FortiNet-Knowledge_Center-Tips_HowTo

1. How To
This page includes a collection of "how to" articles to provide you quick answers to simple setup and configuration questions for Fortinet products. For detailed technical information, see the Fortinet Product Documentation.

1.1. Using a FortiGate unit

How to articles for using and configuring a FortiGate unit.
For detailed and technical information, see the FortiGate Documentation.
1.1.1. VPN
1.1.1.1. Fortinet VPN Quick Start Guide

This quick start guide explains how to configure the FortiClient Host Security application or a FortiGate unit to connect to a remote network.

1.1.1.2. Connecting to a Remote Network through a VPN

This technical note describes how to connect to a remote network through a VPN using the FortiClient Host Security application. It also describes how to configure a FortiGate unit to create a VPN to a remote network.

1.1.1.3. How do I configure an IPSec VPN?

This configuration procedure is common to all IPSec VPNs. These steps are relevant for FortiOS 2.8 and 3.0. For complete details on configuring a FortiGate VPN, see the FortiGate VPN Guide.
1. Define the phase 1 parameters that the FortiGate unit needs to authenticate remote peers and establish a secure connection.
2. Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with a remote peer.
3. Define source and destination addresses for the IP packets that are to be transported through the VPN tunnel.
4. Create the firewall encryption policy and define the scope of permitted services between the IP source and destination addresses.

You must perform Steps 1 and 2 to have the FortiGate unit generate unique IPSec encryption and authentication keys automatically. In situations where a remote VPN peer requires a specific IPSec encryption and/or authentication key, you must configure the FortiGate unit to use manual keys instead of performing Steps 1 and 2. For more information, see “Manual-key configurations” in the FortiGate VPN Guide.

See also the Fortinet Knowledge Center articles "Fortinet VPN QuickStart Guide" and "Connecting to a Remote Network through a VPN".

1.1.2. Blocking

Articles about how to use a FortiGate unit to block an IP address, files, Skype, Instant Messaging traffic, Peer-to-Peer use, web sites, and so on.
1.1.2.1. How do I block an IP address?
Description  How to block an IP address.
Components  All FortiGate units running FortiOS 2.8 or 3.0.
Steps or Commands  
To block an IP address, create an address entry and create a firewall policy to block the address.
Add an Address

To add an address entry
Go to Firewall > Address.
Select Create New.
Enter a name for the address.
Enter the IP address and subnet.

Note that if you are blocking an internal IP address, set the netmask to 255.255.255.255, or /32. Otherwise you could block the entire subnet.
Add a Firewall Policy

To add a firewall policy
Go to Firewall > Policy.
Select Create new.
Configure the firewall policy as required. For the Source and/or Destination address, select the address name added above.
Set the Action to Deny.
Move the firewall policy to the top of the policy list.

1.1.2.2. How do I block files?

Configure file blocking to remove all files that are a potential threat and to prevent active computer virus attacks. You can block files by name, by extension, or any other pattern, giving you the flexibility to block potentially harmful content. You can also enable or disable file blocking by protocol for each file pattern you configure.

When the FortiGate unit blocks a file such as an image file (gif, jpg), the user will not see the image on a web page, nor receive any indication that the file was blocked.
FortiOS 3.0MR3

To configure file blocking
Go to AntiVirus > File Pattern.
Select Create New to create a new list, and select OK.
Select Edit for the new list.
Select Create New.
Enter the file name or file pattern.
Select Block.
Select OK.

For more information on file blocking or adding file blocking to protection profiles, see the FortiGate Administration Guide.
FortiOS 3.0 up to MR3

To configure file blocking
Go to AntiVirus > File Pattern.
Select Create New.
Enter the file name or file pattern.
Select Block.
Select OK.

For more information on file blocking or adding file blocking to protection profiles, see the FortiGate Administration Guide.
FortiOS 2.8

To configure file blocking
Go to Anti-Virus > File Block.
Enter the file name or file pattern you want to add.
Select Create New.
Select the protocols for which you want to block the file, or select Check All.
Select Apply.

For more information on file blocking or adding file blocking to protection profiles, see the FortiGate Administration Guide.

1.1.2.3. How do I block ARES?
FortiOS 3.0

To block ARES
Go to IPS > Signature > Predefined.
Expand the Misc category.
Locate the Ares signatures and select Configure for each one.
Note that starting in 3.0 MR6, the signature is called P2P.Ares.
For the Action, select Drop Session.
Select OK.
Select the Protocol Decoder tab.
Select to expand P2P_Decoder.
Locate Ares and select Configure.
For the Action, select Drop Session.
Select OK.
FortiOS 2.8

To block ARES
Go to IPS > Signature > Predefined.
Expand the Misc category.
Locate Ares.Connect and select Configure.
For the Action, select Drop Session.
Select OK.

1.1.2.4. How do I block Emule traffic?

To block eMule P2P traffic, first ensure that the FortiGate unit has the latest Antivirus and NIDS definition updates. The installed version appears on the System > Status menu. The currently distributed version is listed on the FortiGuard Center web site:

http://www.fortinet.com/FortiGuardCenter/av.html
FortiOS 3.0

For FortiOS 3.0, the protection profile has a blocking feature for the eDonkey network that enables you to block or limit the file transfer size.

To configure the eDonkey network
Go to Firewall > Protection Profile.
Select a default profile or select Create New.
Select the IP/P2P arrow to expand the options.
Select an option for eDonkey.
Select OK .

Note there are additional IPS signatures which you can block or enable for eMule. To view, go to Intrusion Protection > Signature > Predefined. Select the Misc arrow to expand the list.
FortiOS 2.8

To block eMule file sharing
Go to IPS > Signature > p2p > edonkey.
Select Enable and select Edit.
Set the action to Drop and select OK.
Go to Firewall > Protection Profile and configure a Protection Profile so that IPS Signature is Enabled.
Apply this Protection Profile to the Firewall > Policy that will be used to block this traffic.

If Logging on the signature is also enabled, the following message will be logged when an Emule/Edonkey client attempts to connect to a server.

2006-02-17 15:42:01 Local7.Alert 72.31.225.206 date=2006-02-17 time=06:41:03 device_id=FG200A210xxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert vd=root attack_id=109051907 src=193.138.221.214 dst=10.105.1.15 src_port=4242 dst_port=3691 src_int=wan1 dst_int=internal status=drop_session proto=6 service=3691/tcp msg="p2p: edonkey [Reference: http://www.fortinet.com/ids/ID109051907]"
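As an added example (not part of the original article), the following Python parses FortiGate key=value log lines such as the one above and flags the IPS events in which a P2P session was dropped. The first sample line is the message quoted above; the second is a constructed non-IPS traffic line with sample values so the filter has something to ignore.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input. The first line is the eDonkey drop message quoted in this article; the
# second is a constructed, non-IPS traffic line (sample values, not from a real device).
SAMPLE_LOGS = [
    '2006-02-17 15:42:01 Local7.Alert 72.31.225.206 date=2006-02-17 time=06:41:03 '
    'device_id=FG200A210xxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert '
    'vd=root attack_id=109051907 src=193.138.221.214 dst=10.105.1.15 src_port=4242 '
    'dst_port=3691 src_int=wan1 dst_int=internal status=drop_session proto=6 '
    'service=3691/tcp msg="p2p: edonkey [Reference: http://www.fortinet.com/ids/ID109051907]"',
    '2006-02-17 15:43:10 Local7.Notice 72.31.225.206 date=2006-02-17 time=06:42:12 '
    'device_id=FG200A210xxxxxxx log_id=0000000000 type=traffic subtype=allowed pri=notice '
    'vd=root src=10.105.1.20 dst=192.0.2.10 src_port=51000 dst_port=80 src_int=internal '
    'dst_int=wan1 status=accept proto=6 service=80/tcp msg="traffic allowed"',
]

# One key=value field: the value is either a double-quoted string (which may contain
# spaces, as msg="..." does) or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate log line into its key=value fields.

    Anything before the first field (the syslog timestamp, facility.severity and the
    sending address) is kept under the '_prefix' key. Surrounding quotes are stripped
    from quoted values."""
    first = FIELD_RE.search(line)
    prefix = line[: first.start()].strip() if first else line.strip()
    fields = {"_prefix": prefix}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


@dataclass
class P2PDrop:
    when: str        # date and time as written by the FortiGate unit itself
    src: str
    dst: str
    attack_id: str
    signature: str   # for example "p2p: edonkey"


def find_p2p_drops(lines: List[str]) -> List[P2PDrop]:
    """Return the IPS signature events in which the FortiGate unit dropped a P2P session."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "ips" or f.get("subtype") != "signature":
            continue
        if f.get("status") != "drop_session":
            continue
        msg = f.get("msg", "")
        if not msg.startswith("p2p:"):
            continue
        # Drop the "[Reference: ...]" suffix and keep only the signature name.
        signature = msg.split("[", 1)[0].strip()
        hits.append(P2PDrop(
            when=f"{f.get('date', '')} {f.get('time', '')}",
            src=f.get("src", ""),
            dst=f.get("dst", ""),
            attack_id=f.get("attack_id", ""),
            signature=signature,
        ))
    return hits


if __name__ == "__main__":
    for hit in find_p2p_drops(SAMPLE_LOGS):
        print(f"{hit.when} {hit.signature}: {hit.src} -> {hit.dst} (attack_id {hit.attack_id})")
```

Note that the date and time fields inside the message come from the FortiGate unit's own clock and can differ from the syslog receiver's timestamp in the prefix, as they do in the line above.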

1.1.2.5. Preventing Instant Messaging traffic

Description How do I prevent the use of instant messaging programs such as MSN, Yahoo Messenger and AIM?

Components All FortiGate units running FortiOS 2.8 and FortiOS 3.0.

Steps or Commands 
Prevent the use of Instant Messaging traffic through the IPS options in FortiOS 2.8.

To block instant messaging traffic
Go to IPS > Signature > Predefined.
Scroll down to IM and expand the IM selections.
Select Configure for an instant messenger application.
For the Action, select the setting to Drop or Drop Session.
Select OK.

For more information on the Action selections, see the FortiGate Administration Guide for your FortiGate unit.

For more information on signatures see:

IPS Custom Signatures

Tips for adding IPS custom signatures using the web-based manager
FortiOS 3.0
FortiOS 3.0 includes functionality to monitor and configure the IM and P2P traffic for the most popular IM clients. To configure their use through the firewall, go to the IM/P2P menu. For details on configuring the options, see the FortiGate Administration Guide.


1.1.2.6. How do I prevent Peer-to-Peer use?

Description 
How do I prevent Peer-to-Peer use?

Components All FortiGate 2.8 and 3.0 devices

Steps 
Note: These instructions are for FortiOS 2.8. For FortiOS 3.0, use the IM/P2P menu to configure file blocking; see the FortiGate Administration Guide for details. For FortiOS 2.8, see the Archived area.

FortiGate units running FortiOS 2.8 include the signatures for common Peer-to-Peer (P2P) software such as Kazaa, Gnutella, eDonkey, BitTorrent, and so on. The signatures for this type of software are included in the IPS signatures (P2P) and can be used to limit their use when users have already installed and are using the application.

To block peer-to-peer requests
Go to IPS > Signature.
Select P2P to expand the list of file sharing applications.
Select the desired P2P application and select Configure.
Select the action the FortiGate unit should take when encountering the signature.
Select OK.
Block downloads of Kazaa

While the IPS will stop the use of this type of software, you may want to also prevent users from downloading it. To do this, set the Anti-Virus Grayware options. The FortiGate unit will view downloads of this type of software as a virus and act on it according to your protection profile. On the FortiGate unit, Kazaa is defined as adware.

For details on protection profiles, see the FortiGate Administration Guide.

To add Kazaa to the Firewall protection profile
Go to Anti-Virus > Grayware.
Select Adware.

Tip: When configuring the IPS P2P signatures while Anti-Virus is enabled, set the IPS Action to "Reset" or "Reset Server".

If you are only using IPS, set the Action to "Clear Session", "Drop Session" or "Reset".

1.1.2.7. How do I block a web site?
Description  How to block users from visiting a web site.
Components  Any FortiGate unit running FortiOS 2.8 or 3.0.
Steps or Commands  
To block a web site
Go to Web Filter > URL Filter.
Select Create New.
Type in a URL or IP address.
For the Type, select Regex (Regular Expression).
For the Action, select Block.
Select Enable.
Select OK.

Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.

Enter a top-level URL followed by the path and filename to control access to a single page on a web site. For example, www.example.com/news.html or 192.168.144.155/news.html controls the news page on this web site.

To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so on.

Control access to all URLs that match patterns created using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net and so on.

1.1.3. Virus Scanning
1.1.3.1. How do I scan large files for viruses?

To configure antivirus scanning of large files (HTTP, FTP, POP3, IMAP, and SMTP)
Connect to the CLI.
Enter the following for a FortiGate unit running FortiOS 2.8:

config antivirus service <service_str>
   set memfilesizelimit <MB_integer>
   set port <port_integer>
   set uncompsizelimit <MB_integer>
end

Enter the following for a FortiGate unit running FortiOS 3.0:

config antivirus service <service_str>
   set port <port_integer>
   set uncompsizelimit <MB_integer>
end
1.1.3.2. How do I optimize CPU settings for antivirus scanning?
Description  Optimizing CPU settings for antivirus scanning.
Components  FortiGate-1000 and higher running FortiOS 2.8 or 3.0.
Steps or Commands  
The optimize feature configures CPU settings to ensure efficient operation of the FortiGate unit for either antivirus scanning or straight throughput traffic. When optimize is set to antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks to several CPUs, making scanning faster.

To optimize CPU settings for antivirus scanning
Connect to the CLI.
Enter the following:

config system global
   set optimize antivirus
end

To optimize CPU settings for throughput
Connect to the CLI.
Enter the following:

config system global
   set optimize throughput
end

1.1.3.3. Can I enable an antivirus failover for high traffic?
Description  Enabling antivirus failopen for high traffic.
Components  FortiGate-300A and higher running FortiOS 2.8 or 3.0.
Steps or Commands  
Antivirus failopen is a safeguard feature that determines the behavior of the FortiGate antivirus system if it becomes overloaded in high traffic.

To set antivirus failopen
Connect to the CLI.
Enter the following:

config system global
   set av_failopen {off|one-shot|pass}
end

1.1.3.4. How do I allow fragmented email messages to pass through?
Description  Pass fragmented email messages.
Components  All FortiGate running FortiOS 2.8 or 3.0.
Steps or Commands  
Note: There is the potential that a virus in a fragmented email will not be detected by some email virus scanners. For the most secure operation, disable email fragmentation in your email client. FortiGate Antivirus Firewalls block fragmented email by default. Using the following procedure, you can change this behavior. If you choose not to block fragmented email, users in your organization should be running host virus scanning software such as FortiClient Host Security.

To pass fragmented email (IMAP, POP3, and SMTP)
Go to Firewall > Protection Profile.
Select a protection profile or select Create New.
Select the blue arrow to expand Antivirus.
Enable Pass Fragmented Emails for required protocols.
Select OK.

1.1.3.5. How do I block oversized files or email?
Description  Blocking oversized files or email.
Components  All FortiGate running FortiOS 2.8 or 3.0.
Steps or Commands  
To block oversized files or emails
Go to Firewall > Protection Profile.
Select a protection profile or select Create New.
Select the blue arrow to expand Antivirus.
Select an action for required protocols.
Select OK.

See also How do I set a file size limit on email attachments?.

1.1.3.6. How do I set a file size limit on email attachments?
Description  Setting a file size limit on email attachments.
Components  All FortiGate running FortiOS 2.8 or 3.0.
Steps or Commands  
Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. A file may be blocked or logged as oversized even if the attachment is several megabytes less than the configured oversize threshold.

See also How do I block oversized files or email?.
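The following Python, added here and not from the original article, works through the base64 arithmetic the note above describes: it computes the encoded size of an attachment (4 characters per 3 bytes, wrapped in 76-character lines ending in CRLF as MIME bodies are), checks it against an oversize threshold, and finds the largest attachment that still fits. The 10 MB threshold and the attachment sizes are assumed values for illustration; message headers and body text add to the real total, so the encoded attachment size is a lower bound.

```python
import base64

MIME_LINE = 76  # MIME base64 bodies are wrapped at 76 characters, each line ending in CRLF
MB = 1024 * 1024


def encoded_size(raw_len: int) -> int:
    """Bytes occupied by raw_len bytes of attachment once base64-encoded for email:
    every 3 input bytes become 4 output characters (a final partial group is padded to
    4), and each 76-character line carries a 2-byte CRLF terminator."""
    b64_chars = 4 * ((raw_len + 2) // 3)
    lines = (b64_chars + MIME_LINE - 1) // MIME_LINE
    return b64_chars + 2 * lines


def reference_encoded_size(data: bytes) -> int:
    """Cross-check of encoded_size against an actual base64 encoding with 76-char CRLF lines."""
    enc = base64.b64encode(data).decode("ascii")
    wrapped = "".join(enc[i:i + MIME_LINE] + "\r\n" for i in range(0, len(enc), MIME_LINE))
    return len(wrapped)


def exceeds_threshold(raw_len: int, threshold_bytes: int) -> bool:
    """True when the encoded attachment alone already exceeds the oversize threshold."""
    return encoded_size(raw_len) > threshold_bytes


def largest_attachment_under(threshold_bytes: int) -> int:
    """Largest raw attachment size whose encoded form still fits within the threshold.
    Binary search works because encoded_size grows monotonically with raw_len."""
    lo, hi = 0, threshold_bytes
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if encoded_size(mid) <= threshold_bytes:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    threshold = 10 * MB  # assumed oversize threshold for this illustration
    for size_mb in (5, 7, 7.5, 8):
        raw = int(size_mb * MB)
        verdict = "blocked" if exceeds_threshold(raw, threshold) else "passes"
        print(f"{size_mb} MB attachment -> {encoded_size(raw) / MB:.2f} MB encoded, {verdict} at 10 MB")
    print(f"largest attachment under a 10 MB threshold: {largest_attachment_under(threshold) / MB:.2f} MB")
```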
FortiOS 3.0

To set the oversized threshold for files and email
Go to Firewall > Protection Profile.
Select a profile or select Create New.
Select the blue arrow for AntiVirus to expand the options.
Set thresholds for each protocol as required.
Select OK.
Use the protection profile in a firewall policy.
FortiOS 2.8

To set the oversized threshold for files and email
Go to Antivirus > Config > Config.
Set thresholds for each protocol as required.
Select Apply.

1.1.3.7. How do I turn on virus scanning?
Description  Enabling virus scanning.
Components  All FortiGate running FortiOS 2.8 or 3.0.
Steps or Commands  
Turn on virus scanning by adding the Scan Protection Profile to your firewall policies that accept email traffic.

To enable virus scanning
Go to Firewall > Protection Profile.
Select a protection profile or select Create New.
Select the blue arrow to expand Antivirus.
Enable Virus Scan for required protocols.
Select OK.
Use the protection profile in a firewall policy.

Note: If scanning is enabled on a protection profile, the FortiGate unit will block traffic containing a virus. If scanning is disabled on a protection profile, the FortiGate unit will neither scan for nor block a virus.

See the FortiGate online help or the "Firewall" chapter of the FortiGate Administration Guide for more information about adding firewall policies and adding protection profiles to firewall policies.

1.1.3.8. How do I enable / view Grayware scanning?
Description  Enabling and viewing grayware scanning.
Components  All FortiGate running FortiOS 2.8 or 3.0.
Steps or Commands  
To view the grayware list
Go to Antivirus > Config > Grayware.

To enable grayware scanning
Go to Antivirus > Config > Grayware.
For each grayware category, select Enable.

Note: Grayware scanning is enabled in protection profiles when antivirus scanning is enabled.
See How do I turn on virus scanning?

1.1.3.9. How do I use Protection Profiles to scan for viruses?
Description  Using protection profiles to enable virus scanning.
Components  All FortiGate running FortiOS 2.8 or 3.0.
Steps or Commands  
To configure a protection profile to scan for viruses
Go to Firewall > Protection Profile.
Select Create New to add a new Protection Profile.
Give a name to the Protection Profile.
Select Anti-Virus.
Select the options you require to apply virus scanning.
Select OK.
Add the Protection Profile to a firewall policy.

See the FortiGate online help or the "Firewall" chapter of the FortiGate Administration Guide for more information about protection profiles.

1.1.4. Quarantine
1.1.4.1. How do I quarantine files?
Description  Saving quarantined files to the hard disk or FortiAnalyzer.
Components  All FortiGate units running FortiOS 2.8 or 3.0.
Only FortiGate units with internal hard disks can store quarantined files on the hard disk. All FortiGates can save quarantined files to a FortiAnalyzer unit.
Steps or Commands  
To quarantine files to a FortiAnalyzer unit
Go to Antivirus > Quarantine > Config.
Select the services for which to quarantine files.
Select FortiAnalyzer.
If required, select Configure to configure the FortiGate unit to connect to a FortiAnalyzer unit.
See How do I send log files to a FortiLog/FortiAnalyzer unit?.
Select Apply.
Go to Firewall > Protection Profile.
Select a profile or select Create New.
Select the blue arrow to expand Antivirus.
Enable Quarantine for required protocols.
Select OK.
Use the protection profile in a firewall policy.

To quarantine files to a local disk
Go to Antivirus > Quarantine > Config.
Select Quarantine to Disk (this option is only available if your FortiGate unit has a local disk).
Select the services for which to quarantine files.
Select Apply.
Go to Firewall > Protection Profile.
Select a profile or select Create New.
Select the blue arrow to expand Antivirus.
Enable Quarantine for required protocols.
Select OK.
Use the protection profile in a firewall policy.

1.1.4.2. How do I configure heuristic scanning?
Description  Configuring heuristic scanning.
Components  All FortiGate running FortiOS 2.8 or 3.0.
Steps or Commands  
The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.

To configure heuristic scanning
Connect to the CLI.
Enter the following:
config antivirus heuristic
   set mode {pass|block|disable}
end

To configure heuristic settings on models 200 and higher
Connect to the CLI.
Enter the following:
config antivirus quarantine
   set drop_heuristic {ftp http imap pop3 smtp}
   set store_heuristic {ftp http imap pop3 smtp}
end

See also How do I enable heuristic scanning?

1.1.4.3. How do I enable heuristic scanning?
Description  Enabling heuristic scanning.
Components  All FortiGate units with a hard disk running FortiOS 2.8 or 3.0.
Steps or Commands  
To enable heuristic scanning
Go to Antivirus > Quarantine > Config.
Select the services for which to quarantine files.
Select Quarantine to Disk.
Select Enable AutoSubmit.
Select Use File Status.
Select Heuristics.
Select Apply.

Note: Configure heuristic scanning using the CLI.

See How do I configure heuristic scanning?

1.1.4.4. How do I enable auto submit for file quarantine and file blocking?
Description  Enabling auto submit for file quarantine and file blocking.
Components  All FortiGate units with a hard disk running FortiOS 2.8 or 3.0.
Steps or Commands  
To enable AutoSubmit
Go to Antivirus > Quarantine > Config.
Select the services for which to quarantine files.
Select Quarantine to Disk.
Select Enable AutoSubmit.
Select Apply.

1.1.4.5. How do I add files to the quarantine list?
Description  Adding files to the quarantine list.
Components  All FortiGate units with a hard disk running FortiOS 2.8 or 3.0.
Steps or Commands  
Configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. Add file patterns to the AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. Upload files to Fortinet based on status (blocked or heuristics), or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.

This option is only available on FortiGate units with a local disk.

To add a file pattern to the AutoSubmit list
Go to Antivirus > Quarantine > AutoSubmit.
Select Create New.
Enter the File Pattern.
Select Enable.
Select OK.

See also How do I quarantine by file pattern?

1.1.4.6. How do I quarantine blocked email files?
Description  Quarantining blocked email files.
Components  All FortiGate units running FortiOS 2.8 or 3.0.
Steps or Commands  
To quarantine blocked files (IMAP, POP3, and SMTP)
Go to Antivirus > Quarantine > Config.
Select the services for which to quarantine files.

1.1.4.7. How do I set the maximum size of a quarantined file?
Description  Setting the maximum size of a quarantined file.
Components  All FortiGate units running FortiOS 2.8 or 3.0.
Steps or Commands  
You can set the maximum file size the FortiGate unit will quarantine.

To set the maximum size of quarantined files
Go to Antivirus > Quarantine > Config.
Select the services for which to quarantine files.
Enter a Max Filesize to Quarantine.
Select Apply.

Note: Setting a large file size can affect performance.

1.1.4.8. How do I set an age limit on quarantined files?
Description  Setting an age limit on quarantined files.
Components  All FortiGate units running FortiOS 2.8 or 3.0.
Steps or Commands  
The age limit is the length of time the FortiGate stores a quarantined file.

To set the age limit for quarantined files
Go to Antivirus > Quarantine > Config.
Select the services for which to quarantine files.
Enter an Age Limit.
Select Apply.

1.1.5. Logging
1.1.5.1. How do I send log files to a FortiLog/FortiAnalyzer unit?
Description  Sending logs to FortiAnalyzer.
Components  All FortiGate units running FortiOS 2.8 or 3.0.
Steps or Commands  
FortiOS 3.0

To send log files to a FortiAnalyzer unit
Go to Log&Report > Log Config.
Select FortiAnalyzer.
Select the blue arrow beside the FortiAnalyzer selection, and set the FortiAnalyzer options.
Select Apply.
Go to Firewall > Protection Profile.
Select a protection profile or select Create New.
Select the blue arrow beside Logging to expand the options.
Enable the logging type for the log messages you want the FortiGate unit to send to the FortiAnalyzer unit.
Select Apply.
Enable the protection profile in a firewall policy.

For more information on the FortiAnalyzer settings, see the FortiGate Administration Guide.
FortiOS 2.8

To send log files to a FortiLog unit
Go to Log&Report > Log Config.
Select FortiLog.
Select the blue arrow beside the FortiLog selection, and set the FortiLog options.
Select Apply.
Go to Log&Report > Log Config > Log Filter.
Enable the logging type for the log messages you want the FortiGate unit to send to the FortiLog unit.
Select Apply.

For more information on the FortiLog settings, see the FortiGate Administration Guide.

See also
Connecting a FortiGate (2.8) unit to a FortiLog unit over an IPsec connection
Connecting a FortiGate (2.5) unit to a FortiLog unit over an IPsec connection

1.1.5.2. How do I enable traffic logging in FortiOS 2.8?

Description How to configure traffic logging for the FortiGate Antivirus Firewall.
Components FortiGate Antivirus Firewalls running FortiOS v2.80 MR6 and up.
Steps 
There are a number of steps required to set up traffic logging on the FortiGate unit.

Select and configure a logging location.

To configure a logging location
Go to Log&Report > Log Config.
Select and configure one or more locations where the FortiGate will save the log files. You can save logs to a FortiLog unit, the FortiGate local disk (if available on your device), the FortiGate unit's memory, a syslog server, or a WebTrends server.
Enable logging to the selected locations.

To enable traffic logging for the configured locations
Go to Log&Report > Log Config > Log Filter.
Enable the Traffic Log for traffic allowed by firewall policies and/or traffic that violates firewall policies.
Enable traffic logging.

You can enable the logging of traffic in two ways:
for a particular interface
for all traffic that corresponds to a particular firewall policy

To enable logging all traffic that comes to or from an interface
Go to System > Network > Interface and select the Edit icon for the interface you want to log.
Select Log, and select OK.
Repeat for each interface that you want to log.

To log all traffic for a particular firewall policy
Go to Firewall > Policy and select the Edit icon for the policy you want to log.
Select Log Traffic and select OK.
Repeat for each firewall policy you want to log.

For configuration information, see the FortiGate Administration Guide, and for log message interpretation, see the FortiGate Log Message Reference Guide.

1.1.5.3. How do I enable traffic logging in FortiOS 3.0?

Description How to configure traffic logging for the FortiGate unit.
Components All FortiGate units running FortiOS v3.0.
Steps 
There are a number of steps required to set up traffic logging on the FortiGate unit.

Select and configure a logging location.

To configure a logging location
Go to Log&Report > Log Config.
Select and configure one or more locations where the FortiGate will save the log files.
Select Apply.

Note: You cannot log traffic to memory, due to the potentially large amount of traffic logs and the amount of available log memory.
Enable traffic logging.

You can enable the logging of traffic in two ways:
for a particular interface
for all traffic that corresponds to a particular firewall policy

To enable logging all traffic that comes to or from an interface
Go to System > Network > Interface and select the Edit icon for the interface you want to log.
Select Log, and select OK.
Repeat for each interface that you want to log.

To log all traffic for a particular firewall policy
Go to Firewall > Policy and select the Edit icon for the policy you want to log.
Select Log Traffic and select OK.
Repeat for each firewall policy you want to log.

To log additional traffic including blocked traffic, IPS and spam attacks, enable logging in the protection profile (Firewall > Protection Profile).

For configuration information, see the FortiGate Administration Guide, and for log message interpretation, see the FortiGate Log Message Reference Guide.

1.1.5.4. How do I log to the hard disk in FortiOS 3.0?
Description  How to log to the hard disk in FortiOS 3.0.
Components  All FortiGate units with a hard disk.
Steps or Commands  
In FortiOS 3.0, logging to the hard disk (if the FortiGate unit has one) is still possible, but the option was moved to the CLI.

To log to the hard disk, enter the following command:

config log disk setting
    set status enable
end

Once enabled, you can configure logging options for the disk using the command config log disk setting.

You can also set additional filters using the command config log disk filter.

For full details on the command line options, see the FortiGate CLI Reference.

1.1.6. Setup and troubleshooting flowchart
Description  First time setup and flow diagram.
Components  All FortiGate units.
Steps or Commands  
The attached files are flow diagrams for first time setup of a FortiGate unit. You can also use this as a simple troubleshooting aid if you cannot connect to the Internet or to the FortiGate unit.

This document is available in Visio and MS Word formats.

1.1.7. How do I configure a Virtual IP
Description Creating a virtual IP
Components  All FortiGate units
FortiOS 2.8 and 3.0
Steps or Commands  
About virtual IPs

Virtual IP (VIP) addresses enable users from outside a private network to access services inside that network. Under normal circumstances, this is not possible because Internet routers generally do not connect to private IP addresses. For example, a user from the Internet is not able to access an internal page on a company network. However, the FortiGate unit can be configured to allow an employee of a company to access an internal web page on a private network from the Internet.

FortiGate must be in NAT/Route mode to add VIPs.

Note that when using a dynamically assigned address (DHCP or PPPoE) for your Internet connection, you can only use the Port Forwarding option, and set the External IP to 0.0.0.0.

When using static NAT the internal device will always NAT to the public IP address, regardless of how the NAT is configured in the policy.

When setting up a Virtual IP on the FortiGate for a mail server, there can be issues with mail being sent outbound through the firewall when NAT is configured. See the Fortinet Knowledge Center article How to NAT an internal mail server to the Internet for additional configuration information.

For more virtual IP articles, see Virtual IP.
Creating a static VIP

Static NAT virtual IP for a single IP address is the simplest virtual IP configuration. A single IP address on one network is mapped to another IP address on a second network. The FortiGate unit connects the two networks and allows communication between them.

To create a static VIP
Go to Firewall > Virtual IP.
Select Create New.
Enter a name for the Virtual IP you will create.
Select the interface on which traffic for the new Virtual IP will arrive.
Select Static NAT.
Enter the address for the virtual IP in External IP Address/Range.
This is the address visible to users outside the network.
Enter the internal IP address in Map to IP Address/Range.
This address is invisible to users outside the network. It is the address for the page linked to the external IP.
Select OK.
Creating a VIP with port forwarding

With port forwarding, a port or a range of ports on computers outside the network can be linked to a port or range of ports inside the network.

To create a VIP with port forwarding
Go to Firewall > Virtual IP.
Select Create New.
Enter a name for the Virtual IP you will create.
Select the interface on which traffic for the new Virtual IP will arrive.
Enter the address for the virtual IP in External IP Address/Range.
This is the address visible to users outside the network.
Enter the internal IP address in Map to IP Address/Range.
This address is invisible to users outside the network. It is the address for the page linked to the external IP.
Select Port Forwarding.
Select the protocol (TCP or UDP) you want the forwarded packets to use.
Enter the external service port number for which you want to configure port forwarding.
Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network.
Select OK
Configuring the Firewall

You must create a firewall service and a firewall policy for the Virtual IP to function and to allow traffic to flow between the VIP and the network. Keep the service restricted to the ports the server actually needs: a policy whose service is ALL permits every port that the VIP forwards, and a static NAT VIP without port forwarding maps every port of the internal host.

To create a firewall service
Go to Firewall > Service > Custom.
Select Create New
Enter a name for the new service.
Select the protocol (TCP or UDP) used by the new VIP.
Leave the default settings for Source Port.
Enter the destination port numbers for the new service.
Select OK.

To create a firewall policy
Go to Firewall > Policy.
Select Create New
Select the external interface connected to the internet for Source Interface/Zone.
Select all for Source Address Name.
Select the internal interface connected to the network for Destination Interface/Zone.
Select the virtual IP you created for Destination Address Name.
Select the service you just created from the Service options.
Select OK.
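The same VIP, service and policy as an added CLI example (not part of the original article): a mail server at 192.168.1.25 published on the external address 203.0.113.10 for TCP port 25 only. The interface names wan1 and internal, the addresses, the object names and the policy number are assumptions for illustration; the syntax follows FortiOS 3.0.

```text
# Added example, not from the original article. Interface names,
# addresses and object names are assumptions; adjust to your unit.
config firewall vip
    edit "mail_vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 192.168.1.25
        # Port forwarding limits the mapping to one port. Without it a
        # static NAT VIP maps every port of 192.168.1.25.
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
end

# Custom service restricted to the destination port the VIP forwards.
# FortiOS 3.0 uses the combined protocol name TCP/UDP with separate
# tcp-portrange and udp-portrange settings.
config firewall service custom
    edit "SMTP_in"
        set protocol TCP/UDP
        set tcp-portrange 25
    next
end

# Inbound policy from the Internet to the VIP. The service is named
# explicitly; selecting ANY here would expose every forwarded port.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "mail_vip"
        set action accept
        set schedule "always"
        set service "SMTP_in"
        set logtraffic enable
    next
end
```

Logging on the policy is enabled so that connections to the published server appear in the traffic log; with port forwarding enabled, connections to any other port of the external address are dropped before reaching the host.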

1.1.8. Link Aggregation how tos
Description  "How Tos" for link aggregation
Components  FortiGate models 310B, 620B, 800 and higher
FortiOS 3.0MR1 and higher
Steps or Commands  
How can I tell what interfaces can be used in a trunk?

The FortiGate v3.0 Administration Guide chapter on creating interfaces lists the restrictions for creating a trunk. Some of it is included below.

An interface is available for aggregation only if
it is a physical interface, not a VLAN interface
it is not already part of an aggregated interface
it is in the same VDOM as the aggregated interface
it has no defined IP address and is not configured for DHCP or PPPoE
it has no DHCP server or relay configured on it
it does not have any VLAN subinterfaces
it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
it is not an HA heartbeat interface
if it is a FortiGate-5000 backplane interface, it is visible

How do I configure an interface to use link aggregation using CLI commands?

If port2 and port3 are available, the following CLI commands create an aggregate named "link_agg" with an IP/netmask of 172.16.1.2/255.255.255.0 in the root VDOM using those two interfaces. The interface type must be set to aggregate before members can be added, and each member must meet the conditions listed above. You can optionally set other interface settings.

config system interface
    edit "link_agg"
        set vdom "root"
        set type aggregate
        set member "port2" "port3"
        set ip 172.16.1.2 255.255.255.0
    next
end

 

How do I configure my HA setup to use link aggregation?

In the HA section of the FortiGate HA Overview there is a very good explanation and diagram showing an easy way to configure two FortiGate units in an HA configuration using link aggregation.

How do I check the number of statically configured ports in a trunk?

Use the following CLI command:

show system interface <trunk-name>

How do I check the number of dynamically configured ports in a trunk and in use?

Use the following CLI command:

diagnose netlink interface name <trunk-name>

How do I check the aggregate speed of a trunk?

There is no CLI command that reports the aggregate speed of a trunk. In FortiOS 3.0 MR1 and later you can read it through SNMP instead (see the MIB articles below).

See also
802.3ad Link Aggregation FAQ

1.1.9. How do I get the MIBs for my FortiGate unit?
Description  How do I get the MIBs for my FortiGate unit?
Components  All FortiGate units
Steps or Commands  
FortiGate MIBs are available from the Fortinet Technical Support web site at http://support.fortinet.com.

To download the MIB
Log into the site using your user name and password
Once logged in, go to Firmware Images > FortiGate.
Select your FortiOS version, then the MIB directory.

If you have any questions regarding logging in or downloading the MIB, contact Fortinet Technical Support.

See also
OID for use with SNMP
Fortinet OID Values
SNMP and FortiOS v3.0 HA clusters

1.1.10. How do I configure alert email?

To configure alert email on a FortiGate unit
Go to Log&Report > Log Config > Alert E-mail.
Enter the name/address of the SMTP mail server. For example, smtp.company.com.
Enter the Email address information.
Select Authentication if your SMTP mail server requires a user name and password.
Select the alert level. The FortiGate unit sends alert email for all messages at and above the logging severity level you select.
Configure the time limit in which to send email for each logging severity level.
Select Apply.

Select Test to verify the alert email settings. The FortiGate unit sends a test email to the configured email address.

Note: Do not select test until you have selected Apply, otherwise your settings will be lost.

1.1.11. How do I convert a standalone FortiGate unit into a cluster?

Note: All FortiGate units have HA capabilities except the FortiGate-50A and 50AM.

Use the following steps to convert an already configured and installed FortiGate unit into a cluster by making this FortiGate unit the primary unit and adding subordinate units.

The new FortiGate unit must:
Be the same FortiGate model as the original FortiGate unit.
Have the same hard drive configuration as the original FortiGate unit.
Be running the same firmware version and build as the original FortiGate unit.
Configure the standalone FortiGate unit for HA
Connect to the FortiGate unit web-based manager.
Go to System > Config > HA.
Configure the FortiGate unit for HA operation.
Mode: Active-Active
Group ID: (any number between 1 and 63)
Unit Priority: 255 (Set a high priority so that this unit becomes the primary unit.)
Override Master: selected (so that this unit remains the primary unit when the cluster negotiates.)
Password: (enter and confirm a password of up to 15 characters)
Schedule: Round-Robin (Keep default settings for all others.)
Select Apply.
Configure the new cluster unit with the same HA configuration as the original FortiGate unit with two exceptions. Do not change the unit priority and do not select Override Master.
If the original FortiGate unit was operating in Transparent mode, switch the new FortiGate unit to Transparent mode.
Power off both FortiGate units. Connect the cluster to your network (see diagram).

 
Turn on the FortiGate units. As the units start, they negotiate to choose the primary unit and the subordinate unit. Because the original FortiGate unit has the highest unit priority and because you selected Override Master, the original unit becomes the primary unit. Once the cluster is up and running, the configuration of the primary unit is synchronized to the other cluster unit. This process occurs with no user intervention. When it is complete, the cluster is configured for your network and no further configuration changes are required.

1.1.12. How do I set up two FortiGate units to operate as an HA cluster?

Note: All FortiGate units have HA capabilities except the FortiGate-50A and 50AM.

Use the following steps to configure an active-active HA cluster of two identical FortiGate units operating in NAT/Route mode. These steps assume that you have just received two new FortiGate units that you are going to configure as a cluster. In other words, the FortiGate units are set to the default configuration and have the same FortiOS v2.80 firmware version.
Configure both FortiGate units for HA operation.
Turn on a FortiGate unit and connect to the web-based manager as described in your FortiGate QuickStart Guide.
Go to System > Status and change the host name. (Each FortiGate unit in the cluster should have a different host name.)
Configure HA settings.
Go to System > HA and Select High Availability.
Configure the following HA settings (keep default settings for others):
Mode: Active-Active
Group ID: (any number between 1 and 63)
Password: (enter and confirm a password of up to 15 characters)
Schedule: Round-Robin
Select Apply.
Turn off the FortiGate unit.
Turn on the other FortiGate unit and repeat these steps. Give the second FortiGate unit a different host name. Make sure both FortiGate unit HA configurations are identical, including the same Group ID and Password.
Connect the cluster to your network.

See the following diagram (a FortiGate-500 unit is shown.)

 

Turn on the FortiGate units, they will negotiate to form a cluster.
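The HA settings from 1.1.11 (converting a standalone unit) and 1.1.12 (two new units), as an added CLI example that is not part of the original article. It uses FortiOS 3.0 syntax; the group name, the password and the heartbeat interface port4 are assumptions. The first block goes on the unit that should become primary, the second on the unit being added; everything except priority and override must match on both.

```text
# Added example, not from the original article. Group name, password
# and heartbeat interface are assumptions; use your own values.

# --- On the original (or first) unit, which should become primary ---
config system ha
    set mode a-a
    set group-id 1
    set group-name "cluster1"
    set password "Str0ngHApass"
    # Highest priority plus override keeps this unit primary after
    # negotiation, as the article's web-based steps describe.
    set priority 255
    set override enable
    set schedule round-robin
    # Dedicated heartbeat interface with its heartbeat priority.
    set hbdev "port4" 50
end

# --- On the unit being added to the cluster ---
# Same group-id, group-name, password, schedule and hbdev; lower
# priority and no override, so it becomes the subordinate unit.
config system ha
    set mode a-a
    set group-id 1
    set group-name "cluster1"
    set password "Str0ngHApass"
    set priority 128
    set override disable
    set schedule round-robin
    set hbdev "port4" 50
end
```

Group ID and password are what admit a unit to the cluster, so connect the heartbeat interfaces to each other directly or through a switch that no untrusted host can reach, and do not reuse the HA password for administrator accounts.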
Add basic configuration settings

You can now configure the cluster in the same manner as a standalone FortiGate unit. This includes changing configuration settings and upgrading firmware. For example:

1. Connect to the cluster web-based manager. Use the procedure in your QuickStart Guide for connecting to the FortiGate unit web-based manager.

2. Change the administrator password.
Go to System > Admin > Administrators.
For admin, select Change password.
Enter and confirm a new password.
Select OK.

3. Configure network interfaces.
Go to System > Network > Interface.
For internal, select Edit.
Change the IP/Netmask to 192.168.20.93/24.
Select OK.
For external, select Edit.
Change the IP/Netmask to 64.29.46.67/24.
Select OK.

4. Set the default route.
Go to Router > Static.
Change the default route as required.
Select OK.


1.1.13. How do I reset the factory defaults?

This procedure clears all changes you have made to the FortiGate configuration and resets the system to its original configuration, including resetting the interface addresses. This procedure does not change the firmware version or the antivirus or attack definitions.

To reset the FortiGate unit to its factory defaults in FortiOS 2.8
Go to System > Maintenance > Shutdown.
Select Reset to factory default from the list.
Select Apply.

The FortiGate unit restarts with the configuration it had when it was first powered on.

For details on resetting the FortiGate unit, see the FortiGate Administration Guide.

To reset the FortiGate unit to its factory default in FortiOS 3.0 (up to MR3)
Go to System > Dashboard.
In the System Operation list, select Reset Factory Defaults.

Select Go.

To reset the FortiGate unit to its factory default in FortiOS 3.0 (MR4)
Go to System > Dashboard.
In the System Operation display, select Reset.

Using the command line interface

execute factoryreset

The FortiGate unit restarts with the configuration it had when it was first powered on.

For details on resetting the FortiGate unit, see the FortiGate Administration Guide.

1.1.14. How do I update the FortiGate firmware?

Only the admin account and administrators whose access profile grants read and write access to system configuration can change the FortiGate firmware.

Download the most recent firmware build from the Fortinet Technical Support web site at http://support.fortinet.com/.

To upgrade the firmware using the web-based manager

Note: Always upgrade the firmware from a local copy of the image on the management computer. Never upload the image over the Internet, where a dropped session can interrupt the upload. Back up the configuration first (see 1.1.19) so it can be restored if the upgrade fails.
Copy the firmware image file to your management computer.
Log into the web-based manager as the admin administrative user.
Go to System > Status.
Under Unit Information > Firmware Version, select Update.
Enter the path and filename of the firmware image file, or select Browse and locate the file.
Select OK.

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

If the firmware does not upgrade successfully, you may need to perform an upgrade on startup using the console cable and a TFTP server. See the FortiGate Install Guide for details on how to do this.

1.1.15. How do I get firmware updates?
Description  How do I get the latest firmware for my FortiGate unit?
Components  All FortiGate units
Steps or Commands  
FortiGate firmware (FortiOS) updates are available from the Fortinet Technical Support web site at http://support.fortinet.com.

To download the firmware
Log into the site using your user name and password
Once logged in, go to Firmware Images > FortiGate.
Select the most recent FortiOS version, and MR release.
Locate the firmware for your FortiGate unit, right-click the link and select the Download option for your browser.

If you have any questions regarding logging in or downloading the FortiOS firmware, contact Fortinet Technical Support.

1.1.16. How do I add a signature to all outgoing (SMTP) email?

To add a standard email signature
Go to Firewall > Protection Profile.
Add a new or edit an existing Protection Profile.
Select Anti-virus.
Enable "Add signature to outgoing emails:" and add the content of the signature.
Add this Protection Profile to the firewall policy that accepts outgoing SMTP traffic.

The protection profile will add the content as a signature to all SMTP email that exits your network.

1.1.17. How do I update the attack definitions

You can request updated attack definitions from the FortiProtect Distribution Network at any time. If you are licensed to receive updates and new updates are available, they are installed on your FortiGate unit.

To update your attack definitions
Go to System > Maintenance > Update Center.
Select Update Now.

See the FortiGate online help or the "System Maintenance" chapter of your FortiGate Administration Guide for more information about updating your attack definitions.

1.1.18. How do I update my virus definitions?

You can request updated antivirus definitions from the FortiProtect Distribution Network at any time. If you are licensed to receive updates and new updates are available, they are installed on your FortiGate unit.

To update your virus definitions
Go to System > Maintenance > Update Center.
Select Update Now.

See the FortiGate online help or the "System Maintenance" chapter of your FortiGate Administration Guide for more information about updating your virus definitions.

1.1.19. How do I back up my FortiGate configuration?

To backup your FortiGate configuration
Go to System > Maintenance > Backup & Restore.
Select the system configuration to backup.

You can backup the following:
System Configuration
Debug Log
Web Filtering lists
  Web Content Block
  Web URL Block List
  Web URL Exempt List
Spam Filtering lists
  IP Address
  RBL & ORDBL
  Email Address
  MIME Headers
  Banned Word
IPS User-Defined Signatures
All VPN Certificates

See the FortiGate online help or the "System Maintenance" chapter of your FortiGate Administration Guide for more information about backing up your configuration.
1.1.20. How do I change the FortiGate administrator password?

To change the FortiGate administrator password
Go to System > Admin > Administrators.
Select the Change Password icon next to the administrator account you want to change the password for.
Enter and confirm the new password.
Select OK.

See the FortiGate online help or the "System Admin" chapter of your FortiGate Administration Guide for more information about configuring FortiGate administrator accounts.

1.1.21. How do I specify a default gateway for the FortiGate unit?

The FortiGate unit ships with a factory configured default static route, which provides you with a starting point to configure the default gateway. The default static route is associated with an IP address of 0.0.0.0 and a network mask of 0.0.0.0. You must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit.

The factory configured default static route may be edited as follows through the web-based manager. For more information, see the "Router" chapters of the FortiGate Administration Guide.

To edit the default static route
Go to Router > Static.
In the Static Route list, select the Edit icon in the row that corresponds to the default static route.
In the Gateway field, type the IP address of the default gateway (for example, a next-hop router).
From the device field, select the name of the interface that has a link to the default gateway (for example, external or wan1).
Select OK

1.1.22. How do I disable the broadcasting of my SSID?

The Service Set Identifier (SSID) is the network name shared by all users on a wireless network. Wireless users configure their wireless devices to connect to the network that broadcasts the network name.

You can turn off the broadcasting of the SSID, which hides the wireless network from casual discovery. It is not a security control: the SSID is still sent in the clear when clients associate, so anyone with a wireless sniffer can learn it. Use wireless encryption and authentication to keep unwanted users off the network.

To turn off SSID broadcasting
Go to System > Wireless.
Select Disable for the SSID Broadcast.
Select OK.
1.1.23. How do I access my internal servers (or services) from the Internet?
Description How to access internal servers (or services) from the Internet

Components All FortiGate units
v2.50, v2.80
Steps or Commands 
Internal email (SMTP), web (HTTP), and FTP servers, can be accessed from the Internet as long as an external public IP address is mapped (or linked) to the server's private internal IP address, on the FortiGate unit. The creation of this mapping is called 'Virtual IP' or 'VIP'. Other commonly used names are 'Static NAT table' or 'Static Port mapping'.

You will need to perform this same type of configuration if you are attempting to access from the Internet, an internal host behind the FortiGate unit that is running something such as Windows Remote Desktop (RDP), PC Anywhere, VNC or Citrix services.

For further information on the usage and configuration of a VIP, see the 'Virtual IP' chapter of the FortiGate Administration Guide.

1.1.24. How do I add a Ping Server?
Description How to set up a ping server and dead gateway detection on a FortiGate unit.
Components All FortiGate units.
Steps or Commands 
Use a ping server in conjunction with dead gateway detection and a redundant Internet connection. If the primary connection fails, the redundant connection (for example, a modem on a FortiGate-60M) replaces the down connection. The ping server automatically pings an IP address on the next hop router to verify when the connection is up and active again, and the FortiGate unit then switches back to the primary Internet connection.
Adding a Ping server

To add a ping server to an interface
Go to System > Network > Interface.
Choose an interface and select Edit.
Set Ping Server to the IP address of the next hop router on the network connected to the interface.
Select the Enable check box.
Select OK to save the changes.
Dead gateway detection

The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure the FortiGate unit can connect to that IP address. Modify the dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration.

To modify dead gateway detection
Go to System > Network > Options.
For Detection Interval, type a number in seconds to specify how often the FortiGate unit tests the connection to the ping target.
For Fail-over Detection, type a number of times the connection test fails before the FortiGate unit assumes the gateway is no longer functioning.
Select Apply.
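The ping server and dead gateway detection above, together with the default gateway from 1.1.21, as an added CLI example that is not part of the original article. It shows the configuration that makes failover actually happen: two default routes with different administrative distances, and gateway detection on the primary interface so that its route is withdrawn when the next hop stops answering. Interface names wan1 and wan2, the gateway addresses and the timers are assumptions, and the command names are the FortiOS 3.0 ones (gwdetect and detectserver on the interface, interval and failtime in system global).

```text
# Added example, not from the original article. Interface names,
# gateway addresses and timers are assumptions.

# Primary default route (lower distance wins) and backup default route.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 20
    next
end

# Ping server on the primary interface: ping the next hop router.
# When detection fails, route 1 is removed and route 2 takes over;
# when the next hop answers again, route 1 is restored.
config system interface
    edit "wan1"
        set gwdetect enable
        set detectserver 203.0.113.1
    next
end

# Dead gateway detection timers: test every 5 seconds, declare the
# gateway dead after 3 consecutive failures.
config system global
    set interval 5
    set failtime 3
end
```

Point the ping server at the next hop router itself rather than at a distant host, so that a failure of the router is what triggers failover rather than an outage somewhere further along the path.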

 

1.1.25. How do I display the FortiGate unit ARP table?

All FortiGate devices. v2.50, v2.80, v3.0

These commands may also apply to other Fortinet devices, such as FortiAnalyzer, FortiMail, etc.

v2.50: get sys inter

v2.80: diag netl neighbor list

v3.0: get sys arp
1.1.26. How do I configure PPTP?
Description  Configuring PPTP
Components  All FortiGate units running in NAT/Route mode
FortiOS 2.8 and 3.0MR1
Steps or Commands  
To set up PPTP connections on a FortiGate unit you must complete the following steps:
Add the users who will be connecting to the network using PPTP.
Configure user groups to add and maintain user lists.
Create a PPTP range (it can be part of the existing internal network).
Create firewall address entries for the PPTP range and for the internal subnet.
Create the firewall policy.
Adding Users

To add PPTP users
Go to User > Local.
Select Create New and add the user name and password.
Select OK.
Adding Groups

To create a group and add users to the group
Go to User > User Group.
Select Create New.
Enter a group name.
Select user names from the Available Users list and select the arrow to move the user to the Members list.
Select OK.
Create a PPTP Range

To create a PPTP range
Go to VPN > PPTP.
Select Enable PPTP.
Enter the Starting IP and Ending IP values.
Select the user group created above.
Select Apply
Create a PPTP address range and internal subnet address entries

To create the subnet addresses
Go to Firewall > Address.
Select Create New.
Enter a name for the PPTP address range, and the IP address range.
Select OK.
Select Create New.
Enter a name for the internal address, and enter the internal IP address.
Select OK.
Create the Firewall Policy

Add a firewall policy to allow the traffic from the PPTP connection into the internal network.

To add a firewall policy
Go to Firewall > Policy.
Select Create New.
Set the Source Interface to the external port connecting to the Internet.
Set the Source Address to the PPTP address range created above.
Set the Destination Interface to the internal interface connecting to the internal network.
Set the Destination Address to the internal address created above.
Set the required schedule, service and action, or leave them as the defaults. Prefer a service restricted to what the remote users need over ANY.
Select OK.
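The five PPTP steps above as one added CLI example, not part of the original article. The user name test and the address pool 10.101.101.1 to 10.101.101.20 match the debug output later in this section; the internal subnet 192.168.1.0/24, the interface names wan1 and internal, the object names and the policy number are assumptions. The syntax follows FortiOS 3.0.

```text
# Added example, not from the original article. Subnet, interface
# names, object names and policy number are assumptions.

# 1. Local user (replace the placeholder with a strong password).
config user local
    edit "test"
        set type password
        set passwd "<strong-password>"
    next
end

# 2. Group that the PPTP server will authenticate against.
config user group
    edit "pptp_users"
        set member "test"
    next
end

# 3. PPTP server: address pool handed to clients and the allowed group.
config vpn pptp
    set status enable
    set sip 10.101.101.1
    set eip 10.101.101.20
    set usrgrp "pptp_users"
end

# 4. Address objects for the pool and for the internal subnet.
config firewall address
    edit "pptp_range"
        set type iprange
        set start-ip 10.101.101.1
        set end-ip 10.101.101.20
    next
    edit "internal_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# 5. Policy from the PPTP pool into the LAN. Destination and service
#    are the place to narrow what remote users can reach.
config firewall policy
    edit 20
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "pptp_range"
        set dstaddr "internal_lan"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
```

Replace "ANY" with the specific services the remote users need, and replace "internal_lan" with the individual servers they need to reach, once the connection has been tested.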
Client side connection

For the PPTP client, the user can use the Microsoft Windows New Connection Wizard to configure a VPN connection to the FortiGate unit.

For information on modifying the PPTP client gateway information, see the Fortinet Knowledge Center article Windows PPTP client gateway settings when connecting to a FortiGate unit.

Below is the debug output showing a successful connection. Note that the client authenticates with MS-CHAPv2 and the tunnel is protected with MPPE; both are considered cryptographically weak today, so use an IPSec or SSL VPN instead of PPTP wherever the client supports it.

Fortigate-500 # diag debug en

Fortigate-500 # diag debug app ppp 255

Fortigate-500 # id=29013 msg="pppd is started"
using channel 2
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
Parent: pptp

PPP send: LCP Configure_Request id(1) len(25) [Asnync_Control_Character_Map 00 00 00 00] [Authentication_Protocol CHAP algorithm=81] [Magic_Number 3B8F19FA] [Protocol_Field_Compression] [Address-and-Control-Field-Compression]
PPP recv: LCP Configure_Ack id(1) len(25) [Asnync_Control_Character_Map 00 00 00 00] [Authentication_Protocol CHAP algorithm=81] [Magic_Number 3B8F19FA] [Protocol_Field_Compression] [Address-and-Control-Field-Compression]
PPP recv: LCP Configure_Request id(1) len(21) [Maximum_Received_Unit 1400] [Magic_Number 511E70D5] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Call_Back]
PPP send: LCP Configure_Ack id(1) len(21) [Maximum_Received_Unit 1400] [Magic_Number 511E70D5] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Call_Back]
PPP send: CHAP Challenge id(1)
PPP recv: LCP Identification id(2) len(18)
PPP send: LCP Code_Reject id(2) len(22)
PPP recv: LCP Identification id(3) len(26)
PPP send: LCP Code_Reject id(3) len(30)
PPP recv: CHAP Response id(1)
PPP send: CHAP Success id(1) msg(S=6ABB4A1BF63E53333D5CC6996E6FCCAEFD2B894B)
PPP send: CBCP
id=29002 user=test local=192.168.182.156 remote=192.168.182.64 assigned=10.101.101.1 action=auth_success msg="User 'test' using pptp with authentication protocol MSCHAP_V2, succeeded"
MSCHAP-v2 peer authentication succeeded for test
PPP recv: CBCP
Callback: none
PPP send: CBCP
PPP send: IPCP Configure_Request id(1) [IP_Address 192.168.182.156] [IP_Compression_Protocol Van Jacobson] [Primary_DNS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0]
PPP send: CCP Configure_Request id(1) [Deflate] [MVRCA] [Microsoft_PPC] [BSD_LZW_Compress]
PPP recv: CCP Configure_Request id(4) [Microsoft_PPC]
PPP send: CCP Configure_Nak id(4) [Microsoft_PPC]
PPP recv: IPCP Configure_Request id(5) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
PPP send: IPCP Configure_Reject id(5) [Primary_DNS_IP_Address 0.0.0.0] [Primary_ WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
PPP recv: IPCP Configure_Reject id(1) [IP_Compression_Protocol Van Jacobson] [Primary_DNS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0]
PPP send: IPCP Configure_Request id(2) [IP_Address 192.168.182.156]
PPP recv: CCP Configure_Reject id(1) [Deflate] [MVRCA] [BSD_LZW_Compress]
PPP send: CCP Configure_Request id(2) [Microsoft_PPC]
PPP recv: CCP Configure_Request id(6) [Microsoft_PPC]
PPP send: CCP Configure_Ack id(6) [Microsoft_PPC]
PPP recv: IPCP Configure_Request id(7) [IP_Address 0.0.0.0]
PPP send: IPCP Configure_Nak id(7) [IP_Address 10.101.101.1]
PPP recv: IPCP Configure_Ack id(2) [IP_Address 192.168.182.156]
PPP recv: CCP Configure_Nak id(2) [Microsoft_PPC]
PPP send: CCP Configure_Request id(3) [Microsoft_PPC]
PPP recv: IPCP Configure_Request id(8) [IP_Address 10.101.101.1]
PPP send: IPCP Configure_Ack id(8) [IP_Address 10.101.101.1]
Cannot determine ethernet address for proxy ARP
local IP address 192.168.182.156
remote IP address 10.101.101.1
PPP recv: CCP Configure_Ack id(3) [Microsoft_PPC]
MPPC + MPPE 128 bit, stateless compression enabled

Fortigate-500 # diag debug dis

Fortigate-500 # diag debug app ppp 0

1.1.27. How do I adjust maximum transmission unit value?

The default MTU is 1500. You can adjust the MTU in FortiOS 2.8 and FortiOS 3.0.

To change the MTU on a given port
Go to System > Network > Interface.
Select the Edit icon for the interface.
Select Override default MTU value (1500).
Enter the new MTU value.
Select OK.

See also
Jumbo Frames (Glossary)
Which FortiGate models support jumbo frames?

1.1.28. How do I change the error messages displayed when a user browses a blocked site?
Description  Changing the messages the FortiGate unit displays to users when accessing blocked web sites, email, FTP sessions or infected email attachments.
Components  All FortiGate units.
Steps or Commands  
Error messages that appear in the browser when a user attempts to visit a blocked web site, or a site filtered by FortiGuard, are HTML messages displayed by the FortiGate unit. These messages are not hard coded, and you can change them as required.

To change an error message
Go to Config > Replacement Messages.
Select the blue arrow for the message category to expand the list.
Select Edit for a message, and modify the contents as required.
Select OK when done.

Replacement messages can be text or HTML messages. You can add HTML code to HTML messages; the allowed format is listed with each message. There is a maximum of 8192 characters for each replacement message.

In addition, replacement messages can include replacement message tags. When users receive the replacement message, each tag is replaced with content relevant to the message. The FortiGate Administration Guide lists the tags that you can add.

For details on the message tags, see the FortiGate Administration Guide or the FortiGate Online Help.

1.1.29. How to define a policy for a small set of users, without affecting all users.
Description  How to define a policy for a small set of users, without affecting all users.
Components  All FortiGate units.
Steps or Commands  
In some cases, it is necessary to create unfiltered access to the Internet for a small subset of administrative users or servers on your LAN. The following steps are the basic steps to configure this, assuming a filtered outgoing policy already exists in your FortiGate unit.
Define an address object using each static IP for the PCs by going to Firewall > Address.
Define an address group, for the entries created in the previous step by going to Firewall > Group.
Create a new internal to wan1 firewall policy, where this group is the source address. Ensure NAT is enabled.
Move this new policy above your standard policy for Internet access.

Whenever a user accesses the Internet, they will still use the older policy unless they are a member of the group you define.
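The four steps above as an added CLI example, not part of the original article. It assumes the existing filtered Internet policy is policy 1, that the unfiltered hosts are 192.168.1.10 and 192.168.1.11, and uses the interface names internal and wan1 from the steps; the object names and the new policy number are assumptions. The syntax follows FortiOS 3.0.

```text
# Added example, not from the original article. Host addresses, object
# names, policy numbers and the existing policy ID are assumptions.

# 1. One address object per host (/32 mask).
config firewall address
    edit "admin_pc1"
        set subnet 192.168.1.10 255.255.255.255
    next
    edit "admin_pc2"
        set subnet 192.168.1.11 255.255.255.255
    next
end

# 2. Group the hosts so the policy has a single source address.
config firewall addrgrp
    edit "unfiltered_hosts"
        set member "admin_pc1" "admin_pc2"
    next
end

# 3. Unfiltered internal-to-wan1 policy with NAT, no protection profile.
#    Logging stays on so the exempted traffic is still visible.
config firewall policy
    edit 30
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "unfiltered_hosts"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set logtraffic enable
    next
    # 4. Policies are matched top down, so the exception must sit above
    #    the filtered policy (policy 1 here) or it never matches.
    move 30 before 1
end
```

Because matching stops at the first policy, anyone who can use one of the listed addresses (for example by setting it statically) gets the unfiltered path; keep the group small and review it periodically.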

The FortiGate Administration Guide provides further detail on each component of the configuration.

1.2. Using a FortiLog/FortiAnalyzer unit

How to articles for using and configuring a FortiLog or FortiAnalyzer unit.
For detailed and technical information, see the FortiLog Administration Guide or the FortiAnalyzer Administration Guide.
1.2.1. How do I upgrade the FortiLog firmware?

Download the most recent firmware build from the Fortinet Technical Support web site at http://support.fortinet.com/.

To upgrade the firmware using the web-based manager
Copy the firmware image file to your management computer.
Log on to the web-based manager as the administrative user.
Go to System > Status > Status.
Select Update.
Enter the path and filename of the firmware image file, or select Browse and locate the firmware image file.
Select OK.

The FortiLog or FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, resets the configuration, restarts, and displays the login. This process takes a few minutes. Because the configuration is reset, back up the system settings first (see 1.2.2).

1.2.2. How do I back up my FortiLog configuration?

To backup up system settings
Go to System > Status > Status.
For System Settings, select Backup.
Select Backup system settings.
Type a name and location for the file, and select OK.

1.2.3. How do I see real names in reports?

For FortiLog reports, you can view real names rather than IP addresses to better identify the source and destination of network traffic. To do this, set up IP aliases.

To set host alias names
Go to Reports > IP Aliases.
Select Create New.
Enter a name for the host, network or IP address range in the Alias text box.
Enter the IP address of the host, network or IP range. For example:
10.1.1.1
10.1.1.1/24
10.1.1.0/24
10.1.0.0/16-10.9.0.0
10.1.0.0/16-10.9.0.0/16

1.2.4. How do I configure alert email messages?

The FortiLog unit can send alert messages for alerts for its own status, or the status of the devices configured on the FortiLog unit. In both cases, you must first configure the email server.

To configure the email server
Go to System > Alert Email > Server.
Enter the SMTP Server address and user name.
Select Authentication if required, and enter the required password.
Select OK.

To configure alert email for FortiLog events
Go to System > Alert Email > Local.
Select Enable
Enter the email address(es) where you want the messages sent.
Select the level and the number of events and their frequency before triggering the alert email message.
Select Apply.

To configure alert email messages for other device events
Go to System > Alert Email > Device.
Select the device and the alert criteria.
Enter the email address(es) where you want the message sent.
Select OK.

For further details on configuring device and FortiLog alert email messages, see the FortiLog Administration Guide

1.2.5. How do I get it to show the listings of all BLOCKED sites?

Use the search function in the Logs section to locate blocked URLs for a user's IP address.

Go to Logs > Search and enter blocked <ip address>

where <ip address> is the IP address of the user.

1.3. Using FortiClient

How to articles for using and configuring a FortiClient. For detailed and technical information, see the FortiClient documentation.
1.3.1. How do I uninstall FortiClient?
Description  How do I uninstall FortiClient?
Components  FortiClient 2.0 and higher
Steps or Commands  
To uninstall FortiClient from a computer
In Microsoft Windows, go to Start > Settings > Control Panel > Add/Remove Programs.
In the Currently Installed Programs list, select FortiClient.
Select Change.
The FortiClient Install Shield application launches.
Select Next.
Select Remove, then Next.
Verify whether you want to remove the user configuration data and select Next.
Select Remove to uninstall the FortiClient application.

Note: You must restart your computer to complete the removal of FortiClient.

1.3.2. Fortinet VPN Quick Start Guide

This quick start guide explains how to configure the FortiClient Host Security application or a FortiGate unit to connect to a remote network.

1.3.3. Connecting to a Remote Network through a VPN

This technical note describes how to connect to a remote network through a VPN using the FortiClient Host Security application. It also describes how to configure a FortiGate unit to create a VPN to a remote network.

1.3.4. How do I do a quick virus scan of my computer?

To perform a quick virus scan of your computer

Go to AntiVirus > Scan.
Select Quick Scan.
1.3.5. How do I schedule antivirus scanning?

To schedule antivirus scanning
Go to AntiVirus > Scan.
For Scheduled Scan, select Add.
Add the schedule.
1.3.6. How do I scan a specific file or directory?

To scan a specific file or directory
Go to AntiVirus > Scan.
For File System Scan, select Browse and locate the file or directory.
Select Scan Now.
1.3.7. How do I use the firewall feature to protect my home computer?

To use the FortiClient firewall feature for home use
Go to Firewall > Status.
For Firewall Mode, select Normal.
For Profile, select Basic home use.
1.3.8. How do I prevent my children from surfing unhealthy web sites?

To block web sites that are unsuitable for children
Go to WebFilter > WebFilter.
Select Modify Settings.
Select Enable webfilter.
For Current profile, select Child.
1.3.9. How do I block a specific web site?

To block a specific web site
Go to WebFilter > WebFilter.
Select Modify Settings.
Select Settings.
Select Add and enter the URL.
Select OK.
1.3.10. Can I use FortiClient on a computer with Microsoft IPSec?

You can use FortiClient on a computer using Microsoft IPSec.

When installing FortiClient
Select the Custom Install option.
For the IPSec VPN and Firewall features, select "This feature will not be available".
Select Next and follow the installation wizard to completion.

FortiClient installs without IPSec VPN or Firewall. You can use the other network protection features of FortiClient, such as antivirus, antispam and URL filtering.

1.3.11. Can I install FortiClient on a PC with the Cisco VPN client?

Yes. FortiClient 3.0 MR2 or later can coexist with the Cisco VPN client. You cannot use the two VPN clients at the same time, but each will work separately.

Note: When installed on a PC with the Cisco VPN client, the FortiClient DHCP over IPSec and Manual Virtual IP features do not work. This has been corrected in FortiClient 3.0 MR5. The latest firmware is available on the Technical Support Web Site.

1.3.12. Can I run FortiClient on Microsoft Vista?

FortiClient will run on Microsoft Vista. You must use at least version 3.0 MR4 (build 395) which supports Microsoft Vista (both 32-bit and 64-bit).

To obtain this version, go to https://support.fortinet.com.

1.4. Using a Macintosh and the web-based manager
Description  Mac OS browsers for use with Fortinet hardware web-based managers.
Components  All Fortinet products
Mac OS X
Steps or Commands  
You can use a Macintosh computer to administer a Fortinet product including a FortiGate, FortiLog/FortiAnalyzer, FortiManager and FortiMail.

Fortinet tests its web-based managers with Firefox and Internet Explorer on Windows. The following Mac OS browsers have also been reported to work with the web-based manager; results may vary.
Camino
FireFox
Safari running with Mac OS 10.5 (Leopard)

See also:
Windows compatible web browsers
Recommended minimum screen resolution for FortiManager
Web-based manager not functioning correctly

1.5. Supported Windows web browsers
Description  Web browsers that run under Microsoft Windows and are compatible with or supported by Fortinet product web-based managers.
Components  All Fortinet products
Microsoft Windows 95, XP, Vista
Steps or Commands  
If you are running a Microsoft Windows operating system, use one of the following web browsers to administer Fortinet products through the web-based manager:
Internet Explorer 6
Internet Explorer 7
FireFox 2.0 and higher

See the Install Guides for details on how to connect to the web-based manager using a web browser.

See also:
Using a Macintosh and the web-based manager
Recommended minimum screen resolution for FortiManager
Web-based manager not functioning correctly

1.6. How to increase the number of VDOMs on your FortiGate unit
Description  By default, FortiGate units support a maximum of 10 virtual domains (VDOMs). On high-end FortiGate models, FortiGate 3000 and higher, you can increase the number of VDOMs to 25, 50, 100, 250, or 500 by purchasing a license key from Fortinet.
Components  FortiGate unit - model 3000 or higher
FortiOS firmware - version 3.0
Procedure  
To obtain a VDOM license key
Record your FortiGate unit serial number. You can find the serial number in the web-based manager on the System Status page.
Log in to the Fortinet Support website and use the serial number of your registered FortiGate unit to purchase a license key for 25, 50, 100, 250, or 500 VDOMs.
When you receive your license key, go to System > Maintenance > License on your FortiGate unit.
In the License Key field, enter the 32-character license key you received from Fortinet.
Select Apply.
To verify the VDOM license was upgraded, go to the System Status page under License Information to confirm VDOMs Allowed is now the upgraded license number.

Note: When configuring 250 or more VDOMs, you may experience performance issues. For more information on this, see the KC article Performance issues with 250 or more VDOMs.

1.7. Authenticate a CLI administrator using an SSH public-private key pair
Description  FortiGate units running FortiOS 3.0 MR3 or later can use a public-private key pair to authenticate up to three administrators who connect to the CLI using an SSH client. This article describes how to configure a Windows SSH Secure Shell client and a FortiGate unit for public-private key authentication.
Components  SSH Secure Shell application
(this article is based on version 3.2.2)
FortiGate unit with FortiOS 3.0 MR3 or later.
Procedure
Create the public-private key pair

In the SSH Secure Shell application, do the following:
Go to Edit > Settings.
In the tree view, select Global Settings > User Authentication > Keys.
Select Generate New.
The Key Generation wizard starts.
Select Next.
Select the Key Type and Key Length.
The defaults of DSA and a 2048-bit key work with the FortiGate unit. If your client offers RSA, prefer it: current OpenSSH releases disable ssh-dss keys by default (since OpenSSH 7.0), so a DSA key can leave you unable to log in from other clients later.
Select Next.
Wait for key generation to complete.
Select Next.
Enter a name for your private key file and enter the passphrase you will use to access the private key. You must enter the passphrase identically in the two Passphrase fields. Select Next.
Select Finish.
The Upload Public Key function is not compatible with FortiGate units.
From the Keys list, select your private key file and then select View.
Notepad opens showing your public key.
In the SSH Secure Shell application Settings window, select OK to close the Settings window.

The text displayed in Notepad contains your public key plus some other information. You need to copy only the key data to the FortiGate unit.
Copy the public key to the FortiGate unit

Log in to the FortiGate CLI, and do the following:
Enter the following commands:
  config system admin
    edit admin
      set ssh-public-key1 "<key-type> <key-value>"
<key-type> must be ssh-dss for a DSA key or ssh-rsa for an RSA key. For <key-value>, you must copy and paste the public key data from the Notepad window to the CLI one line at a time. Observe the following so that you copy only the key data:

Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: "[2048-bit dsa,...]" lines.
Do not copy the ---- END SSH2 PUBLIC KEY ---- line.
Do not copy the end-of-line characters that appear as small rectangles in Notepad.

The command, including the key data, appears as a single long line of text unless your CLI console application wraps the displayed text for you. Make sure that you paste each line of key data at the end of the previously pasted data. Do not forget to type the closing quotation mark before you press Enter.
Enter the end command.

Your SSH Secure Shell application can now authenticate to the FortiGate unit based on SSH keys instead of using the administrator password.

1.8. How to use RSA SecurID authentication on a FortiGate unit
Description  This article describes how to set up RSA SecurID authentication on a FortiGate unit.
Components  a FortiGate unit running FortiOS 3.0
an RSA ACE/Server 5.1
a RADIUS server

The RADIUS server uses information from the RSA ACE/Server to validate authentication requests from the FortiGate unit.
SecurID configuration
Configure the RADIUS server

You need to configure the RADIUS server to work with the RSA ACE/Server. See the RSA ACE/Server Administrator's Guide.
Configure the RSA ACE/Server to support the RADIUS server

See the RSA ACE/Server Installation Guide.
Configure the FortiGate unit as an Agent Host

You need to set up the FortiGate unit as an Agent Host within the RSA ACE/Server database.
On the RSA ACE/Server computer, go to Start > Programs > RSA ACE/Server, and then Database Administration - Host Mode.
On the Agent Host menu, select Add Agent Host.
In the Name field, enter a name for the FortiGate unit.
In the Network address field, enter the FortiGate unit IP address.
Select Secondary Nodes and define all hostname/IP addresses that resolve to the FortiGate unit.

If needed, refer to the RSA ACE/Server documentation for more information.
FortiGate configuration
Add the RADIUS server

The FortiGate unit will use the RADIUS server to authenticate SecurID users.
Go to User > RADIUS and select Create New.
In the Name field, enter a name for the RADIUS server.
In the Server Name/IP and Server Secret fields, enter the address and shared secret of the RADIUS server you configured for use with SecurID.
Create a SecurID user group

You need to create a user group with the SecurID RADIUS server as its only member.
Go to User > User Group.
Select Create New.
In the Name field, enter a name for the group.
In the Available Users/Groups list, select the RADIUS server you configured for use with SecurID.
Select the right arrow button to move the selected server to the Members list.
Select OK.
Use the SecurID user group for authentication

You can use the SecurID user group in several FortiGate features that authenticate by user group:
Firewall policies - select the Authentication checkbox and add the SecurID user group to the Allowed list.
XAuth in dialup VPN - in the VPN Phase 1 configuration Advanced settings, in the XAuth section, select Enable as Server and choose the SecurID user group.
PPTP VPN - in the PPTP configuration, choose the SecurID user group.

For more information about configuring these features, see the FortiGate Administration Guide.
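As an added illustration of the exchange the steps above set up (this is example code written for this page, not FortiGate or RSA software), the following Python models the FortiGate as the RADIUS client and a minimal RADIUS server standing in for the one in front of the ACE/Server. It uses PAP, so the SecurID passcode travels in the User-Password attribute obfuscated under the shared secret as RFC 2865 section 5.2 specifies, and it shows why the Server Secret must match on both ends: with a mismatched secret the server cannot recover the passcode and the FortiGate cannot validate the Response Authenticator on the reply. The user name, passcode, secret and addresses are constructed sample values, and the passcode check against a dictionary stands in for the ACE/Server lookup.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

# RFC 2865 packet codes and attribute types used in this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same construction; trailing NUL padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type (1 octet), Length (1 octet, includes header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, user: str, passcode: str, secret: bytes,
                         nas_ip: str, request_auth=None) -> tuple:
    """What the FortiGate (the NAS) sends. PAP: the passcode rides in User-Password."""
    request_auth = request_auth or os.urandom(16)  # must be fresh and unpredictable per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, encode_user_password(passcode.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def radius_server_reply(request: bytes, secret: bytes, valid: dict) -> bytes:
    """Stand-in for the RADIUS server: recover the passcode, check it (here against a
    dict; the real server asks the ACE/Server) and answer with a signed Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode("utf-8", "replace")
    passcode = decode_user_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(valid.get(user, "").encode(), passcode)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """Client side: trust a reply only if its Response Authenticator checks out under
    the shared secret. Returns the reply code, or None for a forged or mis-keyed reply."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    return header[0]


if __name__ == "__main__":
    secret = b"radius-shared-secret"  # constructed sample: the Server Secret field value
    req, ra = build_access_request(1, "alice", "1234567890", secret, "172.20.120.171")
    reply = radius_server_reply(req, secret, {"alice": "1234567890"})
    print("reply code:", verify_reply(reply, ra, secret))  # 2 = Access-Accept
```

Run as a script it shows one accepted request; swapping the secret on either side turns the result into a reply the other side cannot verify, which is what a wrong Server Secret looks like on the wire. The Request Authenticator is random per request in real use; only the test fixes it to make the packets reproducible.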

1.9. How to download a FortiGate configuration file using secure file copy (SCP)
Description  You can use secure copy (SCP) protocol to download the configuration file from FortiGate units running FortiOS 3.0 MR3 or later. This article describes how to enable SCP download on the FortiGate unit and use typical SCP client programs.
Components  
FortiGate unit with FortiOS 3.0 MR3 or later.

Management computer with SCP client application
Configure the FortiGate unit
Enable SCP

Using the Web-based manager:

Go to System > Admin > Settings.

Select Enable SCP.

Select Apply.

Using the CLI:
config system global
  set admin-scp enable
end
Enable SSH access on the interface

SCP uses the SSH protocol to provide secure file transfer. The interface you use for administration must allow SSH access. Enable SSH only on the interface you actually use for management; on an Internet-facing interface it exposes the administrator login to password guessing, so if you must enable it there, restrict the administrator account to trusted hosts.

Using the Web-based manager:

Go to System > Network > Interface.

Select the Edit icon for the interface you use for administrative access.

In the Administrative Access section, select the SSH check box.

Select OK.

Using the CLI:

Enter show system interface <interface name>
and note the allowaccess setting, e.g.: ping https

Add ssh to the allowaccess setting:
config system interface
  edit <interface name>
    set allowaccess ping https ssh
end
Use the SCP client
The FortiGate unit configuration file name is sys_config. Use the following syntax to download the file:

Linux

scp admin@<FortiGate_IP>:sys_config <location>

Windows

pscp admin@<FortiGate_IP>:sys_config <location>
Examples
These examples show how to download the configuration file from a FortiGate unit at IP address 172.20.120.171, using Linux and Windows SCP clients.

Linux client example

To download the configuration file to a local directory called ~/config, enter the following command:

scp admin@172.20.120.171:sys_config ~/config

Enter the admin password when prompted.

Windows client example

To download the configuration file to a local directory called c:\config, enter the following command in a Command Prompt window:

pscp admin@172.20.120.171:sys_config c:\config

Enter the admin password when prompted.
Optional public-private key authentication
An SCP client authenticates to the FortiGate unit in the same way as an administrator using SSH to access the CLI. Instead of using a password, you can configure the SCP client and the FortiGate unit with a public-private key pair.

To configure public-private key authentication

Create a public-private key pair using a key generator tool compatible with your SCP client.

Save the private key to the location on your computer where your SSH private keys are stored.
This step depends on your SCP product. The SSH Secure Shell key generator automatically stores the private key. In the PuTTY Key Generator, you must manually save the private key.

Copy the public key to the FortiGate unit. You do this in the FortiGate CLI, as follows:
Enter:
config system admin
  edit admin
    set ssh-public-key1 "<key-type> <key-value>"

<key-type> must be ssh-dss for a DSA key or ssh-rsa for an RSA key. For <key-value>, you must copy the public key data and paste it into the CLI command.

If you are copying the key data from Windows Notepad, observe the following so that you copy the key data correctly:
Copy one line at a time and make sure that you paste each line of key data at the end of the previously pasted data.
Do not copy the end-of-line characters that appear as small rectangles in Notepad.
Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: "[2048-bit dsa,...]" lines.
Do not copy the ---- END SSH2 PUBLIC KEY ---- line.

Type the closing quotation mark and press Enter.

Enter the end command.

Your SCP client can now authenticate to the FortiGate unit based on SSH keys instead of an administrator password.
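The copy-and-paste rules in section 1.7 and in the optional key authentication above describe the same chore: turn the SSH2 (RFC 4716) file that the SSH Secure Shell key viewer shows into the single-line "<key-type> <key-value>" form that ssh-public-key1 expects, without the BEGIN, END and Comment lines or the line breaks. The following Python script, added here as an example and not part of any Fortinet product or of the original article, does that conversion, reads the key type out of the decoded blob instead of trusting the Comment line, reports the key length, and prints the CLI commands from the procedure. The embedded key file is a constructed sample with toy RSA parameters, not a real key.

```python
import base64
import struct

# Constructed sample, not a real key: an RFC 4716 ("SSH2") public key file as the
# SSH Secure Shell key viewer displays it. The body encodes an ssh-rsa key with toy
# parameters (e = 65537, n = 11), wrapped onto short lines to show the joining step;
# a real export wraps at about 70 characters and ends each line with CR LF.
SAMPLE_SSH2_KEY = (
    "---- BEGIN SSH2 PUBLIC KEY ----\r\n"
    'Comment: "[2048-bit rsa, admin@mgmt-pc, Mon Jan 01 2007 12:00:00]"\r\n'
    "AAAAB3NzaC1yc2EA\r\n"
    "AAADAQABAAAAAQs=\r\n"
    "---- END SSH2 PUBLIC KEY ----\r\n"
)

# Key types the FortiOS 3.0 ssh-public-keyN setting accepts, per the procedure above.
SUPPORTED_TYPES = {"ssh-rsa", "ssh-dss"}
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _read_string(blob: bytes) -> tuple:
    """RFC 4251 'string': 4-byte big-endian length followed by that many bytes."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    return blob[4:4 + n], blob[4 + n:]


def _key_bits(key_type: str, rest: bytes) -> int:
    """Bit length of the RSA modulus n (second mpint) or the DSA prime p (first mpint)."""
    skip = 1 if key_type == "ssh-rsa" else 0  # ssh-rsa blob is e then n; ssh-dss is p q g y
    for _ in range(skip):
        _, rest = _read_string(rest)
    mpint, _ = _read_string(rest)
    return int.from_bytes(mpint, "big").bit_length()


def ssh2_to_openssh(text: str) -> tuple:
    """Extract the base64 body from an RFC 4716 file, as the manual copy step does,
    and return (key_type, key_bits, base64_body). Drops the BEGIN/END lines and every
    header (Comment:, Subject:, ...), including headers continued with a trailing
    backslash, and tolerates CR LF line endings."""
    body, in_key, continued = [], False, False
    for line in text.replace("\r", "").split("\n"):
        line = line.strip()
        if line == BEGIN:
            in_key = True
            continue
        if line == END:
            break
        if not in_key or not line:
            continue
        if continued:                      # remainder of a multi-line header
            continued = line.endswith("\\")
            continue
        if ":" in line:                    # header line; base64 never contains ':'
            continued = line.endswith("\\")
            continue
        body.append(line)
    if not body:
        raise ValueError("no SSH2 key body found between BEGIN and END markers")
    b64 = "".join(body)
    blob = base64.b64decode(b64, validate=True)
    key_type_bytes, rest = _read_string(blob)
    key_type = key_type_bytes.decode("ascii")
    if key_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}; need one of {sorted(SUPPORTED_TYPES)}")
    return key_type, _key_bits(key_type, rest), b64


def fortigate_commands(key_type: str, b64: str, admin: str = "admin", slot: int = 1) -> list:
    """The CLI lines from the procedure, with the key already on one line."""
    if slot not in (1, 2, 3):
        raise ValueError("FortiOS 3.0 offers ssh-public-key1 to ssh-public-key3")
    return [
        "config system admin",
        f"  edit {admin}",
        f'    set ssh-public-key{slot} "{key_type} {b64}"',
        "end",
    ]


if __name__ == "__main__":
    ktype, bits, body = ssh2_to_openssh(SAMPLE_SSH2_KEY)
    print(f"# {ktype} key, {bits}-bit modulus (toy sample)")
    print("\n".join(fortigate_commands(ktype, body)))
```

On a machine with OpenSSH, ssh-keygen -i -f <file>.pub performs the same RFC 4716 to single-line conversion. Whichever way the line is produced, paste it into the CLI as one line and then run show system admin to confirm the stored key matches what you generated before relying on it for SCP or CLI logins.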

1.10. How to remove the CommWarrior and Beselo viruses from your Symbian cell phone
Description  This article describes how to remove the CommWarrior and Beselo viruses from your Symbian cell phone using the FortiCleanup tool.
Components Symbian Series 60 cell phone
Fortinet FortiCleanup program
Obtaining FortiCleanup
You can download the tool from the Fortinet Mobile Security portal. Choose the CommWarrior or Beselo version of the tool, as needed. See http://www.fortiguardcenter.com/mobile/cleanup.html.
Pre-cleaning steps
Insert the phone's memory card before cleaning so that it is scanned as well. If the infection is CommWarrior.C, the memory card must be inserted.
Installation  
To install the FortiCleanUp tool
Use the software provided with your phone to install FortiMobileCleanUp_Commwarrior.sis or FortiMobileCleanUp_Beselo.sis.
When warned that the application is untrusted, press Yes to proceed with the installation.
This warning occurs because the FortiCleanup application is not signed by Symbian.
When asked to confirm that you want to install the FortiCleanUp tool, press Yes.
At the Options screen, select Install and press OK.
Select your preferred language and press OK.
On the Select Memory screen, select Phone Memory and press OK.
Installation in the phone memory is recommended.
Cleaning your phone set  
The FortiCleanup tool has two scanning options:
Quick Scan scans the phone memory, phone processes and usual virus locations.
Full Scan scans the entire phone memory and file systems, including inserted memory cards.

To run the Quick Scan
From the main menu, select the FortiCleanup tool icon.
From the FortiCleanup main screen, select the Quick Scan option, and press OK.
When the scan completes, the summary report lists infected and deleted files. Select Options > Details for more information.

If the Quick Scan finds infected files, run the Full Scan.

To run the Full Scan
From the main menu, select the FortiCleanup tool icon.
From the FortiCleanup main screen, select the Full Scan option, and press OK.
The scan requires about 20 seconds. When the scan completes, the summary report lists infected and deleted files. Select Options > Details for more information.
Exit the FortiCleanUp tool.
Close all running applications on the phone.
Turn the phone off.
Turn the phone on and rerun the Quick Scan to confirm that the viruses have been removed.
After cleaning your phone set  
Periodically re-run the FortiCleanup tool to ensure that your phone is not re-infected.

The FortiCleanup_Commwarrior tool cleans viruses from the CommWarrior family only. The FortiCleanup_Beselo tool cleans only the Beselo virus. For enhanced protection, consider using a security application with full antivirus coverage, firewall and antispam features, such as Fortinet FortiClient Host Security.

1.11. How to choose the correct firmware image for your Fortinet product

Description  How to choose the correct firmware image to upgrade or downgrade the current firmware image on your Fortinet product
Components  All Fortinet products
Steps or Commands  
The following lists cover each product's firmware versions with their maintenance releases and, where applicable, patch releases. Maintenance releases are referred to as MR<number>, and patch releases as P<number>.
 
FortiGate 2.80:
MR2, build-158
MR3, build-184
MR4, build-219
MR5, build-251
MR6, build-292
MR7, build-318
MR8, build-359
MR9, build-393
MR10, build-456
MR11, build-489/490
MR12, build-519
MR12, P1, build-520
FortiGate 3.0:
MR1, build-0247
MR2, build-0318
MR3, build-0400
MR3, P3, build-0403
MR3, P5, build-0405
MR3, P6, build-0406
MR3, P7, build-0410
MR3, P7-MEM, build-0424
MR3, P8, build-0411
MR3, P9, build-0413
MR3, P9-MEM, build-0468
MR3, P10, build-0415
MR3, P11, build-0416
MR4, build-0474
MR4, P1, build-0475
MR4, P2, build-0477
MR4, P3, build-0479
MR4, P4, build-0480
MR4, P5, build-0483
MR5, build-0559
MR5, P1, build-0564
MR5, P2, build-0565
MR5, P3, build-0568
MR5, P4, build-0572
MR5, P5, build-0574
MR6, build-0660
MR6, P1, build-0662
MR6, P2, build-0668
FortiManager 3.0:
GA, build-219
MR1, build-292
MR2, build-365
MR3, build-421
MR4, build-457
MR4, P1, build-462
MR4, P2, build-468
MR4, P3, build-471
MR4, P4, build-475
MR4, P5, build-476
MR5, build-538
MR5, P1, build-544
MR5, P2, build-551
MR5, P3, build-554
MR5, P4, build-555
MR5, P5, build-558
MR6, build-594
MR6, P1, build-597
MR6, P2, build-600
MR6, P3, build-602
FortiAnalyzer 3.0:
GA, build-219
MR1, build-292
MR2, build-365
MR3, build-421
MR4, build-502
MR4, P1, build-506
MR4, P2, build-507
MR4, P3, build-508
MR4, P4, build-510
MR4, P5, build-511
MR5, build-558
MR5, P1, build-560
MR5, P2, build-561
MR5, P3, build-562
MR5, P4, build-563
MR5, P5, build-655
MR6, build-643
MR6, build-645
FortiMail (all firmware versions):
2.20, build-057
2.80, build-145
2.80, MR1, build-196
3.0, build-083
3.0:
MR1, P1, build-148
MR2, build-199
MR2, P1, build-204
MR2, P2, build-215
MR2, P3, build-218
MR3, build-295
FortiClient 2.0:
GA, build-062
MR1, build-148
FortiClient 3.0:
GA, build-142
MR1, build-229
MR2, build-308
MR4, build-0395
MR5, build-0457
MR5, P1, build-465
MR5, P2, build-470
MR5, P3, build-473
MR5, P4, build-474
MR5, P5, build-475
MR6, build-534
MR6, P1, build-537
MR6, P1, build-539
FortiOS Carrier 3.0:
GA, build-014
MR1, build-031
MR1, P1, build-033
MR2, build-055
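To pick a target image from lists like these, compare releases by version (major, MR, patch), not by build number: the FortiAnalyzer 3.0 list above has MR5 P5 at build-655 and the newer MR6 at build-643, so "highest build" picks the wrong image. The following Python, added as an example for this page and not a Fortinet tool, parses lines in the format of these lists into comparable records, reports the newest release for a product, and answers whether a move from one entry to another is an upgrade. The list embedded in it is a constructed subset of the FortiGate 2.80 and FortiAnalyzer 3.0 entries above; headers that put the version on each line (the FortiMail list) are not handled, and a tag such as -MEM is kept as a variant without interpreting it.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the lists above (a subset of the FortiGate 2.80
# and FortiAnalyzer 3.0 entries), including the MR5 P5 / MR6 build-number inversion.
SAMPLE_LIST = """\
FortiGate 2.80:
MR11, build-489/490
MR12, build-519
MR12, P1, build-520
FortiAnalyzer 3.0:
GA, build-219
MR5, P4, build-563
MR5, P5, build-655
MR6, build-643
"""

PRODUCT_RE = re.compile(r"^(?P<product>.+?)\s+(?P<major>\d+(?:\.\d+)*):$")
RELEASE_RE = re.compile(
    r"^(?:GA|MR(?P<mr>\d+))"                                # GA or maintenance release
    r"(?:,\s*P(?P<patch>\d+)(?:-(?P<variant>\w+))?)?"      # optional patch and tag (P7-MEM)
    r",\s*buil[a-z]*-?0*(?P<build>\d+)(?:/\d+)?$"          # build-0474, build538, build-489/490
)


@dataclass(frozen=True, order=True)
class Firmware:
    product: str
    major: tuple      # (3, 0) for "3.0", (2, 80) for "2.80"
    mr: int           # 0 for GA
    patch: int        # 0 for the MR release itself
    variant: str      # "" or a tag such as "MEM"
    build: int        # compared last, so it only breaks ties


def parse_firmware_list(text: str) -> list:
    """Parse 'Product X.Y:' headers followed by 'MRn, Pm, build-NNN' lines."""
    entries, product, major = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PRODUCT_RE.match(line)
        if m:
            product = m["product"]
            major = tuple(int(x) for x in m["major"].split("."))
            continue
        m = RELEASE_RE.match(line)
        if not m or product is None:
            raise ValueError(f"unrecognised line: {line!r}")
        entries.append(Firmware(product, major, int(m["mr"] or 0), int(m["patch"] or 0),
                                m["variant"] or "", int(m["build"])))
    return entries


def latest(entries, product: str, major=None) -> Firmware:
    """Newest release by version order (major, MR, patch), not by build number."""
    candidates = [e for e in entries
                  if e.product == product and (major is None or e.major == major)]
    if not candidates:
        raise ValueError(f"no releases listed for {product} {major}")
    return max(candidates)


def is_upgrade(current: Firmware, target: Firmware) -> bool:
    """True when target is a newer version of the same product. A higher build number
    alone is not an upgrade, and a variant of the same patch level compares equal."""
    if current.product != target.product:
        raise ValueError("cannot compare firmware for different products")
    return (target.major, target.mr, target.patch) > (current.major, current.mr, current.patch)


if __name__ == "__main__":
    fw = parse_firmware_list(SAMPLE_LIST)
    newest = latest(fw, "FortiAnalyzer", (3, 0))
    biggest = max((e for e in fw if e.product == "FortiAnalyzer"), key=lambda e: e.build)
    print("newest by version:", newest)
    print("highest build:    ", biggest, "-> upgrade to newest?", is_upgrade(biggest, newest))
```

The script prints the two candidates side by side: the highest build is MR5 P5, yet the correct upgrade target is MR6. The parser accepts the spelling variants that appear in the lists (build538, build0403, builid-083) so that a list pasted from this page can be checked as-is.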
