

4. Click OK.

To assign an interface to a VDOM using the CLI:

config global
config system interface
edit <interface>
set vdom <VDOM_name>
next
end
end

Create per-VDOM administrators

Per-VDOM administrators can be created that can access only the management or traffic VDOM. These administrators
must use either the prof_admin administrator profile, or a custom profile.
A per-VDOM administrator can only access the FortiGate through a network interface that is assigned to the VDOM that
they are assigned to. The interface must also be configured to allow management access. They can also connect to the
FortiGate using the console port.
To assign an administrator to multiple VDOMs, they must be created at the global level. When creating an administrator
at the VDOM level, the super_admin administrator profile cannot be used.


To create a per-VDOM administrator in the GUI:

1. On the FortiGate, connect to the management VDOM.


2. Go to Global > System > Administrators and click Create New > Administrator.
3. Fill in the required information, setting the Type as Local User.
4. In the Virtual Domains field, add the VDOM that the administrator will be assigned to, and if necessary, remove the
other VDOM from the list.

5. Click OK.

To create a per-VDOM administrator using the CLI:

config global
config system admin
edit <name>
set vdom <VDOM_name>
set password <password>
set accprofile <admin_profile>
...
next
end
end

Multi VDOM mode

In multi VDOM mode, the FortiGate can have multiple VDOMs that function as independent units. One VDOM is used to
manage global settings. The root VDOM cannot be deleted, and remains in the configuration even if it is not processing
any traffic.
Multi VDOM mode isn't available on all FortiGate models. The Fortinet Security Fabric does not support multi VDOM
mode.
There are three main configuration types in multi VDOM mode:


Independent VDOMs:

Multiple, completely separate VDOMs are created. Any VDOM can be the management VDOM, as long as it has Internet
access. There are no inter-VDOM links, and each VDOM is independently managed.

Management VDOM:

A management VDOM is located between the other VDOMs and the Internet, and the other VDOMs connect to the
management VDOM with inter-VDOM links. The management VDOM has complete control over Internet access,
including the types of traffic that are allowed in both directions. This can improve security, as there is only one point of
ingress and egress.
There is no communication between the other VDOMs.

Meshed VDOMs:

VDOMs can communicate with inter-VDOM links. In full-mesh configurations, all the VDOMs are interconnected. In
partial-mesh configurations, only some of the VDOMs are interconnected.
In this configuration, proper security must be achieved by using firewall policies and ensuring secure account access for
administrators and users.


Multi VDOM configuration examples

The following examples show how to configure per-VDOM settings, such as operation mode, routing, and security
policies, in a network that includes the following VDOMs:
l VDOM-A: allows the internal network to access the Internet.
l VDOM-B: allows external connections to an FTP server.
l root: the management VDOM.

You can use VDOMs in either NAT or transparent mode on the same FortiGate. By default, VDOMs operate in NAT
mode.
For both examples, multi VDOM mode must be enabled, and VDOM-A and VDOM-B must be created.

Enable multi VDOM mode

Multi VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of the
device. The current configuration is assigned to the root VDOM.

On VMs and FortiGate 60 series models and lower, VDOMs can only be enabled using the
CLI.

To enable multi VDOM mode in the GUI:

1. On the FortiGate, go to System > Settings.


2. In the System Operation Settings section, enable Virtual Domains.
3. Select Multi VDOM for the VDOM mode.
4. Click OK.

To enable multi VDOM mode with the CLI:

config system global
set vdom-mode multi-vdom
end


Create the VDOMs

To create the VDOMs in the GUI:

1. In the Global VDOM, go to System > VDOM, and click Create New. The New Virtual Domain page opens.

2. In the Virtual Domain field, enter VDOM-A.


3. If required, set the NGFW Mode. If the NGFW Mode is Policy-based, select an SSL/SSH Inspection from the list.
4. Optionally, enter a comment.
5. Click OK to create the VDOM.
6. Repeat the above steps for VDOM-B.

To create the VDOMs with the CLI:

config vdom
edit VDOM-A
next
edit VDOM-B
next
end

NAT mode

In this example, both VDOM-A and VDOM-B use NAT mode. A VDOM link is created that allows users on the internal
network to access the FTP server.
This configuration requires the following steps:
1. Configure VDOM-A on page 926
2. Configure VDOM-B on page 928
3. Configure the VDOM link on page 931

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this
VDOM.
The per-VDOM configuration for VDOM-A includes the following:
l A firewall address for the internal network
l A static route to the ISP gateway
l A security policy allowing the internal network to access the Internet
All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator
account.


To add the firewall addresses in the GUI:

1. Go to Policy & Objects > Addresses and create a new address.


2. Enter the following information:

Name internal-network

Type Subnet

Subnet / IP Range 192.168.10.0/255.255.255.0

Interface port1

Show in Address List enabled

To add the firewall addresses with the CLI:

config vdom
edit VDOM-A
config firewall address
edit internal-network
set associated-interface port1
set subnet 192.168.10.0 255.255.255.0
next
end
next
end

To add a default route in the GUI:

1. Go to Network > Static Routes and create a new route.


2. Enter the following information:

Destination Subnet

IP address 0.0.0.0/0.0.0.0

Gateway 172.20.201.7

Interface wan1

Distance 10

To add a default route with the CLI:

config vdom
edit VDOM-A
config router static
edit 0
set gateway 172.20.201.7
set device wan1
next
end
next
end


To add the security policy in the GUI:

1. Connect to VDOM-A.
2. Go to Policy & Objects > Firewall Policy and create a new policy.
3. Enter the following information:

Name VDOM-A-Internet

Incoming Interface port1

Outgoing Interface wan1

Source internal-network

Destination all

Schedule always

Service ALL

Action ACCEPT

NAT enabled

To add the security policy with the CLI:

config vdom
edit VDOM-A
config firewall policy
edit 0
set name VDOM-A-Internet
set srcintf port1
set dstintf wan1
set srcaddr internal-network
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.
The per-VDOM configuration for VDOM-B includes the following:
l A firewall address for the FTP server
l A virtual IP address for the FTP server
l A static route to the ISP gateway
l A security policy allowing external traffic to reach the FTP server
All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator
account.


To add the firewall addresses in the GUI:

1. Go to Policy & Objects > Addresses and create a new address.


2. Enter the following information:

Address Name FTP-server

Type Subnet

Subnet / IP Range 192.168.20.10/32

Interface port2

Show in Address List enabled

To add the firewall addresses with the CLI:

config vdom
edit VDOM-B
config firewall address
edit FTP-server
set associated-interface port2
set subnet 192.168.20.10 255.255.255.255
next
end
next
end

To add the virtual IP address in the GUI:

1. Go to Policy & Objects > Virtual IPs and create a new virtual IP address.


2. Enter the following information:

Name FTP-server-VIP

Interface wan2

External IP Address/Range 172.25.177.42

Internal IP Address/Range 192.168.20.10

To add the virtual IP address with the CLI:

config vdom
edit VDOM-B
config firewall vip
edit FTP-server-VIP
set extip 172.25.177.42
set extintf wan2
set mappedip 192.168.20.10
next
end
next
end


To add a default route in the GUI:

1. Go to Network > Static Routes and create a new route.


2. Enter the following information:

Destination Subnet

IP address 0.0.0.0/0.0.0.0

Gateway 172.20.10.10

Interface wan2

Distance 10

To add a default route with the CLI:

config vdom
edit VDOM-B
config router static
edit 0
set device wan2
set gateway 172.20.10.10
next
end
next
end

To add the security policy in the GUI:

1. Go to Policy & Objects > Firewall Policy and create a new policy.


2. Enter the following information:

Name Access-server

Incoming Interface wan2

Outgoing Interface port2

Source all

Destination FTP-server-VIP

Schedule always

Service FTP

Action ACCEPT

NAT enabled

To add the security policy with the CLI:

config vdom
edit VDOM-B
config firewall policy
edit 0
set name Access-server
set srcintf wan2
set dstintf port2
set srcaddr all
set dstaddr FTP-server-VIP
set action accept
set schedule always
set service FTP
set nat enable
next
end
next
end

Configure the VDOM link

The VDOM link allows connections from VDOM-A to VDOM-B. This allows users on the internal network to access the
FTP server through the FortiGate.
The configuration for the VDOM link includes the following:
l The VDOM link interface
l Firewall addresses for the FTP server on VDOM-A and for the internal network on VDOM-B
l Static routes for the FTP server on VDOM-A and for the internal network on VDOM-B
l Policies allowing traffic using the VDOM link
All procedures in this section require you to connect to the global VDOM using a global administrator account.

To add the VDOM link in the GUI:

1. Connect to root.
2. Go to Global > Network > Interfaces and select Create New > VDOM link.
3. Enter the following information:

Name VDOM-link

Interface 0

Virtual Domain VDOM-A

IP/Netmask 0.0.0.0/0.0.0.0

Interface 1

Virtual Domain VDOM-B

IP/Netmask 0.0.0.0/0.0.0.0

To add the VDOM link with the CLI:

config global
config system vdom-link
edit VDOM-link
next
end
config system interface
edit VDOM-link0
set vdom VDOM-A
set ip 0.0.0.0 0.0.0.0
next
edit VDOM-link1
set vdom VDOM-B
set ip 0.0.0.0 0.0.0.0
next
end
end

To add the firewall address on VDOM-A in the GUI:

1. Connect to VDOM-A.
2. Go to Policy & Objects > Addresses and create a new address.
3. Enter the following information:

Address Name FTP-server

Type Subnet

Subnet / IP Range 192.168.20.10/32

Interface VDOM-link0

Show in Address List enabled

Static Route Configuration enabled

To add the firewall addresses on VDOM-A with the CLI:

config vdom
edit VDOM-A
config firewall address
edit FTP-server
set associated-interface VDOM-link0
set allow-routing enable
set subnet 192.168.20.10 255.255.255.255
next
end
next
end

To add the static route on VDOM-A in the GUI:

1. Connect to VDOM-A.
2. Go to Network > Static Routes and create a new route.
3. Enter the following information:

Destination Named Address

Named Address FTP-server

Gateway 0.0.0.0

Interface VDOM-link0


To add the static route on VDOM-A with the CLI:

config vdom
edit VDOM-A
config router static
edit 0
set device VDOM-link0
set dstaddr FTP-server
next
end
next
end

To add the security policy on VDOM-A in the GUI:

1. Connect to VDOM-A.
2. Go to Policy & Objects > Firewall Policy and create a new policy.
3. Enter the following information:

Name Access-FTP-server

Incoming Interface port1

Outgoing Interface VDOM-link0

Source internal-network

Destination FTP-server

Schedule always

Service FTP

Action ACCEPT

NAT disabled

To add the security policy on VDOM-A with the CLI:

config vdom
edit VDOM-A
config firewall policy
edit 0
set name Access-FTP-server
set srcintf port1
set dstintf VDOM-link0
set srcaddr internal-network
set dstaddr FTP-server
set action accept
set schedule always
set service FTP
next
end
next
end


To add the firewall address on VDOM-B in the GUI:

1. Connect to VDOM-B.
2. Go to Policy & Objects > Addresses and create a new address.
3. Enter the following information:

Address Name internal-network

Type Subnet

Subnet / IP Range 192.168.10.0/24

Interface VDOM-link1

Show in Address List enabled

Static Route Configuration enabled

To add the firewall addresses on VDOM-B with the CLI:

config vdom
edit VDOM-B
config firewall address
edit internal-network
set associated-interface VDOM-link1
set allow-routing enable
set subnet 192.168.10.0 255.255.255.0
next
end
next
end

To add the static route on VDOM-B in the GUI:

1. Connect to VDOM-B.
2. Go to Network > Static Routes and create a new route.
3. Enter the following information:

Destination Named Address

Named Address internal-network

Gateway 0.0.0.0

Interface VDOM-link1

To add the static route on VDOM-B with the CLI:

config vdom
edit VDOM-B
config router static
edit 0
set device VDOM-link1
set dstaddr internal-network
next
end
next
end

To add the security policy on VDOM-B in the GUI:

1. Connect to VDOM-B.
2. Go to Policy & Objects > Firewall Policy and create a new policy.
3. Enter the following information:

Name Internal-server-access

Incoming Interface VDOM-link1

Outgoing Interface port2

Source internal-network

Destination FTP-server

Schedule always

Service FTP

Action ACCEPT

NAT disabled

To add the security policy on VDOM-B with the CLI:

config vdom
edit VDOM-B
config firewall policy
edit 0
set name Internal-server-access
set srcintf VDOM-link1
set dstintf port2
set srcaddr internal-network
set dstaddr FTP-server
set action accept
set schedule always
set service FTP
next
end
next
end
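The NAT mode example just completed spans several sections (interface assignment, the VDOM link, and the per-VDOM policies), and the constraints the guide states along the way are easy to break when the configuration is scripted: an interface belongs to exactly one VDOM, a policy may only reference interfaces assigned to its own VDOM, and a VDOM link joins two different VDOMs. The following added Python example (not FortiOS or Fortinet code) models the example's interfaces and policies, checks those constraints, and renders the `config firewall policy` block in CLI syntax. The NAT check reflects that the guide's link policies keep NAT disabled; the data structures and finding messages are constructed for the example.

```python
"""Constructed example, not FortiOS code: model the guide's NAT mode multi VDOM
example, check the constraints the guide states, and render the policy CLI."""

# Each interface belongs to exactly one VDOM (guide: "An interface can only be
# assigned to one of the VDOMs"). VDOM-link0 and VDOM-link1 are the link's ends.
INTERFACES = {
    "wan1": "VDOM-A", "port1": "VDOM-A",
    "wan2": "VDOM-B", "port2": "VDOM-B",
    "VDOM-link0": "VDOM-A", "VDOM-link1": "VDOM-B",
}
VDOM_LINKS = {"VDOM-link": ("VDOM-link0", "VDOM-link1")}

# Firewall policies from the guide's NAT mode example, keyed by VDOM.
POLICIES = {
    "VDOM-A": [
        {"name": "VDOM-A-Internet", "srcintf": "port1", "dstintf": "wan1",
         "srcaddr": "internal-network", "dstaddr": "all",
         "service": "ALL", "nat": True},
        {"name": "Access-FTP-server", "srcintf": "port1", "dstintf": "VDOM-link0",
         "srcaddr": "internal-network", "dstaddr": "FTP-server",
         "service": "FTP", "nat": False},
    ],
    "VDOM-B": [
        {"name": "Access-server", "srcintf": "wan2", "dstintf": "port2",
         "srcaddr": "all", "dstaddr": "FTP-server-VIP",
         "service": "FTP", "nat": True},
        {"name": "Internal-server-access", "srcintf": "VDOM-link1", "dstintf": "port2",
         "srcaddr": "internal-network", "dstaddr": "FTP-server",
         "service": "FTP", "nat": False},
    ],
}


def validate(interfaces, vdom_links, policies):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    link_ends = {end for ends in vdom_links.values() for end in ends}
    for link, (a, b) in vdom_links.items():
        if a not in interfaces or b not in interfaces:
            findings.append(f"{link}: link interface not assigned to any VDOM")
        elif interfaces[a] == interfaces[b]:
            findings.append(f"{link}: both ends in {interfaces[a]}, a link must join two VDOMs")
    for vdom, plist in policies.items():
        for p in plist:
            # A policy can only use interfaces assigned to its own VDOM.
            for side in ("srcintf", "dstintf"):
                owner = interfaces.get(p[side])
                if owner is None:
                    findings.append(f"{vdom}/{p['name']}: {p[side]} is not assigned to any VDOM")
                elif owner != vdom:
                    findings.append(f"{vdom}/{p['name']}: {p[side]} belongs to {owner}, cannot be used here")
            # The guide's link policies leave NAT disabled (the link ends carry
            # no IP address), so NAT on a link policy is flagged for review.
            if p["nat"] and (p["srcintf"] in link_ends or p["dstintf"] in link_ends):
                findings.append(f"{vdom}/{p['name']}: NAT enabled on a VDOM link policy")
    return findings


def render_policies(vdom, plist):
    """Render the per-VDOM 'config firewall policy' block in FortiOS CLI syntax."""
    out = ["config vdom", f"    edit {vdom}", "        config firewall policy"]
    for p in plist:
        out += ["            edit 0",
                f"                set name {p['name']}",
                f"                set srcintf {p['srcintf']}",
                f"                set dstintf {p['dstintf']}",
                f"                set srcaddr {p['srcaddr']}",
                f"                set dstaddr {p['dstaddr']}",
                "                set action accept",
                "                set schedule always",
                f"                set service {p['service']}"]
        if p["nat"]:
            out.append("                set nat enable")
        out.append("            next")
    out += ["        end", "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print(validate(INTERFACES, VDOM_LINKS, POLICIES) or "layout consistent")
    for name, plist in POLICIES.items():
        print(render_policies(name, plist))
```

Run as-is the layout passes and the rendered blocks match the page's CLI procedures. Moving `port1` to VDOM-B in `INTERFACES` produces one finding per VDOM-A policy that references it, which is the situation the guide describes when an interface has not yet been assigned to the traffic VDOM that needs it.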

NAT and transparent mode

In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.
This configuration requires the following steps:
1. Configure VDOM-A on page 936
2. Configure VDOM-B on page 938


Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this
VDOM.
The per-VDOM configuration for VDOM-A includes the following:
l A firewall address for the internal network
l A static route to the ISP gateway
l A security policy allowing the internal network to access the Internet
All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator
account.

To add the firewall addresses in the GUI:

1. Go to Policy & Objects > Addresses and create a new address.


2. Enter the following information:

Name internal-network

Type Subnet

Subnet / IP Range 192.168.10.0/24

Interface port1

Show in Address List enabled

To add the firewall addresses with the CLI:

config vdom
edit VDOM-A
config firewall address
edit internal-network
set associated-interface port1
set subnet 192.168.10.0 255.255.255.0
next
end
next
end

To add a default route in the GUI:

1. Go to Network > Static Routes and create a new route.


2. Enter the following information:

Destination Subnet

IP address 0.0.0.0/0.0.0.0

Gateway 172.20.201.7

Interface wan1

Distance 10


To add a default route with the CLI:

config vdom
edit VDOM-A
config router static
edit 0
set gateway 172.20.201.7
set device wan1
next
end
next
end

To add the security policy in the GUI:

1. Connect to VDOM-A.
2. Go to Policy & Objects > Firewall Policy and create a new policy.
3. Enter the following information:

Name VDOM-A-Internet

Incoming Interface port1

Outgoing Interface wan1

Source internal-network

Destination all

Schedule always

Service ALL

Action ACCEPT

NAT enabled

To add the security policy with the CLI:

config vdom
edit VDOM-A
config firewall policy
edit 0
set name VDOM-A-Internet
set srcintf port1
set dstintf wan1
set srcaddr internal-network
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
end


Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.
The per-VDOM configuration for VDOM-B includes the following:
l A firewall address for the FTP server
l A static route to the ISP gateway
l A security policy allowing external traffic to reach the FTP server
All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator
account.

To add the firewall addresses in the GUI:

1. Go to Policy & Objects > Addresses and create a new address.


2. Enter the following information:

Address Name FTP-server

Type Subnet

Subnet / IP Range 172.25.177.42/32

Interface port2

Show in Address List enabled

To add the firewall addresses with the CLI:

config vdom
edit VDOM-B
config firewall address
edit FTP-server
set associated-interface port2
set subnet 172.25.177.42 255.255.255.255
next
end
next
end

To add a default route in the GUI:

1. Go to Network > Routing Table and create a new route.


2. Enter the following information:

Destination Subnet

IP address 0.0.0.0/0.0.0.0

Gateway 172.20.10.10

To add a default route with the CLI:

config vdom
edit VDOM-B
config router static
edit 0
set gateway 172.20.10.10
next
end
next
end

To add the security policy in the GUI:

1. Connect to VDOM-B.
2. Go to Policy & Objects > Firewall Policy and create a new policy.
3. Enter the following information:

Name Access-server

Incoming Interface wan2

Outgoing Interface port2

Source all

Destination FTP-server

Schedule always

Service FTP

Action ACCEPT

To add the security policy with the CLI:

config vdom
edit VDOM-B
config firewall policy
edit 0
set name Access-server
set srcintf wan2
set dstintf port2
set srcaddr all
set dstaddr FTP-server
set action accept
set schedule always
set service FTP
next
end
next
end
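The two policy procedures above (VDOM-A and VDOM-B) reference address objects by name, and a policy is only as good as the object it points at. The following Python script is an added example written for this guide, not part of FortiOS or Fortinet's documentation: it parses a VDOM configuration in the CLI syntax shown above and reports any srcaddr or dstaddr value that the same VDOM does not define. The interactive CLI rejects such a reference when it is typed, so the check is meant for configuration text that is reviewed or generated offline before it is applied. The sample configuration, the parser and the helper names are constructed for the example, and only the config / edit / set / next / end subset used in this chapter is handled.

```python
"""Offline check that every firewall policy in a FortiOS VDOM configuration only
references address objects the same VDOM defines.

Added example for this guide, not Fortinet code. Only the config / edit / set /
next / end subset used in this chapter is parsed, and each VDOM is assumed to
be self-contained (no global address objects)."""
import shlex

# Constructed sample: VDOM-B as shown above, except that the policy points at
# "FTP-server-VIP", which this VDOM never defines (it defines "FTP-server").
SAMPLE_CONFIG = """
config vdom
edit VDOM-B
config firewall address
edit FTP-server
set associated-interface port2
set subnet 172.25.177.42 255.255.255.255
next
end
config firewall policy
edit 0
set name Access-server
set srcintf wan2
set dstintf port2
set srcaddr all
set dstaddr FTP-server-VIP
set action accept
set schedule always
set service FTP
next
end
next
end
"""

# Address objects that exist in every VDOM without being configured (subset).
BUILTIN_ADDRESSES = {"all"}


def parse_config(text):
    """Parse nested CLI text into {vdom: {table: {entry: {key: [values]}}}}."""
    vdoms = {}
    stack = []            # [table_name, current_entry] for each open 'config'
    current_vdom = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append([" ".join(args), None])
        elif cmd == "edit":
            table = stack[-1][0]
            stack[-1][1] = args[0]
            if table == "vdom":
                current_vdom = args[0]
                vdoms.setdefault(current_vdom, {})
            else:
                vdoms[current_vdom].setdefault(table, {}).setdefault(args[0], {})
        elif cmd == "set":
            table, entry = stack[-1]
            vdoms[current_vdom][table][entry][args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return vdoms


def find_dangling_addresses(vdoms):
    """Return (vdom, policy, field, object) for every srcaddr/dstaddr value that
    is neither a configured address, an address group nor a builtin."""
    findings = []
    for vdom, tables in vdoms.items():
        defined = (set(tables.get("firewall address", {}))
                   | set(tables.get("firewall addrgrp", {}))
                   | BUILTIN_ADDRESSES)
        for entry, policy in tables.get("firewall policy", {}).items():
            name = policy.get("name", [entry])[0]
            for field in ("srcaddr", "dstaddr"):
                for obj in policy.get(field, []):
                    if obj not in defined:
                        findings.append((vdom, name, field, obj))
    return findings


if __name__ == "__main__":
    for vdom, policy, field, obj in find_dangling_addresses(parse_config(SAMPLE_CONFIG)):
        print(f"{vdom}: policy {policy} {field} references undefined address object {obj}")
```

Run against the sample, the script reports the dstaddr of Access-server; replacing FTP-server-VIP with FTP-server, as in the corrected procedure, clears the finding. The same parser can be pointed at a full VDOM backup file, since the nesting rules are the same.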

Backing up and restoring configurations in multi VDOM mode

When a FortiGate is in multi VDOM mode, the configuration can be backed up or restored using the GUI or the CLI.
Backup and restoration permissions depend on the VDOM administrator when in multi VDOM mode:
- A global super_admin can back up and restore the global configuration or the configuration of a specific VDOM.
- A VDOM administrator of one VDOM can only back up and restore the configuration of the current VDOM.
- A VDOM administrator of multiple VDOMs can back up and restore the configuration of multiple VDOMs.

To back up the configuration using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
2. Select VDOM for the Scope. The VDOM dropdown menu is displayed.
3. Select the VDOM you want to back up.
4. Direct the backup to your Local PC or to a USB Disk.
5. Enable Encryption.
This is recommended to secure your backup configurations and prevent unauthorized parties from reloading your
configuration.

6. Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
7. Click OK.
8. When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will
have a .conf extension.

To restore the FortiGate configuration using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
2. Select VDOM for the Scope. The VDOM dropdown menu is displayed.
3. Select the VDOM that you want to restore the configuration for.
4. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.
The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from the
FortiManager using the CLI.
5. Click Upload, locate the configuration file, and click Open.

Confirm that the configuration file you are uploading is for the same VDOM selected from the dropdown menu.

6. Enter the password if required.
7. Click OK.

Backing up configurations in the CLI

Configuration backups can be performed in the CLI using the execute backup commands. If you are backing up a
VDOM configuration instead of the global configuration, first enter the commands:
config vdom
edit <vdom_name>

Configurations can be backed up in FortiOS format.

Configuration files can be backed up to various locations depending on the command:
- flash: Backup the configuration file to the flash drive.
- ftp: Backup the configuration file to an FTP server.
- sftp: Backup the configuration file to an SFTP server.
- tftp: Backup the configuration file to a TFTP server.
- usb: Backup the configuration file to an external USB drive.

Command: # execute backup config
Description: Back up the configuration in FortiOS format. Backup your configuration file to flash, ftp, sftp, tftp, or usb.

Command: # execute backup full-config
Description: Backup the configuration, including backups of default configuration settings. Backup your configuration
file to ftp, sftp, tftp, or usb.

To back up the configuration in FortiOS format using the CLI:

For FTP, note that port number and username are optional depending on the FTP site:
config vdom
edit <vdom_name>
execute backup config ftp <backup_filename> <ftp_server>[<:ftp_port>] [<password>] [<backup_password>]

or for TFTP:
config vdom
edit <vdom_name>
execute backup config tftp <backup_filename> <tftp_server> [<backup_password>]

or for SFTP:
config vdom
edit <vdom_name>
execute backup config sftp <backup_filename> <sftp_server>[<:sftp_port>] <password> [<backup_password>]

or for an external USB:
config vdom
edit <vdom_name>
execute backup config usb <backup_filename> [<backup_password>]

Restoring configurations in the CLI

Restoring configurations can be performed in the CLI using the execute restore commands. If you are restoring a
VDOM configuration instead of the global configuration, first enter the commands:

config vdom
edit <vdom_name>

When restoring a VDOM configuration, ensure that the configuration file is for the correct VDOM specified.

Command: # execute restore config
Description: Restore a configuration that is in FortiOS format. Configurations can be loaded from:
- dhcp: Load the configuration through DHCP.
- flash: Load the configuration file from flash to firewall.
- ftp: Load the configuration file from an FTP server.
- tftp: Load the configuration from a TFTP server.
- usb: Load the configuration file from an external USB disk to firewall.

To restore the FortiGate configuration in FortiOS format using the CLI:

For FTP, note that port number and username are optional depending on the FTP site:
config vdom
edit <vdom_name>
execute restore config ftp <file_path> <ftp_server>[<:port>] [<FTP password>] [<password>]

or for TFTP:
config vdom
edit <vdom_name>
execute restore config tftp <file_name> <tftp_server> [<password>]

or for DHCP:
config vdom
edit <vdom_name>
execute restore config dhcp <port> [<VLAN_ID>]

or for flash:
config vdom
edit <vdom_name>
execute restore config flash <revision_ID>

or for an external USB:
config vdom
edit <vdom_name>
execute restore config usb <file_name> [<password>]

High Availability

Whether your FortiGate is used as a security gateway, an internal segmentation firewall, in the cloud, or in an MSSP
environment, as long as there is critical traffic passing through it, there is risk of it being a single point of failure. Physical
outages can occur due to power failures, physical link failures, transceiver failures, or power supply failures. Non-physical
outages can be caused by routing, resource issues, or kernel panic.
Network outages cause disruptions to business operations, downtime, and frustration for users and in some situations
may have financial setbacks. In designing your network and architecture, it is important to weigh the risks and
consequences associated with unexpected outages.
There are many ways to build redundancy and resiliency. In a switching network, you can accomplish this by adding
redundant links and switches in partial or full mesh topologies. Using redundant and aggregate links, you can avoid a
single link failure causing a network to go down. Using SD-WAN, you can build redundant and intelligent WAN load
balancing and failover architectures.
FortiGate HA offers several solutions for adding redundancy in the case where a failure occurs on the FortiGate, or is
detected by the FortiGate through monitored links, routes, and other health checks. These solutions support fast failover
to avoid lengthy network outages and disruptions to your traffic.

FortiGate Clustering Protocol (FGCP)

FGCP provides a solution for two key requirements of critical enterprise networking components: enhanced reliability
and increased performance. Enhanced reliability is achieved through device failover protection, link failover protection,
and remote link failover protection. Session failover protection for most IPv4 and IPv6 sessions also contributes to
enhanced reliability. Increased performance is achieved through active-active HA load balancing.

FortiGate Session Life Support Protocol (FGSP)

In a network that already includes load balancing (either with load balancers or routers) for traffic redundancy, two
entities (either standalone FortiGates or FGCP clusters) can be integrated into the load balancing configuration using the
FortiGate Session Life Support Protocol (FGSP). The external load balancers or routers can distribute sessions among
the FortiGates and the FGSP performs session synchronization of IPv4 and IPv6 TCP, SCTP, UDP, ICMP, expectation,
and NAT sessions to keep the session tables of both entities synchronized. In the event of a failure, the load balancer
can detect the failed unit and failover the sessions to other active members to continue processing the traffic.

VRRP

FortiGates can function as primary or backup Virtual Router Redundancy Protocol (VRRP) routers. The FortiGates can
quickly and easily integrate into a network that has already deployed VRRP. A FortiGate can be integrated into a VRRP
group with any third-party VRRP devices, and VRRP can provide redundancy between multiple FortiGates. FortiOS
supports VRRP version 2 and 3.
The following topics provide more information about each HA solution and other HA related topics:
- FGCP on page 943
- FGSP on page 991
- Using standalone configuration synchronization on page 1017
- VRRP on page 1019

FGCP

High availability (HA) is usually required in a system where there is high demand for little downtime. There are usually
hot-swaps, backup routes, or standby backup units and as soon as the active entity fails, backup entities will start
functioning. This results in minimal interruption for the users.

The FortiGate Clustering Protocol (FGCP) is a proprietary HA solution whereby FortiGates can find other member
FortiGates to negotiate and create a cluster. A FortiGate HA cluster consists of at least two FortiGates (members)
configured for HA operation. All FortiGates in the cluster must be the same model and have the same firmware installed.
Cluster members must also have the same hardware configuration (such as the same number of hard disks). All cluster
members share the same configurations except for their host name and priority in the HA settings. The cluster works like
a device but always has a hot backup device.

Critical cluster components

The following are critical components in an HA cluster:
- Identical heartbeat connections and interfaces: members will use this to communicate with each other. In general, a
two-member cluster is most common. We recommend double back-to-back heartbeat connections (as
demonstrated in the topology).
- Identical connections for internal and external interfaces: we recommend similar connections from each member to
the switches for the cluster to function properly (as demonstrated in the topology).

The HA heartbeat interface communicates with each unit in the cluster using the same
heartbeat interface for each member.
For example, if port1 and port2 are the heartbeat interfaces for the HA cluster, then in a cluster
consisting of two members:
- port1 of the primary FortiGate should be connected to port1 of the secondary FortiGate.
- port2 of the primary FortiGate should be connected to port2 of the secondary FortiGate.

General operation

The following are best practices for general cluster operation:
- Ensure that heartbeat communication is present (see HA heartbeat interface on page 946).
- Enable the session synchronization option in daily operation (see FGSP basic peer setup on page 994).
- Monitor traffic flowing in and out of the interfaces.

Failover

FGCP provides failover protection in the following scenarios:
- The active device loses power.
- A monitored interface loses a connection.
After failover occurs, the user will not notice any difference, except that the active device has changed. See Failover
protection on page 946 for more information.

Synchronizing the configuration

FGCP uses a combination of incremental and periodic synchronization to make sure that the configuration of all cluster
units is synchronized to that of the primary unit.
The following settings are not synchronized between cluster units:
- The FortiGate host name
- GUI Dashboard widgets
- HA override
- HA device priority
- The virtual cluster priority
- The HA priority setting for a ping server (or dead gateway detection) configuration
- The system interface settings of the HA reserved management interface
- The HA default route for the reserved management interface, set using the ha-mgmt-interface-gateway
option of the config system ha command
Most subscriptions and licenses are not synchronized, as each FortiGate must be licensed individually. FortiToken
Mobile is an exception; they are registered to the primary unit and synchronized to the secondary units.
The primary unit synchronizes all other configuration settings, including the other HA configuration settings.
All synchronization activity takes place over the HA heartbeat link using TCP/703 and UDP/703 packets.
The following topics provide more information about FGCP:
- Failover protection on page 946
- HA heartbeat interface on page 946
- HA active-passive cluster setup on page 955
- HA active-active cluster setup on page 956
- HA virtual cluster setup on page 958
- Check HA sync status on page 961
- Out-of-band management with reserved management interfaces on page 963
- In-band management on page 969
- Upgrading FortiGates in an HA cluster on page 969
- HA between remote sites over managed FortiSwitches on page 970
- HA using a hardware switch to replace a physical switch on page 975
- VDOM exceptions on page 978
- Override FortiAnalyzer and syslog server settings on page 980
- Routing NetFlow data over the HA management interface on page 984
- Force HA failover for testing and demonstrations on page 986
- Disabling stateful SCTP inspection on page 988
- Querying autoscale clusters for FortiGate VM on page 989
- Troubleshoot an HA formation on page 990

Failover protection

The FortiGate Clustering Protocol (FGCP) provides failover protection, meaning that a cluster can provide FortiGate
services even when one of the devices in the cluster encounters a problem that would result in the complete loss of
connectivity for a stand-alone FortiGate unit. Failover protection provides a backup mechanism that can be used to
reduce the risk of unexpected downtime, especially in mission-critical environments.
FGCP supports failover protection in three ways:
1. Link failover maintains traffic flow if a link fails.
2. If a device loses power, it automatically fails over to a backup unit with minimal impact on the network.
3. Optionally, if an SSD fails, it can automatically fail over to a backup unit.
When session-pickup is enabled in the HA settings, existing TCP sessions are kept, and users on the network are not
impacted by downtime as the traffic can be passed without reestablishing the sessions.

When and how the failover happens

1. Link fails

Before triggering a failover when a link fails, the administrator must ensure that monitor interfaces are configured.
Normally, the internal interface that connects to the internal network, and an outgoing interface for traffic to the internet or
outside the network, should be monitored. Any of those links going down will trigger a failover.

2. Loss of power for active unit.

When an active (primary) unit loses power, a backup (secondary) unit automatically becomes the active, and the impact
on traffic is minimal. There are no settings for this kind of fail over.

3. SSD failure

HA failover can be triggered by an SSD failure.

To enable an SSD failure triggering HA fail over:

config system ha
set ssd-failover enable
end

HA heartbeat interface

The HA heartbeat allows cluster units to communicate with each other. The heartbeat consists of hello packets that are
sent at regular intervals by the heartbeat interface of all cluster units. The hello packets describe the state of the cluster
unit (including communication sessions) and are used by other cluster units to keep the cluster synchronized. While the
cluster is operating, the HA heartbeat confirms that all cluster units are functioning normally.


HA heartbeat packets are Layer 2 Ethernet frames that use EtherType values of 0x8890 and 0x8891 rather than 0x0800
for normal 802.3 IP packets. The default time interval between HA heartbeats is 200 ms.
As a best practice, it is recommended to isolate the heartbeat devices from the user networks by connecting the
heartbeat devices to a dedicated switch that is not connected to any network. The heartbeat packets contain sensitive
information about the cluster configuration and may use a considerable amount of network bandwidth. If the cluster
consists of two FortiGates, connect the heartbeat device interfaces back-to back using a crossover cable. If there are
more than two FortiGates, each heartbeat interface should be connected to a dedicated switch. For example, in a four-
member HA cluster with two heartbeat interfaces, there would be two switches (one switch dedicated to each interface).
Upon starting up, a FortiGate configured for HA broadcasts HA heartbeat hello packets from its HA heartbeat interface to
find other FortiGates configured to operate in HA mode. If two or more FortiGates operating in HA mode connect with
each other, they compare HA configurations (mode, password, and group ID). If the HA configurations match, then the
units negotiate to form a cluster.

The HA heartbeat interface communicates with each unit in the cluster using the same
heartbeat interface for each member.
For example, if port1 and port2 are the heartbeat interfaces for the HA cluster, then in a cluster
consisting of two members:
- port1 of the primary FortiGate should be connected to port1 of the secondary FortiGate.
- port2 of the primary FortiGate should be connected to port2 of the secondary FortiGate.

Configuring an HA heartbeat interface

A heartbeat interface is an Ethernet network interface in a cluster that is used by the FGCP for HA heartbeat
communications between cluster units.
By default, two interfaces are configured to be heartbeat interfaces on most FortiGate models. The heartbeat interface
configuration can be changed to select an additional or different heartbeat interface. It is possible to select only one
heartbeat interface; however, this is not a recommended configuration (see Split brain scenario on page 948).
Another important setting in the HA configuration is the heartbeat interface priority. In all cases, the heartbeat interface
with the highest priority is used for all HA heartbeat communication. If the interface fails or becomes disconnected, then
the selected heartbeat interface with the next highest priority handles all HA heartbeat communication.
If more than one heartbeat interface has the same priority, the heartbeat interface with the highest priority that is also
highest in the heartbeat interface list is used for all HA heartbeat communication. If this interface fails or becomes
disconnected, then the selected heartbeat interface with the highest priority that is next highest in the list handles all
heartbeat communication (see Selecting heartbeat packets and interfaces on page 948).
The default heartbeat interface configuration sets the priority of both heartbeat interfaces to 50, and the range is 0 to 512.
When selecting a new heartbeat interface, the default priority is 0. The higher the number, the higher the priority.
In most cases, the default heartbeat interface configuration can be maintained as long as the heartbeat interfaces are
connected. Configuring HA heartbeat interfaces is the same for virtual clustering and for standard HA clustering. Up to
eight heartbeat interfaces can be selected. This limit only applies to FortiGates with more than eight physical interfaces.

Heartbeat communications can be enabled on physical interfaces, but not on switch ports,
VLAN subinterfaces, IPsec VPN interfaces, redundant interfaces, or 802.3ad aggregate
interfaces.


To change the heartbeat interfaces in the GUI:

1. Go to System > HA and select a Mode.
2. Click the + in the Heartbeat interfaces field to select an interface.
3. Click OK.

To configure two interfaces as heartbeat interfaces with the same priority in the CLI:

config system ha
set hbdev port4 150 port5 150
end

In this example, port4 and port5 are configured as the HA heartbeat interfaces and they both have a priority of 150.

To configure two interfaces as heartbeat interfaces with different priorities in the CLI:

config system ha
set hbdev port4 100 port1 50
end

In this example, port4 and port1 are configured as the HA heartbeat interfaces. The priority for port4 is higher (100) than
port1 (50), so port4 is the preferred HA heartbeat interface.

Split brain scenario

At least one heartbeat interface must be selected for the HA cluster to function correctly. This interface must be
connected to all the units in the cluster. If heartbeat communication is interrupted and cannot fail over to a second
heartbeat interface, then the cluster units will not be able to communicate with each other and more than one cluster unit
may become a primary unit. As a result, the cluster stops functioning normally because multiple devices on the network
may be operating as primary units with the same IP and MAC addresses creating a split brain scenario. See Split brain
scenario on page 991 for more information.

Sharing heartbeat interfaces with traffic ports

HA heartbeat and data traffic is supported on the same cluster interface. In NAT mode, if the heartbeat interfaces are
used for processing network traffic, then the interface can be assigned any IP address. The IP address does not affect
HA heartbeat traffic.
In transparent mode, the heartbeat interface can be connected to the network with management access enabled on the
same interface. A management connection would then be established to the interface using the transparent mode
management IP address. This configuration does not affect HA heartbeat traffic.
While these configurations are allowable, they are not recommended. When possible, use dedicated interfaces for
heartbeat traffic.

Selecting heartbeat packets and interfaces

HA heartbeat hello packets are sent constantly by all of the enabled heartbeat interfaces. Using these hello packets,
each cluster unit confirms that the other cluster units are still operating. The FGCP selects one of the heartbeat
interfaces to be used for communication between the cluster units. This interface is used for heartbeat communication
and is based on the linkfail states of the heartbeat interfaces, the heartbeat interface priority, and the interface index. The
connected heartbeat interface with the highest priority is selected for heartbeat communication.


If more than one connected heartbeat interface has the highest priority, then the FGCP selects the heartbeat interface
with the lowest interface index. The interface index order is visible in the CLI by running the diagnose netlink
interface list command.
If the interface that is processing heartbeat traffic fails or becomes disconnected, the FGCP uses the same criteria to
select another heartbeat interface for heartbeat communication. If the original heartbeat interface is fixed or
reconnected, the FGCP selects this interface again for heartbeat communication.
The HA heartbeat interface communicates cluster session information, synchronizes the cluster configuration,
synchronizes the cluster kernel routing table, and reports individual cluster member statuses. The HA heartbeat
constantly communicates HA status information to make sure that the cluster is operating properly.
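The selection rules just described (connected interfaces only, highest priority first, lowest interface index on a tie, and failback when the original interface returns) can be modelled offline. The following Python is an added example written for this guide, not Fortinet code: it applies the limits stated above (at most eight heartbeat interfaces, priority 0 to 512), reproduces the selection order, and shows the case where no heartbeat interface is connected, which is the precondition for the split brain scenario. The interface indexes are assumed values; on a FortiGate they come from diagnose netlink interface list.

```python
"""Model of the FGCP heartbeat interface selection rules: linkfail state, then
hbdev priority, then lowest interface index, with failback when the original
interface is reconnected.

Added example for this guide, not Fortinet code. It reproduces the documented
rules for offline reasoning; it does not query a FortiGate."""
from dataclasses import dataclass


@dataclass
class HeartbeatInterface:
    name: str
    index: int          # position in 'diagnose netlink interface list' (assumed values here)
    priority: int       # hbdev priority, 0 - 512
    link_up: bool = True


def validate_hbdev(interfaces):
    """Enforce the limits stated in this chapter: 1 to 8 heartbeat interfaces,
    each with a priority between 0 and 512."""
    if not 1 <= len(interfaces) <= 8:
        raise ValueError("between 1 and 8 heartbeat interfaces must be configured")
    for hb in interfaces:
        if not 0 <= hb.priority <= 512:
            raise ValueError(f"{hb.name}: priority {hb.priority} outside 0 - 512")
    return True


def select_heartbeat_interface(interfaces):
    """Return the interface FGCP would use for heartbeat traffic, or None when
    no heartbeat interface is connected (the split brain precondition)."""
    connected = [hb for hb in interfaces if hb.link_up]
    if not connected:
        return None
    # highest priority wins; ties go to the lowest interface index
    return min(connected, key=lambda hb: (-hb.priority, hb.index))


def simulate_link_events(interfaces, events):
    """Replay (interface_name, link_up) changes and record which interface
    carries the heartbeat after each one (None = no heartbeat path left)."""
    validate_hbdev(interfaces)
    by_name = {hb.name: hb for hb in interfaces}
    chosen = []
    for name, up in events:
        by_name[name].link_up = up
        selected = select_heartbeat_interface(interfaces)
        chosen.append(selected.name if selected else None)
    return chosen


if __name__ == "__main__":
    # 'set hbdev port4 150 port5 150' from the example above; port4 assumed to have the lower index
    hbdevs = [HeartbeatInterface("port4", 4, 150), HeartbeatInterface("port5", 5, 150)]
    events = [("port4", False), ("port4", True), ("port5", False), ("port4", False)]
    print(simulate_link_events(hbdevs, events))
```

With equal priorities the lower index (port4) is chosen, port5 takes over when port4 is disconnected, port4 is selected again as soon as it returns, and the final event, with both links down, yields no heartbeat path at all; that last state is the one the single-interface configuration above cannot recover from.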

Modifying heartbeat timing

The heartbeat interval and heartbeat lost threshold are two variables that dictate the length of time one cluster unit will
wait before determining a peer is dead.
config system ha
set hb-interval <integer>
set hb-interval-in-milliseconds {100 | 10}
set hb-lost-threshold <integer>
end

hb-interval <integer>                      Set the time between sending heartbeat packets; increase to reduce false
                                           positives (1 - 20, default = 2).
hb-interval-in-milliseconds {100 | 10}     Set the number of milliseconds for each heartbeat interval (100 or 10,
                                           default = 100).
hb-lost-threshold <integer>                Set the number of lost heartbeats to signal a failure; increase to reduce false
                                           positives (1 - 60, default = 20).

Heartbeats are sent out every 2 × 100 ms, and it takes 20 consecutive lost heartbeats for a cluster member to be
detected as dead. Therefore, it takes by default 2 × 100 ms × 20 = 4000 ms, or 4 seconds, for a failure to be detected.
Sub-second heartbeat failure detection can be achieved by lowering the interval and threshold or lowering the heartbeat
interval unit of measurement from 100 ms to 10 ms.
If the primary unit does not receive a heartbeat packet from a subordinate unit before the heartbeat threshold expires,
the primary unit assumes that the subordinate unit has failed.
If a subordinate unit does not receive a heartbeat packet from the primary unit before the heartbeat threshold expires,
the subordinate unit assumes that the primary unit has failed. The subordinate unit then begins negotiating to become
the new primary unit.
The HA heartbeat packets consume more bandwidth if the heartbeat interval is short. But if the heartbeat interval is very
long, the cluster is not as sensitive to topology and other network changes. Therefore, gauge your settings based on the
amount of traffic and CPU usage sustainable by the cluster units versus the tolerance for an outage when the primary
unit fails. Avoid using the heartbeat interfaces as traffic ports to prevent congesting the interfaces.
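The arithmetic above (hb-interval × hb-interval-in-milliseconds × hb-lost-threshold) determines how long a failed peer goes undetected. The following Python is an added example, not Fortinet code: it validates the three settings against the documented ranges, computes the detection time, reports the resulting hello rate per interface (the bandwidth side of the trade-off), and lists the combinations that meet a target such as sub-second detection while still requiring several consecutive lost heartbeats, so that a single dropped hello does not trigger a failover. The min_lost_threshold parameter is the example's own choice, not a FortiOS setting.

```python
"""Failure detection time from the three heartbeat timing settings, plus a
search for settings that meet a detection-time target within the documented
ranges. Added example for this guide, not Fortinet code."""

HB_INTERVAL_RANGE = (1, 20)        # hb-interval
HB_UNIT_MS_CHOICES = (100, 10)     # hb-interval-in-milliseconds
HB_LOST_RANGE = (1, 60)            # hb-lost-threshold


def failure_detection_ms(hb_interval=2, hb_interval_unit_ms=100, hb_lost_threshold=20):
    """Milliseconds before a peer is declared dead:
    hb-interval x hb-interval-in-milliseconds x hb-lost-threshold."""
    if not HB_INTERVAL_RANGE[0] <= hb_interval <= HB_INTERVAL_RANGE[1]:
        raise ValueError("hb-interval must be 1 - 20")
    if hb_interval_unit_ms not in HB_UNIT_MS_CHOICES:
        raise ValueError("hb-interval-in-milliseconds must be 100 or 10")
    if not HB_LOST_RANGE[0] <= hb_lost_threshold <= HB_LOST_RANGE[1]:
        raise ValueError("hb-lost-threshold must be 1 - 60")
    return hb_interval * hb_interval_unit_ms * hb_lost_threshold


def heartbeats_per_second(hb_interval=2, hb_interval_unit_ms=100):
    """Hello packets each unit sends per second on each heartbeat interface."""
    return 1000 / (hb_interval * hb_interval_unit_ms)


def settings_for_target(target_ms, min_lost_threshold=3):
    """All valid (detection_ms, hb_interval, unit_ms, hb_lost_threshold) tuples
    whose detection time is at or below target_ms, slowest first. The example's
    own min_lost_threshold keeps several consecutive losses required so that one
    dropped hello cannot cause a failover (the chapter's false-positive note)."""
    combos = []
    lowest_lost = max(min_lost_threshold, HB_LOST_RANGE[0])
    for unit in HB_UNIT_MS_CHOICES:
        for interval in range(HB_INTERVAL_RANGE[0], HB_INTERVAL_RANGE[1] + 1):
            for lost in range(lowest_lost, HB_LOST_RANGE[1] + 1):
                ms = failure_detection_ms(interval, unit, lost)
                if ms <= target_ms:
                    combos.append((ms, interval, unit, lost))
    combos.sort(key=lambda c: (-c[0], c[1], c[2], c[3]))
    return combos


if __name__ == "__main__":
    print("default detection time:", failure_detection_ms(), "ms,",
          heartbeats_per_second(), "hellos/s per interface")
    for ms, interval, unit, lost in settings_for_target(999)[:5]:
        print(f"{ms} ms: hb-interval {interval}, hb-interval-in-milliseconds {unit}, "
              f"hb-lost-threshold {lost}, {heartbeats_per_second(interval, unit):.0f} hellos/s")
```

The defaults give the 4000 ms quoted above at 5 hellos per second; the sub-second candidates show that the 10 ms unit reaches the target with a much larger lost threshold than the 100 ms unit can, at the cost of a higher hello rate on the heartbeat link.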

Changing the time to wait in the hello state

The hello state hold down time is the number of seconds that a cluster unit waits before changing from hello state to work
state. After a failure or when starting up, cluster units operate in the hello state to send and receive heartbeat packets so
that all the cluster units can find each other and form a cluster. A cluster unit should change from the hello state to work
state after it finds all the other FortiGates to form a cluster with.
If all cluster units cannot find each other during the hello state, then some cluster units may join the cluster after it has
formed. This can cause disruptions to the cluster and affect how it operates. A delay could occur if the cluster units are
located at different sites or if communication is delayed between the heartbeat interfaces. If delays occur, increase the
cluster units wait time in the hello state.
config system ha
set hello-holddown <integer>
end

hello-holddown <integer> Set the time to wait before changing from hello to work state, in seconds (5 - 300,
default = 20).

Configuring HA heartbeat encryption and authentication

HA heartbeat encryption and authentication can be enabled to encrypt and authenticate HA heartbeat packets. HA
heartbeat packets should be encrypted and authenticated if the cluster interfaces that send HA heartbeat packets are
also connected to the networks. HA heartbeat encryption and authentication are disabled by default. Note that enabling
these settings could reduce cluster performance.
config system ha
set authentication {enable | disable}
set encryption {enable | disable}
end

If HA heartbeat packets are not encrypted, the cluster password and changes to the cluster configuration could be
exposed. An attacker may be able to sniff HA packets to get cluster information. Enabling HA heartbeat message
authentication prevents an attacker from creating false HA heartbeat messages. False HA heartbeat messages could
affect the stability of the cluster.
HA authentication and encryption uses AES-128 for encryption and SHA1 for authentication. Heartbeat messages are
encrypted and encapsulated in ESP packets for transfer in an IPsec tunnel between the cluster members.

Heartbeat bandwidth requirements

The majority of the traffic processed by the HA heartbeat interface is session synchronization traffic. Other heartbeat
interface traffic required to synchronize IPsec states, IPsec keys, routing tables, configuration changes, and so on is
usually negligible.
The amount of traffic required for session synchronization depends on the connections per second (CPS) that the cluster
is processing, since only new sessions (and session table updates) need to be synchronized.
Another factor to consider is that if session pickup is enabled, the traffic on the heartbeat interface surges during a
failover or when a unit joins or re-joins the cluster. When one of these events occurs, the entire session table needs to be
synchronized. Lower throughput HA heartbeat interfaces may increase failover time if they cannot handle the higher
demand during these events.
The amount of heartbeat traffic can also be reduced by:
- Turning off session pickup if it is not needed
- Enabling session-pickup-delay to reduce the number of sessions that are synchronized
- Using the session-sync-dev option to move session synchronization traffic off of the heartbeat link

Heartbeat packet EtherTypes

Normal 802.3 IP packets have an EtherType field value of 0x0800. EtherType values other than 0x0800 are understood
as Layer 2 frames rather than IP packets.
HA heartbeat packets use the following EtherTypes:

Field value: 0x8890
Function: Heartbeat
Description: Heartbeat packets are used by cluster units to find other cluster units, and to verify the status of other
cluster units while the cluster is operating. Use the ha-eth-type option to change the EtherType.

Field value: 0x8891
Function: Traffic redistribution from primary to subordinate
Description: These are used when the HA primary needs to redistribute traffic packets and the corresponding session
information to the subordinate units in A-A mode. Use the hc-eth-type option to change the EtherType.

Field value: 0x8892
Function: Session synchronization
Description: Session synchronization uses the heartbeat interfaces for communication, unless session synchronization
devices are specified. See Session synchronization on page 951 for more information.

Field value: 0x8893
Function: HA Telnet sessions (configuration synchronization)
Description: The Telnet sessions are used to synchronize the cluster configurations, and to connect from one cluster
unit's CLI to another when an administrator uses the execute ha manage command. Use the l2ep-eth-type option to
change the EtherType.

Session synchronization

Since large amounts of session synchronization traffic can increase network congestion, it is recommended to keep this
traffic off of the network and separate from the HA heartbeat interfaces by using dedicated connections for it. The
interfaces are configured in the session-sync-dev setting.
The session synchronization device interfaces must be connected together by directly using the appropriate cable or
using switches. If one of the interfaces becomes disconnected, then the cluster uses the remaining interfaces for session
synchronization. If all the session synchronization interfaces become disconnected, then session synchronization
reverts to using the HA heartbeat link.
All session synchronization traffic is between the primary unit and each subordinate unit. Session synchronization
always uses UDP/708, but this will be encapsulated differently depending on the session-sync-dev setting. If
session-sync-dev is specified, the packets will use 0x8892 and will exit over the mentioned port. If
session-sync-dev is not specified, the packets will use 0x8893 and will exit the heartbeat port.
Session synchronization packets are typically processed by a single CPU core because all source and destination MAC
addresses of the L2 frames are the same. Hashing based on the L2 addresses maps the processing of the frames to the
same core. When large amounts of session synchronization traffic must be processed, enable the
sync-packet-balance setting to distribute the processing to more cores. This effectively uses a larger set of MAC
addresses for the hashing to map to multiple cores.

FortiOS 6.4.13 Administration Guide 951


Fortinet Inc.
System

Troubleshooting heartbeat packets

Understanding the different types of heartbeat packets will ease troubleshooting. Heartbeat packets are recognized as
Layer 2 frames. The switches and routers on the heartbeat network that connect to heartbeat interfaces must be
configured to allow them to pass through. If Layer 2 frames are dropped by these network devices, then the heartbeat
traffic will not be allowed between the cluster units.
For example, some third-party network equipment may not allow EtherType 0x8893. The unit can still be found in the HA
cluster, but you would be unable to run execute ha manage to manage the other unit. If the connected switch requires
different values for the traffic to be forwarded, use the following settings to change the EtherTypes of the HA
heartbeat packets.
config system ha
set ha-eth-type <hex_value>
set hc-eth-type <hex_value>
set l2ep-eth-type <hex_value>
end

To change the EtherType values of the heartbeat and HA Telnet session packets:

config system ha
set ha-eth-type 8895
set l2ep-eth-type 889f
end

For troubleshooting issues with packets sent or received on the HA heartbeat ports, use the following diagnostic
command to sniff the traffic by EtherType.
# diagnose sniffer packet any 'ether proto <EtherType_in_hex>' 6 0 l

To sniff the traffic on EtherType 0x8890:

# diagnose sniffer packet any 'ether proto 0x8890' 6 0 l


Using Original Sniffing Mode
interfaces=[any]
filters=[ether proto 0x8890]
2022-10-19 16:22:26.512813 port5 out Ether type 0x8890 printer hasn't been added to sniffer.

2022-10-19 16:22:26.545236 port5 in Ether type 0x8890 printer hasn't been added to sniffer.
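The capture above can be decoded programmatically rather than by eye. The following Python script is an added example and is not part of the FortiOS guide or any Fortinet tool: it parses verbose-level-6 sniffer output (a constructed sample modelled on the capture above, with an invented one-way 0x8893 frame), decodes each frame's Ethernet header, maps the EtherType to its FGCP purpose using the ha-eth-type, hc-eth-type and l2ep-eth-type values in effect, and lists the purposes this unit sends but never receives, which is what a switch dropping one of the EtherTypes looks like from a cluster member.

```python
"""Decode FGCP frames from FortiOS `diagnose sniffer packet ... 6 0 l` output.

Added example, not part of the FortiOS guide or any Fortinet tool. It reads the
verbose-level-6 dump, decodes the Ethernet header of each frame, maps the EtherType
to its FGCP purpose using the configured ha-eth-type / hc-eth-type / l2ep-eth-type
values, and flags purposes the unit transmits but never receives.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# FortiOS defaults for the three configurable EtherTypes (config system ha).
# 0x8892, session synchronization over session-sync-dev, is not configurable.
DEFAULT_ETH_TYPES = {"ha-eth-type": 0x8890, "hc-eth-type": 0x8891, "l2ep-eth-type": 0x8893}
SESSION_SYNC_ETH_TYPE = 0x8892
PURPOSE = {
    "ha-eth-type": "heartbeat",
    "hc-eth-type": "A-A traffic redistribution",
    "l2ep-eth-type": "HA Telnet / config sync",
}
# Frame summary line printed at verbose level 6, e.g.
# "2022-10-19 16:22:26.512813 port5 out Ether type 0x8890 printer hasn't been added to sniffer."
HEADER_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\S+) (in|out) ")

# Constructed sample modelled on the capture in the guide: the two 0x8890 frames are
# the guide's, the lone outbound 0x8893 frame is invented to show a one-way EtherType.
SAMPLE_OUTPUT = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[ether proto 0x8890 or ether proto 0x8893]
2022-10-19 16:22:26.512813 port5 out Ether type 0x8890 printer hasn't been added to sniffer.
0x0000   0000 0000 0000 000c 293b e61c 8890 5201   ........);....R.
0x0010   020c 6e65 7700 0000 0000 0000 0000 0000   ..new...........
2022-10-19 16:22:26.545236 port5 in Ether type 0x8890 printer hasn't been added to sniffer.
0x0000   ffff ffff ffff 000c 29ca ba5d 8890 5201   ........)..]..R.
0x0010   020c 6e65 7700 0000 0000 0000 0000 0000   ..new...........
2022-10-19 16:22:27.004100 port5 out Ether type 0x8893 printer hasn't been added to sniffer.
0x0000   ffff ffff ffff 000c 293b e61c 8893 0000   ........);......
"""


@dataclass
class Frame:
    timestamp: str
    interface: str
    direction: str  # "in" or "out"
    dst_mac: str
    src_mac: str
    eth_type: int


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_sniffer_output(text: str) -> List[Frame]:
    """Decode dst MAC, src MAC and EtherType of every frame in the dump.

    Only the 0x0000 line of each frame is needed: its first seven 16-bit words
    are the 14-byte Ethernet header, which sits before the ASCII column.
    """
    frames: List[Frame] = []
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groups()
            continue
        words = line.split()
        if header is not None and words and words[0] == "0x0000" and len(words) >= 8:
            raw = bytes.fromhex("".join(words[1:8]))
            frames.append(Frame(*header, _mac(raw[0:6]), _mac(raw[6:12]),
                                int.from_bytes(raw[12:14], "big")))
            header = None  # the remaining dump lines of this frame are not needed
    return frames


def classify(frame: Frame, eth_types: Optional[Dict[str, int]] = None) -> Optional[str]:
    """FGCP purpose of a frame under the given EtherType settings, or None if not FGCP."""
    types = {**DEFAULT_ETH_TYPES, **(eth_types or {})}
    if frame.eth_type == SESSION_SYNC_ETH_TYPE:
        return "session sync (session-sync-dev)"
    for option, value in types.items():
        if value == frame.eth_type:
            return PURPOSE[option]
    return None


def purposes_not_received(frames: List[Frame], eth_types=None) -> List[str]:
    """FGCP purposes seen only outbound: sent by this unit, never received from the peer."""
    directions = defaultdict(set)
    for frame in frames:
        purpose = classify(frame, eth_types)
        if purpose is not None:
            directions[purpose].add(frame.direction)
    return sorted(p for p, dirs in directions.items() if dirs == {"out"})


if __name__ == "__main__":
    frames = parse_sniffer_output(SAMPLE_OUTPUT)
    for f in frames:
        print(f"{f.timestamp} {f.interface} {f.direction:3} {f.src_mac} -> {f.dst_mac} "
              f"0x{f.eth_type:04x} {classify(f) or 'not FGCP'}")
    print("sent but never received:", purposes_not_received(frames))
```

When the defaults have been changed under config system ha, pass the same values (for example {"l2ep-eth-type": 0x889f}) to classify() and purposes_not_received() so the frames are mapped against the EtherTypes actually in use.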

Interface IP addresses

An FGCP cluster communicates heartbeat packets using Layer 2 frames over the physical heartbeat interface, but it also
communicates other synchronization traffic, logs, and locally generated traffic from subordinate devices over Layer 3 IP
packets. Additional virtual interfaces are created in the hidden vsys_ha VDOM, which need to be addressed with IPv4
addresses.


The FGCP uses link-local IPv4 addresses (see RFC 3927) in the 169.254.0.x range for the virtual HA heartbeat interface
(port_ha) and for the inter-VDOM link interfaces between the vsys_ha and management VDOM. When members join an
HA cluster, each member's heartbeat interface (port_ha) is assigned an IP address from the range of 169.254.0.1 to
169.254.0.63/26. HA inter-VDOM link interfaces (havdlink0 and havdlink1) are assigned IP addresses from the range of
169.254.0.65 to 169.254.0.66/26.
The IP address that is assigned to a virtual heartbeat interface depends on the serial number priority of the member.
Higher serial numbers have a higher priority, and therefore a lower serialno_prio number, for example:
# diagnose sys ha status
...
FGVM08TM20002002: Secondary, serialno_prio=0, usr_priority=128, hostname=FGVM08TM20002002
FGVM08TM19003001: Primary, serialno_prio=1, usr_priority=128, hostname=FGVM08TM19003001

The member with serialno_prio=0 is assigned IP address 169.254.0.1, serialno_prio=1 is assigned
169.254.0.2, and so forth.

To view the HA heartbeat interface IP address of the primary unit:

# get system ha status
...
vcluster 1: work 169.254.0.2
...

To view all the assigned IP addresses of a device:

# diagnose ip address list
IP=172.16.151.84->172.16.151.84/255.255.255.0 index=3 devname=port1
IP=192.168.2.204->192.168.2.204/255.255.255.0 index=6 devname=port2
IP=10.10.10.1->10.10.10.1/255.255.255.0 index=9 devname=port3
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=13 devname=root
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=16 devname=vsys_ha
IP=169.254.0.2->169.254.0.2/255.255.255.192 index=17 devname=port_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=18 devname=vsys_fgfm
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=19 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=20 devname=havdlink1

When generating traffic from a subordinate unit, traffic will be routed to the primary unit’s port_ha virtual heartbeat
interface. From there, if traffic is destined to another network, the traffic is routed from the vsys_ha VDOM to the
management VDOM by the havdlink interfaces.
Use the execute traceroute command on the subordinate unit to display HA heartbeat IP addresses and the HA
inter-VDOM link IP addresses.


To trace the route to an IP address on a subordinate unit:

# execute ha manage 1
# execute traceroute 172.20.20.10
traceroute to 172.20.20.10 (172.20.20.10), 32 hops max, 72 byte packets
1 169.254.0.1 0 ms 0 ms 0 ms
2 169.254.0.66 0 ms 0 ms 0 ms
3 172.20.20.10 0 ms 0 ms 0 ms

To run a sniffer trace on the primary unit to view the traffic flow:

# diagnose sniffer packet any 'net 169.254.0.0/24' 4 0 l

HA active-passive cluster setup

An HA Active-Passive (A-P) cluster can be set up using the GUI or CLI.

This example uses the following network topology:

To set up an HA A-P cluster using the GUI:

1. Make all the necessary connections as shown in the topology diagram.
2. Log into one of the FortiGates.
3. Go to System > HA and set the following options:
Mode: Active-Passive
Device priority: 128 or higher
Group name: Example_cluster
Heartbeat interfaces: ha1 and ha2
Except for the device priority, these settings must be the same on all FortiGates in the cluster.


4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
5. Click OK.
The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the
HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate's interfaces.
6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting
setting the device priority, to join the cluster.

To set up an HA A-P cluster using the CLI:

1. Make all the necessary connections as shown in the topology diagram.
2. Log into one of the FortiGates.
3. Change the hostname of the FortiGate:
config system global
set hostname Example1_host
end

Changing the host name makes it easier to identify individual cluster units in the cluster operations.
4. Enable HA:
config system ha
set mode a-p
set group-name Example_cluster
set hbdev ha1 10 ha2 20
end

5. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
6. Repeat steps 1 to 5 on the other FortiGate devices to join the cluster.

HA active-active cluster setup

An HA Active-Active (A-A) cluster can be set up using the GUI or CLI.

FGCP in Active-Active mode cannot load balance any sessions that traverse NPU VDOM links
or regular VDOM links. If Active-Active session load balancing between VDOMs is required,
use an external router to handle the inter-VDOM routing.


This example uses the following network topology:

To set up an HA A-A cluster using the GUI:

1. Make all the necessary connections as shown in the topology diagram.
2. Log into one of the FortiGates.
3. Go to System > HA and set the following options:
Mode: Active-Active
Device priority: 128 or higher
Group name: Example_cluster
Heartbeat interfaces: ha1 and ha2
Except for the device priority, these settings must be the same on all FortiGates in the cluster.

4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
5. Click OK.
The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the
HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate's interfaces.


6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting
setting the device priority, to join the cluster.

To set up an HA A-A cluster using the CLI:

1. Make all the necessary connections as shown in the topology diagram.
2. Log into one of the FortiGates.
3. Change the hostname of the FortiGate:
config system global
set hostname Example1_host
end

Changing the host name makes it easier to identify individual cluster units in the cluster operations.
4. Enable HA:
config system ha
set mode a-a
set group-name Example_cluster
set hbdev ha1 10 ha2 20
end

5. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
6. Repeat steps 1 to 5 on the other FortiGate devices to join the cluster.

HA virtual cluster setup

Virtual clustering is an extension of FGCP HA that provides failover protection between two instances of one or more
VDOMs operating on two FortiGates that are in a virtual cluster. A standard virtual cluster consists of FortiGates that are
operating in active-passive HA mode with multiple VDOMs enabled.
Active-passive virtual clustering uses VDOM partitioning to send traffic for some VDOMs to the primary FortiGate and
traffic for other VDOMs to the secondary FortiGates. Traffic distribution between FortiGates can potentially improve
throughput. If a failure occurs and only one FortiGate continues to operate, all traffic fails over to that FortiGate, similar to
normal HA. If the failed FortiGates rejoin the cluster, the configured traffic distribution is restored.
In an active-passive virtual cluster of two FortiGates, the primary and secondary FortiGates share traffic processing
according to the VDOM partitioning configuration. If you add a third or fourth FortiGate, the primary and first secondary
FortiGate process all traffic and the other one or two FortiGates operate in standby mode. If the primary or first
secondary FortiGate fails, one of the other FortiGates becomes the new primary or secondary FortiGate and begins
processing traffic.

Separation of VDOM traffic

Virtual clustering creates a cluster between instances of each VDOM on the two FortiGates in the virtual cluster. All
traffic to and from a given VDOM is sent to one of the FortiGates where it stays within its VDOM and is only processed by
that VDOM. One FortiGate is the primary FortiGate for each VDOM and one FortiGate is the secondary FortiGate for
each VDOM. The primary FortiGate processes all traffic for its VDOMs; the secondary FortiGate processes all traffic for
its VDOMs.


Virtual clustering and heartbeat interfaces

The HA heartbeat provides the same HA services in a virtual clustering configuration as in a standard HA configuration.
One set of HA heartbeat interfaces provides HA heartbeat services for all of the VDOMs in the cluster. You do not have
to add a heartbeat interface for each VDOM.

Special considerations for NPU-based VLANs in a Virtual Cluster

In an FGCP cluster, the primary FortiGate uses virtual MAC addresses when forwarding traffic, and the secondary uses
the physical MAC addresses when forwarding traffic. In a virtual cluster, packets are sent with the cluster’s virtual MAC
addresses. However, in the case of NPU offloading on a non-root VDOM, traffic that leaves an NPU-based VLAN will
use the physical MAC address of its parent interface rather than the virtual MAC address. If this behavior is not desired,
disable auto-asic-offload in the firewall policy where the VLAN interface is used.

Example

This example shows a virtual cluster configuration consisting of two FortiGates. The virtual cluster has two VDOMs, Root
and End_vdm.

The root VDOM can only be associated with virtual cluster 1.
The VDOM that is assigned as the management VDOM can also only be associated with
virtual cluster 1.

To set up an HA virtual cluster using the GUI:

1. Make all the necessary connections as shown in the topology diagram.
2. Log into one of the FortiGates.


3. Go to System > HA and set the following options:
Mode: Active-Passive
Device priority: 128 or higher
Group name: Example_cluster
Heartbeat interfaces: ha1 and ha2
Except for the device priority, these settings must be the same on all FortiGates in the cluster.
4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
5. Click OK.
The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the
HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate's interfaces.
6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting
setting the device priority, to join the cluster.
7. Go to System > Settings and enable Virtual Domains.
8. Click Apply. You will be logged out of the FortiGate.
9. Log back into the FortiGate, ensure that you are in the global VDOM, and go to System > VDOM.
10. Create two new VDOMs, such as VD1 and VD2:
a. Click Create New. The New Virtual Domain page opens.
b. Enter a name for the VDOM in the Virtual Domain field, then click OK to create the VDOM.
c. Repeat these steps to create a second new VDOM.
11. Implement a virtual cluster by moving the new VDOMs to Virtual cluster 2:
a. Go to System > HA.
b. Enable VDOM Partitioning.
c. Click on the Virtual cluster 2 field and select the new VDOMs.

d. Click OK.


To set up an HA virtual cluster using the CLI:

1. Make all the necessary connections as shown in the topology diagram.
2. Set up a regular A-P cluster. See HA active-passive cluster setup on page 955.
3. Enable VDOMs:
config system global
set vdom-mode multi-vdom
end

You will be logged out of the FortiGate.

4. Create two VDOMs:
config vdom
edit VD1
next
edit VD2
next
end

5. Reconfigure the HA settings to be a virtual cluster:
config global
config system ha
set vcluster2 enable
config secondary-vcluster
set vdom "VD1" "VD2"
end
end
end

Check HA sync status

The HA sync status can be viewed in the GUI through either a widget on the Dashboard or on the System > HA page. It
can also be confirmed through the CLI. When a cluster is out of sync, administrators should correct the issue as soon as
possible, because it affects configuration integrity and can cause problems.

HA sync status in the GUI

• Dashboard widget: Following HA setup, the HA Status widget can be added to the Dashboard. The widget shows the HA
sync status by displaying a green checkmark next to each member in sync. A red mark indicates the member is out
of sync.
• System > HA page: The same set of icons will be displayed on the System > HA page to indicate if the member is in
sync.

HA sync status in the CLI

In the CLI, run the get system ha status command to see if the cluster is in sync. The sync status is reported under
Configuration Status. In the following example, both members are in sync:
# get system ha status
HA Health Status: OK
Model: FortiGate-VM64
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:29:2
Cluster state change time: 2020-09-25 08:23:09
Primary selected using:
<2020/09/25 08:23:09> FGVME000000JUG0E is selected as the primary because it has the
largest value of override priority.
<2020/09/25 08:23:09> FGVMEV00000M6S87 is selected as the primary because it's the only
member in the cluster.
ses_pickup: disable
override: disable
Configuration Status:
FGVME000000JUG0E(updated 2 seconds ago): in-sync
FGVMEV00000M6S87(updated 4 seconds ago): in-sync
System Usage stats:
FGVME000000JUG0E(updated 2 seconds ago):
sessions=11, average-cpu-user/nice/system/idle=1%/0%/1%/98%, memory=69%
FGVMEV00000M6S87(updated 4 seconds ago):
sessions=1, average-cpu-user/nice/system/idle=0%/0%/1%/99%, memory=69%
HBDEV stats:
FGVME000000JUG0E(updated 2 seconds ago):
port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=60578029/155605/0/0,
tx=13360110/25218/0/0
FGVMEV00000M6S87(updated 4 seconds ago):
port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=7006310/19328/0/0,
tx=6220835/13974/0/0
MONDEV stats:
FGVME000000JUG0E(updated 2 seconds ago):
port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=60578029/155605/0/0,
tx=13360110/25218/0/0
port2: physical/1000auto, up, rx-bytes/packets/dropped/errors=70459776/175970/0/0,
tx=36854/226/0/0
FGVMEV00000M6S87(updated 4 seconds ago):
port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=7006310/19328/0/0,
tx=6220835/13974/0/0
port2: physical/1000auto, up, rx-bytes/packets/dropped/errors=7197677/20580/0/0,
tx=29200/83/0/0
Primary : HA1 , FGVME000000JUG0E, HA cluster index = 0
Secondary : HA2 , FGVMEV00000M6S87, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FGVME000000JUG0E, HA operating index = 0
Secondary: FGVMEV00000M6S87, HA operating index = 1
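The Configuration Status, HBDEV stats and MONDEV stats sections above are what an automated check should read. The following Python script is an added example, not part of the FortiOS guide or any Fortinet tool: it parses constructed get system ha status output modelled on the listing above (the out-of-sync member, the rx error count and the down monitored port are invented values) and returns the findings a monitoring job would alert on.

```python
"""Parse `get system ha status` output into HA health findings.

Added example, not part of the FortiOS guide or any Fortinet tool. Reads the
Configuration Status, HBDEV stats and MONDEV stats sections and reports members
that are not in-sync or stale, and interfaces that are down or show drops/errors.
"""
import re
from typing import Dict, List

SECTIONS = ("Configuration Status:", "System Usage stats:", "HBDEV stats:", "MONDEV stats:")
LINK_SECTIONS = {"HBDEV stats:": "heartbeat", "MONDEV stats:": "monitored"}
# "FGVME000000JUG0E(updated 2 seconds ago): in-sync"; under the stats sections the
# member line carries no trailing state.
MEMBER_RE = re.compile(r"^\s*([A-Z0-9]+)\(updated (\d+) seconds? ago\):\s*(\S*)\s*$")
# "port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=a/b/c/d, tx=e/f/g/h"
LINK_RE = re.compile(
    r"^\s*(\S+): \S+, (up|down), rx-bytes/packets/dropped/errors=(\d+)/(\d+)/(\d+)/(\d+),"
    r"\s*tx=(\d+)/(\d+)/(\d+)/(\d+)\s*$"
)

# Constructed sample modelled on the listing in the guide. The out-of-sync state,
# the rx errors on the second member and the down monitored port are invented.
SAMPLE_STATUS = """\
HA Health Status: OK
Configuration Status:
    FGVME000000JUG0E(updated 2 seconds ago): in-sync
    FGVMEV00000M6S87(updated 4 seconds ago): out-of-sync
System Usage stats:
    FGVME000000JUG0E(updated 2 seconds ago):
        sessions=11, average-cpu-user/nice/system/idle=1%/0%/1%/98%, memory=69%
HBDEV stats:
    FGVME000000JUG0E(updated 2 seconds ago):
        port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=60578029/155605/0/0,
            tx=13360110/25218/0/0
    FGVMEV00000M6S87(updated 4 seconds ago):
        port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=7006310/19328/0/3, tx=6220835/13974/0/0
MONDEV stats:
    FGVME000000JUG0E(updated 2 seconds ago):
        port2: physical/1000auto, down, rx-bytes/packets/dropped/errors=70459776/175970/0/0, tx=36854/226/0/0
Primary : HA1 , FGVME000000JUG0E, HA cluster index = 0
Secondary : HA2 , FGVMEV00000M6S87, HA cluster index = 1
"""


def _join_wrapped(lines: List[str]) -> List[str]:
    """Re-join an interface line whose tx= counters wrapped onto the next line."""
    joined: List[str] = []
    for line in lines:
        if line.strip().startswith("tx=") and joined:
            joined[-1] = joined[-1].rstrip() + " " + line.strip()
        else:
            joined.append(line)
    return joined


def parse_ha_status(text: str) -> Dict[str, dict]:
    """Return {"config": {serial: {state, age_s}}, "heartbeat"/"monitored": {serial: {port: counters}}}."""
    status: Dict[str, dict] = {"config": {}, "heartbeat": {}, "monitored": {}}
    section = member = None
    for line in _join_wrapped(text.splitlines()):
        stripped = line.strip()
        if stripped in SECTIONS:
            section, member = stripped, None
            continue
        m = MEMBER_RE.match(line)
        if m and section == "Configuration Status:":
            status["config"][m.group(1)] = {"state": m.group(3), "age_s": int(m.group(2))}
        elif m and section in LINK_SECTIONS:
            member = m.group(1)
            status[LINK_SECTIONS[section]].setdefault(member, {})
        elif section in LINK_SECTIONS and member:
            link = LINK_RE.match(line)
            if link:
                status[LINK_SECTIONS[section]][member][link.group(1)] = {
                    "link": link.group(2),
                    "rx_dropped": int(link.group(5)), "rx_errors": int(link.group(6)),
                    "tx_dropped": int(link.group(9)), "tx_errors": int(link.group(10)),
                }
    return status


def ha_findings(status: Dict[str, dict], max_age_s: int = 30) -> List[str]:
    """Conditions worth alerting on; an empty list means the cluster looks healthy."""
    findings: List[str] = []
    for serial, info in status["config"].items():
        if info["state"] != "in-sync":
            findings.append(f"{serial}: configuration is {info['state']}")
        if info["age_s"] > max_age_s:
            findings.append(f"{serial}: status is {info['age_s']}s old")
    for kind in ("heartbeat", "monitored"):
        for serial, ports in status[kind].items():
            for port, c in ports.items():
                if c["link"] != "up":
                    findings.append(f"{serial}: {kind} interface {port} is {c['link']}")
                bad = c["rx_dropped"] + c["rx_errors"] + c["tx_dropped"] + c["tx_errors"]
                if bad:
                    findings.append(f"{serial}: {kind} interface {port} has {bad} dropped/error packets")
    return findings


if __name__ == "__main__":
    for finding in ha_findings(parse_ha_status(SAMPLE_STATUS)) or ["cluster healthy"]:
        print(finding)
```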

Out-of-band management with reserved management interfaces

As part of an HA configuration, you can reserve up to four management interfaces to provide direct management access
to all cluster units. For each reserved management interface, you can configure a different IP address, administrative
access, and other interface settings, for each cluster unit. By connecting these interfaces to your network, you can
separately manage each cluster unit from different IP addresses.
• Reserved management interfaces provide direct management access to each cluster unit, and give each cluster
unit a different identity on your network. This simplifies using external services, such as SNMP, to monitor separate
cluster units.
• Reserved management interfaces are not assigned HA virtual MAC addresses. They retain the permanent
hardware address of the physical interface, unless you manually change it using the config system
interface command.
• Reserved management interfaces and their IP addresses should not be used for managing a cluster using
FortiManager. To manage a FortiGate HA cluster with FortiManager, use the IP address of one of the cluster unit
interfaces.
• Configuration changes to a reserved management interface are not synchronized to other cluster units. Other
configuration changes are automatically synchronized to all cluster units.

You can configure an in-band management interface for a cluster unit. See In-band
management on page 969 for information. In-band management does not reserve the
interface exclusively for HA management.

Management interface

Enable HTTPS or HTTP administrative access on the reserved management interfaces to connect to the GUI of each
cluster unit. On secondary units, the GUI has the same features as the primary unit, except for unit specific information,
for example:


• The System Information widget on the Status dashboard shows the secondary unit's serial number.
• In the cluster members list at System > HA, you can change the HA configuration of the unit that you are logged into.
You can only change the host name and device priority of the primary and other secondary units.
• The system events logs show logs for the device that you are logged into. Use the HA device drop down to view the
log messages for other cluster units, including the primary unit.
Enable SSH administrative access on the reserved management interfaces to connect to the CLI of each cluster unit.
The CLI prompt includes the host of the cluster unit that you are connected to. Use the execute ha manage command
to connect to other cluster unit CLIs.
Enable SNMP administrative access on a reserved management interface to use SNMP to monitor each cluster unit
using the interface's IP address. Direct management of cluster members must also be enabled, see Configuration
examples on page 965.
Reserved management interfaces are available in both NAT and transparent mode, and when the cluster is operating
with multiple VDOMs.

FortiCloud, FortiSandbox, and other management services

By default, management services such as FortiCloud, FortiSandbox, SNMP, remote logging, and remote authentication,
use a cluster interface. This means that communication from each cluster unit will come from a cluster interface of the
primary unit, and not from the individual cluster unit's interface.
You can configure HA reserved management interfaces to be used for communication with management services by
enabling the ha-direct option. This separates management traffic for each cluster unit, and allows each unit to be
individually managed. This is especially useful when cluster units are in different physical locations.
The following management features will then use the HA reserved management interface:
• Remote logging, including syslog, FortiAnalyzer, and FortiCloud
• Remote authentication and certificate verification
• Communication with FortiSandbox
• Netflow and sflow, see Routing NetFlow data over the HA management interface on page 984 for information.
• SNMP queries and traps
Syntax for HA reserved management interfaces is as follows:
config system ha
set ha-direct enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface <interface>
set dst <destination IP>
set gateway <IPv4 gateway>
set gateway6 <IPv6 gateway>
next
end
end

The ha-direct option is a prerequisite for allowing communication on each HA reserved
management interface for the various management services listed above. Once enabled, all
source-ip settings will be unset from log related, netflow and sflow management services.
SNMP requires ha-direct to be configured under SNMP settings only. See below for more
configuration options.


Configuration examples

The configuration examples below will use the following topology:

Two FortiGate units are already operating in a cluster. On each unit, port8 is connected to the internal network through a
switch and configured as an out-of-band reserved management interface.

Configuration changes to the reserved management interface are not synchronized to other
cluster units.

Administrative access and default route for HA management interface

To configure the primary unit's reserved management interface, configure an IP address and management access on
port8. Then, configure the necessary HA settings to enable the HA reserved management interface and its route. To
configure the secondary unit's reserved management interface, access the unit's CLI through the primary unit, and
configure an IP address, management access on port8, and the necessary HA settings. Configuration changes to the
reserved management interface are not synchronized to other cluster units.

To configure the primary unit reserved management interface to allow HTTPS, SSH, and ICMP access:

1. From a computer on the internal network, connect to the CLI at 10.11.101.100 on port2.
2. Change the port8 IP address and management access:
config system interface
edit port8
set ip 10.11.101.101/24
set allowaccess https ping ssh
next
end

3. Configure the HA settings for the HA reserved management interface by defining a default route to route to the
gateway 10.11.101.2:
config system ha
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface port8
set gateway 10.11.101.2
next
end
end

You can now log into the primary unit's GUI by browsing to https://10.11.101.101. You can also log into the primary
unit's CLI by using an SSH client to connect to 10.11.101.101.

To configure secondary unit reserved management interfaces to allow HTTPS, SSH, and ICMP access:

1. From a computer on the internal network, connect to the primary unit's CLI.
2. Connect to the secondary unit with the following command:
execute ha manage <unit id> <username> <password>

3. Change the port8 IP address and management access:
config system interface
edit port8
set ip 10.11.101.102/24
set allowaccess https ping ssh
next
end
exit

4. Configure the HA settings for the HA reserved management interface by defining a default route to route to the
gateway 10.11.101.2:
config system ha
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface port8
set gateway 10.11.101.2
next
end
end

You can now log into the secondary unit's GUI by browsing to https://10.11.101.102. You can also log into the
secondary unit's CLI by using an SSH client to connect to 10.11.101.102.

SNMP monitoring

The SNMP server can get status information from the cluster members. To use the reserved management interfaces,
you must add at least one HA direct management host to an SNMP community. If the SNMP configuration includes
SNMP users with user names and passwords, HA direct management must be enabled for the users.

To configure the cluster for SNMP management using the reserved management interfaces in the CLI:

1. Allow SNMP on port8 on both primary and secondary units:
config system interface
edit port8
append allowaccess snmp
next
end

2. Add an SNMP community with a host for the reserved management interface of each cluster member. The host
includes the IP address of the SNMP server.
config system snmp community
edit 1
set name "Community"
config hosts
edit 1
set ip 10.11.101.20 255.255.255.255
set ha-direct enable
next
end
next
end

Enabling ha-direct in a non-HA environment will make SNMP unusable.

3. Add an SNMP user for the reserved management interface:
config system snmp user
edit "1"
set notify-hosts 10.11.101.20
set ha-direct enable
next
end

The SNMP configuration is synchronized to all cluster units.

To get CPU, memory, and network usage information from the SNMP manager for each cluster unit
using the reserved management IP addresses:

1. Connect to the SNMP manager CLI.
2. Get resource usage information for the primary unit using the MIB fields:
snmpget -v2c -c Community 10.11.101.101 fgHaStatsCpuUsage
snmpget -v2c -c Community 10.11.101.101 fgHaStatsMemUsage
snmpget -v2c -c Community 10.11.101.101 fgHaStatsNetUsage

3. Get resource usage information for the primary unit using the OIDs:
snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2.1.1.3.1
snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2.1.1.4.1
snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2.1.1.5.1

4. Get resource usage information for the secondary unit using the MIB fields:
snmpget -v2c -c Community 10.11.101.102 fgHaStatsCpuUsage
snmpget -v2c -c Community 10.11.101.102 fgHaStatsMemUsage
snmpget -v2c -c Community 10.11.101.102 fgHaStatsNetUsage

5. Get resource usage information for the secondary unit using the OIDs:
snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2.1.1.3.1
snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2.1.1.4.1
snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2.1.1.5.1

Firewall local-in policies for the reserved management interface

Enabling ha-mgmt-intf-only applies the local-in policy only to the VDOM that contains the reserved management
interface. The incoming interface is set to match any interface in the VDOM.

To add local-in policies for the reserved management interface:

config firewall local-in-policy
edit 0
set ha-mgmt-intf-only enable
set intf any
set srcaddr internal-net
set dstaddr mgmt-int
set action accept
set service HTTPS
set schedule weekdays
next
end

NTP over reserved management interfaces

When NTP is enabled in an HA cluster, the primary unit is always the unit that contacts the NTP server, and it synchronizes
system time to the secondary units over the HA heartbeat interface. If the primary unit should instead contact the NTP
server over the HA reserved management interface, enable the ha-direct option under the config system ha settings:
config system interface
edit port5
set ip 172.16.79.46 255.255.255.0
next
end
config system ha
set group-name FGT-HA
set mode a-p
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface port5
set gateway 172.16.79.1
next
end
set ha-direct enable
end

config system ntp
set ntpsync enable
set syncinterval 5
end

In-band management

In-band management IP addresses are an alternative to reserved HA management interfaces, and do not require
reserving an interface exclusively for management access. They can be added to multiple interfaces on each cluster
unit.
The in-band management IP address is accessible from the network that the cluster interface is connected to. It should
be in the same subnet as the interface that you are adding it to. It cannot be in the same subnet as other interface
IP addresses.
In-band management interfaces support ping, HTTP, HTTPS, and SNMP administrative access options.
Primary and secondary units send packets differently from an interface with a management IP address configured:
• On the primary unit, packets are sent to destinations based on routing information.
• On secondary units, packets can only be sent to destinations with the same management IP address segment.

In-band management IP address configuration is not synchronized to other cluster units.

To add an in-band management IP address to port23 with HTTPS, SSH, and SNMP access:

config system interface
edit port23
set management-ip 172.25.12.5/24
set allowaccess https ssh snmp
next
end

Upgrading FortiGates in an HA cluster

You can upgrade the firmware on an HA cluster in the same way as on a standalone FortiGate. During a firmware
upgrade, the cluster upgrades the primary unit and all of the subordinate units to the new firmware image.

Before upgrading a cluster, back up your configuration (Configuration backups on page 57),
schedule a maintenance window, and make sure that you are using a supported upgrade path
(https://docs.fortinet.com/upgrade-tool).

Uninterrupted upgrade

An uninterrupted upgrade occurs without interrupting communication in the physical or virtual cluster.
To upgrade the cluster firmware without interrupting communication, use the following steps. These steps are
transparent to the user and the network, and might result in the cluster selecting a new primary unit.

1. The administrator uploads a new firmware image using the GUI or CLI. See Firmware on page 892 for details.
2. The firmware is upgraded on all of the subordinate units.
3. A new primary unit is selected from the upgraded subordinates.
4. The firmware is upgraded on the former primary unit.
5. Primary unit selection occurs, according to the standard primary unit selection process.
If all of the subordinate units crash or otherwise stop responding during the upgrade process, the primary unit will
continue to operate normally, and will not be upgraded until at least one subordinate rejoins the cluster.

Interrupted upgrade

An interrupted upgrade upgrades all cluster members at the same time. This takes less time than an uninterrupted
upgrade, but it interrupts communication in the cluster. Interrupted upgrade is disabled by default.

To enable interrupted upgrade:

config system ha
set uninterruptible-upgrade disable
end

HA between remote sites over managed FortiSwitches

In a multi-site FortiGate HA topology that uses managed FortiSwitches in a multi-chassis link aggregation group
(MCLAG) to connect between sites, HA heartbeat signals can be sent through the switch layer of the FortiSwitches,
instead of through back-to-back links between the heartbeat interfaces. This means that two fiber connections can be
used, instead of four (two back-to-back heartbeat fiber connections and two connections for the FortiSwitches). The
FortiSwitches can be different models, but must all support MCLAG and be running version 6.4.2 or later.
This example shows how to configure heartbeat VLANs to assign to the access ports that the heartbeat interfaces
connect to, passing over the trunk between the FortiSwitches on the two sites.

In this example, FortiGate HA is deployed with two FortiGates in separate locations, and the switch layer connection
between the FortiSwitches is used for the heartbeat signal.

To configure the example:

1. Disconnect the physical connections between Site 1 and Site 2:
• Disconnect the cable on Site 1 FSW-1 port 12.
• Disconnect the cable on Site 1 FSW-2 port 10.
2. Configure Site 1:

a. On the FortiGate, go to WiFi & Switch Controller > FortiLink Interface and configure FortiLink:

b. Go to System > HA and configure HA:
i. Set the heartbeat ports to the ports that are connected to FortiSwitch.
ii. Adjust the priority and enable override so that this FortiGate becomes the primary.

c. Go to WiFi & Switch Controller > FortiSwitch VLANs and create switch VLANs that are dedicated to each
FortiGate HA heartbeat interface between the two FortiGates: Heartbeat VLAN 1000 and Heartbeat VLAN
1100.

d. Assign the native VLAN of the switch ports that are connected to the heartbeat ports to the created VLAN. Each
HA heartbeat should be in its own VLAN.
i. Go to WiFi & Switch Controller > FortiSwitch Ports.
ii. In the Native VLAN column for the heartbeat port that is connected to FSW-1, click the edit icon and select
the Heartbeat VLAN.

iii. In the Native VLAN column for the heartbeat port that is connected to FSW-2, click the edit icon and select
the Heartbeat2 VLAN.
e. On each FortiSwitch, enable MCLAG-ICL on the trunk port:
config switch trunk
edit D243Z17000032-0
set mclag-icl enable
next
end

3. Configure Site 2 the same as Site 1, except set the HA priority so that the FortiGate becomes the secondary.
4. Disconnect the physical connections for FortiGate HA and FortiLink interfaces on Site 2:
• Disconnect the cable on Site 2 FSW-1 ports 47 and 48.
• Disconnect the cable on Site 2 FSW-2 ports 47 and 48.

5. Connect cables between the FortiSwitch MCLAG in Site 1 and Site 2:
• Connect a cable from Site 1 FSW-1 port 12 to Site 2 FSW-1 port 22.
• Connect a cable from Site 1 FSW-2 port 10 to Site 2 FSW-2 port 20.
6. On all of the FortiSwitches, configure the auto-isl-port-group. The group must match on both sides.
a. Site 1 FSW-1:
Set members to the port that is connected to Site 2 FSW-1:
config switch auto-isl-port-group
edit 1
set members port12
next
end

b. Site 2 FSW-1:
Set members to the port that is connected to Site 1 FSW-1:
config switch auto-isl-port-group
edit 1
set members port22
next
end

c. Site 1 FSW-2:
Set members to the port that is connected to Site 2 FSW-2:
config switch auto-isl-port-group
edit 1
set members port10
next
end

d. Site 2 FSW-2:
Set members to the port that is connected to Site 1 FSW-2:
config switch auto-isl-port-group
edit 1
set members port20
next
end

7. Connect the FortiGate HA and FortiLink interface connections on Site 2.
8. Configure a firewall policy and route for traffic so that the client can reach the internet.
9. Wait for HA to finish synchronizing and for all of the FortiSwitches to come online, then on FortiGate-1, go to WiFi &
Switch Controller > Managed FortiSwitches and select the Topology view from the drop-down on the right.
The page should look similar to the following:

To test the configuration to confirm what happens when there is a failover:

1. On both PC-1 and PC-2, access the internet and monitor traffic. The traffic should be going through the primary
FortiGate.
2. Perform a continuous ping to an outside IP address, then reboot any one of the FortiSwitches.
Traffic from both Site 1 and Site 2 to the internet should be recovered in approximately five seconds.
3. Perform a continuous ping to an outside IP address, then force an HA failover (see Force HA failover for testing and
demonstrations on page 986).
Traffic from both Site 1 and Site 2 to the internet should be recovered in approximately five seconds.
4. After an HA failover, on the new primary FortiGate, go to WiFi & Switch Controller > Managed FortiSwitch.
The switch layer tiering will be changed so that the directly connected FortiSwitches are at the top of the topology.

HA using a hardware switch to replace a physical switch

An HA cluster can be deployed without physical switches connecting the traffic interfaces on the primary and secondary
members. This setup may be desirable in certain environments where the network infrastructure must be kept to a bare
minimum.
Generally, using a hardware switch to replace a physical switch is not recommended, as it offers no redundancy or
interface monitoring.
• If one FortiGate loses power, all of the clients connected to that FortiGate device cannot go to another device until that
FortiGate recovers.
• A hardware switch cannot be used as a monitor interface in HA. Any incoming or outgoing link failures on hardware
member interfaces will not trigger failover; this can affect traffic.
Therefore, assess your environment thoroughly before applying this solution.

Examples

The examples use the following topology:

Traffic between hardware switches

When using a hardware switch in an HA environment, a client device connected to the hardware switch on the primary
FortiGate can communicate with client devices connected to the hardware switch on a secondary FortiGate, as long as
there is a direct connection between the two switches.
No configuration is required after setting up the hardware switches. If clients connected to the hardware switches
need to reach destinations outside of the cluster, the firewall must be configured for it.

To configure the FortiGate devices:

1. Connect the devices as shown in the topology diagram.
2. On each FortiGate, configure HA:
config system ha
set mode a-a
set group-name Example_cluster
set hbdev ha1 10 ha2 20
end

3. On the primary FortiGate, configure the hardware switch:
config system virtual-switch
edit Hardware-SW
set physical-switch sw0
config port
edit port3
next
edit port5
next
end
next
end

4. On each FortiGate, configure the IP addresses on the hardware switches:
config system interface
edit Hardware-SW
set ip 6.6.6.1 255.255.255.0
set allowaccess ping ssh http https
next
end

After configuring the hardware switches, PC1 and PC2 can now communicate with each other.

Traffic passes through FortiGate

If a client device needs to send traffic through the FortiGate, additional firewall configuration on the FortiGate is required.
All traffic from the hardware switches on either the primary or secondary FortiGate reaches the primary FortiGate first.
The traffic is then directed according to the HA mode and firewall configuration.

To configure the FortiGate devices:

1. Connect the devices as shown in the topology diagram.
2. On each FortiGate, configure HA:
config system ha
set mode a-a
set group-name Example_cluster
set hbdev ha1 10 ha2 20
end

3. On the primary FortiGate, configure the hardware switch:
config system virtual-switch
edit Hardware-SW
set physical-switch sw0
config port
edit port3
next
edit port5
next
end
next
edit Hardware-SW2
set physical-switch sw0
config port
edit port1
next
end
next
end

4. On each FortiGate, configure the IP addresses on the hardware switch:
config system interface
edit Hardware-SW
set ip 6.6.6.1 255.255.255.0
set allowaccess ping ssh http https
next
edit Hardware-SW2
set ip 172.16.200.1 255.255.255.0
set allowaccess ping ssh http https
next
end

5. On each FortiGate, configure a firewall policy:
config firewall policy
edit 1
set srcintf Hardware-SW
set dstintf Hardware-SW2
set srcaddr all
set dstaddr all
set service ALL
set action accept
set schedule always
set nat enable
next
end

6. On each FortiGate, configure a static route:
config router static
edit 1
set device Hardware-SW2
set gateway 172.16.200.254
next
end

Traffic from PC1 and PC2 can now reach destinations outside of the FortiGate cluster.

VDOM exceptions

VDOM exceptions are settings, selected for specific VDOMs or for all VDOMs, that are not synchronized to other
HA members. This can be required when cluster members are not in the same physical location, subnets, or availability
zones in a cloud environment.
Some examples of possible use cases include:
• You use different source IP addresses for FortiAnalyzer logging from each cluster member. See Override
FortiAnalyzer and syslog server settings on page 980 for more information.
• You need to keep management interfaces that have specific VIPs or local subnets, which cannot transfer, from being
synchronized.
• In a unicast HA cluster in the cloud, you use NAT with different IP pools in different subnets, so the IP pools must be
exempt.
When a VDOM exception is configured, the object is not synchronized between the primary and secondary devices
when the HA cluster forms. Different options can be configured for every object.
When VDOM mode is disabled, the configured object is excluded for the entire device. To define a scope, VDOM mode
must be enabled and the object must be configurable in a VDOM.
The VDOM exception entries themselves are synchronized to other HA cluster members.

To configure VDOM exceptions:

config global
config system vdom-exception
edit 1
set object <object name>
set scope {all* | inclusive | exclusive}
set vdom <vdom name>
next
end
end

object   The name of the configuration object that can be configured independently for some or all of the VDOMs.
         See Objects on page 979 for a list of available settings and resources.
scope    Determine whether the specified object is configured independently for all VDOMs or for a subset of VDOMs.
         • all: Configure the object independently on all VDOMs.
         • inclusive: Configure the object independently only on the specified VDOMs.
         • exclusive: Configure the object independently on all of the VDOMs that are not specified.
vdom     The names of the VDOMs that are included or excluded.
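As an added example that is not part of the guide, the following Python script parses a constructed vdom-exception configuration in FortiOS CLI syntax (entry 1 mirrors the syslog override example later on this page; entries 2 and 3 are hypothetical) and applies the all / inclusive / exclusive scope rules described above to answer whether a given object is exempt from HA synchronization in a given VDOM.

```python
import shlex

# Constructed sample in FortiOS CLI syntax (not a device export). Entry 1 mirrors the
# syslog override example on this page (exempt only in root). Entries 2 and 3 are
# hypothetical: firewall.ippool exempt everywhere except "dmz", and log.syslogd.setting
# exempt device-wide (scope omitted, so the default "all" applies).
SAMPLE_CONFIG = """\
config global
    config system vdom-exception
        edit 1
            set object log.syslogd.override-setting
            set scope inclusive
            set vdom root
        next
        edit 2
            set object firewall.ippool
            set scope exclusive
            set vdom dmz
        next
        edit 3
            set object log.syslogd.setting
        next
    end
end
"""


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    `config a b` and `edit X` open a nested dict under key "a b" / "X",
    `set k v1 v2` stores ["v1", "v2"], and `next` / `end` close the block.
    """
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # keeps quoted values such as "vdom one" whole
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or a "#config-version=..." banner
        verb, args = tokens[0], tokens[1:]
        if verb in ("config", "edit"):
            stack.append(current)
            current = current.setdefault(" ".join(args), {})
        elif verb == "set":
            current[args[0]] = args[1:]
        elif verb in ("next", "end"):
            current = stack.pop()
        elif verb != "unset":
            raise ValueError(f"unexpected line: {raw!r}")
    return root


def vdom_exceptions(cfg):
    """Return [(object, scope, {vdoms})] from config global > config system vdom-exception."""
    table = cfg.get("global", {}).get("system vdom-exception", {})
    result = []
    for entry in table.values():
        scope = entry.get("scope", ["all"])[0]  # "all" is the CLI default (all*)
        result.append((entry["object"][0], scope, set(entry.get("vdom", []))))
    return result


def is_exempt(exceptions, obj, vdom):
    """Apply the guide's scope rules: is `obj` in `vdom` excluded from HA synchronization?"""
    for name, scope, vdoms in exceptions:
        if name != obj:
            continue
        if scope == "all":
            return True
        if scope == "inclusive":
            return vdom in vdoms
        if scope == "exclusive":
            return vdom not in vdoms
    return False  # no exception for this object: it is synchronized as usual
```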

Objects

The following settings and resources can be exempt from synchronization in an HA cluster:

log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.central-management
system.csf
user.radius
system.interface*
vpn.ipsec.phase1-interface*
vpn.ipsec.phase2-interface*
router.bgp*
router.route-map*
router.prefix-list*
firewall.ippool*
firewall.ippool6*
router.static*
router.static6*
firewall.vip*
firewall.vip6*
system.sdwan*
system.saml*
router.policy*
router.policy6*

* This setting can only be configured on cloud VMs.

Override FortiAnalyzer and syslog server settings

In an HA cluster, secondary devices can be configured to use different FortiAnalyzer devices and syslog servers than the
primary device. VDOMs can also override global syslog server settings.

Configure a different syslog server on a secondary HA device

To configure the primary HA device:

1. Configure a global syslog server:
config global
config log syslogd setting
set status enable
set server 172.16.200.44
set facility local6
set format default
end
end

2. Set up a VDOM exception to enable setting the global syslog server on the secondary HA device:
config global
config system vdom-exception
edit 1
set object log.syslogd.setting
next
end
end

To configure the secondary HA device:

1. Configure a global syslog server:
config global
config log syslogd setting
set status enable
set server 172.16.200.55
set facility local5
end
end

2. After the primary and secondary device synchronize, generate logs on the secondary device.

To confirm that logs are being sent to the syslog server configured on the secondary device:

1. On the primary device, retrieve the following packet capture from the secondary device's syslog server:
# diagnose sniffer packet any "host 172.16.200.55" 6
interfaces=[any]
filters=[host 172.16.200.55]

266.859494 port2 out 172.16.200.2.7434 -> 172.16.200.55.514: udp 278
0x0000 0000 0000 0000 0009 0f09 0004 0800 4500 ..............E.
0x0010 0132 f3c7 0000 4011 9d98 ac10 c802 ac10 .2....@.........
0x0020 c837 1d0a 0202 011e 4b05 3c31 3734 3e64 .7......K.<174>d
0x0030 6174 653d 3230 3230 2d30 332d 3134 2074 ate=2020-03-14.t
0x0040 696d 653d 3132 3a30 303a 3035 2064 6576 ime=12:00:05.dev
0x0050 6e61 6d65 3d22 466f 7274 6947 6174 652d name="FGT-81E-Sl
0x0060 3831 455f 4122 2064 6576 6964 3d22 4647 ave-A".devid="FG
0x0070 5438 3145 3451 3136 3030 3030 3438 2220 T81E4Q16000048".
0x0080 6c6f 6769 643d 2230 3130 3030 3230 3032 logid="010002002
0x0090 3722 2074 7970 653d 2265 7665 6e74 2220 7".type="event".
0x00a0 7375 6274 7970 653d 2273 7973 7465 6d22 subtype="system"
0x00b0 206c 6576 656c 3d22 696e 666f 726d 6174 .level="informat
0x00c0 696f 6e22 2076 643d 2276 646f 6d31 2220 ion".vd="vdom1".
0x00d0 6576 656e 7474 696d 653d 3135 3834 3231 eventtime=158421
0x00e0 3234 3035 3835 3938 3335 3639 3120 747a 2405859835691.tz
0x00f0 3d22 2d30 3730 3022 206c 6f67 6465 7363 ="-0700".logdesc
0x0100 3d22 4f75 7464 6174 6564 2072 6570 6f72 ="Outdated.repor
0x0110 7420 6669 6c65 7320 6465 6c65 7465 6422 t.files.deleted"
0x0120 206d 7367 3d22 4465 6c65 7465 2031 206f .msg="Delete.1.o
0x0130 6c64 2072 6570 6f72 7420 6669 6c65 7322 ld.report.files"
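As an added example that is not part of the guide, the following Python decoder takes the verbose-6 sniffer output above, rebuilds the frame from the hex columns, checks the IPv4 header checksum, and parses the syslog PRI and key=value fields, so the facility (local5, as configured on the secondary) and the vd field can be confirmed without reading the hex by eye. The field values are decoded from the hex bytes, not from the ASCII rendering on the right.

```python
import re
from ipaddress import IPv4Address

# Verbose-level-6 output of `diagnose sniffer packet`, copied from the first capture on
# this page (the primary unit sniffing the secondary unit's syslog traffic).
SNIFFER_OUTPUT = """\
266.859494 port2 out 172.16.200.2.7434 -> 172.16.200.55.514: udp 278
0x0000 0000 0000 0000 0009 0f09 0004 0800 4500 ..............E.
0x0010 0132 f3c7 0000 4011 9d98 ac10 c802 ac10 .2....@.........
0x0020 c837 1d0a 0202 011e 4b05 3c31 3734 3e64 .7......K.<174>d
0x0030 6174 653d 3230 3230 2d30 332d 3134 2074 ate=2020-03-14.t
0x0040 696d 653d 3132 3a30 303a 3035 2064 6576 ime=12:00:05.dev
0x0050 6e61 6d65 3d22 466f 7274 6947 6174 652d name="FGT-81E-Sl
0x0060 3831 455f 4122 2064 6576 6964 3d22 4647 ave-A".devid="FG
0x0070 5438 3145 3451 3136 3030 3030 3438 2220 T81E4Q16000048".
0x0080 6c6f 6769 643d 2230 3130 3030 3230 3032 logid="010002002
0x0090 3722 2074 7970 653d 2265 7665 6e74 2220 7".type="event".
0x00a0 7375 6274 7970 653d 2273 7973 7465 6d22 subtype="system"
0x00b0 206c 6576 656c 3d22 696e 666f 726d 6174 .level="informat
0x00c0 696f 6e22 2076 643d 2276 646f 6d31 2220 ion".vd="vdom1".
0x00d0 6576 656e 7474 696d 653d 3135 3834 3231 eventtime=158421
0x00e0 3234 3035 3835 3938 3335 3639 3120 747a 2405859835691.tz
0x00f0 3d22 2d30 3730 3022 206c 6f67 6465 7363 ="-0700".logdesc
0x0100 3d22 4f75 7464 6174 6564 2072 6570 6f72 ="Outdated.repor
0x0110 7420 6669 6c65 7320 6465 6c65 7465 6422 t.files.deleted"
0x0120 206d 7367 3d22 4465 6c65 7465 2031 206f .msg="Delete.1.o
0x0130 6c64 2072 6570 6f72 7420 6669 6c65 7322 ld.report.files"
"""

# Hex line: offset, up to eight 4-digit groups, optional odd trailing byte; the ASCII
# column that follows is only a rendering of the same bytes and is not captured.
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}((?:\s+[0-9a-f]{4}(?=\s|$)){0,8}(?:\s+[0-9a-f]{2}(?=\s|$))?)")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}


def hexdump_to_bytes(text):
    """Rebuild the raw frame from the hex groups of each 0xNNNN line."""
    frame = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:  # the "port2 out ..." summary line does not match and is skipped
            frame += bytes.fromhex("".join(m.group(1).split()))
    return bytes(frame)


def ipv4_header_checksum_ok(header):
    """The one's-complement sum over the whole IPv4 header must fold to 0xFFFF."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_syslog_frame(sniffer_text):
    """Walk Ethernet -> IPv4 -> UDP and parse the FortiOS syslog payload."""
    frame = hexdump_to_bytes(sniffer_text)
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    udp = frame[14 + ihl:14 + ihl + 8]
    udp_len = int.from_bytes(udp[4:6], "big")
    payload = frame[14 + ihl + 8:14 + ihl + udp_len].decode("ascii")
    pri, _, body = payload[1:].partition(">")  # "<174>date=..." -> PRI 174
    pri = int(pri)
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(body)}
    return {
        "src": str(IPv4Address(ip_hdr[12:16])),
        "dst": str(IPv4Address(ip_hdr[16:20])),
        "dst_port": int.from_bytes(udp[2:4], "big"),
        "ip_checksum_ok": ipv4_header_checksum_ok(ip_hdr),
        "payload_len": len(payload),
        "facility": FACILITY_NAMES.get(pri >> 3, str(pri >> 3)),  # 174 >> 3 = 21 = local5
        "severity": pri & 7,  # 6 = informational, matching level="information"
        "fields": fields,
    }
```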

Configure a different syslog server in the root VDOM on a secondary HA device

To configure the primary HA device:

1. Configure a global syslog server:
config global
config log syslogd setting
set status enable
set server 172.16.200.44
set facility local6
set format default
end
end

2. Set up a VDOM exception to enable syslog-override in the secondary HA device root VDOM:
config global
config system vdom-exception
edit 1
set object log.syslogd.override-setting
set scope inclusive
set vdom root
next
end
end

3. In the VDOM, enable syslog-override in the log settings, and set up the override syslog server:
config root
config log setting
set syslog-override enable
end
config log syslogd override-setting
set status enable
set server 172.16.200.44
set facility local6
set format default
end
end

After syslog-override is enabled, an override syslog server must be configured, as logs will not be sent to the global
syslog server.

To configure the secondary HA device:

1. Configure an override syslog server in the root VDOM:
config root
config log syslogd override-setting
set status enable
set server 172.16.200.55
set facility local5
set format default
end
end

2. After the primary and secondary device synchronize, generate logs in the root VDOM on the secondary device.

To confirm that logs are being sent to the syslog server configured for the root VDOM on the secondary
device:

1. On the primary device, retrieve the following packet capture from the syslog server configured in the root VDOM on
the secondary device:
# diagnose sniffer packet any "host 172.16.200.55" 6
interfaces=[any]
filters=[host 172.16.200.55]

156.759696 port2 out 172.16.200.2.1165 -> 172.16.200.55.514: udp 277
0x0000 0000 0000 0000 0009 0f09 0004 0800 4500 ..............E.
0x0010 0131 f398 0000 4011 9dc8 ac10 c802 ac10 .1....@.........
0x0020 c837 048d 0202 011d af5f 3c31 3734 3e64 .7......._<174>d
0x0030 6174 653d 3230 3230 2d30 332d 3134 2074 ate=2020-03-14.t
0x0040 696d 653d 3131 3a33 353a 3035 2064 6576 ime=11:35:05.dev
0x0050 6e61 6d65 3d22 466f 7274 6947 6174 652d name="FGT-81E-Sl
0x0060 3831 455f 4122 2064 6576 6964 3d22 4647 ave-A".devid="FG
0x0070 5438 3145 3451 3136 3030 3030 3438 2220 T81E4Q16000048".
0x0080 6c6f 6769 643d 2230 3130 3030 3230 3032 logid="010002002
0x0090 3722 2074 7970 653d 2265 7665 6e74 2220 7".type="event".
0x00a0 7375 6274 7970 653d 2273 7973 7465 6d22 subtype="system"
0x00b0 206c 6576 656c 3d22 696e 666f 726d 6174 .level="informat
0x00c0 696f 6e22 2076 643d 2272 6f6f 7422 2065 ion".vd="root".e
0x00d0 7665 6e74 7469 6d65 3d31 3538 3432 3130 venttime=1584210
0x00e0 3930 3537 3539 3334 3132 3632 2074 7a3d 905759341262.tz=
0x00f0 222d 3037 3030 2220 6c6f 6764 6573 633d "-0700".logdesc=
0x0100 224f 7574 6461 7465 6420 7265 706f 7274 "Outdated.report
0x0110 2066 696c 6573 2064 656c 6574 6564 2220 .files.deleted".
0x0120 6d73 673d 2244 656c 6574 6520 3220 6f6c msg="Delete.2.ol
0x0130 6420 7265 706f 7274 2066 696c 6573 22 d.report.files"

Routing NetFlow data over the HA management interface

In an HA environment, the ha-direct option allows data from services such as syslog, FortiAnalyzer, SNMP, and
NetFlow to be routed over the outgoing interface.
The following example shows how Net